Within the past 36 hours, four of the Debian Project’s main Web servers for bug tracking, mailing lists, security and Web searches were breached, the open-source group said.
Joey Schulze, Debian Project stable release manager, e-mailed members of the organization’s discussion list explaining that the machines were being taken down.
The Debian Project's servers run the project's own operating system, version 3.0/i386, with current security updates.
Some services provided by the servers have been mirrored at other sites, but Schulze told internetnews.com he doesn’t expect the original machines to be running before Monday, with the possible exception of the security.debian.org and master servers.
Project Debian is a 10-year-old variant of the Linux kernel, popular among the independent, or “enthusiast,” crowd of programmers. The breach underlines that any operating system, even Linux — often held up as a benchmark in security compared to other operating systems (namely Microsoft) — is vulnerable to hacks.
“Today’s software has a high degree of complexity and you cannot eliminate all problems, unfortunately,” Schulze said. “Every GNU/Linux distribution is vulnerable, even OpenBSD faces vulnerabilities, however, quite seldom.”
Rick Stevenson, CEO of embedded Linux security manufacturer Snapgear, said Linux is a secure platform to run your system from, and the likely reason for the breach is maintenance-related.
“We don’t know what the details are yet, but it’s most likely that the breach was totally due to a slip-up by a systems administrator than inherent system insecurity in Linux,” he said. “Chances are much greater that it was just that someone left a hole open and forgot to apply a patch.”