Ubuntu in the news: Suspected Weekend Hacker Attack on Ubuntu
Derek Broughton
news at pointerstop.ca
Mon Jul 24 15:23:45 BST 2006
James Troup wrote:
> Christian Jensen <cj2003 at debian-news.net> writes:
>
>> If the hackers somehow manage to get Ubuntu to download updates from
>> another, non-conspicuous place, and then somehow hack this other
>> place, they could push updates to Ubuntu and these users would
>> innocently install them.
>
> This isn't correct: the Ubuntu archive is cryptographically signed.
> Compromising a mirror (or even archive.ubuntu.com itself) wouldn't
> allow an attacker to push out updates as they wouldn't be able to sign
> them with the Ubuntu archive key and as a result the package
> management software on your system would refuse to install them.
No, it wouldn't, and surely you know better. All the package management
software I've used so far _warns_ you when you install something that's
unsigned. Virus makers have quite adequately proven that users will ignore
such warnings.
--
derek
More information about the sounder
mailing list