Kurt Seifried discusses how Apache.org was compromised, offering
that part of a growing problem we face in computer security is
trust: “The SSH protocol is used to secure these connections with
strong encryption, which provides a tunnel between the two
communicating machines. Furthermore, it is assumed that the end
developer’s machine is secure, and that there are no keystroke
loggers running, or items like KeyGhost hooked up to the machine.
Herein lies a problem. More and more people are using machines that
are not always secure or should not be considered “trusted.”
“The number of publicly available terminals in
libraries, educational computer labs, cafe’s and other places has
exploded in the last few years. The vast majority of these machines
are not very well secured, ranging from Linux machines in a private
cubicle (where LILO was not locked down) to windows machines that
will cheerfully boot from a floppy disk.While breaking into these systems and logging passwords is
probably not going to help you break into a specific site, if you
throw out a large enough net you will catch something of interest
eventually. This is especially true for more populous systems such
as ISP shell servers and university servers (which are notorious
for being poorly secured). Once you have a shell account on a
system it becomes much easier to exploit any security flaws, local
or remote.”