[conspire] computer security

Rick Moen rick at linuxmafia.com
Tue Mar 9 15:56:29 PST 2021


Quoting Paul Zander (paulz at ieee.org):

>  Part way through it says:
> we have to somehow convince the user to download and install our
> awesome new game.  Which translates to "installing random software".  In
> the Windoz world getting software online means going to all sorts of
> places.  Even "legitimate" websites play games, like have a box
> pre-checked to download some other thing, like McAfee, at the same
> time.  In Linux, virtually everything most people need is available
> as a package from a standard repository for Debian, Ubuntu or other. 
> And using the package manager takes care of dependencies on other
> libraries so it is more likely that the newly downloaded program will
> run without manual fussing.  

Of course, this is a key part of why almost all IT journalism (cribbing
from antimalware / computer security firms' press releases) is basically
useless:  It takes for granted that any user will blithely install & run
software from nowhere-in-particular written by nobody-in-particular 
(and probably do so with system privilege) _because_ that is the
cultural norm among MS-Windows users.

There's nothing inherently particularly secure about Unix; never was.
It was in origin, after all, basically yet another academic one-off.  
Mostly what helps is (1) careful clarity about privilege, (2) a cultural
norm that software _not_ vetted by distro package maintainers is
dangerous, and (3) clarity about when one is executing code.

Item #2 is a powerful protection, in particular.   We hear all the time 
from these IT-press bozos that "all that's necessary to subvert Unix
security is to convince a user to run untrustworthy code with root
authority" -- but, in the Unix culture, that's about the same as saying
"All that's necessary to get someone to commit suicide is to convince
him/her to aim a loaded gun at his/her head and pull the trigger."  As
in, sure, that's obviously true as stated, but the blithe assumption
that _everyone_ is gullible and stupid is eye-roll-worthy.

> Of course this is not totally cyber-proof.

{sigh}

Shooting the loaded gun does indeed drill a hole, yes.

> I recall a few years back that a major Linux repository was hacked.

No, I'm betting you didn't.

As mentioned downthread, some source tarballs at kernel.org were
trojaned briefly during the famous incident, _but_ that did not succeed
in infiltrating the kernel git repo, where all check-ins are
SHA1-signed, and even compromise of hosts holding the repo could not
suffice to break the repo-hosted source integrity.

That was a shell-level breakin via a stolen key from one kernel dev, that
permitted the host compromise.  If memory serves, the suspect tarballs 
did not validate to signature hashes, by the way, so _even_ people who
checked out Linux kernel tarballs instead of doing git pulls had the
means readily at hand to detect the brief fraud.

Likewise, when a zero-day kernel exploit got used to briefly take over a
couple of Debian Project hosts and a couple of Gentoo Project ones, the
intruders were not able to compromise crypto signed distro package contents,
for pretty much the same reasons.

http://linuxmafia.com/~rick/faq/ lists very similar incidents where 
shared hosts got rooted that hosted dev trees / tarballs of the
following codebases that are or were frequently used on *ix:

o  Wietse Venema's TCP wrappers
o  sendmail
o  SquirrelMail
o  ProFTPD
o  vsftpd

In every case, PGP-signed checksums were either suspiciously lacking for
the trojaned replacement tarballs, or failed to validate, thus making
the (brief) forgeries easy to spot.

Of course, if you naively download upstream source code (why?) and
naively ignore code-signing (why?), then you might have gotten bitten
during the brief period before the dev noticed and corrected the
host-level compromise.  But then, as my saying goes, you have bigger
problems.

As pointed out on my (above-cited) anti-virus-software-for-Linux
page, if you are terribly, terribly worried about compromise of software
distribution chains on Linux distributions, then you are going to be
_really_ frightened when you hear about the risks you face with
proprietary software and platforms, as they are rather more
considerable.
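Added example (mine, not anything from the post or from kernel.org / the Debian
or Gentoo projects): a stand-alone Python model of the two integrity properties
the message relies on.  First, git-style content addressing, computed exactly as
git does it (SHA-1 over "<type> <size>\0" plus the body), so that a client who
holds the tip commit id detects any rewrite of history on a rooted mirror.
Second, a signed-checksum-manifest check of the SHA256SUMS + detached-signature
kind, refusing a release whose manifest is missing its signature, fails to
validate, or lists hashes the tarballs do not match.  Assumptions: the tree and
commit layouts are simplified text (real git trees are binary), the "mirror" and
"client" are in-memory dicts, the tarball bytes and MAINTAINER_KEY are
constructed, and an HMAC stands in for the maintainer's PGP detached signature
(same verification shape; no real key material involved).

```python
"""Added example: content-addressed history and signed-manifest verification.
Not from the original post; scenario data below is constructed."""
from __future__ import annotations
import hashlib
import hmac
from typing import Optional


def git_object_id(obj_type: str, body: bytes) -> str:
    """Object id as git computes it: sha1(b"<type> <len>\\0" + body)."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def make_tree(files: dict[str, bytes]) -> str:
    """Simplified tree object: sorted 'mode name blob-id' lines (assumption:
    real git stores this in a binary layout; the chaining idea is identical)."""
    body = "".join(f"100644 {name} {git_object_id('blob', data)}\n"
                   for name, data in sorted(files.items())).encode()
    return git_object_id("tree", body)


def make_commit(tree_id: str, parent: Optional[str], msg: str) -> str:
    """Commit id covers the tree id AND the parent id, hence the whole past."""
    body = f"tree {tree_id}\n" + (f"parent {parent}\n" if parent else "")
    body += f"\n{msg}\n"
    return git_object_id("commit", body.encode())


def build_history(snapshots: list[tuple[dict[str, bytes], str]]) -> list[str]:
    """Chain commits; returns the commit ids oldest first."""
    ids: list[str] = []
    parent: Optional[str] = None
    for files, msg in snapshots:
        parent = make_commit(make_tree(files), parent, msg)
        ids.append(parent)
    return ids


def tip_is_intact(mirror_snapshots, pinned_tip: str) -> bool:
    """Client side: recompute the mirror's history and compare to the tip id
    the client already trusts (e.g. from a signed tag or a prior pull)."""
    return hmac.compare_digest(build_history(mirror_snapshots)[-1], pinned_tip)


# ---- signed checksum manifest (SHA256SUMS + detached signature) ----------
def make_manifest(tarballs: dict[str, bytes]) -> bytes:
    """sha256sum-style lines: '<hex digest>  <filename>'."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n"
                   for n, d in sorted(tarballs.items())).encode()


def sign_manifest(manifest: bytes, key: bytes) -> bytes:
    """Stand-in for the maintainer's detached PGP signature (assumption: HMAC
    is used here only so the example runs with the standard library)."""
    return hmac.new(key, manifest, hashlib.sha256).digest()


def verify_release(tarballs: dict[str, bytes], manifest: bytes,
                   signature: Optional[bytes], key: bytes) -> tuple[bool, str]:
    """Authenticate the manifest BEFORE trusting any hash listed in it.  An
    intruder who rooted the download host but lacks the signing key can only
    drop the signature or publish one that fails; both are refusals here."""
    if signature is None:
        return False, "manifest is unsigned"
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature does not validate"
    for line in manifest.decode().splitlines():
        digest, name = line.split("  ", 1)
        if name not in tarballs:
            return False, f"{name} listed but not present"
        if hashlib.sha256(tarballs[name]).hexdigest() != digest:
            return False, f"{name} does not match signed checksum"
    return True, "ok"


# ---- constructed scenario (no real project data) --------------------------
MAINTAINER_KEY = b"constructed-maintainer-secret"
GOOD_HISTORY = [
    ({"Makefile": b"all: hello\n", "hello.c": b"int main(){return 0;}\n"}, "import"),
    ({"Makefile": b"all: hello\n", "hello.c": b"int main(){return 1;}\n"}, "fix rc"),
]


def tampered_history():
    """A rooted mirror rewrites the OLDEST snapshot; every later id shifts."""
    evil = dict(GOOD_HISTORY[0][0])
    evil["hello.c"] = b"int main(){system(\"/bin/sh\");}\n"
    return [(evil, GOOD_HISTORY[0][1]), GOOD_HISTORY[1]]


def release_checks() -> dict[str, tuple[bool, str]]:
    """Genuine release, unsigned swap, and a trojaned tarball under the real
    signature; only the genuine one passes."""
    good = {"hello-1.0.tar.gz": b"constructed tarball bytes"}
    manifest = make_manifest(good)
    sig = sign_manifest(manifest, MAINTAINER_KEY)
    trojaned = {"hello-1.0.tar.gz": b"constructed tarball bytes + backdoor"}
    return {
        "genuine": verify_release(good, manifest, sig, MAINTAINER_KEY),
        "unsigned": verify_release(trojaned, make_manifest(trojaned), None, MAINTAINER_KEY),
        "trojaned": verify_release(trojaned, manifest, sig, MAINTAINER_KEY),
    }


if __name__ == "__main__":
    tip = build_history(GOOD_HISTORY)[-1]
    print("pinned tip intact on honest mirror:", tip_is_intact(GOOD_HISTORY, tip))
    print("pinned tip intact on rooted mirror:", tip_is_intact(tampered_history(), tip))
    for case, result in release_checks().items():
        print(f"{case}: {result}")
```

The order in verify_release is the whole point: a hash taken from an unsigned or unverified manifest proves nothing, because whoever replaced the tarball could just as easily have rewritten the manifest to match.  In the same way, tip_is_intact only helps a client who obtained the tip id out of band (a signed tag, a previous pull, a maintainer announcement); pulling both the history and the "expected" id from the same rooted host would verify nothing.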
