
it firm softserve hacked locked down plundered

Brian
Developer
Posts: 2272
Joined: November 24th, 2011, 1:42 am
Location: Utah

Re: it firm softserve hacked locked down plundered

Post by Brian »

After reading some of the articles on this, there are some big holes in the story.

Most articles mention that "the attackers replaced Rainmeter.dll with a malicious version". This is a big red flag to me for several reasons. This implies the system was already "exploited" in some way....or worse, the bad guys had physical access to the machine. The attacker would have to know that Rainmeter was present on the system to "exploit" anything. This should have been the main focus of the story since the attacker got into the system somehow.

If Rainmeter was previously installed on this system (and not by the attackers), then that IT person should be fired. Most professional companies do not allow "unauthorized" programs to be installed on critical machines. If it was a standard Rainmeter installation, then a UAC prompt would have occurred when the file was replaced - unless the IT person turned that off. It also seems strange to go to the trouble of producing a hacked version of Rainmeter.dll when access to the system had already happened (or was planned). Once you have access to the machine, you can do things like this in a much easier way.

I guess another possibility is that the IT person somehow did not get Rainmeter from rainmeter.net, or was tricked into downloading and running the malicious version. I would like to think a quality IT person would not do that, but you never know.

Anyway....

It's unfortunate that Rainmeter was the chosen medium to do this. Any open-source program could have been used.

The Rainmeter installer as well as Rainmeter.exe and Rainmeter.dll are all digitally signed, but that doesn't mean you cannot compile your own version of Rainmeter and make any changes you want. That is the nature of open source software.

We will discuss internally any options that we have (if any).

-Brian
jsmorley
Developer
Posts: 22368
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: it firm softserve hacked locked down plundered

Post by jsmorley »

It always was our intention that Rainmeter be open source, which means that anyone can get the source code and compile a version that does whatever they like. We have no control over that, nor should we.

Just be sure that you only install Rainmeter that you get from https://www.rainmeter.net/, and never, ever turn off UAC on your computer.

And as Brian said, anyone who allows Rainmeter to be installed on a company computer(s) should immediately be fired. It is not designed, nor intended, to be used in a commercial environment.
jsmorley
Developer
Posts: 22368
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: it firm softserve hacked locked down plundered

Post by jsmorley »

If you want to be sure, you can view the "Properties" of the Rainmeter installer that you get from https://www.rainmeter.net.

Check the "Digital Signatures", and be sure it looks like this:


1.jpg


While anyone can get the source code for Rainmeter and can compile their own version, what they can't do is digitally sign the executables with our certificate. If there is no digital certificate for the version you get from somewhere, or if the certificate doesn't match this one, then don't run it.

The installer itself, and all the .exe and .dll executables deployed by the installer, are digitally signed.
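The Properties check described in the post above can also be scripted across the whole install. This is an added example, not part of the original post or Rainmeter's own tooling; it assumes the default install directory and takes as its baseline an installer you downloaded from https://www.rainmeter.net, whose signer you should still compare by eye against what the developers publish.

```powershell
# Added example: flag any Rainmeter .exe/.dll whose Authenticode signature is
# not valid or was not made with the same certificate as a trusted installer.
param(
    # Installer downloaded from https://www.rainmeter.net (same version as installed).
    [Parameter(Mandatory)] [string]$InstallerPath,
    # Assumption: default install location; change if Rainmeter lives elsewhere.
    [string]$InstallDir = "$env:ProgramFiles\Rainmeter"
)

function Get-SignerInfo {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Subject    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

# The baseline must itself verify, otherwise every comparison below is meaningless.
$reference = Get-SignerInfo -Path $InstallerPath
if ($reference.Status -ne 'Valid') {
    throw "Installer signature status is '$($reference.Status)'; do not use it as a baseline."
}
"Baseline signer:     $($reference.Subject)"
"Baseline thumbprint: $($reference.Thumbprint)"

# "Valid" alone only proves that *someone* with a trusted certificate signed an
# unmodified file. Matching the thumbprint is what ties the file to the publisher.
$findings = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Get-SignerInfo -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Thumbprint -ne $reference.Thumbprint }

if ($findings) {
    # Unsigned, tampered, or differently signed binaries: review before running.
    $findings | Format-Table Status, Thumbprint, Path -AutoSize
    exit 1
}
"All .exe and .dll files under $InstallDir match the baseline signer."
```

A replaced Rainmeter.dll of the kind discussed in this thread would show up here as `NotSigned`, `HashMismatch`, or a `Valid` signature with a different thumbprint.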
SilverAzide
Rainmeter Sage
Posts: 1615
Joined: March 23rd, 2015, 5:26 pm

Re: it firm softserve hacked locked down plundered

Post by SilverAzide »

Huh...
More specifically, the damage was reportedly contained to the mail system and some of the auxiliary test environments.
Maybe this is why DeviantArt just perma-banned me for being a "spammer", which is pretty laughable.
Gadgets Wiki GitHub More Gadgets...
Yincognito
Rainmeter Sage
Posts: 4064
Joined: February 27th, 2015, 2:38 pm
Location: Terra Yincognita

Re: it firm softserve hacked locked down plundered

Post by Yincognito »

Yeah, actually the whole thing is laughable, even though it had serious consequences:

- it's not about using Rainmeter at your workplace - there's nothing wrong with it in my view (yeah, I know, I again disagree with the official stance and recommendations on this, but this is what having a mind of my own looks like) - it's the downright incompetent employee who downloaded Rainmeter from an untrusted source (basically anything other than this site) or allowed subsequent modifications of the files locally (if that was the case)
- the DeviantArt spammer thing is again probably due to incompetence, since these "decisions" are nowadays actually based on some flawed automated process that just counts whatever traffic and takes one route or another depending on an X>Y approach without any relevant additional parameters (just like the stupid automated responses to questions on Microsoft sites)

In the end, I see that incompetence of all kinds is actually rewarded (which is why these people get into those positions) in the "modern world" and when it comes to placing the blame, all of what a clueless nuthead in some office will understand is "don't use this app here or there or ever" or "ban this account or that account cause too much 'suspicious' traffic". In other words, they probably won't bother to look deeper into the matter and solve the root problem, but adopt a superficial stance and make it easier for themselves. This will, of course, result in the problem happening again next time, as no valuable lesson or conclusion will be extracted from these events.

Sorry if my opinion was different from others. :confused:
redorbroder
Posts: 5
Joined: September 14th, 2020, 8:54 am

Re: it firm softserve hacked locked down plundered

Post by redorbroder »

Hello!
Found out the other day SilverAzide was missing which led me here.


Rainmeter-4.4-r3404-beta.exe
Opening "Issuer Statement" links to
https://secure.comodo.net/CPS
Browsers I tested (Firefox, Chrome, Waterfox) block the site?
Is this normal?
All certificates look identical to the screenshots shown here.

Thanks for any info and hopefully SilverAzide will be back soon!

Best regards,
redorbroder
jsmorley
Developer
Posts: 22368
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: it firm softserve hacked locked down plundered

Post by jsmorley »

Yincognito wrote: September 13th, 2020, 11:23 pm Yeah, actually the whole thing is laughable, even though it had serious consequences:

- it's not about using Rainmeter at your workplace - there's nothing wrong with it in my view (yeah, I know, I again disagree with the official stance and recommendations on this, but this is what having a mind of my own looks like) - it's the downright incompetent employee who downloaded Rainmeter from an untrusted source (basically anything other than this site) or allowed subsequent modifications of the files locally (if that was the case)
- the DeviantArt spammer thing is again probably due to incompetence, since these "decisions" are nowadays actually based on some flawed automated process that just counts whatever traffic and takes one route or another depending on an X>Y approach without any relevant additional parameters (just like the stupid automated responses to questions on Microsoft sites)

In the end, I see that incompetence of all kinds is actually rewarded (which is why these people get into those positions) in the "modern world" and when it comes to placing the blame, all of what a clueless nuthead in some office will understand is "don't use this app here or there or ever" or "ban this account or that account cause too much 'suspicious' traffic". In other words, they probably won't bother to look deeper into the matter and solve the root problem, but adopt a superficial stance and make it easier for themselves. This will, of course, result in the problem happening again next time, as no valuable lesson or conclusion will be extracted from these events.

Sorry if my opinion was different from others. :confused:


My point has always been that it doesn't make sense to "deploy" Rainmeter in a business environment, as it simply can't be "controlled" by a central authority, someone responsible for security of the network and computers in a company. It is designed to be under the control of the ultimate end-user of the computer, and simply can't effectively be locked-down in any way. So given that, and given that a poorly designed or even purposefully evil skin that some less-sophisticated user can download and install from anywhere in the world can do great harm to both the individual computer and the overall company network, I would NEVER allow it to be used in any environment where security is a concern.

Even if you can be sure that every computer has a version of the Rainmeter executables that are directly from us, and are safe, and fully tested and verified, that is only half the battle. How do you stop an end-user from downloading a badly behaved skin from some Russian website and installing it? Any security administrator in a company that simply trusts that end-users are going to know what they are doing, and takes a "hands off" approach to protecting the company assets is a waste of a salary. Just go ahead and file for bankruptcy now, and save time.

It's going to depend a great deal on how computers are deployed and used in a given company, how many end-users you are trying to wrangle into reasonably safe behavior, and what your threshold for risk is, but make no mistake. Rainmeter is not particularly "secure" in a business environment.
jsmorley
Developer
Posts: 22368
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: it firm softserve hacked locked down plundered

Post by jsmorley »

Using it in a company setting aside, I will say that we go to some considerable lengths to ensure that when used on your home computer, as a "hobbyist" piece of software that you enjoy tinkering with, Rainmeter is quite "safe". As long as you get the software from us and nowhere else, and take some care about the skins you download and install (or even better, write yourself), and as always have a decent nightly backup of your system, Rainmeter is perfectly safe to use.
SilverAzide
Rainmeter Sage
Posts: 1615
Joined: March 23rd, 2015, 5:26 pm

Re: it firm softserve hacked locked down plundered

Post by SilverAzide »

redorbroder wrote: September 14th, 2020, 9:05 am Hello!
Found out the other day SilverAzide was missing which led me here.
[snip]
Thanks for any info and hopefully SilverAzide will be back soon!

Best regards,
redorbroder
Hi redorbroder!
I'm still alive, just not on DeviantArt. They have shown zero interest in working with me to get my account reactivated, but I'm not sure I really care. Yincognito is right I think, probably some algorithm decided I was a spammer and nuked my account. The Gadgets are still on the Rainmeter forums and on my GitHub site. Thanks, and good hearing from you again!
Last edited by SilverAzide on September 14th, 2020, 12:25 pm, edited 1 time in total.
Gadgets Wiki GitHub More Gadgets...
jsmorley
Developer
Posts: 22368
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Re: it firm softserve hacked locked down plundered

Post by jsmorley »

SilverAzide wrote: September 14th, 2020, 12:23 pm Hi redorbroder!
I'm still alive, just not on DeviantArt. They have shown zero interest in working with me to get my account reactivated, but I'm not sure I really care. The Gadgets are still on the Rainmeter forums and on my GitHub site. Thanks, and good hearing from you again.
No real explanation for why your account was banned?