April 2, 2020

How to use Zoom with a Sandbox

With Corona, video conferences are on the rise, and organizations tend to use Zoom. The problem is that Zoom shows more and more security holes, bad practices, and privacy-related problems.

Zoom has a version that runs in the browser, but in my experience, it runs much worse than the native application. As running the native application is a security and privacy risk, let's see how we can use Linux sandbox techniques to restrict what the Zoom client can access.

1) Use flatpak.
Flatpak runs applications in a sandbox called bubblewrap, which isolates them from most of your personal data. You can find Zoom on Flathub.

If you do not have flatpak, you could try to use the bubblewrap sandbox without flatpak or try using firejail, but for most people it is much easier to just use flatpak.

2) Before running Zoom for the first time, use Flatseal to revoke access to data that Zoom does not need. You can remove access to all host files (filesystems=host and filesystems=home disabled) without any problems.

This already solves many security and privacy issues of Zoom.
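
To confirm that the host and home grants from step 2 are really gone, the effective permissions can be checked from a terminal. The following is an added example, not part of the original post; the sample keyfile in it is constructed, and it assumes the output of flatpak info --show-permissions is piped in.

```sh
#!/bin/sh
# Added example (not from the original post): audit a Flatpak app's
# effective permissions for the broad filesystem grants named above.

# Constructed sample of `flatpak info --show-permissions` output, used
# only to show the expected input format; real output will differ.
SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=home:ro;~/Documents/Zoom;

[Session Bus Policy]
org.freedesktop.ScreenSaver=talk'

# Read a permission keyfile on stdin and print every entry of the
# [Context] filesystems= key that grants host or home (any access mode).
broad_fs_grants() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && $1 == "filesystems" {
            n = split($2, entry, ";")
            for (i = 1; i <= n; i++) {
                name = entry[i]
                sub(/:.*$/, "", name)          # strip :ro / :rw / :create
                if (name == "host" || name == "home") print entry[i]
            }
        }'
}

# Return 0 when no broad grant is present, 1 otherwise (grants on stdout).
audit_permissions() {
    grants=$(broad_fs_grants)
    [ -z "$grants" ] && return 0
    printf '%s\n' "$grants"
    return 1
}

# Audit the installed app only when called as: sh audit.sh run
if [ "${1:-}" = "run" ]; then
    flatpak info --show-permissions us.zoom.Zoom | audit_permissions
fi
```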

The problem that still remains is that Zoom generates personalized identifiers by using your network card's unique hardware address.

3) Restricting access to your network devices: Zoom is now isolated from your private files, but if you have already used Zoom and look at $HOME/.var/app/us.zoom.Zoom/config/zoomus.conf, you will notice that Zoom uses your MAC address as an identifier in the line deviceID=XX:XX:XX:XX:XX:XX.

If you really do not want Zoom to learn such unique identifiers, you can protect against this by using network namespaces.

Our setup is based on this introduction to Linux network namespaces. To run Zoom inside a private network namespace, we additionally need some routing for network access and a tool that allows normal users to run applications in a network namespace.

Setting up a network namespace for Zoom:

sudo ip netns add zoom # Create the namespace "zoom"
sudo ip link add veth0 type veth peer name veth1 # Create connected virtual interfaces
sudo ip link set veth1 netns zoom # Assign the second interface to the network namespace "zoom"

You can now verify that you only see the virtual interface by running sudo ip netns exec zoom ip link show. This runs the command ip link show inside the namespace "zoom", and you should see a loopback interface "lo" and the virtual interface "veth1" inside the new namespace.

When running ip link show alone, you should see your usual host network interfaces and "veth0", but no device "veth1".

Next, we need to assign IPs and set up a default route inside the network namespace so that Zoom can reach its servers. We will use the net for the interfaces. When you already use this net, you need to choose another IP range.

# Activate the interface in the default namespace
sudo ip link set up veth0
sudo ip addr add dev veth0
# Activate the interface inside the zoom namespace
sudo ip netns exec zoom ip link set up veth1
sudo ip netns exec zoom ip addr add dev veth1
# Add a default route inside the namespace
sudo ip netns exec zoom ip route add default via
# Enable IP forwarding
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Now we can communicate with the host outside of the zoom namespace and need to add routing into the internet. We use iptables with a NAT setup for this:

sudo iptables -P FORWARD DROP # Set the default policy: drop all packets that are not matched by another rule.
sudo iptables -I FORWARD -s -j ACCEPT # Forward packets for IPs from inside the namespace
sudo iptables -t nat -A POSTROUTING -s -j MASQUERADE # Use NAT for packets from the zoom network

To be able to use the namespace without root privileges you need to install netns-exec. This tool allows every user on the computer to run programs in another network namespace, so do not install it if this is a problem for you.

Now run netns-exec zoom ip link as a normal user to verify that you can execute programs in the network namespace and that you can only see the virtual network device.

When everything works, you can start using Zoom by running

netns-exec zoom flatpak run us.zoom.Zoom

Afterward, you can verify that zoomus.conf contains the virtual MAC address from the veth network interface instead of the unique MAC address of your network card.
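
The check described above can be scripted. This is an added example, not part of the original post: it compares the deviceID line with the MAC addresses of the interfaces visible on the host, and is meant to be run outside the zoom namespace, where veth1 is not visible. The function names and the config path variable are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): check whether the deviceID
# stored in zoomus.conf is the MAC address of a host network interface.

# Flatpak per-app config file (assumed location; adjust if yours differs).
ZOOM_CONF="$HOME/.var/app/us.zoom.Zoom/config/zoomus.conf"

# Print the deviceID value from the given config file, lowercased.
zoom_device_id() {
    sed -n 's/^deviceID=//p' "$1" | head -n 1 | tr -d '\r' | tr 'A-F' 'a-f'
}

# Print the MAC address of every interface below a sysfs net directory,
# lowercased, skipping the all-zero address of the loopback device.
host_macs() {
    for addr_file in "$1"/*/address; do
        [ -r "$addr_file" ] || continue
        tr 'A-F' 'a-f' < "$addr_file"
    done | grep -v '^00:00:00:00:00:00$'
}

# Exit status: 0 = deviceID is not a host MAC, 1 = it is, 2 = none found.
check_device_id() {
    conf=$1
    net_dir=${2:-/sys/class/net}
    id=$(zoom_device_id "$conf")
    if [ -z "$id" ]; then
        echo "no deviceID line in $conf"
        return 2
    fi
    if host_macs "$net_dir" | grep -qxF "$id"; then
        echo "deviceID $id is the MAC address of a host interface"
        return 1
    fi
    echo "deviceID $id does not match any host interface"
    return 0
}

# Check the real config only when called as: sh check.sh run
if [ "${1:-}" = "run" ]; then
    check_device_id "$ZOOM_CONF"
fi
```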

Feedback

If anything does not work for you, please leave a comment so that I can improve this article.

Categories: english Software Linux Security
Tagged: Zoom Flatpak network namespace netns Security Privacy

4 comments

March 10, 2016

GNUSocial / Quitter and choosing a server

When Twitter tried to make itself unpopular again by introducing an algorithmic timeline (last time they upset their users with the prospect of allowing 10,000-character tweets), the hashtag #RIPTwitter started to trend and people started looking at alternatives again.

One of the alternatives is GNU social, often called Quitter after a popular GNU social server. Here is an article on how to get started once you have decided on a server.

GNU social is a federated system like Jabber/XMPP, which means there is no central server. Each user can choose from a lot of servers and still reach people on other servers. This is a great thing, as everybody can run their own server, and having more different servers adds redundancy and diversity. No one can control or censor the whole network.

On the other hand, without a central website, you have to choose a server you want to use for your account. Which server should you use? The one with the nicest name (e.g. Quitter has a nice ring for Twitter users), the one with the most users, or should you use some other criteria?

Of course, self-hosting may be an option for some of us, but others cannot or do not want to host their own server. I host most of my stuff myself, but unlike with an e-mail server, it would be hard to move to a hosted service if I decide later that I no longer want to host my own instance. So I started to think about which criteria are useful for choosing a GNU social server for my account.

Some of the main aspects include:

  • Reliability: You do not want your e-mails to be lost, and you probably do not want your queets (messages on GNU social) to be lost either.
  • Privacy and Security: The data should not be lost in a hard drive failure, nor do you want your private messages or password to end up in a leak.
  • Moderation: On big sites like Twitter there are sometimes problems with harassment, so when a new social network grows, it will need some moderation to stop people from harassing others. On the other hand, too much moderation could hurt the idea of a free alternative, which may even provide more freedom than the commercial ones.

As I asked myself these questions, I thought others might be asking themselves the same. So I decided to survey some of the server administrators about these things. I sent a mail with some questions to these instances (taken from this list of instances):

(I will link them to follow-up posts as I get answers and have time to blog them)

The Questions:

Gnusocial configuration
=======================

- How many characters per queet are possible on your instance?
- Which plugins are installed on your instance?
- Do you keep up with the most recent version or are you testing new versions for a while before using them?

Users, Stability & Money
========================

Users would like a service which lasts forever and runs fast and reliably. Can you tell something about how your service tries to achieve this?

- How many users does your service have?
- For how long has it existed?
- How do you pay for the service? Do you get enough donations, do you have sponsors or do you pay for it yourself?
- What do you need to pay for hardware / hosting?
- Are there costs for moderating / maintaining the site?
- How do you want to ensure the service will last (that it can be paid for and there are enough people who keep it running)?
- How can your users support you? Do you accept donations? Are there other ways to say thank you, like an Amazon wishlist or Flattr?

Abuse Handling
==============

The larger the site, the more abusive users will come. How do you handle the moderation on your site?

- How can users report abusive queets / private messages?
- How fast can the moderation handle such requests?
- Are you actively moderating the site or just handling reports?

- Do you have specific policies on how to react to which type of incident?
- Is there a page with the rules for your instance or do you rely on common sense and notify users when they are going too far?

- Can you tell something about the possible consequences for breaking the rules?
- Do you notify authorities about serious incidents or do you just ban the users and let the victims report it to the police themselves?

Moderation
==========

Moderation to prevent abuse is important, but too much moderation can hurt a site. Moderating legal but possibly offensive posts may create chilling effects, where people censor themselves to avoid being moderated or even banned for unpopular opinions.

- When do you delete possibly offensive tweets?
- When do you warn users?
- When do you temporarily ban users?
- When do you permanently ban users?

- Do your moderators discuss decisions among themselves or are they acting on their own?
- Do you discuss the moderation with the users?
- How do you avoid moderators being biased towards their own opinion in the discussion which they are moderating?

- Do you think your users need to think about being moderated before writing a queet?
- Do you have any rules which require the users to think beyond common sense before posting, like avoiding TV spoilers?

- Where does unacceptable behaviour start on your instance? (bad opinions expressed in a serious manner / flame wars / trolling / insults / harassment / serious threats)
- What are your moderators doing with reports for queets in heated discussions which are, strictly speaking, not breaking a rule, but offending other users in the discussion?

- How are you moderating queets from other gnusocial instances?

Backup & Privacy
================

Some instances have plugins for backup, others don't have this option. What options do you provide for your users? How do you handle the privacy of your users?

- Can your users export their data (queets, private messages)?
- Is there a way to import this data or data from other gnusocial instances?
- Do you have backups for your server, e.g. in case of hardware failure?
- Can your users delete their account?
- How long does it take for the data to be deleted completely (i.e. disappear from any backups)?
- Do you retain any data after deletion, e.g. as proof of abusive behaviour, to enable recovery of the deleted account or to prevent others from reregistering the account name?
- Do you ever read private messages? Under which circumstances would you do so and would you inform the users afterwards?

Security
========

- How are you protecting the data (e.g. is the server hard disk encrypted)?
- Does your site use HTTPS?
- Did you configure more security options like an HSTS header?

Legal Issues
============

It is pretty common that people post copyrighted images on social media, which can get them into trouble. A smaller site may have the problem of being accused of the violation itself instead of the user. How do you handle copyrighted content and law enforcement requests?

- Do you inform your users about rules for posting copyrighted images / texts?
- Do you try to actively moderate copyright violations or do you take down content only on request?
- What would you do when you receive a DMCA notice or a similar request in your country?

- What do you do about images violating personality rights of people in the image?
- How would you handle requests under the EU "right to be forgotten" law?
- Did you think about getting a national security letter?

Technical Information
=====================

Can you tell something about how you run the website?

- What hardware are you using?
- What software (e.g. operating system, etc.) are you using?
- Does the server just run gnusocial or are you using it for other things as well?
- Is your server very busy with the instance?

Final thoughts
==============

- Why should users choose your instance?
- Do you want to tell anything else?

Categories: OpenSource Internet Media Software english
Tagged: GNUSocial Quitter StatusNet twitter RIPTwitter

0 comments

Sept. 24, 2011

XKCD could be better

I think two of the recent XKCD comics could be done better. I regularly read xkcd sucks, but I do not agree with everything he says. Still, many comics can be done better; I present two improved comics here:

XKCD 953

Original here

What did I do? I removed the redundant dialogue. The joke is presented in the first line; everything after that is just the same joke. Maybe he wanted to explain his joke in a way that even people who do not know about the 10 types of people in the world (those who understand binary and those who do not) will understand it.

XKCD 954

Original here

This one is a bigger change. Randall put several jokes in this comic which are not quite compatible with each other, and I removed all but the main joke: Black-Hat Guy blocks the end of a very long escalator to get a funny result.

The other jokes in the comic were just saying "I can ask dumb questions, too." Oh cool, BHG has a witty response to curious questions. Funny. Lol.

Categories: english
Tagged: XKCD improved Remix Binary Base 2 Escalator Comics Comic

0 comments

May 24, 2011

sudo make me a sandwich

Save this as "Makefile":

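UID=$(shell id -u)
# Target names reconstructed: me/a/sandwich from the invocation below; love is assumed.
.PHONY: love me a sandwich
love:
	@echo "make love, not war!"
me:
	@if [ "${UID}" = "0" ];then echo "okay.";\
	else echo "What?";echo -n "make ";fi
a:
	@if [ "${UID}" != "0" ];then echo -n "it ";fi
sandwich:
	@if [ "${UID}" != "0" ];then echo "yourself.";fi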

And execute it:

$ make me a sandwich
$ sudo make me a sandwich

If you do not understand it, read this XKCD-Comic.

Categories: Fun english Software
Tagged: Sandwich XKCD make sudo Comic Code Makefile

0 comments

March 23, 2011

Anonymous-Twitter Bookmarklet

Bookmarklet: Anonymous-Twitter

how to use it

  • drag the Bookmarklet above to your bookmarks-toolbar.
  • visit twitter
  • click the Bookmarklet
  • ???

what does it do?

When you click the bookmarklet, every tweet will have "Anonymous" as author, so you can judge the tweets by the message and not by the author.

how does it work?

The bookmarklet runs a tiny piece of JavaScript on the Twitter page to insert some CSS code, which hides the user images and usernames and adds "Anonymous" as username and a picture of Anonymous as user image.

thanks to ...

@paniq, who tweeted the idea and also makes good music.

Stylish / Userscript

You can use the userstyle for Twitter if you want the change to be permanent. The userstyles site also has an option to install the style as a userscript.

Categories: Anonymity Internet Fun english Software
Tagged: Anonymous twitter JavaScript Bookmarklet

0 comments

Sept. 2, 2010

Trying something new for git commit-ids

One disadvantage of git is that its commit IDs are ugly.

b1e7470 (and even that is only the short form of b1e74702c83accb73d60e884f7a46fc06d5d51b2) is something nobody can remember. With SVN you can say "I am using SVN revision 754". A number with three to six digits, as in most projects, can be memorized.

But a git commit ID is, in its short form, a seven-digit hex number, and it is chosen "randomly" (by a hash function). SVN revision numbers are strictly monotonic, so you know the project is at approximately 750 commits and only need to remember the last digit to say "the commit was 754".

Now I am trying something new in the otfbot project: the ver2name function uses the seven-digit version of a git commit ID to generate a fantasy name.

b1e7470 → Radwalhel

Radwalhel may be funny enough that you can remember it when someone asks you which version you are running.

The cool thing about ver2name is that it preserves all important information, so you can convert the name back to a git commit ID. The developer can therefore use the "funny" name to find the git revision the user is running:

Radwalhel → b1e7470

Some more examples:

0000000 ⇔ Babbabbab
8080808 ⇔ Mebmobmob
fffffff ⇔ Zozzazzaz

You can see how it works: each hex digit maps to one consonant, and the 7th digit maps to two vowels. The third vowel is created by a hash of the last two digits, but it carries no additional information and is ignored when parsing the name back to a version.

We will see if this helps against the confusion caused by git commit IDs. It's an experiment, and it is still no solution to the problem that two consecutive commits have totally different IDs.

Categories: Software english
Tagged: git svn vcs commit names commit-id svn-rev

2 comments

Jan. 5, 2009

lyrics search for the current song with MPD

Another tip for users of MPD:
firefox "https://ssl.scroogle.org/cgi-bin/nbbw.cgi?Gw=$(mpc|head -n1) lyrics&n=1"
searches for the current song name + "lyrics" on Scroogle (yeah, privacy).

Of course you can change "firefox" to e.g. "opera" and "https://ssl.scroogle.org/cgi-bin/nbbw.cgi?Gw=" to "http://google.de/search?q=", or to whatever search engine and browser you like.

Categories: Software english
Tagged: Tipps Song MPD Lyrics current current Song search

0 comments

Aug. 27, 2008

The Game

In Soviet Russia, the Game loses YOU!

Categories: Fun english
Tagged: Game russian Reversal the Game Smirnoff Soviet Russia Russia Soviet Witz

0 comments