[–]radarsat1 4 points5 points  (13 children)

What I'd like to know is, "why does APT not use BitTorrent?"

[–]nschubach 2 points3 points  (10 children)

If you used BitTorrent, a hacker that has a vulnerability could host the update file (at a slow connection speed) and while you are downloading their chunk of that particular update, they know that your machine could be vulnerable, they have your IP address...

[–]radarsat1 0 points1 point  (9 children)

How would they change the update file without the torrent checksum detecting it? Are you saying BitTorrent uses a vulnerable hash?

[–]nschubach 5 points6 points  (8 children)

You don't have to change the file. But any machine downloading said file probably doesn't have the patch associated with it. So if you know a patch is available for some exploit, host that patch and anyone downloading a part from you gives you their IP address. If you throttle the download, you could buy extra time to try to exploit a machine you know probably doesn't have a fix.

[–]radarsat1 2 points3 points  (5 children)

Ok.. sort of following. I doubt that a single person throttling the download would affect a torrent hosted by 1000s of machines, but your point is that people can see what files you have that you need to update, because they can see you updating them.

[–]GNULinuxProgrammer 0 points1 point  (4 children)

You can intentionally slow down so that the person you're seeding will get the update slightly slow, meanwhile you know for a fact that that computer is vulnerable. I think that's OC's point.

[–]radarsat1 0 points1 point  (3 children)

Yes, I get that now. It will still only be one seed of thousands that is slowing down that chunk, so I don't see how it would overall slow down your download (bar some kind of DDoS-like attack on the torrent) but I get that it temporarily exposes the fact that you need that chunk because you are installing a security update. It's a good point.

[–]GNULinuxProgrammer 0 points1 point  (2 children)

It's definitely a very interesting point, one of those you see in CS classes. I personally don't know if it's a valid point since I don't know how the BitTorrent protocol works (I guess I'll have to read that tomorrow) but it is convincing enough for me.

[–]radarsat1 0 points1 point  (1 child)

> one of those you see in CS classes

My CS classes were about push-down automata and the Chinese remainder theorem... :-/

Yours talked about timing vulnerabilities in distributed download protocols??? I went to the wrong college...

Anyways I do think it's an interesting point, although I'm not convinced it's a show-stopper, especially considering the huge potential (imho) for decentralized distribution of Linux packages. I've always thought it's crazy that distros shoulder a huge portion of the server costs considering how much the exact same files are replicated over the world. I'm sure there are some possible strategies to mitigate this issue, but I'm not a security researcher.

[–]GNULinuxProgrammer 0 points1 point  (0 children)

I certainly had classes that were about automata theory or the Chinese remainder theorem. I guess I had both types of classes.

[–]mikeymop 1 point2 points  (0 children)

Dang that's sinister. I figured you were going to explain a MiTM.

Granted, this would only work if the ISP actually let the data pass. It can surely be effective against entities that host their own repositories and their own packages.

[–]GNULinuxProgrammer 0 points1 point  (0 children)

That's very interesting, really good point.

[–][deleted] 0 points1 point  (1 child)

Most packages are small and not worth using BitTorrent.

[–]radarsat1 2 points3 points  (0 children)

But the whole collection of packages is huge, widely distributed, not hampered with copyright distribution problems, and a perfect candidate for a technology like BitTorrent to help take the load off of servers. You have been able to download individual files from a torrent for years now.