Full Disclosure mailing list archives

Re: Microsoft win2003server phone home


From: Valdis.Kletnieks () vt edu
Date: Mon, 04 Aug 2003 17:13:00 -0400

On Mon, 04 Aug 2003 10:37:20 -1000, Jason Coombs said:
Closing down *most* of these exposures is why the 'rpm' package manager
supports using PGP to sign the packages...

You *do* realize that digital signatures can be forged with theft of private
keys, right?

Yep, fully aware of that.  On the other hand, there's the *presumption* that
the machine that RedHat or Sendmail do the signing on is somewhat more hardened
than the externally-visible server that the files live on.

I was also aware of all the other points you brought up - which is why I said "*most*
of the holes" - the note was getting quite long enough already. (As it was, I axed a
mention of the Verisign/Microsoft cert whoops due to length - if I hadn't scared the OP
off the concept of automated updates already, adding more to the list wouldn't change
matters).

On the flip side, *most* of the interesting MITM attacks on code update require the
attacker to wait for the target to do an update.  For the *vast* majority of systems
on the Internet, the benefit of having recently patched code or AV-scanner signatures
*far* outweighs the risks of actually being targeted during an update.  There is, indeed,
no absolute security - it's all about minimizing *total* risk.

Remember - you're downloading the update (code or AV) to fix a *known* exposure.
How bad a burn would Mimail have had if people *didn't* have automated AV updates?
How much less of a burn would CodeRed or Nimda have had if more people had
visited WindowsUpdate on a regular basis?

It's the same issue as vaccinating children against diseases - yes, some very small
percentage of children do have nasty side effects from the various vaccines.  But
that needs to be balanced against the dangers of not being vaccinated at all....
