Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Alexandre Belgrand wrote on 1/29/19 8:13 AM: Le mardi 29 janvier 2019 à 09:51 +0200, Ilpo Järvinen a écrit : Yeah yeah, the only modification was that chip as claimed in the article? Magically all the necessary signal pins were routed to its location but nothing else was changed (and you cannot

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le mardi 29 janvier 2019 à 02:24 -0800, goldsm...@riseup.net a écrit : > To Alexandre > So you found this stuff on the internet and were gullible enough to > swallow it, hook line and sinker, without first verifying its > authenticity. I suppose your allegations against the Debian Team's >

Re: getting rid of ME on modern CPUs (Re: [qubes-users] QSB #46: APT update mechanism vulnerability)

Like I said, we need to reverse engineer. On Mon, 28 Jan 2019 17:56:17 + Holger Levsen wrote: >On Mon, Jan 28, 2019 at 11:46:55AM -0600, Stuart Perkins wrote: >> Up to a certain manufacture, you can go to coreboot and lose the ME >> entirely. After that point, setting the HAP bit may be

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On 2019-01-28 21:51, Alexandre Belgrand wrote: > Le lundi 28 janvier 2019 à 13:08 -0800, goldsm...@riseup.net a écrit : >> To Alexandre Belgrand >> >> I'm intrigued how you know can catagorically state "CAs and GNU/Linux >> distributions are #1 targets for national >> intelligence agencies". This

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Jan 28, 2019, 9:25 PM by alexandre.belgr...@mailbox.org: > Le lundi 28 janvier 2019 à 16:47 +0100, > qubes-...@tutanota.com > > a > écrit : > >> What do you yourself use? >> > Hope I can answer too. > > I use an X230 with Intel ME disabled from BIOS. It costs

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le mardi 29 janvier 2019 à 09:51 +0200, Ilpo Järvinen a écrit : > Yeah yeah, the only modification was that chip as claimed in the > article? > Magically all the necessary signal pins were routed to its location > but nothing else was changed (and you cannot have that many pins in > that sized

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On Tue, 29 Jan 2019, Alexandre Belgrand wrote: > Le mardi 29 janvier 2019 à 00:59 +0200, Ilpo Järvinen a écrit : > > There are many technical reasons raising from plain > > physics/electronics > > which make an attack chip of that size with the described > > capabilities to > > seem quite

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le mardi 29 janvier 2019 à 00:59 +0200, Ilpo Järvinen a écrit : > There are many technical reasons raising from plain > physics/electronics > which make an attack chip of that size with the described > capabilities to > seem quite utopistic (and the article therefore bogus). ...But of > course

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On Mon, 28 Jan 2019, Alexandre Belgrand wrote: > Le lundi 28 janvier 2019 à 13:08 -0800, goldsm...@riseup.net a écrit : > > I'm intrigued how you know can catagorically state "CAs and GNU/Linux > > distributions are #1 targets for national > > China: >

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le lundi 28 janvier 2019 à 13:08 -0800, goldsm...@riseup.net a écrit : > I'm intrigued how you know can catagorically state "CAs and GNU/Linux > distributions are #1 targets for national China:

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le lundi 28 janvier 2019 à 13:08 -0800, goldsm...@riseup.net a écrit : > To Alexandre Belgrand > > I'm intrigued how you know can catagorically state "CAs and GNU/Linux > distributions are #1 targets for national > intelligence agencies". This is classified information and therefore > only

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le lundi 28 janvier 2019 à 16:47 +0100, qubes-...@tutanota.com a écrit : > What do you yourself use? Hope I can answer too. I use an X230 with Intel ME disabled from BIOS. It costs about 160€ on the second hand market and it has pretty decent hardware. Lenovo claims that Intel ME can be

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On 2019-01-27 14:33, Alexandre Belgrand wrote: > Le dimanche 27 janvier 2019 à 13:11 +, Holger Levsen a écrit : >> I *believe* they probably misunderstood evil32.com and it's fallout. > > CAs and GNU/Linux distributions are #1 targets for national > intelligence agencies. > > Debian

getting rid of ME on modern CPUs (Re: [qubes-users] QSB #46: APT update mechanism vulnerability)

