Opened 5 years ago

Closed 3 years ago

#13154 closed enhancement (wontfix)

Debian's "popularity contest" package as threat vector?

Reported by: saint
Owned by: saint
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity: Normal
Keywords: tor-hs, Debian, Stormy
Cc: griffin@…, weasel, satiroloko
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by saint)

I am wondering whether to force-uninstall Debian's popularity-contest package as part of Stormy's installation process. It would be good to have an idea how popular Stormy is, but on the other hand, I'm not sure how anonymous the reporting is on Debian's end.

This is also relevant for users of the tor package, who might also be at mild risk (though far less so because the number of users is so high, and doesn't reveal location of location-hidden services).

Anyone have opinions on this? I'm leaning towards checking if popularity-contest is installed and then asking if the user would like it to be removed.

EDIT: We should also discuss whether to remove it as part of Tor's installation process overall.

Change History (13)

comment:1 Changed 5 years ago by cypherpunks

Good call!

It would be awesome if popcon used tor when it found it installed. But since that won't happen anytime soon, I think it is reasonable to list it in the Conflicts line of Stormy's debian package.

Btw, what do you mean by "install process"? I'm assuming there will be a debian package, otherwise popcon wouldn't be an issue... but, removing the package in stormy's preinst or postinst script isn't possible, I think, because dpkg is still running.

You could make Stormy refuse to start if popcon is installed, but it could narc you out before you fix the problem so that isn't the right approach. If you want to make sure popcon never reports Stormy, I think using the Conflicts line is the only way to do it.

comment:2 Changed 5 years ago by cypherpunks

It would be nice if popcon let individual packages opt-out, and/or let users decide not to report about certain packages. As far as I can tell it doesn't currently have any ability to report about some packages but not others. It does at least encrypt the reports it sends back, though. See http://popcon.debian.org/FAQ

comment:3 Changed 5 years ago by saint

Owner: set to saint
Status: new → accepted

comment:4 in reply to:  1 Changed 5 years ago by saint

Replying to cypherpunks:

> Btw, what do you mean by "install process"? I'm assuming there will be a debian package, otherwise popcon wouldn't be an issue... but, removing the package in stormy's preinst or postinst script isn't possible, I think, because dpkg is still running.

After install, you must run stormy in order to set up a hidden service with it. During HS setup, it adds other packages and adjusts various configurations.

> You could make Stormy refuse to start if popcon is installed, but it could narc you out before you fix the problem so that isn't the right approach.

It would *definitely* narc you out if Stormy had been installed through debian, but not configured (such as before Stormy is ever run). This is definitely a concern, as someone could install the application but not set up their hidden service for a while.

> If you want to make sure popcon never reports Stormy, I think using the Conflicts line is the only way to do it.

Thanks!

> It does at least encrypt the reports it sends back, though.

The FAQ says that they "evaluate" using public key encryption. http://popcon.debian.org doesn't even use SSL. Although it does seem like it might be possible to run it through Tor *if* its mail function is disabled.

The Tails team also had a good discussion about why it was disabled by default: https://mailman.boum.org/pipermail/tails-dev/2012-October/001960.html

comment:5 Changed 5 years ago by proper

  • popcon readme
  • popcon faq
  • popcon bugs
  • popularity contest mailing list
  • popularity contest mailing list: Drop atime and ctime for privacy reasons possible?
  • The connection would obviously need to go over its own Tor circuit (stream isolation). At the moment popcon tries to go through http and if it fails (no internet connectivity) it goes into the mail queue. (sendmail) Sendmail probably works through TransPort, but we don't know if it can be torified for proper stream isolation or if you want to implement TransPort.
  • (From the popcon readme) "Each popularity-contest host is identified by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf)." - This would allow one to enumerate a quite good guess about the number of users.
  • If you were to ship a VM image, MY_HOSTID would probably get created at build time and all users would have the same MY_HOSTID, which would make it useless. A new MY_HOSTID would have to be created at first boot. But as long as you are using a script, that won't be an issue.
  • Popcon runs at a random day. Good.
  • If the machine is powered on: it runs at 6:47, which is bad, because a local adversary (ISP or hotspot) could guess popcon runs over Tor (traffic pattern).
  • If the machine is powered off at 6:47, it sends the report later, only if anacron is installed. It shouldn't run instantly after powering on, also for fingerprinting reasons. The time would have to be truly randomized.
  • As long as the transmission is not encrypted (see "popularity-contest should encrypt contents"), malicious Tor exit relays could modify the transmission, but this is only a minor issue. Such malicious Tor exit relays could send fake transmissions on their own. Encryption has been added (see Debian bug ticket), but I am not sure it landed in the repos yet.
  • It's questionable whether, and if so for how long, Debian will accept popularity contest transmissions from Tor exit relays. There is potential for electoral fraud.

comment:6 Changed 5 years ago by saint

While encryption may be available, the decision was made some time ago to disable popcon for Stormy users. They can re-enable it if they like, but considering the use-case of Stormy, this seems unlikely.

I think we should consider uninstalling popcon when tor is installed also, and leaving this ticket open in case people have other thoughts on this.
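The check discussed above (is popcon reporting from this host, and does it still carry a MY_HOSTID baked into a shared image), as an added example that is not part of the ticket or of Stormy's code. The function names, the `baked_id` parameter and the sample values are assumptions made for illustration; `PARTICIPATE`, `MY_HOSTID` and `USEHTTP` are keys of `/etc/popularity-contest.conf`.

```shell
#!/bin/sh
# Added example (not from the ticket): audit a popularity-contest config file.
# The file is parsed, never sourced, so auditing it executes nothing from it.

# Print the value of KEY ($2) from a KEY="value" style conf file ($1).
# The last assignment wins, as it would if a shell sourced the file.
conf_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*$/\1/p" "$1" | tail -n 1
}

# Classify a host; prints one of:
#   not-configured  conf file absent or unreadable
#   opted-out       PARTICIPATE is "no" or unset
#   shared-hostid   reporting with the MY_HOSTID baked into an image ($2)
#   reporting       reporting with a MY_HOSTID of its own
# Assumption: any PARTICIPATE value other than "no"/empty is counted as
# reporting (conservative), and defaults shipped outside this file are ignored.
popcon_status() {
    conf=$1
    baked_id=${2:-}   # hypothetical: the ID recorded when the image was built
    [ -r "$conf" ] || { echo not-configured; return 0; }
    participate=$(conf_get "$conf" PARTICIPATE)
    hostid=$(conf_get "$conf" MY_HOSTID)
    case $participate in
        ""|no|No|NO) echo opted-out; return 0 ;;
    esac
    if [ -n "$baked_id" ] && [ "$hostid" = "$baked_id" ]; then
        echo shared-hostid
    else
        echo reporting
    fi
}

# Constructed sample conf (not from a real host); prints the temp file path.
sample_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' "PARTICIPATE=\"$1\"" \
        "MY_HOSTID=\"$2\"" 'USEHTTP="yes"' > "$f"
    echo "$f"
}

img_id=0123456789abcdef0123456789abcdef   # constructed 128-bit ID
c=$(sample_conf yes "$img_id")
echo "cloned image: $(popcon_status "$c" "$img_id")"
rm -f "$c"
```

On a real host the call would be `popcon_status /etc/popularity-contest.conf`, with the image's build-time ID as an optional second argument.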

comment:7 Changed 5 years ago by saint

Component: - Select a component → Tor
Description: modified (diff)

comment:8 Changed 5 years ago by nickm

Cc: weasel added

comment:9 Changed 5 years ago by nickm

Component: Tor → Tor bundles/installation

comment:10 Changed 3 years ago by satiroloko

Cc: satiroloko added
Resolution: fixed
Severity: Major
Status: accepted → closed
Summary: Debian's "popularity contest" package as threat vector? → https://trac.torproject.org/projects/tor/wiki/WikiFormattingDebian's "popularity contest" package as threat vector?

comment:11 in reply to:  description Changed 3 years ago by satiroloko

Sponsor: Sponsor4
Type: enhancement → project
Version: Tor: 0.3.0.0-alpha-dev

Replying to saint:

> I am wondering whether to force-uninstall Debian's popularity-contest package as part of Stormy's installation process. It would be good to have an idea how popular Stormy is, but on the other hand, I'm not sure how anonymous the reporting is on Debian's end.
>
> This is also relevant for users of the tor package, who might also be at mild risk (though far less so because the number of users is so high, and doesn't reveal location of location-hidden services).
>
> Anyone have opinions on this? I'm leaning towards checking if popularity-contest is installed and then asking if the user would like it to be removed.
>
> EDIT: We should also discuss whether to remove it as part of Tor's installation process overall.

comment:12 Changed 3 years ago by gk

Resolution: fixed
Severity: Major → Normal
Sponsor: Sponsor4
Status: closed → reopened
Summary: https://trac.torproject.org/projects/tor/wiki/WikiFormattingDebian's "popularity contest" package as threat vector? → Debian's "popularity contest" package as threat vector?
Type: project → enhancement
Version: Tor: 0.3.0.0-alpha-dev

comment:13 Changed 3 years ago by weasel

Resolution: wontfix
Status: reopened → closed

People opt into participating in popcon. We should no more (ask to) uninstall it than any other random package should cause tor to be uninstalled.
