Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] "uVirtus Linux, encrypted OS for Syria": a security review

Sahar Massachi Sahar at
Thu Feb 6 16:37:47 PST 2014

The fact that there's a "naked sudo" hole is brutal.

Forgive me if I misunderstand the problem, but how could *anyone* ship a
distribution with a passwordless sudo? That seems like it requires
deliberate malice to even set up.

On Thu, Feb 6, 2014 at 2:18 PM, KheOps <kheops at> wrote:

> Hash: SHA1
> Dear all,
> The uVirtus live distribution was publicized back in September as a
> secure live OS specifically designed for Syrians. It stems from the idea
> of having a one-click easy to use VPN client that uses OpenVPN over
> Obfsproxy.
> After testing it and discovering a few issues, I spent some more time in
> order to dig a bit more into its security.
> I noticed numerous worrying security issues, and in overall it does not
> appear to me as really responsible to recommend it instead of, say,
> Tails. Issues include for instance holes that may help an attacker
> compromise the user's machine by gaining root access and weak protection
> against data leaking in cleartext out of the VPN.
> I published a report that lists all the issues I could find and tried to
> assess their seriousness. I hope it is detailed and precise enough.
> It is available here in English:
> And in Arabic (sorry for the long link):
> We should thank Ameer, a Telecomix friend who spent a lot of time on
> translating it, but also giving me hints and correcting some English
> mistakes.
> We hope this helps to better assess uVirtus security and maybe feed the
> thinking for possible future versions.
> Sorry for the TLS certificate warning you will probably get in your
> browser, it is signed with the CA you'll find there:
> and its SHA1 fingerprint is
> C2:00:C7:9B:2C:9F:88:31:8B:A9:9E:B4:37:27:4E:93:75:8A:A7:6B.
> With datalove!
> KheOps
> Version: GnuPG v2.0.22 (GNU/Linux)
> iQEcBAEBAgAGBQJS9AoeAAoJEK9g/8GX/m3dpRkH/1rN/nDEjY2kJqhEMqaIwkiq
> PqJzXxhvSuMTYn9WXcA5kh9xH+OCBu2uSfTfm9ewfAO8W4C4Jx5AO8jgyo3bjFEP
> usJE8m7vaKZVnVUrzqyxMBuutxyljear+qn6r86i5FRbIoob582QAZM7+bunotOr
> bc5oUBgaq+KHx0p6yxohQw07MLaDwzXviu0lFcsRqMRfGzAMWFx3y8pGLUwS1Tiz
> S3jR+Vs+s80NBHmMhPK3HkB2qsMowC8tZlYaMLzuFqocoKsTyE3CCMz9R6Xw05HT
> aR5pSsbVuEvgMyhlqCJoVD8YD4qde8E5hxZrONZk4GKTIPDc90bgGW8FH/zmPqI=
> =h+MA
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at

Sahar Massachi

c: (585) 313-6649
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list