[svlug] Re: Fwd: Re: Debian servers "hacked"?

George Georgalis list-svlug-sender-19fa62 at lists.galis.org
Mon Nov 24 17:20:08 PST 2003

On Mon, Nov 24, 2003 at 01:34:18AM -0800, Karsten M. Self wrote:

>Yes, getting a prominant message on the main Debian.org website would be
>useful.  I imagine people have their hands busy ATM.
>Fact remains:  the project was compromised, appears to have been
>discovered within a matter of days, immediately secured (by taking
>servers offline), word was distributed as soon as a clear assessment was
>available (sooner might have been useful, but we're talking a matter of
>hours at most -- I was on #debian IRC during much of this period).  And
>a full disclosure of methods, systems compromised, risks, and
>mitigations, has been and is being presented.  If only elections or
>accounting operated as transparently.
>Expect more details as they come available, including mainstream
>coverage at The Register and other IT news sites.

That'a all fine and everything, thanks for the other resources too.

The central part of my concern, however, is the unusual circumstance
of a high number of updates announced shortly before the compromise
announcement. I don't know the topology behind the hostnames
and regardless of whether the 'archive' was compromised if
security.debian.org was compromised, there is a big breakdown (we all
know that).

When the first third of updates where announced, I was somewhat shocked.
How could there be so many updates at once? New auditing technique?
Audit procedural bottleneck? and ultimately trojan updates crossed my

Are these new updates really urgent, is there a know exploit in the lab
or in the wild, or theoretical?

I understand admins are busy ATM, but I still think with the special
circumstance of all those updates announced before the compromise
disclosure, approprate background as to why so many updates came out
at once in addition to clarification that security.debian.org is truly
secure now, would be approprate.

Anybody can use there imagination for a variety of scenarios.  With no
announcement re the burst of updates and now that security.debian.org is
online again, admins who trust debian.org are expected to have _faith_
that everything is in order, install updates or remain vulnerable --
while remaining in the dark on the nature and level of eminent threat
-- at a time when trust could be expected at its lowest. Perhaps it is
reasonable to assume the faithful will remain so today, but why put
paranoid folk through the ringer?

Had there been no recent updates, I can see this as a time for silence
and rebuilding; but with so many updates (or any for that matter) at the
time of the compromise, a brief announcement confirming their validity
and assurance relevant pgp pass-phrases are still really secret would
be a good thing. leme see, no revoked keys, sigs good, the parties
responsible must be golden...

I am not qualified to audit the source, but without an announcement re
the updates, and no third party audit to be seen or heard of, a source
audit (and build/install) of these updates would seem approprate, and a
shame (wasted resources) because it was probably just done at debian. Is
there a list of what has been validated and/or restored at debian? If
so I see no reason to withhold it for a final report, and good reason
to have it live, throughout the process. It would enable undertaking of
realtime debian system threat analysis based on the trust established
with debian last week verses after the compromise.

// George

GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027    <IXOYE><
Security Services, Web, Mail,            mailto:george at galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 

More information about the svlug mailing list