2629aabcc5
2 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Aaron D. Lee
|
2629aabcc5 |
Fix 12 security findings from adversarial audit
CRITICAL: - #1+#2: Consistency proof verification no longer a stub — implements actual hash chain reconstruction from proof hashes, rejects proofs that don't reconstruct to the expected root. GossipNode._verify_consistency now calls verify_consistency_proof() instead of just checking sizes. - #3: Remove passphrase.lower() from KDF — was silently discarding case entropy from mixed-case passphrases. Passphrases are now case-sensitive as users would expect. - #4: Federation gossip now applies record_filter (trust store check) on every received record before appending to the log. Untrusted attestor fingerprints are rejected with a warning. - #5: Killswitch disables all logging BEFORE activation to prevent audit log from recording killswitch activity that could survive an interrupted purge. Audit log destruction moved to position 4 (right after keys + flask secret, before other data). HIGH: - #6: CSRF exemption narrowed from entire dropbox blueprint to only the upload view function. Admin routes retain CSRF protection. - #7: /health endpoint returns only {"status":"ok"} to anonymous callers. Full operational report requires authentication. - #8: Metadata stripping now reconstructs image from pixel data only (Image.new + putdata), stripping XMP, IPTC, and ICC profiles — not just EXIF. - #9: Same as #6 (CSRF scope fix). MEDIUM: - #11: Receipt HMAC key changed from public upload token to server-side secret key, making valid receipts unforgeable by the source or anyone who captured the upload URL. - #12: Docker CMD no longer defaults to --no-https. HTTPS with self-signed cert is the default; --no-https requires explicit opt-in. - #14: shred return code now checked — non-zero exit falls through to the zero-overwrite fallback instead of silently succeeding. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|
Aaron D. Lee
|
496198d49a |
Add three-tier deployment infrastructure
Platform pivot from Raspberry Pi to three-tier model: - Tier 1: Bootable Debian Live USB for field reporters - Tier 2: Docker/K8s org server for newsrooms - Tier 3: Docker/K8s federation relay for VPS Tier 1 — Live USB (deploy/live-usb/): - build.sh: live-build based image builder for amd64 - Package list: Python + system deps + minimal GUI (openbox + Firefox) - Install hook: creates venv, pip installs soosef[web,cli,attest,...] - Hardening hook: disable swap/coredumps, UFW, auto-login to web UI - systemd service with security hardening (NoNewPrivileges, ProtectSystem) - Auto-opens Firefox kiosk to http://127.0.0.1:5000 on boot Tier 2+3 — Docker (deploy/docker/): - Multi-stage Dockerfile with two targets: - server: full web UI + stego + attestation + federation (Tier 2) - relay: lightweight FastAPI attestation API only (Tier 3) - docker-compose.yml with both services and persistent volumes - .dockerignore for clean builds Kubernetes (deploy/kubernetes/): - namespace.yaml, server-deployment.yaml, relay-deployment.yaml - PVCs, services, health checks, resource limits - Single-writer strategy (Recreate, not RollingUpdate) for SQLite safety - README with architecture diagram and deployment instructions Config presets (deploy/config-presets/): - low-threat.json: press freedom country (no killswitch, 30min sessions) - medium-threat.json: restricted press (48h deadman, USB monitoring) - high-threat.json: conflict zone (12h deadman, tamper monitoring, 5min sessions) - critical-threat.json: targeted surveillance (127.0.0.1 only, 6h deadman, 3min sessions) Deployment guide rewritten for three-tier model with RPi as legacy appendix. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |