warning to list

Gregory G Carter gcarter at aesgi.com
Tue Oct 26 04:53:17 UTC 2004


"All he wants to know is that he's putting potentially buggy, 
late-night-coffee-build, eat-your-data-alive packages on his computer 
BUT that if he loses data it will be to a devel problem and not some 
cracker."

Mmm....I do this all the time with Windows software.

They still crack Windows with perfectly signed packages from Microsoft.  
I do not see signatures as such a big deal, therefore as they have not 
really impacted code security of Microsoft products. 

In FACT, I do not see how signing binaries helps really in dealing with 
secure code for end users.

I get perfectly crackable code, with authentic Microsoft PGP keys in 
every service pack update for Windows 2000 for example...and XP.

Signed by Microsoft and of course, Doesn't Mean Jack.   The best a 
signed package can do is tell you where it is from.  But, it doesn't 
make your code any less crackable or any more secure.

If you believe that, then you're a fool.  Code should be suspicious by 
default, and if you can't look at it, don't install it.

Works every time for myself anyway.  By looks I mean of course a 
procedure that allows you to look which usually is running said code 
first on a secured platform, watching what it does on the net while it 
is running and of course, doing a profile and looking at what code it 
spends the majority of its time executing.

Unfortunately, I am sorry to say, by end user I do not mean Mary in 
Accounting.  I mean hired Systems and Network Admins.

In the US, the typical admin or network guy doesn't know jack about 
code.  A sorry state of affairs that I am sure outsourcing will fix 
quickly in the next 3-4 years, thank goodness.  Then we will have only 
the die-hards left with intimate code knowledge in IT departments that 
can properly deploy software for end users like Mary in accounting.

I assume we will push Windows out to the edge along with other 
proprietary binaries so that IT departments run on core open source 
code.  Right now that is a dream....but it will be a reality very 
shortly after we conquer the desktop.

The only thing that I know of that can make a difference in code 
security is actually being able to look at it, understand it and fix 
it.  If we take for a given, that software development is buggy with 
either closed or open source products then we have a basis for improving 
the situation by giving the source code and build tools away with the 
application so users can perform their own security checks if they wish, 
according to their own exalted standards.

That is the promise of Open Source Software.  That is where the REAL 
security begins, with the SOURCE CODE.

Which is why closed proprietary binary software will NEVER be as secure 
as Open Source Software.

So I do not think signed keys are all that important given the history 
of signed packages transporting crackable code all over the place.  If 
people would use practical deployment procedures, we wouldn't need 
signed packages for Linux in the first place.

Not something many would like to hear, but I think security in general 
has not improved in computing because we have all of these not required 
methods that make us THINK the code is safe  (i.e. Oooo...the package is 
digitally signed so it's OK....), but in reality do not address the 
primary issues of why executables are a risk....lack of source code.

IMHO.

-gc

Rodolfo J. Paiz wrote:

>On Mon, 2004-10-25 at 14:46 -0400, Ricardo Veguilla wrote:
>
>>I can't believe you are making this argument. *You* "forced" yourself
>>when *you* decided to use an unsupported beta.
>
>For the love of Pete, people, chill a little. You're arguing against
>something that Matías NEVER SAID, damn it.
>
>All the guy said is that he's happy to use a test version, fully
>understands his risks and has taken appropriate precautions, BUT feels
>that not signing the Rawhide RPM packages exposes him to the small, but
>greater than zero, risk of someone tampering with a package hosted on a
>mirror somewhere. He seems to feel that this is a small but unnecessary
>risk that could easily be avoided by simple additional security measures
>which would improve the status quo and which have not been taken.
>
>All he wants to know is that he's putting potentially buggy, late-night-
>coffee-build, eat-your-data-alive packages on his computer BUT that if
>he loses data it will be to a devel problem and not some cracker.
>
>Beating the hell out of him for using test versions isn't doing *ANYONE*
>any good... reread his post on what he does to keep his data safe, how
>he runs his systems, and how long he's been running beta OS releases,
>and he *clearly* is doing this with full knowledge and acceptance of the
>risks involved.
>
>Read the posts carefully. Argue intelligently and coherently. Or be
>quiet. Not just Ricardo, either... there were a couple other "you're not
>fit to run Rawhide" posts which were no more intelligent.
>
>Sheesh.
>