Re: Securely downloading Ubuntu

2008-01-29 Thread Matt Zimmerman
On Mon, Jan 28, 2008 at 10:39:03AM -0700, Neal McBurnett wrote:
 On Mon, Jan 28, 2008 at 05:20:52PM +, Matt Zimmerman wrote:
  On Mon, Jan 28, 2008 at 09:28:48AM -0700, Neal McBurnett wrote:
    (I'm all in favor of moving to SHA256 or whatever is considered best
    practice these days. I've just not heard that MD5 is really as broken as
    I think Chris suggests here.)
   
   One easy thing to do is to also publish sha256 sums of the CD
   images, so if MD5 preimage attacks are developed, that would help.
   
   I think we should do that now, and consider a hash function in a
   different class also (whirlpool?).
   
   Shipping more hash functions in the base install would help a lot in a
   crisis, so users have what they need to validate software updates.
   I guess coreutils has the md5 and sha families well covered, but
   again, something different like whirlpool could help a lot some day.
  
  Perhaps we should publish detached signatures for each ISO rather than
  signing MD5SUMS?
 
 From what I've heard, the main principle for dealing with hash issues
 is algorithm agility - i.e. making it easy for folks to use multiple
 algorithms.
 
 Publishing detached signatures is a way to make the user interface
 easier (perhaps) for folks that want to validate the gpg signature.
 But I would think many (especially those without a good way to trust
 the gpg key, as noted previously) would want to just be able to
 validate hashes.
 
 I would still argue for the use of multiple hash algorithms, and I
 guess for gpg that means multiple detached signatures, one per hash
 algorithm.  And some are not supported by all versions of gpg
 
 I'd suggest we publish a CHECKSUMS file with a good assortment of
 hashes in text format, and also sign that.

There are two reasons for checking the hashes:

Authentication - the downloaded image is in fact the official one provided
by the Ubuntu project, unaltered

Integrity - the downloaded image hasn't been randomly corrupted in transit

(it happens that verifying authenticity ensures integrity as a side effect)

Authentication, I believe, would be better served by signing the image
directly.  This both avoids an attack on the intervening checksums in
MD5SUMS and provides a cryptographically stronger check.  I believe the .gpg
format already supports multiple signatures with different algorithms, so
this would be reasonably future-proof.

Integrity is served well enough by the existing MD5 hashes, which are still
extremely robust against unintentional corruption.

The above is based on only a very basic understanding of cryptography,
however, so corrections are welcome from folks with more experience in this
area.

-- 
 - mdz

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
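
The multi-hash CHECKSUMS idea from the message above, as an added sketch that is not code from any poster in this thread or from Ubuntu's tooling: the image is read once, every listed hash that can be computed must match, and an MD5 match alone is never accepted. The "ALGO  HEXDIGEST  FILENAME" line format, the STRONG/SUPPORTED policy sets and all function names are assumptions, and the GPG signature on the CHECKSUMS file is assumed to have been verified separately before parsing.

```python
import hashlib
import pathlib
import tempfile

# Assumed policy: MD5 may be listed for old tools, but is never enough alone.
STRONG = {"sha256", "sha512"}
SUPPORTED = STRONG | {"md5", "sha1"}


def parse_checksums(text):
    """Parse 'ALGO  HEXDIGEST  FILENAME' lines into {filename: {algo: hex}}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            algo, digest, name = line.split(None, 2)
            entries.setdefault(name.strip(), {})[algo.lower()] = digest.lower()
    return entries


def digest_file(path, algos, chunk=1 << 20):
    """Read the file once, feeding every requested algorithm from each block."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(path, expected):
    """Every computable listed hash must match, and one must be in STRONG."""
    usable = sorted(a for a in expected if a in SUPPORTED)
    if not STRONG.intersection(usable):
        return False, "no strong hash listed for this file"
    actual = digest_file(path, usable)
    bad = [a for a in usable if actual[a] != expected[a]]
    if bad:
        return False, "mismatch: " + ", ".join(bad)
    return True, "matched: " + ", ".join(usable)


def demo():
    """Constructed stand-in for an ISO and its CHECKSUMS (not release data)."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d) / "sample.iso"
        path.write_bytes(b"constructed image bytes\n" * 1000)
        good = digest_file(path, ["md5", "sha256", "sha512"])
        listing = "".join(f"{a}  {h}  sample.iso\n" for a, h in good.items())
        listing += "whirlpool  00  sample.iso\n"  # outside SUPPORTED: skipped
        expected = parse_checksums(listing)["sample.iso"]
        return [
            verify(path, expected),  # all computable hashes match
            verify(path, {"md5": good["md5"]}),  # MD5 only: refused
            verify(path, dict(expected, sha256="0" * 64)),  # MD5 still matches
        ]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The third case is the one that matters for this thread: the MD5 entry still matches, yet the file is rejected because the SHA-256 entry does not.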


Re: libapache-asp-perl (LP #145741)

2008-01-29 Thread Dan Sheridan

 On Mon, Jan 28, 2008 at 03:02:25PM +, Dan Sheridan wrote:
  I'd like to see this package re-added to Hardy. What is the best
  approach? Should I prepare an updated package with trimmed dependencies
  and upload to REVU? Should it be renamed libapache2-asp-perl?
 
On Mon, 2008-01-28 at 11:06 -0500, Mathias Gug wrote:
 
 Uploading a new package to REVU is a good start. Renaming it to
 libapache2-asp-perl or libapache2-mod-asp-perl is a good idea.

I saw this response first, so a new package is now up on REVU. 

On Mon, 2008-01-28 at 13:15 -0500, Scott Kitterman wrote:
 If it's in Debian still, either ask for a synch or prepare a merge debdiff as 
 required.

I saw this response second. I've uploaded a debdiff to LP #145736... the
name change is probably a mistake in the light of the existence of
Apache2::ASP.

Dan.





Re: Securely downloading Ubuntu

2008-01-29 Thread Ivan Krstić
On Jan 29, 2008, at 1:16 PM, Colin Watson wrote:
 Do you know what the state of cryptanalytic research is on Whirlpool? My
 concern is that the MD5/SHA family, for all its faults, has been
 extremely extensively cryptanalysed, and at least we know where we
 stand, while the other families are still relatively unknown.


That's correct. Whirlpool is AES-based, which is slightly reassuring,  
but its designers have to my knowledge never presented it in an  
academic conference; even so, it passed quite some scrutiny when it  
was submitted to (and subsequently selected by) the NESSIE project.  
For high-security applications, combining a SHA-2 variant and either  
RIPEMD-160 or Whirlpool is sufficient to satisfy even the  
professionally paranoid among us. I chose a SHA-256+Whirlpool  
combination for signature verification in the OLPC firmware.

--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org




Re: Securely downloading Ubuntu

2008-01-29 Thread Colin Watson
On Mon, Jan 28, 2008 at 09:28:48AM -0700, Neal McBurnett wrote:
 On Mon, Jan 28, 2008 at 04:44:05PM +0200, Lars Wirzenius wrote:
  On ti, 2008-01-22 at 19:32 +, Chris Lamb wrote:
   However, the MD5 digest algorithm is utterly broken 
  
  How broken is it? Can one reasonably expect that a well-provisioned
  attacker can create an MD5SUMS file that has the wrong content but still
  matches the GnuPG signature?
 
 The current state of the art allows people to easily create two files
 with the same MD5 (a hash collision).  But no one has claimed to be
 able to create a file that matches the MD5 of a file that someone else
 created (a preimage attack):
 
  http://en.wikipedia.org/wiki/MD5
 
  http://en.wikipedia.org/wiki/Preimage_attack
 
 To take advantage of the existing vulnerability (hash collision), the
 attacker would also have to be able to modify the ISO that is
 published on the Ubuntu sites.  If they can do that, we have more
 important things to worry about.

They could also set up a malicious Ubuntu mirror, and perhaps use
attacks such as DNS poisoning to substitute for a prominent mirror.
However, the presence of GPG signatures on the MD5SUMS files means that
conscientious users who verify the signatures are safe from hash
collision attacks, and an attacker would require a second-preimage
attack on MD5 in order to produce a compromised image. (Plus, of course,
they would need a second-preimage attack that is sufficiently flexible
to produce a valid working ISO with malicious contents, which probably
makes it a couple of orders of magnitude harder.)

 I think the main risk for Ubuntu would be the latter kind of attack,
 if it is ever developed.  Cryptographers are nervous about not only
 MD5, but also all the functions in the same class, which includes
 SHA-1 and SHA-256.  The latter ones use more bits and thus have more
 life in them than MD5, but the field is in a lot of turmoil.

Yes. Also note that combining SHA1 or SHA256 with MD5 does not give you
anything like the sum of the difficulty of breaking both independently;
on the contrary, an attack on MD5 gets you quite some distance towards
breaking SHA* as well. It's been a while since I did the maths, but IIRC
MD5 + SHA1 only provides six bits of security over SHA1 alone.

The reason to continue providing MD5 is that the tools to verify them
are better-deployed than those for better hash algorithms, so they
continue to be significantly better than nothing.

  (I'm all in favor of moving to SHA256 or whatever is considered best
  practice these days. I've just not heard that MD5 is really as broken as
  I think Chris suggests here.)
 
 One easy thing to do is to also publish sha256 sums of the CD
 images, so if MD5 preimage attacks are developed, that would help.

See my other mail in response to Matt on the subject. (In short: I
agree, but there are some infrastructural fixes that need to happen
first.)

 I think we should do that now, and consider a hash function in a
 different class also (whirlpool?).

Do you know what the state of cryptanalytic research is on Whirlpool? My
concern is that the MD5/SHA family, for all its faults, has been
extremely extensively cryptanalysed, and at least we know where we
stand, while the other families are still relatively unknown.

 On Tue, Jan 22, 2008 at 07:32:32PM +, Chris Lamb wrote:
  Is it actually possible to securely download Ubuntu?
  
  A typical mirror contains an MD5SUMS and an associated MD5SUMS.gpg [0].
  However, the MD5 digest algorithm is utterly broken and the key is signed
  by just a handful of people anyway[1], only two of which I (visually)
  recognise as having anything to do with the Ubuntu project.
 
 Remember, anyone can sign a key on a public keyring, so most of those
 sigs are probably from volunteers.

While of course there's no reason you should believe me from this mail
alone, although https://launchpad.net/~ubuntu-cdimage/+members may help,
the only relevant signature (i.e. one from an administrator of the CD
image build system) on the cdimage key 1024D/FBB75451 right now is mine.
However, that should be good enough for most people who care about GPG
as my key is in the top 100 or so in the worldwide strong set, so almost
anyone who's signed keys outside an isolated group should have a trust
path to the cdimage key.

 But all the user needs is a trust path from their trusted keys to the
 key in question, and since it is signed by
 
  Ubuntu Archive Master Signing Key [EMAIL PROTECTED]
 
 users should be able to have that.

(Also signed by me. That key has special arrangements to defend against
its compromise, and is never kept on a network-connected system.)

 But the warning on the
 https://help.ubuntu.com/community/VerifyIsoHowto page is an issue:
 
  WARNING: This key is not certified with a trusted signature!
 
 That ftpmaster key is already on installed systems, right?  I would
 think we could preinstall system keyrings and give instructions that
 would be 

Re: metashell - User Friendly Shell

2008-01-29 Thread Forest Bond
Hi,

On Mon, Jan 28, 2008 at 10:38:11PM -0500, Justin Wray wrote:
 Exactly, there are plenty of ways to determine a mime-type, and plenty of other
 ways to open a file in a default application.  But I think everyone is missing
 the point.  I'll break it down, these functionalities are not built into the
 shell and require package X, and setting X, to work, something a new user
 may not know about, or better yet even have installed and configured.

Any decent Linux distribution ought to update mailcap automatically when new
programs are installed.  Debian and Ubuntu do.

Further, your argument that people should install metashell seems to be based on
the assumption that installing metashell is easier than installing mime-support.
Is that the case?

 The point of all of my comments is this:  metashell is not a project with a
 goal simply to open files.  It is a project with the ideas of creating a
 user-friendly command-line environment.  That uses intuitive commands (or lack
 thereof) to complete tasks.  While all at the same time allowing the
 well-versed *nix admins complete complex tasks without hesitating.  I really
 hope after reading this email, everyone better understands the goals of
 metashell, and the difference of using it versus an external application like
 'see'.

Does metashell currently support features other than opening files based on MIME
type?  If not, it is a see competitor trapped in a shell's body, and it thus
makes sense to compare metashell to see.

-Forest
-- 
Forest Bond
http://www.alittletooquiet.net




Re: USB drives and unmounting

2008-01-29 Thread Vadim Peretokin
Nobody knows?

This is still pretty annoying not knowing when you can really take out the
USB, forcing you to wait just to be safe.

On Jan 16, 2008 2:44 PM, Vadim Peretokin [EMAIL PROTECTED] wrote:

 So, no technical people can tell what's exactly wrong?


 On Jan 7, 2008 5:56 AM, sigurd wien [EMAIL PROTECTED] wrote:

  I filed a bug about this a while back:
  https://bugs.launchpad.net/ubuntu/+source/hal/+bug/34140
 
   It has been an issue since a kernel update in breezy. I was working
  fine before that.
 
 
 
  On Jan 7, 2008 2:18 AM, Mackenzie Morgan [EMAIL PROTECTED] wrote:
 
   Whether or not it shows up probably has to do with how much data is
   waiting in the buffer to be written.  If it's just a couple megabytes, it
   probably writes them quickly enough that it doesn't need to tell you to
   wait, whereas if it has a lot to write it tells you it's working so you
   don't just yank it out before it finishes.
  
   Is it just me, or does the popup usually stop mid-sentence?  I'm
   pretty sure the last word on there is "or" or something that means
   there's more to this sentence.
  
  
   On Jan 6, 2008 3:12 PM, Jonathan Musther [EMAIL PROTECTED] wrote:
  
Definitely.  Sometimes it doesn't even show up, it's a bit random.
   
   
On Jan 7, 2008 8:34 AM, Sidarth Dasari [EMAIL PROTECTED] wrote:
   
 Vadim Peretokin wrote:
  Hi,
 
  I'm wondering if any of the technical-minded people could please take a
  look at this thread:
 
  http://ubuntuforums.org/showthread.php?t=655136
 
  Which is discussing the difficulties posed when unmounting removable
  media. The problem at hand is that the "writing data to device" popups
  seem to appear randomly, and also offer no progress bar, leaving you
  wondering if the thing is frozen, or is it safe to remove or no.

 
  Thanks!
 I also agree that it is a bit confusing. There should at least be a
 progress bar or some output that shows what it's doing.


   
   
   
--
Slingshot - a unique game everyone enjoys  - and it's free :-)
http://www.slingshot-game.org
   
   
  
  
   --
   Mackenzie Morgan
   Linux User #432169
   ACM Member #3445683
http://ubuntulinuxtipstricks.blogspot.com -my blog of Ubuntu stuff
   apt-get moo
  
  
 
 
 



Re: USB drives and unmounting

2008-01-29 Thread Christofer C. Bell
On Jan 29, 2008 12:53 PM, Vadim Peretokin [EMAIL PROTECTED] wrote:
 Nobody knows?

 This is still pretty annoying not knowing when you can really take out the
 USB, forcing you to wait just to be safe.

When you unmount the drive, it's safe to remove when the icon
disappears from your desktop.  If you are using the command line, it's
safe to remove when it no longer appears to be mounted.

-- 
Chris

In 39 years, I have never written these words in a movie review, but
here they are: You owe it to yourself to see this film. If you do not,
and you have grandchildren, you should explain to them why you decided
not to. -- Roger Ebert, reviewing Al Gore's documentary, An
Inconvenient Truth



ufw firewall

2008-01-29 Thread Jamie Strandboge
ufw is a new firewall application that has recently been uploaded to
universe. The goal is to have an easy to use firewall application for
end users, while at the same time not get in the sysadmin's way. It is
now in a state for wider testing.

Important notes:
 * currently only host-based 
 * cli
 * it's disabled by default on installation
 * package integration is not (yet) implemented

Please test and file bug reports in [1]. See [2], 'man ufw', and
/usr/share/doc/ufw/README for more details.

Jamie

[1] https://bugs.launchpad.net/ubuntu/+source/ufw/
[2] https://wiki.ubuntu.com/UbuntuFirewall
--
Email: [EMAIL PROTECTED]
IRC:   jdstrand




Re: Securely downloading Ubuntu

2008-01-29 Thread Kristian Erik Hermansen
MD5 is pretty weak these days, and getting worse.  I demonstrated an
attack on MD5 recently using the academic research supplied.  You can
find my original posting from December at the link below.  I also
include the important parts below...
http://seclists.org/fulldisclosure/2007/Dec/0004.html

I know of many commercial security products which still utilize MD5 to
prove integrity of the data they distribute to customers. This should
no longer be considered appropriate. Now that tools are readily
available to exploit newer MD5 collision research, I think it is safe
to say that the public should retire its usage for good.

Read the most recent research regarding chosen-prefix collisions:
http://www.win.tue.nl/hashclash/EC07v2.0.pdf

A concrete example for your perusal:
khermans_at_khermans-laptop:/tmp$ wget http://www.win.tue.nl/hashclash/SoftIntCodeSign/HelloWorld-colliding.exe
--04:36:32--  http://www.win.tue.nl/hashclash/SoftIntCodeSign/HelloWorld-colliding.exe
   = `HelloWorld-colliding.exe'
Resolving www.win.tue.nl... 131.155.70.190
Connecting to www.win.tue.nl|131.155.70.190|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41,792 (41K) [application/octet-stream]

100%[] 41,792 109.16K/s

04:36:33 (108.92 KB/s) - `HelloWorld-colliding.exe' saved [41792/41792]

khermans_at_khermans-laptop:/tmp$ wget http://www.win.tue.nl/hashclash/SoftIntCodeSign/GoodbyeWorld-colliding.exe
--04:36:37--  http://www.win.tue.nl/hashclash/SoftIntCodeSign/GoodbyeWorld-colliding.exe
   = `GoodbyeWorld-colliding.exe'
Resolving www.win.tue.nl... 131.155.70.190
Connecting to www.win.tue.nl|131.155.70.190|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41,792 (41K) [application/octet-stream]

100%[] 41,792 127.20K/s

04:36:38 (126.82 KB/s) - `GoodbyeWorld-colliding.exe' saved [41792/41792]

khermans_at_khermans-laptop:/tmp$ ls -lsha *.exe
44K -rw-r--r-- 1 khermans khermans 41K 2007-11-23 01:08 GoodbyeWorld-colliding.exe
44K -rw-r--r-- 1 khermans khermans 41K 2007-11-23 01:08 HelloWorld-colliding.exe
khermans_at_khermans-laptop:/tmp$ strings HelloWorld-colliding.exe | tail
SetFilePointer
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetStdHandle
CloseHandle
KERNEL32.dll
Hello World ;-)
khermans_at_khermans-laptop:/tmp$ strings GoodbyeWorld-colliding.exe | tail
SetFilePointer
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetStdHandle
CloseHandle
KERNEL32.dll
Goodbye World :-(
khermans_at_khermans-laptop:/tmp$ md5sum HelloWorld-colliding.exe | awk '{print $1}' | tee hw
18fcc4334f44fed60718e7dacd82dddf
khermans_at_khermans-laptop:/tmp$ md5sum GoodbyeWorld-colliding.exe | awk '{print $1}' | tee gw
18fcc4334f44fed60718e7dacd82dddf
khermans_at_khermans-laptop:/tmp$ cmp hw gw
khermans_at_khermans-laptop:/tmp$ echo $?
0

There you have it. Surely a GPL'd tool implementing this attack style
will be available shortly. And since Chinese researchers have been
attacking SHA-1 lately, should SHA-256 be considered the proper
replacement? I am unsure :-(
-- 
Kristian Erik Hermansen
Know something about everything and everything about something.
