Active Topics

 


Reply
Thread Tools
Posts: 1,293 | Thanked: 4,319 times | Joined on Oct 2014
#31
Originally Posted by jonwil View Post
One thing we definatly need to do if we upgrade NSS or otherwise update the security for the N900 is to make sure it passes this test page
https://www.ssllabs.com/ssltest/viewMyClient.html
and doesn't bring up any red flags on there.

Right now it shows a bunch of red flags.
Bringing in a newer version of NSS would probably solve a lot of this (since it would have SSL3 turned off and TLS1.2 support and not support weak ciphers and etc)
Hmm shows my onyx doesn't support tlsv1.2, yet, down the list, it does lol.
Not perfect test honestly.
 

The Following 3 Users Say Thank You to nieldk For This Useful Post:
Posts: 1,203 | Thanked: 3,027 times | Joined on Dec 2010
#32
Did anyone ever look at reviving gtkmozembed by hooking it up to embedlite?
 

The Following 3 Users Say Thank You to Android_808 For This Useful Post:
Posts: 262 | Thanked: 315 times | Joined on Jun 2010
#33
Originally Posted by wicket View Post
Both programs that MicroB is comprised of (browser and browserd), run as the user user. For the two points above to be possible, a vulnerability would need to be exploited in the kernel or some other software. This may be possible indirectly through some other MircoB exploit, otherwise MicroB itself is completely safe from these.
If arbitrary code execution was possible, even as the user user from MicroB, yes, you're correct that they wouldn't be able to encrypt your files at the filesystem level, but wouldn't they still be able to delete/encrypt/corrupt/copy them on an individual basis?
 

The Following 3 Users Say Thank You to Xagoln For This Useful Post:
wicket's Avatar
Posts: 634 | Thanked: 3,266 times | Joined on May 2010 @ Colombia
#34
Originally Posted by Xagoln View Post
If arbitrary code execution was possible, even as the user user from MicroB, yes, you're correct that they wouldn't be able to encrypt your files at the filesystem level, but wouldn't they still be able to delete/encrypt/corrupt/copy them on an individual basis?
An arbitrary code execution exploit in MicroB would give an attacker the same privileges as the user user. This normally means they would have read/write access to everything under /home/user including MyDocs. This assumes that the device owner hasn't done anything stupid to weaken the security. One thing that I forgot is that many users here use rootsh without a password which would of course gives the attacker full access to the device.

Even if rootsh isn't installed, the user may not be safe. The default setup allows it to be installed without root privileges. In my opinion rootsh should be removed from the repositories but this probably wouldn't even be enough.

If you ask me, Maemo is very broken in this respect. It's not that hard for an attacker to create some malware, create multiple Garage accounts and then vote it up for promotion to Extras. Actually, they probably don't even need to do that. They can just enable Extras-devel and install anything from that. It's part of the reason why I want to replace Maemo with Debian.
__________________
DebiaN900 - Native Debian on the N900. Deprecated in favour of Maemo Leste.

Maemo Leste for N950 and N9 (currently broken).
Devuan for N950 and N9.

Mobile devices with mainline Linux support - Help needed with documentation.

"Those who do not understand Unix are condemned to reinvent it, poorly." - Henry Spencer

Last edited by wicket; 2016-09-17 at 22:54.
 

The Following 5 Users Say Thank You to wicket For This Useful Post:
wicket's Avatar
Posts: 634 | Thanked: 3,266 times | Joined on May 2010 @ Colombia
#35
So I've been playing around with web browsers in Easy Debian (jessie). One option that I like is Midori which is available in jessie-backports. It passes all of the Cipher Suites tests from SSL Labs. It fails the Mixed Content Tests but it's not clear what are the implications these failures. I think I'm going to make it my main browser.

Here are some Midori usage tips if anyone is interested:
  • Make sure you install the ca-certificates package.
  • The first thing you'll notice is that it doesn't display the address bar due to the screen size however there are a few ways around that. The most practical one is to change the Toolbar Style to "Small icons" under Preferences.
  • It has a full screen option which is nice. There's a Shortcuts extension that can be installed to remap the full screen keyboard shortcut. This extension can be removed after configuration without affecting the the new mapping. Removing it probably slightly reduces the memory footprint.
  • It has an option to launch a web page as a web app (-a on the command line) which reduces the memory footprint (at least for single page viewing). You can do cool things like this:

    Code:
    $ debbie midori -e Fullscreen -a https://m.uber.com
    Who needs Android or iOS for an Uber app?
  • Zoom can be controlled with Ctrl-+ and Ctrl--. The default zoom level can be set under Preferences. I've set mine to 0.75 to help get around the N900's limited screen resolution (although it does helps that I'm slightly short-sighted so I can actually read small text )
  • Something that I set up a long time ago on my N900 was to use Browser Switchboard (available in Extras) to disable autostart of MicroB. This causes it to take much longer to start up but the memory this frees up makes it well worthwhile in my opinion.

If anyone has any spare time, it would be nice to update the Midori and libwebkit packages in Extras to the latest versions.
__________________
DebiaN900 - Native Debian on the N900. Deprecated in favour of Maemo Leste.

