Non-official site with a tampered version of KeePass (security.infoteam.ch)
The comparatively small user base is actually an underappreciated security feature of Linux ;)
I'm sure that if installcore supported Linux, then the Linux binaries would also be bundlers.
Hopefully it will be blocked by the browsers using the Safe Browsing list.
https://i0.wp.com/keepass.fr/wp-content/uploads/2018/05/keep...
So maybe we can report it here too:
https://en.wordpress.com/abuse/
Only works if you put this as URL though:
Looks like it's a copy-paste of the .com one, with the same download links.
I've had discussions with coworkers on why they shouldn't look up "free online json beautifier" and dump thousands of lines of crown jewels into them (http too). Meanwhile we're doing web dev and JSON responses are autoformatted in Firefox dev tools so there's an amazingly convenient and perfectly safe alternative right there...
How do we impart urgency with this kind of stuff?
From their FAQ:
> No, thank you. Even if you can find one (most of them seem to have been registered already, by people who didn't ask whether we actually wanted it before they applied), we're happy with the PuTTY web site being exactly where it is. It's not hard to find (just type ‘putty’ into google.com and we're the first link returned), and we don't believe the administrative hassle of moving the site would be worth the benefit.
https://keepass.fr/ https://7zip.fr https://audacity.fr https://gparted.fr https://keepass.fr https://nc3354.nexylan.net https://paintnet.fr
Original KeePass downloads are hosted on SourceForge, which has not had the best history of integrity, the way I see it.
https://sourceforge.net/blog/brief-history-sourceforge-look-...
I think 7-Zip has a way for you to check the hash signature with just a right-click on the file, so that's dandy.
Not implying you are, but there is plenty of software where that is how they expect users to verify the integrity of the download. Useful for checking bit errors, but in the event that someone has replaced the binary, they could probably also replace the checksum...
Anyway, this wouldn't be the first time open-source software is packaged with some adware. Unsavory, but I think within the limits of the license.
Source: am French
One time I downloaded the wrong Google Chrome, which was ironic because I was on Google searching for it.
Other examples that come to mind with different sites are popcorn.sh vs popcorn-time.to. They're not the same repository.
Normally I just do a sanity check by checking the domain URL and checking if it has authority.
If it's on SourceForge... I just assume it's malware or has bundled PUPware on it, and run it through antivirus and SHA/MD5 checks.
Ninite.com is pretty convenient. I hope they don't get compromised one of these days and get sold to a shady vendor.
They're looking for that syntax-highlighted and interactive experience, you know.
This is so short-sighted, especially for software used to admin productive systems.
I was thinking about all the times I had to download a Windows ISO, and how Microsoft had openly published what the checksum values were so I could verify this after downloading from a third party.
I would need to do more research here; you make a good point.
Then you're not going to the good people. Stop going through intermediaries, go straight for the source (package-specific issues on Ubuntu must be reported to Ubuntu, like Python not recognizing a new module, but bad code inside the package must be dealt with upstream).
> Half the time the developers are extremely resistant to changes and believe the change is wrong/unnecessary, or the current state is already correct, or that the changes are too big and/or not worth it, [...]
That's why I take the habit of jumping on IRC first, talking with devs a bit and trying to understand why I find a specific piece of code problematic.
I was trying to add support for i686 on an AUR package I maintain; quickly dismissed "we don't support i686 anymore anyway, just slap comments in your PKGBUILD and ship it".
I was working with the btrfs(8) util, which has the most horrific interface ever designed; "OK, we're not hostile to a new interface design, but you'll have to provide a comprehensive explanation of what you want and how it should behave".
And finally, documentation usually gets merged real fast (recently on cbsd(8) and nextcloud).[0][1]
* Being open source protects against a malicious developer. Otherwise there is nothing preventing him from building the binary with a different source and sending the passwords to his own server.
* A signed code archive protects against a compromised hosting site.
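The point made above about co-hosted checksums (and earlier, that whoever replaces the binary can replace the checksum next to it) and the point that a signed archive survives a compromised host, shown as a small added Go simulation that is not from the thread or from the KeePass project. The "release", the "mirror" and the bundled payload are all constructed stand-ins; the maintainer's Ed25519 key is generated in-process and stands for a key the user obtained out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download site serves: the binary, a checksum file
// hosted next to it, and a signature made with the maintainer's private key
// (which never lives on the hosting site). All values here are constructed.
type Release struct {
	Binary   []byte
	Checksum string // hex SHA-256, published alongside the binary
	Sig      []byte // Ed25519 signature over the binary
}

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Publish is the maintainer's step: hash and sign the genuine binary.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	return Release{Binary: binary, Checksum: sha256Hex(binary), Sig: ed25519.Sign(priv, binary)}
}

// Tamper models a compromised mirror: whoever can swap the binary can also
// rewrite the checksum file sitting next to it. The signature is left as-is
// because the attacker does not have the signing key.
func Tamper(r Release, bundled []byte) Release {
	return Release{Binary: bundled, Checksum: sha256Hex(bundled), Sig: r.Sig}
}

// ChecksumOnlyOK is the "right-click, compare the hash" check from the thread.
func ChecksumOnlyOK(r Release) bool { return r.Checksum == sha256Hex(r.Binary) }

// SignatureOK verifies the binary against a public key obtained out of band
// (pinned by a package manager, printed on the project site, etc.).
func SignatureOK(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Binary, r.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Publish(priv, []byte("setup.exe (constructed genuine build)"))
	tampered := Tamper(genuine, []byte("setup.exe + adware bundler (constructed)"))
	fmt.Println("genuine : checksum", ChecksumOnlyOK(genuine), "signature", SignatureOK(pub, genuine))
	fmt.Println("tampered: checksum", ChecksumOnlyOK(tampered), "signature", SignatureOK(pub, tampered))
}
```

The tampered release passes the checksum check (the attacker rewrote both files) and fails only the signature check, which is why the checksum alone detects bit errors but not a replaced download.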
You're not really going to get around having to install "something" to sync your passwords if you want to have your passwords synced.
You could use something like Syncthing if you just don't want to trust any company with your data.
Otherwise, I can't really suggest a solution either.
Sorry, I hope it's clear now.
> You're not really going to get around having to install "something" to sync your passwords if you want to have your passwords synced
Huh? This is obviously wrong; I'm doing literally this with KeePass. I haven't installed anything, and it has a plugin to sync directly with Google Drive that doesn't mess with or care about anything in the rest of the system.
I created a keepass/syncthing directory somewhere inside my home directory, and I told Syncthing to sync only that directory. And the directory only contains the KeePass database plus a few Syncthing log files and such.
Additionally, I was not personally aware of any way to "sync directly" other than using the Google Drive desktop client (https://www.google.com/drive/download/) and storing the database file in the synced folder. It sounds like you're saying KeePass has some direct integration with Google Drive?
All of that said, I am really not invested in this issue - I use multiple cloud sync services and it doesn't bother me.
Indeed it has a plugin for this, yeah. That's exactly what I'm saying. https://sourceforge.net/projects/kp-googlesync/