Re: Preventing screen capturing in Xenocara?

2018-03-06 Thread Theodoros 
Excuse me; quick read bites back. My mind went directly to the human factor.

That process limitation would be nice to have +1

​​

‐‐‐ Original Message ‐‐‐

On March 7, 2018 5:34 AM, Jyri Hovila \[iki\]  wrote:

> ​​
> 
> Dear everyone,
> 
> the possibility to grab the contents of the screen is one of the many design 
> level security / privacy issues all major operating systems suffer from. The 
> APIs of Windows, Android, iOS etc. allow capturing the screen without 
> informing the user about it in any way.
> 
> It seems (quite obvious) to me that OpenBSD / Xenocara do not currently have 
> mechanisms to limit which processes / applications can access the contents of 
> the screen. I can already feel the storm brewing but I must ask: have there 
> been any plans regarding such a feature?
> 
> Yours,
> 
> Jyri
> 
> 
> --
> 
> jyri.hov...@iki.fi
> 
> +358-404-177133 (24/7)

Re: Preventing screen capturing in Xenocara?

2018-03-06 Thread Theodoros 
Is there any point on doing so, when most environments are hoarded by mobile 
phones?

Nice to have, but too little of an "audience" imho.


​​

‐‐‐ Original Message ‐‐‐

On March 7, 2018 5:34 AM, Jyri Hovila \[iki\]  wrote:

> ​​
> 
> Dear everyone,
> 
> the possibility to grab the contents of the screen is one of the many design 
> level security / privacy issues all major operating systems suffer from. The 
> APIs of Windows, Android, iOS etc. allow capturing the screen without 
> informing the user about it in any way.
> 
> It seems (quite obvious) to me that OpenBSD / Xenocara do not currently have 
> mechanisms to limit which processes / applications can access the contents of 
> the screen. I can already feel the storm brewing but I must ask: have there 
> been any plans regarding such a feature?
> 
> Yours,
> 
> Jyri
> 
> 
> --
> 
> jyri.hov...@iki.fi
> 
> +358-404-177133 (24/7)

Re: How are people dealing with the Intel AMT BIOS vulnerability/backdoor?

2017-05-15 Thread Theodoros 
- Disable and try to exploit (best way to know really)
- If necessary file a bug report with the vendor
- Block perspective ports on your network.

On 14 May 2017 at 21:33,   wrote:
> Hi,
>
> Just checked my router today and found out that the AMT vuln is on there and 
> active/provisioning, probably like most of your systems too..
>
> I have had to disconnect it from the Internet of course. Looks like trying to 
> disable AMT/MEBx within the BIOS doesn't do jack on my M58P, as it's still 
> being reported by a detection tool that it active and provisioning. Intel 
> have released instructions to patch for the Windows OS, but I don't have that 
> OS on any hard drives so isn't helpful for me. Intel have screwed us all over 
> - I'm totally fed up with this crap.

Canada and Software Backdoors

2016-12-05 Thread Theodoros 
Hello misc,

I would like your comments on how could the below affect OpenBSD; if at all.

link:
http://www.tomshardware.com/news/canada-software-encryption-backdoors-feedback,33131.html


Best greetings,

Theodore

Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS

2016-07-20 Thread Theodoros 
+1, zfs and hammer are great filesystems for such a use.

Looking forward to RAID10 support on softraid (!).



On 20 July 2016 at 15:08, Kamil Cholewiński  wrote:
> On Wed, 20 Jul 2016, Miles Keaton  wrote:
>> So I figure if I use OpenBSD + softraid RAID 5 (across 4 disks) and then
>> write my own little shell script to track the MD5 (find . -type f -exec
md5
>> {} \;) whenever I make changes, that should be enough to see if a file has
>> been changed due to disk corruption.
>
> This will detect corruption, but won't fix it. ZFS fixes corrupted files
> on the fly, when possible, and updates on-disk parity to sustain another
> hit on the same file.
>
> Also I would rather recommend you use RAID10, with drives from two
> different batches.

Re: Booting encrypted drive from another device

2016-06-22 Thread Theodoros 
It doesn't have to be always thrown away.

After some thinking, it could make a good entrapment technique.

1) create an unencrypted /boot volume and save a healthy offline
(usb?) backup you can use for comparison
2) hashcheck (from a usb-boot environment) and then boot normally the
system if check is OK
3) repeat 2 until check is NOT OK, make copy of failed /boot volume and examine.
4) win.




