It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal.
-
It looks like in the latest #nvdasr alphas, it's now sending all of your addons to be scanned by VirusTotal. I did not give permission for this, and I do not want this. How long until NVDA stops addons it doesn't approve from running at all? For now I have virustotal.com blocked at the router. There seems to be no other way to block this.
'scanResults': {'scanUrl': 'www.virustotal.com/gui/file/2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88', 'malicious': 0, 'undetected': 67, 'harmless': 0, 'suspicious': 0, 'failure': 0, 'timeout': 0, 'confirmedTimeout': 0, 'typeUnsupported': 9}}
Traceback (most recent call last):
File "addonStore\models\scanResults.pyc", line 31, in fromDict
KeyError: 'virusTotal'
#screenreader #a11y #nvda #accessibility
-
@fastfinge @pixelate This only applies to Add-on Store add-ons, and it is done as part of the GitHub Actions workflows that run on nvaccess/addon-datastore. Unless you *choose* to visit the VirusTotal URL, your machine is entirely unaffected.
@saschacowley @pixelate Then why is my machine reaching out to that virustotal URL that showed up in the log snip and timing out?
-
@fastfinge As far as I know, the store does this when someone submits an addon, not NVDA.
-
@fastfinge If that’s the security they’re talking about implementing for corporate environments, that’s definitely going to backfire.
-
@fastfinge well, I figure I’d end up cloning the repo at some point.
The scan results object (including URL) is part of the add-on view model. Without forcing myself to read more Python, but also having noticed that object is deserialized from JSON, it seems most likely that the store server sends the client the fully auditable virus scan results.
Did you find any communication to VirusTotal in your logs?
-
@fastfinge clarifying my last question: in your firewall logs, because this is not communication with that domain.
-
@fastfinge @pixelate Uh, that is weird and bad. HAVE you considered filing a ticket?
-
The add-on data model: https://github.com/nvaccess/nvda/blob/master/source/addonStore/models/addon.py
The scan results model where the URL comes up: https://github.com/nvaccess/nvda/blob/master/source/addonStore/models/scanResults.py
-
@fastfinge You're most likely hitting this issue that was fixed: https://github.com/nvaccess/nvda/issues/19984
Reading that and the linked PRs, you might need to delete the .json file for some addons for that error to go away.
-
@MostlyBlindGamer I did. It could have been unrelated; there's a lot of stuff going on this network. But what would be the point of just including the URL to the results? I can just put anything I want in the manifest and say it passes. For it to mean anything, NVDA has to reach out and check. So this is either a privacy violation, or total security theatre. Not good either way.
-
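Added example, not code from the NVDA project or from anyone in this thread. It is written in Python (NVDA's own language) and does two things the posts above circle around: it reads the scan-results JSON without the strict fromDict behaviour that produced the KeyError: 'virusTotal' at the top of the thread, accepting both the flat layout pasted there and an assumed nested 'virusTotal' layout (the KeyError suggests one exists; its exact shape is a guess), and it performs the one check a client can do without contacting VirusTotal at all: the SHA-256 embedded in scanUrl must name the bundle actually on disk. The counters stay claims copied from the store's JSON; confirming them would mean fetching the VirusTotal page, which is exactly the contact being objected to. The function names, the nested shape and the sample bundle bytes are mine.

```python
# Added example, not NVDA's code. Tolerant reader for an add-on's
# scan-results JSON plus the only offline-verifiable property: the SHA-256
# in scanUrl names the bundle you actually have.
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the flat layout copied from the log in the thread.
FLAT_JSON = json.dumps({"scanResults": {
    "scanUrl": "www.virustotal.com/gui/file/"
               "2a83b713e38596cfbcb3f98b5eb91530ddfd0e9319907c6119cbbbe08f7acc88",
    "malicious": 0, "undetected": 67, "harmless": 0, "suspicious": 0,
    "failure": 0, "timeout": 0, "confirmedTimeout": 0, "typeUnsupported": 9}})

# Assumed nested layout: the KeyError: 'virusTotal' in fromDict suggests the
# newer client looks for a 'virusTotal' sub-object. The exact shape is a guess.
NESTED_JSON = json.dumps(
    {"scanResults": {"virusTotal": json.loads(FLAT_JSON)["scanResults"]}})

# Constructed stand-in for an .nvda-addon bundle (really a zip; any bytes do here).
SAMPLE_BUNDLE = b"PK\x03\x04constructed add-on bundle bytes"

# VirusTotal file pages are addressed by the file's SHA-256 (64 hex digits).
_VT_FILE_URL = re.compile(
    r"^(?:https?://)?www\.virustotal\.com/gui/file/([0-9a-fA-F]{64})/?$")


@dataclass
class ScanResults:
    scan_url: str
    malicious: int
    suspicious: int
    undetected: int
    file_sha256: Optional[str]  # hash named by scanUrl, None if not a VT file URL


def parse_scan_results(raw: str) -> Optional[ScanResults]:
    """Return None instead of raising KeyError when the cached JSON is
    missing, malformed, or in an unexpected shape."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    sr = doc.get("scanResults") if isinstance(doc, dict) else None
    if not isinstance(sr, dict):
        return None
    # Flat layout keeps the counters beside scanUrl; the assumed nested
    # layout keeps them under 'virusTotal'. Accept either.
    counters = sr.get("virusTotal", sr)
    if not isinstance(counters, dict):
        return None
    url = counters.get("scanUrl", sr.get("scanUrl"))
    if not isinstance(url, str):
        return None
    match = _VT_FILE_URL.match(url)

    def count(key: str) -> int:
        value = counters.get(key, 0)
        return value if isinstance(value, int) else 0

    return ScanResults(url, count("malicious"), count("suspicious"),
                       count("undetected"), match.group(1).lower() if match else None)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def results_json_for(bundle: bytes, **counters: int) -> str:
    """Build a results document (nested layout) whose scanUrl names this bundle."""
    body = {"scanUrl": "www.virustotal.com/gui/file/" + sha256_hex(bundle),
            "malicious": 0, "suspicious": 0, "undetected": 0}
    body.update(counters)
    return json.dumps({"scanResults": {"virusTotal": body}})


def verdict(results: Optional[ScanResults], bundle: bytes) -> str:
    """Local-only assessment. Only the hash binding is checked here; the
    counters are whatever the JSON says and are not verified."""
    if results is None or results.file_sha256 is None:
        return "no usable scan results"
    if results.file_sha256 != sha256_hex(bundle):
        return "scan results are for a different file"
    if results.malicious or results.suspicious:
        return "flagged by the recorded scan"
    return "recorded scan is clean for this file (counters unverified)"
```

The mismatch branch is the one worth having: a results block copied from one add-on into another's manifest, or left behind in a stale cached .json, fails the hash comparison locally and never needs a network request to be rejected.
-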
@fastfinge who puts it in there?
If it’s the developer, I’d check server-side, before making it available in the store. I don’t have a problem with sharing the URL with the client for transparency and auditing.
If NVDA do the check, that would only be server-side.
There’s no reason to have all the clients hammering VirusTotal servers.
I’d run a packet sniffer and navigate through the store to confirm the possibility that they’re doing something very silly.
-
@MostlyBlindGamer It looks like it gets put there when it's uploaded to the store. But I develop addons that aren't distributed via the store, because of silly NVDA rules. So I can just put whatever I want there. And I haven't actually tested to see what happens if I upload an addon to the store with the virustotal keys already included.
-
@MostlyBlindGamer I don't even know why they're doing this. If you don't have a virus scanner enabled on your computer, this will not save you. Any addon can just download remote code whenever it wants to. That is, in fact, how most addon update checkers work. So even if you audit the results, it's completely meaningless unless you also audit all the code. The only thing this does is give users a false sense of security.
-
@fastfinge I really hope that's a temporary thing they forgot to take out or something. The intent of keeping users safe is nice, but I feel like uploading things I chose to download to a random virus checker that I didn't approve or ask for is a really bad move.
@alexhall It was mentioned in the What's New document, so it probably isn't an accident. @fastfinge
-
@fastfinge it’s about the [puts on sunglasses] optics.
[The Who blares in the background]
-
@MostlyBlindGamer Yeah, but I know you've deceived me, Now here's a surprise. I know that you have, 'Cause there's magic in my eyes. I can see for miles and miles, And miles and miles...
-
An actual security solution:
* allow user reviews of addons
* allow users to report addons
* remove addons from the store after X number of reports
* have a reputation system for addon developers (How many addons? How many versions? How long have they been around?)
* allow high reputation developers to do code reviews of other addons and submit the results
This would help for addons in the store. For addons not in the store, users are on their own. However, even for non-store addons, NVDA could do things that would reduce risk:
* Check PGP keys. An addon that claims it was by fastfinge but isn't signed by my PGP key won't run. Public keyservers already exist; NVDA doesn't need to build infrastructure, or in any way gatekeep or endorse developers to do this.
* reserve addon names: fastfinge is the known developer of unspoken-ng. So flag a big warning before running a version of unspoken-ng developed by BobTheBad man. And don't run a version of unspoken-ng not signed by fastfinge's known PGP key at all.
There are ways to let users understand if an addon can be trusted, or how much, and who made it, without centralizing on the store, pointlessly scanning with VirusTotal, etc. NVDA addon security based on restricting functionality is never going to work. So instead, we need to create the tools to build trust models of developers, and know exactly who wrote and signed off on the code we're running.
-
The blindness community is also quite interconnected. If we wanted to, a "web of trust" would be more possible for us than other communities. We regularly gather at conventions (NFB, ACB, Sight Village, Zero Project, etc.) so with accessible, easy to use and understand tools, keysigning parties could easily happen. We've already moved to the #Fediverse because it's more accessible, and obviously better for our needs. Let's keep thinking differently about centralization and privacy; we might discover there are other methods that will work better for us and our needs, without restricting our rights, privacy, or functionality.
-
@jaybird110127 @fastfinge Yep it is. Should have been optional on our systems.