New Tool Automates Phishing Attacks That Bypass 2FA

A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). From a report: Named Modlishka --the English pronunciation of the Polish word for mantis -- this new tool was created by Polish researcher Piotr Duszynski. Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations. It sits between a user and a target website -- like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate. The victim receives authentic content from the legitimate site --let's say for example Google -- but all traffic and all the victim's interactions with the legitimate site passes through and is recorded on the Modlishka server.

so...

[zlives]

you need to control DNS at the point of end user connection like with ... HOSTFILES :)

Re: so...

Except hardly anyone puts the loop back address in their host file unless they have specialty software that uses an alias for localhost. POP3 sometimes has this problem because sometimes the client software defaults to hard coded names for well-known endpoints. It is because they want all possible attacks to fail even if users have an inconvenient time troubleshooting. And when the server side and the client side both have the problem you can pull yourself hair out fixing it.

Re:so...

[Darkk]

That would be true if the computer been infected with malware. However, most people don't pay close attention to details like URLs before continuing so that would be hope by the attackers.

you need to control DNS at the point of end user connection like with ... HOSTFILES :)

Re:so...

[DarkOx]

Yes if only there was some method to provide cryptographicly verifiable DNS responses...hmm

Re:so...

[zlives]

but... its so complicated :)

Re:so...

[nehumanuscrede]

OMG

You just had to say it . . . . .

I think if you say it three times, we'll get a wall of text about how modifying your host files will:

1) Spice up your sex life
2) Cure Cancer
3) Solve P vs NP
4) Balance the National Debt

Re:so...

[dissy]

you need to control DNS at the point of end user connection

Why would you?
The user end point is already configured to query the root servers, which is all that's needed.
Any domain I register will be added to its particular top level that the roots already point at, and the circle of life is complete.

No, all you need is an end user stupid enough to think gmail.myowndomain.tld is actually gmail when they click it, and those are in no short supply.

Highlights the importance of HTTPS and HSTS header

[fuzzyf]

This just highlights the importance of HTTPS and Strict Transport Security Header.
Preloaded HSTS would require the attacker to install a root certificate on the victims computer or compromise an already existing one.

If you have that amount of control you can do far more than bypass 2FA.

Re: Highlights the importance of HTTPS and HSTS he

I think the more amusing question would be is that really true that you would need to do at least one of those things to succeed in attacking. I would say it depends on the messaging throughout of legitimate traffic and attacker traffic. Any system is hacksble if you give it enough time but maybe there isnt so much time in most lab testing scenarios for a variety of reasons

Useful tool, but you still have to get past PKI...

[sinij]

Useful tool for recording unencrypted traffic, but for anything that matters these days you have to find a way to present matching and trusted certificate.

For example, when connecting to /. my browser will check DNS record (i.e. slashdot.org) to an identifier in X.509 certificate (i.e. SAN contains slashdot.org). While DNS lookup could be hijacked, there is no way to hijack certificate without getting hold of a private key. If you simply proxy it, then you would only see encrypted traffic. If you substitute some other certificate, then you will have to get past browser certificate checks.

I would seriously

not mind seeing malicious hacking become a death sentence. Ditto rape, child molestation, selling drugs to minors, and many others. The West has grown very soft when it comes to crime. Singapore doesn't have much of a drug problem, does it? I'm not talking about marijuana. I'm talking about man-made illicit drugs like meth, crack cocaine, heroin, etc.

Re: I would seriously

I would agree and you probably gave the right answer to the problem. Most people choose the wrong answer to the wrong problem absolutely. BUT how do you feel about methadone clinics for the poor souls out there who might have become addicted for no fault of their own. Would you advocate illegally trafficking in methadone if it were necessary? I hope you would

Re:I would seriously

[geekmux]

not mind seeing malicious hacking become a death sentence. Ditto rape, child molestation, selling drugs to minors, and many others.

Sorry, but hacking is not as "ditto" simple as the other crimes you list here. Rape, child molestation, and selling drugs all usually require concrete physical evidence. I'm not going to face a fucking firing squad because some script kiddie was smart enough to spoof MY IP address when committing an electronic crime. And I'm not about to rely on some dinosaur judge rapping the gavel of fate to understand what IP spoofing is, and why I'm innocent. Fuck that legal nightmare.

Re:I would seriously

>The West has grown very soft when it comes to crime

Have you SEEN our incarceration statistics? I mean, "for-profit prison industry" is pretty self-explanatory.

Re: I would seriously

How does someone become addicted to methadone through "no fault of their own" exactly?

Re:I would seriously

[geekmux]

>The West has grown very soft when it comes to crime

Have you SEEN our incarceration statistics? I mean, "for-profit prison industry" is pretty self-explanatory.

The only thing self explanatory about a for-profit prison system is the profit part. Prioritizing criminals to be incarcerated for life instead of championing the death sentence when justified IS a sign of going soft on crime. We may be known as the Incarcerated States of America, but that sure as hell doesn't equate to a country with exceedingly low crime rates. That for-profit criminal system we have isn't deterring jack shit. Hell, it's viewed by many as a place where you can get three square meals a day and a place to sleep, so bringing forth incarceration numbers is essentially meaningless when talking about how "hard" we are on crime. Even those awaiting a death sentence can enjoy decades of life behind bars, which tends to make "death" row a joke.

I have the fix!

[mark_reh]

3 factor authentication!

It's the 7-minutes abs of IT!

Re:I have the fix!

[93+Escort+Wagon]

I'm holding out for 99-factor authentication.

Re:I have the fix!

