Date:      Thu, 8 Apr 2021 12:24:02 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Stefan Blachmann <sblachmann@gmail.com>
Cc:        Gordon Tetlow <gordon@tetlows.org>, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team <secteam@freebsd.org>, Ed Maste <emaste@freebsd.org>, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject:   Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID:  <20210408162402.en6dxevum7se2ndj@mutt-hbsd>
In-Reply-To: <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com>
References:  <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com>



On Thu, Apr 08, 2021 at 04:50:17AM +0200, Stefan Blachmann wrote:
> The answers I got from both "Security Officers" surprised me so much
> that I had to let that settle a bit to understand the implications.
>
> Looking at the FreeBSD Porters' Handbook
> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> it describes the purpose of the package pre- and postinstallation
> scripts as to "set up the package so that it is as ready to use as
> possible".
>
> It explicitly names only a few actions that are forbidden for them to
> do: "...must not be abused to start services, stop services, or run
> any other commands that will modify the currently running system."
>
> Anything else is apparently deemed “allowed”.
> Spying out the machine and its configuration, sending that data to an
> external entity – perfectly OK. Not a problem at all.
>
> This has been proved by the handling of this last BSDstats security
> incident, where the FreeBSD “pkg” utility is being abused to run
> spyware without the users’ prior knowledge and without their consent.
>
> This abuse is apparently being considered acceptable by both FreeBSD
> and HardenedBSD security officers.
> Instead of taking action, you "security officers" tell the FreeBSD
> users that it is their own fault that they got “pwnd”.
> Just because they trustingly installed software from the package repo
> hosted by FreeBSD, without religiously and carefully auditing each and
> every package's pre- and postinstallation scripts before the actual
> install, using the “pkg -I” option.
>
> Indeed, I felt very surprised that the “Security Officer” of
> “Hardened BSD” chimed in, only to publicly demonstrate his lack of
> competence to recognize obvious security problems.
> Like two fish caught with a single hook!

1. Ad hominem much? I understand the underlying problem very well.
2. Your hostility is incredibly annoying.
3. You attribute malice where there is none.
4. This is volunteer work, where volunteers have everyone's well-being
   in mind.
5. Threatening to go to journalists accomplishes... what? What makes
   you think journalists are NOT paying attention to this list? What
   makes you think journalists care about you?
6. I really, really, really, really, really hate the "Karen" meme. But
   it fits incredibly well here.
7. Where can I review your patches that fix the problem?
8. Entitlement mentality much?

Sure, the bsdstats package shouldn't submit just on "pkg install."
Instead of fixing the problem, you went the hostile route.

I'm sure you won't learn anything from this, but I hope you do. To me,
it reinforces how random people feel entitled to force their will on
others.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20210408162402.en6dxevum7se2ndj>