Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-12-01 Thread Erwan David
On Mon, Dec 01, 2008 at 09:04:37AM CET, Dave Warren <[EMAIL PROTECTED]> said:
> 
> The only way a key can be completely trusted is if it's provided
> completely independently of the download infrastructure, hosted
> elsewhere entirely, requiring a compromise of two unique and unrelated
> systems.

Or the key should be signed by enough people to give a trust path to
the user.

-- 
Erwan
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-12-01 Thread Dave Warren
In message <[EMAIL PROTECTED]> "David F. Skoll"
<[EMAIL PROTECTED]> was claimed to have written:

>Dave Warren wrote:
>
>> True, but you could make it realistic enough to fool most of the people,
>> most of the time, especially with a readme.txt noting that the new
>> versions are signed slightly differently.
>
>People who bother to download the .sig file in the first place probably
>won't be fooled.  And they won't believe an unsigned readme.txt file.

The readme file wouldn't be unsigned, it would be signed by the new key
since it's naturally impossible to sign anything with the old key once
the old key has been lost.

Anyone in a position to compromise the sourceforge distribution model
could probably make it look good enough to fool the majority of people
who would at best glance at the status and move on.  It's human nature,
when we're told "this is legit" by an authority, to assume it's legit
without investigating that authority.  Sure, not everyone is fooled, but
I'd put money down that you'd fool at least 50% of those who do bother
to check the sig, and over 90% of those who don't even bother with the
sig today even if they started looking at sigs.

The only way a key can be completely trusted is if it's provided
completely independently of the download infrastructure, hosted
elsewhere entirely, requiring a compromise of two unique and unrelated
systems.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480



Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-30 Thread David F. Skoll
Dave Warren wrote:

> True, but you could make it realistic enough to fool most of the people,
> most of the time, especially with a readme.txt noting that the new
> versions are signed slightly differently.

People who bother to download the .sig file in the first place probably
won't be fooled.  And they won't believe an unsigned readme.txt file.

Regards,

David.


Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-30 Thread Dave Warren
In message <[EMAIL PROTECTED]> Jan Pieter Cornet
<[EMAIL PROTECTED]> was claimed to have written:

>On Sat, Nov 29, 2008 at 02:52:53PM -0800, Dave Warren wrote:
>> >When I go to the download page for ClamAV at SourceForge, 
>> >I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
>> >is downloaded less than 10% of the time that the source code
>> >("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
>> >especially for anti-malware software, whose users presumably 
>> >think about security more than the average SourceForge visitor.
>> 
>> If you can't trust SourceForge for the source, what makes you think you
>> can trust the signature file?
>
>Because it's PGP signed. It's not just an md5 hash.
>
>> Anyone in a position to compromise one would almost definitely be able
>> to compromise the other.
>
>Sure. But it would be suspect if gpg/pgp says:
>
>Good Signature by Snake Oil <[EMAIL PROTECTED]>.

True, but you could make it realistic enough to fool most of the people,
most of the time, especially with a readme.txt noting that the new
versions are signed slightly differently.

This sort of thing happens legitimately often enough that there isn't
any real practical way to tell if it's real or not other than to wait a
decent amount of time for the original author to notice and post a
contrary statement.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480



Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-29 Thread Jan Pieter Cornet
On Sat, Nov 29, 2008 at 02:52:53PM -0800, Dave Warren wrote:
> >When I go to the download page for ClamAV at SourceForge, 
> >I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
> >is downloaded less than 10% of the time that the source code
> >("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
> >especially for anti-malware software, whose users presumably 
> >think about security more than the average SourceForge visitor.
> 
> If you can't trust SourceForge for the source, what makes you think you
> can trust the signature file?

Because it's PGP signed. It's not just an md5 hash.

> Anyone in a position to compromise one would almost definitely be able
> to compromise the other.

Sure. But it would be suspect if gpg/pgp says:

Good Signature by Snake Oil <[EMAIL PROTECTED]>.

-- 
Jan-Pieter Cornet <[EMAIL PROTECTED]>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!
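The "Good Signature by Snake Oil" case in this message, and the "readme says the new releases are signed with a different key" case Dave Warren raises in his reply earlier on the page, come down to the same check: not whether gpg says the signature is good, but whether it was made by the key you already expected. The script below is an added example, not ClamAV's or GnuPG's own code, showing that check in POSIX sh over gpg's machine-readable `--status-fd` output. The fingerprints, key IDs, user IDs and status streams in it are constructed for illustration and belong to no real key; `verify_download` assumes gpg is installed and the pinned public key is already in the keyring.

```shell
#!/bin/sh
# Added example (not ClamAV's or GnuPG's own code).  Pin the fingerprint of
# the key you expect, obtained out of band, and accept a detached signature
# only if gpg's machine-readable status says it was made by that key.
# A "Good signature" from any other key, including a "new" key announced by
# a readme on the same download server, is rejected.
# Fingerprints, key IDs and user IDs below are constructed, not real keys.

# check_status PINNED_FPR   (reads "gpg --status-fd 1" output on stdin)
# Exit 0 only when the stream holds GOODSIG and a VALIDSIG whose signing-key
# or primary-key fingerprint equals PINNED_FPR, and no BADSIG, ERRSIG or
# NO_PUBKEY.  Expired or revoked keys produce EXPKEYSIG/REVKEYSIG instead of
# GOODSIG, so they fail the GOODSIG test on their own.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pinned="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { if ($3 == pinned || $NF == pinned) pinned_ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        END { if (good && pinned_ok && !bad) exit 0; exit 1 }
    '
}

# verify_download PINNED_FPR SIGFILE TARBALL
# The human-readable "Good signature by ..." text is never parsed; only the
# fingerprint in VALIDSIG decides.  (Needs gpg and the key in the keyring.)
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed gpg status streams for the three cases discussed in the thread.
PINNED='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
STATUS_PINNED_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signing Key (constructed) <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-11-26 1227700000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Same "Good signature" wording, different key: what gpg prints for the
# attacker-supplied "new" key, even if the user was talked into trusting it.
STATUS_SNAKE_OIL='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Snake Oil <snakeoil@example.invalid>
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2008-11-30 1228000000 0 4 0 17 2 00 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
[GNUPG:] TRUST_ULTIMATE 0 pgp'
# Tarball altered after signing.
STATUS_TAMPERED='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Release Signing Key (constructed) <release@example.invalid>'

demo() {
    for sample in STATUS_PINNED_KEY STATUS_SNAKE_OIL STATUS_TAMPERED; do
        eval "stream=\$$sample"
        if printf '%s\n' "$stream" | check_status "$PINNED"; then
            echo "$sample: ACCEPT"
        else
            echo "$sample: REJECT"
        fi
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with `demo` to see the three constructed cases; only the stream from the pinned key is accepted. The fingerprint you pin has to come from somewhere other than the download site (a release announcement, a key signed by people you already trust, your distributor's package), which is the independence both Dave Warren and Erwan David ask for above; the trust-db lines (`TRUST_UNDEFINED`, `TRUST_ULTIMATE`) are deliberately ignored because they say what the local keyring believes, not which key signed the file.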


Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-29 Thread Dave Warren
In message <[EMAIL PROTECTED]> Paul Kosinski
<[EMAIL PROTECTED]> was claimed to have written:

>When I go to the download page for ClamAV at SourceForge, 
>I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
>is downloaded less than 10% of the time that the source code
>("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
>especially for anti-malware software, whose users presumably 
>think about security more than the average SourceForge visitor.

If you can't trust SourceForge for the source, what makes you think you
can trust the signature file?

Anyone in a position to compromise one would almost definitely be able
to compromise the other.
-- 
Dave Warren,  [EMAIL PROTECTED]
Office: (403) 775-1700   /   (888) 300-3480



Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-28 Thread Erwan David
On Fri, Nov 28, 2008 at 04:12:11PM CET, Paul Kosinski <[EMAIL PROTECTED]> said:
> When I go to the download page for ClamAV at SourceForge, 
> I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
> is downloaded less than 10% of the time that the source code
> ("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
> especially for anti-malware software, whose users presumably 
> think about security more than the average SourceForge visitor.

When I install through the ports system on FreeBSD, the port
downloads the source, but the signature was made available by the port
maintainer, and is not downloaded from sourceforge.

-- 
Erwan


Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-28 Thread Rob MacGregor
On Fri, Nov 28, 2008 at 15:12, Paul Kosinski <[EMAIL PROTECTED]> wrote:
> When I go to the download page for ClamAV at SourceForge,
> I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
> is downloaded less than 10% of the time that the source code
> ("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
> especially for anti-malware software, whose users presumably
> think about security more than the average SourceForge visitor.

Some of that may be down to things like FreeBSD, where the package
maintainer fingerprints the download when they prepare the
package/port and it is that fingerprint that is checked when you
install.

-- 
 Please keep list traffic on the list.

Rob MacGregor
  Whoever fights monsters should see to it that in the process he
doesn't become a monster.  Friedrich Nietzsche
Mark Twain  - "It usually takes me more than three weeks to prepare a
good impromptu speech."
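As an added illustration of the FreeBSD mechanism Erwan David and Rob MacGregor describe (example code, not the ports framework's own fetch logic): the ports tree carries a distinfo file with the SHA256 and SIZE the maintainer recorded when preparing the port, and the fetched distfile is checked against that record rather than against anything served by SourceForge. The port and file names below are hypothetical; the distinfo line format is the one the ports tree uses. The check needs `sha256sum` or `shasum` on the machine.

```shell
#!/bin/sh
# Added example (not FreeBSD's own ports code): check a distfile against a
# distinfo record kept in the ports tree, i.e. in a place the maintainer
# controls and that is NOT the download site.  File names are hypothetical.
#
# distinfo lines look like this (format as used by the FreeBSD ports tree):
#   SHA256 (clamav-0.94.tar.gz) = <64 hex chars>
#   SIZE (clamav-0.94.tar.gz) = <bytes>

# sha256_of FILE -> prints the lowercase hex digest
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# distinfo_field DISTINFO ALGO NAME -> prints the recorded value, empty if absent
distinfo_field() {
    awk -v algo="$2" -v name="($3)" '$1 == algo && $2 == name { print $4; exit }' "$1"
}

# check_distinfo DISTINFO DISTFILE
# Returns 0 only if both the SHA256 and the SIZE recorded for the distfile's
# basename match the file on disk.  A missing record is a failure, not a pass:
# a file nobody has vouched for must not be built.
check_distinfo() {
    distinfo=$1; file=$2; name=$(basename "$file")
    want_sum=$(distinfo_field "$distinfo" SHA256 "$name")
    want_size=$(distinfo_field "$distinfo" SIZE "$name")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "no distinfo record for $name" >&2; return 1
    fi
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $name: $have_size != $want_size" >&2; return 1
    fi
    have_sum=$(sha256_of "$file")
    if [ "$have_sum" != "$want_sum" ]; then
        echo "SHA256 mismatch for $name" >&2; return 1
    fi
    echo "$name: matches distinfo"
}

# Usage: ./check_distinfo.sh /usr/ports/security/clamav/distinfo /usr/ports/distfiles/clamav-0.94.tar.gz
if [ "$#" -eq 2 ]; then check_distinfo "$1" "$2"; fi
```

The value of this scheme is where the record lives: the maintainer computed the hash once, against a copy they inspected, and committed it to the ports tree, so an attacker who replaces the tarball on the mirror would also have to change a file distributed through an unrelated channel. The same property that Dave Warren asks of a signing key earlier in the thread.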


Re: [Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-28 Thread Odhiambo Washington
On Fri, Nov 28, 2008 at 6:12 PM, Paul Kosinski <[EMAIL PROTECTED]> wrote:

> When I go to the download page for ClamAV at SourceForge,
> I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
> is downloaded less than 10% of the time that the source code
> ("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
> especially for anti-malware software, whose users presumably
> think about security more than the average SourceForge visitor.


We trust the site, and Kojm:-)

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Okay guys. This is Kenya. You pay taxes because you feel philanthropic,
unlike our MPs!"
-- Kenneth Marende, Speaker, 10th Parliament.


[Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-28 Thread Paul Kosinski
When I go to the download page for ClamAV at SourceForge, 
I observe that the signature file ("clamav-0.*.*.tar.gz.sig")
is downloaded less than 10% of the time that the source code
("clamav-0.*.*.tar.gz") is downloaded. I find this strange,
especially for anti-malware software, whose users presumably 
think about security more than the average SourceForge visitor.