[bob4u2c]

3 Factors relate to the following categories:

1. Something you know: username, password, pin number, etc.

2. Something you have: token generator, cell phone, computer, etc.

3. Something you are: your fingerprint, eye scan, hand geometry, voice print, etc.

I often hear people say that using CAPTCHA's or having to answer 3 to questions are two factors, but those still fall under the first category, something you know. I also hear people say to use a fingerprint or something, can't fake that. The problem though is you can, and once exposed you can't change it. Cell phones are also a problem where sites will send you a token, often those tokens are sent in plain text.

The issue of course is that all these boil down to some data the computer has to pass along. Your token is just a series of bits, your fingerprint is saved as a series of measurements and sent as bits, etc. These are all sent as part of the authentication request, all vulnerable to snooping.

Your best bet is still a password and some one time token generator. You may be able to intercept it, but once you can no longer snoop on my network I can logout and the token you snooped on won't work again.

Re:I have the fix!

[apoc.famine]

That's a pie in the sky idea. Never going to happen. I'm just holding out for one that goes up to 11. That's at least possible, I think.

Re:I have the fix!

[Chris+Mattern]

I'm holding out for 99-factor authentication.

That only works for CONTROL.

Re:I have the fix!

[sexconker]

Yup, everything done online or passed through a single wire is essentially 1 factor. Something you know.

Oh, you used a fingerprint scanner or smartcard reader? It just passed a signal to the verifying device/service. The verifying device/service didn't check to see you had a smartcard or that you used a valid fingerprint. It trusted the signal it got and believed the device that sent it.

Something you have and something you are require physical, interactive inspection. In a real security scenario, this is typically done with an actual guard checking an ID, badge, etc. and checking you to make sure you're X pounds, Y height, Z sex, W race, etc.

Re:I have the fix!

[93+Escort+Wagon]

I'm holding out for 99-factor authentication.

That only works for CONTROL.

Missed it by THAT much!

Re:I have the fix!

Feh. #2 and #3 are possessions. Their relative spoof difficulty/etc isn't all that far apart.

I mean, their strength still stacks, but without respect to category.

"Must present fingerprint and voiceprint" is little different than "Must present physical token and voiceprint"

As the old expression goes, something you know something you have.

When there isn't a middle to abuse

[H3lldr0p]

Create one!

This seems like it should be easy to defeat. Acting as a portal ought to come with some sort of detectable signature. A few extra ms, routing abnormalities?

Re:When there isn't a middle to abuse

This seems like it should be easy to defeat. Acting as a portal ought to come with some sort of detectable signature. A few extra ms, routing abnormalities?

Why would that be easy?

Transit time changes frequently. "A few extra" miliseconds would result in false-positive rates approaching 50%

Routes change frequently too. That's the point of using routing protocols. Worse, why would the route from the user's perspective change? Transparent proxies are the norm these days.

Plus "ought" is an ethical concept, not a descriptive one. The evil bit isn't implemented.

The only way one could detect this sort of attack reliably is to have enterprise-level DNSCrypt, enforce mandatory TLS on connections, ensure certs are handled before the link is compromised, never allow inferior encryption suites, ensure everything is patched, then monitor every connection for changes to any of those components.

FIDO U2F 2FA is an answer

Using the physical keys like the Yubikey or Google's key would prevent this. They won't sign 2FA challenges except for a matching DNS domain origin.

Re: FIDO U2F 2FA is an answer

It does not solve the entire problem since unlike most keys you have to bring the key data into your system to inspect it. It is a unique software algorithm that is not present in any other scheme. So if you are super paranoid about security in general, and not just the malware of the day, you cannot use the theoretically best software solution.

Re:FIDO U2F 2FA is an answer

[sexconker]

The attacker presents a login dialog to the user, and forwards that info to a genuine session.
The attacker presents a 2 factor dialog to the user, and forwards that info to a genuine session.
The attacker wins.
For bonus points, the attacker presents a second 2 factor dialog to the user, the user complies thinking they typed the code in wrong or the code timed out. The attacker uses that 2nd code to disable the 2 factor requirement on the account.

The attacker only needs to get a bit of malware on your box to install bogus certs / fuck your DNS.

"If they get malware onto your box, they've already won!" Until you clean the malware, use a different box, change a password, or they need another code from your dongle / phone / etc.

The main defense against this type of attack was that most people wouldn't be high value targets, so the phishing pages were merely storing credentials for later use (or sale). With expired codes from a dongle, app, or phone, those credentials are somewhat useless. (You can use them to scare the victim later in a ransom scheme, try to socially engineer an attack saying you lost the phone / dongle / whatever, try those same credentials elsewhere hoping they were reused, etc.)

Automating the full attack means that the code a user types in is used while it's still valid, and the attackers win. Without automation through to the end, only a high value target (or someone incredibly unlucky) would have an attacker actively watching and waiting to use one of those codes before it expired.

A defense against this, which never gained much traction unfortunately, is certificate pinning.

Re: FIDO U2F 2FA is an answer

U2F can't be relayed. The signature won't match the real domain and thus the reason website won't accept the attackers 2FA attempt.

Re: FIDO U2F 2FA is an answer

Dunce. Literally everything on the internet not on your connected LAN is relayed. Everything.

Re:Highlights the importance of HTTPS and HSTS hea

[sinij]

You don't need HSTS if you pay attention or browser warns you about submitting credentials over unencrypted** connection.

** In this case, it is certificate based authentication, a different technology from encryption, that help to definitively established the identity of the server as part of TLS handhsake that saves your bacon, but the entire process colloquially known as encryption.

Re:Congrats to my fellow pole... apk

Why haven't the Slashdot mods not made a spam filter to get rid of this APK crap yet? Surely it wouldn't be too hard to just filter out anything with "APK hosts" and mark it down -1 "Spam"

"an ease never seen before"

[darkain]

"an ease never seen before" >>> https://en.wikipedia.org/wiki/...

