Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Advice needed for secure IM/Voice/Video Service

Wasabee wasabee18 at gmail.com
Tue Jul 2 02:22:32 PDT 2013


On 29/06/2013 20:57, Anthony Papillion wrote:
> On 06/29/2013 08:14 AM, Nick wrote:
>> Quoth Fabio Pietrosanti (naif):
>>> It would be a nice transparency measure to run a small web server
>>> that provide direct access to the full server filesystem, allowing
>>> to browse everything and download any files, with few exceptions
>>> such as SSH or SSL private keys.
>>>
>>> That way anyone would be able to fully inspect the server, even
>>> without logging-in, by assessing configurations and checking out
>>> that logs are not kept.
>> It would be nice, but you're still entirely trusting the server
>> admin to be providing an honest view of the system.
> Both of you bring up good points and it's something I personally worry
> about when using a service: even though a server admin "says" they
> aren't logging, how do we really *they* aren't logging? In some cases,
> we can go by reputation in the community. For example, if Jacob
> Appelbaum from the Tor Project started a service, we could all be
> "fairly sure" that he's not going to do something sneaky. But someone
> like me, who's brand new in the community with zero reputation, that's a
> different story.
>
> Thank you both for the feedback. I'm going to look at what you both said
> and see what I can do.
>
> Thanks!
> anthony
>
some info might also be useful for hacking you, e.g. if you expose your 
php version, kernel version, etc. if you give the world read access to 
everything; u'd better make sure you patch your system as promptly as 
possible. if you're hacked once; nobody will ever trust ur system 
anymore; especially if u have not patched against known vulnerabilities.
There are things like trusted boot u could use to have better certitude 
there is no rootkit on ur system. but u need to reboot the machine once 
in a while so it's not optimum. Maybe u can have several VMs and 
re-route traffic to another VM when u reboot one server.

There is some work on type-safe web servers and disposable VM like 
http://www.xenproject.org/developers/teams/mirage-os.html, 
<http://www.xenproject.org/developers/teams/mirage-os.html>http://erlangonxen.org/, 
https://github.com/GaloisInc/HaLVM that theoretically make it virtually 
impossible for u to get hacked into (not by the hosting company though). 
However m note sure how easy it is to add ur own tweaks to it.
also, i think they still rely on some c/c++ code for ssl and this is 
perfect either.

Maybe u're simply better off using a good sandboxing mechanism for ur 
web server.

Just thoughts...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130702/efe62a52/attachment.html>


More information about the liberationtech mailing list