Re: Preventing screen capturing in Xenocara?
Excuse me; quick read bites back. My mind went directly to the human factor. That process limitation would be nice to have +1 ‐‐‐ Original Message ‐‐‐ On March 7, 2018 5:34 AM, Jyri Hovila \[iki\]wrote: > > > Dear everyone, > > the possibility to grab the contents of the screen is one of the many design > level security / privacy issues all major operating systems suffer from. The > APIs of Windows, Android, iOS etc. allow capturing the screen without > informing the user about it in any way. > > It seems (quite obvious) to me that OpenBSD / Xenocara do not currently have > mechanisms to limit which processes / applications can access the contents of > the screen. I can already feel the storm brewing but I must ask: have there > been any plans regarding such a feature? > > Yours, > > Jyri > > > -- > > jyri.hov...@iki.fi > > +358-404-177133 (24/7)
Re: Preventing screen capturing in Xenocara?
Is there any point on doing so, when most environments are hoarded by mobile phones? Nice to have, but too little of an "audience" imho. ‐‐‐ Original Message ‐‐‐ On March 7, 2018 5:34 AM, Jyri Hovila \[iki\]wrote: > > > Dear everyone, > > the possibility to grab the contents of the screen is one of the many design > level security / privacy issues all major operating systems suffer from. The > APIs of Windows, Android, iOS etc. allow capturing the screen without > informing the user about it in any way. > > It seems (quite obvious) to me that OpenBSD / Xenocara do not currently have > mechanisms to limit which processes / applications can access the contents of > the screen. I can already feel the storm brewing but I must ask: have there > been any plans regarding such a feature? > > Yours, > > Jyri > > > -- > > jyri.hov...@iki.fi > > +358-404-177133 (24/7)
Re: How are people dealing with the Intel AMT BIOS vulnerability/backdoor?
- Disable and try to exploit (best way to know really) - If necessary file a bug report with the vendor - Block perspective ports on your network. On 14 May 2017 at 21:33,wrote: > Hi, > > Just checked my router today and found out that the AMT vuln is on there and > active/provisioning, probably like most of your systems too.. > > I have had to disconnect it from the Internet of course. Looks like trying to > disable AMT/MEBx within the BIOS doesn't do jack on my M58P, as it's still > being reported by a detection tool that it active and provisioning. Intel > have released instructions to patch for the Windows OS, but I don't have that > OS on any hard drives so isn't helpful for me. Intel have screwed us all over > - I'm totally fed up with this crap.
Canada and Software Backdoors
Hello misc, I would like your comments on how could the below affect OpenBSD; if at all. link: http://www.tomshardware.com/news/canada-software-encryption-backdoors-feedback,33131.html Best greetings, Theodore
Re: choosing OpenBSD for fileserver instead of FreeBSD + ZFS
+1, zfs and hammer are great filesystems for such a use. Looking forward to RAID10 support on softraid (!). On 20 July 2016 at 15:08, Kamil Cholewińskiwrote: > On Wed, 20 Jul 2016, Miles Keaton wrote: >> So I figure if I use OpenBSD + softraid RAID 5 (across 4 disks) and then >> write my own little shell script to track the MD5 (find . -type f -exec md5 >> {} \;) whenever I make changes, that should be enough to see if a file has >> been changed due to disk corruption. > > This will detect corruption, but won't fix it. ZFS fixes corrupted files > on the fly, when possible, and updates on-disk parity to sustain another > hit on the same file. > > Also I would rather recommend you use RAID10, with drives from two > different batches.
Re: Booting encrypted drive from another device
It doesn't have to be always thrown away. After some thinking, it could make a good entrapment technique. 1) create an unencrypted /boot volume and save a healthy offline (usb?) backup you can use for comparison 2) hashcheck (from a usb-boot environment) and then boot normally the system if check is OK 3) repeat 2 until check is NOT OK, make copy of failed /boot volume and examine. 4) win. On 22 June 2016 at 19:52, Ted Unangst <t...@tedunangst.com> wrote: > Theodoros wrote: >> Fair point! >> It would make it more complicated for an adversary, but not impossible. > > If an adversary gains possession of your hard drive and gives it back to you, > throw it away.
