Jailing the Zoom Client

While there are many Open Source solutions for browser-based videoconferencing and online meetings, like BigBlueButton or Jitsi, I am still forced to use zoom in a lot of contexts.

But the zoom web client lacks a lot of functionality and generally does not work well in my experience.

On the other hand I absolutely distrust the zoom client. Just inspect the strings that appear in the binary of the launcher…

$ strings /opt/zoom/ZoomLauncher | grep grep
pacmd list-sinks |grep 'name:\|module:'

Yes, they are using a lot of shell commands in their compiled binaries. Firejail to the rescue!

more…

Advanced Browser Security with Firejail – A Hands On Guide

Many people believe that browser security is difficult. I created this guide as an overview of Firejail sandboxing technology. The goal is to show you that security can be simple and fun.

The video guide is structured as a hacking session. The victim is running a sandboxed browser. An imaginary zero-day exploit gives the attacker control of the sandbox in the form of a remote shell. Let’s see what damage we can do. And maybe, reconfigure the sandbox so the victim can survive the aftermath of such an attack.

Enjoy!

Restricting Programs From Backdoors/IP Leaks (Audacity Example)

Video on Odysee

Take a look at your Desktop and/or interface. Be it MATE (desktop/laptop), Phosh (Pinephone/Librem), or KDE. We use several buttons/shortcuts to programs everyday. Some of these need the internet. Some do not.

Have you minimized access to programs who do not need the internet? Did you know some programs secretly “call home” and share data/your IP address with 3rd parties (sometimes sold)? The most ideal setup is one which is restricted wherever possible, but not up to the point where your setup becomes unusable.

Here we are going to use a Hot Off the Press News example to demonstrate how to allow networking only to those programs requiring it (such as web browsers, encrypted messengers, etc). Other programs like VLC Media player, GIMP (image manipulation), and Libre Office do NOT need ANY networking for full functionality. So why do we allow it? Because this is default behavior, we accept it. We are going to change that today.

more

Jolla/Sailfish OS 4.0.1 Koli is now available

There are many reasons to choose Sailfish OS over other mobile operating systems, but at Jolla we never forget that privacy and control are things our customers care deeply about. That’s because we care deeply about them too, and that’s why we’ve introduced Firejail app sandboxing into Sailfish OS 4 Koli.

When you first run an application, the Firejail app sandbox will make clear which permissions an application needs in order to run. A Firejailed app is prevented from accessing any of the functionality not granted on the list. Why is that important? We know Jolla developers are trustworthy, but there’s always the possibility someone will release an app containing rogue code, or with an accidental vulnerability for an attacker to exploit. If this happens, it’s reassuring to know the app is confined to minimise any harm it can do.

Some users may be concerned that this increasing security and privacy may impact the control you have over your own device. Rest assured this is not the case. With developer mode activated you’re still free to execute apps outside the sandbox if you prefer. In contrast to other mobile operating systems we want all Sailfish OS users to have full control of their devices, while ensuring malicious hackers don’t.

In the latest release many of the Jolla apps are sandboxed by default, but we’re not yet applying this to third party apps. Sandboxing prevents the use of boosters and QML pre-compilation, with a performance penalty we’re working to avoid. Restricting its use initially to a selected set of apps will give us the chance to iron out some of these kinks before we activate it for third party apps in a future release.

more

SafetyDetectives: 5 Best Antivirus Protection for Linux

After years of using Linux on my main computer, I got really tired of seeing how many low-quality Linux antivirus programs were floating around the internet. While Linux is much more secure than other operating systems, I kept finding vulnerabilities that I was struggling to patch.

One of the reasons for this is that there simply aren’t very many antivirus scanners for Linux. While malware is still an issue, Linux users don’t face the same risks as PC and Mac users, so we need to utilize other cybersecurity tools to harden our devices.

I spent a long time finding the best free Linux cybersecurity tools on the internet. After testing 29 different programs, I’ve come up with some rock-solid programs to help bulk up security on my Linux machine.

  • ClamAV: Open-source freeware antivirus scanner with a GUI.
  • Sophos: Free for one user, scan and remove malware, command line only.
  • Firetools: Sandboxing software prevents malicious web scripts with a GUI.
  • Rootkit Hunter: Behavior-based rootkit scanning, command line only.
  • Qubes: A distro designed to keep your computer as secure as possible.

more… Also in French and Romanian

Firejail on Linux to sandbox all the things

Firejail is a program that can prepare sandboxes to run other programs. This is an efficient way to keep a software isolated from the rest of the system without need of changing its source code, it works for network, graphical or daemons programs.

You may want to sandbox programs you run in order to protect your system for any issue that could happen within the program (security breach, code mistake, unknown errors), like Steam once had a “rm -fr /” issue, using a sandbox that would have partially saved a part of the user directory. Web browsers are major tools nowadays and yet they have access to the whole system and have many security issues discovered and exploited in the wild, running it in a sandbox can reduce the data a hacker could exfiltrate from the computer. Of course, sandboxing comes with an usability tradeoff because if you only allow access to the ~/Downloads/ directory, you need to put files in this directory if you want to upload them, and you can only download files into this directory and then move them later where you really want to keep your files.

more