May 12, 2020

Links (135)

Categories: Links
Tagged: Zoom Sicherheit Security Adblocker anti adblocker BlockAdBlock Covid19 Corona Tracker Covid Tracker Tracking App GPT-2 Bibel Erotik Onlinemeeting Meeting Video Konferenz video conference Hacker Exploits Google Analytics Wayland Song Kind Lied Butthole twitter Iceland Island

April 2, 2020

How to use Zoom with a Sandbox

With Corona, video conferences are on the rise and organizations tend to use Zoom. The problem is that Zoom keeps showing more security holes, bad practices and privacy problems.

Zoom has a version that runs in the browser, but in my experience it runs much worse than the native application. As running the native application is a security and privacy risk, let's see how we can use Linux sandbox techniques to restrict what the Zoom client can access.

1) Use flatpak.
Flatpak runs applications in a sandbox called bubblewrap, which isolates them from most of your personal data. You can find Zoom on Flathub.

If you do not have flatpak, you could try to use the bubblewrap sandbox without flatpak or try firejail, but for most people it is much easier to just use flatpak.

2) Use Flatseal to revoke access to data that Zoom does not need before running Zoom for the first time. You can remove access to all host files (filesystems=host and filesystems=home disabled) without any problems.

This already solves many security and privacy issues of Zoom.

The problem that still remains is that Zoom generates personalized identifiers by using the unique hardware address of your network card.

3) Restricting access to your network devices: Zoom is now isolated from your private files, but if you have already used Zoom and look at $HOME/.var/app/us.zoom.Zoom/config/zoomus.conf, you will notice that Zoom uses your MAC address as an identifier in the line deviceID=XX:XX:XX:XX:XX:XX.

If you really want Zoom not to know such unique identifiers, network namespaces offer a way to protect against this.

Our setup is based on this introduction to Linux network namespaces. To run Zoom inside a private network namespace, we additionally need some routing for network access and a tool that allows normal users to run applications in a network namespace.

Setting up a network namespace for Zoom:

sudo ip netns add zoom # Create the namespace "zoom"
sudo ip link add veth0 type veth peer name veth1 # Create connected virtual interfaces
sudo ip link set veth1 netns zoom # Assign the second interface to the network namespace "zoom"

You can now verify that only the virtual interface is visible by running sudo ip netns exec zoom ip link show. This runs the command ip link show inside the namespace "zoom"; you should see a loopback interface "lo" and the virtual interface "veth1" inside the new namespace.

When running ip link show outside the namespace, you should see your usual host network interfaces and "veth0", but no device "veth1".

Next we need to assign IPs and set up a default route inside the network namespace so that Zoom can reach its servers. We will use the network 10.0.0.0/24 for the interfaces. If you already use this network, you need to choose another IP range.

# Activate the interface in the default namespace
sudo ip link set up veth0
sudo ip addr add 10.0.0.1/24 dev veth0
# Activate the interface inside the zoom namespace
sudo ip netns exec zoom ip link set up veth1
sudo ip netns exec zoom ip addr add 10.0.0.2/24 dev veth1
# Add a default route inside the namespace
sudo ip netns exec zoom ip route add default via 10.0.0.1

Now the zoom namespace can communicate with the host, but it still needs routing to the internet. We use iptables with a NAT setup for this:

sudo iptables -I FORWARD -s 10.0.0.0/24 -j ACCEPT # Forward packets for IPs from inside the namespace
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE # Use NAT for packets from the zoom network

To use the namespace without root privileges you need to install netns-exec. This tool allows every user on the computer to run programs in another network namespace, so do not install it if that is a problem for you.

Now run netns-exec zoom ip link as a normal user to verify that you can execute programs in the network namespace and that only the virtual network device is visible.

When everything works, you can start using Zoom by running

netns-exec zoom flatpak run us.zoom.Zoom

Afterwards you can verify that zoomus.conf contains the virtual MAC address of the veth interface instead of the unique MAC address of your network card.
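As an added example (not code from the original post), here are the three steps above as one re-runnable shell script: it applies the Flatseal step with flatpak override, repeats the namespace, address and NAT setup, additionally enables IPv4 forwarding (off by default on most desktops, without which the MASQUERADE rule forwards nothing) and accepts return traffic in FORWARD for the case that the chain's policy is DROP, and afterwards checks that the deviceID in zoomus.conf is not the MAC address of a hardware-backed interface on the host. It assumes the same names and addresses as the post (namespace zoom, veth0/veth1, 10.0.0.0/24) and that iproute2, iptables, netns-exec and the us.zoom.Zoom flatpak are installed.

```shell
#!/bin/sh
# Added example (not from the original post): the setup above as a re-runnable
# script, plus IPv4 forwarding and a return-traffic FORWARD rule the post leaves
# implicit, and a check that the deviceID Zoom wrote is not a physical MAC of
# this host. Assumes iproute2, iptables, netns-exec, the us.zoom.Zoom flatpak
# and a free 10.0.0.0/24, as in the post.
set -eu
NS=zoom; NET=10.0.0.0/24
CONF="$HOME/.var/app/us.zoom.Zoom/config/zoomus.conf"
# ensure_rule <table> <chain> <rule...>: insert the rule unless it exists (-C).
ensure_rule() {
    t=$1; c=$2; shift 2
    sudo iptables -t "$t" -C "$c" "$@" 2>/dev/null || sudo iptables -t "$t" -I "$c" "$@"
}
setup_namespace() {
    [ -e "/var/run/netns/$NS" ] || sudo ip netns add "$NS"
    if ! ip link show veth0 >/dev/null 2>&1; then
        sudo ip link add veth0 type veth peer name veth1
        sudo ip link set veth1 netns "$NS"
    fi
    sudo ip link set veth0 up
    sudo ip addr replace 10.0.0.1/24 dev veth0
    sudo ip netns exec "$NS" ip link set veth1 up
    sudo ip netns exec "$NS" ip addr replace 10.0.0.2/24 dev veth1
    sudo ip netns exec "$NS" ip route replace default via 10.0.0.1
    sudo sysctl -qw net.ipv4.ip_forward=1  # off by default on most desktops
    ensure_rule filter FORWARD -s "$NET" -j ACCEPT
    ensure_rule filter FORWARD -d "$NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ensure_rule nat POSTROUTING -s "$NET" -j MASQUERADE
}
# Print "leak" when the deviceID in a zoomus.conf text ($1) equals one of the
# MAC addresses in $2 (one per line, any case), otherwise "ok".
device_id_status() {
    id=$(printf '%s\n' "$1" | sed -n 's/^deviceID=//p' | tr 'A-F' 'a-f')
    if [ -n "$id" ] && printf '%s\n' "$2" | tr 'A-F' 'a-f' | grep -qxF "$id"; then
        echo leak
    else
        echo ok
    fi
}
# MACs of hardware-backed interfaces: only those have a /sys/.../device link.
physical_macs() {
    for d in /sys/class/net/*/device; do [ -e "$d" ] && cat "${d%/device}/address"; done; return 0
}
if [ "${1:-}" = run ]; then
    flatpak override --user --nofilesystem=host --nofilesystem=home us.zoom.Zoom  # step 2
    setup_namespace
    netns-exec "$NS" flatpak run us.zoom.Zoom
    echo "deviceID check: $(device_id_status "$(cat "$CONF")" "$(physical_macs)")"
fi
```

Run it as `sh zoom-netns.sh run`; the deviceID check prints "leak" if Zoom recorded one of your hardware MAC addresses and "ok" otherwise.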

Feedback: If anything does not work for you, please leave a comment so I can improve this article.

Categories: english Software Linux Sicherheit
Tagged: Zoom Flatpak network namespace netns Security Privacy

March 27, 2020

Links (134)

Categories: Links
Tagged: Sarah2 Cipher Encryption Verschlüsslung Typographie Squire AI GPT-2 GPT2 AIDungeon Scissors Scheren Emojis Assange Mailserver Mail E-Mail CSS GDPR Consent Signal Messenger Duckduckgo Tracker Tracking Pets Neopets Covid Corona Virus Modeling Simulation

Dec. 16, 2019

Links (133)

Categories: Links
Tagged: Klimawandel Klimakatastrophe Apple linux Dieter Nuhr Klimaproteste Greta Greta Grotesk Font Schriftart Typeface Handschrift handwriting Computer slow TV Allowance TV printf C Opfer Gender Studies Pomo Genderstudies Facebook twitter Pomo-Twitter GDPR DSGVO Cookies opt-in Opt-out cookie syncing Weihnachtsmarkt Stackoverflow StackExchange

Oct. 11, 2019

Links (132)

Categories: Links
Tagged: Privacy data collection Matrix Harry Botter Harry Potter Bot Zitate Neuronales Netz static Game CCC Chaos Communication Camp Raytracer Postscript WebGL fluid Simulation Firefox IPv6 Scientists Forscher Brief Letter Climate Klima Forschung

June 16, 2019

Links (131)

Categories: Links
Tagged: Anja Rützel Enissa Amani Empörio Amani Calendar Kalender Fallacy Bullshit Web twitter Facebook Freie Rede Internet abmahnen Abmahnung Klarnamen Anonymität Anonym Macht Machtfrage disziplinlos Autofahrer Autos Baumaßnahmen Bau Verkehrsregeln Tracking Nachrichten Nachrichtenseiten Harry Potter Neural Network NN Neuronales Netz HTTP Status HTTP Status Latein

April 24, 2019

Links (130)

Categories: Links
Tagged: laser LIDAR self-driving Auto iOS Facebook Apps spyware Windows Windows 98 Zuckerberg Privacy Privatssphäre Icons targeting Ads Werbung drawing zeichnen Anleitung Handy englisch Anglizismus Tankstelle Überfall Brötchen schmieren 280 Bananas Bananen Radioaktivität Strahlung Physik Wasserfall Schwimmbad twitter headerbars Hipster Squirrel Eichhörnchen Perl Farbkleckse Überwachungsstaat Keybase TOFU TADA Trust Vertrauen Schlüssel Kryptografie Passwords Passwörter Nazis Rassisten

Jan. 13, 2019

Links (129)

Categories: Links
Tagged: Facebook Netflix Airbnb Tinder Mark Zuckerberg Zuckerberg Tumblr Web Adult Content sex-positive A* A-Star algorithm DeinTherapeut Norman Norman Wolf Papagei Alexa Amazon Bestellungen Google Edge Tree Swings Schaukeln Softwareentwicklung software development headerbars titlebars Tracking Kamera 1995 Smart TV TV Escher Stairwell Treppen

Dec. 6, 2018

Links (128)

Categories: Links
Tagged: Chrome Mastodon Federation federated Orgasmus Sex JavaScript Minesweeper Game Gender Studies Scholarship Corruption Flatpak Security Knuth Donald Knuth Tic-Tac-Toe Populismus Überwachungsstaat ISP Schweden Internetprovider Zensur Elsevier Sci-Hub Google Tracking machine learning maschinelles Lernen Versagen Failure Elefanten Evolution CheeseMaster Käse Spiel Therapie DeinTherapeut twitter Psychologie Psychotherapie VPP Verbande Psychologischer Psychotherapeutinnen und Psychotherapeuten Urknall Physik Astronomie DLR

Sept. 8, 2018

Converse.js with prosody

Since the latest release (4.0.0), converse.js supports OMEMO. With OMEMO and MAM (server-side message archive to show older chat logs), it now seems to be a really nice client for everyday usage.

But deploying it isn't as easy as one might think. Here is a short summary of what I needed to do to get BOSH and HTTP file upload working with my own prosody XMPP server.

By default the prosody BOSH (Jabber over HTTP) server listens on ports 5280 (unencrypted) and 5281 (TLS).
When converse.js is installed on a web server, the browser treats the website on port 80 (HTTP) / 443 (HTTPS) and the BOSH server on its own port as different origins, so it will not allow the page to access the BOSH server.
The BOSH server can allow such access by setting a cross-origin resource sharing (CORS) header.

The problem is that setting the header is not yet implemented in prosody.

To fix this, here is an easy patch for the net/http/server.lua file from prosody:

To allow access from any website, change the line

headers = { date = date_header, connection = response_conn_header };

to

headers = { date = date_header, connection = response_conn_header, 
            access_control_allow_origin = "*" };

This solves the problem of accessing the BOSH server, but HTTP file upload will still have problems.

HTTP file upload uses the PUT method on the server with the new filename, which does not exist yet.
The CORS preflight request the browser sends before the upload therefore results in an error 404 (File not found) and fails even when the correct header is set, so no upload is attempted.
This means the cross-origin header solution does not allow for working file transfers.

To solve the problem, we can use a reverse proxy to have the BOSH and HTTP-upload URLs on the same domain (and port) as the converse.js installation.
The patch for sending the cross-origin resource sharing header above is no longer needed with this solution, as everything will now run on the same domain and port.

For nginx, I use the following reverse proxy configuration for the vHost CONVERSE_DOMAIN at which converse.js is hosted:

# BOSH
location ^~ /http-bind {
    proxy_pass "https://PROSODY_SERVER:5281/http-bind";
    proxy_http_version 1.1;
    proxy_set_header Host JABBER_DOMAIN;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering off;
    tcp_nodelay on; 
}
# HTTP-Upload
location ^~ /upload {
    proxy_pass "https://PROSODY_SERVER:5281/upload";
    proxy_http_version 1.1;
    proxy_set_header Host JABBER_DOMAIN;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering off;
    tcp_nodelay on; 
}

where JABBER_DOMAIN needs to be the appropriate vHost in prosody, i.e. the part after the @ in the jabber IDs, and PROSODY_SERVER is the IP or hostname where nginx can access the prosody server.

In prosody, the following configuration is needed:

# Consider internal non-https connections as external https connections
consider_bosh_secure = true;
# Allow requests from other domains than the @server part of the jabber IDs
cross_domain_bosh = true;
# Base URL used to generate HTTP-upload URLs
http_external_url = "https://CONVERSE_DOMAIN/"

This configuration makes prosody accept connections from nginx even when the internal connection does not use HTTPS, and sets the base URL used to construct file upload URLs to the external address of the reverse proxy.

You can now firewall the prosody HTTP server, as BOSH and HTTP file upload should only need to be reachable through the nginx HTTP server.

Categories: Tipps Software Technik
Tagged: prosody converse.js converse nginx reverse proxy OMEMO MAM Jabber