Despite a cracker incursion into Debian Project servers this week, representatives of the Debian Linux distribution said the open-source code behind it remains untouched.
I read about this in Debian Weekly News.
Given Debian’s reputation for professionality and security, I wonder how their own servers got broken into? Does anyone have any info on what kind of attack it was and which exploit it used?
Debian Weekly News? The latest one is of 18 November:
http://www.debian.org/News/weekly/2003/46/
See this original announcement btw (much better than eweek): http://cert.uni-stuttgart.de/files/fw/debian-security-20031121.txt
is of 21 November.
This was also posted at /.
http://slashdot.org/articles/03/11/21/1314238.shtml?tid=126&tid=172…
I read several comments there from people who claim a password was compromised. Probably more news about this soon, for example in DWN, issue 47.
Yes, and “wine” as we all know, is both the name of an opensource project, AND a drink! Why don’t we just use the name “OpenSource project” on all that apply, so we don’t confuse everyone else?
There’s a real difference between “hacker” and “cracker”. Applaud OSNews for using the correct term, instead of complaining.
Yoda,
You very successfully demonstrate your lack of knowledge about what a hacker is. The term cracker is used correctly in this article.
“Given Debian’s reputation for professionality and security, I wonder how their own servers got broken into?”
Because you are never secure. I’m sure they are very on top of things, but that won’t stop someone who wants to get in. And the harder something is to crack the more tempting the target for someone who wants to test their “skills”
Just being what they are won’t make them secure.
windows or linux, the weakest link is often the human behind the machines
Whomever came up with that ‘cracker’ idea was just adding to confusion. Hacking is a skill, someone who hacks is a hacker. Whether they are using that skill for good or evil.
“windows or linux, the weakest link is often the human behind the machines”
No operating system is 100% secure, whether it’s windows 95 or openbsd. Humans are the weakest link in a properly secured system, up to date with patches; at least, they are when there are not known (public or private) exploits against the software, and all network authentication is encrypted…
However, I would still argue that Linux is more secure than Windows, both historically and potentially, although some linux distributions (redhat 6….) were very insecure by default. (Then again… so is a typical off the shelf PC with Windows that’s not up to date on patches..)
It’s possible to lock linux down -really- tightly. With the SELinux kernel, gcc’s propolice patch, grsecurity…. You can do things with linux that you can’t with Windows, namely modify the kernel into something which actively tries to prevent attacks from working.
This does not take out the human weakness factor. However, arguably worms are what cause the greatest trouble; a worm that -requires- human intervention is much better than one that doesn’t.
It will still spread, but at a much slower pace than those which can use an exploit, generally, because they need to wait for people to actually run them; every infected system will have been infected for less time, and infecting other systems for less time.
Linux software is frequently compiled. Yes, this makes some people roll their eyes. Combine this with the differences it makes in stack alignment, etc, as well as the compiler and/or kernel requiring canary values (based on the old miner’s trick of bringing canaries with them, who would fall over dead at much smaller doses of fatal gas (which exploded when it came in contact with the miner’s torches), letting the miners often live by leaving the mine.) – canary values need to remain intact, so an exploit has a much lower chance of actually succeeding.
Can Windows be tightened? Sure… but not to the same degree.
When the weakest link actually is humans, as in this case, it’s a wonderful thing. Humans can be, sometimes, educated.
Far too many people are running very vulnerable software, whether it’s an old wuftpd or internet explorer 4.
I think there’s a difference between doing something that requires a lot of skill – turning out a short program that actually works – and breaking into a machine using a password that’s somehow been leaked.
If you’d had to sweettalk a hypothetical site maintainer’s teenage daughter and secretary into allowing you her daddy’s password – social engineering – that is a genuine “hack”. Getting into the machine after that is a mere crack.
Downloading a prewritten script that gives you rights to zombie-control a whole heap of machines with brain-dead security – that’s something a mere bot could do, and no skill is required.
Writing a Unix/Windows/BeOS/etc clone – now that’s hacking!!!
Back in the day cracking was considered circumventing copy protection and hacking to compromise a system. I’ll stick to that definition. Have a nice day.
