Slashdot Mirror


Debian Locks Out Developers

daria42 wrote in with an update to an earlier story about a Debian server that was compromised. He explains: "The Debian GNU/Linux project has discovered a compromised developer account was used to gain access to a server compromised this week. A local kernel vulnerability was then used to gain root access. Due to this, a number of developers with weak passwords have been locked out of their system accounts." To be fair, they'll most likely be let in once everything's back to normal. Of course, they'll probably need to set safer passwords too.

13 of 331 comments

  1. Ah. balance by Kid+Zero · · Score: 5, Insightful

    That wonderful feeling of making the password hard to guess, but easy to recall.

    1. Re:Ah. balance by finiteSet · · Score: 5, Funny
      That wonderful feeling of making the password hard to guess, but easy to recall.
      If you are like me, it seems like almost every day the bank or eBay is emailing about a new upgrade to the system, one that requires entering your old and new passwords, social security numbers, bank account numbers, and so on. Accordingly, I've developed some simple tips for coming up with a hard-to-crack but easy-to-remember password:
      • Short but strong: you can make the password relatively short (e.g. one character) so that it is easy to remember, but random enough to be hacker-proof. Do you really think someone would guess 'q' or 'z' ?
      • Long but simple: if you are unsatisfied with the previous strategy, try this one on for size: the longer the better. So instead of 'a', you might want to use 'aaaaaaaaaaaa'. ('0000000' works, too.)
      • Mirror Mirror: use your username as your password and cut the memory load in half!
      • Long and strong: for the absolutely mission critical stuff, you may have to spice it up. Pair a common dictionary word, like 'dog', 'log' or 'hog' with a small digit ('1', '2', and so on), and you're golden.
      • Final Notes: don't forget to recycle your old passwords and - please - keep a public list!
      --
      If we start buying CDs then the terrorists have already won.
    2. Re:Ah. balance by Millenniumman · · Score: 5, Funny

      "and starting today, all passwords must contain letters, numbers, doodles, sign language and squirrel noises."

      --
      Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
  2. password requirements by PetriBORG · · Score: 5, Insightful

    Hopefully then they will also implement a good set of password rules and enforce them to protect themselves from future problems. Where I work they require 3 out of the 4 rules to be met, such as mixed case, numbers and special characters... of course they also make us change our password every 30 days, so I've discovered that people have taken to doing things like Asdf1234 and then, when the password requires changing, changing it to Asdf2345... Doh.

    --
    Pete/Petri "damn, my chainsaw is clogged with 1's and 0's again." --clyde
  3. ssh2 keys? by saleenS281 · · Score: 5, Insightful

    Why don't they just have the developers use ssh2 keys? I didn't know anyone actually used passwords on secure systems for authentication...

  4. B...b...b... by htnprm · · Score: 5, Funny

    ...but it's Linux!

  5. Secure Passwords lead to Insecure Passwords by cloricus · · Score: 5, Interesting

    I have noticed what you talk about, though I've seen it go to further extremes. While at work (we run a mainly Windows network with a few hundred users) I've done further education (outside of Uni) at Australian TAFEs (basically vocational colleges) in Queensland - the TAFE I went to runs a pure Windows network with around twenty thousand plus users over several sites... Anyone who has been to one of these TAFEs understands how much of a raping they have taken from Microsoft, and I say raping because they run the 'perfect Windows network' following all of Microsoft's guidelines etc., which means some machines take over fifteen minutes to log in and are laggy as all hell once they are in.

    Anyway, onto the topic. They also follow the recommended guidelines for passwords, which include at least one capital, two numbers, over six chars, and cannot be any of your previous passwords (with, I believe, an 80% match, so you can't just add a 1 or a 2 to it), and these roll every thirty days. Now as a geek I have my own unique password system where no two are the same, they are long, and they have numbers and at least one capital - unfortunately there are only five or six possible combinations that meet the password system for each item, meaning after five months going to this TAFE (I was there a year part time) I ran out of passwords. This put me on the treadmill that everyone else had been on for a few months (they did a fresh roll over to XP from 98 at the start of last year) of forgetting the password (that I made up to get into the system after my old one expired), or where I wrote it down (yes, everyone wrote down their passwords in blatant places so they could find them again, which to me makes passwords null anyway), and then starting to use generic passwords that everyone else was using that month, for example t4f3IsShit or fUkp455words and the like. As you can probably see this just ends up a mockery of the idea.

    So basically the point I'm trying to make is you have to be careful with what you mean by a 'good set of password rules', as if you go overboard even to the slightest extent (as I've seen happen time and time again) passwords just become a joke and you may as well not have them.

    Personally I've found that if you teach people/users what a secure password is, teach them not to tell it to anyone, get them to use Firefox to avoid keyloggers, and then enforce a six to twelve month roll over, no problems ever come up. That's my happy medium and 2 cents anyway. :)

    --
    I ate your fish.
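Two rules come up in this thread: PetriBORG's "3 out of 4 character classes, rotate every 30 days" policy, which people satisfy with Asdf1234 followed by Asdf2345, and the "cannot be within an 80% match of a previous password" rule cloricus describes. The checker below is an added example, not code from Debian or from either poster; it assumes an 8-character minimum and uses Python's difflib similarity ratio as one possible reading of "80% match" (the thread does not say how that match is computed). It shows that the complexity rule alone accepts the Asdf1234 -> Asdf2345 increment, while the similarity rule catches it.

```python
"""Password-policy checker: complexity classes plus similarity to old passwords.

Added example for the Slashdot thread above; the thresholds (8 chars, 3 of 4
classes, 80% similarity) are assumptions taken from the comments, not a real
policy of any organisation named there.
"""
from __future__ import annotations

import difflib
import string

MIN_LENGTH = 8          # assumed minimum; the thread only says "over six chars"
MIN_CLASSES = 3         # PetriBORG: 3 out of the 4 rules
MAX_SIMILARITY = 0.8    # cloricus: an 80% match to a previous password is rejected


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, punctuation) occur."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def meets_complexity(password: str) -> bool:
    """The '3 of 4' rule on its own. Note that 'Asdf1234' passes it."""
    return len(password) >= MIN_LENGTH and character_classes(password) >= MIN_CLASSES


def similarity(old: str, new: str) -> float:
    """Ratio in [0, 1] from difflib; case-folded so Asdf1234 vs asdf2345 still counts.

    This is one concrete interpretation of an '80% match'; real password
    systems may compare differently (e.g. edit distance), so treat the
    metric as an assumption.
    """
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()


def check_password(new: str, history: list[str]) -> tuple[bool, str]:
    """Apply complexity first, then reject anything too close to a past password.

    Returns (accepted, reason) so a caller can show the user why it failed.
    """
    if not meets_complexity(new):
        return False, f"needs {MIN_LENGTH}+ characters and {MIN_CLASSES} of 4 character classes"
    for old in history:
        score = similarity(old, new)
        if score >= MAX_SIMILARITY:
            return False, f"too similar to a previous password ({score:.0%} match)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the increment pattern described in the thread.
    previous = ["Asdf1234"]
    for candidate in ("Asdf2345", "password", "correct-Horse7"):
        print(candidate, check_password(candidate, previous))
```

The point of the example is the gap between the two rules: the complexity rule is satisfied by the very pattern the comment complains about, and only the history/similarity rule stops the monthly +1 trick. A similarity threshold also has a cost, which cloricus's comment illustrates: tight enough rules push people toward writing passwords down or converging on shared ones.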
  6. Re:kernel exploited... by scum-e-bag · · Score: 5, Informative

    According to the ubuntu-security-announce lists, the current up to date kernel version is 2.6.15-26.44. This was released 3 days ago, before the debian server compromise was announced. According to the zdnet report, this version falls within the exploitable.

    I made a mistake in my initial post, slip of the finger, 2.6.13* not 2.6.12*

    --
    Does it go on forever?
  7. Re:I wonder... by Anonymous Coward · · Score: 5, Insightful

    Did you fail to understand what a remote exploit is?

    Here, let's try an analogy. In this case someone left the door to the building unlocked. A burglar got in. He then methodically cracked the safe, and took the money from within.
    Following this, "MSFanBoi" posts to slashdot making a false equivalency between that and the Win building where the locks were defective and the money was taken from where it was sitting on the floor. (The windows exploits being criticised are remote, the linux exploit was local-only. In the latter, you have to actually break in before they are useful.)
    Do you still fail to see the difference?

  8. Re:WTF?!!! by linvir · · Score: 5, Funny
    Old password:
    > ******
    New password:
    > *****
    Retype new password:
    > *****

    WARNING
    This is a really stupid password, the kind that would put this entire computer at risk.
    Are you sure you want to continue?
    [ Y / n ]
    > Y

    BASTARD
    Okay then, fuck you. Your account has been completely cleared out, to help you understand the importance of choosing a secure password.

    Now, let's try again, shall we?
    Old password:
    >
  9. Accounts with bad passwords locked, not all by dondelelcaro · · Score: 5, Informative

    The story title is a bit misleading; only accounts with bad passwords or those who (for $DEITY knows what reason) appeared to have private keys on gluck were locked out. Everyone who has sane passwords and/or only uses ssh keys to log into their accounts still has access.

    Of course, anyone who could actually log in already knows this because they've read d-d-a (or have already logged in.) In any event, rather troubling that the PRCTL bug managed to find its way into the kernel, but good that the intrusion was caught relatively quickly and neutralized.

    --
    http://www.donarmstrong.com
  10. Your new Debian password. by Savage-Rabbit · · Score: 5, Funny

    Dear Mr finiteSet,
    To punish you for using such a weak password to your Debian developer account we have changed your password to the following:
    !_@m_@n_!ns3ns!t!v3_cl0d_wh0_us3s_w3@k_p@ssw0rds_but_!_pr0m!s3_n0t_t0_d0_!t_@g@!n_s0_l0ng_@s_!_l!v3

    Enjoy
    The Debian team

    --
    Only to idiots, are orders laws.
    -- Henning von Tresckow
  11. howto: strong passwords by dune73 · · Score: 5, Insightful

    If you are in need of a strong password, use the following recipe:

    Think of a sentence with 6-10 words with a number in it.
    - The number can be inside one of the words.
    - If you manage to have multiple Capital words in the sentence, your password gets stronger.

    Then take the first letter of each word and write the numbers as digits, include the period,
    question mark or exclamation point at the end, and you've got a strong password.

    Today i ate two buns for breakfast! -> Tia2bfb!
    I have seen six dups on Slashdot this week. -> Ihs6doStw.
    Can you memorize all four new passwords? -> Cyma4np?
    And today: A new password for my debian account! -> At:1npfmda!

    Works fine for me and is fairly easy to memorize.
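The recipe above is mechanical enough to write down as code. The function below is an added example, not dune73's own tool: it takes the first character of each word, replaces number words with digits, and keeps any punctuation attached to a word (so the trailing "!", "?" or "." survives, as does the colon in "today:"). It reproduces the first three of the poster's examples exactly; the fourth example writes the article "A" as the digit 1, which is the poster's own choice and is not encoded here, so the function yields "At:Anpfmda!" for that sentence. The number-word table is a constructed assumption covering zero to ten.

```python
"""Sentence-to-password derivation following the recipe in the comment above.

Added example; the mapping of number words to digits is an assumption
(only zero..ten are covered) and the treatment of punctuation follows
the poster's worked examples rather than any formal specification.
"""
from __future__ import annotations

import string

# Assumed table: number words that become digits in the derived password.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
}


def derive_password(sentence: str) -> str:
    """Apply the recipe: first letter per word, number words as digits, punctuation kept."""
    parts: list[str] = []
    for word in sentence.split():
        # Separate the word body from any punctuation glued to its end ("today:" -> "today", ":").
        core = word.rstrip(string.punctuation)
        tail = word[len(core):]
        if core.lower() in NUMBER_WORDS:
            parts.append(NUMBER_WORDS[core.lower()])
        elif core:
            # Case is preserved, so capitalised words add upper-case characters.
            parts.append(core[0])
        parts.append(tail)
    return "".join(parts)


def strength_hint(password: str) -> dict[str, int]:
    """Length and number of character classes present, for a quick sanity check.

    Derived passwords are only as long as the sentence has words, so an
    8-character result from an 8-word sentence is the typical outcome.
    """
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))
    return {"length": len(password), "classes": classes}


if __name__ == "__main__":
    # The poster's own sample sentences, used here as test input.
    for sentence in (
        "Today i ate two buns for breakfast!",
        "I have seen six dups on Slashdot this week.",
        "Can you memorize all four new passwords?",
        "And today: A new password for my debian account!",
    ):
        pw = derive_password(sentence)
        print(f"{sentence} -> {pw} {strength_hint(pw)}")
```

One thing the code makes visible that the prose does not: a sentence of 6-10 words yields a 7-to-11 character password, so the length comes entirely from the word count, and the memorability comes from the sentence, not from the resulting string. Longer sentences, or keeping whole short words instead of just initials, are the straightforward way to stretch the result without giving up the recipe.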