arriven / db1000n

MIT License

Why encrypted jobs? #394

Closed Fahrenheit2539 closed 2 years ago

Fahrenheit2539 commented 2 years ago

One of the jobs in the config is encrypted.

{ "type": "encrypted", "args": { "format": "json", "data": ...

Base64 decoding showed the following header: age-encryption.org/v1 -> scrypt yKFNmP9oNK38ps7grEA12A 18

I'm curious why? That does not help to build trust; I'm not going to recommend this tool to anyone (despite fully supporting its mission) until we figure this out.

arriven commented 2 years ago

@Fahrenheit2539 you have an option to skip those jobs completely via the --skip-encrypted command-line flag (see implementation: https://github.com/Arriven/db1000n/blob/06d290b70c1b8818254fd5fcac53720cad8417ac/src/jobs/utils.go#L94-L96), specifically so that you don't have to blindly trust me or other maintainers, but there are multiple benefits to having encrypted jobs. I cannot really talk about all of the benefits (for various reasons), but we can speculate that those jobs could use vulnerabilities that are not publicly disclosed yet (and thus exposing them could pose a risk to innocent companies that are also using affected software), or that it's just better if the receiving end of those attacks doesn't have a quick and easy way to examine what's targeting them and thus has a harder time building their defense.

We could also set up a process where external independent security experts would validate both the code, the executable, and the encrypted config. For the config we'd need to validate that those sources can be trusted before we provide them with the content of those configs - let me know if you know anyone who's interested and I'll try to put them in contact with appropriate people.
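For anyone reviewing a config before running it, the job format quoted at the top of this issue can be inventoried without the passphrase. The following Go sketch is an added example, not code from db1000n; it assumes jobs sit in a top-level "jobs" array, and the sample config is constructed (only the header line is the one quoted in the issue).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Finding describes one job whose payload cannot be reviewed without the key.
type Finding struct {
	Index  int      // position in the top-level "jobs" array (assumed layout)
	Format string   // args.format as declared in the config
	Stanza []string // first age recipient stanza; nil if data is not an age v1 file
}

// Audit reports every job of type "encrypted" (encoding/json matches keys case-insensitively).
func Audit(raw []byte) (out []Finding, err error) {
	var cfg struct{ Jobs []struct{ Type string; Args json.RawMessage } }
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	for i, j := range cfg.Jobs {
		if j.Type == "encrypted" {
			var a struct{ Format, Data string }
			_ = json.Unmarshal(j.Args, &a) // best effort: malformed args are still reported
			out = append(out, Finding{i, a.Format, ageStanza(a.Data)})
		}
	}
	return out, nil
}

// ageStanza returns the fields of the first "-> ..." line, e.g. [scrypt <salt> <log2 work factor>].
func ageStanza(data string) []string {
	bin, err := base64.StdEncoding.DecodeString(data)
	lines := strings.SplitN(string(bin), "\n", 3)
	if err != nil || len(lines) < 2 || lines[0] != "age-encryption.org/v1" || !strings.HasPrefix(lines[1], "-> ") {
		return nil
	}
	return strings.Fields(lines[1][3:])
}

// sampleConfig is constructed test input: a plain job plus one encrypted job with a dummy body.
func sampleConfig() []byte {
	blob := "age-encryption.org/v1\n-> scrypt yKFNmP9oNK38ps7grEA12A 18\nCONSTRUCTED-BODY\n--- CONSTRUCTED-MAC\n"
	return []byte(`{"jobs":[{"type":"http","args":{}},{"type":"encrypted","args":{"format":"json","data":"` + base64.StdEncoding.EncodeToString([]byte(blob)) + `"}}]}`)
}

func main() { fmt.Println(Audit(sampleConfig())) }
```

A `scrypt` stanza means the payload is passphrase-protected, so every entry this reports is a job whose content a reviewer cannot read; those are the jobs the `--skip-encrypted` option mentioned above is for.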

Fahrenheit2539 commented 2 years ago

Thanks, really appreciate the quick response! Your arguments make sense, don't think you want to add more bureaucracy in this fast-moving process.

What would help is updating docs to briefly mention this. I'll send a PR in the evening (US time).


arriven commented 2 years ago

I don't think that it would require a lot of bureaucracy, especially on my side. I would most likely delegate the trust establishment to someone else (whom I already trust).

And it would be beneficial to get some feedback from experts anyway at some point - I plan to continue working on this project even after the war ends, haven't seen any open tools that allow orgs to easily stress test their DDoS protection at scale (legally it's the project's purpose from the very beginning, we can just say that we're outsourcing this stress test right now).

Fahrenheit2539 commented 2 years ago

Can you send me an email at fahrenheit2539 at hotmail.com? Interested to discuss how I can help.