[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Compromising Debian Repositories

On Sun, Aug 04, 2013 at 05:13:51PM +0100, Daniel Sousa wrote:
First of all, they could apply that change (calling it a patch was not one of
my greatest ideas) for every update they do, it's not necesserily a one time
thing. It's also much easier (and probably much dangerous) to write some code
that doesn't need to be cryptic, you can just write whatever you want instead
of trying to find something that can pass as a mistake (although this seams a
fun thing to do)

If we're being all cloak-and-dagger and reveling in the possibility of the NSA infiltrating the archive, why wouldn't you assume 1) the desire for plausible deniability and 2) competence? A simple exploitable bug in a sensitive service gets you root access, why do you need something more fancy? History has shown that remote root vulnerabilities can survive in for quite a while in some pretty old code. I don't think we need to focus on someone trying to insert individual malicious binaries into the archive until that actually becomes the more straightforward and less risky attack vector.

Mike Stone

Reply to: