Update: "Testing stuff with QEMU"-articles published so far:
Here's a quick HOWTO to get you started with the QEMU emulator, the Debian installer (etch beta 3), and SELinux. If you execute the following steps you'll be left with an SELinux-enabled Debian unstable QEMU image, but not with a complete working and perfectly configured SELinux system. A more detailed article about SELinux will probably follow...
Basic Debian unstable install in QEMU:
apt-get install qemu
qemu-img create -f qcow /path/to/debian.img 5000M
qemu -hda /path/to/debian.img -boot d -cdrom debian-testing-i386-binary-1.iso
/etc/apt/sources.list if needed, and then dist-upgrade to the latest stuff:
apt-get update && apt-get dist-upgrade
halt" in the emulated Debian, wait for the shutdown to complete, press CTRL+ALT+2 to switch to the QEMU console, and type "
Creating a QEMU overlay image:
QEMU has a nice feature called overlay images which allows you to "clone" an image, where the new (overlay) image will only store the "diffs" to the original one, thus saving lots of space. This also allows you to remove the overlay image at any time and restart from the original image (which is nice for testing stuff which may break).
qemu-img create -b /path/to/debian.img -f qcow /path/to/debian_selinux_overlay.img
qemu -hda /path/to/debian_selinux_overlay.img
Basic SELinux setup:
Luckily the Debian kernels are xattr-enabled by default so we don't have to do anything at all here.
apt-get install checkpolicy policycoreutils selinux-policy-refpolicy-src
setfiles utility is in the wrong place, see #384850), but there's a simple workaround:
ln -s /sbin/setfiles /usr/sbin/setfiles
ln -s /etc/selinux/refpolicy/src /etc/selinux/targeted
selinux=1 to enable SELinux in the kernel (press "e" to edit the boot options).
sestatus", which should print some information on the running SELinux system. If it says "SELinux status: disabled" something went wrong.
Congratulations! You now have a QEMU image with minimal SELinux support and you can start playing with it, tweaking the policy, finding and reporting bugs, reading tons of documentation on how SELinux actually works etc. etc.
As SELinux is (half?) a release-goal for Debian etch, it would be nice if many people could test it before the release, and this is one method to do so without breaking your production systems.
Update 2006-08-28: You don't really need user_xattr support for SELinux, only xattr support (for security.selinux xattrs) for the filesystem you use, which is available by default in Debian kernels (thanks Russell Coker).
From the website:
ScatterChat is a HACKTIVIST WEAPON designed to allow non-technical human rights activists and political dissidents to communicate securely and anonymously while operating in hostile territory. It is also useful in corporate settings, or in other situations where privacy is desired.
Its security features include resiliency against partial compromise through perfect forward secrecy, immunity from replay attacks, and limited resistance to traffic analysis... all reinforced through a pro-actively secure design.
So the client is a "friendly-fork" of Gaim, it uses Tor to achieve anonymity, and for the crypto parts (secure messaging, secure file transfer) ScatterChat uses libgcrypt.
It's a cross-platform application available for Linux and Windows; support for other OSes (Mac OS X, others) is planned.
You can always download the source code, of course, as it's free software. Actually, not quite. As ScatterChat itself is based on the GPL'd Gaim, it has to be GPL'd, too. However, the scatterchat-module package, which seems to contain the crypto-parts, is licensed under a custom "Hacktivismo Enhanced-Source Software License Agreement" (HESSLA) right now, which is so horribly long I didn't even bother reading it.
However, the README says:
I am open to the possibility of re-licensing parts of this library to GPL, BSD, public domain, or some other license. I cannot make any promises, but I will try to accommodate reasonable requests.
I'm going to do just that, email the author and ask him nicely to change the license to some sane, well-known free software license. If you feel similar, please let the author know (hint, hint). Depending on what the HESSLA really says, it might prevent ScatterChat from entering Debian, for example.
I haven't yet tried to use the application, but it sure looks like it has a lot of potential. It also seems to do most security-related things right:
Of course that's no guarantee that it's secure; I hope some crypto-gurus look over it soon. But at least they didn't make obvious stupid mistakes we've all seen in many other pieces of software.
Anyways, I feel this is a real important project which will help lots of people (activists, political dissidents, normal people like me and you who value their privacy). Go check it out!
(via Boing Boing)
I'm probably not the first one to notice this, but you can actually use Google Earth anonymously (upon first glance at least) over Tor. It seems all the traffic (downloads of maps and textures etc.) goes over port 80 (http) and 443 (https), which can easily be anonymized with Tor (read an older post of mine for details on Tor).
export http_proxy=http://127.0.0.1:8118/
export HTTP_PROXY=http://127.0.0.1:8118/
and set up Privoxy and Tor correctly, then start Google Earth in the same xterm and you're done. I haven't looked closely at the protocol Google Earth uses (any articles available on that?) but upon a quick glance in Ethereal / Wireshark all traffic is torified, not even DNS requests are leaked. Technical explanation: the Google Earth binary uses libcurl internally, which honors the http_proxy environment variable.
However, that's not a guarantee that you're 100% anonymous, as Google Earth could send some unique identifier (e.g. MAC address, hard drive ID etc.) to their servers which would spoil your anonymity.
Btw, I actually discovered this accidentally because I have the above HTTP_PROXY lines in my .bashrc, so most of my HTTP traffic is anonymized by default...
OK, so Google has finally released a first version of Google Earth for Linux (beta, of course).
~/.loki directory is created with some stuff in it.
~/.googleearth/crashlogs directory contains log files which are generated when the application crashes, and sent to Google upon the next restart of the application automatically. The README says that you should basically chmod 000 ~/.googleearth/crashlogs if you don't want that. They say these files don't contain personal information. I haven't seen one yet (didn't crash, yet), so I cannot tell if that's true.
I'll have to play around with it a bit more, maybe it's an issue with the NVIDIA drivers or something. But as I don't have the source I can basically just make stupid guesses...
(via Golem, and a bunch of other sites)
Both exploits are possible because the input of the programs is not properly (or at all) sanitized. Basically, they call
$wget_cmd is shell (/bin/sh) code which shall download a file via wget. As the
$wget_cmd string contains contents from an untrusted source (HTML/XML on some random server), this results in an "arbitrary code execution" vulnerability, the worst-case scenario you could imagine.
If someone is naive enough to even run such a podcatcher as root, this means a remote root exploit!
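The pattern described above, next to a hardened form, as an added example that is not code from the affected podcatchers or from the advisory. The feed, the host name and the function names are constructed for illustration; the point is that an argument list run without /bin/sh keeps feed text inert, and that URL validation is a second layer rather than the fix itself.

```python
import subprocess
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not from a real server). The second and third
# enclosure URLs contain characters that /bin/sh treats as syntax.
FEED = """<rss><channel>
<item><enclosure url="http://feeds.example.invalid/ep1.mp3"/></item>
<item><enclosure url="http://feeds.example.invalid/ep2.mp3; echo INJECTED"/></item>
<item><enclosure url="http://feeds.example.invalid/ep3.mp3;x=1"/></item>
</channel></rss>"""

def enclosure_urls(feed_xml):
    """Extract enclosure URLs exactly as the remote server supplied them."""
    return [e.get("url", "") for e in ET.fromstring(feed_xml).iter("enclosure")]

def naive_wget_cmd(url):
    """Vulnerable pattern: untrusted feed text becomes part of shell code.
    Handing this string to /bin/sh lets ';' start a second command."""
    return "wget -q " + url

def safe_wget_argv(url):
    """Return an argv list for wget, or None if the URL is rejected."""
    parts = urlsplit(url)
    # Only fetch over http(s) from a named host; this also rejects strings
    # such as "--output-document=x" that wget would read as options.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # Whitespace and control characters have no place in a download URL.
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return None
    # "--" ends option parsing; the URL is always one single argument.
    return ["wget", "-q", "--", url]

def fetch(url):
    """Download one enclosure without involving a shell."""
    argv = safe_wget_argv(url)
    if argv is None:
        return False
    # List form with shell=False: ';', '|', '$(...)' are plain bytes here.
    return subprocess.run(argv, shell=False, timeout=300).returncode == 0

if __name__ == "__main__":
    for u in enclosure_urls(FEED):
        print(repr(naive_wget_cmd(u)), "->", safe_wget_argv(u))
```

The third URL passes validation and still cannot run anything, because it reaches wget as a single argument; the second is rejected outright by the whitespace check.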
Anyways, the RedTeam is definitely correct in saying that more and more people start listening to podcasts, and more and more podcatchers are written. But few of them are written with security in mind, which leaves many listeners at risk... I wonder how popular closed-source podcatchers such as iTunes are affected here. Are there any published audits/audit-results (black-box auditing, obviously, as you don't have the source code) for iTunes?
As for Free Software implementations... consider this a call for reviews and audits! If you know/use one of the many podcatchers (or an RSS feed aggregator, which are affected by similar issues), and have some knowledge on secure programming, get the source and review the application. Make the software you use, and the world at large, a little safer.
I'll definitely have a look at the programs I'm using soonish...