Hey, if you or others want to be involuntary Bitcoin miners, unwitting DDoS zombies, or a test-bed for CPU flaws, go ahead. Your right about one thing though: that won't be amazing, it'll just be normal behavior. People do it all the time. Your comment on breaking the web also makes you sound like Jquery/Angular/Axios developer. As if nobody has the "right" to view a website with Javascript turned off.
You're right. However, doing something feels better than just laying down and letting the big-brother corporate feudal lords just monetize my existence at every opportunity. IMO, "Defense-in-Depth" still applies to an individual trying to be left alone, even if their countermeasures aren't 100% effective and they aren't sitting in a missile control silo.
If the sandboxed processes scream and thrash while covered in goo, that'll just add to my satisfaction that they've been shown their proper place in the world.:-)
When I worked at Oracle the rumor was he got in trouble for flying his MIG under the Golden Gate bridge.. I also remember him in that advertisement where he's in the Lotus Position saying "Ohhhmhm" over how enlightened his Linux based thin clients were compared to PeeCees. I wonder if he'd even cringe seeing one of those posters, now.
Okay it was the second-lamest attempt. You've outdone yourself with this additional hand waving. There is still time left in the year for another try. Talk about doubling down. BTW, in the future you have an option not to exchange any words with me, simple or otherwise. I promise I won't mind. However, in any case endless crawfishing won't change the fact you wrote this: "A nice quip on the quality of MS software in general, but not constructive to the discussion. There are orders of magnitude differences in not only the quality of software but the actual business practices of MS between the DOS days and now." You wrote it, not the Russians or a fucking imposter - you. The fact that it's somewhat ambiguous doesn't fool anyone for a second after you lashed out repeatedly. Now folks are supposed to believe, no no you didn't mean it, it's actually the other way. Yeah, right, dude. Nice try.
Exactly. Put in a "backdoor" (ala VMware tools, memory balloon drivers, or other such stuff that can talk to the host-side) and sooner or later someone will find a way to escape. Virtual machines can be cool and useful but there can be situations where they complicate the security threats you face versus bare metal. Spectre, Meltdown, and lots of side-channel low level CPU flaws have shown us that it's at least possible. If it's possible, then there is always the threat of really nasty exploit giving folks the ability to pwn the host machine or alter and/or read info/data/files in another VM. You also make the point about Bitcoin mining. There's a new threat that is somewhat resistant to traditional security measures. Sandboxing doesn't really have a well-cured answer there, either.
Years of watching Jurassic Park and I still love Silicon Graphics (it's a Crimson they have there - I have a Tezro and 3 other SGIs), the Mac Quadra 700 (I have two of them), and Thinking Machines supercomputers (hehe, I don't own one of these!). I love that freakin' movie.
The thing that stands out as being most effective in that bevy of countermeasures is NoScript. It's amazing how willing folks are to run un-trusted code from people with strong motivation to track and monetize you. You've just described what I do already, now. The only difference is that, in addition to the measures you describe, I have a script that removes the entire ~/.mozilla directory and then re-creates it from a minimal backup that just restores my bookmarks and the aforementioned security plugins. I had to go that far because I was still finding turdlets even after all that. It's frustrating that even the efforts at sandboxing I've seen so far aren't as complete as this psuedo-manual "browsing rig" we are doing now.
Your solution is a good one, but it's a lot of hassle. QubesOS has it all streamlined, but using paravirt with Xen is a bit of a misfit when I've used it. I'd rather see a solution built around LXC or OpenVZ. However, I guess there already are some efforts in this direction that have made progress. I suppose it's mostly a matter of preference in terms of what method to implement the key is making sure no trace is left for the bad guys to follow.
No, but it looks like they have the right idea. I'm just not on Windows very often but I will give it a shot sometime when I am. Thanks for the pointer. After years of just using NoScript and 'rm -rf ~/.mozilla' there has to be some kinda better way. However, my ability to trust a browser at this point will have to be after several test browsing sessions to see what turdlets it leaves afterwards when I examine the filesystem (and registry if it's Windows).
Yeah, I'm sure low-level file and cross-tab Javascript security in all browsers are just a matter of learning hotkeys. Garsh, why didn't we all just ask you to fix the issue for us?
I want every single tab I open to be like a baby finding itself in a brand new world every time. I want no cookies to cross reference (yes, I am willing to login every time). I wish for no resources available for Javascript trying to find clever ways to spy and screw with things outside of that "sandbox". I want that tab to feel like it's running on a computer that was just whisked into existence for that one task only. When I close that tab I want (at least on the local system) for it to be like that never happened. Don't leave cache files, ghost cookies, cookies, or alter the system in one single goddamn binary bit that can be tracked later on. I know "private browsing" claims to do a lot of these things, but then you find out later that it really doesn't or that there is some tracking. However, I gotta say, my current method works pretty well. I just keep a bookmarks file that I occasionally import/export when needed. Then I use 'srm' (secure rm) to wipe every file and directory that the browser altered when it was running (inside of a jail, usually). It's not that I have all kinds of stuff to hide, I just hate being spied on by automated "eyes".
