Re: Debian Server Compromise -- A Fire Drill ??

To: debian-user@lists.debian.org
Subject: Re: Debian Server Compromise -- A Fire Drill ??
From: Dave <dmq@gci-net.com>
Date: Fri, 05 Dec 2003 09:11:00 -0700
Message-id: <[🔎] 5.2.1.1.0.20031205090734.0282be10@mail.gain.com>

On Fri, 05 Dec 2003 15:50:13 +0100, John Hasler <john@dhh.gt.org> wrote:

>Dave writes:
>> He or she had intimate knowledge of the various Debian servers.
>
>I see no evidence that the cracker had anything other than public
>information.

I'm guessing, based on the timeline ( hours, not days ) and other info inthe report. Seems like an outsider, having only a password, would have tospend an awful lot of time poking around to find the right machines anddirectories.


>> And no damage was done.
>
>You don't consider the downtime and wasted labor damage?

The labor of the firefighters is good exercise and will help prevent a realfire. But you are right about the downtime for us users. Still, it's asmall price for the gain in security, and one I am willing to pay.


>> Do you think he could have had the same impact by merely announcing that
>> he *could* break into a system if he wanted?
>
>Privately delivering the exploit to the appropriate people would have
>gotten the bug fixed at least as quickly.

You are right about the fix, the Debian team is tops. What about usersupdating their systems, however. Seems like a little drama here is a goodthing.

On the whole, this incident *boosts* my confidence in Linux. I just can'timagine MS dealing with an incident like this as quickly and openly.


-- Dave

Reply to:

Follow-Ups:
- Re: Debian Server Compromise -- A Fire Drill ??
  - From: John Hasler <john@dhh.gt.org>

Prev by Date: Re: ye olde upgrade vs. dist-upgrade
Next by Date: Re: esd problem
Previous by thread: Re: Debian Server Compromise -- A Fire Drill ??
Next by thread: Re: Debian Server Compromise -- A Fire Drill ??
Index(es):
- Date
- Thread