If the FBI has the power, time and energy to install a proxy between my router and my ISP to spoof a package host (i.e. security.debian.org) just to root my servers, then they are clearly a heck of a lot more "geeky" than I thought. Hell, why go through that trouble, why not just grab my traffic and sniff all my packets... sheesh. If they can spoof a proxy on me, then they certainly can put a line sniffer between me and my ISP... isn't that easier?!?!
This is silly to blame the FBI. I'd be far more concerned about the average knucklehead trying to do this maliciously than thinking the FBI would do it... please.
While I agree that there should be a level of protection on apt-get, or any "auto update" system, it's up to the person doing the update to check the things they're updating if they are that paranoid. If you're really concerned about this, don't apt-get, download the debs and eyeball the debs yourself.
This line caught my eye and made me laugh a little:
> As a matter of comparison, our Windows 2000 box has no such vulnerability.
> The first time we went to Windows Update, we checked the box that said,
> "Always trust content from Microsoft Corporation." Therefore, only
> Microsoft's real certificate will be accepted by our machine. Even if the
> FBI forces Verisign to issue an impostor certificate, it will be detected
> and thwarted.
Hahahahahahahahaha... So when I hit "Yes" to trust Microsoft all my worries and fears go away... ya right.
The article was written in December 2001, two years ago and over 100 IIS patches later. In hindsight, had the author concentrated on IIS and its lack of security, and pointed out that the Internet is slowed to a crawl since every IT idiot maintaining IIS won't patch their software or do AN AUTO UPDATE!!! It's a contradiction to the original problem being stated!!! hahahahaha.
I don't know about you, but I'd love to have a dime for every time some frickin' worm crawls one of my Apache boxes trying to buffer overflow or malform it thinking it's IIS.... Hell, I'd be rich.
This stuff is silly. I'll take my chances with apt-get and know that my system is up to date.
g.
Andrew Pollock wrote:
Hi,
One of my friends sent me this URL, it's an oldie, and the topic in
general has been discussed before, but this article certainly does raise
some concerns.
http://www.astalavista.com/privacy/library/magic-lantern/fbi.shtml
Andrew