[TriLUG] The sad state of sysadmin in the age of containers

Sean Alexandre via TriLUG trilug at trilug.org
Fri Mar 13 13:35:50 EDT 2015


On Fri, Mar 13, 2015 at 11:20:27AM -0400, Sean Alexandre via TriLUG wrote:
> From:
> The sad state of sysadmin in the age of containers
> http://www.vitavonni.de/blog/201503/2015031201-the-sad-state-of-sysadmin-in-the-age-of-containers.html

I should probably highlight that my post comes from someone else's blog, from
the link at the top of my post.

I'm enjoying the responses. I've learned a lot from this mailing list over the
years, and was interested to see what people thought about this.

I have to say I don't do much with containers, because I've felt like it was
more than enough just to get security/stability right for the machines
I already run.  I didn't want to build the "stack" higher without securing the
lower pieces first, and I'm still focused on that.

I think the problem is actually worse than what OP describes. Even without
containers, things are bad.

One example is trying to build OpenWRT. I did this recently for a router
I have. I wanted the latest patches. The build environment is awful for
security. It uses Buildroot, and downloads each package separately from
upstream without any real integrity checks (except for MD5 hashsum checks, over
HTTP.) For example dnsmasq is downloaded from http://thekelleys.org.uk/dnsmasq/
and only has an MD5 sum checked. This would be easy to MITM, for an adversary
interested in owning as many boxes as they can [1-2]. That might be the NSA
today, or others less capable in the future. [3]

Another angle on this is I was curious to see whether the packages I use are
signed upstream. Some are. Many aren't. I picked packages randomly so this may
be more anecdotal than anything. And, I did it last year. But, I found these
were signed: Linux kernel, gcc, binutils, bash, mutt, gpg, ssh, keepassx,
openvpn, tcpdump. These were not: GNOME, xorg, firmware-iwlwifi, liferea, mpop.

On the encouraging side, it's nice to see the strong support Debian has for
package signing. They're working on reproducible builds as well [4], and so are
Tor [5-6] and Bitcoin [7].

[1] How the NSA Plans to Infect ‘Millions’ of Computers with Malware
    https://firstlook.org/theintercept/2014/03/12/nsa-plans-infect-millions-computers-malware/
[2] QUANTUM attacks
    https://en.wikipedia.org/wiki/Tailored_Access_Operations#QUANTUM_attacks
[3] Nicholas Weaver Explains how QUANTUM Works
    https://www.schneier.com/blog/archives/2014/03/nicholas_weaver.html
[4] ReproducibleBuilds
    https://wiki.debian.org/ReproducibleBuilds
[5] Deterministic Builds Part One: Cyberwar and Global Compromise
    https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
[6] Deterministic Builds Part Two: Technical Details
    https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
[7] Gitian
    https://gitian.org/
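
An added example, not part of the original post and not OpenWrt project code: a small audit that flags package definitions fetched over a cleartext transport or pinned only by a weak digest, which is the situation described above for dnsmasq. It assumes OpenWrt-style package Makefile variables (PKG_SOURCE_URL, PKG_MD5SUM, PKG_HASH) and, as a further assumption, classifies a digest by its hex length; the Makefile fragments and digest values are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample input, written for this example (not copied from the OpenWrt tree).
# The digests are dummy values; only their length matters here.
SAMPLES = {
    "dnsmasq": "PKG_NAME:=dnsmasq\n"
               "PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq\n"
               "PKG_MD5SUM:=" + "0f" * 16 + "\n",
    "pinned-example": "PKG_NAME:=pinned-example\n"
                      "PKG_SOURCE_URL:=https://downloads.example.org/src\n"
                      "PKG_HASH:=" + "ab" * 32 + "\n",
    "unchecked-example": "PKG_NAME:=unchecked-example\n"
                         "PKG_SOURCE_URL:=@GNU/unchecked ftp://ftp.example.org/pub\n",
}

ASSIGN = re.compile(r"^(PKG_[A-Z0-9_]+)[ \t]*:?=[ \t]*(.*)$", re.M)
DIGEST_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm
WEAK = {"md5", "sha1"}

def parse_vars(text):
    """Return the PKG_* assignments of one package Makefile as a dict."""
    return {name: value.strip() for name, value in ASSIGN.findall(text)}

def digest_kind(value):
    """Classify a hex digest by its length; None if absent or not plain hex."""
    if not value or not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return DIGEST_BY_LEN.get(len(value))

def audit(text):
    """List the download-integrity weaknesses of one package definition."""
    v = parse_vars(text)
    findings = []
    # Entries such as @GNU/... are mirror aliases with no scheme and are skipped.
    urls = v.get("PKG_SOURCE_URL", "").split()
    if any(urlparse(u).scheme in ("http", "ftp") for u in urls):
        findings.append("cleartext-transport")
    kinds = {digest_kind(v.get(n)) for n in ("PKG_HASH", "PKG_MD5SUM")} - {None}
    if not kinds:
        findings.append("no-digest")
    elif kinds <= WEAK:
        findings.append("weak-digest:" + ",".join(sorted(kinds)))
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(text) or "ok")
```

A clean result only means the tarball is pinned by a strong digest; that pin is worth as much as the channel the Makefile itself arrived through.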

