Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
November 24, 2003

Insecure? Linux Maker Suffers Electronic Attack


   Last week, an attacker compromised several key servers belonging to the Debian Project, maker of the Debian Linux distribution, an event that seems to mirror the problems Microsoft had 2 years ago when attackers compromised its network. The Debian incursion, however, was more dramatic: The project's bug-tracking, mailing-list, Web, and security-component servers were all compromised. But in the aftermath of the attack, Debian officials said the code for its Linux distribution was unchanged.
   "Fortunately, open-source developers tend to be very good at keeping cryptographic signatures on files and multiple backups to make sure that everything stays all right," Debian founder Ian Murdock told eWEEK. Murdock claims that the attacker was really just interested in Debian's most recent Linux release, which is due this week. Arguably, the same might be said of the people who attacked Microsoft's network: Those attackers were allegedly after the Windows source code, although Microsoft denies that they ever got that far.
   Attacks on Microsoft servers tend to get a lot of press, but last week's attack on Debian isn't the first time this year that someone has attacked an open-source stalwart's infrastructure. An intruder compromised a server belonging to Richard Stallman's Free Software Foundation (FSF) in March, although the attack wasn't discovered until months later. This time, at least, Debian noticed the attack quickly.
   Most interesting to me, given the current security climate, is a comment Murdock made about this kind of attack and the safety of open-source software (OSS). "This kind of attack is inevitable in open source," he noted. "The sad thing about the break-in is that it was probably done by an archetypical 15-year-old in a basement with nothing better to do." Debian Stable Release Manager Joey Schulze echoed this opinion. "You cannot eliminate all problems, unfortunately," he said. "Every GNU/Linux distribution is vulnerable, [and] even OpenBSD faces vulnerabilities, however [it's] quite seldom." And astonishingly, an IDC analyst actually called the break-in a "compliment," a platitude I'm pretty sure no one used during the Microsoft attack. "Someone felt that [breaking into Debian's servers] was hard enough to do to be worth doing," he said, apparently with no sense of irony or hypocrisy. "This is one more line of evidence that Linux is coming into the mainstream. The fact that it was caught and dealt with showed the strength of the [OSS] community." Does this double standard confuse and infuriate anyone else?
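Murdock's remark about signatures and backups is what lets a project state, after its servers have been compromised, that the shipped code was unchanged: every distributed file has a recorded digest, the list of digests is signed with a key that never lives on the public servers, and a verification pass compares the restored tree against that signed list. The Python below is an added example written for this page, not Debian's own tooling. It uses an HMAC over the manifest as a stand-in for the GPG signature Debian actually uses (the standard library has no public-key signing), and the release key, file tree, and tampering scenario are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Hypothetical release-signing key. In a real release process this role is
# played by a GPG private key kept off the public build and archive hosts;
# a shared HMAC secret is used here only because it needs no third-party library.
RELEASE_KEY = b"hypothetical-release-signing-key"


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return manifest text: one 'sha256  relative/path' line per file, sorted by path."""
    lines = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lines.append(f"{sha256_of(full)}  {rel}")
    lines.sort(key=lambda line: line.split("  ", 1)[1])
    return "\n".join(lines) + "\n"


def sign_manifest(manifest, key=RELEASE_KEY):
    """Sign the manifest text (HMAC-SHA256 standing in for a GPG signature)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_tree(root, manifest, signature, key=RELEASE_KEY):
    """Return (ok, problems) for the tree under root.

    Fails closed: a bad manifest signature rejects everything, and any file
    that is modified, missing, or not listed in the manifest is reported.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature mismatch"]
    expected = {}
    for line in manifest.splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    problems = []
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in expected:
                problems.append(f"unexpected file: {rel}")
            elif sha256_of(full) != expected[rel]:
                problems.append(f"modified: {rel}")
    for rel in expected:
        if rel not in seen:
            problems.append(f"missing: {rel}")
    return (not problems), problems


def demo():
    """Constructed scenario: sign a small tree, then backdoor a file, then try
    to cover the change by regenerating the manifest without the key."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "main.c"), "w") as f:
            f.write("int main(void) { return 0; }\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("constructed sample release\n")
        manifest = build_manifest(root)
        sig = sign_manifest(manifest)
        clean = verify_tree(root, manifest, sig)
        # Attacker with a shell on the archive host appends to a source file.
        with open(os.path.join(root, "src", "main.c"), "a") as f:
            f.write("/* backdoor */\n")
        tampered = verify_tree(root, manifest, sig)
        # Attacker regenerates the manifest to match, but cannot re-sign it.
        forged = verify_tree(root, build_manifest(root), sig)
        return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged manifest"), demo()):
        print(f"{label}: {result}")
```

The check only means something if the signing key was never on the compromised hosts and the reference manifest comes from a signed copy or an offline backup, not from the machine being verified; that separation, rather than the hashing itself, is what let Debian say the code was unchanged.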

End of Article



Reader Comments
Nope, no one infuriated here. Quite funny, actually.

BTW, love the google ads at the bottom of the page for Linux servers. I highly recommend grabbing one to replace your *truly* insecure Windows server.

Jeremy Spokane November 24, 2003


Let's put aside the double-standard aspect for a second and examine the response from a historical perspective:

-"This kind of attack is inevitable in open source"
-"You cannot eliminate all problems"
-"Someone felt that [breaking into Debian's servers] was hard enough to do to be worth doing"

These three quotes run counter to the conventional wisdom of Linux we've been led to believe since Torvalds and open source became the darlings of the pre-dot-com-bomb Internet!

-Since at least 1997, Linux advocates have publicly claimed that the more egalitarian ethic of Linux users prevents any attacks on open source servers, but now those same people are telling us that "[e]very GNU/Linux distribution is vulnerable"?
-Many a Linux fanatic will tell you that running Linux means your networks will be impervious to a virus or hacker because you can limit user resources and everything is locked down in Linux by default. Now those same fanatics are shrugging and mumbling: "You cannot eliminate all problems"?
-The Linux elitists I've encountered since I began observing the tech industry have always scoffed at the notion that Windows is a target because of its popularity, but now those same elitists are claiming an attack on the Debian source code servers is "one more line of evidence that Linux is coming into the mainstream"?

I know Torvalds, Stallman, and Raymond are the quirky and lovable leaders of "The Revolution" and can sell magazines (NOTE: Isn't it odd that a Linux user will buy an overpriced magazine full of ads with only four pages of Linux love but refuse to pay fifty bucks for an OEM copy of an operating system that is inarguably much more useful?), but when are we going to see an exposé about the hypocrisy of Linux on the cover of "Time" and "Wired"?

You know who else sells magazines? You guessed it: FRANK STALLONE!

Scott McCollum November 24, 2003


What double standard? Debian is put together by volunteers and is one of the 200 or so Linux distributions. A couple of servers hacked and quickly detected doesn't compare to the millions of MS servers/PCs compromised by worms, trojans, and viruses (some affecting Microsoft Central itself).

Old Quote:
"Microsoft was completely hosed (from Slammer). It took them two days to get out from under it," said Bruce Schneier, chief technology officer of Counterpane Internet Security, a network monitoring service provider. "It's as hypocritical as you can get."

Try to keep the incident in perspective.

Regards
rob

monkymind November 24, 2003


You're a $%^#ing idiot.

Any OS can and will be cracked, however instances of this happening are far less frequent in Linux than in Microsoft Windows. The Debian development team should be applauded for being so open about the whole incident when other organisations (though surely not the great and powerful Microsoft right?) would have covered it up.

This article was so childish and petty it was almost comical.


Editor's note: Your posting, in contrast, was mature and well-balanced. I bow to your well-constructed arguments. --Paul

... November 24, 2003


Wasn't this basically a case of someone's username/password being abused rather than an actual security hole in Debian? Personally I'm not infuriated by the double standard here because I just don't see it.

You don't have to hack into the Debian servers in order to get access to the source code.

Mark Mruss November 24, 2003


Considering that this was a straight-up password compromise, why is this a double standard? Compromises of Microsoft's systems have typically been due to misconfigured or unpatched systems, not a hard thing given the typically poor default configuration or maze of patches required to secure Microsoft's software. When this occurs in mainstream open source, it typically requires a heck of a lot more technical expertise.

I'm more infuriated by Windows apologists such as yourself who seem to think the status-quo that Microsoft provides is good enough. It's not. If nothing else you should thank your stars that Linux provides some competition to force MS to improve their offerings.

I compare it to AMD vs. Intel. You wouldn't see the low prices that Intel now offers if AMD wasn't a credible threat keeping them on their toes. Likewise, Microsoft has no incentive to improve if they don't have someone offering their customers a credible alternative (and in the server space this is true, no comment on the desktop). Competition is good, and I wish MS apologists would wise up to that fact.

John James November 24, 2003


nope.
..in fact your argument is meaningless in this context.
hacking into Microsoft may expose carefully guarded secrets, but hacking into Debian will only reveal what is already known in CVS.

name November 24, 2003


i see

mike November 24, 2003


Yes, I'm outraged, and the obvious bias demonstrated in this article, is that not also a double standard? As a journalist it is your responsibility to provide balanced and "unbiased" coverage of any story, regardless of your or your site's affiliation or target audience.

You seem to purposely fail to highlight the key difference between these incidents. One, Microsoft provides closed source, therefore their break-in also presented the possibility that a hacker would have leaked the Windows source to the world, an obvious disaster for Microsoft. Also, because Windows code is secret, if code was compromised no Microsoft customer would have the tools or ability to realize the code had been compromised, therefore the chance of discovery is much lower.

On the flip side, Linux is open source, so there was no trade secret to steal, no damage done if the code was leaked to the net. The only concern was the hacker inserting compromising code into the source, but again the situation is entirely different, since all files in the distributions have a generated crypto key the added lines would never have gotten very far without someone noticing the crypto keys didn't match. The file check-in system of the FSF is a perfect example of how the crypto keys saved the day, because it was those keys that allowed their system to automatically detect an unauthorized change had occurred in the code.

And the most striking difference: the Linux teams were up front about their security problem, they announced it, they warned their users. If I remember correctly, the fact that Microsoft was compromised was leaked in the first place; they tried to hide it, which causes suspicion and makes a much juicier story.

Keith November 24, 2003


The difference is that Debian's servers are managed by volunteers who don't have billions of dollars to throw at security. Even so, they have had far fewer break-ins than Microsoft.

So tell me again, why are you paying all that licensing money to Microsoft?

John Robertson November 24, 2003






 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement