security

ScatterChat - secure, anonymous, free, cross-platform Instant Messaging client

ScatterChat is a new cross-platform IM client announced by the Cult of the Dead Cow / Hacktivismo (during the HOPE conference, it seems).

From the website:

ScatterChat is a HACKTIVIST WEAPON designed to allow non-technical human rights activists and political dissidents to communicate securely and anonymously while operating in hostile territory. It is also useful in corporate settings, or in other situations where privacy is desired.

It is a secure instant messaging client (based upon the Gaim software) that provides end-to-end encryption, integrated onion-routing with Tor, secure file transfers, and easy-to-read documentation.

Its security features include resiliency against partial compromise through perfect forward secrecy, immunity from replay attacks, and limited resistance to traffic analysis... all reinforced through a pro-actively secure design.

So the client is a "friendly-fork" of Gaim, it uses Tor to achieve anonymity, and for the crypto parts (secure messaging, secure file transfer) ScatterChat uses libgcrypt.

It's a cross-platform application available for Linux, Windows; support for other OSes is planned (Mac OS X, others).

You can always download the source code, of course, as it's free software. Actually, not quite. While ScatterChat itself is based on the GPL'd Gaim, it has to be GPL'd, too. However, the scatterchat-module package, which seems to contain the crypto-parts, is licensed under a custom "Hacktivismo Enhanced-Source Software License Agreement" (HESSLA) right now, which is so horribly long I didn't even bother reading it.

However, the README says:

I am open to the possibility of re-licensing parts of this library to GPL, BSD, public domain, or some other license. I cannot make any promises, but I will try to accomodate reasonable requests.

I'm going to do just that, email the author and ask him nicely to change the license to some sane, well-known free software license. If you feel similar, please let the author know (hint, hint). Depending on what the HESSLA really says, it might prevent ScatterChat from entering Debian, for example.

I haven't yet tried to use the application, but it sure looks like it has a lot of potential. It also seems do most security-related things right:

  • it doesn't try to reinvent/reimplement its own crypto primitives (which would be doomed to fail), but rather uses libgcrypt
  • it has a documented crypto protocol
  • it's free software, which is a major requirement (see Kerckhoffs' principle)
  • it doesn't reinvent the wheel, but rather uses Tor for anonymity (for example)
  • etc. etc.

Of course that's no guarantee that it's secure; I hope some crypto-gurus look over it soon. But at least they didn't make obvious stupid mistakes we've all seen in many other pieces of software.

Anyways, I feel this is a real important project which will help lots of people (activists, political dissidents, normal people like me and you who value their privacy). Go check it out!

(via Boing Boing)

Anonymous Google Earth over Tor

I'm probably not the first one to notice this, but you can actually use Google Earth anonymously (upon first glance at least) over Tor. It seems all the traffic (downloads of maps and textures etc.) goes over port 80 (http) and 443 (https), which can easily be anonymized with Tor (read an older post of mine for details on Tor).

Just type

export http_proxy=http://127.0.0.1:8118/
export HTTP_PROXY=http://127.0.0.1:8118/

and set up Privoxy and Tor correctly, then start Google Earth in the same xterm and you're done. I haven't looked closely at the protocol Google Earth uses (any articles available on that?) but upon a quick glance in Ethereal / Wireshark all traffic is torified, not even DNS requests are leaked. Technical explanation: the Google Earth binary uses libcurl internally, which honors the http_proxy environment variable.

However, that's not a guarantee that you're 100% anonymous, as Goole Earth could send some unique identifier (e.g. MAC address, hard drive ID etc.) to their servers which would spoil your anonymity.

Btw, I actually discovered this accidentally because I have the above HTTP_PROXY lines in my .bashrc, so most of my HTTP traffic is anonymized by default...

Google Earth for Linux - Beta

OK, so Goole has finally released a first version of Google Earth for Linux (beta, of course).

Well, maybe this time they really mean it when they say "beta"...
Google Earth Linux 1 Google Earth Linux 2 Google Earth Linux 3
Here's some quick observations:

  • Of course, it's not open source, you basically get a bunch of *.so files and an executable.
  • It uses a bunch of open source software packages, though, e.g. libcurl, OpenSSL, libjpeg, libPNG, libtiff, libmng, zlib, Expat XML Parser, FreeImage, and a bunch of other things. All the licenses of those projects are contained in a README, though.
  • The installer seems to be (based on) the Loki installer, at least a ~/.loki directory is created with some stuff in it.
  • The maps cache, and some other files are stored in ~/.googleearth.
  • The ~/.googleearth/crashlogs directory contains log files which are generated when the application crashes, and sent to Google upon the next restart of the application automatically. The README says that you should basically chmod 000 ~/.googleearth/crashlogs if you don't want that. They say these files don't contain personal information. I haven't seen one yet (didn't crash, yet), so I cannot tell if that's true.
  • The EULA says that Google Earth will phone home (they call it "check for available updates to the Software"), and that you automatically agree to that when you use it: "By installing the Software, you agree to automatically request and receive Updates".
  • When I start Google Earth, I get a popup window which tells me to install Bitstream Vera Sans fonts or things might look strange. No idea which fonts extactly they mean, I've got the Debian packages ttf-bitstream-vera, and ttf-dejavu, but the warning still appears.
  • After Google Earth connects to the server(s) I get to see something resembling a globe, but not really what I (or Google possibly) expected. There's simply no textures for anything, I just see (broken) wireframes (see screenshot), but that's about it.

I'll have to play around with it a bit more, maybe it's an issue with the NVIDIA drivers or something. But as I don't have the source I can basically just make stupid guesses...

(via Golem, and a bunch of other sites)

Podsploiting

The RedTeam, a penetration testing group, has released two security advisories which explain security holes in two podcast clients (podcatchers).

Both exploits are possible because the input of the programs is not properly (or at all) sanitized. Basically, they call system($wget_cmd) where $wget_cmd is shell (/bin/sh) code which shall download a file via wget. As the $wget_cmd string contains contents from an untrusted source (HTML/XML on some random server), this results in an "arbitrary code execution" vulnerability, the worst-case scenario you could imagine.

If someone is naive enough to even run such a podcatcher as root, this means a remote root exploit!

Anyways, the RedTeam is definately correct in saying that more and more people start listening to podcasts, and more and more podcatchers are written. But few of them are written with security in mind, which leaves many listeners at risk... I wonder how popular closed-source podcatchers such as iTunes are affected here. Are there any published audits/audit-results (black-box auditing, obviously, as you don't have the source code) for iTunes?

As for Free Software implementations... consider this a call for reviews and audits! If you know/use one of the many podcatchers (or an RSS feed aggregator, which are affected by similar issues), and have some knowledge on secure programming, get the source and review the application. Make the software you use, and the world at large, a little safer.

I'll definately have a look at the programs I'm using soonish...

Mafia Boss Secures His Data with Caesar Cipher

This is just too funny not to blog about it...

You might have heard that the mafia boss Bernardo Provenzano has been arrested recently. Now people found out that he used some "cryptography" in his messages to relatives and so on. They were decrypted pretty fast: Mafia Boss's Encrypted Messages Deciphered.

"Looks like kindergarten cryptography to me. It will keep your kid sister out, but it won't keep the police out. But what do you expect from someone who is computer illiterate?" security guru Bruce Schneier, author of several books on cryptography, told Discovery News.

(via Bruce Schneier)

Syndicate content