[conspire] Re: [vox] Password NOT stolen at linuxworld

Rick Moen rick at linuxmafia.com
Mon Aug 11 15:51:56 PDT 2003 

[Ryan posted this to LUGOD's vox mailing list.  I'll be sending him
a copy of this post. It turns out that the earlier surmise about 
where the break-in originated was premature, but entirely new questions
have been raised, about Debian's "testing" branch (currently "sarge"):]

Quoting Ryan Castellucci (ryan+lugod at cal.net):

> On Mon, Aug 11, 2003 at 02:16:15PM -0700, Dmitriy wrote:
> > On Mon, Aug 11, 2003 at 01:42:08PM -0700, Ryan Castellucci wrote:
> > > OK, guys, here's the scoop... Somebody 0wned my system at
> > > work, running debian testing. Installed this lovely password
> > 
> > Testing is inherently insecure.  _Don't_ run testing on any
> > publically accessible computers.  It doesn't get security updates.
> > 
> > If you are lucky you will get one after a week.  If you are not, the
> > update can range anywhere from two weeks (all conditions for going
> > into testing are satisiied and update is uploaded with normal
> > urgency) to months (like waiting for new glibc to go into testing).
> > 
> > So, I'd say you were asking to be 0wned.
> 
> I claim IGNORANCE!!!!
> 
> I was not aware of this, I sure wish someone had told me. I needed
> newer versions of several packages that were not available in stable.
> Would I be better off running sid in the future?

Ryan, I have this topic covered at
http://linuxmafia.com/~rick/linux-info/debian-testing-security .

The Debian-testing algortithm for auto-populating "testing" from 
packages in "unstable" is described in the Debian Testing FAQ, 
which I have mirrored at http://linuxmafia.com/debian/testingfaq.html ,
and will clarify why _automatic_ security updates cannot fully cover
"testing".  Please note emphasis:  It's actually dead-simple to keep 
that branch secure.  You just don't get the packages auto-delivered.
I'll explain.

Essentially, if you run "testing", you should subscribe to the
low-traffic (announce-only) debian-security-announce mailing list,
browse the alerts as they come in, and semi-manually retrieve and apply 
any updates relevant to your system, as you hear about them.  You 
can make that easy by using "pinning" to make packages from unstable=sid
accessible via apt-get (as described in
http://linuxmafia.com/debian/tips), such that you can type (e.g.)
"apt-get -b unstable install libc6", without otherwise leaving the 
"testing" track.

Glancing through the security advisories and doing an occasional 
specific apt-get of the above sort suffices to fix the perceived 
security pitfall:  If people weren't so spoiled by Debian Policy and the
apt tool suite, it wouldn't even be perceived as a problem, I think.
Heavens knows, it's easier to keep my testing-branch servers secure
than they were when they ran other distributions, previously.

Running testing isn't "asking to be owned".  By contrast, running
testing _plus_ failing to read debian-security-announce _is_ that,
arguably.

Just some perspective for you -- which Dmitriy's post did not provide,
albeit furnishing quite correct information as far as it went.

-- 
Cheers,              First they came for the verbs, and I said nothing, for
Rick Moen            verbing weirds language.  Then, they arrival for the nouns
rick at linuxmafia.com  and I speech nothing, for I no verbs. - Peter Ellis

More information about the conspire mailing list