Debian's "popularity contest" package as threat vector?

I am wondering whether to force-uninstall Debian's popularity-contest package as part of Stormy's installation process. It would be good to have an idea how popular Stormy is, but on the other hand, I'm not sure how anonymous the reporting is on Debian's end.

This is also relevant for users of the tor package, who might also be at mild risk (though far less so because the number of users is so high, and doesn't reveal location of location-hidden services).

Anyone have opinions on this? I'm leaning towards checking if popularity-contest is installed and then asking if the user would like it to be removed.

EDIT: We should also discuss whether to remove it as part of Tor's installation process overall.

added Debian Stormy component::applications/tor bundles/installation owner::saint priority::medium resolution::wontfix severity::normal status::closed tor-hs type::enhancement labels

Good call!

It would be awesome if popcon used tor when it found it installed. But since that won't happen anytime soon, I think it is reasonable to list it in the Conflicts line of Stormy's debian package.

Btw, what do you mean by "install process"? I'm assuming there will be a debian package, otherwise popcon wouldn't be an issue... but, removing the package in stormy's preinst or postinst script isn't possible, I think, because dpkg is still running.

You could make Stormy refuse to start if popcon is installed, but it could narc you out before you fix the problem so that isn't the right approach. If you want to make sure popcon never reports Stormy, I think using the Conflicts line is the only way to do it.

It would be nice if popcon let individual packages opt-out, and/or let users decide not to report about certain packages. As far as I can tell it doesn't currently have any ability to report about some packages but not others. It does at least encrypt the reports it sends back, though. See http://popcon.debian.org/FAQ

Trac:
Status: new to accepted
Owner: N/A to saint

Replying to cypherpunks:

Btw, what do you mean by "install process"? I'm assuming there will be a debian package, otherwise popcon wouldn't be an issue... but, removing the package in stormy's preinst or postinst script isn't possible, I think, because dpkg is still running.

After install, you must run stormy in order to set up a hidden service with it. During HS setup, it adds other packages and adjusts various configurations.

You could make Stormy refuse to start if popcon is installed, but it could narc you out before you fix the problem so that isn't the right approach.

It would definitely narc you out if Stormy had been installed through debian, but not configured (such as before Stormy is ever run). This is definitely a concern, as someone could install the application but not set up their hidden service for a while.

If you want to make sure popcon never reports Stormy, I think using the Conflicts line is the only way to do it.

Thanks!

It does at least encrypt the reports it sends back, though.

The FAQ says that they "evaluate" using public key encryption. http://popcon.debian.org doesn't even use SSL. Although it does seem like it might be possible to run it through Tor if its mail function is disabled.

The Tails team also had a good discussion about why it was disabled by default: https://mailman.boum.org/pipermail/tails-dev/2012-October/001960.html

• popcon readme
• popcon faq
• popcon bugs
• popularity contest mailing list
• popularity contest mailing list: Drop atime and ctime for privacy reasons possible?
• The connection would obviously need to go over its own Tor circuit (stream isolation). At the moment popcon tries to go through http and if it fails (no internet connectivity) it goes into the mail queue. (sendmail) Sendmail probably works though TransPort, but we don't know if it can be torified for proper stream isolation or if you want to implement TransPort.
• (From the popcon readme) "Each popularity-contest host is identified by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf)." - This would allow to enumerate a quite good guess about the amount number of users.
• If you were to ship a VM image, MY_HOSTID would probably get created at build time and all users would have the same MY_HOSTID, which would make it useless. A new MY_HOSTID would have to be created at first boot. But as long you are using a script, that won't be an issue.
• Popcon runs at a random day. Good.
• If the machine is powered on: it runs at 6:47, which is bad, because a local adversary (ISP or hotspot) could guess popcon runs over Tor (traffic pattern).
• If the machine is powered off at 6:47, it sends the report later, only if anachron is installed. It shouldn't run instantly after powering on, also for fingerprinting reasons. The time would have to be truly randomized.
• As long as the transmission is not encrypted, see popularity-contest should encrypt contents Malicious Tor exit relays could modify the transmission, but this is only a minor issue. Such malicious Tor exit relays could send fake transmissions on their own. Encryptoin has been added (see debian bug ticket), but I am not sure it landed in the repos yet.
• It's questionable if and if yes, how long Debian will accept popularity contest transmissions from Tor exit relays. There is potential for electoral fraud.

While encryption may be available, the decision was made some time ago to disable popcon for Stormy users. They can re-enable it if they like, but considering the use-case of Stormy, this seems unlikely.

I think we should consider uninstalling popcon when tor is installed also, and leaving this ticket open in case people have other thoughts on this.

Trac:
Description: I am wondering whether to force-uninstall Debian's popularity-contest package as part of Stormy's installation process. It would be good to have an idea how popular Stormy is, but on the other hand, I'm not sure how anonymous the reporting is on Debian's end.

This is also relevant for users of the tor package, who might also be at mild risk (though far less so because the number of users is so high, and doesn't reveal location of location-hidden services).

Anyone have opinions on this? I'm leaning towards checking if popularity-contest is installed and then asking if the user would like it to be removed.

to

I am wondering whether to force-uninstall Debian's popularity-contest package as part of Stormy's installation process. It would be good to have an idea how popular Stormy is, but on the other hand, I'm not sure how anonymous the reporting is on Debian's end.

This is also relevant for users of the tor package, who might also be at mild risk (though far less so because the number of users is so high, and doesn't reveal location of location-hidden services).

Anyone have opinions on this? I'm leaning towards checking if popularity-contest is installed and then asking if the user would like it to be removed.

EDIT: We should also discuss whether to remove it as part of Tor's installation process overall.
Component: - Select a component to Tor

Trac:
Cc: griffin@cryptolab.net to griffin@cryptolab.net, weasel

Trac:
Component: Tor to Tor bundles/installation

Trac:
Username: satiroloko
Summary: Debian's "popularity contest" package as threat vector? to https://trac.torproject.org/projects/tor/wiki/WikiFormattingDebian's "popularity contest" package as threat vector?
Reviewer: N/A to N/A
Severity: N/A to Major
Cc: griffin@cryptolab.net, weasel to griffin@cryptolab.net, weasel, satiroloko
Sponsor: N/A to N/A
Status: accepted to closed
Resolution: N/A to fixed

Replying to saint:

I am wondering whether to force-uninstall Debian's popularity-contest package as part of Stormy's installation process. It would be good to have an idea how popular Stormy is, but on the other hand, I'm not sure how anonymous the reporting is on Debian's end.

This is also relevant for users of the tor package, who might also be at mild risk (though far less so because the number of users is so high, and doesn't reveal location of location-hidden services).

Anyone have opinions on this? I'm leaning towards checking if popularity-contest is installed and then asking if the user would like it to be removed.

EDIT: We should also discuss whether to remove it as part of Tor's installation process overall.

Trac:
Username: satiroloko
Version: N/A to Tor: 0.3.0.0-alpha-dev
Type: enhancement to project
Sponsor: N/A to Sponsor4

Trac:
Status: closed to reopened
Sponsor: Sponsor4 to N/A
Severity: Major to Normal
Version: Tor: 0.3.0.0-alpha-dev to N/A
Summary: https://trac.torproject.org/projects/tor/wiki/WikiFormattingDebian's "popularity contest" package as threat vector? to Debian's "popularity contest" package as threat vector?
Resolution: fixed to N/A
Type: project to enhancement

People opt into participating in popcon. We should no more (ask to) uninstall it than any other random package should cause tor to be uninstalled.

Trac:
Status: reopened to closed
Resolution: N/A to wontfix

closed