Re: Debian Server Compromise -- A Fire Drill ??
On Thu, 04 Dec 2003 20:20:21 +0100, Terry Hancock
<hancock@anansispaceworks.com> wrote:
[...]
>There is also the point that *somebody* found this bug. Just not the
>folks we were hoping would. ;-) Letting real crackers hammer your
>system is another way to find bugs, although we hope it's a last resort.
You missed my point. I think this *is* a fire drill! I think this
break-in was done by the best folks we could ever hope for.
Consider this: The attacker chose a system that was heavily guarded and
would generate a quick response from the people who could distribute a fix
most quickly. He or she had intimate knowledge of the various Debian
servers. And no damage was done.
Can you hope for a better hacker than this? Do you think he could have had
the same impact by merely announcing that he *could* break into a system if
he wanted?
The real question now is "How many similar exploits exist, and are being
kept quiet for use in a real situation." We can only hope it's the good
guys who have these secrets.
--Dave
Reply to: