Bear Giles <[EMAIL PROTECTED]> wrote: > The problem isn't in *producing* a package, it's in *acquiring* that > package later. What happens if someone successfully attacks a site > immediately before you mirror it?
What happens if someone replaces a PGP signature? Answer: people notice. [Consider an advanced attack, launched from a "router" which changes certain packets "in-flight" so that some files, when downloaded, are different from what's on the server, for some range of client ip addresses. I don't know if script kiddies have a toy that does this yet, but it'll happen eventually.] > MD5 checksums aren't adequate, since the attacker can forge new ones. > Cryptographically signed checksums don't help, since the software (at > time of export) can't include the software to verify them. Downloading > PGP from the ZA site won't help because you can't verify *its* checksum. If you can trust the debian packages, you can trust an md5sum contained in one of those packages. Perhaps a distributed auditing system (like what was used for the RSA challenge, but instead periodically downloading files and verifying md5sums) would be a good thing -- to set off alarms after a site has been cracked. [If no alarms go off for some period of time after you've downloaded a fresh copy of the system, you can be reasonably confident that you got a good copy and that the signatures you have are probably the correct ones.] Perhaps useful would be independent "signature clearinghouses" which let you check md5sums without talking to the site you got your packages from. [The more paranoid might want to check against a large number of sites, and might want an auditing system to be in place as well.] > > Bootstrapping is hard -- best you can do for the general case is compare > > notes after you've gotten a secure system up. > > And that, it seems, is exactly the "problem" that this program seeks > to "fix." Obviously it can't fix the problem for the past. However, it might help in the future... [Perhaps more important: security oriented technology can only be a part of a secure system.] -- Raul