Re: Booting encrypted drive from another device
Fair point! It would make it more complicated for an adversary, but not impossible. On 21 June 2016 at 10:36, ludovic coues <cou...@gmail.com> wrote: > 2016-06-21 9:27 GMT+02:00 Theodoros <theodoro...@gmail.com>: >> Well TPM is a closed hardware-bound system that does this before boot >> (as far as I know). I was asking more for an open (software) system >> for doing so post-boot. >> > > sha512 /boot > > If you do it post-boot, your screwed. If attacker can alter your > bootloader, altering you program checking the bootloader is easy. > > > > > -- > > Cordialement, Coues Ludovic > +336 148 743 42
Re: Booting encrypted drive from another device
Well TPM is a closed hardware-bound system that does this before boot (as far as I know). I was asking more for an open (software) system for doing so post-boot. On 21 June 2016 at 10:23, Peter Hessler <phess...@theapt.org> wrote: > fwiw, this is literately the point of TPM. > > > On 2016 Jun 21 (Tue) at 10:19:21 +0300 (+0300), Theodoros wrote: > :Could someone trust a bootloader by e.g. having an aide-like system on > :boot, confirming its' authenticity as part of the boot process? > : > :Please share your thoughts. > : > : > : > :On 20 June 2016 at 14:36, Ivan Markin <t...@riseup.net> wrote: > :> Bodie: > :>> What is that security reason worth of not using default full disk > :>> encryption? > :> > :> Have a look at e.g. Evil Maid Attack [1]. One may want to bear a trusted > :> bootloader with themselves and leave raw full-encrypted drive in some > :> 'hostile' environment. > :> > :> [1] https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html > :> > :> -- > :> Ivan Markin > : > > -- > The only really decent thing to do behind a person's back is pat it.
Re: Booting encrypted drive from another device
Could someone trust a bootloader by e.g. having an aide-like system on boot, confirming its' authenticity as part of the boot process? Please share your thoughts. On 20 June 2016 at 14:36, Ivan Markinwrote: > Bodie: >> What is that security reason worth of not using default full disk >> encryption? > > Have a look at e.g. Evil Maid Attack [1]. One may want to bear a trusted > bootloader with themselves and leave raw full-encrypted drive in some > 'hostile' environment. > > [1] https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html > > -- > Ivan Markin
Re: /usr/ and wxallowed
Anybody who had used automatic disk allocation, it would have taken care of this: http://man.openbsd.org/disklabel#AUTOMATIC_DISK_ALLOCATION /usr/local 10% of disk. 2G – 10G On 9 June 2016 at 15:53, Kapetanakis Gianniswrote: > On 08/06/16 22:02, Mihai Popescu wrote: >>> >>> Sorry, no, I should have been clearer. >> >> Man, so much confusion in this thread. All are mixed in usage: >> partition, mount point, filesystem, mount options, etc. Aren't they >> different anymore? I was reading about wx_ stuff since I will install >> a new snapshots, but this thread is too damn unclear. >> >> Sorry. >> > > I think it's quite clear. If you want run programs that violate W^X > protection, for instance some programs from ports might have problems with > W^X, > then you have to mount the filesystem under which the program exists with > wxallowed. > > Since ports are installed in /usr/local you have options like: > > a) if you have a separate /usr/local then you mount /usr/local with > wxallowed option > b) if you have only /usr then you have to mount /usr with wxallowed option > c) or create a new /usr/local filesystem, move old /usr/local (from /usr > filesystem) there and mount that with wxallowed > > If you install a new system, then recommended to create a separate > /usr/local from start... > > G
Re: browser trouble with latest snapshot
