By Jake Edge
May 9, 2012
Internet "censorship" is often associated with repressive governments
filtering the traffic of their citizens, but it goes well beyond that.
Internet service providers sometimes filter—or alter—the
traffic that they carry, companies restrict employees based on keywords and
URLs, courts naïvely order certain URLs to be blocked, and so on. But it
is difficult for any particular internet user to know just what it is they
can't get at. That problem is what the Tor Open Observatory of Network Interference (OONI)
project is hoping to help solve.
The overall goal for the OONI project is "to collect data which shows
an accurate representation of network interference on the Filternet we call
the internet", according to the web site. One obvious, though time
consuming, way to do that is to gather information from multiple different
"locations" on the internet, and that is what OONI has set out to do. Of
course, the OONI project itself can only reach out so far, so the intent is
to enlist other participants—essentially "crowdsourcing" the data
collection.
There are other internet censorship tracking projects—Google's
Transparency Report and Herdict for example—but the OONI project's
README notes that other efforts either use a closed methodology or closed
software. As befits a Tor project, though, OONI is fully open source. No
top-level LICENSE file for OONI is present at the moment, but one would
guess it will be similar to Tor's permissive license.
The core piece (ooni-probe) is written as a framework in Python, with an
eye toward contributions of additional tests (called "plugoos") and
reports. "Tests" are meant to detect censorship events by comparing the
results obtained locally with some kind of experimental control. That
control could be obtained via the Tor network, for example, or via some
other means. The tests can use various kinds of "assets", which might
include lists of URLs, IP addresses and ports, or keywords, as their
input. Current tests include checking that Tor bridges are functioning,
determining whether HTTP "Host" field filtering is occurring, checking for
DNS tampering, doing address and port scans, detecting Squid proxies, and
so on.
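The local-versus-control comparison that such a test is built on, as an added example in Python; this is not ooni-probe code, and the measurements, the block-page marker strings, the verdict names and the body-size threshold are all constructed for illustration. The control results stand in for what a run through Tor (or another uncensored vantage point) would return for the same URL assets.

```python
"""An OONI-style censorship test: classify each URL 'asset' by comparing the
local measurement with a control measurement taken from an uncensored
vantage point (over Tor, say). Added example, not ooni-probe code; the
measurements, block-page markers and size heuristic are all constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Strings that commonly appear on filter pages. Constructed list; a real
# test would carry these as an asset file alongside the URL list.
BLOCK_PAGE_MARKERS = (b"this site has been blocked", b"access denied", b"web guard")


@dataclass(frozen=True)
class Measurement:
    url: str
    dns_answers: FrozenSet[str]   # A records; empty means NXDOMAIN or timeout
    http_status: Optional[int]    # None means the connection never completed
    body: bytes = b""


def compare(local: Measurement, control: Measurement) -> Dict[str, str]:
    """One verdict per URL. Checks run from the outside in: DNS first, then
    the TCP/HTTP exchange, then the content, so the most specific cause wins."""
    if not control.dns_answers or control.http_status is None:
        verdict, detail = "inconclusive", "control vantage point could not fetch the URL"
    elif not local.dns_answers:
        verdict, detail = "dns-blocked", "local resolver returned no answers"
    elif local.dns_answers.isdisjoint(control.dns_answers):
        verdict, detail = "dns-tampering", "local answers %s share nothing with control answers %s" % (
            sorted(local.dns_answers), sorted(control.dns_answers))
    elif local.http_status is None:
        verdict, detail = "tcp-blocked", "DNS agreed but the local connection failed"
    elif any(m in local.body.lower() for m in BLOCK_PAGE_MARKERS):
        verdict, detail = "block-page", "local body carries a filter-page marker"
    elif local.http_status != control.http_status:
        verdict, detail = "http-status-mismatch", "local %d vs control %d" % (local.http_status, control.http_status)
    elif abs(len(local.body) - len(control.body)) > max(256, len(control.body) // 2):
        # Dynamic pages differ between fetches, so a plain hash mismatch is
        # too noisy; a large size difference is the constructed threshold here.
        verdict, detail = "http-body-mismatch", "body size differs from control by more than half"
    else:
        verdict, detail = "consistent", "local and control agree"
    return {"url": local.url, "verdict": verdict, "detail": detail}


def run_test(local_results: List[Measurement], control_results: List[Measurement]) -> List[Dict[str, str]]:
    """Pair local and control measurements by URL (the asset list) and classify each."""
    control_by_url = {m.url: m for m in control_results}
    report = []
    for local in local_results:
        control = control_by_url.get(local.url)
        if control is None:
            report.append({"url": local.url, "verdict": "inconclusive", "detail": "no control measurement"})
        else:
            report.append(compare(local, control))
    return report


# Constructed sample data (RFC 5737 documentation addresses, not real sites).
CONTROL = [
    Measurement("http://news.example/", frozenset({"203.0.113.10"}), 200, b"<html>" + b"n" * 4000 + b"</html>"),
    Measurement("http://blog.example/", frozenset({"203.0.113.20"}), 200, b"<html>" + b"b" * 3000 + b"</html>"),
    Measurement("http://chat.example/", frozenset({"203.0.113.30"}), 200, b"<html>chat</html>"),
    Measurement("http://shop.example/", frozenset({"203.0.113.40"}), 200, b"<html>shop</html>"),
    Measurement("http://archive.example/", frozenset({"203.0.113.50"}), 200, b"<html>" + b"a" * 2000 + b"</html>"),
    Measurement("http://down.example/", frozenset(), None),
]
LOCAL = [
    Measurement("http://news.example/", frozenset(), None),                                          # NXDOMAIN locally
    Measurement("http://blog.example/", frozenset({"198.51.100.1"}), 200, b"<html>moved</html>"),  # poisoned answer
    Measurement("http://chat.example/", frozenset({"203.0.113.30"}), None),                          # RST or silent drop
    Measurement("http://shop.example/", frozenset({"203.0.113.40"}), 200, b"<html>shop</html>"),
    Measurement("http://archive.example/", frozenset({"203.0.113.50"}), 200, b"<html>Web Guard: this site has been blocked</html>"),
    Measurement("http://down.example/", frozenset(), None),
]


def demo() -> List[Dict[str, str]]:
    return run_test(LOCAL, CONTROL)


if __name__ == "__main__":
    for row in demo():
        print("%-26s %-22s %s" % (row["url"], row["verdict"], row["detail"]))
```

The ordering of the checks is the point: a filter page served with a 200 status, as in the archive.example row, would be missed by a status comparison alone, and a poisoned DNS answer would otherwise show up only as a confusing body mismatch. The inconclusive verdicts matter too: a URL the control could not fetch says nothing about local censorship and should not be reported as blocked.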
While there are plenty of tests that could be added, seemingly the area
needing the most attention
right now is the "reports". Currently, test failures are
essentially just written to an unstructured text log file, which can
be stored locally or uploaded to a server. Tools to interpret the data and
to provide higher-level visualizations of the types and locations of
internet censorship are planned.
While the OONI code is under heavy development, the project can
already claim some successes. ooni-probe was used to detect eight
blocked web sites for internet users in Bethlehem, West Bank. The
probe scanned more than one million sites and found that users are blocked
from eight news sites "whose reporting is critical of
[Palestinian Authority] President Mahmoud Abbas".
In addition,
ooni-probe found that T-Mobile USA's Web Guard "feature" blocks
access to much more than the advertised categories. In particular,
sites for Tor, the Internet Archive WaybackMachine, Chinese sports news,
French economics and financial news, a Japanese URL shortener, and many
others, were blocked though they didn't fall into any of the listed categories: "Alcohol,
Mature Content, Violence, Drugs, Pornography, Weapons, Gambling, Suicide,
Guns, Hate, Tobacco, Ammunition".
OONI is just getting started, but it is clearly a welcome addition to the
internet landscape. In order for John Gilmore's famous quote ("The
Net interprets censorship as damage and routes around
it"—which seems to be an informal slogan for OONI) to be
true, the internet, or really its users and operators, must be aware of
where that censorship is occurring and how it is being applied. With tools
like OONI (and the others, though it's unclear why they aren't more
transparent), routing around that censorship will be easier. The free flow
of information on the internet depends on being able to do so.
Brief items
> Is chkrootkit confused?
Yes and no. It correctly detects that your /sbin/init is something hideous
and nasty, but fails to realise that it's something hideous and nasty that
Fedora ships 8)
-- Alan Cox
If the Order stands, Twitter will be put in the untenable position of
either providing user communications and account information in response to
all subpoenas or attempting to vindicate its users’ rights by moving to
quash these subpoenas itself--even though Twitter will often know little or
nothing about the underlying facts necessary to support their users’
argument that the subpoenas may be improper.
-- Twitter stands up for its users
As long as the Air Force pinky-swears it didn’t mean to, its drone fleet
can keep tabs on the movements of Americans, far from the battlefields of
Afghanistan, Pakistan or Yemen. And it can hold data on them for 90 days —
studying it to see if the people it accidentally spied upon are actually
legitimate targets of domestic surveillance.
-- Spencer Ackerman
An Apple programmer, apparently by accident, left a debug flag in the most recent version of the Mac OS X operating system. In specific configurations, applying OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text.
-- Emil Protalinski
PHP 5.3.12 and 5.4.2 have been released to fix a nasty security hole that
was disclosed somewhat sooner than planned. Essentially, it allows any
remote attacker to pass command-line arguments to the PHP interpreter
behind a web page—but only in the (hopefully rare) setups where PHP is
invoked via the CGI mechanism. "If you are using Apache mod_cgi to run PHP
you may be vulnerable. To see if you are just add ?-s to the end of any of
your URLs. If you see your source code, you are vulnerable. If your site
renders normally, you are not."
Bit-tech reports that Barnes & Noble pulled the last issue of Linux
Format magazine because of an article featuring hacking techniques. "Issue
154 of Linux Format magazine had as its cover feature a piece entitled
'Learn to Hack,' walking readers through the use of the Metasploit
Framework exploitation toolkit to gain access to computer systems running
a variety of operating systems. The article also covered password
cracking, network sniffing, and man-in-the-middle attacks over encrypted
protocols. More importantly, the guide also covered how best to protect
your systems from the self-same attacks, providing readers with
information that the publication hoped would help keep them safe from the
ne'er-do-wells inhabiting the seedier sides of the net." Future, Linux
Format's parent company, has made the article available online.
New vulnerabilities
argyllcms: code execution
Package(s): argyllcms
CVE #(s): CVE-2012-1616
Created: May 7, 2012
Updated: June 19, 2012
Description: From the Red Hat bugzilla:
A Use-after-free vulnerability was found in the way icclib, a library used for reading and writing of color profile files that conform to the International Color Consortium (ICC) Profile Format Specification, processed certain crafted ICC profile files. The ICC Profile Format is a cross-platform device profile format that can be used to translate color data created on one device into another device's native color space.
A remote attacker could provide a specially crafted file and trick a local user into opening it, which could lead to arbitrary code execution with the privileges of the user running an application linked against icclib.
asterisk: denial of service
Package(s): asterisk
CVE #(s): CVE-2012-2416
Created: May 4, 2012
Updated: May 9, 2012
Description: From the CVE entry:
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel.
flash-player: code execution
Package(s): flash-player
CVE #(s): CVE-2012-0779
Created: May 7, 2012
Updated: May 23, 2012
Description: From the SUSE advisory:
Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012.
horizon: multiple vulnerabilities
Package(s): horizon
CVE #(s): CVE-2012-2094, CVE-2012-2144
Created: May 7, 2012
Updated: May 9, 2012
Description:
From the
Matthias Weckbecker discovered a cross-site scripting (XSS) vulnerability
in Horizon via the log viewer refresh mechanism. If a user were tricked
into viewing a specially crafted log message, a remote attacker could
exploit this to modify the contents or steal confidential data within the
same domain. (CVE-2012-2094)
Thomas Biege discovered a session fixation vulnerability in Horizon. An
attacker could exploit this to potentially allow access to unauthorized
information and capabilities. (CVE-2012-2144)
kernel: denial of service
Package(s): linux
CVE #(s): CVE-2012-2100
Created: May 8, 2012
Updated: December 19, 2012
Description: From the Ubuntu advisory:
A flaw was found in the Linux kernel's ext4 file system when mounting a
corrupt filesystem. A user-assisted remote attacker could exploit this flaw
to cause a denial of service.
mahara: insecure default/privilege escalation
Package(s): mahara
CVE #(s): (none assigned)
Created: May 9, 2012
Updated: May 9, 2012
Description: From the Debian advisory:
It was discovered that Mahara, the portfolio, weblog, and resume builder,
had an insecure default with regards to SAML-based authentication used
with more than one SAML identity provider. Someone with control over one
IdP could impersonate users from other IdPs.
mozilla-https-everywhere: no SSL switch for some URLs
Package(s): mozilla-https-everywhere
CVE #(s): (none assigned)
Created: May 3, 2012
Updated: May 9, 2012
Description: From the Tor bug entry:
If you go to a URL such as http://www.google.com./ HTTPS-Everywhere will *not* switch to HTTPS. This is a legal DNS value, technically but not practically distinct from http://www.google.com/ and as such, it should be handled similarly.
[...] (it would allow an active attacker to perform Firesheep-style cookie stealing accounts against sites that HTTPS Everywhere protects with domain-wide redirects, if the ruleset does not also have a <securecookie> directive)
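Why the trailing dot slips past a URL-regex ruleset, and the canonicalisation that closes the gap, as an added Python example; this is not HTTPS Everywhere's code and the rule below is constructed, not the real Google ruleset. The general point applies to any allow-list or rewrite keyed on a hostname: match on the canonical form (trailing dot stripped, lowercased), never on the raw string the user typed.

```python
"""A trailing-dot FQDN versus an HTTPS Everywhere-style rewrite rule.
Added example, not HTTPS Everywhere code; RULES is a constructed stand-in."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Rules in the style of a ruleset <rule from="..." to="..."/>: a regex over
# the whole URL and a replacement. Constructed for illustration.
RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^http://(www\.)?google\.com/"), r"https://\1google.com/"),
]


def rewrite_naive(url: str) -> str:
    """Apply the first matching rule to the URL exactly as given."""
    for pattern, repl in RULES:
        if pattern.match(url):
            return pattern.sub(repl, url, count=1)
    return url


def canonical_url(url: str) -> str:
    """Rebuild the URL with the host lowercased and any trailing dot removed,
    so 'www.google.com.' and 'www.google.com' match the same rules.
    (Userinfo is dropped here; a full implementation would preserve it.)"""
    p = urlsplit(url)
    host = (p.hostname or "").rstrip(".").lower()
    netloc = host + (":%d" % p.port if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, p.fragment))


def rewrite_canonical(url: str) -> str:
    """Canonicalise first, then match: the fixed behaviour."""
    return rewrite_naive(canonical_url(url))


if __name__ == "__main__":
    for u in ("http://www.google.com/", "http://www.google.com./", "http://WWW.Google.COM./search?q=x"):
        print("%-36s naive -> %-32s canonical -> %s" % (u, rewrite_naive(u), rewrite_canonical(u)))
```

The second half of the bug entry explains why this is more than an oversight: a site whose cookies are not marked Secure will send them over the plaintext request that the naive rewrite lets through, which is exactly the Firesheep-style capture the ruleset was meant to prevent unless a <securecookie> directive also covers the domain.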
openconnect: denial of service
Package(s): openconnect
CVE #(s): (none assigned)
Created: May 7, 2012
Updated: May 9, 2012
Description:
Version 3.18 of openconnect, a client for Cisco's "AnyConnect" VPN, fixes a potential buffer overrun when handling the greeting banner from the server.
Also this update fixes a potential crash when processing libproxy results.
php: code execution
Package(s): php5
CVE #(s): CVE-2012-2311, CVE-2012-1823
Created: May 7, 2012
Updated: July 2, 2012
Description: From the Ubuntu advisory:
It was discovered that PHP, when used as a stand alone CGI processor
for the Apache Web Server, did not properly parse and filter query
strings. This could allow a remote attacker to execute arbitrary code
running with the privilege of the web server. Configurations using
mod_php5 and FastCGI were not vulnerable.
python3: multiple vulnerabilities
Page editor: Jake Edge