Code Review lulzlabs Radio AirChat - By kritik #7
Comments
from original module Crypt::CBC
we pinged Dr. Stein about CBC (also asking to include other digest algos rather than md5). Note: There are no bool types in Perl. you can define or undef variables and use that. so we used strings for fun. comment aside: always check how the randomness of your own system performs. that would be a critical part of the whole thing. love you all guise <3333
also about that blog. they are wrong sometimes. for example: "When looking at the code, it looks like it's using RSA public key crypto to exchange keys with peers (via radio?). However, it's not using it at all."
this is how it happens: you decide to encrypt a message using the public key of remote target. in the other side: "Another problem is, that all key material is being stored on disk without permission setting or checking. So the script will use the current umask, which would be 0644 for most users, therefore leaving the keys open to fetch for other users of the system." "Despite being a tool for encrypted radio communication the script contains code for Twitter publishing (with hardcoded API keys but they can be changed though), it fetches RSS feeds from various websites (hardcoded URIs of course), e.g. from NY Times." it helps to get some basic news from internet if someone in the network can get some basic internet axx and decide to share it... "The script uses both whitespace and tabs for indentation. As a result the overall code looks messy" It's good if ppl quickly check the code. it would be better if they really test it little bit at least also.... but yeah discussing which one should be the definitive random generator is really cool.
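The key-file permission finding quoted in the comment above can be addressed as sketched here. This is an added example, not AirChat code and not written by any participant in this thread; the helper names, file names and key bytes are hypothetical, and it assumes a POSIX system.

```perl
#!/usr/bin/perl
# Added example, not AirChat code. Helper and file names are hypothetical.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL S_IMODE);
use File::Temp qw(tempdir);

# Create a key file that is never readable by group/other, whatever the umask.
sub write_private_key {
    my ($path, $key_bytes) = @_;
    # O_EXCL refuses to reuse an existing file or follow a planted symlink;
    # mode 0600 is applied at creation, so there is no window with wider bits.
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "cannot create $path: $!";
    binmode $fh;
    print {$fh} $key_bytes or die "write failed: $!";
    close $fh or die "close failed: $!";
    return 1;
}

# Refuse to load a key that other local users could read or modify.
sub read_private_key {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my @st = stat($fh) or die "cannot stat $path: $!";  # stat the handle, not the name
    my $mode = S_IMODE($st[2]);
    die sprintf("%s has mode %04o, expected 0600 or stricter\n", $path, $mode)
        if $mode & 0077;
    die "$path is not owned by the current user\n" if $st[4] != $>;
    binmode $fh;
    local $/;                                           # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Demonstration with constructed data in a throwaway directory.
my $dir = tempdir(CLEANUP => 1);
umask 0022;                                             # common default umask
write_private_key("$dir/good.key", "CONSTRUCTED-KEY-MATERIAL");
print "loaded ", length(read_private_key("$dir/good.key")), " bytes\n";

# A plain open() under the same umask creates the file with mode 0644.
open(my $weak, '>', "$dir/weak.key") or die "cannot create weak.key: $!";
print {$weak} "CONSTRUCTED-KEY-MATERIAL";
close $weak;
eval { read_private_key("$dir/weak.key"); 1 } or print "rejected: $@";
```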
Has the code been updated to address these security concerns?
Hi there, I updated the blog entry about the hardcoded key issue. Crypt::CBC indeed doesn't use the key parameter if you modify the passphrase parameter afterwards. This might not be good style but it works (I tested it). So, I hereby apologize for my invalid conclusions about security. best,
Kritik, the code reviewer, concluded that the current code as it stands security-wise "is completely useless", adding that "If the author(s) fix at least the hardcoded key and random number generation issue, then the tool could have a future."
tl;dr: Messy code. Not enough comments. Ignorance of Perl software distribution standards. Inconsistent style and programming paradigms. Insecure.
Security tldr: Encrypts "randomly generated ephemeral key using RSA", but ignores it and uses instead the "hardcoded key for symmetric encryption".
SOURCE http://www.daemon.de/blog/2014/04/25/351/code-review-lulzlabs-radio-airchat/