malicious rootfs and/or uboot?

A blog reader contacted me asking:

"I'm wondering how we can know that your linux images and the programs we download are not malicious."

My answer was basically you don't since you didn't download, inspect and compile the code yourself.

I thought it was a great question and a good topic to discuss.

-grayman4hire
======================================
Pogoplug V2 and V3 Serial Connection
Tutorial - Pogoplug v4 (Series 4 and Mobile) with Linux (Debian or Arch)
OpenWRT on Pogoplug Mobile
Tutorial - Pogoplug E02/V4 with Arch Linux ARM
Hacking the Pogoplug v3/Oxnas (Pro/Classic) with Debian
OpenWRT on Pogoplug v3/Oxnas (Pro/Classic)

speaking for myeslf - I come in the category of most users and "hope" that what i install is safe as i lack the indepth knowledge to inspect and verify 99% of code out there

*usual caveats apply*

It's a legit question. I think there are several questions when one installs a software package or system:

1. Is it safe from the source?

- Can you trust the distro builder? i.e track record or a large organization. How many people have been using the system?
- Is it full discolsure? ie. you can build the same thing from the provide source code?

2. How do I know that it has been tampered with?

- Can I verify it by inspection?
- Can I verify it by software tools

We could pick each question and discuss. I'm doing my tax, so a little bit busy :)) but will answer question or suggest what can be done for users that are very security contious.

PS.

Also, I think the tittle of the thread/post should be changed to something less alarming ;)

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)



Edited 2 time(s). Last edit at 04/14/2015 05:19PM by bodhi.

For those with a little time on their hands, I would recommend reading the paper "Reflections on Trusting Trust" by Ken Thompson, one of the original Unix developers. It addresses the issue of just how difficult it is to ensure there have been no trojans inserted in an OS, and it's well worth the read:

http://www.cs.berkeley.edu/~rxin/db-papers/TrustingTrust-Thompson.pdf

And similarly, i will admit the thought crossed my mind if linking our registration names to each MAC address (at Pogo site to enable SSH) has something to do with the low cost? I know beyond our safe neighborhoods it's a cruel world, and intelligence agencies have their jobs to do. But I've looked at text I've written ten years earlier and -edited- LOL

That was the initial appeal of a home NAS, or better yet Local Area Network Attached Storage.

I hope this is the place to ask, because I'd like to setup with all the bells and whistles you have here, but the other Pogo Pro I'd like to Net-neuter and keep it to LAN and use the wireless (as-is) for 100-foot range out in the shed.

I think it was TEN who mentioned being hammered on port 21 that got me thinking of a dedicated Pogo for offline.



Edited 1 time(s). Last edit at 04/14/2015 11:14PM by JoeyPogoPlugE02.

restamp,

> http://www.cs.berkeley.edu/~rxin/db-papers/Trustin
> gTrust-Thompson.pdf

Agreed. Great paper, highly recommended!

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

JoeyPogoPlugE02 Wrote:
-------------------------------------------------------
> And similarly, i will admit the thought crossed my
> mind if linking our registration names to each MAC
> address (at Pogo site to enable SSH) has something
> to do with the low cost? I know beyond our safe
> neighborhoods it's a cruel world, and intelligence
> agencies have their jobs to do. But I've looked at
> text I've written ten years earlier and -edited-
> LOL
>
Honestly, I don't know, but you really have a good and/or strong point there. OTOH, if you noticed from my post, I prefer hack my PogoPlug Pro P02 from a serial/console connection to enable SSH instead of registering it to PogoPlug to get the SSH enabled.

bodhi Wrote:
-------------------------------------------------------
> Also, I think the tittle of the thread/post should
> be changed to something less alarming ;)

Come on, you know I did that intentionally :)

restamp Wrote:
-------------------------------------------------------
> For those with a little time on their hands, I
> would recommend reading the paper "Reflections
> on Trusting Trust" by Ken Thompson, one of the
> original Unix developers. It addresses the issue
> of just how difficult it is to ensure there have
> been no trojans inserted in an OS, and it's well
> worth the read:
>
> http://www.cs.berkeley.edu/~rxin/db-papers/Trustin
> gTrust-Thompson.pdf

Thanks I'll give it a read.

-grayman4hire
======================================
Pogoplug V2 and V3 Serial Connection
Tutorial - Pogoplug v4 (Series 4 and Mobile) with Linux (Debian or Arch)
OpenWRT on Pogoplug Mobile
Tutorial - Pogoplug E02/V4 with Arch Linux ARM
Hacking the Pogoplug v3/Oxnas (Pro/Classic) with Debian
OpenWRT on Pogoplug v3/Oxnas (Pro/Classic)

Cant' wait to try that, thanks a million habibie.