Re:Highlights the importance of HTTPS and HSTS hea

[bob4u2c]

Modlishka is what IT professionals call a reverse proxy

A classic man in the middle attack. If you control the network between the client and server; being able to snoop on 2FA is the least of your worries. Using SSL might help, but if your DNS is compromised as well then your out of luck.
As a developer I use a reverse proxy whenever I need to view data being exchanged between different tiers of an application. Using SSL makes it harder, but there are ways of generating fake certs and using dns to mask where they really came from.

Again, if someone is able to inject themselves into your network you have much bigger problems.

Looks like a man in the middle attack

[140Mandak262Jamuna]

Not sure why it needs a new name or what is really new.

Re:Looks like a man in the middle attack

[apoc.famine]

Didn't read the summary, eh?

All of the MITM work has been done. You just snag the github code, deploy it on a server, tell it a URL to impersonate, and then get people to go to that serer. It's script-kid ready. You don't need to know how to code to deploy this. You don't even really need to know much about how the internet works.

Of course, the more you understand, the more effective this could be. There are enough dumbasses out there that if they click to a page that's identical to the one they are looking for, despite the URL being wrong, they will still log in. Everything else that you could do to make the URL look better just ups the number of people that might log in.

The hard work is done. It's basically a MITM app that you deploy and feed a URL, and you're up and running.

Re:Looks like a man in the middle attack

[140Mandak262Jamuna]

Thanks. It is the Monkey in the Middle, for dummies. I get it now.

Re:Looks like a man in the middle attack

Not OP.
I did read the summary, I'd just assumed this stuff was easy to acquire in the past, I figure since I'd thought of it years ago, someone else must have done it already.
Apparently not.

Re:Looks like a man in the middle attack

Not OP. I did read the summary, I'd just assumed this stuff was easy to acquire in the past, I figure since I'd thought of it years ago, someone else must have done it already. Apparently not.

I'm with you. I really thought this kind of script-kiddie-ready shit would be readily available by now. Hell, Metasploit is over 15 years old...

Re:Looks like a man in the middle attack

It's "Mantis in the Middle" (MITM).

Re:Useful tool, but you still have to get past PKI

No you don't. You can't use legitimate urls... you still need phishing urls. so bypassing PKI is useless if your site is gonna read g00gle.com. You just hope users don't notice.

Re: Biggest spammer = Google (/. primary financier

How very nice, you must have blacklisted every Azure and AWS routable IP, correct?

Re: I can cite 120++ /.ers who use hosts... apk

And of course 127.0.0.1 is the only loopback address, right, idiot?

Re:Highlights the importance of HTTPS and HSTS hea

[DarkOx]

The problem HSTS does not solve though is if I can get you to click my link to http://g0ogle.com/ (ok that one is taken but you get the idea) or https://g0ogle.com/.

HSTS won't let me MTIM your request to http://google.copm/ and inject my own content (because it plain text) or redirect you somewhere else because your browser will ignore that you asked for HTTP and do HTTPS and my cert won't pass muster. It will do nothing if I con you with a look-a-like domain. Which thanks those morons at LetsEncrypt I can easily obtain a certificate for gaining my a nice TLS connection that will appear secure in your browser and let me evade a lot of IPS systems and other protections on the network to sever up whatever malicious garbage I want.

Re:Useful tool, but you still have to get past PKI

Useful tool for recording unencrypted traffic, but for anything that matters these days you have to find a way to present matching and trusted certificate.

For example, when connecting to /. my browser will check DNS record (i.e. slashdot.org) to an identifier in X.509 certificate (i.e. SAN contains slashdot.org). While DNS lookup could be hijacked, there is no way to hijack certificate without getting hold of a private key. If you simply proxy it, then you would only see encrypted traffic. If you substitute some other certificate, then you will have to get past browser certificate checks.

The article lacks some detail, but I think the way it works is a phishing email has a link displayed to "https://Bigbank.com", but actually sends you to "https://logon-Bigbank.com" as is typical of phishing emails. The bogus server logon-Bigbank.com its own certificate registered to "logon-Bigbank.com", and talks to the actual Bigbank.com using Bigbank's cert. Few people look to check the Certification Path for every web page they go to.
Because the bogus logon-Bigbank.com is using its own cert, then it can decrypt the traffic on the fly before forwarding it to the session established with the actual Bigbank.com

What is different with this implementation is the bogus server knows that it is phishing for Bigbank.com, so it pulls content from the actual web site to present to the victim, and forwards the actual logon and TFA code to the real Bigbank.com. Now an active session on Bigbank.com is established on the server logon-Bigbank.com that the MITM controls. Now we go on to empty that account during that session.

That's not a reverse proxy.

IT professionals call this a reverse proxy.

This software is just another MITM for logins with spoofed domains. These existed in the 90's.

Re:Useful tool, but you still have to get past PKI

[DarkOx]

Except that I am not going to hijack slashdot.org I am going to attempt to con you into going to slashdit.org instead. Which I will proxy to slashdot.org's login page so you don't think anything is wrong. You will most likely go ahead and authenticate (and I'll sniff the cookies along the way). I know you want give the URL a second look either because thanks to Google nobody displays address bars anymore. So if you click my initial link I totally own you.

Oh and mysite will have TLS and valid certificate too because LetsEncrypt is completely irresponsible and will robo sign anything domain you control even if its a totally obvious look-a-like phishing domain.

Re: I can cite 120++ /.ers who use hosts... apk

No. You can have as many as you like, although most people arenâ(TM)t really in need of multiple NIcs etc u less they have unique problems/issues. My question is why would someone assign something other than 127.0.0.1 to their only loopback and then send tons of emails? I doubt it would be anyone that would admit to it

Re: Congrats to my fellow pole... apk

I just ask APK random questions that any /. Poster ought to have an answer for and I mod him down when he canâ(TM)t answer. Oh well

Terabyte per second? I go to jerk off!

