zeitgeist team mailing list archive

Thread
Date

[Bug 787868] Re: Encryption of database

To: zeitgeist@xxxxxxxxxxxxxxxxxxx
From: Mikkel Kamstrup Erlandsen <mikkel.kamstrup@xxxxxxxxx>
Date: Mon, 06 Jun 2011 07:09:03 -0000
Reply-to: Bug 787868 <787868@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Some comments:

 1) The default ZG integration in Ubuntu 11.04 (and 10.10 netbook
edition) logs nothing that can't already be found in recently-used.xbel
(except zg also logs when you launch apps (but not what you do with
them)). So saying that ZG makes Ubuntu less secure by default is a
misunderstanding - and users that have disabled zg has degraded their
user experience for no reason.

 2) From an architectural pow I think that all encryption logic should
be confined in an extension. This probably require that extensions can
provide a factory method of some sorts for the DB connection (which they
can not do now).  To make this clean we should make sure that we can
only have one such factory at a time - or that they can sit on top of
each other in some way... Also consider upgrade paths.

 3) I think we should limit our security support to DB encryption since
that is a very clearly defined thing. If we have some somewhat-but-not-
really-secure heuristics our security profile will just become unclear
to ISVs or distros.

-- 
You received this bug notification because you are a member of Zeitgeist
Framework Team, which is subscribed to Zeitgeist Framework.
https://bugs.launchpad.net/bugs/787868

Title:
  Encryption of database

Status in Zeitgeist Framework:
  In Progress

Bug description:
  I think that Zeitgeist should encrypt databases in
  ~/.local/share/zeitgeist/* for anti-forensics reasons.

  While someone may happen to use an encrypted disk, Zeitgeist may serve
  as the ultimate accidental spyware to an unsuspecting user. One
  possible mitigation is to randomly generate a reasonable key, tie it
  into the login keychain and then use that key with something like
  http://sqlcipher.net/ rather than straight sqlite.

  In theory, a user will never know that this encryption/decryption is
  happening - no underlying assumptions about the disk need to be made
  to maintain any security guarantees. This should prevent anyone from
  learning the contents of the database without also learning the login
  password. Modern Ubuntu machines disallow non-root ptracing (
  https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace )
  and if the gnome keyring is locked, an attacker would have a much
  harder time grabbing meaningful Zeitgeist data without interacting
  with the user or bruteforcing the login keychain.

References

[Bug 787868] [NEW] Encryption of database
From: Jacob Appelbaum, 2011-05-25