Maemo Leste for N950 and N9 (currently broken).
Devuan for N950 and N9.

Mobile devices with mainline Linux support - Help needed with documentation.

"Those who do not understand Unix are condemned to reinvent it, poorly." - Henry Spencer

Last edited by wicket; 2016-09-19 at 01:15. Reason: Figured out how to launch web apps in full screen
 

The Following 11 Users Say Thank You to wicket For This Useful Post:
Posts: 262 | Thanked: 315 times | Joined on Jun 2010
#36
Originally Posted by wicket View Post
An arbitrary code execution exploit in MicroB would give an attacker the same privileges as the user user. This normally means they would have read/write access to everything under /home/user including MyDocs. This assumes that the device owner hasn't done anything stupid to weaken the security. One thing that I forgot is that many users here use rootsh without a password which would of course gives the attacker full access to the device.
Indeed. I was thinking of rootsh as an attack vector, although in my limited experimentation I was not able to pass commands to /usr/bin/root. There are surely ways though.

If you ask me, Maemo is very broken in this respect. It's not that hard for an attacker to create some malware, create multiple Garage accounts and then vote it up for promotion to Extras. Actually, they probably don't even need to do that. They can just enable Extras-devel and install anything from that. It's part of the reason why I want to replace Maemo with Debian.
I agree totally, and that's something that's been on my mind a lot, although I think any alternatives to Maemo are currently too clunky or lacking in vital features if one still wants to use their N900 as a phone.
 

The Following 5 Users Say Thank You to Xagoln For This Useful Post:
Halftux's Avatar
Posts: 868 | Thanked: 2,516 times | Joined on Feb 2012 @ Germany
#37
Originally Posted by wicket View Post

If anyone has any spare time, it would be nice to update the Midori and libwebkit packages in Extras to the latest versions.
So for compiling some newer libwebkit you need to stick to gcc 4.7 this is not a big problem. In addition you need to have glib >=2.36.0 and maemo has only 2.20.3 so I guess this will not work.
I tried with webkitgtk-2.4.11 from debian sid.
 

The Following 6 Users Say Thank You to Halftux For This Useful Post:
Maemish's Avatar
Posts: 1,719 | Thanked: 4,765 times | Joined on Apr 2018 @ Helsinki, Finland.
#38
Any idea how is the security today or is it at the same level as before? Did anyone do anything to these security matters or is there somewhere like the basic safety and security instructions on using N900? I have just been using it and haven't really thought of how to make it more secure. I would like to know: I have cssu-testing (maybe devel).

1. Is there a way to update the certificates of the device/microb?

2. If you have rootsh installed do you need to set a root password (haven't seen instructions for that shared or mentioned too much on this forum)?

3. Is Glenwall firewall valid and are there good instructions somewhere for a basic user what to use while just browsing?

4. Are people still interested these things or should I just wait for Maemo Leste to be a proper solution?

5. I have been using Mobile Hotspot for sharing my wifi to N810. It uses only WEP encryption so is there a better option which people use?

6. I have set up with the stock email app connection to my secure email provider with imap and ssl etc. Is there some problems with that email app and should I use some other (it just works so fine and would not want to change to something not as good)?

7. Is using a browser with easy debbie more secure by default or is it related to a newer browser (netsurf 3.8)?

8. Noticed that in some post it was mentioned that "just update global trust list with mozillas and you are good to go". Seems as a good option compared not doing anything. Is it good option and how to do it, or is there a better option and how to do that?

Would really like to know what I should have understood in the beginning when started to use this device.
__________________
"I don't know how but I can try!" (active)

Master of not knowing (active)

For me it is possible to get lost in any case (active)

Learning to fall from high (DONE)

Learning to code with BASIC (WIP)

Last edited by Maemish; 2019-03-16 at 23:57.
 

The Following 3 Users Say Thank You to Maemish For This Useful Post:
endsormeans's Avatar
Posts: 3,141 | Thanked: 8,161 times | Joined on Feb 2013 @ From my Gabriola Island hermitage, near the Edge of the World
#39
Concerning #2
rootsh doesn't need a password ...

(I wouldn't ...nor device password...there are a good long list of threads and posts titled like :
"forgot password , locked out of device , help!?!?"
next thing you know you forget it....then you are up a fast flowing body of water without a handheld device to navigate with)

concerning all your other many questions ...
essentially what you want is someone to do the leg work for you and hunt down answers and forum links to answers...
And it may take a lot of time to do just that..
Some here may know one or two... or a couple of quick answers...
But...
Why not use the the search button to your right?
That is how people figure things out here.

Asking for answers for the list of questions you have ...
before looking and trying the answers provided in forum posts by those who have posted the most recent successes ..
is working backwards.

I would suggest looking first.
That is the whole point of keeping a decade plus of past threads and posts...
to research them.
If you have a hard time after hunting down your questions...
and after finding answers ...
whether due to the solutions being outdated ...
or no answers at all found...
Then definitely ask for help.

