On Thu, Dec 04, 2003 at 04:57:55PM -0500, ScruLoose wrote:
> On Thu, Dec 04, 2003 at 01:50:35PM -0700, Dave wrote:
> > On Thu, 04 Dec 2003 20:20:21 +0100, Terry Hancock <[EMAIL PROTECTED]> wrote:
> > > [...]
> > > There is also the point that *somebody* found this bug. Just not the
> > > folks we were hoping would. ;-) Letting real crackers hammer your
> > > system is another way to find bugs, although we hope it's a last resort.
> >
> > You missed my point. I think this *is* a fire drill! I think this
> > break-in was done by the best folks we could ever hope for.
>
> I disagree entirely. All the evidence seems to indicate that this was a
> serious compromise attempt by a real Black Hat. The Debian folks caught
> it quickly by a combination of good luck and good management.
>
> > Consider this: The attacker chose a system that was heavily guarded and
> > would generate a quick response from the people who could distribute a fix
> > most quickly. He or she had intimate knowledge of the various Debian
> > servers. And no damage was done.
>
> Is there any actual indication that the attacker had prior knowledge of
> the Debian servers? I don't remember any mention of that in the official
> announcements so far. As for "No damage was done", I believe that has to
> do with the security model of the package repositories. I don't
> know the details, but my money says they're designed to be hard to
> tamper with.
>
> > Can you hope for a better hacker than this? Do you think he could have had
> > the same impact by merely announcing that he *could* break into a system if
> > he wanted?
>
> It's "cracker". Not "hacker".
> http://web.bilkent.edu.tr/Online/Jargon30/JARGON_C/CRACKER.HTML
>
> If it were a publicity stunt, somebody would probably have made some
> kind of "I did it and here's why" statement ... from a throwaway hotmail
> address or some other hard-to-trace source. Or left a "ha-ha, see how
> easily I 0wnzed yer b0x" message on the system to be found.
>
> I see no indication in any of the reports that the intruder(s) expected
> to be caught, or did this as a deliberate warning.
>
> If it weren't for the frequent oopses and the AIDE warnings, I
> completely believe the attacker would be busily figuring out how to get
> into the package archive to tamper with the distro itself.
the question i keep arriving at is who benefits from the publicity surrounding this? there's got to be a reason why no calling card was left, i.e., the caller has a vested interest in not claiming credit, which would tend to suggest a contract job.

as to the issue of whether the attacker had previous knowledge of the debian servers, only a fool wouldn't do everything to acquaint him/herself with the environment where they plan to engage in mischief.

given the regular stream of ridiculous garbage coming from redmond about linux, while new holes are found in their os and apps on an almost weekly basis, this seems like the next stage in the campaign to buttress the losses they've been taking all the while linux has found favor.

apart from the money issue, linux, and particularly debian, represents the absolute opposite to their culture. this distro, as a product of volunteerism on the part of people who have nothing to gain apart from their own satisfaction in making the thing work, represents a huge philosophical challenge to those who view the world in terms of how much they can extract from it. the attacks are, on the one hand, a wake-up call, but, on the other, a statement from the opposition that proves both the significance and the ascendance of human cooperation as a power, with no other incentive in mind than to do the best that can be done.

on the subject of disclosure of methods, i've been trusting the team for almost five years, since i first came across debian. i have no reason not to trust them now. i'm amazed at the speed of the recovery, given that everything that had to be done was done by folks who do this in their spare time.

my thanks and respect. debian keeps on rockin'.

ben