Github Vulnerabilities and Bitcoin

[bb113]

GitHub, one of the largest repositories of commercial and open source software on the web, has been hacked. Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. Homakov could’ve deleted the entire history of projects such as jQuery, Node.js, Reddit, and Redis.

http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted

Could bitcoin be attacked via github? I have no idea... tell me.

[1713944637]

1713944637

[1713944637]

1713944637

[1713944637]

1713944637

[1713944637]

1713944637

[marked]

Not to mention the possibility of all the RAILS hosted applications that could be affected by the method of attack used.

marked

[theymos]

Every developer has his own SHA1-protected git data, so bad code couldn't have been introduced easily.

IIRC bitcoin.org is served from Github, so a worst-case breach of Github could cause some damage.

[kjlimo]

But this would just affect the client program that users download, so some people would be downloading some random program that could do harmful things to their computer, yes?

This could happen to any software available for download.  However, this is an issue because we're using a free service for an open source program.

So this would require some secure distributor to deliver/support the software that is obtained by new users?

[Gavin Andresen]

But this would just affect the client program that users download, so some people would be downloading some random program that could do harmful things to their computer, yes?

That is always a risk, which is why next to the downloads there is a gpg-signed SHASUMS.asc file.

To check the integrity of the download you should:

+ Check the signature on the SHASUMS.asc file:

Code:

$ gpg --verify SHASUMS.asc 
gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"

+ Make sure the checksum for the downloaded file matches the checksum in the SHASUMS.asc file:

Code:

$ shasum bitcoin-0.6.0rc2-macosx.dmg
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg
$ grep macosx SHASUMS.asc 
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg

[marked]

That is always a risk, which is why next to the downloads there is a gpg-signed SHASUMS.asc file.

where? it isn't on the http://bitcoin.org homepage. The PGP keys for the devs are, but not that file. And if you click the download links from the top right hand corner then you get nowhere near to being able to get the SHASUMS.asc file unless you know how sourceforge works.

http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.5.2/SHASUMS.asc/download

+ Check the signature on the SHASUMS.asc file:

Code:

$ gpg --verify SHASUMS.asc 
gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"

+ Make sure the checksum for the downloaded file matches the checksum in the SHASUMS.asc file:

Code:

$ shasum bitcoin-0.6.0rc2-macosx.dmg
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg
$ grep macosx SHASUMS.asc 
7ab035250ad32a95adf12f2bf8751df9adae0ad4  bitcoin-0.6.0rc2-macosx.dmg

That doesn't verify it at all - it verifies that the files signature was created by someone who had a key that was used to create the signatures of the file, and called themselves gavinandresen@gmail.com. That does not mean that Gavin actually created the key.

$ gpg --verify SHASUMS.asc
gpg: Signature made Wed Feb 29 20:51:40 2012 EST using RSA key ID 1FC730C1
gpg: Good signature from "Gavin Andresen (CODE SIGNING KEY) <gavinandresen@gmail.com>"

To be verified you need to know that the key really belongs to GAVIN ANDRESEN and therefore you must find a way to obtain the key not via the github site, or the bitcoin.org site in a manner that is trusted. i.e Gavin's keyID (the bit highlighed in bold above - using RSA key ID 1FC730C1 ) must be authenticated by him in some form that is trusted (#bitcoin-otc, PM on this site, phone conversation, other users who have WOT verified the key etc.)

Even via here it can't really be trusted as forum admins can view and edit messages without a user being aware.

To be 100% certain you would need to be physically near Gavin whilst he performed a key operation (e.g. signing a file) using that key or a subkey. Everything else is just reduced trust, and how much you are willing to take on that reduction.

And everyone wonders why GPG and PGP never took off...


marked

[rjk]

pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat.

[marked]

pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat.

who said anything about the pgp keyservers being compromised? They've just got a second set of keys belonging to a gavinandresen@gmail.com

Explain to me the part that I've clearly missed... starting from scratch and having just heard of bitcoin and wanting a verified signature for the exec from the developer, how do you go about it?

At which point are you relying on knowing gavin's key id, and when/how was it obtained?

Is there at any time a naive user may not have followed your steps?

And everyone wonders why GPG and PGP never took off...

and I reiterate.

marked, wondering if you are greenend related?

[rjk]

pgp.mit.edu is neither bitcoin.org nor github.com. Same goes for Surfnet. Put away your tinfoil hat.

who said anything about the pgp keyservers being compromised? They've just got a second set of keys belonging to a gavinandresen@gmail.com

Explain to me the part that I've clearly missed... starting from scratch and having just heard of bitcoin and wanting a verified signature for the exec from the developer, how do you go about it?

At which point are you relying on knowing gavin's key id, and when/how was it obtained?

Is there at any time a naive user may not have followed your steps?

I'm not saying they could be hacked, I am saying that they ought to be used for verification. Basic PGP, check the keyservers, and the more the merrier.

[da2ce7]

I'm not saying they could be hacked, I am saying that they ought to be used for verification. Basic PGP, check the keyservers, and the more the merrier.

Yep... That is why we cross-sign pgp keys once we have verifed the owner of them. 

[finway]

This is huge.

[JoelKatz]

To be verified you need to know that the key really belongs to GAVIN ANDRESEN and therefore you must find a way to obtain the key not via the github site, or the bitcoin.org site in a manner that is trusted. i.e Gavin's keyID (the bit highlighed in bold above - using RSA key ID 1FC730C1 ) must be authenticated by him in some form that is trusted (#bitcoin-otc, PM on this site, phone conversation, other users who have WOT verified the key etc.)

Authenticating the key ID is not sufficient. Creating your own key with the same ID as a given key is much easier than mining a Bitcoin block. You either need to obtain the key from a trusted source, validate the key with cross-signatures with keys you've validated from trusted sources, or validate at least 24 hex digits from the key fingerprint.

[nonsh]

It's trivial to fake gpg short key ids:
http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html
http://yro.slashdot.org/story/11/12/27/0044242/gnupg-short-id-collision-has-occurred

[ralree]

It took me a bit to realize this was a thread from the dead.  Scared me!