The benefits of a compromise (?)

I learned from Slashdot that some of the Ubuntu servers have been hacked. As some of the comments to the Slashdot post suggest, that is no catastrophe in itself (but it quickly can be). Everyone makes mistakes, and prevention eventually fails. They are not alone. What matters is whether or not they have the routines, tools and processes in place to investigate, analyse and limit the damage.

What is interesting is that we actually get to know that they have been compromised, and that raises some questions: Does knowing about the compromise increase or decrease my trust in the Ubuntu source? Let us look at what the announcement gives us:

Knowledge of the breach lets us

  • Choose whether or not to apply future updates, for fear that they might contain backdoors, at least until the scope of the compromise is fully determined.
  • If considered necessary by -us-, choose whether to withdraw all Ubuntu boxes and replace them with another distribution or OS.
  • Watch and see how the Ubuntu community and sponsors, e.g. Canonical, react to this: how serious they are about security, and how good their processes and routines are for handling these kinds of emergency situations.
  • Be somewhat assured that the Ubuntu servers and their administrators are competent enough to detect the compromise, and yeah, that can be hard.

If things were as yesterday, with no breach, what knowledge does that give us?

  • Can they detect a compromise if there were one? Do they have the necessary tools and processes to do so?
  • Are the servers compromised? The source code? Are there backdoors in the software?
  • Should we react? How? What might be compromised?
  • … etc.

The point is, without any other information, an announcement of a compromise gives us more information on which to base decisions than a company with no apparent security issues does. This is a fundamental problem with security. It’s similar with vulnerabilities: a company announcing a vulnerability in its software at least proves that it is looking; the absence of one proves nothing. I’m not saying I wish more companies were compromised, but I wish they would report it once they were. The companies that are not compromised can show other things that assure their customers that they have the necessary tools and processes in place. I think of information security frameworks such as ISO 17799 and similar standards, which at least prove that a company is putting some effort into security.

To sum the post up: the following weeks will tell us more about Ubuntu’s security priorities than we know about those of some of its uncompromised rivals.