Slashdot Mirror
Debian Locks Out Developers
daria42 wrote in with an update to an earlier story about a Debian server that was compromised. He explains: "The Debian GNU/Linux project has discovered a compromised developer account was used to gain access to a server compromised this week. A local kernel vulnerability was then used to gain root access. Due to this, a number of developers with weak passwords have been locked out of their system accounts." To be fair, they'll most likely be let in once everything's back to normal. Of course, they'll probably need to set safer passwords too.
That wonderful feeling of making the password hard to guess, but easy to recall.
Marge, get me your address book, 4 beers, and my conversation hat.
I guess this means that there are a lot of ubuntu users out there who are vunerable right now... how long for the patch?
Also, the article seems to be a little out. Shouldn't it be just 2.6.12 -> 2.6.17.4 as this includes 2.6.16 -> 2.6.16.24
Does it go on forever?
Time to enforce a 200 character minimum for passwords.
Hopefully then they will also implement a good set of password rules and enforce them to protect themselves from future problems. Where I work they require 3 out of the 4 rules to be met such as mixed case, numbers and special characters... of course they also make us change our password every 30 days so i've discovered that people have taken to doing things like Asdf1234 and then when the password requires changing changing it to Asdf2345... Doh.
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
Why when this happens on a Windows server is "OMG! Windows is insecure! M$ is evil!!!!"
But with this its "Oh just set more difficult passwords"...
Bill G.
Why don't they just have the developers use ssh2 keys? I didn't know anyone actually used passwords on secure systems for authentication...
I guess I should be more specific. My point was that people were puting strings of letters and or numbers in sequence as their password because they were forced to change them so frequently. I would argue that any string which is sequential is less secure then a randomized number. Like putting 1234 as your ATM pin... it leads to easy shoulder serfing.
Thus people would pick their first name, Peter123 if I was to use my own name as an example. I'm comparing this to passwords that I had to use at Sandia National Labs which were randomized letters and number strings generated by computer, the user was presented with a screen of 30 passwords and you were allowed to pick any of the 30, or to generate a screen of 30 more passwords... The people would pick things that made sense to them but were completely randomized and were never a dictionary word or even a common short hand for the words etc.
Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
...but it's Linux!
I have noticed what you talk about though I've seen it go to further extremes. While at work (we run a mainly Windows network with a few hundred users) I've done further education (out side of Uni) at Australian TAFEs (basically vocational collages) in Queensland - the TAFE I went to runs a pure Windows network with around twenty thousand plus users over several sites...Any one who has been to one of these TAFEs understands how much of a raping they have taken from Microsoft, and I say raping because they run the 'perfect Windows network' following all of Microsoft guidelines etc which mean some machines take over fifteen minutes to log in and are laggy as all hell once they are in.
:)
Anyway onto the topic. They also follow the recommended guidelines for passwords which includes at least one capital, two numbers, over six chars, and cannot be any of your previous passwords (with I believe a 80% match so you can't just add a 1 or a 2 to it) and these roll every thirty days. Now as a geek I have my own unique password system where no two are the same, they are long, and they have numbers, and at least one capital - unfortunately there is only five or six possible combinations that meet the password system for each item meaning after five months going to this TAFE (I was there a year part time) I ran out of passwords. This put me on the tred mill that every one else had been on for a few months (they did a fresh roll over to XP from 98 at the start of last year) of forgetting the password (that I made up to get into the system after my old one expired) or where I wrote it down (yes, every one wrote down their passwords in blatant places so they could find them again, which to me makes passwords null anyway) and then starting to use generic passwords that every one else was using that month for example t4f3IsShit or fUkp455words and the like. As you can probably see this just ends up a mockery of the idea.
So basically the point I'm trying to make is you have to be careful with what you mean by a 'good set of password rules' as if you go overboard even to the slightest extent (as I've seen happen time and time again) passwords just become a joke and you may as well not have them.
