On Thu, Dec 04, 2003 at 01:50:35PM -0700, Dave wrote:
> On Thu, 04 Dec 2003 20:20:21 +0100, Terry Hancock <[EMAIL PROTECTED]> wrote:
> [...]
> >There is also the point that *somebody* found this bug. Just not the
> >folks we were hoping would. ;-) Letting real crackers hammer your
> >system is another way to find bugs, although we hope it's a last resort.
>
> You missed my point. I think this *is* a fire drill! I think this
> break-in was done by the best folks we could ever hope for.

I disagree entirely. All the evidence seems to indicate that this was a
serious compromise attempt by a real Black Hat. The Debian folks caught it
quickly by a combination of good luck and good management.

> Consider this: The attacker chose a system that was heavily guarded and
> would generate a quick response from the people who could distribute a fix
> most quickly. He or she had intimate knowledge of the various Debian
> servers. And no damage was done.

Is there any actual indication that the attacker had prior knowledge of the
Debian servers? I don't remember any mention of that in the official
announcements so far.

As for "No damage was done", I believe that has to do with the security
model of the package repositories. I don't know the details, but my money
says they're designed to be hard to tamper with.

> Can you hope for a better hacker than this? Do you think he could have had
> the same impact by merely announcing that he *could* break into a system if
> he wanted?

It's "cracker". Not "hacker".
http://web.bilkent.edu.tr/Online/Jargon30/JARGON_C/CRACKER.HTML

If it were a publicity stunt, somebody would probably have made some kind of
"I did it and here's why" statement ... from a throwaway hotmail address or
some other hard-to-trace source. Or left a "ha-ha, see how easily I 0wnzed
yer b0x" message on the system to be found.

I see no indication in any of the reports that the intruder(s) expected to
be caught, or did this as a deliberate warning.

If it weren't for the frequent oopses and the AIDE warnings, I completely
believe the attacker would be busily figuring out how to get into the
package archive to tamper with the distro itself.

> The real question now is "How many similar exploits exist, and are being
> kept quiet for use in a real situation." We can only hope it's the good
> guys who have these secrets.

Exist and are _known_ and are being kept quiet... I have my doubts that
there's any substantial number of those. When the kernel-hackers find an
exploitable bug they squash it, and when the bad guys find one first, their
incentive is to use it quick before the kernel-hackers find it and squash it.

Cheers!
--
-------------------------------<<ScruLoose>>-------------------------------
If I had a dog as daft as you, I'd shoot him.
- Scottish Proverb
--------------------------<<Please do not CC me>>--------------------------