Open Source Security

trojanrabbit

Recently it emerged that the PyPI repository had been infiltrated by some rogue code (1) – trojans that used the well-known Internet trick of typosquatting to get themselves installed on unsuspecting systems.

I just probably spewed out a bunch of garbage you don’t understand, so let me fill in the gray areas.

PyPI – This is the package repository for the Python programming language. For example, suppose I came up with a useful library for listing the contents of a web page and called it webDir. Suppose I wanted to share it. PyPI is where I would upload it, and other developers that had a reason to want to view the contents of a web page would be able to download it and use it as part of their own programs.

Typosquatting – This is a popular way to get someone to trust something untrustworthy. It relies on the fact that people are imperfect and sometimes type words incorrectly. Predict how people might do so, and you can register a web domain to intercept those typos and do … things. It has been used against web pages quite frequently, but in the case of PyPI it can also be used against software libraries. Suppose you created a library called webdir (lower case D) that did the same thing as webDir but ALSO installed a virus. All you would need is for a few unsuspecting developers to mistype the package name on the install command line a few times to gain entrée to some interesting stuff.

So what happened is that over half a dozen packages of exactly that kind got uploaded to PyPI and downloaded a few thousand times. They did exactly what the right packages do, but also added some code that – fortunately, this time – didn’t do anything malevolent, but could have without anyone’s knowledge.

Here are the interesting parts.

  1. I read so many Python oriented blogs. And yet only one has mentioned this.
  2. At least five non-programmer blogs have mentioned this.

What the actual hell?

The Python “foundation” that maintains this repository says it can’t help it – it has only two volunteers supporting the repository, and they aren’t gatekeepers; they take whatever gets uploaded at face value and move it along, provided all the right boxes are ticked. I could upload Professor Zola to PyPI and it would be okay as long as I filled out all the right forms.

They had no recommendations, no apologies, no plans. All they had were excuses.

I want to mention once again that a programming language that forms a major part of the backbone of the greater Internet has had its package repository infiltrated with trojans, twice, and that the people that maintain it have no plans for preventing it again, nor do the people that use it feel the least bit concerned.

One group of people, by the way, suggested that maybe signing keys would be good. In this situation they are checksums by another name. The problems with this are:

  1. All packages are already uploaded with properly formed MD5 checksums.
  2. A checksum verifies only that the file has not been modified after the creator uploaded it, and a signature adds only that the holder of the key is the one who uploaded it. The typosquatter is the creator of, and the key holder for, his own package, so both checks pass.

So, basically, “This virus is 100% authentic”.

PyPI can only be trusted if:

  1. All uploads are scanned and validated by people with domain knowledge.
  2. A separate authenticity repository (or something like it) is maintained to track the fingerprints of the legitimate, vetted packages on PyPI.
  3. Somebody works there that knows enough about the ecosystem to get alarmed when seeing ‘lmxl’ uploaded and claiming to be ‘lxml’.
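As an added illustration (not code from the original post or from PyPI), here is what points 2 and 3 look like as code: a near-miss check that raises the alarm on ‘lmxl’ next to ‘lxml’ and on any other name one edit away from a vetted name, plus a separate fingerprint list that answers “was this exact file vetted?” rather than “did this file arrive intact?”. The vetted-name list, the package names and the artifact bytes are constructed for the example; the distance function is optimal string alignment (edit distance that also counts an adjacent swap as one edit), so it covers every near miss of that kind, not just the one the post names.

```python
import hashlib
import re


def normalize(name):
    """PEP 503 name normalisation, the form PyPI itself compares names in."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Constructed allowlist of names somebody with domain knowledge has vetted.
LEGIT = [normalize(n) for n in
         ["lxml", "urllib3", "acquisition", "setuptools", "requests", "django"]]


def dl_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or swap two
    adjacent characters each cost 1, so 'lmxl' is 1 edit from 'lxml'."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def suspicious_names(requested, legit=LEGIT, max_distance=1):
    """Return {requested_name: closest_vetted_name} for every requested name that
    is not itself vetted but sits within max_distance edits of a vetted name."""
    hits = {}
    for name in requested:
        n = normalize(name)
        if n in legit:
            continue
        distance, closest = min((dl_distance(n, l), l) for l in legit)
        if distance <= max_distance:
            hits[name] = closest
    return hits


# Constructed byte strings standing in for two sdists; the fingerprint list
# records the SHA-256 of the one that was actually vetted.
GOOD_SDIST = b"lxml-4.0.0.tar.gz (constructed placeholder bytes)"
EVIL_SDIST = b"lmxl-4.0.0.tar.gz (constructed placeholder bytes plus a trojan)"
VETTED = {("lxml", "4.0.0"): hashlib.sha256(GOOD_SDIST).hexdigest()}
# The digest PyPI would publish next to the typosquat: computed by the uploader.
EVIL_PUBLISHED_MD5 = hashlib.md5(EVIL_SDIST).hexdigest()


def pypi_integrity_ok(data, published_md5):
    """What the MD5 on PyPI proves: the file matches what the uploader sent."""
    return hashlib.md5(data).hexdigest() == published_md5


def vetted_ok(name, version, data, vetted=VETTED):
    """What the separate fingerprint list proves: somebody vetted this exact file."""
    expected = vetted.get((normalize(name), version))
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    print(suspicious_names(["lmxl", "urlib3", "acqusition", "requests", "django-server"]))
    print("integrity:", pypi_integrity_ok(EVIL_SDIST, EVIL_PUBLISHED_MD5))  # True
    print("vetted:", vetted_ok("lmxl", "4.0.0", EVIL_SDIST))                 # False
```

The integrity check passing while the vetted check fails is the “this virus is 100% authentic” point in two lines. On the consumer side, pip’s `--require-hashes` mode with `--hash=sha256:…` entries in a requirements file is the same fingerprint idea applied per project; it still depends on somebody having vetted the file whose hash was pinned. A distance threshold of 1 catches the transposition and single-character cases on the page; raising it catches more but starts flagging legitimately similar names, so the alarm belongs in front of a human, not in an automatic reject.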

The good news for now is that this time around, the compromise was limited to Python 2 users.  The next one will probably not be so limited.

By the way, if you are a sysadmin of a system that uses Python (for example, a RHEL system that uses Yum to manage its own packages), here’s a program that will tell you whether any of the known fake packages is installed for the Python interpreter you run it with.

from __future__ import print_function
import re

# pip.get_installed_distributions() was removed in pip 10, so enumerate installed
# distributions with the standard library instead (importlib.metadata on Python 3.8+,
# pkg_resources on older interpreters). Only packages visible to this interpreter are
# checked, so run the script once with each python on the box.
try:
    from importlib.metadata import distributions
    names = (d.metadata['Name'] or '' for d in distributions())
except ImportError:
    from pkg_resources import working_set
    names = (d.project_name for d in working_set)

# PEP 503 normalisation, so 'Setup_Tools' and 'setup-tools' compare equal.
packages = sorted(set(re.sub(r'[-_.]+', '-', n).lower() for n in names))
fakes = ['acqusition', 'apidev-coop', 'bzip', 'crypt', 'django-server', 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib']
for fake in fakes:
    if fake in packages:
        print("Found {} in your installed packages, please delete {} from the system.".format(fake, fake))
    else:
        print("{} was not found on your system.".format(fake))



(1) – BTW, outstanding punage on the part of El Reg – Python variable typing is, after all, considered to be very loose. Poor, one might say.


Fallen Heroes

Remember the OS Wars?

Back in the 80s and 90s my computing platform of choice was the Amiga, a feisty platform that offered lightweight realtime preemptive multitasking for a really good price. Along the way it established itself as the premier platform for video and graphics, going so far as to become the platform that authored the graphics for the TV series “Babylon 5”.

Back then it was possible to be passionate about operating systems and computer vendors, as opposed to today’s exercise in choosing one shade of mediocrity over another.

My sweetie recently acquired for me the sticker you see above, the famous Amiga rainbow checkmark. I fly this flag with pride, but also with regret.

Commodore and the Amiga suffered from mediocre management that managed to destroy the legacy of an extraordinary team of developers. That is my regret: that today we are met with a choice between two or three flavors of library paste, and for some reason people manage to generate loyalty for one over the other. Not me. I know what we lost.

What we lost is the chance to see a better computing world. Even if you’re a Mac Head, your OS would have been better by virtue of having some actual competition. AmigaDOS alive and well and on its own would have pushed everyone to do better.

So I fly this particular geek flag in remembrance of the world that could have been rather than the world that was. Because we had hope, and fire, and ambition, and passion. And it was betrayed by a bunch of guys in the Caymans.

They reported it. It must be true.

There’s a distinction to be made between a “reported breach” and a “verified breach” that allegedly obtained user data.

“Verified” generally means that a known e-journalist took the time to verify that the information contained in the “reported” breach was, in fact, accurate.

But often the e-journalist doesn’t have access to the data, or even a source to confirm that the breach is real, so the e-journalist will often downplay any breach reports that they haven’t verified (or seen solid confirmation of), because passing along an unverified report reflects badly on their brand.

To an e-journalist, the brand is more important than the facts.

The problem is, the real world doesn’t give two shits if they verified it or not. If actual data was breached, then it is available on the Silk Road or reasonable facsimile. End of story.

So the question to you, the user, is this: did you have an account there?

If the answer is yes, then change your password at the very least.

That is the survival guide to the internet, in a nutshell, right there.

The Conservative Worldview is Anathema to the Internet

A few weeks ago, some fuckstick Thought Leader of the #gamerGate movement got his Trusted status removed by Twitter because he was abusive. This is not my opinion, it’s his own admission. He admits to being abusive on Twitter, and wants that to be endorsed by Twitter.

To be clear: he’s still allowed to post, abuse, whatever those little douchecanoes do on Twitter – he can still do it.

But he no longer bears the mark of a trusted poster on Twitter. That’s it. His user icon no longer has a little blue checkmark overlaid on it. That’s the extent of the Liberal Machine’s impact on his ability to spew offal into your face.

And that really pissed him off.


Monkeyballs himself showed up at the White House (not White Horse) to actually spring the question at an official press conference as to what the Obama administration thought of fine sociopaths like himself being censored by such Liberal Establishments and what the Administration thought of this methodical silencing of the Conservative Movement.

Unfortunately for us, the Press Secretary didn’t call him names and insult his mother on national TV. But he sure looked like he wanted to.

So let’s be clear on this, Righties. The culture of the Greater Internet has no place for you right now. Our Nation operates on principles that are somewhat more egalitarian than Conservative wisdom itself would be able to tolerate.

The reason you feel that the Internet is censoring you is because we ARE. We have no room for you or your pathetic worldview. And we are showing you the door. Site by site, forum by forum, we’re cleaning up and pushing you out of our venues.

Oh, don’t worry. You still have the right to express yourself. We’re not going anywhere near your Klan meetings, or your Lynching parties, or your book burnings. You can have those. Enjoy, as only a Conservative can.

But the Internet is ours. And we will continue to defend it.

Someday you’ll grow up and understand that it’s possible to be in favor of small government and financial conservatism without also being in favor of bullying, inequality among peers, and religious intolerance. And when that happens, we’ll welcome you back to our ranks, and we will each benefit from your returning to the ranks of Humanity.

But right now, your worldview sucks and you’re just not welcome as long as you bring that to table. Sorry.

Some would say that this methodical exclusion of Conservative cockwaffles is itself a form of bullying.  Well … no it isn’t. Listen, I’ve been bullied. I know what it’s like.  You’re being excluded, not bullied. Totally different thing.  I’ve also been excluded, and it feels totally different. Lot less bleeding, for one thing.

Your place

That’s a great MMO you wrote there. I’m sure your mother is very proud.

But look at  this.

It’s the size and shape of a grand piano. It was launched at over six times the speed of a bullet at a pea being orbited by a BB over three billion miles away. And when it got there, it put down the phone and snapped tons of pictures while skimming past the pea and the BB at 30,000 MPH. All on its own. And then, it located Earth and let us know it was okay.

Compared to what these programming Titans did, your lovely Web App bears about as much resemblance to “computer science” as “Chopsticks” does to Wagner’s Ring cycle.

Giants walk amongst us, and it is during weeks such as these that we are forcefully reminded of our place in the programming universe.  I don’t care how sweet your Android app is.  It is fit for little else but a sacrifice to the Programming Gods that gave us this.


Everything I Needed to Cope, I Learned from Arthur Dent

We all have internal defense mechanisms. We usually don’t develop them on purpose.  They just happen.

Mine came from, for starters, the absurdity of British science fiction and comedy.  It started with Monty Python.  Then I met Arthur Dent and the crew of the Heart of Gold. Such wonderful fodder for the imagination opened doors to other absurdist corridors.

For whatever reason, I found that my personal issues became far less threatening if I could wrap them up in absurd concepts, and reading such ridiculous stories provided me with more ammunition with which to fight that which bugged me.

Science Fiction and Fantasy provided the most magnificent vistas of such absurdity, though often it was couched in context that didn’t really fit in my modern landscape. But it often contained contextual handles that let me wire bits of it into my reality.

A lot of authors have absurdist chops without being known as absurdist authors. But they’ve found ways to hang absurdist concepts out there in the middle of serious-ish stories. Have a look at early Heinlein, or Niven’s Ringworld-era stories.  Heck, Niven even took an absurdist fan protest against The Ringworld’s concepts (“The Ringworld is unstable!”) and made it a plot element of a sequel.

The point of all this being: don’t let anyone tell you this stuff isn’t worth spending your time on. What’s the point of Hamlet if you can’t relate? Shakespeare or Nietzsche might be Srs Bsns, but they’re also pretty much useless in helping you develop mental defenses against, well, pretty much anything.

I mean, unless happiness is something you need defense against.