HackerTrans
TopNewTrendsCommentsPastAskShowJobs

almet

55 karmajoined hace 10 años

Submissions

Tool to use signal without a smartphone

github.com
1 points·by almet·hace 21 horas·0 comments

Reticulum: Source-privacy claim vs. routing metadata

codeberg.org
12 points·by almet·hace 2 meses·1 comments

How to Reproduce Container Images

dangerzone.rocks
1 points·by almet·hace 3 meses·0 comments

Pwn Santa – Container Isolation Bug Bounty / CTF

dangerzone.rocks
4 points·by almet·hace 7 meses·1 comments

comments

almet
·hace 3 meses·discuss
Currently working on a way to help folks setup a signal account without requiring a smartphone.

It's in rust with egui, and should help folks to do that without the cli.

Not ready for prime time yet, but available at https://github.com/almet/signal-without-smartphone
almet
·hace 6 meses·discuss
(Hi, disclaimer: I'm one of the current dangerzone maintainers)

You are correct: that's basically what Dangerzone is doing!

The challenges for us are to have a sandbox that keeps being secure and make it possible for non-tech folks (e.g. journalists) to run this in their machines easily.

About the sandbox:

- Making sure that it's still updated requires some work: that's testing new container images, and having a way to distribute them securely to the host machines ;

- In addition to running in a container, we reduce the attack surface by using gVisor¹ ;

- We pass a few flags to the Docker/Podman invocation, effectively blocking network access and reducing the authorized system calls ;

Also, in our case the sandbox doesn't mount the host filesystem in any way, and we're streaming back pixels, that will be then written to a PDF by the host (we're also currently considering adding the option to write back images instead).

The other part of the work is to make that easily accessible to non-tech folks. That means packaging Podman on macOS/Windows, and providing an interface that works on all major OSes.

¹ https://dangerzone.rocks/news/2024-09-23-gvisor/
almet
·hace 6 meses·discuss
(Hi, disclaimer: I'm one of the current dangerzone maintainers)

That's a good question :-)

Opening PDFs, or images, or any other document directly inside your machine, even with a limited PDF viewer, potentially exposes your environment to this document.

The reason is that exploits in the image/font/docs parsing/rendering libraries can happen and are exploited in the wild. These exploits make it possible for an attacker to access the memory of the host, and in the worse case allow code execution.

Actually, that's the very threat Dangerzone is designed to protect you from.

We do that by doing the docs to pixel conversion inside a hardened container that uses gVisor to reduce the attack surface ¹

One other way to think about it is to actually consider document rendering unsafe. The approach Dangerzone is taking is to make sure the environment doing the conversion is as unprivileged as possible.

In practice, an attack is still possible, but much more costly: an attacker will be required to do a container escape or find a bug in the Linux kernel/gVisor in addition to finding an exploit in document rendering tools.

Not impossible, but multiple times more difficult.

¹ We covered that in more details in this article https://dangerzone.rocks/news/2024-09-23-gvisor/
almet
·hace 6 meses·discuss
(Hi, dangerzone maintainer here)

There is indeed a dangerzone-cli tool¹, and it should be made more visible. We plan on updating/consolidating our docs in the foreseeable future, to make things clearer.

Also, plans are here to make it possible to use dangerzone as a library, which should help use cases like the one you mention.

¹ https://github.com/freedomofpress/dangerzone/blob/main/dange...
almet
·hace 7 meses·discuss
Freedom of the Press Foundation is kick-starting a bug bounty program for this holiday season.

Challenge the popular adage "containers don't contain", by sending Santa a naughty letter that bypasses Dangerzone protections (Libreoffice + gVisor + Podman)

If your letter breaks a containerization layer by capturing a flag, you get the associated bounty.

Have fun!