Lope
Posts: 70
Joined: Tue Jul 02, 2013 7:53 pm

Rasbian is a completely INSECURE operating system

Mon May 04, 2015 11:13 am

I've just opened a horrible can of worms, I don't even know where to start.
In Raspberry Pi's spirit of education, and the intended audience of Linux technology newbies, I will start off by giving a very brief introduction to internet security. And we should all see ourselves as learners. Living is learning. The expert mind sees very few possibilities while the beginner's mind sees many.

Let's start with some security basics.
Linux is an open source operating system, and most of the software is open source. That means you don't have to trust the author of the software with what they're doing with your computer, whether they're spying on you (capturing your keystrokes, recording video or sound of you, or sending your files back to them) or using your hardware for their nefarious purposes (hacking, botnets, DDoS attacks, etc.), because you can review the source code yourself.
So as long as you can read and understand the source code, you don't need to trust the authors.
But reading source code and compiling everything manually is time consuming.
You might for example trust the package maintainers for Debian or Raspbian.
APT is a package system designed to facilitate the secure distribution of pre-compiled package binaries.
You can download binaries (non-human readable code, for your computer to run) from people you have decided to trust.
APT uses GPG keys. Public key encryption. The package author has created a keypair for themself. They make their public key available to you.
When you have the package author's public key, you can confirm that the package you have received, has come from them, unaltered because they have signed it with their private key. (and you hope that their private key has not been stolen by an attacker)

APT allows for efficient distribution of packages. Instead of millions of users always updating and downloading their package lists from 1 Debian server etc (and overloading it) the packages are mirrored around the world. They are hosted for low cost, served over insecure HTTP connections. After your apt-get downloads a package from an insecure HTTP connection to any mirror or even the main archive, it checks the packages against the public key.

This means even if the server you download packages from has been hacked, and an attacker has provided fake/compromised/infected packages on that server for you to download, you're OK because apt-get will see that they're not signed by the author.
This trust is based on the assumption that you have the author's real private key, and that their private key has not been compromised and that the author's computer has not been compromised. Hopefully the author's computer is secure, they encrypt their data, use strong passwords and use secure software.
Even if someone does a man-in-the-middle attack on your HTTP connection while you do an apt-get update, or an apt-get install, apt-get will notice that the information you've received has not been signed correctly.

So APT, when used as it's designed, is secure.

Now that you're familiar with APT's security features, let's have a look at HTTP and HTTPS
HTTP is the internet protocol for serving web pages. It was invented long ago and it is completely vulnerable to man-in-the-middle attacks.
Your TCP connection to a server, might jump between 50 servers along the way. A man in the middle attack can be performed at any one of those 50 servers or on the links between them.
The data can be changed. You might go to http://mybank.com and an attacker serves up a fake copy of your bank's website that asks for your password. Bye bye money.

There are 3 massive security problems with HTTP
1. Privacy: Anyone in the middle can read your communications (they can see your password, your bank balance, and other financial information)
2. Validity: The data can be changed in transit (man-in-the-middle-attack) (you might try to pay bank account number 123, and the attacker changes the beneficiary account number to 456, or the attacker steals your money, and shows you a fake balance, etc)
3. Authenticity: You have no way of knowing if the data you receive (the website, or file) comes from the server/company/person you're actually trying to communicate with.

HTTPS like APT, solves this problem with public key encryption.
When you try to go to http://mybank.com mybank sends you a HTTP 301 response "Moved permanently" and a Location header, telling your web browser to go to https://mybank.com
Your web browser will automatically go to https://mybank.com and establish a SSL connection (tunnel) for the HTTP data to flow through.

HTTPS ensures
1. Nobody can see any of the information you're sending to the bank, or what they're sending you.
2. Nobody can change any of the contents (that they can't even read) because your web-browser will detect that the data is invalid.
3. You know that the server you're trying to communicate with IS the author of the information you have received, because it has signed the information using its private key.

Very similar to APT. Problem solved, right?
Well yes, encryption works if you use it properly, otherwise it's worthless.

Most of the Raspberry pi repositories have completely undermined APT security, and thus, every Raspberry Pi is insecure

This is a bold claim. As far as I can tell, it is true. Please investigate for yourself.

I first discovered the problem when I went to this page
https://www.raspbian.org/RaspbianRepository

Raspbian.org suggests this completely insecure command
wget http://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -

They want your Raspberry Pi to trust a public key, that they're going to send you, using absolutely no security of any kind.
That public key, that supposedly comes from archive.raspbian.org and bounces through many many servers and network links before it gets to you, could be changed many times... and your computer wouldn't have the faintest idea.

So Raspbian.org has just BROKEN APT SECURITY, completely.

You know, it wouldn't be so bad... if it was some random user on a forum suggesting to use insecure http:// to get a public key. (as they do, because most of the time, it's the only mechanism available)
But the fact that Raspbian.org! is giving this insecure advice is shocking!

This is how it's supposed to happen if someone foolishly makes a HTTP request for a public key (just like the bank example)
1. You request http://archive.raspbian.org/raspbian.public.key
2. archive.raspbian.org responds with 301 Moved permanently. then redirects you to make a HTTPS connection. or better "400 Bad Request" so you can realize your mistake!
3. you connect to https://archive.raspbian.org/raspbian.public.key and receive the a public key that you can trust has not been changed, and is authentic, given to you by archive.raspbian.org.

I did this, but I can't recommend you do it. You will see why...
apt-key list #now you will see all your GPG keys
#don't run these commands, unless you know what you're doing
apt-key del 'Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com>'
apt-key del 'Raspberry Pi Archive Signing Key'
apt-key del 'Collabora Raspbian Archive Signing Key <daniels@collabora.com>'
apt-key del 'Wolfram Research, Inc. (WolframEngine Raspbery Pi signing key) <raspbian@wolfram.com>'
"Great, now we will add trustworthy GPG keys" I thought... right? well no, because they're NOT AVAILABLE!

Not only is correct security practice not followed. Secure public keys are not even frikkin available!

Even though https://www.raspbian.org/RaspbianRepository tells you to run an insecure command... you can make it secure by adding an 's'
wget https://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -

This means that every novice user will be fooled into making their Raspberry Pi insecure.
This means
* None of their data may be considered private/secure (passwords, financial records, intellectual property, whatever)
* They could be robbed (see above point)
* Their computer may be used for destructive/nefarious purposes.

But it gets even worse.
Even people who are familiar with the security basics discussed in this forum post are currently unable (as far as I can tell) to securely obtain Raspberry Pi GPG keys.
The Raspberry Pi authors have undermined APT security to such an extent that it makes me question whether they should even be trusted, even if they now start to behave responsibly with regard to security.
Because it seems that they are either not trustworthy at all, or completely incompetent. Neither of these qualities is very reassuring in terms of me wanting to have such a device on my network or trust it with my data.

everyone can try these commands
cd /tmp
wget https://archive.raspbian.org/raspbian.public.key
#okay great, that worked, so non-novice users can obtain the GPG key securely.

wget https://archive.raspberrypi.org/debian/raspberrypi.gpg.key
#archive.raspberrypi.org does not even have SSL functional!!! Never mind ALLOWING GPG keys to be downloaded insecurely. They ONLY serve GPG keys insecurely!

wget https://repository.wolfram.com/raspbian/raspbian@wolfram.com.gpg.pub-key
#the repository.wolfram.com server does not even have an SSL HTTP server installed at all.
This is a sad sad state of affairs. Raspberry Pi is a fundamentally insecure operating system.

If you found this interesting, you may find this TED talk and links interesting
TED Talk: Edward Snowden: Here's how we take back the Internet
NSA Intercepts Internet Devices, Implants "Backdoor" - Leaked Document
Debian bugdoored by NSA

If you try the wget commands I've listed above, your comments would be helpful to back up what I'm saying (GPG keys are served over HTTP and are not available over a HTTPS connection), so that they cannot quickly fix these issues and then try to deny it.

The only way Raspberry Pi and Raspbian, Wolfram etc. can redeem themselves (in my opinion) is to do the following
1. Acknowledge that they were using very bad security practices and apologize.
2. Deny all HTTP requests for GPG keys with either 301 Moved Permanently or 400 Bad Request.
3. Make GPG keys available via HTTPS
4. Make some kind of statement about their security practices so that we can have some kind of trust that their private keys are secure.
5. Take security more seriously in general.

There is no excuse for Raspberry Pi to completely fail at security as an OS on the grounds that Raspberry Pi is just a toy.
1. Raspberry Pi has many industrial customers
2. If security has been weakened so that the NSA can exploit it, as Edward Snowden says, then anyone who is determined enough will find the same exploits and exploit them for their own purposes: any government around the world, hackers, etc.
3. Raspberry Pi is used by many people all over the world for all kinds of things, and they would like to be able to trust the Raspberry Pi with their data and trust it to be on their network etc.
4. Students using Raspberry Pi as a learning tool should be learning basic security practices.

Security is not an optional nice-to-have.
Encryption is not only for terrorists.
Security is a basic requirement for computers and anyone using them.
Last edited by Lope on Mon May 04, 2015 12:52 pm, edited 5 times in total.
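The check the post is asking for, fetching a key and then deciding whether to trust it, can be made concrete. The following is an added example, not code from this thread, from Raspbian or from Raspberry Pi: it computes the OpenPGP v4 fingerprint of an armored public key the same way gpg and apt-key report it (SHA-1 over 0x99, a two-byte length and the Public-Key packet body, RFC 4880 section 12.2) and compares it, in constant time, with a fingerprint obtained out of band (a printed page, a second machine, or a page you already trust). The key it parses is a constructed toy RSA key built inside the script, not the real Raspbian archive key, and PINNED_FINGERPRINT is a hypothetical value derived from that toy key for the demonstration. Fetching the key over HTTPS narrows who can tamper with it in transit; only the fingerprint comparison tells you that the key you are about to hand to apt-key is the one the archive actually signs with.

```python
# Added example: pin-check an OpenPGP key before handing it to apt-key.
# The key below is CONSTRUCTED (not the Raspbian key); the pin is hypothetical.
import base64
import hashlib
import hmac
import struct

BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1, the armor checksum."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Strip ASCII armor, check the '=xxxx' CRC line, return the raw packet bytes."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("not an armored public key block")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor checksum mismatch: corrupt or tampered key")
    return data


def packets(data):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("invalid packet header")
        i += 1
        if first & 0x40:                # new format: 6-bit tag, variable length
            tag, l1 = first & 0x3F, data[i]
            i += 1
            if l1 < 192:
                length = l1
            elif l1 < 224:
                length, i = ((l1 - 192) << 8) + data[i] + 192, i + 1
            elif l1 == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                           # old format: 4-bit tag, 2-bit length type
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(key_body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, key packet body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def fingerprint_of(armored):
    """Fingerprint of the primary key: the first Public-Key packet (tag 6)."""
    for tag, body in packets(dearmor(armored)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def key_matches_pin(armored, pinned):
    """Compare against an out-of-band fingerprint; spacing and case are ignored."""
    return hmac.compare_digest(fingerprint_of(armored), pinned.replace(" ", "").upper())


def armor(data):
    """Wrap packet bytes in ASCII armor (used only to build the constructed key)."""
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", base64.b64encode(data).decode(), "=" + crc, END, ""])


def constructed_key(n=b"\xc9\x3f\x11\xa0"):
    """Toy v4 RSA Public-Key packet: version, creation time, algorithm 1, MPIs n and e."""
    e = b"\x01\x00\x01"

    def mpi(b):
        return struct.pack(">H", int.from_bytes(b, "big").bit_length()) + b

    body = b"\x04" + struct.pack(">I", 1430740000) + b"\x01" + mpi(n) + mpi(e)
    return armor(bytes([0x80 | (6 << 2), len(body)]) + body)   # old-format header, 1-byte length


SAMPLE_KEY = constructed_key()
# Hypothetical pin, formatted as gpg prints it; in practice it comes from a trusted source.
PINNED_FINGERPRINT = " ".join(fingerprint_of(SAMPLE_KEY)[i:i + 4] for i in range(0, 40, 4))

if __name__ == "__main__":
    print("fetched key:", fingerprint_of(SAMPLE_KEY), "pin ok:", key_matches_pin(SAMPLE_KEY, PINNED_FINGERPRINT))
    swapped = constructed_key(n=b"\xd2\x55\x00\x01")          # a key substituted on the wire
    print("swapped key:", fingerprint_of(swapped), "pin ok:", key_matches_pin(swapped, PINNED_FINGERPRINT))
```

Run as a script it prints the fingerprint of the sample key with the pin check passing, then a second key substituted on the wire failing the same check. Partial-body and indeterminate packet lengths are rejected rather than guessed at, which is fine for exported public keys, where lengths are definite; a corrupted armor body fails the CRC-24 check before any packet is parsed.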

Jednorozec
Posts: 809
Joined: Sun Nov 24, 2013 2:17 pm
Location: Deposit, NY

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 11:43 am

When something like this http://c2.com/cgi/wiki?TheKenThompsonHack is possible there is no computer security anywhere.
The most important leg of a three legged stool is the one that's missing.
It's called thinking. Why don't you try it sometime?

Lope
Posts: 70
Joined: Tue Jul 02, 2013 7:53 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 11:52 am

While it is of great importance that people are aware of the Ken Thompson Hack, your defeatist attitude, while convenient for those who would like to weaken security, is not realistic.

1. Read that whole URL that you linked, you will see that KTH is not flawless.
2. Consider the fact that the NSA tries to weaken security at many different levels in many locations. If the KTH was enough there would be absolutely no need to go to the trouble of all the other attacks. They have thousands of employees constantly trying to weaken or break the security of thousands of software programs. Bugdoors, backdoors, exploits. Their efforts are vast. If they had weakened the endpoints sufficiently they would not bother trying to weaken the RNGs. And if they had successfully weakened encryption algorithms there would be no need to weaken the RNGs. I suggest you make use of this deductive logic. This is a very, very important point and do not underestimate it.

The only useful thing about your attitude is that you should not assume your computer is secure. But that does not mean it is pointless to take reasonable steps to secure it anyway. If you utilized the same logic then you should not bother locking your car or having a car alarm because your car is insecure (windows are made of glass, etc). Or similarly for your house, why lock your house when locks can be picked?
You could expand the defeatist attitude into any area of life? Why bother being healthy when you're going to die anyway?

Let's be reasonable and practical.
Last edited by Lope on Mon May 04, 2015 11:59 am, edited 1 time in total.

Heater
Posts: 15990
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 11:58 am

So in summary your point is:

The creators of Raspbian should employ HTTPS, or other means by which authenticity can be assured.

Sounds like a good idea to me.

The title of this thread is then incorrect. Raspbian as an OS may be as secure as it can be. It's the distribution mechanism that may be flawed.

I like to think we have security by other means. With 5 million Pi users out there I suspect that if some weird back door was introduced by the man-in-the-middle attack you propose then someone would soon notice and we would very soon know all about it.

As always, security is not just about using particular technologies, it requires eternal vigilance on the part of the users.
Memory in C++ is a leaky abstraction .

fruit-uk
Posts: 609
Joined: Wed Aug 06, 2014 4:19 pm
Location: Suffolk, UK

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 11:59 am

When can we expect to see your contributions?

Sleep Mode zZ
Posts: 319
Joined: Sun Aug 19, 2012 5:56 am
Location: Finland

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:05 pm

Your critique would maybe be valid if every Raspbian installation got its key from that http address and then used it to verify future packages. They do not. So it is not relevant to Raspbian's security. Every new Raspbian install of course has the key already. You can get the key with wget if you want it for some other purpose, and are free to use https, but it does not play an important role in Raspbian's security at that point.

It would be good to hear a scenario of a possible attack.

Heater
Posts: 15990
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:11 pm

The Ken Thompson Hack, or more correctly his paper and talk "Reflections on Trusting Trust", is trotted out all the time by those who want to suggest that trying to achieve computer security is pointless. Ironically that talk was given in 1984.

There are ways around it https://www.schneier.com/blog/archives/ ... _trus.html

Anyway that is not scope of the proposition of this thread.

Heater
Posts: 15990
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:14 pm

fruit-uk,
When can we expect to see your contributions?
To whom are you speaking and what would you like contributed?

Lope
Posts: 70
Joined: Tue Jul 02, 2013 7:53 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:20 pm

Heater wrote:So in summary your point is:
The title of this thread is then incorrect. Raspbian as an OS may be as secure as it can be. It's the distribution mechanism that may be flawed.
Once insecure APT packages have been distributed to your OS, your OS is insecure.
Sleep Mode zZ wrote:Your critique would maybe valid if every Raspbian installation would get their key from that http-address - and did then use it to verify future packages with it. They do not.
On the contrary, I have seen various responses to questions in the forums, where people suggest running commands like this
wget http://raspberry-something -O - | apt-key add -

Novices trying to get their Raspberry Pi working will not think twice about running commands like that. While your point is fair that someone who has downloaded a fresh Raspbian install (that they assume they can trust) will already have the GPG keys and in normal use they would not update their GPG keys using the insecure HTTP mechanisms provided by the Raspberry package maintainers.

However, you cannot automatically trust Raspbian installs that you download from Raspberry Pi's server. Have a look at the latest Noobs download URL:
http://director.downloads.raspberrypi.org/NOOBS/images/NOOBS-2015-02-18/NOOBS_v1_4_0.zip
HTTP, once again.
Technically you could check the SHA-1 sum... is the average user going to do that?
I think for the average user, if it unzips, they think "success".
You could also grab a torrent, which is secure because it employs automatic checksumming. But Raspberry Pi has nullified the security of the BitTorrent protocol as well by serving you the torrent file over a HTTP connection... again!
http://downloads.raspberrypi.org/raspbian/images/raspbian-2015-02-17/2015-02-16-raspbian-wheezy.zip.torrent

Raspberry Pi and associated package maintainers have repeatedly botched the built-in security of these protocols, which really makes it hard for me to trust that the Raspberry Pi people are going to follow good security practices, for example looking after their private keys.
If they have botched GPG key distribution so badly, what else?
Last edited by Lope on Mon May 04, 2015 12:53 pm, edited 4 times in total.

Lope
Posts: 70
Joined: Tue Jul 02, 2013 7:53 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:24 pm

Heater wrote:fruit-uk,
When can we expect to see your contributions?
To whom are you speaking and what would you like contributed?
How about we stay on topic: Rasbian Security.
Instead of hijacking this thread, you're welcome to start your own thread where you can talk all about who's making contributions and how great they are.

ame
Posts: 3172
Joined: Sat Aug 18, 2012 1:21 am
Location: New Zealand

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:34 pm

tl;dr do you have any EVIDENCE this is happening?

(also, please spell Raspbian properly, it'll make people more likely to think you know what you are talking about).

Heater
Posts: 15990
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:37 pm

What is the worry here? Raspbian and its distribution are as secure as anyone knows how to make it as far as I can tell.

If I want to install Raspbian I do this:

1) Go to the downloads page at https://www.raspberrypi.org/downloads/

Note the https there. Presumably I have a secure, authenticated connection. At least my browser does not complain.

2) I download the zip file.

3) On that same secure download page is the SHA-1 hash of the downloaded zip file:
SHA-1: b71d7b61f44e9bd582df71c9be494c271c97650f

4) I verify that the file I have just downloaded has the same SHA-1 sum as indicated on the secure download page:


$ sha1sum 2015-02-16-raspbian-wheezy.zip 
b71d7b61f44e9bd582df71c9be494c271c97650f  2015-02-16-raspbian-wheezy.zip
$ 
5) OK, it matches. I can confidently flash my SD with that.

Note: by using the cryptographically sound SHA-1 hash as a check, obtained from a secure website, it does not matter if the zip file itself came via an insecure channel.

I suggest, Lope, that you change the name of this thread from the inflammatory "RASBIAN IS A COMPLETELY INSECURE OPERATING SYSTEM" to something that suggests that the downloads may be insecure if people have no idea what they are doing.

I suspect there may well be a problem in the documentation surrounding all this and certainly those who think a computer means Windows will have no idea.
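The five steps above as a worked example. This is added code, not from this thread and not from the Raspberry Pi Foundation: it pulls the "SHA-1: <hex>" line out of the download page text, hashes the downloaded file in chunks (images are large), and compares in constant time. The image bytes and the page snippet are constructed stand-ins, not the real 2015-02-16 image or its published hash; the parser also accepts a "SHA-256:" line, since the check is identical whichever hash the page publishes. The tampered-file case shows the point of the post: once the hash comes from an authenticated page, the channel the zip itself travelled over no longer matters.

```python
# Added example: verify a downloaded image against the hash published on the
# HTTPS download page. SAMPLE_IMAGE and SAMPLE_PAGE are CONSTRUCTED stand-ins.
import hashlib
import hmac
import os
import re
import tempfile

# Matches the "SHA-1: <40 hex>" line quoted in the post, and "SHA-256: <64 hex>".
HASH_LINE = re.compile(r"^\s*(SHA-?1|SHA-?256)\s*:\s*([0-9A-Fa-f]{40,64})\s*$",
                       re.MULTILINE)


def published_hash(page_text):
    """Return (hashlib algorithm name, lowercase hex digest) found on the page."""
    m = HASH_LINE.search(page_text)
    if not m:
        raise ValueError("no SHA-1/SHA-256 line found on the page")
    algo = m.group(1).replace("-", "").lower()      # "sha1" or "sha256"
    digest = m.group(2).lower()
    if len(digest) != 2 * hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match the named algorithm")
    return algo, digest


def file_digest(path, algo):
    """Hash a (possibly multi-gigabyte) file in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, page_text):
    """True only if the file hashes to the value the authenticated page publishes."""
    algo, want = published_hash(page_text)
    return hmac.compare_digest(file_digest(path, algo), want)


# Constructed stand-ins (NOT the real 2015-02-16 image or its published hash).
SAMPLE_IMAGE = b"PK\x03\x04" + b"constructed-raspbian-image" * 1000
SAMPLE_PAGE = (
    "Raspbian Wheezy\n"
    "Release date: 2015-02-16\n"
    "SHA-1: " + hashlib.sha1(SAMPLE_IMAGE).hexdigest() + "\n"
)


def demo():
    """Write the genuine image and a one-byte-tampered copy; return both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "raspbian-wheezy.zip")
        bad = os.path.join(d, "raspbian-wheezy-mitm.zip")
        with open(good, "wb") as f:
            f.write(SAMPLE_IMAGE)
        with open(bad, "wb") as f:
            f.write(SAMPLE_IMAGE[:-1] + b"!")   # what an on-path attacker might serve
        return verify_download(good, SAMPLE_PAGE), verify_download(bad, SAMPLE_PAGE)


if __name__ == "__main__":
    genuine_ok, tampered_ok = demo()
    print("genuine image verifies:", genuine_ok)
    print("tampered image verifies:", tampered_ok)
```

With a real download, page_text is the HTML of the HTTPS downloads page and path is the zip you fetched by whatever means; the verdict is the only thing that needs to come from the authenticated side.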

Sleep Mode zZ
Posts: 319
Joined: Sun Aug 19, 2012 5:56 am
Location: Finland

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:39 pm

Lope wrote:
Sleep Mode zZ wrote:Your critique would maybe valid if every Raspbian installation would get their key from that http-address - and did then use it to verify future packages with it. They do not.
On the contrary, I have seen various responses to questions in the forums, where people suggest running commands like this
wget http://rasberry-something -O - | apt-key add -
Where? I can't find those posts on this forum...

Seriously, how many users have deleted their apt keys and then downloaded new ones? What purpose could there be for doing that? If some totally clueless user did that and compromised their system, I'm sure there are easier ways to attack them and their Raspbian system. Giving them a wrong apt key and then giving them fake packages to compromise their system with, with the ultimate goal of stealing their money? Would there not be shorter and easier ways to compromise the computer and bank account of someone who types into their terminal anything other people want?

fruit-uk
Posts: 609
Joined: Wed Aug 06, 2014 4:19 pm
Location: Suffolk, UK

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:44 pm

Heater wrote:fruit-uk,
When can we expect to see your contributions?
To whom are you speaking and what would you like contributed?
The original poster... who seems to have many criticisms but little in the way of a constructive path forward

Heater
Posts: 15990
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 12:50 pm

Lope,
Once insecure APT packages have been distributed to your OS, your OS is insecure.
That is true. Now, where did those insecure APT packages come from? Presumably not from the initial installation as I outlined above.
I have seen various responses to questions in the forums, where people suggest running commands like this
wget http://rasberry-something -O - | apt-key add -
Ah yes, users get root on their machines and then install random junk off the net. Especially junk that can run as root thereafter.

How is this Raspbian's fault?
You can not automatically trust Raspbian installs that you download from Raspberry Pi's server
Perhaps not automatically. But very easily, see my post above. As I said security is a matter of vigilance not technology.
Technically you could check the SHA-1 sum... is the average user going to do that?
Perhaps the average user should be educated as to the need to make such checks. Hey, education is the point of the Pi, right?
You could also grab a torrent.
There is nothing wrong with using that channel.
This GPG keys over HTTP is such a massive fail that it really makes it hard for me to trust that the Raspberry Pi people
Who do you mean by "the Raspberry Pi people"?

As we have determined, Raspbian is distributed in about as secure a manner as is possible. If users want to install other random junk as root then there is not much that can be done.

What are you suggesting could be done to close up this hole you are positing?

fruitoftheloom
Posts: 23403
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 1:01 pm

To the OP Loopee, I find this whole post sensationalist and distasteful.

Seems to me too much reading (Googling) and picking up pointers to justify the reason for posting.

I am glad it was moved to Off-Topic, though removing would have been better IMO

Any Operating System whether based on Linux, Unix, NT, OSX, BSD etcetera etcetera has insecurities, but is the insecurity an issue ?? probably for 99.9999999999% of users NOT.

:roll:
Rather than negativity think outside the box !
RPi 4B 4GB (SSD Boot)..
Asus ChromeBox 3 Celeron is my other computer...

Heater
Posts: 15990
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 1:02 pm

Sleep Mode zZ,

You know, Lope has a point, I did a quick google site search for "apt-key add" on the forums here. There are many hits. And one of the first dodgy install instructions I find is this one (does not actually add a key):


wget http://prdownloads.sourceforge.net/webadmin/webmin-1.580.tar.gz
gunzip webmin-1.580.tar.gz
tar xf webmin-1.580.tar
cd webmin-1.580
sudo ./setup.sh /usr/local/webmin
From here: viewtopic.php?f=63&t=6096

BANG! You are owned. Who knows what that package contains?

What to do about that?

Heater
Posts: 15990
Joined: Tue Jul 17, 2012 3:02 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 1:04 pm

Why was this moved to "off topic"? The title of this post may be inflammatory and the case presented sketchy, but the security issues are real.

Lope
Posts: 70
Joined: Tue Jul 02, 2013 7:53 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 1:10 pm

fruit-uk wrote:The original poster... who seems to have many criticisms but little in the way of a constructive path forward
How about reading my first post, which points out serious security failings and suggests obvious solutions?
Sleep Mode zZ wrote: Where? I can't find those posts on this forum...
You can currently find about 7500 such examples on the internet
https://www.google.com/search?q="apt-ke ... spberry+pi

And about 400 on this forum
https://www.google.com/search?q="apt-ke ... errypi.org

Many people who google a problem, and find a suggested solution online, will try the solution without posting on that forum. So you can multiply these numbers by x to get an idea of how many users have done this.

The simple fact that you cannot ignore is that Raspberry Pi has botched security. Not for everyone, yes. But for those who run these commands or download the distro zip files (most users), and don't verify the zip files with the SHA1 hash (most users).

The commands to add GPG keys from an insecure source are suggested to many thousands of people all over the internet, also suggested by the official Raspbian Repository.

The suggestions themselves, while they misinform novices regarding security practice, would be harmless if Raspberry Pi package maintainers set up their servers in a responsible manner and did not supply GPG keys and torrents over insecure HTTP.

Lope
Posts: 70
Joined: Tue Jul 02, 2013 7:53 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 1:24 pm

fruitoftheloom wrote:To the OP Loopee, I find this whole post sensationalist and dis-tasteful.
What's it going to take to wake up? How about examining the factual information presented that you can confirm for yourself instead of attempting personal attacks?
fruitoftheloom wrote: Seems to me to much reading (Googling) and picking up pointers to justify the reason for posting.
It's called substantiation.
fruitoftheloom wrote:I an glad it was moved to Off-Topic, though removing would of been better IMO
Sweep the dirt under the carpet. Where nobody will find it. Well done.

And as for your last comment about most systems being insecure, see my post above about defeatist attitudes. And as for your comment about security not being important for 99.9999% of users, what a load of crap.

To sum up your post, you make personal attacks, want to see security problems hidden away or deleted entirely, you promote a defeatist attitude and dismissing the idea of security entirely. What a sad waste of space your post is.

Lope
Posts: 70
Joined: Tue Jul 02, 2013 7:53 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 1:29 pm

Heater wrote:Sleep Mode zZ,

You know, Lope has a point, I did a quick google site search for "apt-key add" on the forums here. There are many hits. And one of the first dodgy install instructions I find is this one (does not actually add a key):


wget http://prdownloads.sourceforge.net/webadmin/webmin-1.580.tar.gz
gunzip webmin-1.580.tar.gz
tar xf webmin-1.580.tar
cd webmin-1.580
sudo ./setup.sh /usr/local/webmin
From here: viewtopic.php?f=63&t=6096

BANG! You are owned. Who knows what that package contains?

What to do about that?
You have presented another significant issue regarding bad security advice. However, that is bad advice from a 3rd party. The whole topic that I have presented here is with regard to bad security practices, performed by the Raspberry Pi website and package repositories.
We can't stop random people giving bad advice online. But as per my suggestions that I've made in this thread, the Raspberry Pi website and package repositories can take simple steps to eliminate their insecurity relating to distribution of GPG keys and torrents.

ukscone
Forum Moderator
Posts: 4225
Joined: Fri Jul 29, 2011 2:51 pm

Re: Rasbian is a completely INSECURE operating system

Mon May 04, 2015 1:33 pm

locking as thread is degenerating

plugwash
Forum Moderator
Posts: 3621
Joined: Wed Dec 28, 2011 11:45 pm

Re: Rasbian is a completely INSECURE operating system

Tue May 05, 2015 1:49 pm

Unlocking and moving to the raspbian forum as I believe there are real issues here that need to be discussed.

plugwash
Forum Moderator
Posts: 3621
Joined: Wed Dec 28, 2011 11:45 pm

Re: Rasbian is a completely INSECURE operating system

Tue May 05, 2015 2:18 pm

Lope wrote:
HTTPS like APT, solves this problem with public key encryption.
When you try to go to http://mybank.com mybank sends you a HTTP 301 response "Moved permanently" and a Location header, telling your web browser to go to https://mybank.com
Your web browser will automatically go to https://mybank.com and establish a SSL connection (tunnel) for the HTTP data to flow through.

HTTPS ensures
1. Nobody can see any of the information you're sending to the bank, or what they're sending you.
2. Nobody can change any of the contents (that they can't even read) because your web-browser will detect that the data is invalid.
3. You know that the server you're trying to communicate with IS the author of the information you have received, because it has signed the information using it's private key.
Well it ensures all of that provided that you trust the certificate authorities. It's certainly better than plain http, but there is always a fundamental bootstrapping problem with these things: who do you trust to tell you what is trustworthy? If someone manages to get a MITM box in on the server side (rather than the client side) they can easily buy an ssl cert in your name. Most SSL cert vendors' idea of domain ownership verification is to send an email to postmaster@domain.
Most of the Raspberry pi repositories have completely undermined APT security, and thus, every Raspberry Pi is insecure
I think you are overstating the case. Yes, there can be a risk if people are using a compromised internet connection at the time of setup, and yes, that could possibly be improved (though ultimately there is a limit to what you can do about user stupidity). Security is not a black and white thing; there are risks that can be reduced but you can't eliminate them.

I first discovered the problem when I went to this page
https://www.raspbian.org/RaspbianRepository

Raspbian.org suggests this completely insecure command
wget http://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -

They want your Raspberry Pi to trust a public key, that they're going to send you, using absolutely no security of any kind.
That public key, that supposedly comes from archive.raspbian.org and bounces through many many servers and network links before it gets to you, could be changed many times... and your computer wouldn't have the faintest idea.
Sorry about that, that page was written before we had https, fixed the page.
This is how it's supposed to happen if someone foolishly makes a HTTP request for a public key (just like the bank example)
1. You request http://archive.raspbian.org/raspbian.public.key
2. archive.raspbian.org responds with 301 Moved permanently. then redirects you to make a HTTPS connection. or better "400 Bad Request" so you can realize your mistake!
3. you connect to https://archive.raspbian.org/raspbian.public.key and receive a public key that you can trust has not been changed, and is authentic, given to you by archive.raspbian.org.
That doesn't really help much. If a man in the middle can mess with a http download they can also mess with a redirect.
I did this, but I can't recommend you do it. You will see why...
apt-key list #now you will see all your GPG keys
#don't run these commands, unless you know what you're doing
apt-key del 'Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com>'
apt-key del 'Raspberry Pi Archive Signing Key'
apt-key del 'Collabora Raspbian Archive Signing Key <daniels@collabora.com>'
apt-key del 'Wolfram Research, Inc. (WolframEngine Raspbery Pi signing key) <raspbian@wolfram.com>'
I really don't see the point in this. If you trust the image you should trust the keys contained inside, if you don't trust the image then removing the keys is kind of pointless. The raspberry pi foundation provide (over https) a sha1 hash that can be used to verify the image, if people choose not to verify said hash there isn't much we can do.

wget https://archive.raspberrypi.org/debian/raspberrypi.gpg.key
#archive.raspberrypi.org does not even have functional SSL!!! Never mind ALLOWING GPG keys to be downloaded insecurely. They ONLY serve GPG keys insecurely!

wget https://repository.wolfram.com/raspbian/raspbian@wolfram.com.gpg.pub-key
#the repository.wolfram.com server does not even have an SSL HTTP server installed at all.
To rpf people, can you make an authoritative set of GPG keys you include in your image available over https somewhere? I know https isn't perfect but it's miles better than plain http.
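One defensive pattern for the key-installation step argued about above, as an added example that is not from this thread and not the Raspbian project's or the Raspberry Pi Foundation's own tooling: fetch the key over HTTPS with no possibility of a downgrade (a redirect to plain http is refused, which addresses the point that a man in the middle can rewrite a 301 just as easily as a download), then compare the downloaded file against a digest pinned out of band (for example, one published on an https page or shipped inside an image whose hash you already checked) before it goes anywhere near the APT keyring. The URL, key name and pinned digest are placeholders; the demo at the bottom runs offline on a constructed file.

```shell
#!/bin/sh
# Added example, not code from the thread or from Raspbian/RPF.
# Fetch an APT signing key over HTTPS only, then install it only if its
# SHA-256 matches a value pinned out of band. URL/name/digest are placeholders.

set -eu

# Fetch over HTTPS only. --proto '=https' rejects an http:// URL outright and
# --proto-redir '=https' rejects any redirect that would leave HTTPS, so a
# tampered 301 cannot quietly downgrade the transfer.
fetch_key_https() {
    url=$1
    out=$2
    curl --fail --silent --show-error \
         --proto '=https' --proto-redir '=https' \
         --output "$out" "$url"
}

# Return 0 if the SHA-256 of file $1 equals the pinned digest $2, else 1.
# Pinning a digest means the transport is no longer the only thing trusted.
verify_pinned_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Place a dearmored key in /etc/apt/trusted.gpg.d (the apt-key-free equivalent
# of "apt-key add") only after the pinned check passes.
install_key_if_pinned() {
    file=$1
    expected=$2
    name=$3
    if verify_pinned_sha256 "$file" "$expected"; then
        gpg --dearmor < "$file" > "/etc/apt/trusted.gpg.d/$name.gpg"
        echo "installed $name"
    else
        echo "refusing to install $name: digest mismatch" >&2
        return 1
    fi
}

# Typical use (placeholders, needs network and root; not run by the demo):
#   fetch_key_https 'https://example.invalid/repo.public.key' /tmp/repo.key
#   install_key_if_pinned /tmp/repo.key '<PINNED_SHA256_FROM_HTTPS_PAGE>' repo

# Offline demo on a constructed file: "hello\n" has a well-known SHA-256.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    if verify_pinned_sha256 "$tmp" "$good"; then
        echo "pinned digest matches: key would be installed"
    fi
    if ! verify_pinned_sha256 "$tmp" "0000"; then
        echo "digest mismatch: tampered key would be rejected"
    fi
    rm -f "$tmp"
}
demo
```

The digest check is what separates this from the `wget ... | sudo apt-key add -` one-liner: even if both the HTTPS fetch and the redirect rules were somehow bypassed, a key that does not match the pinned value is never installed, and the failure is loud rather than silent.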

Sleep Mode zZ
Posts: 319
Joined: Sun Aug 19, 2012 5:56 am
Location: Finland

Re: Rasbian is a completely INSECURE operating system

Tue May 05, 2015 2:47 pm

Lope wrote: Most of the Raspberry pi repositories have completely undermined APT security, and thus, every Raspberry Pi is insecure

This is a bold claim. As far as I can tell, it is true. Please investigate for yourself.

I first discovered the problem when I went to this page
https://www.raspbian.org/RaspbianRepository

Raspbian.org suggests this completely insecure command
wget http://archive.raspbian.org/raspbian.public.key -O - | sudo apt-key add -

They want your Raspberry Pi to trust a public key, that they're going to send you, using absolutely no security of any kind.
No they do not want that. The text reads, "If needed, the Raspbian public key can be stored into your apt-get keyring using the following command:[...]". "If needed" - and most people never need to do that. If you need to do that - you probably understand the security implications. The fact that an uninformed new user might do that is not really very relevant because there are so many other more serious and direct vulnerabilities that he/she might be socially engineered into.

Your scenario limits the attacker to those that 1) are in position to do a man in the middle attack - during the key-add as well as the subsequent apt-activity that will lead to fake packages. If the victim can communicate to the Raspbian repositories outside of the middle man's control - there will be some error because of the wrong keys and the victim will see that there is something wrong with his/her system.

2) Get the victim to update or install new packages with his/her apt program which now accepts a wrong key.

3) Still being in the middle of the communication, the attacker gives fake packages (that he/she has packaged beforehand) that introduce some vulnerabilities and give control of the victim's Raspbian system to the attacker.

4) Now at last the attacker is free to rob the victim's bank account etc.

The question then is, why would any attacker go through such lengths when he could as well get the victim to install some malware right off the bat? Would that be any harder than to get him/her to delete their apt-key and add a new one - apparently from the Raspbian site - when he/she is willing to copy and paste instructions to the terminal without understanding them?

I see that they have now updated the instruction to https - that is nice. But having http there was never such a security catastrophe as you presented it to be.
Lope wrote: That public key, that supposedly comes from archive.raspbian.org and bounces through many many servers and network links before it gets to you, could be changed many times... and your computer wouldn't have the faintest idea.
To actually be a man in the middle, the only real places to do that, are next to either end of the connection. That limits the possible attackers quite a bit. The traffic between the end points can take many routes, and not all packets in the connection have to go the same route.
Lope wrote: So Raspbian.org has just BROKEN APT SECURITY, completely.
No they had not.
Last edited by Sleep Mode zZ on Tue May 05, 2015 5:14 pm, edited 2 times in total.
