The fact that there's a "naked sudo" hole is brutal. Forgive me if I misunderstand the problem, but how could *anyone* ship a distribution with a passwordless sudo? That seems like it requires deliberate malice to even set up.

On Thu, Feb 6, 2014 at 2:18 PM, KheOps <[email protected]> wrote:

> Dear all,
>
> The uVirtus live distribution was publicized back in September as a
> secure live OS specifically designed for Syrians. It stems from the idea
> of having a one-click easy to use VPN client that uses OpenVPN over
> Obfsproxy.
>
> After testing it and discovering a few issues, I spent some more time in
> order to dig a bit more into its security.
>
> I noticed numerous worrying security issues, and overall it does not
> appear to me as really responsible to recommend it instead of, say,
> Tails. Issues include for instance holes that may help an attacker
> compromise the user's machine by gaining root access and weak protection
> against data leaking in cleartext out of the VPN.
>
> I published a report that lists all the issues I could find and tried to
> assess their seriousness. I hope it is detailed and precise enough.
>
> It is available here in English:
>
> https://press.telecomix.ceops.eu/en/posts/Review_of_security_issues_in_uVirtus_2.0/
>
> And in Arabic (sorry for the long link):
>
> https://press.telecomix.ceops.eu/ar/posts/%D9%85%D8%B1%D8%A7%D8%AC%D8%B9%D8%A9_%D9%84%D9%82%D8%B6%D8%A7%D9%8A%D8%A7_%D9%86%D8%B8%D8%A7%D9%85_uvirtus_2.0_%D8%A7%D9%84%D8%A3%D9%85%D9%86%D9%8A%D8%A9/
>
> We should thank Ameer, a Telecomix friend who spent a lot of time on
> translating it, but also giving me hints and correcting some English
> mistakes.
>
> We hope this helps to better assess uVirtus security and maybe feed the
> thinking for possible future versions.
>
> Sorry for the TLS certificate warning you will probably get in your
> browser, it is signed with the CA you'll find there:
>
> https://github.com/TelecomixSyria/TheSouq/tree/master/resources/ssl-ca/2012-2014
>
> and its SHA1 fingerprint is
> C2:00:C7:9B:2C:9F:88:31:8B:A9:9E:B4:37:27:4E:93:75:8A:A7:6B.
>
> With datalove!
> KheOps
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> [email protected].

--
Sahar Massachi
c: (585) 313-6649
t: twitter.com/sayhar
w: saharmassachi.com
