Debian Project Servers Compromised 666
Sean was one of many to pass along
the bad news
from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it
will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.
Not on debian-announce archive (Score:3, Informative)
-JohnF
That explains (Score:3, Informative)
Re:Not on debian-announce archive (Score:5, Informative)
Re:Digital Signing of Packages? (Score:5, Informative)
MD5 sums are used for the contents of packages, but packages may only be uploaded and processed by the build system if they're correctly signed.
So yes it's not trivial to backdoor a package - unless you're already a Debian Developer...
Re:apt (Score:3, Informative)
Re:Not on debian-announce archive (Score:5, Informative)
I got the email too, and I checked its Received: headers against a debian-announce message in my mail archives from about a year ago. They both came from the same source. So there's no way this is a hoax ...unless the murphy.debian.org machine that emailed it to me is compromised, in which case it's not an inaccurate hoax :/
Re:Not on debian-announce archive (Score:2, Informative)
Re:apt (Score:3, Informative)
Indeed, that's one of the few areas where the Debian Project has lagged behind other distribution vendors technically - cryptographic signature verification for packages.
This infrastructure has been kind of long in coming, but as of a few months ago, you can now verify Debian package signatures with debsig-verify [debian.org]. Might I suggest everyone install and use that?
Re:Running Debian-Stable? (Score:3, Informative)
- accounts can be compromised
- unknown bugs may have been exploited (although that's unlikely in this particular case)
- crackers could have been cracking a developer's system, and using information they find on that developer's hard disk (ssh key, gpg key,
- also of importance in general is the competence of the administrators (which surely is *not* at the cause of the problem here).
Of course these systems are running debian stable; but that's most likely not the problem.
Re:How in the world... (Score:5, Informative)
Yes Debian's machines run Debian, this breakin wasn't anything to do with the software installed upon the box, as it was due to a password compromise.
If anything it's more embaressing that somebody lost their password than that the software wasn't up to date.
Signed announcement (Score:2, Informative)
To verify it:
$ wget -O- http://cert.uni-stuttgart.de/files/fw/debian-secu
(drop the space, of course)
Assuming you trust the key it was signed with, of course...
Re:Where's the confirmation from debian people? (Score:5, Informative)
Re:apt (Score:1, Informative)
There is a script apt-check-sigs that will check the above signature: this is explained in the debian page on releases; [debian.org] unfortunately the link to download the script from there is down, here are two alternatives: google cache [216.239.51.104] my site (slow) [tonelli.sns.it]
Re:Signatures? (Score:5, Informative)
Re:Where's the confirmation from debian people? (Score:5, Informative)
This is a truthful report.
You may validate this message against the key for skx@debian.org.
Steve
--
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.3 (GNU/Linux)
owGbwMvMwCR44PyxzWd9eOcyns5PYrDfJ7EiJCOzWAGIEhV
i0r0uLgi80sVchMrFcoSczJTEktSFUpAi
aflFCsXZFQ4pqUmZiXl6+UXpQCO4gktSy
SLxI+1madnvjbIZVrZu0HcTnzGdY0LBFy
=xVtr
-----END PGP MESSAGE-----
Re:Has a Microsoft release ever been compromised? (Score:4, Informative)
I don't know if this delayed a release, but -- in October 2000, the news broke that Microsoft's internal network had been cracked for three months.
(Debian made this announcement in 24 hours.)
Read for yourself:
Microsoft Cracked [slashdot.org]
Re:apt (Score:2, Informative)
If you're using stable, the only updates are security fixes and point releases. Both are annouced by signed emails before hitting the archive.
So just don't blindly update & upgrade on a whim. Instead, regularly check the annouce/security lists, and only upgrade when required. For the common case (security update), you'll also know exactly which packages apt should flag for update (you can also do the exercize for a point release, but it's more work
Of course, that's not 100% bullet-proof. The archive could be compromised so that just a security updated package is "trojaned" for example. But that's harder.
Practical exampl: this morning apt got errors and suggested upgrades never annouced for after an update. I smelled something bad and did not upgrade, waiting for just this kind of news
And I haven't been disappointed: the reaction has been quick & honest, and no harm on my side...
Not BitKeeper, CVS (Score:2, Informative)
Nobody's asking you to trust the keyserver (Score:5, Informative)
PGP keyservers (unlike, say, Kerberos KDCs) are completely untrusted. Anyone can upload any key to a keyserver. And downloading a key from a keyserver implies nothing about that key.
