All posts by James Crook

Compromised Download Partner

For about 3 hours on August 2nd 2016 our download server was serving a hacked copy of Audacity that contained malware. This was due to hackers obtaining the password of one of our developers and using it to upload the malware.

We have now replaced the 2.1.2 hacked Windows installer and disabled that hacked account on FossHub.com – We are taking the incident very seriously indeed. We are working hard, in collaboration with FossHub.com, to do what we can to help prevent such an incident in future. In many ways Audacity is a soft target for hackers – and attractive as a target because of the large number of downloads.

We are a community of developers, documentation writers, support and help people, not a commercial outfit with a dedicated security team with strong security protocols. We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organisation.

We are really sorry that we let you down. If you were hit by this malware download, please accept our sincere apologies. We are now doing our best to learn from it, even if the cost to us is some loss of the community spirit.

James Crook (on behalf of the Audacity team).
August 3rd 2016.

UPDATE by FOSSHUB.COM, 2016-08-03, 11.10am GMT:

Last night we had a security incident caused by a group of hackers that allowed them to log in to FossHub developer *through* a user that was compromised. Shortly after, we noticed two users that were compromised. They simply logged in using their passwords and this allowed them to escalate.

The attackers uploaded a malware file on the Classic Shell page which was downloaded approximately 300 times. We removed the file in several minutes and we changed all passwords for all services we had.

They targeted the largest projects listed on FossHub: Audacity and Classic Shell. We reacted promptly for the Audacity installer, but for Classic Shell, several hundred users were able to download the malware-infected version.

We have been in contact with Google, PNAP and other providers.

Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage.

FossHub.com is down on purpose until we are able to identify the way hackers were able to escalate.

Therefore, we are currently in the process of reinstalling everything, changing all access rights and passwords, and running under new security rules.

The attackers tried to gain access to DNSMadeEasy (our DNS provider), to CloudFlare, personal emails, CDN services etc. The login logs show no successful logins, only FAILED attempts.

To keep this short, we will keep all services down until further notice.

I would like to say that we “apologize” but I would be lying not to admit it is the worst day ever for me (personally) and all FossHub team members.

After this incident, everything will change on our side. I am disappointed that despite trying to build the image of one of the cleanest sites on the web we are here.

I will email everyone after we are back, now we are under a pile of work, thank you!

Regards, Sam – FossHub

UPDATE BY Audacity Team’s Security Group – 2016-08-03 11:15 GMT:

We can confirm that, except for one external developer account on FossHub.com, no Audacity Team infrastructure was compromised.

Classic Shell and Audacity Windows .exe downloads were replaced by the attacker[s] with an MBR-overwriting trojan.

Some tips for safer downloading:

Install Antivirus and Firewalls. We cannot make recommendations, but you can review this website: http://www.av-comparatives.org/

You can also verify ALL files you download using https://virustotal.com/, which provides a multi-antivirus URL and File verification service.

Also, please make sure deceptive advertisements do not trick you into clicking them, making you believe they will provide the download file you were looking for. Review the entire web page before clicking on anything, especially deceptive advertising. We support the Advertising industry, but not the Malware Industry.

If you have any doubts or questions, please feel free to contact us.

UPDATE from Audacity Team Security Group – 2016-08-03 12:54 GMT:

Oldfoss.com was also compromised. Audacity Team contacted FossHub.com to let them know. Site www.oldfoss.com has been put offline.

In the news: Reporting on the Breach

This news item at Softpedia is one of the more informative about the breach.
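One way to build the safeguard the announcement above says was missing, monitoring the files an external download partner serves, is to compare each served file against digests the project recorded itself. This is an added example, not Audacity or FossHub code; the file names, the manifest layout and the `fetch` hook are assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac
import io

CHUNK = 64 * 1024

def sha256_stream(stream):
    """Hash a file-like object in chunks; returns (hex digest, byte count)."""
    h, size = hashlib.sha256(), 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
        size += len(chunk)
    return h.hexdigest(), size

def check_mirror(manifest, fetch):
    """Compare what the mirror serves with the project's own release manifest.

    manifest: {name: (sha256_hex, size)} recorded at build time and stored
              somewhere the mirror account cannot write to.
    fetch:    hypothetical hook, callable(name) -> binary stream, or None if
              the mirror no longer serves the file (in production, an HTTPS
              GET of the public download URL).
    """
    results = []
    for name, (want_hash, want_size) in sorted(manifest.items()):
        stream = fetch(name)
        if stream is None:
            results.append((name, "missing"))
            continue
        got_hash, got_size = sha256_stream(stream)
        if got_size != want_size:
            status = "size-mismatch"
        elif not hmac.compare_digest(got_hash, want_hash.lower()):
            status = "hash-mismatch"
        else:
            status = "ok"
        results.append((name, status))
    return results

def alerts(results):
    """Names that should page a human: anything that is not byte-identical."""
    return [name for name, status in results if status != "ok"]

def entry(data):
    return hashlib.sha256(data).hexdigest(), len(data)

# Constructed sample data: stand-ins for release files, not real installers.
GOOD = b"constructed stand-in for the genuine installer"
MANIFEST = {"installer-win.exe": entry(GOOD),
            "installer-mac.dmg": entry(GOOD + b"mac"),
            "source.tar.xz": entry(b"src")}
SERVED = {"installer-win.exe": GOOD[::-1],       # replaced, same length
          "installer-mac.dmg": GOOD + b"mac"}    # untouched; source removed

def fetch_constructed(name):
    data = SERVED.get(name)
    return io.BytesIO(data) if data is not None else None
```

Run on a schedule from a host that holds no mirror credentials, `alerts(check_mirror(MANIFEST, fetch))` flags a swapped installer on the next poll rather than hours later.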

Audacity 2.1.2 Released

Jan 20th, 2016: Audacity 2.1.2 Released

Audacity 2.1.2 replaces all previous versions.

We’ve made several improvements to the spectrogram view of tracks which are particularly valuable for vocal work. Thanks to Paul Licameli.

  • New option ‘Spectral Reassignment’. This algorithm deduces a ‘finer’ spectrogram for vocal work.
  • Improvements to Pitch (EAC) – cleaner (sharper) display.
  • Spectrogram Settings are now available per-track.

We put a lot of work into upgrading the key wxWidgets library we use from version 2.8.12 to version 3.0.2. This fixes many bugs in Audacity on Linux. Thanks particularly to Martin Steghöfer, Leland Lucius, David Avery.

Because there was so much work involved in moving to wx3 we were unable to make many of the other changes we wanted to make for 2.1.2. Fuller details on the changes since 2.1.1 can be found in the 2.1.2 Release Notes.

Audacity 2.1.1 Released

July 15, 2015: Audacity 2.1.1 Released

Audacity 2.1.1 replaces all previous versions.

  • The most visible new feature is scrubbing and seeking, including backwards play. Updates to Quick-Play also help with finding a precise position in the audio.
  • You can now install plug-ins without restarting Audacity or add and remove any effect or generator from the menus.
  • Over 50 bugs have been addressed with this release. Edits are now processed much faster in longer projects of a few hours duration.
  • Effects now have presets. A new Limiter replaces the Hard Limiter effect. There’s a new version of Vocal Removal, a cross-fade effect for combining clips on the same track and ‘classic filters’ available as an opt-in effect.

There’s also been lots of work behind the scenes, including VI usability enhancements and upgrade to new libraries. Fuller details on the changes since 2.1.0 can be found in the 2.1.1 Release Notes.

Audacity 2.1.0 Released

March 29, 2015: Audacity 2.1.0 Released

Audacity 2.1.0 replaces all previous versions.

  • For a long time, we have wanted Real-Time Preview for effects. It seemed nearly unachievable without major restructuring. But with Audacity 2.1.0, we have it in LADSPA, VST, and Audio Unit (OS X) effects! Thanks to Leland Lucius for these great new capabilities!
  • Much improved Noise Reduction effect replaces Noise Removal. Thanks to new contributor Paul Licameli!
  • Lots of other improvements to effects, also thanks to Leland, including:
    • VST: FXB preset banks, hosting multiple plug-ins
    • All effects can now be used in Chains, and can be sorted on name, publisher, or class.
    • Most Nyquist effects now have a Preview button.
  • Redesigned Meter Toolbars show a lot more information in a smaller area. Thanks, Leland Lucius and James Crook!
  • Spectral Selection in Spectrogram view. Thanks to Paul Licameli!

Audacity 2.1.0 also has lots of other improvements and bug fixes. Many thanks to all the QA folks for helping hone these, especially Gale Andrews, Steve Daulton, Peter Sampson, and Bill Wharrie. See the 2.1.0 Release Notes for details.

Audacity 2.0.6 Released

September 29, 2014: Audacity 2.0.6 Released

Audacity 2.0.6 replaces all previous versions.

Improvements:

  • better user interface for Keyboard Preferences
  • streamlining of several Menus
  • LV2 now supported on all platforms, and improved VST settings interface
  • translations updated, including adding Tamil language
  • other improvements, including to import/export and ease of installation on Mac OS X

Bug Fixes:

See 2.0.6 Release Notes for all the details.

Audacity 2.0 Released

March 13, 2012: Audacity 2.0 Released!

The Audacity Team is elated to announce the release of Audacity 2.0 for Windows, Mac, GNU/Linux, and other operating systems. Audacity 2.0 replaces all previous versions. It is derived from version 1.3.14, but is no longer a Beta version, and has major improvements over 1.2.6. See New Features and Release Notes for detailed information.

Google Summer of Code (GSoC) 2009 completed

September 01, 2009: Google Summer of Code (GSoC) 2009 completed

Audacity 1.3.9 (Beta) for Windows, Mac and Linux/Unix released today contains many bug fixes contributed by our two Google Summer of Code (GSoC) 2009 students, and brings us much closer to the goal of a new Stable 2.0 release.

As well as bug fixing, the students’ projects involved work on experimental “scripting” and “pre-record level detection” features that will appear in future Audacity versions. We congratulate both students on successful completion of their projects and thank everyone else involved in mentoring, testing and administration.

Future Beta Releases: We will have one or two more Beta releases in the very near future so as to get maximum possible feedback on code stability prior to 2.0 release. Please help us by trying the new Beta releases and letting us know of any problems you find. You can subscribe to receive news of these releases. Advanced users can also help us greatly by downloading our Nightly Builds and testing our fixes as we make them.

Bug Fixes in 1.3.9 include:

  • VST effects support crashed or slowed Audacity
  • Failure to launch on some Windows XP machines
  • Crashes importing files via drag or Recent Files
  • (Mac OS X) Files greater than 16-bit or 64000 Hz did not import using QuickTime filter
  • AAC exports silenced
  • Generating audio in existing track fitted project to window
  • View menu items/shortcuts disabled when playing/recording
  • Unwanted interactions between linked audio and label tracks
  • Various other interface and effects bugs

See New in Audacity 1.3.9 for more on 1.3.9 and the Beta series. Note: This release does not support Windows 98 or ME, for which 1.3.7 is still available.