[TriLUG] Fwd: Trust issues with RH and Debian package managers

Mike Johnson mike at enoch.org
Mon Dec 17 18:40:17 EST 2001


Lisa Lorenzin [lorenzin at 1000plus.com] wrote:
> 
> mike forwarded this to me, and it seemed worth passing on.  magic lantern,
> anyone? :(

And here was my (rather annoyed) response to the original poster.

Mike




dfeldman [dfeldman at ziplip.com] wrote:
 
> Second, I produced trojaned .deb and .rpm files.  The .deb file was
> trivial to modify, as only a checksum stood between me and a valid hacked
> version.  The .rpm was a bit more difficult, because RedHat signs their
> packages with a PGP key.  However, once I rebuilt the package and did not
> sign it with PGP, I had a fixed package.

So, you got around the mechanism RedHat put in place to protect
against this very issue by removing the mechanism.
 
> Fourth, I went to the Redhat box and did an 'rpm -U' pointed at the
> updates.redhat.com server.  I got my trojanned RPM back, with no warnings
> or prompts to tell me it hasn't been signed.  And I had an ftp server with
> a new backdoor up in a matter of minutes.

Because you had removed the signature.  Had you not ignored the fact
that there was no signature, or the signature was invalid, you would
not have had an ftp server with a new backdoor.
 
> As a matter of comparison, my Windows 2000 box has no such vulnerability.
> The first time I went to Windows Update, I checked the box that said
> "always trust content from Microsoft Corporation."  Therefore, only
> Microsoft's real certificate will be accepted by my machine.  Even if the
> FBI forces Verisign to issue an impostor certificate, it will be detected
> and thwarted.

This is a poor example.  Microsoft signs their packages.  Oh look,
Red Hat signs their packages, yet you removed the signature and
chose to ignore the fact that it was not there.  You're also choosing
to ignore that were the FBI going to force someone into doing
something, they would force Microsoft into signing a trojaned
package and releasing that.  And lookee, you automatically trust
this package.

Now, were Red Hat to release a security update, the signatures
would be posted on a public mailing list.  When you download the
update, you can compare the signature of the file you grabbed
with what was in the e-mail (or on Red Hat's website).  If you
were sent an update through your transparent proxy, the signature
would not match.  Either that, or Red Hat released a general
trojan to everyone (which, I'm sure, would violate the warrant
the FBI had to get to force Red Hat into releasing the trojan).

Of course, the transparent proxy could re-write every web page and
e-mail that contained the signature to match the trojaned package.
Of course, you could always look at the source (you'd only need
to read the patch).  Then, simply compile from source after it
proves clean.  In the Microsoft example, you couldn't fall back
to source.  I'm not gonna scream and yell that closed source
sucks, but your statement that Microsoft handles this any better
than Linux vendors is false.
 
> Linux distributions need to band together and find a trusted individual who
> will be responsible for signing all packages and verifying that they do not
> contain backdoors.  That is the only way to solve this issue.  Personally,
> I nominate Eric Raymond, because of his widespread respect from the
> community and business leaders alike.  Additionally, he is a staunch
> libertarian and would not cave to government pressure to insert backdoors
> into something that he has signed.  I believe that by charging the
> distribution vendors a small fee per package, ESR can again achieve
> financial success for himself and his family.

Linux distributions do not need to band together (nor will they
ever).  They each need to handle this issue themselves.  Red Hat
handles it just fine.  It sounds like debian needs some work (but
I'm basing this solely on the unverified claims of your message),
but they could certainly use a similar method to Red Hat.

Your solution to this 'problem' is also flawed.  ESR is, in the
end, a citizen of the United States and subject to all laws of
the nation.  A court order would require him to comply, or go
to jail.  While he's in jail, I doubt that he would be signing
any packages, so all of the sudden, no security updates could
be released.  Of course, someone else could step in and sign,
but that's now another party to trust, another signature to
trust.  Why is this better than the various Linux distributions
signing their own packages?
 
> This is a serious issue for Linux users and I believe it should have been
> addressed years ago.  That said, now is not too late and definitely not too
> early.  I look forward to seeing this feature in all future releases of the
> major Linux distributions.

It has already been addressed by various distributions.  Red Hat
addressed it when they started signing their packages, yet you
dismissed this with a wave of your hand.

-- 
"Yeah it is! Cause he's bakin' in the...kitchen of darkness!  A pie of
lost souls...until it's golden brown!" -- Moltar on Space Ghost
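The point Mike keeps coming back to is that the package was installed because nobody checked for the missing signature. The wrapper below is an added example, not code from this thread or from Red Hat: it runs `rpm --checksig` (the `-K` option the thread mentions) first and only hands the file to `rpm -U` when a GPG/PGP signature actually verified, so an unsigned rebuild is refused instead of silently installed. The exact `--checksig` output lines it recognises are assumptions noted in the comments; the package names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): refuse to run 'rpm -U' on a
# package unless 'rpm --checksig' reports a verified GPG/PGP signature.
#
# Assumed output formats of rpm --checksig, one line per package:
#   signed, old rpm:      pkg.rpm: md5 gpg OK
#   unsigned, old rpm:    pkg.rpm: md5 OK
#   signed, newer rpm:    pkg.rpm: digests signatures OK
#   unsigned, newer rpm:  pkg.rpm: digests OK
#   tampered / unknown key: "... NOT OK ..." or "... MISSING KEYS ..."

# sig_status LINE: prints signed|unsigned|bad; exit 0 only when signed
sig_status() {
    case "$1" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) echo bad; return 1 ;;
        *" OK") ;;                  # digests verified; still need a signature token
        *) echo bad; return 1 ;;    # empty or unrecognised output: fail closed
    esac
    case "$1" in
        *gpg*|*pgp*|*signatures*) echo signed; return 0 ;;
        *) echo unsigned; return 1 ;;   # checksum only: a rebuilt package passes this
    esac
}

# safe_rpm_upgrade FILE...: upgrade only the packages whose signature verified
safe_rpm_upgrade() {
    rc=0
    for f in "$@"; do
        out=$(rpm --checksig "$f" 2>&1) || true
        status=$(sig_status "$out") || true
        if [ "$status" = signed ]; then
            rpm -U "$f" || rc=1
        else
            echo "REFUSING $f: signature status '$status' ($out)" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./safe-rpm-upgrade.sh pkg1.rpm pkg2.rpm ...
if [ $# -gt 0 ]; then
    safe_rpm_upgrade "$@"
fi
```

A signature that verifies against the vendor's key still only proves who signed the package; comparing it with the signature published on the vendor's announcement list, as the message describes, is what catches a proxy that rewrites the download.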
