Re: Infrastructure report, 2008-08-22 UTC 1200

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Aug 22, 2008 at 4:54 PM, Michael J Gruber
<michaeljgruber+gmane@xxxxxxxxxxx> wrote:

>
> As Paul pointed out, the keys are different, and the Fedora key was not
> in use (no passphrase typed in) during the critical time frame.

Yep. Just wondering how the attacker retrieved the passphrase for Red Hat.

Looking at this paper[1], gpg is quite safe regarding its memory use
while processing
the passphrase. Except if you use a terminal that will intercept and
store the passphrase
somewhere in memory ;-)

Could be very interesting to know how the attacker was able to catch
the passphrase.
(maybe via a bash_history containing the passphrase typed in the shell
prompt ;-)

[1] http://philosecurity.org/pubs/davidoff-clearmem-linux.pdf

> Funny
> thing is:
>
> - Fedora's key will be changed, not RHEL's, which has been compromised.
> - High security private keys are best kept in bare metal and used on
> boxes without incoming network. This doesn't seem to apply to the
> package signing keys.

This is a very good point. Signing key should be done on a dedicated
system where
there is no permanent network connectivity.  Maybe that could be a
good enhancement
for the future ;-)

Thanks for the feedback,

adulau

-- 
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://www.foo.be/cgi-bin/wiki.pl/Diary
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux