Skype Linux Reads Password and Firefox Profile

mrcgran writes "Users of Skype for Linux have just found out that it reads the files /etc/passwd, firefox profile, plugins, addons, etc, and many other unnecessary files in /etc. This fact was originally discovered by using AppArmor, but others have confirmed this fact using strace on versions 1.4.0.94 and 1.4.0.99. What is going on? This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files."

Shadow passwords FTW

[strredwolf]

This is why you should have shadow passwords, so that your encrypted password isn't stored in /etc/passwd.

Re:Shadow passwords FTW

[Bazman]

True, but if your list of usernames leaks out it saves remote attackers having to try non-existent usernames in a dictionary attack...

Corollary: dont use passwords vulnerable to dictionary attacks...

Re:Shadow passwords FTW

Yiff in hell, furfag.

Re:Shadow passwords FTW

[LivinFree]

WTF:

$ strace -e open ls -l
...
open("/etc/passwd", O_RDONLY) = 4
open("/etc/group", O_RDONLY) = 4
open("/proc/meminfo", O_RDONLY) = 3
...

OMFG - ls is trying to h4x me up!!1

Re:Shadow passwords FTW

[KiloByte]

$ strace -e open ls -l

ls has a valid reason to read these -- you want to see uids/gids as user names, not numeric values

But Skype?

Re:Shadow passwords FTW

[LivinFree]

ls has a valid reason to read these -- you want to see uids/gids as user names, not numeric values I don't use Skype, and don't have my own strace, so I don't have context. I'd be interested to see the whole strace. Perhaps it's checking $HOME, perhaps it's as this guy points out. Either way, /etc/passwd is world-readable. The stupid title of "Skype reads password[s]..." is nonsensical at best.

As for the Firefox jazz, did they allow the default install of the Skype Firefox plugin? If so, why wouldn't it poke around in ~/.mozilla?

There's lots of information we don't have, and sensationalist crap ensues. If someone is really worried, why bother using Skype? It's a service, not a $DEITY-given right, to use.

Re:Shadow passwords FTW

[Not+The+Real+Me]

"True, but if your list of usernames leaks out it saves remote attackers having to try non-existent usernames in a dictionary attack..."

This is an excellent point that many of the flamers fail to understand. Yes, a local user account has read access to /etc/passwd, but a hacker looking to tap into a 0-day exploit does not. My guess about Skype is that they are harvesting usernames and selling those to spammers and/or providing those usernames to a government agency. In case anyone missed it, the U.S. government has been doing quite a bit of data mining since 9/11/2001 so being able to discretely grab all the usernames off of a computer would play into this.

Re:Shadow passwords FTW

[Xabraxas]

I just ran an strace on GoogleEarth and it also reads /etc/passwd. I'm not so worried though because /etc/passwd is shadowed, none of my passwords (user and root) have passwords that can be dictionary attacked, and my system will timeout after 3 failed password attempts. That doesn't mean I don't want to know why Skype is reading /etc/passwd, but I agree the title of this article is sensational.

Re:Shadow passwords FTW

[Trogre]

So they download /etc/shadow too. Not a problem.

Re:Shadow passwords FTW

[Phisbut]

So they download /etc/shadow too. Not a problem.

Except that /etc/shadow is only readable by root. A userland application can't access it.

Re:Shadow passwords FTW

[arashi+no+garou]

Wow. You know, I tend to be one of those people who are wary of our government and their privacy track record, but on all my machines, windows and *nix, my username is my first name, and my (shadowed) password is very complex. My first name is quite common, so if they are looking to glean any info from that, well more power to them. If they really want to watch my online activity I'm sure AT&T would bend over backwards to assist them without any help from my boxen.

Re:Shadow passwords FTW

[ATMD]

+1 Paranoid...

Re:Shadow passwords FTW

[Tenareth]

Does NOBODY remember that the /etc/password file is where you convert a UID to a readable name? Almost EVERY program has to read /etc/passwd if they display the owner of a file.

This is really a non-issue.

Re:Shadow passwords FTW

[Lorkki]

Not to pick a nit, but I assume you meant to say "not just any userland application can access it."

Re:Shadow passwords FTW

[PacMan]

Does NOBODY remember that the /etc/password file is where you convert a UID to a readable name? Almost EVERY program has to read /etc/passwd if they display the owner of a file.

Unless the system used LDAP, or NIS, or Kerberos, etc, instead of /etc/password files.

This is why there are system calls like getpwuid and getpwnam, to convert between UIDs and usernames independently of the underlying authentication system.

To fool programs like this, setup LDAP authentication, and fill your /etc/password file with dummy information.

Re:Shadow passwords FTW

[RockDoctor]

My guess about Skype is that they are harvesting usernames and selling those to spammers and/or providing those usernames to a government agency. In case anyone missed it, the U.S. government has been doing quite a bit of data mining since 9/11/2001

Two possibly true facts which are not necessarily connected.
Unless something has changed significantly since eBay brought Skype out, the company is still headquartered in Luxembourg and so not directly affected by US legislation. That doesn't mean that the USG don't have the opportunity to try interference like this, but one of the first obstacles they'd have to face would be travelling to a foreign continent in order to talk to the people who can agree to their requests. Then they'd have to deal with the regulatory regimes of the foreign (i.e. non-US) countries (plural!) where the servers reside. Then they'd have to be sure of maintaining secrecy over such negotiations, assuming that they have sufficient influence over everyone they're talking to. And they'd have to face the prospect of losing their access to people's communications if the fact got out and non-US people stopped using the service (forcing US-people to move to other services).
Eavesdropping is a definite worry for me when I use Skype for commercial work (as instructed by some clients ; I don't consider it secure for personal use), but I don't think you've made the case for me to take decisive action to the extent of upsetting clients by declining to use the service. (It should be pointed out that others of my clients ban Skype from their networks because their security people can't [be bothered to] eavesdrop on Skype. Some of these are American, some Canadian, some European, some others ; there's no clear pattern.)

Dealing with a heterogenous world which is not necessarily appreciative-of or complaisant-with US desires must be a difficult pill for the US foreign policy people to swallow. It took the UK government several generations to swallow their lesson (assuming that HMG've swallowed it by now, which is often not clear).

Re:Shadow passwords FTW

[jibjibjib]

And those system calls will read /etc/passwd if necessary, of course.

Re:Shadow passwords FTW

tss, this is so silly. I recommend you to trace a random OSS app. It will also read that file. I think virtually every app that needs to figure out your uid needs to read that file. It is perfectly normal. Why do you think it's world-readable? In fact, i suspect it is not even the apps that are doing it but some default linux library.

Re:Shadow passwords FTW

[petermgreen]

surely since ebay is US based they could just order ebay to order skype to put in tracking facilities for them.

Re:Shadow passwords FTW

[petermgreen]

This is why there are system calls like getpwuid and getpwnam, to convert between UIDs and usernames independently of the underlying authentication system.
I'm pretty sure those are library functions not system calls so all strace will see is the application accessing the authentication system.

Re:Shadow passwords FTW

[xlordt]

You can still by pass this in a heart beat. Your best bet is chmod the the file to root.

Re:Shadow passwords FTW

I love Slashdot; anywhere else it would be -1 Paranoid.

Re:Shadow passwords FTW

[DJ+Wings]

On Digg, it would be +100 NothingNew.

Re:Shadow passwords FTW

[RockDoctor]

Depends on whether the laws under which Skype was set up allows Skype to enter into contracts like that.
IANAL, but I wouldn't be certain that they could (or that they couldn't). Law is complex, because lawyers make it so (so that lawyers can profit from interpreting it).

If Luxembourg (or European) law does not allow Luxembourg (EU) companies to enter into contracts to violate their customers/ citizen's privacy, then would that invalidate the purchase of Skype by eBay, or would it force the transfer of Skype from eBay(Global/US) to eBay(Luxembourg) ? Thorny area of law. Of course, possibly by not complying immediately (to allow them to get legal opinion), the eBay(US) employees could be signing themselves up for being "disappeared" by the US courts. Not nice.
(I was just recently having a "problem" at work due to our travel contractors requesting from everyone the identity-theft kit of information that the US require. For a time there was implication that our contract with them required us to violate our privacy like that. I think that we've got that stopped now. I hope we've got that stopped now. And of course, less than 1/20th of the travelling staff members ever travel to the US.)

Here's another potential complication - recently-joined Skype people presumably signed an EULA that included a phrase like "this contract is governed by the laws of Antigua" (or wherever was legally convenient for eBay to be legally headquartered ; I can't find my Skype EULA, but then I've just turned the program on for the first time in a week) ; however, older Skype users would have a contract that is governed by the laws of Luxembourg. So, which country's laws apply? And what are the Luxembourg laws about unfair contract terms? Did the old users agree to the new terms, and was that a fair change of contract?

BIG can of worms. Nice and open. Want a spoonful - fresh and writhing and juicy.

Why..

[mikkelm]

.. only closed source applications? I don't think most people read the entire sources of open source applications that they use.

Re:Why..

[lilomar]

Not everyone has to, just one person.

When I use Open Source apps, I do so knowing that there are many developers and hobbyists that have looked over the code, so I know that there aren't any glaring security flaws.

Imagine this had been an Open Source product for a minute... instead of an article just saying that it read /etc/ files, it would have said this part of the code reads the files, this is why it is nessasary, or here is a patch to stop it from doing this.

Re:Why..

[gomiam]

Unfortunately, you seem to be wrong, if we are to trust what this user says on the thread: he cites Gaim acting the same way (among "other programs"). Then again, he's not too explicit.

Re:Why..

[Ajehals]

Not to take away from your message - because you have a point, I think in the context of the summary it would be because you *can* find out what is happening if you realise something strange is going on and if you have the source. If you don't have the source, you may be able to figure out what is going on, and to a certain degree why, but you wont be clear until the company tells you what its doing (and you trust them). In the end it comes down to trust though (as with most things). I only use software that I trust, and ensure it comes from a source I am happy with, (in my case Debian), it doesn't get rid of all the issues but it does reduce the risks ( as I perceive them anyway).

Re:Why..

[DaleGlass]

Because for something as well known as Skype, somebody would be bound to read it at some point if it was open.

For example, I work on the Second Life source, and I and other people read quite big chunks of it. You can bet that the moment somebody noticed something fishy there'd be blog entries about it all over the web, and dozens of people looking at that and other parts of the source. And it'd have happened much earlier than if it was found by chance by some admin stracing or checking the logs.

In fact pretty much the first thing that people did when the source was opened was starting to think of interesting things to grep the source for.

Now that people like me have forks of the Second Life source, there are people who check the diffs for every new LL release when they merge the changes with their own. You can bet it would be pretty hard to sneak something into it in this situation.

Now how do you do that for a closed source program? You can't. You either need to be an uber-hacker who disassembles and decompiles things for fun, a paranoid sysadmin (unlikely too, who runs skype on a server?), or happen to notice something weird by chance and have the skill and knowledge to be able to figure out what a closed program is up to.

Re:Why..

[19thNervousBreakdown]

This is somewhat silly anyway. The Firefox plugins, OK, I don't know why they'd read that, maybe they're checking for a Skype plugin, but who cares? As for /etc/passwd, it's not /etc/shadow. Not only that, but they don't even have to write code that reads /etc/passwd. Try changing the "passwd: compat" line in /etc/nsswitch.conf to "passwd: nis" or something like that, chances are your read of /etc/passwd will go away. It's probably just doing something like getting your real name. Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf.

Re:Why..

[mikkelm]

Well, obviously it also only took one person to discover the same in a closed source application.

Of course it would be easier to see the hows and whys in an open source application, but once you know, you know, and that's really at the core of the matter.

Re:Why..

[optimus2861]

Imagine this had been an Open Source product for a minute... instead of an article just saying that it read /etc/ files, it would have said this part of the code reads the files, this is why it is necessary, or here is a patch to stop it from doing this.

Interesting you should say that - did you read the linked thread on the Skype forum? Here's a later post (emphasis added):

i was a bit curious and tried strace on a few internet/network programs. it seems programs like skype, gaim, and perhaps other chat software all look in /etc/ passwd

Pidgin nee Gaim is GPL. A quick search on one of its mailing lists shows no useful hits for /etc/passwd. A later comment on this thread shows that something as innocuous as an ls command will trigger reads of /etc/passwd. Sounds like this is being overblown.

Re:Why..

[compm375]

Well, I just searched the source of Pidgin (because it is open source) and found it does indeed access /etc/passwd through getpwuid(getuid()) for use in Bonjour, Silc, and Zephyr protocols. There is no direct access to /etc/passwd and no use of getpwuid without using the current users uid through getuid. Skype may be doing the same thing, but there is really no way to know, is there?

Re:Why..

[IWannaBeAnAC]

Or most likely, getting the user's home directory so it knows where to find $HOME/.Skype to get the user's configuration settings. Virtually any program will do this, via the getpwnam function, section 3 of the Linux man page.

Re:Why..

[ciroknight]

"Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf."

Because it's not at all possible if they're being sneaky enough to read files they really shouldn't be reading in the first place, they wouldn't ever dare encrypt it before they sent it back to a central server. Oh no, that'd be faaar too clever.

Possible rational reasons for stupidity and violation of trust don't cut it when it comes to privacy. "Oh, the government's reading your mail? Well, that's probably because they think you're a terrorist. Don't worry, they'd never do anything evil with what they read."

Re:Why..

"Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf."

Convenient that those are encrypted...?

Re:Why..

[19thNervousBreakdown]

This is more like, "Oh, the government can get look op your name from your social security number. Don't worry, that's one of the reasons the social security number exists. Well, no, I can't say that the government hasn't used that information to also find my address and dispatch a highly trained team of assassins to brutally slay me, my family, everyone with a drop of my blood in their veins, and everyone I've ever loved or has loved me."

Re:Why..

[19thNervousBreakdown]

So decrypt it. What? You don't have the keys? Well, that's what you get for using closed source. I don't use Skype, but if I did I wouldn't worry about it. If you're that paranoid, maybe you should stick with GPL-3 software.

Re:Why..

[cduffy]

Most people don't need to. One person needs to. That's a much lower bar.

Additionally (and perhaps more importantly) -- in the case of OSS, the individual programmer is putting their public reputation on the line. In the case of proprietary software, the credit and blame generally goes to a faceless corporation.

Re:Why..

A later comment on this thread shows that something as innocuous as an ls command will trigger reads of /etc/passwd. Sounds like this is being overblown.

No idea why gaim does it, but ls has to read /etc/passwd in order to match uids to usernames when you do ls -l. There may be equally viable reasons for skype and gaim to do it, for instance discovering where the user's home directory is to store downloaded files, etc rather than trusting $HOME.

Re:Why..

[jguthrie]

Of course there's a way to know. Not to the point of certainty, but to a fairly high confidence level. At least, there's a way to know if it's calling getpwnam. It's a dynamically-linked executable and getpwnam is in one of those libraries so the name "getpwnam" is going to appear, in plain text, in the executable itself. A simple check with "strings" show getpwuid_r, getuid, getcwd, getpwnam_r, getgrid_r and others are in the executable. To be sure, you'd have to check the executable using tools that know about the parts of an ELF file (you know, like those that are in the Debian elfutils package) and see where those names show up.

Re:Why..

Because it's not at all possible if they're being sneaky enough to read files they really shouldn't be reading in the first place

What files are those?

Re:Why..

[jgrahn]

Or most likely, getting the user's home directory so it knows where to find $HOME/.Skype to get the user's configuration settings. Virtually any program will do this, via the getpwnam function, section 3 of the Linux man page.

It's probably better to simply getenv("HOME") to find $HOME. It's already in your process; why bother asking a file (or possibly a remote database)?

But yes, there are other mundane and valid reasons for reading /etc/passwd.

Re:Why..

...but there is really no way to know, is there?

An strace should show getpwuid() as opposed to open(), no?

Re:Why..

[perlchild]

Seems like people don't understand unix at all, when they post to security lists...
Just checking your own identity in unix requires a call to getpwnam, getpwent or their equivalent, which means that a function call in glibc has to read the password file. Practically every unix program does that... It reads in the whole file in memory and looks for you, unless you're using the db source, yp, nis+ or an external module: nss_ldap, nss_mysql, nss_pgsql. It's doing that to find YOU out... That's normal, system-wide behaviour, and not sinister at all(that's also why there's a nscd daemon to cache those results, to prevent your machine from grinding to a halt if you have 200k+ entries in that file.

Now unless the legacy api gets redesigned to NOT do a line by line scan, anyone using strace/ltrace/dtrace/tusc needs to filter out these internal "housekeeping" calls, which are perfectly normal, needing to find out if _you_ can open up your own log file...

The /etc/passwd /etc/group files are public files precisely because they are referred to in this manner. That's why shadow passwords are so necessary.

Re:Why..

[WilliamSChips]

Because if an open-source app did it then there would be a big media storm followed by a fork if the change isn't rescinded.

Re:Why..

[jimicus]

Of course an ls command can trigger a read of /etc/passwd. ls -l shows owners as username rather than numeric UID - where do you think it gets that information from?

This is why a shadow password file was invented in the first place.

Re:Why..

No, since getpwuid() is implemented in libc, and open() is a system call. strace can only trap system calls, i.e. user/kernel interactions.

Just like if you write code that uses fopen(), fwrite(), since stdio is not user/kernel interaction but rather a wrapper to syscalls like open() and write(), running an strace you'd see the latter but not the former.

Re:Why..

No. ltrace might show getpwuid() as opposed to open(). Strace shows system calls (i.e., to the kernel). You C library will implement getpw*() ultimately as a series of system calls, one of which will undoubtedly be open("/etc/passwd",0). To see dynamic library calls (such as calls to functions provided by your C library), you use ltrace.

Re:Why..

[SanityInAnarchy]

Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf.

Well, the private information going out over the wire is kind of encrypted...

But think about the big picture. Aren't the guys making Skype the same guys that put the malware in Kazaa? It's the opposite of crying wolf -- when you say "I'm innocent!" for long enough when it's not true, no one will believe you're innocent even when you are.

People wonder why we don't trust anything Microsoft does? Same thing, only moreso.

Re:Why..

[Score+Whore]

When I use Open Source apps, I do so knowing that there are many developers and hobbyists that have looked over the code, so I know that there aren't any glaring security flaws.

You know. That's amazing. It's the same attitude as everybody else. So tell me again who's auditing every line of code that is on your system? The only way you know that it's been audited is if you audit it. Anything else is just faith based security. My guess is that every single binary object on your system has at least one line of code that has only been eyeballed by the author of that line.

Re:Why..

> The Firefox plugins, OK, I don't know why they'd
> read that, maybe they're checking for a Skype
> plugin, but who cares?

Who cares? If Skype is reading Firefox plugins or checking for them, that better have a good reason. I prefer my privacy, thank you. There is no reason for Skype to look for anything that has to do with Firefox. I'm removing my Skype installation right now.

Re:Why..

[nwbvt]

First of all, it is rare that only one person reads the source for any commercial software product. Code reviews are standard in most organizations, and even if not, there are many developers at work maintaining that code.

Second, with open source apps, you really don't know that. It is perfectly possible for someone to submit a bad patch and no one bothers to really look at it in depth (at least not as in depth as you would need to catch a well disguised security breach). A lot of people use software assuming someone else has audited it and made sure there is nothing wrong with it solely because it is under the GPL. But that is a very bad assumption to make.

Re:Why..

> When I use Open Source apps, I do so knowing that there are many developers and hobbyists that have looked over the code, so I know that there aren't any glaring security flaws.

cool so i just install OSS and there won't ever be the need for patches or updates ever because one/more guys have looked over it and declared: no glaring security flaws.
you do know that OSS doesn't guarantee flawless software do you? unpatched OSS is just as problematic as unpatched closed source software.

Re:Why..

[mjsottile77]

It's sad to say, but that is a horribly naive point of view. Open source simply means that the source is available. It does not come with a stamp of approval that it has been somehow certified as being 'safe' or 'not evil'. Sure, a small project might be read over by a hobbyist out of curiousity, but for a large project with tens or hundreds of thousands of lines of code, I personally do not at all believe that some benevolent third party has sifted through both a massive code base and the corresponding complex control, data, and logical flow of the code. I would assume that any sufficiently evil chunk of code would be both uncommented and somewhat obfuscated to hide the true intent of the code. So, it would be like finding a needle in a haystack, only after the needle has been painted hay colored. Open source does not imply safe - it simply implies open source code. You are correct that it has the POTENTIAL to be safer than closed source, but there is absolutely no guarantee that it has been certified as safe/not-evil/whatever.

Re:Why..

[davitf]

Skype may be doing the same thing, but there is really no way to know, is there? Modify the code for getpwuid() so that it returns a fixed value instead of accessing /etc/passwd, and run Skype with this modified library. Watch whether it still tries to access the file.

Re:Why..

