1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

Badness Enumeration

This commit is contained in:
Tommy 2022-07-27 09:37:53 -04:00 committed by tommytran732
parent 2c212f037f
commit cafb20949e
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
29 changed files with 57 additions and 21 deletions

View File

@ -28,11 +28,11 @@ params:
assets:
disableHLJS: true
disableFingerprinting: true
favicon: "/favicon.ico"
favicon16x16: "/favicon-16x16.png"
favicon32x32: "/favicon-32x32.png"
apple_touch_icon: "/apple-touch-icon.png"
safari_pinned_tab: "/safari-pinned-tab.svg"
favicon: "/favicon/favicon.ico"
favicon16x16: "/favicon/favicon-16x16.png"
favicon32x32: "/favicon/favicon-32x32.png"
apple_touch_icon: "/favicon/apple-touch-icon.png"
safari_pinned_tab: "/favicon/safari-pinned-tab.svg"
label:
text: "PrivSec.dev"

View File

@ -0,0 +1,36 @@
---
title: "Badness Enumeration"
date: 2022-07-27
tags: ['Knowledge base', 'Privacy', 'Security']
author: Tommy
---
Badness enumeration is the concept of making a list of known bad actors and attempting to block them. While it seems intuitive at first glance, badness enumeration should not be relied upon for privacy or security. In many cases, it actually does the exact opposite and directly harms the user. This post will attempt to explain why badness enumeration as a concept is flawed and give *some examples* of its failings in practice.
## The obvious problem
The obvious argument against badness enumeration is that there are so many threat actors out there, it is impossible to make a list to block all of them. Even when you make a magical list that somehow includes all of the threat actors that exist today, tomorrow a new threat actor will pop up and attack you anyways. Enumerating badness does not systematically solve the underlying problem. It is simply running away from the problem and hoping that a competent adversary will not come after you. Badness enumeration does not work, cannot work, has never worked, and will never work.
## Avdertisement/Tracker Blocking Extensions
On top of the [obvious problem](#the-obvious-problem) mentioned above, there are various technical reasons why advertisement/tracker blocking extensions cannot provide privacy. One of which is the fact that tracking can be done without any scripts at all. For example, a website only needs to know your session ID using a cookie and save all logs associated with that ID. It can then analyize when you visit the website, how long you visited the website for, which page on the website you spend the most time on, what you look at, and so on. Another problem is that a website can just host its own tracking code or [proxy third party tracking code under its own domain](https://gist.github.com/paivaric/211ca15afd48c5686226f5f747539e8b). Just because your adblocker blocks connections to Google Analytics does not mean that you can be sure you are actually "safe" from Google Analytics at all. Even when you are successful in doing so, there is nothing stopping the website from sharing the analytics data it collected on its own with Google either.
"Okay, so adblockers are unreliable, but what is the harm?" you may ask.
The problem here is that adblockers (especially with Manifest v2) are highly privileged and have access to all of your data within the browser. All it takes is for the extension developer to turn malicious for your passwords, session ids, TOTP secrets, etc to get compromised. Even if you were to assume that the extension developer is trustworthy, one vulnerability within the extension could still be catastrophic. This is made worse by the fact that adblockers typically use third-party blocklists, extending trust to the blocklist maintainers to not exploit the extension should a vulnerability be found. The ["uBlock, I exfiltrate"](https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css) blog post describes in detail how a CSS injection vulnerability in uBlockOrigin lead to data exfiltration with one sigle bad filtering rule.
Overall, adblockers weaken your security for dubios privacy benefits. You are better off not using any advertisement/tracker blocking extensions at all. If you want to avoid stateful tracking, consider clearing all cookies and site data upon exit, using [FireFox containers](https://linuxbsdos.com/2021/11/27/see-multi-account-containers-extension-is-not-needed-to-use-containers-in-firefox/), or using multiple browser instances. You would also need to hide your IP address using a VPN or something like the Tor network as well. If you are worried about stateless tracking, use a browser with fingerprinting protection like Brave (which can fool naive scripts) or Tor Browser (which has the best protection on the market).
## Antiviruses
Antiviruses are highly privileged processes with access to virtually all of your files and data, parsing through them trying to find something that matches a known bad signature. Beyond the fact that you need to trust the Antivirus company and that the signature list will never have all of the malware in existence, a vulnerable parser could lead to a system compromise. The [Abusing File Processing in Malware Detectors for Fun and Profit](/researches/Suman-Jana-and-Vitaly-Shmatikov.pdf) research paper by Suman Jana and Vitaly Shmatikov discusses this in detail.
The proper way to deal with untrusted applications is not to scan them with an Antivirus, but to confine them in such a way that even if they were maicious, they cannot do much damage at all. This has already been achieved on secure mobile operating systems like Android and iOS. Typically, attacks against these systems require an operating system level exploit chain, or for the user to actually mess up and grant an app access to sensitive data. On desktop operating systems, you should utilize virtualization to contain untrusted applications in their own virtual machine. This can be done with a system like Qubes OS, the [Windows Sandbox](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview), or just general KVM / HyperV Virtual Machines.
## Default Permit
Surprisingly (or unsurprisingly), the [The Six Dumbest Ideas in Computer Security](https://www.ranum.com/security/computer_security/editorials/dumb/) article from almost 20 years ago still holds true today. It explains the problem with Default Permit better than I ever could. In short, when setting up a Firewall or some sort of filter list, it is better to start out by blocking everything, then allowing only the traffic that you need. That way, you don't have to worry about applications that you didn't care enough to block turning out to be vulnerable. Sometimes, "goodness enumeration" is the solution to the problem.
## Conclusion
By now, I hope I have clearly explained why badness enumeration is never the solution to the problem. Sometimes, it can be a nice-to-have thing, like a VPN provider blocking advertisements and trackers on the DNS level to make the web experience more enjoyable. Other times, it can be harmful to your privacy and security, like with a malicious/vulnerable extension or antivirus. The important thing to keep in mind is that you cannot rely on badness enumeration for true privacy and security, and you should always be aware of the privacy and security implications that certain option may entail.

