lol

2024-08-07 22:53:27 +02:00 · 2024-08-07 22:53:27 +02:00 · 5017917a68
parent b76ffc648d
commit 5017917a68
4 changed files with 56 additions and 41 deletions
--- a/docs/posts/curlpipebash.md
+++ b/docs/posts/curlpipebash.md
@ -5,36 +5,38 @@ unlisted: true

 # Using curl | bash safely

+> The post you're about to read is the result of the research of \[REDACTED\] foxes in a trenchcoat.
 > I don't know what I'm doing.
-> This is
 >
-> Take everything I say here with a wheelbarrow of salt. Do your own research. Don't trust *one* random peron on the internet with your infrastructure.
+> Take everything I say here with a wheelbarrow of salt. 
+> Do your own research.
+> Don't trust *one* person's opinion with the security your infrastructure.

 In April of 2024 I wrote [a post](./old-curlpipebash.md) on Fedi explaining that using `curl | bash` was not a security risk.
 I based my original argument on the fact that you ultimately have to trust the person that provides you the code.
+A bit later, I discussed on the same topic with 2 people in a Matrix channel.
+They exposed me to an attack vector that makes using `curl | bash` actually potentially dangerous.
+This caused me to do further research on the topic, and ultimately write this post.

-<!-- discuss on ? -->
-A bit later, I discussed on the same topic in a Matrix channel.
-The people involved showed me how it was actually a bit risky to use `curl | bash`.
-This is what caused me to do research on the topic and write this post.
 <!-- which is true, but *incomplete*. -->
-But is it actually dangerous ?
-Is the cake a lie ? <!-- ? -->
-Well, as you could probably imagine, it turns out that the answer actually is, "it depends".
+<!-- But is it actually dangerous ? -->
+<!-- Is the cake a lie ? -->
+<!-- Well, as you could probably imagine, it turns out that the answer actually is, "it depends". -->
+<!-- I'll talk about what the actual dangers of using `curl | bash` are, and how we can mitigate them. -->

-I'll talk about what the actual dangers of using `curl | bash` are, and how we can mitigate them.
+> TL;DR: If you're here because you just want to download software, go for it.
+You're *probably* going to be just fine.
+If you're interested in information security or want to implement a `curl | bash` script however, please read the rest.

-> TL;DR: If you're here because you just want to download software, go for it. You're *probably* going to be just fine. If you're interested in learning or want to implement a `curl | bash` script however, please read the rest.
+## Terminology

-## Terminology DONE
-
- Software artifact: Stuff that comes out of your repository: code, shell scripts, binaries, etc. In this blog post I will focus on the shell script that installs your binaries more than anything else.
+- Software artifact: Stuff that comes out of your repository: code, shell scripts, binaries, etc.
+In this blog post I will focus on the shell script that installs your binaries more than anything else.

 - Signing authority: a server that hosts the artifact's cryptographic hash or signature.
-
 - Artifact provider: a server that serves the artifact directly to us.

-## Surface attack DONE
+## Attack surface

 We can establish a simplified supply chain for a software artifact:

@ -47,11 +49,11 @@ We can establish a simplified supply chain for a software artifact:

 An malicious actor could compromise the supply chain by attacking:

- (1): The machine the artifact is built on;
- (2): The connection beteen the artifact builder and the server;
- (3): The machine the server is served to client by;
- (4): The connection beteen the server and the client;
- (5): The client that requests the artifact.
+1. The machine the artifact is built on;
+2. The connection beteen the artifact builder and the server;
+3. The machine the server is served to client by;
+4. The connection beteen the server and the client;
+5. The client that requests the artifact.

 For the purpose of this post however, the attack vectors (1), (2) and (5) are out of scope, which leaves us with only (3) and (4).

@ -59,14 +61,15 @@ For the purpose of this post however, the attack vectors (1), (2) and (5) are ou

 Precisely. *Most of the time*.

-## An example script DONE
+## An example script
+
+We'll use this script as an example for the rest of this post:

 ```bash
 curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
 ```

-This script installs the Determinate Nix installer, an installer for the Nix package manager.
-We'll use this as an example for the rest of this blog post. Let's break it down a bit:
+This script installs the Determinate Nix installer, an alternative installer for the Nix package manager. Let's break it down a bit:

 - `curl`: Call the cUrl commande line utility; This will create a HTTPS request;
 - `--proto '=https'`:
@ -84,6 +87,8 @@ At first glance, this seeems like a secure way to run the installer.
 However, this script does't check that the script you're downloading is what it should be.
 If the server is compromised in some way, we could be downloading malware instead.