Mmmmmm... Teeerabyte!

DNSSEC and DNSCRYPT

Should nip this in the bud.

Re:Highlights the importance of HTTPS and HSTS hea

[Mike+Van+Pelt]

A good password manager won't fill your google.com user ID and password into a g00gle.com web page. (I know LastPass won't; I'd assume others would balk at this, too.)

Re:Highlights the importance of HTTPS and HSTS hea

[fuzzyf]

That is not entirely accurate.
Browser will stop you from clicking a submit-button on a form, but nothing stops an attacker from using XMLHttpRequests (ajax call back in the day) to pass credentials. Button could then be wired up to just to a regular HTTP GET.

Re: Quote Batman to Lucius Fox... apk

Take your meds!!!!

'Security Researcher'

[Fly+Swatter]

There is that term again. He released a tool publicly to actively break security via MITM phishing. This is not how anyone serious about security would act. Call him a script-kiddie enabler.

Re:Highlights the importance of HTTPS and HSTS hea

[guruevi]

That really depends. If you can compromise the browser or browser cache but nothing else, there is still value where you can modify DNS and/or root CA but still not record keystrokes and clicks (since some browsers *cough* Chrome *cough* now resolve independently from the OS/network).

Fuck Everything, We're Doing 5 Factors

[nuckfuts]

Fuck it. We're going to five factors.

Sure, we could go to 3 factors next, like the competition. That seems like the logical thing to do. After all, two worked out pretty well, and three is the next number after two. So let's play it safe. Why innovate when we can follow? Oh, I know why: Because we're a business, that's why!

So a false domain reverse proxy?

[MarkH]

Which any decent website will block due to weird traffic from set of ips or by behaviour blocking?

Am I missing something ?

Only if you don't use FIDO U2F Key

FIDO U2F keys are not susceptible to this kind of attack. :) Fight me.

Re:Highlights the importance of HTTPS and HSTS hea

[DarkOx]

Wrong. LetsEncrypt removed any (although it was already limited) trust you could have in a third party CA. Before LE most CAs made a t least a little effort to not provide or to revoke certs for obvious phishing domains when the complaints rolled in.

Nothing LE does is needed for an encrypted web. We could all be using self signed certs + pinning and it would provide EXACTLY as much assurance as LE certs provide. The problem was the browser vendors could not do anything smarter with their stupid "scare screens"

Wrong

This is not "Bypassing 2FA". It's a variation on classic man in the middle. Not a "bypass" by any stretch of the imagination.

Make a wheel Mr. FAKE NAME... apk

"U either die a hero or live long enough to see urself become a villain" ("your kind" try make it so) vs. https://it.slashdot.org/commen...

"Sometimes, people deserve to have their FAITH REWARDED" per Batman saying it in regards to what Lucius Fox saw @ the end of "The Dark Knight" too!

(Get rid of the tracking which my ware does also besides knocking out malware of most all types sources of infestation).

See subject: Any of you with talent/skills should be doing the SAME & Make a Wheel https://isc.sans.edu/forums/di... as I did multiplatform & yes, it works (for less, doing MORE vs. ANY single 'competitor' full of security issues (DNS/Antivirus) OR 'souled-out' to NOT work by default in full (adblock).

APK

P.S.=> Is it working? MUST BE as attacks by malicious host-domain names in URL's has gone down & I noticed it too recently as did these guys:

https://unit42.paloaltonetwork...

(& thus, MY FAITH IS REWARDED by that evidence alone - believe me, making it & then putting up w/ CRAP I do from trolls too? It was truly an ACT OF FAITH on my part)... apk

3 factor security

[AHuxley]

A letter by post with more code on it?
A CC sized device with a LCD display using a time limited code sent by post?

Re:3 factor security

[coofercat]

A keyboard overlay that alters the location of the letters?
Maybe a special lens that re-assembles the text on the screen so it's readable?

I miss the old days ;-)

Congrats to my fellow pole... apk

I stop phishing PAYLOAD links (the dangerous part where malware/malcript etc. is) via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)

APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)

Soon for MacOS too (I just got a NEW Mac-Mini to port it there too)!

APK

P.S.=> I suggest you ALL try do the same & "Make a Wheel" https://isc.sans.edu/forums/di... also, just as I did above in a MULTIPLATFORM WHEEL that works (I use it everyday along w/ 100,000++ users worldwide vs. threats & to go faster online)... apk

Why depend on others ONLY? apk

See subject: Want to do a layered-security/defense in depth right & resolve FASTER vs. remote DNS (most unpatched vs. the Kaminsky redirect poisoning flaw mind you), especially ISP dns?

Do it yourself via https://slashdot.org/comments....

"Sometimes, people deserve to have their FAITH REWARDED" per Batman in regards to what Lucius Fox saw @ the end of "The Dark Knight"!

(Get rid of the tracking which my ware does w/ knocking out malware sources of infestation).

Is it working? YES as attacks by malicious host-domain names in URL's = down & I noticed it recently as did these guys:

https://unit42.paloaltonetwork...

(MY FAITH IS REWARDED by that ACT OF FAITH on my part)

APK

P.S.=> You w/ skills should be doing the SAME & Make a Wheel https://isc.sans.edu/forums/di... as I did multiplatform & it works (for less, doing MORE vs. ANY single 'competitor' full of security issues (DNS/Antivirus) OR 'souled-out' to NOT work by default (adblock))... apk

New reverse proxy penetration testing tool?

[najajomo]

“Named Modlishka .. this new tool .. is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations”

Didn't a reverse proxy turn up in eps1.3__da3m0ns.mp4 of Mr Robot?

HOWEVER: Addendum to whom I replied to

See subject: The "root 13" DNS servers = patched vs. Kaminsky redirect poisoning (but they're still slower vs. hosts LOCALLY resolving faster) & it's TOO BAD most ISP dns' aren't as I said originally https://it.slashdot.org/commen...