[SL+Baur]

First of all, it is rare that only one person reads the source for any commercial software product. But you're admitting that it is not guaranteed? "rare" != "never".

Of the bugs I found disassembling PC DOS 2.0 once upon a time, most of them were of the variety that a code review or audit should have caught. I did find plenty of code I would have fired the coder for if he had been working for me.

You have only your faith in the company who wrote the code that it was properly reviewed and audited prior to release.

Second, with open source apps, you really don't know that. It is perfectly possible for someone to submit a bad patch and no one bothers to really look at it in depth (at least not as in depth as you would need to catch a well disguised security breach). That's every bit as much of faith-based statement as your first one and "it is possible" is a bit of hedge.

I've managed both open source projects and proprietary source projects. The major difference being my hands were largely tied in a corporate environment and when I had a chance to make the rules (as in XEmacs), I restructured development to require more eyeballs on incoming code.

The difference with open source is that while you may take it on faith that the code has been reviewed, you have the opportunity to do it yourself or pay someone to do it for you. Neither of those possibilities are available with closed source.

Re:Why..

[chubs730]

If any open source application did this sort of thing, it would be known fairly quickly, because even the small minority that does read the source code would make it known.

Re:Why..

[OriginalArlen]

Why yes, that's right, only one person needs to review code to be sure that it's secure. That's why Microsoft's extensive and thorough peer review process catches all the security bugs in their code before it's released.

Actually the number of reviews required to be sure that a given program is secure is unbounded. On the contrary, it only takes one attacker spotting an issue everyone else has missed. Now, consider that even code like OpenSSL that has been combed over many times by cleverer people than you or I still occasionally patches security bugs. Hmmmm. Gosh.... that would mean that your machine just might not be entirely secure, even though you're up to date with patches! Gosh, who knew? :) (That was a rhetorical question. Bruce Schneier knew, of course.)

Re:Why..

[mattpalmer1086]

I agree it's overblown, but it's basically an issue of trust. All this shows is that people have more trust in open source software in this regard, for the obvious reasons. Since it is impossible to have that kind of trust in closed source software (it's not open!), occasionally people will try to reverse engineer it to see what its doing. If they see something that makes them suspicious, you get a story like this.

Re:Why..

[gtwilliams]

The most common reason these applications and others read /etc/passwd is that they call getpwuid() to obtain a struct that contains the user's home directory. Now the application knows where to find its configuration files.

Re:Why..

[nwbvt]

"But you're admitting that it is not guaranteed? "rare" != "never"."

Of course. I never said commercial software is guaranteed to be perfect. That obviously isn't the case.

"You have only your faith in the company who wrote the code that it was properly reviewed and audited prior to release."

Just as you have only your faith in the open source community that it was properly reviewed and audited prior to release. Remember, I'm not arguing that commercial software is inherently better than open source, only that it is not inherently worse. Both have their shares of advantages and disadvantages.

"The difference with open source is that while you may take it on faith that the code has been reviewed, you have the opportunity to do it yourself..."

Only if you have both the ability and time to do so. Most people don't.

"...or pay someone to do it for you. "

Thats exactly what you are doing when you purchase commercial software. Yes, sometimes the people you are paying do a crappy job, but that can happen with the people you hire to work on the open source as well.

Re:Why..

[gtwilliams]

I just searched the source of Pidgin (because it is open source) and found it does indeed access /etc/passwd through getpwuid(getuid())

Yes, that's because it needs to know the user's home directory to find its configuration file. There are many applications that do the same (innocuous) thing.

Re:Why..

[TechwoIf]

Calm down and get some real evidence of wrongdoing like a packet capture of private information going out over the wire before you cry wolf.

*sighs* Do we wolves ever get any respect from humans? They always cry "wolf" every time they see us. *looks around, points and crys out "HUMAN!"*

Re:Why..

[gtwilliams]

It's probably better to simply getenv("HOME") to find $HOME. It's already in your process; why bother asking a file (or possibly a remote database)?

But yes, there are other mundane and valid reasons for reading /etc/passwd.

Only if you consider POSIX mundane. Many programs call getpwuid() to obtain the user's home directory. The user's environment cannot be trusted.

Re:Why..

[Tribbin]

So you really think that if the code was open source from the start this would not have been addressed earlier?

BTW, it makes me wonder what we don't know about Skype for Windows where you do not have as many tools for monitoring file-access and stuff.

Re:Why..

[bit01]

Of course it would be easier to see the hows and whys in an open source application, but once you know, you know, and that's really at the core of the matter.

No, white box testing, by definition, is always going to be at least as good as black box testing. Black box testing is just a special case of white box testing. In the complex real world with many corner cases white box testing will be superior. From the point of view of the consumer open source software is everything that closed source software is. Plus the source is available.

Lying astroturfers may continue to claim that closing the source somehow gives mystically additional properties useful to the consumer but they're just being dishonest.

---

Beware deceptive astroturfers.

Re:Why..

[MP3Chuck]

"Aren't the guys making Skype the same guys that put the malware in Kazaa?"

No. The guys who make Skype are the same ones who created Kazaa, but it was Sharman Networks (or whatever it was called) that acquired it and put malware in it.

Re:Why..

[trewornan]

It'd be like finding a needle in a haystack - if you had a huge electromagnet handy. The reason dodgy code is dodgy is because of the things it does so you can pick it up automatically from that, and programs like strace and ethereal are going to point an arrow straight at offending code. To truly hide the code it would have to be inactive and thus cease to be dodgy.

Re:Why..

[Xabraxas]

Second, with open source apps, you really don't know that. It is perfectly possible for someone to submit a bad patch and no one bothers to really look at it in depth (at least not as in depth as you would need to catch a well disguised security breach).

That's more difficult than it seems, at least for large projects. On large projects coding style is enforced, the code actually has to be pretty useful, and on projects like the kernel Linus trusts other longtime kernel hackers more than upstarts like CK. On smaller projects it may be easier to insert malicious code without anyone noticing but then if the project is that small how many people are really affected? In the FLOSS world of 18 text editors, most people probably aren't running the same software. I think it would be a lot easier to just code your own malicious freeware application behind closed doors.

Re:Why..

[nwbvt]

Very few freeware applications are as widely used as the Linux kernel, either. So if thats the scope of the vulnerability you are seeking, neither is really a good way to achieve it. But the smaller attacks that only effect a few systems can still be dangerous. And some of those smaller open source apps can be pretty common. Consider something like gaim/pidgin. It is a relatively small project, and I believe much of it was developed by students. Yet it is used by a lot of people, and it has had security issues in the past.

Re:Why..

[nacturation]

When I use Open Source apps, I do so knowing that there are many developers and hobbyists that have looked over the code, so I know that there aren't any glaring security flaws. That must be why sendmail has such a stellar security record.

Re:Why..

[SL+Baur]

Thats exactly what you are doing when you purchase commercial software. Nope. Consider the ongoing discussion about Microsoft Vista and an apparent network slow down while playing music. The question of what's happening would be settled quickly by a code audit, except that no one outside of Microsoft is able to do that.

There is no opportunity with closed source to prove it for yourself. There is opportunity with open source whether you choose to do so or not. And by no means does this argument mean that open source is inherently better than closed source, it isn't necessarily in the short term. It's just that with closed source you must take it on faith that the vendor did a good job and with open source you're not forced to do that.

In the long term, open source is measurably better. You can always have bugs fixed even after the original vendor has stopped supporting it.

My own "conversion" to open source came after I bought an AT&T Unix PC in the fire sale after they discontinued them. It was a wonderful development environment, especially for its time. Among the software defects it had was a strip(1) that would delete an executable if it was already stripped. Probably a couple line patch to fix, but I had no opportunity to fix it other than to move the original strip out of the way and substitute a wrapper program that tested for that condition before allowing the original binary to run.

This is slashdot and car analogies seem to be popular here. The model of selling cars as closed source computers are sold now collapsed a long time ago. The manuals (detailed specification on how the car is built) and the parts are available so that anyone with a clue (usually mechanics who specialize in that sort of thing) can fix older automobiles. It is not a case of "we do not support 1986 Ford Escorts any more, please upgrade to the latest version" when there's a problem. The sooner the software world learns that Times Have Changed, the better.

Re:Why..

[Nasarius]

The user's environment cannot be trusted.

Depends on what you mean by that. A user application *should* trust the environment. There are plenty of good reasons you might want to change $HOME for one process, such as testing, debugging, or running multiple independent versions of the same application. There's absolutely no harm with normal applications going by environment variables. Obviously, this behavior becomes a gaping security hole if the system or a suid application does it.

Re:Why..

[Jartan]

Thanks for the explanation on that. I've never considered not using shadow passwords, but I find myself curious about this. Usernames aren't security but considering this behavior is there a way to keep them secret while still allowing appropriate access to the usernames the program has a valid reason to see?

Re:Why..

[perlchild]

Not under the current unix/posix design.
Any process(think top) could have a need to know the current userid for some other user. And with things like dialog boxes having a detailed mode like ls -l, we can forget having a seperate function when you don't need any other process but your own, it's too much of an edge case.

Using database files, where you can just access parts you need and not the parts you don't would be good, but not anyone is ready to recode /etc/passwd into db or sqlite format.

Keep in mind this wouldn't keep them "secret", but it would allow us to track "copied the entire /etc/passwd file" as opposed to "got a uid-login name matchup"

Getting rid of the userid/username match would get rid of the entire need for login names, except for auth, and just obsolete /etc/nsswitch. BUT there's a lot of valid uses for those, mostly having to do with ~user processing, permissions and the like..., Putting ext3 acls and the like make it a necessity to keep /etc/nsswitch, just to make sure you can understand permissions, on a user level.

On another note, just using pam/nss works basically because the assumption of how lookups work. Just removing the lookup ability would break quite a bit of code, most of it "bridging/gatewaying/accessing legacy" and otherwise linked in from sources you may not be able to control. Fixing that(think chown/chmod in a ldap environment) is non-trivial, especially just to prevent "getting" the passwd file.

I'd like to point out, nowhere in the article did they say they "sent" the file, they just spoke of reading it...

Re:Why..

[nwbvt]

"Nope. Consider the ongoing discussion about Microsoft Vista and an apparent network slow down while playing music. The question of what's happening would be settled quickly by a code audit, except that no one outside of Microsoft is able to do that."

<sarcasm>Right, because code audits are always perfect and catch every flaw in existence. Thats why open source software is always bug free.</sarcasm>

Look, I'm not arguing that OSS has no advantages. Of course it does. But it also has its share of disadvantages, even if the Richard Stallman and his zealots refuse to believe it.

Re:Why..

[dotgain]

Isn't that what the environment variable $HOME is for?

Re:Why..

Isn't that what the environment variable $HOME is for?

$ export HOME=/root

There is a difference. For most programs it doesn't matter in most cases (except when the user is deliberately trying to make it use a different directory and fails), but for some programs (especially setuid programs), being certain that the right directory is used is necessary.

Re:Why..

[fmaresca]

Exact.
In fact, I've run strace against skype-beta in Debian with ldap and the only calls relevant to /etc are: getuid32() and getgid32(), wich, since the ldap config is used in this box, do not read /etc/passwd or /etc/group.
So, next time, look closely to strace output.

Re:Why..

[Xabraxas]

But the smaller attacks that only effect a few systems can still be dangerous. And some of those smaller open source apps can be pretty common. Consider something like gaim/pidgin. It is a relatively small project, and I believe much of it was developed by students. Yet it is used by a lot of people, and it has had security issues in the past.

You glossed over the fact that is much easier to create your own malicious freeware (closed source) app than it is too try to sneak malicious code into an existing project that you do not have control of. Besides that I never said small projects don't have security issues. That really has nothing to do with what we are talking about which is purposely inserting malicious code into open source applications. Look how easy it is for people to create malware and get people to install it through social engineering. It's a more difficult task to sneak malicious code by maintainers of an open source project and have it accepted as is without being useful at all. It is a much more difficult task to create useful code that is also subversive. It's not impossible but is it really worth the time? If your code gets rejected for any reason, whether it is discovery, usefulness, or coding style you fail.

Re:Why..

[blz]

perlchild (nice name btw) is absolutely correct. When I read the article saying skype read /etc/passwd, /etc/group, etc, I too was wondering what the problem was. I am however curious why it was reading in the firefix profile stuff, as there should be nothing related to skype there.

This is a lie

It's impossible to compromise teh Lunix's security. This is a known fact. Thus... the story must be false.

it was the authors of Skype that...

[FudRucker]

put the spyware in Kazaa...

Re:it was the authors of Skype that...

the pope was also a member of hitler's youth!

Re:it was the authors of Skype that...

[FudRucker]

i was not trying to be a troll, i did not say what i meant to say though...

let me re-phrase what i meant to say, "the people that put spyware in Kazaa are the people that manufacture Skype"...

/etc/password

[Colin+Smith]

Is a public file, as are virtually all the others in /etc.

What's it doing? Well, what libraries is it linked with? Perhaps it's converting your UID into a name among other things.

Re:/etc/password

No kidding. If you go over the list of files it reads, it seems pretty clear it's just a normal running GUI program, nothing evil.

The only thing that stands out is when it checks the Mozilla profile, but I'll bet that it's doing that to make sure that the "skype:" URL handler is enabled and adding it if it isn't.

In other words, this is a complete non-story.

Re:/etc/password

[JosefAssad]

That, and this

Re:/etc/password

getenv( "USER" );

Why would you need to read /etc/passwd again?

I'm not saying there's no valid reason, just that getting a username is not a valid reason.

Re:/etc/password

[Jeffrey+Baker]

That doesn't give you the full name. Look people, there's absolutely nothing wrong with a program opening /etc/passwd. If you trace any random Linux program you will see it opening /etc/passwd, because there's useful information in there. There's an API for this, e.g. getpwent.

Re:/etc/password

[maxwell+demon]

Getting your full name?

Re:/etc/password

A technical point: the USER environment variable is not mandated by POSIX, whereas getpwnam() and getpwuid() are.

I'm not saying your point is invalid, it's just that using getpwnam() is more portable than getenv("USER") so getting a username is a valid reason ;)

Re:/etc/password

[VGPowerlord]

POSIX has getlogin() or getlogin_r() to get the current username.

Some implementations of these are apparently easily tricked, though.

I, for one,

Welcome our new password-reading spyware overlords

I am not suprised

[figleaf]

We already knows that Skype records a lot of other information including your BIOS : http://www.pagetable.com/?p=27

Which versions?

Which versions of Skype, 1.4 or all of them?

I think it is time to use SIP and force the 2 people I talk to to use SIP as well.

Re:Which versions?

[philfr]

Which versions of Skype, 1.4 or all of them?

I just checked my 1.3.0.53 version with strings, and strace.

It does read my passwd file (which is acceptable IMHO), but none of the other files mentioned.

And the "passwd" string is not in the binary, so it merely uses a getpw* library call.

Maybe people should stick to an older version ? I don't even know what 1.4 has more to offer (but, OK, I use skype 2 or 3 times a year...)

Re:Which versions?

[k8to]

Checking skype with strings isn't going to get you very far because the program is encrypted and decrypts itself to memory block by block (and only the current block). This behavior (among other tricks) is why I personally do not trust skype at all. However, stracing should allow you to see what files it happens to open on your run.

I do not believe Skype to be especially malicious, although I may be incorrect. I do believe their approach to transparency (ie. avoiding it at all costs) to be sufficient to not trust it.

Well...

[Attaturk]

[Why...] only closed source applications? I don't think most people read the entire sources of open source applications that they use.

And not everyone will use a tool to check what their closed source application is actually doing either. When using popular open source software there's a good chance that someone has already scanned the entire source and therefore a good chance that mischief would have been uncovered.

With closed source the chance that someone will uncover mischief, which they can only do by analysing the application's actual operation, is therefore much slimmer.

In summary, it's not that you can always trust open source above and beyond the equivalent closed source - it's just that it's generally much easier to do so. :)

Uh oh

[doyoulikeworms]

Russian hackers are getting your passwords!

Linked in libraries?

[wangmaster]

It'd be interesting to see what libraries skype links in. If it has anything built against mozilla libraries, or perhaps something else that might legitimately need to check user IDs for access information (say to /dev/whatever) or something like that.

What a load of FUD

[arivanov]

Dunno about AppArmour, but there is no way in hell to distinguish between legitimate getpwnam, getpwuid, etc calls and reading the whole passwd file on a linux system using strace.

Example:

strace on ls -laF immediately gives

open("/etc/passwd", O_RDONLY) = 4

Followed by quite a few reads out of it. So by the logic of the poster ls -laF is a horrible application doing horrible things to your system.

Unless you have read the source or single-stepped trhough the app with a debugger, examined the data and found that it does something nefarious like sending skype the whole of your /etc/passwd you should not claim that it does something illegitimate.

Re:What a load of FUD

[11223]

Oh my God! ls -laF is looking at my .mozilla directory! In fact, it's looking at every file in my home directory! GNU binutils is teh spywarez! ... what do you mean, it's supposed to do that?

Re:What a load of FUD

[DaleGlass]

Heh, but ls has a perfectly legitimate reason for it: Looking up account names. You can see that plain 'ls' doesn't open it, because the short format doesn't show usernames (now if it did in this case that'd be interesting as well). And if you still think it's suspicious you can get the source and look at it.

Now what exactly does skype need to know my or anybody else's account name for? I've got no clue, but I'd be very interested to find out.

Re:What a load of FUD

[DavidTC]

Um, because it wanted to refer to you as using real name, which is the entire damn point of having the field in /etc/passwd? Or even your username?

Without looking in /etc/passwd all it would know is your UID.

Or perhaps it's not even the thing doing it, perhaps it's using a shell script to see if the skype: handler is registered in Skype, and that script does 'ls -l' to check file sizes.

What I'd be interested in figuring out is exactly the fuck confidential information people think is hanging out in /etc/password? We all know that there are actually no passwords in that file, right?

And everyone know that programs access it all the time, right? Which is why it's deliberately world-readable?

Seriously, this entire article was made by someone who knows how to use strace but hasn't bothered running it on other programs, and has no idea what /etc/passwd is for.

Re:What a load of FUD

[mpeg4codec]

Dunno about AppArmour, but there is no way in hell to distinguish between legitimate getpwnam, getpwuid, etc calls and reading the whole passwd file on a linux system using strace.

Example:

strace on ls -laF immediately gives

open("/etc/passwd", O_RDONLY) = 4

Try ltrace, which is similar to strace but lists library calls [man section 3] instead of system calls [section 2]. Running your same example with ltrace, one will see:
getpwuid(1000, 0xbfaa1073, 0xbfaa0d08, 1000, 0x805c088) = 0xb7f8c9b8
where 1000 is my uid and the rest of the params are pointers to memory locations.

So yes, it's possible to distinguish, just not using strace. Proper tool for the job and all that.

Of course all this would be moot if we had access to the source, which is the underlying issue being debated here.

Re:What a load of FUD

[DaleGlass]

Um, because it wanted to refer to you as using real name, which is the entire damn point of having the field in /etc/passwd? Or even your username?

Why would it need to? Skype has its own accounts, if it wants to refer to me by name it can use whatever I entered in my account info.

Or perhaps it's not even the thing doing it, perhaps it's using a shell script to see if the skype: handler is registered in Skype, and that script does 'ls -l' to check file sizes.

That'd be a stupid way of doing it, and I think AppArmor would have logged bash in that case. Or at least I hope it can tell the difference between what a program is doing, and what a program launched by another is doing.

What I'd be interested in figuring out is exactly the fuck confidential information people think is hanging out in /etc/password? We all know that there are actually no passwords in that file, right?

More than confidential, it's interesting why it's looking there. Especially the much stranger mozilla directories and /proc/interrupts. Add those things together and it's not hard to imagine that skype might gathering something from /etc/passwd like everybody's real names and reporting them. Now I have no clue if it actually does that, but given that Skype is already well known for doing strange things, some paranoia seems justified.

Re:What a load of FUD

[arivanov]

It has no other legtimate means of getting your GECOS. As a result, I would expect it to do a /etc/passwd read via the getpw family of calls during initial registration. Doing it later on is not strictly necessary, but not very "nefarious" either.

Re:What a load of FUD

[FooBarWidget]

"Why would it need to? Skype has its own accounts, if it wants to refer to me by name it can use whatever I entered in my account info."

So that it can fill in sensible defaults in the 'register account' dialog. Having sensible defaults is good usability.

Re:What a load of FUD

[DaleGlass]

So that it can fill in sensible defaults in the 'register account' dialog. Having sensible defaults is good usability.

But it doesn't do that. I just made a new user account, ran skype, and starting creating a new skype account. Skype leaves the full name field blank.

Re:What a load of FUD

[ojs]

Oh oh ... you have a compromised computer!

