tcpdump mailing list archives

Re: [WT-CHANGES] tcpdump.org mirrors
From: Grant Bayley <gbayley () ausmac net>
Date: Tue, 19 Nov 2002 09:16:00 +1100 (EST)

On Thu, 14 Nov 2002, mlh wrote:

> Grant Bayley wrote:
> > I run the main mirror of tcpdump at wiretapped.net (no relation to
> > wiretapped.us) in Australia.  We rsync from cvs.tcpdump.org, and have
> > removed the entire tcpdump.org tree and disabled rsync updates until we
> > hear from Michael Richardson at tcpdump.org.
>
> Couldn't the verifying of signatures be done as
> part of mirroring?
>
> This would limit the damage and provide an early warning system.

Hi,

Someone else already asked this question on our local 2600-list:

http://www.2600.org.au/cgi-bin/archive?mss:16708:200211:khamidfmjgmpjndmlgea

Click the -> next to "View by Thread" to jump forward through the
responses.

To summarise the answers:

- none of the existing mirroring software (rsync, fmirror, lftp etc.)
provides such a facility, and hence the only way to verify things would be
to manually check each and every file.  For an archive of some
considerable size, the mirror admin would spend 24 hours a day just
checking signatures/cryptographic hashes.  (This same problem applies to
scanning for viruses - none of the software has hooks for it...)

- this idea pre-assumes that there are signatures and cryptographic hashes
for every source code file on sites like tcpdump.org.  There aren't.
Consider that the attacker could have trojaned the daily or weekly
snapshots, for which there are no signatures/hashes.  If the attacker was
in less of a hurry, they could have modified a file in the CVS repository
directly (i.e. no cvs commit, and hence a log - just edit the files
directly) and just waited for the next release, in which case, when it's
packaged, checksummed and signed correctly, the trojan goes right under
everyone's radar.

Additional comment:

We limited the damage here with a quick response after the compromise was
noticed.  Aside from Michael keeping the main server a little more up-to-date
with patches (grin), I'm not sure there's anything that could or would
have been done differently.

Grant

---------------------------------------
Grant Bayley         gbayley () ausmac net
-Admin @ AusMac Archive, Wiretapped.net
 www.ausmac.net      www.wiretapped.net
---------------------------------------

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
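The thread above argues that mirroring tools have no hook for checking signatures, and that a check can only cover files that actually have a signed hash. The following is an added example, not code from the list or from tcpdump.org: a post-rsync verification function that compares a mirrored tree against a sha256 manifest (assumed format `<sha256>  <relative path>`, as `sha256sum -c` reads) and flags mismatched, missing and, for exactly the unsigned-snapshot case raised above, unlisted files. Verifying the manifest's own signature (for example with `gpg --verify`) is assumed to happen before this runs and is not shown.

```shell
# Added example, not from the list thread: check a freshly synced mirror
# tree against a sha256 manifest ("<sha256>  <relative path>" per line).
# The manifest's signature is assumed to have been verified already.
# Prints one line per problem and returns non-zero if any was found:
#   MISMATCH  content differs from the manifest (possible trojaned file)
#   UNLISTED  file in the tree the manifest does not cover, so it cannot
#             be verified (the unsigned daily/weekly snapshot case)
#   MISSING   manifest entry with no file behind it

digest() {
    # sha256 of one file; falls back to shasum where coreutils is absent
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

verify_mirror() {
    tree="$1"; manifest="$2"; problems=0
    # Pass 1: every manifest entry must exist and hash to the listed value
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$tree/$path" ]; then
            echo "MISSING  $path"; problems=$((problems + 1))
        elif [ "$(digest "$tree/$path")" != "$want" ]; then
            echo "MISMATCH $path"; problems=$((problems + 1))
        fi
    done < "$manifest"
    # Pass 2: every file in the tree must be covered by a manifest entry
    # (paths containing whitespace are not handled by this loop)
    for f in $(cd "$tree" && find . -type f | sed 's|^\./||' | sort); do
        if ! awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' \
                "$manifest"; then
            echo "UNLISTED $f"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Run it from the same cron job as the rsync and treat a non-zero exit as the early-warning signal; an UNLISTED result is not proof of tampering, only proof that the file is unverifiable.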