“Whomever came up with that ‘cracker’ idea was just adding to confusion. Hacking is a skill, someone who hacks is a hacker. Whether they are using that skill for good or evil.”
Not quite right. Distinguishing between hacker and cracker is in order as a true hacker isn’t malevolent. Then again, since ‘good’ and ‘evil’ are not absolutes, but rather depends on your point of view, a hacker can be a cracker to someone and vice versa to someone else.
Whomever came up with philosophy added confusion, and quite frankly in that respect confusion is a Good Thing(TM).
while people are right that hacker did originally mean something different… it’s been used to describe someone who breaks into machines for a good while now… enough that it should well be considered an alternate meaning
and cracker has definitely been used as someone who breaks copy protection for quite a long time
cracker in terms of breaking systems is a name for a program.. such as “pass cracker”
Vary a lot. As with other words, some meanings overlap, and some words have more than one meaning.
I personally like the jargon file’s definitions of crack and hacker; the definition of cracker only mentions one meaning.
http://www.catb.org/jargon/html/C/cracker.html
http://www.catb.org/jargon/html/H/hacker.html
http://www.catb.org/jargon/html/C/crack.html
Re: Dave:
“hacker/cracker
By Dave (IP: —.dyn.gotadsl.co.uk) – Posted on 2003-11-22 09:47:54
Whomever came up with that ‘cracker’ idea was just adding to confusion. Hacking is a skill, someone who hacks is a hacker. Whether they are using that skill for good or evil.”
Hacking is not -one- skill. It’s got several meanings. One is to make furniture with an axe; I suspect this one isn’t strongly correlated with the others in terms of ability or experience.
Hacking is, to me, doing something truly new or cool or impressive with code. Someone who can write a c compiler and the libraries in a weekend is a hacker. Many linux kernel contributors are hackers. The guy writing SkyOS is a hacker.
The mainstream/non-techie version of the word ‘hacker’ is someone who breaks into computer systems. Some hackers in the above definition get offended by that. It is a valid use of the word; I just choose to avoid it when possible, because I prefer the above definition, and explain it to people. Language is defined by usage and words drift; I do not like the usage of ‘hacker’ to denote someone who breaks security, but I cannot fail to acknowledge it as -a- definition.
A cracker has a few possible meanings. One is those who can reverse engineer software; many just use this ability to break copy protection, but some make fascinating changes to the way a program works. Another, used almost exclusively by people who are at least marginally interested in computers, is that of someone who breaks into systems. A third is as a racial epithet, supposedly; this appears to be limited to the southern part of the USA; I have never come across it except in debates over which terminology to use for those who break into computers.
I’m boggled by the claim that “Hacking is a skill, someone who hacks is a hacker. Whether they are using that skill for good or evil.”
Writing good code is a skill which is very close to unrelated to breaking into computers. I’ve met script kiddies; most cannot code at all. I’ve met hackers; most have nothing but disdain for those who break into computers. The two groups have a -very- tiny overlap; you’re more likely to find correlations among hackers who like the color red than those who are crackers.
The only examples I can think of as hacking being used for evil is the writers of complex malicious code. Most malicious code is -not- written by hackers. You could, however, make the case that a polymorphic virus including an smtp server, etc, written in assembly language, is by a hacker; if the author then infects anyone with it, that’s being used for evil.
Hacking, in both definitions being debated here, encompasses skill sets with basically no overlap beyond “ability to move a mouse”. Wizard programmers have more in common with people who win photoshop contests than with your average cracker. Your average cracker has more in common with people who use IM a lot.
Ability can be used for good and evil. Hacking is not just one skill set. Common usage has been determined already; it is not the same as usage among some technical people.
What’s left to debate? Use the word you want; explain which meaning you’re using if it’s unclear.
Many other english words have multiple, even contradictory, meanings. I fail to see why this is such a big deal.
