Linked by Thom Holwerda on Thu 13th Jul 2006 09:24 UTC, submitted by george
Debian and its clones
The Debian GNU/Linux project today admitted a hacker had compromised one of its internal servers. "Early this morning we discovered that someone had managed to compromise gluck.debian.org," Debian developer James Troup wrote in an e-mail to the Debian community. "We've taken the machine offline and are preparing to reinstall it," Troup continued, noting a number of key services were currently offline as a result.
Just goes to show....
by hhcv on Thu 13th Jul 2006 09:52 UTC
hhcv
Member since:
2005-11-12

I think it is great that they have let this news out.. If anything it just goes to prove how secure a Debian system can be... How many times has Microsoft acknowledged something like this happening?

Reply Score: 5

What hack?
by atsureki on Thu 13th Jul 2006 10:24 UTC
atsureki
Member since:
2006-03-12

It was very irresponsible of this article, or the Debian devs, or wherever the choke on info took place not to go into further detail about this hack. The article makes it sound like they have a specific exploit in mind as the vector, and yet it gives no information on what it was, or even where it was (kernel, services, which service, which version, etc.)

Now that I think about it, not going into detail is very conducive to FUD, isn't it? Debian was hacked, therefore Debian is insecure. Debian is Linux, therefore Linux is insecure. Names are tarnished and money is made for the advertiser in the scrolling text in the upper right. Another fine "Microsoft doesn't have the monopoly on swiss cheese" article.

Reply Score: 0

RE: What hack?
by velko on Thu 13th Jul 2006 10:36 UTC in reply to "What hack?"
velko Member since:
2006-06-19

Now that I think about it, not going into detail is very conducive to FUD, isn't it? Debian was hacked, therefore Debian is insecure. Debian is Linux, therefore Linux is insecure.

Calm down - this is no FUD. The server was compromised, so the article tells the truth. With comments like this you just feed the MS trolls. There are no details because the analysis is not done yet. It may take days or weeks until it is clear how that happened. But rest assured that Debian will disclose the whole information about it.

You may take a look at http://www.debian-administration.org/articles/417 but it does not say much more. I hoped I'd find an insightful comment but still to no avail. Hopefully in a couple of hours, though...

Reply Score: 5

RE[2]: What hack?
by atsureki on Thu 13th Jul 2006 12:32 UTC in reply to "RE: What hack?"
atsureki Member since:
2006-03-12

From the article: Troup added Debian would commence securing its other servers from "what we suspect is the exploit used to compromise gluck".

Tell us what you suspect! If I were running important services on Debian, I'd want to know exactly where the point of vulnerability is. It just seems to me they should be a lot more open source about their investigation. A lot of people rely on Debian. Give them some heads up here.

And I know the article isn't in itself fud; I was just suspicious of the way it was reported and began to wonder if ZDNet had the same leanings as C|Net. Turns out that much was the Deb dev's fault, so I'll turn the sword around: it's very bad for credibility and trustworthiness to act this way in response to a flaw, namely reporting that you've got your own servers under control but not telling anyone else how they might go about doing the same with theirs.

Just clarifying. The lack of detail in this article struck several different nerves. Thanks for the link. Be sure to post any new info.

Reply Score: 1

RE[3]: What hack?
by velko on Thu 13th Jul 2006 13:12 UTC in reply to "RE[2]: What hack?"
velko Member since:
2006-06-19

The lack of detail in this article struck several different nerves.

I'm not sure with what level of detail in an article one could come up after reading the announcement about the server being owned:

http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html

I have no doubt that this email is the source for the article. Yes - we are all sensitive about such news. But what do you expect to read if the problem has been announced yesterday? I do not have any doubt that we will be able to read more as soon as the debian developers know more about the problem.

James Troup states in his email:

We're still investigating exactly what happened and the extent of the damage. We'll post more info as soon as we reasonably can.

And this is definitely better than speculations about what might have happened, right?

Reply Score: 5

RE: What hack?
by halfmanhalfamazing on Thu 13th Jul 2006 12:04 UTC in reply to "What hack?"
halfmanhalfamazing Member since:
2005-07-23

You have to look at frequency. This kind of stuff happens regularly in the windows world.

It happens once.... *once* to a Debian server and all of a sudden Linux is insecure.

Nothing is perfect, but you're making a very big stretch here.

Reply Score: 5

RE[2]: What hack?
by smashIt on Thu 13th Jul 2006 13:33 UTC in reply to "RE: What hack?"
smashIt Member since:
2005-07-06

You have to look at frequency. This kind of stuff happens regularly in the windows world.

Sure, but you can't compare it to all the insecure desktops out there. You have to compare it with Microsoft, MSN or Hotmail getting hacked. And when was the last time this happened?

Reply Score: 4

RE[3]: What hack?
by Sphinx on Thu 13th Jul 2006 13:42 UTC in reply to "RE[2]: What hack?"
Sphinx Member since:
2005-07-09

Sure, but you can't compare it to all the insecure desktops out there. You have to compare it with Microsoft, MSN or Hotmail getting hacked. And when was the last time this happened?

Probably because they're running on BSD.

Reply Score: 3

RE[4]: What hack?
by killerbyte on Fri 14th Jul 2006 00:31 UTC in reply to "RE[3]: What hack?"
killerbyte Member since:
2006-02-19

Hotmail migrated from BSD some time ago. It took them awhile, but they did it. They have some papers about the migration, and surprisingly enough, the first one is about why it failed the first time.

Reply Score: 1

What hack?
by pardasaniman on Thu 13th Jul 2006 14:38 UTC in reply to "RE[2]: What hack?"
pardasaniman Member since:
2006-07-13

Quoting smashIt: "Sure, but you can't compare it to all the insecure desktops out there. You have to compare it with Microsoft, MSN or Hotmail getting hacked. And when was the last time this happened?"

Incidentally Microsoft and MSN use Akamai, which uses a combination of Linux, Windows and other servers.

Hotmail uses a proprietary edition of Windows unavailable to the public.

Reply Score: 1

RE[3]: What hack?
by halfmanhalfamazing on Thu 13th Jul 2006 15:00 UTC in reply to "RE[2]: What hack?"
halfmanhalfamazing Member since:
2005-07-23

Don't Microsoft's servers (via Akamai) run Linux?

Reply Score: 2

RE[2]: What hack?
by fepede on Thu 13th Jul 2006 15:08 UTC in reply to "RE: What hack?"
fepede Member since:
2005-11-14

It happens once.... *once* to a Debian server and all of a sudden Linux is insecure.

Well... hum... actually it happened _twice_. A couple of years ago (more or less) the same thing happened.

Reply Score: 1

RE[3]: What hack?
by deanlinkous on Thu 13th Jul 2006 15:52 UTC in reply to "RE[2]: What hack?"
deanlinkous Member since:
2006-06-19

more actually...

Reply Score: 1

RE: What hack?
by graigsmith on Thu 13th Jul 2006 16:13 UTC in reply to "What hack?"
graigsmith Member since:
2006-04-05

"Debian was hacked, therefore Debian is insecure."

This is a logical fallacy that does not follow.

A server runs Debian, and it is hacked. That does not automatically mean that Debian is insecure. Someone could have had physical access to the machine, or it could have been set up incorrectly, or maybe someone with access got their password stolen. All reasons why Debian would not be at fault.

"Debian is Linux, therefore Linux is insecure."

Another logical fallacy. This one really doesn't follow, not only because the first one didn't, but where your train of thought is going you could just say Linux runs on computers, therefore computers are insecure. Computers run banks, therefore banks are insecure. There is no logic to such a conclusion, and it's the same illogical links that you used to say that Debian or Linux is insecure.

Reply Score: 3

RE[2]: What hack?
by atsureki on Thu 13th Jul 2006 23:06 UTC in reply to "RE: What hack?"
atsureki Member since:
2006-03-12

Are people actually mad at me because I predicted the trolling before it happened, or because they think I'm actually saying this? They seem to appreciate your useless post, so I guess the latter. I really don't like it when people patronize each other in forum posts, but my god, here is your clue: I'm not actually saying that. I'm saying that an incomplete story leads to rumor, generalization, and misinformation. I called this reasoning FUD right before I spelled it out. I'm sorry mere text didn't allow for a flashing neon sign.

"People might get the wrong idea and think this..."
"But that thinking is wrong in the following four ways..."
Duh! That's the whole point!

Reply Score: 2

RE:Debian Project Server Hacked
by TusharG on Thu 13th Jul 2006 10:29 UTC
TusharG
Member since:
2005-07-06

Nothing wrong with getting hacked... what is important is restoring the data and fixing the system so it doesn't get hacked again.

Reply Score: 3

We will not hide problems
by saxiyn on Thu 13th Jul 2006 11:05 UTC
saxiyn
Member since:
2005-07-08

"We will not hide problems". That is Debian social contract #3.

Indeed, Debian documented exactly what happened and how they restored compromised servers last time this happened. Visit http://www.wiggy.net/debian/.

So I expect them to do the same again. Let's wait.

Reply Score: 5

RE: We will not hide problems
by nivanson on Thu 13th Jul 2006 12:59 UTC in reply to "We will not hide problems"
CrimsonScythe Member since:
2005-07-10

I suggest you check the date on that email, or look at the url, or in the very least read some of it yourself, such as these parts:

"Wednesday 19th November (2003)" and "Date: Fri, 28 Nov 2003 01:04:00 +0000"

Reply Score: 2

RE[2]: We will not hide problems
by libray on Thu 13th Jul 2006 13:34 UTC in reply to "RE: We will not hide problems"
libray Member since:
2005-08-27

James Troup posted some clarifications!
Check this out:
http://lists.debian.org/debian-devel-announce/2003/11/msg00012.html

You will find all your answers there.


I don't think so. That post is from 2003.

I disagree that every post concerning Linux must be compared to Microsoft and vice-versa. As a NetBSD, Solaris and Windows user, if this were the same kind of post, my concern would be how the problem affects me and how to update my system.

Reply Score: 1

Keep your shirt on!
by drdoug on Thu 13th Jul 2006 11:24 UTC
drdoug
Member since:
2006-04-30

The Debian GNU/Linux project today admitted a hacker had compromised one of its internal servers

I wouldn't get too upset about this. Debian did the correct thing in disclosing (as opposed to admitting), that they have had a compromise.

Be thankful that they are willing to do this. The best secure systems will eventually get a hack or 2. It is good that Debian found out. I doubt Debian had any secrets hidden for the hacker.

Reply Score: 5

RE: Keep your shirt on!
by Duffman on Thu 13th Jul 2006 14:11 UTC in reply to "Keep your shirt on!"
Duffman Member since:
2005-11-23

And sometimes you're not hacked at all, such as the OpenBSD project.

Reply Score: 2

RE[2]: Keep your shirt on!
by killerbyte on Fri 14th Jul 2006 00:35 UTC in reply to "RE: Keep your shirt on!"
killerbyte Member since:
2006-02-19

The OpenBSD project got a compromise some time ago on its primary mirror, I think it was sunsite, running Solaris. OK, granted, it's not a development machine and granted, they're pretty tight on their code, but I don't believe Debian got hacked just because they run Linux. And yes, I'm an avid OpenBSD fan && user.

Reply Score: 2

RE: Keep your shirt on!
by killerbyte on Fri 14th Jul 2006 00:20 UTC in reply to "Keep your shirt on!"
killerbyte Member since:
2006-02-19

Sure, no secrets... AFAIK it is a CVS machine, so no private keys stolen, no backdoors committed to the source tree, none of the "I've been watching you for three months" will happen. Yeah, sure.

Reply Score: 1

Typical
by JohnX on Thu 13th Jul 2006 11:54 UTC
JohnX
Member since:
2005-11-06

Typical excuses when something like this gets to the news... "Microsoft is even worse".

Maybe this is why Linux doesn't take off on the desktop market? Linux zealots' consolation is that even if their system is mediocre, "Microsoft's is even worse".

They don't care about quality... They just want to know that they're better than Microsoft.

Reply Score: 0

RE: Typical
by diskinetic on Thu 13th Jul 2006 13:21 UTC in reply to "Typical"
diskinetic Member since:
2005-12-09

"They don't care about quality... They just want to know that they're better than Microsoft."

And they are. See, did that take so long? Really, I don't know what point you're trying to make. Being better than MS is often exactly the point. Microsoft is a huge company with nigh-infinite R&D funding. If a smaller, independent, not-for-profit project like Debian can outperform the Microsoft equivalent, that's news. It's OS news! It's a bragging point. It's a compelling argument for change. It is the essence of "quality" to be better than something else. The dictionary says so.
If we follow your point to its conclusion, Linux (distros) would have to be flawless before they could make a quality claim at all. It just doesn't hold up. The world record 100-meter sprinter isn't the fastest piece of matter in the universe, but he's faster than other humans attempting the same feat.
And guess what? As long as he holds the record and the fame, he's got a big red bullseye on his tunic. I know Microsoft bashing seems childish (and it often is), but to not mention relative security just because the relative point (MS) is "low" is a tad ridiculous.
That's why MS retaliates against the TCO argument so strongly. If a corporate, for-profit monoculture can come in under budget against a "free" alternative, that's something to brag about. Of course, they still charge, but the argument is that they charge less, not nothing. It's the very basis for choice-making.

Reply Score: 2

RE: Typical
by Sphinx on Thu 13th Jul 2006 13:48 UTC in reply to "Typical"
Sphinx Member since:
2005-07-09

The thought of how far Linux would have to fall to be worse than Microsoft gives me vertigo.

Reply Score: 5

RE: Typical
by ma_d on Thu 13th Jul 2006 19:29 UTC in reply to "Typical"
ma_d Member since:
2005-06-29

I know that's why none of my family uses it. They read OSN everyday and just can't stand the way linux users defend linux!

Reply Score: 1

This article was about Debian not Microsoft
by libray on Thu 13th Jul 2006 12:18 UTC
libray
Member since:
2005-08-27

It goes to show that there could be no Linux thread without some comparison to Microsoft, and when that happens, the whole point is often missed.

This is horrible that a break-in occurred at Debian. In the days of compromises at tcpdump, irc client sites and the like, people were often afraid that the source or binaries downloaded were somehow changed. Today, it's all about defending Linux despite the bad news. If a distribution leader's systems can become compromised, what about the novices out there who know little about their system's security and assume that just because it's Linux it's unhackable?

What debian did NOT disclose is what exactly was affected and how it could affect its users. Does anyone still want to defend them?

Edited 2006-07-13 12:22

Reply Score: 3

Sphinx Member since:
2005-07-09

Some troll throwing it out there does not change the subject or exonerate anybody from anything. They've admitted it and given what they know as they know it, but hey, I'm sure you could just glance at it and know exactly what and how it was compromised immediately. Why should they bother taking time with forensics or actually proving things when they could just half-ass guess and make you happy?

Reply Score: 1

libray Member since:
2005-08-27

On the contrary. The system was named *.debian.org, which could indicate that it runs some service relative to Debian. The least they could do is say that it is a system that has write access to their CVS repository or one that provides web services.

Either way, you would at least be cautioned that you should be careful downloading this or that from Debian, as opposed to a false sense of security and "liking" that they got hacked because it proves something superfluous to you.

Reply Score: 1

Local?
by Milo_Hoffman on Thu 13th Jul 2006 12:27 UTC
Milo_Hoffman
Member since:
2005-07-06

Since this is a developer/build machine...I am thinking this is probably something that requires local access.

The only real good exploits for Linux in quite a while have been ones that require you to first be logged in to the system.

Linux does not have nearly as many exploits that can be attacked from the outside, like that other OS we all love that has more holes than a Swedish bikini team.

Reply Score: 4

RE: Local?
by killerbyte on Fri 14th Jul 2006 00:23 UTC in reply to "Local?"
killerbyte Member since:
2006-02-19

Linux does not have nearly as many exploits that can be attacked from the outside, like that other OS we all love that has more holes than a Swedish bikini team.

That's why not only the provider, but any responsible contractor will put that machine (or machines) way out of reach of the internet. If they don't, then you really deserve to be hacked.

Reply Score: 1

:)
by Trollstoi on Thu 13th Jul 2006 12:44 UTC
RE: :)
by Trollstoi on Thu 13th Jul 2006 16:18 UTC in reply to ":)"
Amusing
by JonInAtlanta on Thu 13th Jul 2006 13:00 UTC
JonInAtlanta
Member since:
2006-02-17

How many apologists there are for this.

"Nothing wrong with getting hacked... what is important is restoring the data and fixing the system so it doesn't get hacked again."

"I wouldn't get too upset about this."

"You have to look at frequency. This kind of stuff happens regularly in the windows world. "

Wow
You'd never read that in response to a MS or OS X hack.

Reply Score: 4

RE: Amusing
by Sphinx on Thu 13th Jul 2006 14:01 UTC in reply to "Amusing"
Sphinx Member since:
2005-07-09

Just what exactly do they have to apologise for? This, as far as I've read so far, is just one box, maybe not even an exploit, possibly social engineering or someone leaving the root password on a post-it note.

Reply Score: 4

RE: Amusing
by backdoc on Thu 13th Jul 2006 18:09 UTC in reply to "Amusing"
backdoc Member since:
2006-01-14

In the realm of Linux users (or any group, for that matter), there are people who:

1. like to point fingers at their competitors, at every opportunity
2. like to defend their product, at every opportunity

It is to be expected that the people from group #1 will make the negative comments towards Windows and the people from group #2 will make defensive remarks towards Linux. It is only hypocritical if the comments you are referring to are coming from the same group.

I'm in group #2. So, I'm going to assume that the apologetic comments you are reading are not from the same people who have made negative comments ;) .

Reply Score: 2

RE[2]: Amusing
by Don T. Bothers on Thu 13th Jul 2006 21:20 UTC in reply to "RE: Amusing"
Don T. Bothers Member since:
2006-03-15

"In the realm of Linux users (or any group, for that matter), there are people who:

1. like to point fingers at their competitors, at every opportunity
2. like to defend their product, at every opportunity

...I'm in group #2."

And the people attacking Debian are probably Windows users who are in group #1. I personally think being in either group #1 or #2 is as bad as being in the other group. Instead, people should be neutral and lay blame when it belongs and defend against attacks when they aren't deserved. IMHO, being hacked twice within a few years is very bad and is very close to being inexcusable.

Reply Score: 2

RE: Amusing
by ma_d on Thu 13th Jul 2006 20:26 UTC in reply to "Amusing"
ma_d Member since:
2005-06-29

Actually it's pretty much exactly what you hear in response to OS X security problems.

I don't really much care what people say in response to Windows hacks, so I wouldn't know ;) .

Reply Score: 1

SELinux
by ozonehole on Thu 13th Jul 2006 13:12 UTC
ozonehole
Member since:
2006-01-07

I wonder if SELinux could have prevented this? I believe that Debian does not yet include SELinux, though perhaps it will in the future - does anyone happen to know?

Reply Score: 1

RE: SELinux
by SEJeff on Thu 13th Jul 2006 13:39 UTC in reply to "SELinux"
SEJeff Member since:
2005-11-05

Yes, SELinux would have very likely prevented this if properly configured. SELinux, that is Mandatory Access Control, limits the effects of root access. The "root" user falls under the basic Unix permissions scheme known as DAC or Discretionary Access Control. MAC is a security layer that sits on top of DAC and further limits what DAC-privileged software is capable of doing.

This very likely wouldn't have happened on a Red Hat box due to SELinux configurations and proactive security like Exec-shield and SSP (gcc 4.1) compiled software.

Reply Score: 3

You shouldn't be saying that
by JoeBuck on Thu 13th Jul 2006 18:09 UTC in reply to "RE: SELinux"
JoeBuck Member since:
2006-01-11

Since you don't know how the attack was carried out, you are not in a position to know whether SELinux would have prevented it.

Reply Score: 2

RE: You shouldn't be saying that
by SEJeff on Thu 13th Jul 2006 18:52 UTC in reply to "You shouldn't be saying that"
SEJeff Member since:
2005-11-05

Yes, SELinux would have very likely prevented this if properly configured.

A properly configured SELinux would have limited the damage a compromise can do. I can guarantee you a properly configured SELinux would have prevented the attacker from installing and using a rootkit.

Reply Score: 2

You shouldn't be saying that
by JoeBuck on Thu 13th Jul 2006 18:11 UTC in reply to "RE: SELinux"
RE[2]: SELinux
by ma_d on Thu 13th Jul 2006 20:21 UTC in reply to "RE: SELinux"
ma_d Member since:
2005-06-29

If you know that then please tell us how the intruder got in, because that's the only way you could say that.

I think you have to be guessing, and you act like you know.

Reply Score: 1

RE: SELinux
by Sphinx on Thu 13th Jul 2006 14:03 UTC in reply to "SELinux"
Sphinx Member since:
2005-07-09

Sure, SE's magic will harden even the meekest secretary from social engineering.

Reply Score: 1

Re: Secret Cracks
by aGNUstic on Thu 13th Jul 2006 13:13 UTC
aGNUstic
Member since:
2005-07-28

`The best secure systems will eventually get a hack or two. It is good that Debian found out. I doubt Debian had any secrets hidden for the hacker.`

My wife's Win box got hacked about three to four weeks ago. I believe it was something she downloaded as a `surf-by` attachment. She had all the `whiz-bang` programs from `anti-spy and malware` to firewall and it still corrupted her computer. Be careful of myspace - it's a cracker's dream in more than one way.

A Linux box can get cracked as well as a Win box. I've noticed that if a Linux box `is` compromised the damage is generally limited in nature. Generally it is limited to weak passwords and deletion of user data files.

Reply Score: 4

RE: Re: Secret Cracks
by killerbyte on Fri 14th Jul 2006 00:26 UTC in reply to "Re: Secret Cracks"
killerbyte Member since:
2006-02-19

So a) if a Linux box prompts for the root password your wife might not know it, or b) your wife does know how to work with computers and just had tough luck on her Windows machine.
If you don't think deletion of user data is dangerous (think - generally if you can delete it you can read it) you must be kidding.

Reply Score: 1

oh pleeeze
by deanlinkous on Thu 13th Jul 2006 14:33 UTC
deanlinkous
Member since:
2006-06-19

It was a developer machine, lots of accounts as well as lots of services running on it! I find it shameful that anyone would hack a debian server, I thought you got more l33t points for knocking microsoft or at least linspire or xandros!

The "known" compromised and being corrected doesn't bother me; it is the "unknown" compromised and not even noticed that worries me!

Reply Score: 2

Sniffed password?
by SpasmaticSeacow on Thu 13th Jul 2006 14:53 UTC
SpasmaticSeacow
Member since:
2006-02-17

Doesn't that strike anyone as strange? Why would you use an unencrypted password -- or any password at all. On my home box, login is via SSH with a 4096-bit key only -- no password access at all. Not that people don't try to get into it, but the IPs get auto-blacklisted in response to the attempt.

Reply Score: 2

RE: Sniffed password?
by killerbyte on Fri 14th Jul 2006 00:43 UTC in reply to "Sniffed password?"
killerbyte Member since:
2006-02-19

So, if you have any insecure/vulnerable services working out their privilege escalation features, instead of stealing/rewriting passwords, the exploit only has to *guess* where you keep your keys ;)

Reply Score: 1

That's only an iceberg.
by Babi Asu on Thu 13th Jul 2006 15:45 UTC
Babi Asu
Member since:
2006-02-11

Probably there are many more unreported/uncaught cases. Migration to *BSD or Solaris must be taken into consideration.

Reply Score: 1

Weak security policy?
by n1xt3r on Thu 13th Jul 2006 15:58 UTC
n1xt3r
Member since:
2006-02-05

"limiting access to DSA only, until they can be fixed for what we suspect is the exploit used to compromise gluck."

Seems to be implying that the problem resulted from a weak security policy. Didn't their previous server break-ins involve stolen login credentials? I won't be as impressed if this was a repeat.

Reply Score: 1

I guess the Server is not running Windows
by devtty on Thu 13th Jul 2006 16:20 UTC
devtty
Member since:
2006-04-02

And this story shows that, after all the troubles a Windows shop might encounter during a Windows to Linux migration, the result may not look good.

Reply Score: 0

Running Windows Server
by snowflake on Thu 13th Jul 2006 16:25 UTC
snowflake
Member since:
2005-07-20

//You have to look at frequency. This kind of stuff happens regularly in the windows world.

I suspect they were actually running a Windows server and not Linux, that's why it was compromised.

Reply Score: 2

More scary information
by libray on Thu 13th Jul 2006 17:01 UTC
libray
Member since:
2005-08-27

Yes, this is a box that has access to debian sources so you CAN conclude that Debian was hacked. This is not just a workstation that is being talked about. Making a conclusion that the sources are ok without any information is a dangerous assumption.

Taken from:
http://db.debian.org/machines.cgi?host=gluck

Host name: gluck.debian.org
Architecture: i386
Access: developer only
Disk space: 735Gb [6x147 RAID5]
Description: Primary web server, CVS server, People server

Reply Score: 2

unfortunate example
by n1xt3r on Thu 13th Jul 2006 18:20 UTC
n1xt3r
Member since:
2006-02-05

It appears the exploit was a combination of weak passwords and a local root vulnerability[1].

1. http://www.debian.org/News/2005/20060713

Reply Score: 1

RE: unfortunate example
by stuhood on Thu 13th Jul 2006 19:27 UTC in reply to "unfortunate example"
stuhood Member since:
2006-07-11

Your link is bad... here is the correct one:
http://www.debian.org/News/2006/20060713

Reply Score: 1

Calm down
by SK8T on Thu 13th Jul 2006 19:48 UTC
SK8T
Member since:
2006-06-01

Even the most secure OS on earth can be hacked if the admin is an idiot. OK, I don't want to say it so hard, but what I want to say is the following:

You can use the most secure OS, but the human is the failure in it. So this says not very much about the security of Debian, but enough about the quality of the network administrator. (imo)

Reply Score: 1

RE: Calm down
by libray on Thu 13th Jul 2006 20:44 UTC in reply to "Calm down"
libray Member since:
2005-08-27

The person wearing the network admin hat and the one wearing the system admin hat will tell you that developers and normal users routinely ask for more lax security than they should get. Don't blame them.

You would expect that a Debian server would require VPN access and no passwords would be used for authentication, only tokens of some sort or at least keys. To leave this open as is means the developer's home system is also suspect.

Wow!! I just learned of this server today and can connect via ssh to it from my home system. It's asking me for a password instead of disconnecting me. It should throw me out because I don't have a key, or a challenge response, or kerberos.

Let me guess:

ListenAddress 0.0.0.0:22
PasswordAuthentication=yes

Now all I have to do is read CVS annotation logs for developer names to get valid usernames for this system and go to town. I won't but you would hope that Debian would know better.

Reply Score: 1
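An added example, not code from the thread or from Debian: a small POSIX shell audit of the sshd_config password-login posture libray is guessing at above, with the guessed configuration beside a key-only one. Both sample files are constructed here; the directive defaults assumed are OpenSSH's at the time of the thread, and Match blocks are deliberately not parsed.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian): audit an sshd_config for
# password-based login. audit_sshd_config FILE prints each weak directive it
# finds and returns 1, or returns 0 when only key-based logins are accepted.

# Effective value of directive $2 in file $1, or default $3 if absent.
# sshd uses the FIRST value it reads for a keyword and accepts "Key value"
# or "Key=value". Assumption: nothing inside a Match block is considered.
sshd_directive() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # stop at conditional blocks
        { gsub(/=/, " ") }                       # normalise Key=value form
        tolower($1) == tolower(key) && !seen { v = $2; seen = 1 }
        END { print (seen ? v : def) }' "$1"
}

audit_sshd_config() {
    cfg="$1"; bad=0
    # Each entry is Keyword:default (OpenSSH defaults of the era, assumed);
    # any of these resolving to "yes" leaves a password path open.
    for item in PasswordAuthentication:yes \
                ChallengeResponseAuthentication:yes \
                PermitRootLogin:yes \
                PermitEmptyPasswords:no; do
        key=${item%%:*}; def=${item##*:}
        got=$(sshd_directive "$cfg" "$key" "$def")
        if [ "$got" = "yes" ]; then
            echo "weak: $key $got"
            bad=1
        fi
    done
    # Turning passwords off without keys on is a lockout, not hardening.
    if [ "$(sshd_directive "$cfg" PubkeyAuthentication yes)" != "yes" ]; then
        echo "weak: PubkeyAuthentication disabled, no key-only path remains"
        bad=1
    fi
    return $bad
}

# Constructed sample configs (not gluck's real configuration) written into
# directory $1: the guess from the post beside a key-only equivalent.
write_sample_configs() {
    cat > "$1/guessed.conf" <<'EOF'
ListenAddress 0.0.0.0:22
PasswordAuthentication=yes
EOF
    cat > "$1/keyonly.conf" <<'EOF'
# Key-only sshd: a sniffed or weak password has no login path to use.
ListenAddress 0.0.0.0:22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
EOF
}

# Stand-alone demo: guessed.conf is flagged, keyonly.conf passes.
dir=$(mktemp -d)
write_sample_configs "$dir"
for f in guessed keyonly; do
    if audit_sshd_config "$dir/$f.conf"; then
        echo "$f.conf: key-only login enforced"
    else
        echo "$f.conf: password login possible"
    fi
done
rm -rf "$dir"
```

On a live host the same check can be run against `sshd -T` output instead of the file, which resolves defaults and Match blocks for you.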

Linux kernel insecure?
by NotParker on Thu 13th Jul 2006 20:12 UTC
Debian crack
by aGNUstic on Thu 13th Jul 2006 20:52 UTC
aGNUstic
Member since:
2005-07-28

It's like the Debian people saying, "Holy crap, we got cracked!" versus the MicSoft people mumbling, "Damn, cracked again."

Reply Score: 1

social engineering
by Cloudy on Fri 14th Jul 2006 00:23 UTC
Cloudy
Member since:
2006-02-15

No, given the description on the Debian site, SELinux wouldn't have made any difference at all.

And no, it's not surprising that it turns on a compromised password. Nor that it happened before. Nor that there were other weak passwords on the system.

And no, requiring shared credentials doesn't make a system more secure from weak password attacks. It merely changes the point at which the attack must occur to succeed.

What we see here is a classic example of a weakest-link exploit. This is why things like SELinux make little or no difference. They merely amount to adding armor to the strong points of the system. I count at least four social engineering related mistakes here, and none of them would have been addressable by SELinux.

On the other hand, having SELinux around is certainly giving some people a false sense of security.

Reply Score: 4