Silk Road forums

Discussion => Security => Topic started by: pine on April 24, 2013, 05:49 am

Title: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: pine on April 24, 2013, 05:49 am
I think this deserves some press/commentary in general. Also I'm concerned in particular that popular VOIP software such as Skype is a security threat, as I believe it is possibly (suspicions, not proof) being used as a tool for mass surveillance, or that at the very least there are huge security concerns with it. Mostly because it is assumed to be safe by many users to talk about SR using it, or to leave it running while on SR, and all the signs suggest anything but.

Don't think this is ridiculous until you've read through the links.

First off:

http://theinvisiblethings.blogspot.fi/2011/04/linux-security-circus-on-gui-isolation.html

Quote
The Linux Security Circus: On GUI isolation
There certainly is one thing that most Linux users don't realize about their Linux systems... this is the lack of GUI-level isolation, and how it essentially nullifies all the desktop security. I wrote about it a few times, I spoke about it a few times, yet I still come across people who don't realize it all the time.

So, let me stress this one more time: if you have two GUI applications, e.g. an OpenOffice Word Processor, and a stupid Tetris game, both of which granted access to your screen (your X server), then there is no isolation between those two apps. Even if they run as different user accounts! Even if they are somehow sandboxed by SELinux or whatever! None, zero, null, nil!

The X server architecture, designed a long time ago by some happy hippies who just thought all the people's apps are good and non-malicious, simply allows any GUI application to control any other one. No bugs, no exploits, no tricks, are required. This is all by design. One application can sniff or inject keystrokes to another one, can take snapshots of the screen occupied by windows belonging to another one, etc.

If you don't believe me, I suggest you do a simple experiment. Open a terminal window, as normal user, and run xinput list, which is a standard diagnostic program for Xorg (on Fedora you will likely need to install it first: yum install xorg-x11-apps):

$ xinput list

It will show you all the pointer and keyboard devices that your Xorg knows about. Note the ID of the device listed as “AT keyboard” and then run (as normal user!):

$ xinput test id

It should now start displaying the scancodes for all the keys you press on the keyboard. If it doesn't, it means you used a wrong device ID.

Now, for the best, start another terminal window, and switch to root (e.g. using su, or sudo). Notice how the xinput running as user is able to sniff all your keystrokes, including root password (for su), and then all the keystrokes you enter in your root session. Start some GUI app as root, or as different user, again notice how your xinput can sniff all the keystrokes you enter to this other app!

Yes, I can understand what is happening in your mind and heart right now... Don't worry, others have also passed through it. Feel free to hate me, throw out insults at me, etc. I don't mind, really (I just won't moderate them). When you calm down, continue reading.

In Qubes the above problem doesn't exist, because each domain (each AppVM) has its own local, isolated, dummy X server. The main X server, that runs in Dom0 and that handles the real display, is never exposed to any of the AppVMs directly (AppVMs cannot connect to it via the X protocol). For details see this technical overview.

You can repeat the same experiment in Qubes. You just need to use the ID of the “qubesdev” device, as shown by xinput list (should be 7). Run the xinput in one of your domains, e.g. in the “red” one. Because we actually use the same device for both mouse and keystrokes, you should now see both the key scancodes, as well as all the mouse events. Notice how your xinput is able to sniff all the events that are destined for other apps belonging to the same domain where you run xinput, and how it is unable to sniff anything targeted to other domains, or Dom0.

BTW, Windows is the only mainstream OS I'm aware of that actually attempts to implement some form of GUI-level isolation, starting from Windows Vista. See e.g. this ancient article I wrote in the days when I used Vista on my primary laptop. Of course, it's still easy to bypass this isolation, because of the huge interface that is exposed to each GUI client (that also includes the GPU API). Nevertheless, they at least attempt to prevent this at the architecture level.

Crossposting from another thread in which this topic came up:

Or you could have LE spyware on your machine logging your keystrokes. I think you should be very wary of a certain closed source instant messaging and VOIP program that is quite popular.
You mean... Skype is a keylogger?

Yes. Definitely. Without a shadow of a doubt. The only question that remains is whether the alphabet mafia actually obeyed the law itself in doing so, or whether they simply have been using it as a tool of mass surveillance with keyword targeting. I suspect the latter and that they've been using it for over five years.

It's amazing people didn't get more suspicious when they found out they couldn't even delete their own accounts.

https://www.schneier.com/blog/archives/2013/01/who_does_skype.html

http://www.techspot.com/news/51880-microsoft-enables-china-to-spy-on-skype-users-via-keyword-triggers.html

http://cryptome.org/0001/ms-spy-takedown.htm

http://www.washingtonpost.com/business/economy/skype-makes-chats-and-user-data-more-available-to-police/2012/07/25/gJQAobI39W_story.html?wpisrc=nl_cuzheads

http://www.slate.com/blogs/future_tense/2012/11/09/skype_gave_data_on_a_teen_wikileaks_supporter_to_a_private_company_without.html

http://wikileaks.org/wiki/Skype_and_SSL_Interception_letters_-_Bavaria_-_Digitask

--

Not everybody agrees with me, but I think this looks really bad, esp. for people who never gave it a moment's thought.
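The quoted experiment shows that every client of the session X server sees every other client's input. The mitigation the quote attributes to Qubes (each domain gets its own private X server) can be approximated on a single Linux box with a nested X server: the untrusted program is pointed at a Xephyr display and never handed the session display at all. The script below is an added example written for this thread, not code from the original post or from the quoted blog; it assumes Xephyr and xauth are installed, and the function names, the default display search range and the geometry are my own choices.

```shell
#!/bin/sh
# Added example: run an untrusted GUI program inside a nested X server (Xephyr)
# so that it only receives the input events delivered to the nested window and
# never connects to the session X server, where it could read every
# application's keystrokes. Assumes Xephyr and xauth are installed.

# Pick a display number whose Unix socket does not already exist.
# Argument: number to start searching from (default 10, an assumption).
find_free_display() {
    n="${1:-10}"
    while [ -e "/tmp/.X11-unix/X$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Build the Xephyr argument list for a display number and screen geometry.
# -nolisten tcp: no network listener; "-ac" is deliberately not used, so the
# nested server still demands an authority cookie from its clients.
xephyr_args() {
    disp="$1"
    geom="${2:-1280x800}"
    echo ":$disp -screen $geom -resizeable -nolisten tcp -title isolated:$disp"
}

# Start Xephyr on a free display with its own private authority file, run the
# program with DISPLAY/XAUTHORITY pointing only at the nested server, and tear
# the nested server down when the program exits.
run_isolated() {
    disp="$(find_free_display)"
    auth="$(mktemp)"                 # private cookie file for the nested server
    cookie="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    xauth -f "$auth" add ":$disp" MIT-MAGIC-COOKIE-1 "$cookie"

    # shellcheck disable=SC2046   (word splitting of the argument list is intended)
    Xephyr $(xephyr_args "$disp" "${XEPHYR_GEOM:-1280x800}") -auth "$auth" &
    xpid=$!

    # Wait for the nested server's socket to appear (up to ~10 s).
    i=0
    while [ ! -e "/tmp/.X11-unix/X$disp" ] && [ "$i" -lt 50 ]; do
        sleep 0.2
        i=$((i + 1))
    done

    # The program is told about the nested display only, not the session one.
    DISPLAY=":$disp" XAUTHORITY="$auth" "$@"

    kill "$xpid" 2>/dev/null
    rm -f "$auth"
}

# Run only when a program was given, e.g.:  sh isolate_x11.sh skype
if [ "$#" -gt 0 ]; then
    run_isolated "$@"
fi
```

Inside the nested window the program can still sniff input destined for other clients of the same Xephyr instance, which is exactly the per-domain behaviour the quote describes for Qubes; it cannot see keystrokes typed into windows on the session display. The caveat is that this script only changes which display the program is told about: a program running as the same user could still read ~/.Xauthority and open the session display on its own. For real containment combine the nested server with a separate user account that has no cookie for the session display, or use a tool that does both, such as firejail's --x11=xephyr mode or the SELinux `sandbox -X` wrapper from policycoreutils, which runs the program under a confined label inside its own Xephyr.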
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: wicked420 on April 24, 2013, 06:03 am
Skype is a huge security concern for many reasons, you're forced to use a proxy to keep any of your information secure via skype.  Never connect to anyone on skype unless proxied.

Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: kmfkewm on April 24, 2013, 07:13 am
ALL major desktop windowing systems have no isolation between GUI windows. If any one of your applications is pwnt, EVERYTHING can be keylogged. There are defenses though: you can use virtual machines like Qubes does, or you can use things like SELinux sandboxes. There are other techniques as well. Desktop OSes with windowed applications have long been considered insecure; this is one of the main reasons why. On the other hand, who wants to do everything from the command line? Qubes is a good step in the right direction. I haven't been using it myself, but I do use multiple virtual machines and keep what I run on the host to the bare minimum.
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: MarcelKetman on April 24, 2013, 04:02 pm
subbed
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: SelfSovereignty on April 24, 2013, 04:17 pm
I'm a founding member of "Just Say NO to Skype."  I think I'm the only member though... but we're still taking applications!

To be serious: uhhh... this comes as a surprise to people?  It's a layered architecture, basically: if the first layer doesn't catch a keystroke, it gets passed on.  Usually to the active window.  That's how hotkeys work.  I mean if X didn't catch your hotkey before it reached the active window, it would be the active window's job to implement that.  Along with half of the shit that X actually does, every single program would need to know how to replace that functionality.

That's ludicrous.  Which is why it's not how modern operating systems are designed.
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: astor on April 24, 2013, 05:03 pm
Skype is a closed source application that is now controlled by a corporation that openly works with LE and provides tools like this:

https://en.wikipedia.org/wiki/Computer_Online_Forensic_Evidence_Extractor

You should put zero trust in Skype. You should not do anything sensitive on the same computer/OS where Skype is installed. If for some reason you need to use Skype, do your sensitive stuff in Tails or on a separate computer.
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: pine on April 27, 2013, 02:47 am
Pine believes something slightly different, which is the above (Legal Intercept) is used for regular policing (Skype's main source of LE income), but that the FBI and DEA have *realtime access* (used for terrorism, drug smuggling) to a different system which involves a program called a RAT or Remote Access Tool that when deployed to your Skype's backdoor allows all manner of extra goodies to be had, including your keystrokes. It is unnecessary to involve a supernode because they have your plaintext (which is why "logging" is the right word vs "intercept"), although they have access to your session keys too if need be, and basically all manner of data is vacuumed out of your machine and into theirs.

Like I have already said, I cannot know whether they are using Skype for mass surveillance, although this is to me a far from unlikely possibility. I do know they are using Skype as a resource to gather information on individuals. Given everything I have posted, I believe it would be a good move for SR users not to be using Skype to talk about the Silk Road, nor to have the program running in the background.
Why would Skype be monitoring all your activity? Wouldn't it be easier if it was simply Windows that did all the job? And I agree talking about SR on Skype or MSN or any conventional real-time chat client isn't a wise move, but if Skype went as far as keylogging, would it really stop doing so if you didn't let it run in the background? It's still interesting to know that Skype is monitoring your conversations, but I think they were basically telling you they were in their privacy policy, or they didn't tell you they didn't at least. Nobody should talk about illegal stuff or the SR on conventional chat clients anyway; PGP or OTR should be used for that.
Your articles don't say anything about Skype being able to record your every keystroke when not using Skype.

Just to let you know, I found a link which explains some of what I was getting at, in that there is no magic isolation between GUI programs on your desktop, most people, including computer people appear to assume there is, but there is not.

http://theinvisiblethings.blogspot.se/2011/04/linux-security-circus-on-gui-isolation.html
Interesting article pine, it could explain this whole Skype keylogging thing but as I said before, if it were doing it, it would also be doing it while you're not running it. And your article is only about Linux, does the same work on other OS's as well?
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: pine on April 27, 2013, 03:16 am
Why would Skype be monitoring all your activity? Wouldn't it be easier if it was simply Windows that did all the job? And I agree talking about SR on Skype or MSN or any conventional real-time chat client isn't a wise move, but if Skype went as far as keylogging, would it really stop doing so if you didn't let it run in the background? It's still interesting to know that Skype is monitoring your conversations, but I think they were basically telling you they were in their privacy policy, or they didn't tell you they didn't at least. Nobody should talk about illegal stuff or the SR on conventional chat clients anyway; PGP or OTR should be used for that.

Sure, you're right, I expect LE to have exploits for all popular operating systems, and they probably have off-the-shelf software from some private contractor that does this for Windows, with a nod and wink from Microsoft no doubt.

But that isn't a news story and no tech people would ever raise an eyebrow at the thought of Windows having a backdoor.

The thing is that Skype is on all platforms, especially Linux, which is generally regarded as being a lot more secure than anything else apart from BSD. Nearly every piece of software on a Linux box is open source. About the only proprietary software you could count on being there is Skype. So as such it's the perfect vehicle for leveraging a backdoor into a system, for this reason:

If Skype was a piece of software running surreptitiously then it would definitely have been noticed by now. The key thing, the "gotcha" as it were, is that in practice Skype is running all the time anyway because most users like it that way. That always-on software, therefore, has pretty much permanent access to your keystrokes whether or not they are intended for Skype, and unfortunately, as the article says, this is exceptionally tough to counter. It's the kind of thing I'd have expected SELinux to forbid, but apparently not according to the author. It's the perfect disguise for a state keylogger.

Interesting article pine, it could explain this whole Skype keylogging thing but as I said before, if it were doing it, it would also be doing it while you're not running it. And your article is only about Linux, does the same work on other OS's as well?

I'm not sure, but I think it was said that Windows Vista had some protection mechanism. Talk about irony.

Don't recommend y'all install Vista! ;)
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: itsthecops on April 27, 2013, 04:27 am
Miss Pine, do you think there could someday be encrypted keyboards?
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: pine on April 27, 2013, 06:21 am
Platypus Pine, do you think there could someday be encrypted keyboards?

Yes, I think some variants of this exist. Actually it would be quite brilliant if a special keyboard came with a one time pad; a key length of even 50 MB would be more than enough. Then you could have "paired keyboards". It would be 100% unbreakable instant messaging communication then. You don't have to trust the machine you're working with. A real boon in a conflict environment or where there is a mole. I bet this has already been done somewhere. You'd still have to secure the keyboard though, to prevent unsought-out 'upgrades'.

Only problem would be you wouldn't detect when you make spelling mistakes :D

And since you have to distribute keyboards everywhere, it's not really practical for us. Could be good for spies or military though. It's a pretty constrained use case.

Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: kmfkewm on April 27, 2013, 07:49 am
Qubes developer oversells it compared to other solutions sometimes, you can prevent the same attack with SELinux, it just doesn't have copy paste between applications in such a configuration.
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: tree on April 27, 2013, 01:33 pm
I get how Skype would be the one application monitoring everything now, I wasn't thinking of Linux when you first stated that. I didn't even know it was available on Linux. I understand your suspicions now and they seem pretty well founded. What's BSD and why is it safer than Linux? And what's Qubes?
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: Jack N Hoff on April 27, 2013, 01:44 pm
I get how Skype would be the one application monitoring everything now, I wasn't thinking of Linux when you first stated that. I didn't even know it was available on Linux. I understand your suspicions now and they seem pretty well founded. What's BSD and why is it safer than Linux? And what's Qubes?
An operating system called OpenBSD.  All the techies on previous drug market places I was on years ago before the road was around raved about it and how secure it is.  I never got into it myself.
Title: Re: Linux GUI isolation, concerns about Skype-as-keylogger
Post by: SelfSovereignty on April 28, 2013, 12:47 am
I get how Skype would be the one application monitoring everything now, I wasn't thinking of Linux when you first stated that. I didn't even know it was available on Linux. I understand your suspicions now and they seem pretty well founded. What's BSD and why is it safer than Linux? And what's Qubes?
An operating system called OpenBSD.  All the techies on previous drug market places I was on years ago before the road was around raved about it and how secure it is.  I never got into it myself.

It started at Berkeley I think.  Turned into OpenBSD, FreeBSD, and NetBSD.  They're basically to Linux as Linux is to Windows.  Sorta.  ... yeah, not really, that doesn't work.  Maybe in popularity, but that's all.

Basically it's a Linux system, except the kernel isn't Linux -- it's a BSD.  I've never tried one myself, but as Jack here says, I've seen people saying they're more secure than Linux the entire time I've used Linux.  Whether there's any truth to that I can't say.  It may be that it was once true, but with the greater activity around the Linux kernel you'd think that would have changed by now.