Mailinglist Archive: opensuse-security (601 mails)

< Previous Next >
RE: [suse-security] autorpm and latest secure files
  • From: "Magus Ba'al" <magusbaal@xxxxxxxxxxxxxx>
  • Date: Mon, 14 Aug 2000 06:07:42 -0700
  • Message-id: <NEBBJBFNBDJGHPBLIBKMAEDOCDAA.magusbaal@xxxxxxxxxxxxxx>
Just as an FYI:

Sneaker net is the process of putting what you want on removable media,
walking over to an isolated box, and transferring the data to the
non-networked machine. Sneakers - Walking, I'm sure you get the idea. :)

Steven
Senior Network Nazi



-----Original Message-----
From: Steffen Dettmer [mailto:steffen@xxxxxxx]
Sent: Monday, August 14, 2000 12:43 AM
To: suse-security@xxxxxxxx
Subject: Re: [suse-security] autorpm and latest secure files


* dproc wrote on Sun, Aug 13, 2000 at 17:10 -0400:
> On Sat, 12 Aug 2000, Kurt Seifried wrote:

> > the attacker would have to break into the SuSE machine used
> > to sign packages. I assume this machine is NOT online, i.e.
> > they have removable media such as a jaz drive to move the
> > data, meaning
> <SNIP>
>
> I am sure key security at suse and redhat is good. But I know that
> Roman and Marc and Thomas all sign email announcements with the same
> security@xxxxxxxx private key. I suspect that Red Hat is the same.

Well, BTW, does anybody knows about the SuSE Signing Policy? I
_assume_ they use offline machines in a secured enviroment for
any action with their private key, but I don't know. It would be
important to know it before it's possible to trust any key.

> I expect my guess that they have their own copies was wrong. It is
> perfectly reasonable that they carry their email on sneakernet to an
> isolated signing machine, sign it, then copy the signed email back to
> their networked workstation.

I don't know what the term "sneakernet" exactly means. But if
it's some kind of networking connection, it cannot be secure,
since it seems to be possible to hack the workstation of such an
operator and intrude into this network. If those workstations are
behind a firewall, it's possible to break the firewall (or use
some trojaner or whatever to get around).

Finally, even if they would use unplugged stations for signing in
a safe enviroment you have to rely on the integrity on all
persons that are authorized to use the private key. The list of
all authorized persons may be a long one...

> Even if their security is weaker than this 'best practice' gpg/pgp
> signing is still *a good thing*.

Yep, I think so too. I think getting MD5 sums from a secured
source (that is _not_ normal email but i.e. signed mails, https
or similar) is as secure as gpg/pgp signing, but not useable in
production, this you have to verify the md5 manually on each
station you receive this packages by unsecured ways like FTP or
NFS (if you want to go for sure), which is impossible. But it's
possible to install a key and verifying a fingerprint once for
each station.

In a network with some 10K hosts it's a different story of
course. But usually 95% of those machines have to rely on the
integrety on some internal servers (i.e. NFS...) and offer or use
local (insecure) services, so it should be possible and neccesary
to use some distribution feature. A friend of me had build such a
thing, where the workstations can be installed useing a special
boot floppy which installs a cpio-archive via nfs and updates
config (...) via SSH useing some authorized_keys. Of course there
the security depends on the security of the NFS server, but it's
a working way...

oki,

Steffen

--
Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx


< Previous Next >
Follow Ups
References