Well, anyways, I dont see this in my strace of ls -laF :-)

Re:What a load of FUD

[DaleGlass]

Well, I just tried to ltrace it, it's interesting.

Lots of output, but no getpw or open in it, and before starting skype says "Binary file corrupted. Please reinstall skype". So can't get very far with ltrace.

Either ltrace screws something up, or skype intentionally makes it not work.

Re:What a load of FUD

[makomk]

Skype has some rather paranoid anti-debugging measures; it sounds like ltrace is tripping one of them. I'm surprised strace is allowed; presumably the Skype developers either didn't know how to block it or didn't care.

Re:What a load of FUD

From a security standpoint, you have it backwards. Unless you have read the source or confirmed in some other way that the app *doesn't* do anything naughty, you can't claim that it's entirely legitimate. Innocent until proven guilty doesn't apply to computer security.

Re:What a load of FUD

[mysidia]

This article looks like guerilla advertising for SuSE/AppArmor, a Novell product.

It's a fine example of why people who don't understand the C Library and Linux/BSD/POSIX SDK and how to disassemble the application should not be relying much on AppArmor to tell them what's good and evil.

The trouble is the library does it, not the application, and a few reads of some files can't tell you the application's intent, or show whether the information is being encrypted and sent out to the software maker or not.

This reminds me of folks that spend day and night reading firewall logs and mailing out hundreds of complaints to networks if a host so much as pinged them or tried to make a port 25 connection.

Sure, they could be a spammer or hacker, but just because you set alarms -- a connection attempt doesn't say that anything evil is being attempted. I'd be far more concerned if someone said Skype read something from /etc/shadow, then the very next thing it did was to make a port 80 connection to Skype's servers and send a HTTP POST submission with lots of binary jibberish.

Any program that needs to do so much as lookup the user's shell, home directory, username attribute, or real name needs to examine /etc/passwd.

Most non-trivial applications need the user's home directory to load their user preference files. Some internal shell script of Skype may even need the user and group names, in order to establish appropriate file permissions.

Sure, there are environment variables that popular distributions' shells use; however for an application like Skype to be portable, it may not be able to rely on a particular environment variable like 'HOME' being set -- it may be safest just to getpwuid() the user and lookup their home directory that way.

In any case, the SOFTWARE DEVELOPER would have the option of using getpwuid() instead of getenv("HOME"). It's the developers' choice.

Applications can accomplish things in fairly boneheaded ways sometimes, but that doesn't indicate anything malicious or evil.

Re:What a load of FUD

[mpeg4codec]

Skype probably using some timing measures to prevent the user from attaching a debugger, and ltrace may alter the timing enough so that Skype believes this is the case. If you're outputting the ltrace debugging to the terminal, that could very well be the case, because terminal output is pretty slow. Maybe outputting it using the -o flag would make it work. I don't use Skype, otherwise I'd try myself.

Re:What a load of FUD

[Junta]

On the /etc/passwd thing, first off, I don't see what they could get from that in 99% of systems. As has been noted *many* times before, no password or hash of a password is stored there most times. You mention 'real' names, which *possibly* in there, but the *vast* majority of desktop linux installs I see don't have anything accurate for the users full name. Any attempt to correlate that data, for whatever bizarre reason, wouldn't get them very far. Almost certainly all the worrisome /etc calls are made by auxilarly libraries in the course of trying to fulfill run-of-the-mill calls. The browser profile walking seems bizarre and probably the place where skype should answer, and the potential place where things like AppArmor and SELniux really come into play, where a single user wannts to segregate application data all run by the same user. I can't see why anyone would worry about /proc/interrupts, and can easily see how opening that is relevant to an application using an audio device/has realtime characteristics. If some counter in interrupts is increasing, that info may be helpful to know if someone files a report and says the audio is skipping, an interrupt going nuts would explain that readily.

Re:What a load of FUD

[arivanov]

Strace relies on a kernel interface which cannot be disabled by Joe Average Luser. I have not used ltrace, but in order to do what it does it has to rely on library preloads and other userspace approaches. That is trivial to detect. Even less paranoid closed source application will pick it up and refuse to run.

Re:What a load of FUD

[kasperd]

Strace relies on a kernel interface which cannot be disabled by Joe Average Luser.

And ltrace relies on the exact same interface, just tries to figure out some other things using it. The first of a few things to notice is, that strace is not completely transparent. There are bugs in at least some kernel versions, that causes system calls to sometimes return wrong return values when strace is being used. And for some system calls such as vm86 strace will actually show incorrect information about which system calls are being made. ltrace is even more tricky to get right. With static linking and very agressive optimization, it could become impossible to do what ltrace wants to do. Not seing getpwuid or related library calls is no definitive proof, that they are not being made. To make matters worse, even if /etc/passwd was only accessed through ordinary getpwuid calls to glibc, it might still be possible to get the entire contents of /etc/passwd. Once glibc have read it, pieces of it could be left around in memory from where it could trivially be read without making any system calls. The good news is, that /etc/passwd normally doesn't contain very sensitive information.

Re:What a load of FUD

[FST777]

This article looks like guerilla advertising for SuSE/AppArmor, a Novell product.

Hmmm... Why then would the summary link to the Ubuntu page on AppArmor instead of the openSUSE page? Even TFA primarily mentions Ubuntu.

Might be guerrilla advertising for AppArmor (which is, by the way, a decent OSS product) but it certainly isn't a SuSE/openSUSE/SLED advertisement.

But then, maybe it's just me: I don't consider Novell or any of its products evil. I know many do.

Re:What a load of FUD

[VGPowerlord]

As was pointed out in another thread elsewhere in this discussion, it has a legitimate use: to get your home directory's location so it can find its configuration files.

Re:What a load of FUD

[gtwilliams]

Now what exactly does skype need to know my or anybody else's account name for? I've got no clue, but I'd be very interested to find out.

It probably doesn't. But it most certainly needs to know how to open its configuration file, which it expects in your home directory. To get the path to that file, it calls getpwuid(). That library routine, on a system configured without network files like NIS+ or LDAP, will open /etc/passwd to obtain, among other things, your home directory.

Re:What a load of FUD

[DavidTC]

It's obvious why it looks around in the profile directories if you know the slightest bit about Skype.

Here's a hint for those that do not: Skype installs a protocol handler called skype:, in Firefox, so you can click on links and connect to people. Now, class, how would Skype go about doing that, or verify that it's already done it?

Also, there's a Skype toolbar that may or may not be installed. I don't know of offhand why the Skype program would need to know if that's installed, but it's not that hard to imagine a logical reason.

Re:What a load of FUD

10 points!

-- berkus

Re:What a load of FUD

[Kjella]

Seriously, this entire article was made by someone who knows how to use strace but hasn't bothered running it on other programs, and has no idea what /etc/passwd is for.

Agreed. But it's the kind of naming that drives people taking over someone else's code crazy. It's called /etc/passwd, but it does everything else but actually contain passwords. I recently discovered something similar in a piece of software I work with - the functionality the tables are named after has been moved to new database table, and what's left now is part other functions, part ghost tables which are empty except on upgrades and you want to just strangle someone trying to figure it out.

Re:What a load of FUD

[mvdwege]

Skype has some rather paranoid anti-debugging measures

This, to me, would be enough reason to ban Skype from all systems under my control. What does it have to hide that I, as legitimate administrator, am not allowed to know?

Not that this is the only reason why a security-conscious administrator should not allow Skype on the network, of course.

Mart

Incorrect

[bakuun]

put the spyware in Kazaa...

It is true that the same people were the main creators of Kazaa and Skype. However, those creators had nothing to do with the introduction of spyware into Kazaa. They are not to blame for what others did. The introduction of the spyware was included in Kazaa first after the program was sold from the creators.

hard to avoid

[m2943]

Many of those files are perfectly legitimate for any application to read.

In any case, you don't need AppArmor to find what files something opens, just use strace.

Re:hard to avoid

[SpaceLifeForm]

But reading /proc/interrupts is strange, no?

Re:hard to avoid

[m2943]

Hard to say. Skype is software that needs to run and do audio I/O on a wide variety of configuration and hardware, and without being able to rely much on system libraries. Reading /proc/interrupts is pretty reasonable for that.

They may also be collecting this data in order to send it to Skype to help them figure out what kinds of configurations people are using, or what kinds of configurations are crashing; I believe they give you a choice about whether to report system information.

GECOS field

/etc/passwd is likely accessed to lookup the full name of the user in the GECOS field.

But why Skype wants to access all firefox settings remains a mystery. But it might look for proxy information.

Re:GECOS field

Which is stupid. Proxy information is stored in /etc/sysconfig/proxy and/or the $http_proxy environment variable.

Re:GECOS field

Yeah, it's not like a Linux box could be multi-user and each user could have their own proxy preferences.

It's not like that at all.

shadows

[SolusSD]

virtually *any* linux distribution uses shadowed passwords s oour encryted password is kept in a separate file. Anyone "rolling their own" should have the forsight to do the same.

Why /etc/passwd access is benign

[vfaded]

First: The reason why most applications want to access the /etc/passwd file is to get your home directory. man getpwent for how this works.

Second: Any modern Linux system will use a shadow password file, its been years since I've seen a system use a regular password file.

Re:Why /etc/passwd access is benign

[MichaelJ]

And let's be clear on this... The application itself, per se, is not what's reading /etc/passwd ... it's libc, when the application calls getpwent() or getpwuid(). And it depends on /etc/nsswitch.conf's settings, which it reads first. Pure FUD. And if the idiot blocks application access to those files, things are NOT going to work correctly. Oh, and as for reading the Mozilla profile ... could it be looking for the Skype Toolbar?

Re:Why /etc/passwd access is benign

[kasperd]

The reason why most applications want to access the /etc/passwd file is to get your home directory.

That would be a bug. The application is supposed to use the HOME environment variable. If you get different directories by looking in /etc/passwd and using the HOME environment variable, then the environment variable is the one containing the correct directory.

Er, maybe it's getpwent or getpwnam?

[11223]

I can't speak to the Firefox profile access, but if an application wants to look at the GECOS field to find your real user name, the only way to do that on a non-NIS (or other network authentication scheme) system is to look at /etc/passwd. This is also why shadow passwords should always be used, because /etc/passwd can't be locked down.

Paranoia without understanding how UNIX works is inappropriate.

Re:Er, maybe it's getpwent or getpwnam?

[jguthrie]

I seem to be able to confirm this. When I run skype, it does not read /etc/password, I expect because my user information is distributed using LDAP. Therefore, it instead connects to nscd.

Halfway legitimate

And of course it phones home too. Voilà. Result: Either you are ok with that and you are one of these people that say "I have nothing to hide" (there's been a /. article about that too, more or less often), or you are not ok with it and should stop using it immediately.

But technically, anything that uses getpwuid(getuid()) uses /etc/passwd. This is how programs finds out your GECOS (real name) and or home directory, though I'd say that the latter should be done using getenv("HOME"), so as to change it temporarily (export HOME=~/somewhere_else).

reading /etc/passwd is normal

[harlows_monkeys]

It's quite common for programs to read /etc/passwd. For example, use strace on "ls -l", and you'll see it reading /etc/passwd.

It is via /etc/passwd that you convert a UID to a user name.

I've discovered even worse Linux privacy problems

In the research I did for my doctoral thesis, I found the shocking secret that getty and login and even init both read /etc/password and other files in /etc. My research has not yet found a valid reason for this. I am left feeling that Linux itself is spyware. My proposed solution is to only mount filesystems when a user is not logged in.

AppArmor. Hilarious.

Worst attempt to pimp AppArmor ever. SELinux FTW.

Ka-Zaam!

what else did you expect from the shop that brought you kazaa?

1989 called...

[itsdapead]

They want their critical Unix vulnerability back.

Darn - all I have to do is cat /etc/passwd from a regular account... let's see... gee, the sysadmin on this machine is a dumbass - what sort of root password is "x"?

OMG its on Mac OS as well - the root password here is '*' - well, at least they've used a non-alphabetic character.

What's that you say Mr Sock... /etc/passwd is a public file and no security-conscious distro has actually stored passwords in there since the encryption was cracked (at least for dictionary words) sometime in the 80s?

Wake me up if Skype actually emails a readable copy of /etc/passwd to the black hats - even then, it shouldn't be enough to compromise a system (although a list of usernames might be handy).

Re:1989 called...

The word 'password' does not appear in either the summary or the linked post. It remains a mystery why you think this discussion has anything to do with passwords. (Hint: Just because a file is called passwd doesn't mean that its one and only function pertains to passwords.)

Re:1989 called...

This used to work a long long time ago...

(and then there's this lame filter that says there's too few characters per line?! WTF, so now posting code is not allowed. lame lameness that wallows in lameless). I thought this would be fun for the sake of nostalgia. Good old days when you could do stuff like log into chat under someone else's acct and pretend to be a naughty nurse with your drunk friends when you were really way too bored and ought to have had better things to do, not that I would have any personal experience of the sort but I've heard such things have been known to happen. Okay is this enough lines to boost the average?

/* This source will/should print out SHADOWPW passwd files. */

struct SHADOWPW { /* see getpwent(3) */
char *pw_name;
char *pw_passwd;
int pw_uid;
int pw_gid;
int pw_quota;
char *pw_comment;
char *pw_gecos;
char *pw_dir;
char *pw_shell;
};
struct passwd *getpwent(), *getpwuid(), *getpwnam();

#ifdef elxsis? /* Name of the shadow password file. Contains password and aging info */

#define SHADOWPW "/etc/shadowpw"
#define SHADOWPW_PAG "/etc/shadowpw.pag"
#define SHADOWPW_DIR "/etc/shadowpw.dir" /*
* Shadow password file pwd->pw_gecos field contains:
*
* ,,,,
*
* = Type of password criteria to enforce (type int).
* BSD_CRIT (0), normal BSD.
* STR_CRIT (1), strong passwords.
* = Password aging period (type long).
* 0, no aging.
* else, number of seconds in aging period.
* = Time (seconds from epoch) of the last password
* change (type long).
* 0, never changed.n
* = Time (seconds from epoch) that the current password
* was made the (type long).
* 0, never changed.ewromsinm
* = Password (encrypted) saved for an aging to
* prevent reuse during that period (type char [20]).
* "*******", no .
*/ /* number of tries to change an aged password */

#define CHANGE_TRIES 3 /* program to execute to change passwords */

#define PASSWD_PROG "/bin/passwd" /* Name of the password aging exempt user names and max number of entires */

#define EXEMPTPW "/etc/exemptpw"
#define MAX_EXEMPT 100 /* Password criteria to enforce */

#define BSD_CRIT 0 /* Normal BSD password criteria */
#define STR_CRIT 1 /* Strong password criteria */
#define MAX_CRIT 1
#endif elxsi
#define NULL 0
main()
{
struct passwd *p;
int i;
for (;1;) {;
p=getpwent();
if (p==NULL) return;
printpw(p);
}
}

printpw(a)
struct SHADOWPW *a;
{
printf("%s:%s:%d:%d:%s:%s:%s\n",

Re:1989 called...

Dude, can you read the title of the summary?!? "Skype Linux Reads Password and Firefox Profile".

- Lillesvin (Posting anonymously because I've modded a bit around in the comments.)

But what's going out?

[Kickstart70]

Yeah, it's not quite kosher that the program reads this stuff, but what's more important is tracking what goes from the program back to Skype headquarters. Has anyone tried reading the traffic from it while not connected to a voice call, etc.? Want to get mad about something? Then at least ensure there's a valid and serious reason to do so.

Re:But what's going out?

You have no chance to find out, what Skype really does:

Skype traffic is encrypted and additionally obfuscated.
You have no chance to know, what Skype really sends out or recieves.

Skype causes also a lot of traffic when you are not using it for a voice call. This is because of the p2p-design: If you are running Skype your computer is used to help others communicating.

For details see the presentation A Silver Needle in the Skype from EADS experts:
http://www.blackhat.com/presentations/bh-europe-06 /bh-eu-06-biondi/bh-eu-06-biondi-up.pdf

Face it, you really have no chance to find out, what Skype does:

The real question is ...

[PinkyGigglebrain]

what does it do with the data it reads?

Will someone ...

[Just_Buch]

finally, for one, welcome our new Skype Overlords?

"/etc/passwd" is a misnomor

[iamacat]

It stores your username, home directory, default shell. Most applications read it at least once, to display your username based on current user id. Shadow passwords are usually in effect, so it's only rarely that this file contains encrypted passwords.

Re:"/etc/passwd" is a misnomor

[CastrTroy]

Is this the standard way of accesssing such information in Linux? I'm not a linux programmer, so I really haven't looked into it. Isn't there (shouldn't there be) better ways of accessing information such as username, home directory, shell, etc. without reading the file which also contains the passwords? Isn't this located in some environment variable? From reading the other posts, it seems like many applications "read /etc/passwd" mostly indirectly, by doing some system calls to get this kind of information. However, I think that this information should be available without reading the password file, as it may not be a good idea to give all users (especially on large multi-user systems) access to this file. It just seems like an unnecessary risk.

Re:"/etc/passwd" is a misnomor

[AaronW]

The standard APIs for obtaining this information read /etc/passwd. Passwords are no longer stored there, however, but are in /etc/shadow which is not accessable by users other than root.

Re:"/etc/passwd" is a misnomor

[mikael]

'struct passwd * getpwuid(uid_t uid )' and 'struct passwd *getpwnam(const char *pname)' are the standard function calls for retrieving a users password details, default shell, home directory etc...

They work by reading the password file sequentially and then returning the corresponding data structure.

You could try obscufating this information under some kernel or system method (eg. windows registry) but that would just make it easier for someone to hide a root kit.

Re:"/etc/passwd" is a misnomor

[CastrTroy]

Thanks for clearing that up. I wasn't exactly sure of how the whole thing worked. It seems that this is just another sensationalist article written by someone who doesn't know what they are talking about. And the editors let it slip through, and be published. Never mind that they wouldn't publish real news like the fact that the Wii has recently beat the XBox 360 in sales. But such is life on Slashdot.

Re:"/etc/passwd" is a misnomor

[cduffy]

There is a better way (the getpwent() call through the standard C library -- which will use LDAP or whatnot instead of /etc/password as appropriate); further, /etc/passwd doesn't actually contain passwords on any halfway modern system.

Re:"/etc/passwd" is a misnomor

[Lennie]

If I'm not mistaken: /etc/nsswitch.conf is the file that specifies the order in which files, databases (like LDAP) or NIS, etc. are handled.

Re:"/etc/passwd" is a misnomor

[Ecks]

Yes, In Unix the C API for accessing user information is the set of getpw* functions. Skype is probably trying find the user's full name by indexing the user "database" with the uid. This is both harmless and safe.

In any modern Unix or Linux System /etc/passwd doesn't have passwords in it. The name is a historical throwback to days when it did but 1970 was a long time ago. At that time Unix users didn't lock their doors in the metaphorical sense. Unix now stores password hashes in a different file: /etc/shadow on Linux, /etc/master.passwd on FreeBSD, OpenBSD and most likely NetBSD. This file is rw to root and inaccessible to any other user on the system.

-- Ecks

Re:"/etc/passwd" is a misnomor

[cduffy]

Correct; that's all functionality hidden behind getpwent() call.

Re:"/etc/passwd" is a misnomor

[init100]

The name of the file (passwd) is just a historical remnant, since passwords were once upon a time stored there. As others have already explained, passwords are nowadays usually stored in the shadow file, which isn't readable to anyone but root. The /etc/passwd is used for other user information, such as the full name, the user shell, the user home directory, and various other user-related bits and pieces.

Flawed logic

[Sycraft-fu]

First you assume that the person(s) that read it would catch anything evil in it. It's not like the evil code is necessairily going to be in a function called doEvil(), it could be very cleverly hidden among legit functions so that most people would miss it. With good obfuscation it wouldn't be hard to make something that people would have to play with a debugger just to figure out what is going on, and as such miss it on anything less than a really intense code audit.

Second, you assume the people who look at it aren't in on it. So maybe a couple people look at the code and find the evil bits. They contact the developer and ask what's up. The developer then lets them in to his cabal, who can use the evil bits for their own ends. The people decide they like this and don't tell anyone. The people who read the code have to be honest for this to work.

Third you assume that anyone other than the developer even bothers to look at the code. Not always a valid assumption, just because the code if you there doesn't mean anyone gives a shit. Maybe it is too complicated, maybe they just don't care, regardless the code being open is no guarantee that someone looked.

Fourth, you assume that the binaries are the same as the source. I'm betting at least some of the time, and probably more often than that, you install things from a binary package. It's easy and much faster than compiling everything. Great, but how do you know the source follows the binaries? It would be easy to release an untainted source, and then tainted binaries. That the checksums differed wouldn't be of any note, since it could just be that different compile options were used, or even a different compiler (for example using ICC since it generates more efficient binary code). As such no source audit would ever turn up the problems.