On Mon, Jan 28, 2019 at 11:46:55AM -0600, Stuart Perkins wrote: > Up to a certain manufacture, you can go to coreboot and lose the ME entirely. > After that point, setting the HAP bit may be your best option. We need > someone to to reverse engineer the ME and implement enough of it in

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On Mon, 28 Jan 2019 16:47:08 +0100 (CET) wrote: >Jan 27, 2019, 5:04 PM by alexandre.belgr...@mailbox.org: > >> Le dimanche 27 janvier 2019 à 16:47 +, unman a écrit : >> >>> I'd be interested to know what system has been graced with your >>> approval. >>> If you believe all this, then

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Jan 27, 2019, 5:04 PM by alexandre.belgr...@mailbox.org: > Le dimanche 27 janvier 2019 à 16:47 +, unman a écrit : > >> I'd be interested to know what system has been graced with your >> approval. >> If you believe all this, then what makes you think that national >> intelligence agencies

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le dimanche 27 janvier 2019 à 16:47 +, unman a écrit : > I'd be interested to know what system has been graced with your > approval. > If you believe all this, then what makes you think that national > intelligence agencies haven't infiltrated *bsd, coreboot and any > other > system you can

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On Sun, Jan 27, 2019 at 03:33:11PM +0100, Alexandre Belgrand wrote: > Le dimanche 27 janvier 2019 à 13:11 +, Holger Levsen a écrit : > > I *believe* they probably misunderstood evil32.com and it's fallout. > > CAs and GNU/Linux distributions are #1 targets for national > intelligence

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le dimanche 27 janvier 2019 à 13:11 +, Holger Levsen a écrit : > I *believe* they probably misunderstood evil32.com and it's fallout. CAs and GNU/Linux distributions are #1 targets for national intelligence agencies. Debian developers are not using smartcards to store their GPG keys,

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On Sun, Jan 27, 2019 at 01:11:37PM +, Holger Levsen wrote: > On Sun, Jan 27, 2019 at 12:54:26AM +, unman wrote: > > > Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen > > Do you have *any* evidence for this claim? > > I *believe* they probably misunderstood evil32.com

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On Sun, Jan 27, 2019 at 12:54:26AM +, unman wrote: > > Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen > Do you have *any* evidence for this claim? I *believe* they probably misunderstood evil32.com and it's fallout. -- tschüß, Holger

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On Sat, Jan 26, 2019 at 11:42:27AM +0100, Alexandre Belgrand wrote: > Le mercredi 23 janvier 2019 ŕ 18:05 +0100, Marek Marczykowski-Górecki a > écrit : > > We have just published Qubes Security Bulletin (QSB) #46: > > APT update mechanism vulnerability. > > Keep in mind that all PGP Debian/Ubuntu

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On 01/26/2019 05:42 AM, Alexandre Belgrand wrote: Le mercredi 23 janvier 2019 à 18:05 +0100, Marek Marczykowski-Górecki a écrit : We have just published Qubes Security Bulletin (QSB) #46: APT update mechanism vulnerability. Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Le mercredi 23 janvier 2019 à 18:05 +0100, Marek Marczykowski-Górecki a écrit : > We have just published Qubes Security Bulletin (QSB) #46: > APT update mechanism vulnerability. Keep in mind that all PGP Debian/Ubuntu signing keys have been stolen and injection may occur during apt-get

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Jan 24, 2019 at 01:10:42AM +, js...@bitmessage.ch wrote: > Marek Marczykowski-Górecki: > > Summary > > > > > > The Debian Security Team has announced a security vulnerability > > (DSA-4371-1) in the Advanced Package Tool (APT).

Re: [qubes-users] QSB #46: APT update mechanism vulnerability

Marek Marczykowski-Górecki: Summary The Debian Security Team has announced a security vulnerability (DSA-4371-1) in the Advanced Package Tool (APT). The vulnerability lies in the way APT performs HTTP redirect handling when downloading packages. Exploitation of this vulnerability

[qubes-users] QSB #46: APT update mechanism vulnerability

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dear Qubes Community, We have just published Qubes Security Bulletin (QSB) #46: APT update mechanism vulnerability. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security