Full Disclosure mailing list archives
Re: Microsoft win2003server phone home
From: Valdis.Kletnieks () vt edu
Date: Mon, 04 Aug 2003 17:13:00 -0400
On Mon, 04 Aug 2003 10:37:20 -1000, Jason Coombs said:
> > Closing down *most* of these exposures is why the 'rpm' package manager supports using PGP to sign the packages...
>
> You *do* realize that digital signatures can be forged with theft of private keys, right?
Yep, fully aware of that. On the other hand, there's the *presumption* that the machine that RedHat or Sendmail do the signing on is somewhat more hardened than the externally-visible server that the files live on. I was also aware of all the other points you brought up - which is why I said "*most* of the holes" - the note was getting quite long enough already. (As it was, I axed a mention of the Verisign/Microsoft cert whoops due to length - if I hadn't scared the OP off the concept of automated updates already, adding more to the list wouldn't change matters.)

On the flip side, *most* of the interesting MITM attacks on code update require the attacker to wait for the target to do an update. For the *vast* majority of systems on the Internet, the benefit of having recently patched code or AV-scanner signatures *far* outweighs the risks of actually being targeted during an update. There is, indeed, no absolute security - it's all about minimizing *total* risk.

Remember - you're downloading the update (code or AV) to fix a *known* exposure. How bad a burn would Mimail have had if people *didn't* have automated AV updates? How much less of a burn would CodeRed or Nimda have had if more people had visited WindowsUpdate on a regular basis?

It's the same issue as vaccinating children against diseases - yes, some very small percentage of children do have nasty side effects from the various vaccines. But that needs to be balanced against the dangers of not being vaccinated at all....