Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian Server Compromised

Posted by ryuzaki0 on from the fox-in-the-henhouse dept.

Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. " gluck is a core development machine."

44 of 349 comments (clear)

  1. Oh no by Anonymous Coward · · Score: 5, Funny

    Oh no, now they have access to all the Debian source!

    1. Re:Oh no by NadNad · · Score: 5, Funny

      Maybe it's SCO, trying to find their code buried in linux...

    2. Re:Oh no by eeg3 · · Score: 5, Insightful

      More like, now they have to verify that no backdoors or other malicious code were inserted.

    3. Re:Oh no by Anonymous Coward · · Score: 5, Funny

      Forget running Debian Unstable. Debian Compromised is where it's at.

    4. Re:Oh no by Aranth+Brainfire · · Score: 4, Funny

      It doesn't matter, just email them to whoever you like and the maintainer will get them anyway.

      --
      "Quoting yourself is stupid." -Me
    5. Re:Oh no by rolfwind · · Score: 3, Funny

      They should look under /dev/null, it happens to be the same place their case is headed soon:)

  2. Once is ok, but twice is too much... by ModernGeek · · Score: 3, Insightful

    ...first we had the hack into the repository severs, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs. Now it seems that internal development machines are being hacked. If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise? Granted this was on a development branch and development server, but how many times do you have to upgrade to an "experimental" package to get a function or feature that you need to have in your setup? I might be spreading FUD, but I think I speak for the rest of us when I speak of this vibe I feel from debian.

    --
    Sig: I stole this sig.
    1. Re:Once is ok, but twice is too much... by lawpoop · · Score: 5, Insightful

      You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

      How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives ( and disincentives ) does Microsoft have to tell us if such a thing were to happen?

      So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.

      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
    2. Re:Once is ok, but twice is too much... by The+Bungi · · Score: 4, Insightful
      That's nice, but it's usually hard to prove a negative. How do you know RedHat or SUSE haven't been hacked? Because they haven't told you? How can you be sure?

      Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

    3. Re:Once is ok, but twice is too much... by Josh+Triplett · · Score: 5, Informative
      first we had the hack into the repository severs, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs.

      No, we didn't. The server holding the Debian archive did not succumb to the exploit, because it didn't run on an x86 machine and the people exploiting it only attempted to run x86 code. Furthermore, data on the servers that *did* succumb to the exploit got checked before it became available again.
    4. Re:Once is ok, but twice is too much... by sqlrob · · Score: 3, Interesting

      Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

      Are you sure about that? Remember, the MS network was compromised a while as well. Do you trust their auditing?

    5. Re:Once is ok, but twice is too much... by YU+Nicks+NE+Way · · Score: 5, Informative

      You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right? In order to actually subvert the downloads, an attacker would not only need to take over the system, but would also need to sign the modified download with a Microsoft key. That's hard: the private keys for signing code are kept on a machine inside a SKIF. Last time I checked, code was taken to be signed by sneakernet, so that there would be a physical airgap between the network and the signing system.

    6. Re:Once is ok, but twice is too much... by B3ryllium · · Score: 3, Funny

      Mwuahahahha! Perfect place to ply the first-ever Carrier Pigeon Protocol hack!

    7. Re:Once is ok, but twice is too much... by Waffle+Iron · · Score: 3, Interesting

      If you remember, the incident in question involved someone loose for weeks or months on Microsoft's internal networks before they were discovered. It's wouldn't have been impossible for them to modify the code before it got signed. Microsoft had to spend a great deal of effort to try to verify that such a thing didn't actually happen.

    8. Re:Once is ok, but twice is too much... by SnowZero · · Score: 3, Informative

      You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right?

      Btw, Debian also does digital signatures for every package installed (see here). I don't think they have gone as far as having an air-gap, but it does mean that a regular hacking won't be able to silently corrupt packages.

      Debian's system is actually quite cool, since it can check *every* program installed, and not just core OS updates (courtesy of apt controlling 99% of software installation). In fact, you can add additional keys for other package sources (I run some unofficial packages, but those developers also sign their packages with their own keys, so it is covered as well).

    9. Re:Once is ok, but twice is too much... by flacco · · Score: 4, Informative

      but with a compromised dev machine, one could patch in back door code that gets signed as valid.

      --
      pr0n - keeping monitor glass spotless since 1981.
    10. Re:Once is ok, but twice is too much... by _Sprocket_ · · Score: 5, Insightful

      The point being that digitally signed binaries aren't a guarantee. They're darned nice. Makes things more difficult to slip in a rogue binary. But they're not the end-all, be-all in assuring some rogue code isn't slipped in there somewhere.

