Status - update



I think what he's getting at is that there is the potential for someone to post a malicious plugin, which has the ability to run anything it wished - as all commands executed via the webGUI are run as root. Javascript has nothing to do with it.

Sadly, for 10 posts you are the first one (excluding Joe - he is always damn fast :) :) ) to really elaborate on the (serious) problem.

There is a distinct lack of security surrounding the webGUI, however it was never designed to be open to the world. If you're in an enterprise network, simply segregate it.

I never had a problem with the webGUI being visible to everyone in the LAN, but the plugin manager kind of removes the barrier between the safe local network atmosphere and the wiki place where just everyone can insert their crap ;-)

 

 

And seriously guys, if you want to brag about your system or be mad at each other for their opinion, take it to irc or something :-\

... when I open the log utility (not the window from the link in the upper right corner) and start to scroll the log will immediately jump back to the top making it impossible to inspect the log.

 

Well, I'm running APCUPSD 3.14.10 and the new interface, but I don't see your "jump back to the top" problem.  In fact, I left the log page displayed for 24 hours with the latest entry displayed at the bottom of the page; the display didn't change at all in those 24 hours.  I then refreshed the page - the same log entries were left visible, but the scroll bar had jumped up slightly, indicating that there are more entries to view by scrolling down.  So, I have to report that I cannot replicate the fault you are describing.  However, I do not, and never have, run SF.

... if you can't 'trust' the website you are going to.. maybe you shouldn't be going there?

 

But how do you know before you "go there"?  It isn't that long since the Lime Tech website was hacked - that attack could, easily, have been more malicious.


... if you can't 'trust' the website you are going to.. maybe you shouldn't be going there?

 

But how do you know before you "go there"?  It isn't that long since the Lime Tech website was hacked - that attack could, easily, have been more malicious.

 

As I recall, that 'Hacker' merely posted a banner announcing what he had done.  The attacks that I worried about are those which leave no trace of unauthorized access.  They just leave behind whatever malware they are distributing on that 'visit'.  (And it can happen to any site!  I seem to recall that even the White House website has been hacked...)

 

A note to TOM.  Please do NOT allow the plugin manager to automatically download updates to any plugin.  I want to control exactly when (and if) a plugin is updated!


that attack could, easily, have been more malicious.

 

As I recall, that 'Hacker' merely posted a banner announcing what he had done.  The attacks that I worried about are those which leave no trace of unauthorized access.  They just leave behind whatever malware they are distributing on that 'visit'.  (And it can happen to any site!  I seem to recall that even the White House website has been hacked...)

 

A note to TOM.  Please do NOT allow the plugin manager to automatically download updates to any plugin.  I want to control exactly when (and if) a plugin is updated!

 

Agreed!


Just fyi... not a big deal...

 

Drives not attached to the array could use their own section...  They appear below the total.  Now granted, I was clearing the drive, but it only got to 7% in 5 hours, so I cancelled it to run more tests and restarted the array while I was testing etc...

 

Snapshot attached.


If you're paranoid about web browsing, the best solution (and only solution for the seriously paranoid) is to create a VM, set it up exactly how you want, and make a backup of the VM hard drive. Only surf using the VM which is isolated from your personal network. If you suspect anything suspicious, replace the VM hard drive with the backup.

 

Come to think of it, this should be the only way people browse adult sites.


Just to keep things going OT ... Adult sites are not the primary vector for infection everyone likes to think they are.  Good old popular white bread, butter, and apple pie sites are just as risky, if not more so.  Or to be specific, their advertisement banners are, via hacked third-party ad distribution networks.  Attackers go for numbers, and you get numbers by going to what is popular. So yes, very popular porn sites will indeed be prime targets.  But so are major news, shopping, blog, and social network sites.

 

Oh yeah and since everyone "knows" porn sites are risky they all take precautions making those visitors slightly harder to get at, but everyone visiting The New York Times ... well everyone "knows" the NYT is a safe place to surf.  Right?


If you're paranoid about web browsing, the best solution (and only solution for the seriously paranoid) is to create a VM, set it up exactly how you want, and make a backup of the VM hard drive. Only surf using the VM which is isolated from your personal network. If you suspect anything suspicious, replace the VM hard drive with the backup.

 

Come to think of it, this should be the only way people browse adult sites.

 

Snapshots work well here


If you're paranoid about web browsing, the best solution (and only solution for the seriously paranoid) is to create a VM, set it up exactly how you want, and make a backup of the VM hard drive. Only surf using the VM which is isolated from your personal network. If you suspect anything suspicious, replace the VM hard drive with the backup.

 

Come to think of it, this should be the only way people browse adult sites.

 

Snapshots work well here

 

Agree -- VMware's Snapshots are perfect for this use.  In fact I do virtually all my browsing in a "VM for Browsing" virtual machine -- and simply reset it to the "baseline" snapshot when I'm done (takes ~5 seconds).

 


LOL I have to wonder what some of you guys are looking at that requires you to be so protective / anal that you have a VM just for browsing.

 

Jesus, I wouldn't worry about big brother watching you browse for porn or great granny's recipe for spicy anal lube, I'd worry about the satellites up there reading your brain waves.

 

Quick get them tin foil hats back on guys.

 

Enough crap can we get back on topic please.


Doods, chill, it was just a question to see if we could create a fix so we could allow Tom to move forward. Right now, if I think about it, he truly is in full control and starting a --- is pointless.

 

So my question is could we do something to protect our code from bad things and still implement the plugin manager that Tom would seem to want us to have as a tool?


LOL I have to wonder what some of you guys are looking at that requires you to be so protective / anal that you have a VM just for browsing.

 

Jesus, I wouldn't worry about big brother watching you browse for porn or great granny's recipe for spicy anal lube, I'd worry about the satellites up there reading your brain waves.

 

Quick get them tin foil hats back on guys.

 

Enough crap can we get back on topic please.

 

Ha! Classic! No, I don't use a VM for my web surfing. Was just pointing out that copying 10Gb every time you wish to revert back to a VM state is very time consuming and inefficient 8)

hehe indeed it is, I look forward to the next version of the GUI and hope it includes various fixes and improvements.

 

I also look forward to getting the sleep and mail plugins back from SF as stand-alone versions :) hint hint, especially the sleep plugin.

 

Keep up the great work.


Where are you getting this MD5 from?  If it is from the same editable-by-all plug-in page you have only proven that you downloaded the correct malware package.

The MD5 works, but ONLY if the site hosting the file and the MD5 is secure.  A publicly editable WIKI is most certainly NOT secure.  It is about the worst possible solution.

 

unMENU's package manager is fairly safe as for the packages it initially advertises in its package manager, as it is using a repository on code.google.com that is not publicly editable, and MD5 checksums for the packages it downloads from slackware repositories.  (I alone control it.)  You do have to trust me, however, to not put damaging code in a plugin.  8)

 

Basically, Lime-tech needs a secure, controllable plugin repository.

 

If you do download a package.conf or plugin.plg file from somewhere other than a trusted repository, you should inspect it for malware.  The files are all text files, and you can inspect them with any editor.  If you have questions as to their function, ask.

Where are you getting this MD5 from?  If it is from the same editable-by-all plug-in page you have only proven that you downloaded the correct malware package.

 

Ideally, the md5s should be held on a different site from the data, separately controlled.


To limit the exposure of a single site being hacked to host malicious plugins, there should be at least 2 sites on different physical systems and networks that host the same plugin information. Any change to them on one site would not be reflected in the other site. Think of it as parity for plugins.

 

Yes, it makes the task of updating a hosted plugin a bit more complex, since you need to update at least two different sites, but unless both are compromised the changes would be detectable.
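The point made in the last few posts (an MD5 taken from the same editable page as the plugin proves nothing; checksums held on separately controlled sites, compared against each other, make a one-site edit visible) as an added example, not code from the thread or from unMENU. Hostnames, the sample plugin bytes and the checksums are all constructed for illustration.

```python
import hashlib

# Constructed sample data (not a real unRAID plugin): the plugin file as
# originally published, and the same file after someone edited the hosting page.
ORIGINAL = b'<?xml version="1.0"?>\n<PLUGIN name="example">\n</PLUGIN>\n'
TAMPERED = ORIGINAL + b"<!-- modified on the wiki -->\n"


def md5_hex(data: bytes) -> str:
    """MD5 of the downloaded bytes, the same value `md5sum` would print."""
    return hashlib.md5(data).hexdigest()


def verify_plugin(content: bytes, content_host: str, published: dict[str, str]) -> tuple[bool, str]:
    """Check a downloaded plugin against MD5s published on several hosts.

    `published` maps hostname -> MD5 string found on that host. A checksum read
    from `content_host` itself is discarded: whoever can edit that page can edit
    the checksum to match, so it only proves the download equals the page.
    Every remaining, separately controlled checksum must agree with the bytes.
    """
    actual = md5_hex(content)
    independent = {host: c for host, c in published.items() if host != content_host}
    if not independent:
        return False, "no checksum from a host other than %s; nothing to verify against" % content_host
    mismatched = sorted(host for host, c in independent.items() if c.lower() != actual)
    if mismatched:
        return False, "MD5 %s disagrees with %s; either %s or those mirrors were changed" % (actual, mismatched, content_host)
    return True, "MD5 %s confirmed by %s" % (actual, sorted(independent))


def scenarios() -> dict[str, tuple[bool, str]]:
    """Three situations from the thread, run over the constructed sample data."""
    good = md5_hex(ORIGINAL)
    return {
        # Clean download: the wiki and two separately controlled mirrors all agree.
        "clean": verify_plugin(ORIGINAL, "wiki.example",
                               {"wiki.example": good, "mirror-a.example": good, "mirror-b.example": good}),
        # Wiki page edited, plugin and its checksum both replaced; the mirrors
        # still hold the original hash, so the edit is detected.
        "wiki_edited": verify_plugin(TAMPERED, "wiki.example",
                                     {"wiki.example": md5_hex(TAMPERED), "mirror-a.example": good, "mirror-b.example": good}),
        # Only the wiki's own checksum exists: the tampered file matches it, which
        # proves nothing, so the result is "unverifiable" rather than "verified".
        "wiki_only": verify_plugin(TAMPERED, "wiki.example", {"wiki.example": md5_hex(TAMPERED)}),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print("%-12s %s  %s" % (name, "OK " if ok else "REJECT", why))
```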


You are by far the minority here. While I agree a GUI this simple shouldn't *require* Javascript to run, you must have a terrible existence on the internet without it, as ajax is now used extensively to prevent page reloads on many websites. E.g., Google...

I feel sorry for you.  My browser will run circles around any browser you are using. :)

Do you feel sorry for me because I have an automatic coffee maker too? And that I keep my beer in a fridge instead of an icebox? Javascript is the way of the future my friend... Backwards compatibility with 1980's web browsers is not a priority for Tom. Speeding_ant is right in this one.
