cyber-"terrorism"?

Matthew Byng-Maddick ukcrypto at lists.colondot.net
Wed, 18 Sep 2002 10:09:48 +0100


On Wed, Sep 18, 2002 at 12:52:22AM +0100, alastair wrote:
> Do you check the signature on the package you download and install? What
> about scanning the source code for a trojan before compiling, installing
> and loading? How do you know 'that' service you run isn't vulnerable? Do
> you subscribe to 'bugtraq'? What about all the 'underground' 'black hat'
> channels?

You raise here an interesting point. In December, I gave a talk on a now
dormant project I was working on at the time, to apply non-binary trust
to software distributions via a public-key infrastructure sitting on top
of PGP keys. At the start of the talk, I asked two questions of the 40 or
so people there. The first was "put your hand up if you actually bother to
check the .asc that comes with a piece of software you download". Of this
audience, probably 5 people put their hands up.

Of those 5, I then asked how many actually bothered to do detailed checking
of the key that signed it? None put their hands up. So, if you want to trojan
a binary on an FTP site, create a key with the same UIDs, and a few more
keys with which to sign this key, and upload them to the keyservers.
People will check the signature on the package, but are unlikely to check
the key, and you win. This is not significantly more difficult.

There's also an element of "On what principle do you base your trust?". In
general, most of the bigger software developers have reputations to keep
up. For example, much as Theo de Raadt is probably a pain to have to deal
with when you are trying to use his code, and much as the OpenSSH code is
unreadable, it doesn't often have vulnerabilities in the code, and Theo
has a reputation for enforcing security-correctness (even if he doesn't
enforce usability-correctness).

A given systems administrator ought to be able to make his own judgements
however, and the signing web needs to allow him to do this.

The above is really off-topic for UK-Crypto, unfortunately. Slightly more
on-topic, this recent worm, and the capabilities of DDoS have made me
wonder whether not enforcing a secure machine policy (given the effects
that it can have on neighbours) should be subject to a negligence claim
(say by the target of the DDoS)? This is obviously open massively to
abuse, but the current clue level of some "systems administrators", or
as you more helpfully term them, "Linux users", makes it possible that
someone else's cluelessness/negligence can deny my service, which is
obviously not a good thing. What is UK-Crypto's opinion on this?

MBM

-- 
Matthew Byng-Maddick         <mbm@colondot.net>           http://colondot.net/
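A defender-side check for the gap the post describes (signature verified, signing key never examined), added here as an example and not part of the original message or any project's code: pin the expected key's full fingerprint out of band and accept a package only when GnuPG's VALIDSIG status line names that fingerprint, since a forged key with the same user IDs still produces a GOODSIG line with the expected name. The fingerprint, key IDs and status lines below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. A forged key carrying the
# maintainer's user IDs makes gpg report GOODSIG with the expected name,
# so the accept/reject decision is made on the key fingerprint instead.

# Constructed placeholder: pin the real fingerprint from a trusted source.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status <pinned-fpr>: reads "gpg --status-fd 1" output on stdin.
# Returns 0 only if a GOODSIG line appeared (not EXPKEYSIG/REVKEYSIG) and
# a VALIDSIG line names the pinned fingerprint, either as the signing key
# (third field) or as the primary key it belongs to (last field).
check_status() {
    pinned="$1"; good=1; fprok=1
    while IFS=' ' read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG) good=0 ;;
            VALIDSIG)
                primary="${rest##* }"
                if [ "$fpr" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    fprok=0
                fi ;;
        esac
    done
    [ "$good" -eq 0 ] && [ "$fprok" -eq 0 ]
}

# verify_package <file> <file.asc> <pinned-fpr>: runs gpg and applies the
# check above; a merely "good" signature from an unpinned key fails.
verify_package() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status output for both cases (key ids and timestamps are
# made up). The forged key has the right UID but a different fingerprint.
STATUS_GENUINE="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-09-18 1032339000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567"
STATUS_FORGED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2002-09-18 1032339000 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98"

printf '%s\n' "$STATUS_GENUINE" | check_status "$PINNED_FPR" && echo "genuine: accepted"
printf '%s\n' "$STATUS_FORGED"  | check_status "$PINNED_FPR" || echo "forged:  rejected"
```

For a real download, `verify_package pkg.tar.gz pkg.tar.gz.asc "$PINNED_FPR"` gives the same accept/reject result from live gpg output.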