Oh yeah forgot to exclaim, that paper IS a good read. OT but I'm going to make a Linux cheat sheep based on the code legend. Can't get some of this stuff into my head without repetition.



Edited 1 time(s). Last edit at 04/15/2015 02:52PM by JoeyPogoPlugE02.

Joey,

> And similarly, i will admit the thought crossed my
> mind if linking our registration names to each MAC
> address (at Pogo site to enable SSH) has something
> to do with the low cost?

I don't think so :) the Pogoplugs have been uncessful so they just want to dump inventory. But I agree, that is part of the low real price they sell.

Besides, with a box inside your LAN it is very secure, the weak spot is the router. Now if want to, you can use only local MAC address that you generate randomly (notice my u-boot installation default envs does use one I generated). WOL won't work with local MAC, but it's another issue. Only the internet facing box that you need to worry about, so habibie has a point in that if the box is going to face the net, then we'd rather not advertise it by registering at Cloudengines.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)



Edited 1 time(s). Last edit at 04/15/2015 03:17PM by bodhi.

grayman4hire,

> Come on, you know I did that intentionally :)

OK, it does sound sensational like a tabloid headline :))

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

bodhi Wrote:
-------------------------------------------------------
> Joey,
>
> > And similarly, i will admit the thought crossed
> my
> > mind if linking our registration names to each
> MAC
> > address (at Pogo site to enable SSH) has
> something
> > to do with the low cost?
>
> I don't think so :) the Pogoplugs have been
> uncessful so they just want to dump inventory. But
> I agree, that is part of the low real price they
> sell.
>
> Besides, with a box inside your LAN it is very
> secure, the weak spot is the router. Now if want
> to, you can use only local MAC address that you
> generate randomly (notice my u-boot installation
> default envs does use one I generated). WOL won't
> work with local MAC, but it's another issue. Only
> the internet facing box that you need to worry
> about, so habibie has a point in that if the box
> is going to face the net, then we'd rather not
> advertise it by registering at Cloudengines.

Yeah i just wondered and then out loud LOL Another, more practical reason I'd like to keep it in the LAN is, in case the net service they offer goes down. There's some fundamental things about LANS and DNS and low IPs I still have to get a grip on - as food for thought, all my Thin clients have an IP starting at 10. I wonder why the hospital does that. Ahh, another idea, I'll post off topic forum...

I'll be glad to answer any question about the rootfs and/or kernel releases. If I don't know the answer, perhaps someone will be able to suggest a good idea that we all can be benefited from.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

JoeyPogoPlugE02 Wrote:
-------------------------------------------------------
> Cant' wait to try that, thanks a million habibie.
>
If you take a look at my (2nd) patch where it removes the if [ "x$cedebug" != "x" ]; then, you will notice the cedebug is defined in the environemtn. On my original PogoPlug Pro P02, the environment doesn't contain cedebug variable. So, I suspect the PogoPlug server creates such a variable when one performs an activation to register his/her PogoPlug device. I believe you can create such a cedebug variable using blparam. I haven't played with blparam yet, so I don't know how to do this. Since we are talking about doing this through a serial console, perhaps you know how to modify the environment to add cedebug. I am a pretty newbie in this and have no clue how to do this, yet.

habibie Wrote:
-------------------------------------------------------
> JoeyPogoPlugE02 Wrote:
> --------------------------------------------------
> -----
> > Cant' wait to try that, thanks a million
> habibie.
> >
> If you take a look at my (2nd) patch where it
> removes the if [ "x$cedebug" != "x" ];
> then, you will notice the cedebug is
> defined in the environemtn. On my original
> PogoPlug Pro P02, the environment doesn't contain
> cedebug variable. So, I suspect the
> PogoPlug server creates such a variable when one
> performs an activation to register his/her
> PogoPlug device. I believe you can create such a
> cedebug variable using blparam. I haven't
> played with blparam yet, so I don't know how to do
> this. Since we are talking about doing this
> through a serial console, perhaps you know how to
> modify the environment to add cedebug. I am
> a pretty newbie in this and have no clue how to do
> this, yet.

