Open Source and information security mailing list archives
Message-ID: <200308042113.h74LD0QI009819@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Microsoft win2003server phone home 

On Mon, 04 Aug 2003 10:37:20 -1000, Jason Coombs said:
> > Closing down *most* of these exposures is why the 'rpm' package manager
> > supports using PGP to sign the packages...
> 
> You *do* realize that digital signatures can be forged with theft of private
> keys, right?

Yep, fully aware of that.  On the other hand, there's the *presumption* that
the machine that RedHat or Sendmail do the signing on is somewhat more hardened
than the externally-visible server that the files live on.

I was also aware of all the other points you brought up - which is why I said "*most*
of the holes" - the note was getting quite long enough already. (As it was, I axed a
mention of the Verisign/Microsoft cert whoops due to length - if I hadn't scared the OP
off the concept of automated updates already, adding more to the list wouldn't change
matters).

On the flip side, *most* of the interesting MITM attacks on code update require the
attacker to wait for the target to do an update.  For the *vast* majority of systems
on the Internet, the benefit of having recently patched code or AV-scanner signatures
*far* outweighs the risks of actually being targeted during an update.  There is, indeed,
no absolute security - it's all about minimizing *total* risk.

Remember - you're downloading the update (code or AV) to fix a *known* exposure.
How bad a burn would Mimail have had if people *didn't* have automated AV updates?
How much less of a burn would CodeRed or Nimda have had if more people had
visited WindowsUpdate on a regular basis?

It's the same issue as vaccinating children against diseases - yes, some very small
percentage of children do have nasty side effects from the various vaccines.  But
that needs to be balanced against the dangers of not being vaccinated at all....
