Joined: June 2006
||Posted: July 08 2006,19:45
|Quote (crusadingknight @ July 08 2006,14:53)|
|Could you possibly explain more? I don't understand how letters and numbers relate to apt-get, and apt-get to exploits... |
I've never encountered a problem where downloading dependencies from a secure server was a security hole, so I must be misunderstanding your idea. (From what I gather, you're talking about somebody editting the sources file, and then executing sudo apt-get with a specific package to install it, and the garbled comfirmation would be the protection? If that's the case, usually somebody getting access to the sources file and sudo could do whatever they want anyway, but I'm likely completely misunderstanding your idea.)
Go to Yahoo and sign up for an email account. Scroll down the signup form, just before the Terms of Service agreement will be some random letters and numbers, distorted and with lines running through them. Refresh the page and see a different collection of letters and numbers.
Each of those on Yahoo is a single graphic. For DSL I would suggest graphics for each character. The system would randomly select the files, copy them with randomly changed names and display a random number of them, from 8 to 16. The distortion would prevent OCR and the random name would prevent file name analysis. The random mumber of characters presented might be overkill, might not.
Ultimately, such a system could be defeated by determined and very skilled hackers. But, it would keep out any script kiddies who manage to stumble into connecting to one's machine. It would also warn one if someone inserts an instalation file into /root.
What I'm talking about is this:
the instalation portion of apt-get is a script that has no way of knowing if it was called by a human at the keyboard or by another script, possibly malicious.
The problem is very similar to a website that does not want robotware using the site. So they show a word, collection of letters or numbers _as_graphics._ A robot can't see the graphics, so it can't respond properly (type in the word, letters or numbers). The graphics are usually distorted in some way to prevent optical character recognition software from defeating the security.
Go sign up for a Yahoo mail account to see this in action.
BTW - If DSL did this, I think other distros would pick it up. Nothing like imitation being the sincerest form of flattery...