[liberationtech] feed over email

Steve Weis steveweis at gmail.com
Tue Feb 1 10:10:25 PST 2011


Glancing through the code, I don't see any circumvention. It relies on
using a mail provider that supports SSL. That is optional and must be
configured by the end user (see below).

If a user does not configure FOE to use an SSL email provider,
everything will be sent in the clear. That is easy to filter and could
put end users receiving verboten material at risk.

Worse, there is no authentication of message payloads from the server.
I think I can spoof a message with a malicious payload that will be
written to disk in the client's RSS catalog (see link below).

This is somewhat moot because it is Windows-only, requires installing
a client, and no binaries are available for download. That's probably
a good thing.

A couple issues from a cursory look at the code:
1. SSL is not required. Someone using this who didn't explicitly use
an email provider supporting SSL will be trivial to track:
http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Common/OpenPOP-SSL/POP3/POPClient.cs#444
2. There is no authentication of messages from the server. This could
put clients at risk since they will be saving untrusted content to
disk: http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Client/FoeClientMessage.cs#290
3. I suspect the server DB code is vulnerable to a SQL injection attack,
although input might be getting properly sanitized by C#'s SqlClient.
I will bet a beer that someone can find an exploit:
http://code.google.com/p/foe-project/source/browse/trunk/FOE/foe2010-current/Server/FoeServerMessage.cs#259

Background links:
http://code.google.com/p/foe-project/
http://www.defcon.org/images/defcon-18/dc-18-presentations/Ho/DEFCON-18-Ho-FOE.pdf

On Tue, Feb 1, 2011 at 2:05 AM, Luke Allnutt <AllnuttL at rferl.org> wrote:
>
> Dear All,
>
> I saw this story on the Broadcasting Board Of Governors testing this "feed
> over email" system:
>
> http://www.nextgov.com/nextgov/ng_20110131_3828.php?oref=rss#
>
> Just wondered if anyone had any thoughts on how effective this is as a
> circumvention tool?
>
> Best Wishes,
> Luke
>
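The second point above (the client writes whatever the server mails it into its RSS catalog without checking who sent it) is the kind of thing a reader may want to see concretely. The following is an added example, not code from the FOE project or from the poster: it shows a client that accepts a feed item only after verifying an HMAC-SHA256 tag computed under a key shared with the server, and that additionally refuses item IDs which could escape the catalog directory. The wire format (a JSON object with "item" and "tag" fields), the key, the item fields and the sample messages are all assumptions constructed for the example; FOE's real message layout is not shown on this page. A shared HMAC key only proves that the sender knew the key, so a per-server signing key would be the stronger design, but the check-before-write discipline is the same.

```python
import hashlib
import hmac
import json
import os
import re
import tempfile

# Item IDs become file names, so restrict them to a safe alphabet.
# This blocks "../x", absolute paths and separators outright.
SAFE_ITEM_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def canonical(item):
    """Canonical JSON so server and client MAC the same bytes."""
    return json.dumps(item, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_item(key, item):
    """Server side (hypothetical): wrap a feed item with an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(item), hashlib.sha256).hexdigest()
    return {"item": item, "tag": tag}


def verify_message(key, message):
    """Client side: return the item if its tag verifies, otherwise None."""
    item = message.get("item")
    tag = message.get("tag")
    if not isinstance(item, dict) or not isinstance(tag, str):
        return None
    expected = hmac.new(key, canonical(item), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    return item


def store_item(catalog_dir, key, message):
    """Write an item into the catalog only after it authenticates and its id is safe."""
    item = verify_message(key, message)
    if item is None:
        return False
    item_id = item.get("id")
    if not isinstance(item_id, str) or not SAFE_ITEM_ID.match(item_id):
        return False
    path = os.path.join(catalog_dir, item_id + ".json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump(item, f)
    return True


def demo():
    """Run four constructed messages through the client and report what landed on disk."""
    key = b"constructed-shared-secret"          # assumption: provisioned out of band
    catalog = tempfile.mkdtemp(prefix="foe-catalog-")
    genuine = sign_item(key, {"id": "item-001", "title": "Genuine post",
                              "link": "http://feed.example.invalid/1"})
    # Spoofed: an attacker who can send mail to the client but lacks the key.
    spoofed = {"item": {"id": "item-002", "title": "Spoofed post",
                        "link": "http://attacker.invalid/payload"},
               "tag": "00" * 32}
    # Tampered: a genuine tag reused over a modified item.
    tampered = {"item": dict(genuine["item"], link="http://attacker.invalid/swap"),
                "tag": genuine["tag"]}
    # Signed by the real server but with an id that would escape the catalog.
    traversal = sign_item(key, {"id": "../../escape", "title": "Signed but unsafe id"})
    return {
        "genuine": store_item(catalog, key, genuine),
        "spoofed": store_item(catalog, key, spoofed),
        "tampered": store_item(catalog, key, tampered),
        "traversal": store_item(catalog, key, traversal),
        "files": sorted(os.listdir(catalog)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine message is written; the spoofed and tampered ones fail the MAC, and the traversal one authenticates but is rejected by the ID filter before any path is built.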

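On the third point, the thing to look for in the server DB code is whether values taken from incoming mail (the From address, the requested feed URL) are concatenated into the SQL string or bound as parameters; a database client library does not sanitize a query that has already been assembled as text. The following is an added example, not FOE's code, using an in-memory SQLite table with a constructed schema and two constructed rows to show the difference. The table name, columns and sample data are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users' feed requests (not FOE's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE requests (id INTEGER PRIMARY KEY, sender TEXT, feed_url TEXT)"
    )
    conn.executemany(
        "INSERT INTO requests (sender, feed_url) VALUES (?, ?)",
        [
            ("alice@example.invalid", "http://feed-a.example.invalid/rss"),
            ("bob@example.invalid", "http://feed-b.example.invalid/rss"),
        ],
    )
    conn.commit()
    return conn


def feeds_for_sender_vulnerable(conn, sender):
    """The From header is pasted into the SQL text, so it is parsed as SQL."""
    sql = "SELECT feed_url FROM requests WHERE sender = '" + sender + "'"
    return [row[0] for row in conn.execute(sql)]


def feeds_for_sender_safe(conn, sender):
    """The same lookup with a bound parameter: the value is never parsed as SQL."""
    rows = conn.execute(
        "SELECT feed_url FROM requests WHERE sender = ?", (sender,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    injected = "nobody@example.invalid' OR '1'='1"
    print("vulnerable:", feeds_for_sender_vulnerable(db, injected))  # every row
    print("safe:      ", feeds_for_sender_safe(db, injected))        # no rows
```

With the crafted sender, the concatenated query returns every user's feed subscription, which in a circumvention tool is exactly the kind of list that should never leak; the parameterized query returns nothing because no sender literally matches that string. The same split applies to .NET: building the string and handing it to SqlCommand is the first shape, adding SqlParameter values is the second.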