* WHICH JACKASSES HERE HAD TO TRY "downmod hide" to NO AVAIL - I repost NULLIFYING you whimps, lol - easily.

APK

P.S.=> Had to "cover my bases" vs. TROLLS & nitpickers... apk

Quote Batman to Lucius Fox... apk

"Sometimes, people deserve to have their FAITH REWARDED" per https://it.slashdot.org/commen...

* :)

As I did seeing host-domain name use going DOWN in malware per https://unit42.paloaltonetwork...

Analogy per Batman in regards to what Lucius Fox saw @ the end of "The Dark Knight"!

(Get rid of the tracking which my ware does w/ knocking out malware sources of infestation).

Is it working? YES!

(MY FAITH IS REWARDED by my ACT OF FAITH's results)

APK

P.S.=> Any of you with talent/skills should be doing the SAME & Make a Wheel https://isc.sans.edu/forums/di... as I did multiplatform - it's EXACTLY mostly for those who you speak of... apk

Re:Useful tool, but you still have to get past PKI

That's not irresponsible - that's you not understanding the service.

LetsEncrypt provides the bare minimum SSL - the domain you're connecting to really is the domain you're connecting to.

"The domain you're connecting to belongs to the company you think you're interacting with" is an entirely different level of Certificate, and the browsers know that and actually display sites protected by the lower level differently to those protected by the verified identity ones.

Take yours & your own poor advice... apk

See subject: Instead of "trolling" me? Make a wheel https://isc.sans.edu/forums/di... you waste of life...

* ... or, is it because you've WASTED so much of your God-given life & time that you don't have what it takes to do so? My money's on THAT regarding YOU & "your kind"...

* "Sometimes, people deserve to have their FAITH REWARDED" per https://it.slashdot.org/commen...

(Especially all you "Lucius Fox" types - as I make not only malware threats go away but I make trackers disappear too (right from that scene in the film by analogy))

Host-domain use IS down & I can't HELP but think what I did helped that per https://unit42.paloaltonetwork...

(MY FAITH IS REWARDED by that ACT OF FAITH on my part)

"He didn't do anything wrong" - Jamie Gordon "The Dark Knight" (like me & your CRAP's the SHIT I get? Please - Mr. Advertiser/webmaster (who IF your kind didn't track/infect/slow us I'd never have put out my program in the 1st place), INFERIOR competitor OR malware maker/botnet herder - I see RIGHT thru you & your "PETTY MOTIVATIONS"

APK

P.S.=> I can do it & it works https://it.slashdot.org/commen... - YOU? Obviously can't... apk

For the BEST hosts file, multiplatform... apk

For the BEST hosts file, multiplatform https://it.slashdot.org/commen...

* :)

* "Sometimes, people deserve to have their FAITH REWARDED" per https://it.slashdot.org/commen...

(Especially all you "Lucius Fox" types - as I make not only malware threats go away but I make trackers disappear too (right from that scene in the film by analogy))

Host-domain use IS down & I can't HELP but think what I did helped that per https://unit42.paloaltonetwork...

(MY FAITH IS REWARDED by that ACT OF FAITH on my part)

"He didn't do anything wrong" - Jamie Gordon "The Dark Knight"!

APK

P.S.=> "Batman has NO LIMITS" per the "Dark Knight" quote from Christian Bale in it... apk

Already running on App Engine!

This runs directly on Google App Engine so you can serve Modlishka from a secure google.com URL ...

Re:Highlights the importance of HTTPS and HSTS hea

I think you got it all wrong with Let's Encrypt. Google could shut down the project overnight by revoking their root certificate. Microsoft, Firefox and Apple would soon follow. Yet, they haven't done so. I know the GP said mostly the same thing, but it is worth repeating: CAs are not trustworthy. If they make it difficult or inconvenient to get a certificate, their clients will simply flock to another CA which is more accommodating. Symantec once was one of the biggest CAs, and it took years of abuse before Google and Mozilla finally decided to revoke their root certificate.

(Posting anonymously because I'm on my phone without my password to log on.)

Re:Highlights the importance of HTTPS and HSTS hea

You're better off using the password manager in Chrome in my opinion; it even generates strong passwords now. LastPass has had several important security issues in the past few years. Allowing webpages to interact with the password database can cause a website to steal all your passwords.

KoiPhish

[abc__cba]

Neat idea, i have seen tools like that a few times a few years back. One other tool has a cute and fitting name for this relay proxy idea. Its called KoiPhish lol : https://github.com/wunderwuzzi...

APK is a proven retarded bitch

Sorry retarded bitch Alexander Peter Kowalski, you are just a loser who is too dumb to realize you got stomped long ago.
Here is a chronicle of your bitch ass getting beaten on your port filtering statements.
Here is another one where your got beaten hard because you can't back up anything you say. This was about how you claim your shitware can block all hosts in a domain, which it can't.
Then there is your claim that the Chinese copied you but you admit that at best all you have is wild ass speculation and can't offer any real proof or even actual evidence to support yourself.
How about the list of experts you claim support your statements, none of which actually support your work and have been shown to actually be saying things different from what you stated they were.
Maybe instead you can tell us about your "success" where a project rejected your stupid simplistic idea or maybe threaten to sue someone again because you are a insecure little man who is washed up and never amounted to anything.

You prove yourself a RETARD vs. this

1.) My program stops portfilter in hosts https://news.slashdot.org/comm... 2.) China did hosts hardcodes after me http://theregister.co.uk/2017/... IMITATING ME & "Time is on my side" (Rolling Stones) 3.) /. users & security pros state the value of hosts for getting users more speed/security/reliability/anonymity 4.) I never threatened to sue Thor SCHMUCK - I only said I'd speak to an attorney & I did who advised I go thru their removal process & I did, then CA falling apart proved my point selling off the antivirus they had that did a FALSE POSITIVE they rescinded to NO THREAT on an old program of mine, period.

