jimbobway (OP)
Legendary, Activity: 1304, Merit: 1015
September 26, 2012, 05:06:49 PM
Make sure you use PGP to test your download before installing bitcoin. http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

> Summary
> One server from the SourceForge.net mirror system was distributing a phpMyAdmin kit containing a backdoor.
> Description
> One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.
> Severity
> We consider this vulnerability to be critical.
Blinken
September 26, 2012, 09:12:49 PM
Obviously the hackers are going to change the hash on the site as well. How do you know you have a good hash? That is the problem.
Bitcoin ♦♦♦ Trust in Mathematics, Not Bankers ♦♦♦
jimbobway (OP)
Legendary, Activity: 1304, Merit: 1015
September 26, 2012, 09:19:23 PM
> Obviously the hackers are going to change the hash on the site as well. How do you know you have a good hash? That is the problem.

Using Gavin's PGP signature you can test the SHA256SUMS.asc file to see if the hash in the file is legit. EDIT: See this thread https://bitcointalk.org/index.php?topic=69355.0
gusti
Legendary, Activity: 1099, Merit: 1000
September 26, 2012, 09:36:37 PM
Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing. Isn't it possible to set up a dedicated, hardened and fully audited server, only for a bitcoin updates repository?
If you don't own the private keys, you don't own the coins.
jimbobway (OP)
Legendary, Activity: 1304, Merit: 1015
September 26, 2012, 09:39:25 PM
> Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing. Isn't it possible to set up a dedicated, hardened and fully audited server, only for a bitcoin updates repository?

This was discussed a while back. Bitcoin devs considered hosting downloads on github, which uses SSL and is more secure, but is attackable. Maximum security is to use PGP.
gusti
Legendary, Activity: 1099, Merit: 1000
September 26, 2012, 09:50:48 PM
> Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing. Isn't it possible to set up a dedicated, hardened and fully audited server, only for a bitcoin updates repository?

> This was discussed a while back. Bitcoin devs considered hosting downloads on github, which uses SSL and is more secure, but is attackable. Maximum security is to use PGP.

I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. Whereas a dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.
jgarzik
Legendary, Activity: 1596, Merit: 1099
September 26, 2012, 09:51:45 PM
> Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing. Isn't it possible to set up a dedicated, hardened and fully audited server, only for a bitcoin updates repository?

A single server doesn't help much against DDoS, and bitcoin sites have often been DDoS victims in the past. Multiple servers + an active admin team can do it... but at that point you've just reinvented SourceForge or CloudFlare. If you go through a DDoS-hardened proxy, you are back to trusting SF/CF/...
Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own. Visit bloq.com / metronome.io Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
jimbobway (OP)
Legendary, Activity: 1304, Merit: 1015
September 26, 2012, 09:53:52 PM
> I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. Whereas a dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.

Gavin would probably say something like, "You want to do it?"
gusti
Legendary, Activity: 1099, Merit: 1000
September 26, 2012, 10:03:34 PM
> I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. Whereas a dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.

> Gavin would probably say something like, "You want to do it?"

Sure, why not, though Jeff is right on the DDoS issues. I'm also thinking of setting up a script which every hour will download and PGP-verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?
jgarzik
Legendary, Activity: 1596, Merit: 1099
September 26, 2012, 10:07:06 PM
> I'm also thinking of setting up a script which every hour will download and PGP-verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

Absolutely. That is a perfect example of decentralized action at work... we need as many people as possible checking these things.
Gavin Andresen
Legendary, Activity: 1652, Merit: 2301, Chief Scientist
September 26, 2012, 10:13:49 PM
> I'm also thinking of setting up a script which every hour will download and PGP-verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

> Absolutely. That is a perfect example of decentralized action at work... we need as many people as possible checking these things.

I was just about to say the same thing; if there were multiple people all over the world downloading and checking the binaries against the PGP signatures, that would be a wonderful thing, and would be much more robust against all the various attacks that might happen (DNS poisoning on some subset of the Internet, compromising one mirror, etc etc etc).
How often do you get the chance to work on a potentially world-changing project?
jimbobway (OP)
Legendary, Activity: 1304, Merit: 1015
September 26, 2012, 10:15:15 PM
gusti
Legendary, Activity: 1099, Merit: 1000
September 26, 2012, 11:52:48 PM
> I'm also thinking of setting up a script which every hour will download and PGP-verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

> Absolutely. That is a perfect example of decentralized action at work... we need as many people as possible checking these things.

This script will download and verify the bitcoin installer, and send an email if any problem is found. The mailutils package is needed.

Code:
#!/bin/bash
cd "/path to files/"

# fetch Gavin's public key only if it is not already on disk
if [ ! -f gavinandresen.asc ]; then
    wget http://bitcoin.org/gavinandresen.asc
fi

# always fetch a fresh copy of the sums file and the installer
rm -f SHA256SUMS.asc
rm -f bitcoin-0.7.0-win32-setup.exe
wget http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/SHA256SUMS.asc
wget http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/bitcoin-0.7.0-win32-setup.exe

gpg --import gavinandresen.asc
gpg --verify SHA256SUMS.asc   # exit status of the verify is not checked

# compare the installer's sha256 with the line listed for it in the sums file
sha256sum bitcoin-0.7.0-win32-setup.exe > shafile.txt
grep bitcoin-0.7.0-win32-setup.exe SHA256SUMS.asc > shafile2.txt
if diff shafile.txt shafile2.txt >/dev/null; then
    echo ""
else
    echo "Verify problem !" | mail -s Bla xxx@yyyy.com
fi
jgarzik
Legendary, Activity: 1596, Merit: 1099
September 26, 2012, 11:57:19 PM
Just import Gavin's key once, rather than once each time you run the script.
gusti
Legendary, Activity: 1099, Merit: 1000
September 26, 2012, 11:58:49 PM
> Just import Gavin's key once, rather than once each time you run the script.

Yes, I think it only imports it once, if the file is not present.
dooglus
Legendary, Activity: 2940, Merit: 1333
September 27, 2012, 04:58:58 AM
The script checks whether the SHA256SUMS.asc file is correctly signed or not, and then ignores the result and continues whether or not the signature is valid.
Draino
September 27, 2012, 05:04:38 AM
forgive my ignorance, but uh
what about bit torrent?
gusti
Legendary, Activity: 1099, Merit: 1000
September 27, 2012, 11:03:34 AM
> The script checks whether the SHA256SUMS.asc file is correctly signed or not, and then ignores the result and continues whether or not the signature is valid.

Yes, you are right, the script is very basic (I'm not a programmer, really) and does not check signature validity.
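A corrected version of the check, added here as an example and not gusti's script or anything from the Bitcoin project: it acts on the result of gpg --verify (dooglus's point), pins the signer's key fingerprint, and compares the digest listed in the signed SHA256SUMS.asc with the installer's real sha256. It assumes the key was imported once beforehand, that both files are already downloaded, and uses a placeholder fingerprint in EXPECTED_FPR.

```shell
#!/bin/bash
# Added example: not gusti's script and not Bitcoin project code. Unlike
# the thread's script it acts on the result of gpg --verify (dooglus's
# point), pins the signer's fingerprint, and compares the digest listed in
# the signed sums file with the installer's real sha256. Assumes the key
# was imported once beforehand and both files are already downloaded.

# PLACEHOLDER fingerprint, not a value from the thread: obtain the real
# one out of band, not from the mirror you are checking.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# 0 only if $1 carries a valid signature from the pinned key: gpg's status
# stream emits a VALIDSIG line (with the signing and primary fingerprints)
# only when a signature really verified.
verify_sums_signature() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:] VALIDSIG .*$EXPECTED_FPR"
}

# 0 if the digest listed for filename $2 in sums file $1 equals the sha256
# of local file $3; 2 if there is no entry for that filename at all.
check_sha256_against_sums() {
    local sums="$1" name="$2" path="$3" expected actual
    # exact filename match; sha256sum -b prefixes binary entries with '*'
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums" | head -n 1)
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$path" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Both checks must pass; a bad signature is never silently skipped. In an
# hourly cron job, a non-zero exit is where the "| mail -s ..." alert goes.
verify_download() {
    local sums="$1" name="$2" path="$3"
    if ! verify_sums_signature "$sums"; then
        echo "BAD or unverifiable signature on $sums" >&2
        return 1
    fi
    if ! check_sha256_against_sums "$sums" "$name" "$path"; then
        echo "hash mismatch for $name" >&2
        return 1
    fi
    echo "OK: $name matches the signed $sums"
}
```

Run it as `verify_download SHA256SUMS.asc bitcoin-0.7.0-win32-setup.exe ./bitcoin-0.7.0-win32-setup.exe` from the download directory; the key is only imported once, outside the script.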
intel-core-i7
Member, Activity: 86, Merit: 10
September 28, 2012, 03:09:00 AM
I will post a new script + a PHP version to put on a shared hosting, for people who have just that... When I post, I will be happy for donations: 162QsQNozzpF242K3n7nXuzkBAtbjcsbQF
If you like what I do - donate : 1MWoRs6wKyJLLYm7gjrWeTcipCrCTneCRE | torchat: g7hzmvlpjygbiage
kokojie
Legendary, Activity: 1806, Merit: 1003
September 28, 2012, 03:53:08 AM
Can't someone just create a monitoring script, using PHP, and tell us if the current file is valid? Everyone can run this on their own server or host it for others.
btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6