tcpdump mailing list archives
Re: [WT-CHANGES] tcpdump.org mirrors
From: Grant Bayley <gbayley () ausmac net>
Date: Tue, 19 Nov 2002 09:16:00 +1100 (EST)
On Thu, 14 Nov 2002, mlh wrote:
> Grant Bayley wrote:
> > I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.
>
> Couldn't the verifying of signatures be done as part of mirroring. This would limit the damage and provide an early warning system.
Hi,

Someone else already asked this question on our local 2600-list:

http://www.2600.org.au/cgi-bin/archive?mss:16708:200211:khamidfmjgmpjndmlgea

Click the -> next to "View by Thread" to jump forward through the responses.

To summarise the answers:

- none of the existing mirroring software (rsync, fmirror, lftp etc) provide such a facility, and hence the only way to verify things would be to manually check each and every file. For an archive of some considerable size, the mirror admin would spend 24 hours a day just checking signatures/cryptographic hashes. (this same problem applies to scanning for viruses - none of the software has hooks for it...)

- this idea pre-assumes that there are signatures and cryptographic hashes for every source code file on sites like tcpdump.org. There aren't. Consider that the attacker could have trojaned the daily or weekly snapshots, for which there are no signatures/hashes. If the attacker was in less of a hurry, they could have modified a file in the CVS repository directly (ie no cvs commit, and hence a log - just edit the files directly) and just waited for the next release, in which case when it's packaged, checksummed and signed correctly, the trojan goes right under everyone's radar.

Additional comment:

We limited the damage here with a quick response after the compromise was noticed. Aside from Michael keeping the main server a little more up-to-date with patches (grin), I'm not sure there's anything that could or would have been done differently.

Grant

---------------------------------------
Grant Bayley gbayley () ausmac net
-Admin @ AusMac Archive, Wiretapped.net
www.ausmac.net www.wiretapped.net
---------------------------------------
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
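Added example, not part of the original message or of any mirroring tool named in it: a check a mirror admin could run over a staging directory after the sync and before publishing, reporting both altered files and the files no checksum covers (the snapshot gap described above). It assumes the upstream ships `SHA256SUMS` manifests in `sha256sum` text format and that each manifest's own authenticity is established separately, for example with a detached signature; the manifest name, function names and sample files are all constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "SHA256SUMS"  # assumed manifest name, not something the page says was published

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_mirror(root):
    """Classify files under root as ok, mismatch, missing (listed but absent) or unlisted."""
    root = Path(root).resolve()
    expected = {}
    for manifest in root.rglob(MANIFEST):
        for line in manifest.read_text().splitlines():
            digest, _, name = line.strip().partition("  ")  # "<hex>  <name>"
            target = (manifest.parent / name).resolve()
            # Ignore malformed lines and entries that point outside the mirror tree.
            if digest and name and root in target.parents:
                expected[target] = digest.lower()
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for path, digest in expected.items():
        if not path.is_file():
            report["missing"].append(path.name)
        elif sha256_of(path) == digest:
            report["ok"].append(path.name)
        else:
            report["mismatch"].append(path.name)
    for path in root.rglob("*"):
        if path.is_file() and path.name != MANIFEST and path.resolve() not in expected:
            report["unlisted"].append(path.name)  # no checksum covers this file
    return {kind: sorted(names) for kind, names in report.items()}

def demo():
    # Constructed tree: two listed releases (one altered after listing) and an unlisted snapshot.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        listed = ("tcpdump-release.tar.gz", "libpcap-release.tar.gz")
        for name in listed:
            (root / name).write_bytes(b"contents of " + name.encode())
        lines = [f"{sha256_of(root / n)}  {n}" for n in listed]
        (root / MANIFEST).write_text("\n".join(lines) + "\n")
        (root / "libpcap-release.tar.gz").write_bytes(b"altered after the manifest was written")
        (root / "tcpdump-snapshot.tar.gz").write_bytes(b"daily snapshot, never listed")
        return audit_mirror(root)

if __name__ == "__main__":
    print(demo())
```

A release packaged from an already-modified repository, the second scenario in the message, would still be reported as `ok`, because its manifest is computed over the altered files.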