Ubuntu in the news: Suspected Weekend Hacker Attack on Ubuntu

Matt Zimmerman mdz at ubuntu.com
Mon Jul 24 15:49:35 BST 2006


On Mon, Jul 24, 2006 at 11:23:45AM -0300, Derek Broughton wrote:
> James Troup wrote:
> 
> > Christian Jensen <cj2003 at debian-news.net> writes:
> > 
> >> If the hackers somehow manage to get Ubuntu to download updates from
> >> another, non-conspicuous place, and then somehow hack this other
> >> place, they could push updates to Ubuntu and these users would
> >> innocently install them.
> > 
> > This isn't correct: the Ubuntu archive is cryptographically signed.
> > Compromising a mirror (or even archive.ubuntu.com itself) wouldn't
> > allow an attacker to push out updates as they wouldn't be able to sign
> > them with the Ubuntu archive key and as a result the package
> > management software on your system would refuse to install them.
> 
> No, it wouldn't, and surely you know better.  All the package management
> software I've used so far _warns_ you when you install something that's
> unsigned.  Virus makers have quite adequately proven that users will ignore
> such warnings.

It wouldn't allow an attacker to push out updates *without the user being
informed of this risk*.  Trying to prevent them from doing so entirely turns
out to be self-defeating, because they either don't care or will defeat the
system to install the updates themselves.

-- 
 - mdz
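An added illustration (not part of this thread) of the check James Troup describes: in an apt-style archive only the Release file is signed, Release carries the hash of Packages, and Packages carries the hash of every .deb, so a mirror that swaps a package, or even rewrites the indices, fails verification unless it also holds the archive key. An HMAC stands in for the real GPG signature, and the .deb bodies and index formats are constructed simplifications.

```python
import hashlib
import hmac

# Constructed stand-in for the Ubuntu archive signing key. The real archive
# uses a GPG key; an HMAC stands in for that signature so the demo runs offline.
ARCHIVE_KEY = b"constructed-archive-signing-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_release(release: bytes, key: bytes) -> str:
    """Produce Release.gpg for a Release file (signature stand-in)."""
    return hmac.new(key, release, hashlib.sha256).hexdigest()


def build_archive(debs: dict, key: bytes = ARCHIVE_KEY) -> dict:
    """Packages hashes every .deb, Release hashes Packages, only Release is signed."""
    packages = "".join(
        f"Filename: {name}\nSHA256: {sha256(body)}\n\n" for name, body in sorted(debs.items())
    ).encode()
    release = f"SHA256:\n {sha256(packages)} Packages\n".encode()
    return {"debs": dict(debs), "Packages": packages, "Release": release,
            "Release.gpg": sign_release(release, key)}


def verify_archive(archive: dict, trusted_key: bytes = ARCHIVE_KEY) -> tuple:
    """Client-side check: signature on Release, then the hash chain down to each .deb."""
    release = archive["Release"]
    if not hmac.compare_digest(sign_release(release, trusted_key), archive["Release.gpg"]):
        return False, "Release signature invalid"
    expected = release.decode().splitlines()[1].split()[0]
    if sha256(archive["Packages"]) != expected:
        return False, "Packages hash mismatch"
    for stanza in archive["Packages"].decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        body = archive["debs"].get(fields["Filename"])
        if body is None or sha256(body) != fields["SHA256"]:
            return False, f"{fields['Filename']} hash mismatch"
    return True, "ok"


# Constructed .deb contents (real packages would be ar archives).
GENUINE = build_archive({"pool/main/foo_1.0.deb": b"genuine foo",
                         "pool/main/bar_2.1.deb": b"genuine bar"})

# Mirror compromise 1: one .deb swapped on disk, signed metadata left alone.
SWAPPED = dict(GENUINE, debs={**GENUINE["debs"], "pool/main/foo_1.0.deb": b"tampered foo"})

# Mirror compromise 2: Packages and Release rebuilt around the tampered .deb,
# but signed with a key the mirror operator controls, not the archive key.
RESIGNED = build_archive(SWAPPED["debs"], key=b"attacker-key")
```

The genuine archive verifies; the swapped .deb fails at the hash step and the re-signed indices fail at the signature step, which is the point at which apt stops and informs the user.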