popularity-contest

NoOp glgxg at mfire.com
Fri Mar 30 02:07:23 UTC 2007


On 03/29/2007 05:54 PM, Jeffrey F. Bloss wrote:
> Jan Torben Heuer wrote:
> 
>> OOzy Pal wrote:
>> Hi,
>> 
>> > Nothing more!!! If it is (K)Ubuntu developers then no problem.
>> > 
>> > No risk on my private data!!! Right?
>> 
>> This package is not more dangerous than other packages.  It's on you whom
>> you trust....
> 
> In fact, it's considerably more dangerous than "other packages" because
> it compiles statistics about what software and versions are installed
> on your system and how you're using them, then sends that information
> in the clear through email... one of the most exploitable ways of moving
> information there is on the net. :(
> 
> The short version is you don't even *know* who it is you're trusting.
> 
> And the information itself is highly valuable to a lot of different
> BadGuys(tm). From script kiddie crackers who search for known
> vulnerable versions of some software and then "Metasploit" it, to evil
> governments perusing mail in bulk and profiling "dissidents",
> Broadcasting this sort of information in the clear isn't just a way to
> make their life easier it's potentially the difference in making it
> *possible*.
> 
> And none of this takes into account the fact that the database could be
> attacked directly. I realize identities are hashed, and I'd assume that
> to mean a cryptographically strong actual hash, but a "serial number"
> is still a serial number. If an attacker found a way to end run the
> mathematics they'd own everyone and/or someone, entirely. :(
> 
> 

Debian's machine was hacked in 2006 & popcon was one of the services
that was affected and temporarily taken down.

http://www.geekzone.co.nz/juha/840
<quote>
One core Debian server has been reinstalled after a compromise and
services have been restored. On July 12th the host gluck.debian.org has
been compromised using a local root vulnerability in the Linux kernel.
The intruder had access to the server using a compromised developer account.

The services affected and temporarily taken down are: cvs, ddtp,
lintian, people, popcon, planet, ports and release.
</quote>

Note that it was a "developer's" account that was hacked. So:
http://popcon.debian.org/FAQ
<quote>
A) Each popularity-contest host is identified by a random 128bit uuid
   (MY_HOSTID in /etc/popularity-contest.conf). This uuid is used to
   track submissions issued by the same host. It should be kept secret.
   The reports are sent by email or HTTP to the popcon server.  The
   server automatically extracts the report from the email or HTTP and
   stores it in a database for a maximum of 20 days or until the host
   sends a new report. This database is readable only by Debian
   Developers.  The emails are readable only by the server admins.
   Every day, the server computes a summary and posts it on
   <http://popcon.debian.org/all-popcon-results.txt.gz>. This summary
   is a merge of all the submissions and does not include uuids.
</quote>
isn't much comfort.

Other references:
http://www.darknet.org.uk/2006/07/debian-development-machine-gluck-hacked/
<http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=popularity-contest;dist=unstable#_4_2_5>
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414644

Also, according to http://popcon.debian.org/FAQ it appears that the msgs
are emailed as root:

<quote>
Q) I don't want popcon email to be sent by root! How can I change that ?

A) To send as user 'myuser', edit the function 'do_sendmail' in
/etc/cron.weekly/popularity-contest to

  do_sendmail()
  {
    su myuser -s /bin/sh -c "/usr/sbin/sendmail -oi \"$MAILTO\""
  }
</quote>

So, if I understand this correctly, popcon sets up a cron job & on a
regular basis/schedule sends an email from root to some email address at
ubuntu (presumably survey at popcon.ubuntu.com if it is anything similar to
the debian address: http://popcon.debian.org/README) that lists *all*
programs and libraries that I have used since the last popcon cron job.

Perhaps I need to turn my TFH shiny side out... but I also think that my
system sending out emails without an obvious indication that it is doing
this is a serious security issue. I'm surprised that someone (someone
probably has, we just don't know it) hasn't used this program to gather
other information and send it to some other redirected email address.

Like I said before, I've uninstalled & removed popularity-contest
*permanently* from all my systems. This seems to be another "what was I
thinking" Ubuntu implementation... at least Bill Gates's call-home
programs don't send emails from a root account (at least not that I'm
aware of).

G.
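As an added example (not part of this thread or of the popcon package), a POSIX shell audit helper that reads the two files the FAQ names, /etc/popularity-contest.conf and /etc/cron.weekly/popularity-contest, and reports whether the host submits reports, whether the weekly mail still goes out as root, and whether the secret MY_HOSTID is exposed by a world-readable config. It assumes the config's PARTICIPATE="yes"/"no" key and that the stock cron script lacks the FAQ's su workaround.

```shell
#!/bin/sh
# popcon_audit: added defender-side check, not code from this thread or from
# the popularity-contest package. It reads the two files the popcon FAQ names
# and reports whether this host submits reports, whether the weekly mail still
# goes out as root, and whether the secret MY_HOSTID is readable by everyone.
# Assumption: the config uses a PARTICIPATE="yes"/"no" key, and the stock cron
# script's do_sendmail has no "su <user> -s /bin/sh" line (the FAQ workaround).
#
# popcon_audit CONF CRON_SCRIPT
#   exit 0: no reports are sent from this host
#   exit 1: reports are sent (uuid kept private)
#   exit 2: reports are sent and CONF is world-readable, so the uuid is exposed
popcon_audit() {
    conf="$1"
    cron="$2"
    if [ ! -f "$conf" ]; then
        echo "no popcon config at $conf: nothing is submitted"
        return 0
    fi
    # Strip the key and surrounding quotes; first match wins.
    participate=$(sed -n 's/^PARTICIPATE=//p' "$conf" | tr -d '"' | head -n 1)
    hostid=$(sed -n 's/^MY_HOSTID=//p' "$conf" | tr -d '"' | head -n 1)
    if [ "$participate" != "yes" ]; then
        echo "popcon installed but PARTICIPATE=${participate:-unset}: no reports sent"
        return 0
    fi
    echo "popcon submits reports; MY_HOSTID has ${#hostid} characters"
    if [ -f "$cron" ] && grep -q 'su [^ ]* -s /bin/sh' "$cron"; then
        echo "weekly job mails the report as an unprivileged user"
    elif [ -f "$cron" ]; then
        echo "weekly job $cron still mails the report as root"
    fi
    # -perm -004: true when the "other" read bit is set (POSIX find).
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "WARNING: $conf is world-readable, so MY_HOSTID is not secret"
        return 2
    fi
    return 1
}

# Usage: sh popcon-audit.sh CONF [CRON_SCRIPT]
# e.g. sh popcon-audit.sh /etc/popularity-contest.conf
if [ "$#" -gt 0 ]; then
    popcon_audit "$1" "${2:-/etc/cron.weekly/popularity-contest}"
fi
```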