While doing some "research" on FBI's "Magic Lantern",
I came across this article on NewOrder
(http://neworder.box.sk) which brought a VERY
interesting point to my notice:

"Trust Issues with RH and Debian Package
Managers", the most striking quote being:

"..Linux distributions need to band together and find
a trusted individual who will be responsible for
signing all packages and verifying that they do not
contain backdoors. That is the only way to solve this
issue..."

Please read the whole article which I have inlined for
archival purposes:

<quote article>

Trust Issues with RH and Debian Package Managers
------------------------------------------------

Summary
-------

"Magic Lantern" supposedly allows an FBI agent to
access a computer without requiring any physical
access to it. The exact method is not yet known, but
rumors talk about some hacking work done while the
program "installs" itself on the target machine. The
following is a proposed method on how this might work,
and is brought to the public's view in order to make
it clear how easy it is currently to create such a
program.


Details
-------

To test the feasibility of such a scheme you need to
set up a stock Debian 2.2r3 box, and a stock Red Hat
7.2 box. Both should be based on the installation CDs
produced at least a few months ago, so they will both
be vulnerable to the wu-ftpd exploit and would need to
be upgraded for production use.

The goal is simple: To play the part of the FBI, and
trick our machines into accepting a trojaned version
of the new wu-ftpd package.

First, we set up a transparent proxy on our gateway
box, which is used to split our cable modem connection
amongst our connecting machines. We used a program
called "squirm" to rewrite URLs ending in .deb or .rpm
so that they would be redirected to the local web
server, from which the trojaned .deb and .rpm files
would be served.

Second, we produced trojaned .deb and .rpm files. The
.deb file was trivial to modify, as only a checksum
stood between a valid hacked version and us. The .rpm
was a bit more difficult, because RedHat signs their
packages with a PGP key. However, once we rebuilt the
package and did not sign it with PGP, we had a fixed
package.

Third, we went to the Debian box and typed 'apt-get
update ; apt-get upgrade'. After a few routine
prompts, none of which triggered security alerts, the
box was rooted by our "custom" package.

Fourth, we went to the Redhat box and did an 'rpm -U'
pointed at the updates.redhat.com server. We got the
trojaned RPM back, with no warnings or prompt to warn
that it hasn't been signed. In addition, we had an ftp
server with a new backdoor up in a matter of minutes.

To summarize, the FBI can easily set up a transparent
proxy between you and the Internet, and trick your OS
into installing malware. You are damned if you do and
you are damned if you don't, because you need to
download the wuftpd-of-the-week sometime.

As a matter of comparison, our Windows 2000 box has no
such vulnerability. The first time we went to Windows
Update, we checked the box that said, "Always trust
content from Microsoft Corporation." Therefore, only
Microsoft's real certificate will be accepted by our
machine. Even if the FBI forces Verisign to issue an
impostor certificate, it will be detected and
thwarted.

Linux distributions need to band together and find a
trusted individual who will be responsible for signing
all packages and verifying that they do not contain
backdoors. That is the only way to solve this issue.

This is a serious issue for Linux users and we believe
it should have been addressed years ago. That said,
now is not too late and definitely not too early. We
look forward to seeing this feature in all future
releases of the major Linux distributions. 

 
</quote article>


Though I doubt the authenticity of the article (no
offense), the above should not be far from the
truth.

You might say that "Hey! If the user was naive enough
to download things from an untrusted host, he should
.."

But that's NOT the case. (Wonder where "squirm" can be
...)

Why ? 

Because I myself can demonstrate DNS hijacking
targeting a network, wherein I can fool every OS on
the network into believing that it's connected to the
right "http://www.redhat.com/..", which has the correct
IP, say "64.9.45.5", but using the DNS hijacking
utility redirect the network to "202.09.8.24"!
I am not joking. You can get the gist of it at Robert
Graham's site..

Moreover, of how many .tar.gz's that we download from
the net do we really check the MD5 digest?
Many sites do not even list the MD5 digest, let alone
sign the packages using PGP.

Writing keyloggers for the Windows OS was always easy
once you got the hang of hooks, but now keyloggers are
being written for Linux too.
Check out the "Linux KeyLogger", which is a *userspace*
keylogger and hooks onto the keyboard hardware
interrupt directly!

Don't worry! "Magic Lantern" should be targeted at
specific users (who may interest the FBI..) and *not*
all of us, but do think of what something similar
might do!

The time is now ripe to go easy on writing everyone's
own version of his favourite document processor, and
focus more on standards, regression testing, quality
and DOCUMENTATION!

The days when people had to find out what to do with
a program by reading the source code are over.
With so many languages popping up every alternate day
and so many coders falling in love with one or the
other "cool language"...

Let's take some time to think....

Regards

Subhobroto Sinha
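An added example, written for this archive and not taken from the NewOrder article or from Subhobroto's post, that models the trust decision the article describes: a repository index listing package checksums, a transparent proxy that swaps in a trojaned package and rewrites the checksum line so it still matches, and a client that either trusts the index as received (the article's Debian box, and rpm silently taking an unsigned package) or insists that the index be signed by a key already pinned in the OS image. Assumptions: an Ed25519 key stands in for the distribution's PGP key, the repository lives in memory instead of on a mirror, and the package bodies and the "wu-ftpd" name are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Repo is a constructed stand-in for a mirror: an index of "name sha256" lines, an
// optional detached signature over it, and the package bodies, all sent over the wire.
type Repo struct {
	Index    string
	IndexSig []byte // nil when the index is unsigned
	Packages map[string][]byte
}

func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// BuildRepo publishes pkgs; with a non-nil signer the index is signed.
func BuildRepo(signer ed25519.PrivateKey, pkgs map[string][]byte) Repo {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic index, so the signature is reproducible
	r := Repo{Packages: pkgs}
	for _, n := range names {
		r.Index += n + " " + digest(pkgs[n]) + "\n"
	}
	if signer != nil {
		r.IndexSig = ed25519.Sign(signer, []byte(r.Index))
	}
	return r
}

// Tamper plays the transparent proxy: it swaps one package for a trojaned body and
// rewrites the index so the checksum matches. It can keep or strip the stale signature.
func Tamper(r Repo, name string, trojan []byte, stripSig bool) Repo {
	pkgs := make(map[string][]byte, len(r.Packages))
	for k, v := range r.Packages {
		pkgs[k] = v
	}
	pkgs[name] = trojan
	t := BuildRepo(nil, pkgs) // the proxy has no signing key
	if !stripSig {
		t.IndexSig = r.IndexSig
	}
	return t
}

// Install models the client. pinned is the distribution key shipped in the OS image,
// which the proxy cannot replace. requireSig=false is the checksum-only behaviour the
// article describes for apt; it also matches rpm accepting an unsigned package.
func Install(r Repo, name string, pinned ed25519.PublicKey, requireSig bool) ([]byte, error) {
	if requireSig && (r.IndexSig == nil || !ed25519.Verify(pinned, []byte(r.Index), r.IndexSig)) {
		return nil, fmt.Errorf("index is unsigned or does not verify under the pinned key")
	}
	want := ""
	for _, line := range strings.Split(strings.TrimSpace(r.Index), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == name {
			want = f[1]
		}
	}
	body := r.Packages[name]
	if want == "" || digest(body) != want {
		return nil, fmt.Errorf("%s is missing or does not match the index checksum", name)
	}
	return body, nil
}

// Scenarios runs the attack against both client policies and reports each outcome.
func Scenarios() (map[string]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	genuine := []byte("wu-ftpd 2.6.1 (constructed package body)")
	trojan := []byte("wu-ftpd 2.6.1 with backdoor (constructed package body)")
	mirror := BuildRepo(priv, map[string][]byte{"wu-ftpd": genuine})
	outcome := func(r Repo, requireSig bool) string {
		body, err := Install(r, "wu-ftpd", pub, requireSig)
		if err != nil {
			return "refused: " + err.Error()
		} else if string(body) == string(trojan) {
			return "installed TROJAN"
		}
		return "installed genuine"
	}
	return map[string]string{
		"genuine mirror, signature required":         outcome(mirror, true),
		"trojan, sig stripped, checksum only":        outcome(Tamper(mirror, "wu-ftpd", trojan, true), false),
		"trojan, stale sig kept, signature required": outcome(Tamper(mirror, "wu-ftpd", trojan, false), true),
		"trojan, sig stripped, signature required":   outcome(Tamper(mirror, "wu-ftpd", trojan, true), true),
	}, nil
}

func main() { fmt.Println(Scenarios()) } // fmt prints map keys in sorted order
```

Run it with go run. The point the four scenarios make: a checksum is only as trustworthy as the index it came from, and both travel the same path the proxy controls, so the checksum-only client installs the trojan without any prompt. A signature checked against a key that is already on disk is what breaks that chain, which is the property the article credits to Windows Update's certificate pinning. Note that the client must fail closed on a missing signature as well as on a bad one; otherwise the attacker simply rebuilds the package unsigned, exactly as the article did with the RPM.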


--
To unsubscribe, send mail to [EMAIL PROTECTED] with the body
"unsubscribe ilug-cal" and an empty subject line.
FAQ: http://www.ilug-cal.org/node.php?id=3
