Re: Improved Debian Project Emergency Communications

Rick Moen, 2003-11-29 05:20:16 +0100 :

> Quoting Roland Mas ([EMAIL PROTECTED]):
>
> > /me suggests the Debian Planet and Debian Help (both .org) websites.
>                                                   ^^^
> Session initialisation failed. Problems?

I didn't go further either. I blame the site for not working unless you
accept its cookies, and I'm too lazy to double-check this hypothesis.

Roland.
-- 
Roland Mas

One... two... one, two, many, lots!
  -- Lias, in Soul Music (Terry Pratchett)

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Improved Debian Project Emergency Communications

Quoting Roland Mas ([EMAIL PROTECTED]):

[http://www.debianhelp.org/ :]

> I didn't go further either. I blame the site for not working unless you
> accept its cookies, and I'm too lazy to double-check this hypothesis.

Sadly, that hypothesis doesn't check out, so I think the site is
effectively hung.

-- 
Cheers,              Don't use Outlook. Outlook is really just a security
Rick Moen            hole with a small e-mail client attached to it.
[EMAIL PROTECTED]      -- Brian Trosko in r.a.sf.w.r-j
Re: Improved Debian Project Emergency Communications

Quoting Rick Moen ([EMAIL PROTECTED]):

[http://www.debianhelp.org/ :]

> Sadly, that hypothesis doesn't check out, so I think the site is
> effectively hung.

And no sooner do I say that than I notice the site being usable again!

-- 
Cheers,              Reality is not optional.
Rick Moen              -- Thomas Sowell
[EMAIL PROTECTED]
Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

Karsten M. Self wrote:

> > It had to be re-installed. You probably know that since you've read
> > the announcement we were able to send out before the machine was
> > taken down for reinstallation.
>
> That announcement wasn't delivered for all users until _after_ murphy
> was resurrected. I myself got the debian-security-announce message
> mailed Nov 21 on 25 Nov 2003 15:16:56 -0800.

That's true, since murphy was powered down for a re-install in the
middle of its delivery. The (same) mail on debian-announce should have
been delivered by that time.

Regards,

	Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

On Friday 28 November 2003 13:14, Karsten M. Self wrote:

> That announcement wasn't delivered for all users until _after_ murphy
> was resurrected. I myself got the debian-security-announce message
> mailed Nov 21 on 25 Nov 2003 15:16:56 -0800.

Hm, I got that late too, but the (unsigned) announcement got to
debian-announce before the takedown.

> First I want to say that the Debian project, in extremely adverse
> circumstances, comported itself well, disseminated information, if not
> fully effectively, well beyond its nominal capacity with both web and
> email services offline. Disclosures were timely, informative, and
> helpful, while restraining themselves to established facts and working
> within constraints of an as yet ongoing investigation. Very few
> organizations can claim as much.
>
> Not only this, but it appears at this point that the crown jewels --
> the Debian archives and mirrored distribution points themselves --
> were _not_ compromised. Commendable.

Absolutely!

> I'll disagree with Martin's comment that the server compromise didn't
> constitute a security issue despite the lack of an archive compromise.
>
> Security affecting Debian servers _potentially_ affects Debian
> packages.

Yes, and I think the point needs emphasis that even if the archives are
not compromised, what has happened to the Debian servers is very
relevant to the security of all Debian users. My first thought when I
heard about the compromise was "ouch, that probably means I'm vulnerable
too". I considered for a moment taking my main server offline. The
problem is of course that we all run much of the same software that is
on the Debian machines. Unless there is something generic that is a
known problem (such as a sniffed password), or something that is special
to one of the servers (e.g. BTS), the attacker might be able to use the
attack he used on the Debian servers on pretty much _any_ Debian box.
That's really scary.

I learnt on /. that it had been a password compromise, so that meant it
was in the generic class of problems. We're always vulnerable towards
that. But, we're all likely to be vulnerable to the local exploit used
to gain root. Besides, it was /. :-)

For these reasons, I think it is fair to say that any compromise on the
Debian servers is very relevant to the security of all users. And that
was the information I was missing earlier: to what extent I would myself
be vulnerable.

Also, I'm not a regular IRC user, so it didn't occur to me at the time
that it was an alternative for gathering information. Besides, how is it
with signatures on IRC?

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

On Fri, Nov 28, 2003 at 01:52:14PM +0100, Kjetil Kjernsmo wrote:

> I learnt on /. that it had been a password compromise, so that meant
> it was in the generic class of problems. We're always vulnerable
> towards that. But, we're all likely to be vulnerable to the local
> exploit used to gain root. Besides, it was /. :-)

From the report I just read, sniffed password compromise to get in...
but an as yet unknown privilege escalation from user to root once on
board.

-- 
--
Dale Amon   [EMAIL PROTECTED]   +44-7802-188325
International linux systems consultancy
Hardware software system design, security and networking,
systems programming and Admin
"Have Laptop, Will Travel"
--
Re: Improved Debian Project Emergency Communications

Quoting Roland Mas ([EMAIL PROTECTED]):

> /me suggests the Debian Planet and Debian Help (both .org) websites.
                                                  ^^^
Session initialisation failed. Problems?

-- 
Cheers,              A: No.
Rick Moen            Q: Should I include quotations after my reply?
[EMAIL PROTECTED]
Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

On Fri, Nov 28, 2003 at 04:14:19AM -0800, Karsten M. Self wrote:

> I'll disagree with Martin's comment that the server compromise didn't
> constitute a security issue despite the lack of an archive compromise.
> For someone well versed in Debian procedures, it might have been
> plausible that the archives themselves weren't compromised. For a
> typical user, I don't think this was the case. For the typical user's
> management or clients, it's very likely _not_ the case, and a timely
> positive statement of status would be very, very helpful.
>
> Security affecting Debian servers _potentially_ affects Debian
> packages. As it was, I cleared my local package cache and stopped
> updates on hearing about the compromise. It wasn't for another few
> hours that I was aware that the archive was reportedly _not_
> compromised. In the absence of any information, the security status
> of Debian project packages in the event of a known or rumored server
> compromise is at best unknown.

It wasn't clear to me that the packages that I had downloaded were safe,
and it even wasn't clear after reading that the archives were safe. I
suggest some phrase like "packages in the debian archive" or just
"debian packages". The reason is that "archive" usually means something
covering (ancient) history. I initially thought it referred to the
mailing list archives. If I'd thought harder, I might have thought it
referred to past debian packages (which I think are provided via
snapshot.debian.org?? I've never used them).

Perhaps I should have known better, but since the confusion seems pretty
easy, and pretty easy to fix, I suggest fixing it if we should ever have
such an unfortunate incident again.

Thanks to all those who worked so hard to detect, and then correct, this
problem.

Ross Boylan
Re: Improved Debian Project Emergency Communications

Karsten M. Self, 2003-11-28 13:30:28 +0100 :

[...]

> - Where to provide information. Personal websites and news channels
>   served well, but an advance statement of "here's where you should
>   turn in the event of an emergency" would be useful.

/me suggests the Debian Planet and Debian Help (both .org) websites.

As far as I can see, Debian Planet has had this story since the 22nd of
November.

Roland.
-- 
Roland Mas

Two elephants fell off a cliff. Boom, boom.