Re: Have I caught a firmware attack in the act? Or am I just paranoid?
On 17/08/2019 12:18, Elmar Stellnberger wrote:
to be safe the key
handling policy needs to be offline enforced
There have been various attempts to encourage / simplify the use of
offline keys, but it isn't currently required in Debian, and some of
them only suggest keeping the master key (not the signing subkey, which
is enough to upload packages) offline.
(non-trust warning: these are anyone-can-post areas)
https://wiki.debian.org/GnuPG
https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment
https://lists.debian.org/debian-project/2017/08/threads.html#00011
Also, firmware attacks can reach offline keys.
However:
Intelligence can not spoof all downloads - there is always a
certain percentage of downloads which get the original data; i.e. they
only spoof the download if they know who is downloading.
Individual developers' keys are used to protect uploads (from that
developer to the Debian archive), but downloads (from that archive to a
user, i.e. apt upgrade/install) are protected by a tree of hashes signed
by the archive's own key (see /var/lib/apt/lists).
Hence, stealing an individual developer's key doesn't let an attacker
target specific people; it does let them upload as that developer, but
if they do, *everyone* sees their version of that package. As you note,
this makes them more likely to be caught.
To get a malware package to only a specific person, they would need
either a stolen *archive* key, or a bug/backdoor in apt that makes it
accept signatures it shouldn't.
Proposal to keep a log of the official hashes, which would allow the
target of such an attack to prove it was an attack:
https://debconf19.debconf.org/talks/66-software-transparency-improving-package-manager-security/
Reply to: