
posted to status updates via twitter on jan 22nd, 2018 and commented on 97 times

97 Comments

David (authentic, via ) on january 22nd, 2018 at 17:27:42:

You're damned if you do and you're damned if you don't...

1⃣🕋⛓️ Social Entrepreneur (authentic, via ) on january 22nd, 2018 at 17:28:10:

Funny tho I never saw configure asking for root password.

𝓓𝓪𝓷 𝓔𝓵𝓵𝓲𝓼 (authentic, via ) on january 23rd, 2018 at 05:36:56:

@jcs sudo make install

Fleischmann (authentic, via ) on january 23rd, 2018 at 06:25:41:

@Nolaan_boy @jcs naa, don't do that. Pollutes your systemroot. Configure with --prefix="somewhere in your homefolder" and make install without sudo.

1⃣🕋⛓️ Social Entrepreneur (authentic, via ) on january 23rd, 2018 at 06:30:04:

@danellis @jcs It's the way to go. I cannot expect them to RTFM tho.... 🙄

Stephen Harris (authentic, via ) on january 23rd, 2018 at 07:49:35:

@danellis @Nolaan_boy @jcs On my machine I typically do

sudo mkdir /usr/local/appname
sudo chown sweh.sweh /usr/local/appname

And then configure for that target.

1⃣🕋⛓️ Social Entrepreneur (authentic, via ) on january 23rd, 2018 at 07:52:34:

@ChiefDetektor @danellis @jcs Great technique! I'll try it.
Also user.group? Or : ?

Stephen Harris (authentic, via ) on january 23rd, 2018 at 07:56:46:

@ChiefDetektor @danellis @jcs Linux coreutils "chown" accepts both syntaxes. I think one came from BSD and one from SysV, but I might be misremembering. POSIX specifies : so, really, that should be used for compatibility (just in case a username has a . in it).

1⃣🕋⛓️ Social Entrepreneur (authentic, via ) on january 23rd, 2018 at 07:59:15:

@ChiefDetektor @danellis @jcs On an unrelated note, you ever used (managed) systemd sandbox?

1⃣🕋⛓️ Social Entrepreneur (authentic, via ) on january 23rd, 2018 at 08:00:27:

@ChiefDetektor @danellis @jcs I need a sandbox mechanism for those Electron app cancer.

Stephen Harris (authentic, via ) on january 23rd, 2018 at 08:04:33:

@ChiefDetektor @danellis @jcs No, I've never used it.

𝓓𝓪𝓷 𝓔𝓵𝓵𝓲𝓼 (authentic, via ) on january 24th, 2018 at 11:44:58:

@Nolaan_boy @jcs Depends who you're installing it for. And what decade it is.

1⃣🕋⛓️ Social Entrepreneur (authentic, via ) on january 23rd, 2018 at 06:30:16:

@jcs That's not configure...

𝓓𝓪𝓷 𝓔𝓵𝓵𝓲𝓼 (authentic, via ) on january 24th, 2018 at 11:44:15:

@jcs Running something created by an obfuscated shell script is broadly equivalent to running an obfuscated shell script.

1⃣🕋⛓️ Social Entrepreneur (authentic, via ) on january 24th, 2018 at 12:01:36:

@jcs What's your point? Because following your logic you shouldn't even trust the source code, because so many lines = obfuscated!
And FYI configure is also generated. If you're not satisfied/trusting the one provided you can still write your configure.am 😉

Chris Ridd (authentic, via ) on january 23rd, 2018 at 04:10:15:

Jose manuel de arce (authentic, via ) on january 23rd, 2018 at 05:20:50:

@maishsk Yeah, or just issue ye old configure; make; make install

Bernd Schuller (authentic, via ) on january 23rd, 2018 at 05:38:34:

TBH, it has been ages since I've done that... is trusting the distros and their repos better or worse?

chris (authentic, via ) on january 23rd, 2018 at 05:50:17:

Well confirm the hash first wildman!

Topper Bowers (authentic, via ) on january 23rd, 2018 at 06:01:21:

And forget to compare the md5 on that source that the https gave you for free :)

Paul Harvey (authentic, via ) on january 23rd, 2018 at 06:17:10:

@jcs ... transport security != provenance of content delivered over the transport...

Topper Bowers (authentic, via ) on january 23rd, 2018 at 06:30:43:

@jcs Totally true. ./configure doesn’t give you that either :)

Paul Harvey (authentic, via ) on january 23rd, 2018 at 06:33:43:

@jcs I get it, but there are many work environments out there where human-curated and validated provenance for checking signatures and shasums on source tarballs is a thing. There’s even some gradle integration, if you’re a java shop, for example.

Paul Harvey (authentic, via ) on january 23rd, 2018 at 06:36:15:

@jcs I know we implicitly trust the upstream authors (and the control of their signing keys, etc) but you have to anchor trust somewhere. And it doesn’t have to be a https web server that can detect curl | sh and start a reverse shell instead of the tarball you’d be served w/just curl

Topper Bowers (authentic, via ) on january 23rd, 2018 at 06:57:38:

@jcs I was giving a tongue-in-cheek answer to a funny tweet. You are absolutely right. However, I don't think *most* current systems give you "much" more protection than curl |. I have really high hopes for systems like firefox update and cothority.

Paul Harvey (authentic, via ) on january 23rd, 2018 at 14:59:11:

@jcs There’s a lot that can and is being done in secure software development; I suspect we’ll see “supply chain” attacks pick up in 2018. On the app updating side, TUF has been around for a while now and I’ve been impressed with @CiPHPerCoder’s Chronicle https://paragonie.com/blog/2017/07/chronicle-will-make-you-question-need-for-blockchain-technology

Paul Harvey (authentic, via ) on january 23rd, 2018 at 15:07:10:

@jcs @CiPHPerCoder There’s a loud portion of developer culture with unsafe practices in many many ways... blind curl | sh, being unable to say where a software component came from (or what the licenses are) are some of them. But that’s not everyone.. others have been, continue to do better

Paul Harvey (authentic, via ) on january 23rd, 2018 at 15:09:04:

@jcs @CiPHPerCoder For the users, distros like Debian have per-contributor signing keys for pushing software into controlled build environments and you as the end user can be reasonably sure that if the package manager says it’s trusted, it came through their infra & process

Paul Harvey (authentic, via ) on january 23rd, 2018 at 15:11:23:

@jcs @CiPHPerCoder Debian in particular has the reproducible builds project and enough process in place that they are able to have consensus builds soon. Most packages build exactly the same, bit-for-bit, on any machine

Paul Harvey (authentic, via ) on january 23rd, 2018 at 15:14:34:

@jcs @CiPHPerCoder It takes a lot of work to get even this far and trust is still involved, but I go a little crazy when people assume https:// is the end of the road for what software & security engineering discipline has to offer :P

Topper Bowers (authentic, via ) on january 23rd, 2018 at 15:16:38:

@jcs @CiPHPerCoder For sure and trusting your distro packages is waaaaay safer. I’d argue that installing a random repo and installing a package from there is not actually much safer.

Topper Bowers (authentic, via ) on january 23rd, 2018 at 15:18:42:

@jcs @CiPHPerCoder But anyway I think we agree on 99% and I think you put out a bunch of great info here.

Topper Bowers (authentic, via ) on january 23rd, 2018 at 15:15:00:

@jcs @CiPHPerCoder Thanks for the link! Seems similar to trillian. I’m all about those projects. I worry about incentives when it comes to the “non-Blockchain.” I wonder if there’s an intermediate idea where you just pay someone a dime to co-sign your ledger.

Stian Soiland-Reyes (authentic, via ) on january 24th, 2018 at 07:04:43:

@tobowers @jcs @CiPHPerCoder Particularly just blindly adding third-party dependencies..
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

Scott Arciszewski (authentic, via ) on january 24th, 2018 at 07:06:11:

@csirac2 @tobowers @jcs No cryptography protocol can fix stupidity, but it can at least hold the dependency developers accountable.

Turing Girl (authentic, via ) on january 24th, 2018 at 07:03:43:

@tobowers @jcs Also Test and Eval labs. We have to verify what we are putting on there is what we put on there.

PuffySecurity (authentic, via ) on january 23rd, 2018 at 20:26:43:

@jcs Linux Mint: A bit who, the Linux Mint repo was hacked and hosted a malicious ISO, but never changed the SHA256 sum on the website

FYI: An attacker will have no problem finding a hash collision in MD5 or SHA1, they are both completely broken.

Topper Bowers (authentic, via ) on january 24th, 2018 at 00:09:37:

@jcs Which is why I chose md5 for my joke answer :). There are a lot of good points below though and state of the art security does provide reasonable trust... just that state of the art hasn’t been evenly distributed yet.

PuffySecurity (authentic, via ) on january 24th, 2018 at 11:28:03:

@jcs Can’t keep myself from pointing out that SHA2-256bit is not the _State Of the Art_ hashing algo

It is the minimum acceptable hashing algo

You need to look into SHA3

Stian Soiland-Reyes (authentic, via ) on january 24th, 2018 at 07:00:13:

@jcs Have you got a handy curl slip to do that? :)
(btw, sha256 for the win)
For Apache software releases we always recommend GPG verification against KEYS file (downloaded over https!)
https://www.apache.org/info/verification.html

ʃɐm Wilʃon (authentic, via ) on january 23rd, 2018 at 06:06:38:

You can install an IDE plugin from an SV company that’ll upload all of your ~ to their servers and then give you an embedded terminal with helpful keylogger to `sudo make install` with ANSI colors.

Jeremy Derr (authentic, via ) on january 23rd, 2018 at 06:10:22:

@jessfraz I want to make a joke that downloading it with wget instead is more secure, but someone will probably think I’m serious.

Steven L (authentic, via ) on january 23rd, 2018 at 21:45:30:

@jcs @jessfraz wget uses https, bash doesn't.
QED.

Steven L (authentic, via ) on january 23rd, 2018 at 21:53:24:

@jcs @jessfraz pic.twitter.com/jUzCQaZgEG

Roman (authentic, via ) on january 23rd, 2018 at 06:29:54:

@littleidea 300Kb shell script will get you a production kubernetes setup up and running

mirabilos (authentic, via ) on january 23rd, 2018 at 06:32:17:

CONFIGURE_STYLE= autogen

Vincent Dahmen (authentic, via ) on january 23rd, 2018 at 06:43:57:

I wonder if there is a tool for managing programs as packages...

RotoPenguinCoin (authentic, via ) on january 23rd, 2018 at 08:59:37:

@jcs It’s called SETUP.EXE

Paul Seyfert (authentic, via ) on january 23rd, 2018 at 07:06:52:

that's also the solution to copy and pasting code from your webbrowser to your shell.

Deon Moolman (authentic, via ) on january 23rd, 2018 at 07:53:53:

but.. all my friends recommended it to me! .. with the same text... over twitter... oh...

Daniel Bohannon (authentic, via ) on january 23rd, 2018 at 08:03:51:

@JamesHovious You had me at "obfuscated shell script" ;)

James Hovious (authentic, via ) on january 23rd, 2018 at 08:21:04:

@jcs *unless it was obfuscated by DaaS. Then it's definitely safe 😉

Daniel Bohannon (authentic, via ) on january 23rd, 2018 at 08:22:44:

@jcs What is this DaaS you speak of?

Fred Wenzel (authentic, via ) on january 24th, 2018 at 02:23:20:

@JamesHovious @jcs Really, you foolishly missed out on asking "was ist DaaS"?

Daniel Bohannon (authentic, via ) on january 24th, 2018 at 05:23:20:

@JamesHovious @jcs Well-played, Fred...haha.

Stefan Rusterholz (authentic, via ) on january 23rd, 2018 at 09:40:35:

@steveklabnik naaa, for good measure, check the md5 of the code against the md5 - which you get from the same place as the code…

Some(@steveklabnik) (authentic, via ) on january 23rd, 2018 at 09:45:53:

@jcs md5sum “rm -rf *”

Paul Crowley (authentic, via ) on january 23rd, 2018 at 09:41:56:

Is anyone working on a fix to this? Can containers be made convenient enough to alleviate this problem?

Emily Pixels (authentic, via ) on january 23rd, 2018 at 10:33:05:

You can serve different results to wget piped into a shell than regular wget or a webpage peeking at the file, so it’s still a somewhat worse idea

Smashed Patriarch (authentic, via ) on january 23rd, 2018 at 11:13:23:

The bar for making a source tarball with a configure script do evil (or even anything) is far higher than curling one out to bash. Either way you are still shitting your own bed if you don't use a package manager.

NinjaCyborg (authentic, via ) on january 23rd, 2018 at 11:19:32:

@charltones Neeeeeeeeeeerrrrrrrrrrdddddddd

Rob Charlton (authentic, via ) on january 25th, 2018 at 01:10:04:

@jcs Was this ever in doubt?

Dr David Martin (authentic, via ) on january 23rd, 2018 at 14:37:58:

@widdowquinn not 'sudo ./configure && make install' ?

Petr Peller 🐙 console.log("HERE"); (authentic, via ) on january 24th, 2018 at 08:28:11:

@jcs @widdowquinn What's sudo? I always log in as root.

JaxxAI (authentic, via ) on january 23rd, 2018 at 15:07:02:

@cybergibbons Randomly install WordPress plugins and Google Chrome addins. Install the most obscure Android apps from developers you've never heard of. Run any old code from random sources. It's how we roll in 2018.

Spikier Caterpillar (authentic, via ) on january 23rd, 2018 at 15:12:37:

Buried deep within the resultant Makefiles will be something like:

curl -o /tmp/getdeps https://someplace.example/mydeps
curl -o /tmp/getdeps.sums https://someplace.example/mydeps.sums
md5sum -c /tmp/getdeps.sums
chmod 755 /tmp/getdeps
sh /tmp/getdeps

Tyler Kavanaugh (authentic, via ) on january 23rd, 2018 at 15:17:32:

@megarush1024 Both of these sound like absolutely horrible ideas.

Willy Lee (authentic, via ) on january 23rd, 2018 at 15:22:19:

@necrobuffalo I'll just add this unknown ppa to apt

GI Jack (authentic, via ) on january 23rd, 2018 at 15:46:39:

Welp run Arch Linux. Use the package from AUR, and have a little faith the maintainers read the ./configure scripts. Mostly not. Or if there is no PKGBUILD, be kind and carefully audit before you post and always use VALIDGPGKEYS= and sha256 sums

GI Jack (authentic, via ) on january 23rd, 2018 at 15:47:35:

Saves a lot of time, as you only have to check a few pieces of software, and other people can check other pieces of software, and it becomes a group effort. Then again, the vast bulk of PKGBUILDs on AUR are questionable quality

GI Jack (authentic, via ) on january 23rd, 2018 at 15:48:57:

But OP makes a valid point. Same difference. Even with make, itself scriptable. You can hide malware in anything.

Still doesn't negate the concept of reading 10 lines of bash you wget before executing it. That bash will also probably call ./configure as well.

Mark van der Loo (authentic, via ) on january 23rd, 2018 at 15:47:42:

Surely you mean "sudo ./configure" 😃

Tim H (authentic, via ) on january 23rd, 2018 at 17:53:23:

@RouteLastResort THANK YOU

jessecooper (authentic, via ) on january 23rd, 2018 at 18:23:01:

http://Pivpn.io - the first instruction ::: INSTALLATION :::
curl -L https://install.pivpn.io | bash

PuffySecurity (authentic, via ) on january 23rd, 2018 at 19:24:23:

The reason people are told to download & run scripts instead of `curl | bash` is because the CGI application knows that you are piping into bash, so the CGI app can send you different data if it knows you're piping into bash instead of writing to a file.
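The download-then-verify-then-run pattern that this comment and the Apache GPG advice earlier in the thread are describing, as an added example that is not part of the original thread or any project it mentions. Everything in it is constructed: the "downloaded" file is a stand-in written locally, the expected digest is the SHA-256 of those bytes, and the `verify_checksum` / `verify_and_run` names are this example's own. The expected value must come from somewhere other than the download URL (a signed SHA256SUMS file checked against a KEYS file, release notes, a distro package database); this block slots a plain digest comparison in where that signature check would go.

```shell
#!/bin/sh
# Added example: fetch to a file, check it against an out-of-band digest,
# and only then execute it. Nothing here is from the thread or its projects.

# Compute a SHA-256 hex digest with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the file's digest equals the expected one.
# The expected value must come from an independent channel; a sums file
# served beside the download proves nothing, because whoever controls
# that server controls both.
verify_checksum() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Verify first, run second. Returns 2 on mismatch so a caller can tell
# "refused to run" apart from the script's own exit status.
verify_and_run() {
    file=$1
    expected=$2
    if ! verify_checksum "$file" "$expected"; then
        echo "refusing to run $file: digest mismatch" >&2
        return 2
    fi
    sh "$file"
}

# Constructed demo standing in for: curl -o "$tmp" https://example.invalid/install.sh
demo() {
    tmp=$(mktemp) || return 1
    printf 'echo hello\n' > "$tmp"
    # Constructed out-of-band value: SHA-256 of the bytes "echo hello\n"
    # computed at authoring time, as a release's signed sums file would carry.
    good=$(sha256_of "$tmp")
    verify_checksum "$tmp" "$good" && echo "digest ok, safe to inspect and run"
    # A tampered or truncated download (the "rm -rf /tmp/tmpfile cut off after
    # the first slash" case from this thread) changes the digest and is refused.
    printf 'echo tampered\n' >> "$tmp"
    verify_and_run "$tmp" "$good" || echo "blocked (exit $?)"
    rm -f "$tmp"
}

demo
```

Run it as-is to see the accept and refuse paths; in real use `good` is pasted from the independently obtained sums file rather than computed from the download, which is the whole point.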

Lexi :3 (authentic, via ) on january 24th, 2018 at 15:15:43:

@jcs How does the CGI application know that you're piping into bash, or piping into any process at all?

PuffySecurity (authentic, via ) on january 24th, 2018 at 15:55:04:

@jcs “Pipe Injector

Node.js script that can detect when "curl ... | bash" is being used and serve a different file than normal. This is an implementation of this article https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/”

https://github.com/MylesJohnson/Pipe-Injector/blob/master/README.md

Daniel Sato (authentic, via ) on january 25th, 2018 at 00:21:23:

@binaryDiv @jcs Well this is going to keep me up at night.

Mike Spooner (authentic, via ) on january 29th, 2018 at 12:11:06:

@binaryDiv @jcs How does it know it is bash, as opposed to zsh, ash, SVR4 ksh, dtksh, or "dd of=/etc/shadow" or even ncftp (in upload-elsewhere mode)? It doesn't.

PuffySecurity (authentic, via ) on january 23rd, 2018 at 19:32:45:

“Node.js script that can detect when "curl ... | bash" is being used and serve a different file than normal.”

https://github.com/MylesJohnson/Pipe-Injector/blob/master/README.md

Kornel (authentic, via ) on january 24th, 2018 at 07:16:59:

@jcs It doesn't matter. The point is that nobody audits the downloaded source either way.

PuffySecurity (authentic, via ) on january 24th, 2018 at 11:25:34:

@jcs They do if the code they compiled is doing something which looks malicious

Someone who does not read the source code for a program which is behaving maliciously is an idiot, and irrelevant to the conversation.

Kornel (authentic, via ) on january 25th, 2018 at 09:45:08:

@jcs If you audit only after you notice malicious activity, that's generally too late — you're pwnd already. Calling victims idiots is an immature and ineffective approach to security.

PuffySecurity (authentic, via ) on january 25th, 2018 at 10:52:40:

@jcs I agree that it sucks when you have to recover from an attack.

However, it is far easier to figure out what has gone wrong if you can read the source code you compiled the binary from, rather than using IDA Pro.

Kornel (authentic, via ) on january 25th, 2018 at 10:58:27:

@jcs ./configure scripts are plain text. Still, I think it doesn't matter, as you may be one of very few people on the entire planet inclined to audit them manually.

Greg Hurrell (authentic, via ) on january 23rd, 2018 at 20:16:44:

I think the main risk is not malice but that a line like “rm -rf /tmp/tmpfile” gets cut off after the first slash due to a network interruption.

Buck Wheat (authentic, via ) on january 23rd, 2018 at 21:33:42:

Don't forget to specify http on that download too

Peter J. Jones (authentic, via ) on january 23rd, 2018 at 21:59:12:

Nixpkgs runs ./configure in a chroot jail with no network connection.

Momo (authentic, via ) on january 24th, 2018 at 05:15:51:

@jcs And then it probably runs "make", hopefully in that same jail, and you get a binary file that you still need to trust. Seriously, curl | bash is no worse than any other method that doesn't involve a trusted third person checking the code.

Saqib Rokadia (authentic, via ) on january 24th, 2018 at 02:15:10:

@derekslager I think you missed a sudo in there. Also an untrusted source is an untrusted source no matter the execution pattern. Either learn how to read obfuscated shell scripts or find a different means to trust the solution for the problem you are trying to solve.

Luke (authentic, via ) on january 24th, 2018 at 03:18:38:

This sounds related to an issue I read somewhere where someone complained about a script that, run after curl d/l, installed a compilation tool for a language from a reputable source.

Natanael Copa (authentic, via ) on january 24th, 2018 at 07:03:47:

No, that could do something dangerous. Instead download the precompiled binary and then blindly execute the 100MB .exe

Stian Soiland-Reyes (authentic, via ) on january 24th, 2018 at 07:06:10:

it's also easy to modify a web server to differentiate on User-Agent header; return a "kind" version to browsers and an evil one to curl.

0xvext (authentic, via ) on january 24th, 2018 at 07:19:25:

@hexwaxwing Wcgw?

Franziska (authentic, via ) on january 24th, 2018 at 09:18:08:

@masterbaseAT But you don't run ./configure as root, as opposed to curl | sudo bash

Joaquin Menchaca (authentic, via ) on january 24th, 2018 at 10:23:27:

I just download them to see if any inspirational trixy-hobbitz bashisms used...

Luka Pusic (authentic, via ) on january 24th, 2018 at 11:56:58:

Or run sudo npm install -g.