Re: bad package that's fishing bitbucket emails


Re: bad package that's fishing bitbucket emails

Michael Foord-3
Hello mt,

It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.

The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):

        http://sourceforge.net/tracker/?group_id=66150&atid=513503

For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:

        http://www.python.org/community/sigs/current/catalog-sig/

I've copied them in on this email

All the best,

Michael Foord

On 29 Mar 2012, at 11:15, m t wrote:

> hi,
> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
> http://pypi.python.org/pypi/Octopoda/.0.1
>
> might want to look into it,
> mt
>


--
http://www.voidspace.org.uk/


May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing
http://www.sqlite.org/different.html

_______________________________________________
Catalog-SIG mailing list
[hidden email]
http://mail.python.org/mailman/listinfo/catalog-sig

Re: bad package that's fishing bitbucket emails

M.-A. Lemburg
Michael Foord wrote:
> Hello mt,
>
> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.

The site hosts an illegal copy of the bitbucket site and redirects the logins
not to bitbucket, but to code.thejeshgn.com:

http://code.thejeshgn.com/account/signin/

Needless to mention that the login info is sent in clear as well...

I think we should inform Atlassian about this.


--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Mar 29 2012)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2012-04-03: Python Meeting Duesseldorf                      5 days to go

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

Re: bad package that's fishing bitbucket emails

M.-A. Lemburg
M.-A. Lemburg wrote:

> Michael Foord wrote:
>> Hello mt,
>>
>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>
> The site hosts an illegal copy of the bitbucket site and redirects the logins
> not to bitbucket, but to the code.thejeshgn.com:
>
> http://code.thejeshgn.com/account/signin/
>
> Needless to mention that the login info is sent in clear as well...
>
> I think we should inform Atlassian about this.

Looks like he cloned bitbucket for all his bitbucket repos:

http://code.thejeshgn.com/

and happily proxies requests through his site.



Re: bad package that's fishing bitbucket emails

Yuval Greenfield
I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.

Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange URLs.

Yuval

On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <[hidden email]> wrote:
M.-A. Lemburg wrote:
> Michael Foord wrote:
>> Hello mt,
>>
>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>
> The site hosts an illegal copy of the bitbucket site and redirects the logins
> not to bitbucket, but to the code.thejeshgn.com:
>
> http://code.thejeshgn.com/account/signin/
>
> Needless to mention that the login info is sent in clear as well...
>
> I think we should inform Atlassian about this.

Looks like he cloned bitbucket for all his bitbucket repos:

http://code.thejeshgn.com/

and happily proxies requests through his site.


Re: bad package that's fishing bitbucket emails

Michael Foord-3

On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:

> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>
> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange url's.
>

That's not relevant as to whether or not the package in question should be removed from PyPI though.

Michael


Re: bad package that's fishing bitbucket emails

Robert Kern-2
In reply to this post by M.-A. Lemburg
On 3/29/12 11:56 AM, M.-A. Lemburg wrote:

> M.-A. Lemburg wrote:
>> Michael Foord wrote:
>>> Hello mt,
>>>
>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>
>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>> not to bitbucket, but to the code.thejeshgn.com:
>>
>> http://code.thejeshgn.com/account/signin/
>>
>> Needless to mention that the login info is sent in clear as well...
>>
>> I think we should inform Atlassian about this.
>
> Looks like he cloned bitbucket for all his bitbucket repos:
>
> http://code.thejeshgn.com/
>
> and happily proxies requests through his site.

Are we sure this is not just an instance of this supported feature of Bitbucket?

http://confluence.atlassian.com/display/BITBUCKET/Using+your+Own+bitbucket+Domain+Name

--
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
  that is made terrible by our own mad attempt to interpret it as though it had
  an underlying truth."
   -- Umberto Eco


Re: bad package that's fishing bitbucket emails

m t
In reply to this post by M.-A. Lemburg
Hi,
I already contacted Atlassian, but you have more weight on this than me.
I don't know when/if they'd get to my email!
mt
On Mar 29, 2012, at 3:48 AM, M.-A. Lemburg wrote:

> Michael Foord wrote:
>> Hello mt,
>>
>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>
> The site hosts an illegal copy of the bitbucket site and redirects the logins
> not to bitbucket, but to the code.thejeshgn.com:
>
> http://code.thejeshgn.com/account/signin/
>
> Needless to mention that the login info is sent in clear as well...
>
> I think we should inform Atlassian about this.
>

Re: bad package that's fishing bitbucket emails

M.-A. Lemburg
In reply to this post by Robert Kern-2
Robert Kern wrote:

> On 3/29/12 11:56 AM, M.-A. Lemburg wrote:
>> M.-A. Lemburg wrote:
>>> Michael Foord wrote:
>>>> Hello mt,
>>>>
>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>
>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>> not to bitbucket, but to the code.thejeshgn.com:
>>>
>>> http://code.thejeshgn.com/account/signin/
>>>
>>> Needless to mention that the login info is sent in clear as well...
>>>
>>> I think we should inform Atlassian about this.
>>
>> Looks like he cloned bitbucket for all his bitbucket repos:
>>
>> http://code.thejeshgn.com/
>>
>> and happily proxies requests through his site.
>
> Are we sure this is not just an instance of this supported feature of Bitbucket?
>
> http://confluence.atlassian.com/display/BITBUCKET/Using+your+Own+bitbucket+Domain+Name

Oh dear, they even promote such use... what a poor security model :-(

You were right:

$ dig code.thejeshgn.com

; <<>> DiG 9.7.4-P1 <<>> code.thejeshgn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34768
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 2

;; QUESTION SECTION:
;code.thejeshgn.com.            IN      A

;; ANSWER SECTION:
code.thejeshgn.com.     3600    IN      CNAME   bitbucket.org.
bitbucket.org.          360     IN      A       207.223.240.181
bitbucket.org.          360     IN      A       207.223.240.182


Re: bad package that's fishing bitbucket emails

m t
In reply to this post by Michael Foord-3
The other question is whether there are any others in PyPI, and how to effectively detect them.
mt

On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:

>
> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>
>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>
>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange url's.
>>
>
>
> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>
> Michael
>
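The dig check Marc-Andre posted (a CNAME to bitbucket.org means Bitbucket itself serves the page under the custom name, which is the supported feature Robert pointed to) and mt's question about finding other such packages can be folded into one heuristic. The script below is an added example, not code from the thread, from PyPI or from Atlassian: it resolves the home page's host to its canonical name, parses the page for forms that carry a password field, and reports where those forms submit and over which scheme. Every input it runs on is constructed here (the host names, the HTML, the CNAME table); the one real-world assumption is that `socket.gethostbyname_ex` returns the canonical name at the end of the CNAME chain, which it does with glibc's resolver, and the sample run injects a fake resolver so nothing touches the network.

```python
# Added example (not code from the thread, from PyPI or from Atlassian).
# Tell a genuine Bitbucket custom domain (host is a CNAME to bitbucket.org)
# apart from a third-party host serving a copied Bitbucket login form, and
# run that heuristic over a few constructed PyPI home-page records.
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CANONICAL_HOST = "bitbucket.org"


def system_canonical_name(host):
    """Canonical name at the end of the CNAME chain, from the OS resolver.
    Assumption: the platform reports it (glibc does). Names that do not
    resolve map to themselves. The sample run injects a fake instead."""
    try:
        return socket.gethostbyname_ex(host)[0].rstrip(".").lower()
    except socket.gaierror:
        return host.lower()


class _PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "pw": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["pw"]:
                self.actions.append(self._form["action"])
            self._form = None


def classify_home_page(home_page, html, canonical_name=system_canonical_name):
    """Return (verdict, findings) for one project home page.

    canonical  - the page lives on bitbucket.org itself
    custom     - host is a CNAME to bitbucket.org, so Bitbucket serves the
                 page under another name (supported; login may be plain HTTP)
    suspicious - host is unrelated to bitbucket.org yet serves a password
                 form: a look-alike login page on a third-party host
    plain      - unrelated host and no login form: an ordinary project page
    """
    host = (urlparse(home_page).hostname or "").lower()
    parser = _PasswordForms()
    parser.feed(html)
    targets = [urljoin(home_page, action) for action in parser.actions]

    findings = []
    for target in targets:
        t = urlparse(target)
        if t.scheme != "https":
            findings.append(f"password form submits over {t.scheme}: {target}")
        if (t.hostname or "").lower() != CANONICAL_HOST:
            findings.append(f"password form submits to {t.hostname}, not {CANONICAL_HOST}")

    if host == CANONICAL_HOST:
        return "canonical", findings
    if canonical_name(host) == CANONICAL_HOST:
        findings.insert(0, f"{host} is a CNAME to {CANONICAL_HOST} (Bitbucket custom domain)")
        return "custom", findings
    if targets:
        findings.insert(0, f"{host} does not resolve to {CANONICAL_HOST} but serves a login form")
        return "suspicious", findings
    return "plain", findings


# Constructed sample inputs: made-up host names, page content and CNAME
# table, standing in for PyPI 'home_page' metadata plus a fetch of each page.
LOGIN_HTML = (
    '<html><body><form method="post" action="/account/signin/">'
    '<input name="username"><input type="password" name="password">'
    '</form></body></html>'
)
SAMPLE_RECORDS = [
    ("project-on-bitbucket", "https://bitbucket.org/someone/project", LOGIN_HTML),
    ("project-custom-domain", "http://code.custom.example/project", LOGIN_HTML),
    ("project-lookalike", "http://bitbucket-login.attacker.example/project", LOGIN_HTML),
    ("project-own-docs", "https://docs.example/project", "<html><body>docs</body></html>"),
]
FAKE_CNAMES = {"code.custom.example": "bitbucket.org"}


def fake_canonical_name(host):
    """Stand-in for the DNS lookup so the sample runs offline."""
    return FAKE_CNAMES.get(host, host)


def scan_records(records=SAMPLE_RECORDS, canonical_name=fake_canonical_name):
    """Map project name -> verdict for a batch of (name, home_page, html)."""
    return {name: classify_home_page(url, html, canonical_name)[0]
            for name, url, html in records}


if __name__ == "__main__":
    for name, url, html in SAMPLE_RECORDS:
        verdict, findings = classify_home_page(url, html, fake_canonical_name)
        print(f"{name:22s} {verdict:10s} {'; '.join(findings)}")
```

Run as a script it prints one line per record; `scan_records` returns the verdict map. The split it draws is the one the thread arrived at: a clear-text login form on a non-bitbucket host is not by itself proof of a phishing page, because Bitbucket's custom-domain feature produces exactly that, and the DNS answer is what separates the two cases.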

Re: bad package that's fishing bitbucket emails

Michael Foord-3

On 29 Mar 2012, at 12:37, m t wrote:

> the other question is whether there are any others in pypi, and how to effectively detect them

Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).

Michael


Re: bad package that's fishing bitbucket emails

m t
I partly agree, but I think it's pretty obvious what the intent is.
The package on PyPI has a malicious purpose.
If you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end.
The aspect of trust was broken; the person and their code become untrustworthy from now on.
I was one second away from sending my credentials, so I might be biased here :)
mt

On Mar 29, 2012, at 4:43 AM, Michael Foord wrote:

>
> On 29 Mar 2012, at 12:37, m t wrote:
>
>> the other question is whether there are any others in pypi, and how to effectively detect them
>
> Even if the package hosting is unethical it doesn't mean we *must* remove them from pypi. We should only do that if it is malicious (of course if we can't *tell* whether or not it is malicious it becomes a difficult question).
>
> Michael
>
>> mt
>>
>> On Mar 29, 2012, at 4:06 AM, Michael Foord wrote:
>>
>>>
>>> On 29 Mar 2012, at 12:04, Yuval Greenfield wrote:
>>>
>>>> I really dislike this tomfoolery with bitbucket, you can see that jgrid.org is also a DNS redirection or something. It's bad security practice by bitbucket to allow this imo.
>>>>
>>>> Users should be trained for consistent address bars with HTTPS only, not all these useless copies with strange url's.
>>>>
>>>
>>>
>>> That's not relevant as to whether or not the package in question should be removed from PyPI though.
>>>
>>> Michael
>>>
>>>> Yuval
>>>>
>>>> On Thu, Mar 29, 2012 at 12:56 PM, M.-A. Lemburg <[hidden email]> wrote:
>>>> M.-A. Lemburg wrote:
>>>>> Michael Foord wrote:
>>>>>> Hello mt,
>>>>>>
>>>>>> It doesn't appear to be a clone, but embedding bitbucket - and the Python package *seems* genuine.
>>>>>
>>>>> The site hosts an illegal copy of the bitbucket site and redirects the logins
>>>>> not to bitbucket, but to the code.thejeshgn.com:
>>>>>
>>>>> http://code.thejeshgn.com/account/signin/
>>>>>
>>>>> Needless to mention that the login info is sent in clear as well...
>>>>>
>>>>> I think we should inform Atlassian about this.
>>>>
>>>> Looks like he cloned bitbucket for all his bitbucket repos:
>>>>
>>>> http://code.thejeshgn.com/
>>>>
>>>> and happily proxies requests through his site.
>>>>
>>>>>> The correct place to report issues with pypi is the tracker (no-one on this webmaster alias is involved in the administration of pypi):
>>>>>>
>>>>>>   http://sourceforge.net/tracker/?group_id=66150&atid=513503
>>>>>>
>>>>>> For *discussing* PyPI issues, which seems wise for this particular question, the catalog-sig email list is the right place:
>>>>>>
>>>>>>   http://www.python.org/community/sigs/current/catalog-sig/
>>>>>>
>>>>>> I've copied them in on this email
>>>>>>
>>>>>> All the best,
>>>>>>
>>>>>> Michael Foord
>>>>>>
>>>>>> On 29 Mar 2012, at 11:15, m t wrote:
>>>>>>
>>>>>>> hi,
>>>>>>> this package in pypi doesn't redirect to bitbucket, but a cloned site that fishes bitbucket emails:
>>>>>>> http://pypi.python.org/pypi/Octopoda/.0.1
>>>>>>>
>>>>>>> might want to look into it,
>>>>>>> mt
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>> --
>>>> Marc-Andre Lemburg
>>>> eGenix.com
>>>>
>>>> Professional Python Services directly from the Source  (#1, Mar 29 2012)
>>>>>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>>>>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>>>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
>>>> ________________________________________________________________________
>>>> 2012-04-03: Python Meeting Duesseldorf                      5 days to go
>>>>
>>>> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>>>>
>>>>
>>>> eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>>>> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>>>>        Registered at Amtsgericht Duesseldorf: HRB 46611
>>>>            http://www.egenix.com/company/contact/
>>>>
>>>
>>


Re: bad package that's fishing bitbucket emails

Michael Foord-3

On 29 Mar 2012, at 13:32, m t wrote:

> i partly agree, but i think it's pretty obvious what the intent is
> the package on pypi has a malicious purpose
> if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end
> the aspect of trust was broken, the person and their code become untrustworthy from now on
> i was one second away from sending my credentials, so i might be biased here :)

It seems like the project is using a deliberate bitbucket feature and is unlikely to be either malicious or unethical.

All the best,

Michael


Re: bad package that's fishing bitbucket emails

"Martin v. Löwis"
In reply to this post by m t
> i partly agree, but i think it's pretty obvious what the intent is
> the package on pypi has a malicious purpose

I completely disagree. The package *clearly* has a good intent,
and the package author has no malicious plans with it.

> if you can't trust the one end of the chain of events, there's no point in debating the integrity of the other end
> the aspect of trust was broken, the person and their code become untrustworthy from now on
> i was one second away from sending my credentials, so i might be biased here :)

And no harm would have been done in sending your credentials - the
package author would not have been able to obtain them.

Regards,
Martin



Re: bad package that's fishing bitbucket emails

m t
In reply to this post by Michael Foord-3
hi,
yuval and michael were right (attached below is bitbucket's reply), i definitely over-reacted
hopefully there is some way for you guys to automatically detect nefarious packages from entering pypi
thanks for the communication, top-notch
good job with the feedback and discussion,
mt

and here is bitbucket's reply to my notifying them of that repo:

Brodie Rao, Mar 29 13:07 (PDT):
Hi mt,

I don't think that user's phishing; he's just using our CNAME feature that lets him point a domain name to his Bitbucket profile and repositories.

You'll get different opinions from other people on the Bitbucket team, but I'm personally not a fan of the feature because of the confusing security implications it has (as you've found out). It does indeed lead you to log into the site using his domain name.

We may look into improving how logins work on CNAMEs in the future. For now, you can still view his repositories on bitbucket.org directly. I recommend doing that if you don't trust the owner of the domain name.

If you have any other questions, let me know.

Thanks,
Brodie


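The two concrete checks this thread turned on, written out as an added example (not code from the thread, from PyPI or from Bitbucket): a package's declared home page that is only a CNAME alias of bitbucket.org, and a sign-in form on such a page that posts a password to the vanity host, over plain HTTP, instead of to bitbucket.org. It also sketches an answer to the "how to detect others on PyPI" question by running the CNAME check over a list of (project, home_page) pairs. All hostnames, the CNAME table and the HTML below are constructed for the example; the table stands in for a real resolver lookup (e.g. a CNAME query with dnspython), which is the one piece you would swap in to run this against live data.

```python
"""Flag PyPI home pages that are CNAME aliases of a code host, and sign-in
forms that send credentials to the alias host or over plain HTTP.

Added example, not from the thread or from PyPI/Bitbucket. Hostnames, the
CNAME table and the HTML are constructed; CNAME_TABLE replaces a resolver."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CANONICAL_HOST = "bitbucket.org"

# Constructed stand-in for DNS: name -> CNAME target (trailing dot as a resolver returns it).
CNAME_TABLE = {
    "code.example-mirror.test": "bitbucket.org.",
    "www.vanity-domain.test": "cname.example-cdn.test.",
    "cname.example-cdn.test": "bitbucket.org.",
}

# Constructed sign-in page as served on the vanity host: the form posts back to itself.
SAMPLE_MIRROR_HTML = """
<html><body>
<form action="/account/signin/" method="post">
  <input name="username"><input type="password" name="password">
</form>
</body></html>
"""

# Constructed PyPI-style (project, home_page) records.
SAMPLE_PROJECTS = [
    ("example-pkg-a", "http://code.example-mirror.test/"),          # one-hop CNAME alias
    ("example-pkg-b", "https://bitbucket.org/someone/pkg-b"),        # canonical host
    ("example-pkg-c", "http://www.vanity-domain.test/"),             # two-hop CNAME alias
    ("example-pkg-d", "http://pypi.python.org/pypi/example-pkg-d"),  # unrelated host
]


def resolve_cname_chain(host, table=CNAME_TABLE, limit=8):
    """Follow CNAMEs from host; stops at a name with no CNAME or after limit hops."""
    chain = [host]
    for _ in range(limit):
        target = table.get(chain[-1])
        if target is None:
            break
        chain.append(target.rstrip("."))
    return chain


class FormActionParser(HTMLParser):
    """Collect each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, canonical_host=CANONICAL_HOST, cname_table=CNAME_TABLE):
    """Return a list of findings for a fetched page; an empty list means nothing suspicious."""
    findings = []
    host = urlsplit(page_url).hostname
    chain = resolve_cname_chain(host, cname_table)
    if host != canonical_host and chain[-1] == canonical_host:
        findings.append(f"{host} is a CNAME alias of {canonical_host} ({' -> '.join(chain)})")
    parser = FormActionParser()
    parser.feed(html)
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))  # resolve relative actions
        if target.hostname != canonical_host:
            findings.append(f"password form posts to {target.hostname}, not {canonical_host}")
        if target.scheme != "https":
            findings.append(f"password form posts over {target.scheme}: credentials in the clear")
    return findings


def flag_cname_mirrors(projects, canonical_host=CANONICAL_HOST, cname_table=CNAME_TABLE):
    """From (name, home_page) pairs, return project names whose home page aliases canonical_host."""
    flagged = []
    for name, home_page in projects:
        host = urlsplit(home_page).hostname
        if host and host != canonical_host and resolve_cname_chain(host, cname_table)[-1] == canonical_host:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for line in audit_login_page("http://code.example-mirror.test/account/signin/", SAMPLE_MIRROR_HTML):
        print("finding:", line)
    print("projects on CNAME mirrors:", flag_cname_mirrors(SAMPLE_PROJECTS))
```

The CNAME check alone is not evidence of bad intent (it is exactly the feature Bitbucket describes above); what makes the mirror page dangerous is the combination reported by audit_login_page, a password field whose form action resolves to the alias host and, on this page, to a plain-http URL. A scan over PyPI metadata would use flag_cname_mirrors to shortlist candidates and then fetch and audit each shortlisted sign-in page.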