
Security

LinuxCon: FreedomBox update and plans

By Jake Edge
August 24, 2011

Bdale Garbee is well-known in the free software world for a number of different things: his work with Debian (including a term as project leader), his work as HP's open source and Linux chief technologist, membership on several boards (the Linux Foundation among them), and a lot more. He's also known for giving talks at various conferences about another passion of his, model rocketry, and specifically how open hardware and software can be used to control and track those rockets. So when he said that his LinuxCon talk was a rare example of a "talk I would rather give than a rocket talk", it's a pretty good indicator of how important he thinks the topic, FreedomBox, is.

[Bdale Garbee]

The FreedomBox project is an effort to create personal servers that will run on cheap, "plug computer" hardware. While the software will be designed to run on hardware installed in the home or elsewhere, the focus is on in-home use. In some jurisdictions, Garbee said, there is a big difference between how data stored on a computer in the home vs. one elsewhere is treated in a legal sense.

The project also wants to "contribute to privacy-respecting alternatives to social networking". In today's world, people are uploading personal data to services like Facebook without any real guarantee that the data will still be there in the future, or that they will always have access to it. In addition, the terms of service can change over time, as do the privacy settings and policies. Garbee was careful to point out that the project (and the FreedomBox Foundation) would not necessarily be creating these social networking alternatives, but would be collaborating with those who are.

Another important part of the FreedomBox idea is to support mesh networking. As we have seen in the news recently, activists and political protestors in various places are too dependent on centralized services, especially communications services. We already have the technology to build mesh networks that could be used to route around repressive governments, or just repressive ISPs, he said. If two neighbors have different ISPs, with different filtering policies, a mesh network between them could potentially avoid those problems.

Debian and FreedomBox

There is a "high correlation" between the goals of the Debian distribution and those of the FreedomBox, Garbee said. There is also "no better place to find a strong technical infrastructure" than in Debian. In something of an aside, he also noted that while Linux was celebrating its 20th anniversary at the conference, Debian is celebrating its 18th anniversary, which is truly "mind-boggling", he said. There is no Debian company or corporation, it is made up of individual volunteers. It also runs on all of the relevant architectures. All of these things explain why the FreedomBox software is Debian-based.

In addition to all of that, there is a fair amount of truth to the statement that "all free software gets packaged for Debian", he said, which gives the project a good base. It can use the same bug tracker and build environment that Debian uses as well. Many of the pieces that are needed for FreedomBox are already packaged or being worked on within the distribution.

But FreedomBox does not plan to be a Debian derivative, and will instead do all of its work within the distribution. One of the goals is that every stable release of Debian will have "everything needed to create FreedomBoxes", Garbee said. So users can either buy a plug computer and install FreedomBox themselves, buy an off-the-shelf plug computer with the software pre-installed, or find a cast-off computer and install it there. One of the big advantages of that approach, he said, is that no matter how successful the FreedomBox project ends up being, all of the work and code will always be available in Debian.

The foundation

The FreedomBox Foundation (FBF) was founded by Eben Moglen, who has "done a great job articulating the need" for such a device. Moglen asked Garbee to join the board of the foundation in order to establish and chair a technical advisory committee (TAC). The TAC exists "to make the board understand what the technical issues are", he said, and it is not a "top-down design group". That work will be done in the soon-to-be-established working groups.

The FBF is not a large organization with "a lot of resources and an army of coders", Garbee said. The technology is not really the hard part, he said, at least for most of the people in the room. The much harder part will be the user experience because the FreedomBox has a "much broader audience than just those who are building it". If those others can't understand how to use it, "we will have failed". So far, that's an area where, unfortunately, not a lot of work has been done yet, he said.

There are other tasks that the FBF is taking on, such as fund-raising, outreach, and publicity. Those things are important and are a persistent problem for any non-profit organization, he said. Another non-obvious thing that the FBF can do is "industry relations". At some point, hardware vendors should be willing to build and ship products with FreedomBox pre-installed. That may require NDAs, which is not something that most free software developers want to deal with.

The TAC has been formed with Garbee as the chair. Five others are on the committee as well: Jacob Appelbaum, a security researcher and core member of the Tor project; Sam Hartman, a Debian developer and security consultant; Sascha Meinrath, author and mesh networking researcher; Rob Savoye, GNU toolchain hacker and embedded systems developer; and Matt Zimmerman, a Debian developer and former CTO at Canonical.

Over the coming weeks, Garbee said, various working groups will be established to work on the disparate pieces that make up FreedomBox. There are a lot of different conversations going on in the mailing list, and they are often getting derailed by people who are focusing on a different piece of the problem. These working groups will likely be "instantiated as separate mailing lists" and will be tasked with a specific piece of the problem. The output may be code, packages, or recipes, he said. Garbee is "looking forward to getting them going".

DreamPlug reference platform

The DreamPlug has been chosen as the initial reference platform for FreedomBox. Part of the requirements for the FBF's Kickstarter fundraising campaign was to deliver hardware to some donors, and the DreamPlug will fill that role. While the hardware is reasonable overall, he said, there are still some frustrating things from a free software perspective. Marvell created most of the hardware inside the DreamPlug, and has generally worked well with the community, but there were still some driver and source availability problems. Most of those have been resolved except for a firmware blob that is required to run the Marvell wireless uAP device.

The idea behind the choice of the DreamPlug is to pick a specific target, and the hardware is fairly capable. It has a 1.2 GHz ARM processor, with 512M of RAM, 2M flash for u-boot, and 2G of flash for filesystems. There are also lots of IO ports, including two gigabit Ethernet interfaces, two USB 2.0 ports, an eSATA 2.0 port, an SD socket, and more. It also has audio inputs which didn't seem useful at first, he said, until someone pointed out that they could be used for random number generation.

Technical progress

One of the areas that has been extensively discussed within the project is the idea of "establishing trust". OpenPGP keys are "about as good as it gets" for storing public/private key pairs, he said, but the trust-relationship problem still isn't solved. Noting that the target audience is more likely to have smartphones, the project is zeroing in on solutions that would allow an initial key exchange using the display and camera of a smartphone. A phone app could gather these keys when people meet face to face and later allow them to be installed on the FreedomBox.
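
The exchange described above, as an added example that is not FreedomBox or Monkeysphere code: the key owner's screen shows only the key's fingerprint (short enough to scan), the other person's phone captures it, and the FreedomBox later accepts the full key from whatever untrusted channel delivers it only if the key hashes to the fingerprint captured in person. The `OPENPGP4FPR:` prefix, the sample key values and the function names are assumptions for this example; the fingerprint construction follows RFC 4880 section 12.2 (SHA-1 over `0x99`, a two-octet length and the public-key packet body).

```python
"""Fingerprint-based OpenPGP key verification, as in a phone-scans-a-screen
meeting.  Added example, not FreedomBox or Monkeysphere code.  Assumed (not
from the article): the screen shows the V4 fingerprint behind an
"OPENPGP4FPR:" prefix, and the box later fetches the full key over an
untrusted channel.  The fingerprint rule is RFC 4880 section 12.2."""
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: two-octet bit length, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_public_key_packet(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (public-key algorithm 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, the two-octet body length, and the body."""
    if len(packet_body) > 0xFFFF:
        raise ValueError("packet body too long for a two-octet length")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(packet_body)) + packet_body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of a V4 fingerprint."""
    return fingerprint[-16:]


def display_payload(packet_body: bytes) -> str:
    """What the key owner's phone or box puts on screen: only the fingerprint,
    which is short enough to scan reliably, not the whole key."""
    return "OPENPGP4FPR:" + v4_fingerprint(packet_body)


def scan_payload(payload: str) -> str:
    """The scanning phone's side: validate and normalise what the camera read."""
    prefix = "OPENPGP4FPR:"
    if not payload.startswith(prefix):
        raise ValueError("not an OpenPGP fingerprint payload")
    fpr = payload[len(prefix):].replace(" ", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("malformed fingerprint")
    return fpr


def accept_key(scanned_fpr: str, fetched_packet_body: bytes) -> bool:
    """Install a key fetched later (keyserver, e-mail, the other box) only if it
    hashes to the fingerprint captured face to face; a swapped key fails."""
    return v4_fingerprint(fetched_packet_body) == scanned_fpr


# Constructed sample values: an arbitrary 128-bit modulus, far too small for a
# real key, used only so the packet encoding and hashing can be exercised.
SAMPLE_N = 0xC4F8E9E15DCADF2B96C763D981006A64
SAMPLE_E = 65537
SAMPLE_CREATED = 1314144000
GOOD_KEY = rsa_public_key_packet(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
# The same key with one modulus bit flipped, standing in for a key substituted
# in transit by whoever controls the channel.
SWAPPED_KEY = rsa_public_key_packet(SAMPLE_CREATED, SAMPLE_N ^ 1, SAMPLE_E)

if __name__ == "__main__":
    shown = display_payload(GOOD_KEY)
    captured = scan_payload(shown)
    print("scanned:", captured, "key id:", key_id(captured))
    print("genuine key accepted:", accept_key(captured, GOOD_KEY))
    print("swapped key accepted:", accept_key(captured, SWAPPED_KEY))
```

The point of scanning the fingerprint rather than the key itself is that the in-person channel only has to carry 20 bytes that are hard to forge; the bulky key can travel over any channel afterwards, because `accept_key()` makes substitution detectable.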

In addition, lots of work on the FreedomBox went on at the hackfest that preceded DebConf11 in Banja Luka, Bosnia and Herzegovina at the end of July. The focus was on assembling an initial development image for the DreamPlug and identifying and integrating an application into that image. While lots of progress was made, and an application was identified (an XMPP-based secure chat client), they didn't quite get there during the hackfest. There were also several FreedomBox talks at the conference itself and Garbee recommended viewing the videos of those talks.

Going forward, he said the team is "single-digit days" from releasing initial development images for both the DreamPlug and for x86 virtualization for those who don't have the hardware. There is ongoing work to use Monkeysphere for identity management with OpenPGP keys. Work on selecting and integrating specific applications that deliver "functionality implied by our vision" is underway, starting with the secure XMPP-based chat stack. The plan is to do periodic releases until "we achieve 1.0", Garbee said, but he won't say when that will happen, "Debian-style".

There are a number of ways for interested folks to get involved, starting with being "conscious about privacy and other freedoms in all that you do", he said. Experimenting with the software and helping to refine the list of alternatives to the proprietary cloud services would be helpful. Joining a working group or helping to select Debian packages (and determine the right configuration for them) are additional ways to help. Of course, financial contributions to the FBF are always welcome.

In answer to audience questions, Garbee reiterated that Debian was chosen for pragmatic reasons and there is no reason that others couldn't put the FreedomBox stack on top of other distributions. He did not want the FBF to have to set up distribution infrastructure or be saddled with long-term security updates, and basing on Debian avoided that. He also said that off-the-shelf FreedomBoxes are "at least a year away", and it could be longer than that.

[ I would like to thank the Linux Foundation for assistance with travel costs for LinuxCon. ]


Brief items

Security quotes of the week

Google are wrong about the root cause of online trolling and other forms of sociopathic behaviour. It's nothing to do with anonymity. Rather, it's to do with the evanescence of online identity. People who have long term online identities (regardless of whether they're pseudonymous or not) tend to protect their reputations. Trolls, in contrast, use throw-away identities because it's not a real identity to them: it's a sock puppet they wave in the face of their victim to torment them. Forcing people to use their real name online won't magically induce civility: the trolls don't care. Identity, to them, is something that exists in the room with the big blue ceiling, away from the keyboard. Stuff in the glowing screen is imaginary and of no consequence.
-- Charlie Stross looks at technical and social problems with the Google+ name policy

Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn't work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you think about your average ATM trip, that's a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.
-- Gizmodo (via Bruce Schneier)

It's basically like having root on the device, and that's like having root on the chemistry of the human body.
-- Jerome Radcliffe in a Dark Reading report of attacking a wireless insulin pump


Nasty Apache denial of service vulnerability

The Apache project has sent out an advisory warning of an easily-exploited denial of service vulnerability in all versions of the Apache server. "An attack tool is circulating in the wild. Active use of this tool has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. The default Apache HTTPD installation is vulnerable. There is currently no patch/new version of Apache HTTPD which fixes this vulnerability. This advisory will be updated when a long term fix is available." A fix is expected "within 48 hours"; a number of workarounds are provided in the advisory for those who cannot wait.
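
The item above does not say what the attack tool sends. The advisory it refers to (Apache's advisory of August 24, 2011 for CVE-2011-3192, not named in the item) concerned the HTTP Range header: a single request listing hundreds of overlapping byte ranges made httpd allocate memory for every one of them, and one of the advisory's workarounds was a `SetEnvIf`/`RequestHeader` pair that drops any Range header listing more than five ranges. The following is an added example, not httpd code, that applies the same policy in Python in front of an application: it parses the header per RFC 2616 section 14.35, caps the number of ranges, and (my own addition, not from the advisory) also refuses ranges that overlap or run backwards, which real clients do not send.

```python
"""Range header policy check.  Added example, not httpd code: it reproduces,
in Python, the effect of the advisory's SetEnvIf/RequestHeader workaround,
which drops a Range header listing more than five ranges, and adds an
overlap/ordering test (my addition, not from the advisory).  Syntax follows
RFC 2616 section 14.35: "bytes=" then comma-separated first-last, first-, or
-suffix specs."""
import re

MAX_RANGES = 5
_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str):
    """Return a list of (first, last) tuples; last is None for an open-ended
    range and first is None for a suffix range.  ValueError on bad syntax."""
    if not header.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    if any(s == "" for s in specs):
        raise ValueError("empty byte-range-spec")
    ranges = []
    for spec in specs:
        m = _SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError("last-byte-pos before first-byte-pos: %r" % spec)
        ranges.append((first, last))
    return ranges


def range_header_is_acceptable(header, max_ranges: int = MAX_RANGES) -> bool:
    """Accept a missing header, or a well-formed one with at most max_ranges
    ranges whose explicit spans are in increasing order and do not overlap.
    Browsers and download managers send one or a few ordered ranges; the
    attack pattern is hundreds of overlapping ones in a single request."""
    if header is None:
        return True
    try:
        ranges = parse_byte_ranges(header)
    except ValueError:
        return False
    if len(ranges) > max_ranges:
        return False
    prev_end = -1
    for first, last in ranges:
        if first is None:        # suffix range: no absolute position to order
            continue
        if first <= prev_end:
            return False
        prev_end = last if last is not None else float("inf")
    return True


def filter_request_headers(headers: dict) -> dict:
    """Mirror the workaround's effect: a Range header that fails the policy is
    removed, so the request is served whole rather than refused."""
    out = dict(headers)
    if not range_header_is_acceptable(out.get("Range")):
        out.pop("Range", None)
        out["X-Range-Dropped"] = "1"
    return out


# Constructed sample requests: an ordinary download resume, and a header of
# the kind the attack tool sends (many overlapping ranges in one request).
NORMAL_REQUEST = {"Host": "www.example.test", "Range": "bytes=1024-"}
ATTACK_REQUEST = {"Host": "www.example.test",
                  "Range": "bytes=" + ",".join("0-%d" % i for i in range(1300))}
```

Dropping the header rather than returning an error is deliberate: a client that legitimately sent an odd Range still gets the whole resource, while the amplification (one request, hundreds of allocations) is gone.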


New vulnerabilities

bugzilla: multiple vulnerabilities

Package(s): bugzilla
CVE #(s): CVE-2011-2379 CVE-2011-2380 CVE-2011-2979 CVE-2011-2381 CVE-2011-2978 CVE-2011-2977
Created: August 22, 2011    Updated: October 10, 2011
Description: From the CVE entries:

Cross-site scripting (XSS) vulnerability in Bugzilla 2.4 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3, when Internet Explorer before 9 or Safari before 5.0.6 is used for Raw Unified mode, allows remote attackers to inject arbitrary web script or HTML via a crafted patch, related to content sniffing. (CVE-2011-2379)

Bugzilla 2.23.3 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to determine the existence of private group names via a crafted parameter during (1) bug creation or (2) bug editing. (CVE-2011-2380)

Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression. (CVE-2011-2979)

CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject arbitrary e-mail headers via an attachment description in a flagmail notification. (CVE-2011-2381)

Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation. (CVE-2011-2978)

Bugzilla 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files. NOTE: this issue exists because of a regression in 3.6. (CVE-2011-2977)
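
The CRLF injection item (CVE-2011-2381) is the classic header-injection pattern: a user-controlled string lands in an e-mail header line, and a CR/LF inside it starts a new header. The following is an added example in Python, not Bugzilla's Perl; the notification layout, the header names and the attacker string are constructed for illustration. It shows the vulnerable path producing an extra `Bcc:` header, and a hardened value filter that refuses control characters and RFC 2047-encodes non-ASCII so a value can never span more than one header line.

```python
"""Header injection through an untrusted attachment description.  Added
example in Python, not Bugzilla's Perl; the message layout and header names
are made up for illustration.  The vulnerable path copies the description
straight into a header line; the hardened one refuses CR/LF and other
control characters and RFC 2047-encodes anything non-ASCII."""
import re
from email.header import Header

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def header_value_unsafe(value: str) -> str:
    """VULNERABLE: whatever the user typed becomes part of the header block."""
    return value


def header_value_safe(value: str) -> str:
    """Reject anything that could terminate the header line; encode the rest
    so the value is guaranteed to stay a single ASCII header line."""
    if _CONTROL.search(value):
        raise ValueError("control character in header value")
    if value.isascii():
        return value
    return Header(value, "utf-8", maxlinelen=998).encode()


def build_flagmail(to: str, description: str, body: str, sanitize) -> str:
    """Serialise a minimal flag-change notification; `sanitize` selects the
    unsafe or the safe treatment of the attacker-controlled description."""
    headers = [
        ("To", sanitize(to)),
        ("Subject", sanitize("[Bug 1234] flag set on attachment: " + description)),
        ("X-Bugzilla-Type", "request"),
    ]
    return "\r\n".join("%s: %s" % h for h in headers) + "\r\n\r\n" + body


def parse_headers(raw: str) -> dict:
    """Read the message back the way a simple MTA would: one header per CRLF
    line up to the first blank line.  Lower-cased names map to value lists."""
    head = raw.partition("\r\n\r\n")[0]
    found = {}
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        found.setdefault(name.strip().lower(), []).append(value.strip())
    return found


# Constructed attacker input: a description that smuggles a Bcc header, so the
# notification is silently copied to an outside address.
INJECTED_DESCRIPTION = "harmless.diff\r\nBcc: attacker@example.invalid"
```

Rejecting rather than stripping is the safer default here: silently removing the CR/LF would still let `Bcc: attacker@...` survive as harmless text, but it would also hide the fact that someone tried, which is worth logging.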

Alerts:
Gentoo 201110-03 bugzilla 2011-10-10
Debian DSA-2322-1 bugzilla 2011-10-10
Fedora FEDORA-2011-10413 bugzilla 2011-08-05
Fedora FEDORA-2011-10426 bugzilla 2011-08-05


crypt_blowfish: crackable password hashing

Package(s): crypt_blowfish
CVE #(s): CVE-2011-2483
Created: August 19, 2011    Updated: November 15, 2013
Description: From the openSUSE advisory:

The implementation of the blowfish based password hashing method had a bug affecting passwords that contain 8-bit characters (e.g. umlauts). Affected passwords are potentially faster to crack via brute force methods.
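
The advisory text does not say what the bug is. The flaw in crypt_blowfish's key loading (BF_set_key()) was that password bytes were read through a plain `char`, which is signed on x86, and ORed into a 32-bit word; a byte of 0x80 or above therefore sign-extended and overwrote the bytes already packed into that word with 0xFF. The following is an added Python simulation of that loop, written from my reading of the bug rather than taken from crypt_blowfish, and shows the consequence: with the bug, `ab\xe4` loads the same expanded key as `\xff\xff\xe4`, so the effective keyspace for such passwords collapses.

```python
"""Simulation of the key-loading loop in crypt_blowfish's BF_set_key().
Added example, not crypt_blowfish code.  The key is walked cyclically,
NUL terminator included, four bytes per 32-bit word.  With signed_char=True
a byte >= 0x80 is treated the way C treats `tmp |= *ptr` when ptr is a
signed `char *`: sign-extended to a negative int, then converted to unsigned
for the OR, which sets every higher bit of the word (the bug)."""

BF_N = 16  # Blowfish has BF_N + 2 == 18 P-array words


def bf_expand_key(key: bytes, signed_char: bool) -> list:
    """Return the 18 key words the password expands to."""
    data = key + b"\x00"  # the terminating NUL is part of the cycle
    ptr = 0
    words = []
    for _ in range(BF_N + 2):
        tmp = 0
        for _ in range(4):
            tmp = (tmp << 8) & 0xFFFFFFFF
            byte = data[ptr]
            if signed_char and byte >= 0x80:
                # (char)0xE4 == -28; (unsigned int)(-28) == 0xFFFFFFE4
                tmp |= (byte - 256) & 0xFFFFFFFF
            else:
                tmp |= byte
            ptr = 0 if byte == 0 else ptr + 1
        words.append(tmp)
    return words


def collide(a: bytes, b: bytes, signed_char: bool) -> bool:
    """True if two different passwords load the same expanded key."""
    return a != b and bf_expand_key(a, signed_char) == bf_expand_key(b, signed_char)


def wiped_prefix_length(key: bytes) -> int:
    """How many leading bytes of the first key word the bug replaces with 0xFF:
    everything before the first byte >= 0x80 within that word."""
    for i, byte in enumerate(key[:4]):
        if byte >= 0x80:
            return i
    return 0


if __name__ == "__main__":
    for pw in (b"ab\xe4", b"\xff\xff\xe4", b"secret"):
        print(pw, "%08x" % bf_expand_key(pw, True)[0], "%08x" % bf_expand_key(pw, False)[0])
    print("collision with bug:", collide(b"ab\xe4", b"\xff\xff\xe4", True))
```

ASCII-only passwords load identically either way, which is why the bug went unnoticed and why the fix could be shipped with a new hash prefix rather than invalidating every existing hash.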

Alerts:
openSUSE openSUSE-SU-2013:1670-1 whois 2013-11-14
openSUSE openSUSE-SU-2013:1676-1 whois 2013-11-14
Oracle ELSA-2012-1046 php 2012-06-30
Mandriva MDVSA-2012:071 php 2012-05-10
openSUSE openSUSE-SU-2012:0480-1 postgresql 2012-04-11
Debian DSA-2399-1 php5 2012-01-31
Oracle ELSA-2012-0677 postgresql 2012-05-22
Mandriva MDVSA-2011:180 php-suhosin 2011-11-28
Mandriva MDVSA-2011:179 glibc 2011-11-25
Mandriva MDVSA-2011:178 glibc 2011-11-25
CentOS CESA-2011:1377 postgresql 2011-11-09
Debian DSA-2340-1 postgresql 2011-11-07
Oracle ELSA-2011-1423 php53/php 2011-11-03
Scientific Linux SL-NotF-20111102 php53/php 2011-11-02
Mandriva MDVSA-2011:165 php 2011-11-03
CentOS CESA-2011:1423 php53 2011-11-03
Red Hat RHSA-2011:1423-01 php53/php 2011-11-02
Mandriva MDVSA-2011:161 postgresql 2011-10-24
Gentoo 201110-22 postgresql-base 2011-10-25
Scientific Linux SL-post-20111017 postgresql 2011-10-17
Scientific Linux SL-post-20111017 postgresql84 2011-10-17
CentOS CESA-2011:1378 postgresql84 2011-10-18
CentOS CESA-2011:1377 postgresql 2011-10-18
Ubuntu USN-1231-1 php5 2011-10-18
Red Hat RHSA-2011:1378-01 postgresql84 2011-10-17
Red Hat RHSA-2011:1377-01 postgresql 2011-10-17
openSUSE openSUSE-SU-2011:1138-1 php5 2011-10-17
openSUSE openSUSE-SU-2011:1137-1 php5 2011-10-17
Ubuntu USN-1229-1 postgresql-8.3, postgresql-8.4 2011-10-13
Gentoo 201110-06 php 2011-10-10
Fedora FEDORA-2011-11537 maniadrive 2011-08-26
Fedora FEDORA-2011-11528 maniadrive 2011-08-26
Fedora FEDORA-2011-11537 php-eaccelerator 2011-08-26
Fedora FEDORA-2011-11528 php-eaccelerator 2011-08-26
Fedora FEDORA-2011-11537 php 2011-08-26
Fedora FEDORA-2011-11528 php 2011-08-26
openSUSE openSUSE-SU-2011:0972-1 libxcrypt 2011-08-30
openSUSE openSUSE-SU-2011:0970-1 man-pages 2011-08-30
openSUSE openSUSE-SU-2011:0921-2 yast2-core 2011-08-26
Slackware SSA:2011-237-01 php 2011-08-25
SUSE SUSE-SA:2011:035 glibc, pam-modules, libxcrypt, pwdutils 2011-08-23
openSUSE openSUSE-SU-2011:0921-1 crypt_blowfish 2011-08-19


ecryptfs-utils: denial of service

Package(s): ecryptfs-utils
CVE #(s): CVE-2011-3145
Created: August 23, 2011    Updated: January 19, 2012
Description: From the Ubuntu advisory:

It was discovered that eCryptfs incorrectly handled permissions when modifying the mtab file. A local attacker could use this flaw to manipulate the mtab file, and possibly unmount arbitrary locations, leading to a denial of service.

Alerts:
openSUSE openSUSE-SU-2012:0106-1 ecryptfs-utils 2012-01-19
Debian DSA-2382-1 ecryptfs-utils 2012-01-07
CentOS CESA-2011:1241 ecryptfs-utils 2011-09-22
Fedora FEDORA-2011-11936 ecryptfs-utils 2011-09-02
Fedora FEDORA-2011-11979 ecryptfs-utils 2011-09-02
Scientific Linux SL-ecry-20110831 ecryptfs-utils 2011-08-31
Red Hat RHSA-2011:1241-01 ecryptfs-utils 2011-08-31
Ubuntu USN-1196-1 ecryptfs-utils 2011-08-23


gimp: heap corruption

Package(s): gimp
CVE #(s): CVE-2011-2896
Created: August 22, 2011    Updated: September 28, 2012
Description: From the Red Hat bugzilla:

GIF image file format readers in various open source projects are based on the GIF decoder implementation written by David Koblas. This implementation contains a bug in the LZW decompressor, causing it to incorrectly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when code word may match the first free entry in the decompression table. The implementation used in this GIF reading code allows code words not only matching, but also exceeding the first free entry.

Alerts:
Gentoo 201209-23 gimp 2012-09-28
Oracle ELSA-2012-1181 gimp 2012-08-20
Oracle ELSA-2012-1180 gimp 2012-08-20
CentOS CESA-2012:1180 gimp 2012-08-20
Scientific Linux SL-gimp-20120820 gimp 2012-08-20
CentOS CESA-2012:1181 gimp 2012-08-20
Red Hat RHSA-2012:1181-01 gimp 2012-08-20
Red Hat RHSA-2012:1180-01 gimp 2012-08-20
Scientific Linux SL-cups-20120321 cups 2012-03-21
Oracle ELSA-2012-0302 cups 2012-03-07
Debian DSA-2426-1 gimp 2012-03-06
Red Hat RHSA-2012:0302-03 cups 2012-02-21
Scientific Linux SL-cups-20111206 cups 2011-12-06
Red Hat RHSA-2011:1635-03 cups 2011-12-06
Debian DSA-2354-1 cups 2011-11-28
Mandriva MDVSA-2011:167 gimp 2011-11-04
openSUSE openSUSE-SU-2011:1152-1 gimp 2011-10-18
Mandriva MDVSA-2011:146 cups 2011-10-11
Ubuntu USN-1214-1 gimp 2011-09-22
Ubuntu USN-1207-1 cups, cupsys 2011-09-14
Fedora FEDORA-2011-11221 cups 2011-08-19
Fedora FEDORA-2011-11318 pl 2011-08-23
Fedora FEDORA-2011-11305 pl 2011-08-23
Fedora FEDORA-2011-11197 cups 2011-08-19
Fedora FEDORA-2011-10782 gimp 2011-08-13
Fedora FEDORA-2011-10788 gimp 2011-08-13


kernel: arbitrary command execution

Package(s): kernel
CVE #(s): CVE-2011-2905
Created: August 18, 2011    Updated: November 28, 2011
Description: From the Red Hat bugzilla:

It was reported that perf would look for configuration files in /etc/perfconfig, ~/.perfconfig, and ./config. If ./config is not a perf configuration file, perf could fail or possibly do unexpected things. If a privileged user was tricked into running perf in a directory containing a malicious ./config file, it could possibly lead to the execution of arbitrary commands.

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1285-1 linux 2011-11-29
Oracle ELSA-2011-1465 kernel 2011-11-28
Oracle ELSA-2011-2033 unbreakable kernel 2011-11-28
Ubuntu USN-1281-1 linux-ti-omap4 2011-11-24
Ubuntu USN-1279-1 linux-lts-backport-natty 2011-11-24
Scientific Linux SL-kern-20111122 kernel 2011-11-22
Red Hat RHSA-2011:1465-01 kernel 2011-11-22
Ubuntu USN-1256-1 linux-lts-backport-natty 2011-11-09
Ubuntu USN-1245-1 linux-mvl-dove 2011-10-25
Ubuntu USN-1244-1 linux-ti-omap4 2011-10-25
Ubuntu USN-1243-1 linux 2011-10-25
Ubuntu USN-1242-1 linux-lts-backport-maverick 2011-10-25
Ubuntu USN-1241-1 linux-fsl-imx51 2011-10-25
Ubuntu USN-1240-1 linux-mvl-dove 2011-10-25
Ubuntu USN-1239-1 linux-ec2 2011-10-25
Ubuntu USN-1253-1 linux 2011-11-08
Debian DSA-2303-2 linux-2.6 2011-09-10
Debian DSA-2303-1 linux-2.6 2011-09-08
Fedora FEDORA-2011-11103 kernel 2011-08-18
Fedora FEDORA-2011-11019 kernel 2011-08-17


kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2011-2695
Created: August 23, 2011    Updated: September 13, 2011
Description: From the CVE entry:

Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Oracle ELSA-2012-0150 kernel 2012-03-07
Ubuntu USN-1256-1 linux-lts-backport-natty 2011-11-09
openSUSE openSUSE-SU-2011:1222-1 kernel 2011-11-08
Ubuntu USN-1246-1 linux 2011-10-25
Ubuntu USN-1245-1 linux-mvl-dove 2011-10-25
Ubuntu USN-1244-1 linux-ti-omap4 2011-10-25
Ubuntu USN-1243-1 linux 2011-10-25
Ubuntu USN-1242-1 linux-lts-backport-maverick 2011-10-25
Ubuntu USN-1241-1 linux-fsl-imx51 2011-10-25
Ubuntu USN-1240-1 linux-mvl-dove 2011-10-25
Ubuntu USN-1239-1 linux-ec2 2011-10-25
Scientific Linux SL-kern-20111020 kernel 2011-10-20
CentOS CESA-2011:1386 kernel 2011-10-21
Red Hat RHSA-2011:1386-01 kernel 2011-10-20
Ubuntu USN-1228-1 linux-ti-omap4 2011-10-12
Ubuntu USN-1253-1 linux 2011-11-08
Red Hat RHSA-2011:1253-01 kernel-rt 2011-09-12
Scientific Linux SL-kern-20110823 kernel 2011-08-23
Red Hat RHSA-2011:1189-01 kernel 2011-08-23
Fedora FEDORA-2011-11103 kernel 2011-08-18


kiwi: multiple vulnerabilities

Package(s): kiwi
CVE #(s): CVE-2011-2225 CVE-2011-2226 CVE-2011-2644 CVE-2011-2645 CVE-2011-2646 CVE-2011-2647 CVE-2011-2648 CVE-2011-2649 CVE-2011-2650 CVE-2011-2651 CVE-2011-2652
Created: August 18, 2011    Updated: December 15, 2011
Description: From the SUSE advisory:

SUSE Studio was prone to several cross-site-scripting (XSS) and shell quoting issues.

  • CVE-2011-2652 - XSS vulnerability in overlay files: bad escaping archive file list
  • CVE-2011-2651 - Remote code execution via crafted filename in file browser
  • CVE-2011-2650 - XSS vulnerability when displaying RPM info (pattern name)
  • CVE-2011-2649 - Unwanted shell expansion when executing commands in FileUtils fix
  • CVE-2011-2648 - Arbitrary code execution via filters in modified files
  • CVE-2011-2647 - studio: Remote code execution via crafted archive name in testdrive's modified files
  • CVE-2011-2646 - studio: Remote code execution via crafted filename in testdrive's modified files
  • CVE-2011-2645 - Remote code execution via crafted custom RPM filename
  • CVE-2011-2644 - XSS vulnerability in displaying RPM info
  • CVE-2011-2226 - XSS vulnerability when displaying pattern listing
  • CVE-2011-2225 - Overlay directory paths are not properly escaped before inclusion into config.sh
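
Most of the list above is one mistake in two forms: a user-chosen file or directory name reaches a shell, either interpolated into a command line (the "crafted filename" and "unwanted shell expansion" items) or written into a generated script such as config.sh (CVE-2011-2225). The following is an added example in Python, not SUSE Studio or kiwi code; the `tar` command, the config.sh variable and the crafted names are constructed. It shows the vulnerable interpolation, the quoted form, the argv form that avoids the shell entirely, and a quoted shell assignment for a generated script.

```python
"""Shell quoting of user-supplied file names.  Added example in Python, not
SUSE Studio or kiwi code; the command and the config.sh variable are
illustrative.  The safe path either quotes with shlex.quote() or, better,
avoids the shell entirely by passing argv to subprocess."""
import re
import shlex

_SHELL_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def list_archive_command_unsafe(archive_name: str) -> str:
    """VULNERABLE: the name is interpolated into a command line for `sh -c`."""
    return "tar -tf %s" % archive_name


def list_archive_command_safe(archive_name: str) -> str:
    """Single-quote the name so the shell treats it as one literal word."""
    return "tar -tf %s" % shlex.quote(archive_name)


def list_archive_argv(archive_name: str) -> list:
    """Preferred: no shell at all (subprocess.run(argv)).  Names beginning
    with '-' are prefixed with './' so tar cannot read them as options."""
    if archive_name.startswith("-"):
        archive_name = "./" + archive_name
    return ["tar", "-tf", archive_name]


def config_sh_assignment(name: str, value: str) -> str:
    """Emit NAME='value' for a generated shell script, with the value quoted
    so embedded quotes, semicolons or $(...) cannot break out of the string."""
    if not _SHELL_NAME.match(name):
        raise ValueError("invalid shell variable name: %r" % name)
    return "%s=%s" % (name, shlex.quote(value))


def shell_words(cmdline: str) -> list:
    """How a POSIX shell would tokenise the line (quotes honoured, then removed).
    More words than the command was built with means the name broke out."""
    return shlex.split(cmdline)


# Constructed crafted names of the kind a file browser or overlay upload
# might receive.
CRAFTED_ARCHIVE = "backup.tar; id > /tmp/pwned; echo .tar"
CRAFTED_DIR = "/overlay/x'; rm -rf / #"
```

`shlex.split()` is used here only as an oracle for how the line would be tokenised; the real defence is `list_archive_argv()`, where there is no command line for the name to escape from.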
Alerts:
SUSE SUSE-SU-2011:1324-1 SUSE Studio Onsite 1.2 and kiwi 2011-12-15
SUSE SUSE-SU-2011:0917-1 kiwi 2011-08-18


nip2: privilege escalation

Package(s): nip2
CVE #(s): CVE-2010-3364
Created: August 23, 2011    Updated: January 27, 2014
Description: From the CVE entry:

The vips-7.22 script in VIPS 7.22.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.

Alerts:
Gentoo 201401-29 vips 2014-01-26
Fedora FEDORA-2011-10781 vips 2011-08-13
Fedora FEDORA-2011-10808 vips 2011-08-13
Fedora FEDORA-2011-10781 nip2 2011-08-13
Fedora FEDORA-2011-10808 nip2 2011-08-13


system-config-printer: arbitrary code execution

Package(s): system-config-printer
CVE #(s): CVE-2011-2899
Created: August 23, 2011    Updated: September 23, 2011
Description: From the Red Hat advisory:

It was found that system-config-printer did not properly sanitize NetBIOS and workgroup names when searching for network printers. A remote attacker could use this flaw to execute arbitrary code with the privileges of the user running system-config-printer.

Alerts:
openSUSE openSUSE-SU-2011:1331-2 system-config-printer 2012-01-16
openSUSE openSUSE-SU-2011:1331-1 system-config-printer 2011-12-16
CentOS CESA-2011:1196 system-config-printer 2011-09-22
CentOS CESA-2011:1196 system-config-printer 2011-08-29
Scientific Linux SL-syst-20110823 system-config-printer 2011-08-23
Red Hat RHSA-2011:1196-01 system-config-printer 2011-08-23


zabbix: cross-site scripting

Package(s): zabbix
CVE #(s): CVE-2011-2904
Created: August 18, 2011    Updated: August 24, 2011
Description: From the Red Hat bugzilla:

A vulnerability was reported in Zabbix where input passed to the "backurl" parameter in acknow.php is improperly sanitized before being returned to the user. This could be used to facilitate a cross-site scripting attack. This flaw is fixed in Zabbix 1.8.6.
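
A "return to this URL" parameter needs two separate controls: a check that the value is a same-site path (so `javascript:` URLs and off-site redirects are refused) and attribute escaping when it is written into the page (so a value that passes the first check still cannot close the attribute). The following is an added example in Python, not Zabbix's PHP; the page names, the default page and the payloads are constructed.

```python
"""Reflected-XSS hardening for a "return to" parameter.  Added example in
Python, not Zabbix's PHP; the page and parameter names are illustrative.
Two layers: an allow-list that keeps backurl a same-site relative path, and
HTML attribute escaping when it is written into the page."""
import html
from urllib.parse import urlsplit

DEFAULT_BACK = "/zabbix/dashboard.php"


def render_back_link_unsafe(backurl: str) -> str:
    """VULNERABLE: the parameter goes into the page verbatim."""
    return '<a href="%s">Back</a>' % backurl


def safe_back_url(backurl: str, default: str = DEFAULT_BACK) -> str:
    """Accept only an absolute-path reference on this site: no scheme (so no
    javascript:), no host (so no off-site redirect, including //host), no
    control characters.  Anything else falls back to a known page."""
    if not backurl or backurl.startswith("//") or not backurl.startswith("/"):
        return default
    parts = urlsplit(backurl)
    if parts.scheme or parts.netloc:
        return default
    if any(ord(c) < 0x20 or c == "\x7f" for c in backurl):
        return default
    return backurl


def render_back_link_safe(backurl: str) -> str:
    """Validated value, then attribute-escaped (quote=True turns " into &quot;)."""
    return '<a href="%s">Back</a>' % html.escape(safe_back_url(backurl), quote=True)


# Constructed inputs: the legitimate case, a tag-breaking payload, an
# attribute-breaking payload that survives the allow-list, and a javascript: URL.
LEGIT = "/zabbix/tr_status.php?groupid=1"
BREAK_TAG = '"><script>alert(document.cookie)</script>'
BREAK_ATTR = '/zabbix/tr_status.php?x="onmouseover="alert(1)'
JS_URL = "javascript:alert(1)"
```

Escaping alone would have stopped the script injection but not a `javascript:` href, and the allow-list alone would have let `BREAK_ATTR` through; the two checks cover different failure modes and both are cheap.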

Alerts:
Gentoo 201311-15 zabbix 2013-11-25
Fedora FEDORA-2011-10601 zabbix 2011-08-10
Fedora FEDORA-2011-10618 zabbix 2011-08-10


Page editor: Jake Edge


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds