
BLU Discuss list archive



Re: package manager attacks



 Kristian Erik Hermansen wrote: 
> On Fri, Jul 11, 2008 at 5:17 PM, Matthew Gillen <[hidden email]> wrote: 
>> Saw this on slashdot: 
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>> 
>> They make some interesting points, but in the end it's a pretty weak attack, 
>> and wouldn't work in the real world. 
> 
> Actually, this appears to be a quite valid attack method, especially 
> if you sit on the network with the machine(s) you want to attack.  I 
> think this type of stuff has been discussed previously, but they just 
> did more formal academic research and published it.  It wouldn't be 
> too difficult to write a tool that does this, if they haven't already 
> released their code. 
> 
>> First, I don't think any package manager will "downgrade" without significant 
>> user intervention, so just providing access to old filelists (and the files 
>> themselves) is not sufficient to install broken software on a client. 
> 
> I think the main point is that you are installing valid signed 
> software -- just a more outdated package.  In fact, a proof of concept 
> to install an old openssl package would be quite disastrous!!!  What I 
> don't understand is why APT doesn't match up the version requested 
> with the DEB info within the package.  If I request version 1.2.3, 
> someone MITMs me, and then I receive a valid signed 1.2.0 package, wtf 
> didn't APT say "you bait and switched me dude!!!" and then fail? 
> Hrmm... 
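The bait-and-switch that Kristian describes, modelled as an added example (this is not code from the post, from APT, or from the Arizona paper). It assumes a toy archive where every published version was legitimately signed, an HMAC as a stand-in for the repository's OpenPGP signature so the script runs offline, and a minimal control stanza in place of a real .deb; the mirror functions, package bytes and key are all constructed for the example. `naive_install` verifies the signature and installs whatever arrives, which is the behaviour the post complains about; `strict_install` adds the check he asks for, comparing the metadata inside the signed package with the version that was requested.

```python
"""Replay/downgrade of a validly signed package, and the request-vs-metadata
check that catches it.  All packages, keys and mirrors are constructed."""

import hashlib
import hmac

# Constructed repository signing key.  Real APT signs a Release file with
# OpenPGP; HMAC-SHA256 is a stand-in so the example runs offline.
REPO_KEY = b"constructed-repo-signing-key"


def sign(data: bytes) -> bytes:
    return hmac.new(REPO_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def build_package(name: str, version: str, payload: bytes) -> bytes:
    """Stand-in for a .deb: a control stanza, a blank line, then the payload."""
    control = f"Package: {name}\nVersion: {version}\n".encode()
    return control + b"\n" + payload


def parse_control(pkg: bytes) -> dict:
    """Read the 'Field: value' lines that precede the first blank line."""
    control, _, _ = pkg.partition(b"\n\n")
    fields = {}
    for line in control.decode().splitlines():
        key, _, value = line.partition(": ")
        fields[key] = value
    return fields


# Constructed archive.  Both versions were really published and signed, so a
# replayed 1.2.0 carries a signature that verifies.
ARCHIVE = {
    ("openssl", "1.2.3"): build_package("openssl", "1.2.3", b"current build"),
    ("openssl", "1.2.0"): build_package("openssl", "1.2.0", b"old build"),
}
SIGNATURES = {key: sign(pkg) for key, pkg in ARCHIVE.items()}


def honest_mirror(name: str, version: str):
    """Returns exactly what was asked for."""
    return ARCHIVE[(name, version)], SIGNATURES[(name, version)]


def mitm_mirror(name: str, version: str):
    """Ignores the requested version and replays the old, still validly
    signed 1.2.0 package (the attacker's move in the thread)."""
    return ARCHIVE[(name, "1.2.0")], SIGNATURES[(name, "1.2.0")]


def naive_install(fetch, name: str, version: str) -> str:
    """Signature check only: installs whatever valid package comes back and
    returns the version that actually got installed."""
    pkg, sig = fetch(name, version)
    if not verify(pkg, sig):
        raise ValueError("bad signature")
    return parse_control(pkg)["Version"]


def strict_install(fetch, name: str, version: str) -> str:
    """Signature check plus the request-vs-metadata check from the post:
    the Package and Version fields inside the signed blob must match what
    the client asked for, otherwise refuse."""
    pkg, sig = fetch(name, version)
    if not verify(pkg, sig):
        raise ValueError("bad signature")
    ctrl = parse_control(pkg)
    got = (ctrl.get("Package"), ctrl.get("Version"))
    if got != (name, version):
        raise ValueError(
            f"bait and switch: requested {name} {version}, received {got[0]} {got[1]}"
        )
    return ctrl["Version"]


def outcome(installer, fetch, name: str, version: str) -> tuple:
    """('installed', version) or ('rejected', reason), for easy comparison."""
    try:
        return ("installed", installer(fetch, name, version))
    except ValueError as err:
        return ("rejected", str(err))


if __name__ == "__main__":
    for label, fetch in (("honest mirror", honest_mirror), ("MITM mirror", mitm_mirror)):
        for inst in (naive_install, strict_install):
            print(f"{inst.__name__:15} via {label:13}: "
                  f"{outcome(inst, fetch, 'openssl', '1.2.3')}")
```

In real APT the .deb itself is not signed; the Release file is, and it chains to the .deb through the hashes in the Packages index. The equivalent of `strict_install` there is comparing the fetched file's hash against the entry the signed index gives for the requested version, and refusing a signed index that is older than the one already cached, which is the freshness problem the Arizona page is about.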

