l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2008 Aug 21 10:17

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Linux file/module security proposal.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Linux file/module security proposal.

>>>>> On Wed, 20 Aug 2008 22:29:57 -0700, Bill Broadley <bill@cse.ucdavis.edu> said:

BB> So would you use such a mirror to protect against trojan binaries
BB> and kernel modules?  Why?  Why not?  Can you think of a better
BB> approach?

Well, it all comes down to how much of the system the hacker owns.  If
he has root on your machine he's likely inserted a kernel module to hide
things or change things (many of them actually still report proper
md5sums for a hacked binary because they've hacked the kernel to be
different for reading vs executing something).  So online scanning is
actually not necessarily effective (and taking a machine down on a
regular basis to boot off a trusted medium to do scanning is obviously
not ideal, especially for servers).

You have to trust someone to get your software from.  It may be that you
can set up a building repository as you've described, but as you say you
have to trust it (more than you trust the original site).  Unless it's
more secure than the original distribution site it doesn't help you.
Plus as you rebuild a ton of packages, what's to say that the sources
you're pulling from don't have trojans in it?  Rebuilding the package
doesn't help if it's coming from the same sources.

Finally, if they have root on your local machine, there is nothing
preventing them from installing bogus GPG keys or worse binaries that
report they've checked the signature but actually don't.  The
cryptographic checks *only* work if your machine hasn't been broken into
in the first place.  Afterward, it's far too late.

"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.