Timeline for DNS spoofing of linux distribution repositories
Current License: CC BY-SA 3.0
13 events
| when | what | action | by | license / score | comment |
|---|---|---|---|---|---|
| Jun 16, 2020 at 9:49 | history | edited | CommunityBot | | Commonmark migration |
| Jul 31, 2014 at 7:54 | history | edited | Levite | CC BY-SA 3.0 | Removed unnecessary monologue in the *Background* section |
| Jul 29, 2014 at 12:12 | answer | added | Levite | timeline score: 3 | |
| Jul 29, 2014 at 9:30 | comment | added | Levite | | @AndrewRussell: Many nice ideas thx! The official email will most likely be the best way to cover my liability. (Of course I would still like to know that the system is kept safe as well.) Changing the update schedule is definitely also a good thought! |
| Jul 29, 2014 at 8:34 | comment | added | Andrew Russell | | Only apply the security update repository automatically, which reduces the chance of defects. And why don't you schedule your manager to operate during business hours? This allows you to leave your employer with reasonable security and limited risk profiles if they don't have active patch management. You can also send your employer an official warning that these servers require active patch management, and without that they are likely to have stability and security issues, just to cover your liability. |
| Jul 29, 2014 at 6:53 | answer | added | Dillinur | timeline score: -1 | |
| Jul 29, 2014 at 4:11 | answer | added | Joe Sniderman | timeline score: 4 | |
| Jul 28, 2014 at 21:55 | history | tweeted | twitter.com/#!/StackSecurity/status/493877498879672320 | | |
| Jul 28, 2014 at 15:14 | comment | added | Steve Dodier-Lazaro | | Debian/*Buntu/Mint: Aptitude/Apt-get would require confirmation before you install an unsigned packet, so the update manager would wait on you. Arch: Pacman would not allow unsigned packages and yaourt would require manual updates that indicate the packets are unsupported and you're doing things at your own risk. |
| Jul 28, 2014 at 15:07 | answer | added | K-Yo | timeline score: 2 | |
| Jul 28, 2014 at 14:41 | comment | added | Levite | | @pyramids: Well I am at least considering it. The longer back-story is that this is for a company I will "soon" be leaving, and I am not sure that they would apply any updates at all after that point. So at least if something breaks through an automatic update, they will notice & try to fix it. Otherwise the machine will (most likely) be left without updates from that point on, which seems more dangerous to me - but this is an entirely different story ^^ - I am still looking for other possibilities though! But you have some really good points there (+1)!! |
| Jul 28, 2014 at 14:02 | comment | added | user27909 | | I believe (but have not checked) that all distributions offering online updates via a packet manager do this with strong cryptographic signatures, so in theory your plan should be sound (save system compromise at the organization in charge of the update packages or some serious bug in a crypto library or packet manager). In practice: Do you really want to commit to always installing every update not only without testing it first, but also whilst you may be asleep and unavailable to at least start solving any instant hiccup? |
| Jul 28, 2014 at 7:38 | history | asked | Levite | CC BY-SA 3.0 | |