[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Rich Kulawiec rsk at gsp.org
Sun May 18 09:24:43 PDT 2014


On Thu, May 15, 2014 at 07:36:07AM +0200, Fabio Pietrosanti (naif) wrote:
> I think that would be very important to organize a project to Audit the
> functionalities of Auto-Update of software commonly used by human rights
> defenders.

Yes, but I'll go one step further: auto-update is a horrible idea -- even
if the connection is encrypted.

Why?  Because someone observing network traffic can deduce which operating
system(s) and application(s) a target is using by doing traffic analysis:
that is, just looking at where connections are originating and terminating.

Even passively checking for the existence of updates -- that is, not
actually downloading and installing them -- can facilitate this same
traffic analysis.

The results of that analysis have many uses: one that occurs to
me offhand is that a repressive government might wish to identify
everyone who appears to be using a particular application X because
(a) it's not widely used across the entire population (b) but it's used
extensively within a certain political/social movement/organization Y.
Combined with other traffic analysis (e.g., visits to the web site of Y)
this would be useful intelligence.  Combined with research into the
security vulnerabilities of X this would be VERY useful intelligence.

Another use that occurs to me is that particular combinations of updates
could constitute a signature that facilitates the tracking of individuals.
In other words, lots of people might check for updates to A, or updates
to B, or updates to C, etc.; but how many individuals check for updates
to A, B, F and M but never C, D or J?

I'm not sure what the answer to this problem will look like, but I
suspect it's going to involve doing away entirely with the concept of
"auto update".

---rsk
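The two risks the post describes, the "everyone using application X" query and the per-client combination of update checks acting as a signature, as an added Python example that is not part of the original message. The flow records and the update hostnames are constructed placeholders standing in for the applications A, B, C, F, M of the post; the code shows what a passive observer can compute from nothing but connection endpoints.

```python
"""Constructed illustration of fingerprinting via update-check traffic.

Each flow record is (client, destination host). A passive observer who sees
only endpoints, not payloads, can still group clients by the exact *set* of
update servers they contact. The anonymity set of a client is the number of
clients sharing that exact combination; a client with k == 1 is individually
trackable even though every connection is encrypted.
"""
from collections import defaultdict

# Constructed flow log (hypothetical hostnames, not real update servers).
FLOWS = [
    ("c1", "updates.a.example"), ("c1", "updates.b.example"),
    ("c2", "updates.a.example"), ("c2", "updates.b.example"),
    ("c3", "updates.a.example"), ("c3", "updates.b.example"),
    ("c3", "updates.f.example"), ("c3", "updates.m.example"),
    ("c4", "updates.a.example"), ("c4", "updates.c.example"),
    ("c5", "updates.a.example"), ("c5", "updates.c.example"),
    ("c6", "updates.a.example"), ("c6", "updates.c.example"),
]


def fingerprints(flows):
    """Map each client to the frozenset of update endpoints it contacted.

    Absence is part of the signature: a client that checks A, B, F and M but
    never C is distinguished from one that checks A and C.
    """
    seen = defaultdict(set)
    for client, host in flows:
        seen[client].add(host)
    return {c: frozenset(h) for c, h in seen.items()}


def anonymity_sets(flows):
    """Return {client: k}, k = number of clients with the identical fingerprint."""
    fp = fingerprints(flows)
    counts = defaultdict(int)
    for f in fp.values():
        counts[f] += 1
    return {c: counts[f] for c, f in fp.items()}


def unique_clients(flows):
    """Clients whose combination of update checks is unique (k == 1)."""
    return sorted(c for c, k in anonymity_sets(flows).items() if k == 1)


def clients_using(flows, host):
    """Clients observed checking a given endpoint: the 'who uses X' query."""
    return sorted(c for c, f in fingerprints(flows).items() if host in f)
```

Run against a real flow export, the same two functions answer the two questions the post raises, and a small anonymity set for a narrowly used application is exactly the exposure to worry about.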
