
Re: Compromising Debian Repositories



Volker Birk:
> On Sat, Aug 03, 2013 at 09:16:40AM +0000, adrelanos wrote:
>> That should help to defeat any kind of sophisticated backdoor on build
>> machines.
> 
> Really?
> 
> How do you detect, if maintainer's patches contain backdoors?

Someone else builds the same package (binary) and detects a different
checksum. - That requires deterministic builds.

> If I would
> want to attack Debian, I would try to become the maintainer of one of
> the most harmless, most used packages. And believe me, you wouldn't see
> at the first glance, that this source code patch is containing a
> backdoor. I think, it's easy to do this at least while backporting
> security fixes – but not only. And, additionally: there is plausible
> deniability of doing so intentionally.

I agree. But I am more concerned about things you don't know, zero
days, rootkits injecting themselves while building.

> We're all making mistakes, don't
> we?

Sure.

> And we're all remembering the issue with key generation, I assume.
> Attacks on the build process don't seem to be the hugest threats.

Why not? Let's make up an example. An attacker only needs to compromise
the machine which builds the Apache server, doing so with a zero day the
attacker bought, let's say that's 10.000 $ or 100.000 $ - within budget of
three letter agencies and other criminals. An "investment". A
compromised Apache whose SSL traffic has an added weakness by the
backdoor is most profitable for economic espionage.

> Not to mention the build tool chains.

That's probably a separate issue.
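
The cross-check described in this message (someone else builds the same package and compares checksums), as an added example that is not part of the original thread. It assumes each builder publishes `sha256sum`-style output; the builder names, file names and sample bytes are constructed. Matching digests only show that the builders produced the same binary from the same source, not that the source is clean.

```python
import hashlib
from collections import Counter, defaultdict

def parse_manifest(text):
    """Parse sha256sum-style lines ("<hex>  <file>") into {file: hex}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(None, 1)
            entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def compare_builders(manifests):
    """manifests: {builder: {file: digest}} -> {file: finding}, disagreements only."""
    by_file = defaultdict(dict)
    for builder, files in manifests.items():
        for name, digest in files.items():
            by_file[name][builder] = digest
    findings = {}
    for name, digests in by_file.items():
        missing = sorted(set(manifests) - set(digests))
        counts = Counter(digests.values())
        if len(counts) == 1 and not missing:
            continue  # every builder produced the identical artifact
        top, votes = counts.most_common(1)[0]
        # Trust a digest only if more than half of all builders produced it.
        majority = top if votes * 2 > len(manifests) else None
        outliers = sorted(b for b, d in digests.items() if d != majority)
        findings[name] = {"majority": majority, "outliers": outliers,
                          "missing": missing}
    return findings

# Constructed sample: three builders; one emits a different binary.
CLEAN = b"constructed stand-in for the package contents"
ALTERED = CLEAN + b" plus bytes added on the build machine"
DOC = b"constructed stand-in for an arch-independent package"

def _manifest(pkg):
    h = lambda b: hashlib.sha256(b).hexdigest()
    return (f"{h(pkg)}  example_1.0_amd64.deb\n"
            f"{h(DOC)}  example-doc_1.0_all.deb\n")

SAMPLE = {
    "official-buildd": parse_manifest(_manifest(ALTERED)),
    "rebuilder-a": parse_manifest(_manifest(CLEAN)),
    "rebuilder-b": parse_manifest(_manifest(CLEAN)),
}

if __name__ == "__main__":
    for name, finding in compare_builders(SAMPLE).items():
        print(name, finding)
```

With only two builders that disagree there is no majority, so both are reported as outliers and the mismatch has to be investigated by hand.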

