Debian security is pretty good, but there’s always scope for improvement. Here are some ideas that I think could be used to improve things.
- A security “wizard”, basically a set of scripts with support for plugins that will investigate your system and look for things that can be improved. It could give suggestions on LSMs that could be used, sysctl settings, lists of daemons running as root that possibly don’t need root privs, etc. Plugins could be for different daemons, so there could be a plugin for Apache that looks for potential issues with Apache configuration. It wouldn’t be possible to cover everything, but it would be possible to cover many common cases.
It appears that we used to have a “harden” package to do some of these things which disappeared. It appears that the only remnant of that is the hardening-runtime package.
- Kali Linux [1] is a distribution designed for penetration testing, I recently tried out many of its features and I was very impressed. While I don’t think that the aim should be to copy all Kali features into Debian there are probably some that are worthy of inclusion. Most Kali features run well in a VM, but the Wifi penetration testing tools need access to the hardware, so they could be a good candidate for inclusion in Debian (license permitting).
- We have a Securing Debian Manual [2] that is really good. It’s a little out of date and needs some contributions, it also needs to be better known.
- The Security Management page of the Debian wiki [3] has links to a number of pages about improving system security. It needs some updates, it doesn’t have a link to a page about SE Linux so there’s some work for me to do there.
- Can training help people? I would be happy to run some Debian SE Linux training sessions over Matrix or Jitsi. We can probably find people to offer training on other aspects of Linux security that are implemented in Debian if there is an audience. I don’t think that I and other DDs (Debian Developers) can train everyone, but we could train people who then go on to run other training sessions and make the session notes etc available under the GPL.
There would also be some benefits to training other DDs as probably no-one has a good overview of all the security features that are supported.
Any other ideas? Feel free to comment here or start a thread on a public mailing list. If you start a mailing list discussion please email me or comment here with the URL if it’s a list that I’m not on so I can track it via the archives. This post was inspired by a discussion on a private list of a related topic. I think it’s better to have a public discussion instead.
IBM i is the operating system of the AS/400 line of PPC based “midrange” systems. I did a bit of reading about it after seeing an AS/400 on ebay for $300, if I had a lot more spare time and energy I might have put in a bid for that if it didn’t look like it had been left out in the rain. It seems that AS/400 is not dead, there are cloud services available, here’s one that provides a VM with 2GB of RAM for “only EUR 251 monthly” [1], wow. I’m not qualified to comment on whether that’s good value, but I think it’s worth noting that a Linux VM running on an AMD64 CPU with similar storage and the same RAM can be expected to cost about $10 per month.
There is also a free AS/400 cloud named pub400 [2], this is the type of thing I’d do if I had my own AS/400.
I’ve just started a Samsung tablet downloading a 770MB update, the description says:
- Overall stability of your device has been improved
- The security of your device has been improved
Technically I have no doubt that both those claims are true and accurate. But according to common understanding of the English language I think they are both misleading.
By “stability improved” they mean “fixed some bugs that made it unstable” and no technical person would imagine that after a certain number of such updates the number of bugs will ever reach zero and the tablet will be perfectly reliable. In fact you should consider yourself lucky if they fix more bugs than they add. It’s not THAT uncommon for phones and tablets to be bricked (rendered unusable by software) by an update. In the past I got a Huawei Mate9 as a warranty replacement for a Nexus 6P because an update caused so many Nexus 6P phones to fail that they couldn’t be replaced with an identical phone [1].
By “security improved” they usually mean “fixed some security flaws that were recently discovered to make it almost as secure as it was designed to be”. Note that I deliberately say “almost as secure” because it’s sometimes impossible to fix a security flaw without making significant changes to interfaces which requires more work than desired for an old product and also gives a higher probability of things going wrong. So it’s sometimes better to aim for almost as secure or alternatively just as secure but with some features disabled.
Device manufacturers are not making devices more secure or more reliable than when they were initially released (most companies in the Android space make the same claims while having the exact same bugs to deal with, Samsung is no different from the others in this regard). They are aiming to make them almost as secure and reliable as when they were released. They don’t have much incentive to try too hard in this regard, Samsung won’t suffer if I decide my old tablet isn’t reliable enough and buy a new one, which will almost certainly be from Samsung because they make nice tablets.
As a thought experiment, consider if car repairers did the same thing. “Getting us to service your car will improve fuel efficiency”, great how much more efficient will it be than when I purchased it?
As another thought experiment, consider if car companies stopped providing parts for car repair a few years after releasing a new model. This is effectively what phone and tablet manufacturers have been doing all along, software updates for “stability and security” are to devices what changing oil etc is for cars.
NextCloud and OwnCloud History
Some time ago I tried OwnCloud, it wasn’t a positive experience for me. Since that time I’ve got a server with a much faster CPU, a faster Internet connection, and the NextCloud code is newer and running on a newer version of PHP, I didn’t make good notes so I’m not sure which factors were most responsible for having a better experience this time. According to the NextCloud Wikipedia page [1] the fork of NextCloud from the OwnCloud code base happened in 2016 so it’s obviously been a while since I tried it, it was probably long before 2016.
Recently the BBC published an interesting article on “Turnover contagion”, which is when one resignation can trigger many more [2]; it is interesting to read in the context of OwnCloud losing critical staff after one key developer resigned.
I mentioned OwnCloud in a 2012 blog post about Liberty and Mobile Phones [3], since then I haven’t done well at achieving those goals. A few days ago I decided to try NextCloud and found it a much better experience than I recall OwnCloud being in the past.
Installation
I installed NextCloud on an Oracle Cloud ARM VM (see my previous blog post about the Oracle Cloud Free Tier [4]).
This CloudCone article on installing NextCloud on Debian 10 (Buster) covers the basics well [5].
Here is the NextCloud URL for downloading the PHP files (a large ZIP archive) [6]. You have to extract it to where Apache is configured to have its webroot and then run “chown -R www-data nextcloud/lib/private/Log nextcloud/config nextcloud/apps” (or if you use php-fpm then chown it to the user for that). NextCloud recommends having all of the NextCloud files owned by www-data, but that’s just a bad idea: allowing it to rewrite some of its program files is bad, allowing it to rewrite all of them is worse.
For my installation I used the Apache modules macro, rewrite, ssl, php7.4, and headers (this is more about how I configure Apache than about NextCloud). Also I edited /etc/php/7.4/apache2/php.ini and changed memory_limit to 512M (the default of 128M is not enough). I’m currently only testing it, for production use I would use php-fpm and run it under its own UID so that it can’t interact with other PHP apps.
After that it was just a matter of visiting the configuration URL and giving it the details of the database etc.
After setting it up the command “php -d memory_limit=512M occ app:install richdocumentscode_arm64” when run from the root of the NextCloud installation installs the Collabora Online (CODE) components for editing LibreOffice documents in NextCloud, this is the command for ARM64 architecture, I presume the command for other architectures is similar.
Conclusion
NextCloud is very usable, it has a decent feature set built in and the option to download modules such as the components for editing LibreOffice files on the web is useful. But I am hesitant to install things that require the sort of access it requires. I think it would be better if there was a documented and supported way of installing things and then locking them down so that at runtime it can only write to data files not any program files or configuration files. It would also be better if it was packaged for Debian and had the Debian update process for security fixes. I can imagine many people installing it, forgetting to update it, and ending up with insecure systems.
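As an added example (not code from this post or from the NextCloud project), here is a small POSIX shell audit that serves both the chown step in the installation section and the lock-down wish in the conclusion: it lists everything under the install tree that the web-server user could modify (owned by that user, or world-writable) outside the directories that are meant to be writable, and a companion function that applies that policy. The web user and the allowed directories are assumed to be passed as arguments; the usage comment mirrors the chown command above. If the data directory lives inside the webroot it must be added to the allowed list.

```shell
#!/bin/sh
# Added example, not from the original post or from the NextCloud project.
# Lists files and directories under ROOT that the web-server user could
# modify (owned by that user, or world-writable) and that are NOT under one
# of the ALLOWED paths given relative to ROOT. Anything printed is a program
# or config file the web app can rewrite at runtime.
# Assumed usage (mirrors the chown command in the post):
#   audit_web_writable /var/www/nextcloud www-data lib/private/Log config apps
audit_web_writable() {
    root=$1
    webuser=$2
    shift 2
    # -perm -002 is the portable spelling of "world-writable"
    find "$root" \( -user "$webuser" -o -perm -002 \) -print |
    while IFS= read -r path; do
        if [ "$path" = "$root" ]; then continue; fi
        rel=${path#"$root"/}
        allowed=0
        for a in "$@"; do
            case "$rel" in
                "$a"|"$a"/*) allowed=1; break ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then printf '%s\n' "$rel"; fi
    done
}

# Applies the policy the audit checks: everything root-owned and not
# group/world writable, then only the ALLOWED paths handed back to the web
# user. Must run as root. Same arguments as audit_web_writable.
lock_down_tree() {
    root=$1
    webuser=$2
    shift 2
    chown -R root:root "$root"
    chmod -R go-w "$root"
    for a in "$@"; do
        chown -R "$webuser" "$root/$a"
    done
}

# Example run (commented out so the file can be sourced):
#   lock_down_tree /var/www/nextcloud www-data lib/private/Log config apps
#   audit_web_writable /var/www/nextcloud www-data lib/private/Log config apps
```

Run the audit after every upgrade as well as after installation: NextCloud’s web updater and app installer write into the tree, so a clean result right after lock_down_tree says nothing about the state a month later.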
The Situation
I bought myself some USB microphones over ebay, I couldn’t see any with USB type A connectors (the original USB connectors) and bought ones with USB-C connectors. I thought it would be good to have microphones that could work with recent mobile phones and with PCs, because surely it wouldn’t be difficult to get an adaptor. I tested one of the microphones, it worked well on a phone.
I bought a pair of adaptors for USB A ports on a PC or laptop to USB-C (here’s the link to where I bought them). I used one of the adaptors with a USB-C HDMI device which gave the following line from lsusb, I didn’t try using a HDMI monitor on my laptop, having the device recognised was enough.
Bus 003 Device 002: ID 2109:0100 VIA Labs, Inc. USB 2.0 BILLBOARD
I tried connecting a USB-C microphone and Linux didn’t recognise the existence of a USB device, I tried that on a PC and a laptop on multiple ports.
I wondered whether the description of the VIA “BILLBOARD” device as “USB 2.0” was relevant to my problem. According to Big Mess O’ Wires USB-C has separate wires for USB 3.1 and USB 2 [1]. So someone could make a device that converts USB-A to USB-C with only USB-2 wires in place. I tested the USB-A to USB-C adaptor with the HDMI device in a USB “SuperSpeed” (i.e. 3.x) port and it still identified as USB 2.0. I suspect that the USB-C HDMI device is using all the high speed wires for DisplayPort data (with a conversion to HDMI) and therefore looks like a USB 2.0 device.
The Problem
I want to install a microphone in my workstation for long Zoom training sessions (7 hours in a day) that otherwise require me to use multiple Android devices as I don’t have a device that will do 7 hours of Zoom without running out of battery. A new workstation with USB-C is unreasonably expensive. A PCIe USB-C card would give me the port at the back of the machine, I can’t have the back of the machine near the microphone because it’s too noisy.
If I could have a USB-C hub with reasonable length cables (the 1m cables typical for USB 2.0 hubs would be fine) connected to a USB-C port at the back of my workstation that would work. But there seems to be a great lack of USB-C hubs. NewBeDev has an informative post about the lack of USB-C hubs that have multiple USB-C ports [2]. There also seems to be a lack of USB-C hubs with cables longer than 20cm.
The Solution
I ended up ordering a Sades Wand gaming headset [3], that has over-ear headphones and an attached microphone which connects to the computer via USB 2.0. I gave the URL for the sades.com.au web site for reference but you will get a significantly better price by buying on ebay ($39+postage vs about $30 including postage).
I guess I won’t be using my new USB-C microphones for a while.
I think most people and everyone who reads my blog is familiar with the phone support scams that are common nowadays. There’s the “we are Microsoft support and have found a problem with your PC”, the “we are from your ISP and want to warn you that your Internet access will be cut off”, and the “here’s the bill for something expensive and we need you to confirm whether you want to pay”.
Most people hang up when scammers call them and don’t call them back. But I like to talk to them. I review the quality of their criminal enterprise and tell them that I expect better quality criminals to call me. I ask them if they are proud to be criminals and if their parents would be proud of them. I ask them if they are paid well to be a criminal. Usually they just hang up and on one occasion the criminal told me to “get lost” before hanging up.
Today I got a spam message telling me to phone +61-2-8006-7237 about an invoice for Norton “Software Enhancer” and “Firewall Defender” if I wanted to dispute it. It was interesting that they had an invoice number in the email which they asked me for when I called, at the time I didn’t think to make up an invoice number with the same format to determine if they were actually looking it up, in retrospect I should have used a random 9 digit number to determine if they had a database for this.
On the first call they just hung up on me. The second call they told me “you won’t save anyone” before hanging up. The third call I got on to a friendly and talkative guy who told me that he was making good money being a criminal. I asked if he was in India or Australia (both guys had accents from the Indian subcontinent), he said he was in Pakistan. He said that he made good money by Pakistani standards as $1 Australian is over 100 Pakistani Rupees. He asked me if I’d like to work for him, I said that I make good money doing legal things, he said that if I have so much money I could send him some. ;) He also offered to take me on a tour of Islamabad if I visited, this could have been a genuine offer to have a friendly meeting with someone from the opposite side of computer security or an attempt at kidnap for ransom. He didn’t address my question about whether the local authorities would be interested in his work, presumably he thinks that a combination of local authorities not caring much and the difficulty of tracking international crime makes him safe.
It was an interesting conversation, I encourage everyone to chat to such criminals. They are right that you won’t save anyone. But you can have some fun and occasionally learn some interesting things.
Bloomberg has an insightful article about Juniper, the NSA, and the compromise of NetScreen [1]. It was worse than we previously thought and the Chinese government was involved.
Haaretz has an amusing story about security issues at a credit card company based on a series of major WTFs [2]. They used WhatsApp for communicating with customers (despite the lack of support from Facebook for issues like account compromise), stored it on a phone (they should have used a desktop PC), didn’t lock the phone down (should have been in a locked case and bolted down like any other financial security device), and allowed it to get stolen. Fortunately the thief was only after a free phone not the financial data stored on it.
David Brin wrote an insightful blog post “Should facts and successes matter in economics? Or politics?” [3] which is part of his series about challenging conservatives to bet on their policies.
Vice has an interesting article about a normal-looking USB-C to Lightning cable that intercepts data transfer and sends it out via an embedded Wifi AP [4]. Getting that into such a small space is an impressive engineering feat. The vendor already has a USB-A to Lightning cable with such features for $120 [5]. That’s too expensive to just leave them lying around and hope that someone with interesting data finds them, but it’s also quite cheap for a targeted attack.
Interesting article about tracking people via Bluetooth MAC address or device name [6]. Most of the research is based on a man riding a bike around Norway and passively sniffing Bluetooth transmissions. You can buy commercial devices that can receive Bluetooth from 1km away. A recent version of Bluetooth has random MAC addresses but that still allows tracking by device name which for many people is their own name.
Cory Doctorow has a good summary of the ways that Facebook is rotten [7]. It’s worse than you think.
In 2019 almost all Facebook’s top Christian pages were run by foreign troll farms [8]. This is partly due to Christians being gullible, but Facebook is also to blame for this.
Cornell has an interesting article about using CRISPR to identify the gender of chicken eggs before they hatch [9]. This means that instead of killing roosters hatched from eggs for egg production they can just put those eggs for eating and save some money. Another option would be to genetically engineer more sexual dimorphism into chickens as the real problem is that hens for laying eggs are too thin to be good for eating so if you could have a breed of chicken with thin hens and fat cocks then all eggs could be hatched and the chickens used. The article claims that this is an ethical benefit of not killing baby roosters, but really it’s about saving 50 cents per egg.
Umair Haque wrote an insightful article about why everything will get more expensive as the externalities dating back to the industrial revolution have to be paid for [9].
Alexei Navalny (the jailed Russian opposition politician who Putin tried to murder) wrote an insightful article about why corruption is at the root of most world problems and how to solve it [10].
Cory Doctorow wrote an insightful article about breaking in to the writing industry which can apply to starting in most careers [11]. The main point is that people who have established careers have knowledge about starting a career that’s at best outdated and at most totally irrelevant. Learning from people who are at most one step ahead of you is probably best.
Peter Wehner wrote an insightful article for The Atlantic about the way churches in the US are breaking apart due to political issues [12]. Similar things appear to be happening in Australia for the same reason, conservative fear based politics which directly opposes everything in the Bible about Jesus is taking over churches. On the positive side this should destroy churches and the way churches are currently going they should be destroyed.
The Guardian has an article about the incidence of reinfection with Covid19 [13]. The current expectation is that people who aren’t vaccinated will probably get it about every 16 months if it becomes endemic (as it has in the US and will do in Australia if conservatives have their way). If the mortality rate is 2% each time then an unvaccinated person could expect a 15% chance of dying over the course of 10 years if there is no cumulative damage. However if damage to the heart and lungs accumulates over multiple courses of the disease then the probability of death over 10 years could be a lot higher.
Psyche has an interesting article by Professor Jan-Willem van Prooijeni about the way that conspiracy theories bypass rationality [14]. The way that entertaining stories bypass rationality is particularly concerning given the way Facebook and other social media are driven by clickbait.
I recently had to renew the SSL certificate for my web server, nothing exciting about that but Certbot created a new directory for the key because I had removed some domains (moved to a different web server). This normally isn’t a big deal, change the Apache configuration to the new file names and run the “reload” command. My monitoring system initially said that the SSL certificate wasn’t going to expire in the near future so it looked fine. Then an hour later my monitoring system told me that the certificate was about to expire, apparently the old certificate came back!
I viewed my site with my web browser and the new certificate was being used, it seemed strange. Then I did more tests with gnutls-cli which revealed that exactly half the connections got the new certificate and half got the old one. Because my web server isn’t doing anything particularly demanding the mpm_event configuration only starts 2 servers, and even that may be excessive for what it does. So it seems that the Apache reload command had reloaded the configuration on one mpm_event server but not the other!
Fortunately this was something that was easy to test and was something that was automatically tested. If the change that didn’t get accepted was something small it would be a particularly insidious bug.
I haven’t yet tried to reproduce this. But if I get the time I’ll do so and file a bug report.
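As an added example (not code from the post), here is the check that would have caught the half-reloaded Apache above in one go: connect to the server a number of times, record the SHA-256 fingerprint of the leaf certificate presented on each connection, and complain if more than one distinct fingerprint turns up. It assumes openssl(1) is installed; the post used gnutls-cli for the same purpose, and summarize works on any list of fingerprint lines, so a gnutls-cli loop can feed it just as well.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl(1) is installed.
# Probes a TLS server repeatedly and reports whether every connection got the
# same leaf certificate; a partly reloaded Apache (some workers still serving
# the old certificate) shows up as more than one distinct fingerprint.

# usage: leaf_fingerprint HOST PORT [SNI]  -> prints one fingerprint line
# SNI defaults to HOST so the virtual host's own certificate is selected.
leaf_fingerprint() {
    host=$1
    port=$2
    sni=${3:-$1}
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*Fingerprint=//'
}

# usage: probe_fingerprints HOST PORT COUNT  -> COUNT fingerprint lines
# Each call is a fresh TCP connection, so successive probes land on whichever
# worker accepts next rather than reusing one keep-alive connection.
probe_fingerprints() {
    i=0
    while [ "$i" -lt "$3" ]; do
        leaf_fingerprint "$1" "$2"
        i=$((i + 1))
    done
}

# usage: summarize < fingerprint-lines
# prints "CONSISTENT <fp>" and returns 0 when exactly one fingerprint was seen,
# "NONE" and returns 2 when no fingerprint was collected (connection failed),
# otherwise "MIXED <n>" followed by a count per fingerprint, returning 1.
summarize() {
    counts=$(sort | uniq -c | sort -rn)
    n=$(printf '%s\n' "$counts" | grep -c .) || n=0
    if [ "$n" -eq 0 ]; then
        printf 'NONE\n'
        return 2
    fi
    if [ "$n" -eq 1 ]; then
        printf 'CONSISTENT %s\n' "$(printf '%s\n' "$counts" | awk '{print $2}')"
        return 0
    fi
    printf 'MIXED %s\n%s\n' "$n" "$counts"
    return 1
}

# Example (not run here; needs network access):
#   probe_fingerprints www.example.com 443 20 | summarize
```

With mpm_event starting only two child processes and no keep-alive reuse between probes, twenty connections is plenty to hit both; running this from the monitoring host right after every “reload” turns the hour-long surprise in the post into an immediate non-zero exit status.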
Kali is a Debian based distribution aimed at penetration testing. I haven’t felt a need to use it in the past because Debian has packages for all the scanning tools I regularly use, and all the rest are free software that can be obtained separately. But I recently decided to try it.
Here’s the URL to get Kali [1]. For a VM you can get VMWare or VirtualBox images, I chose VMWare as it’s the most popular image format and also a much smaller download (2.7G vs 4G). For unknown reasons the torrent for it didn’t work (might be a problem with my torrent client). The download link for it was extremely slow in Australia, so I downloaded it to a system in Germany and then copied it from there.
I don’t want to use either VMWare or VirtualBox because I find KVM/Qemu sufficient to do everything I want and they are in the Main section of Debian, so I needed to convert the image files. Some of the documentation on converting image formats to use with QEMU/KVM says to use a program called “kvm-img” which doesn’t seem to exist, I used “qemu-img” from the qemu-utils package in Debian/Bullseye. The man page qemu-img(1) doesn’t list the types of output format supported by the “-O” option (the output of “qemu-img --help” does, at the end) and the examples returned by a web search show using “-O qcow2“. It turns out that the following command will convert the image to “raw” format which is the format I prefer, as raw is what qemu-img convert produces when no “-O” is given. I use BTRFS for storing all my VM images and that does all the copy-on-write I need.
qemu-img convert Kali-Linux-2021.3-vmware-amd64.vmdk ../kali
After converting it the file was 500M smaller than the VMWare files (10.2 vs 10.7G). Probably the Kali distribution file could be reduced in size by converting it to raw and then back to VMWare format. The Kali VMWare image is compressed with 7zip which has a good compression ratio, I waited almost 90 minutes for zstd to compress it with -19 and the result was 12% larger than the 7zip file.
VMWare apparently likes to use an emulated SCSI controller, I spent some time trying to get that going in KVM. Apparently recent versions of QEMU changed the way this works and therefore older web pages aren’t helpful. Also allegedly the SCSI emulation is buggy and unreliable (but I didn’t manage to get it going so can’t be sure). It turns out that the VM is configured to work with the virtio interface, the initramfs.conf has the configuration option “MODULES=most” which makes it boot on all common configurations (good work by the initramfs-tools maintainers). The image works well with the Spice display interface, so it doesn’t capture my mouse, the window for the VM works the same way as other windows on my desktop and doesn’t capture the mouse cursor. I don’t know if this level of Spice integration is in Debian now, last time I tested it didn’t work that way.
I also downloaded Metasploitable [2] which is a VM image designed to be full of security flaws for testing the tools that are in Kali. Again it worked nicely after converting from VMWare to raw format. One thing to note about Metasploitable is that you must not make it available on the public Internet. My home network has NAT for IPv4 but all systems get public IPv6 addresses. It’s usually nice that those things just work on VMs but not for this. So I added an iptables command to block IPv6 to /etc/rc.local.
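As an added example, not code from the post, here is one way to do that IPv6 blocking inside the Metasploitable guest from /etc/rc.local. It assumes ip6tables is present in the guest (an assumption; the post doesn’t say which command it used) and that nothing in the lab needs IPv6 to reach the VM. The accept_ra line goes one step further than dropping packets: it stops the guest from configuring a global address from the network’s router advertisements in the first place, so there is no public address to reach even if the firewall rules are flushed later.

```shell
#!/bin/sh
# Added example, not from the original post. Intended for /etc/rc.local inside
# a deliberately vulnerable guest (Metasploitable) on a network that hands out
# public IPv6 addresses. Assumes ip6tables exists in the guest.
command -v ip6tables >/dev/null 2>&1 || { echo "ip6tables not found" >&2; exit 1; }

# Default-deny in every direction; only loopback stays open so local tools
# that bind to ::1 keep working.
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Belt and braces: ignore router advertisements so no global address is
# autoconfigured at all (a flushed firewall then still exposes nothing).
for f in /proc/sys/net/ipv6/conf/*/accept_ra; do
    if [ -e "$f" ]; then echo 0 > "$f"; fi
done
```

To confirm it took effect, “ip -6 addr” inside the guest should show only link-local (fe80::) addresses, and a scan of the guest’s former global address from another machine should get nothing back. The IPv4 side is still reachable through the NAT, which is what the Kali tools need.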
Conclusion
Installing VMs for both these distributions was quite easy. Most of my time was spent downloading from a slow server, trying to get SCSI emulation working, working out how to convert image files, and testing different compression options. The time spent doing stuff once I knew what to do was very small.
Kali has zsh as the default shell, it’s quite nice. I’ve been happy with bash for decades, but I might end up trying zsh out on other machines.