Wildcards CREATE FALSE POSITIVES (try wildcard myftp.org, not all sites in it =e bad). Hosts specifics don't cause that.

Security pros galore + /.ers praise the layered security efficacy of hosts.

APK

P.S.=> All you've managed is looking stupid & STALKING me by UNIDENTIFIABLE anonymous posts - "big accomplishment" for you (not)... apk

Biggest spammer = Google (/. primary financier)

See subject: & you can TRY (whipslash failed for 2 yrs. straight) & "You'll hunt me. You'll condemn me. Set the dogs on me" Batman from "The Dark Knight" (& you'll FAIL)...

* "Sometimes, people deserve to have their FAITH REWARDED" per https://it.slashdot.org/commen...

(Especially all you "Lucius Fox" types - as I make not only malware threats go away but I make trackers disappear too (right from that scene in the film by analogy))

Host-domain use IS down & I can't HELP but think what I did helped that per https://unit42.paloaltonetwork...

(MY FAITH IS REWARDED by that ACT OF FAITH on my part)

"He didn't do anything wrong" - Jamie Gordon "The Dark Knight"!

APK

P.S.=> Any of you with talent/skills should be doing the SAME & Make a Wheel https://isc.sans.edu/forums/di... as I did multiplatform - it's EXACTLY mostly for those who you speak of... apk

Thanks: Dozens of /.ers think so w/ ... apk

Thanks: Dozens of /.ers think so w/ 100k++ users worldwide & I did something that works (have you?) https://it.slashdot.org/commen...

* "Sometimes, people deserve to have their FAITH REWARDED" per https://it.slashdot.org/commen...

(Especially all you "Lucius Fox" types - as I make not only malware threats go away but I make trackers disappear too (right from that scene in the film by analogy))

Host-domain use IS down & I can't HELP but think what I did helped that per https://unit42.paloaltonetwork...

(MY FAITH IS REWARDED by that ACT OF FAITH on my part)

"He didn't do anything wrong" - Jamie Gordon "The Dark Knight" (like me & your CRAP's the SHIT I get? Please - Mr. Advertiser/webmaster (who IF your kind didn't track/infect/slow us I'd never have put out my program in the 1st place), INFERIOR competitor OR malware maker/botnet herder - I see RIGHT thru you & your "PETTY MOTIVATIONS"... apk

* THINK ABOUT THAT & Make a wheel as I have per https://isc.sans.edu/forums/di...

APK

P.S.=> Only thing HOLDING YOU DOWN from doing the right thing as I have, is YOU - & ME? Hey - "I'm whatever Gotham NEEDS me to BE" per Batman in "the Dark Knight"... apk

Did I say that? NO, you did... apk

Did I say that? NO, you did: Quit trying to put words in my mouth I never said & quit STALKING me by UNIDENTIFIABLE anon posts weezil.

* Why not APPLY YOURSELF INSTEAD OF BEING A WEAK STUPID TROLL like you are now?

That is, provided you have the skills needed & I STRONGLY SUSPECT you & "your kind" (useless mouth-breathers, "ne'er-do-well" SNOWFLAKE DOLTS & defective (lol, as gweihir calls you)) DON'T have what it takes to MAKE A WHEEL https://isc.sans.edu/forums/di...

(I do & it works, natively, doing FAR MORE for FAR LESS vs. ANY single other so-called 'competitor' riddled w/ security issues (Antivirus/DNS) OR souled-out to NOT WORK by default (adblock) that's easily detected & blocked...)

APK

P.S.=> I take heart in 1 thing - the VERY FACT you have to pull your crap makes me LMAO & @ you at YOUR expense, publicly (while you won't even STAND behind your bs no less)... apk

Questions like what? All you do is HIDE! apk

Questions like what? All you do is HIDE behind UNIDENTIFIABLE anon posts STALKING me & don't stand behind your crap + abuse 'downmodpoints' I easily nullify (via unlimited repost ability I have unlike MOST AC posters)...

& me? Well, ok:

* "Sometimes, people deserve to have their FAITH REWARDED" per https://it.slashdot.org/commen...

(Especially all you "Lucius Fox" types - as I make not only malware threats go away but I make trackers disappear too (right from that scene in the film by analogy))

Host-domain use IS down & I can't HELP but think what I did helped that per https://unit42.paloaltonetwork...

(MY FAITH IS REWARDED by that ACT OF FAITH on my part)

"He didn't do anything wrong" - Jamie Gordon "The Dark Knight"

APK

P.S.=> Thanks for proving my point & why not APPLY YOURSELF constructively as I have https://it.slashdot.org/commen... & MAKE A WHEEL https://isc.sans.edu/forums/di... as I have that works vs. threats multiplatform INSTEAD of pulling the crap you do? Do you LACK the skills?? Learn them... apk

I can cite 120++ /.ers who use hosts... apk

I know 120++ /.ers using hosts & 100,000++ users of my ware for hosts file creation 4 more speed/security via https://it.slashdot.org/commen...

* :)

(No offense intended but you MIGHT want to re-think that speaking in NEAR "absolutes"...)

& me? Well, ok:

* "Sometimes, people deserve to have their FAITH REWARDED" per https://it.slashdot.org/commen...

(Especially all you "Lucius Fox" types - as I make not only malware threats go away but I make trackers disappear too (right from that scene in the film by analogy))

Host-domain use IS down & I can't HELP but think what I did helped that per https://unit42.paloaltonetwork...

