[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Scott Ferguson scott.ferguson.clug at gmail.com
Thu Jul 30 12:51:50 UTC 2015


On 30/07/15 18:31, Michael Cohen wrote:
> On 30 July 2015 at 08:38, Carlo Hamalainen <carlo at carlo-hamalainen.net> wrote:
>>
>>
>> On 30 July 2015 4:30:40 pm AEST, James Ring <sjr at jdns.org> wrote:
>>> Well, they'd have to poison the DNS and also convince one of the
>>> certificate authorities trusted by wget to issue a SSL certificate
>>> with Google's name on it to the attacker.
>>
>> Like this?
>>
>> https://www.techdirt.com/articles/20130910/10470024468/flying-pig-nsa-is-running-man-middle-attacks-imitating-googles-servers.shtml
>>
> 
> Of course if they can do this it's game over for all software, not only
> open source software and not only those that use curl | sh. Therefore
> this link is not relevant to the present discussion.
> 
> Michael.
> 

Good point.

I disagree, mildly.
'If' you value the integrity of a given machine highly you 'could'
hard-code the DNS (put it in /etc/hosts).

DNS (cache) poisoning is not something new or occult. DNSSEC is another
alternative worth considering. (again) set your standards to suit your
requirements (providing you know your requirements). VM is not hard.

If, as is likely, an opponent like the NSA can control routing - but you
combine DNSSEC (which Google uses) with SSL, then NSA has to step up
their game. Their resources are not infinite.

Alternative DNS verification schemes won't solve all problems (nothing
does). You can't control routing outside of your local network (and
maybe not even there).

Regardless of which method you use to authenticate the relationship
between the (alleged) owner of an SSL certificate, and the host, or what
containment you use to execute the code - it's not over if you can
verify *what* you are receiving.

What you define as verify is another issue. Shamir's 2nd law cuts
both ways i.e. the more we have to expend to defend against attacks the
more the opponent/s have to expend to cover all possible defences (sort of).

Forewarned is forearmed - not automatically a reason to give up
defending or protecting.

tl;dr?
It's not game over (IMO, and that of more qualified people than I)

Note: if, as I vaguely recall, I mentioned ARP poisoning in previous
posts today - I should have written DNS cache poisoning - one of several
methods used to reroute internet requests and downloads.


Kind regards


--
"I use readability tools, I also try and employ critical thought, and I
rely strongly on proofreaders. I'm not a professional writer. I've used
none of those things when writing this, and it only "seemed" OK after a
quick re-read, except in this case where I didn't even do a re-read - my
apologies in advance for all the very likely errors."
~ standard weasel disclaimer
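
The point above about verifying *what* you are receiving, applied to the `curl | sh` pattern this thread discusses, as an added example that is not part of the original message. The function names are hypothetical, and it assumes the expected SHA-256 digest was obtained over a separate channel from the download itself.

```shell
#!/bin/sh
# Added example: download to a file, verify it, then run it,
# instead of piping the network straight into a shell.

# Print the SHA-256 hex digest of a file (sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_installer() {
    vi_file=$1
    vi_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vi_file" ] || { echo "no such file: $vi_file" >&2; return 2; }
    # Reject a malformed pin rather than comparing against garbage.
    case $vi_expected in
        ''|*[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    [ "${#vi_expected}" -eq 64 ] || { echo "digest is not 64 chars" >&2; return 2; }
    vi_actual=$(sha256_of "$vi_file") || return 2
    if [ "$vi_actual" != "$vi_expected" ]; then
        echo "digest mismatch for $vi_file" >&2
        echo "  expected $vi_expected" >&2
        echo "  actual   $vi_actual" >&2
        return 1
    fi
    return 0
}

# run_verified FILE EXPECTED_SHA256
# Executes the file only if verification succeeded.
run_verified() {
    verify_installer "$1" "$2" || return $?
    sh "$1"
}

# Usage (URL and digest are placeholders, not real values):
#   curl -fsSL -o install.sh https://example.invalid/install.sh
#   run_verified install.sh "<sha256 published by the project>"
```

A poisoned DNS answer or a mis-issued certificate can still change which bytes arrive, but the script is not executed unless those bytes match the pinned digest.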