On 22 June 2016 at 19:52, Ted Unangst <t...@tedunangst.com> wrote:
> Theodoros wrote:
>> Fair point!
>> It would make it more complicated for an adversary, but not impossible.
>
> If an adversary gains possession of your hard drive and gives it back to you,
> throw it away.

Re: Booting encrypted drive from another device

2016-06-21 Thread Theodoros 
Fair point!
It would make it more complicated for an adversary, but not impossible.



On 21 June 2016 at 10:36, ludovic coues <cou...@gmail.com> wrote:
> 2016-06-21 9:27 GMT+02:00 Theodoros <theodoro...@gmail.com>:
>> Well TPM is a closed hardware-bound system that does this before boot
>> (as far as I know). I was asking more for an open (software) system
>> for doing so post-boot.
>>
>
> sha512 /boot
>
> If you do it post-boot, your screwed. If attacker can alter your
> bootloader, altering you program checking the bootloader is easy.
>
>
>
>
> --
>
> Cordialement, Coues Ludovic
> +336 148 743 42

Re: Booting encrypted drive from another device

2016-06-21 Thread Theodoros 
Well TPM is a closed hardware-bound system that does this before boot
(as far as I know). I was asking more for an open (software) system
for doing so post-boot.

On 21 June 2016 at 10:23, Peter Hessler <phess...@theapt.org> wrote:
> fwiw, this is literately the point of TPM.
>
>
> On 2016 Jun 21 (Tue) at 10:19:21 +0300 (+0300), Theodoros wrote:
> :Could someone trust a bootloader by e.g. having an aide-like system on
> :boot, confirming its' authenticity as part of the boot process?
> :
> :Please share your thoughts.
> :
> :
> :
> :On 20 June 2016 at 14:36, Ivan Markin <t...@riseup.net> wrote:
> :> Bodie:
> :>> What is that security reason worth of not using default full disk
> :>> encryption?
> :>
> :> Have a look at e.g. Evil Maid Attack [1]. One may want to bear a trusted
> :> bootloader with themselves and leave raw full-encrypted drive in some
> :> 'hostile' environment.
> :>
> :> [1] https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html
> :>
> :> --
> :> Ivan Markin
> :
>
> --
> The only really decent thing to do behind a person's back is pat it.

Re: Booting encrypted drive from another device

2016-06-21 Thread Theodoros 
Could someone trust a bootloader by e.g. having an aide-like system on
boot, confirming its' authenticity as part of the boot process?

Please share your thoughts.



On 20 June 2016 at 14:36, Ivan Markin  wrote:
> Bodie:
>> What is that security reason worth of not using default full disk
>> encryption?
>
> Have a look at e.g. Evil Maid Attack [1]. One may want to bear a trusted
> bootloader with themselves and leave raw full-encrypted drive in some
> 'hostile' environment.
>
> [1] https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html
>
> --
> Ivan Markin

Re: /usr/ and wxallowed

2016-06-09 Thread Theodoros 
Anybody who had used automatic disk allocation, it would have taken
care of this:

http://man.openbsd.org/disklabel#AUTOMATIC_DISK_ALLOCATION

/usr/local 10% of disk.   2G – 10G


On 9 June 2016 at 15:53, Kapetanakis Giannis 
wrote:
> On 08/06/16 22:02, Mihai Popescu wrote:
>>>
>>> Sorry, no, I should have been clearer.
>>
>> Man, so much confusion in this thread. All are mixed in usage:
>> partition, mount point, filesystem, mount options, etc. Aren't they
>> different anymore? I was reading about wx_ stuff since I will install
>> a new snapshots, but this thread is too damn unclear.
>>
>> Sorry.
>>
>
> I think it's quite clear. If you want run programs that violate W^X
> protection, for instance some programs from ports might have problems with
> W^X,
> then you have to mount the filesystem under which the program exists with
> wxallowed.
>
> Since ports are installed in /usr/local you have options like:
>
> a) if you have a separate /usr/local then you mount /usr/local with
> wxallowed option
> b) if you have only /usr then you have to mount /usr with wxallowed option
> c) or create a new /usr/local filesystem, move old  /usr/local (from /usr
> filesystem) there and mount that with wxallowed
>
> If you install a new system, then recommended to create a separate
> /usr/local from start...
>
> G

Re: browser trouble with latest snapshot

2016-05-29 Thread Theodoros 
W^X is now mandatory.