W^X is now mandatory. Please follow the following: "W^X violating programs can be permitted on a ffs/nfs filesystem-basis, using the "wxallowed" mount option. One day far in the future upstream software developers will understand that W^X violations are a tremendously risky practice and that style of programming will be banished outright. Until then, we recommend most users need to use the wxallowed option on their /usr/local filesystem. [...]" On 29 May 2016 at 14:31, lvddwrote: > Hi, > > I am having trouble with chromium, firefox and otter-browser since the > upgrade to the latest amd64 snapshot (28th). > > Chromium shows me an "Aw Snap" right from the start and for everything > (even the settings page) so it is currently completely unusable. This > also happens with a new user and fresh profile. The console shows the > following messages: > > chromium-50.0.2661.102 (installed) > > $chrome > [66535:432215264:0529/130552:ERROR:process_posix.cc(195)] Not > implemented reached in bool (anonymous > namespace)::WaitForExitWithTimeoutImpl(base::ProcessHandle, int *, > base::TimeDelta) > [66535:1613461560:0529/130552:ERROR:linux_util.cc(122)] Not implemented > reached in std::string base::GetLinuxDistro() > Received signal 11 SEGV_MAPERR 0010 > [end of stack trace] > [66535:-65538504:0529/130552:ERROR:process_posix.cc(195)] Not > implemented reached in bool (anonymous > namespace)::WaitForExitWithTimeoutImpl(base::ProcessHandle, int *, > base::TimeDelta) > [66535:-65538504:0529/130601:ERROR:network_interfaces_posix.cc(63)] Not > implemented reached in bool net::GetNetworkList(NetworkInterfaceList *, > int) > > Firefox starts up and is usable but crashes hard and leaves a > core-file when saving files to the filesystem. When I go to a random > website (e.g. openbsd.org) and use "Save Image As" on the bannerI get > the folder picker and as soon as I press "save" the browser crashes. The > image is saved to the filesystem though. This is what the console shows: > > firefox-46.0.1 (installed) > > $firefox > firefox:/usr/lib/libsqlite3.so.32.0: /usr/local/lib/firefox-46.0.1/libmozsqlite3.so.64.0 : > WARNING: symbol(sqlite3_version) size mismatch, relink your program > > (firefox:52435): libnotify-WARNING **: Failed to connect to proxy > Segmentation fault (core dumped) > > Sometimes I get a "Bus Error" instead of the segmentation fault. > > To test things further I also tried the otter-browser and this won't > even start. It segfaults right away leaving a core file as well. > > I also get a ton of "chrome(86896): mmap W^X violation" and > "otter-browser(50154): mmap W^X violation" messages in > dmesg. > > The only browser working for me in the moment is firefox-esr > (firefox-esr-45.1.1 (installed)). > > As I said I have tried also with a newly created user so the > profiles are empty and no extension having a chance to mess things up. > I wonder if I am the only one having these issues. I will continue > following future snapshots and updated packages as soon as they are > available, as I hope this has been solved in newer packages. > > Maybe somebody has a solution already? If you need more info for > debugging just ping me and ask. > > Thanks a lot > Lars > > Here is my dmesg for completeness: > > OpenBSD 6.0-beta (GENERIC.MP) #2131: Fri May 27 21:04:15 MDT 2016 > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP > real mem = 8440098816 (8049MB) > avail mem = 8179703808 (7800MB) > mpath0 at root > scsibus0 at mpath0: 256 targets > mainbus0 at root > bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec2f0 (67 entries) > bios0: vendor American Megatrends Inc. version "0806" date 12/14/2015 > bios0: ASUS All Series > acpi0 at bios0: rev 2 > acpi0: sleep states S0 S3 S4 S5 > acpi0: tables DSDT FACP APIC FPDT LPIT SSDT SSDT MCFG HPET SSDT SSDT > BGRT > acpi0: wakeup devices UAR1(S4) PS2K(S4) PXSX(S4) RP01(S4) PXSX(S4) > RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) > RP06(S4) PXSX(S4) RP07(S4) [...] > acpitimer0 at acpi0: 3579545 Hz, 24 bits > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > cpu0 at mainbus0: apid 0 (boot processor) > cpu0: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.89 MHz > cpu0: > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX ,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,A ES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AV X2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT > cpu0: 256KB 64b/line 8-way L2 cache > cpu0: smt 0, core 0, package 0 > mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges > cpu0: apic clock running at 99MHz > cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE > cpu1 at mainbus0: apid 2 (application processor) > cpu1: Intel(R) Core(TM) i3-4360 CPU @ 3.70GHz, 3691.46 MHz > cpu1: >