Security Software

Check Who Signed Off On Your Software

An anonymous reader submits "The Software Sig Page encourages software maintainers to publish verifiable signatures for released software and to build the web of trust among software maintainers and software users. If you're afraid of downloading a trojaned OpenSSH, being 0wned while capturing packets, compiling an MTA as well as a backdoor on your system, not being able to trust tools you use every day, or never having a chance from the moment your OS boots, then you want some level of assurance that the software you use is everything the maintainers expected you to have and no more. Look and check the MD5 and PGP signatures that come with software you download."
  • by ObviousGuy ( 578567 ) <ObviousGuy@hotmail.com> on Friday January 30, 2004 @04:53AM (#8132888) Homepage Journal
    If you have the actual shrink-wrapped product CD with appropriate holograms, this isn't an issue.

    If you're downloading god-knows-what from the Internet, you're taking a big chance, and this latest idea is probably pretty good for those people.
  • I always thought that people checking the MD5SUMS were paranoid freaks, but now I can see why it would be a good idea. I, for one, will now be checking my downloads.
  • by Mork29 ( 682855 ) <keith DOT yelnick AT us DOT army DOT mil> on Friday January 30, 2004 @05:03AM (#8132912) Journal
    Let's face it, the average user doesn't know what an MD5 checksum or PGP even are. It's a sad thing, because most security tools are easy to use, and would make the internet a safer place, but the fact of the matter is that you still have people opening up e-mail viruses that are an attachment with a notepad icon. [symantec.com] Although if you know how you should, we need to find a safe delivery system that's a bit easier for the average joe, who seems to enjoy living on the edge, downloading lots of shareware, and clicking on every e-mail attachment they get.
  • by dwoolridge ( 69316 ) on Friday January 30, 2004 @05:05AM (#8132918) Journal
    At least for FreeBSD, package maintainers must create an MD5 signature for packages that are downloaded (from source or mirror). If you try to build a port with a signature mismatch, the build bails. So, not only does the source site's code need to be trojaned, but the ports tree entry has to be modified too (and the sysadmin has to update the ports tree).

    Since Gentoo has a ports-style package management system, perhaps it does something similar.
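The ports-style check described in the comment above, as an added example (not part of the thread and not FreeBSD's own code): digests are pinned in a tree that ships separately from the download, and the build stops on a mismatch. The file name, the sample bytes and the `build` helper are constructed for illustration, and the SHA256 line is an assumption alongside the MD5 line the comment mentions.

```python
import hashlib
import re

# BSD-style digest line, e.g. "MD5 (name) = hex"
DIGEST_LINE = re.compile(r"^(MD5|SHA256) \(([^)]+)\) = ([0-9a-f]+)$")

class ChecksumMismatch(Exception):
    pass

def parse_distinfo(text):
    """Return {filename: {algorithm: hexdigest}} from BSD-style digest lines."""
    pins = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if m:
            algo, name, hexdigest = m.groups()
            pins.setdefault(name, {})[algo] = hexdigest
    return pins

def check_distfile(name, data, pins):
    """Raise unless every digest pinned for `name` matches the fetched bytes."""
    if name not in pins:
        raise ChecksumMismatch(f"{name}: no pinned digest, refusing to build")
    for algo, expected in pins[name].items():
        if hashlib.new(algo.lower(), data).hexdigest() != expected:
            raise ChecksumMismatch(f"{name}: {algo} mismatch")
    return True

# Constructed sample: the tree (not the mirror) carries the expected digests.
GOOD = b"constructed release tarball bytes\n"
TROJANED = GOOD + b"constructed extra payload\n"
DISTINFO = (
    f"MD5 (exampled-1.0.tar.gz) = {hashlib.md5(GOOD).hexdigest()}\n"
    f"SHA256 (exampled-1.0.tar.gz) = {hashlib.sha256(GOOD).hexdigest()}\n"
)
PINS = parse_distinfo(DISTINFO)

def build(name, fetched):
    """Hypothetical build step: verify first, and stop on any mismatch."""
    try:
        check_distfile(name, fetched, PINS)
    except ChecksumMismatch as exc:
        return f"build stopped: {exc}"
    return "build proceeds"
```

A checksum file served next to the tarball never enters this check, which is why the comment says the ports tree entry has to be modified as well.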
  • by molo ( 94384 ) on Friday January 30, 2004 @05:39AM (#8133002) Journal
    You should be careful how much trust you put into these signatures. MD5 sums only tell you that the file hasn't been modified between the download server and your computer. If the software was trojaned, the MD5 sum can be changed to match the new trojaned software.

    If there is a PGP signature, but it is from an untrusted key, that is no better than an MD5 sum. Anyone can create a PGP key with any name on it and upload it to the public keyservers. The real authentication comes from the web-of-trust. Of course, there are some mitigating factors.. like having the author sign with the same key for previous releases and then you notice that the key has changed. That can help, but only if you are vigilant.

    The web-of-trust is the real important factor here. If you are a software distributor, try to get your keys signed by multiple people in the well-connected group.

    If you are a software user, see if you can find a key that you trust enough to sign it.. either by a face-to-face identification verification (with a signature that you can upload to the keyservers), or by using a well-accepted key in the well-connected set and signing it LOCALLY (so that it doesn't get uploaded to the keyservers and pollute the trusted set for other users). Something from the top-50 signed keys [kjsl.com] would be suitable.

    Sites like biglumber.com [biglumber.com] maintain a list of people interested in key signings in different localities. This is a big help in getting some signatures and connecting yourself to the well-connected-set of keys.

    Also, if you want to check the path of trust between two keys, check out the PGP Pathfinder [earth.li]. An example is the path from Werner Koch (GPG author) to Phil Zimmermann (PGP author) [earth.li].

    This will enable you to build up your web-of-trust, which really indicates that the keys belong to who they say they do. PGP is your friend, use it wisely.

    -molo
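An added example (not part of molo's comment) of the distinction drawn above: a cryptographically good signature from a key with no trust path is treated as unverified, and a change of signing key between releases is flagged. It reads the machine-readable lines GnuPG writes with `--status-fd`; the fingerprints, names, pin store and policy strings are constructed assumptions.

```python
# Constructed sample values throughout: fingerprints, key IDs and names are made up.
FPR_OLD = "0123456789ABCDEF0123456789ABCDEF01234567"
FPR_NEW = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
PINS = {"exampled": FPR_OLD}   # hypothetical store: key seen on earlier releases
VALID_ENOUGH = ("TRUST_FULLY", "TRUST_ULTIMATE")

def sample_status(fpr, trust, verdict="GOODSIG"):
    """Build constructed `gpg --status-fd 1 --verify` output for the demo."""
    lines = [f"[GNUPG:] {verdict} {fpr[-16:]} Example Maintainer <maint@example.org>"]
    if verdict == "GOODSIG":
        lines.append(f"[GNUPG:] VALIDSIG {fpr} 2004-01-30 1075420800 0 3 0 17 2 00 {fpr}")
        lines.append(f"[GNUPG:] {trust}")
    return "\n".join(lines)

def parse_status(text):
    """Map each status keyword to its argument list."""
    seen = {}
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            keyword, *args = line[len("[GNUPG:] "):].split()
            seen[keyword] = args
    return seen

def assess(project, status_text, pins=PINS):
    st = parse_status(status_text)
    if "BADSIG" in st or "ERRSIG" in st or "VALIDSIG" not in st:
        return "reject: no valid signature over this file"
    args = st["VALIDSIG"]
    fpr = args[9] if len(args) > 9 else args[0]   # primary key fingerprint if given
    pinned = pins.get(project)
    if pinned is not None:
        if fpr == pinned:
            return "accept: same key as previous releases"
        return "review: signing key differs from previous releases"
    if any(level in st for level in VALID_ENOUGH):
        return "accept: key is valid via the web of trust"
    return "unverified: good signature, but no trust path to this key"
```

The last branch is the case the comment warns about: GOODSIG alone only says that some key signed the file.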
  • ..are pgp signed.

    -K
  • by Tom7 ( 102298 ) on Friday January 30, 2004 @11:45AM (#8135109) Homepage Journal
    In truth, I'm more afraid of accidental errors made by developers with good intentions (as have shown up in just about every security-critical C program I've ever used) than trojans slipped in by miscreants. Sadly, digital signatures and hashes can do nothing to help me here...
  • The web of trust (Score:4, Insightful)

    by looseBits ( 556537 ) on Friday January 30, 2004 @12:28PM (#8135536)
    If my PGP key has a hundred signatures, that doesn't make me a nice guy and it doesn't mean that I don't write software with Comet Cursor like features. All it means is that I am who I say I am. If Osama bin Laden or John Ashcroft came into my house and asked me to sign their key, I would but that doesn't mean I would trust software written by either of them.
  • Mediocre solutions (Score:5, Informative)

    by Anonymous Coward on Friday January 30, 2004 @01:39PM (#8136399)
    You should obtain the MD5 signature for software from a different place than you received the software from.

    This is a best-case scenario with MD5sums, and even a best case is pretty worthless. Debian up until very recently has relied on MD5sums, which are little more than a false sense of security. Yes, if the person who uploads a trojaned package forgets to update the MD5sum that goes along with it, you will know. The problem is they won't forget, they will update it, and you won't know what hit you. The advantage comes when you download the MD5sum from another site like they recommend here. Not only does the attacker have to break a second site's security (assuming they can't just break it once higher upstream, defeating this weak method of security), they have to know which site to break into to upload the MD5 to or else you will get the right one and know.

    The problem is, MD5 never protected from man in the middle attacks. Anyone between you and the internet (or some kid in the next dorm room) can simply hijack your connection (dns spoofing works great, they are close and can give a response to your dns request faster than the real server, and give their own IP address). Then once you are connected to them, they just become a transparent proxy for the site you are supposed to be using. Your software updater asks for a package that the attacker has pre-prepared, sends that instead of what you expected, and when you ask for the md5 (no matter who you ask) they pretend to be the source and give you the hacked MD5. Using MD5 for security like this is like eating leather when you run out of food. It is not acceptable.

    So what is? PGP? Yes and no. PGP allows you to trust that a developer believes that their binary and source are good. What if that developer has been trojaned? Well, I guess everybody else who uses that software is too. Look at the recent debian hack. If the exploit the attacker used worked on 64-bit systems, the main machine that signs and distributes compiled binaries would have been hacked. Great, now we have PGP signed trojans. Clearly using PGP does not make you bulletproof.

    So what do we do? I know many will be happy with nonsense like "nothing is perfect", hell, people used to argue against encryption on those grounds on the debian mailing lists. The argument went like this. People know that MD5 is insecure, so it keeps them on their toes, but people think PGP is perfect and might get lazy. Uh huh. Let's keep the system broken so that we know there is at all times a gaping hole in our system that would make the goatse man jealous.

    Here is what I think we should do. First require developers to sign their source code before release. That is just a first step. Second, have many reviewers. Lots of people read patches before they apply them to be sure that there are no back doors. These people should also sign the patches. Once there are enough signatures on source saying it is good, a distributed compilation takes place. Again signatures are compared, this time of the binaries (or a tarball of them). Yes there will be a few complications, the compiler systems will need to be similar enough to produce exact code, or the insignificant portions of the binary can be ignored in the checksum - whatever, we can handle that problem. As long as everyone uses the same version of GCC, or it is at least specified which one was used (and which switches were used for ./configure) there can now be many signed binary packages that are practically as transparent as the source code.

    Who trusts who might seem like a big deal, but really it isn't. Debian can require that the source code is verified by certain people before being compiled, and the binaries signed by certain people before official distribution. The NSA will likely choose completely different people to check source code, and have their own compile farms. Who will I trust? Well put it this way. I would want to know what both Debian and the NSA have to say, especially if they disagree. I will listen
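An added sketch (not part of the comment above) of the comparison step in that proposal: independent builders each report the digest of the binary they compiled from the same source, and a download is accepted only when enough builders the user trusts agree and none of them disagree. Builder names, the threshold, SHA-256 in place of MD5 and the block-on-disagreement policy are assumptions; signatures on the reports are assumed to have been checked already.

```python
import hashlib
from collections import defaultdict

def digest(data):
    return hashlib.sha256(data).hexdigest()

def evaluate(attestations, trusted, threshold):
    """Return (accepted binary digests, source digests with disagreement).

    attestations: (builder, source_digest, binary_digest) tuples whose
    signatures are assumed to have been verified already.
    """
    votes = defaultdict(set)          # (source, binary) -> builders vouching for it
    for builder, src, binary in attestations:
        if builder in trusted:        # the user, not the distributor, picks this set
            votes[(src, binary)].add(builder)
    binaries = defaultdict(set)       # source -> distinct binaries reported
    for src, binary in votes:
        binaries[src].add(binary)
    conflicts = {src for src, found in binaries.items() if len(found) > 1}
    accepted = {binary for (src, binary), who in votes.items()
                if len(who) >= threshold and src not in conflicts}
    return accepted, conflicts

# Constructed sample data; builder names are hypothetical.
SRC = digest(b"constructed source tarball")
CLEAN = b"constructed binary built from the source"
TROJANED = CLEAN + b" plus a backdoor"
TRUSTED = {"debian-farm-1", "debian-farm-2", "nsa-farm"}

AGREE = [(b, SRC, digest(CLEAN)) for b in sorted(TRUSTED)]
AGREE.append(("random-mirror", SRC, digest(TROJANED)))      # not trusted: ignored
DISAGREE = AGREE[:3] + [("debian-farm-2", SRC, digest(TROJANED))]

def verify_download(data, attestations, threshold=2):
    """Return (download accepted?, did trusted builders disagree?)."""
    accepted, conflicts = evaluate(attestations, TRUSTED, threshold)
    return digest(data) in accepted, bool(conflicts)
```

This only works if the builds are bit-for-bit reproducible, which is the compiler-version and `./configure` caveat the comment raises.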

  • Sounds like we need some kind of trusted computing paradigm. I hear a company whose name starts with M and ends with icrosoft is working on something like that. We can trust them, I'm sure.
