Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
This thread is now closed, please don't try to continue it. - todd
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
If I'm explaining security or lack of security, or saying things like "this is not enough", it's not as part of a speech that's meant to whine. I'll explain: I could've just asked, in my first message, whether OpenBSD has a mechanism like Ctrl-Alt-Delete on Windows, and whether it has sandboxing for desktop apps, without explaining the rationale of having such security features. Then, someone could've come and told me that these security features aren't necessary, or that I'm focusing on a minor security aspect. I wanted an informed discussion, so I was explaining the rationale behind these to make readers understand why I was asking about them. Furthermore, in my recent message about the faking of a doas/sudo prompt and User Account Control (UAC) on Windows, there was a part where I said that the sandboxing that OpenBSD provides for certain apps "[that alone] is not enough"; I said that in the context of explaining the security that UAC provides on Windows compared to what there seems to be with the default installation of OpenBSD. Notice the rest of the message and how that comment of mine was in parentheses. It may sound like I'm completely knowledgeable about OpenBSD, but I'm not. I understand certain generally-applying concepts, but I don't know if, for example, there's a sysctl(2) or something that can optionally toggle into that. (As an example, until recently, I didn't know there was an optional sysctl(2) that can enable extra hardening for malloc.) I hope this clears up why I'm writing things the way I do.
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Sunday, March 31, 2024, Jose Maldonado wrote:
> El Sun, 31 Mar 2024 01:10:15 + Dan wrote:
> > On Wednesday, March 27, 2024, Dan wrote:
> > Hi @list!
>
> Lots of discussion and useless talk when the solution is in your hands @Dan:
>
> 1.- Are you worried about the fact that apps on X11 may suffer

Emphasis on "may".

> input-spoofing? Great, start writing all the code necessary to prevent
> that from happening and help us improve the security of OpenBSD and any
> other OS that uses X11.

There's already rootless X on OpenBSD, it may prevent that? The thing is, I don't know. So I asked. And there are already efforts to replace X11 with Wayland, and already efforts to port Wayland to OpenBSD.

> Coming here and saying that we are not attentive to security and that

Where did I say that? False accusation.

> is why we "HAVE" to do something, is utter

Where did I say anybody has to do anything? False accusation.

> idiocy. Start doing
> something yourself, if you want to collaborate beyond a stupid speech.

"Speech"? These are important questions.

> 2.- Do you want a mechanism that prevents logins being stolen? Same

Why should I want something to be added when it might already exist and I'm missing it? Again, I asked.

> story, start writing kid, crying at the list doesn't help.

Where did I "cry" or whine about OpenBSD? False accusation. Quite the contrary, I praised OpenBSD at various times, and I wouldn't have come here in the first place if I hadn't had appreciation for OpenBSD.

> 3.- Do you want more applications to have pledge/unveil to improve

Which "more" applications? I do not know whether this:
https://openports.pl/search?file=unveil
https://openports.pl/search?descr=unveil
is the exhaustive list of all third-party apps that are sandboxed with pledge/unveil. I asked whether people knew of other programs or whether it's possible to list other programs beyond that. It seems that you expect me to assume that these links list all sandboxed programs exhaustively, but I do not assume, I ask.

> security? Same story...start writing the code necessary for it and stop
> crying.

Where did I "cry" or whine about OpenBSD? False accusation.

> Nobody is here to serve your designs or needs.

Which ones? I didn't know I had any.

> Want something? Write it
> down, it contributes to the project more than

What if it's already written down?

> tantrums and tears.

Which ones?

> My last and unique message in this thread: Don't feed the fucking
> troll!

In case you're referring to me feeding trolls rather than being the troll: Peter N. M. Hansteen said he blocked me after merely my second message in this thread. Because of his reputation, I lost sense of whether I'm perceived as a troll here.
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Sun, 31 Mar 2024 01:10:15 + Dan wrote:
> On Wednesday, March 27, 2024, Dan wrote:
> Hi @list!

Lots of discussion and useless talk when the solution is in your hands @Dan:

1.- Are you worried about the fact that apps on X11 may suffer input-spoofing? Great, start writing all the code necessary to prevent that from happening and help us improve the security of OpenBSD and any other OS that uses X11. Coming here and saying that we are not attentive to security and that is why we "HAVE" to do something, is utter idiocy. Start doing something yourself, if you want to collaborate beyond a stupid speech.

2.- Do you want a mechanism that prevents logins being stolen? Same story, start writing kid, crying at the list doesn't help.

3.- Do you want more applications to have pledge/unveil to improve security? Same story...start writing the code necessary for it and stop crying.

Nobody is here to serve your designs or needs. Want something? Write it down, it contributes to the project more than tantrums and tears.

My last and unique message in this thread: Don't feed the fucking troll!

This thread to /dev/null

--
* God in his heaven, all is well on Earth
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Wednesday, March 27, 2024, Dan wrote:
> Hello, I have 3 security-related questions:
> (1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure
> Attention Key, or SAK) to prevent malware (or a website in fullscreen, for
> example) from faking a logout process and/or faking a login prompt? On
> Windows the kernel ensures that the operating system captures this key
> combination and takes over with a real login prompt that malware can't fake
> without first defeating the OS security.

(Let me clarify for the rest of this message: malware is any program that acts maliciously; it doesn't *necessarily* bypass exploit mitigations or security features of the OS (e.g. it could work around them, or abuse the lack of them).)

Something recent that I found that's relevant:
https://www.bleepingcomputer.com/news/security/decade-old-linux-wall-bug-helps-make-fake-sudo-prompts-steal-passwords/
(From March 28, 2024. Note that this isn't a vulnerability in how the OS separates users or enforces security, this is a vulnerability that could be used to make a convincing "phishing" attack.)

This isn't exactly the issue that SAK prevents, because the SAK is meant to be used at login time (not when already logged in as one user and trying to doas/sudo one program/command into another user), but I'll repeat the two links I sent before:
https://security.stackexchange.com/a/34975
https://learn.microsoft.com/windows/win32/winstation/desktops
The second link being the more relevant one. Notice how Microsoft describes that User Account Control takes over the screen with a secure desktop mode. UAC is the equivalent of doas/sudo. There's an additional problem though: malware and websites in fullscreen could mimic the sound and visual dimming effect that UAC does on Windows.

While UAC doesn't ask the user to press a privileged key combination like Ctrl-Alt-Delete (so the user has no guarantee that the UAC prompt is authentic, even with the said perceptual effects), it does something else: it asks for authorization (and details what is authorized exactly) without relying on knowledge of the passphrase as proof for authorization. Malware on OpenBSD that knows the root passphrase, or the passphrase of a doas-capable/sudoer user, can escalate its privileges; malware on Windows (including web content that escapes the browser's sandbox) that knows the passphrase of a user in the Administrators group cannot escalate its privileges without first compromising the integrity of Windows, because asking Windows to escalate privileges would ensure that the user authorizes the escalation regardless of the passphrase (let's assume that UAC is set to its highest (fourth) level, rather than the default (third) level that excepts some system programs from causing a UAC prompt when escalating).

(Web content that escapes the browser's sandbox of Chromium, Firefox, and Tor Browser on OpenBSD would need to compromise the integrity of OpenBSD, because it sandboxes them further using pledge(2) and unveil(2) (or find a weakness in how these two are set up). So that's already a very good thing, but that alone is not enough.)

It's important to emphasize that it doesn't matter whether UAC asks or doesn't ask for a passphrase to authorize, rather the important thing here is that it takes over the computer temporarily in a way that cannot be interfered with by normal programs and asks for explicit authorization; it could as well ask for a passphrase too as a second factor.

Malware that fakes a UAC prompt and gets "authorized" by the user would achieve nothing, as it hasn't really asked Windows to escalate, whereas malware on OpenBSD that convincingly fakes a doas prompt and gets "authorized" by the user can then impersonate the "authorizing" user going forward.
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Saturday, March 30, 2024, hahahahacker2009 wrote:
> On Sat, 30 Mar 2024 at 11:19 Dan wrote:
> > > > I've looked at the source code and issue tracker of upstream Firefox
> > > > in the past and it has upstream support for pledge(2) and unveil(2).
> > >
> > > Great, you figured it out: if you want to know if a given piece of
> > > software uses pledge, grep its source code for pledge.
> >
> > Sounds very tiresome and cumbersome to check. You failed to point at any
> > rule according to which I'm not permitted to ask a general question about
> > such software without resorting to tiresome and cumbersome manual methods
> > like what you're suggesting here, and you consistently ignore this by
> > bringing the same manual grep/find suggestion again and again with no
> > sensible reason given what I explained now.
>
> Even "friendly" linux communities would tell you to check yourself.

There's no problem in being told to do that, just as there's no problem in asking if people know about such programs without me having to tiresomely check everything. Perhaps there's a website somewhere that lists all pledged/unveiled apps and I'd be duplicating the effort needlessly?

> You are wasting people's time.

Subjective.

> And before spamming in the list can you make your message
> fit 72 characters per line and disable HTML?

First, I'm not spamming. Second, no, I can't. The Gmail web interface for mobile (which I'm using) doesn't let me disable HTML, and I don't see how I could limit line length except by manually counting characters and breaking lines, and I'm obviously not gonna do that. Sorry. I may switch to a different email client/interface in the future; this Gmail interface seems to not be paid much attention to by Google.

> > > You really need to shut the fuck up now.
> > >
> > > Please note that I am replying to you directly, off-list.
> > > Hint: there is a reason for that.
> >
> > I am deliberately shaming you on a public mailing list because you're a
> > troll. I may also block you in my Gmail settings if I find the setting
> > in mobile. I'm giving you a middle finger.
> >
> > ~ | ~ | ~ | ~ | ~ | ~
> >
> > (Note for everyone: This message is intended to shame a troll; if you're
> > here to follow the technical discussion only, feel free to skip reading
> > this message.)
>
> Dan, I see you are a troll too.

False. I asked legitimate questions and I answer honestly and precisely.

> You are sending HTML emails and it doesn't fit 72 char per line.

Ditto.

> It is annoying. Your message includes a bunch of not needed trash.

I answer everything that's brought up as comprehensively as needed, so I don't see what's "not needed".

> You ask the whole list things that you can research yourself, they are

Ditto.

> not highly advanced topics. These topics are repeatedly asked by people
> who will never read man pages or faq. That

That doesn't appear in the man pages or FAQ, and in my very first message I've already mentioned how Chromium, Firefox, and Tor Browser are sandboxed, so I obviously did look up things before asking here. So you're wrong here in two aspects.

> attitude should only exist
> on reddit/lemmy and other linux communities which try to be "friendly".

Please elaborate, what attitude are you referring to precisely? That's a vague statement. Also, please explain the reasoning (or point to a rule) whereby the attitude should not exist here.

> So please:
>
> Do your homework before you post.

Ditto.

> I saw Jan Stary's messages
> (https://marc.info/?a=10863507214&r=1&w=2)
> are mostly answering people's questions.
> But your messages are asking people to do research for you.

False. I didn't tell anyone to do anything for me. I asked questions.

> If you can't do research yourself, why expect people to do it for you?

Both premises are false. Ditto.

> They might think that you don't have any knowledge and thus ignore you
> (for example, they think you might not understand what they are writing).

I'm not sure what logic follows from asking questions about specific things (specific as they are in the question) to drawing a conclusion that the asker lacks knowledge about things not specified/asked about in the questions. Regarding the things that are specified/asked about in the question, it's obvious that the asker doesn't know about them, because I wasn't presenting a riddle, and this is true universally for everyone. I don't understand how I'm special here compared to any other people that ask questions here.

> Or simply, if you cannot respect yourself, why expect others to respect
> you?

Excuse me?

> In Viet Nam, you are simply called "animals" (súc vật, very offensive) and
> then ignored.

Excuse me? What the fuck did you call me??
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Saturday, March 30, 2024, hahahahacker2009 wrote:
> On Fri, 29 Mar 2024 at 07:40 Dan wrote:
> > This only lists third-party packages that have an OpenBSD
> > ports-originated addition of pledge/unveil configuration files; packages
> > that use pledge/unveil without configuration files, or whose pledge/unveil
> > configuration files originate from the upstream distribution, are not
> > listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
> > are sandboxed, which is excellent because Web browsing is one of the most
> > popular desktop activities and browsers are meant to use networking and
> > execute untrusted JavaScript/WebAssembly code, and parse untrusted data
> > like media, CSS, etc. Unlike servers, where if they're hacked some
> > business might be ruined, personal computers are used to do banking and
> > shopping online, chat with distant friends/family
> > members/doctors/lawyers/coworkers/etc., and hold our personal thoughts and
> > memories, so I believe that they shouldn't get compromised just because
> > the user entered the wrong website on a bad day, or opened the wrong
> > video, or the wrong file, etc. OpenBSD already has the excellent system
> > calls pledge(2) and unveil(2), and already uses them extensively in the
> > base system and for the aforementioned browsers, but what about other
> > programs?
>
> You can help on applying pledge and unveil to your other programs
> now, instead of spamming on mailing list like this. Are you the
> Nowarez Market guy again?

What spam exactly? I have no idea who the "Nowarez Market guy" is.
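Both ways of answering "is this program pledged?" that come up in this thread look at code or ports metadata: Jan's grep-the-source suggestion and Dan's openports.pl searches. The other half of the picture is a runtime check: trace one run of the installed binary and see whether pledge(2) or unveil(2) were actually called. The script below is an added example, not code from anyone in the thread or from the OpenBSD project; it assumes OpenBSD's ktrace(1) and kdump(1) and the `CALL  pledge(` / `CALL  unveil(` lines kdump prints for syscall entries.

```sh
#!/bin/sh
# Added example (not from the thread): does an installed program actually
# call pledge(2)/unveil(2) at run time? Complements grepping the source.
# Assumes OpenBSD ktrace(1)/kdump(1); only summarize_sandbox_calls is pure.

# Read kdump(1) output on stdin, count pledge/unveil syscall entries and
# print "pledge=<n> unveil=<n>". Exit 0 if at least one was seen, else 1.
# kdump prints syscall entries as e.g.
#   12345 ffmpeg   CALL  pledge(0x7f7ffffe0000,0)
summarize_sandbox_calls() {
    pledges=0
    unveils=0
    while IFS= read -r line; do
        case $line in
            *" CALL"*" pledge("*) pledges=$((pledges + 1)) ;;
            *" CALL"*" unveil("*) unveils=$((unveils + 1)) ;;
        esac
    done
    printf 'pledge=%d unveil=%d\n' "$pledges" "$unveils"
    if [ "$pledges" -gt 0 ] || [ "$unveils" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Trace one run of a program (and, with -i, its children) and summarize.
# Usage: check_sandbox /usr/local/bin/ffmpeg -version
# Caveat: a program may pledge only on some code paths, so a run that shows
# no pledge/unveil is evidence, not proof, that it never sandboxes itself.
check_sandbox() {
    trace=${TMPDIR:-/tmp}/sandbox-check.$$
    ktrace -i -f "$trace" "$@" >/dev/null 2>&1
    kdump -f "$trace" | summarize_sandbox_calls
    status=$?
    rm -f "$trace"
    return "$status"
}

# Stand-alone use: sh check-sandbox.sh program [args...]
if [ $# -gt 0 ]; then
    check_sandbox "$@"
fi
```

Run it against a browser and you will see the pledge/unveil calls of the helper processes too, because -i follows children; run it against something like a media player with a file argument to exercise the code path you actually care about.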
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
Mar 30, 2024 18:23:38 James Huddle:
> I live in post-2016 USA and have essentially given up hope of any sort of
> computer security.

Personal thought, and from the USA, where the core of the private data business resides. Due to different reasons and the environment I work in, I end up attacked very often under OpenBSD, in X. Having the name of the vulnerability makes not such a difference to me; thanks for the insight anyway. However, I think, to not say it wrong, recalling that most people are here for the simplicity applied to security and portability subjects in OpenBSD, minimizing the security subject at this point seems to have a purpose, a wrong one.

-Dan
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
When X11 came to my attention, in the 1980's, it was called X11. "What," I wondered back then, "could that mean?" Back then, we would get to know new software long before version 11, so it seemed an odd name. Back then. It's been X11 for millennia.

I discovered Exfiltrator (or Exfiltration, 'ex'+10) about a year ago. LOL. I actually did not know about the vulnerability. Thanks, Matthew. And yes, I was voicing the untested theory of precisely what you articulated, Luke.

I live in post-2016 USA and have essentially given up hope of any sort of computer security. The mantra I developed, as my coworkers insisted on using (for instance) the React JS package that had "Exfil" as a dependency, was: "When in Rome."

On Fri, Mar 29, 2024 at 4:44 PM wrote:
> Luke A. Call writes:
> > On 2024-03-29 09:01:07-0400, James Huddle wrote:
> > > Exfiltrator. There's an 11-letter word that starts with "ex". X11.
> >
> > After a quick web search, I'm not sure I follow. Is that a reference to
> > a program that exfiltrates data after a computer is compromised? Can you
> > elaborate a little? I realize this is an ignorant question.
>
> In short, there is a well known shortcoming or feature depending
> on who you ask inherent in the X protocol's design where any
> application which uses the X server (i.e. can access the tcp port
> or unix socket and has the correct xauth key, which is to say all
> of them) can request (and get) the ability to read all of the X
> events, which includes every key press and mouse movement in every
> application.
>
> Exfiltrator is 11 letters and we are at X protocol version 11.
>
> There are common mitigations against this problem, such as not
> giving strangers the ability to run unknown programs on your console.
>
> Matthew
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
Replying now to cho...@jtan.com:
> […] any
> application which uses the X server (ie. can access the tcp port
> or unix socket and has the correct xauth key […]

The default PF configuration blocks access to the ports, but only on non-loopback interfaces.
https://github.com/openbsd/src/blob/master/etc/pf.conf

Again, I'm not an X11 expert, but it looks like the X auth file exists because anyone can connect to these ports on localhost, so the file would mediate it further. PF can match packets based on UIDs, but if I understand pf.conf(5) correctly, it matches based on the user owning the listening socket (which would be the dedicated X11 account) rather than the user that tries to connect to the X server.

The xauth(1) and Xsecurity(7) man pages seem relevant, I'll have a deeper look at them later.
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
(Note for everyone: This message is intended to shame a troll; if you're here to follow the technical discussion only, feel free to skip reading this message.)

~ | ~ | ~ | ~ | ~ | ~

On Friday, March 29, 2024, Jan Stary wrote:
> > > > (The person
> > > > you're replying to should be in the To field, and the mailing list in the
> > > > Cc field.)
> > >
> > > I replied to the list.
> > > If you are not subscribed to the list,
> > > you don't get the list replies.
> >
> > I did not know that.
>
> Please don't send anything else to this mailing list.

Shut up. That's warranted given that this is essentially what you're telling me here (also more explicitly in the last part of your message, as quoted at the bottom here).

> > > Repeat after me: I can display what looks like a login screen;
> > > I don't have to have anything to do with ctrl-alt-del to display that.
> >
> > I do not need to repeat mantras. I did not deny that programs can do that,
> > quite the opposite: I explicitly acknowledged that programs can do that,
> > and asked what mechanism OpenBSD provides to ensure, at the user's request,
> > that the operating system temporarily takes over with a real login prompt
> > that cannot be interfered with or snooped on.
>
> OpenBSD provides no "mechanism" to make it impossible for a user
> to display something that looks like a login screen; just like
> no other OS provides such a mechanism.

Once again, that's the opposite of what I said, and completely missing what I said.

> > I've looked at the
> > source code and issue tracker of upstream Firefox in the past and it has
> > upstream support for pledge(2) and unveil(2).
>
> Great, you figured it out: if you want to know if a given piece of
> software uses pledge, grep its source code for pledge.

Sounds very tiresome and cumbersome to check. You failed to point at any rule according to which I'm not permitted to ask a general question about such software without resorting to tiresome and cumbersome manual methods like what you're suggesting here, and you consistently ignore this by bringing the same manual grep/find suggestion again and again with no sensible reason given what I explained now.

> > Your "if there is one [program I care about]", "duh", and other things
> > you've said so far to me and I haven't pointed out in this paragraph show
> > that you're very disrespectful towards me.
>
> Nothing gets past you.

False. I strive to exercise critical thinking, analytical thinking, and logic as much as possible. Nonsense, however, doesn't "get past me", as I rightfully evaluate it as nonsense and therefore dismiss it. Ditto regarding true but irrelevant things.

> > I saw that I got replied to using marc.info,
>
> No you didn't.

Maybe you'll understand it better if I rephrase, because you're definitely lying here, with no basis: I saw, using marc.info, that I got replied to.

> > and proceeded to log into my
> > email to reply, but then I didn't see that reply in my inbox. So I looked
> > at an old thread I had a few years ago on this mailing list that I knew
> > worked well, and looked at the To and Cc fields in the exchange of
> > messages, and I assumed this is how it's always meant to be.
>
> You assumed wrong.

Correct; I assumed you made an honest mistake. I had no better way to know what's true, however, so it's not really my fault, because I acted in a good way within the limits of my then-current knowledge and the range of possible reactions I could have in the situation.

> > this isn't my first time using a mailing list,
> > but I'm pretty sure it's my second time, and I'm fairly new
> > to how mailing lists work. I deserve none of your disrespectful attitude
> > and your wrong assumption of ill intentions from me; furthermore, you
> > completely ignored the substance of the discussion in this thread, and did
> > not contribute anything useful to the discussion. Your entire reply was
> > meant to purposely be rude to me and attack me ad hominem. Take an example
> > from Luke (luke...@onemodel.org), they actually contributed something
> > meaningful to the discussion and didn't act like an asshole to me. I
> > recognize your name, I know you publish lots of material about OpenBSD, for
> > example the links in your signature, and you're also part of the editorial
> > team of undeadly.org, which I frequently visit. It's a shame you're such an
> > asshole, though. Disgusting.
>
> Right, everybody knows PNH is a disgusting asshole contributing nothing.

Peter N. M. Hansteen's disgusting behavior has absolutely nothing to do with any contribution he may or may not have contributed whatsoever. Furthermore, I said quite the opposite: I mentioned how he's part of the OpenBSD news website that I love to visit and that I've seen his name in many places (for example, I found his networking tutorials in the past, and saved the links for myself because it's good learning material and interesting). I explicit
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
Luke A. Call writes:
> On 2024-03-29 09:01:07-0400, James Huddle wrote:
> > Exfiltrator. There's an 11-letter word that starts with "ex". X11.
>
> After a quick web search, I'm not sure I follow. Is that a reference to
> a program that exfiltrates data after a computer is compromised? Can you
> elaborate a little? I realize this is an ignorant question.

In short, there is a well known shortcoming or feature depending on who you ask inherent in the X protocol's design where any application which uses the X server (i.e. can access the tcp port or unix socket and has the correct xauth key, which is to say all of them) can request (and get) the ability to read all of the X events, which includes every key press and mouse movement in every application.

Exfiltrator is 11 letters and we are at X protocol version 11.

There are common mitigations against this problem, such as not giving strangers the ability to run unknown programs on your console.

Matthew
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On 2024-03-29 09:01:07-0400, James Huddle wrote:
> Exfiltrator. There's an 11-letter word that starts with "ex". X11.

After a quick web search, I'm not sure I follow. Is that a reference to a program that exfiltrates data after a computer is compromised? Can you elaborate a little? I realize this is an ignorant question.

> On Thu, Mar 28, 2024 at 7:39 PM Luke A. Call wrote:
> > On 2024-03-28 17:28:56+0100, Jan Stary wrote:
> > > > (2) I've learned that X11 allows locally running malware to sniff the
> > > > keystrokes input to any other X11-using app running under any user.
> > >
> > > I don't believe that's true.
> > > Where have you "learned" that, and how does that work?
> > > "Dear X11, what is $user typing into his firefox textarea"?
> >
> > I'm no X expert, but I think what you are saying is technically correct
> > across users, but I believe it is possible for one application to
> > sniff the keystrokes input to another app running under the *same* user, at
> > least, and under different users in the same X session depending on how
> > they connect. Specifically:
> >
> > 1) Under `man xterm' in the "SECURITY" section it says some related
> > things that sound like that is what they are saying. I can't elaborate
> > on what it says there but that made me want to be cautious.
> >
> > 2) running
> >    xinput list
> > ...shows some devices, where on my system the /dev/wskbd has "id=6".
> > Then taking that number 6 and doing
> >    xinput test 6
> > ...and typing in a separate xterm window shows the keystrokes from the
> > second window, in the first. I believe the same would be true for any
> > X application running as the *same* user.
> >
> > 3) I did some experimenting in the past with "ssh -X user@..." and
> > "ssh -Y user@...", and only when using -Y were keystrokes visible across
> > users. Similar things can be done with less cpu overhead using xauth
> > and magic cookies etc (I played with that, with help from people on this
> > list, scripted it for myself using what they and man pages helped me
> > learn, and haven't thought about it much since then, except to use the
> > scripts--but it is very handy for me to have things running as different
> > users within the same X session, because of these boundaries around
> > keyboard sniffing and also filesystem etc restrictions across users).
> >
> > 4) I am under the impression that the clipboard sharing between X users is
> > not restricted as the above things are. Ie, one can spy on another
> > freely.
> >
> > Luke Call
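Matthew's description (any client holding a valid cookie can ask the server for every X event) and Luke's note that xauth and magic cookies give him boundaries between users in one session fit together through the X SECURITY extension: a cookie generated as untrusted makes the server treat that client under the Xsecurity(7) policy, which is what ssh -X does and ssh -Y does not. The script below is an added example, not code from anyone in the thread or from OpenBSD/Xenocara. It assumes doas(1) permits the caller to run commands as root and as the target user, an X server with the SECURITY extension, and the default /tmp/.X11-unix socket directory; it also checks that the display socket is reachable before asking the server for a cookie.

```sh
#!/bin/sh
# Added example (not from the thread): run a program as another local user
# with an *untrusted* X cookie, the xauth/magic-cookie setup Luke alludes to.
# Untrusted clients fall under the X server's SECURITY policy (Xsecurity(7)),
# the same thing ssh -X does and ssh -Y does not.
# Assumptions: doas(1) permits the caller to run commands as root and as the
# target user; the X server has the SECURITY extension; display sockets live
# in /tmp/.X11-unix (the default).

# Map a DISPLAY value to its local socket: ":0" -> /tmp/.X11-unix/X0,
# "unix:1.0" -> /tmp/.X11-unix/X1.
display_socket() {
    d=${1#*:}        # drop the host part ("" or "unix")
    d=${d%%.*}       # drop the screen number
    printf '/tmp/.X11-unix/X%s\n' "$d"
}

# Ask the running server for an untrusted cookie for $DISPLAY and store it
# in a fresh authority file owned by the target user. Prints the file name.
# xauth connects with the caller's own (trusted) $XAUTHORITY; the new cookie
# goes only into the -f file. The timeout counts down only while no client
# is using the cookie, so 600 s is ample for the program to connect.
make_untrusted_xauth() {
    user=$1
    file=$(mktemp /tmp/xauth-"$user".XXXXXXXXXX) || return 1
    xauth -f "$file" generate "$DISPLAY" MIT-MAGIC-COOKIE-1 untrusted timeout 600 \
        || { rm -f "$file"; return 1; }
    doas chown "$user" "$file" || { rm -f "$file"; return 1; }
    printf '%s\n' "$file"
}

# Run a command as the target user against the untrusted cookie.
# Usage: run_untrusted browseruser firefox
run_untrusted() {
    user=$1; shift
    sock=$(display_socket "$DISPLAY")
    if [ ! -S "$sock" ]; then
        echo "no local X socket at $sock (DISPLAY=$DISPLAY)" >&2
        return 1
    fi
    auth=$(make_untrusted_xauth "$user") || return 1
    # doas passes through only a few variables (DISPLAY, TERM, ...);
    # XAUTHORITY is not one of them, hence env(1).
    doas -u "$user" env DISPLAY="$DISPLAY" XAUTHORITY="$auth" "$@"
}

# Stand-alone use: sh run-untrusted.sh user command [args...]
if [ $# -ge 2 ]; then
    run_untrusted "$@"
fi
```

What the untrusted client can and cannot do is whatever the server's SECURITY policy says, so check it the way Luke did: start xterm as the second user through this script, run xinput test on the keyboard device there, and type in a window of your own session. The socket directory permissions still have to let the second user connect at all.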
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
Exfiltrator. There's an 11-letter word that starts with "ex". X11.

On Thu, Mar 28, 2024 at 7:39 PM Luke A. Call wrote:
> On 2024-03-28 17:28:56+0100, Jan Stary wrote:
> > > (2) I've learned that X11 allows locally running malware to sniff the
> > > keystrokes input to any other X11-using app running under any user.
> >
> > I don't believe that's true.
> > Where have you "learned" that, and how does that work?
> > "Dear X11, what is $user typing into his firefox textarea"?
>
> I'm no X expert, but I think what you are saying is technically correct
> across users, but I believe it is possible for one application to
> sniff the keystrokes input to another app running under the *same* user, at
> least, and under different users in the same X session depending on how
> they connect. Specifically:
>
> 1) Under `man xterm' in the "SECURITY" section it says some related
> things that sound like that is what they are saying. I can't elaborate
> on what it says there but that made me want to be cautious.
>
> 2) running
>    xinput list
> ...shows some devices, where on my system the /dev/wskbd has "id=6".
> Then taking that number 6 and doing
>    xinput test 6
> ...and typing in a separate xterm window shows the keystrokes from the
> second window, in the first. I believe the same would be true for any
> X application running as the *same* user.
>
> 3) I did some experimenting in the past with "ssh -X user@..." and
> "ssh -Y user@...", and only when using -Y were keystrokes visible across
> users. Similar things can be done with less cpu overhead using xauth
> and magic cookies etc (I played with that, with help from people on this
> list, scripted it for myself using what they and man pages helped me
> learn, and haven't thought about it much since then, except to use the
> scripts--but it is very handy for me to have things running as different
> users within the same X session, because of these boundaries around
> keyboard sniffing and also filesystem etc restrictions across users).
>
> 4) I am under the impression that the clipboard sharing between X users is
> not restricted as the above things are. Ie, one can spy on another
> freely.
>
> Luke Call
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
Replying now to Luke (luke...@onemodel.org): Thank you, that's interesting! I appreciate that you're contributing a meaningful answer to my questions, and I also appreciate that you're nice to me. :) Also h.kampm...@web.de seems to be nice to me, unless I misinterpreted what they said (I'm not sure, sorry).

~ | ~ | ~ | ~ | ~ | ~

On Thursday, March 28, 2024, Jan Stary wrote:
> On Mar 28 21:16:45, dan.peretz...@gmail.com wrote:
> > You didn't "Reply All", so I didn't get your reply in my inbox.
>
> Apparently, you did.

No, I did not. You're assuming I reply to your message in my inbox; that's a wrong (and fallacious) assumption. I checked marc.info for replies when not logged into my email (as this is more convenient than logging in repeatedly). When I saw your reply in marc.info, I logged into my email to reply to you but couldn't find your message in my inbox, and didn't know why. Fortunately, I am smart, so I created a new message with the same subject line (including the "Re:" part at the start) and CCed the mailing list so marc.info would detect it as if it's in the same thread, and apparently I succeeded. I also copied your sentences from marc.info and pasted them into my reply, along with prepending > signs.

> > (The person you're replying to should be in the To field, and the
> > mailing list in the Cc field.)
>
> I replied to the list.
> If you are not subscribed to the list,
> you don't get the list replies.

I did not know that. I really am not subscribed. I don't want to subscribe to the entire mailing list, I just think it's useful to get replies to my thread only; perhaps there's a way to accomplish that?

> > > Even on windows; this has nothing to do with intercepting ctrl-alt-del.
> > False. Ctrl-Alt-Delete cannot be intercepted on Windows without first
> > compromising the integrity of the operating system. The Windows kernel is
> > hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a
> > separate Secure Desktop mode that takes over the entire screen and no other
> > programs can intercept keystrokes from or send keystrokes to.
> > https://security.stackexchange.com/a/34975
> > https://learn.microsoft.com/windows/win32/winstation/desktops
>
> Repeat after me: I can display what looks like a login screen;
> I don't have to have anything to do with ctrl-alt-del to display that.

I do not need to repeat mantras. I did not deny that programs can do that, quite the opposite: I explicitly acknowledged that programs can do that, and asked what mechanism OpenBSD provides to ensure, at the user's request, that the operating system temporarily takes over with a real login prompt that cannot be interfered with or snooped on. Windows can already do that with Ctrl-Alt-Delete, but I couldn't find anything on the web to suggest that OpenBSD can do that.

> And it has nothing to do with OpenBSD.

Ditto.

> > > I don't believe that's true.
> > > "Dear X11, what is $user typing into his firefox textarea"?
> > I'm not an X11 expert, and I'm not sure if the example provided in the
> > following link is because the program and the desktop it's running under
> > have different UIDs (rather than locking the desktop, logging into a
> > different user with a new desktop session using a SAK like Ctrl-Alt-Delete,
> > and running it there), but I found this old blog post, by whom I believe is
> > the founder of Qubes OS, being cited somewhere:
> > https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
> > It is common knowledge that X11 is insecure by design, not (only) by the
> > ancient code, so even if the blog post isn't relevant anymore, it wouldn't
> > surprise me if such attacks could still be done.
>
> Ah, so that's what you have "learned": a 13y old blogpost.
> Which is supposed to be relevant.

Age isn't directly related to relevancy, especially when talking about much older tech (X11, which is 39 years old according to Wikipedia) that's still used today (2024, which is 0 years ago). Furthermore, I was linked to that article from madaidans-insecurities.github.io (a blog of one of the developers of Whonix).

> Fine, show me how you read another user's keystrokes under X.

Showing a proof of concept is not a necessity to convey or prove a point in an online discussion, and I don't follow orders from you. So I have no obligation whatsoever (including for the sake of argument, which is the most important here) to do that.

> > > > I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> > > > installed from the OpenBSD package manager/ports) are sandboxed with
> > > > pledge(2) and unveil(2).
> > > find /usr/ports/ -name pledge\*
> > Already done:
> > https://openports.pl/search?file=unveil
> > This only lists third-party packages that have an OpenBSD ports-originated
> > addition of pledge/unveil configuration files; packages that use
> > pledge/unveil without configuration files, or whose pledge/unveil
> > configu
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On 2024-03-28 17:28:56+0100, Jan Stary wrote:
> > (2) I've learned that X11 allows locally running malware to sniff the
> > keystrokes input to any other X11-using app running under any user.
>
> I don't believe that's true.
> Where have you "learned" that, and how does that work?
> "Dear X11, what is $user typing into his firefox textarea"?

I'm no X expert, but I think what you are saying is technically correct across users, but I believe it is possible for one application to sniff the keystrokes input to another app running under the *same* user, at least, and under different users in the same X session depending on how they connect. Specifically:

1) Under `man xterm' in the "SECURITY" section it says some related things that sound like that is what they are saying. I can't elaborate on what it says there but that made me want to be cautious.

2) Running

  xinput list

...shows some devices, where on my system the /dev/wskbd has "id=6". Then taking that number 6 and doing

  xinput test 6

...and typing in a separate xterm window shows the keystrokes from the second window, in the first. I believe the same would be true for any X application running as the *same* user.

3) I did some experimenting in the past with "ssh -X user@..." and "ssh -Y user@...", and only when using -Y were keystrokes visible across users. Similar things can be done with less cpu overhead using xauth and magic cookies etc (I played with that, with help from people on this list, scripted it for myself using what they and man pages helped me learn, and haven't thought about it much since then, except to use the scripts--but it is very handy for me to have things running as different users within the same X session, because of these boundaries around keyboard sniffing and also filesystem etc restrictions across users).

4) I am under the impression that the clipboard sharing between X users is not restricted as the above things are. Ie, one can spy on another freely.

Luke Call
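As an added example, not Luke's own scripts and not code from the thread, here is a small POSIX sh helper that launches a program with an untrusted X cookie, the same mechanism behind the ssh -X versus ssh -Y difference he describes. It assumes an X server on $DISPLAY whose SECURITY extension is enabled, xauth(1) and mktemp(1) in PATH, and a 600-second cookie lifetime that is a value chosen here.

```shell
#!/bin/sh
# Added example, not Luke's script and not from the thread: run a program as an
# *untrusted* X11 client, using the same xauth(1) "untrusted" cookie that
# ssh -X (unlike ssh -Y) hands to forwarded clients.  With such a cookie the
# X server's SECURITY extension denies the client access to the windows and
# input events of the trusted clients on the same display, which is the
# boundary Luke observed between -X and -Y.
# Assumptions: an X server on $DISPLAY with the SECURITY extension enabled,
# xauth(1) and mktemp(1) in PATH; COOKIE_TIMEOUT is a value chosen here.
set -eu

# Seconds the server keeps the cookie valid once its last client has gone.
COOKIE_TIMEOUT="${COOKIE_TIMEOUT:-600}"

# Validate a DISPLAY value ("<host>:<display>[.<screen>]", e.g. ":0",
# "localhost:10.0", "myhost/unix:0") before it is handed to xauth.  Prints the
# value on success; returns 1 for anything that does not look like a display,
# so a malformed DISPLAY never reaches a command line.
normalize_display() {
    case "$1" in
        *:[0-9]*) ;;                        # must contain ":<digit>"
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.:/_-]*) return 1 ;;    # reject anything outside this set
    esac
    printf '%s\n' "$1"
}

# Run "$@" with XAUTHORITY pointing at a private file that holds only an
# untrusted cookie, so the program never sees the trusted cookie in
# ~/.Xauthority and cannot simply fall back to it.
run_untrusted() {
    disp=$(normalize_display "${DISPLAY:-}") || {
        echo "run_untrusted: DISPLAY is unset or malformed" >&2
        return 1
    }
    authfile=$(mktemp) || return 1
    # shellcheck disable=SC2064  # expand now: the name is fixed at this point
    trap "rm -f '$authfile'" EXIT INT TERM
    # Mint the cookie.  xauth exits non-zero if the server refuses, e.g.
    # because the SECURITY extension is disabled; do not run the program then.
    if ! xauth -q -f "$authfile" generate "$disp" . untrusted \
            timeout "$COOKIE_TIMEOUT"; then
        echo "run_untrusted: X server did not issue an untrusted cookie" >&2
        return 1
    fi
    XAUTHORITY="$authfile" "$@"
}

# Command-line use, e.g.:  ./run_untrusted.sh xterm
# (nothing runs when the file is sourced without arguments)
if [ $# -gt 0 ]; then
    run_untrusted "$@"
fi
```

xdpyinfo(1) lists SECURITY among the server's extensions when the server supports it, which is the quickest way to check the assumption before relying on this.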
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
On Thu, Mar 28, 2024 at 09:16:45PM +, Dan wrote:
> You didn't "Reply All", so I didn't get your reply in my inbox. (The person
> you're replying to should be in the To field, and the mailing list in the
> Cc field.)

OH PUH-LEEZE. No. You send to a mailing list, people are supposed to reply to the mailing list. A select few may have their mail clients configured so the author of the message will receive a courtesy copy (aka Cc:).

If I seem unresponsive to any followups to this thread, a likely reason will be that I will not see messages with your From: without putting in some extra effort.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
Hello,

when I read posts like @Dan's, I say to myself: Don't feed the troll. Pointless.

Wish you all a nice weekend,
Heinz

Sent: Thursday, 28 March 2024 at 23:02
From: "Jan Stary"
To: misc@openbsd.org
Subject: Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

go away

On Mar 28 21:16:45, dan.peretz...@gmail.com wrote:
> You didn't "Reply All", so I didn't get your reply in my inbox. (The person
> you're replying to should be in the To field, and the mailing list in the
> Cc field.)
>
> > Even on windows; this has nothing to do with intercepting ctrl-alt-del.
>
> False. Ctrl-Alt-Delete cannot be intercepted on Windows without first
> compromising the integrity of the operating system. The Windows kernel is
> hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a
> separate Secure Desktop mode that takes over the entire screen and no other
> programs can intercept keystrokes from or send keystrokes to.
> https://security.stackexchange.com/a/34975
> https://learn.microsoft.com/windows/win32/winstation/desktops
>
> > I don't believe that's true.
> > "Dear X11, what is $user typing into his firefox textarea"?
>
> I'm not an X11 expert, and I'm not sure if the example provided in the
> following link is because the program and the desktop it's running under
> have different UIDs (rather than locking the desktop, logging into a
> different user with a new desktop session using a SAK like Ctrl-Alt-Delete,
> and running it there), but I found this old blog post, by whom I believe is
> the founder of Qubes OS, being cited somewhere:
> https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
> It is common knowledge that X11 is insecure by design, not (only) by the
> ancient code, so even if the blog post isn't relevant anymore, it wouldn't
> surprise me if such attacks could still be done.
>
> > > I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> > > installed from the OpenBSD package manager/ports) are sandboxed with
> > > pledge(2) and unveil(2).
> > find /usr/ports/ -name pledge\*
>
> Already done:
> https://openports.pl/search?file=unveil
>
> This only lists third-party packages that have an OpenBSD ports-originated
> addition of pledge/unveil configuration files; packages that use
> pledge/unveil without configuration files, or whose pledge/unveil
> configuration files originate from the upstream distribution, are not
> listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
> are sandboxed, which is excellent because Web browsing is one of the most
> popular desktop activities and browsers are meant to use networking and
> execute untrusted JavaScript/WebAssembly code, and parse untrusted data
> like media, CSS, etc. Contrary to servers, where if they're hacked then some
> business might be ruined, personal computers are used to do banking and
> shopping online, chat with distant friends/family
> members/doctors/lawyers/coworkers/etc., and hold our personal thoughts and
> memories, so I believe that they shouldn't get compromised just because the
> user entered the wrong website on a bad day, or opened the wrong video, or
> the wrong file, etc. OpenBSD already has the excellent system calls
> pledge(2) and unveil(2), and already uses them extensively in the base
> system and for the aforementioned browsers, but what about other programs?
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
go away

On Mar 28 21:16:45, dan.peretz...@gmail.com wrote:
> You didn't "Reply All", so I didn't get your reply in my inbox. (The person
> you're replying to should be in the To field, and the mailing list in the
> Cc field.)
>
> > Even on windows; this has nothing to do with intercepting ctrl-alt-del.
>
> False. Ctrl-Alt-Delete cannot be intercepted on Windows without first
> compromising the integrity of the operating system. The Windows kernel is
> hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a
> separate Secure Desktop mode that takes over the entire screen and no other
> programs can intercept keystrokes from or send keystrokes to.
> https://security.stackexchange.com/a/34975
> https://learn.microsoft.com/windows/win32/winstation/desktops
>
> > I don't believe that's true.
> > "Dear X11, what is $user typing into his firefox textarea"?
>
> I'm not an X11 expert, and I'm not sure if the example provided in the
> following link is because the program and the desktop it's running under
> have different UIDs (rather than locking the desktop, logging into a
> different user with a new desktop session using a SAK like Ctrl-Alt-Delete,
> and running it there), but I found this old blog post, by whom I believe is
> the founder of Qubes OS, being cited somewhere:
> https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
> It is common knowledge that X11 is insecure by design, not (only) by the
> ancient code, so even if the blog post isn't relevant anymore, it wouldn't
> surprise me if such attacks could still be done.
>
> > > I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> > > installed from the OpenBSD package manager/ports) are sandboxed with
> > > pledge(2) and unveil(2).
> > find /usr/ports/ -name pledge\*
>
> Already done:
> https://openports.pl/search?file=unveil
>
> This only lists third-party packages that have an OpenBSD ports-originated
> addition of pledge/unveil configuration files; packages that use
> pledge/unveil without configuration files, or whose pledge/unveil
> configuration files originate from the upstream distribution, are not
> listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser
> are sandboxed, which is excellent because Web browsing is one of the most
> popular desktop activities and browsers are meant to use networking and
> execute untrusted JavaScript/WebAssembly code, and parse untrusted data
> like media, CSS, etc. Contrary to servers, where if they're hacked then some
> business might be ruined, personal computers are used to do banking and
> shopping online, chat with distant friends/family
> members/doctors/lawyers/coworkers/etc., and hold our personal thoughts and
> memories, so I believe that they shouldn't get compromised just because the
> user entered the wrong website on a bad day, or opened the wrong video, or
> the wrong file, etc. OpenBSD already has the excellent system calls
> pledge(2) and unveil(2), and already uses them extensively in the base
> system and for the aforementioned browsers, but what about other programs?
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
not in the mailing list world I've been using for close to 30 years

if you post to the mailing list I reply to the mailing list

On March 28, 2024 3:16:45 PM MDT, Dan wrote:
> You didn't "Reply All", so I didn't get your reply in my inbox. (The person
> you're replying to should be in the To field, and the mailing list in the
> Cc field.)
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
You didn't "Reply All", so I didn't get your reply in my inbox. (The person you're replying to should be in the To field, and the mailing list in the Cc field.)

> Even on windows; this has nothing to do with intercepting ctrl-alt-del.

False. Ctrl-Alt-Delete cannot be intercepted on Windows without first compromising the integrity of the operating system. The Windows kernel is hardcoded to forward Ctrl-Alt-Delete to Winlogon, and Winlogon runs in a separate Secure Desktop mode that takes over the entire screen and no other programs can intercept keystrokes from or send keystrokes to.
https://security.stackexchange.com/a/34975
https://learn.microsoft.com/windows/win32/winstation/desktops

> I don't believe that's true.
> "Dear X11, what is $user typing into his firefox textarea"?

I'm not an X11 expert, and I'm not sure if the example provided in the following link is because the program and the desktop it's running under have different UIDs (rather than locking the desktop, logging into a different user with a new desktop session using a SAK like Ctrl-Alt-Delete, and running it there), but I found this old blog post, by whom I believe is the founder of Qubes OS, being cited somewhere:
https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
It is common knowledge that X11 is insecure by design, not (only) by the ancient code, so even if the blog post isn't relevant anymore, it wouldn't surprise me if such attacks could still be done.

> > I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> > installed from the OpenBSD package manager/ports) are sandboxed with
> > pledge(2) and unveil(2).
> find /usr/ports/ -name pledge\*

Already done:
https://openports.pl/search?file=unveil

This only lists third-party packages that have an OpenBSD ports-originated addition of pledge/unveil configuration files; packages that use pledge/unveil without configuration files, or whose pledge/unveil configuration files originate from the upstream distribution, are not listed. Chromium, Ungoogled Chromium, Firefox, Firefox ESR, and Tor Browser are sandboxed, which is excellent because Web browsing is one of the most popular desktop activities and browsers are meant to use networking and execute untrusted JavaScript/WebAssembly code, and parse untrusted data like media, CSS, etc. Contrary to servers, where if they're hacked then some business might be ruined, personal computers are used to do banking and shopping online, chat with distant friends/family members/doctors/lawyers/coworkers/etc., and hold our personal thoughts and memories, so I believe that they shouldn't get compromised just because the user entered the wrong website on a bad day, or opened the wrong video, or the wrong file, etc. OpenBSD already has the excellent system calls pledge(2) and unveil(2), and already uses them extensively in the base system and for the aforementioned browsers, but what about other programs?
Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps
> (1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure
> Attention Key, or SAK) to prevent malware (or a website in fullscreen, for
> example) from faking a logout process and/or faking a login prompt? On
> Windows the kernel ensures that the operating system captures this key
> combination and takes over with a real login prompt that malware can't fake
> without first defeating the OS security.

Any X11 program can display a screen that looks like the login screen.
Even on windows; this has nothing to do with intercepting ctrl-alt-del.

> (2) I've learned that X11 allows locally running malware to sniff the
> keystrokes input to any other X11-using app running under any user.

I don't believe that's true.
Where have you "learned" that, and how does that work?
"Dear X11, what is $user typing into his firefox textarea"?

> (3) I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when
> installed from the OpenBSD package manager/ports) are sandboxed with
> pledge(2) and unveil(2). Are there any other major apps, especially that
> commonly accept untrusted input, that are also sandboxed like that on
> OpenBSD? Especially email clients, media players, word processors, apps to
> send/receive/sync files, etc.

find /usr/ports/ -name pledge\*
Security questions: Login spoofing, X11 keylogging, and sandboxed apps
Hello,

I have 3 security-related questions:

(1) Does OpenBSD have a mechanism like Ctrl-Alt-Delete on Windows (Secure Attention Key, or SAK) to prevent malware (or a website in fullscreen, for example) from faking a logout process and/or faking a login prompt? On Windows the kernel ensures that the operating system captures this key combination and takes over with a real login prompt that malware can't fake without first defeating the OS security.

(2) I've learned that X11 allows locally running malware to sniff the keystrokes input to any other X11-using app running under any user. Does Xenocara/rootless X on OpenBSD prevent or limit this?

(3) I saw that Chromium, Firefox, and Tor Browser on OpenBSD (at least when installed from the OpenBSD package manager/ports) are sandboxed with pledge(2) and unveil(2). Are there any other major apps, especially that commonly accept untrusted input, that are also sandboxed like that on OpenBSD? Especially email clients, media players, word processors, apps to send/receive/sync files, etc.

Thank you.