Differences between revisions 39 and 44 (spanning 5 versions)
Revision 39 as of 2021-06-26 05:29:56
Size: 14520
Editor: josch
Comment: add glances
Revision 44 as of 2021-09-23 00:10:22
Size: 15841
Editor: PaulWise
Comment: add a section on telemetry libraries
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:

= Documentation =

 * [[https://www.debian.org/legal/privacy|Debian Privacy Policy]]
 * [[https://developer.mozilla.org/en-US/docs/Web/Privacy|Privacy-related web technologies]]

= Detection tools =

 * DebianPackage:wireshark
 * [[https://github.com/evilsocket/opensnitch/|opensnitch]]
 * DebianPackage:nsntrace
 * [[https://github.com/kushaldas/unoon/|unoon]]
 * [[https://lists.debian.org/161443589236.58635.12422980351447594761@localhost|qemu with filter-dump]]

= Issue categories =

 * logging & verbose logging
 * homephoning without user consent
   * cleartext
   * TLS
 * featurebug: when a bug is also a feature
 * privacy defaults
   * optin
   * optout
 * traceability
 * no deletion of config files when uninstalling a package
 * data leakage
   * software names and version numbers

= Reports =

 * [[https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=debian-devel@lists.debian.org;tag=privacy|usertagged under debian-devel]]
 * [[https://debtags.debian.org/reports/facets/privacy|Debtags privacy facet]]
 * lintian privacy-breach tags: [[https://lintian.debian.org/tags/privacy-breach-generic.html|generic]] [[https://lintian.debian.org/tags/privacy-breach-donation.html|donation]] [[https://lintian.debian.org/tags/privacy-breach-facebook.html|facebook]] [[https://lintian.debian.org/tags/privacy-breach-google-adsense.html|google-adsense]] [[https://lintian.debian.org/tags/privacy-breach-google-cse.html|google-cse]] [[https://lintian.debian.org/tags/privacy-breach-google-plus.html|google-plus]] [[https://lintian.debian.org/tags/privacy-breach-logo.html|logo]] [[https://lintian.debian.org/tags/privacy-breach-piwik.html|piwik]] [[https://lintian.debian.org/tags/privacy-breach-statistics-website.html|statistics-website]] [[https://lintian.debian.org/tags/privacy-breach-twitter.html|twitter]] [[https://lintian.debian.org/tags/privacy-breach-uses-embedded-file.html|uses-embedded-file]] [[https://lintian.debian.org/tags/privacy-breach-w3c-valid-html.html|w3c-valid-html]]
Line 155: Line 189:
== Data leakage ==

 * Lots of different software leaks software names and version numbers into output
   * DNS servers respond with it to this command: {{{dig +short @f.root-servers.net version.bind chaos txt}}}
     * These DNS servers are definitely affected: unbound, bind
   * Mail user agents leak this into one of several headers: {{{User-Agent}}} {{{Mailer}}} {{{X-Mailer}}}
     * These MUAs are definitely affected: evolution
   * Mail servers leak this into the {{{Received}}} header
     * These MTAs are definitely affected: exim
   * Web browsers leak this into the {{{User-Agent}}} header
     * Almost all HTTP clients do this by default
Line 159: Line 205:
= Detection tools =

 * DebianPackage:wireshark
 * [[https://github.com/evilsocket/opensnitch/|opensnitch]]
 * [[https://github.com/jonasdn/nsntrace/|nsntrace]]
 * [[https://github.com/kushaldas/unoon/|unoon]]
 * [[https://lists.debian.org/161443589236.58635.12422980351447594761@localhost|qemu with filter-dump]]

= Reports =

 * [[https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=debian-devel@lists.debian.org;tag=privacy|usertagged under debian-devel]]
 * [[https://debtags.debian.org/reports/facets/privacy|Debtags privacy facet]]
 * lintian privacy-breach tags: [[https://lintian.debian.org/tags/privacy-breach-generic.html|generic]] [[https://lintian.debian.org/tags/privacy-breach-donation.html|donation]] [[https://lintian.debian.org/tags/privacy-breach-facebook.html|facebook]] [[https://lintian.debian.org/tags/privacy-breach-google-adsense.html|google-adsense]] [[https://lintian.debian.org/tags/privacy-breach-google-cse.html|google-cse]] [[https://lintian.debian.org/tags/privacy-breach-google-plus.html|google-plus]] [[https://lintian.debian.org/tags/privacy-breach-logo.html|logo]] [[https://lintian.debian.org/tags/privacy-breach-piwik.html|piwik]] [[https://lintian.debian.org/tags/privacy-breach-statistics-website.html|statistics-website]] [[https://lintian.debian.org/tags/privacy-breach-twitter.html|twitter]] [[https://lintian.debian.org/tags/privacy-breach-uses-embedded-file.html|uses-embedded-file]] [[https://lintian.debian.org/tags/privacy-breach-w3c-valid-html.html|w3c-valid-html]]

