gnu-arch-users

Re: [Gnu-arch-users] signed archives and key management


From: James Blackwell
Subject: Re: [Gnu-arch-users] signed archives and key management
Date: Tue, 20 Jan 2004 21:37:12 -0500

(/me silently "Muhahaha! Muhahahaha! Mwaahaha's" to himself)


> At this point, James can completely compromise any or all of those
> mirrors at will.  The only thing you would notice is that as you're
> downloading revisions, it would show that they were signed by him, not
> by the original author.  If you're using a script which makes GPG
> quieter (and it's hard not to :)), then you wouldn't even see that.


Muhaha! Muhahahah! MuhahahAHAHA! Muha--crap! I've been busted!

> This isn't to pick on James - I don't think he'd do such a thing.  You
> could instead imagine the mirrors.sourcecontrol.net machine being
> cracked.  It's a good example of how easy it is for security to be
> compromised, even though we're using signatures.

Yeah, but you're right. That possibility could exist. I could be a wolf
in sheep's clothing, somebody could sneak through the firewalls on other
machines, break into my laptop.... things can, and sometimes gnu happen.

Good: 
1. Clearly told everybody I'm only backing up once a month.
2. Minimized the services running on SC. 
3. Have apache set up as one account, the web docs by another 
   account, and the mirroring by a third account.
4. Removed all passwords from /etc/shadow
5. For what little it's worth, installed Debian's harden-*
6. Put on Linux-2.6.1
7. Disabled inetd.
8. Update the machine every few days.


Bad:

1. Given out accounts to people that have arch archives
2. Not set up an intrusion detection system.
3. Not firewalled off snmpd yet (needed for mrtg)


However, things aren't as bad as you make them out to be: 


1. The mirror makes absolutely no promises about the integrity of the 
archives. All that it does is carry through the original signatures as 
signed from the site that is mirrored from.  So in the case of signed
archives, the threat is not at mirrors.sc.net, but at the originating
source.

2. The mirror never, ever signs an archive. In fact, it can't because
the mirror doesn't even have a secret and public key.

3. If we put me back into the bad guy role, I don't get anywhere. If I
use my key, then when people figure out archives have been cracked, then
the police have my (well-signed) key as evidence to track me down. If I
make a brand new key, the signature will fail because nobody has its
public key. :) 

4. [censored]


-- 
James Blackwell      Using I.T. to bring more             570-407-0488
Owner, Inframix      business to your business     http://inframix.com

GnuPG (ID 06357400) AAE4 8C76 58DA 5902 761D  247A 8A55 DA73 0635 7400
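As an added example (not code from this thread or from GNU Arch): a small Python check that a downloaded revision's signature came from the key pinned for that archive, driven by `gpg --status-fd` output, so that even a "quiet" wrapper refuses a signature made with someone else's key or with a key nobody holds. The archive name and the status lines are constructed; the fingerprint is the one in the signature block above.

```python
import re

# Constructed: archive name -> fingerprint (40 hex digits) of the only key
# allowed to sign it.  Fingerprint taken from this message's signature block.
PINNED_SIGNERS = {
    "example@example.org--2004": "AAE48C7658DA5902761D247A8A55DA7306357400",
}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def verdict(archive, status_output):
    """Return 'accept' or 'reject: <reason>' for one gpg --status-fd run."""
    # GOODSIG only carries a short key id; the decision rests on VALIDSIG, whose
    # first field is the signing key's fingerprint and whose tenth field, when
    # present, is the primary key's fingerprint.
    expected = PINNED_SIGNERS.get(archive)
    if expected is None:
        return "reject: no pinned signer for archive %s" % archive
    seen = {}
    for line in status_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            seen.setdefault(m.group(1), (m.group(2) or "").split())
    if "NO_PUBKEY" in seen:
        # A key nobody holds: a mirror cannot sign with a key it just made up.
        return "reject: signed by a key we do not hold (%s)" % seen["NO_PUBKEY"][0]
    if "BADSIG" in seen or "ERRSIG" in seen:
        return "reject: signature did not verify"
    if "VALIDSIG" not in seen:
        return "reject: no VALIDSIG line in gpg output"
    args = seen["VALIDSIG"]
    fpr = (args[9] if len(args) > 9 else args[0]).upper()
    if fpr != expected:
        # Verified, but by some other key we happen to hold: this is the case a
        # quiet wrapper around gpg would silently let through.
        return "reject: signed by unexpected key %s" % fpr
    return "accept"


# Constructed status output for the three cases discussed in the thread.
GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8A55DA7306357400 James Blackwell <address@hidden>
[GNUPG:] VALIDSIG AAE48C7658DA5902761D247A8A55DA7306357400 2004-01-20 1074652632 0 4 0 17 2 00 AAE48C7658DA5902761D247A8A55DA7306357400
[GNUPG:] TRUST_FULLY"""
OTHER_KEY = GOOD.replace("AAE48C7658DA5902761D247A8A55DA7306357400", "0" * 40)
UNKNOWN_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1074652632 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF"""
```

Run `verdict("example@example.org--2004", GOOD)` to get `accept`; the other two samples are rejected with the reason that matches the thread's scenario.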