
Re: Debian Server Compromise -- A Fire Drill ??

On Thu, Dec 04, 2003 at 01:50:35PM -0700, Dave wrote:
> On Thu, 04 Dec 2003 20:20:21 +0100, Terry Hancock <hancock@anansispaceworks.com> wrote:

> [...]
> >There is also the point that *somebody* found this bug.  Just not the
> >folks we were hoping would. ;-)  Letting real crackers hammer your
> >system is another way to find bugs, although we hope it's a last resort.
> You missed my point.  I think this *is* a fire drill!  I think this 
> break-in was done by the best folks we could ever hope for.

I disagree entirely. All the evidence seems to indicate that this was a
serious compromise attempt by a real Black Hat. The Debian folks caught
it quickly by a combination of good luck and good management.

> Consider this: The attacker chose a system that was heavily guarded and 
> would generate a quick response from the people who could distribute a fix 
> most quickly. He or she had intimate knowledge of the various Debian 
> servers.  And no damage was done.

Is there any actual indication that the attacker had prior knowledge of
the Debian servers? I don't remember any mention of that in the official
announcements so far. As for "No damage was done" I believe that has to
do with the security model of the package repositories. I don't
know the details, but my money says they're designed to be hard to
tamper with.

> Can you hope for a better hacker than this?  Do you think he could have had 
> the same impact by merely announcing that he *could* break into a system if 
> he wanted?

It's "cracker". Not "hacker".

If it were a publicity stunt, somebody would probably have made some
kind of "I did it and here's why" statement ... from a throwaway hotmail
address or some other hard-to-trace source. Or left a "ha-ha, see how
easily I 0wnzed yer b0x" message on the system to be found.
I see no indication in any of the reports that the intruder(s) expected
to be caught, or did this as a deliberate warning.
If it weren't for the frequent oopses and the AIDE warnings, I
completely believe the attacker would be busily figuring out how to get
into the package archive to tamper with the distro itself.

> The real question now is "How many similar exploits exist, and are being 
> kept quiet for use in a real situation."  We can only hope it's the good 
> guys who have these secrets.

Exist and are _known_ and are being kept quiet... I have my doubts that
there's any substantial number of those.  When the kernel-hackers find
an exploitable bug they squash it, and when the bad guys find one first,
their incentive is to use it quick before the kernel-hackers find it and
squash it.

               If I had a dog as daft as you, I'd shoot him.
               - Scottish Proverb
--------------------------<<Please do not CC me>>--------------------------