(MY FAITH IS REWARDED by that ACT OF FAITH on my part)

"He didn't do anything wrong" - Jamie Gordon "The Dark Knight"

APK

P.S.=> Hosts files come BY DEFAULT (in Windows) w/ 127.0.0.1 as loopback adapter address ... apk

So you are a retarded bitch then

Got is shit for brains. All you can do is repeat your previously torn apart statements, disproved theories, and outright lies. No one questioned if you or the Chinese did it first only the part where you say they copied you. Only you brought your shit program into the port filtering discussion and it was chronicled as such. There was one of your e-mail posted where you clearly stated you were going to sue. You really need to learn how to read and write too. Maybe your father can beat some sense into you as it obviously didn't do it enough when you were a child. If you post your same bullshit again it will be understood that you have nothing and concede everything. This also happens to include trying to deflect, change the subject or demand that others prove they can do bullshit work like yours.

More lies from Alexander Peter Kowalski

Like how he claims the Chinese copied him but can't produce any evidence.

How about when he states that hosts does port filtering but again can't backup his statement which was shown to be false.

There is also his list of "experts" who support him but it turns out they don't say what he is claiming.

This also ignores his out of context quotes he uses to lie by omission.

The problem with him is that his entire reputation is built upon the lie he told years ago that hosts is an effective security solution. It has been exposed numerous times as being a lie and when exposed he fails to argue logically and instead will try to deflect criticism, change the subject, move the goal posts, return to a previously disproved statement, demand you prove you did better than his file concatenator, or just call people names.

Re:Highlights the importance of HTTPS and HSTS hea

[DarkOx]

The CA's were never dependable the for profit CAs never made the problem this bad:

https://it.slashdot.org/story/...

Basically LE took what was already a problematic and dubious trust system and cranked the problems up to 11. Analogy: Buying stuff from some guy on the street vs buying stuff from someone who is legally incorporated. Of course anyone can incorporate it does take much effort or prove much - but it takes some effort and means you at least have an address on file. Its a weak check but its 'something'. LE took that 'something' out of the signed SSL cert process.

I stand by my comments that LE does nothing useful. In fact it probably is negative security because it replaces cases where people would have used a self signed cert and verified the thumbprint over another channel. So it has if anything reduced the degree of authentication occurring. As far as just preventing eavesdropping when you don't know or trust the remote party anyway - their certs offer exactly nothing over a self signed one. Basically they just get around the "scare screens" when 99% of the sites using LE certs are really the ones you should be afraid of!

Re:Highlights the importance of HTTPS and HSTS hea

Wrong. LetsEncrypt removed any (although it was already limited) trust you could have in a third party CA. Before LE most CAs made a t least a little effort to not provide or to revoke certs for obvious phishing domains when the complaints rolled in.

Nothing LE does is needed for an encrypted web. We could all be using self signed certs + pinning and it would provide EXACTLY as much assurance as LE certs provide. The problem was the browser vendors could not do anything smarter with their stupid "scare screens"

Oh I am quite aware of using self signed certs + pinning, similar to the way SSH does it. Good luck gaining mainstream traction using that method for non-technical people without out-of-box browser integration. Moxie tried that with Convergence and that failed.

I'm not saying what LE is the only way to make an encrypted web, like you are suggesting I'm saying. They have provided one way to do so. Even if you went the self-signed + pinning method, people will become desensitized to the leap-of-faith method of pining a certificate the first time visiting a site.

There's a reason LE alone has over 150 million active domain names. Sure, some may be used for phishing, but that is a minuscule percentage of the overall picture. I'm arguing that you shouldn't throw out the baby with the bath water. The old way of using the lock icon for trusting a displayed web page is not wise IMO. It never really was, but because such a small number of sites used TLS previously, people did.

You could also argue that TLS 1.3 is also helping phishers because of the PFS it introduces, which makes it difficult to intercept traffic as well. Some ignorant corporations and banks tried making that argument. Thankfully they didn't sway the IETF standard.

As usual your lies LOSE... apk

1.) My program stops portfilter in hosts https://news.slashdot.org/comm...

2.) China did hosts hardcodes after me http://theregister.co.uk/2017/... IMITATING ME & "Time is on my side" (Rolling Stones)

3.) /. users & security pros state the value of hosts for getting users more speed/security/reliability/anonymity

4.) Security pros galore + /.ers praise the layered security efficacy of hosts. What do you say they don't agree with? Should I post that AGAIN?? Ask & EAT YOUR WORDS.

APK

P.S.=> All you've managed is looking stupid & STALKING me by UNIDENTIFIABLE anonymous posts - "big accomplishment" for you (not)... apk

You LOSE again as usual... apk

I didn't have to sue Thor SCHMUCK: CA caved in & sold off the shitty antivirus & they rescinded to ZERO THREAT (no threat on an old program of mine in a FALSE POSITIVE of THEIRS (an error on their part), stupid!

My program stops portfilter in hosts https://news.slashdot.org/comm...

China doing hosts hardcodes LONG AFTER I did proves my point they had to imitate me, period.

* Yes - you LOSE as always!

APK

P.S.=> See subject - it's ALL YOU KNOW HOW TO DO, lmao...apk

Re:Highlights the importance of HTTPS and HSTS hea

[Mike+Van+Pelt]

You're better off using the password manager in Chrome in my opinion; it even generates strong passwords now. LastPass has had several important security issues in the past few years.

Really? (google, google) Nope. Nothing I hadn't seen before, nothing really major, and all addressed very quickly when discovered. If I had a trivial master password, it might be an issue, but I don't.

APK choose to admit he is a retarded bitch

I see Alexander Peter Kowalski that you chose to admit that you are a retarded bitch by continuing to repeat your torn apart statements, disproved theories, and outright lies. As an added bonus you decided to make a new baseless claim too. Now lets see if you can actually provide some actual evidence to support that you managed to get CA to shutdown the AV program because of you. You can't but will make all sorts of stupid fucking statements claiming you did because you just can't stop with the lies. It isn't my fault that you have shit for brains and are so detached from reality that you can't see that you lost long ago and just keep digging a bigger hole for yourself.