      And yes - that goes for closed, proprietary software houses as well as the public, open groups.

    11. Re:Once is ok, but twice is too much... by asuffield · · Score: 5, Insightful
      If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise?


      The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.

      The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit), there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, like you imply.

      Goodness knows what this one was.
    12. Re:Once is ok, but twice is too much... by Nik+Picker · · Score: 4, Insightful

      Converserly, We know nothing about the code we buy from propriatery developer nor do we ( or most likely they ) know anything about the code in the thridparty libraries that may have been included inthe purchased application. We know nothing about the security of the servers providing the updates nor the features included in those updates. We KNOW NOTHING. Yet we accept , almost glibly, the stanards and security of those systems accepting that since its for enterprise it must me more reliable.

      So when an group of administrators working on a server which provides software and updates to products for which you can read and see the content and know the features is compromised, you feel its poor quality.

      it seems the effort and the acceptance of responsibility do nothing more than increase the level with which we should be accepting these open systems. They appear to have a demonstrably better level of reporting and culpability than many closed servers.

      --
      And thats why Firecrackers and kittens don't mix.
    13. Re:Once is ok, but twice is too much... by redcane · · Score: 3, Informative

      You can import the appropriate keys using PGP. If I recall correctly a google search for the error messages apt is emitting will find you some discussions on this matter, including fixes.

    14. Re:Once is ok, but twice is too much... by zCyl · · Score: 4, Insightful

      first we had the hack into the repository severs, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs

      If only there were some tool anyone in the world could use to assess the difference between source versions to see if anything malicious had been inserted...

  3. No fear... by gravyface · · Score: 5, Funny

    It's Debian... they found an old DAT tape from three years ago, restored it, and realised that nothing's changed in the source tree. *ducks*

    --
    body massage!
    1. Re:No fear... by the_humeister · · Score: 5, Funny

      And after recovering the DAT tape from the safe-deposit box at the bank, they went to the ATM machine and entered their PIN numbers to get some money.

    2. Re:No fear... by chill · · Score: 3, Informative

      Well, considering that DAT stands for Digital Audio Tape, I find that a bit unlikely...

      How old are you? Gotta be under 25, easy.

      4mm helical scan DAT tapes were very, very popular for enterprise data backup. Do a quick google on "dat tape backup" and enlighten yourself.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
  4. You have my sympathies by Anonymous Coward · · Score: 3, Funny

    Aw man, that's too bad. I think we should all wish the Debian team g'luck.

  5. Question by Frogbert · · Score: 4, Interesting

    I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

    1. Re:Question by Nutria · · Score: 5, Informative
      I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

      http://www.debian.org/security/

      Security (not feature) patches are backported if possible, and if the patches are too extensive, an upgraded version goes into Stable.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Question by macemoneta · · Score: 4, Insightful

      I use Fedora Core, and know that there are (at least) a couple of features active in the distribution to address zero-day exploits; ExecShield and SELinux (or other mandatory access control system).

      I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.

      --

      Can You Say Linux? I Knew That You Could.

  6. Things are chaning... by ModernGeek · · Score: 5, Funny

    ...they aren't as grim as you may think. Soon enough, universities will be obsolete, and corporations will judge one based on open source contributions. If we all move aggressively toward this stance, the MCSEs will hit the road, and open source pioneers will rule the world of research, development, and jobs all funded by large corporations. All the source will be open, and the developers will work for companies like Verizon and the government as researchers. The same way that students pay universities to do the same thing for them, the difference is that the companies will pay you and you won't be paying a university. A large company that does not employ open source developers will be seen as bad in morale the same way a company is seen as bad for outsourcing manufacturing jobs to Mexico. If we take open source and ourselves seriously, all of this can happen. The old attitude of "don't use it if you don't like it" is going away, and things will be set straight if we push things forward.

    --
    Sig: I stole this sig.
  7. Maybe Debian devs will finally come around by b3x · · Score: 5, Funny

    and move that source repository to a more secure Windows 2003 Server platform.

  8. obligatory: by Anonymous Coward · · Score: 5, Funny

    I felt a great disturbance in the Force, as if millions of nerds suddenly cried out in terror and were suddenly silenced.

  9. What was exploited..? by paulmer2003 · · Score: 3, Interesting

    Does anyone know what in particular was exploited? TFA dosent give a flying fuck of information.

