Slashdot Mirror
Domain: boum.org
Stories and comments across the archive that link to boum.org.
Comments · 214
-
FIREFOX HOLE? WARNING Re: Base64 Encoded Images
FIREFOX HOLE? WARNING Re: Base64 Encoded Images
tor-talk@lists.torproject.org
SERIOUS ISSUE With Details! Re: Base64 Encoded Images: How to block them?From: https://tails.boum.org/forum/Base64_Encoded_Images:_How_to_block_them__63__/
@comment 9 / Comment by Anonymous â" Wed 14 Nov 2012 06:23:21 AM CET
"This has been a known "trivial" bug since 2006. Looking it over, it appears that the security benefit of being able to reduce ones browser's attack surface might have been overlooked. Or perhaps we've missed something!
The best way to get something done about this would be to create a Bugzilla account and explain the necessity (don't nag - just explain the need and the impications which seem to have been missed)
The bug is 331257. While you're there you might also be interested in 255107 and 786275."
https://bugzilla.mozilla.org/show_bug.cgi?id=255107
https://bugzilla.mozilla.org/show_bug.cgi?id=331257
https://bugzilla.mozilla.org/show_bug.cgi?id=786275#####
@comment 14:
"This excellent thread should be looked upon by the Tor and Tails developers. Has Mozilla dropped the ball on this? It appears to me to be a vicious bug which should be patched."
- Story:
http://www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/
"Watch out for the tinyurl that isn't | By John Leyden | Security, 11/03/2012
A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info.
Usually, so-called "phishing attacks" rely on tricking marks into visiting websites designed by criminals to masquerade as banks and online stores, thus snaffling punters' credentials and bank account details when they try to use the bogus pages. However this requires finding somewhere to host the counterfeit sites, which are often quickly taken down by hosting companies and the authorities or blocked by filters.
Instead, the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.
It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email. Crooks may need to set up a server to receive data from victims, however.
It's a technique already documented by researchers Billy Rios and Nathan McFeters - but now Henning Klevjer, an information security student at the University of Oslo in Norway, has revisited the attack method in his paper, Phishing by data URI [PDF][1].
Typically an attacker would first create a standalone web page, probably using content scraped off the legitimate site it seeks to mimic before making an encoded page and embedding it into a data URI.
URI-based attacks were previously documented by Rios and McFeters as part of an attack Microsoftâ(TM)s Internet Explorer 6 and 7. Klevjer's research expands on this basic theme and gives it a modern twist.
Googleâ(TM)s Chrome browser blocks redirection to data URIs, and other browsers have limits on the volume of data that can be packed into URIs. Klevjer created a 26KB attack page that failed to load in Internet Explorer, but worked on both Firefox and Opera.
As well as gettin
-
Tails LiveCD: one of many reasons to dump it 4good
A simple Q&A in this thread turned into trash:
https://tails.boum.org/forum/0.13_-_new_problem_-_dropped_packets_being_logged/
The frustrated user posted:
--
I use Tails to use Tor. I expect Tor to work as designed. Tails giving a hello, encrypted or not, back to the mothership, reminds me of most Windows machines which hit Microsoft's time server(s) with each boot.Instead of leading me in different directions, talking me through a maze of other options, please tell me how to disable this communication between my boot-up of Tails and the Tails server(s): the initial count or ping/hello and the security checks.
I know how to check your site for updates. I don't need the program checking and I don't want any boot stats provided to you from my system, encrypted or not.
Please tell me how to disable all of that - without the info on building my own Tails distro. It cannot be that difficult. This is an open OS, right? Let's appear more open in our replies and to the point.
--
No clear answer was given, but some user(s) rushed in to aid:
"And this is precisely what have been implemented"
Seriously now. PELD just documents your implementation, written in RFC style to appear more profound. I bet intrigeri wrote that part after implementing the feature in Incognito first.
And FFS, listen to your users. You can start with one of those useless TODO pages, outlining different approaches to checking for updates, and the way for users to control those.
------
"Sorry, but it is the opposite. We usually first design and then implement, as most good software development practice advice to do. The PELD has been written a long time ago. It is periodically updated when we find and design new features / issues. Usually through the cycle of writing todo pages where ideas are discussed."LOL. Are you the bullshitter in charge or something? Have you considered the career of presidential press-secretary or similar? I find it amazing how all you seem to care about is damage control using weasel words and hand-waving, and are completely disinterested in the actual truth.
Let me help you here. Commit adding the real-world experience passage: Dec 14, 2010. Security checker implementation: Feb 4, 2010.
In other words: Incognito's documentation has been adapted to the situation in Amnesia after-the-fact. Nothing was discussed. No TODO pages were created. Amnesia was "pinging the mothership", in words of the user above, long before PELD was imported and updated. That passage did not exist. Will you admit now that you were plain out bullshitting, or do I need to play out the whole dead parrot scene by Monty Python?
"We already do that, sorry if you are not our only user."
I am not even the same guy. You seem to have a problem with the idea that more than one person might disagree with your "one true vision".
"For other people, please don't come into his game by replying to his provocations."
Whereas all you are doing is replying to non-provocations with bullshit. Well done!