@ “skript kiddies” and the admin naivete
It’s this sort of myopic viewpoint that keeps people getting owned over and over again. True there are a lot of skript kiddies. Now that being a geek, or hacker, or cracker is cool, it’s just bound to get worse. Let’s face it, Debian stable or whatever their server runs is not, nor ever will be trusted solaris, SE linux, hardened gentoo, or openbsd. Debian fits a niche to be sure, but security is not of the utmost concern within their development model. Stability, and Reasonable, security is. The true paranoics still have stackguards, tripwire, nids, etc. Skript kiddies too should not be underestimated, as some have access to powerful allies in the underground, as well as a mean streak you wouldn’t believe. The more malicious and inexperienced they are, the more potential to cause widespread damage within minutes. A 17 yo also has time to burn and they have that youthful drive and perseverance I wish I still had at my “old” age. In the words of sun tzu, “know thy enemy ….”
@ the exploit
Some of these crackers are using simple canned exploits or crackers gleaned from the likes of packetstorm. But there exists a subset (perhaps chinese, industrial spies, and 31337 programmers) that are incredibly skilled, very well funded, and using zero days. Yep, zero days indeed exist and are traded as carefully as gold bullion. There also exist a good set of backdoors and tools that you will never read about for years, if ever. The underground that you see in the www hacking forums google tracks, are a small subset of what it’s really all about. Once u get into the world of trojans, rootkits, and virii, things go very deep into the underground. For good reason that the govt would like to throw some of them in a room, and throw away the room.
@ hacker vs cracker
The whole hacker vs cracker thing is infantile. Originally hacking referred to model railroading and woodworking. The term hacking or hardware hacking has been used historically to refer to elite feats of electronic prowess i.e. that possessed by the likes of Steve Wozniak. I hate to break it to you, that the field of electricity and electronics predates computers by eonz. Cracker was also used a lot to refer to the skills of some software pirates. I heard about software “cracking” long before security “cracking.” The anti security “hacker” threads were started as satire on tuxedo.org and other sites. It was misconstrued as being something more than a joke, yet still gets debated to this very day.
@ kernel ownage
The linux kernel was almost owned recently. The attack this time is more sophisticated, and far more subtle, than some of the previous attempts on backdooring open-source software. They were caught by md5sums or auditing or whatever. I have no doubt, that a good percentage, of packages and ports have already been owned. Some of these are just done for the hell of it. Little local root exploits that aren’t too damaging, but interesting nonetheless. Anyway patch, patch, and patch again.
@ wanna be 31337?
Learn to code perl and use tcp dump. Then u can sniff zero days too. Just ask H.D. More for tips.
curious bystander 🙂
Just cause someone plays with exploits on their own lan, codes, runs crackers, enjoys ethereal, sets up honeypots does NOT make them evil. Who the heck do u think gets hired on as a security consultant? An admin with zero security skill and experience running RHEL? Or an admin / security guru with years of experience defending systems, writing exploit code, and being able to recognize the signs of a rootkit or malicious network traffic?
Personally I’d hire an ex cop, someone with a gun, or even a merc if I needed serious physical security as opposed to some mall rent a cop who spent a career tracking down the theft of two big macs from the mall food court. The same applies to computers.
I never made the claim that a script kiddie was a hacker. If you write some code to make a clone OS or exploit a vulnerable system, you are a hacker. Regardless of the outcome of using that skill.
Well, reading the article in EWeek, two things are getting my attention:
A. It was most likely done not by the evil genius trying to destroy OpenSource, but by 15 year old kid with nothing better to do.
B. The fact that Debian Linux servers were hacked proves Linux is going mainstream.
————-
Well, that nice spin boils down to the following:
A. Even 15 years old can hack Linux server secured by people who supposedly know how to administer Linux and who know how to harden Linux and who actually write Linux.
So, how about other people, simple mortals, trying to run Linux servers? Are they all on the mercy of 15 year old bored kids?
B. So, are you telling that more Linux servers hacked is a good fact because it is more proof that Linux is mainstream?
Well, then congratulations: GNU hack unnoticed for months, Debian hack unnoticed for 24 hours, kernel code backdoor planting attempt. You proved your point: Linux IS mainstream.