  10. Re:Good thing... by GoRK · · Score: 4, Insightful

    Well I suppose you probably know this but for the others out there who may miss the subtlety ---

    Ubuntu draws sources heavily from the unstable and/or testing branches of Debian in order to devote more time and energy to testing and the important fixed-length release cycle. They also are partially reliant on the Debian project for security updates. There would be little to no forward movement of Ubuntu currently without the Debian project. Indeed this may change as time goes on, but to me there are a lot of benefits to this model and I hope they stick with it. Previously most every debian-derived distribution has perished by trying to shed their ties and reliance on the core Debian project.

  11. Re:Changelogs by uhoreg · · Score: 4, Informative

    Changelogs don't provide any form of security, and package changelogs have been standard in Debian since many, many years ago. (Long before Ubuntu was a gleam in Mark Shuttleworth's eye.) Changelogs should only be treated as a convenience to the user.

    And apt supports GPG signing of the Release file, which contains an MD5 and SHA-1 hash of the Packages file, which contains MD5 hashes of the packages. (In other words, apt already does package integrity checking.)

    --

    To get something done, a committee should consist of no more than three persons, two of them absent.

  12. Re:Changelogs by SnowZero · · Score: 3, Informative

    It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades.

    Debian has been checking digital signatures on every package installed for almost a year now. See here.

    Of course, I run testing, so I have no idea when this got into stable.

  13. Re:This has been said before... by kashani · · Score: 4, Funny

    Ahem.

    As a Gentoo user over the age of 30 I'd like to apologize for the under 20 Gentoo user's previous post. I'll slap him around on IRC later. ;-)

    kashani

    --
    - Why is the ninja... so deadly?
  14. Dear Hackers by SnowZero · · Score: 3, Interesting

    Dear Hackers,

    If you manage to hack into the main repository, please fix this bug. A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.

    If you hack, do it for the right reasons.

  15. Re:I refuse to belive this by CaptainTux · · Score: 4, Insightful

    Your sarcasm is a bit silly. I don't believe the article even mentions that this was an OS leval attack. Most likely, and from the fact that they pulled all these services offline, the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So the didn't hack Linux. They hacked a service. Probably.

    --
    Anthony Papillion
    Advanced Data Concepts, Inc.
    "Quality Custom Software and IT Services"
  16. Why all the flak? by Dryanta · · Score: 5, Insightful

    Hey I'm sure that everyone working on Debian's dev servers have lower uids than most of us, and I find the flak to really be undeserved. It's Linux not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a bsd or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected in addition to the service being taken offline immediately is cause for thanks to the security team!

  17. Re:This has been said before... by ComputerizedYoga · · Score: 4, Informative

    I've got a lot of other problems with debian which prevent me from using it. However, their security track record is not really one of them. Given the huge project with a very large number of machines and developers, and their long track record with very few incidents, I don't think it's fair to pick too much on this one.

    That, and Gentoo is hardly immune to this sort of thing either.

  18. Re:This has been said before... by Apro+im · · Score: 4, Informative

    That's why, as a l337 hax0r, you can run a mixed system. Nobody stops you from installing unstable packages, right from apt, even! (Check out that -t flag!) Or even better, you can actually build your own source.

    The argument for Gentoo that "I like the idea of building my own source" in the sense of "I like getting down and dirty into my system" is really kind of bull. I ran Gentoo for a while, and I thought they had done some amazing work. Portage/emerge is just amazingly well done, and it's nice to have code that's been optimized for my hardware requirements. It's not exactly scalable (maintaining a large set of diverse hardware is a lot harder), and it can lead to untenable situations and instability, but it's still damn cool. And you know what's really cool about it? It's the convenience of apt, for source packages! Please disabuse yourself of the notion that you are "building your own source" -- the Gentoo maintainers are very diligently, very cleverly packaging the source so that you can specify a set of system parameters and then let it build. If you really want to get nitty gritty, run Slackware (although, I guess they have package management now, too). Gentoo has lots of merits, but the truth is, most Gentoo users know no more or less about how things work than an average Liinux user.

    For me, in the end, the speedup I was getting just wasn't making up for the hours it would take each time I ran a system-wide upgrade and the unexpected conflicts because the USE flags that made each package special for MY computer were screwing up MY computer something fierce.

  19. Re:This has been said before... by Spliffster · · Score: 3, Insightful

    i second that and would add: any commercial os vendor would just never tell you wenn this happens (except the stolen source code is beeing published on the net, heh).

  20. WikiDebian? by femto · · Score: 4, Funny

    Maybe we need WikiDebian? "The free operating system that anyone can edit."

    I'm not joking. If it works for Wikipedia, why not Debian??

  21. Re:It was a local root exploit by uhoreg · · Score: 3, Informative

    See also this posting on debian-project for more technical details.

    --

    To get something done, a committee should consist of no more than three persons, two of them absent.