zeitgeist team mailing list archive

Thread
Date

[Bug 787868] Re: Encryption of database

To: zeitgeist@xxxxxxxxxxxxxxxxxxx
From: Jacob Appelbaum <jacob@xxxxxxxxxxxxx>
Date: Wed, 25 May 2011 23:28:00 -0000
Reply-to: Bug 787868 <787868@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

After discussing with Seif, I realized that there's a major issue that
seems to be unspoken. Zeitgeist is meant to be cross-platform "myware"
program - it helps you to use your computer.

There's a problem with the implementation though - some platforms are
not really privacy protecting or user friendly by default; they may not
all offer disk encryption or real data protection of any kind. So in
effect, when Zeitgeist is running, you have no idea if you're safe in
certain threat models. This is the flip-side to any myware program: when
the data collected falls into the wrong hands, Zeitgeist becomes spyware
that is harmful to the user. If Zeitgeist doesn't encrypt the database
by default, the answer to "am I secure if my device is lost?" is at
best, a maybe and by default, a no.

-- 
You received this bug notification because you are a member of Zeitgeist
Framework Team, which is subscribed to Zeitgeist Framework.
https://bugs.launchpad.net/bugs/787868

Title:
  Encryption of database

Status in Zeitgeist Framework:
  New

Bug description:
  I think that Zeitgeist should encrypt databases in
  ~/.local/share/zeitgeist/* for anti-forensics reasons.

  While someone may happen to use an encrypted disk, Zeitgeist may serve
  as the ultimate accidental spyware to an unsuspecting user. One
  possible mitigation is to randomly generate a reasonable key, tie it
  into the login keychain and then use that key with something like
  http://sqlcipher.net/ rather than straight sqlite.

  In theory, a user will never know that this encryption/decryption is
  happening - no underlying assumptions about the disk need to be made
  to maintain any security guarantees. This should prevent anyone from
  learning the contents of the database without also learning the login
  password. Modern Ubuntu machines disallow non-root ptracing (
  https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace )
  and if the gnome keyring is locked, an attacker would have a much
  harder time grabbing meaningful Zeitgeist data without interacting
  with the user or bruteforcing the login keychain.

References

[Bug 787868] [NEW] Encryption of database
From: Jacob Appelbaum, 2011-05-25