tfn2k tfn2k | 18 Jan 12:07 2006

(unknown)

tfn2k tfn2k | 18 Jan 12:15 2006

(unknown)

Taka John Brunkhorst | 18 Jan 12:40 2006

Re:

I wonder how long this list has been idle.

On 1/18/06, tfn2k tfn2k <tfn2kk <at> gmail.com> wrote:
>

--
Int'l Anti-Microsoft Assn. Japan/S'pore Dept.
fsck /dev/urandom;
Taka John Brunkhorst
antiwmac <at> gmail.com

--

-- 
gentoo-security <at> gentoo.org mailing list

Stuart Howard | 18 Jan 12:54 2006

Re:

It is normally very quiet until someone puts up an interesting
subject, then a flurry of emails normally begins.

For example "IPtables vs Windows XP firewall for corporate security" ,
that should get a fair few coming in.

stu

On 18/01/06, Taka John Brunkhorst <antiwmac <at> gmail.com> wrote:
> I wonder how long this list has been idle.
>
> On 1/18/06, tfn2k tfn2k <tfn2kk <at> gmail.com> wrote:
> >
>
>
> --
> Int'l Anti-Microsoft Assn. Japan/S'pore Dept.
> fsck /dev/urandom;
> Taka John Brunkhorst
> antiwmac <at> gmail.com
>
> --
> gentoo-security <at> gentoo.org mailing list
>
>

--
"There are 10 types of people in this world: those who understand
binary, those who don't"

--Unknown

Taka John Brunkhorst | 18 Jan 13:30 2006

Re:

I see, it was so quiet I even forgot that I was in this list. :)

--
Int'l Anti-Microsoft Assn. Japan/S'pore Dept.
fsck /dev/urandom;
Taka John Brunkhorst
antiwmac <at> gmail.com

Douglas Breault Jr | 18 Jan 15:58 2006

Running untrusted software


Hello,

I am being forced to run software on my computer that I do not
inherently trust. It is supposed to collect a few pieces of information,
mainly my mac addresses and use the network. It is a one-time use CSA
(client security agent). It uses a csh script to unpack a "proprietary
binary" that we cannot see the source. There is no assurance it doesn't
collect other information or change anything on my computer.

I was curious as to what is the best way to handle this and situations
like these. In this instance, I was assuming downloading, and running on
a LiveCD would seem like the best policy. What if it uses methods to
discover that and I need to run it on my real installation? Is a chroot
jail the next best thing? As far as I know, to make a chroot jail I
merely copy programs and libraries inside a folder with the proper /
hierarchy and chroot into it. Is it more complex than this and are there
any guides?

Any and all suggestions are welcome.

Thank you,
Douglas Breault Jr.

--
How do I know the past isn't fiction designed to account for the discrepancy
between my immediate physical sensations and my state of mind?

/~\ The ASCII        Douglas Breault Jr. <GenKreton at comcast dot net>
\ / Ribbon Campaign  GnuPG public key ID: C4E44A19 (pgp.mit.edu)
 X  Against HTML     Key fingerprint:
/ \ Email!           21C3 F37D A8F5 1955 05F2  9A69 92A0 C177 C4E4 4A19
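
Douglas asks above how a chroot jail is actually put together. The script below is an added example, not code from this thread or from any poster: it copies one binary plus the libraries ldd(1) reports into a jail directory and enters it with GNU chroot(1), dropping to an unprivileged uid in the same step. The jail path, the uid/gid 1001 and the binary path are placeholders. A csh unpacker would additionally need /bin/csh and whatever it calls added with the same copy function, and the binary it drops can only be listed after unpacking it once somewhere disposable.

```sh
#!/bin/sh
# Added example (not from the thread): build a minimal chroot for one
# untrusted binary and run it there as an unprivileged uid.
# Assumes Linux with ldd(1) and GNU coreutils chroot(1) (for --userspec).
# uid/gid 1001 and the jail path are placeholders.
set -eu
LC_ALL=C; export LC_ALL

# Read ldd(1) output on stdin and print one shared-object path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)". The vdso ("linux-gate.so.1 =>  (0x...)")
# has no file and is skipped; unresolved libraries are reported on stderr.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\//  { print $3; next }
        $2 == "=>" && $3 == "not" { print "unresolved: " $1 | "cat 1>&2"; next }
        $1 ~ /^\//                { print $1 }
    '
}

# copy_into_jail JAIL /abs/path: copy one file, recreating its directory.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# build_jail JAIL BINARY: the binary, its libraries, and a writable /tmp.
# Nothing else goes in: no shell, no /proc, no /etc, no setuid files.
build_jail() {
    jail=$1; bin=$2
    copy_into_jail "$jail" "$bin"
    ldd "$bin" | ldd_paths | while read -r lib; do
        copy_into_jail "$jail" "$lib"
    done
    mkdir -p "$jail/tmp" "$jail/dev"
    chmod 1777 "$jail/tmp"
    chown -R root:root "$jail"   # the confined uid owns nothing but /tmp contents
}

# run_in_jail JAIL BINARY [ARGS...]: chroot(2) needs root, so the drop to the
# unprivileged uid happens in the same command. A process that is still root
# inside a plain chroot is not confined, so the uid switch is not optional.
run_in_jail() {
    jail=$1; bin=$2; shift 2
    chroot --userspec=1001:1001 "$jail" "$bin" "$@"
}

# Usage (as root): ./jail.sh /srv/jail /opt/csa/csa.bin
if [ $# -ge 2 ]; then
    build_jail "$1" "$2"
    run_in_jail "$1" "$2"
fi
```

Reading MAC addresses through ioctl(SIOCGIFHWADDR) on a socket needs neither root nor any file in the jail, so an agent that really only wants that information still works from inside; an agent that fails here is asking for more than it claims.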
Oliver Schad | 18 Jan 16:14 2006

Re: Running untrusted software

On Wednesday, 18 January 2006 15:58, Douglas Breault Jr wrote to me:
> I am being forced to run software on my computer that I do not
> inherently trust. It is supposed to collect a few pieces of
> information, mainly my mac addresses and use the network. It is a
> one-time use CSA (client security agent). It uses a csh script to
> unpack a "proprietary binary" that we cannot see the source. There is
> no assurance it doesn't collect other information or change anything
> on my computer.

If you don't trust this software, don't use it in a trusted environment,
which includes a trusted system and a trusted network.

> I was curious as to what is the best way to handle this and
> situations like these. In this instance, I was assuming downloading,
> and running on a LiveCD would seem like the best policy. 

Is your host in a trusted network?

> What if it 
> uses methods to discover that and I need to run it on my real
> installation? Is a chroot jail the next best thing? 

From a chroot environment you can easily escape on a standard kernel. 
Grsec offers a real chroot jail.

> As far as I know, 
> to make a chroot jail I merely copy programs and libraries inside a
> folder with the proper / hierarchy and chroot into it. Is it more
> complex than this and are there any guides?

# esearch jail

Best Regards
Oli


Johnson, Maurice E CTR NSWCDL-K74 | 18 Jan 16:24 2006

RE: Running untrusted software

A good host-based IDS (file integrity monitoring system) would record any system level changes made. It should be fairly trivial to start off with a sterile environment prior to running your CSA and inspect the environment afterwards.

Try Tripwire or AIDE.


-----Original Message-----
From:   Douglas Breault Jr. on behalf of Douglas Breault Jr
Sent:   Wed 1/18/2006 8:58 AM
To:     gentoo-security <at> lists.gentoo.org
Cc:    
Subject:        [gentoo-security] Running untrusted software
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello,

I am being forced to run software on my computer that I do not
inherently trust. It is supposed to collect a few pieces of information,
mainly my mac addresses and use the network. It is a one-time use CSA
(client security agent). It uses a csh script to unpack a "proprietary
binary" that we cannot see the source. There is no assurance it doesn't
collect other information or change anything on my computer.

I was curious as to what is the best way to handle this and situations
like these. In this instance, I was assuming downloading, and running on
a LiveCD would seem like the best policy. What if it uses methods to
discover that and I need to run it on my real installation? Is a chroot
jail the next best thing? As far as I know, to make a chroot jail I
merely copy programs and libraries inside a folder with the proper /
hierarchy and chroot into it. Is it more complex than this and are there
any guides?

Any and all suggestions are welcome.

Thank you,
Douglas Breault Jr.

- --
How do I know the past isn't fiction designed to account for the discrepancy
between my immediate physical sensations and my state of mind?

/~\ The ASCII        Douglas Breault Jr. <GenKreton at comcast dot net>
\ / Ribbon Campaign  GnuPG public key ID: C4E44A19 (pgp.mit.edu)
 X  Against HTML     Key fingerprint:
/ \ Email!           21C3 F37D A8F5 1955 05F2  9A69 92A0 C177 C4E4 4A19
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzleMkqDBd8TkShkRA1l4AKC2W54KDDwSN9MXKzodtN+v917BHgCfVsZJ
TPF6ZYn/ynJ5F9HZ45EtuPs=
=yPaH
-----END PGP SIGNATURE-----

Douglas Breault Jr | 18 Jan 16:29 2006

Re: Running untrusted software


I need to run this CSA in order to gain access to the network. I don't
trust the network much either, but I am always using OpenVPN, which I
trust completely. Currently I can access the network, and ergo my vpn
without this, but after the 26th that all changes.

I will definitely look into grsec but it seems complicated. Regardless I
require a viable solution and I will take the steps necessary,
regardless of complication.

Is there a way to try and trace what the binary wants to do? I'm aware I
could run strace on it and ethereal to capture what it transmits... But
is there more I can do?

Thanks,
Douglas Breault Jr.

Oliver Schad wrote:
> On Wednesday, 18 January 2006 15:58, Douglas Breault Jr wrote to me:
>> I am being forced to run software on my computer that I do not
>> inherently trust. It is supposed to collect a few pieces of
>> information, mainly my mac addresses and use the network. It is a
>> one-time use CSA (client security agent). It uses a csh script to
>> unpack a "proprietary binary" that we cannot see the source. There is
>> no assurance it doesn't collect other information or change anything
>> on my computer.
> 
> If you don't trust this software, don't use it in a trusted environment,
> which includes a trusted system and a trusted network.
> 
>> I was curious as to what is the best way to handle this and
>> situations like these. In this instance, I was assuming downloading,
>> and running on a LiveCD would seem like the best policy. 
> 
> Is your host in a trusted network?
> 
>> What if it 
>> uses methods to discover that and I need to run it on my real
>> installation? Is a chroot jail the next best thing? 
> 
> From a chroot environment you can easily escape on a standard kernel. 
> Grsec offers a real chroot jail.
> 
>> As far as I know, 
>> to make a chroot jail I merely copy programs and libraries inside a
>> folder with the proper / hierarchy and chroot into it. Is it more
>> complex than this and are there any guides?
> 
> # esearch jail
> 
> Best Regards
> Oli
> 

--
How do I know the past isn't fiction designed to account for the discrepancy
between my immediate physical sensations and my state of mind?

/~\ The ASCII        Douglas Breault Jr. <GenKreton at comcast dot net>
\ / Ribbon Campaign  GnuPG public key ID: C4E44A19 (pgp.mit.edu)
 X  Against HTML     Key fingerprint:
/ \ Email!           21C3 F37D A8F5 1955 05F2  9A69 92A0 C177 C4E4 4A19
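
Douglas mentions strace and ethereal. As an added example, not from the thread or any poster, here is a wrapper that runs the command under strace -f recording only the file, network and process syscall classes, then reduces the log to four lists: programs executed, paths opened (including attempts that failed), paths opened for writing, and IPv4 connect() targets. The log path and the command are the caller's; the format assumed is strace's default text output with the pid prefix that -f adds.

```sh
#!/bin/sh
# Added example (not from the thread): trace an untrusted command with
# strace(1) and summarise what it executed, opened, wrote and connected to.
# Assumes strace on Linux; log path and command are whatever the caller passes.
set -eu
LC_ALL=C; export LC_ALL

# trace_run LOG CMD [ARGS...]: follow children (-f), keep long strings (-s)
# and record file, network and process-creation syscalls only.
trace_run() {
    log=$1; shift
    strace -f -s 256 -o "$log" -e trace=file,network,process "$@"
}

# Every program the command executed: the csh unpacker, the binary it
# dropped, anything that binary spawned. Input is the trace on stdin.
trace_execs() {
    grep -E 'execve\("' | sed -E 's/.*execve\("([^"]*)".*/\1/' | sort -u
}

# Every path the command tried to open, including attempts that failed
# with EACCES/ENOENT: a probe for ~/.ssh or /etc/shadow shows up here.
trace_opens() {
    grep -E 'open(at)?\(' | sed -E 's/.*open(at)?\([^"]*"([^"]*)".*/\2/' | sort -u
}

# Only paths opened for writing or creation: what it changed on disk.
trace_writes() {
    grep -E 'open(at)?\(' | grep -E 'O_(WRONLY|RDWR|CREAT)' \
        | sed -E 's/.*open(at)?\([^"]*"([^"]*)".*/\2/' | sort -u
}

# IPv4 connect() targets as host:port. IPv6 (sin6_addr=inet_pton) and
# Unix sockets (sun_path) stay in the raw log but are not summarised.
trace_connects() {
    grep -E 'connect\(.*sin_addr=inet_addr' \
        | sed -E 's/.*sin_port=htons\(([0-9]+)\).*inet_addr\("([^"]+)"\).*/\2:\1/' \
        | sort -u
}

# report LOG: print the four lists from one trace file.
report() {
    for section in execs opens writes connects; do
        printf '== %s ==\n' "$section"
        "trace_$section" < "$1"
    done
}

# Usage: ./trace.sh /tmp/csa.trace ./install.csh
if [ $# -ge 2 ]; then
    status=0
    trace_run "$@" || status=$?
    report "$1"
    exit "$status"
fi
```

strace works through ptrace, so a binary that checks for a tracer (a failing PTRACE_TRACEME, or TracerPid in /proc/self/status) can notice it and behave differently; a packet capture on the interface with ethereal or tcpdump has no such tell and also shows traffic from any child the tracer lost. UDP sent with sendto() is in the raw log under the network class but not in the connect() summary.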
Oliver Schad | 18 Jan 16:36 2006

Re: Running untrusted software

On Wednesday, 18 January 2006 16:24, Johnson, Maurice E CTR
NSWCDL-K74 wrote to me:
> A good host-based IDS (file integrity monitoring system) would
> record any system level changes made. 

No such IDS records any changes in *file systems* if the running 
software has no access to root privileges. That is an important 
difference.

> It should be fairly trivial to 
> start off with a sterile environment prior to running your CSA and
> inspect the environment afterwards.
>
> Try Tripwire or AIDE.

This is not a good idea because this IDS cannot monitor all system 
activities. The only reliable way to monitor all activities is to run 
this software in a sandbox.

Best Regards
Oli
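
Maurice's suggestion and Oliver's objection can both be made concrete. The script below is an added example, not from the thread and not Tripwire or AIDE: it hashes every regular file under a root before and after the run and reports what was added, removed or changed. That is exactly the filesystem-state difference Maurice describes; what it cannot show is anything that never persists as a file: data read and sent over the network, a process left running, or a change the agent reverts before the second snapshot, which is Oliver's point. It assumes sha256sum(1) from GNU coreutils and paths without spaces or newlines.

```sh
#!/bin/sh
# Added example (not from the thread): a minimal before/after file-integrity
# check in the spirit of Tripwire/AIDE, hash-only.
# Assumes sha256sum(1); paths with whitespace break the awk field split.
set -eu
LC_ALL=C; export LC_ALL

# snapshot ROOT OUT: content hash of every regular file under ROOT, sorted
# by path. Run as root so an unreadable file aborts the snapshot instead of
# silently going missing from it, and keep OUT outside ROOT.
snapshot() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2) > "$2"
}

# compare BEFORE AFTER: one line per difference, "added|removed|changed PATH".
# A path present in both manifests with a different hash is "changed".
compare() {
    awk '
        FILENAME == ARGV[1] { before[$2] = $1; next }   # baseline manifest
        { after[$2] = $1 }                              # post-run manifest
        END {
            for (p in before) if (!(p in after)) print "removed " p
            for (p in after) {
                if (!(p in before)) print "added " p
                else if (after[p] != before[p]) print "changed " p
            }
        }' "$1" "$2" | sort
}

# Usage: ./fim.sh snapshot ROOT OUT   or   ./fim.sh compare BEFORE AFTER
case "${1:-}" in
    snapshot) snapshot "$2" "$3" ;;
    compare)  compare "$2" "$3" ;;
esac
```

Take both snapshots from a kernel you trust (the LiveCD), not from the installation the agent ran on, since a compromised kernel can hide files from find. A real integrity tool also records mode, owner, mtime and inode, so a setuid bit flipped on an otherwise unchanged file would slip past this hash-only version.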