jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
107 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 3e9df87cf1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3e9df87cf1'
${ noResults }
blog/content/2018/10/crash-dumps-do-i-submit-the...

120 lines
6.1 KiB
Raw Blame History 

  1. ---

  2. title: "Crash Dumps: Do I submit them?"

  3. description: >

  4.   TL;DR: No, they collect too much and aren't handled safely.

  5. posted: !!timestamp '2018-10-23'

  6. created: !!timestamp '2018-10-23'

  7. time: 3:54 PM

  8. tags:

  9.   - security

  10. ---

  11. 

  12. TL;DR: No, do not submit your crash dumps.  Consumers: No company has

  13. sane crash dump policies to ensure your privacy and PII is protected,

  14. minimized and secured.  Companies: You need to ensure that crash dumps

  15. are handled in a secure manner and that crash dumps are just that: a

  16. crash dump. Anything not directly related to a crash dump should be

  17. excluded. Usage statistics and the like do not belong in crash reports.

  18. 

  19. ## Why Not Send Dumps?

  20. 

  21. There is a long history of companies failing to minimize the data and

  22. to protect it.  Microsoft for years sent crash dumps over the internet

  23. in the clear

  24. ([WER & Privacy conerns](https://en.wikipedia.org/wiki/Windows_Error_Reporting#Privacy_concerns_and_use_by_the_NSA)).

  25. This allowed the NSA to harvest them, and develop 0-days for issues that

  26. MS failed to fix.  Google's Chrome would send a screencap of the entire

  27. Desktop along with it's crash dumps

  28. ([link](https://twitter.com/vmjulix/status/857482886097715200)).  It

  29. previously would only send the window, but now sends the entire screen.

  30. Though they provide a preview, there is no way to see exactly what

  31. information will be sent.

  32. 

  33. I do not relish in advising people to not submit crash dumps as this

  34. will impact developers ability to fix bugs.  But as with all aspects of

  35. security, companies continue to demonstrate that they are not willing

  36. to do the work that is necessary to protect user's data and their

  37. privacy.

  38. 

  39. ## Communication

  40. 

  41. You need to communicate to your users how crash dumps are handled.  Just

  42. saying, trust us, does not inspire confidence, as there are a large

  43. number of cases of data breaches where the company has said exactly that

  44. leading up to leaks.  The policy is the first step to demonstrating that

  45. you have thought about user's concerns and decided how you will handle

  46. their personal and sensitive data.

  47. 

  48. The policy also helps shape how employees will treat the data too.  By

  49. having the policy, it is a reiteration to the employees that user data

  50. isn't simply chaff, but that it needs to be protected and handled with

  51. care.

  52. 

  53. Just saying that it's protected by a privacy policy isn't enough.  For

  54. example, Google Chrome's Report an Issue says that the information is

  55. protected by their privacy policy, but if you read the Chrome browser

  56. Privacy Policy, there is nothing in there that says how the data is

  57. handled.  That it is handled like the rest of the data collected does

  58. not inspire confidence that the possibly confidential data that may be

  59. included will be handled with greater care.

  60. 

  61. ## How to handle dumps

  62. 

  63. The first step is to ensure that what is collected in the dump has

  64. minimum information needed to debug issues.  Code paths (back traces)

  65. are likely to be safe.  Data, such as arguments to functions, may include

  66. user data and needs to be carefully examined.  There are many different

  67. types of data that can be released from embarrassing (what website was

  68. visited), to security breach (including cookies/tokens for web sites

  69. that may not be yours), to confidential intellectual property leaking

  70. (source code, designs, etc).  Each of these may have different impact on

  71. the user, but should never happen.

  72. 

  73. Second, crash dumps need to be transmitted confidentially.  This means

  74. either using TLS or encrypting the dumps with a tool like GPG before

  75. sending.  This ensures that unauthorized parties are unable to view the

  76. contents.  The NSA used the dumps to gather information for their

  77. operations, which if Microsoft had properly protected their user's data,

  78. this would not have happened.

  79. 

  80. Third, they need to be stored in a secure manner and able to be

  81. expunged.  It should even be possible for the user to remove the crash

  82. dump if they discover that information was shared when it should not have

  83. been.  The life time that a company keeps the dumps should be limited.

  84. If you haven't fixed a bug from five years ago, how do you know you can

  85. reproduce it, or that if you are able to reproduce it, that the code is

  86. still present in your current software?  It the crash is a major issue,

  87. it is likely that you'll have more recent dumps that exhibit the same

  88. issue if it is a problem, so old dumps are just not as useful compared

  89. to the data that may be present.

  90. 

  91. As crash data needs to be deleted, almost any cloud service is immediately

  92. excluded unless other precautions are used, such as encryption.  With

  93. the cloud, you have zero visibility into how the data is managed and how

  94. or when it is backed up.  Cloud providers rarely tell you their retention

  95. policies on back ups, and other policies that may keep data around.  Do

  96. they securely remove your VM's storage when they migrate it?  Do they

  97. ensure that storage is deleted from all clones, shards, servers and

  98. backups when you delete it?  If not, how long will that data stay around

  99. before it is finally expunged.

  100. 

  101. Fourth, access to dumps need to be controlled.  Auditing is a good first

  102. step to know who is accessing the data, but additional measures like

  103. limiting who has access needs to be used.  Not everyone on the team needs

  104. access to them.  As they are classified, they can be assigned to teams

  105. or people that need access to the data in them.  This helps make sure

  106. that an employee isn't trolling for nudes or other confidential

  107. information.  It should also limit how easy data is copied out of the

  108. archive.  How these controls are put in place will vary by company.

  109. 

  110. Edit:  Case in point:  I recently opened a support case with Apple.

  111. Apple provides a program to collect data to send to them to help trouble

  112. shoot the issue.   The program collected 280 MB of data.  When uploading

  113. the data, Apple informs the user that it is their responsibility to NOT

  114. submit any personal information that they don't want.  There is no way

  115. most people are qualified to look at the data, and even redact it

  116. properly.  I

  117. [attempted to do so](https://twitter.com/encthenet/status/1057445997373087744),

  118. and it took a very long time, and I'm not sure that I got everything.

  119. Expecting a normal computer user to be able to do this is insane.