Bitcoin Forum
December 08, 2016, 04:08:49 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Github Vulnerabilities and Bitcoin  (Read 2415 times)
bb113
Hero Member
*****
Offline Offline

Activity: 728


View Profile
March 06, 2012, 12:55:13 AM
 #1

Quote
GitHub, one of the largest repositories of commercial and open source software on the web, has been hacked. Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. Homakov could’ve deleted the entire history of projects such as jQuery, Node.js, Reddit, and Redis.

http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted

Could bitcoin be attacked via github? I have no idea... tell me.
1481170129
Hero Member
*
Offline Offline

Posts: 1481170129

View Profile Personal Message (Offline)

Ignore
1481170129
Reply with quote  #2

1481170129
Report to moderator
1481170129
Hero Member
*
Offline Offline

Posts: 1481170129

View Profile Personal Message (Offline)

Ignore
1481170129
Reply with quote  #2

1481170129
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
marked
Full Member
***
Offline Offline

Activity: 168



View Profile
March 06, 2012, 02:17:47 AM
 #2

Not to mention the possibility of all the RAILS hosted applications that could be affected by the method of attack used.

marked
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2492


View Profile
March 06, 2012, 02:26:37 AM
 #3

Every developer has his own SHA1-protected git data, so bad code couldn't have been introduced easily.

IIRC bitcoin.org is served from Github, so a worst-case breach of Github could cause some damage.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
kjlimo
Legendary
*
Offline Offline

Activity: 1498


View Profile WWW
March 06, 2012, 02:50:19 AM
 #4

But this would just affect the client program that users download, so some people would be downloading some random program that could do harmful things to their computer, yes?

This could happen to any software available for download.  However, this is an issue because we're using a free service for an open source program.

So this would require some secure distributor to deliver/support the software that is obtained by new users?

CampBX for buying BTCs, Coinbase for selling BTCs or Vircurex or Cryptsy for trading alternate cryptocurrencies like DOGEs

PM me with any questions on these sites!  Happy to help!

Bitcoin Poker at Seals                  Strike Sapphire Casino  Free games every hour & day!
  Get Free Bitcoins here.

Spondoolies-Tech or KnC Miner for the fastest mining hardware available!

Bitpay to help your business accept bitcoin payments!
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
March 06, 2012, 04:02:40 PM
 #5

But this would just affect the client program that users download, so some people would be downloading some random program that could do harmful things to their computer, yes?
That is always a risk, which is why next to the downloads there is a gpg-signed SHASUMS.asc file.

To check the integrity of the download you should:

+ Check the signature on the SHASUMS.asc file:
Code:
$ gpg --verify SHASUMS.asc
gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"
+ Make sure the checksum for the downloaded file matches the checksum in the SHASUMS.asc file:
Code:
$ shasum bitcoin-0.6.0rc2-macosx.dmg
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg
$ grep macosx SHASUMS.asc
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg


How often do you get the chance to work on a potentially world-changing project?
marked
Full Member
***
Offline Offline

Activity: 168



View Profile
March 06, 2012, 09:43:29 PM
 #6

That is always a risk, which is why next to the downloads there is a gpg-signed SHASUMS.asc file.
where? it isn't on the http://bitcoin.org homepage. The PGP keys for the devs are, but not that file. And if you click the download links from the top right hand corner then you get nowhere near to being able to get the SHASUMS.asc file unless you know how sourceforge works.

http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.2/SHASUMS.asc/download

Quote
+ Check the signature on the SHASUMS.asc file:
Code:
$ gpg --verify SHASUMS.asc
gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"
+ Make sure the checksum for the downloaded file matches the checksum in the SHASUMS.asc file:
Code:
$ shasum bitcoin-0.6.0rc2-macosx.dmg
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg
$ grep macosx SHASUMS.asc
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg

That doesn't verify it at all - it verifies that the files signature was created by someone who had a key that was used to create the signatures of the file, and called themselves gavinandresen@gmail.com. That does not mean that Gavin actually created the key.