If you guys post this off-topic issue in a new thread, I will show you how to do that.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

bodhi Wrote:
-------------------------------------------------------
> habibie Wrote:
> --------------------------------------------------
> -----
> > JoeyPogoPlugE02 Wrote:
> >
> --------------------------------------------------
>
> > -----
> > > Cant' wait to try that, thanks a million
> > habibie.
> > >
> > If you take a look at my (2nd) patch where it
> > removes the if [ "x$cedebug" != "x" ];
> > then, you will notice the cedebug is
> > defined in the environemtn. On my original
> > PogoPlug Pro P02, the environment doesn't
> contain
> > cedebug variable. So, I suspect the
> > PogoPlug server creates such a variable when
> one
> > performs an activation to register his/her
> > PogoPlug device. I believe you can create such
> a
> > cedebug variable using blparam. I
> haven't
> > played with blparam yet, so I don't know how to
> do
> > this. Since we are talking about doing this
> > through a serial console, perhaps you know how
> to
> > modify the environment to add cedebug. I
> am
> > a pretty newbie in this and have no clue how to
> do
> > this, yet.
>
> If you guys post this off-topic issue in a new
> thread, I will show you how to do that.
>
Bodhi,

I can do that. However, before I go ahead, will it make more sense to just respond to my original post?

JoeyPogoPlugE02 Wrote:
> I think it was TEN who mentioned being hammered on port 21

22 actually (standard only because one irresponsible provider fake-RSTs secure connections on other ports, as if it was the Great Firewall of China), but several 10000 SSH break-in attempts later I'm happy to report the iptables contrived at http://forum.doozan.com/read.php?2,20609,20799#msg-20799 et seq. (limited to 2 attempts per connection) reduce the 3h dynamic blacklist to 1-2 persistently stupid bots per machine, and require logging for only 3% approx. of DROPs, i.e. very little load to keep the machine accessible to legitimate users while making the drones stay away.
Of course I'd do it on the (closed source) router if that offered a decently configurable netfilter, but it doesn't burden the Pogoplug much either (which does offer everything required through iptables, and can conveniently etherwake more power-hungry LAN peers and pass e.g. a VNC port to them through ssh -L).



Edited 1 time(s). Last edit at 04/16/2015 04:53PM by TEN.

Thank you and bodhi for helping me understand that critical place in the infrastructure. That's one reason slow DSL doesn't bother me too much for now, and at one time even dialup had its appeal with me - less bandwidth for others to jackhammer their way in.

@grayman4hire - Good quesiton ...

I've been doing a blog for about 3 years and have become a great fan of disclaimers, something along the lines - "This is provided as is, without warranty or gaurantee of fitness for the purpose. If in doubt do your own due diligence, and don't download and/or use."

As was pointed out by others, there's really no way to know if anything downloaded is free from malicious stuff. Aside from compiling it oneself, after having read and understood what the code does.

Cheers

Don Charisma ... because anything is possible with Charisma

My blog - http://DonCharisma.org
Our commercial site - http://DonCharisma.com

PS, for the record - I'd vouch for bodhi's downloads ... I've yet to find any trojans or viri, hard to find even any bugs :)

Cheers

Don Charisma ... because anything is possible with Charisma

My blog - http://DonCharisma.org
Our commercial site - http://DonCharisma.com

DonCharisma Wrote:
-------------------------------------------------------
> PS, for the record - I'd vouch for bodhi's
> downloads ... I've yet to find any trojans or
> viri, hard to find even any bugs :)
>
> Cheers

This site is clean of trackers too, a good sign. I use Ghostery in every browser (with alert bubble shut off and only three trackers allowable).
And my knowledge of bohdi is such, if he had a global pogoplug farm crunching numbers for some universal cause (maybe OpenWRT with QOS when otherwise idle), I'd do it. Idle computer time is one thing, but 5-watts doing a good cause when my Dish receiver takes 23 Watts OFF...
Altruistic pipe dream? I have them sometimes - but I don't sense bohdi programming Pogoplugs to harass kittens or something LOL

And even though rootkits are insidious and bad, so is using root/root. I'll change mine immediately LOL

=========
-= Cloud 9 =-



Edited 1 time(s). Last edit at 04/20/2015 02:49PM by JoeyPogoPlugE02.

Thanks for the confidence guys:)

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

@bodhi - You're welcome, and thanks for all your efforts :)

... looks like Joey gets my sense of humour too, nice one Joey ... harass kittens ... classic !

Cheers

Don Charisma ... because anything is possible with Charisma

My blog - http://DonCharisma.org
Our commercial site - http://DonCharisma.com

DonCharisma Wrote:
-------------------------------------------------------
> ... looks like Joey gets my sense of humour too,
> nice one Joey ... harass kittens ... classic !
>
> Cheers

ahh bless yer heart :-) And dude your website is awesome to say the least.

=========
-= Cloud 9 =-