View File

@ -43,7 +43,7 @@ When logging into a website, all you need to do is to physically touch the secur
The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
![Yubico OTP](/yubico-otp.png)
![Yubico OTP](/images/yubico-otp.png)
The Yubico validation server is a cloud based service, and you're placing trust in Yubico that their server won't be used to bypass your MFA or profile you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.

View File

@ -9,7 +9,7 @@ The first task a person should do when taking steps to protect their privacy and
## Defining a threat
![Cameras](/cameras-1.jpg)
![Cameras](/images/cameras-1.jpg)
To make a threat model, we must first define a threat. A common mistake made by people who are just getting into the privacy space is to define the threat as "big-tech companies." There is a fundamental problem with this definition:
@ -66,7 +66,7 @@ If you have already submitted your real information to a number of sites which s
## Protection from malware and hackers
![Motherboard](/motherboard-1.jpg)
![Motherboard](/images/motherboard-1.jpg)
You need security to obtain any semblance of privacy: **Using tools which appear private is futile if they could easily be exploited by attackers to release your data later.**

View File

@ -11,7 +11,7 @@ Android is a very secure and robust operating system out of the box. This post w
### Recommended Phones
![Google Store](/google-store.png)
![Google Store](/images/google-store.png)
Google Pixel phones are the **only** devices I would recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google's custom [Titan](https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html) security chips acting as the Secure Element.
@ -24,11 +24,11 @@ You should also avoid buying the /e/ OS phones (sometimes branded as the Murena
You should also be very wary of low quality privacy branded phones like the Freedom Phone, BraX2 Phone, Volta Phone, and the like. These are cheap Chinese phones with the [Mediatek Helio P60](https://i.mediatek.com/p60) from 2018, which has already reached end-of-life or is near end-of-life. Needless to say, you should also avoid any vendor who claims they are Zero-day proof like this:
![Volta phone](/volta-phone.png)
![Volta phone](/images/volta-phone.png)
## Android-based Operating Systems
![GrapheneOS Aurora](/grapheneos-aurora.jpg)
![GrapheneOS Aurora](/images/grapheneos-aurora.jpg)
In certain cases, installing a custom Android-based operating system can help increase your privacy and security. This is rather tricky; however, as the vast majority of these operating systems (a.k.a. "custom ROMs") do exactly the opposite - breaking the Android security model, ruining your security while providing no or dubious privacy benefits.
@ -63,7 +63,7 @@ Quite a few applications allow you to "share" a file with them for media upload.
If you are using GrapheneOS, you should utilize the Storage Scopes feature to force apps that request broad storage access permission to function with scoped storage.
![VLC Storage Scopes](/vlc-storage-scopes.png)
![VLC Storage Scopes](/images/vlc-storage-scopes.png)
## User Profiles
@ -115,7 +115,7 @@ If you are using a device with Google services, either your stock operating syst
### Enroll in the Advanced Protection Program
![Advanced Protection Program](/advanced-protection-program.png)
![Advanced Protection Program](/images/advanced-protection-program.png)
