From: adam at hif.hu (Szilveszter Adam)
Subject: Call for discussion

Jason Coombs wrote:
> A closed source database application offering known good hashes and forensic
> details of files published by vendors... These people are headed in a positive
> direction, but the closed source part bothers me for some reason.

<...huge snip...>

Of course I was not surprised to see that Tripwire Inc was behind this 
initiative. It could really boost use of their technology and give it a 
higher profile in general.

But as I come to think of it, this idea seems less and less feasible 
to me. The problems as I see them are:

- You would need to include a *huge* number of files for this database to 
be a meaningful resource. Just look at how many files there are, e.g., in an 
average software package. All of them need to be added to the database, 
and when a new version comes out, you have to do it again. How long are 
you going to keep the info? Ideally, it should be held close to 
infinitely, since no one can tell when a particular version is no longer 
used anywhere. The database technology would need to be very efficient 
to be able to quickly give you results, since verification times must be 
as short as possible etc.
- While this approach may function somewhat with closed-source software 
whose vendors agree to directly forward the relevant info to the 
database, it will not work well for other closed source software, since 
there is no known-good baseline to work from. There were cases when a 
vendor's distribution medium was infected with a virus for example. So 
simply saying "this must be good, it came on the official CD" is not enough.
- In the open-source world, this approach would not work at all. While 
closed-source software only has a limited number of publicly available 
versions, with open source, you can have as many as there are users. 
Therefore, the only method in this case is to use a *local* repository 
to store your own hashes (the quoted text hints at this when talking 
about "appliances") but this is already possible today and nothing new.
- Generally, accessing this database for checking of authenticity over 
the Internet (if offered) is problematic (not to mention the ability to 
add new hashes to it, where the security implications are so grave that 
I dare not speculate about them) since there is no really good way to 
make sure that the results you get are really authentic, and safe from 
tampering. This may be solved when the database is local and under your 
control. But again, this is something that already exists.
- Is it just me, or while people seem to be kicking and screaming about how 
NGSCB/TCPA will limit their freedoms and make them dependent on outside 
influence for their systems to work, this proposed system would meet no 
resistance from the same people? Sure, there would be no obligation to 
use it, but you had better do so, if you wanna be "secure", right?...

Just my HUF 0.02...

Regards
Sz.
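The *local* hash repository the post favours over a central database, as an added example that is not from the post or from Tripwire: a baseline of SHA-256 digests for a file tree, bound with an HMAC under a locally held key so that tampering with the hash store itself (the concern raised above) is detected, followed by a verification run that reports added, removed and modified files. The file names, contents and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key; keep the real one on media the checked host cannot write to.
BASELINE_KEY = b"local-baseline-key-example"


def hash_tree(root: str) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(root).rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def build_baseline(root: str, key: bytes = BASELINE_KEY) -> dict:
    """Snapshot the tree and MAC the snapshot so edits to the store are detectable."""
    files = hash_tree(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_tree(root: str, baseline: dict, key: bytes = BASELINE_KEY) -> dict:
    """Check the baseline's MAC, then diff the live tree against it."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["mac"]):
        raise ValueError("baseline MAC mismatch: the hash store itself was altered")
    old, new = baseline["files"], hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed run: baseline a small tree, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"bin/ls": b"ls v1", "etc/passwd": b"root:x:0:0"}.items():
            (Path(root) / name).parent.mkdir(parents=True, exist_ok=True)
            (Path(root) / name).write_bytes(data)
        baseline = build_baseline(root)
        (Path(root) / "bin/ls").write_bytes(b"ls v1 + extra")  # modified file
        (Path(root) / "bin/sh").write_bytes(b"sh")              # added file
        (Path(root) / "etc/passwd").unlink()                    # removed file
        return verify_tree(root, baseline)
```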

