Open Source Security


Recently it emerged that the PyPI repository had been infiltrated by some rogue code (1) – trojans that used the well-known Internet trick of typosquatting to infiltrate unsuspecting systems.

I just probably spewed out a bunch of garbage you don’t understand, so let me fill in the gray areas.

PyPI – This is the package repository for the Python programming language. For example, suppose I came up with a useful library for listing the contents of a web page and called it webDir. Suppose I wanted to share it. PyPI is where I would upload it, and other developers that had a reason to want to view the contents of a web page would be able to download it and use it as part of their own programs.

Typosquatting – This is a popular way to get someone to trust something untrustworthy. It relies on the fact that people are imperfect and sometimes type in words incorrectly.  Predict how people might do so, and you can create a web domain to intercept those typos and do … things. It’s been used for web pages quite frequently, but in the case of PyPI it can also be used for software libraries. Suppose you created a library called webdir (lower case D) that did the same thing but ALSO installed a virus. All you would need would be for a few unsuspecting developers to request the wrong package the right way a few times to get entrée to some interesting stuff.

So what happened is that over half a dozen packages similar to webdir were uploaded to PyPI and downloaded a few thousand times. They did exactly what the right packages do, but also added some code that – fortunately, this time – didn’t do anything malevolent, but could have without anyone’s knowledge.

Here are the interesting parts.

  1. I read so many Python-oriented blogs. And yet only one has mentioned this.
  2. At least five non-programmer blogs have mentioned this.

What the actual hell?

The Python “foundation” that maintains this repository says that they can’t help it – they have only two volunteers supporting this repository, and they aren’t gatekeepers: they just take the crap that gets uploaded at face value and move it on, provided it has all the right tick marks filled out. I could upload Professor Zola to PyPI and it would be okay as long as I filled out all the right forms.

They had no recommendations, no apologies, no plans. All they had were excuses.

I want to mention once again that a software language that forms a major part of the backbone of the greater internet has been infiltrated with trojans, twice, and that the people that maintain it have no plans for preventing it again, nor do the people that use it feel the least bit concerned.

One group of people, by the way, suggested that maybe keys would be good. You know, checksums by another name. The problems with this are:

  1. All packages are already uploaded with properly formed MD5 checksums.
  2. The checksum verifies only that the file has not been modified after it was uploaded by the creator.

So, basically, “This virus is 100% authentic”.

PyPI can only be trusted if:

  1. All uploads are scanned and validated by people with domain knowledge.
  2. A separate authenticity repository (or something like it) is maintained to track the fingerprints of the legitimate, vetted packages on PyPI.
  3. Somebody works there that knows enough about the ecosystem to get alarmed when seeing ‘lmxl’ uploaded and claiming to be ‘lxml’.
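As an added example (not from the original post), here is the kind of name check such a gatekeeper could run automatically: it normalizes a proposed package name PEP 503 style and flags it when it sits within one edit, including an adjacent swap like ‘lmxl’ for ‘lxml’, of a well-known package. The list of well-known names is a constructed sample, not PyPI data.

```python
import re

# Constructed sample of well-known names; a real check would use a
# download-ranked list of existing PyPI projects.
POPULAR = {"lxml", "urllib3", "requests", "setuptools", "acquisition", "django"}


def normalize(name):
    """PEP 503 style normalization: lower-case, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a, b):
    """Edit distance where insert, delete, substitute and an adjacent swap each
    cost 1.  The swap is what turns 'lxml' into 'lmxl'; plain Levenshtein would
    charge 2 for it and understate how typo-like the name is."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[n][m]


def typosquat_candidates(name, popular=POPULAR, max_distance=1):
    """Return the well-known names that `name` is confusable with: within
    max_distance edits after normalization, but not the same project."""
    norm = normalize(name)
    hits = []
    for p in sorted(popular):
        target = normalize(p)
        if norm == target:
            continue  # same project, not a lookalike
        if damerau_levenshtein(norm, target) <= max_distance:
            hits.append(p)
    return hits
```

Only names close to a known package are caught; a fake that borrows the name of a standard-library module rather than of a PyPI project needs a separate list to compare against.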

The good news for now is that this time around, the compromise was limited to Python 2 users. The next one will probably not be so limited.

By the way, if you are a sysadmin of a system that uses Python (for example, a RHEL system that uses Yum to manage its own packages), here’s a program that will let you know if you have been compromised.

from __future__ import print_function
# pip.get_installed_distributions() was removed in pip 10; pkg_resources (part of
# setuptools) exposes the same list of installed distributions, with .key lower-cased.
import pkg_resources
packages = sorted(dist.key for dist in pkg_resources.working_set)
# The typosquatted package names reported in this incident.
fakes = ['acqusition', 'apidev-coop', 'bzip', 'crypt', 'django-server', 'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib']
for fake in fakes:
    if fake in packages:
        print("Found {} in your installed packages, please delete {} from the system.".format(fake, fake))
    else:
        print("{} was not found on your system.".format(fake))



(1) – BTW, outstanding punage on the part of El Reg – Python variable typing is, after all, considered to be very loose. Poor, one might say.


They reported it. It must be true.

There’s a distinction to be made between a “reported breach” and a “verified breach” that allegedly obtained user data.

“Verified” generally means that a known e-journalist took the time to verify that the information contained in the “reported” breach was, in fact, accurate.

But often the e-journalist doesn’t have access to the data, or even a source to confirm that the breach is real, so the e-journalist will often downplay any breach reports that they haven’t verified (or seen solid confirmation of), because repeating an unverified report would damage their brand.

To an e-journalist, the brand is more important than the facts.

The problem is, the real world doesn’t give two shits if they verified it or not. If actual data was breached, then it is available on the Silk Road or reasonable facsimile. End of story.

So the question to you, the user, is this: did you have an account there?

If the answer is yes, then change your password at the very least.

That is the survival guide to the internet, in a nutshell, right there.

The Conservative Worldview is Anathema to the Internet

A few weeks ago, some fuckstick Thought Leader of the #gamerGate movement got his Trusted status removed by Twitter because he was abusive. This is not my opinion, it’s his own admission. He admits to being abusive on Twitter, and wants that to be endorsed by Twitter.

To be clear: he’s still allowed to post, abuse, whatever those little douchcanoes do on Twitter – he can still do it.

But he no longer bears the mark of a trusted poster on Twitter. That’s it. His user icon no longer has a little blue checkmark overlaid on it. That’s the extent of the Liberal Machine’s impact on his ability to spew offal into your face.

And that really pissed him off.


Monkeyballs himself showed up at the White House (not White Horse) to actually spring the question at an official press conference as to what the Obama administration thought of fine sociopaths like himself being censored by such Liberal Establishments and what the Administration thought of this methodical silencing of the Conservative Movement.

Unfortunately for us, the Press Secretary didn’t call him names and insult his mother on national TV. But he sure looked like he wanted to.

So let’s be clear on this, Righties. The culture of the Greater Internet has no place for you right now. Our Nation operates on principles that are somewhat more egalitarian than Conservative wisdom itself would be able to tolerate.

The reason you feel that the Internet is censoring you is because we ARE. We have no room for you or your pathetic worldview. And we are showing you the door. Site by site, forum by forum, we’re cleaning up and pushing you out of our venues.

Oh, don’t worry. You still have the right to express yourself. We’re not going anywhere near your Klan meetings, or your Lynching parties, or your book burnings. You can have those. Enjoy, as only a Conservative can.

But the Internet is ours. And we will continue to defend it.

Someday you’ll grow up and understand that it’s possible to be in favor of small government and financial conservatism without also being in favor of bullying, inequality among peers, and religious intolerance. And when that happens, we’ll welcome you back to our ranks, and we will each benefit from your returning to the ranks of Humanity.

But right now, your worldview sucks and you’re just not welcome as long as you bring that to the table. Sorry.

Some would say that this methodical exclusion of Conservative cockwaffles is itself a form of bullying. Well … no it isn’t. Listen, I’ve been bullied. I know what it’s like. You’re being excluded, not bullied. Totally different thing. I’ve also been excluded, and it feels totally different. Lot less bleeding, for one thing.