Re: [Tails-dev] [RFC] Design (and prototype) for MAC spoofin…

Delete this message

Reply to this message
Autore: intrigeri
Data:  
To: The Tails public development discussion list
Oggetto: Re: [Tails-dev] [RFC] Design (and prototype) for MAC spoofing in Tails
Hi,

anonym wrote (26 Nov 2013 17:11:30 GMT) :
> 21/11/13 09:10, intrigeri wrote:


> What do you think about commit c177710?


Much better. Simplified a bit more in commit 3b41123.

>> * Regarding "It would obviously require to drop `set -e`, because
>> errors are indeed what could cause this to happen." --> err, well,
>> I kinda disagree that letting errors propagate further, just so we
>> can enjoy detecting it later, is "obvious". "set -e" detects a given
>> class of error conditions, great. The proposed failsafe check would
>> detect another (probably overlapping) class of error conditions.
>> I think that both should coexist.


> My point is that `set -e` doesn't simply "detect" errors, like you put
> it; it *terminates* the script upon certain error conditions, which
> most likely prevents whatever failsafe we have from detecting its class
> of errors (at least the non-overlapping part) and warn the user etc. Or
> am I misunderstanding how you want this failsafe to be implemented?


I think I now see what you mean.

My main concern is that removing `set -e' could lead to situations
when the failure detection code or the "fail close" code itself fails
at runtime for some reason, and then a MAC spoofing failure goes
silently undetected.

What I meant was:

  1. Have `set -e' detect its own class of errors and abort the
     script, and let the caller of this script handle this nicely.
  2. Have failsafe code at the end of tails-spoof-mac handle the cases
     that `set -e' didn't detect.


However, the script we're talking of (tails-spoof-mac) is run by udev
rules, so my #1 above can't be done that easily.

How about:

  1. Have the udev rule run a very simple, carefully written and
     robust wrapper script that runs tails-spoof-mac.
  2. Have failsafe code at the end of tails-spoof-mac handle the more
     or less expected failure modes that `set -e' didn't detect (I
     mean, e.g. some firmware that answers macchanger "yeah, OK, I'll
     use this MAC address" but actually doesn't record the change),
     and return 0 if the "fail close" protection can be
     successfully applied.
  3. Have the wrapper handle the unexpected cases when tails-spoof-mac
     returns with non-zero exit code (presumably due to `set -e'
     aborting it).


Then, the wrapper script is the only part that is not allowed to have
bugs, and we have a way to sanely handle bugs that tails-spoof-mac or
any of its dependencies (macchanger, our shell library) might expose
in corner cases we've not thought of yet.

Cheers!
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc