
Re: Debian auditing tool?

[ Would you please stop those Ccs to me?]

On 00-12-21 Colin Phipps wrote:
> On Thu, Dec 21, 2000 at 03:30:25PM +0100, Christian Kurz wrote:
> > > > > Hence my comment.  "Less-clueful" intruders won't modify
> > > > > /var/lib/dpkg/info/package.md5sums ; debsums will catch these people,
> > > > > but will not help if the cracker is smart.
> > > > 
> > > > No, as I would say that if these md5sums become widespread, someone
> > > > will write a tool to modify binaries without modifying the md5sum, and
> > > > then you have the problem again...

> This is not possible, that's the point of using md5sums in this case, it's 
> computationally infeasible to construct a different file with the same 
> md5sum.

Sure, I haven't read Schneier so far, but I'm not sure about this.

> > > > ...or even create a tool that replaces the
> > > > md5sum in the file /var/lib/dpkg/info/package.md5sum with a new one

> Which is why you would have to get the list of md5sums from a trusted source.

> > No, I tried to explain why it also won't work for the "less-careful"
> > intruders, as they will use tools to hide their changes.

> Some intruders will be careless or ignorant and it'll catch them. Others 
> will be smart and it won't. Assuming at least some hackers are careless it's 
> still worthwhile, in the absence of a perfect solution.

Well, and the ones that you won't catch do much more damage to your system
and create a higher risk than the ones you catch.

> > > if I were trying to do mirror authentication, I'd ship apt with an
> > > official .debian.org public key, and then ask .debian.org whether a
> > > the public key presented by a mirror was kosher.  There are other ways
> > > of doing it...
> > 
> > Public key? GnuPG or PGP? Or do you mean ssh, or what kind of public key
> > are you thinking of? Also, this would mean that everyone downloads packages
> > from only one .debian.org server, and this would generate a lot of
> > traffic and resource use on this machine. Or otherwise you have to convince
> > every admin of .debian.org to generate a public key and install them all
> > when you install apt.

> No, you just sign all the packages on master.debian.org with this official 
> key, and then mirror both the files and their signatures (as kernel.org do).

And who will create this key? Who will have the passphrase? Who will
sign the packages? How do you make sure that the signatures don't get

A "No" uttered from the deepest conviction is better
and greater than a "Yes" uttered to please, or worse, to
avoid trouble.
  -- Mahatma Gandhi

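The two intruder cases argued over in this thread, as an added example that is not part of the original mail and is not debsums itself: a minimal debsums-style check of installed files against a dpkg-format md5sums list, followed by the check the thread says is also needed, namely that the md5sums list itself matches a copy obtained from a trusted source (here represented by an out-of-band SHA-256 of the list; that trusted digest, the fake package root and the file contents are all constructed for the example).

```python
"""Added example (not from the thread, not debsums): a debsums-style check,
and why it needs a trusted copy of the md5sums list to catch a careful intruder."""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse the dpkg md5sums format: '<32 hex md5>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)  # two spaces, as md5sum(1) emits
        entries[path] = digest.lower()
    return entries


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def debsums_check(root, md5sums_text):
    """Return the relative paths whose current md5 differs from the list (or which are missing).
    This is the local check only: it trusts whatever is in md5sums_text."""
    bad = []
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.exists(full) or md5_of_file(full) != expected:
            bad.append(rel)
    return sorted(bad)


def verify_md5sums_list(md5sums_text, trusted_sha256):
    """The extra step the thread calls for: compare the md5sums list against a copy from
    a trusted source. Assumption for the example: the trusted copy is represented by a
    SHA-256 digest recorded out-of-band (e.g. taken from the original .deb) before the intrusion."""
    return hashlib.sha256(md5sums_text.encode()).hexdigest() == trusted_sha256


def scenario():
    """Build a constructed fake package root, then simulate the two intruders the thread describes.
    Returns (careless_intruder_findings, smart_intruder_local_findings, smart_intruder_list_ok)."""
    root = tempfile.mkdtemp()
    files = {  # constructed sample 'binaries', not real package content
        "usr/bin/ls": b"original ls binary\n",
        "usr/bin/ps": b"original ps binary\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # the list dpkg would have written to /var/lib/dpkg/info/<package>.md5sums
    md5sums = "".join(f"{hashlib.md5(data).hexdigest()}  {rel}\n" for rel, data in files.items())
    # digest of that list as recorded from the trusted source before any intrusion
    trusted = hashlib.sha256(md5sums.encode()).hexdigest()

    trojan = b"trojaned ls\n"
    with open(os.path.join(root, "usr/bin/ls"), "wb") as f:
        f.write(trojan)

    # "less-clueful" intruder: replaced ls, left the md5sums list alone -> caught locally
    careless = debsums_check(root, md5sums)

    # smart intruder: also rewrote the md5sums entry for ls -> local check is fooled
    forged = md5sums.replace(hashlib.md5(files["usr/bin/ls"]).hexdigest(),
                             hashlib.md5(trojan).hexdigest())
    smart_local = debsums_check(root, forged)
    # ...but the list no longer matches the trusted copy, so that check still catches it
    smart_list_ok = verify_md5sums_list(forged, trusted)
    return careless, smart_local, smart_list_ok


if __name__ == "__main__":
    print(scenario())
```

The local check alone reports only the careless intruder; the forged list passes it, and only the comparison against the trusted copy exposes the smart one. In practice that trusted copy is what signed package files (or the md5sums inside the original .deb from a signed archive) would provide; a hash stored on the same compromised host proves nothing, which is the point made in the quoted reply.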