D-Link Accidentally Publishes Private Code Signing Keys
New submitter bartvbl writes: As part of the GPL license, D-Link makes its firmware source code available for many of its devices. When looking through the files I accidentally stumbled upon 4 different private keys used for code signing. Only one — the one belonging to D-Link itself — was still valid at the time. I have successfully used this key to sign an executable as D-Link. A Dutch news site published the full story (translated to English with Google Translate).
Hahahaha (Score:1)
"annoyed grunt" (Score:2)
Re: (Score:1)
Yes... this is a very common mistake.
Someone checks in their entire source tree without realizing that it includes their private keys.
Happens all the time.
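The check a release engineer would run before tagging a GPL tarball, as an added example (not from the thread, and not D-Link's code): walk a source tree for PEM private key blocks, say whether each is encrypted, and print a fingerprint of the public key so a found key can be matched against the certificate that actually signs releases. The tree, keys and certificate are generated on the fly as a fixture; the names are made up.

```shell
#!/bin/sh
# Added example: scan a source tree for PEM private keys, report whether each
# is encrypted, and fingerprint its public key (SHA-256 over the DER
# SubjectPublicKeyInfo) so it can be compared with a signing certificate.
set -eu
export LC_ALL=C

# Constructed fixture: a throwaway tree with one plaintext key and one
# passphrase-protected key. Nothing from any vendor's tarball is used.
FIXTURE=$(mktemp -d)
mkdir -p "$FIXTURE/src/tools" "$FIXTURE/src/vendor"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$FIXTURE/src/tools/release.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass pass:hunter2 -out "$FIXTURE/src/vendor/old.key" 2>/dev/null
# The certificate a release would be signed with; it uses release.key.
openssl req -x509 -new -key "$FIXTURE/src/tools/release.key" \
    -subj /CN=ReleaseSigner -days 1 -out "$FIXTURE/signer.crt" 2>/dev/null
printf 'int main(void){return 0;}\n' > "$FIXTURE/src/main.c"

# $1 = key file, $2 = passphrase ("" for an unencrypted key).
pub_fingerprint_from_key() {
    openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}
# Same fingerprint computed from a certificate, so the two can be compared.
pub_fingerprint_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Files containing a PEM private key block, one path per line.
find_private_keys() {
    grep -rlE -- '-----BEGIN (RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----' "$1" \
        2>/dev/null || true
}

# Encrypted if it is a PKCS#8 "ENCRYPTED PRIVATE KEY" block or a legacy PEM
# with a "Proc-Type: 4,ENCRYPTED" header.
is_encrypted_key() {
    grep -qE -- '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Report every key found; exit status = number of plaintext keys (0 = clean).
scan_tree() {
    plaintext=0
    for f in $(find_private_keys "$1"); do
        if is_encrypted_key "$f"; then
            echo "ENCRYPTED  $f"
        else
            plaintext=$((plaintext + 1))
            echo "PLAINTEXT  $f  spki-sha256=$(pub_fingerprint_from_key "$f" "")"
        fi
    done
    return $plaintext
}

scan_tree "$FIXTURE/src" || echo "$? plaintext private key(s) found"
echo "release cert spki-sha256=$(pub_fingerprint_from_cert "$FIXTURE/signer.crt")"
```

Matching fingerprints between a key in the tree and the release certificate is the case that matters: an encrypted key is still a leak of the ciphertext, but an unencrypted one whose public half is in a live certificate means the key must be revoked and re-issued, not just deleted from the next tarball.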
Re: (Score:2)
http://it.slashdot.org/story/1... [slashdot.org]
Re: (Score:1)
Signing keys establish the identity of the company. Those keys should be held by an authority and representative of the company, and no-one else. IT usually answers directly to the board so that's probably a good place to leave the key.
And someone on the board usually has an underperforming nephew hired into a developer position who is tasked with signing the software when the board can't be bothered to remember how to sign a release or patch once every month. And since the nephew isn't all that bright, he'll stick the private keys in the code repo. The circle of life.
Re: (Score:2)
Except when you're second?
Re: (Score:2)
Palm, meet forehead.
Yup. Not an inexpensive uh-oh.
Hack D-Link Private Code Signing Keys (Score:1)
Revoked the keys, but is this still exploitable? (Score:4, Interesting)
They revoked the keys in question in some time in September.
But if you disconnect the machine from the internet, or otherwise block the connection to the server that provides revocation information, will the Windows system still see an executable signed with the revoked key as valid?
I'm not an expert. Genuinely asking.
Re: (Score:2, Interesting)
if you disconnect the machine from the internet, or otherwise block the connection to the server that provides revocation information, will the Windows system still see an executable signed with the revoked key as valid?
Yes, that is exactly how it works. To give an example of how weak this security control is, Google Chrome no longer even bothers, ignoring revocation lists completely. [computerworld.com]
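The behaviour the question is about, as an added example that is not part of the thread and not Microsoft's or D-Link's code: a throwaway X.509 PKI built with openssl, a leaf certificate that the CA then revokes, and three checks run afterwards. The signature still verifies, the chain still validates for a verifier that has no revocation data, and only a verifier that is handed the CRL rejects it. This is plain X.509 with openssl rather than Windows Authenticode, and all names are made up, but the principle is the same: revocation only bites when the verifier can obtain the revocation data.

```shell
#!/bin/sh
# Added example: revocation is a verifier-side decision that needs data the
# verifier must fetch; an offline verifier is in the "without CRL" case.
set -eu
export LC_ALL=C
WORK=$(mktemp -d)
cd "$WORK"

# Constructed PKI: a CA and a "code signing" leaf it issued.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=ExampleCA -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj /CN=ExampleSigner >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out leaf.crt -days 30 >/dev/null 2>&1
openssl x509 -in leaf.crt -pubkey -noout > leaf.pub

# Minimal 'openssl ca' config: only what -revoke and -gencrl need.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = example_ca
[ example_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt
echo 01 > crlnumber

# A stand-in "executable" with a detached signature from the leaf key.
printf 'MZ fake executable payload\n' > app.bin
openssl dgst -sha256 -sign leaf.key -out app.sig app.bin

# 0 if the detached signature verifies under the leaf's public key.
signature_verifies() {
    openssl dgst -sha256 -verify leaf.pub -signature app.sig app.bin >/dev/null 2>&1
}
# 0 if the leaf chains to the CA for a verifier with no revocation data.
chain_verifies_without_crl() {
    openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
}
# 0 if the leaf chains to the CA for a verifier that checks the CA's CRL.
chain_verifies_with_crl() {
    openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl leaf.crt >/dev/null 2>&1
}
publish_crl() {
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}
revoke_leaf() {
    openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
    publish_crl
}
report() {
    if "$1"; then echo "$1: accepted"; else echo "$1: REJECTED"; fi
}

echo "before revocation:"
publish_crl                        # empty CRL
report chain_verifies_with_crl
revoke_leaf                        # the CA revokes the leaf, as D-Link did
echo "after revocation:"
report signature_verifies          # still accepted: the math has not changed
report chain_verifies_without_crl  # still accepted: no revocation data seen
report chain_verifies_with_crl     # rejected only here
```

The last three lines are the answer to the question: blocking the revocation source (or simply being offline) leaves the verifier in the second case, and the revoked key's signatures keep passing until the CRL or an OCSP response reaches it.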
Re:Revoked the keys, but is this still exploitable (Score:5, Informative)
Google Chrome no longer even bothers, ignoring revocation lists completely.
That's not quite what your article says. It says that Google stopped checking with the security authority using the Online Certificate Status Protocol. However, the article also says that Chrome replaced that with a local list of revoked certificates that can be updated without restarting the browser. So, Chrome still does keep track of revoked certificates.
Re: (Score:2)
Yeah, because a locally cached list is anywhere near as accurate as checking each cert as it is used. In fact, there are plenty of sites with bad certs that work just fine in Chrome because they aren't on the list.
But who would ever visit one of those sites?
Re: (Score:1)
The HTTPS webserver asks the OCSP server for a signed by CA & timestamped message every few hours to validate the certificate serial it is using is still valid (i.e. the certificate has not been revoked by CA).
The HTTPS webserver then provides this extra bit of signed information to the browser during the TLS handshake.
So now the load on the OCSP scales better (by website, not by all web users), has minimal latency impact (just t
FAA router lockdown (Score:2)
It's surprisingly common for someone to accidentally publish their private signing key.
It was clarified in the GPLv3, but it is unclear in the GPLv2 and from my understanding is still being debated.
Re: (Score:1)
Surely the GPL requires all the source code required to build the supplied binary.
No it doesn't! You can publish code snippets under the GPL that don't compile at all until incorporated into something else. It's a source code license, not a binary license. If a binary is supplied it's a courtesy not a requirement.
Looks to me like the GPL requires those signing keys to be published if the source cannot be built into a running program without them.
Where, exactly did you look and find that misinformation? The word "compiler", not even compile, occurs once in the entire text of the GPL in the definitions section.
Re: (Score:2)
There is no requirement that code be correct, functional, or compilable.
From GPLv2: "For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable." Are you arguing over whether the provided source code is "for" a particular work? And to what extent do "the scripts used to control compilation and installation" include signing keys?
Re:Surely the GPL requires all source to build. (Score:4, Informative)
There is NOTHING in the GPL (v1, v2 nor v3, nor any sub license alternative) that says the source code has to compile or that an executable be supplied with source code to use the GPL. The quote you reference (and I read it too, I've read the GPL numerous times!) states that if you DO supply a binary, i.e., "executable work", you must also supply all the source files including compiler scripts used for that binary when you distribute under the GPL. There is nothing in the GPL that says the code has to be executable, has to function correctly, nor has to compile from what you distribute under the GPL. The GPL is a copyright license, not a consumer protection law. It just states that if you code it, the source is made available to anyone that wants to use it or modify it, and that the modifications stay under the ascribed GPL license. That's all, nothing else, thank you for playing. Don't let the door hit you on the way out.
Here's some more info for you. [gnu.org]
And since you're obviously too lazy to bother to follow links to find information on the web, here:
GPLv2 section 3. If binary, then also source (Score:2)
If you distribute GPL software which you got from someone else, you may only do so under the GPL license. Section 3 of the GPLv2 says:
----
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code
-----
In other words, you may distribute the binary only if you also distribute the complet
Re: (Score:2)
Unless D-Link uses GPL software in such a way that they are bound to the copyleft terms of the GPL (e.g. they use portions of GPL-bound source code inside their own), as copyright holder they are free to distribute whatever portion they want, in any way they want, to whomever they want. It does not have to be the full software or any signing keys.
This is because the creator of the software is still the copyright holder, so they are the ones who would be a valid plaintiff to any copyright infringement lawsu
Re: (Score:2)
That didn't contradict what I said. It's just another reason the GPL would not cause them any issue.
Re: (Score:2)
No prob
Re: (Score:2)
It's possible to lock the radio processor in this manner without locking the router processor in this manner.
Reminds me of story about a graphics chip company (Score:5, Interesting)
I'll leave the company name out (mostly to protect my source B-) )
This was in the early part of the cycle of:
- A handful of companies made graphics accelerator chips..
- A BUNCH of new companies also made graphics accelerator chips.
- There was a shakeout and only a few survived - not necessarily many - or any - of the original handful.
The company in question was one of the original few.
The hardware was good. But much of the performance advantages were due to some good algorithms in the driver, which were applicable to other good, bad, or moderate capability hardware, rather than depending on special features of the company's product.
As with many Silicon Valley companies, where the value added was so high that the administration could be utterly wacky or clueless and the company would still survive for years, this one had some managers make some dumb decisions.
One dumb decision was to try to save money by limiting the personnel to one new floppy disk per month. So the developers kept reusing the disks they had, when they shouldn't.
As a result, the golden master for an object-only release of the driver was built on a used disk, which had once held the complete sources of the driver in question. Apparently the "reformat" process used didn't overwrite the sectors - but the manufacturing process that cloned the golden master DID copy those sectors.
A customer tried an undelete utility and found almost the entire source code. Oops!
This news got out. Over the next couple years the great algorithms went from being a valuable trade secret (much of the company's "secret sauce") to a de facto industry standard.
Re: (Score:2)
>One dumb decision was to try to save money by limiting the personnel to one new floppy disk per month
Wow, this has got to be one of the most hilarious cases of "penny-wise, pound-foolish" I've ever heard.
Floppy disks were cheap, even back then! They were practically a drop in the ocean when it comes to the budget of even small companies. What were these managers thinking?
Re: (Score:2)
Floppy disks were cheap, even back then! They were practically a drop in the ocean when it comes to the budget of even small companies. What were these managers thinking?
They also organized groups of developers and QA people to be sure the lights in the bathrooms were turned off. Compare the cost of the time of a highly trained and highly paid (pre-H1-B flood) engineer spent on checking a bathroom light to the cost of leaving it on even over a weekend. Then think of the time spent by the lot of them in th
Good for them! (Score:3)
D-Link and GPL (Score:5, Insightful)
I'd just like to point out, before D-Link gets too much criticism, that there are many companies that avoid this situation by violating the terms of the GPL by not making the source code available or even displaying the terms of the license.
Ok, D-Link made a mistake, however I think it is a good thing that they are being sincere to the terms of the license. Well done D-Link, they will fix the problem and I will be happy to buy their products over other vendors who violate the terms of the GPL.
Re: (Score:2, Insightful)
Like this one
https://trac.ffmpeg.org/ticket... [ffmpeg.org]
Blue Iris Video Security Software
Perspective Software
No indication of GPL use. Claims work as his own.
From the download package, BlueIris.exe is UPX compressed. Decompress, then investigate 22 MB file with strings.exe.
libswresample license: GPL version 2 or later
libswscale license: GPL version 2 or later
libavcodec license: GPL version 2 or later
libavformat license: GPL version 2 or later
libavutil license: GPL version 2 or later
Compile strings discovered:
--enable-gpl --cpu=i686 --prefix=/c/msys/1.0/ffmpeg/build --enable-libx264
Here's something fun to do. Tell PayPal that BlueIris is violating term 9c of the user agreement (since they take PayPal for their registration fee):
PayPal User Agreement [paypal.com]
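The strings-based check the comment describes, as an added example that is not part of the thread and not Blue Iris or ffmpeg code: a portable stand-in for strings(1), a UPX-signature check (packed sections hide their strings, so an unpacked copy has to be scanned), and filters for the two kinds of evidence the comment found, the per-library license markers and the embedded ffmpeg configure line. It runs on a constructed sample file whose contents are made up for the example.

```shell
#!/bin/sh
# Added example: pull printable strings out of a binary and look for
# embedded library license markers and build flags.
set -eu
export LC_ALL=C

# Constructed sample "binary": junk bytes around the kinds of marker strings
# an ffmpeg-linked executable carries. Not a real program.
SAMPLE=$(mktemp)
{
    printf 'MZ\000\000\220\000\003\000'
    printf 'libavcodec license: GPL version 2 or later\000'
    printf '\001\002\003junk\000'
    printf 'libavutil license: LGPL version 2.1 or later\000'
    printf 'libx264\000--enable-gpl --cpu=i686 --enable-libx264\000'
} > "$SAMPLE"

# Printable runs of at least N characters (default 8), like strings(1).
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E ".{${2:-8},}" || true
}

# 0 if the file carries the UPX packer signature; scan it after 'upx -d'
# in that case, since the packed sections hide their strings.
is_upx_packed() { grep -qa 'UPX!' "$1"; }

# "<lib> license: <text>" markers, de-duplicated.
license_markers() {
    extract_strings "$1" | grep -E '^[A-Za-z0-9_]+ license: ' | sort -u || true
}

# Build-time configure flags (ffmpeg embeds its configure command line).
configure_flags() {
    extract_strings "$1" | grep -E -- '--enable-' | sort -u || true
}

# 0 if any marker or flag shows GPL (not merely LGPL) terms were enabled.
has_gpl_linkage() {
    license_markers "$1" | grep -qE 'license: GPL' \
        || configure_flags "$1" | grep -q -- '--enable-gpl'
}

if is_upx_packed "$SAMPLE"; then
    echo "UPX-packed: unpack with 'upx -d' before scanning"
fi
echo "license markers:"; license_markers "$SAMPLE"
echo "configure flags:"; configure_flags "$SAMPLE"
if has_gpl_linkage "$SAMPLE"; then
    echo "GPL-licensed components linked in"
fi
```

The "--enable-gpl" flag is the detail worth keying on: ffmpeg builds without it are LGPL, so a binary that carries that flag (or a "license: GPL" marker, or libx264) is the one for which the GPLv2 section 3 source offer applies.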