[aklug] Re: Bigger threat than DNS

From: <bryanm@acsalaska.net>
Date: Fri Jul 11 2008 - 16:41:00 AKDT

On Fri, July 11, 2008 7:40 am, Arthur Corliss wrote:
> On Fri, 11 Jul 2008, Mike Tibor wrote:
>
>> I can't get to the original article Slashdot references since it appears
>> to be slashdotted at the moment. :-) However, having maintained AKLUG's
>> Red Hat mirror for a few years I can confirm that anyone can fire up a
>> mirror and be listed in a release announcement. Nobody was ever really
>> concerned about that because the package signatures should have prevented
>> a malicious mirror admin from tampering with them.
>
> :-) Read below...
>
>> Arthur, can you give a quick summary of the original article?
>
> This focused primarily on "replay" attacks. In short, a mirror could easily
> serve up older packages with known flaws in lieu of the updated one and none
> of the major tools (APT, YUM, YaST, etc.) would catch it, since there's no
> way to "retire" known bad packages.
>
> Also, a mirror could simply not carry a lot of the security updates
> published, leaving a lot of users vulnerable while feeling safe in that they
> think they're up to date.
>
> He also linked to another report about endless data attacks, extraneous
> dependencies, etc.

I haven't RTFA, but the comments on Slashdot point out that when
you become aware of updates and conscientiously give the update
command, you're advertising that the computer at your IP address
is running a vulnerable package. If you request the update from
a malicious mirror, it can target your IP and have a rootkit
installed before you have a chance to update the package.

Now THAT's scary.

--
Bryan Medsker
bryanm@acsalaska.net
Received on Fri Jul 11 16:41:14 2008
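
Added example, not part of the original thread and not code from any package manager: a client-side check for the replay and stale-mirror cases described in the quoted summary above. It assumes the mirror's index is signed and carries a generation time (signature checking is out of scope here); the index format, `MAX_AGE`, the dotted numeric versions and the package names are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=7)  # assumed freshness window, not a value from the thread

def parse_version(v):
    """Turn a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))

def check_mirror(index, state, now):
    """Compare a mirror's index with what this client accepted on its last sync.

    index and state: {"generated": datetime, "packages": {name: version}}
    Returns a list of findings; an empty list means the index may be accepted.
    """
    findings = []
    if index["generated"] < state["generated"]:
        findings.append("replay: index older than one already accepted")
    if now - index["generated"] > MAX_AGE:
        findings.append("freeze: index not refreshed within MAX_AGE")
    for name, seen in state["packages"].items():
        offered = index["packages"].get(name)
        if offered is None:
            findings.append(f"missing: {name} dropped from index")
        elif parse_version(offered) < parse_version(seen):
            findings.append(f"rollback: {name} {offered} < {seen}")
    return findings

def accept(index, state, now):
    """Record the index as the new baseline only if every check passes."""
    findings = check_mirror(index, state, now)
    if not findings:
        state["generated"] = index["generated"]
        state["packages"].update(index["packages"])
    return findings

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def fresh_state():
    """Constructed baseline: what the client saw on its last good sync."""
    return {"generated": utc(2008, 7, 9), "packages": {"libfoo": "1.4.2", "food": "2.1.0"}}

# Constructed sample indexes and clock values.
NOW = utc(2008, 7, 11)
LATER = NOW + timedelta(days=11)
HONEST = {"generated": utc(2008, 7, 10), "packages": {"libfoo": "1.4.3", "food": "2.1.0"}}
REPLAYED = {"generated": utc(2008, 6, 1), "packages": {"libfoo": "1.4.1", "food": "2.1.0"}}

if __name__ == "__main__":
    print(accept(HONEST, fresh_state(), NOW))
    print(check_mirror(REPLAYED, fresh_state(), NOW))
```

The package signatures on the replayed index would still verify, which is why the comparison against previously seen state is needed in addition to them.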
