Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
Insecure? Linux Maker Suffers Electronic Attack
 

Last week, an attacker compromised several key servers belonging to Linux distribution maker the Debian Project, an event that seems to mirror the problems Microsoft had two years ago when attackers compromised its network. The Debian incursion, however, was more dramatic: The project's bug-tracking, mailing-list, Web, and security-component servers were compromised. But in the aftermath of the attack, Debian officials said the code for its Linux distribution was unchanged.

"Fortunately, open-source developers tend to be very good at keeping cryptographic signatures on files and multiple backups to make sure that everything stays all right," Debian cofounder Ian Murdock told eWEEK. Murdock claims that the attacker was really just interested in Debian's most recent Linux release, which is due this week. Arguably, the same might be said of the people who tried to attack Microsoft's network: Allegedly, those attackers were after the Windows source code, although Microsoft denies that they ever got that far.

Attacks on Microsoft servers tend to get a lot of press, but last week's attack on Debian isn't the first time this year that someone has attacked an open-source stalwart's infrastructure. An intruder attacked Richard Stallman's Free Software Foundation (FSF) in March, although the attack wasn't discovered until months later. This time, at least, Debian noticed the attack quickly.

Most interesting to me, given the current security climate, is a comment Murdock made about this kind of attack and the safety of open-source software (OSS). "This kind of attack is inevitable in open source," he noted. "The sad thing about the break-in is that it was probably done by an archetypical 15-year-old in a basement with nothing better to do." Debian Stable Release Manager Joey Schulze echoed this opinion. "You cannot eliminate all problems, unfortunately," he said. "Every GNU/Linux distribution is vulnerable, [and] even OpenBSD faces vulnerabilities, however [it's] quite seldom." And astonishingly, an IDC analyst actually called the break-in a "compliment," a platitude I'm pretty sure no one used during the Microsoft attack. "Someone felt that [breaking into Debian's servers] was hard enough to do to be worth doing," he said, apparently with no sense of irony or hypocrisy. "This is one more line of evidence that Linux is coming into the mainstream. The fact that it was caught and dealt with showed the strength of the [OSS] community." Does this double standard confuse and infuriate anyone else?
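The article credits cryptographic signatures on files and off-host backups with proving, after the intrusion, that the distribution's code was unchanged. The audit below shows what that check looks like in practice. It is an added example written for this page, not code from the article or from the Debian Project: a release tree is hashed into a manifest, the manifest is authenticated with a key that never sits on the release host, and an audit run after a suspected compromise reports modified, missing and unexpected files and refuses a manifest that was edited on the host. It uses only the Python standard library; the HMAC tag stands in for the detached public-key signature a real release uses (an assumption made to keep the example dependency-free), and the file names, contents and key are all constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed sample release tree (relative path -> bytes). These are not
# real Debian files; they only give the audit something to hash.
SAMPLE_TREE = {
    "bin/dpkg": b"#!/bin/sh\necho dpkg\n",
    "lib/libc.so.6": b"\x7fELF constructed placeholder\n",
    "doc/README": b"Constructed sample release\n",
}

# Hypothetical key that would be kept OFF the release host (for example on
# the release manager's workstation). It stands in for the private half of a
# real detached signature so that this example needs only the stdlib.
OFFLINE_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest over its canonical JSON form."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_tree(root: Path, manifest: dict, tag: str, key: bytes) -> dict:
    """Audit the live tree against the manifest.

    The manifest copy on the host is trusted only if its tag still verifies:
    someone who rewrites file hashes in that copy cannot recompute the tag
    without the offline key, so the audit rejects the manifest outright.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    return {
        "manifest_ok": True,
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def write_tree(root: Path, files: dict) -> None:
    """Materialise the constructed tree on disk."""
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict:
    """Sign a clean tree, alter it, and run the audit against both states."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, SAMPLE_TREE)
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, OFFLINE_KEY)   # computed before release
        clean = verify_tree(root, manifest, tag, OFFLINE_KEY)

        # Alter the tree in the three ways an audit must be able to catch:
        # a changed binary, a deleted file and an extra file.
        (root / "bin/dpkg").write_bytes(b"#!/bin/sh\necho dpkg; echo changed\n")
        (root / "doc/README").unlink()
        (root / "lib/extra.so").write_bytes(b"constructed extra file\n")
        tampered = verify_tree(root, manifest, tag, OFFLINE_KEY)

        # Editing the on-host manifest to match the changed binary does not
        # help: the tag no longer verifies, so the manifest is rejected.
        forged = {**manifest, "bin/dpkg": sha256_file(root / "bin/dpkg")}
        rejected = verify_tree(root, forged, tag, OFFLINE_KEY)
    return {"clean": clean, "tampered": tampered, "forged_manifest": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is where the key lives: the audit is only as trustworthy as the manifest, and the manifest is only trustworthy if the thing that authenticates it was never on the compromised host. A real release would replace the HMAC with a detached signature verified against a public key, which has the same property and additionally lets anyone downstream run the check.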







Reader Comments

Nope, no one infuriated here. Quite funny, actually. BTW, love the Google ads at the bottom of the page for Linux servers. I highly recommend grabbing one to replace your *truly* insecure Windows server.

Jeremy Spokane -November 24, 2003

Let's put aside the double-standard aspect for a second and examine the response from a historical perspective: -"This kind of attack is inevitable in open source" -"You cannot eliminate all problems" -"Someone felt that [breaking into Debian's servers] was hard enough to do to be worth doing" These three quotes run counter to the conventional wisdom of Linux we've been led to believe since Torvalds and open source became the darlings of the pre-dot-com-bomb Internet! -Since at least 1997, Linux advocates have publicly claimed that the more egalitarian ethic of Linux users prevents any attacks on open source servers, but now those same people are telling us that "[e]very GNU/Linux distribution is vulnerable"? -Many a Linux fanatic will tell you that running Linux means your networks will be impervious to a virus or hacker because you can limit user resources and everything is locked down in Linux by default. Now those same fanatics are shrugging and mumbling: "You cannot eliminate all problems"? -The Linux elitists I've encountered since I began observing the tech industry have always scoffed at the notion that Windows is a target because of its popularity, but now those same elitists are claiming an attack on the Debian source code servers is "one more line of evidence that Linux is coming into the mainstream"? I know Torvalds, Stallman, and Raymond are the quirky and lovable leaders of "The Revolution" and can sell magazines (NOTE: Isn't it odd that a Linux user will buy an overpriced magazine full of ads with only four pages of Linux love but refuse to pay fifty bucks for an OEM copy of an operating system that is inarguably much more useful), but when are we going to see an exposé about the hypocrisy of Linux on the cover of "Time" and "Wired"? You know who else sells magazines? You guessed it: FRANK STALLONE!

Scott McCollum -November 24, 2003

What double standard? Debian is put together by volunteers and is one of the 200 or so Linux distributions. A couple of servers hacked and quickly detected doesn't compare to the millions of MS servers / PCs compromised by worms, trojans and viruses (some affecting Microsoft Central itself). Old Quote: "Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get." Try to keep the incident in perspective. Regards rob

monkymind -November 24, 2003

You're a $%^#ing idiot. Any OS can and will be cracked, however instances of this happening are far less frequent in Linux than in Microsoft Windows. The Debian development team should be applauded for being so open about the whole incident when other organisations (though surely not the great and powerful Microsoft right?) would have covered it up. This article was so childish and petty it was almost comical. Editor's note: Your posting, in contrast, was mature and well-balanced. I bow to your well-constructed arguments. --Paul

... -November 24, 2003

Wasn't this basically a case of someone's username/password being abused rather than an actual security hole in Debian? Personally I'm not infuriated by the double standard here because I just don't see it. You don't have to hack into the Debian servers in order to get access to the source code.

Mark Mruss -November 24, 2003

Considering that this was a straight-up password compromise, why is this a double standard? Compromises of Microsoft's systems have typically been due to misconfigured or unpatched systems, not a hard thing given the typically poor default configuration or maze of patches required to secure Microsoft's software. When this occurs in mainstream open source, it typically requires a heck of a lot more technical expertise. I'm more infuriated by Windows apologists such as yourself who seem to think the status quo that Microsoft provides is good enough. It's not. If nothing else you should thank your stars that Linux provides some competition to force MS to improve their offerings. I compare it to AMD vs Intel. You wouldn't see the low prices that Intel now offers if AMD wasn't a credible threat keeping them on their toes. Likewise, Microsoft has no incentive to improve if they don't have someone offering their customers a credible alternative (and in the server space this is true, no comment on the desktop). Competition is good, and I wish MS apologists would wise up to that fact.

John James -November 24, 2003

nope. ..in fact your argument is meaningless in this context. hacking into Microsoft may expose carefully guarded secrets, but hacking into Debian will only reveal what is already known in CVS.

name -November 24, 2003

i see

mike -November 24, 2003

Yes, I'm outraged, and the obvious bias demonstrated in this article, is that not also a double standard? As a journalist it is your responsibility to provide balanced and "unbiased" coverage of any story, regardless of your or your site's affiliation or target audience. You seem to purposely fail to highlight the key difference between these incidents. One, Microsoft provides closed source, therefore their break-in also presented the possibility that a hacker would have leaked the Windows source to the world, an obvious disaster for Microsoft. Also, because Windows code is secret, if code was compromised no Microsoft customer would have the tools or ability to realize the code had been compromised, therefore the chance of discovery is much lower. On the flip side, Linux is open source; there was no trade secret to steal, no damage done if the code was leaked to the net. The only concern was the hacker inserting compromising code into the source, but again the situation is entirely different, since all files in the distributions have a generated crypto key the added lines would never have gotten very far without someone noticing the crypto keys didn't match. The file check-in system of the FSF is a perfect example of how the crypto keys saved the day, because it was those keys that allowed their system to automatically detect an unauthorized change had occurred in the code. And the most striking difference: the Linux teams were up front about their security problem, they announced it, they warned their users. If I remember correctly, the fact that Microsoft was compromised was leaked in the first place; they tried to hide it, this causes suspicion and makes a much juicier story.

Keith -November 24, 2003

The difference is that Debian's servers are managed by volunteers that don't have billions of dollars to throw at the security. Even so, they have had far fewer break-ins than Microsoft. So tell me again, why are you paying all that licensing money to Microsoft?

John Robertson -November 24, 2003

I feel sorry for you. -IDC is not affiliated with Debian or GNU/Linux. -Debian's GNU/Linux source is not secret. And is mirrored on many servers. So, it cannot be compromised. As opposed to Windows source, which in case it leaks, the whole Windows world, including your website (and your life), would be compromised.

Super Para -November 24, 2003

what double standards? IE still has exploits from two years ago that aren't fixed.

joe -November 24, 2003

What double standard? If there are security problems, the open-source community promptly discloses it; Microsoft's policy is to "keep quiet", make a patch, then disclose the security problem(s). This makes a huge difference; if it is publicly disclosed (as in open source) a prompt fix is required. If it is "kept secret" or "kept quiet" (as in Microsoft's case) a fix isn't immediately required; crackers can exploit the holes as they find the security problems. The Debian security problem was not in the software (the software wasn't changed).

Nhan Le -November 24, 2003

Some other things to consider. You say that this break-in is more dramatic, but I don't remember two years ago what servers were compromised at Microsoft. I don't think they ever released that information, did they? You are also comparing a non-commercial (all volunteer) group to a very commercial group. The Debian project is run by volunteers, while Microsoft's servers are guarded by well-paid sentries (server admins). I don't see the double standard. You compare what some people say to what other people say. I personally don't speak for the entire GNU/Linux community, but I certainly believe all systems are vulnerable. Nothing is perfect. At the same time though, GNU/Linux allows more control over system services, therefore it has to be more secure. I say this because I can elect to shut down all services on my GNU/Linux box, while I can't find any documentation of what services are required in Windows, let alone how to shut the unnecessary services down. I don't see a double standard, I see contradictory views between different people.

Brian C -November 24, 2003

"Is anyone else infuriated by the double-standard here?" What? Your "double-standard"? Bill Gates offers bounties to help catch people exploiting his products whilst ignoring the fact that one of the chief culprits is his company (and himself as chief architect, or whatever his job title is) - they didn't read the aging literature on writing unexploitable e-mail clients or seemingly do any of the other necessary homework. Yes, I'd like to take several thousand dollars of Bill Gates' money to nominate him as one of the people responsible for the assorted viruses and trojans doing the rounds! Microsoft's culture, at least publicly, is to cover stuff up whenever possible and to deny that there's a problem. With this recent Debian incident, you get to see how the adults deal with such issues.

The Badger -November 24, 2003

Get over it.

Get Overit -November 24, 2003

I'm not infuriated by it. I cannot speak for the people quoted, but the complaint against MS and many other proprietary software vendors is that their security is obfuscated and non-transparent. Rather than hiding security problems, they are dealt with proactively in a transparent way within the open source community. This leads to security holes being filled much quicker, and better security over time. No system is ever 100% secure, and I don't think any big OSS players ever said there was such a thing as a totally secure operating system.

adam kramer -November 24, 2003

No double standards here. Linux quickly and clearly admits to their faults. They attempt to pass the blame on the folks that made the problem known as Microsoft does. As a side note, in the Debian IRC chatrooms, it was said that the administrator password was compromised. I believe the same was true for the GNU server that was broken into. So if true, the software is good, but the administrators suck! Which dispels the myth about the higher-quality Linux administrator.

Jose -November 24, 2003

I know I am infuriated by the double standards... Microsoft is CONSTANTLY claiming things like "trusted computing" initiatives, or "revamping security" and yet there is continually attack after attack after attack on Micro$oft products. The damages from these attacks are astronomical, entire networks having to be taken offline, millions of emails being spread and wasting bandwidth, home systems being attacked or used to attack other systems. If Micro$oft ever shuts up and actually DOES something to start becoming more trustworthy, I may listen. Until then, I give them as much credibility as SCO...

Brent Michalski -November 24, 2003

Double-standard is a two edged sword. You can not compare Microsoft to Debian. If you want to open the can of worms, go right ahead. Open source and Microsoft can not be placed in the same context. Proprietary initiatives will inherit security issues that just don't match open source distribution. Your myopia is non-productive at best.

Robert Brown -November 24, 2003

I was severely inconvenienced over the weekend by not being able to access the Debian security website. However, I didn't lose millions of dollars in revenue, as would happen to an attacked e-commerce site running either Windows or Linux on its servers. In short, a crime is a crime, whether the target is running Windows or Linux. There is no double standard. I've been ragging on the Linux community for years to stop gloating about their supposed lesser vulnerability to attacks. Ed Borasky http://www.borasky-research.net/

Ed Borasky -November 24, 2003

What double standard? When Debian servers are compromised, you learn it from Debian as soon as they learn about it. When was the last time Microsoft freely volunteered that kind of information? You ALWAYS learn it from third-party sources.

jlb -November 24, 2003

I suppose I should expect no better from a publication called "winnetmag.com", but no, I'm not infuriated by any perceived "double standard", and in fact I don't see one here. When MS is hacked, we only find out when they're embarrassed or otherwise forced into admitting it. When this happens we have no way of knowing what code was accessed or modified other than MS's glib assurance that everything's OK. When Debian is hacked, they announce it immediately with details, we have electronic signatures to confirm that packages we have are what their maintainers say they are, and they have multiple ways of confirming what has and has not been compromised (in this case, not much). In other words the Debian team can take a pat on the back for the way they handle these things, whereas MS, despite their immensely greater resources and centralised control, frankly can't. I'm terribly sorry if this reality check gets in the way of your pathetic little troll, but surely you OS zealots don't really need a whole magazine for your obsessive nerd hobby...

Sam Reid -November 24, 2003

Infuriated? H@ll yes! This is so typical of the linvocates - anything that happens to them is just cool and no big deal, anything that happens to Microsoft is all bad all the time no matter how insignificant the actual event or any truth behind it. It shows the IMmaturity of Linux and its supporters - pretending nothing is wrong when Linux security is broken daily by "archetypical 15 year olds in a basement with nothing better to do." Imagine if the guys creating Windows worms turned their attention to little Linux with all its holes laid open before them.... Oh, how I await that day...

Drestin -November 24, 2003

Please note what compromised actually means: there was evidence that somebody had had unauthorised access to the machines. They did *not* bring the servers down, Debian took them down in order to secure them and check the integrity of all files. This type of attack is quite common -- but most companies would just sweep it under the carpet rather than making public announcements and going to lots of trouble to ensure the integrity of their servers. Developers were notified of this problem within 40 minutes - a public announcement was made within 12 hours. This is an incredibly fast reaction -- the Debian admins deserve much credit for their actions.

Mark Howard -November 25, 2003

It's not a security hole, it's a feature!

Me -November 25, 2003

Well, no, I am not infuriated. Microsoft and Free Software community attitudes toward security have always been very different. Microsoft usually sees security breaches as problems that can compromise their marketing strategy. We see security breaches as ineluctable facts. There is no such thing as a completely secure system and the best you can do is to tell everybody the truth and have them apply the latest security fixes and know how to protect their systems, before and *after* the crack. So they already have different (double) standards. As it is right to judge them according to their standards, and no, I am not infuriated. ;) (To be completely honest, note that I am a Debian developer, so I am quite partial even if I try not to be.)

Federico Di Gregorio -November 25, 2003

Trying to compare a security issue with Microsoft's usual security issues and pretending this is worse is not right. You can for example compare the thousands of users and admins who have to patch their Windows systems every week for serious security updates constantly to let their system remain stable for another day, examples, Nimda, Blaster, etc... (go check the Windows Update site). I am a Windows and Linux admin and believe me having to maintain Windows is a complete pain in the ars.. while Linux IS NOT, surely it has security issues alright like every software in the world has, if you pretend it to be perfect it is to admit Linux is much greater than Windows, it is because it already is... but you have to be more severe with statistics and realize Windows can not yet be compared to Linux in security, and stability and taking advantage of the hardware. And you still wonder why I say all this and why Windows security announcements are much more criticized... well... Linux is free, made by people not for profit and in their free time, you pay for Windows license and support... Windows should be much better and stable than Linux.

Daniel Ferradal -November 25, 2003

suaveness from your mouth... the open-source "way" is the only chance for progress, of course the "corporate" software has its part from "CS".

konstantin -November 25, 2003

What double standard are you talking about? Windows and Linux are two very different operating systems with completely different methods of delivery and maintenance. A hack upon a Linux server was inevitable. Only a fool would believe that any computer system is beyond being breached. The difference here is that the user (potentially) could fix the problem him- or herself without waiting for Microsoft. If my roof is leaking, I don't want to have to wait for the guy who built my house to fix it. The user can also share this problem with the Linux community for assistance, resulting in much quicker and more complete bug fixes. And, if I'm correct, I do believe that Microsoft has had far more security issues than Linux has had or will have.

Michael White -November 25, 2003

"Fortunately, open-source developers " Where on earth did you get this comment? The Debian project has NOTHING to do with 'Open Source' as far as development goes. The Debian project is concerned with Free Software (http://www.gnu.org/philosophy/free-sw.html). Although the open source movement shares many things in common with the Free Software movement and I'm sure that many truly open source programs are included in this distribution, I must stress that it should read 'Free Software and Open Source'. Oh, and don't call us hackers criminals please. The people who break security are called crackers nowadays. The word 'hacker' was MIT slang for a clever person who liked to solve problems while making people laugh. To be honest, a hacker need not touch a computer or know anything about them. If you're interested you can learn more here (knowing about it will avoid confusion in the future): http://www.stallman.org/articles/on-hacking.html

Duncan Large -November 25, 2003

First: "This kind of attack is inevitable" is probably true as any high-profile site will make an attractive target. But withstanding the attack is what counts. MS-based sites don't seem to do well at this. Especially when their admins don't know how vulnerable they are until AFTER someone forces their vendor to admit it & get around to providing a patch. Second: The attack & successful penetration of MS's own site also got access to their certificate servers. The inherited trust nature means that all machines who ever answered "yes" when prompted "always trust stuff from Bill" became potentially wide open. I would say that's serious. Thirdly: Someone suggested that if Bill ordered his techies to find holes in OSS then they would bring it all down. This is a company that has been found untrustworthy by courts, former partners and their own government. Do you really think they aren't already trying? Lastly: Security is something between 0% and 100% but not inclusive. Nothing is 100%. Nobody ever said Linux was. But Linux has proven to be better than even Microsoft's own configuration of their 'crown jewels' site. What hope do normal Windows admins have when they aren't allowed to look inside their own systems for weaknesses? - Not that they "own" their systems, that is.

Phill Rogers - MCSE -November 25, 2003

I'm not into Linux...yet, but it could happen. But Paul's bitter attitude towards Linux gives me pause for thought. Paul, I like Windows and use it. But there's room for more than Windows, particularly when one has to buy so much software to keep everything together and working properly. SystemWorks is pretty much standard equipment to fix broken links and of course there's anti-virus upgrades and updates. On 4 PCs it gets expensive. Software is beginning to cost more than hardware under the Windows realm. Is it any wonder that folks are considering Linux as a cheaper alternative for some applications? Paul, you ought to deal with your bitter attitude before it robs you of your health. You're taking this Linux thing far too personally. Just a word for the wise. Editor's note: Yikes. I don't have a "bitter attitude" toward Linux at all. Heck, I love Linux. But as with the Mac, the one thing I don't really respect is the Linux community, which is largely engaged in a campaign to smear Windows and Microsoft, whether it's deserved or not. Linux is a great, and quickly improving operating system. But like Mac OS X (and yes, XP), it's not perfect, or applicable to all users. It will get there. --Paul

Rich -November 25, 2003

Why is it okay for Microsoft to downplay a break-in, but not for a Linux vendor to do the same? In both cases, the vendor has something to gain by putting a positive spin on a negative event. It is in fact a compliment to both Linux and Microsoft that there are break-ins on their OS's. Both are big targets, and so are feathers in the caps of the miscreants with no lives and no girlfriends (or boyfriends for that matter). Both are working hard to harden their OS's and lock them down, meaning that they are even more of a challenge for these same people. To be quite honest, Stallman's focus is on the sharing of intellectual property rather than the locking down of it, so it isn't all that surprising that a break-in would have gone unnoticed for a while. It is, after all, a philosophical thing. Given these differences, I fail to see where the double standard lies. Is it perhaps in the small minds of the OS zealots on all (there are more than 2) sides of the fence that feel compelled to staunchly defend their OS against all attacks, be they real (or as in this case) imagined? Let's not forget that all of the players have their parts. The Microsoft faithful would rightly point out that without Microsoft, there most likely wouldn't be computers in so many homes and businesses today. It was DOS, after all, that was the OS on those personal computers. Without Apple's influence, we would still be married to the command line. Without the Open Source Community we would be without many things we have come to rely on like Usenet, E-mail, and the forum we are now using, the World Wide Web. I am an Information Technology Professional, so I don't have the luxury of choosing a side in this fray. I have real people to support with real business needs. I have to find the right tool for the right job. Perhaps posting abrasive comments is a similar tool for IT Journalists....

Bill Goveia -November 25, 2003

There is no such thing as a totally secure system. Unless it is powered off. Hopefully developers learned from the process used to hack their systems and are able to prevent it in the future, helping everyone that runs that OS. The double standard referred to here is with a misunderstanding. That being, if the hacker would have notified Debian developers prior to hacking the system, it would have been patched. To get Microsoft to recognise a problem, their systems have to be hacked. Example being the remote exploit found by eEye a few years back. Microsoft was notified of the issue, without response. To get Microsoft to fix the issue, they had to release the exploit on the internet.

James Zawacki -November 25, 2003

What are you people religious zealots? People could break into Linux because they can see the source so they can see how to get in. In contrast, people can break into MS Servers, not because they can see source, but because it's so poorly written. Double standard my butt. You're wearing blinders.

Fred -November 25, 2003

Not really, I mean the OSS is a pathologically optimistic animal. And why shouldn't they be? Regardless of any holes the system might have, it's still free, and they have many skilled and willing people to plug the hole with that outcome in mind rather than their next paycheck. Not sure why this would infuriate anyone... they're not trying to claim or sell anything, it's Debian!!!

Malik Jayawardena -November 25, 2003

I'd much rather hear about the break-in of the Diebold ATM machines which are run by Windows XP Embedded. What's 'left' in your wallet????????

rob -November 25, 2003

This is just the tip of the iceberg! There have been huge and countless attacks on the inherently insecure stolen code Linux from the get go. The only problem? The mainstream liberal anti_Microsoft media simply refuse to report these massive Linux security holes and breaches, while at the same time blowing the slightest security incident involving Windows out of all proportion. Let's face it, the FUD department of the open sore movement is worse than anything George Orwell could have dreamed of in his book 1984. The open sore movement is certainly more expert at disinformation than the propaganda and disinformation departments of Nazi Germany's Goebbels propaganda machine and Stalinist Russia's KGB combined! Open sore movement outta be ashamed of themselves.

Smithy -November 25, 2003

Pathetic Linux troll: "They did *not* bring the servers down, Debian took them down in order to secure them and check the integrity of all files." When did a security attack have to include "bringing down" a server? A security breach is a security breach. It can be for all kinds of reasons, especially stealing data. You Linux fanatics are worse than Al Qaeda. Only thing is, you are a great source of amusement to anyone who is unlucky enough to come across your strident, fanatic, feverish, religious rantings. Editor's note: That's hilarious. If humans had to bring servers down because of an attack, isn't that really the same thing as an attack bringing down the servers? No? --Paul

Smithy -November 26, 2003

I'm still amazed after all of these years that people ignore the most basic fact: Microsoft is used on 95% of the PCs in the world and is therefore an easy target. Of course there are security holes, but all of the hacking will make a more secure OS in the long run. If Linux ever gets half as popular as Windows, the security leaks and holes will be flushed out by more use and more hacking. Same path that Windows has gone down. Plain and simple truth. I applaud Debian for being honest and open very early on. In the case of Microsoft, they have a much wider and more diverse audience that must be addressed very carefully. If Microsoft were to release information right away, before getting the details together and having a fix in the works, what would happen if it turned out not to be a real security breach? Think of the anger and panic it could cause. I applaud Microsoft for being more diligent, especially lately with Trustworthy Computing. They, as a behemoth, are working on changing. I have been managing and developing software in IT for 10 years, administering Solaris, AIX, HP-UX, DG-UX, SCO and Linux for all of that time. I also work very closely with Microsoft and Windows products. I work both sides of the fence because it is a reality in business these days. They both have their place and they both have flaws and security issues because they are software, written by people.

Bill -November 26, 2003

Double standard?
1. Anyone who works with security knows that there is no such thing as 100% safe.
2. Everybody knows Linux has security flaws, although they are less frequent and a lot harder to find.
3. Debian GNU/Linux is an open source distribution. So, everybody gets to see the source code, even when it's released. Even if they did change the code, it wouldn't make a difference, all you had to do is download the new version and make new packages out of those.
I don't see any standards. The difference is that for Debian, it makes no difference if you break the system or not. Debian isn't a company which depends on its server, it's more than that. It's a network of users. You can break the server, but you would need a LOT more effort to break the network which keeps the whole thing alive.

Fabio -November 26, 2003

"Someone felt that [breaking into Debian's servers] was hard enough to do to be worth doing," - I think that is a joke. I guess you missed it as well as the jokes about SCO trying to insert their patented code into Debian. As for a double standard, I think they only exist in your head Mr. Thurrott. A security problem is a security problem no matter what others *make* you think. The difference between something like Debian and Windows is that one is open source and the other one isn't. Both will have holes in them *but* the holes in Windows tend to be obfuscated (i.e. no source code). This means that it takes longer for Windows bugs to surface which in turn means that Windows probably has more exploitable holes than the base Debian system. You should also realize that most of the exploits in Debian/Linux are local exploits. Most of the patches I have seen from Microsoft only seem to deal with remote exploits. To deal with local and remote exploits, systems have to be hardened. Look at something like www.grsecurity.net or PaX. But above all, *ALL* software has holes in it. Do you happen to read the licenses of software you install? *ALL* of them have something that states that the software comes with NO WARRANTY. Microsoft's, IBM's, GNU's or otherwise. Oh, and if you have just awakened to the real world where all software has bugs, you should look at http://www.debian.org/security/ for some patches that were issued to some software in Debian. So please don't believe in propaganda spread by either Microsoft or "Linux advocates". ALL software is buggy. For what it is worth, I would never run an MS server in production - the risks for me are too great. Linux with some extra security patches is a much cleaner server environment. - Adam PS. It is Martin Schulze not Joey Schulze who is the Debian Release Manager. Joey is his IRC alias.

Adam -November 26, 2003

Sure, it's a double standard. However, it's natural for people to go easy on the underdog fighting the 1600 lb. gorilla that engages in deceitful, monopolistic business practices. The impression I've gotten is that this was a social engineering attack, which would mean that It's Not The Software, unlike the Microsoft break-in, which used a flaw in the software.

Ron -November 27, 2003

Infuriate? What infuriates me is the absolute blindness of this web site. There is never a compliment to Linux or UNIX in general on this site. The author is a pure lemming who believes Microsoft is the end-all, be-all of computing. Microsoft makes bloated software that is impossible to troubleshoot and offers only marginal benefits to anyone.

Mike Cox -November 27, 2003

Nice try :). The architecture of the Debian project itself shows just how secure the use of Open Source software can be. Imagine if the Windows operating system and thousands of other pieces of software were developed and put together collaboratively over the Internet. Would anyone hazard a guess as to whether this way of working would even be doable with Microsoft software? Systems based on Linux/BSD/Apache and the like don't get much press when they are broken into because there simply aren't that many of them. It can take a very long time to hack a secured Linux/BSD system, and most of them are done through social engineering and people obtaining passwords by non-technical means. I'm quite pleased to say that I have had a lot of these types of phone calls :). Anyone want to hazard a guess as to how many Windows based systems are compromised externally through the software itself? Debian is an open development project, so naturally there will be a breach eventually. Unfortunately, even when you try and lock down a Windows-based system and when you have internal secrecy on your side, Microsoft insists on developing components that allow people near free-hand into your systems. Worse still, it can be weeks or months before anyone actually realises. Windows is no good at security, even in a closed environment, let alone in an open one like Debian. Debian and other open source projects have always had attacks on their servers - mostly people looking for free space to set up Internet Relay Chat servers (and these people don't care whether they exploit Windows, Linux, BSD, Solaris or BarbieOS), which is common with Windows. The fact that it has taken so long for anything serious to happen in this kind of development infrastructure is a big, big compliment.

David -November 28, 2003

The honesty and speed of reporting Debian have demonstrated are really commendable, but because the hop from local user to root level is still unexplained, any Linux user (not just Debian) needs to be vigilant, as there could be a widespread, and as yet undiscovered, flaw that explains this step.

Jon -November 28, 2003

Nope.

Yah -November 29, 2003

1. I agree there is a double standard. 2. I wonder how many times Microsoft would have been compromised if it also provided accounts for hundreds of its users across the world to work in its systems? 3. If nobody except Microsoft knew about the compromise, would they publish it on their website? 4. Has the fact that Microsoft had a security problem 2 years ago prompted it to prevent similar problems for its customers? Debian fan.

Pieter -November 29, 2003

Huh... and just as MS is gearing up an expensive "Open source isn't secure" campaign... truly fortuitous, I'm sure.

Andrew Fournier -November 30, 2003

Annoys the hell out of me. It stands to reason that the more popular/publicly available something is, the more likely it is to be hacked. Admittedly Windows isn't perfect (although I have no issues at all with XP - I can USE my PC, not spend ages configuring & compiling kernels) yet Linux users harp on about security and lack of breaches in Linux as if it's perfect - it would be interesting to see what happened if it had the same exposure as Windows and maybe this is a sign of things to come. In a sadistic way, I hope it is :)

Fred -December 01, 2003

Double standard?? Well friend, we the open source community acknowledge all our failures as well as successes. If Microsoft had been cracked, would they be as clear and humble to admit it? Leave alone admitting, what our people at the Debian project have done is truly exemplary: they've even neatly chalked out the modus operandi of the cracker and updated us about what rectifying measures have been taken. I clearly remember when there was much news about a vulnerability discovered in Apache 1.3.16, but believe it or not it was duly patched and a new release was put up on all the mirrors within 20 minutes after it was reported! Is this possible with Microsoft? Never! We always see that whenever a virus is rampant or there is a big vulnerability and a few important servers have been cracked, what do we hear from Microsoft? They coolly put the blame on the victim servers' admins, saying they failed to patch it! Cannot Mr. Bill Gates earnestly spend one hundredth of what he is earning on salvaging Windows and its allied software's security?

Ravi Shekhar S -December 01, 2003

Microsoft also makes billions of dollars from its customers so we expect better code than we currently get from Microsoft. As a reseller I cannot always charge my customers to fix Microsoft's mistakes.

Peter T -December 02, 2003

I (Linux user) feel that what happened is a dent in Linux-as-a-safe-OS credibility. At least the Debian guys were honest. Indeed, Linux is going mainstream... Hopefully Microsoft will understand this as well and finally regard Linux as a genuine competitor OS and not as a dangerous anarchistic product made by zealots. Competition is good! It will keep Microsoft, Apple, Linux distributors etc. sharp, so that we (the users) will profit with good and safe software.

Jack -December 02, 2003

This bug was known and unpatched for 2 months before this incident. Now Gentoo has been hacked as has been FSF. I wonder how many other Linux servers have been hacked without admitting it and how many have been compromised without knowing it.

J McNamera -December 05, 2003

I'm kinda amused by that "infuriate anyone else" bit at the end: [a] Looking at other coverage of this on other web sites indicates that the IDC comment had been prefixed with some fairly significant caveats which (at least for me) completely change the flavor of the comment. [b] The double-standard concept cuts both ways -- if no one pointed out that Microsoft was felt to be a significant challenge, that's probably because no one felt the need to point this out. Or: what that comment says to me is that the IDC analyst was thinking Debian had previously been beneath notice. Which is why I'm amused -- the idea that anyone could be infuriated by the idea that Microsoft is beneath notice is... well... ludicrous.

Raul -December 07, 2003

Since Debian and all free/open source software projects are so open and on top of security issues, they must have been able to track down IP addresses and such to find out the name of the person that broke into their servers by now... You've had almost a month, so when are you going to open up and tell everyone the name of the great hacker that forced the reboot of the Debian servers? Or is that suddenly "too open" for you guys?

Sean Gibbs -December 16, 2003

The attack was possible only because of a Linux kernel version-specific issue; no other previous or next versions are vulnerable. I think if Microsoft ever publishes its source code to the public, its products will be made out of the internet because of such hacks, attacks, exploits and viruses. Take care.

WindoZer -December 18, 2003

You are an idiot. I should charge you for the 2 minutes I spent reading your "article".

w2bh -December 18, 2003

The most interesting thing in this affair has been the transparency with which it has been treated, not resembling what usually occurs in other environments. That improves the confidence in the model and in the team. For me all is OK. ("chapeau"). -- vitruvio@idecnet.com --

francisco diaz-tendero -December 23, 2003

It's more interesting, this "fact" that an "archetypical 15-year-old" having "nothing better to do" may have cracked four Linux boxes, in contrast to... how many? Millions of machines being cracked by a brainless piece of automated code like MYDOOM.A or any other worm/virus still lurking on the internet, thanks to insecure-by-definition operating systems. I think Debian cannot be faulted for this incident, just as Microsoft cannot be faulted for being insecure from the beginning of its existence. Don't mix things that are impossible to mix. Source code is a good thing because it's transparent. Can we all say the same about proprietary code?

Gustavo Castro Puig -January 29, 2004

The attack was detected, all its effects corrected, and improved security installed to prevent it from happening again - all within 60 hours of the first attack attempt. Patches were made available to users at that time. If Microsoft ever gets as good as this in detecting break-ins and supplying patches to its customers, you'll have a right to complain about "double standards". Until then, face it: the Open Source community DOES do this better than Microsoft.

Nick -February 01, 2004
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement