
Security

GUADEC: Danny O'Brien on privacy, encryption, and the desktop

By Jake Edge
August 4, 2010

Journalist and digital rights activist Danny O'Brien came to GUADEC to try to educate GNOME hackers about the threats facing journalists, their computers, and their online communication from governments and organized crime. But free software can help, so he wanted to outline the features that he thinks could be added to desktops to help secure them and protect the privacy of all users, not just journalists. Part of his job as internet advocacy coordinator for the Committee to Protect Journalists (CPJ) is to talk to internet developers and "persuade them to think about how journalists in repressive regimes are affected" by the choices those developers make.

[Danny O'Brien]

O'Brien has written for multiple publications including Wired UK and the Need To Know email newsletter that he founded, which ceased publication in 2007. He has also worked for the Electronic Frontier Foundation (EFF) as activist coordinator and most recently its international outreach coordinator. He is now with CPJ, which is an organization that seeks to protect journalists from various threats, both physical and in the online world. "They know the levers of power to get people out of trouble, or to stop them from getting into it", he said.

He started out by explaining that journalists do not understand recursion, as he found out when he tried to unpack GUADEC (GNOME Users' and Developers' European Conference) for his boss. The use of an acronym as the first word of an unpacked acronym was problematic enough, but when he tried to explain that GNOME is (or was) the GNU Network Object Model Environment, he sensed he was getting in a bit too deep. Then he had to try to explain "GNU's Not Unix".

The problems that many in the online and free software worlds have been concerned about for years are finally becoming mainstream, he said. "Powerful forces are trying to stop the spread of information online", and that message is finally starting to get out. He put up the recent xkcd comic ("It's the world's tiniest open-source violin") as an example of one place where those concerns are starting to get some mainstream attention.

He pointed to a number of different attacks against the computers of journalists, generally from governments, but sometimes also from organized crime syndicates. It's not just repressive regimes that target journalists, he said, noting reports on the CPJ website regarding Japanese journalists who have been subjected to governmental pressure and mistreatment.

One of the more insidious attacks against journalists' computers was an email sent to foreign journalists based in Shanghai and Beijing from a fictional editor for The Straits Times. The email was a credible request for assistance in contacting people on a list contained in a PDF attachment—a PDF with a zero-day exploit that installed spyware on the computer. It was not just the foreign correspondents who were targeted, however, as the email was also sent to the native Chinese assistants of the correspondents, which is a list that would be difficult to generate—unless a large intelligence agency was involved.

Another common tactic used by governments to intimidate and spy on journalists is to raid the offices of a television/radio station or publication because the organization supposedly owes back taxes. All of the computer equipment is then seized for evidence. A variation of that scheme was recently used in Kyrgyzstan where a television station was raided due to alleged software "piracy" and all of the computers were confiscated. Whether tax or copyright violation charges are ever filed is irrelevant because the government is really after the information stored on the computers.

Free software hackers have more of an interest in these kinds of problems "than just not [being] the ones affected". There are things that free software already does fairly well because those hackers "have an interest in creating secure systems", but there's more that could be done. It makes sense for it to be the free software community that fixes these problems, because it is "not beholden to big interests", O'Brien said.

So what is the "low hanging fruit"? Encryption is one area that is relatively well covered, at least for the web, with TLS. It provides security for publishers, readers, and commenters that is protected from even "state-sized interceptors". It makes simple censorship more difficult. The well-known Great Firewall of China looks for keywords, while the lesser-known Great English Firewall matches URLs to a list of child pornography sites; each of those censorship methods is blocked by encrypting web traffic.

But there are all sorts of internet protocols that are plaintext. "Since we don't use telnet any more, why should our code?" He was disappointed that the Telepathy communication framework doesn't ship with Off-the-Record (OTR) encryption support, because it makes his job harder when recommending tools to journalists.

He mentioned some Russian journalists that he had talked to who don't talk on the telephone because they believe it to be bugged. They also only use Gmail over HTTPS, "which is fine if you trust Google", but they switched to using Yahoo Messenger "because they heard good things about it"—unfortunately Messenger isn't encrypted. O'Brien said that the reason they didn't know that it "is less secure is because their desktop isn't telling them".

SSL certificates are another area of concern. Certificates can be forged by governments or other entities and then used in targeted attacks to intercept encrypted communications. The journalists that O'Brien deals with are the "canaries in a coal mine" for these kinds of problems. It is a "challenge for user experience" to alert the user to things like changed certificates, but there are also technical barriers as the libraries often don't return that kind of status to the applications.

He would like to see desktops have some sort of "advocate" for user security that would check and report on privacy and security issues with the software being used. User privacy and security are "pervasive concerns that should live on the desktop", O'Brien said. The desktop is becoming more intertwined with the web so it would be very beneficial to have some kind of active monitoring that is "sitting there checking that the systems are secure".
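The following is an added example, not code from O'Brien's talk or from any GNOME component, of what such a desktop "advocate" could do for the two situations described above: warning when an application is talking a plaintext protocol (the Yahoo Messenger case) and pinning a server's certificate on first use so that a later change is reported to the user rather than silently accepted (the forged-certificate case). The port table, the YMSG port number, the `.example` hostnames and the byte strings standing in for DER certificates are all assumptions constructed for the example; `fetch_der()` shows how a real certificate would be obtained but is not called in the demo.

```python
"""Sketch of a desktop "security advocate" (added example, not from the talk
or from GNOME).  Two checks the talk asks the desktop to run for the user:

  1. warn when an application talks a plaintext protocol, and
  2. pin server certificates on first use (TOFU) and report when a host's
     certificate later changes instead of silently trusting the new one.

All connections and "certificates" below are constructed sample data.
"""
import hashlib
import ssl
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Ports whose usual protocol carries traffic unencrypted.  Constructed,
# illustrative table; a real advocate would key on protocol, not port alone.
PLAINTEXT_PORTS = {
    21: "FTP",
    23: "telnet",
    80: "HTTP",
    110: "POP3",
    143: "IMAP",
    5050: "Yahoo Messenger (YMSG)",  # assumed default YMSG port
}


@dataclass(frozen=True)
class Connection:
    app: str
    host: str
    port: int


def audit_plaintext(conns: Iterable[Connection]) -> List[str]:
    """One warning per connection that uses a known plaintext port."""
    warnings = []
    for c in conns:
        proto = PLAINTEXT_PORTS.get(c.port)
        if proto is not None:
            warnings.append(f"{c.app}: {proto} to {c.host}:{c.port} is not encrypted")
    return warnings


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate in AA:BB:... form."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch a live server certificate (needs network; not used in the demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Trust-on-first-use store: host -> pinned certificate fingerprint."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, der: bytes) -> str:
        """Return "new", "match" or "changed".  A changed certificate is
        reported but never re-pinned automatically; that is the user's call."""
        fp = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            return "new"
        return "match" if pinned == fp else "changed"


def advocate_report(conns: Iterable[Connection],
                    observed_certs: Dict[str, bytes],
                    store: PinStore) -> List[str]:
    """Combine both checks into the alerts a desktop would show the user."""
    alerts = audit_plaintext(conns)
    for host, der in observed_certs.items():
        status = store.check(host, der)
        if status == "changed":
            alerts.append(f"{host}: certificate changed since last visit "
                          f"(pinned {store.pins[host][:23]}..., now "
                          f"{fingerprint(der)[:23]}...); possible interception")
        elif status == "new":
            alerts.append(f"{host}: first contact, pinned certificate "
                          f"{fingerprint(der)[:23]}...")
    return alerts


# Constructed sample data: Gmail over HTTPS, Yahoo Messenger, and telnet.
SAMPLE_CONNECTIONS = [
    Connection("browser", "mail.google.com", 443),
    Connection("messenger", "messenger.yahoo.example", 5050),
    Connection("terminal", "newsroom.example", 23),
]
# Stand-ins for DER certificates; real ones would come from fetch_der().
CERT_A = b"constructed-cert-A"
CERT_B = b"constructed-cert-B"

if __name__ == "__main__":
    store = PinStore()
    # First run: two plaintext warnings and the Gmail certificate gets pinned.
    for line in advocate_report(SAMPLE_CONNECTIONS, {"mail.google.com": CERT_A}, store):
        print(line)
    # Later run: a different certificate for the same host is reported.
    for line in advocate_report([], {"mail.google.com": CERT_B}, store):
        print(line)
```

The design point is in `PinStore.check()`: a changed certificate is surfaced as an alert and the old pin is kept, so the decision to trust the new certificate is made by the user rather than by the library, which is exactly the status information O'Brien says applications usually never see.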

When someone wants to communicate with multiple friends, why does the data have to be sent to a central server, he asked. He would like to see the desktop become a "first-class player on the internet" by communicating in a decentralized, peer-to-peer fashion.

The organizations that know they don't want people to have privacy recognize that the desktop is the gatekeeper. A person's desktop is their "heart of trust", he said. "We have a responsibility to take the freedom that we take for granted and give it to people whose only privacy is their desktop".

O'Brien came to GUADEC because he believes that the project can help solve the problems in the privacy and security areas. GNOME has the "user experience chops" to make these kinds of changes, while continuing to produce a usable desktop. While he is particularly focused on journalists, the changes he advocates would be useful to many, but making them usable too will be a big challenge.

Comments (27 posted)

Brief items

Quote of the week

I think the whole reason many early [OLPC] laptops went out locked was that the local projects thought that somehow a locked laptop was "more secure" or "better" than an unlocked one. Field experience has proven the opposite. Unlocked laptops give the project more control, easier support, and more options.
-- John Gilmore

Comments (none posted)

Vixie: Taking back the DNS

Paul Vixie has posted an article introducing DNS response policy zones (DNS RPZ), a sort of blacklist mechanism for domain names. "ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define 'the spec' whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market."

Comments (18 posted)

New vulnerabilities

cabextract: code execution

Package(s): cabextract  CVE #(s): CVE-2010-2801
Created: August 4, 2010  Updated: September 28, 2010
Description: An unspecified "programming error" in cabextract apparently opens a code execution vulnerability by way of a maliciously-crafted Microsoft Cabinet file.
Alerts:
Gentoo 201312-09 cabextract 2013-12-14
Fedora FEDORA-2010-14634 cabextract 2010-09-15
Fedora FEDORA-2010-14722 cabextract 2010-09-15
Fedora FEDORA-2010-14634 libmspack 2010-09-15
Fedora FEDORA-2010-14722 libmspack 2010-09-15
Mandriva MDVSA-2010:154 cabextract 2010-08-16
Pardus 2010-109 cabextract 2010-08-11
Debian DSA-2087-1 cabextract 2010-08-04

Comments (none posted)

freetype: arbitrary code execution

Package(s): freetype  CVE #(s): CVE-2010-2541
Created: July 30, 2010  Updated: January 20, 2011
Description: From the Red Hat advisory:

Several buffer overflow flaws were found in the FreeType demo applications. If a user loaded a carefully-crafted font file with a demo application, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

Alerts:
SUSE SUSE-SU-2012:0553-1 freetype2 2012-04-23
Gentoo 201201-09 freetype 2012-01-23
MeeGo MeeGo-SA-10:31 freetype 2010-10-09
Debian DSA-2105-1 freetype 2010-09-07
SUSE SUSE-SR:2010:016 yast2-webclient-patch_updates, perl, openldap2, opera, freetype2/libfreetype6, java-1_6_0-openjdk 2010-08-26
openSUSE openSUSE-SU-2010:0549-1 freetype2 2010-08-25
Fedora FEDORA-2010-15705 freetype 2010-10-05
Ubuntu USN-972-1 freetype 2010-08-17
CentOS CESA-2010:0577 freetype 2010-08-16
CentOS CESA-2010:0578 freetype 2010-08-03
Pardus 2010-100 freetype 2010-08-02
Red Hat RHSA-2010:0578-01 freetype 2010-07-30
Red Hat RHSA-2010:0577-01 freetype 2010-07-30

Comments (1 posted)

kernel: dns_resolver upcall security issue

Package(s): kernel  CVE #(s): CVE-2010-2524
Created: August 3, 2010  Updated: June 20, 2011
Description: From the Red Hat bugzilla:

CIFS has the ability to chase MS-DFS referrals. In order to do this it has to be able to resolve hostnames into IP addresses. For this, it uses the keys API to upcall to the cifs.upcall userspace helper. It then resolves the name and hands the address back to the kernel.

The dns_resolver upcall currently used by CIFS is susceptible to cache stuffing. It's possible for a malicious user to stuff the keyring with the results of a lookup, and then trick the server into mounting a server of his choosing.

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Debian DSA-2264-1 linux-2.6 2011-06-18
Ubuntu USN-1083-1 linux-lts-backport-maverick 2011-03-03
Ubuntu USN-1074-2 linux-fsl-imx51 2011-02-28
Ubuntu USN-1074-1 linux-fsl-imx51 2011-02-25
MeeGo MeeGo-SA-10:38 kernel 2010-10-09
Fedora FEDORA-2010-18983 kernel 2010-12-17
openSUSE openSUSE-SU-2010:0664-1 Linux 2010-09-23
SUSE SUSE-SA:2010:040 kernel 2010-09-13
Mandriva MDVSA-2010:172 kernel 2010-09-09
Fedora FEDORA-2010-14235 kernel 2010-09-08
SUSE SUSE-SA:2010:039 kernel 2010-09-08
openSUSE openSUSE-SU-2010:0592-1 kernel 2010-09-08
Ubuntu USN-1000-1 kernel 2010-10-19
CentOS CESA-2010:0610 kernel 2010-08-11
Red Hat RHSA-2010:0610-01 kernel 2010-08-10
Fedora FEDORA-2010-11412 kernel 2010-07-27
Fedora FEDORA-2010-11462 kernel 2010-07-27

Comments (none posted)

kvirc: arbitrary command execution

Package(s): kvirc  CVE #(s): CVE-2010-2785
Created: August 2, 2010  Updated: August 17, 2010
Description: From the Debian advisory:

It was discovered that incorrect parsing of CTCP commands in kvirc, a KDE-based IRC client, could lead to the execution of arbitrary IRC commands against other users.

Alerts:
Gentoo 201402-20 kvirc 2014-02-21
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
Pardus 2010-115 kvirc 2010-08-12
Fedora FEDORA-2010-11524 kvirc 2010-07-30
Fedora FEDORA-2010-11506 kvirc 2010-07-30
openSUSE openSUSE-SU-2010:0459-1 kvirc 2010-08-02
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
Debian DSA-2078-1 kvirc 2010-07-31

Comments (none posted)

libmikmod: arbitrary code execution

Package(s): libmikmod  CVE #(s): CVE-2010-2546 CVE-2009-3995
Created: August 2, 2010  Updated: January 20, 2011
Description: CVE-2009-3995 describes a set of heap-based buffer overflows in libmikmod. It turns out that the upstream fix did not entirely close this vulnerability, necessitating another round of updates.
Alerts:
Gentoo 201203-10 libmikmod 2012-03-05
MeeGo MeeGo-SA-10:29 libmikmod 2010-10-09
CentOS CESA-2010:0720 mikmod 2010-10-10
Ubuntu USN-995-1 libmikmod 2010-09-29
Red Hat RHSA-2010:0720-01 mikmod 2010-09-28
Fedora FEDORA-2010-13702 libmikmod 2010-08-30
CentOS CESA-2010:0720 mikmod 2010-09-29
Mandriva MDVSA-2010:151 libmikmod 2010-08-16
Debian DSA-2081-1 libmikmod 2010-08-01

Comments (none posted)

libwebkit: multiple vulnerabilities

Package(s): libwebkit  CVE #(s): CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407 CVE-2010-1416 CVE-2010-1417 CVE-2010-1418 CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1664 CVE-2010-1665 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760 CVE-2010-1761 CVE-2010-1762 CVE-2010-1767 CVE-2010-1770 CVE-2010-1771 CVE-2010-1774
Created: August 2, 2010  Updated: March 2, 2011
Description: The webkit 1.2.3 release fixes a large number of security-related bugs.
Alerts:
Mandriva MDVSA-2011:039 webkit 2011-03-02
MeeGo MeeGo-SA-10:37 webkit 2010-10-09
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
Fedora FEDORA-2010-14419 webkitgtk 2010-09-10
Fedora FEDORA-2010-14409 webkitgtk 2010-09-10
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
Pardus 2010-106 qt 2010-08-11
openSUSE openSUSE-SU-2010:0458-1 libwebkit 2010-08-02

Comments (none posted)

mapserver: multiple vulnerabilities

Package(s): mapserver  CVE #(s): CVE-2010-2539 CVE-2010-2540
Created: August 2, 2010  Updated: August 26, 2010
Description: From the Debian advisory:

A stack-based buffer overflow in the msTmpFile function might lead to arbitrary code execution under some conditions. (CVE-2010-2539)

It was discovered that the CGI debug command-line arguments which are enabled by default are insecure and may allow a remote attacker to execute arbitrary code. Therefore they have been disabled by default. (CVE-2010-2540)

Alerts:
Fedora FEDORA-2010-12266 mapserver 2010-08-07
Debian DSA-2078-1 mapserver 2010-07-31

Comments (none posted)

moin: cross-site scripting

Package(s): moin  CVE #(s): CVE-2010-2487
Created: August 3, 2010  Updated: August 25, 2010
Description: From the Debian advisory:

It was discovered that moin, a python clone of WikiWiki, does not sufficiently sanitize parameters when passing them to the add_msg function. This allows remote attackers to conduct cross-site scripting (XSS) attacks, for example via the template parameter.

Alerts:
Gentoo 201210-02 moinmoin 2012-10-18
Ubuntu USN-977-1 moin 2010-08-25
Debian DSA-2083-1 moin 2010-08-02

Comments (none posted)

tomcat: multiple vulnerabilities

Package(s): tomcat5  CVE #(s): CVE-2009-2696 CVE-2010-2227
Created: August 3, 2010  Updated: February 14, 2011
Description: From the Red Hat advisory:

The Tomcat security update RHSA-2009:1164 did not, unlike the erratum text stated, provide a fix for CVE-2009-0781, a cross-site scripting (XSS) flaw in the examples calendar application. With some web browsers, remote attackers could use this flaw to inject arbitrary web script or HTML via the "time" parameter. (CVE-2009-2696)

A flaw was found in the way Tomcat handled the Transfer-Encoding header in HTTP requests. A specially-crafted HTTP request could prevent Tomcat from sending replies, or cause Tomcat to return truncated replies, or replies containing data related to the requests of other users, for all subsequent HTTP requests. (CVE-2010-2227)

Alerts:
Gentoo 201206-24 tomcat 2012-06-24
Pardus 2011-38 tomcat-servlet-api 2011-02-14
Fedora FEDORA-2010-16528 tomcat6 2010-10-20
Fedora FEDORA-2010-16248 tomcat6 2010-10-14
Fedora FEDORA-2010-16270 tomcat6 2010-10-14
openSUSE openSUSE-SU-2010:0616-1 tomcat 2010-09-16
SUSE SUSE-SR:2010:017 java-1_4_2-ibm, sudo, libpng, php5, tgt, iscsitarget, aria2, pcsc-lite, tomcat5, tomcat6, lvm2, libvirt, rpm, libtiff, dovecot12 2010-09-21
Mandriva MDVSA-2010:177 tomcat5 2010-09-12
Mandriva MDVSA-2010:176 tomcat5 2010-09-12
Ubuntu USN-976-1 tomcat6 2010-08-25
CentOS CESA-2010:0580 tomcat5 2010-08-03
Red Hat RHSA-2010:0583-01 tomcat5 2010-08-02
Red Hat RHSA-2010:0582-01 tomcat5 2010-08-02
Red Hat RHSA-2010:0580-01 tomcat5 2010-08-02

Comments (none posted)

Page editor: Jonathan Corbet


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds