|
Title: Github Vulnerabilities and Bitcoin Post by: bb113 on March 06, 2012, 12:55:13 AM Quote GitHub, one of the largest repositories of commercial and open source software on the web, has been hacked. Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. Homakov could’ve deleted the entire history of projects such as jQuery, Node.js, Reddit, and Redis. http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted Could bitcoin be attacked via github? I have no idea... tell me. Title: Re: Github Vulnerabilities and Bitcoin Post by: marked on March 06, 2012, 02:17:47 AM Not to mention the possibility of all the RAILS hosted applications that could be affected by the method of attack used.
marked Title: Re: Github Vulnerabilities and Bitcoin Post by: theymos on March 06, 2012, 02:26:37 AM Every developer has his own SHA1-protected git data, so bad code couldn't have been introduced easily.
IIRC bitcoin.org is served from Github, so a worst-case breach of Github could cause some damage. Title: Re: Github Vulnerabilities and Bitcoin Post by: kjlimo on March 06, 2012, 02:50:19 AM But this would just affect the client program that users download, so some people would be downloading some random program that could do harmful things to their computer, yes?
This could happen to any software available for download. However, this is an issue because we're using a free service for an open source program. So this would require some secure distributor to deliver/support the software that is obtained by new users? Title: Re: Github Vulnerabilities and Bitcoin Post by: Gavin Andresen on March 06, 2012, 04:02:40 PM But this would just affect the client program that users download, so some people would be downloading some random program that could do harmful things to their computer, yes? That is always a risk, which is why next to the downloads there is a gpg-signed SHASUMS.asc file.To check the integrity of the download you should: + Check the signature on the SHASUMS.asc file: Code: $ gpg --verify SHASUMS.asc + Make sure the checksum for the downloaded file matches the checksum in the SHASUMS.asc file:gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1 gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>" Code: $ shasum bitcoin-0.6.0rc2-macosx.dmg 7ab035250ad32a95adf12f2bf8751df9adae0ad4 bitcoin-0.6.0rc2-macosx.dmg $ grep macosx SHASUMS.asc 7ab035250ad32a95adf12f2bf8751df9adae0ad4 bitcoin-0.6.0rc2-macosx.dmg Title: Re: Github Vulnerabilities and Bitcoin Post by: marked on March 06, 2012, 09:43:29 PM That is always a risk, which is why next to the downloads there is a gpg-signed SHASUMS.asc file. where? it isn't on the http://bitcoin.org homepage. The PGP keys for the devs are, but not that file. And if you click the download links from the top right hand corner then you get nowhere near to being able to get the SHASUMS.asc file unless you know how sourceforge works. http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.2/SHASUMS.asc/download Quote + Check the signature on the SHASUMS.asc file: Code: $ gpg --verify SHASUMS.asc + Make sure the checksum for the downloaded file matches the checksum in the SHASUMS.asc file:gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1 gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>" Code: $ shasum bitcoin-0.6.0rc2-macosx.dmg 7ab035250ad32a95adf12f2bf8751df9adae0ad4 bitcoin-0.6.0rc2-macosx.dmg $ grep macosx SHASUMS.asc 7ab035250ad32a95adf12f2bf8751df9adae0ad4 bitcoin-0.6.0rc2-macosx.dmg That doesn't verify it at all - it verifies that the files signature was created by someone who had a key that was used to create the signatures of the file, and called themselves gavinandresen@gmail.com. That does not mean that Gavin actually created the key. Quote $ gpg --verify SHASUMS.asc gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1 gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>" To be verified you need to know that the key really belongs to GAVIN ANDRESEN and therefore you must find a way to obtain the key not via the github site, or the bitcoin.org site in a manner that is trusted. i.e Gavin's keyID (the bit highlighed in bold above - using RSA key ID 1FC730C1 ) must be authenticated by him in some form that is trusted (#bitcoin-otc, PM on this site, phone conversation, other users who have WOT verified the key etc.) Even via here it can't really be trusted as forum admins can view and edit messages without a user being aware. To be 100% certain you would need to be physically near Gavin whilst he performed a key operation (e.g. signing a file) using that key or a subkey. Everything else is just reduced trust, and how much you are willing to take on that reduction. And everyone wonders why GPG and PGP never took off... marked Title: Re: Github Vulnerabilities and Bitcoin Post by: rjk on March 06, 2012, 09:46:53 PM pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat.
Title: Re: Github Vulnerabilities and Bitcoin Post by: marked on March 06, 2012, 10:18:35 PM pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat. who said anything about the pgp keyservers being compromised? They've just got a second set of keys belonging to a gavinandresen@gmail.com Explain to me the part that I've clearly missed... starting from scratch and having just heard of bitcoin and wanting a verified signature for the exec from the developer, how do you go about it? At which point are you relying on knowing gavin's key id, and when/how was it obtained? Is there at any time a naive user may not have followed your steps? Quote And everyone wonders why GPG and PGP never took off... and I reiterate. marked, wondering if you are greenend related? Title: Re: Github Vulnerabilities and Bitcoin Post by: rjk on March 06, 2012, 11:01:25 PM pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat. who said anything about the pgp keyservers being compromised? They've just got a second set of keys belonging to a gavinandresen@gmail.com Explain to me the part that I've clearly missed... starting from scratch and having just heard of bitcoin and wanting a verified signature for the exec from the developer, how do you go about it? At which point are you relying on knowing gavin's key id, and when/how was it obtained? Is there at any time a naive user may not have followed your steps? I'm not saying they could be hacked, I am saying that they ought to be used for verification. Basic PGP, check the keyservers, and the more the merrier. Title: Re: Github Vulnerabilities and Bitcoin Post by: da2ce7 on March 07, 2012, 03:52:18 AM I'm not saying they could be hacked, I am saying that they ought to be used for verification. Basic PGP, check the keyservers, and the more the merrier. Yep... That is why we cross-sign pgp keys once we have verifed the owner of them. :) Title: Re: Github Vulnerabilities and Bitcoin Post by: finway on March 07, 2012, 08:58:59 AM This is huge.
Title: Re: Github Vulnerabilities and Bitcoin Post by: JoelKatz on March 07, 2012, 09:13:39 AM To be verified you need to know that the key really belongs to GAVIN ANDRESEN and therefore you must find a way to obtain the key not via the github site, or the bitcoin.org site in a manner that is trusted. i.e Gavin's keyID (the bit highlighed in bold above - using RSA key ID 1FC730C1 ) must be authenticated by him in some form that is trusted (#bitcoin-otc, PM on this site, phone conversation, other users who have WOT verified the key etc.) Authenticating the key ID is not sufficient. Creating your own key with the same ID as a given key is much easier than mining a Bitcoin block. You either need to obtain the key from a trusted source, validate the key with cross-signatures with keys you've validated from trusted sources, or validate at least 24 hex digits from the key fingerprint.Title: Re: Github Vulnerabilities and Bitcoin Post by: nonsh on October 02, 2012, 01:22:20 AM It's trivial to fake gpg short key ids:
http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html http://yro.slashdot.org/story/11/12/27/0044242/gnupg-short-id-collision-has-occurred Title: Re: Github Vulnerabilities and Bitcoin Post by: ralree on October 02, 2012, 04:16:48 AM It took me a bit to realize this was a thread from the dead. Scared me!
|