[coreboot] Coreboots Board Status have privacy issues for contributors

Discussion:

j***@goat.si

2018-11-25 17:24:06 UTC

I took a look into https://review.coreboot.org/cgit/board-status.git?

The commit here
https://review.coreboot.org/cgit/board-status.git/commit/?id=72945dee4c60b90cdf6c507f4847c26028a56a09
tells me for example that the MAC address from Paul Menzel is
bc:5f:f4:c8:d3:98 .
The mac address from the WLAN Router Patrick Georgi is using is based on
this commit
https://review.coreboot.org/cgit/board-status.git/commit/?id=addd59d8fb55dc62a7d8e9ec730612f63fc5d61a
the mac 70:3a:cb:bd:fd:e3 . This is probably some Google device his
device is connecting to because the mac range is registered to Google
Inc. Now i can lookup in public wifi databases and in some cases i then
know where the users lives.
The mac address from Chris Thompson is 6c:f0:49:47:22:4d based on
https://review.coreboot.org/cgit/board-status.git/commit/?id=da41a5a88bebc9ffbe2cbc9a38a5fba530496daf

And the mac address from Denis 'GNUtoo' Carikli who is using parabola as
os was using a Hitachi HDP725050GLA360 with firmware GM4OA52A and a
second WDC WD5000AAKB-00YSA0 with firmware 12.01C02 and have switched
now to a ST9160314AS with 0002SDM1 firmware. His mac address of one of
his computers is bc:5f:f4:9c:b7:32 . In this computer he is using a
KINGSTON SV300S37A240G with firmware 603ABBF0 .

I was thinking of contributing to the Board Status but i dont want to
release any private data and wont contribute now. What is the usage of
the world to know what mac address the people are using?

Please fix this to:
1) Remove kernel log and replace it with "uname -r" to just know the
kernel version.
2) Please make the contribution without the force of having to register
to git. Make a public account that have just access to the
board-status.git and set this public account into the code itself. Then
there can be for example a simple live linux iso that people can boot
with LAN cable connected. No requirement of installation software, of
setting things up or anything like that.

--
coreboot mailing list: ***@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Arthur Heymans

2018-11-25 17:54:15 UTC

Permalink

I was thinking of contributing to the Board Status but i dont want to release
any private data and wont contribute now. What is the usage of the world to know
what mac address the people are using?

Feel free to edit the kernel log.

1) Remove kernel log and replace it with "uname -r" to just know the kernel
version.

The kernel log does contain other useful information, so dropping it
would make the board status repo less useful.

--
==============
Arthur Heymans
--
coreboot mailing list: ***@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Nico Huber

2018-11-25 21:02:16 UTC

Permalink

Post by j***@goat.si
the mac 70:3a:cb:bd:fd:e3 . This is probably some Google device his
device is connecting to because the mac range is registered to Google
Inc. Now i can lookup in public wifi databases and in some cases i then
know where the users lives.

You can also just ask them where they live. Whereby I want to say, not
everybody is in the same paranoid mode.

Post by j***@goat.si
I was thinking of contributing to the Board Status but i dont want to
release any private data and wont contribute now. What is the usage of
the world to know what mac address the people are using?

There is no usage. It just makes the script simpler that gathers the
information.
No, you, please fix this. You are very welcome to contribute patches.

Post by j***@goat.si
1) Remove kernel log and replace it with "uname -r" to just know the
kernel version.

This makes no sense, nobody asked for the kernel version. We want to see
kernel messages. You can however implement a heuristic to filter per-
sonal information.

Post by j***@goat.si
2) Please make the contribution without the force of having to register
to git. Make a public account that have just access to the
board-status.git and set this public account into the code itself.

You are free to set something like this up and redirect all pushes to
your Gerrit account. *After* you filtered spam.

Post by j***@goat.si
Then
there can be for example a simple live linux iso that people can boot
with LAN cable connected. No requirement of installation software, of
setting things up or anything like that.

Yes, please implement that. Again patches are welcome. We don't lack
ideas, we lack the time to set things up. So once you are done with
that, feel free to ask what else you can do.

