
Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

On Friday 28 November 2003 13:14, Karsten M. Self wrote:

>That announcement wasn't delivered for all users until _after_ murphy
>was resurrected.  I myself got the debian-security-announce message
>mailed Nov 21 on 25 Nov 2003 15:16:56 -0800.

Hm, I got that late too, but the (unsigned) announcement got to 
debian-announce before the takedown. 

> First I want to say that the Debian project, in extremely adverse
> circumstances, comported itself well, disseminated information, if
> not fully effectively, well beyond its nominal capacity with both web
> and email services offline.  Disclosures were timely, informative,
> and helpful, while restraining themselves to established facts and
> working within constraints of an as yet ongoing investigation.   Very
> few organizations can claim as much.  Not only this, but it appears
> at this point that the crown jewels -- the Debian archives and
> mirrored distribution points themselves -- were _not_ compromised.
>  Commendable.


> I'll disagree with Martin's comment that the server compromise didn't
> constitute a security issue despite the lack of an archive
> compromise. 

> Security affecting Debian servers _potentially_ affects Debian
> packages. 

Yes, and I think the point needs emphasis that even if the archives are 
not compromised, what has happened to the Debian servers is very 
relevant to the security of all Debian users.

My first thought when I heard about the compromise was "ouch, that 
probably means I'm vulnerable too". I considered for a moment taking 
my main server offline. The problem is of course that we all run 
much of the same software that is on the Debian machines. Unless there 
is something generic that is a known problem (such as a sniffed 
password), or something that is special to one of the servers (e.g. 
BTS), the attacker might be able to use the attack he used on the 
Debian servers on pretty much _any_ Debian box. That's really scary. 

I learnt on /. that it had been a password compromise, so that meant it 
was in the generic class of problems. We're always vulnerable to 
that. But we're all likely to be vulnerable to the local exploit used 
to gain root. Besides, it was /. :-) 

For these reasons, I think it is fair to say that any compromise on the 
Debian servers is very relevant to the security of all users. And that 
was the information I was missing earlier, to what extent I would 
myself be vulnerable. 

Also, I'm not a regular IRC user, so it didn't occur to me at the time 
that it was an alternative for gathering information. Besides, what 
about signatures on IRC? 


Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
