Debian Project Servers Compromised

Sean was one of many to pass along the bad news from the debian-announce mailing list: "Some Debian Project machines have been compromised. This is a very unfortunate incident to report about. Some Debian servers were found to have been compromised in the last 24 hours. The archive is not affected by this compromise! In particular the following machines have been affected: 'master' (Bug Tracking System), 'murphy' (mailing lists), 'gluck' (web, cvs), 'klecker' (security, non-us, web search, www-master). Some of these services are currently not available as the machines undergo close inspection. Some services have been moved to other machines (www.debian.org for example). The security archive will be verified from trusted sources before it will become available again." They were going to announce 3.0r2 this morning; they've checked it and it's unaffected but obviously they're still postponing that release.
  • by Anonymous Coward on Friday November 21, 2003 @09:37AM (#7527510)
    back until they are sure.

    however, it does remind me of the gnu ftp cracking incident a while back...

    (although that was a known exploit, and this seems to be login/password being compromised)
  • by greechneb ( 574646 ) on Friday November 21, 2003 @09:39AM (#7527527) Journal
    Who knows what the motives were at this point. Maybe it's just a *BSD user trying to show that Linux is insecure, and doesn't want to hurt anyone else. Maybe it's some script kiddie who had an early bedtime and had to go to bed before he got to do any major damage. Maybe it is part of a campaign to discredit Linux in general (*cough*SCO). Until more is known, the goal of this break-in won't be known.
  • by Tri ( 60119 ) on Friday November 21, 2003 @09:39AM (#7527530) Homepage
    This message is not on the archive, as the archive is not currently being updated (it lives on master). You can get a copy of the announcement on other archives of Debian mailing lists such as gmane's.
  • by cgranade ( 702534 ) <cgranade AT gmail DOT com> on Friday November 21, 2003 @09:39AM (#7527532) Homepage Journal
    How long will it take for the few MS fanboys around to say that this is why Windows is better? Let me pull a Rumsfeld (pre-emptive retaliation, that is...). Everyone gets compromised once in a while. At least Debian is open about it, and not sitting on an insecure system because it's more profitable to let a bad product go than to risk bad press from releasing a security bulletin.
  • by Alcoyotl ( 157542 ) on Friday November 21, 2003 @09:41AM (#7527552) Homepage Journal
    Any other company would have swept that kind of incident under the rug hoping it had gone unnoticed, or would have cooked up a PR statement to minimize the incident.

    Here we can see the strength of such projects, as in this [slashdot.org] recent kernel story.
  • by stevey ( 64018 ) on Friday November 21, 2003 @09:42AM (#7527565) Homepage

    Password stealing is pretty OS independent.

    So this compromise, whilst undeniably bad, isn't really going to show much about Debian, or Windows.

  • Makes you wonder (Score:5, Insightful)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Friday November 21, 2003 @09:42AM (#7527567)
    It really is impressive for me how honest some organizations have been about admitting system compromises (Debian, ProFTP, GNU.org).

    As someone who works with networking security, I know lots of business servers get compromised regularly. Everyone hides it because it's embarrassing for a business.

    This makes you wonder how often other 'critical systems' get compromised, and get fixed without any public reports. Government computer systems get regularly compromised after all. But I'm sure so do vital Microsoft, IBM, systems, etc. Windows Update, anyone?
  • by Anonymous Coward on Friday November 21, 2003 @09:43AM (#7527568)
    Saner Open Source heads sign with GPG. God alone knows why anyone thinks MD5 alone is adequate in this day and age.

    Just don't do it kids.

    I do wonder though, what with the "professional" level of the unsuccessful attack on Linux BitKeeper, and so on, whether there are more serious forces than the usual crop of script-kiddie losers currently targeting open source.

    Actually, I think a good code-audit is healthy once in a while. Open Source is made stronger and stronger by attacks. Hopefully this will be the final death knell for md-fucking-5.
  • by Anonymous Coward on Friday November 21, 2003 @09:43AM (#7527574)
    What makes you believe that it was a compromised password and not some new or unknown exploit?

    -JohnF
  • by Anonymous Coward on Friday November 21, 2003 @09:50AM (#7527622)
    I don't think the "MS fanboys" are trying to say that Windows is more secure than Linux (though no doubt some of the trolls are). I think in general what they are saying is "see, Linux doesn't have the rock solid invincible security the Linux zealots would like us to believe it has".

    In other words, "here is a taste of your own medicine"... bitter isn't it?
  • Grumble, grumble (Score:5, Insightful)

    by Anonymous Coward on Friday November 21, 2003 @09:50AM (#7527624)
    What's interesting about your comment is that when a M$ compromise comes to light, the focus is on how big a bozo BillyG is for letting his insecure crap out into the world. When something like this happens, it's those nasty little hackers or script kiddies and their deep dark motives or a cabal led by M$/SCO to "discredit" Linux. Face it, the main servers for a major distro were hacked into at a very sensitive time. Ouch. Regardless of the whys of who did it, it was done. Yeah, kudos for them coming public, but if I'm Joe CTO and looking at purchasing some puters, I'm thinking to myself, hey, what's up with this, they told me that M$ stuff sucked and this Linux stuff was secure. This wasn't some ma and pa website that got defaced after all.
  • by samjam ( 256347 ) on Friday November 21, 2003 @09:51AM (#7527630) Homepage Journal
    Don't be certain that digital signing is such a cure.

    The person operating the non-networked signing machine still needs to be sure that what-it-is-that-they-are-signing is what-it-is-supposed-to-be.

    Now how does digital signing on a non-connected machine help you know the source wasn't tampered with?
  • by martinde ( 137088 ) on Friday November 21, 2003 @09:51AM (#7527634) Homepage
    > I noticed that nowhere did they mention just *how* they were compromised.

    They will when it's known. They felt it more important to announce what's going on immediately than to wait until there were details to announce. Part of Debian's social contract is "we will not hide problems"; this announcement and those that will follow as more is known demonstrate this policy in action.
  • by caluml ( 551744 ) <slashdot@NosPAM.spamgoeshere.calum.org> on Friday November 21, 2003 @09:51AM (#7527637) Homepage
    .debs should be gpg signed, and should fail to install if the verification fails. In fact, so should all packages from distros. Redhat, +1, Already doing it. -1, not failing to install if the packages don't verify.
  • Re:OpenBSD (Score:5, Insightful)

    by Ascender ( 160684 ) on Friday November 21, 2003 @09:53AM (#7527649)
    If Debian ran OpenBSD, this wouldn't have happened! Theo runs a tight ship over there.
    I also think that Gentoo would have prevented this tragedy.

    Not really. The vast majority of break-ins are through misconfiguration or human error. Neither Gentoo, OpenBSD, nor anything else can prevent these factors. I would be very surprised if this was due to a security hole or vulnerability. More likely someone wasn't secure enough with their SSH keys or something like that.
  • by Cthefuture ( 665326 ) on Friday November 21, 2003 @09:54AM (#7527660)
    As Linux becomes more popular this is only natural.

    Open-source projects are not immune to attack and they are going to start feeling some of the pain experienced by other big targets like Microsoft. In the beginning it could be really bad because unless you're being attacked seriously all the time then you may not even realize where your vulnerabilities are.

    This is a wake-up call to all "open" projects. Systems that are in use by a large number of people need to be protected better. Sure, this may have been a password compromise but the system should have been secure enough that some low-level user account compromise can't cause serious damage. And the high level accounts should never, ever have a password compromise. This needs to be treated in the same way big business does. Protect the customers, otherwise you may lose them.

    This made me start thinking... Has Redhat ever been compromised? That'd be a reason for going with a commercial distro if the free distros can't get their act together. (I've been a Debian user for many years by the way)
  • by Pecisk ( 688001 ) on Friday November 21, 2003 @09:57AM (#7527681)
    I just guess it's because honesty is simply one of our (all open source society) unofficial principles and I think it's a very good principle. I love it; however, such happenings as this break my heart a little bit. Ok, never mind, I admit, I'm emotional :)

    I think honesty ALWAYS has a payback, sooner or later. It may sound absurd, but people trust you more if you admit your mistakes, even the worst ones.
  • Re:OpenBSD (Score:1, Insightful)

    by Anonymous Coward on Friday November 21, 2003 @09:59AM (#7527686)
    Considering everyone is saying this was a password compromise, how the fuck would OpenBSD and Gentoo have prevented this?
  • by sylvester ( 98418 ) on Friday November 21, 2003 @10:01AM (#7527695) Homepage
    Of course, we shouldn't jump to conclusions until we get more information, but really, I don't see an easy way out of this.

    Why should you? They were cracked. The bad thing has already happened, so there is no easy way out. However, there *is* a *right* way out. And that includes telling people what they know as quickly and effectively as they can. Too much information too early can be a bad thing.

    In short: have a little faith that they're dealing with this correctly, unless you've run a massively-used public box for years without a single compromise.

    -Rob
  • by Goody ( 23843 ) on Friday November 21, 2003 @10:04AM (#7527708) Journal
    Windows Box Gets Hax0red: "Ha ha ha ! Serves 'em right for running Bill Gates' Satanic OS. Let the jokes begin. Moderators, get ready !"

    Linux box gets compromised: "Oh, this is so unfortunate. Oh dear. Can I have a moment of silence ?"

  • by FooBarWidget ( 556006 ) on Friday November 21, 2003 @10:05AM (#7527719)
    You're talking as if the Linux community is full of zealots who can't be objective. That's completely wrong.

    People *already* know that OSS is not perfect, and they have known for years. People already know OSS is not immune.
    But, more importantly, those same people know *nothing* is immune. Not MS, not Linux, not BSD, not (even!) MacOS, not DOS. *All* systems can be hacked.

    What *really* matters is the attitude to security.
    - A lot of the larger OSS projects care deeply about security. If a security bug is found, it's usually fixed very fast, and the fix will be peer reviewed.
    - They openly admit all flaws and bugs. Because of this, OSS *appears* to have more bugs.
    Do you see Microsoft admit all their bugs? I don't think so. MS hides a lot of bugs, pretending that they don't exist and that Windows is perfect.

    Too bad all the MS zealots and anti-OSS/anti-Linux zealots use that to "prove" Windows is more secure than Linux/OSS/whatever. The number of bugs is *not* an accurate indication of security.

    Linux zealots are only a small minority of the community. If you think they represent the entire community then you're wrong, just like so many people out there.

    "Has Redhat ever been compromised?"

    Maybe. If they haven't then it's because of pure luck.
  • Re:apt (Score:2, Insightful)

    by DGolden ( 17848 ) on Friday November 21, 2003 @10:05AM (#7527720) Homepage Journal
    Security 101 - it's better to have the information as soon as possible, even if there's no fix, you can take the server offline until a fix is available.

  • by stevey ( 64018 ) on Friday November 21, 2003 @10:08AM (#7527729) Homepage

    That sounds like a great idea for a home machine, or even a dedicated box.

    But if you're trying to maintain an open collection of machines like Debian is, where developers from all over the world can connect from wherever they are (dialup/dhcp/cable/travelling) you can't easily restrict their IP.

    It's like saying a mail server should only accept mail from IP a.b.c.d - it just doesn't work.

  • Re:OpenBSD (Score:5, Insightful)

    by FooBarWidget ( 556006 ) on Friday November 21, 2003 @10:14AM (#7527770)
    As much as a troll he may be, he does have a point. Windows zealots usually use stories like this to say that Linux is insecure. However, when they do that, we can just say "So what? Open source is still more secure. If you want absolute security then go use OpenBSD."

    It's not about Linux vs Microsoft, it's about Open Source vs Microsoft.
    Heck, maybe even Unix vs Microsoft. Because then we can use MacOS X to beat all the Windows zealots.
  • by G4from128k ( 686170 ) on Friday November 21, 2003 @10:18AM (#7527785)
    I doubt that Microsoft (or any commercial software company) would publicly announce that it had been compromised. The source code processes at Microsoft are opaque -- nobody knows exactly who is putting what into the source code. If hackers, government officials, RIAA, etc. are modifying Windows' source, nobody would be the wiser. In contrast, the openness of open source development creates an audit trail of who did what to the code (assuming the version tracking and submission system is not compromised).

    Transparency is a prerequisite for trust.
  • Honestly... (Score:0, Insightful)

    by bonch ( 38532 ) on Friday November 21, 2003 @10:25AM (#7527834)
    You say "everyone gets compromised once in a while." Is that really your views when a Linux server gets compromised? I hate to say it, but Microsoft's haven't been compromised, and they're the bigger target.

    Everyone here knows if windowsupdate.microsoft.com had been compromised, people would be droning on about how it's some sort of illustration of Microsoft's security. All the "+5 Funny" trolls would be out in full force, and everyone would try to act like some sort of security expert.

    Here, we have another OSS break-in (remember GNU?), and people can only offer excuses and justifications. It's a double standard I can't not notice. Sorry to spoil it, but there is nothing wrong with pointing out that this has yet to happen to Microsoft's server. And you know people try harder against them!

    Security to you apparently means "everyone gets compromised once in a while." Wow. If that's the security mentality going around in the Linux community, expect more compromises as Linux grows more popular, and expect more excuses as people try desperately to avoid the "haha, told you so" laughs from people who have pointed out all along that nothing is 100% secure, and that all operating systems--especially Linux--have flaws, holes, buffer overflows, and so forth.
  • by TiggsPanther ( 611974 ) <tiggs@m-[ ]d.co.uk ['voi' in gap]> on Friday November 21, 2003 @10:49AM (#7528043) Journal
    You're right, up to a point. But you've also got to compare the other factors that tend to crop up...

    Windows Box Compromised: Someone exploited a flaw.
    Linux Box Compromised: Insecure password.

    or, if it IS due to a flaw exploit...

    Linux: Box compromised because machine wasn't carrying latest patches.
    Windows: Box compromised even though machine was updated last week.

    Linux: Exploit found. Exploit gets fixed. Publicly. Usually the same month - with a temp-patch available within the week.
    Windows: Exploit found. Exploit gets fixed. Eventually. As a part of the next service pack. Newsgroups, Slashdot and third-party sites suggest workaround. MSKB just says "Problem is under investigation"

    Oh, and there's always...:

    Windows exploited: /. crowd too busy laughing to make sensible posts.
    Linux exploited: /. crowd too busy downloading, testing, and installing the various patches and workarounds that are flying around.
    (Or sending "Use a good password" memos around the office, stating that if an organisation like Debian can be compromised by a password, then Joe Average in accounts hasn't got a hope in hell if his password is the cat's name.)
  • Tempered Arrogance (Score:5, Insightful)

    by ChaoticCoyote ( 195677 ) on Friday November 21, 2003 @10:52AM (#7528070) Homepage

    All three of my Linux boxes run Debian; this latest security breach will not change that.

    However, I hope this type of incident tempers the often-strident elitism of the free software camp. My faith in Debian continues because they caught this problem and openly announced it; my concern is that the lack of consequences will make people assume that this was a false alarm or unimportant incident.

    Free software suffers from "victory disease" -- an assumption that, based on past success, future success is guaranteed. Because free software has proven reliable and secure, the consensus seems to be that it will always be so.

    Pride comes before the fall, as they say. Attempted infiltrations of the Linux source code control system and breaches of security at Debian suggest that we need to be cautiously optimistic, not naively myopic.

  • by jdifool ( 678774 ) on Friday November 21, 2003 @10:58AM (#7528111) Homepage Journal
    Hi,

    218 posts and some rare appropriate reactions.

    • I thought Linux was secure... Guess not. Who told you that Linux was secure? Your grandma? Linux is more secure than Windows, of course. But it's not immunized against crackers. The computer world is based on a set of rules that can be broken. The better you are at mastering these rules, the more secure your boxes are. But these rules can be broken, which means that, given human nature, they are bound to be broken occasionally. Furthermore, you will have noticed that it often relies on human use mistakes (password cracking for instance).
    • Free software sucks, Microsoft rules. Here I can almost physically feel the frustration of advocates of the proprietary world that can do nothing but bash any free software flaw they might encounter. However they deserve a clear, sound, and honest answer. My dear fellows, the free software world never proclaimed itself the embodiment of security. We do our best to ensure it. And don't mix things up: our main problem with Redmond's handling of security is about post-treatment. We do not appreciate the culture of hiding; you can see here how coherent we are with ourselves.
    • Gentoo is better than Debian; oh no it's Redhat; oh no it's Slackware. Hey guys, are you really part of the free software world? Can you just realize these are the precise sentences that led to the proprietary software world? And don't you think that you should adopt a more conservative stance? Don't you think that the moral of this sad story is that nobody is preserved from crackers? Wake up men, this is the very crucial moment where we must stand united. Keep your ammo for your real foes.
    There are some days when you would think that the free software world is not that 'free as in freedom'...

    Regards,
    JDif

  • by zorak1103 ( 572992 ) on Friday November 21, 2003 @10:59AM (#7528118)
    But the whole system is useless (even dangerous) if the hash server is compromised.
  • by zeath ( 624023 ) on Friday November 21, 2003 @11:10AM (#7528207) Homepage
    It's not a hole, though. So far we only know it as a login/password that was compromised. Any system no matter how secure is susceptible to that. Most of Microsoft's holes are much different - they're exploitable and are available from the default recommended installation, meaning the computer grandma bought for Bobby is susceptible and will probably never be patched.
  • by ajnlth ( 702063 ) on Friday November 21, 2003 @11:18AM (#7528280)
    Because of the difference in development/distribution models, most other OSes don't need to have so many of their critical servers exposed to the internet.

    The only way real security can be obtained is by pulling the plug.

  • by Goody ( 23843 ) on Friday November 21, 2003 @11:30AM (#7528408) Journal
    I know, I know, I should get a life.

    No, /. should get a spellchecker.

  • by Ziviyr ( 95582 ) on Friday November 21, 2003 @11:32AM (#7528417) Homepage
    All I want to know is what compromised packages?

    That and why you don't bleep want to get bleeping flamed and yet you bleep bleeep bleep bleepbleep didn't bother reading the article before posting. :-)
  • by vadim_t ( 324782 ) on Friday November 21, 2003 @11:33AM (#7528422) Homepage
    Er, if you can't trust the Debian developers, then why would you install Debian in the first place?

    The point of the idea would be that breaking into the server wouldn't allow you to modify packages - you'd need a developer's private key to sign it too, or get the developer to sign a bad package.

    When it's found security is compromised, all that is needed is to revoke the developer's key. If apt-get is changed so that it checks for revocations before installing the package, the damage will be much less.

    The case of a malicious developer is somewhat harder to handle though, since only somebody with the private key can issue a revocation cert. But this could be quite easily worked around, like forcing every developer to submit a revocation certificate for safekeeping. Then if the developer was found to be malicious the revocation could be sent to the key servers without having the private key.
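    A small model of the scheme discussed in caluml's post (signed .debs that fail to install when verification fails) and in vadim_t's post above (packages signed with a developer's own key, with a revocation check before install). This is an added example, not Debian's or apt's code: ed25519 stands in for GPG signatures, and the package layout, keyring and revocation list are assumptions made for illustration. It also shows why a digest alone (the MD5 point raised earlier in the thread) does not help once the archive server is compromised, since an attacker on the mirror can recompute it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Package is what a mirror serves: the archive bytes plus the metadata a
// client uses to decide whether to install. Digest plays the role of the
// MD5 sum in the thread; it is kept only to show that it is not sufficient.
type Package struct {
	Name      string
	Data      []byte
	Digest    string // hex SHA-256 of Data, recomputable by anyone
	Signer    string // developer key id (hex-encoded public key), assumed layout
	Signature []byte // developer's signature over Name and Digest
}

// Keyring is the client's trust store: known developer keys plus the
// revocations it has fetched (vadim_t's "check for revocations before installing").
type Keyring struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

var (
	ErrDigestMismatch = errors.New("digest does not match archive contents")
	ErrUnknownSigner  = errors.New("package signed by a key not in the keyring")
	ErrRevokedSigner  = errors.New("signing key has been revoked")
	ErrBadSignature   = errors.New("developer signature does not verify")
)

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// signedMessage is the exact byte string the developer signs, binding the
// package name to its content digest.
func signedMessage(name, dig string) []byte {
	return []byte(name + "\n" + dig + "\n")
}

// SignPackage runs on the developer's machine, where the private key lives;
// the archive server never sees that key.
func SignPackage(name string, data []byte, priv ed25519.PrivateKey) Package {
	pub := priv.Public().(ed25519.PublicKey)
	dig := digest(data)
	return Package{
		Name:      name,
		Data:      data,
		Digest:    dig,
		Signer:    hex.EncodeToString(pub),
		Signature: ed25519.Sign(priv, signedMessage(name, dig)),
	}
}

// VerifyForInstall is the fail-closed check a client runs before unpacking.
// Any non-nil error must abort the install rather than merely warn.
func VerifyForInstall(p Package, kr Keyring) error {
	if digest(p.Data) != p.Digest {
		return ErrDigestMismatch
	}
	pub, ok := kr.Keys[p.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if kr.Revoked[p.Signer] {
		return ErrRevokedSigner
	}
	if !ed25519.Verify(pub, signedMessage(p.Name, p.Digest), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// TamperOnMirror models an intruder who controls the archive server but not
// the developer's key: they can swap the bytes and recompute the digest,
// which is exactly what defeats an MD5-only scheme.
func TamperOnMirror(p Package, replacement []byte) Package {
	p.Data = replacement
	p.Digest = digest(replacement)
	return p
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	kr := Keyring{Keys: map[string]ed25519.PublicKey{hex.EncodeToString(pub): pub}, Revoked: map[string]bool{}}
	good := SignPackage("hello_1.0.deb", []byte("constructed package bytes"), priv) // constructed sample
	fmt.Println("genuine package:", VerifyForInstall(good, kr))
	fmt.Println("tampered on mirror:", VerifyForInstall(TamperOnMirror(good, []byte("backdoored")), kr))
	kr.Revoked[good.Signer] = true // developer's key revoked after the incident
	fmt.Println("after revocation:", VerifyForInstall(good, kr))
}
```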
  • by Anonymous Coward on Friday November 21, 2003 @11:34AM (#7528439)
    Nobody can stand up to an attack based on leaked passwords. Nobody.
  • by ThisIsFred ( 705426 ) on Friday November 21, 2003 @11:38AM (#7528467) Journal
    My point is this. Linux is not the be all end all of existence. Its a great OS, with problems just like anything else. Lets keep this in its proper perspective and try to ignore the hysterical ranting of the Debian wackos.

    What does this have to do with the "quality" of Debian? AFAIK, the vulnerability that led to the compromise hasn't been revealed yet. It could have been something as simple as a guessed password.
  • From James Bond... (Score:2, Insightful)

    by Anonymous Coward on Friday November 21, 2003 @11:38AM (#7528469)
    Once is happenstance; twice is coincidence; three times is enemy action.

    Once is the gnu/ftp compromise mentioned here on Slashdot.

    Twice is this incident.

    The third time should convince us all that someone is out to get Open Source specifically! Tighten up your security, gentlemen! The gloves are off and someone out there is trying any means, fair or foul, to discredit Open Source.
  • Re:apt (Score:5, Insightful)

    by jrexilius ( 520067 ) on Friday November 21, 2003 @11:44AM (#7528532) Homepage
    After RedHat dropped their free line (I was just paying for RHN access) I have been contemplating going to Debian for my servers and SuSE for desktops or some other scenario. Debian packages and apt-get were primary reasons for considering that distro as my next platform. I don't want to say I am scared off by this but it does remind me that I have to put more thought into how to deal with these things. I had simply trusted RHN and the PGP signing of their RPMs, which may have been a little foolish.

    I do have to say that I am still happier with Debian broadcasting this incident as loudly as possible rather than the corporate tactic of hushing it up (I know of a few companies that have done just that). Thanks for the open honesty Debian!
  • password (Score:4, Insightful)

    by phorm ( 591458 ) on Friday November 21, 2003 @11:46AM (#7528545) Journal
    You know what... encrypt your SSH connection at 1024-bit... lock your webserver in a vault, 2km underground, with triple combinations... post armed guards... lock down all ports except port 80 and SSH/whatever.

    Then, have your password stolen, and oh shit, you're compromised. It's not about the OS being insecure, it's about a lost password. NOTHING can protect against this, short of one instance I heard where updates required 3 user passwords (from 3 users), but what a pain that would be.
  • by anti-NAT ( 709310 ) on Friday November 21, 2003 @11:46AM (#7528551) Homepage

    You cannot achieve perfect security. It is impossible. You can only aim for it.

    The Debian project will not only retain their credibility, but I'd suggest they'll improve it by

    • continuing to maintain a proper incident response, by continuing to take the appropriate response steps
    • if possible and practical, putting additional counter measures in place to attempt to ensure this doesn't happen again
  • by freeweed ( 309734 ) on Friday November 21, 2003 @12:12PM (#7528801)
    Yikes, I'd figure it's the latest infusion of 6/700,000 user accounts, but your number is really low, so I might as well respond to you.

    In case you haven't noticed, Slashdot has, and always has had, an editorial bias towards OSS, and against Microsoft. So do the bulk of the Slashdot readership. This is nothing new. This is a geek website, and the plain truth is, most people who call themselves geeks don't just sit blindly clicking away in Windows all the time. We like to play with our toys, we like to experiment, we like to open it up and see what makes this baby tick. With something like Linux, you can do this. With Windows, you can't. Those are simply the facts. So of course people here will look upon OSS in a more favorable light.

    Yet today, we have comments such as "hysterical ranting of the Debian wackos" being modded up as Insightful and Interesting? Hello people, that's called flaming. If it was more subtle, as yours is, it's called trolling. Walking into a Britney Spears fan club meeting and shouting "Britney SUCKS!!!" is also an example of trolling/flaming. So when you come to a website with an obvious and open slant towards something, and constantly try to point out that slant...

    Well, I guess I just don't see why you're bothering. I mean really. If you really think the OSS community is full of shit, why on Earth do you come to one of their main websites/blogs/message boards/whatever?

    As far as a double standard goes, I honestly don't get your point. Slashdot has never had a policy of reporting every single hack of a Windows-based system. However, pretty much every major OSS hole/exploit/hack gets a story here. Considering how many Windows machines there are in the world, you'd think there would be a lot MORE exploiting going on (hey, I'll use the "Linux would get hacked too if it was on 90% of computers" line for a change). And yet, we hear more often about Linux machines being compromised.

    Well, except for things like Code Red/Nimda/Slammer/Blaster/etc, which, I'm sorry, but you'd have a hard time convincing me that this DOESN'T prove the case of Microsoft being just slightly less secure than Linux. Or else we'd be seeing Apache worms flooding the Internet on a daily basis, because "Microsoft only gets hacked because it's on 90% of computers", right?

    Oh, and for the record, password compromises are OS-independent, and have nothing (read: zero) to do with the OS, design paradigm of the OS, colour of the developer's underwear, or whether we use a penguin or a flying box to represent ourselves. Only trolls would be saying "Ha ha ha ! Serves 'em right for running Bill Gates' Satanic OS. Let the jokes begin. Moderators, get ready !" if Microsoft had a machine get hacked because of a password compromise.
  • by Omega037 ( 712939 ) on Friday November 21, 2003 @12:13PM (#7528812)
    This is much worse than one of Microsoft's normal problems. With Microsoft you expect the problems, and therefore you maintain constant vigilance. This is a perfect example of why linux users and admins need to also be wary at all times. As linux becomes more and more mainstream, the number of security holes shown will increase as well. More people will use linux and more "hackers" will then be attracted to developing viruses and worms that exploit the system. Regardless of what anyone thinks about Windows vs. Linux, everyone must admit that part of the reason more security holes are found in Windows is because there are many more people looking for them. My advice to linux users is to drop any pretense of Linux being infallible and to start using the same caution running a linux-based server as you would running a windows-based server.
  • by drooling-dog ( 189103 ) on Friday November 21, 2003 @12:27PM (#7528968)
    In the days before the Pure Food and Drug Act, it was considered "nobody's business" what was in the food we eat, either; you just opened the can and accepted whatever was in there. Times change.
  • by Anonymous Coward on Friday November 21, 2003 @12:39PM (#7529097)
    He didn't say that, he pointed out that people jump to conclusions every time anything goes wrong with MS, and do a little happy zealot dance. When a Linux box gets 0wn3d, the same people are trying to minimize the impact here or are suddenly incredibly patient and want to hear the whole story.

    If everyone were patient all the time, it would be different, but it's very selective.
  • by Anonymous Coward on Friday November 21, 2003 @12:40PM (#7529101)
    Yet Microsoft's source code database doesn't get rooted once every six months.

    If Microsoft's source code database had been rooted every day for the last 20 years, you wouldn't know about it. Worse, you wouldn't have any way to verify the binaries you're running now. There are hundreds of builds of Windows in the field at any one time, and those have been patched in a myriad of different ways, all where you can't see the results.

    Debian has an enormous user base, and there'll be enough people worldwide to rebuild a source database, using all their sources to verify each one. That doesn't count whatever the Debian people have stored back away.
  • by Pastis ( 145655 ) on Friday November 21, 2003 @01:52PM (#7529812)
    Best would be that if Microsoft or any resellers was to refund me the licenses cost of the Windows OS I don't use (all my computers run Debian), I would directly send this money to Debian for sure.
  • by _Sprocket_ ( 42527 ) on Friday November 21, 2003 @02:07PM (#7529966)
    "As linux becomes more and more mainstream, the number of security holes shown will increase as well. More people will use linux and more "hackers" will then be attracted to developing viruses and worms that exploit the system. Regardless of what anyone thinks about Windows vs. Linux, everyone must admit that part of the reason more security holes are found in Windows is because there are many more people looking for them."

    This belief that Linux is some kind of new kid on the block and untested completely ignores history. First, Linux deployments have existed in considerable strength for years now. It may not be on every desktop. It may be new to some corporate networks. But Linux has been embraced by ISPs and hosting services for far longer than Linux was even an IT industry buzz word.

    The target that Linux presents also grows beyond Linux's own install base. Much of what can be attacked on a Linux server is not Linux-specific. Finding exploitable holes in common Unix subsystems can often mean the ability to attack a large base of servers - be they running Linux or common Unix systems (such as *BSD or Solaris).

    In short, Linux has been exposed to scritiny for years.


    My advice to Linux users is to drop any pretense of Linux being infallible and to start using the same caution running a Linux-based server as you would running a Windows-based server.

    There is certainly some good advice here. Linux's critics are right on one thing: Linux is not a silver bullet for security. Information security is a complex issue. Linux can be used to simplify this issue to a point. But popping in a Linux CD and clicking on the affirmative button until everything installs is not the answer.

    Linux advocates should be careful that while they make their point, they don't oversimplify to the extent of being misleading.
  • by FooBarWidget ( 556006 ) on Friday November 21, 2003 @03:08PM (#7530690)
    The problem with you MS zealots is that you're acting as if the entire Linux community spreads FUD about MS. That's false: only a small minority is. Now suddenly you are the guys again that spread FUD.

    "If they can't stand the criticism, then they should just shut the hell up."

    As opposed to the Windows community? Moderators from many Windows forums can and will ban you if you say anything that they don't agree with.

    Besides, most "criticism" isn't criticism at all, but just insults, flames, trolls and whining. All that "criticism" doesn't provide any information to make the situation better: all it does is try to mentally hurt people.
  • by zCyl ( 14362 ) on Friday November 21, 2003 @06:13PM (#7532558)
    Everyone hides it because it's embarrassing for a business.

    From my perspective, hiding it is embarrassing for business. A major part of the reason I use Debian is exactly this announcement. I could have guaranteed as a fact that the Debian servers would be compromised; it was just a matter of time. What's important to me is that it's easy to detect when it happens, and that everyone is told about it as soon as it happens.

    I have a machine which I updated during the compromised period. Now I know that when this investigation is complete, I need to check the details to see if the machine needs treatment.

    That's how full disclosure is supposed to work.
  • by poptix_work ( 79063 ) on Friday November 21, 2003 @08:19PM (#7533477) Homepage
    That sounds like a great idea for a home machine, or even a dedicated box. But if you're trying to maintain an open collection of machines like Debian is, where developers from all over the world can connect from wherever they are (dialup/DHCP/cable/travelling), you can't easily restrict their IP. It's like saying a mail server should only accept mail from IP a.b.c.d; it just doesn't work.
    How many people really need access to ssh into a web server? Surely you can manage to restrict access to the handful of people who should be accessing it. If they're on the road, they can ssh home or do without. Is it really worth having systems compromised just so that Joe Blow can ssh in from a friend's house? As a side note, I'm curious as to why, beyond the initial announcement, everyone is being so quiet about it in the Debian world.
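The "restrict to the handful who need it, and let the rest ssh home first" policy from the reply above is expressible in OpenSSH's own configuration. The fragment below is an added example, not Debian's configuration; the user names and the addresses (from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are made up.

```text
# /etc/ssh/sshd_config fragment (added example; names and addresses are made up)

# Before: every local account may log in from any address, and a guessed or
# stolen password is enough.
#PasswordAuthentication yes
#PermitRootLogin yes
#AllowUsers            (unset: no restriction)

# After: keys only, no direct root, and the only accounts accepted are the two
# admins, each pinned to the one host they "ssh home" to before hopping here.
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers alice@192.0.2.10 bob@198.51.100.7
```

`AllowUsers user@host` is matched against the client's source address, so a developer on the road logs into their own pinned machine first and connects from there; a credential lifted from an unlisted host is useless on its own. Check the file with `sshd -t` before restarting the daemon, since a syntax error here locks everyone out.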
  • by Anonymous Coward on Friday November 21, 2003 @08:26PM (#7533512)
    gnu.org was r00ted and compromised for months before anyone caught wind of the break-in. What's better? Not knowing, or thinking that you don't know because they won't tell you?

    Oh but this is Slashdork so gnu.org getting rooted is just a little non-event as far as everyone is concerned.

  • by Knights who say 'INT ( 708612 ) on Saturday November 22, 2003 @09:45AM (#7535858) Journal
    Yes, but they compromised security.debian.org.

    And rogue ftpd/httpd services which serve different stuff to different people are not unheard of either.

    Christ, if people keep ignoring issues in open source software, the whole thing is gonna sink in a couple of years, and people will remember Linux as yet another stupid thing they invested money in, much like push technology.
