Test USM the hash ?

Posted: 13 Jan 2015, 18:09
by KnallKopf
Does USM test the hashsums, and will the hashsums be verified by certificates from Slackware?

Does some mechanism exist to verify some important users?
For example, how can I be sure that brokenman is the real brokenman?
For example, the real brokenman has died of polonium intoxication or is on holiday in Guantanamo.
And some security-service guy finds your Porteus account and foists a virus on me that deletes my porn collection;
this would be crap.

Re: Test USM the hash ?

Posted: 13 Jan 2015, 23:38
by brokenman
At the moment USM does not verify hashsums. It only uses the existing well-known Slackware repositories, so it is as secure as the Slackware repositories themselves. While I can assure you I am the real brokenman and have not overdosed on any hallucinogen, I cannot speak for the maintainers of the Slackware packages. There are certainly many attack vectors if you consider the examples you gave, but should I wake up in Guantanamo one morning I will use my one phone call to notify USM users. As for the porn collection ... backup, backup and backup.

Re: Test USM the hash ?

Posted: 14 Jan 2015, 02:47
by KnallKopf
"While I can assure you I am the real brokenman"
Says the copy of brokenman?
But I have no choice; I must trust you.
But generally I think it is good when users have public GPG keys;
then the theoretical possibility exists to verify the work.

OK, I think if this became real, then the copy of brokenman would say that the key was lost and
here is the new key, and I would trust it then because I do not want to miss Porteus.
Therefore, I trust you to inform the community from Guantanamo if this becomes real.
"There are certainly many attack vectors"

No, the only one that is a real danger is malware in an important module;
or have you seen a virus that infects a read-only CD or an ejected USB stick?
I think another good method, when booting from HDD, is the use of the mopt=noatime,nodiratime,suid,dev,exec,async,ro cheatcode,
and one module should not be copy2ram, so it is not possible to remount the boot partition.
Or am I wrong there?

What I mean to say is Porteus is very secure (or you can say it is secure) from outside.
But when the enemy comes from inside, then there is not even a second line of defense.

Re: Test USM the hash ?

Posted: 14 Jan 2015, 17:59
by Bogomips
But that's the case all around. When one uses apt-get, it's also risky. Could be a mole in Debian, have someone slip an innocuous looking module into usr/bin or usr/lib, and Bob's your uncle, or at least Uncle Sam :evil:

Re: Test USM the hash ?

Posted: 14 Jan 2015, 20:18
by brokenman
Yes Bogomips. While we are building a distro from precompiled upstream sources, security is at best just an illusion. A nice warm blanket that we wrap ourselves in and tell ourselves we are safe. To cite an example just look at the bash bug, badbios and the openssl debacle from a few months ago. Some pretty baseline attack vectors lying within some fundamental packages went unnoticed for years. I do plan to implement the GPG checks in USM in the future if it makes users feel safer.
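
Added example, not part of the thread and not USM code: a manual version of the hashsum and GPG checks discussed above, for a package downloaded from a Slackware-style mirror. It assumes the mirror provides a CHECKSUMS.md5 list with a detached CHECKSUMS.md5.asc signature and a .asc file per package, and that the distribution's public key is already imported; all function names and the sample package are hypothetical.

```shell
# Names and paths below are illustrative; this is not USM code.

# Print the MD5 listed for a package in a Slackware-style CHECKSUMS.md5.
# Entry lines look like "<32 hex digits>  ./dir/name.txz"; header text is skipped.
expected_md5() {   # $1 = CHECKSUMS.md5, $2 = package file
    name=$(basename "$2")
    awk -v n="$name" '
        length($1) == 32 && $1 ~ /^[0-9a-f]+$/ {
            k = split($2, parts, "/")
            if (parts[k] == n) { print $1; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# Returns 0 on match, 1 on mismatch, 2 if the package is not listed.
check_md5() {      # $1 = CHECKSUMS.md5, $2 = package file
    want=$(expected_md5 "$1" "$2") || return 2
    have=$(md5sum "$2" | awk '{print $1}')
    [ "$want" = "$have" ]
}

# Authenticate with GnuPG: the signed checksum list, then the package's own
# detached signature. Assumes the signing key is already in the keyring and
# its fingerprint was confirmed through a channel other than the mirror.
check_sigs() {     # $1 = CHECKSUMS.md5, $2 = package file
    gpg --verify "$1.asc" "$1" && gpg --verify "$2.asc" "$2"
}

# Signatures first: an unsigned MD5 list only detects corruption, because
# whoever can replace the package on a mirror can replace the list too.
verify_pkg() {     # $1 = CHECKSUMS.md5, $2 = package file
    check_sigs "$1" "$2" && check_md5 "$1" "$2"
}

# Constructed sample (not real Slackware data): a fake package and a list
# containing its digest. Prints the temporary directory it created.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'constructed package bytes\n' > "$d/demo-1.0-noarch-1.txz"
    {
        printf 'MD5 message digest                Filename\n'
        printf '%s  ./demo/demo-1.0-noarch-1.txz\n' \
            "$(md5sum "$d/demo-1.0-noarch-1.txz" | awk '{print $1}')"
    } > "$d/CHECKSUMS.md5"
    printf '%s\n' "$d"
}
```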