If you have a Google account we suggest enrolling in the [Advanced Protection Program](https://landing.google.com/advancedprotection/). It is available at no cost to anyone with two or more hardware security keys with [FIDO2](/knowledge/multi-factor-authentication/#fido2-fast-identity-online) support.
@ -150,6 +150,6 @@ On Android distributions with privileged Google Play Services (such as stock OSe
- **Settings****Google** → **Ads**
- **Settings****Privacy** → **Ads**
![Ads=id](/ads-id.png)
![Ads=id](/images/ads-id.png)
You will either be given the option to delete your advertising ID or to *Opt out of interest-based ads*, this varies between OEM distributions of Android. If presented with the option to delete the advertising ID that is preferred. If not, then make sure to opt out and reset your advertising ID.

View File

@ -18,7 +18,7 @@ When choosing a custom Android-based operating system, you should make sure that
### Verified Boot
![Verified Boot](/verified-boot.png)
![Verified Boot](/images/verified-boot.png)
[Verified Boot](https://source.android.com/security/verifiedboot) is an important part of the Android security model. It provides protection against [evil maid](https://en.wikipedia.org/wiki/Evil_maid_attack) attacks, malware persistence, and ensures security updates cannot be downgraded with [rollback protection](https://source.android.com/security/verifiedboot/verified-boot#rollback-protection).
@ -66,14 +66,14 @@ In order for a system to be secure, it must have SELinux in Enforcing mode, acco
Unfortunately, many custom Android-based operating system builds (especially unofficial LineageOS builds) disables SELinux or set it into Permissive mode. You can check whether SELinux is in enforcing mode or not by executing `getenforce` in the ADB shell (the expected output is `Enforcing`). You should avoid any Android-based operating system builds that do not have SELinux in enforcing mode at all cost.
![ADB SELinux](/adb-selinux.png)
![ADB SELinux](/images/adb-selinux.png)
## Recommended Android-Based Operating Systems
Currently, I am only aware of two Android-based operating systems that should be used over the stock operating systems:
### GrapheneOS
![GrapheneOS Aurora](/grapheneos-aurora.jpg)
![GrapheneOS Aurora](/images/grapheneos-aurora.jpg)
[GrapheneOS](https://grapheneos.org) is the **only** custom Android-based operating system you should buy a new phone for. It provides additional [security hardening](https://en.wikipedia.org/wiki/Hardening_(computing)) and privacy improvements over the stock operating system from Google. It has a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), network and sensor permissions, and various other [security feature](https://grapheneos.org/features). GrapheneOS also comes with full firmware updates and signed builds, so verified boot is fully supported.
@ -83,7 +83,7 @@ Because GrapheneOS does not grant any Google Apps and Services apart from the op
Recently, GrapheneOS has also added the [Storage Scopes](https://grapheneos.org/usage#storage-access) feature, allowing you to force apps that request broad storage access permission to function with scoped storage. With this new feature, you no longer have to grant certain apps access to all of your media or files to use them anymore.
![VLC Storage Scopes](/vlc-storage-scopes.png)
![VLC Storage Scopes](/images/vlc-storage-scopes.png)
Currently, Google Pixel phones are the only devices that meet GrapheneOS's [hardware security requirements](https://grapheneos.org/faq#device-support).

