Lately I’ve been talking a lot about the supply chain risk. You import some software, and are suddenly importing their business model and practices. Well, we’ve just had another ‘shenanigan’ unveiled. And its got some good drama. https://github.com/dominictarr/event-stream/issues/116

In a nutshell there is some package which is relatively stable. The original developer doesn’t use it anymore, its stagnant, but people are still using it. Someone comes alone, offers to take over the maintaining, its handed off.

The new dev makes a quick minor fix, updates the package. And then… makes some evil changes, pushes them on top of that version and then hides it.

And now all your bitcoin are belong to unknown dev #2.

And lots of things are broken. One person in the thread (perhaps a troll) is complaining because he has some software which has pinned the dependency to the bad version, and now won’t build in their CI.

Millions of people have installed this software, somewhere, everywhere, no real way to say.

Since there is no signing, we can’t say what was in github when it was published, or if it came from github or elsewhere, so the source is murky. There’s some encryption, some patching of dependencies. You could have this and not know. You can’t trust the ‘npm ls’ to show the truth.

So this brings up the question of open source governance. A strong project that is hard to breach has multiple maintainers, who are unrelated to each other, and who it takes more than one of reviewing a commit to get it approved. Is this something you look for when you choose your immediate upstreams? Do your upstreams look for this? Do their upstreams? And so on. The tree is both deep and wide.

Red team only has to get it right once, blue team needs to be right 100% of the time.

Commence worrying in 3…2…1.

Hint: you want your email to be encrypted in transit. Now, lets take a look at some stats. From my earlier post about ‘Why is Canada less encrypted than the US‘?, and from Google’s Transparency Report, we dig into Sympatico. This is Bell Canada‘s brand for Internet. We see that there is no encrypted email exchanged to Bell from Google (so your friend with a Gmail account mails you on your Sympatico account).

Gobsmacked, I double checked this. First we find the mail exchanger (as below), and then we head to https://www.checktls.com/. Story checks out. Bell does not allow encryption in transit of your email, from anywhere in the world.

$ nslookup
> set q=mx
> sympatico.ca.
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
sympatico.ca	mail exchanger = 0 mxmta.owm.bell.net.

 

Phishing has hit the halfway point on encryption. This means that being TLS-encrypted is no indication a site is real or not (its an indication that it is exactly what it says it is, but not what it might appear as).

Ironically, they might be stronger than the average web site. If we look at whynothttps.com, we find some big ticket names that are not encrypted. I’m looking at you bbc.com (interestingly they do support encryption, but don’t turn it on unless you force it). There’s a workaround (install HTTPS Everywhere as a chrome add-on).

Now, the percent of pages fetched, and of browsing time, is high. See the Google Transparency report. But this is an 80/20 type thing. A small number of sites capture the majority of time, but its the other sites that you get phished and leaked from.

Lets take a look by country. For Canada, there’s a set of non-https sites. Some are owned by our federal government (http://www.cic.gc.ca/). Who’s up for taking their favourite site, checking whether it:

  1. Is available in HTTPS
  2. Is *only* available in HTTPS (or redirects all non HTTPS to the HTTPS version)
  3. Has HSTS enabled?
  4. Has a strong certificate?

Its easy, head on over to https://www.ssllabs.com/ssltest/analyze.html and run a quick check. If its not an A, maybe write to their IT admin and ask why not.

Courtesy of our friends @ Google and their Transparency Report we see that Canada is 89% encrypted to Google. Good, but not great when you realise the UK is 97% encrypted. What could drive this difference? I would think device-types and ages would be similar. This traffic is a bellwether of other encrypted traffic, and we want it to be 100%.

Anyone got any comment?

Image result for moebius stripTomorrow (Tues 27, 2018) we’re going to have the next meetup to talk Continuous Integration. Got a burning desire to rant about the flakiness of an infinite number of shell scripts bundled into a container and shipped to a remote agent that is more or less busy at different hours?

Wondering if its better to use Travis, Circle, Gitlab, Jenkins, with a backend of OpenStack, Kubernetes, AWS, …?

We’ve got 3 short prepared bits of material and a chance to snoop around the shiny new offices of SSIMWAVE.

So, in the Greater Waterloo area and got some time tomorrow night to talk tech? Check the link.