[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

VLC Apparmor Profile (WIP) / streaming documentation for Whonix / install youtube-dl by default


#1

Oops, yes! Which reminds me… Shouldn’t VLC have an apparmor profile given that it’s bundled with Whonix & network facing? I see there was some discussion about it 2 years ago: Whonix AppArmor Profiles Development Discussion

Neither Debian nor Ubuntu have VLC profiles:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles
https://packages.debian.org/jessie/all/apparmor-profiles/filelist
https://packages.debian.org/jessie/all/apparmor-profiles-extra/filelist

If I manage to put one together, should I have apparmor block networking completely? Is anyone actually streaming with it? My impression is that people are using it for offline viewing and might actually be surprised that it is network-enabled. I think video streaming should be done inside tor browser? (or perhaps there’s a way to limit it to LAN shares.)

There’s a profile here: http://www.insanitybit.com/2013/12/31/vlc-apparmor-profile/
(with zero comments, so not very helpful - to me anyway)


#2

Hi entropy,

Great idea! :slight_smile:

VLC is not without a host of it’s own buffer/heap overflows etc that allow arbitrary code execution, memory corruption and other nasties, plus it relies on a ton of third party libraries which they cannot vouch for. See here:

https://www.videolan.org/security/

But, the VLC profile should allow networking for streaming. It is useful for internet radio, video, podcasts and many other things.

IMHO it is insane for people to regularly stream media with Tor Browser. The attack surface of Firefox ESR and all other browsers is huge, let alone allowing the gambit of Javascript. Compare how many critical security vulnerabilities are seen in regular browser updates vs media players.

Schneier has outlined all the boning general Tor Browser users get e.g. FoxAcid, Quantum and so on. At this stage I have no doubt that all Tor users are automatically targeted by systems that do not require any human input.

Whonix users would be better off security-wise streaming Youtube and other media where possible via the “Media” -> “Open Network Stream” function in VLC, preferably in a separate Whonix Workstation from their other activities to get proper stream isolation.

Why give Youtube and their ilk (the corporate, surveillance-capitalist, government-partner extraordinaires) any information via temporary Javascript permissions? They can go fuck themselves. :smiling_imp:

On a side note, it’s worth reminding Whonix users that ‘free streaming’ sites are plagued with malware ads, drive-by malicious downloads and other payloads aimed at malicious behaviour. Qubes users should preferably only use those sites with disposable VMs to throw out any likely corruption after a session.

https://www.cs.stonybrook.edu/about-us/News/Its-Free-Reason-Security-Risks-Live-Streaming

Watch sports on free livestreaming websites? Bad news: there’s a 50 per cent chance those overlay ads are malicious.

Analysis of more than 23,000 free streaming websites revealed that, perhaps unsurprisingly, the illegal streams posed a major security risk, exposing people to malware, data theft and financial scams.

Researchers from the university of KU Leuven in Belgium and Stony Brook University in the US used a semi-automated tool to identify and analyse livestreaming sites. The 23,000 sites found corresponded to 5,600 domain names, 20 per cent of which were in Alexa’s top 100,000 websites.

The semi-automated system then visited these sites 850,000 times and analysed more than one terabyte of resulting traffic. From those visits, as many as half of the adverts turned out to be malicious.

“It’s a public secret that the [free livestreaming] ecosystem is not averse to using deceptive techniques to make money from the millions of users who use their services,” said Nick Nikiforakis, assistant professor from the department of computer science at Stony Brook University.

Many overlay adverts on livestreaming sports sites have fake close buttons, or close buttons that move when a mouse is hovered over them. This deceptiveness exposes users to further risk of being exposed to malware.

“In addition to exposing numerous copyright and trademark infringements, we found that clicking on video overlay ads leads users to malware-hosting webpages in 50 per cent of the cases," said Zubair Rafique, a PhD student in computer science at KU Leuven who worked on the project.


#3

Wow, great information. Thank you!

IIRC, we don’t have any information pertaining to streaming online multimedia content in the Wiki.

I think the usual advice goes something like this:

  1. Download video using third-party site like keepvid.com
  2. Move to an offline temporary / disposable VM
  3. Playback and destroy VM

For those that don’t want to download the video in full, a more risky option:

  1. Browse video site with Javascript OFF.
  2. Grab the direct video URL (somehow)
  3. Stream using VLC

The worst possible method:

  1. Turn on Javascript
  2. Stream directly from the website using your Browser.

So I was looking around for possibilities, and I came across this package in the debian repos:

https://packages.debian.org/jessie/youtube-dl

youtube-dl is a small command-line program to download videos from
YouTube.com and other sites that don’t provide direct links to the
videos served.

project home: https://rg3.github.io/youtube-dl/

Does anyone have experience with this? Could this be included in Whonix with a user-friendly GUI?


#4

I’ve been happily using youtube-dl for some years. Well developed, works on many popular streaming sites (not just YouTube), and a powerful set of options. Should be part of Whonix IMO.


#5

Yes, that’s a gap. Can you add it here please? (can also rename the page now if not best)

https://www.whonix.org/wiki/Streaming

That sounds sane.

Yes. Using it on and off for years myself.

Unless a good argument against is will be made (probably unlikely) we can surely add it for Whonix 14. Created https://phabricator.whonix.org/T554 to remember doing that.


#6

Good information and I agree with your rationale.

I’ve also used youtube-dl for some time, with no problems.

The only caveat is that sometimes it is necessary to download the latest youtube-dl version from Debian testing repos with some youtube links for it to work correctly. I’m not sure why.


#7

Because youtube keeps changing the website that results in breaking youtube-dl. Downloading is not something youtube appreciates. Then the youtube-dl developers need to fix it and release a newer version.


#8
So I was looking around for possibilities, and I came across this package in the debian repos:
https://packages.debian.org/jessie/youtube-dl
    youtube-dl is a small command-line program to download videos from
    YouTube.com and other sites that don't provide direct links to the
    videos served.
project home: https://rg3.github.io/youtube-dl/
Does anyone have experience with this? Could this be included in Whonix with a user-friendly GUI?

I was delighted when I accidentally stumbled across youtube-dl in the deb repo some moons back:) It is richly packed with many options - quite a few and many of which caters to many “whims and needs” to tailor your download to fulfil your exacting requirements.

Then I also snagged this GUI front-end for my neighbour’s elderly father which is slightly “CLI adversed”


(A cross platform front-end GUI of the popular youtube-dl written in wxPython. )

I hope I did not run afoul of any protocols concerning this dated discussion.
Please excuse me in advance.

Have a happy summer Everyone.
x