Quote
$ gpg --verify SHASUMS.asc
gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"

To be verified you need to know that the key really belongs to GAVIN ANDRESEN and therefore you must find a way to obtain the key not via the github site, or the bitcoin.org site in a manner that is trusted. i.e Gavin's keyID (the bit highlighed in bold above - using RSA key ID 1FC730C1 ) must be authenticated by him in some form that is trusted (#bitcoin-otc, PM on this site, phone conversation, other users who have WOT verified the key etc.)

Even via here it can't really be trusted as forum admins can view and edit messages without a user being aware.

To be 100% certain you would need to be physically near Gavin whilst he performed a key operation (e.g. signing a file) using that key or a subkey. Everything else is just reduced trust, and how much you are willing to take on that reduction.

And everyone wonders why GPG and PGP never took off...


marked
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
March 06, 2012, 09:46:53 PM
 #7

pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
marked
Full Member
***
Offline Offline

Activity: 168



View Profile
March 06, 2012, 10:18:35 PM
 #8

pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat.

who said anything about the pgp keyservers being compromised? They've just got a second set of keys belonging to a gavinandresen@gmail.com

Explain to me the part that I've clearly missed... starting from scratch and having just heard of bitcoin and wanting a verified signature for the exec from the developer, how do you go about it?

At which point are you relying on knowing gavin's key id, and when/how was it obtained?

Is there at any time a naive user may not have followed your steps?

Quote
And everyone wonders why GPG and PGP never took off...

and I reiterate.

marked, wondering if you are greenend related?

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
March 06, 2012, 11:01:25 PM
 #9

pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat.

who said anything about the pgp keyservers being compromised? They've just got a second set of keys belonging to a gavinandresen@gmail.com

Explain to me the part that I've clearly missed... starting from scratch and having just heard of bitcoin and wanting a verified signature for the exec from the developer, how do you go about it?

At which point are you relying on knowing gavin's key id, and when/how was it obtained?

Is there at any time a naive user may not have followed your steps?

I'm not saying they could be hacked, I am saying that they ought to be used for verification. Basic PGP, check the keyservers, and the more the merrier.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
da2ce7
Legendary
*
Offline Offline

Activity: 1218


Live and Let Live


View Profile
March 07, 2012, 03:52:18 AM
 #10

I'm not saying they could be hacked, I am saying that they ought to be used for verification. Basic PGP, check the keyservers, and the more the merrier.

Yep... That is why we cross-sign pgp keys once we have verifed the owner of them.  Smiley

One off NP-Hard.
finway
Hero Member
*****
Offline Offline

Activity: 714


View Profile
March 07, 2012, 08:58:59 AM
 #11

This is huge.

JoelKatz
Legendary
*
Offline Offline

Activity: 1386


Democracy is vulnerable to a 51% attack.


View Profile WWW
March 07, 2012, 09:13:39 AM
 #12

To be verified you need to know that the key really belongs to GAVIN ANDRESEN and therefore you must find a way to obtain the key not via the github site, or the bitcoin.org site in a manner that is trusted. i.e Gavin's keyID (the bit highlighed in bold above - using RSA key ID 1FC730C1 ) must be authenticated by him in some form that is trusted (#bitcoin-otc, PM on this site, phone conversation, other users who have WOT verified the key etc.)
Authenticating the key ID is not sufficient. Creating your own key with the same ID as a given key is much easier than mining a Bitcoin block. You either need to obtain the key from a trusted source, validate the key with cross-signatures with keys you've validated from trusted sources, or validate at least 24 hex digits from the key fingerprint.

I am an employee of Ripple.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
nonsh
Newbie
*
Offline Offline

Activity: 14


View Profile
October 02, 2012, 01:22:20 AM
 #13

It's trivial to fake gpg short key ids:
http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
http://yro.slashdot.org/story/11/12/27/0044242/gnupg-short-id-collision-has-occurred
ralree
Hero Member
*****
Offline Offline

Activity: 518


Manateeeeeeees


View Profile
October 02, 2012, 04:16:48 AM
 #14

It took me a bit to realize this was a thread from the dead.  Scared me!

1MANaTeEZoH4YkgMYz61E5y4s9BYhAuUjG
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!