Finally, even if you compile your own, you assume that nothing else is in on it. I'll refer you to the classic Ken Thompson story http://cm.bell-labs.com/who/ken/trust.html. Some other program, and not just the compiler, could be in on inserting a trojan. It might never exist in source form, yet always get compiled in. Thus even a build from a verified source isn't a defense.

Really, what it comes down to is open source may give you a warm, fuzzy feeling but it isn't actually proof everything is on the level. Really, you have to test what the software actually does when it is run. You can't say "Well the source is open so it can't do anything evil," because you just don't know that. It's far more useful to analyze how the program acts on a system, than to look over the code.

After all, if looking at the code revealed everything, OSS would never have any bugs. You'd look at the code, see all the bugs, they'd all get fixed. Yet it does, nasty ones. My favourite is the BIND flaw discovered back around 2000 that was in essentially every version of BIND ever. Despite the fact that many people had looked at the code, nobody had ever noticed this. There was no ill intent, no conspiracy, it just wasn't something people saw.

As such the same could be done for something evil. Hide it well enough in the code, and nobody will notice it.

Re:Flawed logic

[DaleGlass]

First you assume that the person(s) that read it would catch anything evil in it. It's not like the evil code is necessairily going to be in a function called doEvil(), it could be very cleverly hidden among legit functions so that most people would miss it. With good obfuscation it wouldn't be hard to make something that people would have to play with a debugger just to figure out what is going on, and as such miss it on anything less than a really intense code audit.

This sort of "evil" is very transparent. You can code a hidden buffer overflow/exploit/backdoor in such a way that it's not obvious (= instead of == for example, caught in the Linux kernel once). But how do you hide an access to say, /proc/interrupts? You need to spell out the filename, and there's got to be an open or fopen for it somewhere. Any attempt to encode the filename is going to be weird and suspicious. Plus, file parsing would be quite a bit than a single line of code, so it's hard not to notice something is being read, stored, etc.

Second, you assume the people who look at it aren't in on it. So maybe a couple people look at the code and find the evil bits. They contact the developer and ask what's up. The developer then lets them in to his cabal, who can use the evil bits for their own ends. The people decide they like this and don't tell anyone. The people who read the code have to be honest for this to work.

Uh huh. Such a thing would be an outright admission of evildoing. Depending on what is being done it might be enough for a lawsuit, and definitely enough for mass publication all over the web to ruin the developer's name. Slashdot had a story on some Mac developer who claimed there was an anti-piracy check that'd delete the user's documents folder. Just the claim (which the developer says wasn't real and intended to scare people off) resulted in such outrage he's probably unemployable for years now.

No, anybody with any brains would deny any wrongdoing and claim a hacked server, or pretend that no mail is arriving at all.

Fourth, you assume that the binaries are the same as the source. I'm betting at least some of the time, and probably more often than that, you install things from a binary package. It's easy and much faster than compiling everything. Great, but how do you know the source follows the binaries? It would be easy to release an untainted source, and then tainted binaries. That the checksums differed wouldn't be of any note, since it could just be that different compile options were used, or even a different compiler (for example using ICC since it generates more efficient binary code). As such no source audit would ever turn up the problems.

But 99% of Linux software is delivered by the distribution, with the package maintainer often being completely unrelated to the developer. While it's not impossible for something weird to be going on, those distribution maintainers do things like patching the source and dealing with its bugs. You can bet that eg, the Debian maintainer of Firefox looked at the source.

Finally, even if you compile your own, you assume that nothing else is in on it. I'll refer you to the classic Ken Thompson story http://cm.bell-labs.com/who/ken/trust.html. Some other program, and not just the compiler, could be in on inserting a trojan. It might never exist in source form, yet always get compiled in. Thus even a build from a verified source isn't a defense.

That's a tricky one, but you can use a different compiler. Compile gcc with icc for instance. For OSS I think this approach is unlikely due to the frequence with which somebody decides "let's rewrite this part". It's easy to make a compiler that hiddenly changes some well known part of the source, but it's much harder to deal with a complete reorganization of it. To keep it up would need updates

Re:Flawed logic

[SanityInAnarchy]

It's not like the evil code is necessairily going to be in a function called doEvil(), it could be very cleverly hidden among legit functions so that most people would miss it.

The more obfuscated it is, the more likely it is that the open source community would just rewrite that chunk of code for being too difficult to understand.

The challenge is not only to make it impossible to see what the code is doing, but to make it possible to think you know what the code is doing, and still miss what it's really doing. And at the end of the day, it has to spell out /etc/passwd in the code somewhere, or it has to have code that generates it, and it would take a LOT of work to write code which generates '/etc/passwd' while also never spelling it and looks innocent.

(Ditto for any other way you'd do this. There are standard library functions to access passwd, and those would be just as hard to hide.)

Second, you assume the people who look at it aren't in on it. So maybe a couple people look at the code and find the evil bits. They contact the developer and ask what's up. The developer then lets them in to his cabal, who can use the evil bits for their own ends. The people decide they like this and don't tell anyone.

You only need one whistleblower developer to end that charade. And that one whistleblower would bring in hundreds or thousands of developers who'd never bothered to look at the code, who would read it and say "Yep. Looks evil."

Compare that to proprietary software -- it takes someone actively trying to reverse-engineer the software in some way; here, running it in a restricted environment. Even once you have someone doing that, it can be a lot less trivial than "just look at the source" for someone else to verify it.

Third you assume that anyone other than the developer even bothers to look at the code. Not always a valid assumption, just because the code if you there doesn't mean anyone gives a shit. Maybe it is too complicated, maybe they just don't care, regardless the code being open is no guarantee that someone looked.

Well, this is Skype we're talking about. It's popular enough that someone would have looked.

Also, consider the person making such "evil" software -- would they really be ballsy enough to assume no one would read the source? True, there could be some open projects with "evil" code in them that nobody's bothered to read, but anyone doing that is taking the chance that someone, somewhere, would read it and discover what they're doing.

And then there's the question of what happens when they discover it. Like right now, no one has a clue why Skype would be reading passwd. We assume it's evil, but we don't really know. Were it open source, we could just go read the code, and instantly see if there's a legitimate reason. If there wasn't, we could patch the "evil" bits out and keep using Skype as if nothing happened.

Fourth, you assume that the binaries are the same as the source. I'm betting at least some of the time, and probably more often than that, you install things from a binary package. It's easy and much faster than compiling everything. Great, but how do you know the source follows the binaries? It would be easy to release an untainted source, and then tainted binaries.

As the sibling post says, in general, most distros compile from source. So if you trust Ubuntu, say, you don't have to trust a hypothetically open source Skype in this respect -- the Ubuntu people would have compiled it from source themselves, and cryptographically signed the binaries.

Some other program, and not just the compiler, could be in on inserting a trojan. It might never exist in source form, yet always get compiled in. Thus even a build from a verified source isn't a defense.

That kind of rules out it being Skype's fault, then, for

Re:Flawed logic

[nwbvt]

"This sort of "evil" is very transparent. You can code a hidden buffer overflow/exploit/backdoor in such a way that it's not obvious (= instead of == for example, caught in the Linux kernel once). But how do you hide an access to say, /proc/interrupts? You need to spell out the filename, and there's got to be an open or fopen for it somewhere. Any attempt to encode the filename is going to be weird and suspicious. Plus, file parsing would be quite a bit than a single line of code, so it's hard not to notice something is being read, stored, etc."

Would it be difficult? Sure. But if you think it is impossible to hide an access to a file you are not supposed to see, you are obviously either new to writing software, or you lack imagination.

"Uh huh. Such a thing would be an outright admission of evildoing. Depending on what is being done it might be enough for a lawsuit, and definitely enough for mass publication all over the web to ruin the developer's name."

Thats an example of why such activities should be rare in the commercial world, where the developer's name, address, social security number, etc., are all on record. But not in the world of many open source projects where it is perfectly possible for someone to be practically anonymous when they submit their patches.

"But 99% of Linux software is delivered by the distribution, with the package maintainer often being completely unrelated to the developer."

Considering how many software packages a person typically has installed on their machine, that extra 1% is pretty dangerous. Yes, the official packages you got straight from the distro may all be fine, what about that new upgrade you went to that great new rpm repository your buddy told you about?

"You can bet that eg, the Debian maintainer of Firefox looked at the source."

You honestly think the owners of the distros look at all the source of each package they include? You must think they have no lives whatsoever.

"That's a tricky one, but you can use a different compiler."

I fail to see how that helps. How do you know the different compiler isn't the one with the Trojan? Its like if we were picking apples from a tree and I point out you have no way of knowing the one you just picked hasn't been poisoned, you throw that apple away and pick another one.

"It's easy to make a compiler that hiddenly changes some well known part of the source, but it's much harder to deal with a complete reorganization of it. To keep it up would need updates to the evil compiler."

It only needs to get in there once. And besides, I really don't think it would be that difficult to insert something generic like a keystroke monitor that would effect pretty much anything compiled with it.

"If Skype was open source we wouldn't be having this discussion at all."

I don't doubt that at all. A problem with an open source program rarely is treated the same as a problem with a commercial app by /. But that says more about the /. culture than it does the differences between open source and closed source.

I'm not saying don't use open source software. Just don't pretend it is immune to the problems that plague commercial software and forget about all precautions (like not running something like AppArmor, to tie this back to the original point) just because what you are running is under the GPL.

Re:Flawed logic

[DaleGlass]

Would it be difficult? Sure. But if you think it is impossible to hide an access to a file you are not supposed to see, you are obviously either new to writing software, or you lack imagination.

Ok, if you're so clever, provide an example of code that reads a file without making it easy to tell what it's doing, while avoiding looking suspicious.

Thats an example of why such activities should be rare in the commercial world, where the developer's name, address, social security number, etc., are all on record. But not in the world of many open source projects where it is perfectly possible for someone to be practically anonymous when they submit their patches.

Don't change subject. The original post was about a developer releasing "evil" code, then turning somebody who finds it to their side. Now you're talking about people submitting patches with somethind hidden in them. Completely different scenarios.

Most OSS projects don't blindly accept patches. Certainly not the ones in widespread usage. You might sneak a buffer overflow in, but to sneak an outright trojan would be seriously challenging. The submitter's anonymity isn't a problem if source is being examined.

Considering how many software packages a person typically has installed on their machine, that extra 1% is pretty dangerous. Yes, the official packages you got straight from the distro may all be fine, what about that new upgrade you went to that great new rpm repository your buddy told you about?

Stupidity exist everywhere of course, can't be eliminated 100%. But while for Linux users perhaps 1% of all software comes from unverified sources, for Windows users it's 99%. Just why exactly do you trust that say, Trillian isn't doing anything strange? Nobody but its developers really knows what's there.

You honestly think the owners of the distros look at all the source of each package they include? You must think they have no lives whatsoever.

Not all of it, but there are many distributions, which each look at different parts of the source. To sneak something in you'd need to be really sure that part won't get looked at by anybody, and that's hard. Developers watch mailing lists, talk to people who work on the project and use 'svn diff'.

I fail to see how that helps. How do you know the different compiler isn't the one with the Trojan? Its like if we were picking apples from a tree and I point out you have no way of knowing the one you just picked hasn't been poisoned, you throw that apple away and pick another one.

First you build gcc with icc. This is icc_gcc.
Then you build another copy of gcc with gcc. This is gcc_gcc.

Now you have two gccs with different code generated by different compilers.

So now you take both of those, and build the gcc source with both icc_gcc and gcc_gcc. Both should generate the same code. If they don't, something's fishy.

You can easily this with more compilers and multiple versions.

I'm not saying don't use open source software. Just don't pretend it is immune to the problems that plague commercial software and forget about all precautions (like not running something like AppArmor, to tie this back to the original point) just because what you are running is under the GPL.

Well, I still think it can't be defined that the OSS approach is superior. It's not impossible to sneak something in. But in doing so you must take a very high risk of being found out, and if somebody tracks that back to you, well, chances are you're going to have to look for a new carreer. People with a known record of coding nasty things aren't very liked in the software world.

Re:Flawed logic

[Yoooder]

But how do you hide an access to say, /proc/interrupts? You need to spell out the filename, and there's got to be an open or fopen for it somewhere

I beg to difer. A skilled programmer with malicious intent can be incredibly stealthy. While "good" code would likely just open a file by its full name, "bad" could would likely obfuscate it beyond recognition.

http://en.wikipedia.org/wiki/Obfuscated_code#Examp les Just check out the first example, which when ran produces the words to "The Twelve Days of Christmas."

Re:Flawed logic

[DaleGlass]

I beg to difer. A skilled programmer with malicious intent can be incredibly stealthy. While "good" code would likely just open a file by its full name, "bad" could would likely obfuscate it beyond recognition.

http://en.wikipedia.org/wiki/Obfuscated_code#Examp les Just check out the first example, which when ran produces the words to "The Twelve Days of Christmas."

Right. And that bit of code looks obviously harmless. You'd obviously scroll right by it if you saw it in some package's source, because there's absolutely no chance anything odd would be going on in a piece of code like that.

I mean seriously, that SCREAMS that there's something odd there.

Here's the same challenge for you as for the other poster: Write some code that accesses some file it shouldn't, and does something with the data in it (writing it to a socket say) in such a way that you can't tell what's it doing without looking really well at it, and it looks harmless or to be doing something else.

This obviously excludes clear obfuscation, horrible formatting, encoding the filename in any way, hiding the file open by doing the syscall by calling int 80, etc.

Re:Flawed logic

[darkwhite]

Right. And that bit of code looks obviously harmless. You'd obviously scroll right by it if you saw it in some package's source, because there's absolutely no chance anything odd would be going on in a piece of code like that. One big problem I see is that lots of code communicating with closed-source stuff like hardware, proprietary file formats, etc. will contain magic strings or binary blobs deemed necessary to work with the closed stuff. It would be much easier to hide malicious code in there and get it past reviewers' eyes...

Re:Flawed logic

[tucuxi]

First you build gcc with icc. This is icc_gcc. Then you build another copy of gcc with gcc. This is gcc_gcc.

Now you have two gccs with different code generated by different compilers.

So now you take both of those, and build the gcc source with both icc_gcc and gcc_gcc. Both should generate the same code. If they don't, something's fishy.

Very nice approach. I'd give you mod points if I had them. This can effectively guarantee that a toolchain you can build is free from binary-only evil.

Of course, you still can't know if any given gcc is also free from evil, since the 'evil gcc' could refuse to inject anything into the programs it is compiling unless an arbitrary number of restrictions is satisfied. For instance, only on April 1st, or only when certain code pattern is compiled.

Re:Flawed logic

[DaleGlass]

One big problem I see is that lots of code communicating with closed-source stuff like hardware, proprietary file formats, etc. will contain magic strings or binary
blobs deemed necessary to work with the closed stuff. It would be much easier to hide malicious code in there and get it past reviewers' eyes...

What's this "lots of code" you're talking about? On a normal Linux system that's maybe the nvidia driver and that's about it, and somebody is doing work on an open version of it. File formats used by OSS are usually very well documented (excluding a few things like reading MS office files)

Re:Flawed logic

Slashdot had a story on some Mac developer who claimed there was an anti-piracy check that'd delete the user's documents folder. Just the claim (which the developer says wasn't real and intended to scare people off) resulted in such outrage he's probably unemployable for years now. Actually that was real, but only for a couple of weeks. The developer then released a new version that didn't delete the user folder, but he maintained the claim that it did to scare pirates away. And yes, the whole ordeal was incredibly fucking stupid on his part.

Re:Flawed logic

[nwbvt]

"Ok, if you're so clever, provide an example of code that reads a file without making it easy to tell what it's doing, while avoiding looking suspicious."

First, I never said I was a hacker, so this really isn't my area of expertise. But as to how I would probably go about it if I were...

First, the actual reading of the file would be done by some existing code that processing needed files, so I wouldn't be adding any obvious code that opens files. And it would probably have to log the contents it is processing if an error occurred (so the evil software would then be able to do something with it. Then when I passed in the file it is not supposed to access, I would probably use some sort of generated regular expression that could (on certain inputs) match extra files (including whatever I want it to read). Then since those are not considered valid methods, it would encounter an error and logs the contents it was processing.

But again, this is not my area of expertise. I'm sure someone more experienced in this type of work could do a much better job.

"Don't change subject. The original post was about a developer releasing "evil" code, then turning somebody who finds it to their side. Now you're talking about people submitting patches with somethind hidden in them. Completely different scenarios."

Doesn't matter if it is the submitter of a random patch or the original developer. Either one could be anonymous. Yes, I am aware that is not the case with most large OSS projects, but they are not the ones I am worried about.

"Stupidity exist everywhere of course, can't be eliminated 100%. But while for Linux users perhaps 1% of all software comes from unverified sources, for Windows users it's 99%."

I don't know the statistics here, but I'm guessing most Windows users don't install that much (intentionally, at least) that doesn't come with the computer.

"Not all of it, but there are many distributions, which each look at different parts of the source. To sneak something in you'd need to be really sure that part won't get looked at by anybody, and that's hard. Developers watch mailing lists, talk to people who work on the project and use 'svn diff'."

It doesn't need to go in all distributions, just one or two. And it doesn't need to go in the official stable version for people to install it, many people use bleeding edge versions of distros.

" First you build gcc with icc. This is icc_gcc. Then you build another copy of gcc with gcc. This is gcc_gcc. Now you have two gccs with different code generated by different compilers. So now you take both of those, and build the gcc source with both icc_gcc and gcc_gcc. Both should generate the same code. If they don't, something's fishy. You can easily this with more compilers and multiple versions."

"Easily" is obviously a relative term. Are you really suggesting people do this with all their open source software, all so they can avoid running something like AppArmor?

"Well, I still think it can't be defined that the OSS approach is superior. It's not impossible to sneak something in. But in doing so you must take a very high risk of being found out, and if somebody tracks that back to you, well, chances are you're going to have to look for a new carreer. People with a known record of coding nasty things aren't very liked in the software world."

Yes, there certainly are advantages to OSS, but thats not one. I'm fairly certain your chances of having your vulnerability being caught AND it being traced back to you are much greater when you put it in as an employee of a software company as opposed to an anonymous developer of a OSS project.

The whole question of whether or not its possible to sneak in a vulnerability is moot, as I have personally seen it happen. The application (I won't name it, as they did fix the problem) would allow (under default settings, with a certain add on installed) an attacker to execute

Re:Flawed logic

[DaleGlass]

Doesn't matter if it is the submitter of a random patch or the original developer. Either one could be anonymous. Yes, I am aware that is not the case with most large OSS projects, but they are not the ones I am worried about.

There's a difference of scale.

In the first case you have a developer who wrote the whole thing, got found out, and inexplicably managed to convince somebody to stay silent. This developer has the size on their side, because the chances of that people won't look very well at a 50K line program is much greater than that something will be missed in a 10 line patch.

I don't know the statistics here, but I'm guessing most Windows users don't install that much (intentionally, at least) that doesn't come with the computer.

You've not dealt with enough Windows users, I see. Most of them seem to install any crap they can find anywhere. Programs menu nearly always doesn't fit on the screen without scrolling. You can find things like Bonzi Buddy (installed intentionally!), every IM messenger in existence, tools like WinZIP, WinRAR, file sharing tools, MP3 players (winamp), CD ripping tools, Photoshop/3D Studio/Maya/whatever (mostly pirated of course), keygens for those (made by VERY reputable people), tons of screensavers, etc, etc.

Now most of those are legitimate, but you can bet the average user knows that Winamp is cool and popular, but doesn't think there's any reason not to download it from the first website they come across (which is fairly often not the official one).

But it doesn't end there, you can expect to find every cool plugin ever made for Winamp as well, which includes nice things like Wildtangent (spyware).

Then of course, not like using only "official" stuff is a guarantee of anything. See the Sony $sys$rootkit, delivered on original music CDs, and nearly every computer manufacturer ships the system preloaded with all sorts of crap (it seems Dell even shipped preinstalled spyware).

This one guy I know reformats his system every couple of months, because it must have about every form of spyware in existence. Ads popup at random, IE crashes for no reason, youtube works in firefox but not in IE, takes ages to boot...

It doesn't need to go in all distributions, just one or two. And it doesn't need to go in the official stable version for people to install it, many people use bleeding edge versions of distros.

That's not my point, my point is that while the Debian maintainer might not read all of firefox, the Red Hat one is probably not looking at exactly the same parts source. That a single person doesn't read it all doesn't mean that collectively, over time, people aren't going to get through all of it. And you don't need to read all of it either, suspicious things can turn out from grep or when debugging something.

"Easily" is obviously a relative term. Are you really suggesting people do this with all their open source software, all so they can avoid running something like AppArmor?

No, but this is prefectly possible for a distribution to do. End users shouldn't be compiling anyway. The distribution making sure their toolchain is good is enough.

