Re: [ubuntu-studio-devel] How wide spread is Linux spyware?

2015-07-17 Thread Ralf Mardorf
On Fri, 2015-07-17 at 15:13 -0400, lukefro...@hushmail.com wrote:
> I think we are looking at two different attack models here.

Yesno. I look at both kinds of attacks.

-- 
ubuntu-studio-devel mailing list
ubuntu-studio-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel


Re: [ubuntu-studio-devel] How wide spread is Linux spyware?

2015-07-17 Thread lukefromdc
I think we are looking at two different attack models here. I am looking at
user tracking both by law enforcement and by commercial entities, as opposed
to efforts to break root and take over a computer. The latter mode of attack,
even by law enforcement, usually delivers a Windows-only payload even when a
cross-platform exploit is used to deliver it. I will use an actual attack on
torbrowser by the FBI as an example here:

Last summer, the FBI managed to attack a .onion webserver owned by Freedom
Roads hosting and insert code exploiting a browser vulnerability affecting
what even then was an out of date version of Torbrowser. If and only if
javascript was enabled, the exploit would run over any OS. It delivered a
spyware payload known generically as a "CIPAV" or Computer Internet Protocol
Address Verifier. It caused infected machines to phone home to the FBI over a
non-Tor connection - but the payload code was Windows only. Anyone running the
then current Torbrowser was not vulnerable, neither was anyone not enabling
JS, nor anyone not running Windows.

Now we have the Flash zero-days found by freedom fighters breaking into
machines used by a European corporation that sold spyware to multiple
governments. This forced Adobe to hurriedly patch Flash and Firefox in default
builds at least for Windows to blacklist unpatched versions. Flash,
Javascript, and Java are the three main ways payloads get in, and all three
are cross-platform. It is the popularity of Windows more than anything else
that has kept most of the payloads Windows-only. Thus, Windows is a high-crime
neighborhood and for that reason alone uniquely difficult to secure against
random opponents.

For years I have warned that Windows must never be trusted for encryption or
Tor, not even to open encrypted emails. That same CIPAV for Linux would have
been several times harder to write, harder yet to conceal (where do you hide
the startup job for next boot?) and all that extra work to hit only 1% of the
user base.

With the growth of smartphones, however, we will be looking at enemies who
code this kind of exploit for three operating systems, namely Windows, iOS,
and Android. We will have to be careful to watch for those Android payloads
that by chance and lack of Android-specific code will also run on traditional
Linux distros.



Re: [ubuntu-studio-devel] How wide spread is Linux spyware?

2015-07-17 Thread Ralf Mardorf
On Fri, 17 Jul 2015 13:46:50 -0400, lukefro...@hushmail.com wrote:
>When it really counts, I bring out the big guns by firing up
>Torbrowser.  

2 humans = 2² opinions

Regarding TOR a message from the Arch general mailing list from today
and regarding browser security in general, 2 mails from the Kubuntu
users mailing list, also from today.

Begin forwarded message:

Date: Fri, 17 Jul 2015 13:00:30 -0400
To: arch-gene...@archlinux.org
Subject: Re: [arch-general] current flash vulnerabilities - what to do?


On 17/07/15 12:35 PM, Ralf Mardorf wrote:
> On Fri, 17 Jul 2015 11:30:05 -0400, Daniel Micay wrote:
>> The Tor browser is quite insecure. It's nearly the same thing as
>> Firefox, so it falls near the bottom of the list when it comes to
>> browser security, i.e. below even Internet Explorer, which has a
>> basic sandbox (but not nearly on par with Chromium, especially on
>> Linux) and other JIT / allocator hardening features not present at
>> all in Firefox. What the Tor browser *does* have that's unique are
>> tweaks to significantly reduce the browser's unique fingerprint.
>>
>> https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study
>>
>> Tor would be a fork of Chromium if they were starting again today
>> with a large team. They don't have the resources to switch browsers.
>> That would only change if they can get Google to implement most of
>> the features they need.
> 
> Vivaldi is based on Chromium. How does Vivaldi compare regarding
> security and privacy to IceCat, Pale Moon, Firefox, QupZilla, Opera?
> 
> https://aur4.archlinux.org/packages/?O=0&K=vivaldi
> https://aur.archlinux.org/packages/?O=0&K=vivaldi

It's a proprietary browser built on Chromium. It's not interesting from
a security / privacy perspective.

If you want Chromium without Google integration then you can use
Iridium. It doesn't remove any tracking / spying code though. There
wasn't any to remove. Their redefinition of tracking just means support
for any service hosted by Google (like adding a warning message when a
dictionary would be downloaded from them). Most of what it does is
changing the default settings to be more privacy conscious.

https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/log/




Begin forwarded message:

Date: Fri, 17 Jul 2015 14:49:01 +0200
To: Kubuntu user technical support 
Subject: Re: Any alternative for the Firefox plug-in 'Adobe Flash Player'?


