
Re: Automatic downloading of non-free software by stuff in main

On Thu, Dec 07, 2017 at 12:17:10PM -0500, Paul R. Tagliamonte wrote:
> If the Secret Police has seized your computer, has physical access to
> your machine and the decryption passphrase for your system, I don't
> think there's any website that you visited that would be more
> incriminating than the rest of the drive.

Some of us do take steps to be aware of potentially sensitive data on our
disks.  While for anything really dangerous you'd have an in-memory livecd,
that's quite a hassle for everyday use, thus most of us don't go into
paranoia and at most know how to wipe histories.

This can be somewhat tricky as you have quasi-logs stored around, such as
~/.cache/thumbnails (timestamped!), but at least these are files that are
reasonable for an average person to find.

Smuggling this data in xattrs on the other hand?  Even for those of us who
mess with filesystem development and who are aware of caps (xattr -l
/bin/ping) and thus rsync -X, it's surprising news.  And usual tools shipped
by current Debian don't mark the presence of such hidden data, nor do we
install any xattrs aware tool by default.  Now take an average somewhat
technical user... no way to find this.

But, I see you're dismissing possible harm as "theoretical".  While I don't
have real-life examples of bad xattrs yet, here's two related cases that
happened to me, personally -- without bad consequences as both were on a
desktop that doesn't leave my home, but it's obvious what would happen if
the data was read by a bad guy, especially likely on a USB stick, laptop or
phone that you travel past a border with.

* upgrading to gnupg2 left a copy of my private key in ~/.gnupg/secring.gpg,
  despite me explicitly deleting it, and asking gpg to --list-secret-keys
  doesn't reveal that this "backup just in case you might want to downgrade"
  is still on the disk.

* a sysadmin whom I have helped before asked me for help interpreting mail
  headers and some advice wrt something that happened at his company (I
  never had any relation with that company).  Instead of sending a tarball,
  he copied the mails to a temporary IMAP account, to which I connected with
  Thunderbird.  I've viewed a couple of the mails and promptly deleted the
  account.  Yet Thunderbird not only downloads the entirety of data for
  offline use (this is kind of known), but also leaves data for deleted
  accounts on the disk, without any indication it's there (unless you dig
  into the profile's directory by hand).  I found out these files are there
  only many years later.  The mails included stuff that's illegal to
  distribute, and would clearly land the guy in jail, and possibly me as
  well.  Semi-accidentally distributing them was a lapse of judgement on his
  part, but per the Dissident Test, I would really appreciate if software
  did not put its user in danger after the human error is noticed and
  (seemingly) rectified.

> > (Your logic would argue that browser porn mode is basically
> > pointless.)
> In a world of network taps, and a world where if I had a program
> running on your computer without you knowing, yes, it is actually
> literally useless.

You probably noticed all the outrage against backdoors in Intel ME and AMD
PSP.  You might also want an operating system with open auditable code.

> All it does it avoid storing data into your profile
> or sending data the browser has about you, kinda. Not even that well,
> just mostly well enough. It's not a security or privacy measure.

I don't even use the "incognito mode", it's indeed nearly useless.  It
doesn't even block third-party trackers, block most means of fingerprinting,
etc.  You're much better off with a hand-crafted browser profile.  Then,
there's Tor, which is no magic bullet, but is a pretty powerful tool.

> It does not make you safe. It doesn't avoid a network tap. Your
> browser will still send an SNI before you handshake, and the Server's
> Certificate, and your Client Certificate before the handshake is done.

No need to even bother eavesdropping on SNI, browsers and most programs send
a DNS query even for a domain you accessed a minute ago.  Usually, this goes
only over your ISP and the network path to an authoritative nameserver in
the vicinity of the target server, but in some configurations it gets sent
to world's second most nosy company (with an enormous infrastructure for
cross-matching such data!); despite that resolver being supposed to be
anycasted, on at least one occasion I noticed it going to the US (the
world's most nosy government (geoip-ing the AS doesn't work but you can look
at traceroute)).  Even worse, if you use systemd-resolved, any transient
failure will silently use for queries (#761658, wontfixed closed).
Gee, guess how this goes if you're working for a company or country that the
US finds "interesting".

> The URL where you got a file is not nearly as privacy violating as the
> file itself to the secret police. If you can read the attr, you can
> read the file.

In #883746 I pointed out an image that's harmless on its own, but can be
used for nasty purposes when a personal identifier is accessible.

Or, what if the URL contains login details?  Or the referer points to a
secret forum?

> The pros vastly outweighs the speculative cons on this

I might be inattentive, but I did not notice a single pro mentioned on
this thread.  The only part, Windows-like "you downloaded this file from the
Internet, it may be bad" popup, can be done with a boolean, and is still a
dubious idea.

> it's literally
> just a tag that's stored on the filesystem. If you can read the tag,
> you can read the file. If you store porn that's readable by others,
> it's not a shock that you go to porn websites. If you have an
> overthrow the government file, it's not really that big of a deal
> where you got it from. Chances are they'd be more interested in the
> file.

I guess you haven't read news about leaks happening once in a short while? 
It seems as if in most cases the govt is interested mostly not in what was
leaked, but in who leaked it, so they can make an example of the

And, in recent cases that data came on USB sticks, which, unless formatted
with FAT, preserve xattrs.

⢀⣴⠾⠻⢶⣦⠀ 14:13 < icenowy[m]> are they hot enough? ;-)
⣾⠁⢰⠒⠀⣿⡁ 14:17 < icenowy[m]> I think now in Europe it should be winter? Let
⢿⡄⠘⠷⠚⠋⠀                     the BPi warm you ;-)
⠈⠳⣄⠀⠀⠀⠀ 14:17 <@KotCzarny> yeah, i have a pc to warm me ;)

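The xattr point made in the mail above (origin metadata that the usual Debian tools never show, and URLs that may carry login details or point at a private forum), as an added example that is not part of the mail, of Debian, or of any download tool. It assumes Linux and the attribute names user.xdg.origin.url and user.xdg.referrer.url, which the mail does not name; they are the freedesktop convention some downloaders follow, and are labelled as an assumption in the code. The sample tree is constructed inside a temp directory and removed again.

```python
"""Find, classify and strip per-file origin metadata hidden in xattrs.
Added example, not code from the mail or from Debian.  Assumes Linux and the
user.xdg.origin.url / user.xdg.referrer.url names (assumption: the mail does
not name the attribute; this is the freedesktop convention some tools use)."""
import errno
import os
import shutil
import tempfile
from urllib.parse import parse_qs, urlsplit

ORIGIN_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")  # assumed names
SECRET_PARAMS = {"token", "session", "sid", "key", "auth", "password", "passwd"}
UNSUPPORTED = {errno.ENOTSUP, errno.EOPNOTSUPP, errno.EPERM}  # fs refuses user.*


def classify_url(url):
    """Why a stored URL leaks more than 'which site': embedded credentials, secrets."""
    reasons, parts = [], urlsplit(url)
    if parts.username or parts.password:
        reasons.append("credentials in userinfo")
    if parts.query and {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)} & SECRET_PARAMS:
        reasons.append("secret-looking query parameter")
    return reasons


def scan_tree(root):
    """Map each regular file below root to its user.* xattrs, UTF-8 decoded."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                names = os.listxattr(path, follow_symlinks=False)
            except OSError as e:
                if e.errno in UNSUPPORTED:
                    continue
                raise
            attrs = {n: os.getxattr(path, n, follow_symlinks=False).decode("utf-8", "replace")
                     for n in names if n.startswith("user.")}
            if attrs:
                found[path] = attrs
    return found


def report(found, root):
    """Flatten scan output into (relative path, xattr name, value, reasons) rows."""
    rows = []
    for path, attrs in sorted(found.items()):
        for n, v in sorted(attrs.items()):
            reasons = classify_url(v) if n in ORIGIN_XATTRS else []
            if n == "user.xdg.referrer.url":
                reasons.append("referrer reveals the page you came from")
            rows.append((os.path.relpath(path, root), n, v, reasons))
    return rows


def strip_origin_xattrs(root):
    """Remove origin/referrer attributes below root; return how many were removed."""
    removed = 0
    for path, attrs in scan_tree(root).items():
        for n in attrs:
            if n in ORIGIN_XATTRS:
                os.removexattr(path, n, follow_symlinks=False)
                removed += 1
    return removed


def demo():
    """Constructed sample tree in a temp dir: scan, then strip, return a summary.
    'supported' is False when the temp filesystem refuses user.* xattrs."""
    root = tempfile.mkdtemp(prefix="xattr-demo-")
    samples = {  # constructed: forum attachment with session id, tarball with password in URL
        "cat.jpg": {"user.xdg.origin.url": "https://forum.example/attachments/cat.jpg?sid=deadbeef",
                    "user.xdg.referrer.url": "https://forum.example/private/thread/42"},
        "tool.tar.gz": {"user.xdg.origin.url": "ftp://alice:hunter2@mirror.example/tool.tar.gz"},
        "notes.txt": {},
    }
    try:
        for name, attrs in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(b"constructed sample content\n")
            for n, v in attrs.items():
                os.setxattr(path, n, v.encode())
        rows = report(scan_tree(root), root)
        removed = strip_origin_xattrs(root)
        return {"supported": True, "rows": rows, "removed": removed, "left": scan_tree(root)}
    except OSError as e:
        if e.errno in UNSUPPORTED:
            return {"supported": False, "rows": [], "removed": 0, "left": {}}
        raise
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for row in demo()["rows"]:
        print(row)
```

Run stand-alone it prints one row per hidden attribute, with the reasons it was flagged; point scan_tree at ~/Downloads or a USB stick mount to see what your own tools have left behind. A plain ls -l shows none of this; getfattr -d -R from the attr package is the manual equivalent, and it is the kind of tool the mail notes is not installed by default. Note that the referrer attribute is flagged regardless of its content, because the mere fact of where you came from is the leak the mail describes.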