Personally I've found that if you teach people/users what a secure password is, teach them not to tell it to any one, get them to use firefox to avoid keyloggers, and then enforce a six to twelve month roll over no problems ever come up. That's my happy medium and 2cents anyway.
I ate your fish.
By running cracking tools against them, of course.
Locking them out is totally fair, and imho it's the responsible thing to do.
STRONG passwords should be enforced (hell, mandatory keyed logins would be better) on machines like this (which are fairly attractive targets for abuse)...
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Goodness, no! This might push them behind schedule!
Mod me down with all of your hatred and your journey towards the dark side will be complete!
There's no way you could be dumb enough to actually think that.
How the hell could this be modded insightful? The whole point of changing passwords is so that the compromise of one password doesn't lead to unlimited access or the compromise of future passwords.
If a password is so secure that it can't be guessed, then why change it? If it's so weak that it gets guessed monthly, changing just one digit doesn't do shit.
And if the system gets compromised, you reinstall and choose a totally different password.
Seriously, this must be the most stupid advice I've seen and it's currently +2, Insightful. Scary.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
John the Ripper most likely. Great tool - recovered the root password for a SGI box a friend bought on eBay in less than a second (your password may vary.)
Believe me, the Debian project does not store passwords in the clear.
As administrators they have access to the shadow file that contains hashed versions of all the passwords. What they did was run a cracking utility against the shadow file to pick out weak passwords. Usually these cracking utilities use brute force dictionary attacks to try and randomly guess the password. If the utility was able to guess a password quickly, that password was definitely not secure. It's as simple as that.
I encourage you to read more about the topic, it's a fascinating one. Wikipedia has an interesting article at http://en.wikipedia.org/wiki/Password_cracking/.
The story title is a bit misleading; only accounts with bad passwords or those who (for $DEITY knows what reason) appeared to have private keys on gluck were locked out. Everyone who has sane passwords and/or only uses ssh keys to log into their accounts still have access.
Of course, anyone who could actually log in already knows this because they've read d-d-a (or have already logged in.) In any event, rather troubling that the PRCTL bug managed to find its way into the kernel, but good that the intrusion was caught relatively quickly and neutralized.
http://www.donarmstrong.com
As no doubt others will make the same case, the difference here is not that Debian got pwned or the Microscum (personal bias aside
Anyone know of the latest citibank cracks? Funny, no banks will tell us that they have been cracked, yet they are not ripped on as much...
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
Dear Mr finiteSet,b ut_!_pr0m!s3_n0t_t0_d0_!t_@g@!n_s0_l0ng_@s_!_l!v3
To punish you for using such a weak password to your Debian developer account we have changed your password to the following:
!_@m_@n_!ns3ns!t!v3_cl0d_wh0_us3s_w3@k_p@ssw0rds_
Enjoy
The Debian team
Only to idiots, are orders laws.
-- Henning von Tresckow
Reduce, reuse, cycle
"Due to the short window between exploiting the kernel and Debian admins noticing, the attacker hadn't time/inclination to cause much damage," wrote Schulze.
"The only obviously compromised binary was /bin/ping. The compromised account did not have access to any of the restricted Debian hosts. Hence, neither the regular nor the security archive had a chance to be compromised."
It seems like nothing much really happened. I mean, if this is all a hacker is capable of even with root access to a major Debian server, then what's all the fuss about?
If you are in need of a strong password, use the following recipe:
Think of a sentence with 6-10 words with a number in it.
- The number can be inside one of the words.
- If you manage to have multiple Capital words in the sentence, your password gets stronger.
Then take the first letter and write the numbers as digit, include the point,
question mark, exclamation point at the end and you got a strong password.
Today i ate two buns for breakfast! -> Tia2bfb!
I have seen six dups on Slashdot this week. -> Ihs6doStw.
Can you memorize all four new passwords? -> Cyma4np?
And today: A new password for my debian account! -> At:1npfmda!
Works fine for me and is fairly easy to memorize.