I agree 100% with Jacob that we need to work on these security issues.
While some people might find it paranoid, we should try to minimize our
attack surface.

AFAIK http://sqlcipher.net/ is cross-platform; the only thing we will
need to do is package it for Ubuntu. It offers protections on platforms
that are hard to otherwise protect. During the generation of a NEW DB we
just need to add "PRAGMA key = 'passphrase';" and then we need to copy
the data from the old DB into the new DB.

Right now anyone can do anything with our DB and the user may not even
know the DB is being created.

Examples:
1) Copy the DB as it is into another physical drive
2) Any process can hook into zeitgeist and push out info

Those have to be fixed...
It won't cost us anything and people will not complain if we do it. The chances
of people praising us for respecting their privacy are much bigger. AFAIK MeeGo
people had a BIG issue with us being unencrypted. At UDS people told me they
uninstalled Zeitgeist because of their fear of their data being exploited.
Now we can't fix both within the next 2 - 3 weeks to a much better state. But we
have to start with it now.

I would like to start with the database encryption. I think we can land this as
a new feature. And to be honest, for that I don't care about backwards
compatibility. What are the chances that:
1) People move away from Zeitgeist because it is in a way spyware
2) People then move away after we encrypt the database because for them it
will be backwards incompatible.

I am not going to get into details of the keyring stuff now. But again
it's a vector that risks exploitation. We will need to tackle this
properly. But the SQLCipher stuff can be done in a matter of a
couple of days including packaging (using Siegfried power) :P

-- 
You received this bug notification because you are a member of Zeitgeist
Framework Team, which is subscribed to Zeitgeist Framework.
https://bugs.launchpad.net/bugs/787868
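
The migration sketched in the post above ("PRAGMA key on a NEW DB, then copy the data over") as a worked example. This is added illustration code, not Zeitgeist's own code and not from SQLCipher's project; the file names, the `event` table and its rows are constructed for the demo, and the passphrase is passed in as a plain argument, so the keychain integration the bug description asks for is out of scope here. The important caveat it demonstrates: stock SQLite silently accepts an unknown `PRAGMA key` as a no-op, so a migration must verify that the key actually took effect. Two checks are shown, `PRAGMA cipher_version` (answered only by a SQLCipher build) and the file header (a plaintext SQLite file starts with the literal "SQLite format 3", which SQLCipher replaces with a random salt).

```python
import os
import sqlite3
import tempfile

# Every plaintext SQLite file begins with this 16-byte magic string. SQLCipher
# overwrites the first 16 bytes of the file with a random salt, so seeing this
# header after the migration means the key was silently ignored.
SQLITE_PLAINTEXT_HEADER = b"SQLite format 3\x00"


def sql_quote(s):
    """PRAGMA key does not accept bound parameters, so escape the literal by hand."""
    return "'" + s.replace("'", "''") + "'"


def quote_ident(name):
    """Double-quote an identifier taken from sqlite_master."""
    return '"' + name.replace('"', '""') + '"'


def migrate_to_keyed_db(old_path, new_path, passphrase):
    """Create a fresh database at new_path with PRAGMA key issued first, then copy
    every user table, index, view and trigger from the plaintext old_path.
    Returns {table_name: rows_copied}."""
    if not os.path.exists(old_path):
        raise FileNotFoundError(old_path)
    if os.path.exists(new_path):
        raise FileExistsError(new_path)
    src = sqlite3.connect(old_path)
    dst = sqlite3.connect(new_path)
    try:
        # On a SQLCipher build PRAGMA key must be the first statement on the
        # connection; on stock SQLite it is an unknown pragma and does nothing.
        dst.execute("PRAGMA key = %s" % sql_quote(passphrase))
        # Skip internal objects (sqlite_sequence, autoindexes) whose DDL cannot
        # be replayed; create tables before the indexes/views/triggers using them.
        objects = src.execute(
            "SELECT type, name, sql FROM sqlite_master "
            "WHERE sql IS NOT NULL AND name NOT LIKE 'sqlite_%' "
            "ORDER BY CASE type WHEN 'table' THEN 0 WHEN 'index' THEN 1 "
            "WHEN 'view' THEN 2 ELSE 3 END"
        ).fetchall()
        copied = {}
        for obj_type, name, ddl in objects:
            dst.execute(ddl)
            if obj_type == "table":
                rows = src.execute("SELECT * FROM %s" % quote_ident(name)).fetchall()
                if rows:
                    marks = ",".join("?" * len(rows[0]))
                    dst.executemany(
                        "INSERT INTO %s VALUES (%s)" % (quote_ident(name), marks), rows)
                copied[name] = len(rows)
        dst.commit()
    finally:
        src.close()
        dst.close()
    return copied


def file_is_plaintext_sqlite(path):
    """True if the file on disk still carries the plaintext SQLite header."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_PLAINTEXT_HEADER


def sqlcipher_active(path, passphrase):
    """True only when the linked SQLite is a SQLCipher build: stock SQLite
    returns no rows for PRAGMA cipher_version."""
    conn = sqlite3.connect(path)
    try:
        conn.execute("PRAGMA key = %s" % sql_quote(passphrase))
        return bool(conn.execute("PRAGMA cipher_version").fetchall())
    finally:
        conn.close()


def demo(passphrase="passphrase"):
    """Build a constructed plaintext DB, migrate it, and report whether the
    result is really encrypted with the SQLite library Python is linked against."""
    tmp = tempfile.mkdtemp()
    old, new = os.path.join(tmp, "activity.sqlite"), os.path.join(tmp, "activity.sqlite.new")
    conn = sqlite3.connect(old)
    conn.execute("CREATE TABLE event (id INTEGER PRIMARY KEY, timestamp INTEGER, uri TEXT)")
    conn.execute("CREATE INDEX event_ts ON event(timestamp)")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)",
                     [(1, 1000, "file:///home/u/a.txt"), (2, 1001, "file:///home/u/b.txt")])
    conn.commit()
    conn.close()
    copied = migrate_to_keyed_db(old, new, passphrase)
    conn = sqlite3.connect(new)
    conn.execute("PRAGMA key = %s" % sql_quote(passphrase))
    reopened = conn.execute("SELECT count(*) FROM event").fetchone()[0]
    conn.close()
    return {"rows": copied, "reopened_rows": reopened,
            "still_plaintext": file_is_plaintext_sqlite(new),
            "sqlcipher": sqlcipher_active(new, passphrase)}


if __name__ == "__main__":
    print(demo())
```

Run against a stock `sqlite3` module the result shows `still_plaintext: True` and `sqlcipher: False`, which is exactly the failure the checks exist to catch: the data was copied and `PRAGMA key` raised no error, yet nothing was encrypted. Only with Python linked against a SQLCipher build do the two flags flip.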

Title:
  Encryption of database

Status in Zeitgeist Framework:
  New

Bug description:
  I think that Zeitgeist should encrypt databases in
  ~/.local/share/zeitgeist/* for anti-forensics reasons.

  While someone may happen to use an encrypted disk, Zeitgeist may serve
  as the ultimate accidental spyware to an unsuspecting user. One
  possible mitigation is to randomly generate a reasonable key, tie it
  into the login keychain and then use that key with something like
  http://sqlcipher.net/ rather than straight sqlite.

  In theory, a user will never know that this encryption/decryption is
  happening - no underlying assumptions about the disk need to be made
  to maintain any security guarantees. This should prevent anyone from
  learning the contents of the database without also learning the login
  password. Modern Ubuntu machines disallow non-root ptracing (
  https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace )
  and if the gnome keyring is locked, an attacker would have a much
  harder time grabbing meaningful Zeitgeist data without interacting
  with the user or bruteforcing the login keychain.

_______________________________________________
Mailing list: https://launchpad.net/~zeitgeist
Post to     : zeitgeist@lists.launchpad.net
Unsubscribe : https://launchpad.net/~zeitgeist
More help   : https://help.launchpad.net/ListHelp