Please follow the following:

"W^X violating programs can be permitted on a ffs/nfs filesystem-basis,
using the "wxallowed" mount option.  One day far in the future
upstream software developers will understand that W^X violations are a
tremendously risky practice and that style of programming will be
banished outright.  Until then, we recommend most users need to use the
wxallowed option on their /usr/local filesystem. [...]"



On 29 May 2016 at 14:31, lvdd  wrote:
> Hi,
>
> I am having trouble with chromium, firefox and otter-browser since the
> upgrade to the latest amd64 snapshot (28th).
>
> Chromium shows me an "Aw Snap" right from the start and for everything
> (even the settings page) so it is currently completely unusable. This
> also happens with a new user and fresh profile. The console shows the
> following messages:
>
> chromium-50.0.2661.102 (installed)
>
> $chrome
> [66535:432215264:0529/130552:ERROR:process_posix.cc(195)] Not
> implemented reached in bool (anonymous
> namespace)::WaitForExitWithTimeoutImpl(base::ProcessHandle, int *,
> base::TimeDelta)
> [66535:1613461560:0529/130552:ERROR:linux_util.cc(122)] Not implemented
> reached in std::string base::GetLinuxDistro()
> Received signal 11 SEGV_MAPERR 0010
> [end of stack trace]
> [66535:-65538504:0529/130552:ERROR:process_posix.cc(195)] Not
> implemented reached in bool (anonymous
> namespace)::WaitForExitWithTimeoutImpl(base::ProcessHandle, int *,
> base::TimeDelta)
> [66535:-65538504:0529/130601:ERROR:network_interfaces_posix.cc(63)] Not
> implemented reached in bool net::GetNetworkList(NetworkInterfaceList *,
> int)
>
> Firefox starts up and is usable but crashes hard and leaves a
> core-file when saving files to the filesystem. When I go to a random
> website (e.g. openbsd.org) and use "Save Image As" on the bannerI get
> the folder picker and as soon as I press "save" the browser crashes. The
> image is saved to the filesystem though. This is what the console shows:
>
> firefox-46.0.1 (installed)
>
> $firefox
> firefox:/usr/lib/libsqlite3.so.32.0:
/usr/local/lib/firefox-46.0.1/libmozsqlite3.so.64.0 :
> WARNING: symbol(sqlite3_version) size mismatch, relink your program
>
> (firefox:52435): libnotify-WARNING **: Failed to connect to proxy
> Segmentation fault (core dumped)
>
> Sometimes I get a "Bus Error" instead of the segmentation fault.
>
> To test things further I also tried the otter-browser and this won't
> even start. It segfaults right away leaving a core file as well.
>
> I also get a ton of "chrome(86896): mmap W^X violation" and
> "otter-browser(50154): mmap W^X violation" messages in
> dmesg.
>
> The only browser working for me in the moment is firefox-esr
> (firefox-esr-45.1.1 (installed)).
>
> As I said I have tried also with a newly created user so the
> profiles are empty and no extension having a chance to mess things up.
> I wonder if I am the only one having these issues. I will continue
> following future snapshots and updated packages as soon as they are
> available, as I hope this has been solved in newer packages.
>
> Maybe somebody has a solution already? If you need more info for
> debugging just ping me and ask.
>
> Thanks a lot
> Lars
>
> Here is my dmesg for completeness:
>
> OpenBSD 6.0-beta (GENERIC.MP) #2131: Fri May 27 21:04:15 MDT 2016
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8440098816 (8049MB)
> avail mem = 8179703808 (7800MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec2f0 (67 entries)
> bios0: vendor American Megatrends Inc. version "0806" date 12/14/2015
> bios0: ASUS All Series
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT LPIT SSDT SSDT MCFG HPET SSDT SSDT
> BGRT
> acpi0: wakeup devices UAR1(S4) PS2K(S4) PXSX(S4) RP01(S4) PXSX(S4)
> RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4)
> RP06(S4) PXSX(S4) RP07(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.89 MHz
> cpu0:
>
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,A
ES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AV
X2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.46 MHz
> cpu1:
>