Hi all,

On Fri, Jul 17, 2015 at 12:21 AM, Ralf Mardorf wrote:
> On Thu, 16 Jul 2015 21:06:09 +0200, Bas G. Roufs wrote:
>>However, for Windows users, this problem might be far more dangerous.
>
> Why should it be more dangerous for Windows users?
>
For the very obvious reason that a 0-day exploit is inherently more
dangerous on a less secure system, and Windows is by design less
secure compared to the *nix-based systems like Mac OS or Linux. 0-day
exploits can be very diverse, and the most obvious risk is getting
malware through such an exploit.

Regards, Myriam




Begin forwarded message:

Date: Fri, 17 Jul 2015 18:13:28 +0200
From: Ralf Mardorf
To: kubuntu-us...@lists.ubuntu.com
Subject: Re: Any alternative for the Firefox plug-in 'Adobe Flash Player'?


On Fri, 17 Jul 2015 14:49:01 +0200, Myriam Schweingruber wrote:
>For the very obvious reason that a 0-day exploit is inherently more
>dangerous on a less secure system, and Windows is by design less
>secure compared to the *nix-based systems like Mac OS or Linux. 0-day
>exploits can be very diverse, and the most obvious risk is getting
>malware through such an exploit.

The main issue with bloated browsers and crappy extensions such as the
one from Adobe is unrelated to the operating system. Most people
already offend their own privacy by simply typing something into e.g. a
Google search, already without confirming the search by pressing the
enter key.
They should start Firefox with e.g. Google, then launch Wireshark. As
soon as Wireshark hopefully only displays "Keep-Alive", they should type
and watch what Wireshark shows.
As soon as very risky extensions are used or very risky features
provided by a web browser and/or add-ons, the operating system isn't
much involved. The risk is more on a level compared to the risk of a
phishing website. I guess everybody understands that it doesn't matter
what operating system is used, when sending your banking password to a
phishing website. This is similar for a lot of security and privacy
issues caused by web browsers and their extensions.



Re: [ubuntu-studio-devel] How wide spread is Linux spyware?

2015-07-17 Thread lukefromdc
I've played with other browsers (rekonq in particular) but never found a way
to keep them from coming up unique in Panopticlick. Thus they are too easily
tracked and can only be used with websites known not to contain any ads,
trackers, or 3rd party analytic tools.

One of the problems is that the security plugin infrastructure that has grown
up around Firefox is difficult to duplicate on another browser. I use
NoScript, Ghostery, and Canvasblocker plus a long list of blocked servers in
/etc/hosts. These plugins are almost mandatory to stop cookieless tracking,
browser fingerprinting, supercookies, etc. We are engaged in an arms race with
the black hats that devise new ways to track people for the likes of Google,
Facebook, and all those sleazy ad networks.

The spyware you have to find and disable in Firefox is bad enough that ideally
it would be forked and stripped down. On the other hand, the Internet as a
whole has become extremely malicious. ANY website that is monetized in any way
should be regarded as an attack vector. Some (Google and Facebook especially)
are among the most malicious sites on the entire web when it comes to privacy.
On the other hand, any website that might be unpopular with a government
agency is subject to spoofing attacks, man in the middle attacks, and even the
potential for redirection to malicious copies of the server in a governmental
version of phishing. Think Google's "safebrowsing" database will call out a
DHS phish site?

Imagine living in a city where the grocer will attempt to pick your pocket,
the banker will try to find your home so he can clean out your safe, half of
all ATM's are fakes set up by criminals to harvest deposits, and the police
are terrorists protecting a dictatorship. The entire Internet is just such a
city.

When it really counts, I bring out the big guns by firing up Torbrowser.

On 7/17/2015 at 1:46 AM, "Ralf Mardorf"  wrote:
>
>On Thu, 16 Jul 2015 23:33:19 -0400, lukefro...@hushmail.com wrote:
>>Given the way Firefox is going, I recommend and practice periodic
>>"cleaning" of URL's from about:config.
>
>That's my recommendation too, but I dislike to do it again and again. I
>try to find a less bloated browser, that fits my needs too, IOW
>that's less bloated but provides more comfort than e.g. xombrero.
>
>I don't remember if I mentioned it already in this thread, on my machine
>I need around 1½ hours to compile a kernel with a default
>Arch/Debian/Ubuntu configuration and around 3½ hours to compile Firefox.
>
>There are a few interesting notes about e.g. Firefox's policy in the
>current flash discussion on Arch general mailing list. And on the
>Kubuntu user mailing list there's also a Flash discussion that became
>a browser security discussion, but it's not interesting for more
>experienced users.
>




[ubuntu-studio-devel] LiveFS ubuntustudio/trusty/i386 failed to build on 20150717

2015-07-17 Thread CD Image