Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Debian Server Compromised

Posted by samzenpus on Wed Jul 12, 2006 09:54 PM
from the fox-in-the-henhouse dept.
Security Software Linux
Security News writes "According to a post on the debian-devel-announce mailing list "Early this morning we discovered that someone had managed to compromise gluck.debian.org. We've taken the machine offline and are preparing to reinstall it. " gluck is a core development machine."
+ -
story

Related Stories

[+] Linux: Debian Locks Out Developers 331 comments
daria42 wrote in with an update to an earlier story about a Debian server that was compromised. He explains: "The Debian GNU/Linux project has discovered a compromised developer account was used to gain access to a server compromised this week. A local kernel vulnerability was then used to gain root access. Due to this, a number of developers with weak passwords have been locked out of their system accounts." To be fair, they'll most likely be let in once everything's back to normal. Of course, they'll probably need to set safer passwords too.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Debian Server Compromised 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Oh no (Score:5, Funny)

    by Anonymous Coward on Wednesday July 12 2006, @09:56PM (#15710188)
    Oh no, now they have access to all the Debian source!

  • Once is ok, but twice is too much... (Score:3, Insightful)

    by ModernGeek (601932) on Wednesday July 12 2006, @09:58PM (#15710197) Homepage
    ...first we had the hack into the repository severs, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs. Now it seems that internal development machines are being hacked. If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise? Granted this was on a development branch and development server, but how many times do you have to upgrade to an "experimental" package to get a function or feature that you need to have in your setup? I might be spreading FUD, but I think I speak for the rest of us when I speak of this vibe I feel from debian.

    • Re:Once is ok, but twice is too much... (Score:5, Insightful)

      by lawpoop (604919) on Wednesday July 12 2006, @10:09PM (#15710240) Homepage Journal
      You know, the difference between open source and closed source software is that with open source, *we know what's going on*. Debian admins are being very bold and forthright in stating that the machine was hacked.

      How many times has windowsupdate.microsoft.com been hacked? Zero? How would you know? What incentives ( and disincentives ) does Microsoft have to tell us if such a thing were to happen?

      So if corporate America wants to trust a black box, let 'em. There's no convincing them anyway.
      • That's nice, but it's usually hard to prove a negative. How do you know RedHat or SUSE haven't been hacked? Because they haven't told you? How can you be sure?

        Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

        • Re:Once is ok, but twice is too much... (Score:4, Interesting)

          by sqlrob (173498) on Wednesday July 12 2006, @10:21PM (#15710294)
          Oh and BTW, Windows updates are signed, so even if someone managed to crack into it the packages would not install.

          Are you sure about that? Remember, the MS network was compromised a while as well. Do you trust their auditing?

            • If you remember, the incident in question involved someone loose for weeks or months on Microsoft's internal networks before they were discovered. It's wouldn't have been impossible for them to modify the code before it got signed. Microsoft had to spend a great deal of effort to try to verify that such a thing didn't actually happen.

                • Re:Once is ok, but twice is too much... (Score:5, Insightful)

                  by _Sprocket_ (42527) on Thursday July 13 2006, @12:21AM (#15710755)
                  The point being that digitally signed binaries aren't a guarantee. They're darned nice. Makes things more difficult to slip in a rogue binary. But they're not the end-all, be-all in assuring some rogue code isn't slipped in there somewhere.

                  And yes - that goes for closed, proprietary software houses as well as the public, open groups.
              • Yes [microsoft.com]. But it really really sucks. A lot. If you're a major control freak (or just like avoiding auto-updates and such) you could probably go that route. Useful for people on dialup ... download important updates, maybe dump them to a jumpdrive or burn a cd when you've got a couple of them.

                I think they also do monthly iso-images that are just compilations of all the update installers in a given month, for the same reason -- not everyone's got a good net connection at home.

      • Things are chaning... (Score:5, Funny)

        by ModernGeek (601932) on Wednesday July 12 2006, @10:19PM (#15710285) Homepage
        ...they aren't as grim as you may think. Soon enough, universities will be obsolete, and corporations will judge one based on open source contributions. If we all move aggressively toward this stance, the MCSEs will hit the road, and open source pioneers will rule the world of research, development, and jobs all funded by large corporations. All the source will be open, and the developers will work for companies like Verizon and the government as researchers. The same way that students pay universities to do the same thing for them, the difference is that the companies will pay you and you won't be paying a university. A large company that does not employ open source developers will be seen as bad in morale the same way a company is seen as bad for outsourcing manufacturing jobs to Mexico. If we take open source and ourselves seriously, all of this can happen. The old attitude of "don't use it if you don't like it" is going away, and things will be set straight if we push things forward.