= Issue categories =

 * logging & verbose logging
 * homephoning without user consent
   * cleartext
   * TLS
 * featurebug: when a bug is also a feature
 * privacy defaults
   * optin
   * optout
 * traceability
 * no deletion of config files when uninstalling a package

= Documentation =

 * [[https://www.debian.org/legal/privacy|Debian Privacy Policy]]

= See also =

 * [[https://developer.mozilla.org/en-US/docs/Web/Privacy|Privacy-related web technologies]]
== Telemetry libraries ==

Debian contains some telemetry client libraries and some packages depend or build-depend on them. The code calling these libraries may or may not be active by default, often API keys are required before data may be submitted.

 * [[https://sentry.io/|Sentry]]: requires something called a DSN before the client libraries will send to the server. Server side is BSL licensed, Apache2 licensed after 36 months, so it is self-hostable. Client libraries in Debian: DebianPts:golang-github-getsentry-sentry-go DebianPts:golang-raven-go DebianPts:ruby-sentry-raven DebianPts:sentry-python DebianPts:node-raven-js

Documentation

Detection tools

Issue categories

  • logging & verbose logging

  • homephoning without user consent
    • cleartext
    • TLS
  • featurebug: when a bug is also a feature
  • privacy defaults
    • optin
    • optout
  • traceability
  • no deletion of config files when uninstalling a package
  • data leakage
    • software names and version numbers

Reports

Privacy issues in Debian packages

Phone home

There are some common categories of phoning home:

These packages either don't fit those categories or do lots of them and more:

Phone elsewhere

Connectivity

Some services need to know when system is "online". Best practice is to only rely on system services, optionally coupled with distro-specific public service like network-manager-config-connectivity-debian . An antipattern is to hardcode probing of a public service.

Packages determining connectivity by probing Apple website and Google DNS resolvers:

Packages determining connectivity by probing Google DNS resolvers:

DNS

Many network protocols need a nameserver. Best practice is to only rely on user input or system resolver. An antipattern is to hardcode one or more nameservers, either exclusively or as internal default.

Packages using Cloudflare and Freenom and Google DNS resolvers by default:

Packages using Cloudflare and Google DNS resolvers by default:

Packages using Cloudflare and Google and Qaud9 DNS resolvers by default:

Packages using Google DNS resolvers by default:

Packages using Google and UncensoredDNS DNS resolvers by default:

Packages using Google and 77.88.39.152 DNS resolvers by default:

ICE

WebRTC and SIP and similar protocols need a public-accessible TUN/STUN/TURN service across public networks. Best practice is to only rely on local configuration. an antipattern is to hardcode public STUN services, either exclusively or as internal default.

Packages using Ekiga STUN resolvers by default:

Packages using Ekiga and GNUnet and Mozilla STUN resolvers by default:

Packages using Ekiga and SIPgate and Stuntman and more STUN resolvers by default:

Packages using Ekiga and SIPphone and Google and Stuntman and Xten and more STUN resolvers by default:

Packages using Google STUN resolvers by default:

Packages using Google and Stuntman STUN resolvers by default:

Packages using SIPgate and SIPphone STUN resolvers by default:

Packages using SIPphone STUN resolvers by default:

Packages using Stuntman STUN resolvers by default:

Packages using Xten STUN resolvers by default:

Data sharing

  • remmina - shares the clipboard with remote hosts over RDP by default
  • pidgin - shares typing notifications with remote peers by default
  • hw-probe - includes truncated salted hashes of MAC addresses and serial numbers in hardware probe reports
  • git-remote-bzr (all implementations) - leaks the local git branch name into the "branch nick" field of commits, which could get pushed to a remote repository

Data leakage

  • Lots of different software leaks software names and version numbers into output
    • DNS servers respond with it to this command: dig +short @f.root-servers.net version.bind chaos txt

      • These DNS servers are definitely affected: unbound, bind
    • Mail user agents leak this into one of several headers: User-Agent Mailer X-Mailer

      • These MUAs are definitely affected: evolution
    • Mail servers leak this into the Received header

      • These MTAs are definitely affected: exim
    • Web browsers leak this into the User-Agent header

      • Almost all HTTP clients do this by default

Data storage

  • web and other servers of various kinds default to logging information about requests over the network from external entities

Telemetry libraries

Debian contains some telemetry client libraries and some packages depend or build-depend on them. The code calling these libraries may or may not be active by default, often API keys are required before data may be submitted.