Re: Debian Server Compromise -- A Fire Drill ??
On Thu, Dec 04, 2003 at 04:57:55PM -0500, ScruLoose wrote:
> On Thu, Dec 04, 2003 at 01:50:35PM -0700, Dave wrote:
> > On Thu, 04 Dec 2003 20:20:21 +0100, Terry Hancock <firstname.lastname@example.org> wrote:
> > [...]
> > >There is also the point that *somebody* found this bug. Just not the
> > >folks we were hoping would. ;-) Letting real crackers hammer your
> > >system is another way to find bugs, although we hope it's a last resort.
> > You missed my point. I think this *is* a fire drill! I think this
> > break-in was done by the best folks we could ever hope for.
> I disagree entirely. All the evidence seems to indicate that this was a
> serious compromise attempt by a real Black Hat. The Debian folks caught
> it quickly by a combination of good luck and good management.
> > Consider this: The attacker chose a system that was heavily guarded and
> > would generate a quick response from the people who could distribute a fix
> > most quickly. He or she had intimate knowledge of the various Debian
> > servers. And no damage was done.
> Is there any actual indication that the attacker had prior knowledge of
> the Debian servers? I don't remember any mention of that in the official
> announcements so far. As for "No damage was done" I believe that has to
> do with the security model of the package repositories. I don't
> know the details, but my money says they're designed to be hard to
> tamper with.
> > Can you hope for a better hacker than this? Do you think he could have had
> > the same impact by merely announcing that he *could* break into a system if
> > he wanted?
> It's "cracker". Not "hacker".
> If it were a publicity stunt, somebody would probably have made some
> kind of "I did it and here's why" statement ... from a throwaway hotmail
> address or some other hard-to-trace source. Or left a "ha-ha, see how
> easily I 0wnzed yer b0x" message on the system to be found.
> I see no indication in any of the reports that the intruder(s) expected
> to be caught, or did this as a deliberate warning.
> If it weren't for the frequent oopses and the AIDE warnings, I
> completely believe the attacker would be busily figuring out how to get
> into the package archive to tamper with the distro itself.
the question i keep arriving at is who benefits from the publicity
surrounding this? there's got to be a reason why no calling card was
left, i.e., the caller has a vested interest in not claiming credit,
which would tend to suggest a contract job. as to the issue of whether
the attacker had previous knowledge of the debian servers, only a fool
wouldn't do everything to acquaint him/herself with the environment
where they plan to engage in mischief.
given the regular stream of ridiculous garbage coming from redmond about
linux, while new holes are found in their os and apps on an almost weekly
basis, this seems like the next stage in the campaign to buttress the
losses they've been taking all the while linux has found favor. apart
from the money issue, linux, and particularly debian,
represents the absolute opposite to their culture. this distro, as a
product of volunteerism on the part of people who have nothing to gain
apart from their own satisfaction in making the thing work, represents a
huge philosophical challenge to those who view the world in terms of how
much they can extract from it.
the attacks are, on the one hand, a wake-up call, but, on the other, a
statement from the
opposition that proves both the significance and the ascendance of human
cooperation as a power, with no other incentive in mind than to do the
best that can be done.
on the subject of disclosure of methods, i've been trusting the team for
almost five years, since i first came across debian. i have no reason
not to trust them now. i'm amazed at the speed of the recovery, given
that everything that had to be done was done by folks who do this in
their spare time. my thanks and respect. debian keeps on rockin'.