Re: [work] Integrity of Debian packages

To: Andrew Pollock <debian-lists@andrew.net.au>
Cc: debian-security@lists.debian.org
Subject: Re: [work] Integrity of Debian packages
From: Gary MacDougall <gary@freeportway.com>
Date: Thu, 06 Mar 2003 21:21:21 -0500
Message-id: <[🔎] 3E680221.8040302@freeportway.com>
In-reply-to: <[🔎] 20030307013315.GA27646@daedalus.andrew.net.au>
References: <[🔎] 20030307013315.GA27646@daedalus.andrew.net.au>

If the FBI has the power, time and energy to install a proxy between myrouterand my ISP to spoof a package host (i.e. security.debian.org) just toroot my servers, then theyare clearly a heck of lot more "geeky" than I thought. Hell, why gothrough that trouble,why not just grab my traffic and sniff all my packet's... sheesh. Ifthey can spoof a proxyon me, then they certianly can put a line sniffer between me and myISP... isn't that

easier?!?!

This is silly to blame the FBI. I'd be far more concerned about theaverage knucklehead

trying to do this maliciously than thinking the FBI would do it... please.

As I agree that there should be a level of protection on apt-get, or any"auto update" system,its up to the person doing the update to check the things they'reupdating if they are thatparanoid. If your really concerned about this, don't apt-get, downloadthe deb's and

eyeball the deb's yourself.

This line caugh my eye and made me laugh a little:

>As a matter of comparison, our Windows 2000 box has no suchvulnerability. The first time we went to>Windows Update, we checked the box that said, "Always trust contentfrom Microsoft Corporation.">Therefore, only Microsoft's real certificate will be accepted by ourmachine. Even if the FBI forces>Verisign to issue an impostor certificate, it will be detected andthwarted.

Hahahahahahahahaha... So when I hit "Yes" to trust Microsoft all myworries and fears go away...ya right.

The article was written in December 2001, two years ago and over 100 IISpatches later. In hindsight,had the author concentrated on IIS and its lack of security, and pointedout that the Internet is slowedto a crawl since every IT idiot maintaing IIS won't patch they'resoftware or doAN AUTO UPDATE!!! It's a contradiction to the original problem beingstated!!! hahahahaha.

I don't know about you, but I'd love to have a dime for every time somefrickin' worm crawl's oneof my Apache boxes trying to buffer overflow or malform it thinking itsIIS....Hell, I'd be rich.

This stuff is silly. I'll take my chances with apt-get and know that mysystem is update to date.


g.



Andrew Pollock wrote:

Hi,
One of my friends sent me this URL, it's an oldie, and the topic ingeneral has been discussed before, but this article certainly does raisesome concerns.
http://www.astalavista.com/privacy/library/magic-lantern/fbi.shtml

Andrew

Reply to:

Follow-Ups:
- Re: [work] Integrity of Debian packages
  - From: Peter Cordes <peter@llama.nslug.ns.ca>
- Re: [work] Integrity of Debian packages
  - From: Andrew Pollock <debian-lists@andrew.net.au>
- Re: [work] Integrity of Debian packages
  - From: Blars Blarson <blarson@blars.org>

References:
- Integrity of Debian packages
  - From: Andrew Pollock <debian-lists@andrew.net.au>

Prev by Date: Re: Integrity of Debian packages
Next by Date: Re: Integrity of Debian packages
Previous by thread: Integrity of Debian packages
Next by thread: Re: [work] Integrity of Debian packages
Index(es):
- Date
- Thread