Archive | 2012

Speeding Up Unity On Ubuntu With ATI Cards

I use Ubuntu 12.10 with Unity and I run a mid range ATI 5000 series GPU. Performance was surprisingly good in 12.10 after a fresh install (upgrade made performance horrible) but while playing Flash/HTML5 video things slowed down considerably, and using Super + W (expose) was much slower.

I searched around for some quick tips and found two that have apparently improved things significantly.

sudo apt-get install compizconfig-settings-manager

Then go to the CCSM and the OpenGL plugin and disable “Sync to Vblank”.

Go back to CCSM and then the Composite plugin. This time disable the “Check refresh rate”.

Expose is now much quicker/ smoother. Noticeably so – even while I’m playing video in Chrome. The difference is like night and day – I can reload pages/ tabs alongside the video and move windows around and it’s all smooth.

Make sure you’re on the latest ATI drivers. Due to Valve pushing for better Linux drivers the most recent versions (12.8/12.9) feature vastly improved performance.

Pulseaudio AppArmor Profile

Pulseaudio is an application used on many Linux systems to handle audio. It’s setuid and isn’t PIE, so it’s not a bad idea to restrict it. I believe Fedora uses an SELinux profile for Pulseaudio, but as an Ubuntu user I’m left having to make an AppArmor profile for it.

This profile works on my 64bit Ubuntu system. I’ll keep it updated here in case something changes, but I’m watching video via Chrome just fine. It’s obviously not a very strong profile as Pulseaudio starts off running with very high rights/ capabilities, but we can at least somewhat limit file access. I’m going to try to limit lib access further, but for now this is something.

The profile:

# Last Modified: Tue Dec 11 16:13:58 2012
#include <tunables/global>

/usr/bin/pulseaudio {
capability chown,
capability dac_override,
capability fowner,
capability fsetid,
capability kill,
capability setgid,
capability setuid,
capability sys_nice,
capability sys_resource,
/dev/null rw,
/dev/snd/controlC* rw,
/dev/snd/pcm* rw,
/dev/urandom r,
/etc/group r,
/etc/ld.so.cache r,
/etc/locale.alias r,
/etc/localtime r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/pulse/client.conf r,
/etc/pulse/daemon.conf r,
/etc/pulse/default.pa r,
/etc/pulse/system.pa r,
/etc/udev/udev.conf r,
/home/*/.ICEauthority r,
/home/*/.Xauthority r,
/home/*/.esd_auth rwk,
/home/*/.pulse-cookie rwk,
/home/*/.pulse/ rw,
/home/*/.pulse/* rw,
/home/*/orcexec.* rw,
/lib/x86_64-linux-gnu/lib*.so* mr,
/proc/*/fd/ r,
/proc/*/stat r,
/proc/asound/card*/ r,
/proc/asound/card*/pc*/ r,
/proc/asound/card*/pc*/sub*/ r,
/proc/asound/card*/pc*/sub*/status r,
/proc/sys/kernel/ngroups_max r,
/root/.esd_auth rwk,
/root/.pulse-cookie rw,
/root/.pulse/ rw,
/root/.pulse/* rw,
/run/pulse/ rw,
/run/pulse/.pulse-cookie rwk,
/run/pulse/dbus-socket rwk,
/run/pulse/native rwk,
/run/pulse/pid rwk,
/run/shm/ r,
/run/shm/* rw,
/run/udev/data/\+sound:card* r,
/sys/bus/ r,
/sys/class/ r,
/sys/class/sound/ r,
/sys/devices/pci[0-9]*/**/*class r,
/sys/devices/pci[0-9]*/**/uevent r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/online r,
/sys/devices/virtual/dmi/id/bios_vendor r,
/sys/devices/virtual/dmi/id/board_vendor r,
/sys/devices/virtual/dmi/id/sys_vendor r,
owner /tmp/** mrwk,
/usr/bin/pulseaudio mrix,
/usr/lib/lib*so* mr,
/usr/lib/locale/** r,
/usr/lib/pulse-2.1/modules/*.so* mr,
/usr/lib/pulseaudio/pulse/gconf-helper Cx,
/usr/lib/x86_64-linux-gnu/alsa-lib/lib*.so* mr,
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules r,
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache mr,
/usr/lib/x86_64-linux-gnu/lib*.so* mr,
/usr/lib/x86_64-linux-gnu/pulseaudio/lib*.so* mr,
/usr/share/** r,
/var/lib/dbus/machine-id r,
/var/lib/lightdm/.Xauthority r,
/var/lib/lightdm/.esd_auth rwk,
/var/lib/lightdm/.pulse-cookie rwk,
/var/lib/lightdm/.pulse/ rw,
owner /var/lib/lightdm/.pulse/* w,
/var/lib/lightdm/.pulse/* r,
/var/lib/pulse/ rw,
/var/lib/pulse/* r,
/var/lib/pulse/*-default* rw,
/var/lib/pulse/d*.tdb rw,
profile /usr/lib/pulseaudio/pulse/gconf-helper {
#include <abstractions/base>
/usr/lib/pulseaudio/pulse/gconf-helper mr,

}
}
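Since a profile like this needs revisiting whenever PulseAudio changes, the practical way to iterate on it is to run the profile in complain mode, collect the AppArmor DENIED records from dmesg or audit.log, and turn them into candidate rules. The following is an added example (not from the original post) that does that over constructed sample audit lines; the /home/<user>/ to /home/*/ generalisation and the mapping of create/delete denials onto the w permission are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample AppArmor audit records, in the kernel's apparmor="..."
# key="value" format; constructed for this example, not taken from a real system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1355260438.101:51): apparmor="DENIED" operation="open" profile="/usr/bin/pulseaudio" name="/etc/pulse/daemon.conf" pid=2310 comm="pulseaudio" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1355260438.102:52): apparmor="DENIED" operation="open" profile="/usr/bin/pulseaudio" name="/home/user/.config/pulse/cookie" pid=2310 comm="pulseaudio" requested_mask="wr" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1355260438.103:53): apparmor="ALLOWED" operation="open" profile="/usr/bin/pulseaudio" name="/etc/passwd" pid=2310 comm="pulseaudio" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1355260438.104:54): apparmor="DENIED" operation="mknod" profile="/usr/bin/pulseaudio" name="/home/user/.config/pulse/cookie" pid=2310 comm="pulseaudio" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
type=AVC msg=audit(1355260438.105:55): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/pulseaudio" name="/usr/lib/pulse-2.1/modules/module-foo.so" pid=2310 comm="pulseaudio" requested_mask="rm" denied_mask="m" fsuid=1000 ouid=0
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
HOME_RE = re.compile(r"^/home/[^/]+/")

# Letters that appear in denied_mask but are granted by a different rule letter:
# create and delete both require w in a rule (assumption documented above).
MASK_TO_RULE = {"c": "w", "d": "w"}
# Order used when emitting permissions, matching the post's "mr" / "rwk" style.
RULE_ORDER = "mrwaklx"


def parse_line(line):
    """Return the key="value" fields of one audit record as a dict."""
    return dict(KV_RE.findall(line))


def collect_denials(audit_text, profile="/usr/bin/pulseaudio"):
    """Map each denied path to the set of rule permissions it would need."""
    denied = defaultdict(set)
    for line in audit_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue  # only denials for the profile we are tuning
        if "name" not in f or "denied_mask" not in f:
            continue  # capability/network denials carry no path; handle separately
        path = HOME_RE.sub("/home/*/", f["name"])  # generalise per-user homes
        for letter in f["denied_mask"]:
            denied[path].add(MASK_TO_RULE.get(letter, letter))
    return denied


def suggest_rules(denials):
    """Render one AppArmor file rule per path, permissions merged across records."""
    rules = []
    for path in sorted(denials):
        perms = "".join(p for p in RULE_ORDER if p in denials[path])
        rules.append(f"{path} {perms},")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(collect_denials(SAMPLE_AUDIT)):
        print(rule)
```

Review each suggested rule before pasting it into the profile; a denial tells you what the program tried, not whether it should be allowed.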

Chrome Stable Shipping With Vulnerable Flash Player

Google Chrome 23 was just released to the stable channel with some notable security fixes. It’s also shipping out with a vulnerable Flash Player. Chrome bundles its PPAPI Flash Player into updates, which usually means users are patched more quickly or even before official patches are out. The PPAPI Flash plugin also runs in a very restrictive sandbox, on Windows it runs at an Untrusted Integrity Level with job tokens applied to it, and on Linux it runs with the BPF Sandbox among other things. 

While this typically means users are ahead of patches, in this case Google fell behind. Users shouldn’t worry too much, even if they did land on an exploit page for the vulnerability (and I don’t believe any are currently in the wild) the sandbox is very strong and they’d be protected from infection.

Google will be releasing the latest patched version shortly.

Rootkit Infecting Windows Machines In Wild

Microsoft has reported a fast-spreading rootkit that can infect both 32bit and 64bit Windows operating systems. The rootkit is spread through drive-by download, which means all a user has to do is visit a webpage hosting an exploit kit to be infected.

[…] variants of Necurs were reported on 83,427 unique machines during the month of November 2012. – Technet Blog

Necurs buries itself deep into systems, allowing it to bypass typical security programs and disable antivirus software. Once it is on the system detection is very difficult, as is removal. Your best bet is to prevent it from ever reaching your system.

Once Necurs infects a machine it can do a lot. It immediately hides itself and takes significant effort to protect itself from detection or removal. It can backdoor the system, allowing remote access to it, install more malware to monetize the system, and hijack your email to send out spam messages.

After infection the only real way to be sure a rootkit like Necurs has been removed is to reformat the system and perform a clean install. Products that use BootCDs may or may not be effective.

Keeping Necurs out of your system is the best way to be safe, as you can’t rely on removal/ detection once it’s on the system. Recently it was reported that when the Blackhole Exploit Kit detects the Chrome browser it tries a social engineering method instead of exploitation, due to Chrome substituting its own PDF plugin and disabling Java by default. Using Chrome is a good way to stay safe, but make sure you keep all of your programs up to date. Be sure to check out EMET for protection against 0-day exploits.

Finally Running Netflix On Linux

For years users of Linux have been finding workarounds to get Netflix running on Linux, primarily by running Windows in a virtual machine and then Netflix within that virtual machine. The reason for this is that Netflix will only run with DRM support, and although Linux has created projects that work with Silverlight content they could not recreate/ bypass the DRM.

Recently there has been a major advancement. WINE, the software used to run Windows software within Linux, has a few patches that allow it to run Netflix. It’s not perfect yet, it’s a little choppy, but you can run Netflix straight from your Linux OS without having to resort to resource heavy virtual machines.

To get started just run the following commands in your terminal:

sudo apt-add-repository ppa:ehoover/compholio

sudo apt-get update

sudo apt-get install netflix-desktop

Launch netflix-desktop and enjoy! It’s really that simple. A tip: if your video is choppy try playing it in full screen, this seems to improve performance.

With Steam coming to Linux and now a working Netflix player I think a lot of users will be taking a serious look at desktop Linux.

Donate to WINE so we can see continued improvements to an incredible project: http://www.winehq.org/donate/

Note: This is not a supported method for playing Netflix. But it works!

Content Security Policy Keeps On Rolling

Content Security Policy is a method that browsers and websites use in conjunction to prevent various attacks, such as Cross Site Scripting, or XSS. Essentially when you visit a webpage it will send you back an HTTP Header letting your browser know that it wants to run the delivered code in a restricted way and that the code should only come from specific sources.

On a typical webpage all code is treated the same, despite its origin. Your browser has no way of knowing whether code from evil.com and code from benign.com is malicious, it runs it all if it’s on the page. If the content is served to the browser the browser runs it.

CSP implements a “least privilege” approach to websites. Least privilege is probably the single most powerful security concept and it has led to security features like SMEP/SMAP, DEP, MAC, DAC, and more.

A browser running code from a CSP enabled website will only run code on a whitelist basis. The code can be restricted to HTTPS://good.com/ and any code delivered from any other URL is denied.

Inline scripting is removed entirely as it’s too difficult to determine the origin. eval() is also denied by default, though it can be enabled.

Websites do have to opt into using a CSP; by default the browser uses the same policy it always has, and the CSP has to be configured properly or it could be far less secure. Ideally we’d see websites like banking sites using CSP as it would be another way to ensure attackers could not gain entry into very sensitive data.
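To make the whitelist behaviour concrete, here is an added example (not from the original post) of a simplified CSP evaluator: it parses a header value, applies the fallback from script-src to default-src, and answers whether a script URL, an inline script, or eval() is permitted. The header value is constructed, and the matching ignores paths and ports, which a real browser does check.

```python
from urllib.parse import urlsplit

# Constructed example header value (not from the original post).
EXAMPLE_CSP = "default-src 'self'; script-src https://good.com 'unsafe-eval'; img-src *"


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """A fetch directive that is absent falls back to default-src (no merging)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def source_allows(expr, url, page):
    """Does one source expression permit loading `url` on `page`? (simplified)"""
    u, p = urlsplit(url), urlsplit(page)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.startswith("'"):
        return False  # keyword sources such as 'unsafe-inline' never match a URL
    if expr == "*":
        return True
    if expr.endswith(":"):
        return u.scheme == expr[:-1].lower()  # scheme source, e.g. https:
    e = urlsplit(expr if "://" in expr else "//" + expr)
    if e.scheme and e.scheme != u.scheme:
        return False
    host = e.hostname or ""
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host  # path and port deliberately ignored here


def script_url_allowed(policy, url, page):
    return any(source_allows(s, url, page) for s in effective_sources(policy, "script-src"))


def inline_script_allowed(policy):
    return "'unsafe-inline'" in effective_sources(policy, "script-src")


def eval_allowed(policy):
    return "'unsafe-eval'" in effective_sources(policy, "script-src")
```

Note that once script-src is set explicitly, 'self' from default-src no longer applies to scripts, a common misconfiguration when tightening a policy.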

The Ubuntu Amazon ‘Privacy’ Issue

There’s been a lot of talk about a recent feature to Ubuntu 12.10 – when you type into the Dash you receive back information from Amazon based on your input. There’s a massive outcry that this is a privacy violation or even a security issue, and the media’s been fueling it as much as they can. I’m going to try to explain what’s going on here and where the issues actually lie.

How It Works

The feature activates when you type messages into the Dash – a feature of Unity that takes in your text input and outputs relevant information. When you type into your Dash, info is sent to Canonical and then Canonical sends the info to Amazon; the information is then sent back to Canonical from Amazon and finally lands on your system. What is sent is only what you type in, nothing more.

The idea here is that I can type in “Vacuum” and now I get books on vacuum cleaners or some such thing. The Dash is meant to be a ‘conduit’ of information, you type a word and it responds with everything related to that word. Amazon is just one more way to provide information to you.

The Problem?

Users seem to think this is a privacy issue. I think people hear “OMG Ubuntu has Amazon ads now! And it can see what you type!” – no. No, Amazon cannot see what you type and they’re not ads. They can see the words you put into the Dash and Canonical acts as a proxy, so really, it’s Canonical that “sees” what you’ve typed into the Dash.

So this isn’t some full system keylogger or some such thing, it’s Canonical (the company behind Ubuntu, that packages your system components for you) seeing what you type into the Dash.

So ask yourself – what do I type in the Dash? For me it’s simple – I would type “Pidgin”, “Chrome”, “Homework” and open those files/ programs via Dash. Not exactly personal information.

Unless you’re typing in “porn” or your social security number perhaps you should question how sensitive the information in your Dash really is. Really, what is it that you enter that’s scary?

And then remember that Canonical doesn’t need some clever Dash keylogger to steal your information… they’ve “got root” as Mark Shuttleworth put it. If you don’t trust Canonical you shouldn’t be using their Operating System because they could easily patch up a kernel to spy on you or any other system component that they build on your behalf.

I’ve heard people claim “But what if someone accidentally puts a password in?” well, uh, yeah, that sucks! Canonical then sees your password… not that they need it since, again, they have root. And all of this information is sent to Canonical via secure encrypted connection.

Even beyond all of this users seem to have missed that it’s always been this way. Yes, your Dash has always communicated via internet – how do you think it gets ‘recommended apps’ from the software center? Or music? It’s done this for a long long time and nothing has changed.

And, of course, you can easily disable this by typing “Privacy” into the Dash and disabling the feature.

It comes down to a simple question – do you trust Canonical? 

Educated Users Are Unicorns

When people talk about user education I have to ask if they’ve ever actually seen an educated user. Honestly, we talk about ‘user education’ like it actually exists, like the constant effort to get users to do even the simplest security oriented tasks ever pays off. When does it? When does user education ever work on someone who didn’t already want to learn? Frankly, as far as I can tell, never. You can get the person who’s already interested in computers to listen but that’s such a minority of the population it’s insignificant. A user who has no outside interest in computers actually following security advice is a unicorn – a myth.

There’s this mentality that computers are only as secure as their users. The sad thing is that, right now, this is actually the case. There exists no software implementation of a security model, for any operating system, that protects users from themselves.

The demand for advanced security keeps rising but there’s no one supplying. Instead the users get pushed to take more responsibility when it has been made abundantly clear for decades that they are not willing or capable of handling security decisions.

There’s a great paper done by Microsoft researchers about cost benefit analysis performed by users when given security advice. There are only perceived costs of avoiding negatives when it comes to security whereas there are immediate costs to being secure. As the paper puts it “Security advice simply offers a bad cost-benefit trade off to users.” [PDF]

The abundance of advice we lump into what for whatever reason is dubbed “common sense” is far too much for the vast majority of users to take in.

Users a decade ago were using the same passwords that we see today. The antivirus companies from the 80s are the leading antivirus companies today, and very little has changed. The user group model is still the basis of Windows and Linux security models and ASLR, a 10 year old mitigation technique, is still implemented in a weak manner outside of the PaX ASLR.

Despite the consistently growing demand for advanced security the industry hasn’t evolved in 30 years. The only thing that has changed is we blame users a lot more than ever and expect them to constantly keep up to date with the latest security advice that gets lumped into “common sense.”

Microsoft Security Essentials Fails Test – Short Analysis Of Results

Recently Microsoft Security Essentials, the antivirus provided by Microsoft and installed by default on Windows 8, failed to gain certification from AV-TEST, an organization that tests AV software based on specific criteria.

MSE got a 1.5/6.0 for protection, 3.5/6.0 for repair, and 5.5/6.0 for usability.

In terms of protection, it seems to do really poorly. It actually does alright, but its 0day protection is terribly low – enough to pull the entire score down quite a lot.

But as you can see from other AVs, the higher the rate of 0day detection the higher the performance hit and the higher the number of false positives. Why? Because the heuristics engines run longer and are much more sensitive.

So it’s obvious that Microsoft is prioritizing removal and usability far above 0day detection. They absolutely excel in low false positives, whereas the highest rated AVs have quite a large number by comparison.

So what about 0day malware? Well, on Windows 8 where MSE is installed by default there’s a system wide SmartScreen, Microsoft’s reputation based filter for detecting 0day malware. Clearly they’re separating the security into components – MSE for removal and detection of known malware, and SmartScreen for detection of 0day malware.

So take the entire score into consideration, take the entire system into consideration, before deciding whether MSE is worth using.

Source:

http://www.av-test.org/en/tests/home-user/windows-7/sepoct-2012/

Defending Against Hacktivism

‘Hacktivism’ is a term that describes hacking on behalf of ideals. Wikileaks is one example of hacktivism, made famous by their hacking of US government systems. Anonymous is often referred to as a hacktivist organization. This new movement has serious implications for security.

A lot of what I’ve written about in the past has been an explanation of why certain security methods work and why some don’t. Most of that is based on attackers and their motivation – if a target costs more to attack than the payoff it won’t be attacked. In the case of typical hackers and malware developers the goal is simply to make your product too “expensive” to hack.

But defending against hacktivist groups is an entirely different game. These are people who aren’t doing this for fun or profit, they’re doing it because they believe it’s the right thing to do. In the case of cost v benefit it’s a matter of raising costs higher than benefits – but hacktivists aren’t interested in financial benefits, only in their cause.

This new motivation is far more powerful than a financial one. In the case of an activist motivated attack financial gain isn’t a factor, therefore the cost is purely based on time. (In reality we’ve seen legal repercussions used as a deterrent as well.)

The situation is similar to that of defending against so-called Nation State or Government Funded Malware; attacks like Stuxnet, Duqu, or Flame, all of which originated from the US government. Again, financial gain is not the prime motivator (well, I suppose for the US gov’t it is but I won’t go into politics).

Dealing with Hacktivist and Nation State malware is just about the same, as the motivations are less relevant and it’s all about defending from everything. It calls for a new level of security, one that software currently does not provide for us. Current policies enforced by operating systems are weak and don’t benefit the user much at all, and the only way to achieve true proactive security is to use PaX and Grsecurity for Linux, which is difficult for Desktop Users. Now, desktop users are not always the target, but as we’ve seen with Flame, Duqu, and Stuxnet they’re often caught in the crosshairs or even used to spread the malware.

Providing truly proactive security to desktop users will take entirely new tools and techniques. Maybe in future blog posts I’ll talk about those techniques, though it would take quite a while to explain. For now we have to rely on PaX and Grsecurity, or if we’re stuck on Windows, locking down the system with unruly policies and various other techniques to secure the system.

Without an explanation of how to defend I suppose this post may seem a bit useless. The point I want to draw attention to is that between Nation State and Hacktivist attacks we are going to continue to see a rise in advanced malware designed for attacking otherwise secure systems, and our current security is too outdated to deal with it.