[sf-lug] Advantages of distro package regimes

Charles N Wyble charles at thewybles.com
Wed Dec 26 13:09:46 PST 2007

Kristian Erik Hermansen wrote:
> On Dec 26, 2007 1:33 PM, Charles N Wyble <charles at thewybles.com> wrote:
>> Your comments above imply that you know something about the security of
>> medibuntu. If you know of a vulnerability in their systems or processes
>> and do not report it to them you are doing a disservice to the
>> community. I certainly hope this is not the case?
> It has nothing to do with specific vulnerabilities, although even if I
> did know something, it does not mean I am bad for not reporting it.

Well that is highly debatable.  I believe that failing to report a 
vulnerability, especially in something as widely used as the medibuntu 
3rd party repository, is doing a disservice to the community.

> There are rampant vulnerabilities all over the place, and once you
> start looking, it becomes almost a full time job to report all of them
> that you see. 

I am well aware of that. I am not some newbie. I have handled a number 
of security incidents at various organizations.

>  In fact, some people make careers in vulnerability
> reporting or affiliated commercial ventures. 

Yep, they sure do. 

>  I have reported lots of
> vulnerabilities, and most of the time, no one cares unless it is
> something really nefarious.

Well I go back to my original argument that a vulnerability in 
medibuntu.org would be fairly nefarious.

>   Now, let's just say that I could attack
> medibuntu.org?  OK, so I still don't have the private GPG key perhaps,
> but a lot of users routinely override that APT warning.

Certainly. Just like users click through prompts without looking, etc.

>   In this
> sense, here is one thing I see wrong with medibuntu that is obvious.
> And remember, the more eyes on the resource, the more bugs that will
> be revealed (this is bug finding 101).

I am well aware of peer review and bug fixing. You don't need to point 
that out to me. I have led several enterprise software projects and a 
couple of open source ones.

> The domain was recently registered, and only for a year.  Do a whois
> if you like to verify. 

No need. I don't think you would lie about something so easily verified :)

>  Also notice that they do implement
> ClientTransferProhibited, but not ClientUpdateProhibited.  If I cared
> enough, I am sure I could social engineer an update to the DNS records
> to point at my rogue server. 

You certainly could. DNS attacks are very common.

>  With the amount of traffic going to
> Ubuntu.com every day, this may not be possible (number of eyes).
> However, most people set medibuntu and forget it.  It could be a
> matter of days before anyone noticed that it was being redirected.  I
> would do it on a holiday weekend if I wanted to be really sneaky.
> These things do happen.

Yes they do. And it's something to keep an eye out for. Some people have 
automated checks in place for this sort of thing, depending on their 
threat profile, etc.

> Additionally, Medibuntu has a very large attack surface.  This is not
> a good thing.  What do I mean?  Here is some evidence for you to
> contemplate...

Have you ever heard of a honeypot? The nmap output below is quite common 
on systems that are running honeypot software.
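The kind of automated check referred to above, as an added example that is not code from this thread or from medibuntu: it parses a WHOIS record for EPP status locks, reports which of the expected locks (clientTransferProhibited, clientUpdateProhibited) are missing, and compares a stored DNS baseline against a fresh lookup. The WHOIS text, the placeholder domain repo.example and all addresses are constructed for the example; a real deployment would feed in live whois output and resolver answers.

```python
import re
import ipaddress

# Constructed sample WHOIS output for a placeholder repository domain
# (not real registry data); only the status lines matter to the check.
SAMPLE_WHOIS = """\
Domain Name: REPO.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: ok
Name Server: NS1.EXAMPLE
"""

# Locks a defender would expect on a domain that serves package metadata.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited"}

# Matches both "Status: code" and "Domain Status: code <url>" line styles.
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*([A-Za-z]+)", re.MULTILINE)

# Constructed baseline (what the domain resolved to when first recorded)
# and a constructed fresh lookup in which one record has been changed.
BASELINE = {"packages.repo.example": {"192.0.2.10"},
            "www.repo.example": {"192.0.2.20"}}
OBSERVED = {"packages.repo.example": ["198.51.100.7"],
            "www.repo.example": ["192.0.2.20"]}

def parse_epp_statuses(whois_text):
    """Return the set of EPP status codes present in a WHOIS record."""
    return set(STATUS_RE.findall(whois_text))

def missing_locks(whois_text, required=REQUIRED_LOCKS):
    """Expected locks that are absent; each one is a class of registrar
    change (transfer, update) that the extra lock would otherwise block."""
    return sorted(required - parse_epp_statuses(whois_text))

def dns_drift(baseline, observed):
    """Report every name whose address set differs from the baseline.
    Addresses are validated so a malformed answer raises instead of being
    silently accepted as a legitimate change."""
    findings = []
    for name, expected in baseline.items():
        seen = {str(ipaddress.ip_address(a)) for a in observed.get(name, ())}
        if seen != expected:
            findings.append((name, sorted(expected), sorted(seen)))
    return findings

if __name__ == "__main__":
    print("missing locks:", missing_locks(SAMPLE_WHOIS))
    print("dns drift:", dns_drift(BASELINE, OBSERVED))
```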
