[liberationtech] "uVirtus Linux, encrypted OS for Syria": a security review
KheOps
kheops at ceops.eu
Fri Feb 7 04:42:00 PST 2014
On Fri, Feb 07, 2014 at 11:25:31AM +0200, Maxim Kammerer wrote:
> On Fri, Feb 7, 2014 at 2:37 AM, Sahar Massachi <Sahar at brandeis.edu> wrote:
> > The fact that there's a "naked sudo" hole is brutal.
> >
> > Forgive me if I misunderstand the problem, but how could *anyone* ship a
> > distribution with a passwordless sudo? That seems like it requires
> > deliberate malice to even set up.
>
> Careful here: Tails had passwordless sudo prior to v0.11, less than 2
> years ago. So either unlimited local root access is not such a big
> deal, or recommendation to use Tails is short-sighted — in either case
> the report has a problem. I suggest that the report author sweeps both
> issues under the carpet simultaneously using a politically correct
> language referencing problems that were taken care of a long time ago,
> and are not that critical to begin with.

There may be two different things mixed here.

First, recommending the use of Tails instead of uVirtus is not just
related to the passwordless root access. You probably noticed by reading
the report that there are numerous other issues in and around uVirtus
that make Tails undoubtedly a safer (and possibly easier to use) choice.
Possibly not the only choice though, as this is mentioned in the
conclusion with a link to a comparative study between IprediaOS, Liberté
Linux, Privatix, Tails and Whonix. The idea was to avoid just saying
"Hey, you're using uVirtus, too bad for you", but to also give a link to
better solutions overall. It is a misunderstanding to think that I
"sweep under the carpet" the root issue and Tails at the same time: I
would perform the same recommendation even without this issue.

Second, on the passwordless issue itself. It may be a matter of
interpretation, but considering that any executable program using "sudo"
can get unlimited access seems problematic to me. As mentioned in the
report, in Syria a common method of attack is to fool users into
downloading and executing malicious programs disguised as something
else. If one manages to have the user do this from uVirtus, it looks to
me quite easy then to perform nasty stuff such as messing around with
the data contained on the local hard disks. Maybe it is not so easy to
do, making the issue "not that critical" as you state, in which case I
think it'd be useful to justify the claim a bit. But then maybe this
depends on other security features of the system you're considering, and
in uVirtus the fact that this issue is surrounded by many others seems
to make it quite critical.

The Tails ChangeLog¹ I found for 0.11 does not seem to explain why the
passwordless root was removed, but my guess would go towards security
concerns.

Best,
KheOps

¹ https://git-tails.immerda.ch/tails/plain/debian/changelog?id=0.11
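
An added example, not part of the original message or of either project's code: a minimal audit of sudoers rules for the passwordless-root configuration discussed in this thread. The sample rules and account names are constructed, and the parser is an assumption-laden sketch that covers only simple user specifications (alias definitions and #include directives are skipped).

```python
import re

# Constructed sample sudoers content (not taken from uVirtus or Tails).
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
# live-session account: root without a password prompt
liveuser ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, \\
         /bin/tar
%wheel   ALL = (ALL) PASSWD: /bin/ls, NOPASSWD: ALL
"""

TAG = re.compile(r"^([A-Z_]+)\s*:\s*")  # NOPASSWD:, PASSWD:, SETENV:, ...

def logical_lines(text):
    """Join backslash-continued lines; drop blank and '#' lines."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        line, buf = buf.strip(), ""
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (who, command, severity) for every rule that skips the password."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            if "!authenticate" in line:  # disables password prompts globally
                findings.append(("Defaults", "!authenticate", "critical"))
            continue
        parts = line.split(None, 1)
        if re.match(r"\w+_Alias\b", line) or len(parts) < 2 or "=" not in parts[1]:
            continue
        who, cmds = parts[0], parts[1].partition("=")[2]
        cmds = re.sub(r"\([^)]*\)", "", cmds)  # drop Runas specs such as (ALL:ALL)
        nopasswd = False  # tags are sticky across the comma-separated list
        for cmd in (c.strip() for c in cmds.split(",")):
            while (m := TAG.match(cmd)):
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                cmd = cmd[m.end():]
            if nopasswd:
                findings.append((who, cmd, "critical" if cmd == "ALL" else "review"))
    return findings

if __name__ == "__main__":
    for who, cmd, severity in audit(SAMPLE_SUDOERS):
        print(f"{severity:8} {who:10} may run {cmd} without a password")
```
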