[sf-lug] Advantages of distro package regimes

Charles N Wyble charles at thewybles.com
Wed Dec 26 13:09:46 PST 2007


Kristian Erik Hermansen wrote:
> On Dec 26, 2007 1:33 PM, Charles N Wyble <charles at thewybles.com> wrote:
>   
>> Your comments above imply that you know something about the security of
>> medibuntu. If you know of a vulnerability in their systems or processes
>> and do not report it to them, you are doing a disservice to the
>> community. I certainly hope this is not the case?
>>     
>
> It has nothing to do with specific vulnerabilities, although even if I
> did know something, it does not mean I am bad for not reporting it.
>   

Well, that is highly debatable. I believe that failing to report a 
vulnerability, especially in something so widely used as the medibuntu 
third-party repository, is doing a disservice to the community.

> There are rampant vulnerabilities all over the place, and once you
> start looking, it becomes almost a full time job to report all of them
> that you see. 

I am well aware of that. I am not some newbie. I have handled a number 
of security incidents at various organizations.

>  In fact, some people make careers in vulnerability
> reporting or affiliated commercial ventures. 

Yep they sure do. 

>  I have reported lots of
> vulnerabilities, and most of the time, no one cares unless it is
> something really nefarious.

Well I go back to my original argument that a vulnerability in 
medibuntu.org would be fairly nefarious.

>   Now, let's just say that I could attack
> medibuntu.org?  OK, so I still don't have the private GPG key perhaps,
> but a lot of users routinely override that APT warning.

Certainly. Just like users click through prompts without looking, etc.

>   In this
> sense, here is one thing I see wrong with medibuntu that is obvious.
> And remember, the more eyes on the resource, the more bugs that will
> be revealed (this is bug finding 101).
>   

I am well aware of peer review and bug fixing. You don't need to point 
that out to me. I have led several enterprise software projects and a 
couple open source ones.

> The domain was recently registered, and only for a year.  Do a whois
> if you like to verify. 

No need. I don't think you would lie about something so easily verified :)

>  Also notice that they do implement
> ClientTransferProhibited, but not ClientUpdateProhibited.  If I cared
> enough, I am sure I could social engineer an update to the DNS records
> to point at my rogue server. 

You certainly could. DNS attacks are very common.

>  With the amount of traffic going to
> Ubuntu.com every day, this may not be possible (number of eyes).
> However, most people set medibuntu and forget it.  It could be a
> matter of days before anyone noticed that it was being redirected.  I
> would do it on a holiday weekend if I wanted to be really sneaky.
> These things do happen.
>   

Yes, they do. And it's something to keep an eye out for. Some people have 
automated checks in place for this sort of thing, depending on their 
threat profile, etc.

> Additionally, Medibuntu has a very large attack surface.  This is not
> a good thing.  What do I mean?  Here is some evidence for you to
> contemplate...
>
>   


Have you ever heard of a honeypot? The nmap output below is quite common 
on systems that are running honeypot software.
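The automated checks mentioned above can be small. As an added example (not code from the original message, from Medibuntu, or from either poster), the script below flags the three conditions discussed in the thread: a registration carrying clientTransferProhibited but not clientUpdateProhibited (the transfer lock stops a registrar move, only the update lock stops a nameserver change), a registration term of about a year, and nameservers or addresses that no longer match a baseline recorded when the repository was first added. The domain, dates, WHOIS text and DNS answers are constructed sample data so it runs offline; a real deployment would fetch them with a WHOIS client and a resolver on a schedule and compare against the same kind of stored baseline.

```python
"""Baseline check for a third-party APT repository's domain registration and DNS.

Added example for this thread, not Medibuntu's or the posters' code. All
inputs below are constructed placeholders.
"""
from datetime import date, datetime

# Constructed sample WHOIS response in the common "Key: value" layout.
# The domain, dates and hosts are placeholders, not a real registration.
SAMPLE_WHOIS = """\
Domain Name: example-repo.invalid
Creation Date: 2007-09-01T00:00:00Z
Registry Expiry Date: 2008-09-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-REPO.INVALID
Name Server: NS2.EXAMPLE-REPO.INVALID
"""

# EPP client status codes named in the thread. clientTransferProhibited only
# blocks moving the domain to another registrar; clientUpdateProhibited is the
# one that blocks changes to nameservers and contacts.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited"}

# Constructed baseline recorded when the repository was first configured.
BASELINE = {"ns": {"ns1.example-repo.invalid", "ns2.example-repo.invalid"},
            "a": {"198.51.100.10"}}
# Constructed "current" answers for a redirected domain (RFC 5737 test addresses).
HIJACKED = {"ns": {"ns1.rogue.invalid"}, "a": {"203.0.113.7"}}
# Constructed check date (the date of the thread).
TODAY = date(2007, 12, 26)


def parse_whois(text):
    """Extract (statuses, created, expires, nameservers) from key/value WHOIS output."""
    statuses, nameservers = set(), set()
    created = expires = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "domain status":
            statuses.add(value.split()[0])          # drop the trailing EPP URL
        elif key == "name server":
            nameservers.add(value.lower().rstrip("."))
        elif key == "creation date":
            created = datetime.strptime(value[:10], "%Y-%m-%d").date()
        elif key in ("registry expiry date", "registrar registration expiration date"):
            expires = datetime.strptime(value[:10], "%Y-%m-%d").date()
    return statuses, created, expires, nameservers


def audit(whois_text, resolved, baseline, today, max_short_term_days=366):
    """Return a list of findings; an empty list means locks are set and nothing moved.

    resolved and baseline are dicts with 'ns' (set of nameserver names) and
    'a' (set of IPv4 strings) as seen by the resolver.
    """
    findings = []
    statuses, created, expires, whois_ns = parse_whois(whois_text)

    for lock in sorted(REQUIRED_LOCKS - statuses):
        findings.append(f"missing registrar lock: {lock}")
    if created and expires and (expires - created).days <= max_short_term_days:
        findings.append(f"registration term is only {(expires - created).days} days "
                        f"({created} to {expires})")
    if expires and expires <= today:
        findings.append(f"registration expired on {expires}")
    if whois_ns != baseline["ns"]:
        findings.append(f"WHOIS nameservers changed: {sorted(whois_ns)}")
    if resolved["ns"] != baseline["ns"]:
        findings.append(f"delegated nameservers changed: {sorted(resolved['ns'])}")
    if resolved["a"] != baseline["a"]:
        findings.append(f"A records changed: {sorted(resolved['a'])}")
    return findings


if __name__ == "__main__":
    for label, current in (("unchanged", BASELINE), ("redirected", HIJACKED)):
        print(f"== {label} ==")
        for finding in audit(SAMPLE_WHOIS, current, BASELINE, TODAY) or ["no findings"]:
            print(" -", finding)
```

Even with the DNS answers unchanged, the sample registration produces two findings (the missing update lock and the one-year term); the redirected case adds the nameserver and address changes. The baseline comparison is deliberately independent of the WHOIS check, since a nameserver change made through a social-engineered registrar update would leave the WHOIS status lines looking normal.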
