[sf-lug] update from computer newbie
Rick Moen
rick at linuxmafia.com
Fri Jul 7 22:11:33 PDT 2006
Quoting Asheesh Laroia (asheesh at asheesh.org):
> Is it a live CD you made? If not, why do you trust it?
{chuckle} You're one of those _smart_ people; I can tell.
It's a really good question; as the saying goes, "Adjust your paranoia
to suit." When you see ISOs available for download, you see md5sums
or sha1sums (hash values) that you can download to check them, but
that's mostly to verify download integrity and make sure you haven't
garbled some bits in transition. You as one of those smart people would
then ask, "Well, why do you trust the hash values?" That's an other
good question.
Security is, in a word, difficult. One methold people use to validate
hash values is to offer them for download in a file that's
cryptographically signed by a special signing key (gpg or whatnot).
You would of course ask, right on cue, "Why do you trust that gpg key?"
And that's a third good question. One traditional answer is that it's a
key that's been posted on some corporate Web site for a long time, with
the private half of the key guarded closely, and can be checked against
previously downloaded values and against values included on the
company's CD or DVD merchandise. An alternative answer is what the
Debian Project does with packages, where various package-maintainers'
keys have been signed by other people, and those by other people, etc.,
such that you probably can follow a trail of signatures from one you
yourself trust.
But security is difficult. See also: "Viruses and Trojans and Worms,
Oh My! Linux Security and the Bad Guys' Tools" on
http://linuxmafia.com/presentations/
More information about the sf-lug
mailing list