View File

@ -15,7 +15,7 @@ For frozen distributions, package maintainers are expected to backport patches t
In fact, in certain cases, there have been vulnerabilities introduced by Debian because of their patching process. [Bug 1633467](https://bugzilla.mozilla.org/show_bug.cgi?id=1633467) and [Bug 1679430](https://bugzilla.mozilla.org/show_bug.cgi?id=1679430) are examples of this.
![Upstream / Distros Gap](/upstream-distros-gap.png)
![Upstream / Distros Gap](/images/upstream-distros-gap.png)
Holding packages back and applying interim patches is generally not a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
@ -74,7 +74,7 @@ Here is a quick non authoritative list of distributions that are generally bette
### Fedora Workstation
![Fedora](/fedora-screenshot.png)
![Fedora](/images/fedora-screenshot.png)
[Fedora Workstation](https://getfedora.org/en/workstation/) is a great general purpose Linux distribution, especially for those who are new to Linux. It is a semi-rolling release distribution. While some packages like GNOME are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.

View File

@ -5,7 +5,7 @@ tags: ['Operating Systems', 'Qubes OS', 'Anonymity', 'Privacy']
author: Tommy
---
![Lokinet](/lokinet.png)
![Lokinet](/images/lokinet.png)
[Lokinet](https://lokinet.org) is an Internet overlay network utilizing onion routing to provide anonymity for its users, similar to Tor network. This post will provide a quick (and non exhaustive) list of its [pros](#advantages) and [cons](#disadvantages) from an end user perspective and go over how to set it up on Qubes OS.

View File

Before

Width:  |  Height:  |  Size: 3.3 KiB

After

Width:  |  Height:  |  Size: 3.3 KiB

View File

Before

Width:  |  Height:  |  Size: 454 B

After

Width:  |  Height:  |  Size: 454 B

View File

Before

Width:  |  Height:  |  Size: 718 B

After

Width:  |  Height:  |  Size: 718 B

View File

Before

Width:  |  Height:  |  Size: 7.2 KiB

After

Width:  |  Height:  |  Size: 7.2 KiB

View File

Before

Width:  |  Height:  |  Size: 2.0 KiB

After

Width:  |  Height:  |  Size: 2.0 KiB

View File

Before

Width:  |  Height:  |  Size: 264 KiB

After

Width:  |  Height:  |  Size: 264 KiB

View File

Before

Width:  |  Height:  |  Size: 144 KiB

After

Width:  |  Height:  |  Size: 144 KiB

View File

Before

Width:  |  Height:  |  Size: 286 KiB

After

Width:  |  Height:  |  Size: 286 KiB

View File

Before

Width:  |  Height:  |  Size: 5.5 MiB

After

Width:  |  Height:  |  Size: 5.5 MiB

View File

Before

Width:  |  Height:  |  Size: 424 KiB

After

Width:  |  Height:  |  Size: 424 KiB

View File

Before

Width:  |  Height:  |  Size: 476 KiB

After

Width:  |  Height:  |  Size: 476 KiB

View File

Before

Width:  |  Height:  |  Size: 66 KiB

After

Width:  |  Height:  |  Size: 66 KiB

View File

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

View File

Before

Width:  |  Height:  |  Size: 379 KiB

After

Width:  |  Height:  |  Size: 379 KiB

View File

Before

Width:  |  Height:  |  Size: 539 KiB

After

Width:  |  Height:  |  Size: 539 KiB

View File

Before

Width:  |  Height:  |  Size: 102 KiB

After

Width:  |  Height:  |  Size: 102 KiB

View File

Before

Width:  |  Height:  |  Size: 90 KiB

After

Width:  |  Height:  |  Size: 90 KiB

View File

Before

Width:  |  Height:  |  Size: 433 KiB

After

Width:  |  Height:  |  Size: 433 KiB

View File

Before

Width:  |  Height:  |  Size: 837 KiB

After

Width:  |  Height:  |  Size: 837 KiB

View File

Before

Width:  |  Height:  |  Size: 160 KiB

After

Width:  |  Height:  |  Size: 160 KiB