Am 25.11.19 um 12:35 schrieb Patrick Schleizer:
How often did you see initrd being infected?
recently only once. So the attackers may change their vector; they have
already done so multiple times.
Not using apt/dpkg comes at the expense of not being able to fully
verify the whole system. What if there are outdated packages on the
system which aren't available from anymore from repository? Using
snapshot.debian.org?
I have just extended debcheckroot to also support file repos. Now it can
check 100% of the packages I have installed. That was necessary because
f.i. the printer driver is vendor specific and can not be fetched from
an online repo. I will publish that as debcheckroot v2.2 soon. Outdated
packages are a problem though; I have supposed that Debian would
maintain sha256sums for packages not available online any more. However
I do not see any good possibility to resolve this without support from
the distributors. However I am not sure whether outdated updates would
still be available on snapshot.debian.org; I would not believe so,
though perhaps anyone else reading this list could help us. If it is not
about updates but about singleton packages one could download specific
packages from snapshot by hand if you really come across having
installed such a package.
Also, for quickly repeatable verification it would be best to prepare as
much as possible in background / during upgrade. Other tasks can be done
at the same time. Then booting from read-only to debcheckroot purposes
could safe a lot time. The less time it needs, the more it gets within
reach to automate the process without sacrificing much boot time.
Also by not using apt/dpkg, any packages downloaded would have to be gpg
verified manually.
I also don't see debcheckroot make use of gpg signature verification of
downloaded files?
Reinventing apt is difficult. See these attack on package managers:
https://www2.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html
Package metadata could be outdated. Downloaded package contents could be
malicious or altered to pass verification.
Yes, tor is no ultimate remedy to this. As long as there are little
downloads anonymity may be compromised. The best way to shield against
such attacks may be to first generate sha256sum lists in a singleton
boot and then later on use them in another boot so that no malware from
unpacking packages can persist in memory. However that is no remedy to
altered package content. The only way I know to avoid this is to only
install from blue ray media without using online updates.
That article https://www.elstel.org/software/GnuPG-usage.html.en starts
with "How to use GnuPG securely". That isn't the best way to communicate
"Key signatures are not trustworthy in general" which is a pretty broad
claim.
If "Key signatures are not trustworthy in general" then all apt package
downloads could be considered compromised since APT relies on gnupg for
verification. With that was true, and with mindset, and that being
unfixable, we could as well as give up.
Yes, that is what I presume. apt can install compromised updates. I know
this is at least an attack vector for Windows. To repeat it I would at
least doubt if not presume about any key which is stored online that it
is compromised. Most times people connect with ssh to such machines and
have a local certificate on the computer from which they connect. The
certificate can be copied and the password will be keylogged. Only a
very few people employ security strategies like switching keyboard and
monitor to a computer where you do not web-browse or email. I have
devices for that but most people don´t and as long as the distributors
do not advertise it I presume that they do not follow such a strategy.
Finally it would still be possible to get the key by physical access to
that computer. I would also believe that for a distro like Debian this
would pay of for intelligence services.
To me personally I don´t have a defeatist mindset even not if the
NSA/CIA or similar services are attacking me. They have once deleted the
partition table on a computer used only offline to analyse some rootkit.
Those who hack me also have physical access to my computers. There is no
way for a defeatist mindset though as I can not let my human rights
including that to live be violated.
To a rootkit hunter which laymen can use it's a long way to go. Some
debcheckroot is targeted at technically experienced users.
That's sad. Understood.
No it isn´t. People who care about security need to acquaint themselves
with some basic facts on how the system they use is working. As it is
Linux all the information should be available for the interested user. -
and people do not only need to do so for use of debcheckroot.
No way to
hunt rootkits authored by the NSA otherwise.
Yes, forget about NSA and alike. Let's not assume quasi-omnipotent
attackers. That leads to defeatist mindset which isn't productive.
I have already commented on this.
Why couldn't it be fully automated without manual interpretation needed?
That is not so easy to answer but an unsuspecting novice user simply
will not be safe. There are just too many pitfalls. You do not need to
know much but you need to understand some crucial facts to my believe.
The thing why you can not automate this is that there is a hack for any
automation how it can be bypassed. Whenever I have found something it
was due to some unexpected action taken by me and not because the tools
were so super. The NSA has a billion budget (correct me if someone knows
the exact amount) and you won´t be smarter in programming than they are.
Usability and popularity. Both hard. Software is only step 1.
Full disk encryption is proven effective. If one travels and a bag gets
stolen by a criminal, no data can be accessed.
Keyloggers are really bad but unrelated from that.
My attack scenarios always include key loggers. They are a too valuable
tool for intelligence to miss this possibility. On the other hand my
equipment hasn´t been stolen yet. Nonetheless anyone needs to know his
enemies and what kind of attacks to shield against.
Yes, Android has security features which are working fine, reliable,
would be replicable on Linux desktops in principle, but aren't yet.
That's the point of that writeup.
https://www.whonix.org/wiki/Kicksecure#iPhone_and_Android_Level_Security_for_Linux_Desktop_Distributions
debcheckroot could help getting something like verified boot for Debian.
Well it is GPLv3. Anyone who would like to extend or develop it into
some other direction is free to do so if he has enough energy and
resources to do so.
I hope I have sufficiently answered you questions and your points of
discussion. If not simply re-ask.