Re: [pmwiki-users] Infected Cookbook Recipes?
Perhaps the issue is not just digitally signing the files: that would be enough in a closed environment, where just a restricted bunch of developers uploads a few files. Here, due to the (almost) totally open approach (which is a positive thing, indeed), not only pages but also recipes are continually (even slightly) modified[1], by virtually anybody, thus deceiving any practical way to "certify" the code.

I am afraid that I exposed a problem which, though real (and possibly severe), cannot be easily solved. So, while there are other priorities, it is maybe better to forget it.

Luigi

[1] Just a simple example: Cookbook/DictIndex

___
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users

Re: [pmwiki-users] Infected Cookbook Recipes?
[EMAIL PROTECTED] wrote:
> While I see pmwiki site under spam attack, and after having restored a
> couple of web pages, I'm troubling myself with the following
> (dreadful) thought: is there a sort of security
> lock/code/flag/hash/signature/whatever allowing people to trust
> (somehow) the recipes the community upload/download and let run inside
> its servers?

Valid concern, although I don't know how tempting a target we are.

A Two-part Solution:

First, Maintainers and/or watchers monitor their recipe pages with Notify. Many already do this. Yes, they'd have to password their watchlist. (Anyone knowledgeable enough to infect a recipe would know how to edit a watchlist.)

Second, Watch for Uploads. There are some 3rd party recipes that do this already, but I don't know how they work. It might be easiest to say that an upload counts as changing all pages that reference it, which then triggers Notify.

If you get notified of a change you didn't make,...

This method still puts the onus on the page maintainer(s), but it requires no more work than they already do when they volunteer to watch and/or maintain a page. For legitimate updates, they get an email saying something they already know (and maybe some other watchers sending them email to double-check).

It fails when a recipe doesn't have a maintainer and/or watcher.

Sandy

Re: [pmwiki-users] Infected Cookbook Recipes?
On Sep 22, 2008, at 11:32 AM, Christophe David wrote:
> The only
> difficulty is to make sure a public key actually belongs to the
> "right" person and is not fake.

FYI, you can verify a person's identity online by asking them to share with you a Trufina ID card (see trufina.com).

Randy

Re: [pmwiki-users] Infected Cookbook Recipes?
>> But in order to sign the files, the public key for the signature would have to be posted somewhere!

That is the purpose of keyservers like http://pgp.mit.edu .

In order to make sure a public key actually belongs to the "right" person, public keys can be signed by others to create a "web of trust". It would be a good idea that active recipe authors sign each others key.

All that seems a bit complicated when explained, but is in fact nearly completely hidden by the software extensions/addons that handle the complexity.

All this is absolutely not new nor specific to PmWiki recipes... The techniques and the software are in daily use for many years by hundreds of thousands of persons for email, file transfer, etc. Automated software upgrades rely on them too: GPG is standard on most Linux distributions and used to validate the software distributed by the repositories.

>> Perhaps the author's profile page would be a good place to put that, the author could password protect this page?

Public keys may, by definition, be distributed to anyone. The only difficulty is to make sure a public key actually belongs to the "right" person and is not fake. Hence the web of trust.

Therefore, the (signed by others) public keys of the recipe authors could also be posted on pmwiki.org, and/or on their own site, and/or on key servers, etc.

As an example, here is my public key: https://www.christophedavid.org/w/c/w.php/Main/CDAPubkey

>> But if we do that, why not simply put the MD5 hashes on the author's profile page instead?

Because you lack the "web of trust". If you get a public key and can validate that several persons you trust have signed it (meaning "I certify this key belongs to xyz"), then you should feel confident. If you just have a hash, you cannot be sure it has not been calculated by the person who modified the file to insert some nasty code.

Christophe

Re: [pmwiki-users] Infected Cookbook Recipes?
> I would not like this extra work.

Yes, I see. I didn't necessarily mean extra work, actually. I just envisioned that any obstinate, although not refined, attack, consisting in polluting recipes with dangerous scripts, would bring pmwiki.org life to its end in not more than a few weeks.

I fancied that there is maybe a way to "flag" uploaded files somehow, in the most automated way. And for this, just for this (my skills and imagination being both quite low) I "summoned" the community. Perhaps there is some imaginative guy around who finds an uncommon but practical way to avoid problems.

Sorry, I did not want to bother, or otherwise stir these early autumn days.

Luigi

Re: [pmwiki-users] Infected Cookbook Recipes?
But in order to sign the files, the public key for the signature would have to be posted somewhere! Perhaps the author's profile page would be a good place to put that, the author could password protect this page? But if we do that, why not simply put the MD5 hashes on the author's profile page instead?

-Martin

--- On Mon, 9/22/08, Christophe David <[EMAIL PROTECTED]> wrote:

> From: Christophe David <[EMAIL PROTECTED]>
> Subject: Re: [pmwiki-users] Infected Cookbook Recipes?
> To: "Hans" <[EMAIL PROTECTED]>
> Cc: "PmWiki Users"
> Date: Monday, September 22, 2008, 9:12 AM
>
> > But it is quite a bit of extra work, and it forces a user to install
> > GPG in order to use the recipe.
>
> No: the user gets a .zip file containing the recipe that can be used
> directly. If *and only if* he wants to validate it, he can use GPG.
>
> The developer would just upload a zip file instead of a php file.
>
> Many files are already distributed on the internet with a signature
> file: look for example at PasswordSafe on
>
> http://sourceforge.net/project/showfiles.php?group_id=41019&package_id=33169&release_id=623132
>
> http://passwordsafe.sourceforge.net/
>
> Each file is supplied with a signature.
>
> Christophe

Re: [pmwiki-users] Infected Cookbook Recipes?
Another idea would be to review and then hash scripts now and then - for example at times of major releases. Doesn't necessarily have to be the script author who does this. Recipes would keep the most recent scrutinized version available for download. An official recipe installer would then ensure that the scripts in the "last scrutinized release" hash correctly.

That might protect a significant number of people who would choose to be safe. The fewer who might download a virus, the less of a target the scripts would be.

One downside to this approach is that it would retard adoption of the last version of scripts. But you'd have to compare that to the chilling consequences that the discovery of a virus would have on the adoption rate.

I wonder how other projects handle this problem. Maybe Pmwiki has it because it's so oriented to customization.

Randy

On Sep 22, 2008, at 2:49 AM, Hans wrote:

> Monday, September 22, 2008, 12:15:22 AM, Neil Herber (nospam) wrote:
>
>> I suppose authors could post an MD5 hash of the cookbook item,
>
> ... I would not like this extra work.

Re: [pmwiki-users] Infected Cookbook Recipes?
>> But it is quite a bit of extra work

Forgot to add that signing a file is typically done by right clicking in the file manager and typing a passphrase ;-)

The sign/encrypt/decrypt functions of GPG are very well integrated for most platforms, file managers, browsers and email clients with free add-ons.

Christophe

Re: [pmwiki-users] Infected Cookbook Recipes?
> But it is quite a bit of extra work, and it forces a user to install
> GPG in order to use the recipe.

No: the user gets a .zip file containing the recipe that can be used directly. If *and only if* he wants to validate it, he can use GPG.

The developer would just upload a zip file instead of a php file.

Many files are already distributed on the internet with a signature file: look for example at PasswordSafe on

http://sourceforge.net/project/showfiles.php?group_id=41019&package_id=33169&release_id=623132

http://passwordsafe.sourceforge.net/

Each file is supplied with a signature.

Christophe

Re: [pmwiki-users] Infected Cookbook Recipes?
Monday, September 22, 2008, 1:45:23 PM, Christophe David wrote:

> In order to avoid any problem with CR/LF sequences when downloading
> php files, the most reliable way would be to provide users with a zip
> file containing
> - the recipe (.php)
> - the signature of the recipe (.sig)
> In order to check the file has not been modified, a user will obtain
> your public key from a key server or your own site, and run GPG to
> validate the signature.
> This can be made nearly transparent using one of the various GPG
> front-ends and integration tools.
> I hope it is clearer ;-)

thanks yes. But it is quite a bit of extra work, and it forces a user to install GPG in order to use the recipe.

~Hans

Re: [pmwiki-users] Infected Cookbook Recipes?
Christophe David wrote:
> You can encrypt and/or sign?.
>
> In this case, we would just sign so that anyone can check it has not
> been altered.
>
> A signature can be sent within a text (like the signature of this mail
> (BEGIN PGP - END PGP), or can be separate.
>
> In order to avoid any problem with CR/LF sequences when downloading
> php files, the most reliable way would be to provide a zip file
> containing the recipe (recipe.zip containing recipe.php), and to sign
> this zip file. This will generate a signature (.sig) file that ha

The problem Hans was pointing out (IMHO) is that he is not so keen on adding effort for sending a recipe. IMHO a signature file that one can check would be sufficient.

My own 2c.

Re: [pmwiki-users] Infected Cookbook Recipes?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Oops, hit the wrong key - mail sent while editing

>> never mind, I understand now:
>> the script becomes an encrypted piece of text, and needs to be
>> decrypted before use.

You can encrypt and/or sign.

In this case, we would just sign so that anyone can check that the recipe has not been altered.

A signature can be sent within a text (like the signature of this mail (see BEGIN PGP - END PGP)), or can be separate.

In order to avoid any problem with CR/LF sequences when downloading php files, the most reliable way would be to provide users with a zip file containing

- the recipe (.php)
- the signature of the recipe (.sig)

In order to check the file has not been modified, a user will obtain your public key from a key server or your own site, and run GPG to validate the signature.

This can be made nearly transparent using one of the various GPG front-ends and integration tools.

I hope it is clearer ;-)

Christophe

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI15M/yu9YWMK6LU8RApPKAJ99AoI6/pMxPTLBRkekS6kqKhOAtQCghHT6
/+Z4x+88P5SskxG2y8M8vrs=
=boAy
-END PGP SIGNATURE-

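Two points from this thread as an added example (not code from the list or from PmWiki): an installer-side check of a recipe archive against a digest recorded at review time, as in Randy's "last scrutinized release" idea, and the CR/LF effect Christophe describes, which is why the zip rather than the bare .php is what gets hashed or signed. The file names, the manifest layout and the sample recipe are assumptions, and SHA-256 is used in place of the MD5 mentioned in the thread.

```python
import hashlib
import hmac
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_recipe_zip(member: str, php_source: bytes) -> bytes:
    """Pack one recipe file into a zip with a fixed timestamp (reproducible bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(zipfile.ZipInfo(member, date_time=(2008, 9, 22, 0, 0, 0)), php_source)
    return buf.getvalue()


def extract_recipe(archive: bytes, member: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(member)


def verify_download(archive: bytes, recipe: str, manifest: dict) -> str:
    """Classify a downloaded archive as 'ok', 'mismatch' or 'unreviewed'."""
    expected = manifest.get(recipe)
    if expected is None:
        return "unreviewed"  # nobody has scrutinized this recipe yet
    if hmac.compare_digest(sha256_hex(archive), expected):
        return "ok"
    return "mismatch"  # altered after review, or a newer upload not yet reviewed


# Constructed sample data: a reviewed recipe and a copy changed after review.
REVIEWED_PHP = b"<?php\n// constructed sample recipe\necho 'hello';\n"
REVIEWED_ZIP = build_recipe_zip("example.php", REVIEWED_PHP)
ALTERED_ZIP = build_recipe_zip("example.php", REVIEWED_PHP + b"// line added after review\n")

# Assumption: the manifest is written at review time and stored where
# ordinary uploaders cannot replace it (not next to the download itself).
MANIFEST = {"example.zip": sha256_hex(REVIEWED_ZIP)}


def crlf_breaks_bare_php_digest() -> bool:
    """A transfer that rewrites LF as CR/LF changes the digest of an untouched .php."""
    as_received = REVIEWED_PHP.replace(b"\n", b"\r\n")
    return sha256_hex(as_received) != sha256_hex(REVIEWED_PHP)


if __name__ == "__main__":
    print(verify_download(REVIEWED_ZIP, "example.zip", MANIFEST))
    print(verify_download(ALTERED_ZIP, "example.zip", MANIFEST))
    print(verify_download(REVIEWED_ZIP, "other.zip", MANIFEST))
    print(crlf_breaks_bare_php_digest())
    print(extract_recipe(REVIEWED_ZIP, "example.php") == REVIEWED_PHP)
```

A "mismatch" here cannot distinguish tampering from a legitimate newer upload, which is the adoption delay Randy mentions.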
Re: [pmwiki-users] Infected Cookbook Recipes?
> never mind, I understand now:
> the script becomes an encrypted piece of text, and needs to be
> decrypted before use.

You can encrypt and/or sign?.

In this case, we would just sign so that anyone can check it has not been altered.

A signature can be sent within a text (like the signature of this mail (BEGIN PGP - END PGP), or can be separate.

In order to avoid any problem with CR/LF sequences when downloading php files, the most reliable way would be to provide a zip file containing the recipe (recipe.zip containing recipe.php), and to sign this zip file. This will generate a signature (.sig) file that ha

Re: [pmwiki-users] Infected Cookbook Recipes?
Monday, September 22, 2008, 1:11:27 PM, Hans wrote:

> sorry, I do not understand these tools.
> Is a GPG signature added to the code in a script, or does the script
> need to be packaged in some special container, which is signed?
> If it is the first, how does it prevent anyone to copy and use in
> their own modified script?
> If it is the latter then it is a considerable extra burden for
> publishing a recipe script. I really just want to upload updated
> recipe scripts, without having to bother about packages.
> I try even to avoid zipping things if possible.

never mind, I understand now: the script becomes an encrypted piece of text, and needs to be decrypted before use.

Hans

Re: [pmwiki-users] Infected Cookbook Recipes?
Monday, September 22, 2008, 9:37:56 AM, Christophe David wrote:

> If a recipe developer is willing to do that little extra work, a GPG
> signature for the recipe would be all that is required. The
> developer's public key can be made available on any key server so that
> anyone could check the recipe has not been altered in any way.
> http://www.gnupg.org/
> http://getfiregpg.org/

sorry, I do not understand these tools.

Is a GPG signature added to the code in a script, or does the script need to be packaged in some special container, which is signed?

If it is the first, how does it prevent anyone to copy and use in their own modified script?

If it is the latter then it is a considerable extra burden for publishing a recipe script. I really just want to upload updated recipe scripts, without having to bother about packages. I try even to avoid zipping things if possible.

~Hans

Re: [pmwiki-users] Infected Cookbook Recipes?
> I'm troubling myself with the following
> (dreadful) thought: is there a sort of security
> lock/code/flag/hash/signature/whatever allowing people to trust
> (somehow) the recipes the community upload/download and let run inside
> its servers?

If a recipe developer is willing to do that little extra work, a GPG signature for the recipe would be all that is required. The developer's public key can be made available on any key server so that anyone could check the recipe has not been altered in any way.

http://www.gnupg.org/

http://getfiregpg.org/

(+ many front-ends and integration tools)

Christophe

Re: [pmwiki-users] Infected Cookbook Recipes?
Monday, September 22, 2008, 12:15:22 AM, Neil Herber (nospam) wrote:

> I suppose authors could post an MD5 hash of the cookbook item, but in an
> area strictly under their control, otherwise the cracker would just
> upload a new MD5 along with the malicious script.
> For example, Hans could post the MD5 hashes on his website for the
> cookbook entries he has on the PmWiki site.
> However, any such scheme means more work for the authors.

Exactly. And since I am mentioned, I would not like this extra work. If I am required/requested to create MD5 hashes and upload these to my own website, I would rather upload the scripts just there, and not on pmwiki.org, since I have full control who may upload on my site. But I always preferred to support pmwiki.org's cookbook.

I know I can maintain a cookbook page and have the download link pointing to my own site. This may be quite a good solution, for me, at any rate, and for others with own sites, if a need to tighter file security is really required.

Alternatively uploads on pmwiki.org could be on a per page basis, and the cookbook page maintainer could set an upload password for the page. But this may well evoke far too much maintenance work for Patrick.

One other not foolproof way for someone worried about file integrity may be to check the file upload date against the version date as stated on the cookbook page. A page listing the recent file uploads in the cookbook group may be useful too.

If uploads are done on a per page basis, perhaps one could set a notification on new file uploads to the page similar to notifications on changes to a page. I know PmWiki has not got the mechanism for this, but it may be a useful addition.

~Hans

Re: [pmwiki-users] Infected Cookbook Recipes?
[EMAIL PROTECTED] wrote:
> While I see pmwiki site under spam attack, and after having restored a
> couple of web pages, I'm troubling myself with the following
> (dreadful) thought: is there a sort of security
> lock/code/flag/hash/signature/whatever allowing people to trust
> (somehow) the recipes the community upload/download and let run inside
> its servers?
>
> Live example: I trust Hans and, due to the very many enhancements and
> updates of Fox over time, I often happen to download and let the
> latest Fox run at my site. Of course there is no way for me to
> scrutinize the code (far too technical), so: how do I know that any
> John Hacker hasn't just uploaded a malicious version of Fox, with that
> couple of lines added which are perhaps enough to open a backdoor or
> do harm in any way?
>
> In case there is no security barrier at all, I humbly suggest some ad
> hoc brainstorming should be welcome.
>
> Luigi

I suppose authors could post an MD5 hash of the cookbook item, but in an area strictly under their control, otherwise the cracker would just upload a new MD5 along with the malicious script.

For example, Hans could post the MD5 hashes on his website for the cookbook entries he has on the PmWiki site.

However, any such scheme means more work for the authors.

(Whoops! Sent original to Luigi only. Sorry.)

--
Neil Herber
Corporate info at http://www.eton.ca/