I agree 100% with Jacob that we need to work on these security issues.
While some people might find it paranoid, we should try to minimize our
attack surface.

AFAIK http://sqlcipher.net/ is cross-platform the only thing we will
need to do is package it for Ubuntu. It offers protections on platforms
that are hard to otherwise protect. During the generation of a NEW DB we
just need to add "PRAGMA key = 'passphrase';" And then we need to copy
data from the old into the new DB.

Right now anyone can do anything with our DB and the user may not even
know the DB is being created.

1) Copy the DB as it is into another physical drive
2) Any process can hook into zeitgeist and push out info

Those have to be fixed...
It won't cost us anything and people will not complain if we do it. The chances 
of people praising us for respecting their privacy is much bigger. AFAIK MeeGo 
people had a BIG issue with us being unencrypted. At UDS people told me they 
deinstalled Zeitgeist because of their fear of their data being exploited.
Now we cant fix both within the next 2 - 3 weeks to a much better state. But we 
have to start with it now.

I would like to start with the database encryption. I think we can land this as 
a new feature. And to be honest for that I don't care about backwards 
compatibility. What are the chances that:
1) People move away from Zeitgeist because it is in a way spyware
2) then people moving away after we encrypt the database because for them it 
will be backwards incompatible.

I am not going to get into details of the keyring stuff now. But again
its a vector that risks exploitation. We will need to tackle this
properly. But the sqlite cypher stuff can be done in a matter of a
couple of days including packaging (using Siegfried power) :P

You received this bug notification because you are a member of Zeitgeist
Framework Team, which is subscribed to Zeitgeist Framework.

  Encryption of database

Status in Zeitgeist Framework:

Bug description:
  I think that Zeitgeist should encrypt databases in
  ~/.local/share/zeitgeist/* for anti-forensics reasons.

  While someone may happen to use an encrypted disk, Zeitgeist may serve
  as the ultimate accidental spyware to an unsuspecting user. One
  possible mitigation is to randomly generate a reasonable key, tie it
  into the login keychain and then use that key with something like
  http://sqlcipher.net/ rather than straight sqlite.

  In theory, a user will never know that this encryption/decryption is
  happening - no underlying assumptions about the disk need to be made
  to maintain any security guarantees. This should prevent anyone from
  learning the contents of the database without also learning the login
  password. Modern Ubuntu machines disallow non-root ptracing (
  https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace )
  and if the gnome keyring is locked, an attacker would have a much
  harder time grabbing meaningful Zeitgeist data without interacting
  with the user or bruteforcing the login keychain.

Mailing list: https://launchpad.net/~zeitgeist
Post to     : zeitgeist@lists.launchpad.net
Unsubscribe : https://launchpad.net/~zeitgeist
More help   : https://help.launchpad.net/ListHelp

Reply via email to