[ISN] Debian: Attack Didn't Harm Source Code

From: InfoSec News (isn@private)
Date: Sun Nov 23 2003 - 23:32:27 PST


    http://www.eweek.com/article2/0,4149,1394538,00.asp
    
    By Steven J. Vaughan-Nichols 
    November 21, 2003 
    
    Despite a cracker incursion into Debian Project servers this week,
    representatives of the Debian Linux distribution said the open-source
    code behind it remains untouched.
    
    Ian Murdock, chairman of Progeny Linux Systems Inc. and founder of
    Debian, told eWEEK.com, "Fortunately, open-source developers tend to
    be very good at keeping cryptographic signatures on files and multiple
    backups to make sure that everything stays all right."
    
    For Debian, Murdock said, the attack "is more a matter of
    inconvenience, since the organization was about to release the latest
    version of Debian this Friday."
    
    This is not the first time an open-source site has been attacked by
    crackers. In March of this year, the Free Software Foundation Inc.'s
    GNU Project ftp servers were attacked. This assault, which caused no
    damage to the code, was only discovered months afterwards.
    
    In the Debian case, though, the break-in was discovered within 24
    hours. The cracker had gained access to four machines: "master," the
    bug-tracking system; "murphy," the mailing-list manager; "gluck," the
    Web server and Concurrent Versions System (CVS) system; and "klecker,"
    which houses security, quality assurance and search-engine code.
    Martin Schulze, a Debian spokesman, reported that the Debian source
    code archives themselves were "not affected by this compromise."
    
    "This kind of attack is inevitable in open source," Murdock said.
    "We've increased security. At the beginning of Debian, becoming a
    developer was as easy as sending me an e-mail, but these days there
    are checks and balances in place to make sure that only real
    developers get in and that the code stays clean."
    
    Some posters at popular Linux news and discussion site Slashdot joked
    that either The SCO Group Inc. was trying to break in and "steal the
    source to prove once and for all that Linux has stolen their patents"
    or "are trying to break in to insert patented code into Linux code, so
    they'd have a leg to stand on in the court." However, Murdock said,
    "The sad thing about the break-in is that it was probably done by an
    archetypical 15-year-old in a basement with nothing better to do. If
    that same kid channeled his energy and skills in a creative rather
    than destructive way, he could achieve real recognition as an
    open-source programmer."
    
    Dan Kusnetzky, IDC vice president for system software research, told
    eWEEK.com, "In one sense, people could take this as a backhanded
    compliment: Someone felt that [breaking into Debian's servers] was
    hard enough to do to be worth doing. This is one more line of evidence
    that Linux is coming into the mainstream." And, at the same time, "The
    fact that it was caught and dealt with showed the strength of the
    open-source software community."
    
    -
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Mon Nov 24 2003 - 09:02:39 PST