got out as bad Classic Shell downloads.
But I agree with Bill's sentiments completely. I explained more
at the top of the Home and Download pages.
Someone can edit further if they wish.
Post by Bill Unruh
Great. It would help to list which three hours (or make it 5 to make sure you get the overlap region) it was, so that worried people can check and be relieved or panic as the case may be. It would also help to make clear what was done to ensure that nothing slipped by. For example, did they do a test run the day before, and slip in some tiny hole into Audacity that they could use to subvert it in the future? I.e., to reassure people, they need to know how thoroughly the infection was stemmed. They are forgiving, and if they see that you really did do a lot to make sure things are OK now, they will even forgive a discovery that something slipped by, but if they think that the process was perfunctory, they will not. The explanation now posted does go part way there.
How sure can you be that other downloads are not at issue? Can you point
people who were damaged to places where they can find out how to recover from
those damages?
The FossHub note seems to say that no one downloaded the damaged version of Audacity (but did download the Shell). Is that correct? You might ask people to notify you if they did download on Aug 2.
The "use different passwords" advice, though certainly good advice, is really irrelevant to the users. It was not their fault, or their using bad passwords, if they downloaded or ran an infected version. It may be part of the reason why the infected version was uploaded, but that is in a sense your problem, not the user's problem. The users need to know that in future your system will be sufficiently robust that even if a developer password is compromised, it will still not result in the user being damaged.
Also, that link on the main page should state what it is about. Simply saying "Click here" without explaining why is a classic malware tactic. You need to give them a reason to click there, telling them why they should. "Audacity Malware Compromise on FossHub Aug 2. Please click here for more information" or something like that.
Post by Arturo 'Buanzo' Busleiman
There. Added a very prominent link on top of the main page. Is that visible enough? We have no interest in hiding a security incident. I have worked with IT security for the past 20 years, and I *HATE* security through obscurity and FUD.
On Wed, Aug 3, 2016 at 9:06 AM, Arturo 'Buanzo' Busleiman
But I will move it to front-page for this week.
On Wed, Aug 3, 2016 at 9:06 AM, Arturo 'Buanzo' Busleiman
The link is right there, on the "RECENT POSTS". Left side menu.
I would agree that there should be an item on the main audacityteam.org site, and on the audacityteam.org/download site. If you are sure that the 2.1.2 is OK, you can say that, but you have to be upfront and open about it. (Johnson and Johnson re poisoned Tylenol, Maple foods in Canada re the Listeria). Not being upfront (e.g. Blackberry, it took 4 days for them) can easily be a death knell.
No one will see the special web page unless they are looking for it, and it looks like you are hiding the problem. Because of the potentially disastrous consequences for someone who downloaded the hacked version, you really need to warn them fast. (Do you have logs as to who downloaded it from you? Can you send out warnings?)
And are you really, really sure that you got all the malware, that they did not sneak in some hidden treasure elsewhere than the obvious?
William G. Unruh __| Canadian Institute for|____ Tel: +1(604)822-3273
Physics&Astronomy _|___ Advanced Research _|____ Fax: +1(604)822-5324
UBC, Vancouver,BC _|_ Program in Cosmology |____
Canada V6T 1Z1 ____|____ and Gravity ______|_
www.theory.physics.ubc.ca/
On Wed, Aug 3, 2016 at 10:26 AM, James Crook
Many of you will already know that we were hit by hackers yesterday. Vaughan's credentials were compromised, and a malware-laden upload placed on our FossHub site. I have put a post about it on our
http://www.audacityteam.org/hacked-download/
I can't see this from Audacity's home page. Info that I found by googling said that the hacked versions of Audacity and Classic Shell overwrite the MBR. Is that the case? If so, there needs to be a clear warning about this on Audacity's home page.
David.
We are going to be tightening up on security in conjunction with FossHub. Some of the work we do for this will have an impact on the schedule for 2.1.3. We need to make it much harder for a hacker to place a bad download there. We also need to make it easier for users to check and for us to be alerted to problems. As RM for 2.1.3 I am making signing of the Windows installer an essential, not an optional, for 2.1.3. We need additionally to show the 'signed by' name on the download page. Hackers could easily sign with some other plausible-looking credentials, so we need to guard against that. Upping security will take us some time. I am estimating that getting the signing properly and securely sorted out will add a month to our 2.1.3 release schedule, and it is not the only measure we need to take.
--James
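The check James describes above (a signed installer plus the 'signed by' name shown next to the download) only protects a user who actually compares the signer to the published name: Authenticode's "Valid" status means only that some certificate chaining to a trusted root signed the file, which is exactly the plausible-looking-credentials problem he raises. The script below is an added example, written for this page and not part of the thread or of the Audacity project, showing how a Windows user would verify a downloaded installer end to end. The expected hash, signer subject and thumbprint are placeholders; the real values must come from the project's own site over HTTPS, not from the mirror that served the file.

```powershell
# Added example (not Audacity project code): verify a downloaded Windows
# installer against (1) the SHA-256 the project published, (2) a valid
# Authenticode signature, and (3) the expected publisher identity.
# Step 3 is the one that catches a file signed under a look-alike name.
param(
    [Parameter(Mandatory)] [string] $Path,
    # Placeholder values: obtain the real ones from the project's download page.
    [string] $ExpectedSha256        = '0000000000000000000000000000000000000000000000000000000000000000',
    [string] $ExpectedSignerSubject = 'CN=Example Publisher, O=Example Publisher, C=XX',
    [string] $ExpectedThumbprint    = ''   # optional: pin the exact certificate when it is published
)

$ErrorActionPreference = 'Stop'

# 1. Integrity: the bytes must match what the project itself published.
#    Get-FileHash returns upper-case hex, so normalise the expected value.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch: got $actual, expected $ExpectedSha256. Do not run this file."
}

# 2. Authenticity: the embedded Authenticode signature must verify and chain
#    to a root the machine trusts. Anything other than 'Valid' (NotSigned,
#    HashMismatch, UnknownError, ...) is a hard stop.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# 3. Identity: 'Valid' alone says nothing about WHO signed. Compare the
#    signer's subject (and, when published, the thumbprint) to the name the
#    project displays next to the download.
$subject = $sig.SignerCertificate.Subject
if ($subject -ne $ExpectedSignerSubject) {
    throw "Signed by unexpected publisher: '$subject' (expected '$ExpectedSignerSubject')"
}
if ($ExpectedThumbprint -and ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint)) {
    throw "Certificate thumbprint mismatch: $($sig.SignerCertificate.Thumbprint)"
}

# Show the user what was actually checked, not just "OK": the signer name is
# the value they should see repeated on the download page.
[pscustomobject]@{
    File        = $Path
    Sha256      = $actual
    Signer      = $subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    Timestamped = [bool] $sig.TimeStamperCertificate
    Verdict     = 'OK'
}
```

Run it as `.\Verify-Installer.ps1 -Path .\installer.exe -ExpectedSha256 <hash> -ExpectedSignerSubject '<subject>'` (script and file names are illustrative). Two caveats follow from the thread itself: the published hash and signer name are only worth something if they are served from a host other than the download mirror, since a compromise of that mirror could alter both; and pinning the thumbprint is stronger than matching the subject string, because a subject like "CN=Audacity Team" can be obtained by anyone who passes a commercial CA's identity check.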
------------------------------------------------------------------------------
_______________________________________________
audacity-devel mailing list
https://lists.sourceforge.net/lists/listinfo/audacity-devel