| 1 |
Alan McKinnon <alan.mckinnon <at> gmail.com> writes: |
| 2 |
|
| 3 |
> > But why not just use a simple script: |
| 4 |
|
| 5 |
> > <scriptname> package.just.downloaded package.just.downloaded.DIGESTS |
| 6 |
|
| 7 |
|
| 8 |
Right now, I perform manual inspections, which are essential only if deemed |
| 9 |
essential, proned to (visual inspection) mistakes and time consuming. It |
| 10 |
there is (which I'm unaware of) scripts, programs, gui-interfaces and such |
| 11 |
that greatly simplify this manual spot checking random approach? |
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
> > |
| 16 |
http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/ |
| 17 |
> |
| 18 |
> Thanks, now I understand better the question you are asking. |
| 19 |
|
| 20 |
|
| 21 |
Ok, cleaning up of this tool (openssl code) is but one part of the work that |
| 22 |
needs to be done. The Rat is well qualified to clean up this code. |
| 23 |
|
| 24 |
|
| 25 |
> I don't think it can be solved at all in the general case, |
| 26 |
> for two reasons. |
| 27 |
|
| 28 |
ems fight'n words...... |
| 29 |
|
| 30 |
|
| 31 |
> One, the internet and it's core protocols are inherently not worthy of |
| 32 |
> trust. There just isn't any way to prove that traffic is what it claims |
| 33 |
> to be and no crypto verification built into the core of it. You either |
| 34 |
> trust the traffic or you don't, but there's nothing inherent in the |
| 35 |
> traffic to help you decide. So, all the download protocols have security |
| 36 |
> checking bolted on afterwards by individual apps. These apps may or may |
| 37 |
> not be compatible with each other and may or may not do their checks |
| 38 |
> similarly from one protocol to the next. Somebody would have to garner |
| 39 |
> enough support so that all the major projects doing file and data |
| 40 |
> transfers agree on some way to implement crypto checks. Good luck with |
| 41 |
> that if they do agree on something, we have the second problem. |
| 42 |
> |
| 43 |
> Internet downloads have an inherent problem - you download an unknown |
| 44 |
> bunch of bits from somewhere and can't fully trust the result. You can |
| 45 |
> check hashes against the downloaded file, but you have to get them from |
| 46 |
> somewhere. And the method to get them is the same as getting the data |
| 47 |
> file itself - a bunch of bits from somewhere and you can't trust it. How |
| 48 |
> can you download trusted hash data from a source where you don't trust |
| 49 |
> the regular downloads? Can't work; two no trusts don't make a one trust. |
| 50 |
> |
| 51 |
> And who's global hash store of all known hashes of all known |
| 52 |
> downloadables would you trust anyway? The NSAs? |
| 53 |
> |
| 54 |
> Best you can do is make something for the specific case. The Gentoo tree |
| 55 |
> and distfiles can be GPG signed and if you agree to trust Gentoo's keys |
| 56 |
> then you are good to go and it can be automated (which is the easy bit |
| 57 |
> btw). |
| 58 |
> |
| 59 |
> For the general case/ I can't see that work at all. I trust Gentoo with |
| 60 |
> Gentoo, but I don't see myself ever trusting $ARB_3RD_PARTY |
| 61 |
> with $EVERYTHING |
| 62 |
|
| 63 |
|
| 64 |
Your comments are well received and I do not even disagree with your points. |
| 65 |
I think you need to relax, grab your favorite beverage, recline and put |
| 66 |
on your "deep thinking hat". Perhaps a foot massage from your least |
| 67 |
productive underling would set your mind at ease? |
| 68 |
|
| 69 |
|
| 70 |
So, let us assume you are correct in everything you have stated. But, |
| 71 |
try on this idea and shoot away. Note in this context, I use the terms |
| 72 |
code=package=sofware=download, so as to focus on the 10,000 foot view |
| 73 |
of the idea, not the minutia. |
| 74 |
|
| 75 |
|
| 76 |
Premiss: |
| 77 |
Any individual code/software/package/download can be hacked as can it's |
| 78 |
keys/hashes, regardless of where they are located. But, it would be very |
| 79 |
difficult for an interloper, to inject into such codes at a thousand |
| 80 |