Facts listed here make you LOSE... apk

1.) I never had to sue Thor SCHMUCK - CA rescinded their FALSE POSITIVE error, sold off their shitty antivirus & I said I'd speak to an attorney & I did who advised I go thru their removal process & I won.

2.) China did hosts hardcodes after me http://theregister.co.uk/2017/... IMITATING ME & "Time is on my side" (Rolling Stones)

3.) /. users state the value of hosts for getting users more speed/security/reliability/anonymity listed here (enumerated as "Registered /.ers reviews") https://it.slashdot.org/commen...

4.) Security pros galore + /.ers praise the layered security efficacy of hosts quoted here https://it.slashdot.org/commen...

5.) My program stops portfilter errs in hosts https://news.slashdot.org/comm...

* See subject CHUMP - you LOSE (it's ALL you know how to DO vs. me, lol (you're SO GOOD @ it (losing))).

APK

P.S.=> You've PROVEN you PROJECT you're a RETARD that can't DENY FACTS I just blew you AWAY w/ easily, lol... apk

Retarded bitch APK is the loser

Retarded bitch Alexander Peter Kowalski is the loser but he hasn't figured it out yet. All he can do is keep repeating his lies over and over again in hopes that they might be true. Too bad he can't actually defend his statements but then he lacks the mental facilities to do so anyway. I'm actually surprised he hasn't choked on his own tongue yet.

APK - Too dumb to realize he lost

Like I said, all you can do is keep repeating your same bullshit. All of that has been debunked previously many times. Just because you refuse to accept the truth doesn't mean it isn't actually true, but it does mean you are a retard.

You can't deny facts I listed, lol... apk

See subject: ... & you say "I lost"? You've lost vs. me SO MANY TIMES you HIDE behind UNIDENTIFIABLE anon STALKING me.

* For Pete's sake - do you REALLY think you're "fooling anyone" but yourself, psycho?

(Whatever it was I totally BURNED you on is SO BAD you're ashamed of it, obviously... lol, you did THAT to yourself)

APK

P.S.=> Guess again - you're not... apk

Such conviction "standing behind your words"

See subject: You've lost vs. me SO MANY TIMES you HIDE behind UNIDENTIFIABLE anon STALKING me, lmao - whimp.

* For Pete's sake - do you REALLY think you're "fooling anyone" but yourself, psycho?

Guess again - you're not... & whatever I put out is FACT you can't defeat (& it makes me LMAO seeing you "FLAIL" against black & white UNDENIABLE fact that BLOWS YOU AWAY!).

APK

P.S.=> HOWEVER: Whatever it was I totally BURNED you on in the past beneath one of your doubtless MANY SOCKPUPPET fake accounts, is SO BAD you're ashamed of it, obviously (& it's made YOUR LOSER ASS deranged, obsessed w/ stalking me too)... lol, you did THAT to yourself... apk

Sorry retard bitch APK fact is you lost

Sorry retard bitch Alexander Peter Kowalski when someone destroys all you evidence initially and you fail to refute it any of it but instead just keep repeating those statements it means you lost. The fact that you fail to realize it means that you are a retard and don't know you lost. You were given plenty of chances to actually try to support your statements but every time you chose to just repeat them providing no new support. We are done here because you are just stuck in a loop.

Retarded bitch APK is only fooling himself

Retarded bitch Alexander Peter Kowalski is only fooling himself by continuing to repeat the same bullshit statements that were torn apart initially. Since you continually failed to refute anything that was said about your work with actual evidence and instead just kept repeating your previously debunked statements it means you lost. When you state that you won after doing this it is just your attempt to try and convince your self that you aren't a total loser. Everyone else can see this but you are just too mentally deficient. As such we are done here as you are just stuck in a loop.

Try "destroy" THIS: You'll FAIL... apk

1.) I never had to sue Thor SCHMUCK - CA rescinded their FALSE POSITIVE error, sold off their shitty antivirus & I said I'd speak to an attorney & I did who advised I go thru their removal process & I won.

2.) China did hosts hardcodes after me http://theregister.co.uk/2017/... IMITATING ME & "Time is on my side" (Rolling Stones)

3.) /. users state the value of hosts for getting users more speed/security/reliability/anonymity listed here (enumerated as "Registered /.ers reviews") https://it.slashdot.org/commen...

4.) Security pros galore + /.ers praise the layered security efficacy of hosts quoted here https://it.slashdot.org/commen...

5.) My program stops portfilter errs in hosts https://news.slashdot.org/comm...

APK

P.S.=> All you've managed is looking RETARDED yourself & STALKING me by UNIDENTIFIABLE anonymous posts - "big accomplishment" for you (not)... apk

You can't refute actual evidence here... apk

1.) I never had to sue Thor SCHMUCK - CA rescinded their FALSE POSITIVE error, sold off their shitty antivirus & I said I'd speak to an attorney & I did who advised I go thru their removal process & I won.

2.) China did hosts hardcodes after me http://theregister.co.uk/2017/... IMITATING ME & "Time is on my side" (Rolling Stones)

3.) /. users state the value of hosts for getting users more speed/security/reliability/anonymity listed here (enumerated as "Registered /.ers reviews") https://it.slashdot.org/commen...

4.) Security pros galore + /.ers praise the layered security efficacy of hosts quoted here https://it.slashdot.org/commen...

5.) My program stops portfilter errs in hosts https://news.slashdot.org/comm...

APK

P.S.=> All you've managed is looking RETARDED yourself & STALKING me by UNIDENTIFIABLE anonymous posts - "big accomplishment" for you (not)... apk