Why Does Dropbox Add a Unique ID to Every Photo?

Following on from my last post about Dropbox changing my photos, I noticed a new exif field of “Image Unique ID” embedded by Dropbox in the image.

This ID would allow Dropbox to track unique files across their storage estate to avoid duplication. Equally, it could be used to track the original file and who uploaded it from a cropped version posted online, especially if law enforcement turned up with legal papers and demanded access.

Think about leaked documents or protest photos: yes, it’s good practice to strip the metadata out, but not everyone does.

This again comes back to what Dropbox and its camera upload feature are doing, and is it documented anywhere?

Note that Google Photos does not embed any tracking data in the exif of the image I tested by uploading and downloading it.

The Hash

The hash for IMG_7082 is 8af323e74def610b0000000000000000, which looks like a 128-bit hash but with only the first 64 bits populated. I’ve tried a number of hash tools on various parts of the original but they don’t match the unique ID. I have tested just the pure image data from the original and Dropbox-modified images.

Reverse engineering the hash function isn’t the real issue here; the real question is why has this ID been added?

Exchange Cumulative Update 8 and SSL certificates

This weekend, while I was patching and rebooting KVM systems for Venom, I took the opportunity to apply Microsoft’s latest Exchange Cumulative Update 8 to work’s Exchange server.

I ran the pre-upgrade checks and they picked up that my user wasn’t in the correct AD groups for schema updates. Once that was fixed the upgrade started without problems.

When the upgrade got to Section 10 – Mailbox role: Transport Services, the upgrade failed because a certificate had expired. Fine, just install an updated certificate, but all of the Exchange management tools have been uninstalled so you can’t get to the certificate.

When you rerun the installer it detects the failed install, tries to resume and fails at the same place. In the end I had to move the clock back two days on the server to get the management tools to install so that the certificate could be replaced.

I’ve reviewed the Microsoft documentation and I can’t see any reference to this problem, and it wasn’t detected in the pre-upgrade checks. I’m sure there is some PowerShell magic that could fix this but at 1am on a Monday morning I wasn’t all that interested in finding out!

Linux Capabilities and rsync, from presentation to practice

Hazel Smith gave an excellent talk at FLOSSUK’s Unconference in London about Linux Capabilities and using them as part of “least privilege” when running backups of Linux systems.

Hazel explained that by using Capabilities you can allow a single user (in this example backuphelper) when running a single binary (rsync) to read any file on the system. Hazel stressed in the presentation that this isn’t a privilege to give out lightly, however the ability to read any file isn’t a direct path to root. This level of privilege will allow access to for example hashed passwords or contents of any user’s files.

My personal backups use BackupPC, which can pull backups with tar, smbclient or, as I use, rsync over ssh.

The second half of this post documents how I put Hazel’s talk into practice on my Debian based systems. I have also uploaded to GitHub an example Ansible task I used to roll out the changes to my systems.

Target System Setup

First off install the support packages for capabilities.

sudo apt-get install libcap2-bin libpam-cap
sudo pam-auth-update

Run pam-auth-update and enable “Inheritable Capabilities Management”. If you prefer to manually manage the pam config files, then add the line “auth optional pam_cap.so” to /etc/pam.d/common-auth

You will also need to add the following line to /etc/security/capability.conf to allow backuphelper to retain cap_dac_read_search. The rules are applied in order, so make sure it’s above the default deny line “none  *”

cap_dac_read_search backuphelper

This next command sets cap_dac_read_search as Inheritable and Effective for the rsync binary. The net effect is that when the backuphelper user runs rsync that process can read any file on the system.

sudo setcap cap_dac_read_search+ei /usr/bin/rsync

The “belt and braces” setup Hazel recommended involves both locking down ssh access for the backuphelper user to ssh-keys only and locking the password on the account. To follow this advice add the following lines to /etc/ssh/sshd_config.

Match User backuphelper
 PasswordAuthentication no

And run the following command to lock the backuphelper account’s password

sudo passwd -l backuphelper

BackupPC Server Setup

The change needed here is very simple: you only need to change the user that pulls backups from your other systems. You will need to ensure that you have correctly set up the ssh keys etc. for the backuphelper user.

This can be done either via the web UI or by editing the .pl config file directly. You need to change “-l root” to “-l backuphelper” for the RsyncClientCmd. An example from one of my systems is

$Conf{RsyncClientCmd} = '$sshPath -q -x -l backuphelper $host $rsyncPath $argList+';

Debugging

Always be careful working with PAM, you can lock yourself out! It is worth having a root shell open “just in case” until you are familiar with the process.

A simple test is to log in via ssh as backuphelper and run “rsync -avn /root”. You shouldn’t get any permission denied errors and should see a list of files.

Something to bear in mind when debugging this is that running sudo from root -> user doesn’t give the user capabilities; you need to log in directly to test things.

If you want to see whether pam_cap is working when logged in you can do this:

grep CapInh /proc/$$/status

Use capsh --decode= on the resulting bit string to understand what permissions you’ve got.
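
As an added example (not part of the original post or of Hazel’s talk), this sketch models the check from the Debugging steps: it reads the CapInh mask, applies the execve() rule from capabilities(7), and shows why rsync gains cap_dac_read_search only when the login session holds it as inheritable. The sample status lines, the CapBnd value and the function names are constructed for illustration.

```shell
#!/bin/sh
# CAP_DAC_READ_SEARCH is capability number 2 in <linux/capability.h> (mask 0x4).
CAP_DAC_READ_SEARCH=2

# mask_field FIELD: read /proc/<pid>/status text on stdin, print FIELD's hex mask.
mask_field() { awk -v f="$1:" '$1 == f { print $2 }'; }

# has_cap HEXMASK BIT: succeed if capability number BIT is set in HEXMASK.
has_cap() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# exec_permitted P_INH F_INH F_PRM BOUND: permitted set after execve(), per
# capabilities(7) with no ambient set: (P_inh & F_inh) | (F_prm & bounding).
exec_permitted() { printf '%016x\n' $(( (0x$1 & 0x$2) | (0x$3 & 0x$4) )); }

# Constructed Cap* lines, in the format found in /proc/<pid>/status.
DIRECT_LOGIN='CapInh: 0000000000000004
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff'
NO_PAM_CAP='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff'

# File capabilities left on rsync by "setcap cap_dac_read_search+ei".
RSYNC_F_INH=0000000000000004   # inheritable (i)
RSYNC_F_PRM=0000000000000000   # permitted: not granted, the session must supply it

# rsync_gains_cap STATUS_TEXT: succeed if rsync started from that session ends up
# with cap_dac_read_search permitted (and effective, since the file's e flag is set).
rsync_gains_cap() {
    inh=$(printf '%s\n' "$1" | mask_field CapInh)
    bnd=$(printf '%s\n' "$1" | mask_field CapBnd)
    has_cap "$(exec_permitted "$inh" "$RSYNC_F_INH" "$RSYNC_F_PRM" "$bnd")" \
        "$CAP_DAC_READ_SEARCH"
}

for name in DIRECT_LOGIN NO_PAM_CAP; do
    eval "status=\$$name"
    if rsync_gains_cap "$status"; then
        echo "$name: rsync can read any file"
    else
        echo "$name: rsync runs with no extra privilege"
    fi
done
```

On a live system, pass the output of “grep Cap /proc/$$/status” from the backuphelper session as the argument to rsync_gains_cap instead of the constructed samples.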

Enabling ssh support in gpg-agent on Ubuntu

I recently replaced my old Yubikey with one of the new Yubikey NEOs. I wanted a simple and secure way of storing my GPG key as well as 2 factor authentication.

This post is about setting up and fixing Ubuntu 14.04 and 14.10 to enable ssh-agent functionality in gpg-agent. I assume that you have already securely generated and stored a gpg key in the Yubikey and have imported the key stubs into gpg.

This post is rather complex because Seahorse the gnome-keyring manager “supports” ssh and gpg agent type functionality and takes over ssh-agent and gpg-agent. The problem with Seahorse is that it doesn’t work with OpenPGP cards and a secondary problem is that you need to disable a number of other ssh key services.

First you will need to install the following packages, gnupg-agent and pcscd the smart card management service.

sudo apt-get install gnupg-agent pcscd

You need to disable gnome-keyring’s ssh and gpg agent functionality. Bug id 1387303 contains a fix to allow this, which has now been released as gnome-keyring – 3.10.1-1ubuntu7.1. Once this is installed you can disable the ssh and gpg agents in Unity’s startup applications, found under the settings menu.

You will need to enable both gpg-agent support in gpg and then ssh-agent support in gpg-agent. In the $HOME/.gnupg directory, add the line use-agent to gpg.conf and the line enable-ssh-support to gpg-agent.conf; you may need to create the files.

Next you need to install a fixed version of the gnupg-agent upstart init script so that it starts gpg-agent correctly with ssh key support. Install this script into the .init directory in your home directory; this overrides the system wide one.

mkdir -p "$HOME/.init"
wget -O "$HOME/.init/gnupg-agent.conf" http://www.programmierecke.net/howto/gpg-agent.conf

Finally you need to disable the “real” ssh-agent by commenting out the line in /etc/X11/Xsession.options; there aren’t any override options that I know of.

After restarting X or a reboot you should find that ssh-add -L prints out a long ssh key string. You are looking for the one that ends in card:XXXXX; this is the public half of your Yubikey gpg key in ssh key format.

With gnupg-agent providing ssh-agent services, you can use ssh-add to import existing SSH private keys into gpg’s secure key storage.

Hints and methods taken from: http://www.programmierecke.net/howto/gpg-ssh.html