Yes, there certainly are advantages to OSS, but thats not one. I'm fairly certain your chances of having your vulnerability being caught AND it being traced back to you are much greater when you put it in as an employee of a software company as opposed to an anonymous developer of a OSS project.

Uh huh. I work at a company (working on internal code though). I could put any crap I wanted there, and probably nobody would ever find out, because nobody else at the company is capable of reading the simplest code. There are many companies, some of which are too small to have any sort of review process, and some of which do this stuff intentionally and honestly don't give a damn. You can't even boyco

Re:Flawed logic

[nwbvt]

" There's a difference of scale. In the first case you have a developer who wrote the whole thing, got found out, and inexplicably managed to convince somebody to stay silent. This developer has the size on their side, because the chances of that people won't look very well at a 50K line program is much greater than that something will be missed in a 10 line patch."

Fine, swap my example of a developer giving a patch with one starting their own project if it concerns you so much. My argument will be just as valid. The distinction is a red herring.

"You've not dealt with enough Windows users, I see. Most of them seem to install any crap they can find anywhere. "

No offense, but the Windows users you know are not representative of the community as a whole. Many just use whatever they are given, and don't bother installing anything else unless they absolutely need it. If Windows users were always prone to download any app they could find, why would the EU be concerned about what software MS pre-installs on their OS?

"That's not my point, my point is that while the Debian maintainer might not read all of firefox, the Red Hat one is probably not looking at exactly the same parts source."

And if the vulnerability only makes it in one or two distros? Your argument is contingent on it being widespread. But thats not always the case.

"No, but this is prefectly possible for a distribution to do. End users shouldn't be compiling anyway. The distribution making sure their toolchain is good is enough."

Once again, this assumes the software comes from a distro, which we have already established is not always the case. And even then, I'm sure distro owners don't do this for every package and every patch they include.

"Uh huh. I work at a company (working on internal code though). I could put any crap I wanted there, and probably nobody would ever find out, because nobody else at the company is capable of reading the simplest code."

Ok, your company sucks (either that or you are an arrogant prick who thinks all his coworkers can't do a thing when in reality they are just as capable as yourself). Whats your point? There are plenty of open source projects where the developers miss things as well (as I illustrated in my last post).

"You can't even boycott them because you're not their customer -- they sell their crap to somebody else."

Boycotts are for sissies. If a commercial software program is found with a vulnerability, they will be the subject of a lawsuit. And then they will go back and check the records to see who inserted that code, and you will be caught red handed.

"Besides, there are no real consequences for a company. Sony got off very, very lightly for what they did. Did anybody go to jail? Of course not."

Sony is currently facing class action lawsuits against them for rootkit incident. And they did get a lot of bad press, which certainly hurt their sales. The lack of criminal prosecution (so far) doesn't mean they got off cleanly.

In comparison, a hacker who submitted a patch or started a project anonymously with such a vulnerability could get off without a scratch. And even if he did get caught, its highly unlikely that he would have the assets for you to sue him and recover any damages.

Re:Flawed logic

[DaleGlass]

No offense, but the Windows users you know are not representative of the community as a whole. Many just use whatever they are given, and don't bother installing anything else unless they absolutely need it. If Windows users were always prone to download any app they could find, why would the EU be concerned about what software MS pre-installs on their OS?

That'd be one incredibly boring existence. Windows comes with very little that is useful.

What you say might apply to people who only very ocassionally use a computer for printing something, but those wouldn't be what I call normal users, just like I wouldn't call somebody who gets out their bycicle out once a year a cyclist.

Normal Windows users are generally knowledgeable enough to understand basic things -- such as how to find, download and install something, but not enough to understand concepts like security, phishing, the registry, how the Internet works even on a basic level, etc. How programs are created is an incredible mysterious black art to them, and it never comes to their minds that a program can be easily altered and redistributed. Surely Winamp is Winamp, even if you find on evilhaxx0r.com, or emailed by some random person to them.

These people will typically disregard precautions by telling you to stop being so paranoid, as "who'd want to break into my computer anyway?", assuming that people only ever break into things like banks and the pentagon as seen in the movies. Several people asked me whether I could break into a bank or the pentagon.

Attempts to explain that running programs sent in mail attachments are often fruitless, as they're really sure Bob would never send anything malicious.

Ok, your company sucks (either that or you are an arrogant prick who thinks all his coworkers can't do a thing when in reality they are just as capable as yourself). Whats your point? There are plenty of open source projects where the developers miss things as well (as I illustrated in my last post).

No, the company is simply small and doesn't concentrate on development. I double as the sysadmin. That's all the IT staff (me).

Not every company is some IBM-sized gorilla.

Boycotts are for sissies. If a commercial software program is found with a vulnerability, they will be the subject of a lawsuit. And then they will go back and check the records to see who inserted that code, and you will be caught red handed.

Vulnerabilities? I don't remember MS being ever sued for that, and they've had plenty.

Now how it goes with intentional rootkits, well, see below how that worked out.

Sony is currently facing class action lawsuits against them for rootkit incident. And they did get a lot of bad press, which certainly hurt their sales. The lack of criminal prosecution (so far) doesn't mean they got off cleanly.

Big deal. "Cost of doing business". The RIAA also gets lots of bad press, but they don't seem to be going anywhere. You can bet most people haven't heard of the whole debacle, the majority of them didn't understand it, a good portion didn't care, and most of them forgot about it by now anyway, since Sony is a well known brand and that obviously means they're trustworthy.

In comparison, a hacker who submitted a patch or started a project anonymously with such a vulnerability could get off without a scratch. And even if he did get caught, its highly unlikely that he would have the assets for you to sue him and recover any damages.

Yes, because people got a pile of money from Sony. Let's see, the settlement was: "Customers who exchange their XCP CD can either download three albums from a list of over 200 titles, or claim a cash payment of $7.50 and a free download of one album".

Such an incredible settlement! You can download 3 albums, from an amazing list of over 200 titles (probably 201, heh), and whic

Re:Flawed logic

[darkwhite]

Wifi drivers. SMAPI drivers. Video drivers (ever looked at the Radeon driver code in both the kernel and xorg? And there are lots more). Any driver that has to rely on poor/incomplete/nonexistent documentation. Stuff that has to write any kind of partially reverse-engineered proprietary file format - and there are a lot more proprietary formats with partially known headers out there than MS Office files. Specialized programs that talk to all kinds of embedded stuff (limited audience but still there). There's lots of specialized glue code out there to talk to undocumented, binary, proprietary stuff. I work in one of the most open scientific fields on the planet and I still run into that kind of crap every now and then.

Re:Flawed logic

[nwbvt]

"What you say might apply to people who only very ocassionally use a computer for printing something, but those wouldn't be what I call normal users, just like I wouldn't call somebody who gets out their bycicle out once a year a cyclist."

Ok, but if you want to be all elitist and dictate who is a computer user and who is not, why not go all the way and rule out all Windows users? Those who use their computers for only a few functions make up a large number of computer users, probably the majority. In fact, nowadays even I don't use my home computer for much more than browsing the Internet and reading my email, as I spend so much time on my work computer I don't want to do much more when I get home. Granted back in college I used it for a lot more, but college students make up a minority of all computer users.

"No, the company is simply small and doesn't concentrate on development. I double as the sysadmin. That's all the IT staff (me)."

If your company is selling software (otherwise it would irrelevant to the point) and you are the entire IT staff, then your company probably has problems.

"Vulnerabilities? I don't remember MS being ever sued for that, and they've had plenty."

I should have been more clear. Intentional vulnerabilities will result in lawsuits.

"Yes, because people got a pile of money from Sony. Let's see, the settlement was: "Customers who exchange their XCP CD can either download three albums from a list of over 200 titles, or claim a cash payment of $7.50 and a free download of one album"."

Times a lot of customers.

"In comparison, if this was a normal person and not a multinational, you'd have the guy bankrupt for the rest of his life. While I imagine you wouldn't get a whole lot out of it, I imagine you could get more than $7.5, and the result for the offending party would look a lot more like a punishment."

First, you are assuming you can catch him, which is unlikely if he is an anonymous OSS developer. Second, that isn't how bankruptcy works. It is perfectly possible for someone to recover from bankruptcy. Third, it doesn't matter if the other party is a multinational or an individual, class action lawsuits don't return that much to each person in the suit.

In other words, you wouldn't get a penny if this was an individual. So take your $7.50 and consider yourself lucky.

Re:Flawed logic

[DaleGlass]

Ok, but if you want to be all elitist and dictate who is a computer user and who is not, why not go all the way and rule out all Windows users?

Because in my view, "user" involves using, and a computer as a general purpose device is something that you very reasonably expect anybody can install something on.

All normal people I've seen have lots of third party software. The most computer illiterate person I know has installed a music score editor, and seems to have filled the disk with stuff downloaded from kaazaa, at the very least. Certainly there's a lot more than that there, but I didn't investigate.

Also not a single person can seem to resist a bit of personalization as it's a "personal computer" after all. Hard to call it your own if you don't at least change the desktop background and download a couple cool screensavers.

If your company is selling software (otherwise it would irrelevant to the point) and you are the entire IT staff, then your company probably has problems.

Oh, it isn't. But you seriously overestimate the level of control going on in places. While I'd completely agree such a thing would be bad management, I'm pretty sure it happens quite a lot, too.

Times a lot of customers.

I don't think you understood it very well. Those albums are effectively free to Sony. They're downloads. The only people they lose a bit of cash on is the ones choosing the cash, and the terms seem to be done in such a way that taking the cash is the unfavourable proposition. 3 albums, or $7.5 and one album. Googling around, $7.69 is the price of a cheap one, and it's not hard at all to find one for $14 to $70.

So maximizing what you get out of it would mean going with the 3 albums option, out of the amazing catalogue of "over 200" of them.

Now certainly Sony will lose a bit of cash over this, but combining that not nearly everybody they screwed over will join the lawsuit, and that most of the settlement is effectively free to them (just like MS paying with MS software), they're getting off very, very cheaply.

First, you are assuming you can catch him, which is unlikely if he is an anonymous OSS developer. Second, that isn't how bankruptcy works. It is perfectly possible for someone to recover from bankruptcy. Third, it doesn't matter if the other party is a multinational or an individual, class action lawsuits don't return that much to each person in the suit.

Ok, if he's so anonymous, how did people to get to use his software in the first place? Generally distributions don't include software without an active and reachable developer. If you have a website, domain, email address, etc, you're reasonably easy to trace.

In other words, you wouldn't get a penny if this was an individual. So take your $7.50 and consider yourself lucky.

Not the point anyway. The point is to discourage bad behavior, and you can discourage a single person a lot more effectively than a corporation.

Re:Flawed logic

[nwbvt]

"All normal people I've seen have lots of third party software. The most computer illiterate person I know has installed a music score editor, and seems to have filled the disk with stuff downloaded from kaazaa, at the very least. Certainly there's a lot more than that there, but I didn't investigate."

Once again, your acquaintances are not representative of the population as a whole. For every college student you know who installs a ton of crap on their computer, there are plenty who just use theirs for basic communication, browsing the net, and maybe writing a Word doc.

"Oh, it isn't."

Then it is irrelevant to the discussion at hand. We are talking about people who deliberately insert vulnerabilities into software that is then sold to others, not people who hack into their own corporate networks.

"But you seriously overestimate the level of control going on in places. While I'd completely agree such a thing would be bad management, I'm pretty sure it happens quite a lot, too."

And from what experience are you making this claim?

Virtually every piece of commercial software has to be supported, which means you have to have a support staff looking at the code. These guys will often find any vulnerabilities you left (debugging the software is kind of their job), and even the most rudimentary form of source control will have a way to determine who put in what code.

"Those albums are effectively free to Sony. "

Contrary to popular belief, Sony being forced to give away the product they usually sell for $10-$15 each costs them a lot of money. And of course you are forgetting they have to recall all existing rootkit CDs, which is always expensive. Again, the results of class action lawsuits never look great from the perspective of the individuals participating in the suit, but companies are hurt by them.

"Ok, if he's so anonymous, how did people to get to use his software in the first place? Generally distributions don't include software without an active and reachable developer. If you have a website, domain, email address, etc, you're reasonably easy to trace."

Trust me, its perfectly possible to set that up and be anonymous. Just because you can't doesn't mean someone with some reasonable level of technical skill can't. Yes, many OSS projects ensure they have enough information that they know who you are, but certainly not all. Its not hard to set up a sourceforge account with a free untraceable address from someone like gmail that you then only access from someone's open wireless network.

"Not the point anyway. The point is to discourage bad behavior, and you can discourage a single person a lot more effectively than a corporation."

So you can more easily discourage an individual who can easily remain anonymous and who might not have any assets and thus be willing to risk it all if they did somehow get caught than you can a large corporation who you can file a class action lawsuit against? I think you are in denial.

Re:Flawed logic

[DaleGlass]

Virtually every piece of commercial software has to be supported, which means you have to have a support staff looking at the code. These guys will often find any vulnerabilities you left (debugging the software is kind of their job), and even the most rudimentary form of source control will have a way to determine who put in what code.

Nothing at all is stopping me from becoming an 1 employee company and selling software. That doesn't confer any magical safety benefits for the end users.

There are programs in wide use (especially shareware) made by a team of 1-3 people. File compression tools for instance. Moonpod, a company that sells games online has 2 employees. They manage fine.

Contrary to popular belief, Sony being forced to give away the product they usually sell for $10-$15 each costs them a lot of money. And of course you are forgetting they have to recall all existing rootkit CDs, which is always expensive. Again, the results of class action lawsuits never look great from the perspective of the individuals participating in the suit, but companies are hurt by them.

What, it's the piracy rethoric now? Look, it's data. They lose nothing by giving free stuff that costs about $0 to produce to people who probably wouldn't have bought it anyway (would you participate in the class action lawsuit then go buy another Sony CD?).

Trust me, its perfectly possible to set that up and be anonymous. Just because you can't doesn't mean someone with some reasonable level of technical skill can't. Yes, many OSS projects ensure they have enough information that they know who you are, but certainly not all. Its not hard to set up a sourceforge account with a free untraceable address from someone like gmail that you then only access from someone's open wireless network.

Right, and I can do that with a closed source app as well. Only it'll take more time to figure out what it does, and I can connect to a wireless AP once, upload by trojan to a bunch of download sites, then never appear again.

So you can more easily discourage an individual who can easily remain anonymous and who might not have any assets and thus be willing to risk it all if they did somehow get caught than you can a large corporation who you can file a class action lawsuit against? I think you are in denial.

No, you are the one thinking that incorporation somehow confers magical safety benefits. Seriously, look at the amount of outrage it took to get SOMETHING to happen. And the end results were really disappointing. Now if the judgement was paying $100 per sysadmin/user hour spent removing the crap from their systems, then maybe it would have made some effect.

You can bet that if some 16 year old kid did that to Sony they'd have come up with some damage figure in the hundreds of thousands of dollars at the very least.

And it's not like it changed anything either, see the junk made by Sony shipped with BioShock.

Re:Flawed logic

[nwbvt]

" Nothing at all is stopping me from becoming an 1 employee company and selling software. That doesn't confer any magical safety benefits for the end users. There are programs in wide use (especially shareware) made by a team of 1-3 people. File compression tools for instance. Moonpod, a company that sells games online has 2 employees. They manage fine."

And there are many more such OSS projects. Whats your point?

"Right, and I can do that with a closed source app as well. Only it'll take more time to figure out what it does, and I can connect to a wireless AP once, upload by trojan to a bunch of download sites, then never appear again."

Aside from the fact that whether or not you can hack commercial software is irrelevant to the point we are discussing (whether or not open source software is immune to such attacks), name one commercial company that allows anonymous contributers to their proprietary software.

"No, you are the one thinking that incorporation somehow confers magical safety benefits."

I absolutely did not say anything remotely like that. Please work on your reading comprehension skills.

Look, I really don't know how much more clear I can make this without writing in "See Spot Run" style. Both proprietary and open source software have their advantages and their disadvantages. And all the Stallmans and Ballers of the world who try to argue otherwise are either blinded by ideology to the point where they are incapable of using common sense or complete fucking retards. Open source obviously has the advantage in that it is easier for third parties or users (in the rare cases where they have the knowledge and time) to verify what the program does. But it also has disadvantages in that it is easier for someone dishonest or unskilled to participate in them, and there isn't anyone to hold accountable when a problem occurs (they are generally provided as-is without any guarantees).

So if you are thinking either one is superior in every way, you are an idiot. And if you are thinking either one is so perfect that you don't have to take any precautions at all (like using AppArmor; in case your attention span is so pathetic you forgot what we were arguing about, it was the remark that you only have to take such precautions when you have closed source applications on your system), you are a complete retard.

There, I had to resort to name calling. Did that make it clear for you? Or are you still unable to comprehend that there is more to the world than the party lines preached by the Ballers and Stallmans of the world?

Re:Flawed logic

[DaleGlass]

And there are many more such OSS projects. Whats your point?

That your claim that commercial software somehow provides some sort of guarantee. You imply that when you say "Virtually every piece of commercial software has to be supported, which means you have to have a support staff looking at the code. [...]". Many companies DON'T have any dedicated support staff. When programmers are the support staff they can do whatever they please. If they put a trojan in, there's not going to be anybody over them watching.

Open source obviously has the advantage in that it is easier for third parties or users (in the rare cases where they have the knowledge and time) to verify what the program does.

Right, so we agree here.

But it also has disadvantages in that it is easier for someone dishonest or unskilled to participate in them, and there isn't anyone to hold accountable when a problem occurs

Disagree, it's neutral. Anybody can write software. Neither closed nor open source is inherently harder to write or publish. Possibility of collaboration isn't very relevant, I can work with somebody on a closed but free of charge program, or publish OSS and not accept anybody's patches.

(they are generally provided as-is without any guarantees).

Just like every piece of software in existence. Maybe with the rare exception of custom contracted coding, but that's not what we're talking about here.

There, I had to resort to name calling. Did that make it clear for you?

Yes, that you lost the argument, since you can't find anything better to say. Thanks for playing :-)

Re:Flawed logic

[nwbvt]

"That your claim that commercial software somehow provides some sort of guarantee."

I made no such claim, and no matter how long you spend looking back through this thread, you will find nothing proving I did. You merely think I did because you are incapable of seeing the world in anything but black and white, Ballmer vs Stallman, so you think anyone who doubts the magical powers of OSS must be in cahoots with MS. Unfortunately that just makes you look like a fool when it turns out the world is not like it.

"You imply that when you say "Virtually every piece of commercial software has to be supported, which means you have to have a support staff looking at the code. [...]""

It implies nothing of the sort, but good use of your imagination (or poor reading comprehension skills).

"When programmers are the support staff they can do whatever they please. If they put a trojan in, there's not going to be anybody over them watching."

Except the support contract doesn't end when the programmer leaves his job. In order for that scheme to work, the programmer would be risking his freedom and economic security on never losing his job and never moving to a different position. The fact of the matter is, even in a closed source project, you have no way of ensuring no one else will look at your code. But once again, this is entirely irrelevant (other than it indicates your problems understanding common sense).

"Just like every piece of software in existence. Maybe with the rare exception of custom contracted coding, but that's not what we're talking about here."

Wow, then why did I waste all that time helping support debug our product (which wasn't "custom contracted coding", btw)? Sorry, you are wrong again.

"Disagree, it's neutral. Anybody can write software. Neither closed nor open source is inherently harder to write or publish. Possibility of collaboration isn't very relevant, I can work with somebody on a closed but free of charge program, or publish OSS and not accept anybody's patches."

<sarcasm>Whatever you say Mr. Stallman</sarcasm>. So the question is, do you think this because you are blinded by ideology, or the other reason?

Re:Flawed logic

[DaleGlass]

Except the support contract doesn't end when the programmer leaves his job

Dude, what support contract? I'm talking about off the shelf software here. Like Windows, say. It doesn't come with any sort of support contract unless you buy it, and the EULA explicitly disclaims all warranty. This goes for 99% of the stuff on the market.

There are exceptions of course (like custom applications contracted by the customer), but 99.9% of normal people doesn't use anything of the sort.

Whatever you say Mr. Stallman. So the question is, do you think this because you are blinded by ideology, or the other reason?

What Stallman? Who mentioned anything about him? Can't you avoid having to resort to bringing up people who have nothing to do with the subject?

It's simple logic. All other things being equal (and they perfectly can be, because I'm not talking about any specific license here), the availability of source makes it much harder to sneak something nasty in. QED.

But you're not making any sense anymore anyway, because you're foaming in the mouth imagining me to be some adept of Stallman's.

Re:Flawed logic

[nwbvt]

"Dude, what support contract? "

Most commercially bought software has a support contract.

"What Stallman? Who mentioned anything about him? Can't you avoid having to resort to bringing up people who have nothing to do with the subject?"

