Debian GNU/Linux on a HP Elitebook 845 G8

Some time ago, I received a new laptop, the HP Elitebook 845 G8. This is a 14″ laptop with an AMD CPU of the Cezanne family, in my case an AMD Ryzen 7 PRO 5850U. As always, I run Debian GNU/Linux testing (currently Bookworm) on it. In this post, I will explain how to get all hardware working. This guide probably also works for other G8 Elitebooks, such as the Elitebook 835 G8 and Elitebook 855 G8, because they are quite similar.

You can find detailed logs and reports of people running Linux on the Elitebook 845 G8 in the Hardware for Linux database.

Installation

I used a USB disk to boot the installer and a USB-C dock with an Ethernet interface to do a network installation. If you use the Debian installer with non-free firmware, you can also do the installation over wifi. I have not tried the current stable release Debian 11 Bullseye on this system. For best compatibility I strongly recommend testing because it has a more recent kernel and drivers.

Download the installation cd for Debian testing with non-free firmware: you need the file firmware-testing-amd64-netinst.iso.

Now we need to write it to a USB disk. Make sure there is no data on the drive you want to keep, because this process will completely wipe the disk.

To write the ISO image to a USB disk, Windows users can use the application Rufus, MacOS users can use Balena Etcher. If you are using Linux, you can dd the ISO image on your USB disk, or use a GUI like Fedora Media Writer.

Reboot the system and press F10 when the HP logo appears to load the BIOS/UEFI setup. Go to the Advanced page and select Boot Options. There make sure that USB Storage Boot is enabled. If you want to work with custom kernels, it can be handy to disable Secure Boot under Security > Secure Boot Configuration, but it's not needed to install and use Debian, and leaving it enabled keeps the boot chain verified.

Save the changes you made (if any) and reboot the system and press F9 at the HP logo to get the boot menu. In the boot menu, select your USB drive to start the Debian installer.

Enabling non-free repositories

We will need to configure the non-free repositories for apt because we need several firmware packages from non-free. Edit /etc/apt/sources.list and check whether every deb line has main contrib non-free at the end. If not, add it, and then run the command below. (Since Debian 12 Bookworm the firmware packages live in the separate non-free-firmware component, so on a current testing installation add that component as well.)

# apt update

Updating the BIOS/UEFI firmware

If you have a Windows installation, you can update the firmware from there, even before you install Linux. But you can also update the firmware without Windows: follow the instructions in the section Updating HP BIOS firmware from Linux further down this page. It's important to do this, not only because this gives you essential security fixes, but also bug fixes, some of them specifically for Linux compatibility.

Updating CPU firmware

Install the package amd64-microcode to ensure your AMD CPU is always running the latest microcode, which includes security fixes:

# apt-get install amd64-microcode

Flashing other firmware

The fwupd utility can download and install firmware from the LVFS. The firmware of the fingerprint reader of the Elitebook 845 G8 can be updated like this, and this may be necessary to get the fingerprint reader working in Linux. First make sure fwupd is installed:

# apt install fwupd fwupd-amd64-signed

Now refresh the metadata and install all available firmware updates:

# fwupdmgr refresh
# fwupdmgr update

(fwupdtool update does the same without going through the fwupd daemon.)

If you have a HP USB-C Dock G5, then new firmware is also available in the LVFS, but it's in the testing repository. To enable this repository, run this command and then refresh and update again:

# fwupdmgr enable-remote lvfs-testing

Firmware in lvfs-testing has not yet been promoted to the stable remote, so read its release notes before flashing a device you depend on.

Radeon Vega GPU

lspci identifies this GPU as

04:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc. [AMD/ATI] Cezanne [1002:1638] (rev d1)

First make sure the firmware is installed for the GPU. This is needed to get any hardware acceleration.

# apt install firmware-amd-graphics

Then make sure these packages are installed in order to get Vulkan, VA-API, VDPAU and OpenCL support:

# apt install mesa-va-drivers mesa-vulkan-drivers mesa-vdpau-drivers mesa-opencl-icd

Now add this to /etc/environment so that it uses the correct VDPAU driver:

VDPAU_DRIVER=radeonsi

In order to get GStreamer based players to use VA-API, you need to install this package:

# apt install gstreamer1.0-vaapi

After installing the firmware and editing /etc/environment you will need to reboot your system.

Unfortunately most video players and web browsers still don’t use VA-API hardware acceleration by default, but this needs to be configured manually. I will write a separate article about that later.

Realtek wifi adapter

The wifi adapter is a Realtek RTL8822CE according to lspci:

01:00.0 Network controller [0280]: Realtek Semiconductor Co., Ltd. RTL8822CE 802.11ac PCIe Wireless Network Adapter [10ec:c822]

Install the firmware to get it working:

# apt install firmware-realtek

This laptop can also be delivered with an Intel AX200 Wi-Fi 6 adapter (which is actually a better option than this one from Realtek). If you have this one, you will need to install the firmware-iwlwifi package instead.

Smartcard reader

lsusb identifies this smartcard reader as an Alcor AU9540:

Bus 005 Device 004: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader

Note that it only sees the smartcard reader when a card has been inserted.

You will need pcscd with the CCID driver (package libccid) to use this smartcard reader:

# apt install pcscd libccid

Fingerprint reader

The fingerprint reader can be seen like this in lsusb:

Bus 003 Device 003: ID 06cb:00df Synaptics, Inc. 

Make sure you have installed all firmware updates with fwupd and then you need to install these packages:

# apt install fprintd libpam-fprintd

In GNOME, under Settings > Users you can enable fingerprint login and add your fingerprints. Keep in mind that libpam-fprintd is enabled through pam-auth-update for all PAM services, so the fingerprint will also be accepted by sudo and the screen lock, not just the graphical login; review /etc/pam.d/common-auth if that is not what you want.

Sound

lspci:

04:00.5 Multimedia controller: Advanced Micro Devices, Inc. [AMD] ACP/ACP3X/ACP6x Audio Coprocessor (rev 01)
04:00.6 Audio device: Advanced Micro Devices, Inc. [AMD] Family 17h/19h HD Audio Controller

Sound is working out of the box. I recommend switching from Pulseaudio to Pipewire.

Webcam

lsusb:

Bus 001 Device 002: ID 0408:5348 Quanta Computer, Inc. HP HD Camera

The webcam works out of the box. Many applications will see the IR camera as a second camera.

Bluetooth

lsusb:

Bus 003 Device 002: ID 0bda:b00c Realtek Semiconductor Corp. 802.11ac WLAN Adapter

If you use lsusb -v you will see that this is actually the Bluetooth Radio adapter. It is combined with the wifi adapter, hence the confusion.

Suspend/resume

HP does not support S3 (traditional suspend-to-RAM/standby) in its recent Elitebooks any more, but instead uses s0ix (s2idle/suspend-to-idle/modern standby). S2idle support for AMD CPUs was only added in Linux 5.11 with the amd_pmc driver. I recommend a very recent kernel, because later kernel versions had bug fixes in this regard too. However, suspend regressed in stable update 5.17.3 (and others), a bug which was fixed in 5.17.5. I'm using a custom-built 5.17.5 kernel, but a fixed kernel will appear soon in Debian.

If you have HP Drivelock enabled, then your system will fail to resume. Drivelock is a security feature which can be set up in the BIOS and requires you to enter a password when starting up the system in order to access the contents of the disk. When trying to resume the system, the fans start running and the keyboard backlight reacts to key presses, but the screen remains blank, nothing is written to the logs and the network does not come up either. Apparently this is a bug in HP's BIOS/UEFI firmware which can be worked around by adding iommu=pt to the kernel command line. Note that iommu=pt puts the devices the kernel drives in passthrough (identity-mapped) mode, which gives up the DMA isolation the IOMMU would otherwise provide for those devices; it is a workaround for a firmware bug, not a free option. To apply it, edit /etc/default/grub and add it to the variable GRUB_CMDLINE_LINUX_DEFAULT. For example:

GRUB_CMDLINE_LINUX_DEFAULT="quiet iommu=pt"

Then update the GRUB configuration:

# update-grub

Install isenkram to help install drivers when plugging in hardware

Isenkram is a utility which will show a message when you connect hardware to your system for which extra software or firmware is available.

# apt install isenkram

Enabling trimming of the NVME SSD

Enable the fstrim timer to make sure the SSD is trimmed on regular intervals:

# systemctl enable --now fstrim.timer

Increasing battery time

Switch to AMD P-state driver

AMD developed the amd_pstate driver, which was introduced in Linux 5.17. amd_pstate offers better performance per Watt than acpi-cpufreq. To use it, blacklist acpi-cpufreq and load amd_pstate at boot by creating these two files:

/etc/modprobe.d/acpi-cpufreq-blacklist.conf

blacklist acpi-cpufreq

/etc/modules-load.d/amd-pstate.conf

amd_pstate

If you are using Linux 6.3 or later you don't need to do this, but you will have to add this to the GRUB_CMDLINE_LINUX_DEFAULT options in /etc/default/grub:

amd_pstate=active

and run update-grub.

Set up TLP

TLP is a tool which optimizes the power consumption of your system in order to increase battery time. TLP also has an optional Radio Device Wizard (tlp-rdw), which I will use here to automatically disable wifi when the system is connected via an Ethernet cable.

# apt install tlp tlp-rdw

Configure the Radio Device Wizard by creating the file /etc/tlp.d/10-tlp-rdw.conf:

# tlp-rdw - Parameters for the radio device wizard

# Possible devices: bluetooth, wifi, wwan.
# Separate multiple radio devices with spaces.
# Default: <none> (for all parameters below)

DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"
DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"

# Radio devices to enable on disconnect.

DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""

# Radio devices to enable/disable when docked.

DEVICES_TO_ENABLE_ON_DOCK=""
DEVICES_TO_DISABLE_ON_DOCK=""

# Radio devices to enable/disable when undocked.

DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
DEVICES_TO_DISABLE_ON_UNDOCK=""

To enable best ASPM power saving features when on battery, create /etc/tlp.d/20-aspm.conf:

PCIE_ASPM_ON_AC=default
PCIE_ASPM_ON_BAT=powersupersave

You will also need to edit /etc/default/grub to add pcie_aspm=force to the kernel command line, for example

GRUB_CMDLINE_LINUX_DEFAULT="quiet iommu=pt pcie_aspm=force"

And run update-grub to update the GRUB configuration. Note that pcie_aspm=force enables ASPM even on links where the firmware left it disabled, which on some hardware causes link errors or hangs; if you see problems after a resume or with a dock, drop this option first.

Disable Bluetooth and wifi when on battery and they are not in use by creating /etc/tlp.d/30-disable-devices-on-battery.conf:

DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE="bluetooth nfc wifi wwan"

Submitting your system to the Linux Hardware database

The Linux Hardware database is a useful tool where users searching for hardware can check the compatibility of systems with Linux. I recommend running this tool on all your Linux systems. After submission, you will get a link where you can view the data and indicate whether all hardware works and which work-arounds you had to apply. Click on the Review button on the page to do so. Note that the uploaded probe is publicly viewable; hw-probe strips or hashes identifiers such as serial numbers and MAC addresses before uploading, but check the report at that link if you are unsure what it contains.

# apt install hw-probe
# hw-probe -all -upload

Conclusion

Linux compatibility of the HP Elitebook 845 G8 is in good shape. It's not perfect, but all hardware can be made to work. On distros like Ubuntu, which install non-free firmware by default, it should be even easier to make everything work. Still, HP lags behind Dell and Lenovo in Linux support, because they don't make it possible to flash the BIOS/UEFI firmware using fwupd, while all recent Dell and Lenovo business laptops have their firmware available in the LVFS. Also the problem that iommu=pt needs to be used to successfully resume the laptop when Drivelock is enabled is something HP should address in a BIOS update.

Updating HP BIOS firmware from Linux

I have an HP Elitebook 845 G8 laptop. I wanted to update the BIOS/UEFI firmware to the latest version. This is important because firmware updates include essential security fixes.

On Linux you can use the LVFS (Linux Vendor Firmware Service) to easily install firmware updates with the fwupd utility or any of its graphical front-ends (such as GNOME Software or KDE Discover). Dell and Lenovo offer firmware updates for many of their systems via LVFS, however HP only has a very small number of firmware updates available on LVFS.

Fortunately it is possible to install firmware updates without having Windows installed, but it’s a bit more manual work. Here I will explain how I managed to update my Elitebook 845 G8, but this should work for most recent HP laptops and desktops.

First you need to download the firmware update for your system. Use your favourite web search engine and search for the model name and add the word downloads to it, for example: HP Elitebook 845 G8 downloads. The first hit will probably bring you to the right page, in my case: https://support.hp.com/us-en/drivers/selfservice/hp-elitebook-845-g8-notebook-pc/38492638

If you don’t know the exact model of your system, use this command (as root):

# /usr/sbin/dmidecode | grep "Product Name"

On the HP downloads page, you will probably get a message that it was unable to find drivers for your product. Click on the link Choose a different OS and select any Windows 10 version. Now you will find the latest firmware for your system under BIOS-System Firmware. Click on Download. It will try to let you install a Windows Download and Install Assistant: click on No thanks, I will download and install manually to directly get the firmware file, which should have a name similar to sp138978.exe.

Once you have downloaded this file, we need to extract it. You can use 7-Zip for that. Make sure it is installed on your system:

# apt install 7zip

Then we will make a directory and extract the firmware package in it:

$ mkdir /tmp/hpfirmware
$ cd /tmp/hpfirmware
$ 7zz x ~/Downloads/sp138978.exe

You will see many files in the /tmp/hpfirmware directory, such as the History.txt file which you can read if you want to know which changes and bug fixes this update brings. The firmware itself is stored in a file with the extension .bin, in my case it’s named T82_01082000.bin.

To install this firmware, we have to copy it to HP/DEVFW/firmware.bin on the EFI system partition (this assumes that you are booting your system in UEFI mode and not in legacy BIOS mode). If the extracted package contains more than one .bin file, copy the system firmware file by name rather than with *.bin. So as root run these commands from the /tmp/hpfirmware directory:

# mkdir -p /boot/efi/EFI/HP/DEVFW
# cp *.bin /boot/efi/EFI/HP/DEVFW/firmware.bin

Now reboot your system. In GRUB's menu, choose UEFI Firmware Settings. You will get HP's Startup Menu, of which the last menu item is Update System and Supported Device Firmware. This should now automatically install the firmware update. This takes several minutes, and your screen will go blank for a while: don't panic and let it run.

Web application firewall: Modsecurity and Core Rule Set

A web application firewall (WAF) filters HTTP traffic. By integrating this in your web server, you can make sure potentially dangerous requests are blocked before they reach your web application, and that sensitive data does not leak out of your web server. This way you add an extra defensive layer, potentially offering extra protection against zero-day vulnerabilities in your web server or web applications. In this blog post, I give a tutorial on how to install and configure the ModSecurity web application firewall and the Core Rule Set on Debian. With some minor adaptations you can also use this guide for setting up ModSecurity on Ubuntu or other distributions.

ModSecurity is the most well-known open source web application firewall. The future of ModSecurity does not look too bright but fortunately with Coraza WAF an alternative which is completely compatible with ModSecurity is in development. At this moment Coraza only integrates with the Caddy web server, and does not have a connector for Apache or NGinx so for that reason it is currently not yet usable as a replacement for ModSecurity.

While ModSecurity provides the framework for filtering HTTP traffic, you also need rules which define what to block, and that's where the Core Rule Set (CRS) comes in. CRS is a set of generic rules which offer protection against a wide range of common attacks via HTTP, such as SQL injection, code injection and cross-site scripting (XSS) attacks.

Install ModSecurity and the Core Rule Set on Debian

I install the Apache module for ModSecurity, the geoip-database, which can be used for blocking all requests from certain countries, and modsecurity-crs, which contains the Core Rule Set. I take this package from testing, because it has a newer version (version 3.3.2 at the time of writing). There is no risk in taking this package from testing, because it only contains the rules and does not depend on any other packages from testing/unstable. If you prefer faster updates, you can also use unstable.

# apt install libapache2-mod-security2 geoip-database
# apt install -t testing modsecurity-crs

Configuring ModSecurity

In order to load the ModSecurity module in Apache, run this command:

# a2enmod security2

Then copy the example ModSecurity configuration file to /etc/modsecurity/modsecurity.conf:

# cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Now edit /etc/modsecurity/modsecurity.conf. I highlight some of the options:

SecRuleEngine on
SecRequestBodyLimit 536870912
SecRequestBodyNoFilesLimit 131072
SecAuditLog /var/log/apache2/modsec_audit.log
#SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
#"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
SecStatusEngine Off

The SecRuleEngine option controls whether rules should be processed. If set to Off, you completely disable all rules, with On you enable them and it will block malicious actions. If set to DetectionOnly, ModSecurity will only log potential malicious activity flagged by your rules, but will not block them. DetectionOnly can be useful for temporary trying out the rules in order to find false positives before you really start blocking potential malicious activity.

The SecAuditLog option defines a file which contains audit logs. This file will contain detailed logs about every request triggering a ModSecurity rule.

The SecPcreMatchLimit and SecPcreMatchLimitRecursion options set the match limit and match limit recursion for the regular expression library PCRE. Setting these high enough prevents errors that the PCRE limits were exceeded while analyzing data, but setting them too high can make ModSecurity vulnerable to a Denial of Service (DoS) attack through expensive regular expressions. A Core Rule Set developer recommends a value of 500000, so that's what I use here.

I change SecRequestBodyLimit to a higher value to allow large file uploads.

I disable the rule 200004 because it is known to cause false positives.

Set SecStatusEngine to Off to prevent ModSecurity from sending version information back to its developers.

After changing any configuration related to ModSecurity or the Core Rule Set, reload your Apache web server:

# systemctl reload apache2

Configuring the Core Rule Set

The Core Rule Set can be configured via the file /etc/modsecurity/crs/crs-setup.conf.

Anomaly Scoring

By default the Core Rule Set is using anomaly scoring mode. This means that individual rules add to a so called anomaly score, which at the end is evaluated. If the anomaly score exceeds a certain threshold, then the traffic is blocked. You can read more about this configuration in crs-setup.conf but the default configuration should be fine for most people.

Setting the paranoia level

The paranoia level is a number from 1 to 4 which determines which rules are active and contribute to the anomaly scoring. The higher the paranoia level, the more rules are activated and hence the more aggressive the Core Rule Set is, offering more protection but potentially also causing more false positives. By default the paranoia level is set to 1. If you work with sensitive data, it is recommended to increase the paranoia level.

The executing paranoia level defines the rules which will be executed but whose score will not be added to the anomaly score. When HTTP traffic hits rules of the executing paranoia level, this traffic will only be logged but not blocked. It is especially useful to prepare for increasing the paranoia level and to find false positives at this higher level, without causing any disruption for your users.

To set the paranoia level to 1 and the executing paranoia level to 2, make sure you have these rules set in crs-setup.conf:

SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"
SecAction \
  "id:900001,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.executing_paranoia_level=2"

Once you have fixed all false positives, you can raise the paranoia level to 2 to increase security.
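To make the interplay between severity scores, the anomaly threshold and the two paranoia levels concrete, here is a small Python simulation written for this article; it is not part of ModSecurity or the Core Rule Set. The rule ids are real CRS numbers, but the patterns are crude constructed stand-ins, and the severity weights and the inbound threshold of 5 are the CRS defaults.

```python
import re

# CRS default severity weights (tx.critical_anomaly_score and friends in crs-setup.conf)
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5  # default tx.inbound_anomaly_score_threshold

# Constructed stand-ins for CRS rules: (rule id, paranoia level, severity, pattern).
# The ids are real CRS rule numbers; the patterns are deliberately crude approximations
# of the real ones, written only to show the scoring mechanics.
RULES = [
    (941100, 1, "CRITICAL", re.compile(r"<script[^>]*>[\s\S]*?</script>", re.I)),  # libinjection XSS
    (941110, 1, "CRITICAL", re.compile(r"<script[^>]*>", re.I)),                   # script tag vector
    (941160, 1, "CRITICAL", re.compile(r"<\w[\s\S]*?>", re.I)),                     # HTML injection
    (942200, 2, "CRITICAL", re.compile(r"/\*!?[\s\S]*?\*/")),                        # SQL comment obfuscation
]


def evaluate(request, paranoia_level, executing_paranoia_level=None, threshold=INBOUND_THRESHOLD):
    """Run the rule list the way CRS anomaly scoring does.

    Rules at or below tx.paranoia_level add to the anomaly score; rules above it but
    at or below tx.executing_paranoia_level are executed and logged only; rules above
    both are skipped entirely. The request is blocked once the score reaches the threshold.
    """
    if executing_paranoia_level is None or executing_paranoia_level < paranoia_level:
        executing_paranoia_level = paranoia_level  # CRS never lets the EPL drop below the PL
    score, counted, logged_only = 0, [], []
    for rule_id, pl, severity, pattern in RULES:
        if pl > executing_paranoia_level:
            continue  # rule not executed at all
        if not pattern.search(request):
            continue
        if pl <= paranoia_level:
            counted.append(rule_id)
            score += SEVERITY_SCORE[severity]
        else:
            logged_only.append(rule_id)  # executing PL: visible in the logs, no score
    return {
        "blocked": score >= threshold,
        "score": score,
        "counted": counted,
        "logged_only": logged_only,
    }


if __name__ == "__main__":
    xss = "/?search=<script>alert('CRS Sandbox Release')</script>"
    sqli = "/?id=1/**/UNION/**/SELECT/**/1"
    for req, pl, epl in [(xss, 1, 2), (sqli, 1, 2), (sqli, 2, 2)]:
        print(f"PL={pl} EPL={epl} {req!r} -> {evaluate(req, pl, epl)}")
```

With tx.paranoia_level=1 and tx.executing_paranoia_level=2, the XSS request used later in this article scores 15 (three CRITICAL hits of 5 each) and is blocked, which is exactly what rules 949110 and 980130 report in the error log. The SQL comment payload only hits a paranoia level 2 rule, so at paranoia level 1 it is logged but let through, and it is blocked only after you raise the paranoia level to 2.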

Defining the allowed HTTP methods

By default the Core Rule Set only allows the GET, HEAD, POST and OPTIONS HTTP methods. For many standard sites this will be enough, but if your web applications also use RESTful APIs or WebDAV, then you will need to add the required methods. Change rule 900200 and add the HTTP methods mentioned in the comments in crs-setup.conf.

SecAction \
 "id:900200,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

Disallowing old HTTP versions

There is a rule which determines which HTTP versions you allow in HTTP requests. I uncomment it and modify it to only allow HTTP/1.1 and HTTP/2. Current browsers and well-behaved bots use one of these versions, and older versions are often a sign of malicious activity or very old tooling. Some load-balancer health checks and benchmarking tools still send HTTP/1.0, though, so check your logs for hits on this rule before relying on it.

SecAction \
 "id:900230,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_http_versions=HTTP/1.1 HTTP/2 HTTP/2.0'"

Blocking specific countries

Personally I'm not a fan of completely blocking all traffic from a whole country, because you will also block legitimate visitors to your site, but in case you want to do this, you can configure it in crs-setup.conf:

SecGeoLookupDB /usr/share/GeoIP/GeoIP.dat
SecAction \
 "id:900600,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.high_risk_country_codes='"

Add the two-letter country codes you want to block to the last line (before the two quotes), multiple country codes separated by a space.

Make sure you have the package geoip-database installed.

Core Rule Set Exclusion rules for well-known web applications

The Core Rule Set contains rule exclusions for some well-known web applications like WordPress, Drupal and Nextcloud, which reduce the number of false positives. I add the following section to crs-setup.conf, which lets me enable the exclusions from the Apache configuration by setting the WEBAPPID variable (with SecWebAppId) whenever I need them.

SecRule WEBAPPID '@beginsWith wordpress' 'id:20000,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_wordpress=1'
SecRule WEBAPPID '@beginsWith drupal' 'id:20001,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_drupal=1'
SecRule WEBAPPID '@beginsWith dokuwiki' 'id:20002,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_dokuwiki=1'
SecRule WEBAPPID '@beginsWith nextcloud' 'id:20003,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1'
SecRule WEBAPPID '@beginsWith cpanel' 'id:20004,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_cpanel=1'
SecRule WEBAPPID '@beginsWith xenforo' 'id:20005,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_xenforo=1'

Adding rules for Log4Shell and Spring4Shell detection

At the end of 2021 a critical vulnerability, CVE-2021-44228, named Log4Shell, was found in Log4j, which allows remote attackers to run code on a server with a vulnerable Log4j version. While the Core Rule Set offered some mitigation of this vulnerability out of the box, this protection was not complete. New, improved detection rules against Log4Shell were developed. Because of the severity of this bug and the fact that it's being exploited in the wild, I strongly recommend adding this protection manually when using Core Rule Set version 3.3.2 (or older). Newer, not yet released versions should have complete protection out of the box.

First modify /etc/apache2/mods-enabled/security2.conf so that it looks like this:

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.conf

        # Include OWASP ModSecurity CRS rules if installed
        IncludeOptional /usr/share/modsecurity-crs/*.load
        SecRuleUpdateTargetById 932130 "REQUEST_HEADERS"
</IfModule>

Then create the file /etc/modsecurity/99-CVE-2021-44228.conf with this content:

# Generic rule against CVE-2021-44228 (Log4j / Log4Shell)
# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML://*|XML://@* "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
    "id:1005,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,t:cmdline,\
    log,\
    msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', \
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.4.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

In March 2022 another remote code execution (RCE) vulnerability in the Spring Framework was published: CVE-2022-22965, known as Spring4Shell. The Core Rule Set developers wrote a new rule to protect against it, which will be included in the next version, but the rule can be added manually if you are running the Core Rule Set version 3.3.2 or older.

To do so, create the file /etc/modsecurity/99-CVE-2022-22965.conf with this content:

# This rule is also triggered by the following exploit(s):
# - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
# - https://www.ironcastle.net/possible-new-java-spring-framework-vulnerability-wed-mar-30th/
#
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
    "@rx (?:class\.module\.classLoader\.resources\.context\.parent\.pipeline|springframework\.context\.support\.FileSystemXmlApplicationContext)" \
    "id:1006,\
    phase:2,\
    block,\
    t:urlDecodeUni,\
    msg:'Remote Command Execution: Malicious class-loading payload',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/2',\
    ver:'OWASP_CRS/3.4.0-dev',\
    severity:'CRITICAL',\
    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

Don’t forget to reload your Apache configuration after adding these rules.

Testing ModSecurity and checking the logs

We can now easily test ModSecurity by doing a request which tries to abuse a cross-site scripting (XSS) vulnerability:

$ curl -I "https://example.org/?search=<script>alert('CRS+Sandbox+Release')</script>"

This should return HTTP response 403 (Forbidden).

Whenever something hits your ModSecurity rules, this will be logged in your Apache error log. The above request has created these messages in the error log:

[Sat Apr 09 22:22:02.716558 2022] [:error] [pid 847584:tid 140613499016960] [client client-ip:49688] [client client-ip] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:search: <script>alert('CRS Sandbox Release')</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "example.org"] [uri "/"] [unique_id "YlHq6gKxO9SgyEd0xH9N5gADLgA"]
[Sat Apr 09 22:22:02.716969 2022] [:error] [pid 847584:tid 140613499016960] [client client-ip:49688] [client client-ip] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS:search. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:search: <script>alert('CRS Sandbox Release')</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "example.org"] [uri "/"] [unique_id "YlHq6gKxO9SgyEd0xH9N5gADLgA"]
[Sat Apr 09 22:22:02.717249 2022] [:error] [pid 847584:tid 140613499016960] [client client-ip:49688] [client client-ip] ModSecurity: Warning. Pattern match "(?i:(?:<\\\\w[\\\\s\\\\S]*[\\\\s\\\\/]|['\\"](?:[\\\\s\\\\S]*[\\\\s\\\\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange ..." at ARGS:search. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "199"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:search: <script>alert('CRS Sandbox Release')</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "example.org"] [uri "/"] [unique_id "YlHq6gKxO9SgyEd0xH9N5gADLgA"]
[Sat Apr 09 22:22:02.718018 2022] [:error] [pid 847584:tid 140613499016960] [client client-ip:49688] [client client-ip] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.org"] [uri "/"] [unique_id "YlHq6gKxO9SgyEd0xH9N5gADLgA"]
[Sat Apr 09 22:22:02.718596 2022] [:error] [pid 847584:tid 140613499016960] [client client-ip:49688] [client client-ip] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "example.org"] [uri "/"] [unique_id "YlHq6gKxO9SgyEd0xH9N5gADLgA"]

In the first 3 lines we see that we hit different filters which check for XSS vulnerabilities, more specifically rules 941100, 941110 and 941160 all of them having the tag paranoia-level/1.

Then the fourth line shows that we hit rule 949110, which caused the web server to return the HTTP 403 Forbidden response because the inbound anomaly score, 15, is higher than the threshold of 5. Then rule 980130 gives us some more information about the scoring: we hit a score of 15 at paranoia level 1, while rules at the other paranoia levels contributed 0 to the total score. We also see the scores for the individual types of attack: in this case all 15 points were scored by rules detecting XSS attacks. This is the meaning of the different abbreviations used:

  • SQLI: SQL injection
  • XSS: cross-site scripting
  • RFI: remote file inclusion
  • LFI: local file inclusion
  • RCE: remote code execution
  • PHPI: PHP injection
  • HTTP: HTTP protocol violation
  • SESS: session fixation

More detailed logs about the traffic hitting the rules can be found in the file /var/log/apache2/modsec_audit.log.
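As an added example (my code, not part of the original post or of the Core Rule Set), the following Python script parses error-log lines like the ones above, groups them per HTTP transaction by their unique_id and pulls out the matched rules, the paranoia levels, the per-category scores and the status code used to block. The three sample lines are the ones discussed above, embedded as constructed input with the long 941160 regex shortened; only the standard library is needed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input: the three CRS log lines discussed above, with the long regex of
# rule 941160 shortened and the client address and hostname anonymized as on the page.
SAMPLE_LOG = r'''
[Sat Apr 09 22:22:02.717249 2022] [:error] [pid 847584:tid 140613499016960] [client client-ip:49688] [client client-ip] ModSecurity: Warning. Pattern match "(?i:(?:<\\w[\\s\\S]*[\\s\\/]|['\"](?:[\\s\\S]*[\\s\\/])?) ..." at ARGS:search. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "199"] [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:search: <script>alert('CRS Sandbox Release')</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "example.org"] [uri "/"] [unique_id "YlHq6gKxO9SgyEd0xH9N5gADLgA"]
[Sat Apr 09 22:22:02.718018 2022] [:error] [pid 847584:tid 140613499016960] [client client-ip:49688] [client client-ip] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.org"] [uri "/"] [unique_id "YlHq6gKxO9SgyEd0xH9N5gADLgA"]
[Sat Apr 09 22:22:02.718596 2022] [:error] [pid 847584:tid 140613499016960] [client client-ip:49688] [client client-ip] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 15 - SQLI=0,XSS=15,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 15, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"] [hostname "example.org"] [uri "/"] [unique_id "YlHq6gKxO9SgyEd0xH9N5gADLgA"]
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # the [key "value"] pairs of a line
DENIED_RE = re.compile(r'Access denied with code (\d+)')
TOTAL_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')
CATEGORY_RE = re.compile(r'\b(SQLI|XSS|RFI|LFI|RCE|PHPI|HTTP|SESS)=(\d+)')
LEVELS_RE = re.compile(r'individual paranoia level scores: ([\d, ]+)')
EVALUATION_RULES = ('949', '959', '980')   # blocking evaluation and correlation rules, not evidence


@dataclass
class Transaction:
    uri: str = ''
    matched_rules: List[str] = field(default_factory=list)
    paranoia_levels: Set[int] = field(default_factory=set)
    evidence: List[str] = field(default_factory=list)        # the [data "..."] fields
    blocked_with: Optional[int] = None                        # HTTP status, if the request was denied
    total_score: Optional[int] = None
    category_scores: Dict[str, int] = field(default_factory=dict)
    per_level_scores: List[int] = field(default_factory=list)


def parse_fields(line: str):
    """Return ({key: value}, [tags]) for one ModSecurity error-log line."""
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == 'tag':
            tags.append(value)
        else:
            fields[key] = value
    return fields, tags


def summarize(log_text: str) -> Dict[str, Transaction]:
    """Group rule hits by unique_id (one HTTP transaction) and extract what matched and why it was blocked."""
    transactions: Dict[str, Transaction] = {}
    for line in log_text.splitlines():
        fields, tags = parse_fields(line)
        if 'id' not in fields or 'unique_id' not in fields:
            continue  # not a rule hit
        tx = transactions.setdefault(fields['unique_id'], Transaction(uri=fields.get('uri', '')))
        rule_id, msg = fields['id'], fields.get('msg', '')
        if rule_id.startswith(EVALUATION_RULES):
            if m := TOTAL_RE.search(msg):
                tx.total_score = int(m.group(1))
            tx.category_scores.update({name: int(score) for name, score in CATEGORY_RE.findall(msg)})
            if m := LEVELS_RE.search(msg):
                tx.per_level_scores = [int(x) for x in m.group(1).split(',')]
            if m := DENIED_RE.search(line):
                tx.blocked_with = int(m.group(1))
        else:
            tx.matched_rules.append(rule_id)
            tx.paranoia_levels.update(int(t.rsplit('/', 1)[1]) for t in tags if t.startswith('paranoia-level/'))
            if 'data' in fields:
                tx.evidence.append(fields['data'])
    return transactions


if __name__ == '__main__':
    for uid, tx in summarize(SAMPLE_LOG).items():
        print(f"{uid} {tx.uri}: rules {tx.matched_rules} at PL {sorted(tx.paranoia_levels)}, "
              f"score {tx.total_score} {tx.category_scores}, blocked with {tx.blocked_with}")
```

Run it against a real error.log (for example `summarize(open('/var/log/apache2/error.log').read())`) to get one summary per blocked transaction; the evidence list is what you want to look at when deciding whether a hit is a false positive.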

Fixing false positives

First of all, to minimize the number of false positives, set the WEBAPPID variable if you are running one of the web applications for which the Core Rule Set ships a default exclusion set. These are currently WordPress, Drupal, Dokuwiki, Nextcloud, Xenforo and cPanel. You do this with the SecWebAppId directive inside a VirtualHost or Location definition in the Apache configuration. For example, if you have a VirtualHost used by Nextcloud, set this within the VirtualHost definition:

<VirtualHost nextcloud.example.org>
    ...OTHER OPTIONS HERE...
    <IfModule security2_module>
        SecWebAppId "nextcloud"
    </IfModule>
</VirtualHost>

If you have a WordPress installation in a subdirectory, then add SecWebAppId within Location tags.

<Location /wordpress>
    <IfModule security2_module>
        SecWebAppId "wordpress-mysite"
    </IfModule>
</Location>

If you have multiple WordPress sites, give each of them a unique WEBAPPID whose name starts with wordpress, with a different suffix for every instance, so that each one runs in its own application namespace in ModSecurity.

If you still encounter false positives, you can disable rules completely with the configuration directive SecRuleRemoveById. I strongly recommend not disabling rules globally, but limiting the removal to the specific location where the false positive occurs, for example by placing the directive within <Location> or <LocationMatch> tags in the Apache configuration. If only one parameter triggers a rule, consider excluding just that parameter with SecRuleUpdateTargetById instead of removing the whole rule. For example:

<LocationMatch ^/wp-admin/(admin-ajax|post)\.php>
    <IfModule security2_module>
        SecRuleRemoveById 941160 941100 941130 932105 932130 932100
    </IfModule>
</LocationMatch>

Pay attention not to disable any of the 949*, 959*, and 980* rules: disabling the 949* and 959* rules would disable all the blocking rules, while disabling the 980* rules would give you less information about what is happening in the logs.

Conclusion

ModSecurity and the Core Rule Set offer an additional security layer for web servers in your defence in depth strategy. I strongly recommend implementing this on your servers because it makes it harder to abuse security vulnerabilities.

Keep an eye on the Core Rule Set blog and Twitter account: sometimes they post new rules for specific new critical vulnerabilities, which can be worthwhile to add to your configuration.

Fixing crackling/popping while playing music in Debian GNU/Linux

I was experiencing crackling/popping sounds while playing music with Rhythmbox in my Debian GNU/Linux Testing (Bookworm) system. The noises start when starting music playback and stop as soon as I stop the playback.

I came across this bug report for Pipewire, but I am currently still using PulseAudio 15. However, it contained a comment which led to the solution: speech-dispatcher is known to cause crackling sounds.

Speech-dispatcher provides speech synthesis, which is mostly used by blind or visually impaired people. If you do not use this functionality, you can either disable speech-dispatcher (speechd) or uninstall it completely:

Disable speech-dispatcher by editing /etc/speech-dispatcher/speechd.conf and removing the comment sign # before this line near the end of the file:

DisableAutoSpawn

Then log out of and back into your desktop, or kill all speech-dispatcher processes manually.

If you want, you can remove speech-dispatcher completely by running this command:

# apt remove speech-dispatcher

Note that this will remove the gnome meta-package, which in itself is harmless, but might lead to new GNOME components not being installed automatically in the future.

This completely fixed the constant popping and crackling noises while playing music for me.

Missing video thumbnails in Nautilus in Debian Bullseye

I am using Debian Bullseye and for a long time now I have noticed that Nautilus fails to generate thumbnails for certain video files, showing only a generic video icon instead of a thumbnail.

In the kernel log (dmesg), you will see this error:

qtdemux0:sink[70839]: segfault at 0 ip 0000000000000000 sp 00007f724fe61d18 error 14 in totem-video-thumbnailer[5638abe9b000+3000]
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.

This is Debian bug #967941: totem-video-thumbnailer crashes with a segmentation fault when thumbnailing H.264 encoded video files if the package libopenblas0-pthread is installed.

Available Work-arounds

Remove libopenblas0-pthread

# apt-get remove libopenblas0-pthread

This might not be possible if you need this package for other reasons.

For performance reasons you might also want to install the BLIS BLAS implementation and make it the default. Install the packages libblis3-pthread and libblis64-3-pthread and set them as default using the update-alternatives commands from the next work-around.

Switch the default BLAS implementation from OpenBLAS to Atlas

If you cannot uninstall libopenblas0-pthread, you can change the default BLAS and LAPACK implementation on your system to an implementation other than OpenBLAS:

# update-alternatives --config libblas64.so.3-x86_64-linux-gnu
# update-alternatives --config libblas.so.3-x86_64-linux-gnu
# update-alternatives --config liblapack.so.3-x86_64-linux-gnu

Choose a different implementation than openblas in all 3 cases. Usually Atlas will be installed and available by default. You can also install the packages libblis3-pthread and libblis64-3-pthread and choose the BLIS implementation for the former two and Atlas for the latter.

Disable the sandbox in totem-video-thumbnailer

totem-video-thumbnailer limits how much CPU time and memory the process may use. This enhances security and prevents a runaway process from exhausting all resources when something goes wrong. OpenBLAS does not cope well with these limits. You can disable them by calling totem-video-thumbnailer with the -l option. To let GNOME call it with that option automatically, edit the file /usr/share/thumbnailers/totem.thumbnailer and change the Exec= line so that it looks like this:

Exec=/usr/bin/totem-video-thumbnailer -l -s %s %u %o

If you can, rather use one of the two previous work-arounds, because disabling these restrictions may have security implications. Note also that the package manager will overwrite this file on the next upgrade of totem, so you may have to redo this edit.

Regenerating the failed thumbnails

Finally, after implementing one of the three work-arounds, you need to regenerate the failed thumbnails. GNOME Thumbnail Factory keeps a list of all failed thumbnails so that it does not retry generating them over and over again. They are stored in ~/.cache/thumbnails/fail/gnome-thumbnail-factory, so you can simply delete that directory:

rm -rf ~/.cache/thumbnails/fail/gnome-thumbnail-factory

Now when you browse a directory which contains video files with missing thumbnails with Nautilus, it should generate them automatically.

Using HTTP headers to protect your visitor’s security and privacy

Recently there has been a lot of controversy about Google starting to use Federated Learning of Cohorts (FLoC) in its Chrome browser. This new technique tracks users without third-party cookies, but has severe privacy implications: it actually makes fingerprinting users easier and can reveal your interests to websites.

To prevent tracking by FLoC and other tracking techniques, there is only one good solution: stop using Google Chrome. The best privacy-friendly browser is Firefox, especially if you set it to strict enhanced tracking protection. If you really need to use Chrome, then at least install one of the open source extensions which disable FLoC, and Privacy Badger for other tracking protection.

As a website owner, you can also do something to protect your users. You can opt your website out of cohort computation by sending the header Permissions-Policy: interest-cohort=().

This can be easily done for all your websites by modifying your Apache configuration. While at it, you should set some other security and privacy related headers, notably:

  • X-Frame-Options "SAMEORIGIN": this makes sure that browsers will not allow your website to be included in an iframe on another domain (clickjacking). The Content-Security-Policy directive frame-ancestors is the modern replacement and takes precedence when both are present, but X-Frame-Options is still worth sending for older browsers.
  • X-Content-Type-Options "nosniff": this prevents the browser from guessing the type of a file from its content instead of using the MIME type sent by the server. It mitigates attacks where an attacker manages to upload a malicious file under a filename that makes it look like a harmless file type, which is then served to your visitors and would otherwise be interpreted by the browser as HTML or script.
  • Referrer-Policy "no-referrer-when-downgrade": when a visitor clicks a link, the browser only sends the referrer when it is not going from an HTTPS to an HTTP connection. This is fine if your URLs do not contain any private information. If they do, consider strict-origin-when-cross-origin (which is also the current default in browsers), so that only your domain name instead of the complete URL is sent as referrer when people click a link leading to an external website, or even same-origin, which prevents any referrer being sent to external sites. You should probably do this for an internal website, web application or wiki, webmail, etc. More information about Referrer-Policy

To set these in Apache in Debian, create a file /etc/apache2/conf-available/security-headers.conf with these contents:

<IfModule mod_headers.c>
   Header always set X-Frame-Options "SAMEORIGIN"
   Header always set X-Content-Type-Options "nosniff"
   Header always set Referrer-Policy "no-referrer-when-downgrade"
   Header always set Permissions-Policy "interest-cohort=()"
</IfModule>

Then make sure the mod_headers module is loaded and this file is enabled by running these commands:

# a2enmod headers
# a2enconf security-headers
# systemctl reload apache2

Another important header to set in your SSL virtualhosts is the HSTS header: it tells the browser to use HTTPS automatically for every future connection to the website, for the number of seconds given in max-age (two years here). Only send it from the HTTPS virtualhost, because browsers ignore it when received over plain HTTP. Place this in your SSL-enabled virtualhost:

<IfModule mod_headers.c>
   Header always set Strict-Transport-Security "max-age=63072000"
</IfModule>

Then you should also add this to your non-SSL virtualhost to redirect all visitors using HTTP to HTTPS:

<IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{HTTPS} !=on
   RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</IfModule>

Of course make sure mod_rewrite is enabled if that’s not yet the case:

# a2enmod rewrite
# systemctl reload apache2

You can check your server configuration on securityheaders.com. There you can also find more information about the headers Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy, some other security related headers. Because they require more changes to your website to implement correctly, I’m not discussing them here.
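For a local check of the headers discussed above, here is an added Python script (my code, not from the original post or from securityheaders.com). It evaluates a dictionary of response headers against the recommendations in this post; the one-year minimum for HSTS is my threshold, and the two sample responses are constructed, one matching the Apache configuration above and one with typical weak values. The fetch_headers helper needs network access and is only used when you pass a hostname on the command line.

```python
import http.client
import re
import sys
from typing import Dict, List

# Thresholds are my choice: HSTS shorter than one year is flagged (the post sends two years).
MIN_HSTS_AGE = 365 * 24 * 3600
SAFE_REFERRER_POLICIES = {'no-referrer', 'no-referrer-when-downgrade', 'same-origin',
                          'strict-origin', 'strict-origin-when-cross-origin'}
HSTS_OVER_HTTP = 'Strict-Transport-Security sent over plain HTTP: browsers ignore it, send it on the HTTPS vhost'


def parse_permissions_policy(value: str) -> Dict[str, str]:
    """Split 'a=(), b=(self "https://x")' into {'a': '()', 'b': '(self "https://x")'}.
    Allowlists are space-separated inside the parentheses, so splitting on commas is safe."""
    policy = {}
    for item in value.split(','):
        name, _, allowlist = item.strip().partition('=')
        if name:
            policy[name.strip()] = allowlist.strip()
    return policy


def check_security_headers(headers: Dict[str, str], served_over_https: bool = True) -> List[str]:
    """Return findings for one response; an empty list means every header recommended above is present and sane."""
    h = {name.strip().lower(): value.strip() for name, value in headers.items()}
    findings = []
    if h.get('x-frame-options', '').upper() not in ('DENY', 'SAMEORIGIN'):
        findings.append('X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)')
    if h.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options: nosniff missing (MIME sniffing)')
    referrer = h.get('referrer-policy', '').lower()
    if referrer not in SAFE_REFERRER_POLICIES:
        findings.append(f'Referrer-Policy missing or leaks full URLs cross-origin: {referrer!r}')
    if parse_permissions_policy(h.get('permissions-policy', '')).get('interest-cohort') != '()':
        findings.append('Permissions-Policy lacks interest-cohort=() (no FLoC opt-out)')
    hsts = h.get('strict-transport-security', '')
    max_age = re.search(r'max-age=(\d+)', hsts)
    if served_over_https:
        if not max_age:
            findings.append('Strict-Transport-Security missing')
        elif int(max_age.group(1)) < MIN_HSTS_AGE:
            findings.append(f'Strict-Transport-Security max-age={max_age.group(1)} is shorter than one year')
    elif hsts:
        findings.append(HSTS_OVER_HTTP)
    return findings


def fetch_headers(host: str, path: str = '/') -> Dict[str, str]:
    """Fetch the response headers of https://host/path (needs network access; not used by the samples below)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request('HEAD', path, headers={'Host': host, 'User-Agent': 'security-headers-check'})
    return dict(conn.getresponse().getheaders())


# Constructed samples: what the Apache configuration above should produce, and a server that only
# sets a leaky Referrer-Policy, an unrelated Permissions-Policy and a five-minute HSTS.
GOOD_HEADERS = {
    'Content-Type': 'text/html; charset=UTF-8',
    'X-Frame-Options': 'SAMEORIGIN',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer-when-downgrade',
    'Permissions-Policy': 'interest-cohort=()',
    'Strict-Transport-Security': 'max-age=63072000',
}
WEAK_HEADERS = {
    'Content-Type': 'text/html; charset=UTF-8',
    'Referrer-Policy': 'unsafe-url',
    'Permissions-Policy':  'geolocation=()',
    'Strict-Transport-Security': 'max-age=300',
}

if __name__ == '__main__':
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_HEADERS
    print('\n'.join(check_security_headers(headers) or ['no findings']))
```

Header names are compared case-insensitively, as HTTP requires, so the check works on headers captured from any client or proxy log.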

More information

LineageOS 18.1 (Android 11) on OnePlus 3/3T status


Now that LineageOS 18.1 is officially out, it’s time to take a look at how it runs on Oneplus 3/3T phones, just like I did for LineageOS 17.1 on Oneplus 3/3T. At this time I am not yet running LineageOS 18.1 myself so the information here is based on what I read in the LineageOS 18.1 on Oneplus 3/3T thread on XDA-developers forum. Because of this, information here can be incomplete and inaccurate. If you encounter any problems, search in the thread on XDA Developers and post a message there if necessary. This page will be updated as more additional information becomes known.

Questions, problems and solutions

Is it possible to upgrade from LineageOS 17 to 18.1?

Even though this is usually discouraged on XDA, and people will often refuse to give you any support if you did not do a clean installation, it is actually possible. The procedure can lead to problems, so make sure you have proper backups and know how to use TWRP.

First make a complete backup of your device using TWRP. I strongly recommend backing up everything, both the system partition files and the system image. While these contain the same data, sometimes a restored system only boots successfully from one of them. Definitely also back up data and boot.

After a successful complete backup, connect your phone to your computer and, via the Android notification that it is charging via USB, select that you want to transfer files. Now open your device's internal storage on your computer and copy the complete backup in TWRP/BACKUPS/ to your computer. I also recommend making a complete backup of all apps with an app like OAndBackupX and copying this backup to your PC as well. While connected to your PC, also make a backup of your photos in the DCIM directory, because these are not included in backups made with TWRP and OAndBackupX.

Download the following files, either using a browser in Android, or using your computer and then copying them to your phone's internal storage.

Now go to TWRP and install the Magisk Uninstaller zip. Then choose Wipe – Advanced wipe and wipe system, boot, cache and dalvik (do not wipe data or storage: you will lose all data on your phone if you do). Then go to Install – Install image, choose the TWRP image, select recovery and let it flash TWRP. Reboot your phone into the new recovery. Then flash LineageOS 18.1 via Install, wipe cache and dalvik cache, and reboot. If all goes fine, you can boot back into TWRP and flash Magisk.

If all this fails, restore the backups you made.

Which gapps should I use?

You can use MindTheGapps or OpenGapps for LineageOS 18.1. If you choose OpenGapps, use OpenGapps nano. Never use any of the more complete packages, they will cause problems. Install the missing Google applications afterwards from the Play Store.

I cannot find Netflix in the Google Play Store

When you go to the Settings in the Play Store app, under Play Protect certification you will see that your device is not certified.

To solve this, flash the latest Magisk zip in TWRP. Then back in Android go to Settings – Apps & Notifications and there go to Play Store App-Info. Go to Storage and there clear the cache and the storage. Now restart your phone. If you go to the Play Store settings, you will see that the message that it is not certified is gone, and you will be able to install Netflix. After clearing the storage, verify that the Play Store settings are OK for you, because these will have been reset.

Android Gadget Hacks: Fix Play Store Uncertified Errors When You Forget to Flash Magisk

My bank app refuses to start because the phone is rooted

Flash Magisk in TWRP. Then Start Magisk Manager and tap on SafetyNet Check. It should return Success and a green check mark for both CtsProfile and basicIntegrity. Then in Magisk’s menu go to Settings and make sure Magisk Hide is enabled. Then in the menu go to Magisk Hide and enable it for your bank app and for Google Play Services. If it does not work yet, try to remove data and cache of your bank app and reboot. Then try to reconfigure your account.

Known bugs in LineageOS 18.1 on OnePlus 3/3T

The phone crashes from time to time

Some users are reporting stability problems: they experience random reboots in LineageOS because of a kernel panic, at a frequency of about once a week. Logs posted on XDA point to a kernel oops in ffs_data_clear, which is a function in the USB gadget code.

https://forum.xda-developers.com/t/rom-official-nightly-lineageos-18-1-for-oneplus-3-3t.4230665/post-85294671

No way to disable a SIM card when using multiple SIMs

https://forum.xda-developers.com/oneplus-3/oneplus-3–3t-cross-device-development/rom-lineageos-17-0-oneplus-3-3t-t3990061/post82770687#post82770687
https://forum.xda-developers.com/oneplus-3/oneplus-3–3t-cross-device-development/rom-lineageos-17-0-oneplus-3-3t-t3990061/post82771459#post82771459

In LineageOS 16.0 it’s possible to disable one of the SIM cards if you have two SIMs installed. In LineageOS 17.1 and 18.1, the only way to disable a SIM is to physically remove the card from the slot.

This problem is not OnePlus 3/3T specific: it is like this in all LineageOS builds for all devices, and is a deliberate choice by the developers, because it was too hard to implement this for Qualcomm devices (“it’s not a bug, it’s a feature”).

Using Fangfrisch to improve ClamAV malware detection in e-mail

If you have an e-mail server, maybe you are already using the open source tools Amavis and ClamAV to detect malicious e-mails. ClamAV's default virus signatures, while useful, still only detect a limited set of malware. Fortunately there are third-party unofficial signatures which you can use to drastically improve the detection rate, so that it becomes similar to the detection rate of commercial anti-virus software. These third-party signatures are a must-have on any mail server using ClamAV.

ClamAV can also be very useful for scanning the webroot directories on web servers in order to detect malicious PHP scripts which may have been installed on your server after an intrusion in a web application. Several of the third-party ClamAV definitions presented here specialize in this kind of malware.

Fangfrisch is a utility which automates downloading third-party ClamAV virus definitions. It has several free repositories containing ClamAV signatures configured by default, but you can also easily add other ones.

Third-party ClamAV virus definitions

SaneSecurity

SaneSecurity is a set of signatures focusing on so-called 0-day and 0-hour malware, meaning it includes hashes of new malicious files being sent by e-mail. Furthermore it contains signatures for malicious URLs, common spam and phishing messages, and generic signatures which detect some common techniques used in malware, such as exe files with a double extension (for example pdf.exe), exe files hidden in ISO files and often abused functions in MS Office macros. Sanesecurity also distributes signatures from other sources, such as phishing URLs from phishtank.com. A complete list of available signature databases can be found on their website.

SaneSecurity signatures are free to use, however a donation is appreciated.

SecuriteInfo

The French company SecuriteInfo claims that their ClamAV definitions add 4,000,000 signatures for malware and spam not detected by the official ClamAV signatures. There is a free feed of the signatures, but it only contains signatures older than 30 days. For up-to-date 0-day malware detection, you need one of the paid plans.

In the MalwareBazaar database you can see that SecuriteInfo is often the only ClamAV definitions database which detects malicious Windows binaries.

Malwarepatrol

MalwarePatrol is a commercial threat intelligence company which offers free and paid feeds, including ClamAV virus signatures containing URLs pointing to malware files on the web. The free feed is only updated every 72 hours, while the paid feed is updated every 4 hours. If you need an invoice or want to use the feeds to protect customers of your company, you have to use the commercial feeds.

Shortly after integrating the free feed in my Amavis installation, I noticed it was wrongly blocking legitimate mails with links to arxiv.org/pdf, which is used a lot in academic environments. So be careful when you integrate this feed. For this reason you should not automatically block all messages flagged by Malwarepatrol. With Amavis you can give them a positive spam score instead. In combination with the score from the Bayes spam filter, legitimate mails will then not be blocked.

MalwareExpert

MalwareExpert offers a commercial, paid feed of signatures which detect malicious PHP files, meant for scanning your web servers.

URLHaus

URLHaus is a project from abuse.ch collecting URLs of sites distributing malware. They offer a ClamAV signature database of all these malicious URLs so that you can block all e-mail containing links to sites distributing malware. This database can be used for free, both for commercial and non-commercial purposes.

Clam-punch

Clam-punch is described as a “highly curated set of signatures for ClamAV”. It seems to focus mainly on malicious macros in MS Office documents. They do not seem to be updated regularly any more, however as the signatures appear to be rather generic, they can probably still be useful.

TwinWave Security Twinclams

Twinclams is a GitHub repository by TwinWave Security containing signatures for malicious MS Office documents. The author of Twinclams appears to be a contributor to Clam-punch. This ClamAV virus database is updated daily and appears to be highly effective in detecting newly found Office documents with malicious macros. Recent malicious Office documents in the MalwareBazaar database are almost always detected by the Twinclams definitions, sometimes even files which are not yet detected by commercial anti-virus software.

R-FX Networks Linux Malware Detect

As part of its Linux Malware Detect (LMD) tool, R-FX Networks offers a set of ClamAV signatures specializing in Linux-specific malware, including malicious PHP scripts, trojan horses such as malicious IRC bots, worms, etc.

InterServer

Another set of ClamAV signatures focused on malicious PHP scripts is maintained by the hosting provider InterServer. I highly recommend this feed if you want to scan your web servers.

ditekshen

The ClamAV signatures by security researcher ditekshen add detection for various Windows, macOS and Linux trojan horses and ransomware.

Installing Fangfrisch

Unfortunately Debian does not have a package for Fangfrisch, so you need to install it manually. In contrast to the documentation, I prefer to install fangfrisch in /opt in a Python virtual environment, using /var/lib/fangfrisch only for the database and saving the signatures in /var/lib/fangfrisch/signatures, so that we can check them later on before letting ClamAV use them. Both directories must be writable by the clamav group, because Fangfrisch will run as the clamav user later on; note that mkdir -m only applies the mode to the last path component, so create both directories explicitly:

# mkdir -m 0770 /var/lib/fangfrisch
# mkdir -m 0770 /var/lib/fangfrisch/signatures
# chgrp -R clamav /var/lib/fangfrisch
# mkdir /opt/fangfrisch
# cd /opt/fangfrisch
# apt-get install python3-venv python3-pip
# python3 -m venv venv
# source venv/bin/activate
# pip3 install fangfrisch

Configuring Fangfrisch

Create the file /etc/fangfrisch/fangfrisch.conf with these contents:

[DEFAULT]
db_url = sqlite:////var/lib/fangfrisch/db.sqlite

# The following settings are optional. Other sections inherit
# values from DEFAULT and may also overwrite values.

local_directory = /var/lib/fangfrisch/signatures
max_size = 5MB
on_update_exec = /usr/local/bin/setup-clamav-sigs
on_update_timeout = 42
log_level = info

[malwarepatrol]
enabled = no
# Replace with your personal Malwarepatrol receipt
# receipt = XXXXXXXXX
# change product id if necessary.
# 32 = free guard, 33 = Basic Defense yearly, 34 = Basic Defense monthly, 37 = Basic Defense EDU/Contributor
# product = 32

# This is untested
[malwareexpert]
enabled = no
max_size = 20M
prefix = https://signatures.malware.expert
interval = 1d
# serial_key = xxxxxxx
url_malware.expert_fp = ${prefix}/${serial_key}/malware.expert.fp
url_malware.expert_hdb = ${prefix}/${serial_key}/malware.expert.hdb
url_malware.expert_ldb = ${prefix}/${serial_key}/malware.expert.ldb
url_malware.expert.ndb = ${prefix}/${serial_key}/malware.expert.ndb

[sanesecurity]
prefix = https://ftp.swin.edu.au/sanesecurity/
max_size = 10M
enabled = yes
interval = 1h
url_malwareexpert_fp = disabled
url_malwareexpert_hdb = disabled
url_malwareexpert_ldb = disabled
url_malwareexpert_ndb = disabled

[securiteinfo]
enabled = no
# uncomment the next line if you want to use the securiteinfoold.hdb database with old signatures
# max_size = 500MB
# Replace with your personal SecuriteInfo customer ID
# customer_id = abcdef123456
# Remove the exclamation mark before the next databases if you have the Professional subscription
!url_0hour = ${prefix}securiteinfo0hour.hdb
!url_securiteinfo_mdb = ${prefix}securiteinfo.mdb
# The next databases are disabled by default in fangfrisch because they are prone to false positives, but we reduce most of them to a spam score in Amavis
url_old = ${prefix}securiteinfoold.hdb
url_spam_marketing = ${prefix}spam_marketing.ndb

[urlhaus]
enabled = yes
max_size = 2MB

[twinwave]
enabled = yes
max_size = 2M
integrity_check = disabled
interval = 1h
prefix = https://raw.githubusercontent.com/twinwave-security/twinclams/master/
url_twinclams = ${prefix}twinclams.ldb
url_twinwave_ign2 = ${prefix}twinwave.ign2

[clampunch]
enabled = yes
max_size = 2M
integrity_check = disabled
interval = 24h
prefix = https://raw.githubusercontent.com/wmetcalf/clam-punch/master/
url_miscreantpunch099low = ${prefix}MiscreantPunch099-Low.ldb
url_exexor99 = ${prefix}exexor99.ldb
url_miscreantpuchhdb = ${prefix}miscreantpunch.hdb

[rfxn]
enabled = yes
interval= 4h
integrity_check = disabled
prefix = https://www.rfxn.com/downloads/
url_rfxn_ndb = ${prefix}rfxn.ndb
url_rfxn_hdb = ${prefix}rfxn.hdb
url_rfxn_yara = ${prefix}rfxn.yara

[interserver]
enabled = yes
interval = 1d
integrity_check = disabled
prefix = https://sigs.interserver.net/
url_interserver_sha256 = ${prefix}interserver256.hdb
url_interserver_topline = ${prefix}interservertopline.db
url_interserver_shell = ${prefix}shell.ldb
url_interserver_whitelist = ${prefix}whitelist.fp

[ditekshen]
enabled = yes
interval = 1d
integrity_check = disabled
prefix = https://raw.githubusercontent.com/ditekshen/detection/master/clamav/
url_ditekshen_ldb = ${prefix}clamav.ldb
filename_ditekshen_ldb = ditekshen.ldb

Don’t forget to customize the entries if you have any paid subscription. Set some safe file permissions on this file, especially if it contains tokens of commercial subscriptions:

# chown root:clamav /etc/fangfrisch/fangfrisch.conf
# chmod 640 /etc/fangfrisch/fangfrisch.conf

Checking the new signatures before letting ClamAV use them

In the configuration file above, I call the script setup-clamav-sigs whenever signatures have been updated. This script checks whether the downloaded files really differ from the signatures in /var/lib/clamav and, if they do, verifies that they do not contain errors that would prevent ClamAV from loading them. If ClamAV can load them successfully, it copies them to /var/lib/clamav and tells clamd to reload its databases if it is running. Download the script from the GitLab repository, place it in /usr/local/bin and make sure it is executable.
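To show what such a staging step looks like, here is an added Python version of the same idea (my code, not the author's setup-clamav-sigs script). It compares the downloaded files with the live copies by SHA-256, asks clamscan to load each changed file on its own (`clamscan -d FILE` loads only that database and exits with status 2 on an error such as a malformed database), copies the ones that load and reloads clamd once with clamdscan --reload, as done later in this post. The directory names are the ones from this post; the demo directories and the signature lines in them are constructed for a dry run.

```python
import hashlib
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple

# File types Fangfrisch downloads for the feeds configured above (.yara from rfxn, .db from InterServer).
SIGNATURE_SUFFIXES = {'.hdb', '.ndb', '.ldb', '.mdb', '.fp', '.ign2', '.yara', '.db'}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            digest.update(chunk)
    return digest.hexdigest()


def changed_signatures(staging: Path, live: Path) -> List[Path]:
    """Signature files in `staging` that are new or whose content differs from the copy in `live`."""
    changed = []
    for path in sorted(staging.iterdir()):
        if not path.is_file() or path.suffix not in SIGNATURE_SUFFIXES:
            continue
        target = live / path.name
        if not target.exists() or sha256_of(target) != sha256_of(path):
            changed.append(path)
    return changed


def loads_cleanly(path: Path) -> bool:
    """Let clamscan load only this database (-d FILE) and scan an empty directory.
    clamscan exits with 2 on errors such as a malformed database."""
    with tempfile.TemporaryDirectory() as empty_dir:
        try:
            result = subprocess.run(['clamscan', '--quiet', '--database', str(path), empty_dir],
                                    stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True)
        except FileNotFoundError:
            print('clamscan not found; cannot validate', path.name, file=sys.stderr)
            return False
    if result.returncode == 2:
        print(f'rejected {path.name}: {result.stderr.strip()}', file=sys.stderr)
    return result.returncode != 2


def deploy(staging: Path, live: Path, reload_command=('clamdscan', '--reload')) -> List[str]:
    """Copy every changed, loadable signature file into `live` and ask clamd to reload once."""
    deployed = []
    for path in changed_signatures(staging, live):
        if loads_cleanly(path):
            shutil.copy2(path, live / path.name)
            deployed.append(path.name)
    if deployed:
        subprocess.run(list(reload_command), check=False)
    return deployed


def make_demo_dirs() -> Tuple[Path, Path]:
    """Constructed fixture for a dry run: one unchanged, one new and one modified signature file,
    plus a file that is not a signature database and must be ignored."""
    base = Path(tempfile.mkdtemp(prefix='sigdemo-'))
    staging, live = base / 'signatures', base / 'clamav'
    staging.mkdir()
    live.mkdir()
    (live / 'unchanged.ndb').write_text('Demo.Sig.A:0:*:41414141\n')
    (staging / 'unchanged.ndb').write_text('Demo.Sig.A:0:*:41414141\n')
    (staging / 'new.hdb').write_text('d41d8cd98f00b204e9800998ecf8427e:0:Demo.Sig.B\n')
    (live / 'modified.ldb').write_text('Demo.Sig.C;Engine:51-255,Target:0;0;41414141\n')
    (staging / 'modified.ldb').write_text('Demo.Sig.C;Engine:51-255,Target:0;0;42424242\n')
    (staging / 'README.txt').write_text('not a signature database\n')
    return staging, live


if __name__ == '__main__':
    # Real use: setup-clamav-sigs /var/lib/fangfrisch/signatures /var/lib/clamav
    if len(sys.argv) == 3:
        staging_dir, live_dir = Path(sys.argv[1]), Path(sys.argv[2])
    else:
        staging_dir, live_dir = make_demo_dirs()
    print('changed:', [p.name for p in changed_signatures(staging_dir, live_dir)])
    print('deployed:', deploy(staging_dir, live_dir))
```

Because the script runs as the clamav user (that is who Fangfrisch runs as), /var/lib/clamav must be writable by that user, which is the case on Debian.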

Initializing Fangfrisch

When you have set up Fangfrisch, initialize its database by executing the following command as the clamav user (the same user the systemd service below runs as):

# sudo -u clamav -- /opt/fangfrisch/venv/bin/fangfrisch --conf /etc/fangfrisch/fangfrisch.conf initdb

Configuring Clamav

SecuriteInfo recommends setting these settings in /etc/clamav/clamd.conf in order to get the best detection while still avoiding too many false positives:

DetectPUA yes
ExcludePUA PUA.Win.Packer
ExcludePUA PUA.Win.Trojan.Packed
ExcludePUA PUA.Win.Trojan.Molebox
ExcludePUA PUA.Win.Packer.Upx
ExcludePUA PUA.Doc.Packed

Configuring Amavis

I assume you already have a working Amavis instance. Sanesecurity gives some recommendations for Amavis for the best results. Add this to the configuration; in Debian, for example, you can create the file /etc/amavis/conf.d/50-clamav:

@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',   # retain full original message for virus checking (can be slow)
  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data',     # don't trust Archive::Zip
));

@virus_name_to_spam_score_maps =
   (new_RE(  # the order matters!
     [ qr'^TwinWave\.'                                      => undef ],# keep as infected
     [ qr'^MiscreantPunch\.'                                => undef ],# keep as infected
     [ qr'^Structured\.(SSN|CreditCardNumber)\b'            => 2.0 ],
     [ qr'^(Heuristics\.)?Phishing\.'                       => 2.0 ],
     [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)'      => 10.0 ],
     [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ],# keep as infected
     [ qr'^Sanesecurity\.Phishing\.'                        => 6.0 ],
     [ qr'^Sanesecurity\.Blurl\.'                           => 4.0 ],
     [ qr'^Sanesecurity\.Jurlbl\.'                          => 2.0 ],
     [ qr'^Sanesecurity\.Spam\.'                            => 2.0 ],
     [ qr'^Sanesecurity\.SpamL\.'                           => 2.0 ],
     [ qr'^Sanesecurity\.Junk\.'                            => 4.0 ],
     [ qr'^Sanesecurity\.Scam4\.'                           => 2.0 ],
     [ qr'^Sanesecurity\.'                                  => 0.1 ],
     [ qr'^Sanesecurity.TestSig_'                           => 0   ],
     [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0   ],
     [ qr'^BofhlandMW\.'                                    => undef ],# keep as infected
     [ qr'^Bofhland\.Malware\.'                             => undef ],# keep as infected
     [ qr'^Bofhland\.'                                      => 2.0 ],
     [ qr'^winnow.malware\.'                                => undef ],# keep as infected
     [ qr'^winnow\_'                                        => 2.0 ],
     [ qr'^PhishTank\.Phishing\.'                           => 6.0 ],
     [ qr'^Porcupine\.Malware\.'                            => undef ],# keep as infected
     [ qr'^Porcupine\.'                                     => 2.0 ],
     [ qr'^Email\.Spammail\b'                               => 2.0 ],
     [ qr'^Safebrowsing\.'                                  => 2.0 ],
     [ qr'^winnow\.(phish|spam)\.'                          => 2.0 ],
     [ qr'^SecuriteInfo.com\.Phish'                         => 6.0 ],
     [ qr'^SecuriteInfo.com\.Spam'                          => 2.0 ],
     [ qr'^MBL_'                                            => 4.0 ],
   ));

These settings ensure that not only the different parts and attachments are scanned separately by ClamAV, but also the mail as a whole. Then we downgrade some ClamAV detections from infected to a spam score that is added to the SpamAssassin score. I do this for rules that are more likely to cause false positives. The order of the entries matters, because the first matching entry wins. You can adapt the scores to your own situation.
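To see how the first-match lookup behaves, here is an added Python rendering of part of the map above (my code, neither Amavis' nor Sanesecurity's). It reproduces a representative subset of the entries in their original order and shows that a Sanesecurity test signature scores 0.1, because the Sanesecurity catch-all entry matches before the TestSig entry; TESTSIG_FIRST moves that entry in front so that its score of 0 applies. How Amavis combines the scores of several mapped names in one mail is an assumption here (the maximum), flagged in the code.

```python
import re
from typing import List, Optional, Sequence, Tuple

# A representative subset of the map above, in the same order. None plays the role of Perl's
# undef: the detection stays a real infection. Names from unofficial databases carry a
# .UNOFFICIAL suffix, which the anchored patterns do not care about.
VIRUS_NAME_TO_SPAM_SCORE: List[Tuple[str, Optional[float]]] = [
    (r'^TwinWave\.', None),
    (r'^MiscreantPunch\.', None),
    (r'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)', 10.0),
    (r'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.', None),
    (r'^Sanesecurity\.Phishing\.', 6.0),
    (r'^Sanesecurity\.Blurl\.', 4.0),
    (r'^Sanesecurity\.Jurlbl\.', 2.0),
    (r'^Sanesecurity\.Spam\.', 2.0),
    (r'^Sanesecurity\.Junk\.', 4.0),
    (r'^Sanesecurity\.', 0.1),
    (r'^Sanesecurity.TestSig_', 0.0),
    (r'^PhishTank\.Phishing\.', 6.0),
    (r'^SecuriteInfo.com\.Phish', 6.0),
    (r'^SecuriteInfo.com\.Spam', 2.0),
    (r'^MBL_', 4.0),
]

# The same map with the TestSig entry moved in front of the Sanesecurity catch-all.
TESTSIG_FIRST = [(r'^Sanesecurity.TestSig_', 0.0)] + \
    [entry for entry in VIRUS_NAME_TO_SPAM_SCORE if entry[0] != r'^Sanesecurity.TestSig_']


def map_score(name: str,
              rules: Sequence[Tuple[str, Optional[float]]] = VIRUS_NAME_TO_SPAM_SCORE) -> Optional[float]:
    """First matching entry wins, as in Amavis' new_RE lookup. A name that matches nothing at all
    (an official ClamAV signature, say) also returns None, i.e. it stays an infection."""
    for pattern, score in rules:
        if re.search(pattern, name):
            return score
    return None


def evaluate(names: Sequence[str], rules=VIRUS_NAME_TO_SPAM_SCORE) -> Tuple[bool, float]:
    """Amavis keeps the mail 'infected' as soon as one reported name is not mapped to a score.
    Combining the scores of several mapped names as their maximum is an assumption of this
    example; check the @virus_name_to_spam_score_maps notes of your Amavis version."""
    scores = [map_score(name, rules) for name in names]
    if any(score is None for score in scores):
        return True, 0.0
    return False, max(scores, default=0.0)


if __name__ == '__main__':
    for name in ('Sanesecurity.Malware.27845.UNOFFICIAL', 'Sanesecurity.Phishing.Bank.1234.UNOFFICIAL',
                 'Sanesecurity.TestSig_Type3_Bdy.UNOFFICIAL', 'Win.Trojan.Agent-1234567'):
        print(f'{name}: {map_score(name)} (TestSig first: {map_score(name, TESTSIG_FIRST)})')
```

Feed it the virus names from your Amavis log (the "INFECTED (...)" lines) to predict how a given detection will be handled before you change the map.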

Automatically running Fangfrisch using a systemd timer

Create the file /etc/systemd/system/fangfrisch.service:

[Unit]
Description=Download unofficial clamav virus definition files
ConditionPathExists=/var/lib/fangfrisch/db.sqlite

[Service]
Type=oneshot
User=clamav
WorkingDirectory=/var/lib/fangfrisch
ExecStart=/opt/fangfrisch/venv/bin/fangfrisch --conf /etc/fangfrisch/fangfrisch.conf refresh

[Install]
WantedBy=multi-user.target

Then create the file /etc/systemd/system/fangfrisch.timer:

[Unit]
Description=Download unofficial clamav virus definition files
Requires=fangfrisch.service

[Timer]
Unit=fangfrisch.service
Persistent=true
OnUnitActiveSec=10min
RandomizedDelaySec=30

[Install]
WantedBy=timers.target

The Requires=fangfrisch.service line in the timer is what makes this work: starting the timer also starts the service once, and OnUnitActiveSec= then schedules the next run 10 minutes after each activation. A timer with only OnUnitActiveSec= and no such first activation would never fire; adding an OnBootSec= line is the more common way to achieve the same. Run this command to activate the timer:

# systemctl enable --now fangfrisch.timer

Ignoring virus definitions

It is possible that you hit false positives with certain definitions. If you want to completely disable a specific signature, add its name to a text file with the ign2 extension in /var/lib/clamav/. For example, the signature Sanesecurity.Badmacro.Doc.hypers caused a false positive for me, so I created the file /var/lib/clamav/local_whitelist.ign2 with this content:

Sanesecurity.Badmacro.Doc.hypers

To make clamd reload its databases after this change, run:

# sudo -u clamav clamdscan --reload

Conclusion

With free third-party databases (Sanesecurity, URLHaus, Clam-punch, Twinclams, R-FX LMD, InterServer and ditekshen) it is possible to drastically improve the detection rate of ClamAV, making it an excellent virus scanner for e-mail and web servers, at least in combination with Amavis' configuration to block dangerous file types (such as exe, com, vbs, dll, pif, etc.) and a well configured and trained SpamAssassin. If you want the best protection, add a subscription to the SecuriteInfo feeds.

The truth about Coronalert and decentralised contact tracing apps

Table of contents

Too long to read it all? Skip straight to the conclusion.

Those who know me a little know that I consider privacy very important. That is why, when people started talking about contact tracing apps for COVID-19 a few months ago, I thought they were a very bad idea. An app that constantly keeps track of where you are and whom you meet is something you expect only in undemocratic countries and dictatorial regimes, not in Europe, where our privacy should be guaranteed by the GDPR. And what about the reliability of these apps? Bluetooth was never designed for such applications. It would lead to many false warnings. No way I would ever install such an app.

At least, that was my opinion a few months ago. In the meantime my opinion has changed completely. That happened after reading about decentralised contact tracing apps based on the Google and Apple Exposure Notification (GAEN) API and DP-3T. I have already used the Italian contact tracing app Immuni in Italy, and in Belgium I use the Coronalert app (Android version, iPhone version).

DP-3T

Decentralized Privacy-Preserving Proximity Tracing, or DP-3T, is an open protocol developed by several universities, including ETH and EPFL from Switzerland, KU Leuven from Belgium and TU Delft from the Netherlands.

The following cartoon gives a simple overview of how DP-3T works.

Every day a new random seed (based on the previous day's seed) is generated on each user's phone, and this daily seed is kept on the phone for 14 days. From this seed, ephemeral identifiers (EphIDs) are derived. These EphIDs change several times per hour.

EphIDs are exchanged with other users of the tracing app via Bluetooth Low Energy (BLE), and each phone stores the EphIDs it has received locally, together with the date and the signal strength, which can be used to estimate the distance.

When someone tests positive for COVID-19, they can, with the help of the health authorities, upload the seed of the first day on which they were infectious to a central server. At that moment all previous daily seeds are erased from the phone and a completely new random daily seed is generated, so that the user cannot be tracked in the future either.

The app regularly downloads the list of all daily seeds of infected users from the central server and can compute all their EphIDs from them. The app compares these EphIDs with the list of EphIDs it has recently encountered. From the number of matching EphIDs the app can calculate how long the two were near each other, and from the stored signal strength it can estimate the distance. If the two were within a certain distance of each other for longer than a certain time, the user receives a warning that they have been in contact with an infectious person, together with further instructions. A contact with an infected person is called an "exposure" in English; Coronalert uses the Dutch term "blootstelling".
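As an added illustration (not code from the DP-3T project, Coronalert or the GAEN framework), here is a toy Python model of the steps just described: a forward-only daily seed chain, EphIDs derived from each seed, upload of the first infectious day's seed followed by a reseed, and the receiving phone's matching of published seeds against its stored observations. The 15-minute epoch, the 60 dB attenuation cut-off and the "broadcast key" PRF label are assumptions, and the white paper's AES-CTR PRG with shuffled EphID order is replaced by an HMAC-based expansion.

```python
import hashlib
import hmac
import os

EPHID_LEN = 16                 # bytes per ephemeral identifier
EPOCH_MINUTES = 15             # one EphID per 15-minute epoch, 96 per day
EPOCHS_PER_DAY = 24 * 60 // EPOCH_MINUTES
ALERT_MINUTES = 15             # warning threshold used by Coronalert/SwissCovid
CLOSE_ATTENUATION_DB = 60      # constructed cut-off standing in for "within 1.5 m"

def next_seed(seed):
    """SK(t+1) = SHA-256(SK(t)): a released seed reveals that day and later ones only."""
    return hashlib.sha256(seed).digest()

def ephids_for_day(seed):
    """Expand PRF(SK, "broadcast key") into 96 EphIDs with a counter-mode HMAC PRG
    (the white paper uses AES-CTR and shuffles the order; both simplified here)."""
    prk = hmac.new(seed, b"broadcast key", hashlib.sha256).digest()
    need = EPOCHS_PER_DAY * EPHID_LEN
    stream = b"".join(hmac.new(prk, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(need // 32 + 1))
    return [stream[i:i + EPHID_LEN] for i in range(0, need, EPHID_LEN)]

class Phone:
    def __init__(self):
        self.day = 0
        self.seeds = {0: os.urandom(32)}   # day -> SK(day); a real app prunes after 14 days
        self.observed = []                 # (day, EphID, attenuation dB) heard over BLE
    def new_day(self):
        self.day += 1
        self.seeds[self.day] = next_seed(self.seeds[self.day - 1])
    def broadcast(self, epoch):
        return ephids_for_day(self.seeds[self.day])[epoch]
    def observe(self, ephid, attenuation_db):
        self.observed.append((self.day, ephid, attenuation_db))
    def report_positive(self, first_infectious_day):
        """Upload the seed of the first infectious day, then wipe and reseed."""
        released = (first_infectious_day, self.seeds[first_infectious_day])
        self.seeds = {self.day: os.urandom(32)}
        return released

def exposure_minutes(released, observed, today):
    """After downloading a published seed, recompute the infected user's EphIDs
    day by day and count the close-range matches, as the app does."""
    day, seed = released
    minutes = 0
    while day <= today:
        ids = set(ephids_for_day(seed))
        minutes += EPOCH_MINUTES * sum(1 for d, e, att in observed if d == day
                                       and e in ids and att <= CLOSE_ATTENUATION_DB)
        day, seed = day + 1, next_seed(seed)
    return minutes

def simulate():
    """Constructed scenario: Alice and Bob meet, Alice later tests positive."""
    alice, bob = Phone(), Phone()
    bob.observe(alice.broadcast(0), 50)           # day 0: Alice not yet infectious
    for _ in range(2):
        alice.new_day(); bob.new_day()            # day 2: Alice's first infectious day
    for epoch, att in [(0, 50), (1, 50), (2, 85), (3, 85), (4, 85)]:
        bob.observe(alice.broadcast(epoch), att)  # 2 close epochs (30 min), 3 far ones
    alice.new_day(); bob.new_day()                # day 3: positive test and upload
    released = alice.report_positive(first_infectious_day=2)
    minutes = exposure_minutes(released, bob.observed, today=bob.day)
    # After the reset, Alice's new EphIDs are unrelated to the published chain.
    linkable = alice.broadcast(0) in set(ephids_for_day(next_seed(released[1])))
    return {"minutes": minutes, "alert": minutes >= ALERT_MINUTES,
            "linkable_after_reset": linkable}
```

The day-0 observation is never counted because the published seed only lets Bob recompute day 2 and later, and the three far-away epochs are filtered out by the attenuation cut-off.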

More details can be found in the DP-3T white paper.

Apple/Google Exposure Notifications API

The Google/Apple Exposure Notifications API (sometimes abbreviated as GAEN) is an API developed by Google and Apple that can be used by decentralised contact tracing apps. This API is based on the principles of the DP-3T protocol and can only be used by apps approved by Google and Apple: only one app per country, developed by the official health authorities, can be approved. Only decentralised apps that collect no information whatsoever about users' location are approved.

On Apple iOS, apps normally cannot use Bluetooth in the background, but an exception was made for apps that use this API. This means that on the Apple iPhone, this API is the only way to build a reliable contact tracing app. Apps that do not use this API, such as the StopCovid France app, have to rely on workarounds to bring the app from the background to the foreground, which potentially makes them less reliable and has a negative effect on battery consumption.

The DP-3T framework was adapted to make use of the Exposure Notifications API.

The Google/Apple Exposure Notifications API and DP-3T are used by the Belgian contact tracing app Coronalert. Other apps using this API are Coronamelder (Netherlands), SwissCovid (Switzerland), Immuni (Italy) and Corona-Warn-App (Germany).

The source code of the implementation of the framework for Android and iOS was published in the second half of July 2020.

Frequently asked questions (FAQ) – some myths debunked

These apps are sometimes the subject of deliberate fake news campaigns, or at least provoke fierce reactions resulting from a lack of understanding of how they work. Here I will answer some important questions.

Do these apps violate my privacy? Will the authorities know whom I meet, where I am and what I do?

Apps that use the Google Apple Exposure Notification API do not store any personal information about their users: they do not know your name, your telephone number, where you live or any other personal data. They also do not collect location data, so they do not know where you are.

The only thing these apps do is exchange anonymous codes with other people near you. These codes change several times a day, so it is impossible to track you by means of these codes.

The codes that are exchanged are only stored locally on your phone and not in a central database. So there is no way for the authorities to know how many people you have met, or whom.

In addition, contact tracing apps use extensive preventive measures to protect your security and privacy: for instance they perform dummy uploads to prevent network analysis from revealing who has had a positive test, they use CA or certificate pinning to prevent man-in-the-middle attacks, and so on.

These apps are not a tool for mass surveillance and they are not Big Brother, as some claim.

How can I be sure that the app works as claimed and really does not send any private information?

These apps are usually open source, which means that you can examine the code yourself to see how the app works and what exactly it does. Even if you do not have the knowledge to review the code yourself, you can be sure that there are enough experts looking at it, and they will make themselves heard loud and clear if something is not above board. It must be said: often those who shout the loudest about these apps are opposition politicians and activists who have never looked at the code or the documentation.

Here are links to the source code of some contact tracing apps and their documentation:

Problems can be reported and questions asked on the issue trackers of these apps.

The source code of the Exposure Notifications framework used by these apps is also public:

A first analysis of the source code of the Coronalert app shows that it indeed does not store and send more data than announced, and that Sciensano and Ixor (the Belgian company that manages the backend servers) never receive personal data from the app.

Why should I now trust Google and Apple, which have a poor reputation when it comes to privacy?

Actually, Google and Apple do not even need this API to track you. If you use a phone with iOS or Android with Google Play Services, you already have a much bigger privacy problem than these decentralised, open source contact tracing apps. The same goes if you use Facebook, Twitter, Instagram, TikTok, Netflix, Spotify, FaceApp, Tinder and similar apps: they know your name, your location, your interests and your friends, all without this API. Decentralised contact tracing apps know far less about you than all of these apps. This image compares the different permissions that SwissCovid, Facebook and WhatsApp can request on iOS. It is clear that the contact tracing app is not the one that can collect the most information.

Prof. Bart Preneel (KU Leuven), a cryptographer who contributed to the development of the DP-3T framework, says that "for once, Google and Apple are choosing the right side of privacy".

There is also a way to use these contact tracing apps without any Google services on your phone. The microG project has made its own, fully open source implementation of the Exposure Notification API. It can be installed on an Android distribution such as LineageOS. It has been confirmed that SwissCovid and Immuni work with microG's implementation of the API, so other apps probably work too. This way it is possible to use these contact tracing apps without any binary code from Google or Apple.

Why does Coronalert require Location to be enabled on my Android phone if the app supposedly does not track my location?

To scan for Bluetooth devices on Android, the location setting has to be enabled, because in theory Bluetooth scanning can be used to determine your position. Navigation apps, for instance, use this to determine your position in underground tunnels. In reality, apps that use the GAEN API are not allowed to request your location. It can also be verified in the app's source code that the location is never determined. In Settings – Location – App-level permissions you can also still disable location access for apps. Coronalert (or any other contact tracing app based on the Exposure Notifications API) will not appear in that list because it does not request the location.

In Android 11, released in September 2020, it is no longer necessary to have Location enabled on your phone to use contact tracing apps based on the Exposure Notification API.

Will these apps warn me every time an infected person has passed by, and thus produce many false warnings?

The apps only give a warning when certain conditions are met. Those conditions are usually set by the government based on epidemiological data. The Italian Immuni app, for example, warns when someone has been within a distance of at most 2 metres for at least 15 minutes. SwissCovid only warns after a contact of at least 15 minutes within a distance of 1.5 m.

The distance is estimated from the attenuation of the signal. Unfortunately, that attenuation depends on many parameters, such as the phone model used, the direction in which the phone is held, and so on. Google applies a per-model correction to the attenuation so that values should be comparable between different models. The thresholds used to issue warnings are based on experiments in various environments and may be adjusted in the future to tune the number of false positives and false negatives.

So no, contact tracing apps will not warn you every time someone who briefly passed near you tests positive. You will only get a warning when very reasonable thresholds are exceeded. The authorities also realise that these contact tracing apps are an aid to tracing but can never replace manual contact tracing. A contact tracing app can also never replace a COVID-19 test.

In practice, Coronalert will also show non-risky contacts: the app will then state that there has been an exposure, but the risk remains low and the app stays green. Only for a contact longer than 15 minutes at an estimated distance of less than 1.5 m will the screen turn red and a notification about a high-risk contact appear. Only in that last case will quarantine and a test be recommended.

Are these apps useful if not everyone, or at least a large part of the population, uses them?

Contact tracing apps are certainly useful, even if only part of the population uses them.

An often-cited article from Oxford University states that if 60% of the population uses a contact tracing app, this could halt the epidemic completely. What is cited far less often is the next part of the sentence: "even with a lower number of app users, we estimate a reduction in the number of coronavirus cases and deaths". They estimate that one infection can be prevented for every 2 users of the contact tracing app.

So even an adoption rate of less than 60% is useful to help flatten the curve or even bring it down, saving lives.

Will this be disastrous for my phone's battery consumption?

Because Bluetooth Low Energy is used, battery consumption should be limited. Bluetooth Low Energy was specifically designed for low power consumption and is also used to connect to smartwatches and wireless headphones. Battery consumption should be less than 5% compared to a situation in which Bluetooth is completely disabled on the phone.

Do I have to install another app when I go abroad?

With the support of the European Union, a gateway service was built that enables the exchange of keys of infected persons between European countries. It went into operation on 19 October 2020, and since then the Italian (Immuni), German (Corona-Warn-App) and Irish (COVID Tracker) apps can make use of it. The intention is that the apps of other EU countries will gain this support in the future as well. For the Belgian Coronalert app, this is expected by November 2020.

Note that no exchange is possible with the StopCovid France app, because it uses a centralised system instead of the decentralised DP-3T.

What do experts think of these apps?

It is important to repeat that DP-3T, and thus the Google/Apple Exposure Notifications framework based on it, was designed by academics from universities in several countries. Prof. Bart Preneel (KU Leuven), a cryptographer who contributed to the development of the DP-3T framework, says that "for once, Google and Apple are choosing the right side of privacy".

The British Information Commissioner's Office (the national data protection authority) "believes that the CTF (Google/Apple's contact tracing framework) takes the principles of data protection into account by design, including design principles around data minimisation and security".

Prof. Douglas Leith (Trinity College Dublin) has analysed the network traffic of contact tracing apps. In a report he concludes: "We find that the apps generally behave well with regard to privacy, although the privacy of the Irish, Polish and Latvian apps could be improved." He did criticise the fact that the Google/Apple Exposure Notifications framework was not open source at that time (its code has since been made public) and the fact that Google Play Services send private data to Google (something that happens on all Android phones with Google Play Services, regardless of the presence of this framework).

Analyses of the source code of the apps, such as this one of Coronalert and this one of Immuni, show that the apps do not store or send personal data.

The strongest criticism of the framework comes from Prof. Serge Vaudenay, cryptographer at EPFL. He complains about the fact that GAEN was (at the time) closed source and states that a number of attacks on the system are possible. The DP-3T team has responded to the criticism.

Conclusion

Forget all the conspiracy theories and the objections of privacy activists who have never investigated how these apps work: decentralised open-source contact tracing apps using the Google/Apple Exposure Notification API are not Big Brother and not an instrument for mass surveillance of the population. The protocol was developed by academics specialised in IT security and privacy, and the source code of the apps can be reviewed by anyone. Extensive documentation describes how the apps work and explains everything that is done to protect users' privacy. By using anonymous ephemeral IDs and not collecting location data, these contact tracing apps know less about you than most social network apps or even the operating system of your phone. If you are worried about your privacy, you have more important things to worry about.

Contact tracing apps can be very useful in fighting the epidemic, even if only a small part of the population uses them. For me, using these apps is simply a matter of responsibility: to protect others, to protect our society and economy, and ultimately to be protected myself by others who use the app.

More information

History of this article

Update 19 September 2020: added links to the Coronalert source code – added information about microG's implementation of the API

Update 29 September 2020: added information about the EU gateway service

Update 13 October 2020: added information about low-risk and high-risk contacts in Coronalert

Update 19 October 2020: EU federation gateway active in 3 countries

Setting up Linux on a desktop or laptop system, part 1: choosing a Linux distribution and a desktop environment

Which Linux distribution?

The most widely used distribution is Ubuntu. Other popular desktop distributions are Linux Mint, Fedora, OpenSUSE Tumbleweed and Manjaro. Personally I prefer to use Debian, not only on servers but also on desktop systems, but this distribution does require more manual work to set up on a desktop system, so it is not the easiest choice if you are new to Linux. In that case I would recommend some of the Ubuntu variants or Linux Mint.

Choose a recent version of your Linux distribution of choice. If you use Ubuntu, install the latest LTS version (20.04 Focal Fossa at the time of writing) and, if you encounter problems related to hardware support, consider using the latest non-LTS version (20.10 Groovy Gorilla will be available at the end of October 2020; you can download daily builds if you want to test this version while it is in development). I recommend Debian users to install the testing version on recent hardware.

Which desktop environment?

You will have to choose which desktop environment you want to use on your Linux system. Depending on your distribution, you make this choice before downloading the ISO, or during the installation.

The most widely used desktop environments are GNOME, KDE Plasma, Cinnamon and XFCE. The first three desktop environments get updates and improvements more often than XFCE and are more complete: for this reason I would recommend one of these. XFCE on the other hand is interesting as a lightweight desktop for older hardware.

KDE is very customizable, but the many configuration options can be overwhelming at times. GNOME is less customizable and tries to deliver a user-friendly modern desktop out of the box. If you want a simple clean desktop with a more traditional, Windows- or macOS-like desktop, then you can consider Cinnamon.

In the next table you will find links to the different editions of popular distributions. Some distributions have a default or preferred desktop, one in which they invest most work.

| Distribution | GNOME | KDE Plasma | Cinnamon | XFCE |
|---|---|---|---|---|
| Ubuntu | Ubuntu Desktop | Kubuntu | Ubuntu Cinnamon Remix | Xubuntu |
| Linux Mint | no installer available | no installer available | Linux Mint Cinnamon | Linux Mint XFCE |
| Fedora | Fedora Workstation | Fedora KDE Plasma | Fedora Cinnamon | Fedora XFCE |
| OpenSUSE Tumbleweed | You choose your desktop during the installation: OpenSUSE Tumbleweed installation ISOs. Cinnamon can only be added after the installation. | | | |
| Manjaro | Manjaro GNOME | Manjaro KDE Plasma | Manjaro Cinnamon | Manjaro XFCE |
| Debian | You choose your desktop during the installation: Debian Testing installer | | | |

If you like KDE Plasma, you can also consider installing the KDE Neon distribution. It is an Ubuntu LTS with the latest KDE packages installed. This way it provides a more up-to-date and more standard KDE experience than Kubuntu. However, it lacks many standard non-KDE applications, which you will have to install yourself afterwards.

If you want to get a feeling of these distributions and desktops, you can test them out in a web browser on the website distrotest.net. All in all, I would recommend not spending too much time on choosing your distribution and desktop. Pick one of the beginner-friendly distributions and try it. If you really don’t like it, it is easy enough to install another distribution.