On 3 April 2013 14:39, Rob Weir <robw...@apache.org> wrote: > We're starting to take a deeper look at what is required to integrate code > signing into the OpenOffice build and release process. As you probably know > operating systems, especially Windows and MacOS, are now checking for > digital signatures and by default prevent users from installing programs > that are not signed. We see similar checks being integrated into > anti-virus scanners and even web browsers now. > > One of the things that has come out in discussions is how large a target > OpenOffice is, to hackers. We're on track to have 50 million downloads in > our first year. If someone is able to get a virus or a trojan into our > code, they have the ability to cause a huge amount of damage. And if we > are also signing our code, then this damage can propagate even faster, > since the OS's "let down their guard" somewhat when dealing with signed > code. (Signed code == trust). > > Of course, none of this has ever happened with OpenOffice, but with the > stature and reach we have, it is reasonable to believe that we could be a > target of opportunity for someone wishing to cause trouble. We should > always keep this in mind and make sure that we are taking reasonable > precautions to prevent this from happening. > > One vulnerability, in theory, is that we have over 100 committers (123 to > be exact) who have permission to modify the source code in Subversion. > Each account is protected by a self-selected passcode. It is not clear to > me that we even have requirements on password complexity or expiration > policies. In any case, the weakness of this approach is not necessarily > what you might think -- brute force attack on the password. If someone > wants to initiate a "spear phishing" attack against a committer, it would > be something like: > > 1) Standard phishing: a spoofed note from Apache Infra, with some invented > story that asks you to change your password but first enter your old one > for confirmation. It leads you to a fake, non-Apache website. > > 2) If you use the same passcode on multiple web services and one of them is > compromised, say by retrieving the passcode hashes, then it is easy to do > offline dictionary attacks (rainbow tables, etc.) and figure out your > Apache password. > > 3) If you lose control of your laptop, at a conference, bar, hotel, > whatever, even temporarily, someone can gain access to your Subversion > account, via applications that cache credentials, like TortoiseSVN. > > 4) Similar to #3, but by taking control of your laptop via remote means, > i.e., via a virus loaded on to your machine via another vulnerability. >
None of these things have happened to us yet, but all of these things are > possible. > > So how do we reduce this risk? There are a few things we do or should be > doing already. > > 1) Be careful on the machines that you use Subversion from. Treat it like > a machine where you access your bank account from. If you are visiting > risky sites or downloading and installing software from dubious places, > then you are putting your Apache account at risk. > > 2) Use a high-complexity Apache passcode, one not used by you on any other > service. > > 3) Change your passcode periodically, say every 90 days. > 4) On laptops be sure to set a strong login password, but also where > available also a separate harddrive password. These should also be strong > passwords, not reused, and should be periodically changed. > > For those who are building binaries for distribution, the above guidance is > even more critical. > > Of course, we also protect the code through our CTR process. All active > coders should be subscribed to the commits list and should be reviewing the > changes that are made there. Trust the code, not the person. Remember, if > we ever are attacked then it will be through someone's compromised > account. So if you see an odd check-in, say, from Juergen, don't just > accept it saying "Juergen knows what he is doing". If it is odd, then it > should be challenged. > > All of the above should already be going on today. But I'd like to propose > one change to our current process that will, I think, greatly increase > security. This would be to restrict SVN authorization for the code to only > the subset of committers who are actively coding. We should give this > authorization freely to committers who request it. But today we have 123 > committers, some of whom have never used Subversion, and some (like me) who > edit /site and /ooo-site but never touch the code. So we probably have 90 > or more accounts that don't need access to the source code tree. Since > such used accounts are unlikely to be following the best practices outlined > above (changing passwords periodically, etc.) then they are even more > risky. We lose nothing by removing authorization for those users, in order > to reduce the risk profile. Of course, on request we can easily restore > access. But the idea would be to keep the bullets separate from the gun by > default, to reduce the risk of accidents. > > One way of implementing this would be to look at all commits for the past 6 > months (or 1 year?) and remove authorization on /trunk, /tag and /branches > for those who have not made commits. But preserve authorization for the > website directories. > With the knowledge I have, it should be no problem making 2 types of committers, but I am not sure it would really fit the "apache way". In my opinion, it is fair to say, that if a committer has not made any commits for 6 months, the commit access is placed on hold until requested. But we have to very carefull not make it even harder to become/be committer, compare us a bit with LO, there I can have commit access within less than a day. rgds jan I > > Thoughts? > > -Rob >