Sure, but its fun making fun of the fact you are clearly a Stallman fanboy with no ability to think for yourself. Though its getting old now, and your 'arguments' seem to be more in the mold of denial.

"It's simple logic. All other things being equal (and they perfectly can be, because I'm not talking about any specific license here), the availability of source makes it much harder to sneak something nasty in. QED."

The very fact that you think quoting some "Open source is better, yeah!" rhetoric is a logically valid argument means its no more use arguing with you...

Re:Flawed logic

[DaleGlass]

Sure, but its fun making fun of the fact you are clearly a Stallman fanboy with no ability to think for yourself. Though its getting old now, and your 'arguments' seem to be more in the mold of denial.

Did Stallman steal your lunch money at school or something? Look, you're the one bringing up Stallman here.

The very fact that you think quoting some "Open source is better, yeah!" rhetoric is a logically valid argument means its no more use arguing with you...

If I was a Stallman fanboy, I'd be talking about *Free Software*, but I'm not. Also, I'm not quoting anything.

You seem to know (or at least think to know) Stallman's opinions on things better than I, as I have no clue what rethoric you think I'm quoting here.

The list

[DaleGlass]

Here's the list, reordered somewhat to group related things together.

/dev/snd/controlC0 rw, /dev/snd/pcmC0D0c rw, /dev/snd/pcmC0D0p rw, /dev/snd/pcmC0D1c rw, /dev/snd/timer r, /usr/share/alsa/** r,

ALSA sound devices. Perfectly normal given that skype uses sounds

/home/*/.Skype rw, /home/*/.Skype/** rw, /usr/bin/skype mr, /usr/share/skype/** r,

Skype's own files, ok

/home/*/.config/Trolltech.conf r, /home/*/.fontconfig/* r, /home/*/.fonts/* r, /usr/share/fonts/** r, /usr/share/icons/** r, /usr/share/locale-langpack/**r, /usr/share/X11/XKeysymDB r, /var/cache/fontconfig/* r, /var/lib/defoma/fontconfig.d/fonts.conf r, /etc/fonts/** r,

Seems harmless. Font stuff, icons, locales.

/home/*/.Xauthority r, /home/*/.ICEauthority r,

Needed to talk to the X server. X authorization info. Seems ok.

/home/*/.kde/share/config/kioslaverc r,

KDE integration? Probably not sensitive

/home/*/.mozilla r, /home/*/.mozilla/plugins r, /home/*/.mozilla/firefox r,

No clue what it's looking for there.

/tmp/** rw,

Temp directory, harmless

/etc/resolv.conf r, /etc/hosts r, /etc/nsswitch.conf r, /etc/gai.conf r,

DNS stuff, it needs to connect to servers after all

/etc/passwd r, /etc/group r,

Maybe harmless. No passwords here, only lists of usernames and home directories. And RL names, if specified. As other people suggested, may be just being used to find something like the home directory. Might be used to gather stats on number of users on the system, names, etc. Probably not a huge deal unless RL names are specified, but still interesting.

/proc/1/cmdline r,

Command line for init. On my system contains only the runlevel. Not sure what's interesting to look at here, but it is quite unusual.

/proc/interrupts r,

Interrupt statistics. This would allow determining the number of CPUs, hardware present (from listed module names), activity levels of various devices. Potential for gathering hardware statistics. Not sure what would a legitimate use for this be.

Re:The list

/home/*/.mozilla r, /home/*/.mozilla/plugins r, /home/*/.mozilla/firefox r,
No clue what it's looking for there.

My guess is: they are looking for http/https proxy definitions there.
Since there is no standard place on Linux to store this, they look into Firefox configuration files.

Your guess is just as good as mine, of course.

Re:The list

[DoubleMike]

/home/*/.mozilla r, /home/*/.mozilla/plugins r, /home/*/.mozilla/firefox r,
It's looking for the Skype Firefox plugin.

And you are a troll

[someone1234]

It is hard to compromise Linux security, but only if the user knows what he does.
You cannot deny the user to give away his own password in any system.

Skype may be NSA spyware

[mbkennel]

I have a modest suspicion that skype is more than it seems. I don't believe in 98% of conspiracy theories (like 9/11 'it was a inside job bomb' crap), but this one is not entirely crazy.

I do know that the Intelligence Community people in the US and elsewhere were very concerned about declining abilities to track and trace communications used by their targets, as compared to conventional telecom, where they have quasi-official backdoors installed directly with the telecom companies.

Notice the extraordinary anti-decompiling and self-modifying nature of the skype code---even manages to thwart many popular *hardware debuggers* and virtual machine strategies. The protocol itself is extremely obscure and apparently encrypted. I don't have a link but I think this can be easily verified, as I saw a presentation online which detailed some attempts to understand skype. This was not just good 'ordinary' hackers, but appeared to be the work of very serious and very professional full time computer security people, i.e. state-supported grey hats.

The level of self-security and the investment necessary to pursue this seems totally disproportionate to any commercial needs. This reflects a very serious investment of talent and money.

So why is it there?

But the really unusual fact to ponder is this: Why did eBay buy skype, and at such a high price?
It makes no sense commercially for skype or eBay. I believe the reason is simple: to bring skype development and download servers and most importantly connection servers under U.S. jurisdiction. Once it is so, the government can now (thanks to our now imperial enabling acts) simply order eBay/skype to put in spyware and order them to never talk about it. Most probably the government approached US companies with this proposal and shopped around until it found one who would say yes.

A financial analyst might see something funky in eBay financials if they were clever, there no doubt has to be some payment or other compensation to eBay.

Now the reason for the hypersecurity is clear---to mask whatever data are going *OUT* from skype and whatever it is installing. For some reason I have the suspicion that uninstalling won't completely uninstall quite everything.

There is probably some kind of Manchurian Daemon ability too---if They find somebody they really want to track. Why? Because it makes sense that they'd want to do so.

Re:Skype may be NSA spyware

[datapharmer]

Wouldn't it be easier to just go straight to hardware manufacturers? This sounds like an ton of work for a software wiretap that *might* get installed compared to say asking Intel to install some microcode on their processor or Bios makers to add a little something something to the boot code. With most computers having integrated ethernet controllers with OnWake commands and soft off power it would be trivial to do something at the machine code level and it would end up on EVERY machine with few ways to detect it.

Re:Skype may be NSA spyware

Oh come on. Really?

"Why did eBay buy skype, and at such a high price?"

Why did they buy them? Well, it doesn't take a genius. Because they might want to integrate Skype calling into eBay stores. Because it's a good investment. Because they plan to develop ecommerce facilities over Skype. Any number of reasons.

Why at such a high price? How about, because that's what the market valued them at, or because that's how much they thought someone else would pay, and they could afford it? Or if you don't buy either of those, how about 'because it is overvalued and they got poor advice'. Weren't you around in the 1990s?

Prime example of something else seemingly ridiculously overvalued: MySpace.

And as for: 'there no doubt has to be some payment or other compensation to eBay', of course there is. It's called: their stock gaining more interest in the market. Besides that, have you never heard of loss leaders?

You should stick to conspiracy theories about 9/11 and Iraq. In an issue of such serious consequence, there is almost a guarantee that there will be some conspiracy, somewhere, to use it for political gain. "Wes, you gotta say it was Iraq".

But this? Just because the market doesn't always make sense, doesn't mean it is being directed by outside hands whose motives can be divined, but whose actions cannot be detected.

Re:Skype may be NSA spyware

[bcmm]

There would be few ways to detect NETWORK TRAFFIC which doesn't seem to belong to any process? WTF? If you're gonna get routers to forward this you're gonna need to use normal networking protocols... That means making sure no one is using that port already and so on. Skype would be useful because it has an incomprehensible distributed network protocol in which a few extra kilobytes of data transfer would easily go totally unnoticed.

Re:Skype may be NSA spyware

[datapharmer]

why make it difficult? Use insertion to append it to a transfer that is already going on such as checking pop email or an http request on port 80. have it get intercepted by a relay somewhere between you and the transfer's destination. the router at the relay sees the extra info, saves it and strips it out passing off the rest of the data like nothing ever happened. If it didn't make it though a route that did this it would look like corrupted data and would resent - with another opportunity to be picked up. There is plenty of *normal* encrypted traffic, and most people don't keep a close eye on their traffic anyhow. How is this any harder than skype?

Re:Skype may be NSA spyware

[shotgunefx]

Well, they did try that in the 90s with the Clipper chip didn't they?

http://en.wikipedia.org/wiki/Clipper_chip

Re:Skype may be NSA spyware

[datapharmer]

Good memory - yes they did. I also remember some controversy over a public GUID in the Pentium III that couldn't be turned off when it was first released (even after the bios update flash it was still found there was a way to circumvent the bios and turn it back on).

Re:Skype may be NSA spyware

[bcmm]

ISPs would notice that sort of amount of corruption. And a lot of routers would need to be in on the secret. All in all, too many people need to be involved (loads of routers have source code available). With Skype, you can send ANY data you like to ANY IP address you like (that's how obfuscated P2P protocols work, folks) without even causing suspicion.

Re:Skype may be NSA spyware

Don't believe the facts surrounding 9/11? Then you're blissfully unaware, which makes you stupid. Seriously, look this information up, if you are not convinced, come back here and tell the world that you've proven that these "theories" are unfounded, baseless and without a shred of truth.

Otherwise, you don't know what the hell your talking about and sound like an idiot.

Re:Skype may be NSA spyware

[dusty123]

Sorry, but to me these conspiracy theories are nonsense. Those file accesses prove the contrary to me: If I'd like to spy out a user, I'd for sure have a look at the browser bookmarks, the browser history, the cookies, the encrypted password file, maybe a search for installed software and more. Skype reads none of these files.

By the way, there are a lot of spyware tools out there, that exactly do this and we don't bother so much. For instance, Microsoft Office searches the harddisk for installed data and more; Various antivirus tools access nearly every file on the harddisk and also send arbitrary data, moreover there are a number of tools that are known to be spyware.

And don't forget: One of the reasons for Skype's success is exactly its encrypted and obscure protocol: It installs very easily, regardless if there's a firewall, a Telco that tries to block VoIP or a nasty system administrator. Skype is unproblematic, works well and does not need tech-knowhow.

SIP on the other hand is soooo complicated. And still, there's not a single SIP-based P2P VoIP application that is on-par with Skype from a usability viewpoint, especially on Linux.

Ebay knew that and recognized that Skype is developing to a quasi-standard in the VoIP sector, just like Adobe's PDF. And that's the reason why they bought it.

Nyet. Estonian.

[mrmcwn]

Incorrect. Estonian hackers are stealing your passwords.

Skype...

[JCWDenton]

--Skype. The whole world can talk for free.-- Skype. The whole world can be spied on for $2 Billion

Re:Why.. small reality check!

[pjr.cc]

There are in reality many very reasonable reasons why a program might read your passwd file. There are in fact innumerable standard unix function calls that do just that (this has already been pointed out). Now, if I could be bothered looking at the strace its very easy to tell if its doing this via a libc/glibc function call or whether its implementing such a call internally. Even if its internal it could be because they've statically linked in a library that does getpw* calls - who knows.

However, the point I WANTED to make was that just because /etc/passwd is world-readable doesn't mean you should share with the world! Just having usernames provides a hacker with tonnes of information about your systems for an attack point. "Oh look the user blah appears, that means he installed package x - i bet its the one with the security flaws". Or any number of other things that can be gleaned from /etc/passwd. I hope all your users set passwords that are non-predictable for example.

Skype reads your Skype passwords!

News at 11

This is a realtime app

[l2718]

Skype is a realtime app (in both a2d and d2a directions). Interrupt statistics, CPU loads etc are vital for the app to decide what quality of encoding/decoding it can afford to do.

Regarding /etc/{passwd,group} others have pointed out this is probably for the GECOS info of the current user. Should be easy to check using a debugger - just need to recompile the C library.

To me, the oddest part is the wholesale reading of mozilla and firefox profiles.

Re:This is a realtime app

[DaleGlass]

Skype is a realtime app (in both a2d and d2a directions). Interrupt statistics, CPU loads etc are vital for the app to decide what quality of encoding/decoding it can afford to do.

Why isn't it looking in /proc/cpuinfo then? /proc/interrupts doesn't contain any indication of how many interrupts can be serviced, nor the time it takes to service one, or the load caused by the interrupt, so it seems quite pointless performance-wise.

Best harmless use that comes to mind: Skype knows that device X and device Y create problems when sharing IRQ, and contains some sort of message to the user in that case.

Re:This is a realtime app

[tero]

It's probably reading mozilla/ff profiles to see if the Skype Firefox plugin is installed. Not very dangerous.

I really hope this turns out to be wrong

[Britz]

Otherwise Skype ist dead for me. The outage was bad enough. There are many alternatives. Ekiga rulz for example.

Please

[joto]

Please, before you submit (or accept) an article about security to (or on) slashdot, make sure you understand rudimentary unix programming. There is no way any non-trivial unix program is going to NOT read /etc/passwd. /etc/passwd needs to be read for almost any trivial thing to be accomplished, such as finding out your home-directory so that .skype can be read, or for displaying ownership of files in a file-dialog.

Now, as to why skype needs to read firefox configuration files, I have no idea. I haven't used skype, so I don't know what it does. But most likely this is done, because some users asked for a certain "integration" feature, whether it's bookmarks or plugins, or whatever...

Re:Please

[SanityInAnarchy]

/etc/passwd needs to be read for almost any trivial thing to be accomplished, such as finding out your home-directory so that .skype can be read, or for displaying ownership of files in a file-dialog.

Actually, both of those examples can be much more easily discovered with common environment variables. USER shows my username, LOGNAME seems to be another variant of that, HOME is my home directory, and so on.

Now, I admit that they might have just decided to use standard library functions to find that out, and those standard library functions read passwd, so it could be innocent. But your assertion is blatantly false.

Now, as to why skype needs to read firefox configuration files, I have no idea.

Your suggestion about "integration" doesn't make a lot of sense, because I don't believe it does connect to Firefox in any way. If we checked in more detail, we could probably figure out if they're trying to read your web passwords and such.

But considering that Skype on Windows reads your BIOS, and that Skype is made by the same people who put spyware in Kazaa, I don't think it's unreasonable to assume the worst.

Re:Please

So, which POSIX specified environment variable gives the same information as the GECOS field in /etc/passwd? 10 points if you managed a flash of brilliance and correctly answered "None of them". Besides which, why the blue fuck would a developer piss about reading environment variables when a fully-specified API exists for finding that information? "Hey you know, I could use the fully documented and correct method of getting the users full name, or I could hack something up instead. Hmmm..." Yes, clearly reading calling getpwent() is just wrong and evil. Damn those closed source developing bastards!

On the bright side, this entire Slashdot thread has been a laugh riot. It's confirmed: 99% OF SLASHDOT WOULDN'T KNOW A COMPILER IF IT BIT THEM IN THE ASS. You're all about as bright as a 10W incandescent bulb.

Re:Please

Besides which, why the blue fuck would a developer piss about reading environment variables when a fully-specified API exists for finding that information?

From http://www.gnu.org/software/libc/manual/html_node/ Standard-Environment.html#Standard-Environment

For most purposes, it is better to use HOME, precisely because this lets the user specify the value. ... For most purposes, it is better to use LOGNAME, precisely because this lets the user specify the value.

Re:Please

Finaly. Thank you!

Not a big deal - /etc/passwd is local public info

[bl8n8r]

The firefox profile is a little weird, but programs read /etc/passwd all the time to get the running user ID and groups. If you are not using shadow passwords, you should be, and all normal Unix distros are. Want to know a secret? If you use LDAP, it will query LDAP to find out your UID and GID also. It's normal. /etc/shadow is a different story. Root is the only one that can read that file, and if you are running skype as root, you're foolish.

I'd suggest that anyone with concern about skype on linux simply add a user to the system called "xskype" or similar. Run skype as that user, and it will be contained to only what that user has access to. Problem solved.

It's "ensuring contract compliance"

[DingerX]

Skype has some pay features that come with interesting provisions. For example, you can buy a SkypeIn phone number cheaply for personal use. If you're a business, you pay a different rate for a number that you can use, say, from multiple sites (for example, for follow-the-sun customer service). Temp directory and hardware information are two things that are very rarely the same...

Non-issue really...

[bealzabobs_youruncle]

as /etc/passwd can be read by a regular issue, probably just poking for *IDs and ~home. Is there likely a more elegant/less intrusive way for Skype to find what it's looking for? Probably so, but we'll never know as long that they only make binary blobs available. It's a tough call to break down and used closed source, but sometimes functionality trumps the politics. I don't like using the blobs nVidia provides, but I want my eye candy. I don't care for Adobe Flash, but so much content is based on it I chose to make my life easier. I'm not a Skype user so I can't judge, but doesn't Ekiga do ths job pretty well? Does the Skype client only accept calls from other Skype clients?

Firefox

[bcmm]

There is an official Skype Firefox extension. IIRC it recognises phone numbers in web pages and makes them into links so that you can call them more easily. Skype is probably looking for it's extension.

Re:Firefox

Indeed, slashdot unwittingly covered this extension one day, showcasing its ever-brilliant fact-checking.

Not an issue

[gweihir]

Any application may read /etc/passwd and other files there. In fact Skype may just read it to find its own UID/GID and doing it in this way is prefectly acceptable. There are two things that every halfway secure Unix system does to secure /etc/passwd 1) shadow-passwords, i.e. that actual encrypted passwards are in /etc/shadwo, which is not readable except for root and 2) salting, which makes dictionary attacks against encrypted passwords much, much harder.

Symmary: Nothing to see here, except some people that do not undertsand Unix security.

Re:your a queer

[JackieBrown]

Nice try,

Debian uses shadow passwords. It's one of the questions in the installer.

Skype is due to be replaced

[RealBorg]

I stopped using Skype just a short time ago, mainly because of eBay's attitude toward AMD64 support:
http://forum.skype.com/index.php?showtopic=93068

Since then I have found that there are already standards based open source replacements for Skype, mainly SIP and Ekiga. In contrast to Skype they got video conferencing and you can get a public telephone number for free.

Also I started to think about what would be needed for the german "Bundestrojaner" and compare it to Skype:
- it is installed on a majority of systems
- it is protected against decompilation / debuggers
- it bypasses almost any firewall
- it uses encryption for network traffic
- it may send lots of data even when not making a call
- it might have already been deployed by the NSA
- eBay has a history of cooperating with federal agencies

Tom

Re:Skype is due to be replaced

[Tatsh]

From the forum: Even the supposedly static Skype 1.4 requires the libsigc++-2.0-0c2a for which there is no 32-bit package in Ubuntu Feisty for AMD64. As recommended here I have tried to install the i386 package but only ended up with a broken aptitude (which requires the 64Bit libsigc-2.0.so.0). I have now spent a whole lot more time on getting Skype to run than I would have liked to so I am now abondoning my efforts.

Debian refused to make a non-pure 64-bit port of their distro. Therefore Ubuntu has as well. But I run Skype on Gentoo AMD64 without an issue. I hate Ubuntu users now. They are ruining it for all of us, whining all day "I can't get this to work and this is supposed to be easy and I'm so stupid but I hate Windows because I just figured out everyone else does and how Microsoft is so evil so let me jump on this bandwagon." Go back to Windows or Mac OS X, idiots. Actually just go back to Windows. Let us not have idiots using OS X either.

Re:your a queer

[jlarocco]

not every distro of linux uses shadow passwords (think debian or netbsd)

First: NetBSD isn't a Linux distro.

Second: Debian uses shadow passwords.

Third: There's nothing wrong with reading /etc/passwd. POSIX even has an API for accessing it in user code. See the man pages for getpwuid, getpwnam, getpwent, setpwent and endpwent. For example, everytime you do "ls -l", it uses information from /etc/passwd.

In any case, there's really no excuse for not using shadow passwords.

Skype Shows How Not to Trust

[Doc+Ruby]

This probably shows how important it is to use AppArmor in any closed-source application in Linux to restrict any undue access to your files.

It shows how important it is to secure your system, whether Linux, Windows, or any other, against trusting any app too much with resources not created by, or explicitly granted to, the trusted app.

It also shows that it's too hard to trust closed source apps on any platform, even when closed source is the default status.

It also shows that AppArmor can protect you from untrustworthy apps, unless it won't run on your platform (like Windows).

It also shows why Linux is more trustworthy than is Windows, especially when Linux is used with open source apps, which are the default, which can be inspected by lots of people for trustworthiness.

That kind of untrustworthiness also shows that Skype cannot be trusted not to spy on all your phone conversations and address books. I know I don't trust it. This latest "secret prying" behavior erodes any trust that's misplaced in giving it access to your personal data, including media (that includes your conversations).