But with your particular questions...
I think you won't find it too difficult to hunt down the requisite posts concerning the topics...
They quite common questions ...
So there should be plenty of documentation readily available ..
via the search function here.
__________________
Lurker since 2007, Member since 2013, Certifiable since 1972

Owner of :
1-n770 (in retirement), 3-n800's / 3-n810's (still in daily use), 5-n900's ((3 are flawless, 1 loose usb ( parts), 1 has no telephony (parts))
3-nexus 5's : 1 w/ Floko Pie 9.1 (running beautifully) waiting for Stable Droid 10 rom, 1 w/ ̶Ubuntu Touch, 1 with Maru OS (intend maemo leste when ready)

1/2 - neo900 pre- "purchased" in 2013. N̶o̶w̶ ̶A̶w̶a̶i̶t̶i̶n̶g̶ ̶r̶e̶f̶u̶n̶d̶ ̶p̶r̶o̶c̶e̶s̶s̶ ̶l̶a̶s̶t̶ ̶f̶e̶w̶ ̶y̶e̶a̶r̶s̶ - neo900 start up declared officially dead -
Lost invested funds.


PIMP MY N8X0 (Idiot's Guide and a video walkthrough)http://talk.maemo.org/showthread.php?t=94294
THE LOST GRONMAYER CATALOGShttp://talk.maemo.org/showthread.php...ight=gronmayer
N8X0 VIDEO ENCODING THE EASY WAYhttp://talk.maemo.org/showthread.php...ght=mediacoder
242gb ON N800http://talk.maemo.org/showthread.php?t=90634
THE PAIN-FREE MAEMO DEVELOPMENT LIVE DISTRO-ISO FOR THE NOOB TO THE PROhttp://talk.maemo.org/showthread.php?t=95567
AFFORDABLE MASS PRODUCTION FOR MAEMO PARTShttp://talk.maemo.org/showthread.php?t=93325

Meateo balloons now available @ Dave999's Meateo Emporium
 

The Following User Says Thank You to endsormeans For This Useful Post:
Maemish's Avatar
Posts: 1,719 | Thanked: 4,765 times | Joined on Apr 2018 @ Helsinki, Finland.
#40
I think that would just not be wise. I have been here now for a year. There are people who have been maybe ten and are still using their device daily. I believe that if they use it daily they have probably sorted out some security stuff. Now if some new person starts to use N900 I don't see a real value for him to need to use lots and lots of time reading different threads in this forum trying to find answers to many questions if there are people who know the answers and could easily give them.

I have tried to search answers but in many threads it goes the same way as in this: a good title making you think that from that thread you will find answers. Well I didin't find answers, just talk about many things what would be good to be done but I don't know what happened. Did someone find solutions?

I see making my questions (which I thought first to put on a new thread "Security of N900 in 2019" to make it easier for everyone to have one thread under which to disguss about it but because I would have probably got an answers "do not start a new thread if there is already a similar thread" I searched one which had ended with only questions and ideas in the air without solutions or answers) in this particular thread a very wise thing to do.

If someone knows the answers and will answer them in this thread which is left as kind of unfinished state then if there comes a next person searching for answers from this same thread then he will find the answers and the title of the thread is not kind of misleading or a disappointment.

If there is a thread or a wikipage of the security of N900 which clearly guides a new N900 user through things explaining these very serious matters well, then my bad. Just say there is one and I will shame. But if there isn't such, there should be. To make a new N900 user to search about this kind of matters from many many different threads which may or may not give answers which may or may not be updated (some may have answers predating cssu, cssu testing or cssu devel solutions).

I think that this forum would have more value if there would be a procedure of keeping some wikipages updated that way that always when there comes a new user asking the same guestions you could just say "first read all these pages for new users". Now I have got answers from some or just "read through the forum" sometimes. I just don't think it is a wise thing to do and I think this should change.

You have done your part really well endsormeans with your guide for N8x0 which you updated now when there was a dead link. You can always point a person to read it. So should be with security matters if they are not dealt with installing cssu updates (maybe they are but it was left unaswered in this thread, on a mere idea stage).

If someone knows these answers I don't know why he would not like to answer. Only proper reason would be that the answers are already there easily found. I claim they aren't and that there are only few here who really knows and who knows which threads are dead ends and which threads have real answers which are still up to date and which are unneccessary or may even make things worse.

I think I have right to ask. You have the right not to answer. From my point of view to go through threads which do not give answers is wasted time and not wise thing to do. You may oppose and see a value there. And we may stay thinking about this matter differently and its perfectly ok.

I understand people are thired of answering same questions to new users. I'm trying to help to make it stop. "The perfect setup for N900", they are good. If someone would like to make one about N900 security that would be very helpfull to all I think.
__________________
"I don't know how but I can try!" (active)

Master of not knowing (active)

For me it is possible to get lost in any case (active)

Learning to fall from high (DONE)

Learning to code with BASIC (WIP)

Last edited by Maemish; 2019-03-17 at 09:46.
 

The Following 2 Users Say Thank You to Maemish For This Useful Post:
Reply

Tags
fremantle, microb


 
Forum Jump


All times are GMT. The time now is 15:43.