Fedora servers hacked - Are signed packages valid? - Linux


Thread: Fedora servers hacked - Are signed packages valid?

  1. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Fri, 22 Aug 2008 22:20:52 -0400, Linonut wrote:
    > IOW the same arguments could be used each time the Linvocates squeal with
    > delight when a Windows server gets hacked.


    Indeed.

    > To the people infected it doesn't matter.....


    Which is why Windows' gross insecurity on the /client/ side /does/
    matter, and /grossly/ so.

    It's a case for the Better Business Bureau, basically consumer fraud in
    my opinion.

    --
    Nothing is so firmly believed as that which we least know.
    -- Michel de Montaigne

  2. Re: Fedora servers hacked - Are signed packages valid?

    * The Ghost In The Machine peremptorily fired off this memo:

    > Mirrors are an exception to the Linux insulation from
    > viruses; they carry files which are installed as root.


    Huh? All computers have files installed as root.

    Are you saying the distro files for distribution to third
    parties are installed as root?

    No way.

    > All binary-based distros are vulnerable if they don't
    > implement checking methods (I would hope most do by now),
    > or if those checking methods are hacked (as they might have
    > been in this case, though it's far from clear whether the
    > key's passphrase was compromised or not -- or whether the
    > hackers used it if it was).
    >
    > Source-based distros are also vulnerable, though the
    > viruses would have to be entirely different.


    Moshe's simply pulling a variation on the patented Erik Funkenbusch
    "security is binary" claim.

    In other words, avoid nuance so that you can equate two situations,
    whether you know they are the same, or not.

    --
    Fortune's Contribution of the Month to the Animal Rights Debate:
    I'll stay out of animals' way if they'll stay out of mine.
    "Hey you, get off my plate"
    -- Roger Midnight

  3. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Fri, 22 Aug 2008 22:22:09 -0400, Linonut wrote:
    >
    >> * Moshe Goldfarb. peremptorily fired off this memo:
    >>
    >>> On Fri, 22 Aug 2008 11:22:47 -0500, JEDIDIAH wrote:
    >>>
    >>>> Yes... "hacked" as opposed to being automatically exploited by
    >>>> some virus, worm or trojan.
    >>>
    >>> The result is the same.

    >>
    >> That's like comparing yourself to Clogwog.

    >
    > The result is the same......
    > You are either hacked or not....


    I see you subscribe to the Erik Funkenbusch school of "Security is
    Binary".

    In other words, another FUDster.

    --
    He that composes himself is wiser than he that composes a book.
    -- B. Franklin

  4. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Fri, 22 Aug 2008 22:23:45 -0400, Linonut wrote:
    >
    >> I call bull****. It sounds like Red Hat /does/ know.

    >
    > If they do know do you expect them to fess up anymore than Microsoft would
    > fess up?


    Of course. Get this... Red Hat is actually /part/ of the community.

    --
    If you go out of your mind, do it quietly, so as not to disturb those
    around you.

  5. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > Additionally, look at Roy Schestowitz who had a Linux based server spewing
    > infected trojans to unsuspecting people for almost a month before he
    > finally realized he wasn't the smartest fish in the sea and what many
    > people were telling him was true....




    I thought the server he used was /not/ under his control.

    --
    I got vision, and the rest of the world wears bifocals.
    -- Butch Cassidy

  6. Re: Fedora servers hacked - Are signed packages valid?

    On Sat, 23 Aug 2008 10:30:42 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> On Fri, 22 Aug 2008 22:20:52 -0400, Linonut wrote:
    >> IOW the same arguments could be used each time the Linvocates squeal with
    >> delight when a Windows server gets hacked.

    >
    > Indeed.
    >
    >> To the people infected it doesn't matter.....

    >
    > Which is why Windows' gross insecurity on the /client/ side /does/
    > matter, and /grossly/ so.
    >
    > It's a case for the Better Business Bureau, basically consumer fraud in
    > my opinion.


    It's really more of a case of ignorant end users, and it doesn't always have
    to be Windows users either; it's just that Windows dominates the market.

    When Linux gets a big enough desktop market share the same thing is going
    to happen.
    It may not be the Linux kernel that gets hacked, it could be firefox or
    Amarok or a tainted package management system etc.

    However, it will mostly boil down to ignorance on the part of the user.


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  7. Re: Fedora servers hacked - Are signed packages valid?

    On Sat, 23 Aug 2008 10:33:26 -0400, Linonut wrote:

    > * The Ghost In The Machine peremptorily fired off this memo:
    >
    >> Mirrors are an exception to the Linux insulation from
    >> viruses; they carry files which are installed as root.

    >
    > Huh? All computers have files installed as root.
    >
    > Are you saying the distro files for distribution to third
    > parties are installed as root?
    >
    > No way.
    >
    >> All binary-based distros are vulnerable if they don't
    >> implement checking methods (I would hope most do by now),
    >> or if those checking methods are hacked (as they might have
    >> been in this case, though it's far from clear whether the
    >> key's passphrase was compromised or not -- or whether the
    >> hackers used it if it was).
    >>
    >> Source-based distros are also vulnerable, though the
    >> viruses would have to be entirely different.

    >
    > Moshe's simply pulling a variation on the patented Erik Funkenbusch
    > "security is binary" claim.
    >
    > In other words, avoid nuance so that you can equate two situations,
    > whether you know they are the same, or not.


    Actually I do believe security is binary, but let's not start that one up
    again.

    What I am saying is that it doesn't matter in the scheme of things what was
    hacked, how it was hacked and so forth. The point is it *was* hacked.

    Obviously to the people running the thing it matters how, but looking at
    the big picture it's not as important.

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  8. Re: Fedora servers hacked - Are signed packages valid?

    On Sat, 23 Aug 2008 10:34:12 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> On Fri, 22 Aug 2008 22:22:09 -0400, Linonut wrote:
    >>
    >>> * Moshe Goldfarb. peremptorily fired off this memo:
    >>>
    >>>> On Fri, 22 Aug 2008 11:22:47 -0500, JEDIDIAH wrote:
    >>>>
    >>>>> Yes... "hacked" as opposed to being automatically exploited by
    >>>>> some virus, worm or trojan.
    >>>>
    >>>> The result is the same.
    >>>
    >>> That's like comparing yourself to Clogwog.

    >>
    >> The result is the same......
    >> You are either hacked or not....

    >
    > I see you subscribe to the Erik Funkenbusch school of "Security is
    > Binary".


    Yes I do...
    You are either secure or you are not secure.
    However, in real life and as long as humans are involved, you are never
    really secure so it's a moot point anyway.

    > In other words, another FUDster.


    It's not FUD, it's the truth.


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  9. Re: Fedora servers hacked - Are signed packages valid?

    On Sat, 23 Aug 2008 10:34:49 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> On Fri, 22 Aug 2008 22:23:45 -0400, Linonut wrote:
    >>
    >>> I call bull****. It sounds like Red Hat /does/ know.

    >>
    >> If they do know do you expect them to fess up anymore than Microsoft would
    >> fess up?

    >
    > Of course. Get this... Red Hat is actually /part/ of the community.


    They are also a business that has to protect their reputation to a degree.
    You swallowed too much kool aid on this, Linonut.
    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  10. Re: Fedora servers hacked - Are signed packages valid?

    On Sat, 23 Aug 2008 10:35:46 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> Additionally, look at Roy Schestowitz who had a Linux based server spewing
    >> infected trojans to unsuspecting people for almost a month before he
    >> finally realized he wasn't the smartest fish in the sea and what many
    >> people were telling him was true....

    >
    >
    >
    > I thought the server he used was /not/ under his control.


    It is/was.
    Which is why he spent days going through whatever to fix it.
    Those are his words.


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  11. Re: Fedora servers hacked - Are signed packages valid?

    On Aug 22, 10:23 pm, Linonut wrote:
    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    > > On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    > > It doesn't matter.
    > > The server was hacked.
    > > The damage has been done and nobody knows the extent to which this damage
    > > has spread.

    >
    > I call bull****. It sounds like Red Hat /does/ know.
    >
    > --
    > Every living thing wants to survive.
    > -- Spock, "The Ultimate Computer", stardate 4731.3


    They can only make an estimated guess.
    Does not change the fact.
    They were hacked.


  12. Re: Fedora servers hacked - Are signed packages valid?

    Psyc Geek (TAB) wrote:

    > On Aug 22, 10:23 pm, Linonut wrote:
    >> * Moshe Goldfarb. peremptorily fired off this memo:
    >>
    >> > On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    >> > It doesn't matter.
    >> > The server was hacked.
    >> > The damage has been done and nobody knows the extent to which this
    >> > damage has spread.

    >>
    >> I call bull****. It sounds like Red Hat /does/ know.
    >>
    >> --
    >> Every living thing wants to survive.
    >> -- Spock, "The Ultimate Computer", stardate 4731.3

    >
    > They can only make an estimated guess.


    Bull****. They can easily verify the MD5 of every executable file on their
    servers.

    > Does not change the fact.
    > They were hacked.


    Yes. And they found out fast.
    --
    It's not about, 'Where do you want to go today?' It's more like,
    'Where am I allowed to go today?'


  13. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Sat, 23 Aug 2008 10:30:42 -0400, Linonut wrote:
    >
    >> Which is why Windows' gross insecurity on the /client/ side /does/
    >> matter, and /grossly/ so.
    >>
    >> It's a case for the Better Business Bureau, basically consumer fraud in
    >> my opinion.

    >
    > It's really more of a case of ignorant end users, and it doesn't always have
    > to be Windows users either; it's just that Windows dominates the market.


    Nope. The problem is that Microsoft markets their Windows consumer
    systems as easy-to-use appliances, but they are not.

    > When Linux gets a big enough desktop market share the same thing is going
    > to happen.


    Still trotting out that old saw. Pray tell how many Linux systems,
    percentagewise, are zombies?

    > It may not be the Linux kernel that gets hacked, it could be firefox or
    > Amarok or a tainted package management system etc.
    >
    > However, it will mostly boil down to ignorance on the part of the user.


    There will always be some ignorance. But Linux is more lean (even
    without considering the burden of anti-virus and built-in firewalls) and
    better designed for security.

    Servers? Knowledgeable admins make them roughly equivalent in Linux and
    Windows.

    Desktop? No contest. Linux wins.

    --
    I love being married. It's so great to find that one special person
    you want to annoy for the rest of your life.
    -- Rita Rudner

  14. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > Actually I do believe security is binary, but let's not start that one up
    > again.
    >
    > What I am saying is that it doesn't matter in the scheme of things what was
    > hacked, how it was hacked and so forth. The point is it *was* hacked.
    >
    > Obviously to the people running the thing it matters how, but looking at
    > the big picture it's not as important.


    I'm giving up on this one. I maintain my position.

    --
    "What George Washington did for us was to throw out the British, so that we
    wouldn't have a fat, insensitive government running our country. Nice try
    anyway, George."
    -- D. J. on KSFO/KYA

  15. Re: Fedora servers hacked - Are signed packages valid?

    In article <_aVrk.15310$De7.8193@bignews7.bellsouth.net>,
    Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    > > Additionally, look at Roy Schestowitz who had a Linux based server spewing
    > > infected trojans to unsuspecting people for almost a month before he
    > > finally realized he wasn't the smartest fish in the sea and what many
    > > people were telling him was true....

    >
    >
    >
    > I thought the server he used was /not/ under his control.


    His files were under his control. He may or may not have been able to
    fix the underlying problem (e.g., update whatever program was letting
    people modify his files), depending exactly on how his hosting provider
    worked, but he could have taken his files down until the problem was
    fixed.

    That's what I did when I found that spammers were storing images on my
    photo gallery on a shared hosting site. I removed my gallery
    completely, to await a fix to the gallery software to close the hole
    that let unauthorized people add photos.

    --
    --Tim Smith

  16. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Sat, 23 Aug 2008 10:34:12 -0400, Linonut wrote:
    >
    >> I see you subscribe to the Erik Funkenbusch school of "Security is
    >> Binary".

    >
    > Yes I do...
    > You are either secure or you are not secure.
    > However, in real life and as long as humans are involved, you are never
    > really secure so it's a moot point anyway.
    >
    >> In other words, another FUDster.

    >
    > It's not FUD, it's the truth.


    Not in the /least/.

    http://www.infosec.co.uk/files/The_security_onion.pdf

    http://www.thetechherald.com/article...-your-security

    http://www.winsec.biz/Sec_prn_NeedForSec.htm

    http://www.theregister.co.uk/securit...dows_vs_linux/

    The bottom line is that there are many layers to security.

    Binary, my ass.

    --
    Humanity has advanced, when it has advanced, not because it has been sober,
    responsible, and cautious, but because it has been playful, rebellious, and
    immature.
    -- Tom Robbins

  17. Re: Fedora servers hacked - Are signed packages valid?

    In article
    <05a2b262-7a3a-498d-98e5-a1bbc81c8758@c58g2000hsc.googlegroups.com>,
    "Psyc Geek (TAB)" wrote:
    > > > It doesn't matter.
    > > > The server was hacked.
    > > > The damage has been done and nobody knows the extent to which this damage
    > > > has spread.

    > >
    > > I call bull****. *It sounds like Red Hat /does/ know.

    ....
    > They can only make an estimated guess.
    > Does not change the fact.
    > They were hacked.


    Hence, they changed the signing key (and presumably are using a
    different pass phrase on the new key). If they now resign the packages
    with the new key (after making sure the packages are right, of course),
    and update the user base to use the new key and stop recognizing the old
    key as valid, they should be reasonably safe, even if the attackers were
    in longer than Red Hat thinks they were, and did get the old signing key
    and pass phrase.

    I say reasonably safe rather than absolutely safe, because an attacker
    with an old signing key and pass phrase might still be able to do some
    pretty annoying things, due to design and administrative flaws in the
    package management and distribution system, as was discussed here a few
    months ago.

    --
    --Tim Smith
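    The rotation Tim describes (trust the new key, re-sign, stop recognising the old key) as added example code, not from the thread, Fedora or RPM: Go's standard-library Ed25519 stands in for the GPG signing key, the package bytes are constructed, and the client keyring is a plain map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is one package-signing key. Ed25519 stands in for the GPG key a
// distro really uses; this is added example code, not Fedora's or RPM's.
type Signer struct {
	ID   string // fingerprint: hex of the first 8 bytes of the public key
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewSigner() *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{ID: fmt.Sprintf("%x", pub[:8]), pub: pub, priv: priv}
}

// SignedPackage is a package body plus a detached signature over
// SHA-256(content), tagged with the ID of the key that produced it.
type SignedPackage struct {
	Content []byte
	KeyID   string
	Sig     []byte
}
func (s *Signer) Sign(content []byte) SignedPackage {
	d := sha256.Sum256(content)
	return SignedPackage{content, s.ID, ed25519.Sign(s.priv, d[:])}
}

// TrustStore is the client keyring, key ID -> public key. Rotation is Trust(new)
// then Revoke(old); a revoked ID keeps a nil entry so it is refused, not unknown.
type TrustStore map[string]ed25519.PublicKey
func (t TrustStore) Trust(s *Signer)     { t[s.ID] = s.pub }
func (t TrustStore) Revoke(keyID string) { t[keyID] = nil }
// Verify returns "ok", "revoked-key", "unknown-key" or "bad-signature".
func (t TrustStore) Verify(p SignedPackage) string {
	pub, known := t[p.KeyID]
	switch {
	case !known:
		return "unknown-key"
	case pub == nil: // a valid signature from a revoked key is still refused
		return "revoked-key"
	}
	d := sha256.Sum256(p.Content)
	if !ed25519.Verify(pub, d[:], p.Sig) {
		return "bad-signature"
	}
	return "ok"
}
func main() {
	oldKey, newKey, client := NewSigner(), NewSigner(), TrustStore{}
	client.Trust(oldKey)
	pkg := oldKey.Sign([]byte("constructed package bytes")) // signed pre-incident
	client.Trust(newKey)     // rotation: install the new key ...
	client.Revoke(oldKey.ID) // ... and stop recognising the old one
	fmt.Println(client.Verify(pkg), client.Verify(newKey.Sign(pkg.Content))) // revoked-key ok
}
```

    The revoked check runs before the signature check on purpose: a correctly signed package from the old key is exactly what a holder of the leaked key and passphrase would produce, which is the residual risk Tim's "reasonably safe" refers to.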

  18. Re: Fedora servers hacked - Are signed packages valid?

    * Moshe Goldfarb. peremptorily fired off this memo:

    > On Sat, 23 Aug 2008 10:34:49 -0400, Linonut wrote:
    >
    > They are also a business that has to protect their reputation to a degree.
    > You swallowed too much kool aid on this, Linonut.


    What Kool-Aid? It's my own observations of Red Hat.

    Unlike Microsoft, much of their source-code is out there for everyone to
    see.

    I don't see where Red Hat has any *family jewels* they can protect from
    scrutiny.

    --
    Where humor is concerned there are no standards -- no one can say what
    is good or bad, although you can be sure that everyone will.
    -- John Kenneth Galbraith

  19. Re: Fedora servers hacked - Are signed packages valid?

    * Peter Köhlmann peremptorily fired off this memo:

    > Psyc Geek (TAB) wrote:
    >>
    >> They can only make an estimated guess.

    >
    > Bull****. They can easily verify the MD5 of every executable file on their
    > servers.
    >
    >> Does not change the fact.
    >> They were hacked.

    >
    > Yes. And they found out fast.


    And that is precisely the point. You will always have attempts on your
    systems. Not only do you need protection in place, you need auditing.

    --
    Give him an evasive answer.

  20. Re: Fedora servers hacked - Are signed packages valid?

    On Sat, 23 Aug 2008 12:57:52 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> On Sat, 23 Aug 2008 10:30:42 -0400, Linonut wrote:
    >>
    >>> Which is why Windows' gross insecurity on the /client/ side /does/
    >>> matter, and /grossly/ so.
    >>>
    >>> It's a case for the Better Business Bureau, basically consumer fraud in
    >>> my opinion.

    >>
    >> It's really more of a case of ignorant end users, and it doesn't always have
    >> to be Windows users either; it's just that Windows dominates the market.

    >
    > Nope. The problem is that Microsoft markets their Windows consumer
    > systems as easy-to-use appliances, but they are not.


    They *are* easy to use.

    Current systems come with antivirus etc already installed and set up.
    They can't however account for and protect users who circumvent the
    programs for convenience sake.


    >> When Linux gets a big enough desktop market share the same thing is going
    >> to happen.

    >
    > Still trotting out that old saw. Pray tell how many Linux systems,
    > percentagewise, are zombies?


    Very few desktop ones because Linux is pretty much under the radar.
    As for servers, the people managing servers on both sides (win/lin)
    typically have better skills and thus the exploits at that level are far
    fewer than desktop zombies.



    >> It may not be the Linux kernel that gets hacked, it could be firefox or
    >> Amarok or a tainted package management system etc.
    >>
    >> However, it will mostly boil down to ignorance on the part of the user.

    >
    > There will always be some ignorance. But Linux is more lean (even
    > without considering the burden of anti-virus and built-in firewalls) and
    > better designed for security.


    I agree with that statement.
    Windows was designed for ease of use and backward compatibility, and the basic
    architecture was never designed with high security in mind.

    However, look what is happening with Vista which has much better security
    features.
    People are turning them off because they become bothersome. UAC for one.


    > Servers? Knowledgeable admins make them roughly equivalent in Linux and
    > Windows.


    See above.
    I agree.

    > Desktop? No contest. Linux wins.


    It's because of the lack of targets, the fact that most people running
    Linux *ARE* more knowledgeable than the typical Windows person.

    When this changes, it will be an entirely different ball game.


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
