Several computers supporting the 10-year-old Linux development project Debian were compromised by hackers late last week, causing a delay in the release of the latest distribution of the operating system and disrupting services for the project’s 1,100-plus developers.
Leaders of the open-source software project disclosed the hack — which compromised Debian bug tracking, e-mail, security and other services — and were working to reinstate Debian sites and services this week.
“This is a very unfortunate incident to report about,” said a statement on the Debian.org site.
Some might view the hack — which comes after reports of the Free Software Foundation’s GNU project servers being compromised last spring — as a black eye for open-source software development. But it is also a “badge of honor” and a sign that Linux is coming of age, IDC analyst Dan Kusnetzky told LinuxInsider.
“They have been successful to a point that they are now a target of such things,” he said. “It’s a sign that their product is in serious use.”
Compromise Cleanup
Officials with Debian, an open-source Linux distribution project started in 1993 by Ian Murdock, said they had “a reasonable overview of what happened to the various Debian servers” and indicated they were working to address the issues.
The group said services run by the compromised servers were shut off and the Debian archive would need to be verified from trusted sources before it was available again.
“All services on those machines have been shut down or moved to different machines so we can take the necessary time to determine what happened and restore the machines,” a Debian leader said in a posting.
The group indicated it would explain exactly what happened and how to prevent future compromises when it has all the facts.
Bad Guy’s Back Door
Independent security expert Ryan Russell told LinuxInsider that the Debian hack, along with other compromises of open-source development infrastructure, is part of a trend.
“One of the things we’re seeing lately is a lot more open source and related security projects being attacked,” Russell said.
Russell said the goal of the open-source attacks appears to be the placement of back-door programs that attackers can leverage later when the software is in use.
Proof of Process
Kusnetzky said the Debian hack was a disappointment, but added that it proved the development project’s security checks and balances, as well as the ability to respond quickly, are all working properly.
“It appears the procedure worked and this didn’t go anywhere,” he said. “The fact that the process of review caught this and eradicated it shows the process is working.”
Kusnetzky, who said motivation for the attack ranges from political to “ego boost,” indicated that the overall impact on Debian will be positive, as the Linux distribution is now on a road already traveled by major software makers such as Microsoft, IBM and Sun.
Badge of Hacker
Kusnetzky said the fact that the Debian project was attacked will likely have no bearing on the software distribution, but added that the incident might cause some to stay away from open-source software.
Russell said that, in a perverse way, the hack and any attempts to place back-door access into Linux distributions indicate a sense of legitimacy for the open-source movement. Russell cautioned that the placement of back-door code can be subtle, as was the case with a recent effort to compromise the Linux kernel.
“It’s disappointing in the sense that one would hope these projects — which are free, are used and loved by developers — would get some slack,” Russell said. “That doesn’t appear to be the case.”