Search found 30 matches

by TerraFrost
Wed Mar 10, 2010 10:59 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Secure Automatic Upgrades
Replies: 21
Views: 48864

Re: [RFC] Secure Automatic Upgrades

The package managers like those being used by Linux distributions basically work the same way, and most people use those on a daily basis. But to run my package manager I become root; by default I don't have the appropriate access credentials to overwrite all the binaries on my system. You'd have to...
by TerraFrost
Wed Mar 10, 2010 6:42 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Secure Automatic Upgrades
Replies: 21
Views: 48864

Re: [RFC] Secure Automatic Upgrades

bantu wrote: Slightly off-topic, but does Wordpress actually sign their packages for the auto updater right now?
Doesn't look like it:

http://wordpress.org/support/topic/338010
by TerraFrost
Wed Mar 10, 2010 3:56 am
Forum: [3.x][Archive] RFCs
Topic: [RFC] Secure Automatic Upgrades
Replies: 21
Views: 48864

Re: [RFC] Secure Automatic Upgrades

The person packaging the release would, after prepping the packages on their local machine, take a hash of the package (hash_file) and encrypt the hash with their locally stored private key. The packages and their respective signatures would then be uploaded to phpbb.com. The private key would never...
by TerraFrost
Wed Mar 10, 2010 3:13 am
Forum: [3.x][Archive] RFCs
Topic: [RFC] Secure Automatic Upgrades
Replies: 21
Views: 48864

Re: [RFC] Secure Automatic Upgrades

The only thing they'd be able to change would be the signature. The public keys would be included in each phpBB install and although downloads made while the hacked website was up could have altered public keys, already deployed installations would not. The private key, presumably, wouldn't be store...
by TerraFrost
Tue Mar 09, 2010 8:28 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Secure Automatic Upgrades
Replies: 21
Views: 48864

Re: [RFC] Secure Automatic Upgrades

Nice catch! I've updated the RFC to say SHA256, but any algorithm supported by hash() should work. phpseclib doesn't support all the algorithms that hash() does, but I figure I'll update that at some point. Whirlpool was designed by the people who did AES. Its best cryptanalysis (according to its wi...
by TerraFrost
Tue Mar 09, 2010 5:12 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Secure Automatic Upgrades
Replies: 21
Views: 48864

Re: [RFC] Secure Automatic Upgrades

What if the signature checking code contains a bug and does not work correctly? What if there is a bug allowing signature checking to be bypassed? What if the signature itself happens to be weak (see Debian ssl vulnerability)? The signature checking code is fairly well vetted. You can verify at lea...
by TerraFrost
Tue Mar 09, 2010 5:09 am
Forum: [3.x][Archive] RFCs
Topic: [RFC] Secure Automatic Upgrades
Replies: 21
Views: 48864

[RFC] Secure Automatic Upgrades

If you've ever used Wordpress, you're probably aware of how, when a new version is released, Wordpress can automatically download and install the update for you. As convenient as that is, it does present a small problem. In particular, if phpbb.com or wordpress.com or whatever were hacked, an attack...
by TerraFrost
Mon Jun 30, 2008 11:02 pm
Forum: Announcements and News
Topic: EasyMOD v0.4.0 released (for phpBB 2.0.x)
Replies: 0
Views: 32363

EasyMOD v0.4.0 released (for phpBB 2.0.x)

EasyMOD v0.4.0
We're very pleased to release EasyMOD version 0.4.0
Introduction
EasyMOD is an automatic MOD installer. It does in seconds what used to be the laborious and time-consuming task of manually editing files. EM will install EasyMOD Compliant (EMC) MODs and will try to install all other M...
by TerraFrost
Sat Sep 30, 2006 11:55 pm
Forum: Installing MODs with EasyMOD
Topic: Nightrider
Replies: 37
Views: 36281

Re: Nightrider

And if EM was broken, I could understand the attempts to kill it. But EM is not the problem. If Ptirhiik or any other MOD author decided to change AFTER, ADD statements to ADD AFTER, should EM be blamed for not recognizing the command??? Ptirhiik isn't doing that, though. As far as I know, your bas...
by TerraFrost
Sat Sep 30, 2006 10:12 pm
Forum: Installing MODs with EasyMOD
Topic: Nightrider
Replies: 37
Views: 36281

Re: Nightrider

I really don't think this statement could get much clearer. Either the Author's MOD installs correctly using EM or it does not get approved. I see no exceptions or ambiguities here in this statement... Look at the line you underlined: if their MOD fails to [correctly] install with EM on a virgin ph...