Suggestions
#21
I have a long post for you, but I have been using the wizard for a short time and it's amazing. But it could be even better, so I have a few suggestions. And in light of what's been going on in the addon community, it appears there may be a need for some additional security measures to help protect builders and users.

For the record, I am not encouraging anyone to download or use Kodi for obtaining pirated content. There are plenty of legal uses for Kodi and builds without using addons that provide pirated content.

Optional MD5 support for verifying downloaded builds. This could also be beneficial if it could be used with notifications and maybe even APKs and other sections of the wizard like advanced settings. This helps guard against file corruption or even tampering by a third party. You can deploy this wizard over SSL/TLS as far back as Kodi 15 that I know of. A builder probably should be using SSL if they were to use MD5.

There is a fork of SPMC called FTMC and it has better support for modern TLS, and 17.3 has the modern libraries for it. With that being said, deploying your wizard and repositories over a secure connection is recommended. I would advise anyone setting up your wizard to be using at least FTMC 16.1+ or Kodi 17.x for the best TLS support. You can use SSL in older versions of Kodi, but you have to change your webserver configuration to use less secure ciphers that may be easily compromised, so it's best to stay up to date.

The ability to use AES-encrypted zip or 7z files to enable true "password protection" (and maybe even a way to predefine the archive password in a file somewhere in the user data).
I won't elaborate on why we can use encrypted archives to an advantage, but I am sure you can use your imagination as to why adding in a few layers of privacy/encryption could be beneficial to server providers and end users. (Remember the NSA and other government organizations undermined the security of SSL/TLS before.) This can also help builders/uploaders/server providers reduce excessive downloads and can help them give the option of plausible deniability of the contents of the stored archive on the server, as it would be encrypted. This would probably be a lot harder than it sounds because I don't know of any Python script or package that handles AES-encrypted zip files.

One of the coolest functions in your addon is the ability to upload logs. However, sending that data via the internet and uploading it to a public pastebin can also put the uploader at risk of leaking potentially sensitive information. In the interest of security I have a few suggestions. The ability to encrypt those logs with a GPG key before the script posts them to the bin would be beneficial to people who have their own builds, as you can predefine an email address for the logs to be emailed to. In the case of builders, they can include the proper settings in the addon data folder for the plugin and even include a predefined file containing a public key to encrypt that information so that it can't fall into a third party's hands. (You could probably even turn this into a way for people to send feedback about a build to its creator via email.)

GPG/PGP basically ensures that a message can only be read by its intended recipient. (If only Hillary Clinton and her staff were using that, then maybe the covfefeian species wouldn't have been able to leak their internal emails, but I won't bring politics into the matter.)

https://pypi.python.org/pypi/gnupg

https://pypi.python.org/pypi/python-gnupg/0.4.0 < Another Python GPG plugin

https://www.mailvelope.com/en/ >>>> Open source, simple GPG encryption for your webmail in a browser addon (a simple way to decrypt those messages)

I know this goes a bit off topic, but I would encourage users/developers/box sellers to use Signal and WhatsApp for their phone calling and texting, and use GPG for your emails; it's a good way to ensure privacy of your communications. Signal and WhatsApp use the same protocol but some favor one over the other. In my opinion Signal is a more secure app, but a lot of people use WhatsApp. They both use the same encryption protocol and the providers of those services cannot read or decrypt those messages. It also offers free international and local calling, so it's a good way to stay in touch with your friends around the world as well.
People should use GPG for their emails; that way they can't be used by an adversary at a later time to force a person to make a decision under duress. These apps are simple to use and Signal was used by Edward Snowden.

Alternatively, I host a fully encrypted pastebin at https://paste.basedsec.pro. It's hosted by an open source application called PrivateBin and not even the server admins can read the pastes unless they have the paste link. This could be useful with the QR code function you have in the wizard, and if a builder wanted to host their own encrypted pastebin and keep those logs secure, this would be a seamless way to do it. Layering it with GPG makes for some real high tinfoil-hat-ish security.
https://github.com/PrivateBin/PrivateBin
It also happens to use JSON like the Ubuntu paste site, and my site I mentioned above does allow API posts, so if you would like to try to implement support to post to PrivateBin installations, feel free to use mine. Please just keep the log expire time at 7-10 days so my database stays light. Bear in mind I have a rate limit in place of 3 seconds in between posts.
https://github.com/PrivateBin/PrivateBin/wiki/API

One way GPG could be implemented into the log emailer is if you were to release a copy of the PHP script you have hosted on the Aftermath wizard site (and redact any potential mail credentials); the script could be modified to where it could encrypt that data on the server with a key and then email it.

Releasing that script would also allow builders to use their own mail relays instead of your relay. This would be beneficial to both builders and users, and it would also add a little bit of security. Whenever someone uploads a log via Aftermath, it passes the user's address and a copy of the wizard and Kodi log URLs through your server, and an adversary could intercept that connection and record every single log that passes through your script and could even get an idea of what users were running what addons and have an IP address to associate with them (this can be bad if the data isn't encrypted).

Simply put, not using encryption on today's internet is like having unprotected intercourse with an escort.

Also, are you aware that your wizard appears to make 7 requests to the wizard and maybe even the zip file when connecting to the server? Is it possible for you to optimize the wizard to be less excessive when checking for changes? This can waste bandwidth, and if this wizard were deployed on a build, especially one with a large user base, it could also look like a DDoS attack to an experienced system/network administrator because of the excessive requests and could draw unwanted attention to a build. This can be reduced already by configuring the check for updates to be every 3-5 days, but even when it checks then it still makes excessive requests.

Oh, the ability to have the wizard automatically download and install an updated version of the build it's looking for and attempt to force close or reload the profile, and make that configurable in the settings. It would make things less excessive if it could be configured to automatically download if a user selects the option, and if it could also just force close or reload when it's done it would reduce a few clicks and such for people that just don't want to have to push a lot of buttons.


And finally, can I buy you a beer?


Thanks
Based_Skid
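The MD5-verification suggestion above, worked through as an added example (my own code, not the wizard's): the addon would fetch an md5sum/sha256sum-style sidecar line next to the build, stream the downloaded file through hashlib and only keep it when the digests match. MD5 still catches corruption but no longer resists deliberate collisions, so the same function accepts sha256; the sample bytes and the `build.zip` name are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def parse_checksum_line(line):
    """Parse one md5sum/sha256sum-style sidecar line: '<hexdigest>  <filename>'."""
    parts = line.strip().split()
    if len(parts) != 2:
        raise ValueError("malformed checksum line: %r" % line)
    digest, name = parts
    # md5sum writes '*name' for files hashed in binary mode; drop the marker.
    return digest.lower(), name.lstrip("*")

def file_digest(path, algo="md5", chunk=1 << 20):
    """Stream the file through hashlib so a large build never sits fully in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_build(path, sidecar_line, algo="md5"):
    """True only if the sidecar digest matches the file on disk; delete the file on False."""
    expected, _name = parse_checksum_line(sidecar_line)
    actual = file_digest(path, algo)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(expected, actual)

def demo():
    # Constructed sample: fake build bytes plus matching and tampered sidecars.
    data = b"PK\x03\x04 sample bytes standing in for a downloaded build zip\n"
    path = os.path.join(tempfile.mkdtemp(), "build.zip")
    with open(path, "wb") as f:
        f.write(data)
    good_md5 = hashlib.md5(data).hexdigest() + "  build.zip\n"
    good_sha = hashlib.sha256(data).hexdigest() + "  build.zip\n"
    tampered = "0" * 32 + "  build.zip\n"
    return (verify_build(path, good_md5, "md5"),
            verify_build(path, good_sha, "sha256"),
            verify_build(path, tampered, "md5"))

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The sidecar must be fetched over TLS from the builder's own host, as the post says; a checksum served next to the file over plain HTTP only detects corruption, not substitution of both files together.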
#22
Suggestion for the next update: take themes off as they don't work! And if they do, nobody on the forum wants to share how. Not a moan, just an observation; still a cracking wizard.
#23
I think themes do work. There's a guide on themes at Aftermathwizard.net. I also believe there are a couple of YouTube videos on it.

#24
Terror, I did ask if you were the same guy that was talking to me on Twitter. The theme code was written to work for Dabutcher's Dapulse build. I told the guy how to fix it and what to do.

#25
My bad, I'm thee noob in noobsandnerds! My apologies for not understanding your tweet SurfacingX, and thanks for your input ARBTT. Note to oneself (read and understand before commenting). Off now to misunderstand Dabutcher and Dapulse builds.
#26
The wizard is pretty awesome as it is!

I'd simply like the updated Trakt backup addons, Covenant/Bubbles etc.

And is it at all possible to enable .7z builds? That would be amazing as the size is much smaller.

---

Is there a changelog for what is already coming in the next version? I'd be very interested to give it a read. :-)
#27
As far as I'm aware .7z is not supported on Android so would be no good for Android devices and I'd imagine that's what the majority of people are using these wizards for.

I say it's not supported, that's not totally true... it can be supported via an external app but I'm fairly sure it's not supported natively so to get any 7zip support you'd need to install a bunch of stuff on your device to first of all make it compatible. Even then you've still got to somehow send through the relevant params from Kodi through to the external app so pretty sure it wouldn't be an easy/worthwhile task unfortunately.

I may well be wrong there but I'm pretty sure that used to be the case when I investigated it a year or two back.
#28
(08-05-2017, 12:04 PM)whufclee Wrote: As far as I'm aware .7z is not supported on Android so would be no good for Android devices and I'd imagine that's what the majority of people are using these wizards for.

I say it's not supported, that's not totally true... it can be supported via an external app but I'm fairly sure it's not supported natively so to get any 7zip support you'd need to install a bunch of stuff on your device to first of all make it compatible. Even then you've still got to somehow send through the relevant params from Kodi through to the external app so pretty sure it wouldn't be an easy/worthwhile task unfortunately.

I may well be wrong there but I'm pretty sure that used to be the case when I investigated it a year or two back.

Most Amlogic devices have busybox onboard the system and some of them have a broken SUD and don't even prompt for root and just grant it.

You can probably use a shell command. I know that you can use a .tar.gz archive.


If your system has root, I'd imagine you can run shell scripts from an addon. You may have to adjust your USRDR to match your Android user data folder, and you may need to change the Kodi directory if you use a fork. But this would work on 97% of Amlogic devices running 4.4 or later. And on 6.0 you would have to go into permissions and turn on the superuser permission for the SuperSU or Superuser app. Somehow they messed that up and it can break root on 6.0 or later Amlogic-based devices.

Code:
import os

# Hand the extraction script to the su binary; assumes a rooted device
# whose su grants the shell without prompting.
os.system("su -c 'sh /storage/emulated/legacy/Download/tgz.sh'")

Shell script example:
Code:
#!/system/bin/sh
# Android user data folder; adjust for your device (and the Kodi package name for a fork)
USRDR=/storage/emulated/legacy
# Unpack the downloaded build over Kodi's data directory, then stop Kodi so it reloads
busybox tar xzf "$USRDR/Download/kodibuild.tar.gz" -C "$USRDR/Android/data/org.xbmc.kodi"
am force-stop org.xbmc.kodi
#29
(09-16-2017, 07:49 PM)Based_Skid Wrote:
(08-05-2017, 12:04 PM)whufclee Wrote: As far as I'm aware .7z is not supported on Android so would be no good for Android devices and I'd imagine that's what the majority of people are using these wizards for.

I say it's not supported, that's not totally true... it can be supported via an external app but I'm fairly sure it's not supported natively so to get any 7zip support you'd need to install a bunch of stuff on your device to first of all make it compatible. Even then you've still got to somehow send through the relevant params from Kodi through to the external app so pretty sure it wouldn't be an easy/worthwhile task unfortunately.

I may well be wrong there but I'm pretty sure that used to be the case when I investigated it a year or two back.

Most Amlogic devices have busybox onboard the system and some of them have a broken SUD and don't even prompt for root and just grant it.

You can probably use a shell command. I know that you can use a .tar.gz archive.


If your system has root, I'd imagine you can run shell scripts from an addon. You may have to adjust your USRDR to match your Android user data folder, and you may need to change the Kodi directory if you use a fork. But this would work on 97% of Amlogic devices running 4.4 or later. And on 6.0 you would have to go into permissions and turn on the superuser permission for the SuperSU or Superuser app. Somehow they messed that up and it can break root on 6.0 or later Amlogic-based devices.

Code:
import os

# Hand the extraction script to the su binary; assumes a rooted device
# whose su grants the shell without prompting.
os.system("su -c 'sh /storage/emulated/legacy/Download/tgz.sh'")

Shell script example:
Code:
#!/system/bin/sh
# Android user data folder; adjust for your device (and the Kodi package name for a fork)
USRDR=/storage/emulated/legacy
# Unpack the downloaded build over Kodi's data directory, then stop Kodi so it reloads
busybox tar xzf "$USRDR/Download/kodibuild.tar.gz" -C "$USRDR/Android/data/org.xbmc.kodi"
am force-stop org.xbmc.kodi




Don't get me wrong, I love the out-of-the-box thinking, but counting on "a device maybe having busybox" + "and that it just so happens to have a magical working but borked su" is just a pipe dream lol.

The one major problem with this is that it only covers Amlogic devices... What about all the other Android devices? What about all the other operating systems?
BTW Amlogic doesn't have a borked SUD, they just have a working su binary with no "Android app" to manage it (security risk and/or pre-rooted Android device, YES!)
Quote: Most Amlogic devices have busybox onboard the system and some of them have a broken SUD and don't even prompt for root and just grant it.


Now if you can: compile or come up with a static busybox binary for each CPU arch + that works on all versions of Android ("newer Android has some stupid PIE crap that stops non-PIE binaries from running") + static binaries of tar for Windows, Linux, Mac OS X, and whatever other systems the wizard would be used on.... then that may just work! Don't forget that with Android you would then have to put that busybox in an area where you can actually execute it, so you would have to inject it into xbmc://* and chmod it so anyone can run it.

BUT WAIT!!! WHY BUSYBOX?! Android generally comes with tar built in, doesn't it?
Code:
$ adb shell which tar
/system/bin/tar


As far as 7z goes for Android, yes, I have compiled binaries for Android and also have Windows and Linux, not sure what else. But again you now run into the same headache from up above. I even think the "IARL" addon has static 7z binaries.


Now for the same reason you need to inject a binary into /data/data/org.xbmc.kodi, you would need to do the same for your script. With or without su you can't execute stuff from the sdcard (may be possible on old-ass Android versions.... honestly I don't remember 'cause who the hell wants to be using 4.* Android when you can be on Android 7?)
Code:
os.system("su -c 'sh /storage/emulated/legacy/Download/tgz.sh'")

But you can
Code:
cat /sdcard/Download/tgz.sh | /system/bin/sh -


Unless you have root or adb, this command won't work
Code:
am force-stop org.xbmc.kodi

If you did have root or ADB, this would kill Kodi and auto restart it
Code:
am start -S -n org.xbmc.kodi/.Splash

The Python way to kill Kodi (in your addon)
Code:
os._exit(1)



Alright, now that I have covered A-Z, what I wanna know is:
What does "tar" have to do with your OG post about encrypting zipped-up build files??
Last I checked (today) tar has no encryption/password protecting of its compressed files lol
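Both the busybox tar script in #28 and the objection in #29 that it only works on rooted Amlogic boxes can be sidestepped inside the addon itself: Python's standard tarfile module unpacks a .tar.gz build on Android, Windows, Linux and macOS with no external binary and no su. This added example is mine, not the wizard's code; it also skips archive members that would land outside Kodi's data folder (a `../` entry, an absolute path, a link or device node), which a blind `tar xzf` would happily write. The sample archive, the `userdata/guisettings.xml` entry and the temporary destination are constructed.

```python
import io
import os
import shutil
import tarfile
import tempfile

def _inside(base, candidate):
    """True if candidate resolves to base itself or somewhere beneath it."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return candidate == base or candidate.startswith(base + os.sep)

def safe_extract(fileobj, dest):
    """Unpack a .tar.gz build into dest; returns (extracted_names, rejected_names)."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            target = os.path.join(dest, member.name)
            # Only plain files and directories that stay under dest; nothing else.
            if (os.path.isabs(member.name) or not _inside(dest, target)
                    or not (member.isfile() or member.isdir())):
                rejected.append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                # Copy the bytes ourselves so archive mode bits/ownership are not applied.
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
            extracted.append(member.name)
    return extracted, rejected

def build_sample_tar():
    """Constructed sample build: one legitimate file and one traversal attempt."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in [("userdata/guisettings.xml", b"<settings/>\n"),
                              ("../../etc/evil.sh", b"#!/bin/sh\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf

def demo():
    return safe_extract(build_sample_tar(), tempfile.mkdtemp())

if __name__ == "__main__":
    print(demo())  # (['userdata/guisettings.xml'], ['../../etc/evil.sh'])
```

Restarting Kodi afterwards is still the platform-specific step (os._exit in the addon, or am start where ADB/root is available, as discussed above).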