Test USM the hash ?

KnallKopf
Samurai
Posts: 134
Joined: 18 Sep 2012, 20:56
Distribution: Porteus 64bit KDE4
Location: Absurdistan

Post#1 by KnallKopf » 13 Jan 2015, 18:09

Does USM test the hashsums, and will the hashsums be verified by certificates from Slackware?

Does some mechanism exist to verify some important users?
For example, how can I be sure that brokenman is the real brokenman?
For example, the real brokenman died of polonium intoxication or is on holiday in Guantanamo.
And some security-service guy finds your Porteus account and foists a virus on me that deletes my porn collection;
this would be crap.

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Test USM the hash ?

Post#2 by brokenman » 13 Jan 2015, 23:38

At the moment USM does not verify hashsums. It only uses the existing well-known Slackware repositories, so it is as secure as the Slackware repositories themselves. While I can assure you I am the real brokenman and have not overdosed on any hallucinogen, I cannot speak for the maintainers of the Slackware packages. There are certainly many attack vectors if you consider the examples you gave, but should I wake up in Guantanamo one morning I will use my one phone call to notify USM users. As for the porn collection ... backup, backup and backup.
How do i become super user?
Wear your underpants on the outside and put on a cape.


Re: Test USM the hash ?

Post#3 by KnallKopf » 14 Jan 2015, 02:47

"While I can assure you I am the real brokenman"
Says the copy of brokenman?
But I have no choice; I must trust you.
But generally I think it is good for users to have public GPG keys;
then there exists a theoretical possibility to verify the work.

OK, I think if this became real, then the copy of brokenman would say that the key was lost and
here is the new key, and I would trust it then because I do not want to miss Porteus.
Therefore, I trust you that you will inform the community from Guantanamo if this becomes real.
"There are certainly many attack vectors"

No, the only one that is a real danger is malware in an important module,
or have you seen a virus that infects a read-only CD or an ejected USB stick?
I think another good method, when booting from HDD, is the use of the mopt=noatime,nodiratime,suid,dev,exec,async,ro cheatcode,
and one module should not be copy2ram, so it is not possible to remount the boot partition.
Or am I wrong there?

What I mean to say is Porteus is very secure (or you can say it is secure) from outside.
But when the enemy comes from inside, then there is not even a second line of defense.

Bogomips
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: Test USM the hash ?

Post#4 by Bogomips » 14 Jan 2015, 17:59

But that's the case all around. When one uses apt-get, it's also risky. Could be a mole in Debian, have someone slip an innocuous-looking module into usr/bin or usr/lib, and Bob's your uncle, or at least Uncle Sam :evil:
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB


Re: Test USM the hash ?

Post#5 by brokenman » 14 Jan 2015, 20:18

Yes, Bogomips. While we are building a distro from precompiled upstream sources, security is at best just an illusion. A nice warm blanket that we wrap ourselves in and tell ourselves we are safe. To cite an example, just look at the bash bug, badbios and the openssl debacle from a few months ago. Some pretty baseline attack vectors lying within some fundamental packages went unnoticed for years. I do plan to implement the GPG checks in USM in the future if it makes users feel safer.
How do i become super user?
Wear your underpants on the outside and put on a cape.
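
The hashsum check asked about in this thread, sketched as an added example that is not part of the original posts and is not USM's code. It assumes an md5sum-style manifest such as Slackware's CHECKSUMS.md5; the function names, the sample package name and its contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not USM code. Assumes an md5sum-style manifest such as
# Slackware's CHECKSUMS.md5: header text, then "<md5>  ./path/to/file" lines.
# MD5 only detects corruption; authenticity comes from checking the manifest's
# detached signature first, e.g.: gpg --verify CHECKSUMS.md5.asc CHECKSUMS.md5

# manifest_hash MANIFEST NAME: print the expected hash for basename NAME.
# Fails unless exactly one entry matches, so a duplicate entry cannot win.
manifest_hash() {
    awk -v want="$2" '
        length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
            n = split($2, parts, "/")
            if (parts[n] == want) { hash = $1; hits++ }
        }
        END { if (hits == 1) print hash; else exit 1 }
    ' "$1"
}

# verify_pkg MANIFEST FILE: 0 = match, 1 = mismatch, 2 = missing input,
# 3 = no unambiguous manifest entry for FILE.
verify_pkg() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    expected=$(manifest_hash "$1" "$(basename "$2")") || return 3
    actual=$(md5sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# demo: constructed package and manifest in a temp dir; prints each verdict.
demo() {
    dir=$(mktemp -d) || return 1
    pkg="$dir/demo-1.0-noarch-1.txz"   # constructed sample, not a real package
    printf 'constructed package body\n' > "$pkg"
    { echo 'MD5 message digest                Filename'
      (cd "$dir" && md5sum ./demo-1.0-noarch-1.txz); } > "$dir/CHECKSUMS.md5"
    verify_pkg "$dir/CHECKSUMS.md5" "$pkg" && echo "intact: OK, install"
    printf 'injected bytes\n' >> "$pkg"
    verify_pkg "$dir/CHECKSUMS.md5" "$pkg" || echo "tampered: rejected, do not install"
    rm -rf "$dir"
}
demo
```

A package that is missing from the manifest is treated as a failure (return code 3) rather than being installed unchecked.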
