git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: Jeff King <peff@peff.net>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: Martin Langhoff <martin.langhoff@gmail.com>,
	Git Mailing List <git@vger.kernel.org>
Subject: Re: Git ransom campaign incident report - May 2019
Date: Thu, 16 May 2019 00:27:39 -0400	[thread overview]
Message-ID: <20190516042739.GH4596@sigill.intra.peff.net> (raw)
In-Reply-To: <8736lfwnks.fsf@evledraar.gmail.com>

On Wed, May 15, 2019 at 08:59:47PM +0200, Ævar Arnfjörð Bjarmason wrote:

> 
> On Wed, May 15 2019, Martin Langhoff wrote:
> 
> > Spotted this on the internet...
> >
> > https://github.blog/2019-05-14-git-ransom-campaign-incident-report/
> >
> > Haven't hacked on git for a while, and I am not affiliated with any of
> > the stakeholders. However, reading it, I wanted to slam my head on the
> > desk.
> >
> > IIRC, git will sanely store a password elsewhere if it gets to prompt
> > for it. Should we be trying to unpack usernames/passwords from HTTP
> > urls, and DTRT with them?
> >
> > Are there other ways this could be made better?
> 
> I think we should do nothing.

I think so, too.

But just brainstorming, one thing we _could_ do is issue a warning when
we see a password in a URL and say "hey, what you're doing isn't
fantastic; considering using a credential helper".

Of course I suspect there are many cases where people _do_ need to store
the password in plaintext, because an automated system needs to fetch
with it. They can use the plaintext git-credential-store, but it's
slightly more hassle. And it doesn't really _solve_ the problem (though
perhaps it would be harder to accidentally expose it with your web
server!).

> Or, for GitLab/GitHub etc. to discourage use of https API tokens in
> favor of SSH deploy keys. OpenSSH goes out of its way to not allow you
> to provide paswords in URLs, on the command-line etc. in anticipation of
> exactly this sort of scenario. Even then I've seen users write say
> docker images where they manage to hardcode an SSH private key in a
> public image out of convenience or lazyness (say needing "git clone"
> something during the image build).

You can have limited-access https tokens, too. But I don't think those
or deploy keys fix the fundamental problem, because that read access is
sufficient. The ransom is not "give us bitcoin or we will delete your
code, lock you out of your account, etc". Those things can easily be
fixed by complaining to the service provider, who has backups. The
ransom is "give me bitcoin or I will share your code with the world".
So whatever token the server has to do a fetch is enough to steal the
code (though I think deploy keys can be repo-specific, and I'm not sure
if http tokens are; that expands the attack to _all_ of the user's
repos, not just the one the server cares about).

I don't know how many people who git by this actually even want to fetch
to the server, though. They might just have blindly rsync'd up their
local checkout, and the deploy server actually never needed to know
about git in the first place.

-Peff

  reply	other threads:[~2019-05-16  4:31 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-15 17:49 Git ransom campaign incident report - May 2019 Martin Langhoff
2019-05-15 18:59 ` Ævar Arnfjörð Bjarmason
2019-05-16  4:27   ` Jeff King [this message]
2019-05-17 19:39     ` Johannes Schindelin
2019-05-17 22:20       ` Jeff King
2019-05-17 23:13         ` Martin Langhoff
2019-05-19  5:07         ` Jeff King
2019-05-19  5:10           ` [PATCH 1/3] transport_anonymize_url(): support retaining username Jeff King
2019-05-19 23:28             ` Eric Sunshine
2019-05-20 16:14             ` René Scharfe
2019-05-20 16:36             ` Johannes Schindelin
2019-05-20 16:43             ` Johannes Schindelin
2019-05-19  5:12           ` [PATCH 2/3] clone: avoid storing URL passwords in config Jeff King
2019-05-19  5:16           ` [PATCH 3/3] clone: auto-enable git-credential-store when necessary Jeff King
2019-05-20 11:28             ` Eric Sunshine
2019-05-20 12:31               ` Jeff King
2019-05-20 16:48                 ` Johannes Schindelin
2019-05-20 13:56             ` Ævar Arnfjörð Bjarmason
2019-05-20 14:08               ` Jeff King
2019-05-20 15:17                 ` Ævar Arnfjörð Bjarmason
2019-05-20 15:24                   ` Jeff King
2019-05-20 17:08             ` Ævar Arnfjörð Bjarmason
2019-05-20 14:43           ` Git ransom campaign incident report - May 2019 Johannes Schindelin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190516042739.GH4596@sigill.intra.peff.net \
    --to=peff@peff.net \
    --cc=avarab@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=martin.langhoff@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).