differnet locations without detection. Note, at each repository, hashes |
| 81 |
can be regenerated and had better match the hashes of the the orignation |
| 82 |
site(s). |
| 83 |
|
| 84 |
Proposal: |
| 85 |
So rather than a static singular check-point of where you code check, why |
| 86 |
not develop checking tools that check the integrity of any given piece of |
| 87 |
code, from many multiple locations? (Fault tolerance via redundancy, if |
| 88 |
you like). |
| 89 |
|
| 90 |
|
| 91 |
Possible solution: |
| 92 |
1) Source archives usually contain revision histories and sync those up with |
| 93 |
revision releases. So mantain a master list of hashes/keys on their sources |
| 94 |
in the form of a histogram. So a code periodically updated n(10) times |
| 95 |
would have n(10) hashes with n(10) timestamps as the basis of the |
| 96 |
histogram. Think of a digial (camera) histogram. [1] This would develop a |
| 97 |
histogram of changes in the hashes for a given code/package not only at the |
| 98 |
sourcecode reporsitory, but also at those institutional repositories who |
| 99 |
generate their own hashes/keys and link them to release date-time-stamps; |
| 100 |
had better have convergence with the development sources. |
| 101 |
|
| 102 |
Now we would not only have the hashes, which can be manually checked |
| 103 |
anywhere anytime, but a historm image check, based on the historical dates |
| 104 |
where the code is known to have changed. Every code changes does not have to |
| 105 |
be included, only significant, period releases. Code could be check by a |
| 106 |
bit by bit number by number approach, as well as a single image that is a |
| 107 |
compilation of those bits into the form of a histogram. [2] |
| 108 |
|
| 109 |
The archive sites (common download repositories) should be able to check |
| 110 |
histograms each time a code they offer is changed. Nothing would stop |
| 111 |
capable users from using these sorts of tools too. Please observe: these |
| 112 |
"histograms", particularly if well distributed across the net, would greatly |
| 113 |
enhance forensic and integrity ensurance efforts. |
| 114 |
|
| 115 |
|
| 116 |
2) The individual could mantain a master list of hashes/keys on their |
| 117 |
(gentoo) system(s). Yes they would have to be periodically updated, but an |
| 118 |
archival database approach, complete with timestamps when a particular codes |
| 119 |
hask/key changes, would be logged, per package. This could probably be a |
| 120 |
compliment to portage. |
| 121 |
|
| 122 |
|
| 123 |
3) For every (non-gentoo users also) individual, a distributed checking tool |
| 124 |
could be develop to simulataneously check against dozens or hundreds of |
| 125 |
hashes from random sites against their copy of the hash/key. It'd be pretty |
| 126 |
hard to hack many of those sources in a coordinated fashion. |
| 127 |
|
| 128 |
|
| 129 |
For the paranoid usb stick(s) could be used to house the hashes for |
| 130 |
transient usage/updates. The pathelogically paranoic could download, drop |
| 131 |
the their ether connection, insert the usb(s) and perform hash, code and |
| 132 |
system checks. |
| 133 |
|
| 134 |
|
| 135 |
Nothing in this scenario would stop tainted code from the original |
| 136 |
development team. But wait, holy_oscars_batman, the fact that those |
| 137 |
(trusted) codes are developed in an open fashion where other folks can audit |
| 138 |
the sources, historically and concurrently, should drasitcally reduce |
| 139 |
nefarious codes, as we currently have evidence to support. |
| 140 |
|
| 141 |
|
| 142 |
So, what a torrent_style tool that uses a distributed hashes/keys to check |
| 143 |
code integrity; is possible? |
| 144 |
|
| 145 |
Surely the code histogram idea is possible? |
| 146 |
|
| 147 |
|
| 148 |
James |
| 149 |
|
| 150 |
|
| 151 |
[1] http://digital-photography-school.com/understanding-histograms/ |
| 152 |
|
| 153 |
[2] Not the proper forum here to refine this part, but, Z and fourier |
| 154 |
transforms make quick, easy work for this sort of quick image parsing. |
Archives