Saw this on slashdot: http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

They make some interesting points, but in the end it's a pretty weak attack, and wouldn't work in the real world.

First, I don't think any package manager will "downgrade" without significant user intervention, so just providing access to old filelists (and the files themselves) is not sufficient to install broken software on a client.

That leaves the DoS attack where you could simply prevent clients from upgrading. The problem there is that yum, apt, etc., all use rotating mirrors, so a given client would have to somehow keep getting "bad guy" mirrors (just once getting to a "good guy" mirror and they get the critical updates). You'd have to have a significant number of these "dummy" servers to keep clients from updating, and by that point you'd be detected (it would be trivial to identify "dummy" servers once you know that you need to look).

Matt

Discuss mailing list: http://lists.blu.org/mailman/listinfo/discuss
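As an added illustration (not part of Matt's post or of the paper he links), here are the two client-side defences his argument rests on, written as a constructed Python check: repository metadata carries a monotonically increasing serial and a publication date (hypothetical fields, not any real package manager's format), the client refuses a snapshot that is older than a freshness window (the freeze / DoS case) or below the serial it already holds (the replay / downgrade case), and it walks its mirror rotation until one mirror passes, which is why a single honest mirror is enough.

```python
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

MAX_AGE = timedelta(days=7)  # constructed policy: older snapshots are treated as frozen

class Metadata(NamedTuple):
    serial: int       # monotonically increasing snapshot number (hypothetical field)
    date: datetime    # UTC publication time of the snapshot (hypothetical field)

def parse_metadata(text: str) -> Metadata:
    """Parse the hypothetical 'Key: value' header block of a repository index."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return Metadata(int(fields["Serial"]), datetime.fromisoformat(fields["Date"]))

def check_metadata(new: Metadata, cached: Optional[Metadata], now: datetime) -> str:
    """Classify a snapshot: 'stale' (freeze attack), 'rollback' (replay of an old
    snapshot the client has already moved past) or 'accepted'."""
    if now - new.date > MAX_AGE:
        return "stale"
    if cached is not None and new.serial < cached.serial:
        return "rollback"
    return "accepted"

def select_from_mirrors(responses: List[str], cached: Optional[Metadata],
                        now: datetime) -> Optional[Metadata]:
    """Walk the mirror rotation; the first acceptable response wins, as the post
    argues. Returns None only if every mirror served stale or rolled-back data."""
    for text in responses:
        candidate = parse_metadata(text)
        if check_metadata(candidate, cached, now) == "accepted":
            return candidate
    return None

# Constructed sample data: the client's last accepted snapshot and three mirror responses.
SAMPLE_NOW = datetime(2008, 7, 15, tzinfo=timezone.utc)
SAMPLE_CACHED = Metadata(41, datetime(2008, 7, 10, tzinfo=timezone.utc))
MIRROR_RESPONSES = [
    "Serial: 40\nDate: 2008-06-01T00:00:00+00:00\n",  # frozen: six weeks old
    "Serial: 40\nDate: 2008-07-13T00:00:00+00:00\n",  # fresh date but serial below cached
    "Serial: 42\nDate: 2008-07-14T00:00:00+00:00\n",  # the one honest mirror
]
```

Note the caveat the second sample exposes: a client with no cached snapshot (first run) has nothing to compare serials against, so the rollback check only protects clients that have already seen a newer index; the freshness window is what catches the rest.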