by SchizoDuckie 3807 days ago
This just sounds like a bad idea to me. Why would you publish all this very sensitive machine info to a third party to retrieve that list? This would be a goldmine if they got hacked.

Also, don't tell your users to blindly pipe curl to sh, ever.

It would be a much better design if it worked the other way around: Aggregate recent security patches into a database and send those to the servers, and have them do a local compare of vulnerabilities. You could charge for the database access and still keep your business model.


Hi, the shell script is an implementation of our API. You can implement your own client against our API endpoints. This gives you complete control of what package data you send to us. If you only care about OpenSSL, you can create a machine with only OpenSSL and we will notify you when that is out of date.

https://patchworksecurity.com/docs/

The current infrastructure segregates the user and machine data. A compromise of both machines would allow an attacker to recreate the mappings between users and their machines. We're hoping that this service will reduce the time your infrastructure is vulnerable because you know immediately when something goes out of date.

Lastly, we wanted to make it really simple for a user to get set up on our service, which resulted in the curl | sh idiom. The source code for the script is on GitHub:

https://github.com/PatchworkSecurity/cleansweep/blob/master/...

"It would be a much better design if it worked the other way around: Aggregate recent security patches into a database and send those to the servers, and have them do a local compare of vulnerabilities. You could charge for the database access and still keep your business model."

There is definitely value in having an aggregate database with recent security information. We agree that there are certain customers who would prefer / require an on-premise solution. Selling database access is something that we have considered, but haven't looked into deeply.

There is no restriction that the data must come from your local machine. You can integrate with our API to create a machine that has "all" packages for Ubuntu version X. We will then notify you when packages are outdated and you can act on that locally. Granted, this still leaks the version of Ubuntu you are running, but we will have no insight into what each of your machines is actually running.

Thanks for raising these concerns.

What's the difference between downloading and executing a binary, installing a package (apt-get, pip, gem, etc.), and curl | sh that makes the latter so bad?

A package is downloaded completely from the net, then checked for its signature. A network transmission is by orders of magnitude less safe with regard to corruption of the payload.

This article sums it up better than I can: http://www.seancassidy.me/dont-pipe-to-your-shell.html

Thanks, this makes sense!