      • Re:Once is ok, but twice is too much... (Score:5, Informative)

        by YU Nicks NE Way (129084) on Wednesday July 12 2006, @10:25PM (#15710311)
        You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right? In order to actually subvert the downloads, an attacker would not only need to take over the system, but would also need to sign the modified download with a Microsoft key. That's hard: the private keys for signing code are kept on a machine inside a SKIF. Last time I checked, code was taken to be signed by sneakernet, so that there would be a physical airgap between the network and the signing system.

        • Mwuahahahha! Perfect place to ply the first-ever Carrier Pigeon Protocol hack!

        • Re:Once is ok, but twice is too much... (Score:4, Informative)

          by SnowZero (92219) on Wednesday July 12 2006, @11:09PM (#15710493)
          You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right?

          Btw, Debian also does digital signatures for every package installed (see here [debian-adm...ration.org]). I don't think they have gone as far as having an air-gap, but it does mean that a regular hacking won't be able to silently corrupt packages.

          Debian's system is actually quite cool, since it can check *every* program installed, and not just core OS updates (courtesy of apt controlling 99% of software installation). In fact, you can add additional keys for other package sources (I run some unofficial packages, but those developers also sign their packages with their own keys, so it is covered as well).
      • Diverting attention from a problem by pointing out the flaws of others is not really helpful.

        Yeah, "we know what's going on", just as soon as somebody diffs a bazillion lines of code against a known-good repository. Until the Debian team announces that tidbit of info, the only security you have is the "false sense of" kind.

    • Re:Once is ok, but twice is too much... (Score:5, Informative)

      by Josh Triplett (874994) on Wednesday July 12 2006, @10:15PM (#15710266)
      first we had the hack into the repository severs, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs.

      No, we didn't. The server holding the Debian archive did not succumb to the exploit, because it didn't run on an x86 machine and the people exploiting it only attempted to run x86 code. Furthermore, data on the servers that *did* succumb to the exploit got checked before it became available again.
    • If the debian team cannot keep their own products secure in their own environments, how can we expect to take them seriously in the enterprise?


      The previous attack was one that can be applied against any platform: somebody used their password over an unencrypted channel (presumably a non-Debian channel, since all the project ones should be encrypted), and somebody else sniffed it and used it to gain access. You can't really do anything about that.

      The secondary attack was a local kernel exploit that was first discovered when it was used to attack the debian.org hosts. The attacker(s) came up with something genuinely new (the brk() exploit), there's not a great deal to be done about that either. While the Debian team did make a few mistakes that were cleaned up at that time, none of them were involved in the attack - it wasn't admin error, like you imply.

      Goodness knows what this one was.

    • Re:Once is ok, but twice is too much... (Score:5, Insightful)

      by Nik Picker (40521) on Thursday July 13 2006, @01:36AM (#15710959) Homepage
      Converserly, We know nothing about the code we buy from propriatery developer nor do we ( or most likely they ) know anything about the code in the thridparty libraries that may have been included inthe purchased application. We know nothing about the security of the servers providing the updates nor the features included in those updates. We KNOW NOTHING. Yet we accept , almost glibly, the stanards and security of those systems accepting that since its for enterprise it must me more reliable.

      So when an group of administrators working on a server which provides software and updates to products for which you can read and see the content and know the features is compromised, you feel its poor quality.

      it seems the effort and the acceptance of responsibility do nothing more than increase the level with which we should be accepting these open systems. They appear to have a demonstrably better level of reporting and culpability than many closed servers.

    • Re:Once is ok, but twice is too much... (Score:5, Insightful)

      by zCyl (14362) on Thursday July 13 2006, @02:08AM (#15711034)
      first we had the hack into the repository severs, and we didn't know whether or not we are running exploited code when we use apt-get to update our programs

      If only there were some tool anyone in the world could use to assess the difference between source versions to see if anything malicious had been inserted...
        • Oh boy... Low UIDs hardly instill authority!

          Take it from someone with a waaaaaaayyyyy lower UID as yours! ;-)

          But to your original point - I'm not too sure you can rule out future break-ins at all. It would only be REALLY stupid, if both breakins happened through the same setup fault.

          But I don't think debian has a full time security admin who constantly and ACTIVELY monitors every debian.org box, like other big name companies might be able to afford to.