Nico

--
coreboot mailing list: ***@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

Mike Banon

2018-11-25 22:32:30 UTC

Permalink

I've already raised this board_status.sh issue a few months earlier,
together with the proposed fix (which I forgot to transform into a
patch, perhaps because no one replied to me) -
https://mail.coreboot.org/pipermail/coreboot/2018-April/086488.html .
It could be hard to create an automatic filter which will successfully
erase all the information that you believe is private, and also there
could be different estimates of what is private and what is not.
Perhaps the easiest solution is just to insert a pause before
uploading the results, so that a user could use this pause to remove
the log parts that he considers as private. Also, this way only the
user will be responsible for removing his private information and
there wouldn't be any complains like "your script didn't remove X and
some 3-letter-agency hacked me by using this knowledge"

Post by Nico Huber

You can also just ask them where they live. Whereby I want to say, not
everybody is in the same paranoid mode.

There is no usage. It just makes the script simpler that gathers the
information.
No, you, please fix this. You are very welcome to contribute patches.

Post by j***@goat.si
1) Remove kernel log and replace it with "uname -r" to just know the
kernel version.

This makes no sense, nobody asked for the kernel version. We want to see
kernel messages. You can however implement a heuristic to filter per-
sonal information.

You are free to set something like this up and redirect all pushes to
your Gerrit account. *After* you filtered spam.

Yes, please implement that. Again patches are welcome. We don't lack
ideas, we lack the time to set things up. So once you are done with
that, feel free to ask what else you can do.
Nico
--
https://mail.coreboot.org/mailman/listinfo/coreboot

--
coreboot mailing list: ***@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot

David Hendricks

2018-11-26 06:41:02 UTC

Permalink

Thanks for pointing out these issues.

For what it's worth, the user must use the '-u' option to upload results.
And as Arthur points out you can edit logs and such yourself to scrub any
private data. The script just automates a few steps for convenience, though
obviously we'd like a reasonably uniform data set to compare with. You're
right that we don't need to know anyone's MAC address for coreboot
development; however as others have pointed out a full kernel log is useful
since firmware issues often manifest themselves there (memory map
incorrect, devices not enabled, etc) so it's good to have them for
comparison.

Still, a pause as Mike suggested and perhaps a scary warning or two could
be useful.

Then there can be for example a simple live linux iso that people can boot

Post by j***@goat.si
with LAN cable connected. No requirement of installation software, of
setting things up or anything like that.

There is one - See util/board_status/set_up_live_image.sh .

Julius Werner

2018-11-29 01:33:29 UTC

Permalink

Sounds like something that should be pretty simple to automate in the
uploader script? While it's probably good to also have a warning and
clarify that the final obligation lies with the uploader, there's no
reason we can't help them by adding sanitization for common issues as
we find them.

We're doing something similar when we collect Chrome OS crash reports
(these don't get made public so the impact isn't as high, but the
basic idea is the same), so we could just steal or at least take
inspiration from that code:
https://chromium.googlesource.com/chromiumos/platform2/+/master/crash-reporter/crash_collector.cc#262

(Note in particular the extra care taken to distinguish MAC addresses
from ATA ACPI commands, that's probably useful for our case as well?
Although maybe not anymore these days...)
On Sun, Nov 25, 2018 at 10:42 PM David Hendricks

Post by David Hendricks

Thanks for pointing out these issues.
For what it's worth, the user must use the '-u' option to upload results. And as Arthur points out you can edit logs and such yourself to scrub any private data. The script just automates a few steps for convenience, though obviously we'd like a reasonably uniform data set to compare with. You're right that we don't need to know anyone's MAC address for coreboot development; however as others have pointed out a full kernel log is useful since firmware issues often manifest themselves there (memory map incorrect, devices not enabled, etc) so it's good to have them for comparison.
Still, a pause as Mike suggested and perhaps a scary warning or two could be useful.

Post by j***@goat.si
Then there can be for example a simple live linux iso that people can boot
with LAN cable connected. No requirement of installation software, of
setting things up or anything like that.

There is one - See util/board_status/set_up_live_image.sh .
--
https://mail.coreboot.org/mailman/listinfo/coreboot

--
coreboot mailing list: ***@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot