Follow-up to “Open Letter to the Free Software Community”


Posted on 1 Jan 2010 18:18 UTC

This post is an update to Open Letter to the Free Software Community.

Good news on at least one front: disk encryption enabled at install time. Twitter user @threethirty points out that Fedora offers full-disk encryption based on LUKS in its installer. Additionally, Seth Schoen of EFF says,

Incidentally, the Ubuntu 9.10 installer did ask me if I wanted to encrypt my home directory, and I said yes, and my home directory ended up encrypted. I don’t have to do anything to use the encryption (though I sure did when I wanted to mount a copy of my home directory after my laptop had a hardware problem...!). Ubuntu now supports two different disk encryption technologies natively, dm-crypt/LUKS for block device encryption and ecryptfs for transparent directory hierarchy encryption. Only ecryptfs can be configured by the current default installer.

File metadata other than filenames is not encrypted so an attacker can see when files were created, what the directory hierarchy looks like, and what their permissions are. I just created a subdirectory called "mew" and created a file in it called "meow" with the content "yow\n". On my underlying ext4 filesystem, this resulted in a subdirectory called

ECRYPTFS_FNEK_ENCRYPTED.FWYKolD5t3p-wkSZL8fM4Df7Pe6Kp8JVuB35U01hz-mH.qFTIYLSjZ5Ihk – 

which contains a file called

ECRYPTFS_FNEK_ENCRYPTED.FWYKolD5t3p-wkSZL8fM4Df7Pe6Kp8JVuB35EGKgkoJrVADQTEl8yWSj7U – 

which is 12288 bytes (hmmm, padding?) and whose contents are superficially unintelligible.

My setup is totally vulnerable to a cold boot attack, but I’m somewhat optimistic about the general case of a random untargeted attack where someone steals my laptop. ecryptfs is encrypting both the individual files in my home directory and their filenames under (what I think is) a salted hash of my login password. ecryptfs itself has the ability to have a distinct encryption password from my regular user password, though the Ubuntu installer doesn’t seem to have a way to set that up by default.

I don’t have documentation about what cipher modes are used or whether key material is protected against being swapped to disk (I think so because it’s in kernel memory) or written to disk during hibernation (I think not because default Linux hibernation is usually totally unencrypted) or whether there are countermeasures against common attacks against file encryption systems.

Ubuntu has supported transparent encryption technologies since at least 2006, but I’m pretty sure that the current release is the first one to make any of them an option in the OS installer.

I installed 9.10 by upgrading from 9.04, so I missed the option to encrypt at install time. I am going to install 9.10 fresh on my server soon, so I’ll give encryption a look.
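As an added illustration of the metadata leakage Seth Schoen describes above (this is not code from the post or from ecryptfs), the script below models what someone holding only the lower ext4 filesystem, with no key, can read off each entry. It assumes ecryptfs's default layout of an 8192-byte per-file header followed by 4096-byte extents, and the sample entries are constructed to match the "mew"/"meow" experiment.

```python
import os
import stat
from dataclasses import dataclass

# ecryptfs defaults assumed here (not stated in the post): each lower file
# carries an 8192-byte header, then ciphertext padded to 4096-byte extents.
HEADER_BYTES = 8192
EXTENT_BYTES = 4096
FNEK_PREFIX = "ECRYPTFS_FNEK_ENCRYPTED."

@dataclass
class LowerEntry:
    """One entry as seen on the lower (ext4) filesystem, no key needed."""
    path: str   # relative to the lower root
    size: int   # bytes on the lower filesystem
    mode: int   # st_mode; permissions are stored in the clear
    mtime: int  # timestamps are stored in the clear too

def is_fnek_encrypted(name: str) -> bool:
    """Filename encryption leaves a recognisable prefix on every name."""
    return os.path.basename(name).startswith(FNEK_PREFIX)

def plaintext_size_bounds(lower_size: int) -> tuple[int, int]:
    """Plaintext lengths consistent with a lower file of lower_size bytes.
    Padding hides the exact length only to the nearest extent (4 KiB)."""
    if lower_size < HEADER_BYTES:
        raise ValueError("smaller than an ecryptfs header; not an ecryptfs file")
    extents = (lower_size - HEADER_BYTES) // EXTENT_BYTES
    if extents == 0:
        return (0, 0)
    return ((extents - 1) * EXTENT_BYTES + 1, extents * EXTENT_BYTES)

def survey(entries: list[LowerEntry]) -> list[dict]:
    """What the lower filesystem alone reveals about each entry."""
    report = []
    for e in entries:
        row = {"depth": e.path.count("/"), "is_dir": stat.S_ISDIR(e.mode),
               "name_encrypted": is_fnek_encrypted(e.path),
               "perms": oct(stat.S_IMODE(e.mode)), "mtime": e.mtime}
        if not row["is_dir"]:
            row["plaintext_bytes"] = plaintext_size_bounds(e.size)
        report.append(row)
    return report

# Constructed sample mirroring the "mew"/"meow" experiment in the post.
LOWER_DIR = "ECRYPTFS_FNEK_ENCRYPTED.FWYKolD5t3p-wkSZL8fM4Df7Pe6Kp8JVuB35U01hz-mH.qFTIYLSjZ5Ihk"
LOWER_FILE = LOWER_DIR + "/ECRYPTFS_FNEK_ENCRYPTED.FWYKolD5t3p-wkSZL8fM4Df7Pe6Kp8JVuB35EGKgkoJrVADQTEl8yWSj7U"
SAMPLE = [LowerEntry(LOWER_DIR, 4096, 0o040755, 1262367480),
          LowerEntry(LOWER_FILE, 12288, 0o100644, 1262367480)]
```

Calling survey(SAMPLE) shows that the directory nesting, mode bits, timestamps and a 4 KiB size bucket all survive encryption (the 12288-byte lower file can only hold 1 to 4096 plaintext bytes), while names and contents do not.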

This is great news, since disk encryption is a key feature when implemented well. Full-disk encryption with LUKS and dm-crypt, as featured in Fedora, sure sounds stronger than Ubuntu’s solution, but I withhold judgement until I’ve seen all the install-time options in Ubuntu.

However, my general critique still stands; free software usability and security still lag behind the state of the art, and are worse than they need to be. Here are some of my favorite examples:

I bring these up primarily to try to puncture the still-held belief that open source software is somehow inherently more secure than closed software. I do not claim that closed software does not have plenty of equally-bad problems. However, these examples show that the free/open source software community is not taking full advantage of open software’s greatest putative strengths: openness, honesty, and peer review.

Maybe I’ll discuss usability more in a later post.
