Last week, an attacker compromised several key servers belonging to Linux distribution maker Debian Project, an event that seems to mirror problems Microsoft had 2 years ago when attackers compromised its network. The Debian incursion, however, was more dramatic: The project's bug-tracking, mail-list, Web server, and security-component servers were compromised. But in the aftermath of the attack, Debian officials said the code for its Linux distribution was unchanged.
"Fortunately, open-source developers tend to be very good at keeping cryptographic signatures on files and multiple backups to make sure that everything stays all right," Debian Cofounder Ian Murdoch told eWEEK. Murdoch claims that the attacker was really just interested in Debian's most recent Linux release, which is due this week. Arguably, the same might be said of the people who tried to attack Microsoft's network. Allegedly, those attackers were after the Windows source code, although Microsoft denies that they ever got that far.
Attacks on Microsoft servers tend to get a lot of press, but last week's attack on Debian isn't the first time this year that someone attacked an open-source stalwart's infrastructure. An intruder attacked Richard Stallman's Free Software Foundation (FSF) in March, although the attack wasn't discovered until months later. This time, at least, Debian quickly noticed the attack.
Most interesting to me, given the current security climate, is a comment Murdoch made about this kind of attack and the safety of open-source software (OSS). "This kind of attack is inevitable in open source," he noted. "The sad thing about the break-in is that it was probably done by an archetypical 15-year-old in a basement with nothing better to do." Debian Stable Release Manager Joey Schulze echoed this opinion. "You cannot eliminate all problems, unfortunately," he said. "Every GNU/Linux distribution is vulnerable, [and] even OpenBSD faces vulnerabilities, however [it's] quite seldom." And astonishingly, an IDC analyst actually called the break-in a "compliment," a platitude I'm pretty sure no one used during the Microsoft attack. "Someone felt that [breaking into Debian's servers] was hard enough to do to be worth doing," he said, apparently with no sense of irony or hypocrisy. "This is one more line of evidence that Linux is coming into the mainstream. The fact that it was caught and dealt with showed the strength of the [OSS] community." Does this double standard confuse and infuriate anyone else?