[Ardour-Users] MacBook Air/Ardour

Paul Davis paul at linuxaudiosystems.com
Wed Aug 22 11:28:05 PDT 2018 

On Wed, Aug 22, 2018 at 1:47 PM, David Kastrup <dak at gnu.org> wrote:

> Paul Davis <paul at linuxaudiosystems.com> writes:
>
> > On Wed, Aug 22, 2018 at 8:29 AM, David Kastrup <dak at gnu.org> wrote:
> >
> >>
> >> I went to the Download page.
> >>
> >> "Click to get Email with a link to a free/demo copy of Ardour 5.12 for
> >> Linux 64 bit".
> >>
> >> There are so many opportunities for man-in-the-middle attacks here that
> >> it isn't funny.
> >>
> >
> > Instead of karping, why don't you propose whatever you think is a better
> > solution, keeping in mind that at some point the user will tell their web
> > browser to vist a URL.
>
> The classic "it's not our security practices that are a problem but the
> people who report on them" spiel.  Now of course it is more satisfactory
> to insult people than websites.


Did I insult you? I don't think so, and certainly mean to do so. I am not
lauding our security practices at all. I am asking what you would do
differently, and better.


> At any rate, an obvious improvement
> over sending around links to click is to send verification codes to be
> entered in a text field of the web site.  That makes intercepting the
> Email less of an attack vector.
>

So they intercept the email (by successfully impersonating the DNS server
of what are generally large corporations or institutions), they edit the
email, and then they forward the result to the user. The newly edited link
contains a URL that looks like an Ardour download, the user downloads it,
runs the "installer" and boom, their machine is compromised?

Problem is, there's nothing particularly special about email here, and from
everything I have read about MiM attacks, email is an uncommon approach to
this.

Are you suggesting that no email should ever contain a link back to the
originating website, for fear that it is compromised?


> > We do publish sha5sum's for the nightly builds, but the vast majority
> > of people wouldn't have any idea how to even check them.
>
> Sure, base security relying on educated and smart people is not a
> winning move.
>

We're not relying on smart/educated people for security. I'm noting that
anytime a user downloads a program that they WILL execute on their machine
(because they believe that to be the purpose of downloading it), there are
so many potential attack vectors that in the end, security without at least
some level of motivation on the part of the downloader to avoid attacks is
never going to be very robust.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ardour.org/pipermail/ardour-users-ardour.org/attachments/20180822/760cef94/attachment-0001.html>

More information about the Ardour-Users mailing list