Re:Skype Shows How Not to Trust

[Ash-Fox]

It shows that you and the article writer don't know much about Linux.

Passwords on modern Linux systems are stored in /etc/shadow, not /etc/passwd. You can't even read /etc/shadow from default user accounts.

Re:Skype Shows How Not to Trust

[Doc+Ruby]

It shows how little you know about security. There's more in /etc/passwd than hidden passwords. There's a list of system users, which can indicate specific SW installed on that system. Some of which has specific vulnerabilities. So an attacking app like Skype (or something that exploits Skype) can detect SW to attack without other tests that can trigger an alarm.

Before you go shooting off your mouth with insults about security, make sure you know what you're talking about. Don't piss off people with superior security-fu to whom you've given your website's URL.

Re:Skype Shows How Not to Trust

[Ash-Fox]

It shows how little you know about security. There's more in /etc/passwd than hidden passwords.

There are no passwords in /etc/passwd in modern Linux distributions, it's in /etc/shadow.

There's a list of system users, which can indicate specific SW installed on that system.

Of course determining what is a system user can become difficult since different distributions have different values. Some stop at UIDs at 0, 10, 100 and 1000 etc.

Some of which has specific vulnerabilities.

Which is why one should keep their system upto date against known exploits.

So an attacking app like Skype (or something that exploits Skype) can detect SW to attack without other tests that can trigger an alarm.

In theory, yes. However as we've seen with Windows, most malware tends to perform the attack without checking since it's more efficient. Discovering services instead of immediately attempting a attack of sorts is more likely to be useful to a 'cracker' getting said information, since (s)he can work on setting up methods to exploit.

Before you go shooting off your mouth with insults about security, make sure you know what you're talking about.

You haven't given told me anything I didn't know already, and you again implied that encrypted passwords lived in /etc/passwd when they do not.

Don't piss off people with superior security-fu to whom you've given your website's URL.

Sounds like you're making a threat.

Re:Skype Shows How Not to Trust

[Doc+Ruby]

I said /etc/passwd passwords are hidden - by being omitted. You repeated what I said as if you're disagreeing.

The rest of your post is just as worthless. You're not worth teaching how to read, much less how computer security actually works.

Goodbye, crunchy.

Re:Skype Shows How Not to Trust

[MikeBabcock]

There's no valuable password data in /etc/passwd at all and in fact many programs read /etc/passwd to get username -> uid mapping information as well as the location of your home directory. It is because /etc/passwd is frequently read by programs that the password data is stored (on any modern *nix) in /etc/shadow instead. strace all the major software on Linux and you'll find any number of them read /etc/passwd for various reasons. This is NOT a security issue, in any way, move along.

Re:Skype Shows How Not to Trust

[Doc+Ruby]

The data of value in /etc/passwd is not the passwords, which are hidden, as I said (omitted and replaced with an x). Attacking programs can get useful info other than the password, as I detailed in the post to which you replied.

I don't know why you bothered to post something that merely asserts a nonvulnerability that I'd already "prebutted", but to which you did not reply meaningfully.

Re:your a queer

This has already been mentioned, but in the Unix world it is standard to read the passwd file for some things, and in all modern Unix like OS's (yes, this includes NetBSD and Debian), it does not contain password information. (BSDs don't have an /etc/shadow file like a Linux distro, but they have for example /etc/master.passwd)

Try it yourself: $ cat /etc/passwd

You'll find information about user names, UIDs, GIDs, home directories, shells, "real name", etc. But no passwords.

If it wasn't this way, there'd be no reliable way to get your username as a string, for example, since the system call API only provides getuid(), which returns an integer.

Basically: The original Unix used to put encrypted passwords in /etc/passwd, but also made it so that important information that user apps need goes there. This was a design mistake, and it has been corrected in all modern systems.

Interbase

Google about the infamous InterBase backdoor.
It was a good database engine produced by Borland, but it contained a backdoor that allowed anybody to gain access to all data. They forgot about that detail and after eight years published its source code on the Net. It took a bunch of months for a single developer to find the backdoor (and it was a database engine, not a small desktop app!) and make it public.

This is why, at least on my planet, only fools use closed source software to manage sensitive information.

Re:your a queer

[Lennie]

> not every distro of linux uses shadow passwords (think debian or netbsd)

leen@debian64:~$ cat /etc/debian_version
4.0
leen@debian64:~$ ls -lA /etc/shadow
-rw-r----- 1 root shadow 1171 2007-08-17 01:41 /etc/shadow

Re:But...More Secure? At least smarter!

[cloricus]

Because this could never happen to a company like say Microsoft or Google who even have offices in countries where the enemy live and tens of thousands of employees!

You are an idiot; the argument has always been that because more people can see the source code there is a higher chance that bugs and exploits will be caught (which I think we can all agree happens effectively in the Open Source community) - not that open source stops all of these attack vectors.

Go back to spreading your FUD to the twelve year olds on those other technology websites and leave this one for the grown ups.

Re:You idiots:

Install them, yes.

Run them, no.

Retard troll, at least get the terminology right.

Re:I've discovered even worse Linux privacy proble

If only there were an open-source version of Linux. What am I saying, that's Communism!

This isn't unusual behavior

You'll find that nearly all programs will access /etc/passwd in some way. I'm willing to be that nowhere in the code that skype wrote do they actually specifically call out /etc/passwd as a file, but just a system call to check permissions or even a file lookup will have the system check /etc/passwd. This isn't all that unusual. As for the Firefox stuff, I couldn't say but it would be a bad idea to put some smarts in to look for proxy info and such that might help it auto setup. To be fair nothing you mentioned is all that out of the ordinary.

Re:But...More Secure?

[NickFortune]

In fact, with all that open source, isn't it easier to see what is going on so I can write a better exploit?

That, sir, is a very good point. In fact it's such a good point, it makes me wonder why no one has ever suggested such a thing before, here on Slashdot.

Fortunately, there is a simple fix, readily suggested by the exemplary record set by The Microsoft Corporation. All we need to do is change the file "/etc/passwd" to be "/etc/.passwd". That way, the file will no longer show up on directory listings. And, since no one on earth is clever enough to think of running "ls -a", that means that no one will know where the password file is, so no one will be able to break in. Security Through Obscurity FTW!

Furthermore, if we apply this policy rigorously throughout the whole of the Linux operating system, I'm sure we can make Linux' security record every bit a good as Windows in no time at all.

SIP sucks

[SanityInAnarchy]

SIP, if I remember, requires so many open ports you may as well not try unless you're sitting on a real Internet IP address, with no firewall, at both ends.

I believe there's something else you can use instead, some Asterisk-specific but somewhat widely-supported protocol, a bit simpler, only requires one port. There's also Jabber/Gtalk -- I know Kopete supports that now, among other clients. I don't know exactly how the voice works, but it is nice to be able to have one or more central servers to connect to, so at least your endpoints can be behind whatever firewall/NAT people have set up.

But Skype is actually the technically best solution I've seen, and I wish there was an open source alternative, or an open spec. It actually uses some UDP tricks to allow you to open a connection directly between the two endpoints, requiring no bandwidth from Skype, even if both endpoints are firewalled and NAT'ed. It does require at least one publicly-accessible server, but only for the initialization.

Of course, for conferences, I'd have to recommend mumble, which looks to be intending to replace TeamSpeak and Ventrillo for voice chat in games.

Re:SIP sucks

>SIP, if I remember, requires so many open ports you may as well not try unless you're sitting on a real Internet IP address, with no
>firewall, at both ends.

Nat just sucks but there is some workaround with connection tracking, i.e. http://www.iptel.org/sipalg/ .

Um... duh?

[cylence]

Programs don't read /etc/passwd to get passwords (nobody stores 'em in there any more), they read /etc/passwd to map between user ids and user names. Chalk this up to the most overhyped nothing I've seen posted to /. for a while...

Re:Um... duh?

[cyberteeth]

I'm with you. Why is slashdot of all places, attempting to post such sensationalistic garbage off as news?

AppArmor - Ubuntu?

[postmortem]

AppArmor isn't ubuntu's design to link to Ubuntu package. It is Novell's software, and like should have given them credit.

Instead, we have again Ubuntu users claiming everything and not doing anything but copying (yes I know GNU)

Re:your a queer

[Znork]

"Third: There's nothing wrong with reading /etc/passwd."

Actually, there is, but for the entirely opposite reason. If you read passwd you'll miss any network based users, such as users authorized over LDAP, kerberos, or others.

getpwent and company, on the other hand, will get you those. As would getent or similar command line utility.

Re:your a queer

[cab15625]

Third: There's nothing wrong with reading /etc/passwd. POSIX even has an API for accessing it in user code. See the man pages for getpwuid, getpwnam, getpwent, setpwent and endpwent. For example, everytime you do "ls -l", it uses information from /etc/passwd. There are legitimate reasons for a command like ls to want to connect a bunch of UID's and usernames. Making the same argument for a program like skype that should only ever have to read one (or possibly two) config files is a bit more of a stretch. When you consider the fact that ls generally doesn't broadcast stuff allover an internal p2p network at unknown machines, the difference is even more important (especially if you're slightly paranoid about security).

Re:your a queer

[Feyr]

uhh, woody had shadow passwords and probably even before that

Re:your a queer

[geniusj]

He mentioned the libc calls already. Those calls will use whatever method is appropriate for obtaining user information. On a default installation, this will be reading /etc/passwd.

Response to another idiot

No, you DO NOT INSTALL ANYTHING APART FROM SYS AS A ROOT! You only give them privileges, open ports, etc.

Linux users are nowadays just as stupid as mainstream.

Re:You idiots:

[geniusj]

/etc/passwd can be read by any user

Two small things.

[Ed+Black]

1. A *LOT* of software looks in /etc/passwd because you can get uid, gid, homedir etc. from there (try grep $USER /etc/passwd - go on) 2. Passwords are very rarely stored in /etc/passwd these days. 3. I've written scripts that touch firefox profiles for stuff as innocuous as protocol handlers..yeah, erm. 4. Why is AppArmor a link to an ubuntu wiki? Are Ubuntu about to invent AppArmor like they invented networkmanager et al?

It's the 1990 Prodigy scare all over again

[14erCleaner]

This is like a blast of deja vu...in the early 1990's the ISP Prodigy was accused of stealing information from their users, based on bits of personal information that some users found in their cache files (due to the client using uninitialized disk space, reclaimed from previously deleted files by the OS). Much paranoia and very little enlightenment followed in online discussions. See e.g. http://en.wikipedia.org/wiki/Prodigy_(ISP)#Spyware -like_behavior

Re:your a queer

[utopianfiat]

Furthermore skype will try to install the firefox extension if you want it to, so reading your firefox profile isn't "unnecessary" as the article title claims...

Re:But...More Secure? At least smarter!

[WED+Fan]

Go back to spreading your FUD to the twelve year olds on those other technology websites and leave this one for the grown ups.

Now, that should be modded funny. Bravo, sir. I was about to feel your indignation until you let us in on the joke with refering to /. as a site for grown ups. You should be commended.

Notice, there has been response of substance, just the attacks and misdirection.

Please respond to Linux security issues without misdirecting to MS, or attacking the poster.

Your response in...3...2...1...

One Too Many Hits

[Nom+du+Keyboard]

This is just one too many hits against Skype. I'd rather use Vonage.

Free Alternative

It would be nice if enough people contributed and used http://www.openwengo.org/ so that it becomes a better alternative.
A nice exemple of some big companies believig in free software and trying to do it right.

Ei, not Nyet.

[orcrist]

Estonian hackers would say "ei" (pronounced 'ay-ee' for you English speakers) not "nyet" ;-)

Promotion Ad for apparmor

[microbee]

Reading /etc/passwd is necessary for a lot of things, like convert between uid and username, for example. It's not like there is only password in the file. Any person with a bit clue about Unix would know that.

If the poster is not stupid, I'd think the only reason he posted this is because he wanted to promote apparmor. And it's still stupid.

Re:Promotion Ad for apparmor

[Ash-Fox]

And besides, /etc/passwd doesn't even have the passwords on modern Linux systems.

It's stored in /etc/shadow, so what happens if you try to read that file?

ash-fox@Tapestry:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
ash-fox@Tapestry:~$ ls -ll /etc/shadow
-rw-r----- 1 root shadow 945 2007-08-23 11:49 /etc/shadow
ash-fox@Tapestry:~$

Passwords are safe for now.

Re:your a queer

[808140]

Wow, you guys were seriously trolled. HAND.

I mean, NetBSD as a distro of Linux? Come on, don't make it so easy for them!

all your passwd

[yoprst]

are belong to us!

Re:But...More Secure?

[IntergalacticWalrus]

But, linux is more secure. These things are protected. No one is writing exploits for linux.

Oh, wait, it isn't, they aren't, and they are.

Wait, who said no one is writing exploits for Linux? People write exploits for everything. No software is 100% secure, and anyone who claims the opposite is a fool.

In fact, with all that open source, isn't it easier to see what is going on so I can write a better exploit?

Open code allows anyone to do security audits to patch vulnerabilities before they can be exploited. Patches also tend to propagate faster because of their public nature, and the fact that anyone with sufficient knowledge about the issue can write and apply those patches himself. On the other hand, when a vulnerability is found in closed software, you have no choice but to patiently wait for the vendor to fix it, which may take some time depending on various factors such as PR and the perceived priority of the vulnerability to the vendor's eyes.

Isn't it easier for me to, say, sneak a corporate or national spy into the development team and compromise the project?

You seem to imply that it would be harder to do the same in a non-open project. At least in an open project the code can be audited by anyone. When you get proprietary software you can't inspect it yourself unless you're a member of the project. And if said project is compromised, you can't do anything.

With millions of lines of code, do you think we could keep an Iranian or Chinese spy from getting malicious code into the project?

Chinese spy? I'm not even going to bother replying to this one.

Hypothetical:

- Start a project for a civilian equivelent of a military application
- Form a project team
- Accept a programmer from a country that has very specific ideology driven agendas against much of the western world
- Wonder why the government won't switch to the OS of your desire

Again, the same thing could happen for a closed project, and with greater repercussions, so your argument is meaningless.

Now, the REAL reasons why some governments don't switch to open source:
- Lack of understanding of the movement
- Switching technologies is expensive, especially when the vendors of the current one has made sure it would be difficult to switch by disregarding standards
- Misinformation from corporate interests that see open source as a threat to their current business model instead of embracing it, or people like you

But, wait, linux is more secure. These things are protected. Nobody is writing exploits.

Made-up bullshit again.

Re:I've discovered even worse Linux privacy proble

[ArsonSmith]

Ohh yea? Get this. When you set up your account on a Linux system your password is stored, encrypted in a file called /etc/shadow. Seems a bit shady to me. What are they doing with it? Encrypting it so you don't know that's what's happening and then storing it.

Re:your a queer

[bccomm]

NetBSD uses shadow passwords too. Check your facts at the door.

why /etc/passwd?

[abby.edwards]

man nsswitch.conf

Re:But...More Secure? At least smarter!

Why would anybody respond to such an obvious troll with "substance"?

Re:your a queer

And to add to that: if /etc/passwd was supposed to be soooo guarded, it wouldn't be 644.

Readable to all.

...What the fuck?

[SanityInAnarchy]

Congratulations on including more profanity than actual content in your post...

Oh, here's a hint: "Hacking something up" involves, in Bash, simply accessing $HOME. In Perl, it's $ENV{HOME}. Even in C, it's something like getenv("HOME").

If that's your idea of "hacking something up", you've clearly never been a programmer. If you really think accessing the 8th element of the array returned by getpwent() is more readable than the above, you're also clearly retarded.

Or is it the lack of documentation? Bullshit. I just did a 'set | grep sanity' at the commandline, found I have HOME=/home/sanity. Took far less time than it'd take to Google for "Standard POSIX way to find the home directory without pissing off Anonymous Cowards."

Note also that I said "it could be innocent." I didn't even say that environment variables was a better or easier way. I just said that nobody has to read /etc/passwd to find the user's home directory, which is true.

Re:...What the fuck?

[gtwilliams]

Of course, no one could ever modify his environment before running a program. That wouldn't be fair.

Re:...What the fuck?

[SanityInAnarchy]

That's part of the point. If a program uses $HOME instead of getpwent or whatever, that means I can have multiple config profiles for that program saved somewhere, assuming it doesn't support them by itself.

In fact, Wine supports this kind of thing explicitly, with the WINEHOME environment variable.

Now, why wouldn't you want to support stuff like this in an app like Skype?

Re:...What the fuck?

[gtwilliams]

That's part of the point. If a program uses $HOME instead of getpwent or whatever, that means I can have multiple config profiles for that program saved somewhere, assuming it doesn't support them by itself.

Of course a programmer *could* design that behavior. More typically, programs are designed to look in the home directory (obtained though the POSIX getpwuid() function call designed for that purpose) or use the file specified in the -f option on the command line.

Personally, I think it's silly to expect programs to rely on the /etc/profile or similar mechanism to set an environment variable to obtain the user's home directory instead of the API for that purpose. It certainly doesn't save anything -- getenv() vs. getpwuid(). And it could be wrong.

Re:...What the fuck?

note: different AC.

well, you are clearly not a programmer. I suspect they may not even call the functions themselves but some of the libraries they use call it. It is really very very normal to read /etc/passwd. And furthermore, personally I think it would be very wise if I left the user to decide their username of the day. If I create an app i do not trust user input. So I am not going to let him tell what his name is and where his home dir is located. It is going to break things far to easily. It even has security implications. I need the system to provide a trusted way of linking uids to names.

Oh...and your FUD about surely if you research you surely can find them mailing the file upstream unmasks you as a troll.

Sorry, -5 irrelevant, and you are not worth the /. ID.....

Oh, please, let me work where your code runs!

No security at all!

Want to run as Bob? Easy:

USER=Bob /Some/noob/wrote/this/app :-P

Re:Oh, please, let me work where your code runs!

No security at all!

Want to run as Bob? Easy:

USER=Bob /Some/noob/wrote/this/app :-P

Why shouldn't I be allowed to pretend that my login name is Bob? It's not like it would give me any more privileges than I have already (and if it was an open source app, I could just modify the code to substitute Bob where it normally reads the name - not relevant for Skype of course). It's only if you really, really, really need to know the real login name (mainly in suid/sgid apps, I imagine) that you shouldn't use the environment variable. Only the Skype developers can say whether that applies here.

Required Reading

I strongly recommend a reading of "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments" http://www.nsa.gov/selinux/papers/inevitability/. Whether it's AppArmor or SELinux or something else, it's well past time to start requiring mandatory access controls on our OSes.

Access to Firefox profile worries me most

[jetxee]

Actually, it is much more sensitive part of information than /etc/passwd. /etc/passwd gives away the real name at most. ~/.mozilla gives away practically everything about internet activity of a person. I think this is the thing to worry about.

Lame

[SQLz]

There is a stanard libc library for reading in /etc/password you dolts, you shouldn't have passwords in there anyway. You need things like this to find out the users shell, home directory, etc. Cry me a river, dictionary attack? I mean, make a decent password and use one of the many tools available to notify you of that stuff. Nothing, is secure, security is just a means of slowing people down.

Underhanded C contest

[gr8dude]

Here's the same challenge for you as for the other poster: Write some code that accesses some file it shouldn't, and does something with the data in it (writing it to a socket say) in such a way that you can't tell what's it doing without looking really well at it, and it looks harmless or to be doing something else.

Take a look at the Underhanded C contest.

There are no passwords in the passwd file

[flyingfsck]

The passwd file stores hashes of the passwords. There is nothing sinister about reading the passwd file in order to do authentication - how the hell else must you do it?

Re:There are no passwords in the passwd file

[Ash-Fox]

The passwd file stores hashes of the passwords.

Actually it's stored in /etc/shadow

Re:There are no passwords in the passwd file

[JoeF]

There aren't even hashes in /etc/passwd. Password hashes are stored in /etc/shadow nowadays, and /etc/shadow is only readable by root.
I wonder which clueless moron came up with this alarmist BS...

Not worried

[Tribbin]

As long as there is no grand drop in network speed, I'm not worried.

Citizens

Law abiding citizens have nothing to fear

APPARMOR IS BULLSHIT!

Path based security is a joke and anyone with any respect in the security field will tell you so.

Re:But...More Secure?

[Spazmania]

Furthermore, if we apply this policy rigorously throughout the whole of the Linux operating system, I'm sure we can make Linux' security record every bit a good as Windows in no time at all.

No, that won't do at all. If you want to make Linux's security approach that of Windows, you'll need something like, "chmod -R 777 /"

Correction...

[SanityInAnarchy]

It's WINEPREFIX. Same concept, though -- by default it's ~/.wine, but if I want it to go somewhere else, I can.

An example of practical use: I believe IEs4Wine does this, because Internet Explorer doesn't generally like having multiple versions on the same Windows. So it just creates multiple fake Windows installs, and switches between them with WINEPREFIX.

