Re: Debian Server Compromise -- A Fire Drill ??

On Fri, 05 Dec 2003 15:50:13 +0100, John Hasler <john@dhh.gt.org> wrote:

>Dave writes:
>> He or she had intimate knowledge of the various Debian servers.
>I see no evidence that the cracker had anything other than public

I'm guessing, based on the timeline (hours, not days) and other info in the report. Seems like an outsider, having only a password, would have to spend an awful lot of time poking around to find the right machines and directories.

>> And no damage was done.
>You don't consider the downtime and wasted labor damage?

The labor of the firefighters is good exercise and will help prevent a real fire. But you are right about the downtime for us users. Still, it's a small price for the gain in security, and one I am willing to pay.

>> Do you think he could have had the same impact by merely announcing that
>> he *could* break into a system if he wanted?
>Privately delivering the exploit to the appropriate people would have
>gotten the bug fixed at least as quickly.

You are right about the fix; the Debian team is tops. What about users updating their systems, however? Seems like a little drama here is a good thing.

On the whole, this incident *boosts* my confidence in Linux. I just can't imagine MS dealing with an incident like this as quickly and openly.

-- Dave