Should we trust it? If people that supposedly deliver us inherently more secure OS can not make it secure for themselves- is this mainstream or bad Windows-like dream?
Honeymoon for Linux is over. Clean your house, guys, before it is too late. Stop embarrassing yourself with insecure systems you run that 15 years old can hack.
Buy ‘Hardening UNIX/Linux’ book, read it and harden your systems. Please?
no matter how secure you make a program, os, whatever.
you will never, ever, ever, ever stop a cracker from breaking a password, eventually it will be broken.
the only way to slow them down is to have frequent password changes, passwords based on random numbers and characters. How many people use their dog’s name as a password? about half the computer users I know.
best example of this is the people who run the distributed clients to crack encryption keys. It may takes years, but in the future it will take days or hours.
hackers exploit bugs, then usually insert their own program to create an easy to access backdoor around security. crackers simply break passwords. crackers have been around a lot longer than computers.
World War 2 crackers figured out messages from the japanese and german commanders. Now THOSE people were crackers (where brute forcing involved a type writer.)
Mitnick makes some very good points in his book. The best way to attack systems is to attack the employees or customers. Even have an employee call u asking for tech support, and getting a backdoor in the process. Home boxes and corp workstations are often poorly protected. So u attack joe’s son’s xp box with trojan, get into home LAN, get to nix development box, get passwords and jump onto corp VPN, etc. A lot simpler than trying to get some remote root exploit that’s patched the day before it goes public / mainstream. The human element is invariably the weakest link in the chain. Evidence the aol Merlin hacks which were done via a trojan posing as a screensaver using an obscure windows exe extension. Easy to pass off .scr or .pif as something they are not. And the current crop of mainstream trojans easily gets past AV and app level FW. You can even icmp or http tunnel around proxies if needed. AOL spends oodles on security, with Defender key, Kerberos, and RSA securID. Merlin was protected by firewall, Securid and two passwords as I recall. Yet a 14 year old still got past it using a literal “backdoor.”
“A. Even 15 years old can hack Linux server secured by people who supposedly know how to administer Linux and who know how to harden Linux and who actually write Linux.”
Knowing how to secure a system doesn’t correlate with a password attack (as claimed on /.). The same is true for the GNU hack, and it seems to me also the Linux kernel. There’s almost a pattern here.
“Should we trust it? If people that supposedly deliver us inherently more secure OS can not make it secure for themselves- is this mainstream or bad Windows-like dream?”
It has nothing to do with the Debian boxes being secure or not. Not from a software point of view. This could have happened on any OS. 100% secure doesn’t exist either.
At least they’re honest about it
“Honeymoon for Linux is over. Clean your house, guys, before it is too late. Stop embarrassing yourself with insecure systems you run that 15 years old can hack.”
If I give you my password of my secure box, you can hack mine. Or is it that you’d like to firewall ie. SSH out to a few static IP’s?
Sad to see such comments flying around…
Can you prove it’s due to flakey software or unpatched boxes, like you seem to claim?
http://www.debianplanet.org/node.php?id=1011
“I never made the claim that a script kiddie was a hacker. If you write some code to make a clone OS or exploit a vulnerable system, you are a hacker. Regardless of the outcome of using that skill.”
Most exploits are written by people who can barely code; they take at least the shellcode from other sources.
There is a near-infinite difference between being able to write a 100-line exploit and being able to clone an os. Writing an exploit does not make one a hacker, in -any- sense of the word.
Script kiddies, in modern parlance, are hackers. Not my choice; not my preferred usage.
Writing an exploit is barely more impressive in terms of ability than writing ‘hello world’.
“When the weakest link actually is humans, as in this case, it’s a wonderful thing. Humans can be, sometimes, educated.”
Yet human beings will always repeat the same kind of errors again and again.
“You can do things with linux that you can’t with Windows, namely modify the kernel into something which actively tries to prevent attacks from working…”
The end result is the same – GNU servers owned by hackers for 3 months before the fact was known, Debian project servers cracked and linux kernel was planted with a backdoor.
