Re: [Freedombox-discuss] Java vulnerabilities
I think this is less of an issue for FreedomBox because it's based on Debian, and Debian packages get security updates. This should update a FreedomBox with any security patches:

    apt-get update
    apt-get upgrade

To me this is one of the beautiful things about Debian (or any distro that has actively maintained package management.) All the pieces are coordinated and in sync...or that's the theory anyway. Of course none of this is magic and, for Debian, lots of kudos are due to all the Debian developers that help make this happen!

On 06/16/2015 01:03 PM, Sandy Harris wrote:
> A rather scary article:
> http://www.itworld.com/article/2936575/security/software-applications-have-on-average-24-vulnerabilities-inherited-from-buggy-components.html
>
> Does the current Fbox implementation use Java? Should we eliminate it as a matter of necessary security policy? If not, how can we deal with these issues?
>
> Are other things we use also high-risk? Javascript? Perl? Python? ...?

___
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
Re: [Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
On Mon, May 20, 2013 at 12:39:16PM +0200, Anders Jackson wrote:
> I like the idea, a lot. Make the Freedombox a router in front of all services, manage the network connections for all services to Internet and the local network.
>
> As Freedombox is targeted at low powered devices, virtual machines might be too heavy though. You might look into containers instead. LXC might be a better solution for this. Faster and lighter to set up, run and tear down. And I know it works on more targets, like in ARM machines.
>
> https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/

Thanks for the link. So I see his approach lets you choose. The sandbox can run with either LXC or KVM. I like that. I'm going to come back to this and dig deeper. His approach seems like it probably has some of the scripting I'm looking for too, or something like it.

At a very high level it seems the tradeoff between KVM and LXC is KVM gives better isolation/protection because it's full virtualization, while LXC performs better. LXC is probably a better approach for hardware such as the DreamPlug, while KVM seems better for more powerful platforms. More powerful platforms should become more common over time, given Moore's Law. Also, KVM runs on some ARM CPUs today.

There was this earlier thread with some links:

Debian Wheezy, and LXC
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2013-May/005310.html
Re: [Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
On Mon, May 20, 2013 at 12:45:47PM +0100, Nick Hardiman wrote:
> Do you have a rundown yet of how to
> * stick exmachina (http://gitorious.org/exmachina) at the back,
> * proxy (http://www.privoxy.org, https://github.com/jvasile/freedombox-privoxy) in front, and
> * various apps into LXC?

No, I wish I did. As a first pass, though, here are some things I think a solution would have. As a disclaimer, I realize that this is a departure from the current approach taken with the DreamPlug and wouldn't work for it. It seems like a natural evolution for the project, though, as hardware becomes more capable.

First, some terms:

* VM - A virtual machine (VM), either a lightweight VM such as LXC or a fully virtualized machine such as KVM.
* Host - The machine that runs the VMs.
* Guest - An instance of a VM.

An approach:

* The web app that provides the user interface (Plinth) runs in its own guest.
* Each additional app or service (e.g. Privoxy) also runs in its own guest.
* The host manages all guests: creating, starting, stopping.
* Communication between host and guests would happen through sockets; e.g. for KVM this might be based on something like this:
  http://www.ldlabs.org/blog/2011/02/25/communication-between-qemukvm-guest-and-host/

What would this mean for exmachina, I wonder? It seems augeas may not be an option. The larger ideas behind exmachina would still apply, though, I think. Instead of augeas, the host would read from the socket. Any parsing it does would be very locked down, to help prevent injection attacks from a compromised guest. The host would have a whitelist of things it accepts, and discard anything else. Processing would be done in an environment such as Python versus C, to prevent memory overwrite problems.

It would be nice if this were done in a way that allows a choice between KVM and LXC. So scripts such as freedombox-vm create would call out to stubs that would do one thing for KVM and something else for LXC. (A given FreedomBox would be based on just KVM or LXC, and not both.) Whether all the stubs get filled out, and for what types of VMs (Tiny Tiny RSS, Tor Relay, etc) would depend on the do-ocracy model that FreedomBox seems to be following. I know I'm interested in this. I just wish I had more time for it.

One other thought is this would ideally be a pluggable architecture. A common interface would define how FreedomBox guests communicate with the FreedomBox host. Different people could be working on different modules. So I might be working on a Tiny Tiny RSS module, while someone else is working on an ownCloud module, someone else on the actual host, etc.
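The host-side parsing sketched in the message above (read requests from a guest over a socket, accept only a whitelist, discard everything else, and do it in Python rather than C) as an added example. This is not code from the post, from FreedomBox or from exmachina; the line-oriented request format, the verbs and the service unit names are assumptions made for illustration.

```python
"""Host-side whitelist parser for requests a guest sends over a socket.

Added example, not FreedomBox or exmachina code. It assumes a hypothetical
line-oriented protocol: one request per line, of the form
"<verb> <arg>=<value> ...", all ASCII. The host accepts only verbs and
argument values that match the whitelist exactly and discards everything
else, so a compromised guest cannot smuggle shell metacharacters, paths or
extra commands into whatever the host later does with the request.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

MAX_LINE = 256  # requests longer than this are dropped without being parsed

# Whitelist: verb -> {argument name: pattern the whole value must match}.
# The verbs and unit names are hypothetical, chosen for illustration.
ALLOWED: dict[str, dict[str, re.Pattern[str]]] = {
    "set-hostname": {"name": re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")},
    "restart-service": {"unit": re.compile(r"privoxy|tt-rss|tor")},
    "ping": {},
}


@dataclass
class Request:
    verb: str
    args: dict[str, str] = field(default_factory=dict)


class Rejected(Exception):
    """Raised for any request that does not match the whitelist exactly."""


def parse_request(raw: bytes) -> Request:
    """Validate one raw line from the guest; return a Request or raise Rejected."""
    if len(raw) > MAX_LINE:
        raise Rejected("oversized request")
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII bytes") from None
    if line.endswith("\n"):
        line = line[:-1]
    # isprintable() is False for control characters such as \r, \t and NUL.
    if not line or not line.isprintable():
        raise Rejected("empty line or control characters")

    verb, *tokens = line.split(" ")
    spec = ALLOWED.get(verb)
    if spec is None:
        raise Rejected(f"verb not on whitelist: {verb!r}")

    args: dict[str, str] = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep or key not in spec or key in args:
            raise Rejected(f"unexpected or duplicate argument: {tok!r}")
        if not spec[key].fullmatch(value):
            raise Rejected(f"value for {key!r} does not match whitelist")
        args[key] = value
    if set(args) != set(spec):
        raise Rejected(f"missing argument(s) for {verb!r}")
    return Request(verb, args)


def process_stream(lines: list[bytes]) -> tuple[list[Request], list[str]]:
    """Parse a batch of lines; return accepted requests and reasons for rejects."""
    accepted, rejected = [], []
    for raw in lines:
        try:
            accepted.append(parse_request(raw))
        except Rejected as exc:
            rejected.append(str(exc))
    return accepted, rejected


# Constructed sample traffic: three well-formed requests and six that a
# locked-down host must discard.
SAMPLE = [
    b"set-hostname name=box1\n",
    b"restart-service unit=privoxy\n",
    b"ping\n",
    b"restart-service unit=privoxy;id\n",      # shell metacharacter in value
    b"set-hostname name=../../etc/passwd\n",   # path-like value
    b"reboot\n",                               # verb not on the whitelist
    b"set-hostname name=box1 name=box2\n",     # duplicate argument
    b"set-hostname\n",                         # required argument missing
    b"A" * 300 + b"\n",                        # oversized line
]

if __name__ == "__main__":
    ok, bad = process_stream(SAMPLE)
    for req in ok:
        print("accept", req.verb, req.args)
    for reason in bad:
        print("reject", reason)
```

The design point is that the host never interprets a value it has not fully matched against a fixed pattern: unknown verbs, unknown or duplicate arguments, missing arguments, control characters and oversized lines are all rejected before any host-side action is chosen, and the accepted Request only ever carries values drawn from the whitelist's alphabet.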
[Freedombox-discuss] Virtual Machine Scripting and Tiny Tiny RSS
I went to a presentation this past weekend about Tiny Tiny RSS. It's an RSS web app that can be installed on a server, to provide something like a Google Reader app. (The title of the presentation was The Coming Google RSS Reader Apocalypse, at BarCampRDU 2013.) The presenter has Tiny Tiny RSS running on a machine at home, and is providing service for himself and some family and friends. He's even written a keyboard-centric web frontend:

https://github.com/cgrinds/dripdripdrop

He runs Tiny Tiny RSS as the backend, and then serves up pages based on the front end he's written.

Tiny Tiny RSS is listed on the FreedomBox LeavingTheCloud page:

http://wiki.debian.org/FreedomBox/LeavingTheCloud

This got me thinking about how I'd like to run Tiny Tiny on the machine I've got at home. Currently it's running ownCloud, WordPress, a Tor Relay, and BitTorrent. They run on separate VMs. I'd like to run Tiny Tiny RSS too, and want to put it in a separate VM. Ideally I'd have a script I could run, that just spins up a new VM running Tiny Tiny. It would be something like:

    freedombox-vm create tiny-tiny-rss [instance-name] [config-script-file]
    freedombox-vm start [instance-name]

The VMs would run using KVM. Here's an interesting post on this, from this past week:

How to get started with libvirt on Debian
http://rabexc.blogspot.com/2013/05/how-to-get-started-with-libvirt-on.html

I want to dig into this as a next project, after some other things I'm working on. I thought I'd put it out there to get any thoughts others might have on this, and find out if anyone else is doing something similar.

Ultimately, it seems this kind of approach would be a good one for FreedomBox in general. The process of spinning up instances would be hidden behind the FreedomBox web UI, but a user would essentially be doing things such as freedombox-vm create and freedombox-vm start. This way, services are better insulated from each other, for better security. The host machine would probably be doing basic network services (dhcpd, dhclient, iptables, etc.) But then there would be a separate VM for user services such as an RSS reader, social networking, chat, etc.

To take this one step further, the longer term goal would be to do something similar to what Qubes is doing with things such as temporary VMs -- VMs created temporarily for just one task and then discarded:

http://www.qubes-os.org/
[Freedombox-discuss] x86 Boxes and Debian Pure Blends
I watched the FOSDEM '13 FreedomBox 1.0 talk Eben and Bdale gave earlier this year. They mentioned x86 boxes as a target platform, versus just the DreamPlug. I'd like to install the latest FreedomBox on a small x86 box I've got. What's the best way to get started with this? I realize this may not be supported right now, and would be interested in any pointers on how to help.

I have a related question. I've read FreedomBox will ideally be a Debian Pure Blend. What would that look like, as far as doing an install and configuring a box? (How would the install work? I'm guessing it would install a set of Debian packages. Then there would be some config scripts (puppet?) that would configure everything??)

Thanks for any advice...

Sean
Re: [Freedombox-discuss] x86 Boxes and Debian Pure Blends
On Wed, May 01, 2013 at 04:21:10PM +0200, Jonas Smedegaard wrote:
> * get the script used to produce those snapshot images and try to create images yourself, adapting anything you discover being specific to some hardware not yours.

This is the option I'd like to look into for now then, I think. My goal would be to run the same scripts that are used today for the DreamPlug images, but for an x86 box (with whatever changes I'd need to make to get them to work on an x86 box.) Am I right in thinking the images that Nick Daly releases are meant to run only on a DreamPlug (or VM that emulates a DreamPlug)?

I'm looking at the different git repos to see what scripts I might want to look at first. I see several repos listed here:

http://wiki.debian.org/FreedomBox#Code_and_Projects

Any thoughts on which to clone and start with first, or what approach to take? I believe I want something as close as possible to what Nick's publishing, so I could offer any changes back upstream into the work that's already being done. My guess is I'd clone Nick's repo, since it's based off Bdale's and has the extra things he's putting in the weekly images. That would be this repo:

https://github.com/nickdaly/freedom-maker

Does that sound right?

For now what I'm really after is just understanding what's in the current version of the FreedomBox, to see what's there and understand how any other work I'm doing or might do could be merged in with it.

Thanks!
Re: [Freedombox-discuss] PHP Alternatives?
On Sat, 14 Jul 2012 20:08:20 -0500 Nick M. Daly nick.m.d...@gmail.com wrote:
> So, since there is a lot of concern about including PHP on the FreedomBox, what are our solutions?

Static content would be good to keep on the table as an option, for cases where it can be used. Micah Lee from EFF did an interesting presentation at this year's HOPE: Privacy Tricks for Activist Web Developers. (Slides here: https://www.eff.org/hope9/privacy-tricks) One of his points was: Static HTML is always more secure than server-side code (slide 40). This doesn't work for everything, of course. But, it does keep a web server more secure.

There's this list of static content generators:

http://iwantmyname.com/blog/2011/02/list-static-website-generators.html

It includes ikiwiki. Another comment from Micah's presentation was that some CMS systems have the ability to generate static content. So you can create content using CMS shortcuts, and then have it generate static content to put on your website.

I do agree that security needs to be a top priority for FreedomBox, especially since it's being advertised as an organizing tool for democratic activists in hostile regimes (from https://www.freedomboxfoundation.org/learn/). It seems there may be two target audiences. One is users that want to get away from centralized services such as Facebook. The other is activists that are risking their lives. A FreedomBox for the first audience could include dynamic content, while one for the second maybe shouldn't. There could be two versions of a FreedomBox, one for each audience.

Or, maybe there's a safe(r) web application framework?
Re: [Freedombox-discuss] FreedomBox as a home router to replace Cisco/Linksys
On Tue, 3 Jul 2012 14:42:02 +0200 Eugen Leitl eu...@leitl.org wrote:
> Or you could just put pfSense on ALIX.

Yes, pfSense would be perfect...or a scaled down and simplified version of it. Although, it's FreeBSD versus Debian. I see Debian's been ported to ALIX:

https://code.google.com/p/debian-for-alix/

I couldn't tell if there's an ALIX board with wireless, and non-binary drivers?

I do see that the Dream Plug has wireless and two NICs:

http://wiki.debian.org/FreedomBox/TargetedHardware

The next version D2 Plug, though, only has one NIC. So it wouldn't make a very good home router since the one NIC would have to go to the WAN connection, and you wouldn't have one for local devices.

I did a bit of research on OpenWRT types of devices, and whether Debian would run on them. It turns out it does, but with some problems.

DebianWRT
http://wiki.debian.org/DebianWRT

Running Debian on ASUS WL-500G deluxe
http://wpkg.org/Running_Debian_on_ASUS_WL-500G_deluxe

The wireless driver is a binary kernel module (first problem), and it needs a 2.4 kernel (second problem.)
Re: [Freedombox-discuss] Some thoughts I think should be widely shared
Another one is How to Run a Successful Free Software Project by Karl Fogel. It's available here, as a PDF and HTML:

http://producingoss.com/

Amazon has it too, with reviews:

http://www.amazon.com/Producing-Open-Source-Software-Successful/dp/161610063X

I just finished reading it and thought it was great. Very well written, and lots of ideas on both the technical infrastructure as well as the human side of the process.

On Mon, 2 Jul 2012 08:54:50 -0700 freedombox-discuss.neophyte_...@ordinaryamerican.net wrote:
> Guidelines on launching an open source project?
> http://lists.teachingopensource.org/pipermail/tos/2012-June/004986.html
[Freedombox-discuss] FreedomBox as a home router to replace Cisco/Linksys
Interesting articles on what Cisco is allegedly doing, or trying to do, with home routers:

Amid Privacy Backlash, Cisco Says It’s Not Logging Your Web History
http://go.bloomberg.com/tech-blog/2012-06-29-amid-privacy-backlash-cisco-says-its-not-logging-your-web-history/

Cisco’s cloud vision: Mandatory, monetized, and killed at their discretion
http://www.extremetech.com/computing/132142-ciscos-cloud-vision-mandatory-monetized-and-killed-at-their-discretion

Part of their service agreement read, or reads:

    When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to...network traffic (e.g., megabytes per hour); Internet history

I remember from Eben's original talk on FreedomBox he described it as something people would use to replace their home wireless routers. They go to the store to buy a new wireless router, and buy a FreedomBox instead of a WeSpyOnYouBox.

I wonder if this might be a good target for a first release of FreedomBox? Have it just be something people use to replace their current home routers. Then later releases would add to that, with extra features beyond being just a router.

OpenWRT comes to mind, although it's not Debian. How hard would it be to get Debian running on a home router type of device, with the features users would expect from a simple home router? (Or, maybe Debian's already been ported to a device like this?)

One of the big advantages I see to this is that it narrows the focus. We'd get something usable out sooner rather than later. Then over time services could be added, in later releases.

FreedomBox. Routing without the spying. :-)
Re: [Freedombox-discuss] FreedomBox as a home router to replace Cisco/Linksys
On Mon, 2 Jul 2012 16:25:32 -0700 (PDT) Jonathan Wilkes jancs...@yahoo.com wrote:
> [snip]
> I see. Interesting.
>> I have Time Warner and have to use the device they provide. By default it's a wireless router with NAT. It can be configured for just pass-through, though, which is what I've done -- bridging mode.
> Is it a device that doubles as a dsl modem and wireless router? (I forgot about those devices.)

Yes, it's a device that doubles as a wireless router and, in my case, a cable modem.

> How hard was putting it in bridging mode? Does Time Warner give you the l/p for the device? And what exactly does bridging mode do?

It was pretty easy actually. It came with a web admin app, that has a setting for bridging mode. All I had to do was toggle the setting. Bridging mode causes it to work at layer 2 instead of layer 3. So it doesn't have an IP address anymore. It passes layer 2 traffic through to my own router, which now has the IP address assignment from Time Warner. I don't know much about cable modems, so don't know what the layer 2 traffic looks like. Presumably it's based on MAC addresses, or something like a MAC address??

Of course since the device no longer has an IP address, I can't get back to the web app to untoggle the setting. I'd have to do a hard reset.

[snip]