[opensuse] Re: Interactive Firewall Needed
On Wed, 06 May 2009 22:43:24 +0200, Carlos E. R. wrote:
On Wednesday, 2009-05-06 at 20:02 -0000, Jim Henderson wrote:
On Wed, 06 May 2009 21:44:16 +0200, Carlos E. R. wrote:
I think jdd may refer to the checksum that the rpm database keeps and which can be used to learn if a file has been changed since installed. However, if you want to use checksums for security checking, you have to store them in external, RO media, and use a live CD to do the checking, not the system which is being audited.
Perhaps, I don't know if the rpm database uses md5sum or not,
It does.
but even if it does, the md5sum algorithm is well known and could be implemented into the piece of software that's checking.
Of course that also assumes that all executables are accounted for in the rpm database.
They are. All files, executables or not. Have a look at man rpm, "verify-options".
Oh, cool, so if I install wings3d by downloading the .run.gz, gunzip it and run it, rpm knows about it? (I'm being sarcastic here - I know that it doesn't). Only files that are installed from RPMs are included in the rpm database. So that would be things like wings3d, xpis for firefox, etc.... All contain executable code, and are not tracked in the rpm database.
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Wednesday, 2009-05-06 at 20:48 -0000, Jim Henderson wrote:
Of course that also assumes that all executables are accounted for in the rpm database.
They are. All files, executables or not. Have a look at man rpm, "verify-options".
Oh, cool, so if I install wings3d by downloading the .run.gz, gunzip it and run it, rpm knows about it? (I'm being sarcastic here - I know that it doesn't).
Obviously not! Where did you see I said that? We were talking about the rpm database, which obviously only includes files installed from an rpm.
--
Cheers, Carlos E. R.
On Wed, 06 May 2009 22:55:37 +0200, Carlos E. R. wrote:
Of course that also assumes that all executables are accounted for in the rpm database.
They are. All files, executables or not. Have a look at man rpm, "verify-options".
Oh, cool, so if I install wings3d by downloading the .run.gz, gunzip it and run it, rpm knows about it? (I'm being sarcastic here - I know that it doesn't).
Obviously not! Where did you see I said that? We were talking about the rpm database, which obviously only includes files installed from an rpm.
I was talking about checksumming any executable, sorry if I wasn't clear on that. But the quoted section above does document the discussion - I said "All executables" and you said "they are". I didn't qualify my statement as "all executables installed using RPM technologies", I said "all executables". :-)
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
But the quoted section above does document the discussion - I said "All executables" and you said "they are". I didn't qualify my statement as "all executables installed using RPM technologies", I said "all executables". :-)
what is an executable? Something with the X bit set? Shell scripts aren't executed, they are interpreted, yet they have the X bit set.. Likewise, I can take a binary, which is executable, and remove the X bit from it, but it is still executable, according to some definition..
I think the idea here is that the program providing protection needs to generate a list of good checksums initially, sign that list, then check against it each time - new programs are queried, the list updated, etc.
The obvious problem is this: What if a program you want to use for the first time is actually "infected" (for some definition of infected)? Presumably you'll allow the program, because you, nor your security system, have any way of knowing what the "proper" checksum should be..
I kind of agree with the purists that security should be left to those who understand it, but at the same time, that removes the usefulness of a computer from those who don't understand security, and I also buy the arguments of the pragmatists that to require the end user (ignorant, or otherwise) to understand security is akin to requiring all motorists to understand how their engine works - just not practical these days - and no end user is going to want to do the equivalent of taking their car to the garage to get it serviced - ie, getting a knowledgeable 3rd party in to continually monitor and manage their system - it'd cost too much - the 3rd party would need a huge service desk, and a tightly integrated system so that "problems" (ie, applications requesting access to the net) could be observed and the end user request access, etc, etc, be serviced with minimal delay.. Starting to sound like a bit of a pipe dream..
I don't know what the silver bullet will be - clearly neither approach works right - windows works and is easy, but is as insecure as, well, windows, on the other hand, Linux can be really secure, but ends up being hard to use for the folk who don't want to know what a kernel is, etc, etc..
Phil
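Added example, not part of any message in this thread: the scheme described in the message above (record checksums of executables, protect the list, re-check later) in Python, with an HMAC standing in for signing the list. All function names, the key and the sample files are constructed for illustration; the key is assumed to be kept off the audited system.

```python
import hashlib, hmac, json, os, pathlib, stat, tempfile

def looks_executable(path):
    """X bit set, or ELF / '#!' magic even when the X bit was removed."""
    mode = os.lstat(path).st_mode
    if not stat.S_ISREG(mode):
        return False
    with open(path, "rb") as f:
        head = f.read(4)
    return bool(mode & 0o111) or head == b"\x7fELF" or head[:2] == b"#!"

def scan(root):
    """Map relative path -> SHA-256 for every executable-looking file."""
    found = {}
    for path in pathlib.Path(root).rglob("*"):
        if looks_executable(path):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            found[path.relative_to(root).as_posix()] = digest
    return found

def _mac(digests, key):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_baseline(digests, key):
    return {"digests": digests, "mac": _mac(digests, key)}

def verify(root, baseline, key):
    if not hmac.compare_digest(_mac(baseline["digests"], key), baseline["mac"]):
        raise ValueError("baseline list was altered")  # do not trust it
    known, now = baseline["digests"], scan(root)
    return {"changed": sorted(p for p in now if p in known and now[p] != known[p]),
            "unknown": sorted(p for p in now if p not in known),  # no reference yet
            "missing": sorted(p for p in known if p not in now)}

def put(root, name, data, mode):
    path = pathlib.Path(root, name)
    path.write_bytes(data)
    path.chmod(mode)

def demo():
    key = b"constructed-demo-key"  # assumption: stored off the audited system
    with tempfile.TemporaryDirectory() as root:  # constructed sample files
        put(root, "tool.sh", b"#!/bin/sh\necho ok\n", 0o755)
        put(root, "noexec.bin", b"\x7fELF constructed", 0o644)
        put(root, "notes.txt", b"plain text\n", 0o644)
        baseline = sign_baseline(scan(root), key)
        put(root, "tool.sh", b"#!/bin/sh\necho changed\n", 0o755)
        put(root, "new.run", b"#!/bin/sh\necho first run\n", 0o755)
        return sorted(baseline["digests"]), verify(root, baseline, key)
```

Files reported under `unknown` are the first-run case raised above: there is no reference checksum for them, so the check can only report them, not judge them.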
On Thu, 2009-05-07 at 10:50 +1200, Philip Dowie wrote:
what is an executable? Something with the X bit set? Shell scripts aren't executed, they are interpreted, yet they have the X bit set.. Likewise, I can take a binary, which is executable, and remove the X bit from it, but it is still executable, according to some definition..
I think the idea here is that the program providing protection needs to generate a list of good checksums initially, sign that list, then check against it each time - new programs are queried, the list updated, etc.
The obvious problem is this: What if a program you want to use for the first time is actually "infected" (for some definition of infected)? Presumably you'll allow the program, because you, nor your security system, have any way of knowing what the "proper" checksum should be..
I kind of agree with the purists that security should be left to those who understand it, but at the same time, that removes the usefulness of a computer from those who don't understand security, and I also buy the arguments of the pragmatists that to require the end user (ignorant, or otherwise) to understand security is akin to requiring all motorists to understand how their engine works - just not practical these days - and no end user is going to want to do the equivalent of taking their car to the garage to get it serviced - ie, getting a knowledgeable 3rd party in to continually monitor and manage their system - it'd cost too much - the 3rd party would need a huge service desk, and a tightly integrated system so that "problems" (ie, applications requesting access to the net) could be observed and the end user request access, etc, etc, be serviced with minimal delay.. Starting to sound like a bit of a pipe dream..
I don't know what the silver bullet will be - clearly neither approach works right - windows works and is easy, but is as insecure as, well, windows, on the other hand, Linux can be really secure, but ends up being hard to use for the folk who don't want to know what a kernel is, etc, etc..
The whole time people are trying to bring Linux to the masses, but because of lack of tools to make it as easy as MS-Windows is, this approach fails. Fact is that consumers expect MS-Windows easiness and because that's not available, they stick to what they know and/or perceive to understand. So, some party can offer MS-Windows-like tools for average consumers - not being corporate users. While the basic Linux/OSS distribution can still serve the more secure variants - e.g. without Personal Firewalls etc.
Frans.
participants (4)
- Carlos E. R.
- Frans de Boer
- Jim Henderson
- Philip Dowie