To verify that you have a valid key, you have to rely on the web of trust. Basically, if a key is signed by someone whose key is signed by someone [recurse through however many levels you are comfortable with] whose key you have personally inspected, then the key can be assigned a trust metric based on how reliable you consider that chain of signatures to be. (Basically, how much you trust the integrity and acuity of the people controlling the chain of signatures.)
PGP and GnuPG have supported this infrastructure from Day 1. Asking people to trust an arbitrary third-party public keyserver was never in the plans.
Re:Sign, sign, sign, sign. (Score:2, Informative)
So unless you can trust the entity who signed the package, it's all moot.
Obviously, the debian project could sign the package using the Debian Package Signing Key, but you've just changed the problem from "how can an end user know that this key is worth trusting" to "how can debian know that this key is worth trusting". This is (probably) solvable, but still quite hard.
Note that the technology is easy, but the processess to back it up aren't.
Re:Signatures? (Score:1, Informative)
Re:Debian - maybe not so great (Score:2, Informative)
Precisely as hard as it would be on any other system, excluding those Debian boxes which actually verify the signatures before installing packages (where it would be impossible).
However, it would be noticed rapidly and suitable announcements made.
Re:Honestly... (Score:5, Informative)
Not true. [computerworld.com]
Everyone here knows if windowsupdate.microsoft.com had been compromised, people would be droning on about how it's some sort of illustration of Microsoft's security.
Their update server wasn't compromised, but the debian archive also wasn't compromised in this case. But, yes, we have to work harder to make our servers secure. And we will never reach the point were our systems will be unvulnerable. So what is your point? You complain that there aren't enough anti-oss-trolls here?
Re:Where's the confirmation from debian people? (Score:2, Informative)
Re:Honestly... (Score:3, Informative)
I'd hate to say this too, since it is wrong.
Microsoft's internal network was compromised, as reported by the BBC [bbc.co.uk], and many other news agencies.
So, please do some research before welcoming your "secure" overlords...
Re:...not the archive. (Score:5, Informative)
As far as I understand, no machines apart from the several Debian computers have been compromised. Compromising a machine that hosts the central Debian APT repositories is a perfect opportunity for backdooring thousands of machines In this case, that didn't happen. "Thousands of machines across the globe" have not been compromised. I guess it's only good luck but Debian users were not affected by this security breach.
Re:Where's the confirmation from debian people? (Score:5, Informative)
Re:apt (Score:3, Informative)
Re:I was wondering... (Score:1, Informative)
Skip ahead a year or two. If you're doing a good job (and I mean a _damn_ good job), someone might propose you become a Debian Developer. Here is where the danger lies, and I'm not sure how a DD let their password slip.
But certainly don't think that because you have some 2-year college course under your belt that you are going to jump into the think of Debian development right away.
Re:So what do we do to prevent this in the future? (Score:2, Informative)
apt-secure
apt-check-sigs
not to mention they are already gpg signed
Re:Sign, sign, sign, sign. (Score:4, Informative)
Which is exactly the state in Debian, too.
Jeremy
Re:Honestly... (Score:3, Informative)
It has been before. when code red hit. [winnetmag.com] Although the link given in that article is no longer working there are plenty of screen shots of www.windowsupdate.com with 'hacked by chinese' on it out there somewhere.
You cannot blindly trust anything, from anyone. I don't care if Mom says her apple pie is just dandy I'm gonna run my own tests.
Re:Sign, sign, sign, sign. (Score:3, Informative)
Finally, the NM process [debian.org] itself is the ultimate arbitrator of who enters Debian. A prospective developer gets evaluated by multiple people before he or she actually becomes a developer.
While still not foolproof, these techniques combined help reduce the lack of accountability and the lack of trust in the system. [Of course, in the end, you really need to go out and sign and get your key signed by a Debian Developer (or a couple) so you can join the web of trust and the strongly connected set too.]
Re:Digital Signing of Packages? (Score:2, Informative)
A revokation key has little attractiveness, IMO. By most part, having your key rekoved doesn't stop you from communicating, nor it allows whoever got it pretend it's you. Nothing stops you from having more than one key either. You don't have to use the Debian one for everything.
Safekeeping is easy too. Print it on paper (it looks same as a PGP ASCII-armored key), store somewhere safe (put it in a bank for safekeeping) and then agree that when there's enough people who think the key should be revoked, go fetch the paper and type the key on the computer.
There's really no reason to keep them on a computer. Revoking your key isn't something you do often.