+## Securing our infrastructure
+
 We can mitigate this risk by using a method used by most package managers, which is using 2 different servers with different functions:

 - One that hosts the artifact's cryptographic hash or signature (here called *signing authority*);
@ -142,26 +147,33 @@ An example infrastructure would look like this:
    - Domain: `install-determinate.systems`

 > Notice the artifact is now in a different domain (`install-determinate.systems`) and not in a subdomain like it was previously (`install.determinate.systems`).
+> That means that both servers need to use 2 very different SSL certificates.

 Now, compromising this part of the supply chain has become extremely hard. The attacker will either:

 - Need technical knowledge in NixOS, RHEL, Nginx and Apache, as well as compromising an entire CDN (TODO);
- Compromise both of the sysadmin's machines through social engineering;
- ...
+- Compromise both of the sysadmin's machines by hacking them or through social engineering;
+- TODO
 - Use several of the methods listed above.

-Now, it would be a lot more feasible to attack another part of the supply chain, which is a subject for another blog post.
+Now, it would be a lot more feasible to attack another part of the supply chain, which is a subject for another post.

 ## Implementing curl | bash safely

 > You've spent so much time explaining that `curl | bash` is insecure, why would we bother making a secure version of it ?

 Because the other way around this is to package your software for every distro and package manager under the sun, which is a task which simply imagining sends shivers down my spine.
+<!-- check wording -->

-Making a shell script that leverages this infrastructure isn't actually hard at all. Most of the work is around creating two resilient and independent servers. What we have to do is simply to check the artifact provider's response against a hash or a signature provided by the signing authority.
+Making a shell script that leverages this infrastructure isn't actually that hard.
+Most of the work is around creating two resilient and independent servers.
+What we have to do is simply to check the artifact provider's response against a hash or a signature provided by the signing authority.

+<!-- TODO: host scripts on the blog -->
 ```bash
+# good script
 CURL=$(curl --tlsv1.3 https://pastebin.com/raw/Tity9gDQ)
+# bad script
 # CURL=$(curl --tlsv1.3 https://pastebin.com/raw/xYTmzaMQ)

 EXPECTED='caa42ef74ba42d3d097bfcd7c718cd22ca807c1116ce1f86b00ecce9337858d7  -'
@ -178,6 +190,8 @@ This can be minified a bit, but it's more readable like that.

 ### Updating the script

+<!-- TODO check howto do that -->
+
 When a new artifact is available, the artifact provider has to start hosting it.
 Then, the signing authority needs to get the artifact's hash (dirctly from the source) and then update the way the script is displayed (git repo or website).

--- a/docs/posts/nixos-wifi-agenix.md
+++ b/docs/posts/nixos-wifi-agenix.md
@ -29,7 +29,7 @@ Tell your NixOS config to import it:
  };
 ```

-## Import the secrets into NixOS
+## Importing the secrets into NixOS

 Now tell NetworkManager to ensure your profile is installed.
 To achieve this we'll be using `networking.networkmanager.ensureProfiles.profiles` and `networking.networkmanager.ensureProfiles.environmentFiles`:
--- a/docs/posts/old-curlpipebash.md
+++ b/docs/posts/old-curlpipebash.md
@ -1,18 +1,19 @@
 ---
-date: 2024-05-22
+date: 2024-08-22
 unlisted: true
 ---

 # curl | bash: original post

-> TODO
-> WARNING: this post has been written in April of 2024 because
+> **WARNING**: this post has been written in April of 2024.
 >
 > I put this post here because I had deleted it from fedi before thinking it'd be better to have it available *somewhere*.
 >
-> Most of the points I made here are valid, but I've realied that as a whole this is bullshit. My tone is unnecessarily heated and
+> Most of the points I made here are valid, but I've realized that as a whole this is bullshit.
+> In retrospect, my tone was unnecessarily heated and I did kinda miss the point.
 >
-> My opinion has since changed; see my newer [blog post](./curlpipebash.md). cya
+> I ain't proud of this one but I do want to keep it accesible for posterity.
+> My opinion has since changed; see my [blog post](./curlpipebash.md) about this. cya

 For those that go crying on social media about an application telling you to `curl | bash` or even to `curl | sudo bash` because you're running arbitrary code as root:

--- a/haml/main.haml
+++ b/haml/main.haml
@ -96,7 +96,7 @@

    -# 88x31 badges
    %br
-    people i like
+    cool people/creatures
    %br

    %a.badge(href="https://xeiaso.net")