Yuri
2017-Dec-10 19:47 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/10/17 11:36, Igor Mozolevsky wrote:
> If I give my bank card and PIN to someone who I don't trust, I can't
> complain that my bank doesn't take adequate precautions if that person
> drains my bank account! You choose to go down a route that *you* know is
> compromised!

1. The user has set up the subversion source trees based on the *current advice* here for anonymous checkout: https://wiki.freebsd.org/PortsSubversionPrimer

> % svn co http://svn.freebsd.org/ports/head /usr/ports

2. The user heard that Tor improves his anonymity, and decided to use it.

3. The user updated the sources through Tor and got hacked.

Where did this user go wrong, or where has he been irresponsible?

The fact that this page https://wiki.freebsd.org/PortsSubversionPrimer still recommends http is appalling!

Yuri
Igor Mozolevsky
2017-Dec-10 19:52 UTC
http subversion URLs should be discontinued in favor of https URLs
On 10 December 2017 at 19:47, Yuri <yuri at rawbw.com> wrote:
> On 12/10/17 11:36, Igor Mozolevsky wrote:
>> If I give my bank card and PIN to someone who I don't trust, I can't
>> complain that my bank doesn't take adequate precautions if that person
>> drains my bank account! You choose to go down a route that *you* know is
>> compromised!
>
> 1. The user has set up the subversion source trees based on the *current
> advice* here for anonymous checkout: https://wiki.freebsd.org/PortsSubversionPrimer
>
>> % svn co http://svn.freebsd.org/ports/head /usr/ports
>
> 2. The user heard that Tor improves his anonymity, and decided to use it.
>
> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?
>
> The fact that this page https://wiki.freebsd.org/PortsSubversionPrimer still recommends http is appalling!

The FreeBSD wiki doesn't recommend Tor, does it?! If the user was so badly educated about Tor, why is it FreeBSD's problem, honestly?

What you're saying is no different than "Alice" doesn't want to download FreeBSD herself, so she asks "Eve" to get her a CD with the source code. Unbeknownst to Alice, Eve replaces a bunch of files on the CD and presents the CD to Alice as a bona fide copy. The problem in the chain is Eve (or Tor, in your case), not where Eve got the CD from!

This discussion is turning circular and, quite frankly, ridiculous!

-- 
Igor M.
Poul-Henning Kamp
2017-Dec-10 19:57 UTC
http subversion URLs should be discontinued in favor of https URLs
--------
In message <898df78d-c0b1-9e9f-0630-2665c3939960 at rawbw.com>, Yuri writes:

> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?

He trusted Tor?

In 2006 Steven Murdoch's "Hot or Not" work in TCP timers revealed that a LOT of the Tor network is on a longitude compatible with a "Bandit of The Beltway" location.

If you still, eleven years later, seriously believe that Tor is trustworthy, you shouldn't be allowed near any kind of security decision.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG      | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Michelle Sullivan
2017-Dec-10 22:49 UTC
http subversion URLs should be discontinued in favor of https URLs
Yuri wrote:
> On 12/10/17 11:36, Igor Mozolevsky wrote:
>> If I give my bank card and PIN to someone who I don't trust, I can't
>> complain that my bank doesn't take adequate precautions if that person
>> drains my bank account! You choose to go down a route that *you* know is
>> compromised!
>
> 1. The user has set up the subversion source trees based on the
> *current advice* here for anonymous checkout:
> https://wiki.freebsd.org/PortsSubversionPrimer
>
>> % svn co http://svn.freebsd.org/ports/head /usr/ports
>
> 2. The user heard that Tor improves his anonymity, and decided to use it.
>
> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?

User gets an email saying his banking details are compromised, and to update them now. User clicks the link and gives banking details to a phishing site, as well as having a keylogger and rootkit installed during the process. User has bank account hacked.

Where did the bank go wrong?

Bank installs secondary security to prevent phishing / user realises the site is phishing and puts in false details or aborts the input... Keylogger is still on their system though, because that was installed on the first click before the page was updated, because of a compromised Microsoft code signing certificate...

Where did the bank or the user go wrong?

Maybe instead, user takes their phone into the local Maccas and uses the hotspot there; as part of the sign-in they get a compromised app from a local hacker that has been stalking the hotspot...

Ding ding ding, we have a winner... can't trust the network, just like the Tor case... etc etc etc

Michelle