Just as an FYI: Sneakernet is the process of putting what you want on removable media, walking over to an isolated box, and transferring the data to the non-networked machine. Sneakers - walking, I'm sure you get the idea. :)

Steven
Senior Network Nazi

-----Original Message-----
From: Steffen Dettmer [mailto:steffen@dett.de]
Sent: Monday, August 14, 2000 12:43 AM
To: suse-security@suse.com
Subject: Re: [suse-security] autorpm and latest secure files

* dproc wrote on Sun, Aug 13, 2000 at 17:10 -0400:
> On Sat, 12 Aug 2000, Kurt Seifried wrote:
> > the attacker would have to break into the SuSE machine used to sign packages. I assume this machine is NOT online, i.e. they have removable media such as a jaz drive to move the data, meaning <SNIP>
>
> I am sure key security at suse and redhat is good. But I know that Roman and Marc and Thomas all sign email announcements with the same security@suse.com private key. I suspect that Red Hat is the same.

Well, BTW, does anybody know about the SuSE Signing Policy? I _assume_ they use offline machines in a secured environment for any action with their private key, but I don't know. It would be important to know it before it's possible to trust any key.

> I expect my guess that they have their own copies was wrong. It is perfectly reasonable that they carry their email on sneakernet to an isolated signing machine, sign it, then copy the signed email back to their networked workstation.

I don't know what the term "sneakernet" exactly means. But if it's some kind of networking connection, it cannot be secure, since it seems to be possible to hack the workstation of such an operator and intrude into this network. If those workstations are behind a firewall, it's possible to break the firewall (or use some trojan or whatever to get around it). Finally, even if they would use unplugged stations for signing in a safe environment, you have to rely on the integrity of all persons that are authorized to use the private key. The list of all authorized persons may be a long one...

> Even if their security is weaker than this 'best practice' gpg/pgp signing is still *a good thing*.

Yep, I think so too. I think getting MD5 sums from a secured source (that is _not_ normal email but i.e. signed mails, https or similar) is as secure as gpg/pgp signing, but not usable in production, since you have to verify the md5 manually on each station that receives these packages by unsecured ways like FTP or NFS (if you want to be sure), which is impossible. But it's possible to install a key and verify a fingerprint once for each station. In a network with some 10K hosts it's a different story of course. But usually 95% of those machines have to rely on the integrity of some internal servers (i.e. NFS...) and offer or use local (insecure) services, so it should be possible and necessary to use some distribution feature. A friend of mine had built such a thing, where the workstations can be installed using a special boot floppy which installs a cpio-archive via NFS and updates config (...) via SSH using some authorized_keys. Of course there the security depends on the security of the NFS server, but it's a working way...

oki,

Steffen

--
This letter was produced by machine and therefore bears neither signature nor seal.

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
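The workflow Steffen sketches in his last paragraph (install the vendor key once per station, check its fingerprint out of band, then let every package that arrives over FTP or NFS be verified automatically), as an added example that is not code from the thread, from SuSE or from autorpm. gpg/pgp is replaced by a toy textbook RSA-over-SHA-256 signature so the script runs anywhere without gpg installed; the Station class, the package bytes, the key seeds and the 40-hex-digit fingerprint format are all constructed for illustration and are not anything SuSE used. The last check shows why an MD5 list fetched over the same insecure channel as the package adds nothing: an attacker on that path rewrites both.

```python
"""Added example (not from the thread): verify a vendor key's fingerprint once per
station, then check every package automatically, versus unsigned MD5 sums over FTP.
Toy textbook RSA-over-SHA-256 (no padding) stands in for gpg/pgp so this runs without
gpg; do not use it for real signing. All package bytes and names are constructed."""
import hashlib
import random

def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin, enough for a toy key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full width, odd
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(seed):
    """Deterministic toy RSA key: ((n, e), (n, d)); 320-bit n exceeds any SHA-256 value."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(160, rng), _random_prime(160, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    """Done on the offline signing box; the private key never touches the network."""
    n, d = private
    return pow(_h(data), d, n)

def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _h(data)

def fingerprint(public):
    """Short hash of the public key: what an admin compares out-of-band once per station."""
    return hashlib.sha256(f"{public[0]}:{public[1]}".encode()).hexdigest()[:40]

class Station:
    """A host that installs the vendor key once, then verifies every package it fetches."""
    def __init__(self, trusted_fingerprint):
        self.trusted_fingerprint = trusted_fingerprint  # from a signed mail, printout or phone call
        self.vendor_key = None

    def install_key(self, public):
        """Accept a key that arrived over the insecure channel only if its fingerprint matches."""
        if fingerprint(public) != self.trusted_fingerprint:
            return False
        self.vendor_key = public
        return True

    def accept_package(self, package, sig):
        return self.vendor_key is not None and verify(self.vendor_key, package, sig)

def md5_matches(package, published_md5):
    """The manual MD5 check: only as trustworthy as the channel the sum arrived over."""
    return hashlib.md5(package).hexdigest() == published_md5

def run_scenario():
    """Vendor signs offline; packages travel over untrusted FTP; an attacker on that path tampers."""
    vendor_pub, vendor_priv = generate_keypair(seed=2000)
    attacker_pub, attacker_priv = generate_keypair(seed=1337)
    genuine = b"constructed sample package: kernel update, version 1"
    trojaned = genuine + b" + backdoor"
    sig = sign(vendor_priv, genuine)
    station = Station(trusted_fingerprint=fingerprint(vendor_pub))
    return {
        # attacker swaps the key on the FTP mirror: fingerprint mismatch, rejected
        "attacker_key_rejected": not station.install_key(attacker_pub),
        "vendor_key_installed": station.install_key(vendor_pub),
        "genuine_accepted": station.accept_package(genuine, sig),
        # vendor signature over altered bytes, or the attacker's own signature: both fail
        "tampered_rejected": not station.accept_package(trojaned, sig),
        "resigned_rejected": not station.accept_package(trojaned, sign(attacker_priv, trojaned)),
        # an MD5 list fetched over the same insecure path gets rewritten with the package
        "insecure_md5_fooled": md5_matches(trojaned, hashlib.md5(trojaned).hexdigest()),
    }
```

Every entry returned by run_scenario() is True. The one trust decision a human makes is the fingerprint comparison in Station(); after that, install_key and accept_package need no further manual step per package, which is the difference from the per-host MD5 check Steffen calls impossible at scale. In a real deployment the toy primitive is replaced by importing the vendor's public key and running rpm --checksig (or gpg --verify on a detached signature), and the same fingerprint check applies to that key before it is imported.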