Re: [cmake-developers] malware?

2015-07-24 Thread Sean McBride
On Fri, 24 Jul 2015 11:40:09 -0400, Chuck Atkins said:

 I just checked the cmake.org download and was able to verify the following:

 cmake-3.2.3-Darwin-x86_64.dmg - 27949121 Bytes - MD5
 97c26048e9b3e242951bb5b1ff88da9e
 cmake-3.3.0-Darwin-x86_64.dmg - 22628082 Bytes - MD5
 232ae38586f3e6b665f9b7ac281167a0

 I checked from both inside and outside Kitware's network to verify
 internal and external were the same.  Are these the same for the files you
 downloaded from cmake.org?  Can you try to download from a different
 machine to verify it's not a local problem?

If you're trying to detect imposter binaries, don't use md5.  In fact, don't 
use md5 ever for anything:
https://en.wikipedia.org/wiki/MD5#Security

I get the following for my cmake download:

$ shasum -a 256 /Users/sean/Downloads/cmake-3.3.0-Darwin-x86_64.dmg 
0282d6f139f5292c2bb9b3d600df6b7db242d8f53c4ab8d1e6ddff76402e0eab  
/Users/sean/Downloads/cmake-3.3.0-Darwin-x86_64.dmg

Cheers,

-- 

Sean McBride, B. Eng    s...@rogue-research.com
Rogue Research          www.rogue-research.com
Mac Software Developer  Montréal, Québec, Canada


-- 

Powered by www.kitware.com

Please keep messages on-topic and check the CMake FAQ at: 
http://www.cmake.org/Wiki/CMake_FAQ

Kitware offers various services to support the CMake community. For more 
information on each offering, please visit:

CMake Support: http://cmake.org/cmake/help/support.html
CMake Consulting: http://cmake.org/cmake/help/consulting.html
CMake Training Courses: http://cmake.org/cmake/help/training.html

Visit other Kitware open-source projects at 
http://www.kitware.com/opensource/opensource.html

Follow this link to subscribe/unsubscribe:
http://public.kitware.com/mailman/listinfo/cmake-developers


Re: [cmake-developers] malware?

2015-07-24 Thread Chuck Atkins
Hi David,

I just checked the cmake.org download and was able to verify the following:

cmake-3.2.3-Darwin-x86_64.dmg - 27949121 Bytes - MD5
97c26048e9b3e242951bb5b1ff88da9e
cmake-3.3.0-Darwin-x86_64.dmg - 22628082 Bytes - MD5
232ae38586f3e6b665f9b7ac281167a0

I checked from both inside and outside Kitware's network to verify
internal and external were the same.  Are these the same for the files you
downloaded from cmake.org?  Can you try to download from a different
machine to verify it's not a local problem?

Thanks


- Chuck

On Fri, Jul 24, 2015 at 1:04 AM, David Powell d...@telus.net wrote:

 hi

 I downloaded cmake an hour ago from cmake.org and found myself with an
 unwanted piece of software called “advanced mac cleaner”, an app that was
 hard to get rid of. I’m not certain it came from your site but it happened
 at the same time and I can’t think of any other explanation..  The download
 file from cmake.org (supposedly the latest stable dmg for mac) was much
 bigger (30MB) than the cmake file I subsequently downloaded from github.


Re: [cmake-developers] malware?

2015-07-24 Thread James Johnston
 -Original Message-
 From: cmake-developers [mailto:cmake-developers-boun...@cmake.org]
 On 24/07/15 07:04, David Powell wrote:
  hi
 
  I downloaded cmake an hour ago from cmake.org and found myself with an
  unwanted piece of software called "advanced mac cleaner", an app that was
  hard to get rid of. I'm not certain it came from your site but it happened
  at the same time and I can't think of any other explanation.  The download
  file from cmake.org (supposedly the latest stable dmg for mac) was much
  bigger (30MB) than the cmake file I subsequently downloaded from github.
 
 I don't know about that, but I just noticed that cmake.org allows HTTP
 (non-HTTPS) downloads.
 
 HTTP has no form of cryptographic authentication or verification, and it's
 incredibly easy for a MitM to attach malware to your downloads.
 
 IMO, the HTTP downloads should be removed ASAP.

Two other ideas that don't require HTTPS hosting of large binary files:

 * On Windows, cryptographically sign the setup program using Authenticode.
When the UAC prompts for elevation, Windows will show it signed by Kitware
instead of a yellow warning Unknown.  Probably the other operating systems
have a first-class way of doing something like this as well.  Downside:
certificates cost some modest amount of money to renew every year.

 * Post SHA-1 hashes of the EXEs/DMGs/tarballs on the CMake web site, and
post them over HTTPS.  But downside here is that many users won't bother to
check this (e.g. Windows has no well-known in-built utility for calculating
a file hash).

I agree the current situation of unsigned files available over HTTP only is
not really ideal.  Perhaps this would be a good opportunity for looking at
enhancements to CMake itself in the area of code signing (e.g. code signing
of individual target EXEs/DLLs, and code signing of the final setup EXE
package by CPack) that hides the various operating-system-specific ways of
doing this?  Then, CMake itself can be modified to be built with these new
features, if available.  A quick Google search of cmake.org for code signing
didn't yield much in the way of previous discussion or existing features...

Best regards,

James Johnston
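Sean's `shasum -a 256` check, Chuck's file-size comparison and James's suggestion of publishing hashes over HTTPS all come down to the same client-side step, so here is one added example covering all three (it is not CMake's or Kitware's own tooling). It verifies a downloaded artifact against a SHA-256 digest and optional byte count, looks a file up in a `sha256sum`/`shasum`-style checksum list, and refuses a 32-hex MD5 outright. The function names, the `SHA-256SUMS` file layout and every digest, size and file name used below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not CMake's or Kitware's own tooling: check a downloaded
# release artifact against a SHA-256 digest (and optionally a byte count)
# obtained out of band, for instance from a checksum list served over HTTPS.
# All digests, sizes and file names used with it here are constructed.

# Print the lower-cased SHA-256 of a file using whichever tool the platform
# ships: sha256sum (GNU coreutils) or shasum (macOS, as used in the thread).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# verify_digest FILE EXPECTED_SHA256 [EXPECTED_SIZE]
# Returns 0 only if FILE exists, its SHA-256 equals EXPECTED_SHA256 and, when
# given, its size in bytes equals EXPECTED_SIZE. Anything that is not a 64-hex
# digest is refused: a matching 32-hex MD5 proves nothing about substitution,
# because MD5 collisions are cheap to construct.
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    size=${3:-}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case "$expected" in
        *[!0-9a-f]*) echo "digest is not hexadecimal" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || {
        echo "expected a 64-hex SHA-256 digest, got ${#expected} hex chars" >&2
        return 1
    }
    if [ -n "$size" ]; then
        actual_size=$(wc -c < "$file" | tr -d ' ')
        [ "$actual_size" -eq "$size" ] || {
            echo "size mismatch: $actual_size bytes, expected $size" >&2
            return 1
        }
    fi
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] || { echo "SHA-256 mismatch for $file" >&2; return 1; }
    return 0
}

# lookup_digest SUMS_FILE NAME
# Print the digest recorded for NAME in a "<digest>  <name>" list, the format
# sha256sum and shasum write (a leading '*' marks binary mode and is ignored).
lookup_digest() {
    awk -v name="$2" '
        { n = $2; sub(/^\*/, "", n); if (n == name) { print $1; found = 1; exit } }
        END { exit !found }' "$1"
}

# verify_against_sums SUMS_FILE FILE
# Look FILE's base name up in SUMS_FILE and verify it against the listed digest.
verify_against_sums() {
    name=$(basename "$2")
    digest=$(lookup_digest "$1" "$name") || { echo "no entry for $name in $1" >&2; return 1; }
    verify_digest "$2" "$digest"
}
```

Typical use is `verify_against_sums SHA-256SUMS cmake-3.3.0-Darwin-x86_64.dmg` after fetching the checksum list over HTTPS. The check is only as strong as the channel the digest arrived on: a list served over the same plain-HTTP path as the binary can be rewritten by the same man in the middle, which is why the thread wants the hashes (or a signature) published separately.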



Re: [cmake-developers] malware?

2015-07-24 Thread Chuck Atkins
 If you're trying to detect imposter binaries, don't use md5.


Fair enough, it was more force of habit than anything.  Regardless, the
file size seems way off.



 I get the following for my cmake download:

 $ shasum -a 256 /Users/sean/Downloads/cmake-3.3.0-Darwin-x86_64.dmg
 0282d6f139f5292c2bb9b3d600df6b7db242d8f53c4ab8d1e6ddff76402e0eab
 /Users/sean/Downloads/cmake-3.3.0-Darwin-x86_64.dmg


Confirmed:

[chuck.atkins@hal9000 tmp]$ shasum -a 256 cmake-3.3.0-Darwin-x86_64.dmg
0282d6f139f5292c2bb9b3d600df6b7db242d8f53c4ab8d1e6ddff76402e0eab
cmake-3.3.0-Darwin-x86_64.dmg

Re: [cmake-developers] malware?

2015-07-24 Thread Alan W. Irwin

An additional and obvious security measure is to cryptographically
sign each file release with a detached armored signature, e.g.,

gpg --default-key keyid --detach-sign --armor cmake-3.3.0.tar.gz

where keyid is a CMake release manager identification key (also created
and distributed by gpg).

The above command creates a small file called cmake-3.3.0.tar.gz.asc which
security-conscious users download along with the tarball itself.

They can then verify every byte of both downloads and that the correct
cryptographic signature from the CMake release manager was applied using

gpg --verify cmake-3.3.0.tar.gz.asc

Most important open-source projects (and even many unimportant ones
like PLplot, :-) ) routinely apply this security measure for release
tarballs, but for some reason up to now, Kitware has not.

Alan
__
Alan W. Irwin

Astronomical research affiliation with Department of Physics and Astronomy,
University of Victoria (astrowww.phys.uvic.ca).

Programming affiliations with the FreeEOS equation-of-state
implementation for stellar interiors (freeeos.sf.net); the Time
Ephemerides project (timeephem.sf.net); PLplot scientific plotting
software package (plplot.sf.net); the libLASi project
(unifont.org/lasi); the Loads of Linux Links project (loll.sf.net);
and the Linux Brochure Project (lbproject.sf.net).
__

Linux-powered Science
__
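The detached-signature workflow described above, run end to end as an added example (not Kitware's release tooling) with a throwaway key in an isolated `GNUPGHOME`. The function names, the example user id and the file contents are constructed here. It also adds the step that makes `gpg --verify` meaningful in practice: comparing the signing key's fingerprint against one obtained out of band from the project, since gpg exits 0 for a good signature from any key that happens to be in the local keyring.

```shell
#!/bin/sh
# Added example, not Kitware's release tooling: sign a release file with an
# armored detached signature and verify it, pinning the signer's fingerprint.
# The key, user id and file contents are constructed; a real deployment pins
# the fingerprint the project publishes, obtained over a channel other than
# the download itself.

# Create an isolated keyring holding an unprotected throwaway signing key.
# Needs gpg >= 2.1; loopback pinentry lets --passphrase apply non-interactively.
setup_keyring() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Release Manager <release@example.invalid>' \
        default default never >/dev/null 2>&1
}

# Print the primary fingerprint of the first key in the keyring: the value a
# project would publish next to its releases.
signing_fingerprint() {
    gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_release FILE
# Write FILE.asc, the small armored detached signature users download alongside FILE.
sign_release() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# verify_release FILE FINGERPRINT
# Returns 0 only if FILE.asc is a good signature over every byte of FILE *and*
# the signature was made by the pinned key. Naming both files avoids gpg guessing
# the data file from the .asc name; the VALIDSIG status line carries the
# fingerprint of the key that actually signed.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$2"
}
```

A plain `gpg --verify cmake-3.3.0.tar.gz.asc` reports "Good signature" for any key already imported, including one an attacker published under a lookalike name, so the fingerprint comparison is the part a security-conscious user must not skip.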


[cmake-developers] malware?

2015-07-23 Thread David Powell
hi

I downloaded cmake an hour ago from cmake.org and found myself with an
unwanted piece of software called “advanced mac cleaner”, an app that was
hard to get rid of. I’m not certain it came from your site but it happened
at the same time and I can’t think of any other explanation.  The download
file from cmake.org (supposedly the latest stable dmg for mac) was much
bigger (30MB) than the cmake file I subsequently
downloaded from github.

Re: [cmake-developers] malware?

2015-07-23 Thread Michael Enßlin
On 24/07/15 07:04, David Powell wrote:
 hi
 
 I downloaded cmake an hour ago from cmake.org and found myself with an
 unwanted piece of software called “advanced mac cleaner”, an app that was
 hard to get rid of. I’m not certain it came from your site but it happened
 at the same time and I can’t think of any other explanation.  The download
 file from cmake.org (supposedly the latest stable dmg for mac) was much
 bigger (30MB) than the cmake file I subsequently downloaded from github.
 

I don't know about that, but I just noticed that cmake.org allows HTTP
(non-HTTPS) downloads.

HTTP has no form of cryptographic authentication or verification, and
it's incredibly easy for a MitM to attach malware to your downloads.

IMO, the HTTP downloads should be removed ASAP.


