Ubuntu 24.10 To Enhance Snap Permissions Handling

  • #31
    Originally posted by moonwalker View Post
    I see you missed the memo
    Internet connectivity is not the only reason to make sure all CVEs are addressed; there are plenty of possible environment configurations where security is a very high concern despite the whole network being air-gapped from the larger wide web. Ever heard of defense in depth?
    With APT/DNF repositories it is fairly trivial to mirror them wholesale, as they are just static file directory structures. Whereas Snap Store is a whole application server requiring database and other components, and it is still not open by itself, you can only have isolated deployment of snap store proxy which is NOT the same as the actual snap store. And while snap store proxy can operate in isolated mode, even making sure that it contains just the absolutely necessary packages available and up-to-date is not exactly trivial. Worse yet, what you suggest with using flash drive is frankly childish - that may work for a family-sized deployment or a small business the size of a mom-and-pop shop, but it's a complete non-starter for an actual product being sold to a significant enough number of large enough customers to justify the expense of developing and maintaining it.
    Their idea that an air-gapped system is secure is really naive.

    Wikipedia is full of hacks and possibilities to break the air gap...

    "Circumvention measures Since November 2013, scientists have shown that air gaps can be tricked using various methods. They can be overcome using covert acoustic networks.[3][4]
    A computer's graphics card can also be used to generate a radio signal.[5]
    The air gap can even be overcome by temperature changes.[6]
    Information can also be spied on via GSM devices (such as mobile phones).[7]
    Small amounts of data can also be transmitted using the noise of a hard disk read/write head[8]
    Another point of attack is optical transmission via manipulated hard disk activity indicators or other LEDs that are visible from the outside[9] The processor of a PC can be used to emit radio waves.[10] Network cables can also be used to generate radio signals.[11]"

    How exactly can people claim that an air gap alone is enough as a security measure and that such systems do not need security updates...

    If you can deliver security updates to air-gapped systems with .deb and .rpm and flatpak and the same task is not possible with snap, then of course snap is a security disaster.

    Phantom circuit Sequence Reducer Dyslexia

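The mirroring point quoted above (an APT repository is a static file tree that can be copied wholesale) has a practical counterpart on the receiving side of an air gap: whoever imports the copy should check that what arrived is what the suite's Release file describes before pointing apt at it. The script below is an added example, not code from this thread, from apt or from Canonical. It follows the hash chain Release -> Packages -> .deb over an in-memory tree; the Release file, the Packages index and the .deb blob are constructed inside build_sample_tree(), with their digests computed there, so it runs offline. Assumption: apt's own OpenPGP check of the InRelease/Release.gpg signature is a separate step and is not reproduced here.

```python
"""Offline integrity check of a mirrored APT repository tree.

Added example; not code from this thread, from apt or from Canonical.
The sample Release, Packages and .deb contents are constructed below and
their SHA256 digests are computed in build_sample_tree(). Assumption: the
OpenPGP signature on InRelease/Release.gpg is verified separately (apt does
that itself); this script only follows the hash chain
Release -> Packages -> .deb.
"""
import hashlib
from typing import Dict, List, Tuple


def parse_release_sha256(release_text: str) -> Dict[str, Tuple[int, str]]:
    """Return {relative path: (size, hex sha256)} from the "SHA256:" block.

    A Release file carries several hash blocks (MD5Sum:, SHA1:, SHA256:), each
    a header line followed by space-indented " <hash> <size> <path>" lines.
    Only the SHA256 block is used here.
    """
    entries: Dict[str, Tuple[int, str]] = {}
    in_block = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_block = line.rstrip() == "SHA256:"
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (int(size), digest)
    return entries


def parse_packages(packages_text: str) -> List[Dict[str, str]]:
    """Split a Packages index into blank-line separated "Field: value" stanzas."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":
            continue  # continuation of a multi-line field (Description); not needed
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def _matches(data: bytes, size: int, digest: str) -> bool:
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_mirror(tree: Dict[str, bytes], suite: str) -> List[str]:
    """Check every index listed in dists/<suite>/Release and every .deb listed
    in each Packages index. tree maps repository-relative path -> file bytes
    (a real mirror would read them from disk). Returns the list of problems;
    an empty list means the copied tree is exactly what Release describes."""
    problems: List[str] = []
    release_path = f"dists/{suite}/Release"
    release = tree.get(release_path)
    if release is None:
        return [f"missing {release_path}"]
    for rel_path, (size, digest) in parse_release_sha256(release.decode()).items():
        index_path = f"dists/{suite}/{rel_path}"
        index = tree.get(index_path)
        if index is None:
            problems.append(f"missing index {index_path}")
            continue
        if not _matches(index, size, digest):
            problems.append(f"hash mismatch for {index_path}")
            continue  # do not trust package entries from a tampered index
        if not rel_path.endswith("/Packages"):
            continue
        for stanza in parse_packages(index.decode()):
            deb_path = stanza["Filename"]
            deb = tree.get(deb_path)
            if deb is None:
                problems.append(f"missing package {deb_path}")
            elif not _matches(deb, int(stanza["Size"]), stanza["SHA256"]):
                problems.append(f"hash mismatch for {deb_path}")
    return problems


DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"  # constructed


def build_sample_tree(deb_contents: bytes) -> Dict[str, bytes]:
    """Constructed one-suite, one-package mirror; all digests computed here."""
    packages = (
        "Package: example\n"
        "Version: 1.0-1\n"
        "Architecture: amd64\n"
        f"Filename: {DEB_PATH}\n"
        f"Size: {len(deb_contents)}\n"
        f"SHA256: {hashlib.sha256(deb_contents).hexdigest()}\n"
        "Description: constructed sample package\n"
        " (not a real .deb)\n"
        "\n"
    ).encode()
    release = (
        "Suite: stable\n"
        "Architectures: amd64\n"
        "Components: main\n"
        "MD5Sum:\n"
        f" {hashlib.md5(packages).hexdigest()} {len(packages)} main/binary-amd64/Packages\n"
        "SHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-amd64/Packages\n"
    ).encode()
    return {
        "dists/stable/Release": release,
        "dists/stable/main/binary-amd64/Packages": packages,
        DEB_PATH: deb_contents,
    }


if __name__ == "__main__":
    good = build_sample_tree(b"constructed .deb payload")
    print("clean mirror:", verify_mirror(good, "stable"))
    tampered = dict(good)
    tampered[DEB_PATH] = b"constructed .deb payload, modified in transit"
    print("tampered .deb:", verify_mirror(tampered, "stable"))
```

The check refuses to walk into a Packages index whose own hash does not match, because package entries read from a tampered index say nothing about what the publisher shipped; this is the same trust order apt applies (signed Release, then indexes, then archives).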


    • #32
      Originally posted by moonwalker View Post
      Internet connectivity is not the only reason to make sure all CVEs are addressed; there are plenty of possible environment configurations where security is a very high concern despite the whole network being air-gapped from the larger wide web. Ever heard of defense in depth?
      As far as I can tell, the news is flooded with air-gap hacks; see for example these two news items:

      "Attack on air-gapped systems: Malware exfiltrates data wirelessly through the RAM

      The attack technique does not deliver a high data rate, but it is sufficient for real-time keylogging and the extraction of passwords and RSA keys.

      In particularly security-critical environments, there are often so-called air-gapped systems that are completely isolated for security reasons, i.e. operated without any network connection. This generally prevents attackers from communicating with these systems and extracting data. However, a researcher has developed a new attack technique that makes this possible - wirelessly via the RAM.

      The attack, known as Rambo, was developed by Mordechai Guri, a well-known security researcher at Israel's Ben-Gurion University of the Negev. In the past, Guri has often presented attacks on air-gapped systems - for example via keyboard LEDs, PC fans, changes in screen brightness or via a LAN cable used as an antenna.

      Controlled memory access generates radio signals

      For the Rambo attack to succeed, the target system must first be infected with malware that controls data transmission. This can be done, for example, using a USB stick with malware hidden on it that is connected to the isolated computer by an unwitting employee or a malicious intruder on site. The malware can then, according to Guri, generate radio signals via the system's internal memory buses that can be received using special hardware and an antenna. According to a report by Bleeping Computer, this is achieved through controlled read and write access to the memory, which generates electromagnetic emissions from the RAM.

      The attack technique enables bit-by-bit data transmissions over several meters. The attack should also be successful from a virtual machine, provided the host system and other VMs running in parallel do not interfere with the signal generation. Guri used the Manchester code for data transmission as part of his experiments. This offers advantages in terms of clock synchronization and error detection, the researcher explains in his paper (PDF).

      Passwords exfiltrated in a matter of seconds

      A high data transfer rate cannot be expected from Rambo, but it is sufficient for real-time keylogging and for intercepting passwords, tokens and other sensitive information. According to Guri, transfer rates of up to 1,000 bits per second are possible. However, the data throughput must be reduced as the distance from the receiver increases, otherwise the error rate increases too high. According to the researcher, a 4,096-bit RSA key can be transmitted in 4 to 42 seconds, biometric data with a volume of 10,000 bits in 10 to 100 seconds, and a 128-bit password in 0.1 to 1.3 seconds. The shorter times were achieved in Guri's measurements at a distance of three meters, and the longer times were seven meters.

      In his paper, Guri lists several possible mitigations that can be used to protect air-gapped systems from the Rambo attack. These include generating random memory accesses, emitting external jamming signals, monitoring the environment for unknown radio signals, and using Faraday cages to block unwanted signal transmission from the isolated system."
      The attack technique does not deliver a high data rate, but it is sufficient for real-time keylogging and for exfiltrating passwords and RSA keys.


      "Air-gapped systems: Malware uses LCD pixel patterns to extract data using sound

      Reception occurs, for example, via a smartphone located nearby. The data rate is low, but sufficient for keylogging and passwords.

      In addition to Rambo, security researcher Mordechai Guri from Israel's Ben-Gurion University of the Negev recently presented another attack technique that can be used to exfiltrate data from air-gapped systems without a network connection. In the attack known as Pixhell, data is transmitted using acoustic signals, which, however, do not come from a loudspeaker, but from an LCD monitor connected to the target system.

      Air-gapped systems are often used in particularly security-critical environments. Their isolation from the Internet and other networks ensures that potential attackers cannot access them remotely and possibly intercept sensitive information or intervene in security-critical processes. As Guri has shown several times in the past, there are ways to exfiltrate data from such systems without permanent physical access - for example via keyboard LEDs, PC fans, radio signals generated by RAM access or a connected LAN cable that is misused as an antenna.

      From pixel pattern to sound to data transfer

      If you want to protect an air-gapped system from acoustic signal transmission, you might come up with the idea of removing all audio hardware. Guri uses Pixhell as an example to show that this is not necessarily enough. In the attack technique, malware outputs special pixel patterns on an LCD screen to generate audio signals in the frequency range from 0 to 22 kHz.

      "The malicious code uses the sound generated by coils and capacitors to control the frequencies emitted by the screen," writes Guri in a 12-page paper (PDF) in which he introduces Pixhell. This makes it possible to transmit coded information - for example to a nearby notebook, smartphone or other receiving device with an integrated microphone.

      The researcher emphasizes that the patterns generated on the LCD screen are usually visible. In order to remain undetected, attackers can therefore schedule the data transfer for a time when no user is present. According to Guri, the patterns can also be limited to very slight changes in the brightness and color of the respective pixels, so that the attack is only noticeable on closer inspection.

      Data transmission over more than two meters

      Guri tested the attack with several display devices from different manufacturers. He managed to capture the acoustic signals generated with a smartphone from distances of up to 2.5 meters and decode the data contained in them. It should also be possible to simultaneously process the signals from several monitors with a single receiving device. Depending on the monitor and distance, Guri achieved data rates of 5 to 20 bits per second. Pixhell is therefore unsuitable for exfiltrating large amounts of data, but it is sufficient for keylogging or intercepting simple but sensitive character strings such as passwords or keys within a few seconds or minutes.

      Guri suggests several possible measures to protect air-gapped systems from the Pixhell attack. These include generating acoustic interference signals, monitoring the environment for patterns of audio signals, monitoring screen contents for unusual pixel patterns with an external camera, as well as physical access controls and a ban on devices equipped with microphones in security-critical areas."
      Reception takes place, for example, via a smartphone located nearby. The data rate is low, but sufficient for keylogging and passwords.


      Phantom circuit Sequence Reducer Dyslexia

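The Rambo write-up quoted above says Guri chose Manchester coding for its clock-synchronization and error-detection properties. The script below is an added example (not code from the paper, from the news article or from this thread) that shows both properties on a constructed frame: every bit is sent as two chips with a transition in the middle, so a receiver that starts listening at an arbitrary chip can still find the bit boundaries, and a chip pair without a transition is not a valid symbol, so a corrupted chip is detected rather than decoded into a wrong bit. The preamble bytes, the sync byte, the length field and the single-chip flip used as noise are assumptions of this example; the radio side (turning chips into memory-bus emissions) is not modelled.

```python
"""Manchester-coded framing, as described in the Rambo write-up quoted above.

Added example; not code from the paper, from the news article or from this
thread. Framing (preamble, sync byte, length byte) and the chip-flip "noise"
are assumptions chosen to show two properties of the code: it is self-clocking
(every symbol has a mid-bit transition, so bit alignment can be recovered from
an arbitrary starting chip) and it detects errors (a pair with no transition is
not a valid symbol).
"""
from typing import List, Optional

# Framing assumptions (not from the paper): alternating preamble bytes so the
# wrong alignment fails immediately, a sync byte that cannot occur inside the
# preamble, then a one-byte payload length.
PREAMBLE = bytes([0x55, 0x55])
SYNC = 0x7E


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def manchester_encode(bits: List[int]) -> List[int]:
    """IEEE 802.3 convention: 0 -> high,low (1,0); 1 -> low,high (0,1)."""
    chips: List[int] = []
    for bit in bits:
        chips.extend((0, 1) if bit else (1, 0))
    return chips


def manchester_decode(chips: List[int]) -> List[int]:
    """Inverse of manchester_encode. A pair without a transition (00 or 11)
    cannot be a symbol, so it is reported instead of being guessed."""
    if len(chips) % 2:
        raise ValueError("odd number of chips")
    bits: List[int] = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair == (0, 1):
            bits.append(1)
        elif pair == (1, 0):
            bits.append(0)
        else:
            raise ValueError(f"no mid-bit transition at chip {i}: {pair}")
    return bits


def build_frame(payload: bytes) -> List[int]:
    """Transmitter side: preamble + sync + length + payload, Manchester coded."""
    if len(payload) > 255:
        raise ValueError("payload too long for a one-byte length field")
    return manchester_encode(bytes_to_bits(PREAMBLE + bytes([SYNC, len(payload)]) + payload))


def flip_chip(chips: List[int], index: int) -> List[int]:
    """Simulated reception error: one chip inverted (constructed noise)."""
    damaged = list(chips)
    damaged[index] ^= 1
    return damaged


def _find_sync(bits: List[int]) -> Optional[int]:
    """Index just past the first SYNC byte, searched at bit granularity."""
    pattern = bytes_to_bits(bytes([SYNC]))
    for start in range(len(bits) - len(pattern) + 1):
        if bits[start:start + len(pattern)] == pattern:
            return start + len(pattern)
    return None


def recover_frame(chips: List[int]) -> Optional[bytes]:
    """Receiver side. The capture may begin at any chip, so both possible bit
    alignments are tried; the wrong one fails at the first transition in the
    preamble. Returns the payload, or None when the frame is unusable."""
    for phase in (0, 1):
        aligned = chips[phase:]
        aligned = aligned[:len(aligned) - (len(aligned) % 2)]
        try:
            bits = manchester_decode(aligned)
        except ValueError:
            continue  # wrong alignment, or a corrupted chip: either way unusable
        start = _find_sync(bits)
        if start is None or start + 8 > len(bits):
            continue
        length = bits_to_bytes(bits[start:start + 8])[0]
        end = start + 8 + 8 * length
        if end > len(bits):
            continue  # truncated capture
        return bits_to_bytes(bits[start + 8:end])
    return None


if __name__ == "__main__":
    frame = build_frame(b"hunter2")
    print(recover_frame(frame[5:]))             # capture started mid-preamble
    print(recover_frame(flip_chip(frame, 60)))  # one inverted chip -> None
```

Note what the error detection does and does not cover: one inverted chip always turns a symbol into 00 or 11 and is caught, but two inverted chips in the same symbol swap the bit undetected, which is why a real link would still put a checksum in the payload.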


      • #33
        Originally posted by qarium View Post

        It's time for businesses and people to understand that a distro like Ubuntu with Microsoft money inside is not in their best interest.

        Switch to Debian or Fedora or Rocky Linux... I did switch from Kubuntu to Fedora years ago.
        Hate to break it to you but every Linux distro has MS money inside it:

        Linux Foundation members help support the development of shared technology resources while accelerating their own innovation through open source.


        Notice who the Platinum members are, Microsoft, Intel, Meta/FB, IBM/RH, all the companies that Linux users love to hate.

        AMD, who Linux users seem to love, is only a Silver member.

        And the Fedora you seem to love so much?

        I believe you claimed a fully up-to date Fedora install of yours was taken down by a virus that could survive a full disk format, so maybe Fedora should not be used in anyone's best interest.

        Unless of course you were mistaken.



        • #34
          Originally posted by sophisticles View Post
          Hate to break it to you but every Linux distro has MS money inside it:
          Linux Foundation members help support the development of shared technology resources while accelerating their own innovation through open source.

          Notice who the Platinum members are, Microsoft, Intel, Meta/FB, IBM/RH, all the companies that Linux users love to hate.
          AMD, who Linux users seem to love, is only a Silver member.
          And the Fedora you seem to love so much?
          There is a difference between the Linux Foundation and Ubuntu: in the case of the Linux Foundation it is only money from Microsoft, but the management is not in their hands.

          With Ubuntu it is different: the complete management of Ubuntu is in the hands of these evil Microsoft people.


          Originally posted by sophisticles View Post
          I believe you claimed a fully up-to date Fedora install of yours was taken down by a virus that could survive a full disk format, so maybe Fedora should not be used in anyone's best interest.
          Unless of course you were mistaken.
          You claim you have a cyber security university degree, so please explain this to me:
          The company has decided not to extend these updates to its Ryzen 1000, 2000, and 3000 series processors or its Threadripper 1000 and 2000 models.

          You claim in your writing that it is impossible to hide a virus on my system that could survive a full disk format...
          I have a Threadripper 1920X; this means the Zen 1 CPU architecture, which means my CPU has the Sinkclose vulnerability, and Zen 1, Zen 1+ and Zen 2 will never get a BIOS/UEFI update with updated microcode.
          This means as soon as someone has root access at kernel level, he can use Sinkclose to install a virus that can in fact survive a full disk format.

          But you know, what you talk about here is an older story; it was about a vulnerability in the language pack of Firefox 119.
          It used a chain of vulnerabilities: Firefox 119 as the entry point, then a glibc root exploit to get root access at kernel level, and then the LogoFAIL vulnerability to install a poisoned /boot/efi/logo.jpg in order to install a virus that did in fact survive a full disk format.

          Because of that story (you, sophisticles, did post the poisoned link to the web server that did this) I'm pretty sure my systems are trash and I have to buy a new system.

          Sinkclose will never get patches on my Threadripper 1920X system, and I am pretty sure the attackers knew about Sinkclose as well, which means they did not only use LogoFAIL; they of course installed a trojan horse via Sinkclose as well.

          Phantom circuit Sequence Reducer Dyslexia



          • #35
            Originally posted by qarium View Post
            It's time for businesses and people to understand that a distro like Ubuntu with Microsoft money inside is not in their best interest.

            Switch to Debian or Fedora or Rocky Linux... I did switch from Kubuntu to Fedora years ago.
            I want stability with a desktop; Ubuntu provides that. Fedora's only interested in chasing upstream, which broke GNOME for me since F38 or F39, and still F40 last month.

            FreeBSD's where it's at now, without the nonsense of systemd as an init being able to leak past OS VPNs with its own DNS, and being able to make the decision to use Xorg without prejudice.



            • #36
              Originally posted by moonwalker View Post
              I see you missed the memo
              But those are Nightlies, that is not the equivalent of what is available as the Snap nor as the deb from the PPA.

              Originally posted by moonwalker View Post
              Internet connectivity is not the only reason to make sure all CVEs are addressed; there are plenty of possible environment configurations where security is a very high concern despite the whole network being air-gapped from the larger wide web. Ever heard of defense in depth?
              Hence why I wrote that the need was low, not non-existent.

              Originally posted by moonwalker View Post
              With APT/DNF repositories it is fairly trivial to mirror them wholesale, as they are just static file directory structures. Whereas Snap Store is a whole application server requiring database and other components, and it is still not open by itself, you can only have isolated deployment of snap store proxy which is NOT the same as the actual snap store. And while snap store proxy can operate in isolated mode, even making sure that it contains just the absolutely necessary packages available and up-to-date is not exactly trivial. Worse yet, what you suggest with using flash drive is frankly childish - that may work for a family-sized deployment or a small business the size of a mom-and-pop shop, but it's a complete non-starter for an actual product being sold to a significant enough number of large enough customers to justify the expense of developing and maintaining it.
              The reason that I mentioned flash drives was because I interpreted it to be that those clients of yours were completely without network. Ofc if they have a network share you can just put the files there instead (and it is possible to script this in a way that makes it work exactly how it would work with separate .deb files); not entirely sure why you decided to be so anal about the specific way of delivery in something that was just an example. But it reminds me to not try to ever give you any more tips in the future.
              Last edited by F.Ultra; 11 September 2024, 08:45 PM.



              • #37
                Originally posted by qarium View Post
                It's time for businesses and people to understand that a distro like Ubuntu with Microsoft money inside is not in their best interest.

                Switch to Debian or Fedora or Rocky Linux... I did switch from Kubuntu to Fedora years ago.
                It's time for the people that don't run said businesses to stop assuming they know what's in those businesses' best interest. As much as I personally would love to see everyone adopt Debian. And other people already replied about Microsoft money.

                Originally posted by F.Ultra View Post
                But those are Nightlies, that is not the equivalent of what is available as the Snap nor as the deb from the PPA.
                First, that's completely beside the point of me not buying the claims that Mozilla demanded Canonical package FF as a snap, because Mozilla did start shipping their own APT repos way after Canonical switched FF to snap. Second:
                Code:
                $ sudo apt-cache policy firefox
                firefox:
                  Installed: (none)
                  Candidate: 130.0-2
                  Version table:
                     130.0~build2 500
                        500 https://packages.mozilla.org/apt mozilla/main amd64 Packages
                ...
                Code:
                $ sudo apt-cache policy firefox-esr
                firefox-esr:
                  Installed: (none)
                  Candidate: 128.2.0esr~build1
                  Version table:
                     128.2.0esr~build1 500
                        500 https://packages.mozilla.org/apt mozilla/main amd64 Packages
                ...
                Had you read the whole blog post, you'd see this (emphasis is mine):
                Following a period of testing, these packages will become available on the beta, esr, and release branches of Firefox.
                Originally posted by F.Ultra View Post
                Hence why I wrote that the need was low, not non-existent.
                What's low for a grandma that only uses computer to record baking recipes is grave for an engineer working on, e.g., a classified DARPA project.
                Originally posted by F.Ultra View Post
                The reason that I mentioned flash drives was because I interpreted it to be that those clients of your where completely without network. Ofc if they have a network share you can just put the files there instead (and it is possible to script this in a way that makes it work exactly how it would work with separe .deb files), not entirely sure why you deiced to be so anal about the specific way of delivery in something that was just an example. But it reminds me to not try to ever give you any more tips in the future.
                The reason I "decided to be so anal about the specific way of delivery" is one word - scale. It has to work at a very large scale, combined with potentially very stringent security requirements.
                Last edited by moonwalker; 12 September 2024, 02:27 AM.



                • #38
                  Originally posted by MadWatch View Post

                  I don't understand why so many users complain about this. Why is many mount points a problem? Honest question, not trolling.
                  It's something the kernel and subsystems must keep track of, taking up resources. But the primary issue that bugs me is the spam when using various tools that deal with devices and mount points, having to search through endless text for the one you need among the numerous ones active. On my system I see about half a page's worth of console text when shutting down the computer about deactivated mounts... ugly. And this is with absolutely minimal use of snap, always using another method if available.

                  What would the experience be under ubuntu where everything that can be has been transferred to use snap?



                  • #39
                    Originally posted by qarium View Post

                    Their idea that an air-gapped system is secure is really naive.

                    Wikipedia is full of hacks and possibilities to break the air gap...

                    "Circumvention measures Since November 2013, scientists have shown that air gaps can be tricked using various methods. They can be overcome using covert acoustic networks.[3][4]
                    A computer's graphics card can also be used to generate a radio signal.[5]
                    The air gap can even be overcome by temperature changes.[6]
                    Information can also be spied on via GSM devices (such as mobile phones).[7]
                    Small amounts of data can also be transmitted using the noise of a hard disk read/write head[8]
                    Another point of attack is optical transmission via manipulated hard disk activity indicators or other LEDs that are visible from the outside[9] The processor of a PC can be used to emit radio waves.[10] Network cables can also be used to generate radio signals.[11]"

                    How exactly can people claim that an air gap alone is enough as a security measure and that such systems do not need security updates...

                    If you can deliver security updates to air-gapped systems with .deb and .rpm and flatpak and the same task is not possible with snap, then of course snap is a security disaster.
                    Total security is impossible. The most you can do is make it harder for hackers to break in. The methods you describe above are pretty exotic, and very hard to pull off, and impossible on many embedded systems because they lack the hardware you mention. So yes, air-gapping does offer an extra degree of security.



                    • #40
                      Originally posted by MadWatch View Post

                      I don't understand why so many users complain about this. Why is many mount points a problem? Honest question, not trolling.
                      BeCaUsE iT dOeSnT lOoK nIcE!!!!111oneoneone
