Don't trust Ubuntu, Fedora, OpenSuSE, CentOS, and Debian mirrors! - Linux


  1. Don't trust Ubuntu, Fedora, OpenSuSE, CentOS, and Debian mirrors!


    Ouch:

    >


    Summary:

    They created a fake company name, leased a server at a hosting
    provider, and got it added to the official mirrors for Ubuntu,
    Fedora, OpenSuSE, CentOS, and Debian. If they had wanted, they
    could have spread malware to thousands of Linux systems.

    Digital signatures don't make you safe, because the evil mirror can
    still give you old signed files, making you "update" to an older,
    buggy, version of packages.

    --
    --Tim Smith

  2. Re: Don't trust Ubuntu, Fedora, OpenSuSE, CentOS, and Debian mirrors!

    In comp.os.linux.advocacy, Tim Smith wrote on Thu, 10 Jul 2008 16:26:39 -0700:
    >
    > Ouch:
    >
    >>

    >
    > Summary:
    >
    > They created a fake company name, leased a server at a hosting
    > provider, and got it added to the official mirrors for Ubuntu,
    > Fedora, OpenSuSE, CentOS, and Debian. If they had wanted, they
    > could have spread malware to thousands of Linux systems.
    >
    > Digital signatures don't make you safe, because the evil mirror can
    > still give you old signed files, making you "update" to an older,
    > buggy, version of packages.
    >


    As one can plainly see, Microsoft Windows Vista is far
    more secure, as it:

    [1] Has no mirrors; everything's controlled by Microsoft.
    [2] Has everything signed only by Microsoft.



    BTW....Gentoo signs its Manifest files, which are themselves
    lists of hashes of downloadable files. metadata.xml and ChangeLog
    are also included in this list. An evil mirror would have some
    issues trying to introduce malware without the system installer's
    knowledge, although one could do goofy stuff such as

    # ebuild /usr/portage/.../[].ebuild unpack

    # ebuild /usr/portage/.../[].ebuild compile test preinst install \
    postinst

    or some such. Most people using Gentoo just do emerge... ;-)
    I use ebuild unpack on occasion to poke around source, if
    it's malfunctioning or I'm curious.

    One can override one's own digests but those overrides would
    be lost on the next tree sync.

    One also assumes that Debian and Fedora have similar controls
    on their download packages.

    But never mind that; obviously Linux is "less secure" since
    no one understands these controls and they're not GUI-based
    and "automatic".

    --
    #191, ewill3@earthlink.net
    Useless C/C++ Programming Idea #992381111:
    while(bit&BITMASK) ;
    ** Posted from http://www.teranews.com **

  3. Re: Don't trust Ubuntu, Fedora, OpenSuSE, CentOS, and Debian mirrors!

    * Tim Smith peremptorily fired off this memo:

    > Ouch:
    >
    >>

    >
    > Summary:
    >
    > They created a fake company name, leased a server at a hosting
    > provider, and got it added to the official mirrors for Ubuntu,
    > Fedora, OpenSuSE, CentOS, and Debian. If they had wanted, they
    > could have spread malware to thousands of Linux systems.
    >
    > Digital signatures don't make you safe, because the evil mirror can
    > still give you old signed files, making you "update" to an older,
    > buggy, version of packages.


    Protecting Yourself
    Things You Can Do Today:

    * Use repositories you trust. Use only mirrors that belong to
    reputable organizations. Don't randomly choose mirrors, even
    from official lists. The official lists of public repositories
    often contain many superficially verified mirrors.

    I pretty much stick with us.debian.org.

    I'm not sure the authors go far enough, though. You have to be watchful
    of your system behavior, at all times. It may change (even if due to
    bugs rather than malice.)

    --
    [ ] Always trust content from debian.org
    [ ] Always trust content from microsoft.com

  4. Re: Don't trust Ubuntu, Fedora, OpenSuSE, CentOS, and Debian mirrors!

    On 2008-07-11, The Ghost In The Machine wrote:

    > BTW....Gentoo signs its Manifest files, which are themselves
    > lists of hashes of downloadable files. metadata.xml and ChangeLog
    > are also included in this list. An evil mirror would have some
    > issues trying to introduce malware without the system installer's
    > knowledge, although one could do goofy stuff such as


    I update portage from a server at Swinburne University of Technology in
    Melbourne Australia and have been doing so for 4 years.

    I get my packages from my local Pacific Net (My own ISP) Mirror...

    If the hash from Swinburne doesn't match then the package from Pacific
    Net doesn't get installed... simple.

    This is FUD... sounds like the latest Microsoft attack against Linux...

    Because we all know that Microsoft's products are _so_ much more secure
    than the GNU/Linux stuff.

    > or some such. Most people using Gentoo just do emerge... ;-)
    > I use ebuild unpack on occasion to poke around source, if
    > it's malfunctioning or I'm curious.


    Yeah, so do I.

    > One can override one's own digests but those overrides would
    > be lost on the next tree sync.


    I've never done it, and I've been running Gentoo for years.

    > One also assumes that Debian and Fedora have similar controls
    > on their download packages.
    >
    > But never mind that; obviously Linux is "less secure" since
    > no one understands these controls and they're not GUI-based
    > and "automatic".
    >


    Har har har...



    --
    Regards,

    Gregory.
    Gentoo Linux - Penguin Power

  5. Re: Don't trust Smith's bull**** FUD

    Homer wrote:
    > Verily I say unto thee, that Gregory Shearman spake thusly:
    >
    >> This is FUD...

    >
    > Of course it is.
    >
    > As the article even admits, packages are signed. Those signing keys are
    > already on the host system (installed with the distro), and not obtained
    > from the mirror. If the packages fail the GPG check then they won't be
    > installed. Period.




    > Fedora also uses a service daemon for YUM called yum-updatesd, which
    > polls for updates once every hour (default setting):
    >
    > [main]
    > # how often to check for new updates (in seconds)
    > run_interval = 3600
    >
    > So on Fedora systems, at least, a compromised mirror would likely have a
    > maximum effect of merely delaying an update to a connecting system by
    > two hours. Given that most people don't even update every day, much less
    > every two hours, somehow I don't think there's a problem.
    >
    > This whole farce is not even news. It's nothing at all, but one of
    > Smith's little FUD injections.
    >
    >> sounds like the latest Microsoft attack against Linux...

    >
    > I wouldn't put it past them.


    Ubuntu and Debian have similar mechanisms to Fedora and YUM (APT and
    SYNAPTIC), which are key based, and when I was using SuSE, YAST.

    They all work reliably. This type of FUD won't travel far, fortunately.
    Linux now has sufficient installed base with sufficient IT dispersion. It
    is the desktop market monopoly that the FUD-meisters want to protect.

    I surmise that the only place Timmy serves is a feeding mechanism for
    trolling activity from the others, and to distract advocacy.

    --
    HPT

  6. Re: Don't trust Smith's bull**** FUD

    On Fri, 11 Jul 2008 05:09:51 -0600, High Plains Thumper wrote:

    > Homer wrote:
    >> Verily I say unto thee, that Gregory Shearman spake thusly:
    >>
    >>> This is FUD...

    >>
    >> Of course it is.
    >>
    >> As the article even admits, packages are signed. Those signing keys are
    >> already on the host system (installed with the distro), and not obtained
    >> from the mirror. If the packages fail the GPG check then they won't be
    >> installed. Period.

    >
    >
    >
    >> Fedora also uses a service daemon for YUM called yum-updatesd, which
    >> polls for updates once every hour (default setting):
    >>
    >> [main]
    >> # how often to check for new updates (in seconds)
    >> run_interval = 3600
    >>
    >> So on Fedora systems, at least, a compromised mirror would likely have a
    >> maximum effect of merely delaying an update to a connecting system by
    >> two hours. Given that most people don't even update every day, much less
    >> every two hours, somehow I don't think there's a problem.
    >>
    >> This whole farce is not even news. It's nothing at all, but one of
    >> Smith's little FUD injections.
    >>
    >>> sounds like the latest Microsoft attack against Linux...

    >>
    >> I wouldn't put it past them.

    >
    > Ubuntu and Debian have similar mechanisms to Fedora and YUM (APT and
    > SYNAPTIC), which are key based, and when I was using SuSE, YAST.
    >

    As does Mandriva. urpmi reports invalid signatures & won't download, let
    alone install.

    > They all work reliably. This type FUD won't travel far, fortunately.
    > Linux now has sufficient installed base with sufficient IT dispersion. It
    > is the desktop market monopoly that the FUD-meisters want to protect.
    >
    > I surmise that the only place Timmy serves is a feeding mechanism for
    > trolling activity from the others, and to distract advocacy.


    Seconded!

    --
    Why don't you smegging-well smeg off,
    you annoying little smeggy smegging smegger!
    --Rimmer to dispensing machine--
    "Only the Good" -- Red Dwarf

  7. Neither HPT nor Willy can read, it seems

    In article ,
    William Poaster wrote:

    > On Fri, 11 Jul 2008 05:09:51 -0600, High Plains Thumper wrote:
    > > Ubuntu and Debian have similar mechanisms to Fedora and YUM (APT and
    > > SYNAPTIC), which are key based, and when I was using SuSE, YAST.
    > >

    > As does Mandriva. urpmi reports invalid signatures & won't download, let
    > alone install.


    Perhaps you should both get someone who can actually read to take a look
    at

    >


    and explain it to you. From the FAQ there:

    Q: My package manager uses signatures, so I'm not vulnerable right?

    A: Unfortunately, you are vulnerable. This attack works by giving
    old versions of correctly signed files to the package manager.

    --
    --Tim Smith
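
    The point of the FAQ answer quoted above (and of the thread's opening summary) is that a valid signature proves who signed an index, not whether it is current. The following is an added example, not code from the thread or from any distribution's package manager, of the checks a client needs on top of signature verification: an expiry check on the index's own timestamps, a rollback check against the last index this client accepted, and the per-file hash check the index exists to provide. The index format (Date, Valid-Until, a SHA256 list) is a constructed simplification assumed for the example, and signature verification is assumed to have already passed.

```python
"""Detecting a replayed (stale but correctly signed) mirror index.

Added example; not code from the thread or from any package manager.
The index format is a constructed simplification, and the signature
check is assumed to have already succeeded before these checks run.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample: an index that was correctly signed in June but is
# being served, unchanged, weeks later. The hash is sha256(b"test").
STALE_INDEX = """\
Date: 2008-06-20 10:00:00
Valid-Until: 2008-06-27 10:00:00
SHA256:
 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 4 pool/test.txt
"""

# Constructed sample: the same index as a current mirror would serve it.
FRESH_INDEX = """\
Date: 2008-07-10 10:00:00
Valid-Until: 2008-07-17 10:00:00
SHA256:
 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 4 pool/test.txt
"""


def _parse_ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(s.strip(), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Extract Date, Valid-Until and the 'digest size name' entries."""
    meta = {"date": None, "valid_until": None, "files": {}}
    in_hashes = False
    for line in text.splitlines():
        if line.startswith("Date:"):
            meta["date"] = _parse_ts(line.split(":", 1)[1])
        elif line.startswith("Valid-Until:"):
            meta["valid_until"] = _parse_ts(line.split(":", 1)[1])
        elif line.strip() == "SHA256:":
            in_hashes = True
        elif in_hashes and line.startswith(" "):
            digest, size, name = line.split()
            meta["files"][name] = (digest, int(size))
    return meta


def check_freshness(meta, now, last_seen_date=None, max_age=timedelta(days=7)):
    """Return the problems a client should refuse to proceed on."""
    problems = []
    if meta["valid_until"] is not None and now > meta["valid_until"]:
        problems.append("expired")    # the index's own expiry has passed
    if meta["valid_until"] is None and now - meta["date"] > max_age:
        problems.append("too-old")    # no expiry field: apply a local maximum age
    if last_seen_date is not None and meta["date"] < last_seen_date:
        problems.append("rollback")   # older than an index this client already accepted
    return problems


def audit_index(text, now_str, last_seen_str=None, max_age_days=7):
    """Convenience wrapper: parse, then run the freshness and rollback checks."""
    meta = parse_index(text)
    last_seen = _parse_ts(last_seen_str) if last_seen_str else None
    return check_freshness(meta, _parse_ts(now_str), last_seen, timedelta(days=max_age_days))


def verify_file(meta, name, data):
    """True only if the file is listed and both its size and SHA-256 match."""
    entry = meta["files"].get(name)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


if __name__ == "__main__":
    # A client that last accepted an index dated 1 July and checks on 11 July.
    print(audit_index(STALE_INDEX, "2008-07-11 00:00:00", "2008-07-01 00:00:00"))
    print(audit_index(FRESH_INDEX, "2008-07-11 00:00:00", "2008-07-01 00:00:00"))
    print(verify_file(parse_index(FRESH_INDEX), "pool/test.txt", b"test"))
```

The rollback check only works if the client persists the date of the last index it accepted; without that state, a replayed index that is still inside its validity window passes unnoticed.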

  8. Re: Neither HPT nor Willy can read, it seems

    On Fri, 11 Jul 2008 10:00:42 -0700, Tim Smith wrote:

    > In article ,
    > William Poaster wrote:
    >
    >> On Fri, 11 Jul 2008 05:09:51 -0600, High Plains Thumper wrote:
    >>> Ubuntu and Debian have similar mechanisms to Fedora and YUM (APT and
    >>> SYNAPTIC), which are key based, and when I was using SuSE, YAST.
    >>>

    >> As does Mandriva. urpmi reports invalid signatures & won't download, let
    >> alone install.

    >
    > Perhaps you should both get someone who can actually read to take a look
    > at
    >
    >>

    >
    > and explain it to you. From the FAQ there:
    >
    > Q: My package manager uses signatures, so I'm not vulnerable right?
    >
    > A: Unfortunately, you are vulnerable. This attack works by giving
    > old versions of correctly signed files to the package manager.


    They are just using the Schestowitz method of throwing up a smokescreen of
    lies and hoping that the rest of the Linux loon COLA gang will join in the
    parade with *atta boy* replies...

    It's classic Linux *advocacy*.

    LIEing for LIEnix strikes again.
    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  9. Re: Don't trust Ubuntu, Fedora, OpenSuSE, CentOS, and Debian mirrors!

    In comp.os.linux.advocacy, Gregory Shearman wrote on 11 Jul 2008 04:00:05 GMT:
    > On 2008-07-11, The Ghost In The Machine wrote:
    >
    >> BTW....Gentoo signs its Manifest files, which are themselves
    >> lists of hashes of downloadable files. metadata.xml and ChangeLog
    >> are also included in this list. An evil mirror would have some
    >> issues trying to introduce malware without the system installer's
    >> knowledge, although one could do goofy stuff such as

    >
    > I update portage from a server at Swinburne University of Technology in
    > Melbourne Australia and have been doing so for 4 years.
    >
    > I get my packages from my local Pacific Net (My own ISP) Mirror...
    >
    > If the hash from Swinburne doesn't match then the package from Pacific
    > Net doesn't get installed... simple.
    >
    > This is FUD... sounds like the latest Microsoft attack against Linux...


    Sure smells like it, at that. Still, it's a possible
    attack vector if the distro doesn't implement some sort
    of verification program such as digital signatures.

    I would hope most of the major ones do by now.

    >
    > Because we all know that Microsoft's products are _so_ much more secure
    > than the GNU/Linux stuff.
    >
    >> or some such. Most people using Gentoo just do emerge... ;-)
    >> I use ebuild unpack on occasion to poke around source, if
    >> it's malfunctioning or I'm curious.

    >
    > Yeah, so do I.
    >
    >> One can override one's own digests but those overrides would
    >> be lost on the next tree sync.

    >
    > I've never done it, and I've been running Gentoo for years.


    I've fiddled a bit with overlays, mostly because I have
    a Ming cross-compiler.

    >
    >> One also assumes that Debian and Fedora have similar controls
    >> on their download packages.
    >>
    >> But never mind that; obviously Linux is "less secure" since
    >> no one understands these controls and they're not GUI-based
    >> and "automatic".
    >>

    >
    > Har har har...
    >


    Indeed; if this keeps up we're going to have to follow
    the ancient Egyptians.

    --
    #191, ewill3@earthlink.net
    Windows. When it absolutely, positively, has to crash.
    ** Posted from http://www.teranews.com **

  10. Re: Neither HPT nor Willy can read, it seems

    In comp.os.linux.advocacy, Moshe Goldfarb wrote on Fri, 11 Jul 2008 13:30:51 -0400:
    > On Fri, 11 Jul 2008 10:00:42 -0700, Tim Smith wrote:
    >
    >> In article ,
    >> William Poaster wrote:
    >>
    >>> On Fri, 11 Jul 2008 05:09:51 -0600, High Plains Thumper wrote:
    >>>> Ubuntu and Debian have similar mechanisms to Fedora and YUM (APT and
    >>>> SYNAPTIC), which are key based, and when I was using SuSE, YAST.
    >>>>
    >>> As does Mandriva. urpmi reports invalid signatures & won't download, let
    >>> alone install.

    >>
    >> Perhaps you should both get someone who can actually read to take a look
    >> at
    >>
    >>>

    >>
    >> and explain it to you. From the FAQ there:
    >>
    >> Q: My package manager uses signatures, so I'm not vulnerable right?
    >>
    >> A: Unfortunately, you are vulnerable. This attack works by giving
    >> old versions of correctly signed files to the package manager.

    >
    > They are just using the Schestowitz method of throwing up a smokescreen of
    > lies and hoping that the rest of the Linux loon COLA gang will join in the
    > parade with *atta boy* replies...
    >
    > It's classic Linux *advocacy*.
    >
    > LIEing for LIEnix strikes again.


    [1] Is Windows vulnerable to a similar attack? Why or why not?
    [2] How many distros are vulnerable to this attack?
    [3] Explain in detail how one would mount such an attack,
    assuming one does not have access to the signature key
    but *does* have access to DNS[*] impersonation methods.
    [4] Discuss whether Linux distros which compile source locally
    are still vulnerable to any of the attacks detailed in [2]
    and/or [3].
    [*] such are simpler than one might think, requiring merely
    editing of /etc/hosts, or specifying an "evil" DNS
    server in /etc/resolv.conf.

    --
    #191, ewill3@earthlink.net
    Q: "Why is my computer doing that?"
    A: "Don't do that and you'll be fine."
    ** Posted from http://www.teranews.com **

  11. [H]omer can't read either, it seems

    In article , Homer
    wrote:
    > >>> A: Unfortunately, you are vulnerable. This attack works by giving
    > >>> old versions of correctly signed files to the package manager.

    >
    > Smith, you are a raving ****wit.
    >
    > How exactly is "giving old versions" an "attack", especially when newer
    > versions are available in a rotating pool of mirrors?

    ....
    > It's some idiot who thinks that "giving old versions" on a single mirror
    > will somehow destroy every Linux installation on planet earth.
    >
    > I'm not sure who is more idiotic; the twit who wrote that garbage to
    > begin with, or the brain-damaged Windows "evangelists" who swallowed it.


    How unsurprising. [H]omer, who has clearly not actually gone and read
    the original site, is now an expert on the matter.

    If [H]omer had bothered to read the site, he would have seen the example
    of how the evil mirror can stop logging, corrupt databases, and stop
    mail delivery on Fedora and Ubuntu systems.

    --
    --Tim Smith

  12. Re: Neither Smith nor Flatty can think, it seems

    In comp.os.linux.advocacy, Homer wrote on Fri, 11 Jul 2008 21:37:32 +0100:
    > Verily I say unto thee, that The Ghost In The Machine spake thusly:
    >> In comp.os.linux.advocacy, Moshe Goldfarb.
    >> wrote on Fri, 11 Jul 2008 13:30:51 -0400
    >> :
    >>> On Fri, 11 Jul 2008 10:00:42 -0700, Tim Smith wrote:

    >
    >>>> Perhaps you should both get someone who can actually read to take
    >>>> a look at

    > [...]
    >>>> A: Unfortunately, you are vulnerable. This attack works by giving
    >>>> old versions of correctly signed files to the package manager.

    >
    > Smith, you are a raving ****wit.
    >
    > How exactly is "giving old versions" an "attack", especially when newer
    > versions are available in a rotating pool of mirrors?


    Old versions may be vulnerable to a specific type of
    compromise/attack, depending on the version (and the
    package). For example, 3.0.0.0 of Firefox had an issue
    IIRC, and it was quickly patched, yielding 3.0.0.1.

    I'd have to look to see how precisely Gentoo handles updates.

    It may depend on who's doing the rotation in the mirrors, as well.

    >
    >>> It's classic Linux *advocacy*.

    >
    > It's classic Widiot Trolling from a bunch of reprobates with the
    > combined IQ of a lump of putty.


    Please. Silly Putty at least had some intelligence. ;-) Well,
    OK, it could lift Sunday Morning comics images...

    >
    >> [1] Is Windows vulnerable to a similar attack?

    >
    > It's not any kind of "attack".


    I'd consider it such; the general idea is to compromise
    a computer system, or a distro distribution system.
    Of course, there's a fair number of issues here.

    The actual discussion is a form of FUD attack as well,
    instilling (or attempting to) The Big Lie regarding
    vulnerability to mismatches and/or package file
    impersonations.

    Fortunately, I've already disproven it in Gentoo and
    noted the relative simplicity. ISO images have
    had side files with md5sums for years anyway, and
    distros could very simply automate the process,
    and presumably most have already done so.

    In Gentoo's case, there's the further complication of the
    tree versus the download files; the download files are
    actually mirrored not by Gentoo but by others (usually,
    the original provider of the package). The .ebuild files,
    of course, are part of the Gentoo-managed tree, and the
    manifest is also. Things can get a little out of sync
    if the distributor of the tool gets a little sloppy --
    Sun in particular has had issues in the past, and the
    installation instructions occasionally mention renaming
    a file after downloading it.

    >
    > It's some idiot who thinks that "giving old versions" on a single mirror
    > will somehow destroy every Linux installation on planet earth.


    It would take a lot of doing, even given a mirror's and
    a distro's vulnerability. For starters, there are over
    500 distros out there, each with a set of mirrors. Granted,
    only 10-30 of them are probably worth worrying about (the rest of
    them are for specialty purposes, presumably).

    >
    > I'm not sure who is more idiotic; the twit who wrote that garbage to
    > begin with, or the brain-damaged Windows "evangelists" who swallowed it.
    >


    I get the feeling Moshe just likes to tag along for the hell of it. :-P

    --
    #191, ewill3@earthlink.net
    Linux. Because life's too short for a buggy OS.
    ** Posted from http://www.teranews.com **

  13. Re: Neither Smith nor Flatty can think, it seems

    On Fri, 11 Jul 2008 21:37:32 +0100, Homer wrote:

    > Verily I say unto thee, that The Ghost In The Machine spake thusly:
    >> In comp.os.linux.advocacy, Moshe Goldfarb.
    >> wrote on Fri, 11 Jul 2008 13:30:51 -0400
    >> :
    >>> On Fri, 11 Jul 2008 10:00:42 -0700, Tim Smith wrote:

    >
    >>>> Perhaps you should both get someone who can actually read to take
    >>>> a look at

    > [...]
    >>>> A: Unfortunately, you are vulnerable. This attack works by giving
    >>>> old versions of correctly signed files to the package manager.

    >
    > Smith, you are a raving ****wit.
    >
    > How exactly is "giving old versions" an "attack", especially when newer
    > versions are available in a rotating pool of mirrors?
    >
    >>> It's classic Linux *advocacy*.

    >
    > It's classic Widiot Trolling from a bunch of reprobates with the combined
    > IQ of a lump of putty.
    >
    >> [1] Is Windows vulnerable to a similar attack?

    >
    > It's not any kind of "attack".
    >
    > It's some idiot who thinks that "giving old versions" on a single mirror
    > will somehow destroy every Linux installation on planet earth.
    >
    > I'm not sure who is more idiotic; the twit who wrote that garbage to begin
    > with, or the brain-damaged Windows "evangelists" who swallowed it.


    Both, because neither *really* knows wtf they're talking about.

    --
    Why don't you smegging-well smeg off,
    you annoying little smeggy smegging smegger!
    --Rimmer to dispensing machine--
    "Only the Good" -- Red Dwarf

  14. Re: Don't trust Smith's bull**** FUD

    On 2008-07-11, Homer wrote:
    > Verily I say unto thee, that Gregory Shearman spake thusly:
    >
    > This whole farce is not even news. It's nothing at all, but one of
    > Smith's little FUD injections.


    I saw it first on Slashdot a day or so ago. It looked like FUD then and
    it looks even more like FUD now.

    >
    >> sounds like the latest Microsoft attack against Linux...

    >
    > I wouldn't put it past them.


    Nor I. Lately they seem to be getting more and more desperate, the
    Microsoft trolls (Quark, DFS, Moshe) more and more shrill... or should
    that be "shill".


    --
    Regards,

    Gregory.
    Gentoo Linux - Penguin Power

  15. Re: [H]omer can't read either, it seems

    On 2008-07-11, Tim Smith wrote:
    > In article , Homer
    > wrote:
    >> >>> A: Unfortunately, you are vulnerable. This attack works by giving
    >> >>> old versions of correctly signed files to the package manager.

    >>
    >> Smith, you are a raving ****wit.
    >>
    >> How exactly is "giving old versions" an "attack", especially when newer
    >> versions are available in a rotating pool of mirrors?

    > ...
    >> It's some idiot who thinks that "giving old versions" on a single mirror
    >> will somehow destroy every Linux installation on planet earth.
    >>
    >> I'm not sure who is more idiotic; the twit who wrote that garbage to
    >> begin with, or the brain-damaged Windows "evangelists" who swallowed it.

    >
    > How unsurprising. [H]omer, who has clearly not actually gone and read
    > the original site, is now an expert on the matter.
    >
    > If [H]omer had bothered to read the site, he would have seen the example
    > of how the evil mirror can stop logging, corrupt databases, and stop
    > mail delivery on Fedora and Ubuntu systems.
    >


    Tell ya what... you wake me up when you have more than a "proof of
    concept".

    I actually read the FUD article... as well as the Slashdot discussion...
    there's nothing in it to worry about of course.


    --
    Regards,

    Gregory.
    Gentoo Linux - Penguin Power

  16. Re: [H]omer can't read either, it seems

    * Gregory Shearman peremptorily fired off this memo:

    > On 2008-07-11, Tim Smith wrote:
    >>
    >> If [H]omer had bothered to read the site, he would have seen the example
    >> of how the evil mirror can stop logging, corrupt databases, and stop
    >> mail delivery on Fedora and Ubuntu systems.

    >
    > Tell ya what... you wake me up when you have more than a "proof of
    > concept".
    >
    > I actually read the FUD article... as well as the Slashdot discussion...
    > there's nothing in it to worry about of course.


    You might as well worry about malware inserting a proxy server into your
    Internet Explorer setup.

    --
    QOTD:
    "Our parents were never our age."

  17. Re: Smith really is completely retarded, it seems

    On Sat, 12 Jul 2008 12:22:05 +0100, Homer wrote:


    >>> If [H]omer had bothered to read the site

    >
    > Oh shut the **** up, Smith. I read the site including its stupid "FAQ"
    > and "other attacks" pages, and the whole thing is a bunch of crap.


    Linux advocacy at its best.......



    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
