Security of ap-get


Forum: Apt-get
Topic: Security of ap-get
started by: newby
Posted by newby on July 08 2006,15:18
As we all know from Windoz the ability to automatically install software is one of the biggest security holes in the universe.

May I suggest using the website trick of displaying a series of distorted letter and number graphics for people to type in as a foil against such an exploit?  The code won't take much space, but the graphics might be a problem in 50k.  Perhaps an auto install of the graphics from website, hard drive, USB key, or floppy at boot time.

Hope this helps...

EDIT: P.S. No, not "paranoia."  I just have a brother who is a security expert.  8-o
Posted by crusadingknight on July 08 2006,18:53
Could you possibly explain more? I don't understand how letters and numbers relate to apt-get, and apt-get to exploits... ???

I've never encountered a problem where downloading dependencies from a secure server was a security hole, so I must be misunderstanding your idea. (From what I gather, you're talking about somebody editting the sources file, and then executing sudo apt-get with a specific package to install it, and the garbled comfirmation would be the protection? If that's the case, usually somebody getting access to the sources file and sudo could do whatever they want anyway, but I'm likely completely misunderstanding your idea.)
Posted by newby on July 08 2006,19:45
Quote (crusadingknight @ July 08 2006,14:53)
Could you possibly explain more? I don't understand how letters and numbers relate to apt-get, and apt-get to exploits... ???

I've never encountered a problem where downloading dependencies from a secure server was a security hole, so I must be misunderstanding your idea. (From what I gather, you're talking about somebody editting the sources file, and then executing sudo apt-get with a specific package to install it, and the garbled comfirmation would be the protection? If that's the case, usually somebody getting access to the sources file and sudo could do whatever they want anyway, but I'm likely completely misunderstanding your idea.)

Go to Yahoo and sign up for an email account.  Scroll down the signup form, just before the Terms of Service agreement will be some random letters and numbers, distorted and with lines running through them.  Refresh the page and see a different collection of letters and numbers.

Each of those on Yahoo is a single graphic.  For DSL I would suggest graphics for each character.  The system would randomly select the files, copy them with randomly changed names and display a random number of them, from 8 to 16.  The distortion would prevent OCR and the random name would prevent file name analysis.  The random mumber of characters presented might be overkill, might not.

Ultimately, such a system could be defeated by determined and very skilled hackers.  But, it would keep out any script kiddies who manage to stumble into connecting to one's machine.  It would also warn one if someone inserts an instalation file into /root.

What I'm talking about is this:

the instalation portion of apt-get is a script that has no way of knowing if it was called by a human at the keyboard or by another script, possibly malicious.

The problem is very similar to a website that does not want robotware using the site.  So they show a word, collection of letters or numbers _as_graphics._  A robot can't see the graphics, so it can't respond properly (type in the word, letters or numbers).  The graphics are usually distorted in some way to prevent optical character recognition software from defeating the security.

Go sign up for a Yahoo mail account to see this in action.

BTW - If DSL did this, I think other distros would pick it up.  Nothing like imitation being the sincerest form of flattery...
Posted by crusadingknight on July 08 2006,22:21
Quote (newby @ July 08 2006,15:45)
the instalation portion of apt-get is a script that has no way of knowing if it was called by a human at the keyboard or by another script, possibly malicious.

I don't see why - anything with the permissions to use apt-get has the permissions to kill your hard drive using dd, rm -rf /, using wget to download it's own executable to download an exploit, etc. Once an intruder had that kind of permissions, I doubt they'd go about altering sources.list to get it, rather than simply installing or running their chosen exploit. apt-get is hardly a security risk... (if you have robotware running commands as root, then it's usually too late to rescue your system.) I have never heard of anyone who gained access to a machine wasting their time (before tripwire, etc. catches them) attempting to install exploits via apt-get.

All technical arguments aside - such inconveniences are very hard on those who are visually impaired.
Posted by newby on July 09 2006,05:16
Quote (crusadingknight @ July 08 2006,18:21)
Quote (newby @ July 08 2006,15:45)
the instalation portion of apt-get is a script that has no way of knowing if it was called by a human at the keyboard or by another script, possibly malicious.


I have never heard of anyone who gained access to a machine wasting their time (before tripwire, etc. catches them) attempting to install exploits via apt-get.

All technical arguments aside - such inconveniences are very hard on those who are visually impaired.

You're absolutely right about the visually imapired.  That's why the good sites have a link for an audio file.  Again, a robot is unlikely to be able to understand an audio file, only a human will.

You may be right that other exploits will be more attractive.  But, the last step in almost any exploit is the instalation step.  Put robust protection there and one will stop a lot of malware.  It's probably not even in ap-get, probably down in the kernel.
Posted by kerry on July 09 2006,05:58
Linux is not windows. security is alot better, you can set a root password and anything trying to install or run from root will ask for a password. apt-get has features, like gpg,md5sum, required to be root,etc.. so it is very unlikely to exploit. DSL uses sudo for root access but this can be changed by the user so security is really up to you. Alot of people coming from windows expect there system to be already full of holes just waiting to be exploited, after you use linux for a good while you will find this is not the case with linux. I personally haven't used a firewall or antivirus,antispyware or anything else that would be required for windows for well over 3 years.

About the only thing you should do is use your system and thank robert and jhon that your not using a windows system with tons of exploits.
Posted by crusadingknight on July 09 2006,12:35
Quote (newby @ July 09 2006,01:16)
You may be right that other exploits will be more attractive.  But, the last step in almost any exploit is the instalation step.  Put robust protection there and one will stop a lot of malware.  It's probably not even in ap-get, probably down in the kernel.

That's why *nix has root. The robust protection already is in the kernel - Don't run user sessions as root. If you're really worried about the security of you system, you can keep up to date on existing exploits at < http://www.debian.org/security/ >.
Powered by Ikonboard 3.1.2a
Ikonboard © 2001 Jarvis Entertainment Group, Inc.