Cedega actually provides a GUI for this. You can install each game in its own "game folder", each of which is a fake Windows. Thus, no one game that runs on Cedega can possibly be incompatible with another game, or interfere with it in any way -- unless you want them to (obviously you can install multiple things onto the same "game folder", including patches and mods to a game you already have there).

This article is retarded

[insane_coder]

Guess what? The proper thing for any app which saves settings is to read /etc/passwd, and no, it's not to steal your files.
The proper way to get information about the user, such as his name, his home directory, etc is to call the function getpwuid() in a manner like: getpwuid(getuid()), it returns the following struct:

struct passwd {
char *pw_name; /* user name */
char *pw_passwd; /* user password */
uid_t pw_uid; /* user ID */
gid_t pw_gid; /* group ID */
char *pw_gecos; /* real name */
char *pw_dir; /* home directory */
char *pw_shell; /* shell program */
};

Sure it has the user's password listed there (in some format), but this is the proper way to retrieve all the other data also found here. All good applications which save settings per user or try to be more friendly towards the user will call getpwuid() and in turn end up reading /etc/passwd. I have hundreds of programs on my machine like this.

If you think a program reading /etc/passwd is automatically malicious, just remove all your binaries now.

As for reading Firefox files, I'm not sure what it's doing, but Skype does offer Firefox integration right? Surely it's not too hard to imagine it's trying to figure out your configuration and check for conflicting plugins, and the like.

Re:your a queer

[Mr.+Marabou+Man]

$ uname -a && ls -l /etc | grep passwd$
NetBSD 3.1 NetBSD 3.1 (GENERIC) #0: Tue Oct 31 04:27:07 UTC 2006 builds@b0.netbsd.org:/home/builds/ab/netbsd-3-1-RE LEASE/i386/200610302053Z-obj/home/builds/ab/netbsd -3-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
-rw------- 1 root wheel 1102 Aug 26 08:37 master.passwd
-rw-r--r-- 1 root wheel 944 Aug 26 08:37 passwd

Re:your a queer

[Opportunist]

There's nothing wrong with reading /etc/passwd.

Is there? Is there not? How should I know?

In an open source project, one could take the source and if it's FUD, debunk it immediately. Maybe there is a legit reason to read the passwd, maybe there is not. Do I know? No. Can I find out? No. It's closed source. I just know that it does. But what does it do with my passwords? Nobody knows but Skype's makers.

That's the core problem with closed source. I cannot trust it. Maybe it has a good reason to access the passwd file. But do you expect the best or worst? As a security expert, I expect the worst by default until proven wrong. Everything else is playing russian roulette with your system security. You can't just trust a program intrinsically until proven wrong, because when you're proven wrong, it usually is too late.

Re:But...More Secure?

[Zibri]

No, no, no! That wont do at all. Then everybody could make changes to all the files. It should be "chmod -R 774 /", and then you add every user to the admin group, except for the guest user.

How does closed-source affect the use of AppArmor?

[Calyth]

How does closed-source program really affect the use of AppArmor? When was the last time the average Linux user had gone through code to make sure that it is doing things as advertised? When was the last time someone verified that the binary package they got from the distribution is the result of the open source code?

You can't mix ideology with due diligence.

It's not even skype...

[pomac]

#0 0xf7ddc5b3 in getuid () from /lib32/libc.so.6
#1 0x44a325d5 in _XimLocalOpenIM () from /usr/lib32/libX11.so.6
#2 0x44a30f2a in _XimOpenIM () from /usr/lib32/libX11.so.6
#3 0x44a30c70 in _XimRegisterIMInstantiateCallback () from /usr/lib32/libX11.so.6
#4 0x44a16828 in XRegisterIMInstantiateCallback () from /usr/lib32/libX11.so.6

#0 0xf7ddc5b3 in getuid () from /lib32/libc.so.6
#1 0x44a325d5 in _XimLocalOpenIM () from /usr/lib32/libX11.so.6
#2 0x44a30f2a in _XimOpenIM () from /usr/lib32/libX11.so.6
#3 0x44a1687a in XOpenIM () from /usr/lib32/libX11.so.6

The profile thing is a bit different though... The needle in the skype is much worse by comparison, =)

Mod parent up

[xixax]

Congratulations for have the only sane, informative post on this thread after many many pages of scrolling. Is there any way we can mod this as a six?

So Skype collects user data to find unique users?

I guess I'm just old and they have every second of my life cataloged and critiqued already, but isn't Skype just trying to identify unique users? I use Skype for business so I'm fine with any identity-verification tools they may use. You don't know how annoying it is to be fooled and do some programming for an imposter for free because you didn't have $70 for a full background check.

Mod Parent Down

We all know teh Lunix is impregnable and flawless. Anyone who comes into our sacred temple of Lunixness and says otherwise needs to be modded down into the flames of hell.

How dare you speak ill of teh Lunix or Firefux!! All FOSS is perfection by design!! May our Master and Savior teh Lunis strike you down!!!

Re:your a queer

> In an open source project, one could take the source and if it's FUD, debunk it immediately.

But since it's a closed source project, one can throw out wild unsubstantiated allegations with no need to back them up.

Rule Number One

When I use Open Source apps, I do so knowing that there are many developers and hobbyists that have looked over the code, so I know that there aren't any glaring security flaws.

Assumption is the mother of all fuck-ups.

Hidden code...

[Twisted64]

Hide it well enough in the code, and nobody will notice it.

Sneaky example: white_rbt.obj

If we each think someone else checked the source?

[KWTm]

Why only closed source applications? I don't think most people read the entire sources of open source applications that they use.

Not everyone has to, just one person.

When I use Open Source apps, I do so knowing that there are many developers and hobbyists that have looked over the code

Good point, but it's not as simple as you seem to think. For large and far-reaching projects like Linux (the kernel) or Samba, yes, there are many hobbyists who have looked over the code. Not so for small projects, little novelty programs or handy-to-use utilities; there, any hobbyists would probably not go over the code with a fine-toothed comb, and just read over the gist of the code more to understand it than to make sure it's not doing something nasty. You'd be relying on the developers, but if they had malicious intent, it's not like they're going to announce that their open source program has a trojan embedded.

You know what I would do, if I wanted to do something nasty? Suppose for a moment I was strongly motivated to exploit other people's computers using open-source software --say I was paid to bring a DDOS attack against some arbitrary website as part of a protection racket, or something. I'd write an open-source program; given enough time and motivation, I might even fork off some useful but immature OSS program. I'd embed some nasty stuff in there, add features to make lots of people want it. (Example: I take the on-screen clock in KDE (or GNOME) and make it announce the time out loud --kinda "cool" but doesn't take that much development effort.) I would upload it to some reputable site, like SourceForge. I might even fabricate a "development team", complete with different email addresses for various team members.

Do you really think other people are going to read over my source code? Only those people who are interested in extending and contributing to my sources would do so. That would take at least a few months, and before that, I'd probably have recruited a sizeable botnet.

Even if someone did look over the source code, the malicious part of it might not be that easy to spot. Check out the Underhanded C contest where people write innocent-looking programs that do subtle but nasty things. I remember the inaugural contest, which was to make a simple, straightforward vote-counting program that would give George Bush more votes, but ONLY on November second, and not any other date. I thought, "How could someone possibly sneak something underhanded in there, and not have the malicious code stick out like a sore thumb? Haven't people heard of syntax highlighting?" And then, lo and behold, there were programs that did exactly as requested, looking for all the world like an innocent program, with no obvious funny-looking-code on syntax highlighting, and counted the votes correctly on November first and third, but on November second, suddenly George Bush got more votes! The winning program used a pointer overflow and took advantage of the fact that the word "second" (as in "November second") had one more letter than "first" or "third", creating a buffer overflow only when the date string was too long. Since then, there have been three more contests.

That brings me to my somewhat off-topic point: I wish we could have some mechanism for peer review, a corps of OSS programmers (probably volunteers) who would go over code and sign it as reviewed. For example, someone might say, "I've reviewed the GUI portion of GNOME Evolution, and didn't see anything malicious." He would GPG-sign the source code, and we the community could evaluate this based on how well-known the programmer is --Bruce Perens might have more credibility than Ann Onymous Coward, for example. We might establish a database of reviewed pieces of code. And someone spotting some funny behaviour might put in a request to revi

RealPlayer, anyone?

[sweetandy]

This is just a little bit reminding me of RealPlayer. Yet another reason to use free software and ONLY free software. When will people get it?

Re:your a queer

[macshit]

There's nothing wrong with reading /etc/passwd.

Is there? Is there not? How should I know?

Do some research, perhaps? This is not mysterious sekret info...

Standard C library functions read /etc/passwd for very innocuous reasons -- for instance, finding the name of the user.

Unfortunately many people are far quicker to cry and scream in public about things they don't understand, than put in a bit of effort trying to understand what's going on first.

Slashvertisement

[giminy]

Sure, you could use AppArmor (tm, R, etc). ...or you could use SELinux...

Let the flamewar begin!

Sigh. This is perfectly reasonable!

[DarkHelmet433]

As has been stated 10 million times above, they're not reading /etc/passwd. They're calling the C/Posix API function getpwuid(). Why? Because it is the safest way to find the user's home directory - in order to locate a firefox profile. They probably check $HOME as well.

Why check the firefox profile? Because they can look at your proxy settings, to see if it needs to use a socks4 or socks5 proxy at all.

This is all part of their "just works" auto-configuration. It is far from the end of the world.

Which is a more reasonable explanation?
1) Skype is data mining stuff to create a giant database of user names and firefox profiles; or
2) Skype is doing its best to "just work" with your network configuration if possible.

Option #2 explains all of the "suspicious" activity quite nicely. #1 is absurd if you think about it.

cite the right link, ffs.

Why link to an Ubuntu page that mentions what a good idea it would be have a project that builds from AppArmor, when instead you could have linked to... AppArmor itself?

Please refrain from being so lame in future. AppArmor.

Re:But...More Secure? At least smarter!

[thej1nx]

No no, my good man... you are confused! It is MS whose response to Windows security issues comes in 321+ days... Linux responses and patches to security vulnerabilties come much much faster!

Re:But...More Secure?

[darksith69]

Security Through Obscurity FTW!

Fuck The What?

firefox profile = proxy test: Validated !

[risq]

to keep it simple stupid: - /etc/passwd: almost every prog reads this to turn uid into username, etc.... - firefox profile: it is a read of the proxy settings (automatic proxy detection). i tested this, test it for yourself, change your proxy settings to something different and skype wont connect, on the right proxy settings it connects via http through the firewall (bad enough) so the article is almost complete nonsense, despite the fact that one thing is obviously true: closed source can do harm, dont use it ! the question is not what skype can and does read, but u can easily imagine what a bad program can do with your profile settings in your home directory (read plain text passwords / keys locally stored....) for skype there is still no evidence at all that it does something bad. but i wont use it just because it is closed source !

Re:Sigh. This is perfectly reasonable!

I was going to suggest this. Simply reading files isn't always that big a deal. Openoffice will scan your .mozilla directory too, it looks for certificates when you want to encrypt and sign documents, it uses NSS rather than openssl. There are a lot of apps that will look like they are doing odd looking things when you strace them or strip permissions with selinux or app-armor. Mac and Windows users simply expect applications to work most of the time, maybe that means reading proxy settings, checking for open firewall ports and stuff like that.

Skype is a nicely crafted piece of software that usually just works. I'm not going to just defend them, sometimes companies do stupid stuff, but you have to weigh the business side of things, what do they stand to gain vs. lose by grabbing passwords and stuff like that? For Voip, they are probably the undisputed leader. For video conferencing, I'd say the same. if you're looking at platform to platform solutions rather than iChat and MSN chat, they have no peers. It's theirs to lose, why would they risk it all for something that isn't even their primary focus?

Apparently not worth reading the entire comment.

[SanityInAnarchy]

First, let's address your issue:

And furthermore, personally I think it would be very wise if I left the user to decide their username of the day. If I create an app i do not trust user input. So I am not going to let him tell what his name is and where his home dir is located. It is going to break things far to easily. It even has security implications.

I really, really fail to see how any of this has a security implication when we are talking about Skype learning where to store its ~/.skype dir or whatever.

I mean, yes, there are cases where you should not touch the environment. Accessing config files is not one of them; in fact, plenty of apps deliberately include commandline switches to change that kind of thing. Having the user change their name doesn't seem to be a security implication either, unless there's any parts of Skype that are setuid root, which would be pretty stupid.

However, good job for missing the point (like the other guy, who actually did give me a /. ID...)

Here is what I said:

Note also that I said "it could be innocent." I didn't even say that environment variables was a better or easier way. I just said that nobody has to read /etc/passwd to find the user's home directory, which is true.

You may be a programmer, but you really need to work on that reading comprehension. Why is it that every time I post an alternate way of doing something, everyone assumes I'm advocating it?

Re:your a queer

[rifter]

"Third: There's nothing wrong with reading /etc/passwd. POSIX even has an API for accessing it in user code. See the man pages for getpwuid, getpwnam, getpwent, setpwent and endpwent. For example, everytime you do "ls -l", it uses information from /etc/passwd." There are legitimate reasons for a command like ls to want to connect a bunch of UID's and usernames. Making the same argument for a program like skype that should only ever have to read one (or possibly two) config files is a bit more of a stretch. When you consider the fact that ls generally doesn't broadcast stuff allover an internal p2p network at unknown machines, the difference is even more important (especially if you're slightly paranoid about security).

Skype needs to find the username of the user it is bieng installed for and the location of that user's home directory. Both of those are contained in /etc/passwd. Further, it probably checks the contents of directories, so presumably the side-effects of using ls are not out of order here, either.

Re:your a queer

[irc.goatse.cx+troll]

That's the core problem with closed source. I cannot trust it. Maybe it has a good reason to access the passwd file. But do you expect the best or worst? As a security expert, I expect the worst by default until proven wrong. Everything else is playing russian roulette with your system security. You can't just trust a program intrinsically until proven wrong, because when you're proven wrong, it usually is too late.

I expect the most common -- That it's just looking up homedirs or usernames. If you really didn't trust it, chroot it or run it in a virtual machine. You can trust it just fine then.

It's also not as if theres some secure encrypted path from your HD to your CPU. You can strace it or disasm it all the same. Not as clear as reading C, but also tells you exactly what its doing (as opposed to trying to follow obfuscated code with intentional but easy to miss exploits).

Re:your a queer

[cab15625]

Not really. Once you login to your linux computer, the environment variables USER and HOME get set to your username and home directory respectively. If Skype can't find a config file with your skype username/password (which is probably why it needs to know your home directory) then it can always ASK you for that info. Finally, even if this was a valid reason to look in /etc/passwd, it still doesn't explain the need to rifle through all the other files. If you read through the list in the article, it's quite impressive. Some of them I can cobble together an excuse in my head (it needs to check /dev/snd so that it knows how to deal with your sound card). Others make no sense to me at all (why does it need to sift through my firefox pluggins? What does it need with my .Xauthority file?). And some, like /etc/passwd just seem like a poor choice for how to get info that is already available through other means.
As for /etc/passwd itself, things like ls need it since you may use ls to look at stuff that isn't always yours (try ls -l /dev). If you run skype, you're making a phone call, not listing the /dev tree. If it wants to find out who you are, there are other ways that aren't going to seem so fishy.

Re:But...More Secure?

[d3vo1d]

But you know they couldn't just stop at /etc/passwd. *nix done the MS way:

$uname -a
Microsoftix

$ls /
/bin
/home
/lost+found
/tmp

Release Notes:
/lib is hidden to keep the user from manually installing conflicting versions of libraries (as all libs have had version numbers removed)
All other directories have been hidden as they could either confuse the user or the user could render the system inoperable.
All files have permissions 774 and all users are members of group "root".
Before cd'ing into any hidden folder, Microsoftix's patented "SafeDir" will prompt the user "Are you sure? (Y/N?". Please note Microsoftix SafeDir uses MSTK to display its confirmation dialog. As such, you can only cd into hidden directories from within the X environment. This shouldn't be a problem, as Microsoftix does not support consoles outside of the X environment.

Re:your a queer

[rifter]

Not really. Once you login to your linux computer, the environment variables USER and HOME get set to your username and home directory respectively. If Skype can't find a config file with your skype username/password (which is probably why it needs to know your home directory) then it can always ASK you for that info. Finally, even if this was a valid reason to look in /etc/passwd, it still doesn't explain the need to rifle through all the other files. If you read through the list in the article, it's quite impressive. Some of them I can cobble together an excuse in my head (it needs to check /dev/snd so that it knows how to deal with your sound card). Others make no sense to me at all (why does it need to sift through my firefox pluggins? What does it need with my .Xauthority file?). And some, like /etc/passwd just seem like a poor choice for how to get info that is already available through other means.

As for /etc/passwd itself, things like ls need it since you may use ls to look at stuff that isn't always yours (try ls -l /dev). If you run skype, you're making a phone call, not listing the /dev tree. If it wants to find out who you are, there are other ways that aren't going to seem so fishy.

We don't know exactly what Skype is doing with these files except that the program (or its calls) does open them. As far as USER and HOME go, they aren't guaranteed to be anything like correct, and it would be a bad practice to rely on them, especially when there already exist proper system calls for determining the UID of the user. As covered in other posts, mapping that UID to a username would require /etc/passwd, and that is what it is for.

Any program that creates sound is going to either have to open a sound device file or send signals to your mixer of choice (esd/alsasound/etc) so it's not unusual that this program opens those files. Skype uses a Firefox plugin, which would explain why it needs to access those. Your .Xauthority file is potentially opened every time you use an X11 application. And like we said before listing files will probably call the same stuff as ls which will result in opening the /etc/passwd file.

It's not necessarily that the program needs information from all of these files, but rather that opening these files is part of how an application like this works on Linux.

Re:But...More Secure?

[rifter]

"Security Through Obscurity FTW!"

Fuck The What?

For Teh Win

Yeah, Fuck The World came first, as a slogan, but this seems to have supplanted it.

Re:But...More Secure?

[Boronx]

Fuck the Wumpus was the critically acclaimed, though much less popular sequel to Hunt the Wumpus

Re:your a queer

[Opportunist]

Way ahead of you. Gimme a few, it's a fair lot of asm.

anyway

[O.+El+Mekki]

Ever if this alert was an error, I think it's good to have some of this kind sometimes : if anyone think about putting a trojan in a closed sources app for linux, he will think about it twice.

So if that's really an error, I won't be one of those who blame its authors... :)

the faget is you

NetBSD/linux has used shadow passwords since they forked from Slackware in '87. next time pry the dicks out of your mouth long enough to supply at least a little bit of oxygen to your dizzy, ruined brain.

Re:your a queer

[cortana]

What does it need with my .Xauthority file? Surely this is required so that it can connect to your X11 server?

Re:your a queer

[Random832]

But what does it do with my passwords? Nothing, unless your system's ancient: those haven't been stored in /etc/passwd for years. I would assume, given that, that if you DO have such an ancient system, it throws them away, since it has no expectation they will be there anyway.

Re:If we each think someone else checked the sourc

[FrostedChaos]

>You know what I would do, if I wanted to do something nasty? Suppose for a
>moment I was strongly motivated to exploit other people's computers using
>open-source software --say I was paid to bring a DDOS attack against some
>arbitrary website as part of a protection racket, or something. I'd write an
>open-source program; given enough time and motivation, I might even fork off
>some useful but immature OSS program. I'd embed some nasty stuff in there, add
>features to make lots of people want it. (Example: I take the on-screen clock
>in KDE (or GNOME) and make it announce the time out loud --kinda "cool" but
>doesn't take that much development effort.) I would upload it to some reputable
>site, like SourceForge. I might even fabricate a "development team", complete
>with different email addresses for various team members.

Open-source apps on sourceforge don't really get that many users
compared to windows shareware like WinAmp or AIM. Linux use is definitely still
under 10%. Your KDE clock would be going after %0.01 of 10%-- and it's the bad 10%,
the users who actually know how to examine network traffic and source code.

netstat, System Monitor, and nmap are your friends.

I agree with the concept of networks of trust, and code reviews. If you are the NSA,
no doubt you need line-by-line review of code. Most people are not the NSA, and
are content with firewalls and some common sense.

Yes, they're looking for proxy settings

[Khopesh]

My guess is: they are looking for http/https proxy definitions there. Since there is no standard place on Linux to store this, they look into Firefox configuration files.

You are correct. If you re-read the forums and scan for the comments from the Skype staff (ignoring the troll responses), they confirm that they're reading the prefs.js for proxy settings. Doesn't explain why it looks at the plugins, but it's a start. They could tighten it down by adding a "search for proxy" option in the skype pref for proxy so that it doesn't waste as many resources (or as much of privacy nuts' time).