From patrick-mailinglists at whonix.org Wed Dec 4 07:54:11 2019
From: patrick-mailinglists at whonix.org (Patrick Schleizer)
Date: Wed, 4 Dec 2019 06:54:11 +0000
Subject: [Whonix-devel] Qubes-Whonix Security Disadvantages - Help Wanted!
Message-ID: <9ee5e375-d33b-3c52-6aa3-f9a303e7f30f@whonix.org>

kloak - Anti Keystroke Deanonymization
- https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak
- https://www.whonix.org/wiki/Keystroke_Deanonymization

* Already installed by default in Non-Qubes-Whonix for a long time.
* Not on the horizon for Qubes-Whonix. Qubes VM kernel non-default issue.
* Qubes issue: https://github.com/QubesOS/qubes-issues/issues/2558

----

Linux Kernel Runtime Guard (LKRG)
- https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG

* Soon to be installed by default in Non-Qubes-Whonix.
* Not soon to be installed in Qubes-Whonix by default because Qubes is
  not using Qubes VM kernel by default yet.
* Qubes issues:
    * https://github.com/QubesOS/qubes-issues/issues/5461
    * https://github.com/QubesOS/qubes-issues/issues/1850
    * https://github.com/QubesOS/qubes-issues/issues/5212

----

tirdad - TCP ISN CPU Information Leak Protection
- https://github.com/Whonix/tirdad

* Soon to be installed by default in Non-Qubes-Whonix.
* Not soon to be installed in Qubes-Whonix by default because Qubes is
  not using Qubes VM kernel by default yet.
* Qubes issue: https://github.com/QubesOS/qubes-issues/issues/5212

----

Kernel Hardening through Kernel Boot Parameters
- https://github.com/Whonix/security-misc/blob/master/etc/default/grub.d/40_kernel_hardening.cfg

* Already installed by default in Non-Qubes-Whonix for a long time.
* Not on the horizon for Qubes-Whonix. Qubes VM kernel non-default issue.
* Qubes issue: https://github.com/QubesOS/qubes-issues/issues/5212

----

Strong Linux User Account Separation / Protection against Bruteforcing
Linux User Account Passwords
- https://github.com/Whonix/security-misc
- https://www.whonix.org/wiki/Dev/Permissions#Bruteforcing_Linux_User_Account_Passwords

* Already default in Non-Qubes-Whonix.
* Might be fixable in Qubes-Whonix
    * https://forums.whonix.org/t/qubes-sudo-su-root-hardening-development-discussion/8561
* Qubes issues:
    * https://github.com/QubesOS/qubes-core-agent-linux/pull/171
    * https://github.com/QubesOS/qubes-issues/issues/2695
    * https://github.com/QubesOS/qubes-issues/issues/1885

----

Please help fixing these issues!

-----

This was originally posted here:

https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581

https://twitter.com/Whonix/status/1201050814900588544

From blackhole at torproject.org Thu Dec 12 19:32:51 2019
From: blackhole at torproject.org (Tor Bug Tracker & Wiki)
Date: Thu, 12 Dec 2019 18:32:51 -0000
Subject: [Whonix-devel] #17400 [Applications/Tor Browser]: Decide how to use the multi-lingual Tor Browser in the alpha/release series
In-Reply-To: <042.3d027c8e2c86d4bde0dc681e8e45da4b@torproject.org>
References: <042.3d027c8e2c86d4bde0dc681e8e45da4b@torproject.org>
Message-ID: <057.8998a06dd0252953b29da6a72e4533c4@torproject.org>

#17400: Decide how to use the multi-lingual Tor Browser in the alpha/release series
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ux-team,                             |  Actual Points:
  tbb-usability-stoppoint-wizard,                |
  TorBrowserTeam202002, AffectsTails             |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by sysrqb):

 * cc: cohosh (added)
 * keywords: ux-team, tbb-usability-stoppoint-wizard,
     TorBrowserTeam201608, AffectsTails => ux-team,
     tbb-usability-stoppoint-wizard, TorBrowserTeam202002, AffectsTails

Comment:

 See #32711 for one additional benefit of this. We recently merged #32676
 for the Tails use-case, but this ticket would provide many more benefits,
 too. Maybe we should start with #22710.

--
Ticket URL:
Tor Bug Tracker & Wiki
The Tor Project: anonymity online

From procmem at riseup.net Fri Dec 13 04:30:27 2019
From: procmem at riseup.net (procmem at riseup.net)
Date: Fri, 13 Dec 2019 03:30:27 +0000
Subject: [Whonix-devel] Fwd: MinEntropy Implications for Passphrase Strength
In-Reply-To:
References:
Message-ID: <2ea90e3a-12f6-4f44-cdb7-f2b1f638144a@riseup.net>

-------- Forwarded Message --------
Subject: Re: MinEntropy Implications for Passphrase Strength
Date: Thu, 12 Dec 2019 15:03:38 -0500
From: Arnold Reinhold
To: procmem

It's not an easy question to answer. Here is a somewhat more legible
discussion:

https://crypto.stackexchange.com/questions/66097/why-is-min-entropy-significant-in-cryptography

At the simplest level, if you think of the Diceware word list as a set of
symbols, and you are picking each symbol with a uniform random process,
which physical dice approximate very well, then min entropy equals Shannon
entropy. On the other hand, if you look at the resulting pass phrase as a
string of characters, the distribution will not be uniformly random, and
the min entropy will be less than the Shannon entropy.

The Diceware word list can occasionally generate passphrases so short that
they are subject to brute force searches, that's why I recommend requiring
a minimum length.

Min entropy attempts to bound the worst case behavior, but that is not
necessarily realistic. The words have semantic meaning and it is possible
to randomly generate a passphrase like "Four score and seven years ago"
which might be in a list of, say, the top 1000 English phrases. That could
be considered a min entropy of less than 10 bits.
But such occurrences are rare and are fairly easy for humans to spot.

This does not only apply to Diceware. A string of random characters could
spell a word. A random hex string could be 3243F6A8885A3, aka Pi. One
solution would be to check a generated password or phrase against a
collection of cracker lists, but any given password could be added to such
lists at a later date, so that won't completely eliminate the problem.

What Shannon entropy does do for a password or phrase generation scheme is
measure the likelihood that a weak password will be generated, which in
the case of Diceware is extremely low.

Best,

agr

> On Nov 19, 2019, at 6:20 PM, procmem at riseup.net
> wrote:
>
> Hi Arnold. I came across a publication that claims minentropy is a more
> accurate measure for passphrase strength than Shannon Entropy. The
> Wikipedia article on the topic is complex and not really accessible for
> people who want to learn about it.
>
> Questions:
>
> * What is Minentropy and how does it impact Diceware passphrase strength?
>
> * How do I calculate it?
>
> I would appreciate a plain English explanation I can add to our
> documentation. TIA.
>
>
> https://www.cs.bu.edu/~reyzin/papers/entropy-survey-ICITS-2011-no-animations.pdf
>
> https://en.wikipedia.org/wiki/Min-entropy
>
> PS. Before sending I found this link that somewhat helps:
>
> https://crypto.stackexchange.com/questions/63786/relation-between-entropy-and-min-entropy
>
> Does this imply minentropy is only relevant in cases where passphrases
> are formed from sources with non uniform distributions?
>
> I have CC'd our ML so your reply can benefit our users.
>
>
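
The distinction drawn in the message above, worked through as an added example (not part of the forwarded message or the Diceware project). It assumes a constructed four-word list, the standard 7776-word Diceware list size, and a character-level guesser limited to 26 lowercase letters.

```python
import math
from collections import Counter
from itertools import product

def shannon_entropy(probs):
    """H = -sum p*log2(p): the average surprise of the generator."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def min_entropy(probs):
    """H_min = -log2(max p): set by the single most likely outcome."""
    return -math.log2(max(probs))

def string_distribution(words, n_words, sep=""):
    """Probability of each resulting string when words are drawn uniformly."""
    counts = Counter(sep.join(c) for c in product(words, repeat=n_words))
    total = len(words) ** n_words
    return [c / total for c in counts.values()]

def min_chars(n_words, list_size=7776, alphabet=26):
    """Shortest length at which guessing characters costs as much as guessing words."""
    return math.ceil(n_words * math.log2(list_size) / math.log2(alphabet))

# Constructed 4-word list (not Diceware words), chosen so that joined
# words can collide: "a"+"ba" and "ab"+"a" both give "aba".
TOY_WORDS = ["a", "ab", "b", "ba"]

def demo():
    word_level = [1 / 16] * 16                        # 2 uniform picks from 4 words
    joined = string_distribution(TOY_WORDS, 2)        # viewed as a bare string
    spaced = string_distribution(TOY_WORDS, 2, " ")   # separator keeps picks distinct
    return {
        "word_level": (shannon_entropy(word_level), min_entropy(word_level)),
        "joined": (shannon_entropy(joined), min_entropy(joined)),
        "spaced": (shannon_entropy(spaced), min_entropy(spaced)),
        "min_chars_5_words": min_chars(5),
        "min_chars_6_words": min_chars(6),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

At the word level both measures agree; once the same picks are read as a bare string, the colliding outputs pull min-entropy below Shannon entropy, and `min_chars` gives the length below which a character-by-character search is cheaper than a word-by-word one.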

From blackhole at torproject.org Mon Dec 16 12:50:30 2019
From: blackhole at torproject.org (Tor Bug Tracker & Wiki)
Date: Mon, 16 Dec 2019 11:50:30 -0000
Subject: [Whonix-devel] #9675 [Applications/Tor Launcher]: Provide feedback mechanism for clock-skew and other bad problems
In-Reply-To: <045.450235e9604cfa29a09ceeb02fc15df8@torproject.org>
References: <045.450235e9604cfa29a09ceeb02fc15df8@torproject.org>
Message-ID: <060.d2b65e4145b102515b3184c436d0e574@torproject.org>

#9675: Provide feedback mechanism for clock-skew and other bad problems
-------------------------------------------------+-------------------------
 Reporter:  lunar                                |          Owner:  brade
     Type:  defect                               |         Status:  assigned
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Launcher            |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-3.0, extdev-interview,           |  Actual Points:
  tbb-helpdesk-frequent, tbb-usability,          |
  AffectsTails                                   |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 FWIW: Firefox has an own mechanism to detect clock skew because of
 certificate invalidation concerns, see:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1339329. It might be not
 fine-grained enough for our purposes but I figured I should mention it at
 least for completeness sake.

From blackhole at torproject.org Wed Dec 18 14:13:15 2019
From: blackhole at torproject.org (Tor Bug Tracker & Wiki)
Date: Wed, 18 Dec 2019 13:13:15 -0000
Subject: [Whonix-devel] #31090 [Webpages]: stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org
In-Reply-To: <049.b90c17480cda65eae9352fe2f69017cb@torproject.org>
References: <049.b90c17480cda65eae9352fe2f69017cb@torproject.org>
Message-ID: <064.c2ab1577b5dbf500a2b9f75407b07e97@torproject.org>

#31090: stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org
-----------------------+--------------------------
 Reporter:  adrelanos  |          Owner:  (none)
     Type:  defect     |         Status:  reopened
 Priority:  Medium     |      Milestone:
Component:  Webpages   |        Version:
 Severity:  Normal     |     Resolution:
 Keywords:             |  Actual Points:
Parent ID:             |         Points:
 Reviewer:             |        Sponsor:
-----------------------+--------------------------
Changes (by adrelanos):

 * status:  closed => reopened
 * resolution:  duplicate =>

Comment:

 I don't think this is a duplicate and I don't think this was solved. The
 reasons to no longer use keyservers are still valid.

 I've downloaded Tor. Not Tor Browser.

 * https://dist.torproject.org/tor-0.4.2.5.tar.gz
 * https://dist.torproject.org/tor-0.4.2.5.tar.gz.asc

 For that I need Nick's signing key
 {{{7A02B3521DC75C542BA015456AFEE6D49E92B601}}}.

 https://support.torproject.org/tbb/how-to-verify-signature/ explains how
 to do that for Tor Browser, uses {{{curl -s
 https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf
 |gpg --import -}}} but I wouldn't know how to use that to get Tor signing
 key / acquire Nick's key.

 Currently it is documented nowhere how to acquire Nick's key. Therefore
 reopening.

From patrick-mailinglists at whonix.org Mon Dec 30 11:03:24 2019
From: patrick-mailinglists at whonix.org (Patrick Schleizer)
Date: Mon, 30 Dec 2019 10:03:24 +0000
Subject: [Whonix-devel] systemd unit file to remount /home /tmp /dev/shm /run with nosuid, nodev
Message-ID:

Hello,

a script to remount /home /tmp /dev/shm /run (configurable) with
nosuid,nodev (+noexec configurable) has been created by me.

The purpose of remounting is increasing the security of the system. The
script shall run as early as reasonably possible during boot.

The systemd unit file [1] and script [2] attached below in a simplified
version or links to actual version. [3] [4]

This is planned to be enabled by default in a Debian derivative Linux
distribution.

The issue with the systemd unit file is that it runs the script while
other scripts are run and it seems like "mount -o nosuid,nodev --bind /tmp
/tmp" is non-atomic. By that I mean, other scripts (run by other systemd
unit files) that require /tmp are experiencing a split second or so where
/tmp is non-writeable and therefore fail. Various race conditions are
possible and one was already experienced.

How to solve that?

Not using '/etc/fstab.d' because fstab '.d' folder does not exist yet. [5]

Not using '/etc/fstab' because that is non-ideal for a derivative Debian
Linux distribution. [6]

a) The remount-secure.service unit file should run alone. Non-parallel.
Until remount-secure.service is done, no other systemd unit files should
be run. Is that possible with systemd?

b) The remount-secure.service should add a reverse dependency to most
other systemd unit files which is saying "After=remount-secure.service".
Is that possible?

c) Could the systemd unit file express "do this right after systemd is
done with the usual file system mounting but still? Which service or
target would that be? 'Before=local-fs.target' and
'After=systemd-remount-fs.service'?

d) Or remount-secure.service should not exist and instead be a drop-in
configuration file snippet
'/lib/systemd/system/systemd-remount-fs.service.d/30_remount-secure.conf'
using 'ExecStartPost=/usr/lib/security-misc/remount-secure'?

e) Any other solution?

Kind regards,
Patrick

[1]

[Unit]
Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
Documentation=https://github.com/Whonix/security-misc

DefaultDependencies=no
Before=sysinit.target
Requires=local-fs.target
After=local-fs.target
After=qubes-sysinit.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/security-misc/remount-secure

[Install]
WantedBy=sysinit.target

[2]

mount -o remount,nosuid,nodev /home
mount -o remount,nosuid,nodev /run
mount -o remount,nosuid,nodev /dev/shm
mount -o nosuid,nodev --bind /tmp /tmp

[3]
https://github.com/Whonix/security-misc/blob/master/lib/systemd/system/remount-secure.service

[4]
https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remount-secure

[5] https://github.com/systemd/systemd/issues/12506

[6] Confusing question for users who upgrade or make changes to the
file. (dpkg interactive conflict resolution dialog)
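
One way to check, after boot, that the four paths named in the message above actually carry nosuid and nodev. This is an added example, not code from security-misc; the mount table is a constructed sample in /proc/mounts format, and `TARGETS`, `audit` and the other names are hypothetical. It covers two cases that a plain grep misses: a path that is not its own mount point and inherits its flags from the parent filesystem, and a path with more than one mount stacked on it.

```python
import re

REQUIRED = {"nosuid", "nodev"}
TARGETS = ["/home", "/tmp", "/dev/shm", "/run"]   # paths named in the post

# Constructed /proc/mounts-style sample: /home is only a directory on the
# root filesystem, and /tmp carries a second mount stacked over the first.
SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, {options})] in table order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # The kernel writes space, tab and backslash as octal escapes.
        mnt = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[1])
        entries.append((mnt, set(fields[3].split(","))))
    return entries

def covering_mount(path, entries):
    """Longest mount point that contains path; the later entry wins a tie."""
    best = None
    for mnt, opts in entries:
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, opts)
    return best

def audit(text, targets=TARGETS, required=REQUIRED):
    """Map each target to (covering mount, missing flags, is its own mount)."""
    report = {}
    for path in targets:
        mnt, opts = covering_mount(path, parse_mounts(text)) or ("", set())
        report[path] = (mnt, sorted(required - opts), mnt == path)
    return report

if __name__ == "__main__":
    for path, (mnt, missing, own) in audit(SAMPLE).items():
        state = "ok" if not missing else "missing " + ",".join(missing)
        kind = "own mount" if own else "inherited"
        print(f"{path}: covered by {mnt or '?'} ({kind}): {state}")
```

On a live system, pass the contents of /proc/self/mounts to `audit` in place of `SAMPLE`.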