          Secondly, the sheer multitude of packages, and frequent
          • Ahem.

            As a Gentoo user over the age of 30 I'd like to apologize for the under 20 Gentoo user's previous post. I'll slap him around on IRC later. ;-)

            kashani

              • Re:This has been said before... (Score:5, Informative)

                by Apro+im (241275) on Thursday July 13 2006, @02:19AM (#15711050)
                That's why, as a l337 hax0r, you can run a mixed system [debian.org]. Nobody stops you from installing unstable packages, right from apt, even! (Check out that -t flag!) Or even better, you can actually build your own source.

                The argument for Gentoo that "I like the idea of building my own source" in the sense of "I like getting down and dirty into my system" is really kind of bull. I ran Gentoo for a while, and I thought they had done some amazing work. Portage/emerge is just amazingly well done, and it's nice to have code that's been optimized for my hardware requirements. It's not exactly scalable (maintaining a large set of diverse hardware is a lot harder), and it can lead to untenable situations and instability, but it's still damn cool. And you know what's really cool about it? It's the convenience of apt, for source packages! Please disabuse yourself of the notion that you are "building your own source" -- the Gentoo maintainers are very diligently, very cleverly packaging the source so that you can specify a set of system parameters and then let it build. If you really want to get nitty gritty, run Slackware (although, I guess they have package management now, too). Gentoo has lots of merits, but the truth is, most Gentoo users know no more or less about how things work than an average Liinux user.

                For me, in the end, the speedup I was getting just wasn't making up for the hours it would take each time I ran a system-wide upgrade and the unexpected conflicts because the USE flags that made each package special for MY computer were screwing up MY computer something fierce.

          • Re:This has been said before... (Score:5, Informative)

            by ComputerizedYoga (466024) on Thursday July 13 2006, @12:15AM (#15710731) Homepage
            I've got a lot of other problems with debian which prevent me from using it. However, their security track record is not really one of them. Given the huge project with a very large number of machines and developers, and their long track record with very few incidents, I don't think it's fair to pick too much on this one.

            That, and Gentoo is hardly immune [gentoo.org] to this sort of thing either.

  • No fear... (Score:5, Funny)

    by gravyface (592485) on Wednesday July 12 2006, @10:00PM (#15710206)
    It's Debian... they found an old DAT tape from three years ago, restored it, and realised that nothing's changed in the source tree. *ducks*

    • Re:No fear... (Score:5, Funny)

      by the_humeister (922869) on Wednesday July 12 2006, @10:40PM (#15710373)
      And after recovering the DAT tape from the safe-deposit box at the bank, they went to the ATM machine and entered their PIN numbers to get some money.

      • Re:No fear... (Score:4, Informative)

        by chill (34294) on Thursday July 13 2006, @12:22AM (#15710757) Homepage Journal
        Well, considering that DAT stands for Digital Audio Tape, I find that a bit unlikely...

        How old are you? Gotta be under 25, easy.

        4mm helical scan DAT tapes were very, very popular for enterprise data backup. Do a quick google on "dat tape backup" and enlighten yourself.

          -Charles

  • You have my sympathies (Score:3, Funny)

    by Anonymous Coward on Wednesday July 12 2006, @10:02PM (#15710212)
    Aw man, that's too bad. I think we should all wish the Debian team g'luck.

  • Question (Score:5, Interesting)

    by Frogbert (589961) <[moc.liamg] [ta] [trebgorf]> on Wednesday July 12 2006, @10:10PM (#15710243)
    I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

    • Re:Question (Score:5, Informative)

      by Nutria (679911) on Wednesday July 12 2006, @10:21PM (#15710293)
      I realise that debian stable release has packages that are very old in order to stay stable. Does this mean that they lack patches later versions of programs use? Or are patches typically backported to the stable release packages?

      http://www.debian.org/security/ [debian.org]

      Security (not feature) patches are backported if possible, and if the patches are too extensive, an upgraded version goes into Stable.

      • Re:Question (Score:5, Insightful)

        by macemoneta (154740) on Wednesday July 12 2006, @10:54PM (#15710425)
        I use Fedora Core, and know that there are (at least) a couple of features active in the distribution to address zero-day exploits; ExecShield and SELinux (or other mandatory access control system).

        I have not used Debian; are these security facilities part of the distribution? If not, perhaps they should be given an expedited path.

