[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] What's to be Done

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] What's to be Done
From: bancfc@xxxxxxxxxxxxxxx
Date: Sun, 23 Aug 2015 20:30:27 -0400
Authentication-results: mail2.openmailbox.org; dkim=none reason="no signature"; dkim-adsp=fail (unprotected policy); dkim-atps=neutral
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 23 Aug 2015 20:40:55 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=openmailbox.org; s=openmailbox; t=1440376239; bh=1jYjhtcrkwglAqW2qx2wv2oCspzfb2NCJSvlzkQjPq0=; h=Date:From:To:Cc:Subject:From; b=jhZnew3tPB8AsGSWFaSS3amQMuDNBGqjiHWoMmQVvP0CViMT05D0rNlNPtx/0HPJO FwEgf9oofeOqRbmK+0hj1SPyBccZhZn24G1rlSfPiYVTmLnGYcWd8geDniKx9I2eGN FGcYM1o7wWZQq3yUoPPL+Ui9tKnFCtkb0j+gDZAQ=
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Roundcube Webmail/1.0.6

Fantastic talks by Jacob as always, he hammers home many major systemhardening ideas. I summarized the points in the talks and will build onthem with more ideas and information.


I encourage everyone to see the DebConf talks by all means:

http://gemmei.acc.umu.se/pub/debian-meetings/2015/debconf15/Citizenfour_Q_A_Session.webm

http://meetings-archive.debian.net/pub/debian-meetings/2015/debconf15/What_is_to_be_done_Reflections_on_Free_Software_Usage.webm

***

Debian Hardening topics covered:
* Disabling Avahi and Samba NFS by default

* Packaging grsecurity/PaX, Pond, xmpp-client, Tor Browser, Tor-launcherand pluggable transports - work currently being done on Tor relatedpackages as of 2015

* Adoption of Subgraph Oz sandboxing framework

* Cleaning vulnerable legacy networking protocols out of the Debiankernel

* Distribution of Tor in a base Debian distro
* Giving a sshd onion service as an install time option
* Encryption of system as default on install time
* Address Sanitizer and compiler time hardening of packages

* Adoption of new rootless, type safe DHCP daemon written by him and DanBernstein

* Adoption of tlsdate or alternative to unsafe NTP
* Gnuk libre hardware keycard adoption

* Encrypting APT connections to prevent package metadata leaks and makeexploiting problems in APT harder


Other topics:
* Blacklisting mouse jigglers in systemd
* Trust problems with proprietary hardware
* NSA Nightstand program WiFi stack injector

* Reversing targeted malware with Hercules by running Irssi IRC clienthoneypot on a grsecurity enabled environment inside a s390 emulatedsystem all running on the libre Milkymist FGPA* Non-adversarial forensics to verify systems integrity and compromiseattempts* Ways to verify system firmware compromise thru dumping images andarchiving them* Source code review in addition to reproducible builds to detectmaintainer coercion situations


***

Thoughts:

* grsecurity has its own superior Mandatory Access Control frameworkcalled RBAC. RBAC has advanced system behavior learning to generatecomplex policies on the fly. Writing policies is similar to thesimplicity of Apparmor vs the absurd difficulty of SELinux

* LSM has many problems and SELinux in particular actually weakens asystem in some ways that it wouldn't be without it. Its safe to say"With security like this who needs backdoors?"

* Wayland should address the security nightmare that is X but until thenthere is work being done by RedHat to make X run rootless

* The maintainer coercion problem can be avoided if they arepseudonymous Tor users. With reproducible builds the problem of taintedbinaries should be over or at least they won't be deniable. Shouldmalicious source code ever slip in it will be traceable in the publicrecord with code audits

* Reproducible builds are great and a step further is to have Debian andsystemd run deterministically so that the order folders are accessed andservices started during boot up is identical. Should make verificationand non-adversarial forensics easier to avoid this:

http://askubuntu.com/questions/618105/systemd-non-determinism-early-on-in-boot-from-squashfs

* Firefox is in a bad place from a security perspective. The rust basedServo engine is far away. In the long term an equally dangerous threatto Firefox's viability is Mozilla adopting policies and directions thatendanger its freedom:** signed addons is a great step to ensuring add on integrity butMozilla disallowing custom user generated keys is a step back for userfreedom and being able to consensually run addons Mozilla doesn'tapprove of.** adoption of the watered down WebExtensions API and deprecation of theXUL plugin system is huge setback for addon power and flexibility. Itwill impact TBB addons like Torbutton. This decision was made in favorof making Chrome addons fully compatible across both platforms withoutconsidering what will be sacrificed. As Firefox becomes a Chorme clonethe Tor Project will run into the design limitations they avoided on thefirst place by staying away from Chromium.

* Metadata leaks and exploitation of APT bugs during system updatescould be addressed best by having Debian support Onion Services fortheir update servers and push for mirrors adopting it. AFAICT there wasa brief experiment by the guardianproject's Hans-Christoph but when hetried encouraging Debian mirror admins to run behind Tor he got a lot ofpush back. apt-transport-tor might need changes to support onion mirrorURLs.

* Blacklisting mouse jigglers is a great idea however a better way is toconfigure the system to panic immediately and shutdown if a USB deviceis plugged in when you don't expect one to be. A package already existsthat does this called usbkill:

https://github.com/hephaest0s/usbkill

This can be packaged in Debian and further integrated into a panicddaemon that can immediately shutdown a LUKS encrypted system if acertain key is pressed similar to what Truecrypt did. grsecurity has anoption to disable USB devices too.

* There is a unique proof of concept for Linux that allows a LUKSencrypted system to safely standby without leaving master encryptionkeys in RAM. I would love to see this developed more and enabled bydefault in Debian:

https://github.com/jonasmalacofilho/ubuntu-luks-suspend

* tlsdate is a good start but to solve the time source problem I amlooking towards the Tor network. An accurate system time is veryimportant for security:


https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html

The Tor network is already considering a secure multiparty computationproposal to generate entropy for directory authorities. I can see asimilar situation with broadcasting a safe system time via the Torprotocol agreed to by relays running atomic clocks as a future solution.Alternatively the organizations running Time servers could be nudged torun http Onion Services for HTTP/TCP based time daemons to set time fromthem like Tails htpdate and Whonix sdwdate, the latter already usesmultiple sources of friendly Onion Services as clock sources. One dayDebian could ship with a Tor based time daemon.




--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] What's to be Done
  - From: Apple Apple

Prev by Author: [tor-talk] Mixmaster Attachments
Next by Author: [tor-talk] hardware recommendations
Previous by thread: Re: [tor-talk] future of torstatus.blutmagie.de
Next by thread: Re: [tor-talk] What's to be Done
Index(es):
- Author
- Thread