Hacked again? PGP key? #16
Comments
reelsense changed the title from "PGP key?" to "Hacked again? PGP key?" on Aug 31, 2016
jdhoek commented Sep 1, 2016
Definitely consider signing the releases, but also the corresponding git tags for released versions. It helps if you can integrate the signing into the release part of the software build.
Most people won't check the signatures, but those who do will warn you if the signatures cannot be verified or are missing.
reelsense commented Sep 1, 2016
Including a sig is the best practice, and these are practices they need to know and care about.
What is the functional difference between a checksum and a signature?
- Checksums ensure data integrity.
- Digital signatures ensure data authenticity.
When downloading a file, errors may occur during that process. Malware could also modify the downloaded file if your machine is infected. The file's fingerprint (checksum) is there to tell you that the file is not altered.
An attacker may host a malicious version of transmission on his website and make it available to download. Verifying the checksum in this case is useless: the only way for you to be sure that you did not download a malicious version of transmission is to check its signature(s).
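The workflow jdhoek and reelsense describe above (signing the release artifact and the corresponding git tag, and why a checksum alone does not catch a swapped download), as an added example that is not part of this thread or of Transmission's own release tooling. It assumes GnuPG 2.x, git and coreutils sha256sum are on PATH; the signing key, the stand-in tarball and the tag name are constructed for the demo, and everything runs in a temporary directory with its own GNUPGHOME so no real keyring is touched.

```shell
#!/bin/sh
# Added example, not Transmission project code: a release manager signs the
# tarball and the git tag, and a downloader verifies both. Assumes GnuPG 2.x,
# git and coreutils sha256sum; everything lives in a throwaway directory with
# its own GNUPGHOME, so no real keyring is touched. Key, artifact and tag
# names are constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 \
  || { echo "gpg and git are required for this demo" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# --- release manager side -------------------------------------------------

# Throwaway signing key (ed25519, signing-only, never expires). Prints its
# fingerprint so git can be pointed at exactly this key.
make_release_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'ReleaseBot (demo) <release@example.invalid>' \
      ed25519 sign 0 >/dev/null 2>&1
  gpg --batch --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}
KEYID=$(make_release_key)

# git with a fixed committer identity and the demo signing key.
git_as_bot() {
  git -c user.name=ReleaseBot -c user.email=release@example.invalid \
      -c user.signingkey="$KEYID" "$@"
}

# Publish <artifact>.sha256 (integrity) and a detached <artifact>.asc (authenticity).
sign_release() {
  sha256sum "$1" > "$1.sha256"
  gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1"
}
sign_tag() { git_as_bot -C "$1" tag -s "$2" -m "Signed release $2"; }

# --- downloader side -------------------------------------------------------

# 0 = checksum and signature both good, 1 = checksum mismatch, 2 = bad or
# missing signature. The checksum only tells you the bytes arrived intact;
# the signature tells you who produced them.
verify_release() {
  sha256sum -c --status "$1.sha256" || return 1
  gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1 || return 2
}
verify_tag() { git -C "$1" tag -v "$2" >/dev/null 2>&1; }

# --- the scenario from the thread ------------------------------------------

# Whoever controls the download site replaces the tarball and simply
# regenerates the checksum file. Without the private key the signature cannot
# be regenerated, so the checksum step passes and only the signature step fails.
simulate_site_takeover() {
  printf 'trojaned build\n' > "$1"
  sha256sum "$1" > "$1.sha256"
  verify_release "$1"
}

# Same idea for tags: re-creating the tag without the key leaves it unsigned.
simulate_tag_replacement() {
  git_as_bot -C "$1" tag -f "$2" -m "re-created without the key" >/dev/null
  verify_tag "$1" "$2"
}

ART="$WORK/transmission-demo.tar.xz"
printf 'pretend this is the release tarball\n' > "$ART"   # constructed stand-in
sign_release "$ART"
verify_release "$ART" && echo "clean download: checksum and signature OK"

REPO="$WORK/repo"
git init -q "$REPO"
git_as_bot -C "$REPO" commit -q --allow-empty -m "release commit"
sign_tag "$REPO" v0.0.1-demo
verify_tag "$REPO" v0.0.1-demo && echo "tag v0.0.1-demo: signature OK"
```

Run as-is it prints the two OK lines for the untampered artifact and tag; calling simulate_site_takeover afterwards returns 2 (checksum fine, signature bad) and simulate_tag_replacement fails verification. In a real pipeline the private key stays on the build host, and the public key is published out of band (project site, keyservers, Keybase), because a key fetched from the same compromised mirror proves nothing.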
sandstrom commented Sep 1, 2016
Some more ideas on security:
- Static hosting will increase security
  - Move to Github Pages or
  - static website on S3 + CloudFront (if so Middleman is a good tool).
- I'd shut down trac.transmissionbt.com and use Github (it's very old, likely loads of security holes).
- Similar for phpbb, I'd suggest moving to Discourse.
- Signing of releases (as others have mentioned).
- Look into keybase.io (useful for code signing and verification).
reelsense commented Sep 1, 2016
They moved to github pages a day after the 2nd hack. 1 out of 7 complete.
Here is their keybase.io invite. If someone steals it, I'll know who you are...
reelsense commented Sep 1, 2016
@sandstrom What are the attack vectors against using a subdomain? Link? I just want to know.
sandstrom commented Sep 2, 2016
@reelsense Nothing major but there are some things outlined here: https://github.com/blog/1452-new-github-pages-domain-github-io
NetOperatorWibby commented Sep 3, 2016
I have a couple Keybase invites in case someone steals the one above. Just got my computer fixed, but that came at the cost of a new SSD, which means I need to download Transmission again. Found this repo so I'm gonna build from scratch.
I was going to suggest creating a self-hosted Gitlab instance but actually, putting everything on GitHub is a great idea moving forward. Server security can be learned in the meantime.
reelsense commented Sep 13, 2016
TrueOS has started signing their releases today. I hope Transmission is next.
reelsense commented Sep 29, 2016
Linux Mint was hacked the same way as Transmission in early 2016 and now PGP signs their releases.
mikedld (Member) commented Sep 29, 2016
Thanks for the idea to everyone. We get the message though, lots of people sign their releases; reiterating won't make it happen any sooner ;)
reelsense commented Oct 20, 2016
@dotnetCarpenter steal the Keybase invite? Or is he connected to Transmission?
Thank you!
dotnetCarpenter commented Oct 20, 2016
@reelsense Sorry. I stole it. Didn't know about keybase and checked it out. Since I stole it, let me redeem myself. Here is a new invite: https://keybase.io/inv/0e8b87e5fc
reelsense commented Aug 31, 2016 (opening post of the issue)
What is the PGP key for this project and where are the sig files for the releases? Sign your releases too.