
Re: Debian Server Compromise -- A Fire Drill ??



On Thu, Dec 04, 2003 at 05:59:34PM -0700, Thanasis Kinias wrote:
> scripsit Monique Y. Herman:
>  
> > I find this to be unlikely.  I mean, look at the risk vs. reward.
> > 
> > Reward: they cause a very temporary disruption to some trusted sources
> > and cause some folks to maybe worry about how secure linux might be.
> > 
> > Risk: getting caught funding black hats against the competition.
> > 
> > This just doesn't sound like good business to me.
> 
> I'm very much not a black-helicopter conspiracy type, but I think it
> unlikely that, if someone who didn't want to be found out was behind
> this, it could ever be pinned on them.  Look at the trouble FBI has
> pinning things like contract killings on mafia bosses; the amount of
> effort law enforcement is willing to spend on going after them is _much_
> higher than what they'd be willing to spend on crackers going after
> Linux.  If Foo Corp. wanted to do this, they really wouldn't have
> anything to fear from the law -- and if they're confident that they have
> more media pull, they wouldn't have anything to fear from the media
> either.
> 
> That's not to say that MS/SCO/whoever had anything to do with this at
> all, just that I wouldn't discount the possibility based solely on the
> (to me, apparently small) risk they would be taking.
> 
>
well put. to address monique's points, where's the risk? whoever pulled
the stunt has serious talent. an esoteric bug that even the kernel hackers
couldn't imagine being exploitable was manipulated. the thing that
concerns me is that anyone with such skills who isn't interested in
leaving a mark must be getting some other compensation. cracking
debian.org--and gnu/savannah with the same exploit--is no small feat.
not to claim credit suggests the kind of restraint that only money can
buy. who's got the money? who's losing market share to gnu/linux? who
could benefit by demonstrating insecurity in the other os? just
recently, at comdex, gates presented a mini-movie, a matrix parody,
wherein linux was portrayed as the enemy of freedom. that all of this
occurs in the same time period strikes me as way more than coincidence.

ben


