Slashdot Mirror


Debian Server Compromised

Security News writes "According to a post on the debian-devel-announce mailing list, 'Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it.' gluck is a core development machine."

16 of 349 comments

  1. Oh no by Anonymous Coward · Score: 5, Funny

    Oh no, now they have access to all the Debian source!

    1. Re:Oh no by NadNad · Score: 5, Funny

      Maybe it's SCO, trying to find their code buried in linux...

    2. Re:Oh no by eeg3 · Score: 5, Insightful

      More like, now they have to verify that no backdoors or other malicious code were inserted.

    3. Re:Oh no by Anonymous Coward · Score: 5, Funny

      Forget running Debian Unstable. Debian Compromised is where it's at.

  2. No fear... by gravyface · Score: 5, Funny

    It's Debian... they found an old DAT tape from three years ago, restored it, and realised that nothing's changed in the source tree. *ducks*

    --
    body massage!

    1. Re:No fear... by the_humeister · Score: 5, Funny

      And after recovering the DAT tape from the safe-deposit box at the bank, they went to the ATM machine and entered their PIN numbers to get some money.

  3. Re:Once is ok, but twice is too much... by lawpoop · Score: 5, Insightful

    You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

    How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives ( and disincentives ) does Microsoft have to tell us if such a thing were to happen?

    So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso

  4. Re:Once is ok, but twice is too much... by Josh+Triplett · Score: 5, Informative

    "first we had the hack into the repository servers, and we didn't know whether or not we were running exploited code when we use apt-get to update our programs."

    No, we didn't. The server holding the Debian archive did not succumb to the exploit, because it didn't run on an x86 machine and the people exploiting it only attempted to run x86 code. Furthermore, data on the servers that *did* succumb to the exploit got checked before it became available again.
  5. Things are changing... by ModernGeek · Score: 5, Funny

    ...they aren't as grim as you may think. Soon enough, universities will be obsolete, and corporations will judge one based on open source contributions. If we all move aggressively toward this stance, the MCSEs will hit the road, and open source pioneers will rule the world of research, development, and jobs all funded by large corporations. All the source will be open, and the developers will work for companies like Verizon and the government as researchers. The same way that students pay universities to do the same thing for them, the difference is that the companies will pay you and you won't be paying a university. A large company that does not employ open source developers will be seen as bad in morale the same way a company is seen as bad for outsourcing manufacturing jobs to Mexico. If we take open source and ourselves seriously, all of this can happen. The old attitude of "don't use it if you don't like it" is going away, and things will be set straight if we push things forward.

    --
    Sig: I stole this sig.

  6. Re:Question by Nutria · Score: 5, Informative

    "I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?"

    http://www.debian.org/security/

    Security (not feature) patches are backported if possible, and if the patches are too extensive, an upgraded version goes into Stable.

    --
    "I don't know, therefore Aliens" Wafflebox1

  7. Re:Once is ok, but twice is too much... by YU+Nicks+NE+Way · Score: 5, Informative

    You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right? In order to actually subvert the downloads, an attacker would not only need to take over the system, but would also need to sign the modified download with a Microsoft key. That's hard: the private keys for signing code are kept on a machine inside a SCIF. Last time I checked, code was taken to be signed by sneakernet, so that there would be a physical airgap between the network and the signing system.

  8. Maybe Debian devs will finally come around by b3x · Score: 5, Funny

    and move that source repository to a more secure Windows 2003 Server platform.

  9. obligatory: by Anonymous Coward · Score: 5, Funny

    I felt a great disturbance in the Force, as if millions of nerds suddenly cried out in terror and were suddenly silenced.

  10. Why all the flak? by Dryanta · Score: 5, Insightful

    Hey, I'm sure that everyone working on Debian's dev servers has a lower uid than most of us, and I find the flak to really be undeserved. It's Linux, not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a BSD or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected, in addition to the service being taken offline immediately, is cause for thanks to the security team!

  11. Re:Once is ok, but twice is too much... by _Sprocket_ · Score: 5, Insightful

    The point being that digitally signed binaries aren't a guarantee. They're darned nice. Makes things more difficult to slip in a rogue binary. But they're not the end-all, be-all in assuring some rogue code isn't slipped in there somewhere.

    And yes - that goes for closed, proprietary software houses as well as the public, open groups.

  12. Re:Once is ok, but twice is too much... by asuffield · Score: 5, Insightful

    "If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise?"

    The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.

    The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit); there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, like you imply.

    Goodness knows what this one was.