[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Have I caught a firmware attack in the act? Or am I just paranoid?

The key question about it is how the archive keys are handled. I believe that keeping such a key offline would be a whole lot of work. It would perhaps also help to have it on a gpg-Smartcard.

Am 23.08.19 um 09:10 schrieb Rebecca N. Palmer:
On 17/08/2019 12:18, Elmar Stellnberger wrote:
to be safe the key handling policy needs to be offline enforced

There have been various attempts to encourage / simplify the use of offline keys, but it isn't currently required in Debian, and some of them only suggest keeping the master key (not the signing subkey, which is enough to upload packages) offline.

(non-trust warning: these are anyone-can-post areas)

Also, firmware attacks can reach offline keys.


Intelligence can not spoof all downloads - there is always a certain percentage of downloads which get the original data; i.e. they only spoof the download if they know who is downloading.

Individual developers' keys are used to protect uploads (from that developer to the Debian archive), but downloads (from that archive to a user, i.e. apt upgrade/install) are protected by a tree of hashes signed by the archive's own key (see /var/lib/apt/lists).

Hence, stealing an individual developer's key doesn't let an attacker target specific people; it does let them upload as that developer, but if they do, *everyone* sees their version of that package.  As you note, this makes them more likely to be caught.

To get a malware package to only a specific person, they would need either a stolen *archive* key, or a bug/backdoor in apt that makes it accept signatures it shouldn't.

Proposal to keep a log of the official hashes, which would allow the target of such an attack to prove it was an attack: https://debconf19.debconf.org/talks/66-software-transparency-improving-package-manager-security/

Reply to: