Search Members Help

» Welcome Guest
[ Log In :: Register ]

Mini-ITX Boards Sale, Fanless BareBones Mini-ITX, Bootable 1G DSL USBs, 533MHz Fanless PC <-- SALE $200 each!
Get The Official Damn Small Linux Book. DSL Market , Great VPS hosting provided by Tektonic
Pages: (2) </ [1] 2 >/

[ Track this topic :: Email this topic :: Print this topic ]

 reply to topic new topic new poll
Topic: Security of ap-get, use the common method of...< Next Oldest | Next Newest >
newby Offline





Group: Members
Posts: 171
Joined: June 2006
Posted: July 08 2006,15:18 QUOTE
As we all know from Windoz the ability to automatically install software is one of the biggest security holes in the universe.

May I suggest using the website trick of displaying a series of distorted letter and number graphics for people to type in as a foil against such an exploit?  The code won't take much space, but the graphics might be a problem in 50k.  Perhaps an auto install of the graphics from website, hard drive, USB key, or floppy at boot time.

Hope this helps...

EDIT: P.S. No, not "paranoia."  I just have a brother who is a security expert.  8-o
Back to top
Profile PM 
crusadingknight Offline





Group: Members
Posts: 65
Joined: Nov. 2005
Posted: July 08 2006,18:53 QUOTE
Could you possibly explain more? I don't understand how letters and numbers relate to apt-get, and apt-get to exploits... ???

I've never encountered a problem where downloading dependencies from a secure server was a security hole, so I must be misunderstanding your idea. (From what I gather, you're talking about somebody editting the sources file, and then executing sudo apt-get with a specific package to install it, and the garbled comfirmation would be the protection? If that's the case, usually somebody getting access to the sources file and sudo could do whatever they want anyway, but I'm likely completely misunderstanding your idea.)

--------------
System:
eTower 566.12, 32MB RAM, 7GB HD, 200MB swap, 1x USB v.1, Intel 810GFX, Intel 810 Audio.
Recompiled so far: Pretty much everything. I think I'll have to do a remaster to cut the growing bloat off my system.
Back to top
Profile PM WEB MSN 
newby Offline





Group: Members
Posts: 171
Joined: June 2006
Posted: July 08 2006,19:45 QUOTE
Quote (crusadingknight @ July 08 2006,14:53)
Could you possibly explain more? I don't understand how letters and numbers relate to apt-get, and apt-get to exploits... ???

I've never encountered a problem where downloading dependencies from a secure server was a security hole, so I must be misunderstanding your idea. (From what I gather, you're talking about somebody editting the sources file, and then executing sudo apt-get with a specific package to install it, and the garbled comfirmation would be the protection? If that's the case, usually somebody getting access to the sources file and sudo could do whatever they want anyway, but I'm likely completely misunderstanding your idea.)

Go to Yahoo and sign up for an email account.  Scroll down the signup form, just before the Terms of Service agreement will be some random letters and numbers, distorted and with lines running through them.  Refresh the page and see a different collection of letters and numbers.

Each of those on Yahoo is a single graphic.  For DSL I would suggest graphics for each character.  The system would randomly select the files, copy them with randomly changed names and display a random number of them, from 8 to 16.  The distortion would prevent OCR and the random name would prevent file name analysis.  The random mumber of characters presented might be overkill, might not.

Ultimately, such a system could be defeated by determined and very skilled hackers.  But, it would keep out any script kiddies who manage to stumble into connecting to one's machine.  It would also warn one if someone inserts an instalation file into /root.

What I'm talking about is this:

the instalation portion of apt-get is a script that has no way of knowing if it was called by a human at the keyboard or by another script, possibly malicious.

The problem is very similar to a website that does not want robotware using the site.  So they show a word, collection of letters or numbers _as_graphics._  A robot can't see the graphics, so it can't respond properly (type in the word, letters or numbers).  The graphics are usually distorted in some way to prevent optical character recognition software from defeating the security.

Go sign up for a Yahoo mail account to see this in action.

BTW - If DSL did this, I think other distros would pick it up.  Nothing like imitation being the sincerest form of flattery...
Back to top
Profile PM 
crusadingknight Offline





Group: Members
Posts: 65
Joined: Nov. 2005
Posted: July 08 2006,22:21 QUOTE
Quote (newby @ July 08 2006,15:45)
the instalation portion of apt-get is a script that has no way of knowing if it was called by a human at the keyboard or by another script, possibly malicious.

I don't see why - anything with the permissions to use apt-get has the permissions to kill your hard drive using dd, rm -rf /, using wget to download it's own executable to download an exploit, etc. Once an intruder had that kind of permissions, I doubt they'd go about altering sources.list to get it, rather than simply installing or running their chosen exploit. apt-get is hardly a security risk... (if you have robotware running commands as root, then it's usually too late to rescue your system.) I have never heard of anyone who gained access to a machine wasting their time (before tripwire, etc. catches them) attempting to install exploits via apt-get.

All technical arguments aside - such inconveniences are very hard on those who are visually impaired.

--------------
System:
eTower 566.12, 32MB RAM, 7GB HD, 200MB swap, 1x USB v.1, Intel 810GFX, Intel 810 Audio.
Recompiled so far: Pretty much everything. I think I'll have to do a remaster to cut the growing bloat off my system.
Back to top
Profile PM WEB MSN 
newby Offline





Group: Members
Posts: 171
Joined: June 2006
Posted: July 09 2006,05:16 QUOTE
Quote (crusadingknight @ July 08 2006,18:21)
Quote (newby @ July 08 2006,15:45)
the instalation portion of apt-get is a script that has no way of knowing if it was called by a human at the keyboard or by another script, possibly malicious.


I have never heard of anyone who gained access to a machine wasting their time (before tripwire, etc. catches them) attempting to install exploits via apt-get.

All technical arguments aside - such inconveniences are very hard on those who are visually impaired.

You're absolutely right about the visually imapired.  That's why the good sites have a link for an audio file.  Again, a robot is unlikely to be able to understand an audio file, only a human will.

You may be right that other exploits will be more attractive.  But, the last step in almost any exploit is the instalation step.  Put robust protection there and one will stop a lot of malware.  It's probably not even in ap-get, probably down in the kernel.
Back to top
Profile PM 
6 replies since July 08 2006,15:18 < Next Oldest | Next Newest >

[ Track this topic :: Email this topic :: Print this topic ]

Pages: (2) </ [1] 2 >/ 		reply to topic new topic new poll
Quick Reply: Security of ap-get

Do you wish to enable your signature for this post?
Do you wish to enable emoticons for this post?
Track this topic
View All Emoticons
View iB Code