  • Maybe Debian devs will finally come around (Score:5, Funny)

    by b3x (586838) on Wednesday July 12 2006, @10:30PM (#15710338) Journal
    and move that source repository to a more secure Windows 2003 Server platform.

  • obligatory: (Score:5, Funny)

    by Anonymous Coward on Wednesday July 12 2006, @10:32PM (#15710347)
    I felt a great disturbance in the Force, as if millions of nerds suddenly cried out in terror and were suddenly silenced.

  • What was exploited..? (Score:3, Interesting)

    by paulmer2003 (922657) <Paul@paulmer2003.com> on Wednesday July 12 2006, @10:43PM (#15710379) Homepage
    Does anyone know what in particular was exploited? TFA dosent give a flying fuck of information.

  • Dear Hackers (Score:3, Interesting)

    by SnowZero (92219) on Wednesday July 12 2006, @11:16PM (#15710522)
    Dear Hackers,

    If you manage to hack into the main repository, please fix this bug [debian.org]. A well-tested patch has been available for almost 6 months, and it is even attached to the bug report. The bug has been fixed in Ubuntu, but Debian users are still waiting, more than a year after the bug was first filed.

    If you hack, do it for the right reasons.

  • Why all the flak? (Score:5, Insightful)

    by Dryanta (978861) on Wednesday July 12 2006, @11:30PM (#15710572)
    Hey I'm sure that everyone working on Debian's dev servers have lower uids than most of us, and I find the flak to really be undeserved. It's Linux not OpenBSD; the focus of the operating system favors usability over security. If you don't like it, move to a bsd or commercial *nix platform. Also, any machine that maintains services will eventually obtain some sort of vulnerability even with heavy-handed administration and monitoring. I think the speed at which the compromise was detected in addition to the service being taken offline immediately is cause for thanks to the security team!
    • Why all the flak?

      Because heros aren't allowed to have flaws. Read your Greek myths. If a hero is found to have a flaw, he will be destroyed. (P.S.: They are all found to be flawed.)

    • Re:Good thing... (Score:5, Insightful)

      by GoRK (10018) <johnl@nosPAm.blurbco.com> on Wednesday July 12 2006, @10:58PM (#15710438) Homepage Journal
      Well I suppose you probably know this but for the others out there who may miss the subtlety ---

      Ubuntu draws sources heavily from the unstable and/or testing branches of Debian in order to devote more time and energy to testing and the important fixed-length release cycle. They also are partially reliant on the Debian project for security updates. There would be little to no forward movement of Ubuntu currently without the Debian project. Indeed this may change as time goes on, but to me there are a lot of benefits to this model and I hope they stick with it. Previously most every debian-derived distribution has perished by trying to shed their ties and reliance on the core Debian project.

    • Re:Changelogs (Score:5, Informative)

      by uhoreg (583723) on Wednesday July 12 2006, @11:00PM (#15710454) Homepage
      Changelogs don't provide any form of security, and package changelogs have been standard in Debian since many, many years ago. (Long before Ubuntu was a gleam in Mark Shuttleworth's eye.) Changelogs should only be treated as a convenience to the user.

      And apt supports GPG signing of the Release file, which contains an MD5 and SHA-1 hash of the Packages file, which contains MD5 hashes of the packages. (In other words, apt already does package integrity checking.)

        • As I pointed out, faking changelogs is just an inconvenience to an attacker, but it is more than "nothing".

          It may be slightly better than nothing, but it isn't that much better that it's worth mentioning. Any attacker who knows enough to build a fake .deb package will know enough to put something in the changelog, and it may add maybe a minute to the attack.

          If you were less smug about the apt features you might be more interested in the lack of their implementation in Ubuntu

          Ubuntu uses apt for update

    • Re:Changelogs (Score:4, Informative)

      by SnowZero (92219) on Wednesday July 12 2006, @11:01PM (#15710457)
      It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades.

      Debian has been checking digital signatures on every package installed for almost a year now. See here [debian-adm...ration.org].

      Of course, I run testing, so I have no idea when this got into stable.

    • Re:I refuse to belive this (Score:5, Insightful)

      by CaptainTux (658655) on Wednesday July 12 2006, @11:24PM (#15710551) Homepage Journal
      Your sarcasm is a bit silly. I don't believe the article even mentions that this was an OS leval attack. Most likely, and from the fact that they pulled all these services offline, the attack happened on a piece of software running on the OS and wasn't a problem with the OS itself. So the didn't hack Linux. They hacked a service. Probably.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.