Fedora servers hacked - Are signed packages valid? - Linux



Thread: Fedora servers hacked - Are signed packages valid?

  1. Re: Fedora servers hacked - Are signed packages valid?

    On Sat, 23 Aug 2008 12:59:30 -0400, Linonut wrote:

    > * Moshe Goldfarb. peremptorily fired off this memo:
    >
    >> Actually I do believe security is binary, but let's not start that one up
    >> again
    >>
    >> What I am saying is that it doesn't matter in the scheme of things what was
    >> hacked, how it was hacked and so forth. The point is it *was* hacked.
    >>
    >> Obviously to the people running the thing it matters how, but looking at
    >> the big picture it's not as important.

    >
    > I'm giving up on this one. I maintain my position.


    Haha!

    Let's just differ on this one

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  2. Re: Fedora servers hacked - Are signed packages valid?

    * Tim Smith peremptorily fired off this memo:

    > I say reasonably safe rather than absolutely safe, because an attacker
    > with an old signing key and pass phrase might still be able to do some
    > pretty annoying things, due to design and administrative flaws in the
    > package management and distribution system, as was discussed here a few
    > months ago.


    The virtue of Debian's packaging system is that they'll never be able to
    figure it out .

    There's an awful lot to Debian package layout and administration, as I'm
    finding out. :-(

    The sig is false!

    --
    I am NOT a nut....

  3. Re: Fedora servers hacked - Are signed packages valid?


    "Peter Köhlmann" wrote in message
    news:48b035a5$0$11740$9b4e6d93@newsspool1.arcor-online.net...
    > Psyc Geek (TAB) wrote:
    >
    >> On Aug 22, 10:23 pm, Linonut wrote:
    >>> * Moshe Goldfarb. peremptorily fired off this memo:
    >>>
    >>> > On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    >>> > It doesn't matter.
    >>> > The server was hacked.
    >>> > The damage has been done and nobody knows the extent to which this
    >>> > damage has spread.
    >>>
    >>> I call bull****. It sounds like Red Hat /does/ know.
    >>>
    >>> --
    >>> Every living thing wants to survive.
    >>> -- Spock, "The Ultimate Computer", stardate 4731.3

    >>
    >> They can only make an estimated guess.

    >
    > Bull****. They can easily verify the MD5 of every executable file on
    > their
    > servers


    Assuming they have a valid MD5 to compare it to. Otherwise not so easy.


    >> Does not change the fact.
    >> They were hacked.

    >
    > Yes. And they found out fast


    Define "fast" in this context. How do you know they found out fast - because
    Redhat attempted to do damage control in their press release and claimed
    that they found out fast. Of course they're going to say they found this
    fast - but it doesn't mean it's true.




    ** Posted from http://www.teranews.com **

  4. Re: Fedora servers hacked - Are signed packages valid?

    Ezekiel wrote:

    >
    > "Peter Köhlmann" wrote in message
    > news:48b035a5$0$11740$9b4e6d93@newsspool1.arcor-online.net...
    >> Psyc Geek (TAB) wrote:
    >>
    >>> On Aug 22, 10:23 pm, Linonut wrote:
    >>>> * Moshe Goldfarb. peremptorily fired off this memo:
    >>>>
    >>>> > On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    >>>> > It doesn't matter.
    >>>> > The server was hacked.
    >>>> > The damage has been done and nobody knows the extent to which this
    >>>> > damage has spread.
    >>>>
    >>>> I call bull****. It sounds like Red Hat /does/ know.
    >>>>
    >>>> --
    >>>> Every living thing wants to survive.
    >>>> -- Spock, "The Ultimate Computer", stardate 4731.3
    >>>
    >>> They can only make an estimated guess.

    >>
    >> Bull****. They can easily verify the MD5 of every executable file on
    >> their
    >> servers

    >
    > Assuming they have a valid MD5 to compare it to. Otherwise not so easy.
    >


    Well, just let's assume they have. Because they do

    >>> Does not change the fact.
    >>> They were hacked.

    >>
    >> Yes. And they found out fast

    >
    > Define "fast" in this context.


    Well, fast. As in "a short time"
    Not the "MS short time (tm)" which ranges anywhere from 5 weeks to several
    years

    > How do you know they found out fast -
    > because Redhat attempted to do damage control in their press release and
    > claimed that they found out fast. Of course they're going to say they
    > found this fast - but it doesn't mean it's true.
    >


    And just because a widiot like you claims otherwise, it is not true either.
    And guess what: I put the word of Redhat several miles above anything you
    and your ilk will claim
    --
    Support bacteria -- it's the only culture some people have!


  5. Re: Fedora servers hacked - Are signed packages valid?


    "Peter Köhlmann" wrote in message
    news:48b2c825$0$20705$9b4e6d93@newsspool4.arcor-online.net...
    > Ezekiel wrote:
    >
    >>
    >> "Peter Köhlmann" wrote in message
    >> news:48b035a5$0$11740$9b4e6d93@newsspool1.arcor-online.net...
    >>> Psyc Geek (TAB) wrote:
    >>>
    >>>> On Aug 22, 10:23 pm, Linonut wrote:
    >>>>> * Moshe Goldfarb. peremptorily fired off this memo:
    >>>>>
    >>>>> > On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    >>>>> > It doesn't matter.
    >>>>> > The server was hacked.
    >>>>> > The damage has been done and nobody knows the extent to which this
    >>>>> > damage has spread.
    >>>>>
    >>>>> I call bull****. It sounds like Red Hat /does/ know.
    >>>>>
    >>>>> --
    >>>>> Every living thing wants to survive.
    >>>>> -- Spock, "The Ultimate Computer", stardate 4731.3
    >>>>
    >>>> They can only make an estimated guess.
    >>>
    >>> Bull****. They can easily verify the MD5 of every executable file on
    >>> their
    >>> servers

    >>
    >> Assuming they have a valid MD5 to compare it to. Otherwise not so easy.
    >>

    >
    > Well, just let's assume they have. Because they do


    Let's ASSUME they don't. Just because *you* claim that they do doesn't mean
    squat.


    >>>> Does not change the fact.
    >>>> They were hacked.
    >>>
    >>> Yes. And they found out fast

    >>
    >> Define "fast" in this context.

    >
    > Well, fast. As in "a short time"
    > Not the "MS short time (tm)" which ranges anywhere from 5 weeks to several
    > years
    >
    >> How do you know they found out fast -
    >> because Redhat attempted to do damage control in their press release and
    >> claimed that they found out fast. Of course they're going to say they
    >> found this fast - but it doesn't mean it's true.
    >>

    >
    > And just because a widiot like you claims otherwise, it is not true
    > either.
    > And guess what: I put the word of Redhat several miles above anything you
    > and your ilk will claim


    Oh yes - Poor Peter. Once again he can't back up his claim so he needs to
    resort to a childish ad hominem attack with his "widiot" tripe. The *FACT* is
    that there is actual proof that Redhat found this out quickly as Peter
    claims. All we have is a Redhat PR person spinning the company line in order
    to do some damage control with claims that it was found out quickly. They
    are also so very sure the keys weren't compromised. They are so sure in fact
    that they are going to replace the keys that they know have not been
    compromised.

    Any moron who believes this spin from a PR damage control expert is probably
    the same moron that's looking to buy a slightly used bridge.





    ** Posted from http://www.teranews.com **

  6. Re: Fedora servers hacked - Are signed packages valid?

    In comp.os.linux.advocacy, Linonut wrote on Sat, 23 Aug 2008 10:33:26 -0400:
    > * The Ghost In The Machine peremptorily fired off this memo:
    >
    >> Mirrors are an exception to the Linux insulation from
    >> viruses; they carry files which are installed as root.

    >
    > Huh? All computers have files installed as root.


    To be more precise...the files filched from a mirror
    are intended to be installed on the user's unit using an
    administrative user's account, which in Linux's case is
    traditionally root.

    The files themselves are possibly owned by "distro", and
    the ftp or http daemon is probably a different user in a
    group common to "distro", allowing read-only access to that
    group. It is also possible the files are world-readable.

    I'd have to check.

    >
    > Are you saying the distro files for distribution to third
    > parties are installed as root?
    >
    > No way.


    Not sure what third parties would be involved here apart
    from other mirrors. Your objection is valid as far as it
    goes but I meant something entirely different. ;-)

    I would hope mirrors can do a verification pass on copied
    files, though the best I can do there is to put '.md5'
    files in a known place on the root server; these would
    not mirror (not really necessary) and would serve as a
    flag to indicate file corruption.

    Certain "rainbow attacks", however, might make life
    interesting. I don't know the details but .md5 isn't
    perfect; there's a 1 in 2^128 probability that the file
    is wrong even though the checksums match. There's not a
    lot one can do about that chance except encrypt the entire
    file, though 2^128 would take longer than the age of the
    Universe to crack using brute-force methods (the age of
    the Universe is at the very most 80 billion years[*],
    or 2.52 * 10^18 seconds (give or take a few millennia);
    2^128 = 3.40 * 10^38).

    But that's what makes rainbow attacks so dangerous;
    obviously they don't take quite that long... ;-)

    And of course corrupting the source mirror means
    propagated corruption to all other mirrors, if they
    do no checking beyond ensuring that the file size
    is correct.

    >
    >> All binary-based distros are vulnerable if they don't
    >> implement checking methods (I would hope most do by now),
    >> or if those checking methods are hacked (as they might have
    >> been in this case, though it's far from clear whether the
    >> key's passphrase was compromised or not -- or whether the
    >> hackers used it if it was).
    >>
    >> Source-based distros are also vulnerable, though the
    >> viruses would have to be entirely different.

    >
    > Moshe's simply pulling a variation on the patented Erik Funkenbusch
    > "security is binary" claim.


    Security is an onion, at that, and in some cases hard
    to peel. Which part of the system was compromised?
    Looks like a server daemon and part of the data repository,
    at the very most; the rest of the server should be OK
    with any luck.

    >
    > In other words, avoid nuance so that you can equate two situations,
    > whether you know they are the same, or not.
    >


    Nuances are valid -- though I'm frankly not sure precisely
    what occurred in the Fedora case. Sounds like someone
    took advantage of a server vulnerability, filched some
    information (a private key, among other things), but was
    unable to use some of it. Several variants are possible.

    [1] The user was able to change some files on the master,
    but was unable to sign them.

    [2] The user was able to change some files on the master,
    and did not bother to sign them.

    [3] The user was able to change some files on the master,
    and signed them using a "lookalike" certificate.
    For example, one might use fed0ra -- note the zero --
    or "fedora " or some other such variant. The casual
    user may not notice this variation, though the casual
    user might not even *see* the verification process,
    as the tool -- rpm in Fedora's case -- simply takes
    the public key from a file in a known spot, if I'm not
    totally mistaken. In the case of using a file, the
    flaw becomes distressingly obvious, with mysterious
    failures (until the user checks thereinto) when
    unpacking the .rpm file -- since the certificate will
    not verify.

    So which was it?
    [*] there are certain inconsistencies in the
    measurement/theory that are best discussed elsewhere.
    Many use 15 or 20 billion years, as that's the part we
    can readily see with current telescopes. Sol is about
    4.5 - 5 billion years old; Earth about 4.5 billion
    years old. This is therefore a rather conservative
    (for my purposes) value -- and it obviously falls
    a little short. ;-)

    --
    #191, ewill3@earthlink.net
    Linux sucks efficiently, but Windows just blows around
    a lot of hot air and vapor.
    ** Posted from http://www.teranews.com **

  7. Re: Fedora servers hacked - Are signed packages valid?

    In comp.os.linux.advocacy, Moshe Goldfarb. wrote on Sat, 23 Aug 2008 14:25:05 -0400:
    > On Sat, 23 Aug 2008 12:57:52 -0400, Linonut wrote:
    >
    >> * Moshe Goldfarb. peremptorily fired off this memo:
    >>
    >>> On Sat, 23 Aug 2008 10:30:42 -0400, Linonut wrote:
    >>>
    >>>> Which is why Windows' gross insecurity on the /client/ side /does/
    >>>> matter, and /grossly/ so.
    >>>>
    >>>> It's a case for the Better Business Bureau, basically consumer fraud in
    >>>> my opinion.
    >>>
    >>> It's really more of a case of ignorant end users and it doesn't always have
    >>> to be Windows users either it's just that Windows dominates the market.

    >>
    >> Nope. The problem is that Microsoft markets their Windows consumer
    >> systems as easy-to-use appliances, but they are not.

    >
    > They *are* easy to use.


    And easily secured, through third-party software and hardware.
    NAT routers in particular block all packet attacks.

    That this security comes at additional cost may be a factor,
    but it is a comparative problem, not a positive one; Linux
    does not beat Windows here in terms of capability, but
    might in terms of performance.

    >
    > Current systems come with antivirus etc already installed and set up.
    > They can't however account for and protect users who circumvent the
    > programs for convenience sake.


    No system can. One hopes for reasonable defaults so that
    the neophyte user gets a clue while reading through the
    documentation presented as part of the installation
    process -- assuming there is one (most Windows boxes
    are preinstalls, after all; very convenient but the user
    jumping onto the Internet might not get all of the nuances).

    >
    >
    >>> When Linux gets a big enough desktop market share the same thing is going
    >>> to happen.

    >>
    >> Still trotting out that old saw. Pray tell how many Linux systems,
    >> percentagewise, are zombies?

    >
    > Very few desktop ones because Linux is pretty much under the radar.


    Linux *is* under the radar. Windows is very noisy, and
    even without the adverts helpfully provided by Microsoft,
    would get a fair amount of press just because of the
    security issues -- if the press reports it properly,
    anyway (many news reports simply mention "PCs" instead of
    "Microsoft Windows-installed PCs", presumably to save a
    few column lines).

    > As for servers, the people managing servers on both sides (win/lin)
    > typically have better skills and thus the exploits at that level are far
    > fewer than desktop zombies.


    Which are predominantly Windows machines, as far as I know.

    >
    >
    >
    >>> It may not be the Linux kernel that get hacked, it could be firefox or
    >>> Amarok or a tainted package management system etc.
    >>>
    >>> However, it will mostly boil down to ignorance on the part of the user.

    >>
    >> There will always be some ignorance. But Linux is more lean (even
    >> without considering the burden of anti-virus and built-in firewalls) and
    >> better designed for security.

    >
    > I agree with that statement.
    > Windows was designed for ease of use, backward compatibility and the basic
    > architecture was never designed with high security in mind.
    >
    > However, look what is happening with Vista which has much better security
    > features.
    > People are turning them off because they become bothersome. UAC for one.


    It's the wrong form of security. ;-)

    >
    >
    >> Servers? Knowledgeable admins make them roughly equivalent in Linux and
    >> Windows.

    >
    > See above.
    > I agree.
    >
    >> Desktop? No contest. Linux wins.

    >
    > It's because of the lack of targets, the fact that most people running
    > Linux *ARE* more knowledgeable than the typical Windows person.
    >
    > When this changes, it will be an entirely different ball game.
    >


    I'm not sure about that. One issue with Windows is that Exchange is
    (or rather was) extremely vulnerable because of a flaw in its
    *preview* pane.

    --
    #191, ewill3@earthlink.net
    Warning: This encrypted signature is a dangerous munition.
    Please notify the US government immediately upon reception.
    0000 0000 0000 0000 0001 0000 0000 0000 ...
    ** Posted from http://www.teranews.com **

  8. Re: Fedora servers hacked - Are signed packages valid?

    In comp.os.linux.advocacy, Peter Köhlmann wrote on Sat, 23 Aug 2008 18:07:01 +0200
    <48b035a5$0$11740$9b4e6d93@newsspool1.arcor-online.net>:
    > Psyc Geek (TAB) wrote:
    >
    >> On Aug 22, 10:23 pm, Linonut wrote:
    >>> * Moshe Goldfarb. peremptorily fired off this memo:
    >>>
    >>> > On Fri, 22 Aug 2008 23:50:01 GMT, thufir wrote:
    >>> > It doesn't matter.
    >>> > The server was hacked.
    >>> > The damage has been done and nobody knows the extent to which this
    >>> > damage has spread.
    >>>
    >>> I call bull****. It sounds like Red Hat /does/ know.
    >>>
    >>> --
    >>> Every living thing wants to survive.
    >>> -- Spock, "The Ultimate Computer", stardate 4731.3

    >>
    >> They can only make an estimated guess.

    >
    > Bull****. They can easily verify the MD5 of every executable file on their
    > servers


    That MD5 can also be changed, if the hacker's smart enough
    to realize it is there and it's allowed to be changeable.
    Best bet I can think of is to set up the server off the
    network, generate the MD5 list, burn it to a CD-ROM using
    a CD burner, and then use a read-only CD drive.

    An alternative is to put the MD5 list on a central server,
    off the main Internet.

    Both might be a bit paranoid; unless a local root attack
    is possible on the server it's generally sufficient to
    just make the files world-readable.

    >
    >> Does not change the fact.
    >> They were hacked.

    >
    > Yes. And they found out fast


    How fast, just out of curiosity? Are we talking 4 hours fast,
    as in the case of the teardrop attack?

    --
    #191, ewill3@earthlink.net
    Warning: This encrypted signature is a dangerous munition.
    Please notify the US government immediately upon reception.
    0000 0000 0000 0000 0001 0000 0000 0000 ...
    ** Posted from http://www.teranews.com **
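The Ghost's two posts above (the mirror "verification pass" against checksum files in post 6, and the "generate the list, keep it read-only, compare later" suggestion in post 8) describe a file-integrity baseline. The script below is an added example, not code from the thread or from Fedora's infrastructure, and it makes two choices worth stating: it hashes with SHA-256 instead of MD5, because MD5's weakness is practical collision construction rather than the 2^128 brute-force figure discussed in post 6; and it records file size alongside the digest so it can show exactly the case post 6 warns about, a mirror that only checks sizes and therefore passes a same-length tampered file. Where the baseline is stored (read-only media, an off-network host) is outside the code; the `baseline.json` path and the tiny "mirror" tree are constructed for the demo.

```python
"""File-integrity baseline and verification for a package mirror tree.

Added example, not the thread's or any distribution's code. SHA-256 is used
in place of the MD5 discussed in the thread (assumption / design choice).
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

HASH_NAME = "sha256"


def hash_file(path, chunk=1 << 20):
    """Stream a file through the digest so large packages don't need to fit in RAM."""
    h = hashlib.new(HASH_NAME)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record size and digest of every regular file under root, keyed by relative path."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, HASH_NAME: hash_file(p)}
    return manifest


def save_manifest(manifest, out_path):
    Path(out_path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_tree(root, baseline):
    """Compare the live tree with a baseline manifest; return sorted findings."""
    current = build_manifest(root)
    modified = sorted(rel for rel in baseline
                      if rel in current and current[rel] != baseline[rel])
    missing = sorted(rel for rel in baseline if rel not in current)
    added = sorted(rel for rel in current if rel not in baseline)
    # Files a size-only mirror check would have accepted despite changed content.
    same_size_modified = sorted(rel for rel in modified
                                if current[rel]["size"] == baseline[rel]["size"])
    return {"modified": modified, "missing": missing, "added": added,
            "same_size_modified": same_size_modified}


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mirror"
        (root / "Packages").mkdir(parents=True)
        (root / "Packages" / "foo-1.0.rpm").write_bytes(b"original package bytes")
        (root / "Packages" / "bar-2.0.rpm").write_bytes(b"another package")
        # In practice this file lives on read-only media or an off-network host.
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Tamper: same-length content change, a deleted package, an unexpected file.
        (root / "Packages" / "foo-1.0.rpm").write_bytes(b"original package bytez")
        (root / "Packages" / "bar-2.0.rpm").unlink()
        (root / "Packages" / "evil-0.1.rpm").write_bytes(b"unexpected")
        return verify_tree(root, load_manifest(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run as a script it prints the findings for the constructed tree: one modified file (which a size-only check would have missed), one missing and one added. On a real mirror the baseline would be generated from a known-good master and the comparison run by a host that the mirror's own daemon cannot write to, which is the point of post 8's read-only suggestion.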
