[liberationtech] "uVirtus Linux, encrypted OS for Syria": a security review

Sahar Massachi Sahar at brandeis.edu
Thu Feb 6 16:37:47 PST 2014


The fact that there's a "naked sudo" hole is brutal.

Forgive me if I misunderstand the problem, but how could *anyone* ship a
distribution with a passwordless sudo? That seems like it requires
deliberate malice to even set up.


On Thu, Feb 6, 2014 at 2:18 PM, KheOps <kheops at ceops.eu> wrote:

> Dear all,
>
> The uVirtus live distribution was publicized back in September as a
> secure live OS specifically designed for Syrians. It stems from the idea
> of having a one-click easy to use VPN client that uses OpenVPN over
> Obfsproxy.
>
> After testing it and discovering a few issues, I spent some more time in
> order to dig a bit more into its security.
>
> I noticed numerous worrying security issues, and overall it does not
> appear to me as really responsible to recommend it instead of, say,
> Tails. Issues include for instance holes that may help an attacker
> compromise the user's machine by gaining root access and weak protection
> against data leaking in cleartext out of the VPN.
>
> I published a report that lists all the issues I could find and tried to
> assess their seriousness. I hope it is detailed and precise enough.
>
> It is available here in English:
>
> https://press.telecomix.ceops.eu/en/posts/Review_of_security_issues_in_uVirtus_2.0/
>
> And in Arabic (sorry for the long link):
>
> https://press.telecomix.ceops.eu/ar/posts/%D9%85%D8%B1%D8%A7%D8%AC%D8%B9%D8%A9_%D9%84%D9%82%D8%B6%D8%A7%D9%8A%D8%A7_%D9%86%D8%B8%D8%A7%D9%85_uvirtus_2.0_%D8%A7%D9%84%D8%A3%D9%85%D9%86%D9%8A%D8%A9/
>
> We should thank Ameer, a Telecomix friend who spent a lot of time on
> translating it, but also giving me hints and correcting some English
> mistakes.
>
> We hope this helps to better assess uVirtus security and maybe feed the
> thinking for possible future versions.
>
> Sorry for the TLS certificate warning you will probably get in your
> browser, it is signed with the CA you'll find there:
>
> https://github.com/TelecomixSyria/TheSouq/tree/master/resources/ssl-ca/2012-2014
>
> and its SHA1 fingerprint is
> C2:00:C7:9B:2C:9F:88:31:8B:A9:9E:B4:37:27:4E:93:75:8A:A7:6B.
>
> With datalove!
> KheOps



-- 
Sahar Massachi

c: (585) 313-6649
t: twitter.com/sayhar
w: saharmassachi.com