--Finally, the OP responded:
"I find it amazing how all you seem to care about is damage control using weasel words and hand-waving, and are completely disinterested in the actual truth"
Agreed, I've never encountered such defensive, empty, and negative, or out right hostile responses as I have here, especially to simple questions!
This is the last version of Tails I use. It's easier to pick from any number of Linux distros and use a LiveCD with TBB and not run into stupid shit and the same for answers.
Have fun 'counting' others, or whatever bullshit voodoo you have going on in scripts and/or binaries you fail to deliver simple answers for, there will no longer be any Whispers, backs, or TAILS for me anymore.
Heads, I win..
Tails you lose!
--When you begin picking apart t
-
Tails installed on USB - then carried in rectum?
-
rectum as a security vehicle
I wunnar if they have certain employees carry devices such as microsd cards in a more creative way. See this post on Tor's Tails distribution forum page:
"can I install tails on usb then carry it in my rectum?"
"i wonder if its portable enough to install tails on usb then slide it into my anus for carrying in my rectum through long road trips and travel flights?"
https://tails.boum.org/forum/can_I_install_tails_on_usb_then_carry_it_in_my_rectum__63__/
The responses are very interesting. Is such a method a more secure way of carrying these tiny storage devices?
-
Re:Cool, but...
FireGPG is officially discontinued. Some people are still maintaining it on github. But nobody should use FireGPG because it's broken by design. It uses the textarea on the page for the user to input the plaintext, and only then encrypts it. Unbelievable.
-
Re:This is what you do to truly hide your ASS!
-
Re:This is what you do to truly hide your ASS!
-
Re:This is what you do to truly hide your ASS!
-
Re:This is what you do to truly hide your ASS!
-
This is what you do to truly hide your ASS!
Not everyone understands computers, that doesn't mean they're incompetent, wikileaks, openleaks and other needs to help their submitters keep anonymous, and there are better ways to do this, follow my instructions below, and you'll be as safe as you CAN be in this world:
1) First of all, you need to download TAILS
http://tails.boum.org/download/index.de.html
2) Burn this
3) Get a second computer
4) Tear out its harddisks
5) Make sure there are NO USB-memory sticks either.
6) Make it boot from the CD only, (enter the bios and set Boot Priority to CDROM)
7) Now you can surf relatively safely, but you're not done yet!
8) When surfing, do NOT surf into familiar places of yours, do NOT use your real name, do NOT search for your real name or even your internet alias, if it's known in combination with your name (if you surfed with it on your computer, google already knows your IP, so forget it!)
TAILS uses TOR, google it if you're truly curious. It can't keep you 100% anonymous but it's the safest "service" out there, and it's only relatively safe if YOUR SURFING HABITS ARE SAFE TOO.
Good luck!
-
Re:TrueCrypt
Not TrueCrypt.
Nuff said.
also : https://tails.boum.org/support/truecrypt/index.en.html
I'll never say this enough : Don't trust Truecrypt when you have a shitload of similar/better tools that you can actually trust on linux.
I mean just look at this -
LiveCDs - TAILS v0.7.1, Liberté Linux
First, don't bet your life on this technology or OpenSSH or other tech.
Second, rather than run TOR on an everyday personal or work computer (Windows or Mac or Linux) with sensitive data and identifiable traits, I'd recommend booting a LiveCD: TAILS (v0.7.1 is the latest) and Liberté Linux:
http://tails.boum.org/
http://dee.su/liberteor get Knoppix and harden it:
http://knoppix.com/Change your MAC and connect at a coffee shop (if paranoid-- on the other side of town, and wear sunglasses in case of surveillance), not from home. Or connect to someone else's open WiFi, or get the key with Backtrack. Less secure is running a LiveCD in a VM (virtualbox or vmware). Another less secure option is running a hardened Linux, or at least running the Bastille script.
What am I missing? The main trouble with the LiveCD/DVDs is the NIC driver/module, but Knoppix is good for that.
integral-fellow
-
Re:Protesting..
Some friends in Cairo would like to bypass some of the online censorship measures. I've quickly suggested some things (below) to consider overnight. What have I missed?
Anonymous connection:
No:
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-trackingBut:
https://www.eff.org/https-everywhere/Also:
http://www.hotspotshield.com/And services like:
http://filesharefreak.com/2008/10/18/total-anonymity-a-list-of-vpn-service-providers/
but verify on the ground.Only if they understand the tradeoffs:
http://www.privoxy.org/
https://techstdout.boum.org/TorDns/Avoid random lists of anonymous proxies or DNS servers.
To secure the computer:
Use a popular boot disk that leaves nothing behind, e.g.:
http://www.ubuntu.com/desktop/get-ubuntu/downloadRemove metadata:
http://owl.phy.queensu.ca/~phil/exiftool/
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=144E54ED-D43E-42CA-BC7B-5446D34E5360&displaylang=en
and similar for other files they may deal with.Delete/wipe files securely.
Many uses:
http://mailinator.com/
http://www.hushmail.com/Consider:
http://www.disconnectere.com/
and its analogues -
The (Amnesic) Incognito Live System
I suggest using:
The (Amnesic) Incognito Live System
https://amnesia.boum.org/