
BLU Discuss list archive



package manager attacks



 Saw this on slashdot: 
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

They make some interesting points, but in the end it's a pretty weak attack, 
and wouldn't work in the real world. 

First, I don't think any package manager will "downgrade" without significant 
user intervention, so just providing access to old filelists (and the files 
themselves) is not sufficient to install broken software on a client. 

That leaves the DoS attack where you could simply prevent clients from 
upgrading.  The problem there is that yum, apt, etc., all use rotating 
mirrors, so a given client would have to somehow keep getting "bad guy" 
mirrors (just once getting to a "good guy" mirror and they get the critical 
updates).  You'd have to have a significant number of these "dummy" servers 
to keep clients from updating, and by that point you'd be detected (it would 
be trivial to identify "dummy" servers once you know that you need to look). 

Matt 

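The "keep serving old metadata" scenario discussed above is detectable on the client side without looking at mirrors at all: a validly signed but old repository index betrays itself by its own timestamp. The following is an added example (not code from the post, the paper it links, or any package manager); it parses a constructed Debian-style Release file and checks its Date and Valid-Until fields against the local clock, with the 7-day fallback policy being an assumption of the example.

```python
"""Detect a replayed ("frozen") repository index by its age."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of the metadata a client receives. The signature is
# assumed to have been verified already; only freshness is examined here.
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Tue, 01 Jul 2008 12:00:00 UTC
Valid-Until: Tue, 08 Jul 2008 12:00:00 UTC
Architectures: i386 amd64
"""

MAX_AGE = timedelta(days=7)  # hypothetical local policy for files lacking Valid-Until


def parse_rfc2822(text):
    """Parse an RFC 2822 date string into a timezone-aware UTC datetime."""
    dt = parsedate_to_datetime(text)
    if dt.tzinfo is None:           # defensive: treat naive values as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_release(text):
    """Return the top-level 'Key: value' fields of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def check_freshness(text, now, max_age=MAX_AGE):
    """Classify metadata as 'fresh', 'expired' (past Valid-Until) or
    'stale' (no Valid-Until present, but older than max_age).

    A mirror replaying an old index cannot forge a newer Date or Valid-Until
    without the repository signing key, so either verdict other than 'fresh'
    means the client should refuse the index and try another mirror.
    """
    fields = parse_release(text)
    issued = parse_rfc2822(fields["Date"])
    until = fields.get("Valid-Until")
    if until is not None:
        return "expired" if now > parse_rfc2822(until) else "fresh"
    return "stale" if now - issued > max_age else "fresh"


if __name__ == "__main__":
    print(check_freshness(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```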




