Re: Debian Server Compromise -- A Fire Drill ??
On Fri, 05 Dec 2003 15:50:13 +0100, John Hasler <firstname.lastname@example.org> wrote:
>> He or she had intimate knowledge of the various Debian servers.
>I see no evidence that the cracker had anything other than public
I'm guessing, based on the timeline (hours, not days) and other info in
the report. Seems like an outsider, having only a password, would have to
spend an awful lot of time poking around to find the right machines and
>> And no damage was done.
>You don't consider the downtime and wasted labor damage?
The labor of the firefighters is good exercise and will help prevent a real
fire. But you are right about the downtime for us users. Still, it's a
small price for the gain in security, and one I am willing to pay.
>> Do you think he could have had the same impact by merely announcing that
>> he *could* break into a system if he wanted?
>Privately delivering the exploit to the appropriate people would have
>gotten the bug fixed at least as quickly.
You are right about the fix; the Debian team is tops. What about users
updating their systems, however? Seems like a little drama here is a good
On the whole, this incident *boosts* my confidence in Linux. I just can't
imagine MS dealing with an incident like this as quickly and openly.