The reality just comes up short to cover the claims. Yeah, the possibility is there to tighten it down to the point of SeLinux, yet the crown jewelry of the linux world has been repeatedly in the hand of bad guys. Doesn’t that suggest that it is too difficult to actually reach the proclaimed possibility even by the expert and such that the “possibility” is practically meaningless ?
If you want to break a wall, there must be a wall for you to break. No matter how strong or thick that wall is, as long as there is such a wall, there must be a way to break it. This applies to firewall as well. So how do you prevent cracker/hacker? How do you not having your wall broken? If there is no wall, then you cannot break it cuz there is none.
🙂
So…if it indeed was a leaked password, then what? Does that imply that someone tricked somebody else into giving it out, or maybe saw it somewhere, or some such? If so, then not even Windows 2003 is secure, and all this crap from the likes of Microsoft about which OS is more secure is total foolishness and pointless.
And if someone decided to make a public issue of Linux’s “insecurity” by “sweet-talking someone’s teenage daughter or secretary into revealing a password,” or some other form of betrayal was engaged in, then who put up the incentive or the money?
I think it’s time for Microsoft, Linux distros, Sun, Apple, and all the rest, to put aside this “I’m more secure than you” bullshit, and address the underlying problem, which is:
IT IS WRONG TO BREAK INTO SOMEONE ELSE’S PROPERTY AND DAMAGE IT, AND IF YOU DO, YOU DESERVE TO BE PUNISHED.
I guess we should stop calling people who break into safes Safe Crackers, heck, lets just stop calling unleavened crispy grain snacks crackers for the sake of not offending the ignorant.
…representatives of the Debian Linux distribution said the open-source code behind it remains untouched.
Of course they would say that.. sounds like PR/spin/damage control to me.
Thank you for this wonderful analysis!!!!11
Now why is it logical? It’s logical to say the truth? I agree!
The summary you quoted is an oversimplification so whopping as to verge on misrepresentation.
To be fair, its original author probably assumed that the reader would then go on to read the rest of the article, but obviously you did not.
The announcement itself contains a bulleted list of which machines were compromised, together with the services provided by each one.
Once u get into the world of trojans, rootkits, and virii, things go very deep into the underground.
Your comment reads like a bad hollywood flick. Coupled with the mention of elusive 0days and the air of elitism you exude while simultaneously using ‘u’, you really succeed in coming across as someone who really thinks they are something special. I’d invite you to get a grip on reality and stop bolstering your ego.
Announcements are up on http://www.debian.org
Also, Wichert Akkerman wrote some documents about the compromise and how to evade it.
It’s actually useful for other purposes too, i.e. how do I secure my box
http://www.wiggy.net/debian/
Russian Guy:
A. Even 15 years old can hack Linux server secured by people who supposedly know how to administer Linux and who know how to harden Linux and who actually write Linux.
Teen-agers are getting into mischief with computers? Stop the presses!
So, how about other people, simple mortals, trying to run Linux servers? Are they all on the mercy of 15 year old bored kids?
Not quite. Anyone with a computer that is in working order is at the mercy of “15 year old bored kids”. If this is news to you, you should reconsider your attempt to convince others that you know what you’re talking about.
B. So, are you telling that more Linux servers hacked is a good fact because it is more proof that Linux is mainstream?
As Linux gains popularity, more attempts will be made to hack it. Whether that’s “good” or not is entirely subjective and/or besides the point.
Well, then congratulations: GNU hack unnoticed for months, Debian hack unnoticed for 24 hours, kernel code backdoor planting attempt. You proved your point: Linux IS mainstream.
Nice straw man. One fact you fail to mention is that the open-source development model is working EXACTLY AS IT SHOULD. Instead of clamping its hands over its eyes and shouting “icanthearyouicanthearyouicanthearyou”, OSS takes inclemencies into consideration both in theory -and- in practice.
Sure, individual failures are unfortunate, but unlike in CSS, the net result of attacks on OSS is a more robust system for everyone. OSS advocates pack a parachute — CSS advocates weld a “Do not crash this plane” sign to the instrument panel. Which do you think does its job more effectively?
Better luck next time,
GG