Debian Locks Out Developers
daria42 wrote in with an update to an earlier story about a Debian server that was compromised. He explains: "The Debian GNU/Linux project has discovered a compromised developer account was used to gain access to a server compromised this week. A local kernel vulnerability was then used to gain root access. Due to this, a number of developers with weak passwords have been locked out of their system accounts." To be fair, they'll most likely be let in once everything's back to normal. Of course, they'll probably need to set safer passwords too.
That wonderful feeling of making the password hard to guess, but easy to recall.
Marge, get me your address book, 4 beers, and my conversation hat.
I guess this means that there are a lot of Ubuntu users out there who are vulnerable right now... how long for the patch?
Also, the article seems to be a little out. Shouldn't it be just 2.6.12 -> 2.6.17.4 as this includes 2.6.16 -> 2.6.16.24
Does it go on forever?
Time to enforce a 200 character minimum for passwords.
Hopefully then they will also implement a good set of password rules and enforce them to protect themselves from future problems. Where I work they require 3 out of the 4 rules to be met, such as mixed case, numbers and special characters... of course they also make us change our password every 30 days, so I've discovered that people have taken to doing things like Asdf1234 and then, when the password requires changing, changing it to Asdf2345... Doh.
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
Why when this happens on a Windows server is "OMG! Windows is insecure! M$ is evil!!!!"
But with this its "Oh just set more difficult passwords"...
Bill G.
Why don't they just have the developers use ssh2 keys? I didn't know anyone actually used passwords on secure systems for authentication...
An investigation? Doesn't it take a long time to bruteforce properly encrypted passwords? How did they carry out this 'investigation'?
Can somebody please cure me of my chronic ignorance?
I guess I should be more specific. My point was that people were putting strings of letters and/or numbers in sequence as their password because they were forced to change them so frequently. I would argue that any string which is sequential is less secure than a randomized number. Like putting 1234 as your ATM pin... it leads to easy shoulder surfing.
Thus people would pick their first name, Peter123 if I was to use my own name as an example. I'm comparing this to passwords that I had to use at Sandia National Labs which were randomized letters and number strings generated by computer, the user was presented with a screen of 30 passwords and you were allowed to pick any of the 30, or to generate a screen of 30 more passwords... The people would pick things that made sense to them but were completely randomized and were never a dictionary word or even a common short hand for the words etc.
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
...but it's Linux!
I have noticed what you talk about, though I've seen it go to further extremes. While at work (we run a mainly Windows network with a few hundred users) I've done further education (outside of Uni) at Australian TAFEs (basically vocational colleges) in Queensland - the TAFE I went to runs a pure Windows network with around twenty thousand plus users over several sites... Anyone who has been to one of these TAFEs understands how much of a raping they have taken from Microsoft, and I say raping because they run the 'perfect Windows network' following all of Microsoft's guidelines etc., which means some machines take over fifteen minutes to log in and are laggy as all hell once they are in.
:)
Anyway, onto the topic. They also follow the recommended guidelines for passwords, which includes at least one capital, two numbers, over six chars, and cannot be any of your previous passwords (with, I believe, an 80% match so you can't just add a 1 or a 2 to it), and these roll every thirty days. Now as a geek I have my own unique password system where no two are the same, they are long, and they have numbers, and at least one capital - unfortunately there are only five or six possible combinations that meet the password system for each item, meaning after five months going to this TAFE (I was there a year part time) I ran out of passwords. This put me on the treadmill that everyone else had been on for a few months (they did a fresh roll over to XP from 98 at the start of last year) of forgetting the password (that I made up to get into the system after my old one expired) or where I wrote it down (yes, everyone wrote down their passwords in blatant places so they could find them again, which to me makes passwords null anyway) and then starting to use generic passwords that everyone else was using that month, for example t4f3IsShit or fUkp455words and the like. As you can probably see this just ends up a mockery of the idea.
So basically the point I'm trying to make is you have to be careful with what you mean by a 'good set of password rules' as if you go overboard even to the slightest extent (as I've seen happen time and time again) passwords just become a joke and you may as well not have them.
Personally I've found that if you teach people/users what a secure password is, teach them not to tell it to anyone, get them to use Firefox to avoid keyloggers, and then enforce a six to twelve month roll over, no problems ever come up. That's my happy medium and 2 cents anyway.
I ate your fish.
This is a reminder on the more people with access to something the more the risk. Also, passwords aren't meant to be simple.. Get /Rh4d wiF 1t M4Yn3..
;p
;p
When I was just a kiddie people used to crucify me for my 3wh34t|\|3$$.. At least I was fast at it! I even had a custom script for Procomm Plus to translate all my shit.. By that time I learned how annoying it was though
Wow.. that was like 10 years ago.. Doh!~
Good for passwords!
FYI- If you can't think of a not-so-weak password, use a sentence you know and use the letters you remember..
or..
Hit yo-self wit da clue bat
lol.. too much drinkin today me thinks..
Have you thought this through? The point of regularly changing passwords is so that if a blackhat gets a password then it will only work for a limited time. If a blackhat can find the password "KmcJxusUc822" that was stored on an old broken backup hard drive found in a flea market, it won't be of any use to him if the password is changed monthly, *unless* the user uses incremental passwords. If the backup is one year old then the blackhat only has to guess a password around "KmcJxusUc834".
iforgot /my god, I don't know how many times I saw that password used by my network users...
By running cracking tools against them, of course.
Wait, that's a bad password?!? I have to go change the password on my luggage
A mouse is a device used to point to the xterm you want to type in
Locking them out is totally fair, and imho it's the responsible thing to do.
STRONG passwords should be enforced (hell, mandatory keyed logins would be better) on machines like this (which are fairly attractive targets for abuse)...
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
You would think that Debian would take some extra steps to secure their systems, or at least make sure their developers' passwords were secure enough. For example, I know that while some websites only have a password security meter, some sites, I think I saw this on gmail, will not let you set a password that registers as weak in their password strength meter.
I think that Debian needs to learn from this mistake and start making some serious changes. There are a lot of people running Debian linux distros that are now vulnerable and this includes businesses depending on Debian's security. You would think that something this serious would be better protected.
Klingon Software is not released, it escapes, inflicting terrible damage onto the enemy as it does
For once it's not a compromised windows based system we're waiting for a bug fix on...
Goodness, no! This might push them behind schedule!
Mod me down with all of your hatred and your journey towards the dark side will be complete!
They probably used a dictionary attack and found out various passwords. The dictionary would be things like the %username%, password, asdf1234, admin, root, apple, hello ...
This can be done very fast compared to brute force.
What the script does is take the word to guess, hash it the same way the password is hashed (e.g. SHA-1), and if they match you have the password.
There's no way you could be dumb enough to actually think that.
There's no way you could be dumb enough to actually think that.
Oh yes, there is, and he's got +5, so extrapolate.
Not even funny.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
How the hell could this be modded insightful? The whole point of changing passwords is so that the compromise of one password doesn't lead to unlimited access or the compromise of future passwords.
If a password is so secure that it can't be guessed, then why change it? If it's so weak that it gets guessed monthly, changing just one digit doesn't do shit.
And if the system gets compromised, you reinstall and choose a totally different password.
Seriously, this must be the most stupid advice I've seen and it's currently +2, Insightful. Scary.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
John the Ripper most likely. Great tool - recovered the root password for an SGI box a friend bought on eBay in less than a second (your password may vary.)
Doesn't that mean that if somebody should somehow get into my desktop, either physically, over the network, an old hard drive, etc, and grabs my key, he will have access to every single machine I can access? And I'd have to make a change on each one of those systems?
I'd really like to switch to keypairs for authentication but that seems inherently dangerous. Am I missing something?
Seriously, this must be the most stupid advice I've seen and it's currently +2, Insightful. Scary.
Even scarier was the training class where the instructor *told* us to trivially rotate passwords!
(The one thing I'd add is that the idea that adding complexity can't hurt is completely misguided. Every new chore you add to password maintenance means that many more passwords on a post-it under the keyboard.)
What I'm listening to now on Pandora...
However, said keys better be passphrase- (NOT password-) protected! After all, if, let's say, $DEVELOPER's laptop gets stolen and it has a non-passphrase-protected ssh key, then going to the effort of using keys for authentication will be for naught.
FWIW, I recently ditched Debian for a completely unrelated reason (see also, CVE-2006-1173).
Oh, no! You have walked into the slavering fangs of a lurking grue!
They're assuming a decay of password security; that a proportion of people will write them down on odd bits of paper and lose them, that they'll reuse the password in another context and have it spied out, keylogged, etc. Changing the password cleans up these leaks; unless you're just incrementing as above. If I was cracking and a stolen password failed I'd use it as the seed of an attack.
Being that I work on systems which have a government security clearance requirement, passwords on our networks have a few enforced rules..
;) .. Problem is, using passwords such as this can get VERY confusing if you have to keep changing it, especially when you start having 6 passwords like this in use on various systems because some of them make you change on different time schedules. Chances are that the average user is just going to start using stupid crap like "LisaMarie89", which happens to be their daughter's name and year of birth, because anything else just gets too hard to remember anymore.
As a system admin and user however, I really do not believe that the rule of changing passwords, especially when combined with a rule that says you can not use the same password for the next 10 changes, is really a bad idea. I have always used very hard to guess passwords like hcwlcd3cm28MP (and no, this is not a password I use
IMO, if you set up the rules so that passwords have to be hard to guess, dump the password change requirement, or make it so that it is extremely rare and so that a few passwords can be recycled.
Be interested to hear how other admins feel about this.
+++ATH0 NO CARRIER
Debian locks out developers after server hack
How much more useful would have been the headline Debian closes accounts with weak passwords?
bash$
Some lady has a weak password and her Windows box gets owned, MS sucks, Windows blows (now the fact that she _does_ run as an Administrator doesn't help).
::waking back up to reality::
_developers_ working for one of the most popular open source projects have weak passwords, there is a _kernel_ exploit, and people defend it still.
FYI I run Linux, OSX and Windows on my machines, but come on... why can't we all just get along and admit there are problems with software regardless of the company, model etc.
... means everyone gets to see your machine compromised?
Help poke pirates in the eyepatch, arr.
Agreed. Until last week we used outright strings for our sandbox users' passwords on servers and test servers (syntax username12345). That was of course before a friendly Windows script kiddie used a dictionary attack against them and in a stroke of luck the username they got was one of the sandbox accounts and their dictionary just had a huge list of username, username1, username12, username1..6. Luckily we had no outstanding security flaws and the sandbox accounts were indeed sandboxed, though poor Undernet got an extra 2mbit to the face for half a day while we tracked down the problem and stopped it.
So using strings that are non-random is just an outright bad idea, because even a dictionary attack that is large enough can get them, and then incremental on top of it is even worse because it gives you a false sense of security. If the attacker knows it is company policy to +/- 1 every month they will just try the pw +/- 1 for each month old the pw is. So yeah, it is just a bad idea all up when put in userland.
I ate your fish.
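The incremental-rotation problem raised here and in several comments above (Asdf1234 -> Asdf2345, KmcJxusUc822 -> KmcJxusUc834, the +/- 1 pattern), as an added example that is not part of the thread: a change-time check that rejects blocklisted words with or without a digit tail, passwords that are a previous one with only its trailing digits nudged, and passwords that are at least 80% similar to a previous one. The blocklist, the thresholds and the sample passwords are constructed for the example, and difflib's similarity ratio stands in for whatever the "80% match" rule quoted above actually uses.

```python
import difflib
import re

# Constructed blocklist standing in for a real dictionary of known-bad choices.
BLOCKLIST = {"password", "admin", "root", "apple", "hello", "asdf1234", "iforgot", "peter"}

# The "80% match" rule quoted in the thread; difflib's ratio is the assumed similarity measure.
SIMILARITY_LIMIT = 0.8


def character_classes(pw: str) -> int:
    """Count how many of the four classes (lower, upper, digit, other) the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def split_stem(pw: str):
    """Split off a trailing run of digits: 'Asdf1234' -> ('Asdf', '1234'), 'Tia2bfb!' -> ('Tia2bfb!', '')."""
    m = re.fullmatch(r"(.*?)(\d*)", pw, re.DOTALL)
    return m.group(1), m.group(2)


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with only its digit tail changed (Asdf1234 -> Asdf2345,
    KmcJxusUc822 -> KmcJxusUc834, Peter -> Peter1) or is at least 80% similar to it.
    Two all-digit passwords share the empty stem and are treated as a rotation too."""
    if old.lower() == new.lower():
        return True
    old_stem, _ = split_stem(old)
    new_stem, _ = split_stem(new)
    if old_stem.lower() == new_stem.lower():
        return True
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() >= SIMILARITY_LIMIT


def check_new_password(new: str, previous: list, min_length: int = 8, min_classes: int = 3) -> list:
    """Return the list of policy violations for `new`; an empty list means it is accepted.
    `previous` is the account's password history (plaintext here only because this is a toy)."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(new) < min_classes:
        problems.append(f"uses fewer than {min_classes} of the 4 character classes")
    stem, _ = split_stem(new.lower())
    if new.lower() in BLOCKLIST or stem in BLOCKLIST:
        problems.append("blocklisted word, with or without a digit tail")
    if any(is_trivial_rotation(old, new) for old in previous):
        problems.append("trivial rotation of a previous password")
    return problems


if __name__ == "__main__":
    for new, history in [("Asdf2345", ["Asdf1234"]), ("Peter123", []),
                         ("hello", []), ("Tia2bfb!", ["Ihs6doStw."])]:
        verdict = check_new_password(new, history) or ["accepted"]
        print(f"{new!r}: {'; '.join(verdict)}")
```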
If they have access to the server root, being administrators, they have access to the *encrypted* versions of the affected password files. From there, it is trivial to run Cain, or a similar decrypt tool, on the password list, to see which passwords get decrypted fastest. You would be amazed how fast even 9+ character long, multi-case, special character encrusted passwords can be decrypted with some nice Rainbow Tables on modern *desktop* hardware, not to mention a relatively cheap Beowulf cluster, or even a relatively simple multi-PC distributed brute-force crack. Think CRAKI-at-home. Bad passwords, like dictionary words, proper names, SSNs, and dates, can be decrypted by the most limited tools on 10 year old hardware, in a matter of minutes. Decent hardware and tools can reduce that to seconds.
You have to assume any passwords on the 'Net, encrypted or not, can be sniffed -- copied whole as they travel, with no way to detect who did the sniffing. If an encrypted password is sniffed, the same tools an administrator can use to weed out weak passwords can be used by crackers. That's why even encrypted password tokens should be further encrypted by VPN or SSL tunnels, which have other nice features to prevent Man In The Middle, and related address-spoof style attacks. These encrypted tunnels should always be used on anything other than a very physically secure LAN (and no, drywall does not make a LAN secure), and even on a LAN the overhead is low enough to use SSL anyway. I personally use a minimum of HTTPS around any Internet traffic that is intended for private use.
Likewise, e-mail is never "private" unless you use PGP, and phone conversations (VoIP and PSTN, Skype included) are never "private" unless you use something like Zphone on both ends -- as AT+T and NSA have taught us all. Who knows when the NSA will approach Skype?...
Me Takey
These tokens that banks give out, they cost less than $20. Type your pass, put the one-time token number in and on you log to your Deb dev box.
I'd be amazed if there's only one compromised distro dev box out there. And I'm not only talking Debian.
Sleepers ahoy...
<before>now</before>
They rely on the slightly more secure method of ssh keys.
In Soviet Washington the swamp drains you.
He's thinking "Hey, how would you know whether the password was insecure or not without looking at it?", and has correctly identified the fact that you shouldn't be able to work backwards from a hash to the password. However, he failed to take into account the fact that you could come up with a list of N bad passwords (say, 40,000 words pulled from a dictionary or something similar) and check them against all the passwords you have in O(N+M) time, where M is the number of accounts you need to check (constant time to hash a password, constant time to mark that hash location as "bad, collides with known bad password foo" in a hash table, constant time to lookup each password hash within your hash table and test for badness).
You could also do an O(M) search by taking any suite of password hacking tools you want, allocating them X amount of processor resources (say, 5 minutes CPU time each), and then letting them loose. Anybody whose password gets broken gets locked. In previous discussions some folks have noted that their organizations perform this check on a routine basis.
Help poke pirates in the eyepatch, arr.
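As an added illustration of the check this comment describes (constructed here, not code from the thread or from Debian), a small audit that groups accounts by salt: every account sharing a salt, which is all of them when the hashes are unsalted, is checked with one table of N hashes and one lookup each, the O(N+M) pass described above, while each distinct per-user salt costs another N hashes. The hash scheme, record format, blocklist and account records are all constructed for the example; a real /etc/shadow uses crypt(3), not this.

```python
import hashlib
from collections import defaultdict

# Constructed blocklist standing in for "40,000 words pulled from a dictionary".
BLOCKLIST = ["password", "admin", "root", "apple", "hello", "asdf1234", "iforgot"]


def toy_hash(password: str, salt: str = "") -> str:
    """Constructed scheme for this example only (not crypt(3) or md5crypt): sha256(salt + password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_record(user: str, password: str, salt: str = "") -> str:
    """Build a constructed shadow-style line 'user:salt$digest'; an empty salt marks an unsalted hash."""
    return f"{user}:{salt}${toy_hash(password, salt)}"


def parse_record(line: str):
    """Inverse of make_record: 'user:salt$digest' -> (user, salt, digest)."""
    user, rest = line.strip().split(":", 1)
    salt, digest = rest.split("$", 1)
    return user, salt, digest


# Constructed account records; the plaintexts appear only because the example has to build the file.
SAMPLE_RECORDS = [
    make_record("alice", "password"),            # unsalted, on the blocklist
    make_record("bob", "Ihs6doStw."),            # unsalted, not on the blocklist
    make_record("carol", "asdf1234", "s4lt"),    # salted, on the blocklist
    make_record("dave", "Tia2bfb!", "x9q2"),     # salted, not on the blocklist
]


def audit(records, blocklist):
    """Return (accounts_to_lock, hashes_computed).

    Accounts are grouped by salt, so every account sharing a salt (all of them when hashes are
    unsalted) is checked with one table of N hashes and a dict lookup per account: O(N + M).
    Every extra distinct salt costs another N hashes, which is how per-user salts push a full
    audit towards O(N * M); the O(N + M) estimate in the comment above assumes a shared hash."""
    by_salt = defaultdict(lambda: defaultdict(list))   # salt -> digest -> [users]
    for user, salt, digest in map(parse_record, records):
        by_salt[salt][digest].append(user)
    to_lock, hashes = set(), 0
    for salt, digests in by_salt.items():
        for word in blocklist:
            hashes += 1
            to_lock.update(digests.get(toy_hash(word, salt), []))
    return to_lock, hashes


if __name__ == "__main__":
    locked, n = audit(SAMPLE_RECORDS, BLOCKLIST)
    print(f"lock {sorted(locked)} after {n} hash computations "
          f"({len(BLOCKLIST)} words x {len({parse_record(r)[1] for r in SAMPLE_RECORDS})} salts)")
```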
dictionary attack with custom dictionaries (star wars, star trek, LoTR, DnD, Shadowrun, david weber, william gibson)
that will result in a devastating number of password cracks.
Snowden and Manning are heroes.
People really need to think about how their product names parse when the words are run together and all one case. This is a particularly bad case, because there is only one way to parse "keepass" into real English words, and it's not the way they wanted. I'm sure they liked the idea of sharing the last letter of the first word with the first of the last, and sometimes it works. Other times, though, you end up naming your project "Keep Ass"
Cracking passwords when you have access to the non-reversible hashed versions of the passwords (aka "/etc/shadow") can be trivially easy on modern hardware, when using a tool such as John the Ripper, or, if you have a lot of spare harddrive space (and RAM), RainbowCrack. If this box was using md5 hashes (most likely), JTR on modern hardware can easily crack 8,000+ passwords a second, which, when combined with advanced password guessing techniques, will most likely find weak passwords within an hour or two.
And so we go, on with our lives
We know the truth, but prefer lies
Lies are simple, simple is bliss
Believe me, the Debian project does not store passwords in the clear.
As administrators they have access to the shadow file that contains hashed versions of all the passwords. What they did was run a cracking utility against the shadow file to pick out weak passwords. Usually these cracking utilities use brute force dictionary attacks to try and randomly guess the password. If the utility was able to guess a password quickly, that password was definitely not secure. It's as simple as that.
I encourage you to read more about the topic, it's a fascinating one. Wikipedia has an interesting article at http://en.wikipedia.org/wiki/Password_cracking/.
Password Safe.
http://passwordsafe.sourceforge.net/
It was only after I installed password safe that I began using strong passwords on more than just a few accounts.
As mentioned above, probably John the Ripper is how they found weak passwords. (Not knowing this removes some credibility from your comments, as that tool has been around for about a decade, and programs like crack and pwc have been around even longer.)
Running an old kernel, against their own recommendations, is something that is a little hard to understand.
Finding weak passwords is trivial.
Work bio at MMWD
Reply posters,
Interesting comments (except that one anon creature).. Yes, when one has access to the hashed password files, the test is a lot easier than a wholesale crack.
And the net is not exactly a place to send anything that one doesn't want sniffed, is it.
But by leaving us to guess why & how, Debian did leave the door open to speculation on just what they did that opened this vulnerability and what they did to "determine" there were weak passwords. And I was not knocking the Debian code, just the management errors that led to this particular problem.
And the question about the kernel version is also a valid curiosity, isn't it. btw do they actually know that this was a hack from outside, entirely outside?
As to credibility, would rather see a good open discussion than waste time with name calling any day.
Oh yeah? Someone has been playing on their network for months, and we know of it only because one of their employees blabbed about it.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
The story title is a bit misleading; only accounts with bad passwords or those who (for $DEITY knows what reason) appeared to have private keys on gluck were locked out. Everyone who has sane passwords and/or only uses ssh keys to log into their accounts still have access.
Of course, anyone who could actually log in already knows this because they've read d-d-a (or have already logged in.) In any event, rather troubling that the PRCTL bug managed to find its way into the kernel, but good that the intrusion was caught relatively quickly and neutralized.
http://www.donarmstrong.com
As no doubt others will make the same case, the difference here is not that Debian got pwned or the Microscum (personal bias aside
Anyone know of the latest citibank cracks? Funny, no banks will tell us that they have been cracked, yet they are not ripped on as much...
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
I find it interesting that they would know what accounts have weak passwords... does that mean that they are storing them in clear-text somewhere? If not, then how do they know?
The sites we build and administer only store hashes of the password, or something similarly obfuscated.
But yeah, the public-key ssh2 access previously mentioned seems like the only "proper" method for their access.
Oh well... hindsight is 20/20.
$0.02 (CDN)
Dear Mr finiteSet,b ut_!_pr0m!s3_n0t_t0_d0_!t_@g@!n_s0_l0ng_@s_!_l!v3
To punish you for using such a weak password to your Debian developer account we have changed your password to the following:
!_@m_@n_!ns3ns!t!v3_cl0d_wh0_us3s_w3@k_p@ssw0rds_
Enjoy
The Debian team
Only to idiots, are orders laws.
-- Henning von Tresckow
Few and far between.
In Windows? Well, at some point is not even news (MS just stopped support to an estimated 70 million of pre W2K users, talk about a mega insecurity incubator).
Windows security is a joke that leaves a bad aftertaste in your mouth. Even their "most secure" rubbish relies on putting bits and pieces in machines' registry where they can be easily harvested. And their security model has been broken for years.
IANAL but write like a drunk one.
Reduce, reuse, cycle
Seems to me that taping such information to sysadmins' foreheads would be a lot like placing a post-it note with password hints on the edge of the monitor.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
"Due to the short window between exploiting the kernel and Debian admins noticing, the attacker hadn't time/inclination to cause much damage," wrote Schulze.
"The only obviously compromised binary was /bin/ping. The compromised account did not have access to any of the restricted Debian hosts. Hence, neither the regular nor the security archive had a chance to be compromised."
It seems like nothing much really happened. I mean, if this is all a hacker is capable of even with root access to a major Debian server, then what's all the fuss about?
If an attacker has your password, they're not likely to let you know about it. Changing your password regularly (no matter how 'strong' it is) limits your exposure.
How hard is it to make a couple a character alpha-numeric passwords and dedicate them to memory? After maybe a week with it written down in your wallet for reference, you'll have them memorized and have no problems!!! Then you just have to worry about yourself muttering them in your sleep....
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
How does one choose users, aka developers, on Debian?
If, for instance, someone wants to be a Debian developer, creates his account Bill.Gates@debian.org, chooses a weak password on purpose (does not matter) and then has been in contact with evil@hacker.org who managed to get the password.
In case Bill Gates would obtain developer status, I wouldn't wonder if he would open source his password to any hacker around.
But seriously, no FUD: How do they work to trust their developers?
I can't imagine I'm writing a little tiny app, knock on the Debian door and they would open it. This is user trust policy.
If you are in need of a strong password, use the following recipe:
Think of a sentence with 6-10 words with a number in it.
- The number can be inside one of the words.
- If you manage to have multiple Capital words in the sentence, your password gets stronger.
Then take the first letter and write the numbers as digit, include the point,
question mark, exclamation point at the end and you got a strong password.
Today i ate two buns for breakfast! -> Tia2bfb!
I have seen six dups on Slashdot this week. -> Ihs6doStw.
Can you memorize all four new passwords? -> Cyma4np?
And today: A new password for my debian account! -> At:1npfmda!
Works fine for me and is fairly easy to memorize.
http://www.sysinternals.com/blog/2006/05/power-in-power-users.html
Local escalation vulnerabilities have long been a feature of Microsoft Windows!
But seriously, that's a good article about why it's not a good idea to give other users Power User privileges. It might help with securing a system too.
As a long time Debian user I am not so surprised by this - it is just the reality when you operate a system with thousands of user & shell accounts all over the world. It isn't that big of a deal if the debian admins respond correctly, which they always do, but it looks bad.
The issue that gets me is this is the second time the Debian system has been compromised, and in the exact same way - a local kernel exploit from a compromised DD account. As good as the Debian security team is, they are frankly terrible with the kernel. The Linux kernel has continual local security exploits (I am not in denial about that); these don't matter so much for most deployments but for the Debian system they are absolutely critical because of all the shell accounts. The Debian kernel team really needs to work out something better (though I know the issue is more complicated than that); this is the one thing Red Hat does very well. I cannot for the life of me understand why debian servers kernels are not upgraded continually. The downtime is immaterial compared to something like this.
http://en.wikipedia.org/wiki/Humour
hth.
my password really is 'stinkypants'
Passwords that are infinitely strong against guessing will instead be monitored when even a careful person accidentally uses it for FTP, telnet, or an unencrypted IMAP or POP connection, or when some exploit gets put in place on the servers to report other people's passwords.
If you don't believe that this happens, you don't remember the SSH crack that happened some 5 years ago, where companies all over the world had their SSH daemons replaced with one that logs and reports users' local passwords.
To have a right to do a thing is not at all the same as to be right in doing it
Permutations is the word you were looking for.
You better watch out, there may be dogs about . .
I'm really not a spelling-nazi! No excuses necessary.
You better watch out, there may be dogs about . .
Uh, maybe because I was using sendmail instead of exim?
FWIW, I switched over to CentOS - which had a fix for the sendmail bug the same day it was announced.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Is anyone else wondering why someone would be trying to break into the development server of the Debian distribution?
Maybe someone is trying to "own" every Debian-based machine by slipping their own "minor bug" into it undetected.
This is where distributed, public-key-signed version control (like in monotone) would save the day. No one would be able to sneak something into the version-control archive because all change packets are uniquely identified and signed with a developer's public key.
How did he get root from shelling in as a user?
I was under the impression that exploits are patched as soon as they are discovered.
I'd hope a Debian developer machine wouldn't allow any kind of known exploit.
And use it for other sites: People often only change their password at the site where they're forced to, but leave it intact elsewhere, begging to have their accounts invaded on those other machines.
That will be _SO_ helpful when you lock yourself out of your own system.
Will be great if your hard drive fails, keychain with your memory key gets stolen, or you're not at your office computer.
Rat our passwords all you want, but combined with throttling/limiting/detection on the server passwords are about as secure as they come. Note my qualifier here. There are tons of scripts, and I run them on all of my servers, that will parse
These scripts are readily available on the net, and are easy to make as well.
This will protect against brute force and easy passwords. Now, your users just naming their password after their dog will always be a problem. Requiring complexity (a number or mixed case) will be key to securing those passwords, although I'm sure they are directly correlated with an increase in support calls.
-M
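As an added example of the kind of log-watching script the parent describes (constructed here, not the poster's scripts and not fail2ban), a pass over sshd syslog lines that counts failed logins per source address in a sliding window, marks a source for blocking once it crosses a threshold, and separately flags a successful login that follows a burst of failures from the same source, while a single typo before a good login stays quiet. The log lines, hostname, PIDs, addresses (RFC 5737 documentation ranges), year and thresholds are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines; hostname, PIDs and addresses (RFC 5737 ranges) are made up.
SAMPLE_LOG = """\
Jul 12 03:14:00 host1 sshd[2010]: Server listening on 0.0.0.0 port 22.
Jul 12 03:14:01 host1 sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jul 12 03:14:03 host1 sshd[2012]: Failed password for root from 198.51.100.7 port 40123 ssh2
Jul 12 03:14:04 host1 sshd[2013]: Failed password for invalid user test from 198.51.100.7 port 40124 ssh2
Jul 12 03:14:06 host1 sshd[2014]: Failed password for bob from 198.51.100.7 port 40125 ssh2
Jul 12 03:14:07 host1 sshd[2015]: Failed password for bob from 198.51.100.7 port 40126 ssh2
Jul 12 03:14:09 host1 sshd[2016]: Accepted password for bob from 198.51.100.7 port 40127 ssh2
Jul 12 03:20:11 host1 sshd[2031]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jul 12 03:31:45 host1 sshd[2040]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Jul 12 03:31:50 host1 sshd[2041]: Accepted publickey for alice from 203.0.113.5 port 51002 ssh2
"""

# Matches the login-result lines only; anything else sshd logs is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies one (constructed as 2006 below)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text: str, threshold: int = 5, window_seconds: int = 60,
            suspicious_after: int = 3, year: int = 2006) -> dict:
    """Sliding-window brute-force detection over sshd lines.

    A source reaching `threshold` failures inside `window_seconds` is marked for blocking at the
    timestamp it crossed the line. A successful login from a source with at least
    `suspicious_after` failures still inside the window is flagged, because a guess that finally
    worked is the event that matters most; alice's lone typo before a key login is not flagged."""
    recent = defaultdict(deque)          # ip -> failure timestamps still inside the window
    failures = defaultdict(int)          # ip -> total failures seen
    blocked, suspicious = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # not a login result
        ts, ip, user = m["ts"], m["ip"], m["user"]
        now = parse_ts(ts, year)
        q = recent[ip]
        while q and (now - q[0]).total_seconds() > window_seconds:
            q.popleft()                  # expire failures that fell out of the window
        if m["result"] == "Failed":
            q.append(now)
            failures[ip] += 1
            if len(q) >= threshold and ip not in blocked:
                blocked[ip] = ts
        elif len(q) >= suspicious_after:
            suspicious.append((user, ip, ts))
    return {"blocked": blocked, "suspicious_logins": suspicious, "failures_per_ip": dict(failures)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, ts in report["blocked"].items():
        print(f"block {ip} (threshold reached at {ts})")
    for user, ip, ts in report["suspicious_logins"]:
        print(f"ALERT: {user} logged in from {ip} at {ts} right after a burst of failures")
    print("failures per source:", report["failures_per_ip"])
```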
when you see the word 'Linux', drink!
My workplace does that lockout after short time-out...it doesn't do much when you have to tape the password on the monitor. It also makes it impossible to gracefully shut down the machine when someone else is logged in. I think the practice is a result of somebody reading Sarbanes-Oxley and freaking out. Can't blame 'em too much; if I had to read SarBox I probably would freak out too.
It would help if they required SSH keys plus strong passwords.
This is simply a fact of life. Sure, you can come up with a really long and hard to guess password, but beyond a certain point, you end up with something obnoxious, hard to remember, or something that simply gets cycled about a bunch of places.
Real (cheap and reasonably strong) security requires a mix of keys. For example, a synchronized pseudorandom number generator, a hashed passfile, followed by the standard text password. Still not perfect, because the pseudorandom number sequence can be cracked and the hashed passfile (both stored, say, on a USB drive) can be compromised, but a layered approach provides the best blend of ease-of-use and security.
The problem is (especially on a free project like Debian), how do you pay for the (physical) keys and who issues them? Can it be done without unfairly creating a barrier to participation?
There shouldn't be any passworded accounts on a developer machine at all. It should be SSH access via public key only, period end of story. I stopped using remotely accepted passwords over a decade ago. Passwords are only accepted on the console.
Come on, folks. This is UNIX-101. Don't be stupid.
-Matt
It's easier to require developers to have secure passwords than to force them to run things like fail2ban on their personal machines. If the attacker compromised the developer's machine, then used that info to log into the main debian server, well... they're still boned.
My blog. Good stuff (when I remember to update it). Read it.
Umm actually no, my rebuttal would be the large chunks of windows 2000 source code that was ripped out of the internal MS network by a hacker. Would that be considered "having their arses handed to them"?
Why am I forced to use weak passwords just because some developer somewhere can't figure out how to allow a " or a \ in a string?
Why would you assume there's a stupid developer who can't figure this out? Isn't it more likely the prototype system didn't use an escape mechanism and the developer had one on his TODO list and his manager told him to FUTURE it?
Occam's Razor if you ask me.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I don't see why I was modded troll, I have no hate for Debian nor love for Microsoft. It is simply a funny news story. Does anyone know if the exploit already had a patch? And how long ago was the patch released? And what is Debian's excuse for not patching?