[svlug] Re: Fwd: Re: Debian servers "hacked"?

Karsten M. Self kmself at ix.netcom.com
Mon Nov 24 21:15:04 PST 2003

on Mon, Nov 24, 2003 at 08:20:08PM -0500, George Georgalis (list-svlug-sender-19fa62 at lists.galis.org) wrote:
> On Mon, Nov 24, 2003 at 01:34:18AM -0800, Karsten M. Self wrote:
> >Yes, getting a prominent message on the main Debian.org website would be
> >useful.  I imagine people have their hands busy ATM.
> >
> >Fact remains:  the project was compromised, appears to have been
> >discovered within a matter of days, immediately secured (by taking
> >servers offline), word was distributed as soon as a clear assessment was
> >available (sooner might have been useful, but we're talking a matter of
> >hours at most -- I was on #debian IRC during much of this period).  And
> >a full disclosure of methods, systems compromised, risks, and
> >mitigations, has been and is being presented.  If only elections or
> >accounting operated as transparently.
> >
> >Expect more details as they come available, including mainstream
> >coverage at The Register and other IT news sites.
> That's all fine and everything, thanks for the other resources too.
> The central part of my concern, however, is the unusual circumstance
> of a high number of updates announced shortly before the compromise
> announcement. 

If you want information on this, I'd recommend you contact someone at
the Debian project directly.  This is the SVLUG list, not
debian-developer, and while there are some Debian types to be found
here, you're better off getting information elsewhere and posting it
here, than grousing to SVLUG.

There are links about the compromise and the 3.0r2 release in the News
section of http://www.debian.org/ (and mirrors) now.  For more
information, send mail to press at debian.org .

Checking on IRC at #debian-devel, the updates aren't security releases,
but a consequence of the 3.0 update, and constitute packages which had
been available on security.debian.org for weeks to months.

Your main problems appear to be:

  - The initial announcements of the compromise were _so_ timely you'd
    missed them on Slashdot and other places if you didn't bother
    checking until late Sunday or early Monday.  Several mainstream news
    sites picked up the item again now Monday as the week started.

  - You performed no research before grousing to a tangentially related

  - You couched your post as complaints, rather than a request for
    information.  A "what's up with Debian updates/websites/archives"
    would be more appropriate.

  - After being mildly directed once as to where you might look for
    additional information, you're repeating the above cycle.

> Are these new updates really urgent, is there a known exploit in the lab
> or in the wild, or theoretical?

If you'd like to review updates and reasons for updates prior to
installation I'd recommend you install the 'apt-listchanges' package.
Similarly, 'apt-listbugs', though the latter is down ATM as the BTS is
among the affected systems.

All Debian packages include a Debian project specific changelog
indicating changes and reasons for same.

> I understand admins are busy ATM, but I still think with the special
> circumstance of all those updates announced before the compromise
> disclosure, appropriate background as to why so many updates came out
> at once in addition to clarification that security.debian.org is truly
> secure now, would be appropriate.

What specific notification would you feel appropriate, and how would you
have had it distributed?

Note that the list machine (murphy) was among those affected by this
outage, which somewhat cramped the ability to notify and coordinate
communications within the group.  This points to a vulnerability of
collaborative free software projects in general:  open, accessible,
timely, and inexpensive means of communications are essential.  Debian
got hit at a weak spot.  As one of the DDs on #debian-devel put it, the
compromise "left precious few official channels".  Considering this, use
of fallbacks (out-of-band email, websites, news sites, etc.) seems to
have worked pretty well.

I've already suggested that a fallback, out-of-band, independent server
for debian-announce be maintained.

> I am not qualified to audit the source, but without an announcement re
> the updates, and no third party audit to be seen or heard of, a source

If you don't want to install the updates, don't install them.

Information should be, again, available, in the near future.

And again:  I'd suggest you focus on specific concerns and mitigations,
backed by a modicum of research.

> Is there a list of what has been validated and/or restored at debian?

See the previously provided links at wiggy.org:


...which includes an "updates" link.

> If so I see no reason to withhold it for a final report, and good
> reason to have it live, throughout the process. 

Parse error.  Could you rephrase?

> It would enable undertaking of realtime debian system threat analysis
> based on the trust established with debian last week versus after the
> compromise.

Parse error.  Could you rephrase?


Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Support the EFF, they support you:  http://www.eff.org/
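Reviewing what an update changes, and why, before installing it is what apt-listchanges does by reading each package's Debian changelog. As an added example that is not part of the original post and is not code from the apt-listchanges project, the parser below reads the Debian changelog format (a header line carrying package, version, target distributions and urgency, "*" bullet items with indented continuation lines, and a " -- maintainer  date" trailer) and picks out the entries worth reading first: those with urgency high or above, or whose change text mentions security or carries a CAN/CVE/DSA identifier. The package name, maintainer and change entries in the sample changelog are constructed for illustration and are not real Debian history.

```python
"""Parse Debian changelog entries and flag the ones worth reading before an upgrade.

Added example; not code from the original post or from apt-listchanges.
SAMPLE_CHANGELOG is constructed for a hypothetical package and is not real
Debian history.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header line of a changelog entry:
#   package (version) distribution(s); urgency=low|medium|high|emergency|critical
HEADER_RE = re.compile(
    r"^(?P<package>[a-z0-9][a-z0-9+.-]*) \((?P<version>[^)]+)\) "
    r"(?P<dists>[^;]+); urgency=(?P<urgency>\w+)"
)
# Trailer line: " -- Maintainer Name <addr>  Date" (exactly two spaces before the date)
TRAILER_RE = re.compile(r"^ -- (?P<maintainer>.+?)  (?P<date>.+)$")
# Wording or identifiers that mark a change as security related
SECURITY_RE = re.compile(r"\b(CAN-\d{4}-\d+|CVE-\d{4}-\d+|DSA-\d+)\b|security", re.I)
# Debian urgencies that mean "install promptly"
URGENT = {"high", "emergency", "critical"}


@dataclass
class Entry:
    package: str
    version: str
    distributions: List[str]
    urgency: str
    changes: List[str] = field(default_factory=list)
    maintainer: str = ""
    date: str = ""

    def security_related(self) -> bool:
        return any(SECURITY_RE.search(c) for c in self.changes)


def parse_changelog(text: str) -> List[Entry]:
    """Split a changelog into entries; each bullet becomes one joined change string."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["package"], m["version"], m["dists"].split(),
                            m["urgency"].lower())
            entries.append(current)
            continue
        if current is None:
            continue  # text outside any entry (e.g. before the first header)
        t = TRAILER_RE.match(line)
        if t:
            current.maintainer, current.date = t["maintainer"], t["date"].strip()
            current = None  # entry closed; following lines belong to the next header
            continue
        stripped = line.strip()
        if stripped.startswith("*"):
            current.changes.append(stripped[1:].strip())
        elif stripped and current.changes:
            current.changes[-1] += " " + stripped  # continuation of the previous bullet
    return entries


def review_candidates(entries: List[Entry]) -> List[Entry]:
    """Entries an admin should read before upgrading: urgent or security related."""
    return [e for e in entries if e.urgency in URGENT or e.security_related()]


# Constructed sample: hypothetical package, maintainer and changes.
SAMPLE_CHANGELOG = """examplepkg (1.2.3-4) stable-security; urgency=high

  * Security fix: reject over-long request lines before copying them.
  * Rebuild against current libfoo.

 -- Jane Maintainer <jane@example.org>  Sun, 16 Nov 2003 10:00:00 +0100

examplepkg (1.2.3-3) unstable; urgency=low

  * Update German translation.
  * Correct typo in the man page;
    no functional change.

 -- Jane Maintainer <jane@example.org>  Tue, 04 Nov 2003 09:30:00 +0100
"""

if __name__ == "__main__":
    for e in review_candidates(parse_changelog(SAMPLE_CHANGELOG)):
        print(f"{e.package} {e.version} [{e.urgency}] {e.date}")
        for c in e.changes:
            print("   -", c)
```

Run against a real package's /usr/share/doc/<pkg>/changelog.Debian (gunzipped) to see the same filtering on live data; the urgency field answers the "is this urgent?" question directly, and the bullet text gives the maintainer's stated reason for each change.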