Re: [SLE] [OT] backdoors in GPL'd code. Unlikely. - was Re: [SLE]Kaspersky Anti-Virus for Linux Workstation
Carlos:
Glad to hear that based on your study, YOU runs a "--checksig"
before installing any new package. I know "fou4s" does (unless you turn that feature off).
On {SuSE-Security} list, I asked the question if "kpackage" runs a "checksig". No one replied back that it did, and I don't have the skills yet to determine on my own if it does. (Maybe next year...)
However, I for one do run rpm -v --checksig on all
my downloaded packages, before using "kpackage" to install them.
--- doesn't mean I couldn't be fooled.
For example, someone could come in my house while I was sleeping
and change my key ring, but frankly I have other things to worry about...
like how to get the new Gnome2 packages installed.
************
"Carlos E. R."
The 03.02.25 at 14:50, zentara wrote:
Another worry which is gaining attention is switching DNS servers to feed you bad code. Say for instance, some evil person on the network, knows you go to "such and such mirror" to get your binary rpms. When you login they could redirect to a bogus nameserver, which will send you to a "bogus mirror" of the real site, filled with tampered rpms. Then once they know you've downloaded their worm, they let you connect again to the real site. The original site is totally innocent. How often do you check the md5sums of the files you download from a mirror, against the md5sums listed on the original server?
I (Carlos E.R.) have been analysing how YOU works, and I know it runs this test after it downloads a patch (on all of them), and before trying to install any of them:
rpm --checksig /usr/local/update/i386/update/8.1/rpm/i586/arts-1.0.4-4.i586.patch.rpm
According to the rpm man page:
SIGNATURE CHECKING
The general form of an rpm signature check command is

    rpm --checksig <package_file>+

This checks the PGP signature of package <package_file> to ensure its integrity and origin. PGP configuration information is read from configuration files. See the section on PGP SIGNATURES for details.

Thus, that man in the middle attack has been thought of :-)
*****snip****
-- Cheers, Carlos Robinson
When I run "rpm --checksig" I add a -v to it so I know who signed the package. I did check my SuSE keyring against their website, and against several public key mirrors using "gpg". What I didn't do is call up, for example, Roman Drahmueller.
Ok, Just my $00.2
The 03.02.26 at 01:08, GarUlbricht7@netscape.net wrote: (By the way, for some reason your message did not link to the rest of the thread :-? )
Carlos:
Glad to hear that based on your study, YOU runs a "--checksig" before installing any new package. I know "fou4s" does (unless you turn that feature off).
It is on file /usr/share/YaST2/clients/online_update_load.ycp.
On {SuSE-Security} list, I asked the question if "kpackage" runs a "checksig". No one replied back that it did, and I don't have the skills yet to determine on my own if it does. (Maybe next year...)
I used a crude, brute force, approach to examine how YOU works: I simply watch processes started on the terminal I'm running YOU (text mode) with a script:

#!/bin/sh
# Snapshot the process tree on the terminal running YOU once a second; whenever
# it differs from the previous snapshot, append it (with a timestamp) to WatchYast.log.
terminal=tty5
touch WatchYast.log_2   # give the first cmp something to compare against
while true ; do
    ps -t$terminal f > WatchYast.log_1
    if ! cmp --silent WatchYast.log_1 WatchYast.log_2 ; then
        set `date "+%x %X"`
        echo "*********************************************" $1 $2 >> WatchYast.log
        echo "*********************************************" $1 $2
        cat WatchYast.log_1 >> WatchYast.log
        cp WatchYast.log_1 WatchYast.log_2
        cat WatchYast.log_1
    fi
    sleep 1
done

If the output from ps changes from one second to the next, I save it to a file. I had to do it this way because I don't know beforehand which program or PID to watch, otherwise I would have used strace or ptrace. Maybe that could be used with "kpackage".
However, I for one do run rpm -v --checksig on all my downloaded packages, before using "kpackage" to install them. --- doesn't mean I couldn't be fooled.
Well, "checksig" only guarantees that it has been signed, and the signature is true. Perhaps it could be signed by someone else whose key is on your root pgp signature ring file. This I don't know if it is checked.
For example, someone could come in my house while I was sleeping and change my key ring, but frankly I have other things to worry about... like how to get the new Gnome2 packages installed.
True... not worth being too paranoid. Or maybe yes :-? If the computer holds the key to your bank account... -- Cheers, Carlos Robinson
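Two checks come up in the thread without a concrete script: zentara's point that a redirected mirror can serve tampered rpms unless you compare the mirror's files against the checksums published by the original server, and Carlos's point that "--checksig" only proves the package was signed by some key in your keyring, so you have to look (as with -v) at which key signed it. The POSIX sh below is an added example written for this page, not code from the thread or from SuSE: verify_against_origin compares each downloaded file against an origin-published MD5SUMS list, and signer_is_pinned accepts a verification report line only if it says OK and names a key ID you have pinned in advance. The package files, the MD5SUMS list, the "Header V3 DSA signature: OK, key ID ..." line (modelled on rpm's verbose output) and the key IDs 0123abcd/deadbeef are all constructed here so the script runs offline; use the real origin list and your vendor's real key ID in practice.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check mirror downloads against the
# origin server's checksum list, and pin the signing key rather than trusting
# "signed by anyone in my keyring". All inputs below are constructed.
set -u

# verify_against_origin ORIGIN_MD5SUMS DIR
# Prints one status line per file listed by the origin; returns 1 if any file
# is missing or its MD5 differs from what the origin published.
verify_against_origin() {
    origin_sums="$1"; dir="$2"; rc=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "TAMPERED $name (mirror $actual, origin $expected)"; rc=1
        fi
    done < "$origin_sums"
    return $rc
}

# signer_is_pinned "LINE" "KEYID [KEYID...]"
# LINE is a verification report line such as
#   "Header V3 DSA signature: OK, key ID 0123abcd"  (constructed, rpm -Kv style).
# Returns 0 only when the signature is OK *and* the key ID is one we pinned;
# a valid signature from an unexpected key in the keyring is rejected.
signer_is_pinned() {
    line="$1"; pinned="$2"
    case "$line" in
        *"signature: OK, key ID "*) ;;
        *) return 1 ;;
    esac
    keyid=${line##*key ID }
    for k in $pinned; do
        [ "$k" = "$keyid" ] && return 0
    done
    return 1
}

# --- constructed sample data: two "downloaded" packages and the origin's list ---
workdir=$(mktemp -d)
printf 'good package contents\n'     > "$workdir/good-1.0.rpm"
printf 'tampered package contents\n' > "$workdir/evil-1.0.rpm"
{
    (cd "$workdir" && md5sum good-1.0.rpm)
    # the origin published the hash of the genuine build, which differs:
    printf '%s  evil-1.0.rpm\n' "$(printf 'original package contents\n' | md5sum | cut -d' ' -f1)"
} > "$workdir/MD5SUMS"

# --- demo run ---
verify_against_origin "$workdir/MD5SUMS" "$workdir"
echo "checksum cross-check exit status: $?"   # 1: evil-1.0.rpm was tampered with
signer_is_pinned "Header V3 DSA signature: OK, key ID 0123abcd" "0123abcd" \
    && echo "signer 0123abcd is pinned: accept"
signer_is_pinned "Header V3 DSA signature: OK, key ID deadbeef" "0123abcd" \
    || echo "signer deadbeef is valid but not pinned: reject"
```

The checksum list must come from the origin over a path the attacker cannot redirect along with the mirror (for this thread's scenario, a direct connection to the original server), otherwise the comparison proves nothing; and pinning the key ID is what turns "some key in my keyring signed it" into "the vendor's key signed it".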
participants (3): Carlos E. R., Curtis Rey, GarUlbricht7@netscape.net