lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Microsoft win2003server phone home 

On Mon, 04 Aug 2003 10:37:20 -1000, Jason Coombs said:
> > Closing down *most* of these exposures is why the 'rpm' package manager
> > supports using PGP to sign the packages...
> 
> You *do* realize that digital signatures can be forged with theft of private
> keys, right?

Yep, fully aware of that.  On the other hand, there's the *presumption* that
the machine that RedHat or Sendmail do the signing on is somewhat more hardened
than the externally-visible server that the files live on.

I was also aware of all the other points you brought up - which is why I said "*most*
of the holes" - the note was getting quite long enough already. (As it was, I axed a
mention of the Verisign/Microsoft cert whoops due to length - if I hadn't scared the OP
off the concept of automated updates already, adding more to the list wouldn't change
matters).

On the flip side, *most* of the interesting MITM attacks on code update require the
attacker to wait for the target to do an update.  For the *vast* majority of systems
on the Internet, the benefit of having recently patched code or AV-scanner signatures
*far* outweighs the risks of actually being targeted during an update.  There is, indeed,
no absolute security - it's all about minimizing *total* risk.

Remember - you're downloading the update (code or AV) to fix a *known* exposure.
How bad a burn would Mimail have had if people *didnt* have automated AV updates?
How much less of a burn would CodeRed or Nimda have had if more people had
visited WindowsUpdate on a regular basis?

It's the same issue as vaccinating children against diseases - yes, some very small
percentage of children do have nasty side effects from the various vaccines.  But
that needs to be balanced against the dangers of not being vaccinated at all....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030804/336f2779/attachment.bin

Powered by blists - more mailing lists