Information Security News mailing list archives

Debian: Attack Didn't Harm Source Code


From: InfoSec News <isn () c4i org>
Date: Mon, 24 Nov 2003 01:32:27 -0600 (CST)

http://www.eweek.com/article2/0,4149,1394538,00.asp

By Steven J. Vaughan-Nichols 
November 21, 2003 

Despite a cracker incursion into Debian Project servers this week,
representatives of the Debian Linux distribution said the open-source
code behind it remains untouched.

Ian Murdock, chairman of Progeny Linux Systems Inc. and founder of
Debian, told eWEEK.com, "Fortunately, open-source developers tend to
be very good at keeping cryptographic signatures on files and multiple
backups to make sure that everything stays all right."

For Debian, Murdock said, the attack "is more a matter of
inconvenience, since the organization was about to release the latest
version of Debian this Friday."

This is not the first time an open-source site has been attacked by
crackers. In March of this year, the Free Software Foundation Inc.'s
GNU Project ftp servers were attacked. This assault, which caused no
damage to the code, was only discovered months afterwards.

In the Debian case, though, the break-in was discovered within 24
hours. The cracker had gained access to four machines: "master," the
bug-tracking system; "murphy," the mailing-list manager; "gluck," the
Web server and Concurrent Versions System (CVS) server; and "klecker,"
which houses security, quality assurance and search-engine code.
Martin Schulze, a Debian spokesman, reported that the Debian source
code archives themselves were "not affected by this compromise."

"This kind of attack is inevitable in open source," Murdock said.
"We've increased security. At the beginning of Debian, becoming a
developer was as easy as sending me an e-mail, but these days there
are checks and balances in place to make sure that only real
developers get in and that the code stays clean."

Some posters at popular Linux news and discussion site Slashdot joked
that either The SCO Group Inc. was trying to break in and "steal the
source to prove once and for all that Linux has stolen their patents"
or "are trying to break in to insert patented code into Linux code, so
they'd have a leg to stand on in the court." However, Murdock said,
"The sad thing about the break-in is that it was probably done by an
archetypical 15-year-old in a basement with nothing better to do. If
that same kid channeled his energy and skills in a creative rather
than destructive way, he could achieve real recognition as an
open-source programmer."

Dan Kusnetzky, IDC vice president for system software research, told
eWEEK.com, "In one sense, people could take this as a backhanded
compliment: Someone felt that [breaking into Debian's servers] was
hard enough to do to be worth doing. This is one more line of evidence
that Linux is coming into the mainstream." And, at the same time, "The
fact that it was caught and dealt with showed the strength of the
open-source software community."



ISN is currently hosted by Attrition.org
