Topic: SourceForge mirror hacked. Bitcoin could be next target. - page 2. (Read 4477 times)

member
Activity: 86
Merit: 10
I will post a new script + a php version to put it on a shared hosting - for people who have just that...

When I post - I will be happy for donations Smiley

162QsQNozzpF242K3n7nXuzkBAtbjcsbQF

legendary
Activity: 1099
Merit: 1000
The script checks whether the SHA256SUMS.asc file is correctly signed or not, and then ignores the result and continues whether or not the signature is valid.

Yes, you are right, the script is very basic (I'm not a programmer, really) and does not check signature validity.


full member
Activity: 168
Merit: 100
forgive my ignorance, but uh

what about bit torrent?
legendary
Activity: 2940
Merit: 1333
The script checks whether the SHA256SUMS.asc file is correctly signed or not, and then ignores the result and continues whether or not the signature is valid.
legendary
Activity: 1099
Merit: 1000
Just import Gavin's key once, rather than once each time you run the script.

Yes, I think it only imports it once, if file is not present.
legendary
Activity: 1596
Merit: 1100
Just import Gavin's key once, rather than once each time you run the script.
legendary
Activity: 1099
Merit: 1000
I'm also thinking of setting up a script which every hour will download and PGP verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

Absolutely.  That is a perfect example of decentralized action at work...  we need as many people as possible checking these things.




This script will download and verify the bitcoin installer, and send an email if any problem is found. The mailutils package is needed.

Code:

#!/bin/bash

# Working directory holding the key, the hash list and the installer (placeholder path)
cd "/path to files/" || exit 1

# Fetch Gavin's public key only if it is not already on disk
if [ ! -f gavinandresen.asc ]
then
    wget http://bitcoin.org/gavinandresen.asc
fi

# Remove the previous copies so a failed download cannot be mistaken for a fresh one
rm -f SHA256SUMS.asc
rm -f bitcoin-0.7.0-win32-setup.exe

wget http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/SHA256SUMS.asc
wget http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/bitcoin-0.7.0-win32-setup.exe

# Import the key (this runs on every execution) and verify the signature on the hash list;
# the exit status of gpg --verify is not checked, so the script continues either way
gpg --import gavinandresen.asc
gpg --verify SHA256SUMS.asc

# Compare the locally computed hash line with the matching line from SHA256SUMS.asc
sha256sum bitcoin-0.7.0-win32-setup.exe > shafile.txt
grep bitcoin-0.7.0-win32-setup.exe SHA256SUMS.asc > shafile2.txt

if diff shafile.txt shafile2.txt >/dev/null ; then
  echo ""
else
   echo "Verify problem !" | mail -s Bla [email protected]
fi
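A hardened variant of the monitoring script, added here as an example and not the original poster's code: it stops on a bad `gpg --verify` exit status instead of continuing, imports the signing key only once (tracked by an assumed marker file), and compares the digest field by field rather than diffing whole lines. The key, hash-list and installer URLs and the mail address are parameters you supply; `mail` comes from mailutils as in the post.

```shell
#!/bin/bash
# Added example, not the original poster's script: the same download-and-verify
# loop, but the gpg --verify exit status is actually honoured, the signing key
# is imported once, and the hash is compared field by field. URLs and the
# mail address are passed in as parameters (assumptions, not fixed values).
set -u

# Return non-zero unless gpg reports a good signature on the hash list, so an
# unsigned or badly signed SHA256SUMS.asc is never trusted.
verify_signature() {
    gpg --batch --verify "$1" >/dev/null 2>&1
}

# Compare the SHA-256 of $2 against its entry in the hash list $1.
# Returns 0 on match, 1 when the entry is missing or the digest differs.
check_hash() {
    local sums_file=$1 target=$2 expected actual
    expected=$(grep -E "^[0-9a-f]{64} [ *]${target}\$" "$sums_file" | awk '{print $1}')
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$target" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

alert() { echo "$1" | mail -s "bitcoin download check" "$2"; }   # needs mailutils

# monitor DIR KEY_URL SUMS_URL FILE_URL MAILTO
monitor() {
    local dir=$1 key_url=$2 sums_url=$3 file_url=$4 mailto=$5
    local sums=SHA256SUMS.asc target
    target=$(basename "$file_url")
    cd "$dir" || return 2
    # Import the signing key once; a marker file (assumed name) avoids re-importing.
    if [ ! -f signing-key.imported ]; then
        wget -q -O signing-key.asc "$key_url" \
            && gpg --batch --import signing-key.asc && touch signing-key.imported
    fi
    rm -f "$sums" "$target"
    { wget -q -O "$sums" "$sums_url" && wget -q -O "$target" "$file_url"; } \
        || { alert "download of $target or $sums failed" "$mailto"; return 1; }
    # Stop here on a bad signature instead of falling through to the hash check.
    verify_signature "$sums" \
        || { alert "BAD SIGNATURE on $sums" "$mailto"; return 1; }
    check_hash "$sums" "$target" \
        || { alert "HASH MISMATCH for $target" "$mailto"; return 1; }
    return 0
}

# Run the monitor only when invoked with all five arguments (e.g. from cron).
if [ $# -eq 5 ]; then monitor "$@"; fi
```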


legendary
Activity: 1304
Merit: 1015
This link might be helpful on Sourceforge mirrors:

http://sourceforge.net/apps/trac/sourceforge/wiki/Mirrors
legendary
Activity: 1652
Merit: 2301
Chief Scientist
I'm also thinking of setting up a script which every hour will download and PGP verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?
Absolutely.  That is a perfect example of decentralized action at work...  we need as many people as possible checking these things.
I was just about to say the same thing; if there were multiple people all over the world downloading and checking the binaries against the PGP signatures that would be a wonderful thing, and would be much more robust against all the various attacks that might happen (DNS poisoning on some subset of the Internet, compromising one mirror, etc etc etc).
legendary
Activity: 1596
Merit: 1100
I'm also thinking of setting up a script which every hour will download and PGP verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

Absolutely.  That is a perfect example of decentralized action at work...  we need as many people as possible checking these things.

legendary
Activity: 1099
Merit: 1000

I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. Meanwhile, a dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.


Gavin would probably say something like, "You want to do it?"  Tongue

Sure, why not, though Jeff is right on the DDoS issues. I'm also thinking of setting up a script which every hour will download and PGP verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?
legendary
Activity: 1304
Merit: 1015

I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. Meanwhile, a dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.


Gavin would probably say something like, "You want to do it?"  Tongue
legendary
Activity: 1596
Merit: 1100
Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing.
Isn't it possible to set up a dedicated, hardened and fully audited server, only for the bitcoin updates repository?

A single server doesn't help much against DDoS, and bitcoin sites have often been DDoS victims in the past.

Multiple servers + active admin team can do it...  but at that point you've just reinvented SourceForge or CloudFlare.

If you go through a DDoS hardened proxy, you are back to trusting SF/CF/...

legendary
Activity: 1099
Merit: 1000
Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing.
Isn't it possible to set up a dedicated, hardened and fully audited server, only for the bitcoin updates repository?


This was discussed a while back.  Bitcoin devs considered hosting downloads on github which uses SSL and is more secure, but is attackable.

Maximum security is to use PGP.

I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. Meanwhile, a dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.

legendary
Activity: 1304
Merit: 1015
Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing.
Isn't it possible to set up a dedicated, hardened and fully audited server, only for the bitcoin updates repository?


This was discussed a while back.  Bitcoin devs considered hosting downloads on github which uses SSL and is more secure, but is attackable.

Maximum security is to use PGP.
legendary
Activity: 1099
Merit: 1000
Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing.
Isn't it possible to set up a dedicated, hardened and fully audited server, only for the bitcoin updates repository?
legendary
Activity: 1304
Merit: 1015
Obviously the hackers are going to change the hash on the site as well. How do you know you have a good hash? That is the problem.

Using Gavin's PGP signature you can test the SHA256SUMS.asc file to see if the hash in the file is legit.

EDIT: See this thread https://bitcointalksearch.org/topic/having-problems-verifying-bitcoin-download-with-gpg4win-69355
sr. member
Activity: 338
Merit: 253
Obviously the hackers are going to change the hash on the site as well. How do you know you have a good hash? That is the problem.

legendary
Activity: 1304
Merit: 1015
Make sure you use PGP to test your download before installing bitcoin.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

Quote
Summary

One server from the SourceForge.net mirror system was distributing a phpMyAdmin kit containing a backdoor.

Description

One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

Severity

We consider this vulnerability to be critical.