Yeah, and "the sky is blue" is every bit as self-evident as "Microsoft is a bunch of good people now."... dumbfuck. Sure. Yeah. Keep sellin it. Play those two statements off as being equally credible. It'll totally work for anyone 8 years old and under without a shred of reason. Ever heard the statement "Extraordinary claims require extraordinary evidence" ? Well... "the sky is blue" isn't going to cut it when making rainbow & unicorn statements about Microsoft, dumbass. On the 1 to 10 scale of logical arguments I'd rate yours at "1".
Oh, well, no proof or evidence of that is needed for your claim at all. You can just say it and *POOF* it's true. They should just get the benefit of the doubt after decades of evil since they've been so good lately, adopting Bash and OpenSSH, huh, Bill? Hey everybody, did you hear ? M$ is awesome now, Thegarbz told me so! I swear... your next post will ask me for links evincing that Microsoft has ever been evil... Pathetic.
Dude, you can't make shit up then argue with yourself. Well, you can, I guess, but I won't participate in that. I never said half the shit you are straw-manning up. At this point you are just arguing with your own lack of reading comprehension. Like I said, you are high and a bit retarded. I'm sorry the world is too complex for you.
You are high. Nobody cares if you think single-factor-use-your-face is a great idea except other people wearing black turtlenecks and hornrims using consumer grade devices and having no actual need for security beyond "good enough" which is all it's meant for along a continuum of smartphone options (mostly poor ones). You have apparently never heard of costumes, impersonation, sculpture, 3D printing, fiberglass, fake hair, latex, disguises, actors, or any number of other zillion year old "technology" that can be deployed fairly readily to foil it, no "6 tries" needed. You must have been down for nap-time when story after story hit the net about facial recognition being fooled easily by photographs and other simple measures. The newest tech is better, sure, and FaceID is more sophisticated than some, but not infallible and not nearly good enough to rely on as a sole factor for anything beyond impersonal casual security where no other security would have been used otherwise. You keep bringing up "humans authenticating" one another by their faces. It's pathetically simple minded to conflate recognition with authentication and overlooks a very obvious flaw: humans get fooled all the time! Easily! Again go look up "costume" or "disguise" or "make up" and blow your mind with some new ideas you appear to have never encountered before!
Someone needs to probe deep into this digging to the bottom, checking the proper crevices and getting the hard facts no matter how long they may be or who gets stiffed in the end.
Those are good ideas. It's pretty tough to believe a skilled sculptor couldn't reproduce someone's face/head quickly and with cheap materials using just a simple photo. They usually start with Styrofoam then use clay, waxes, and other items to make the face look realistic. Ever been to a wax museum? I seriously doubt you'd need to be even close to that skilled to fool a smartphone. After all, the phone has to be pretty forgiving to work for the person in different outfits, hats, weather, etc... I've known several artists that I'd bet money could do it in just a few hours work with cheap easy-to-source materials. However, if one added blinking, temperature, and other biologic factors it suddenly gets harder. It still wouldn't be impossible. You would just need to switch to using real people with cosmetic/prosthesis to make them look like the victim you want to impersonate. You just gotta make sure you start with someone who's skull is the right size. However, every additional metric you check for makes it harder.
Slashdot Mirror
Sweet, that made me go refresh my Xen news buffer. Lots of cool developments and the near-arrival of pvh2 is definitely one of them.
*Yawn* more hand waving. Start a puppet show, instead.
Hey, if you or others want to be involuntary Bitcoin miners, unwitting DDoS zombies, or a test-bed for CPU flaws, go ahead. Your right about one thing though: that won't be amazing, it'll just be normal behavior. People do it all the time. Your comment on breaking the web also makes you sound like Jquery/Angular/Axios developer. As if nobody has the "right" to view a website with Javascript turned off.
I haven't tried that one. Just NoScript, Ghostery, and a few others. It sounds promising. I'll give it a shot.
You're right. However, doing something feels better than just laying down and letting the big-brother corporate feudal lords just monetize my existence at every opportunity. IMO, "Defense-in-Depth" still applies to an individual trying to be left alone, even if their countermeasures aren't 100% effective and they aren't sitting in a missile control silo.
If the sandboxed processes scream and thrash while covered in goo, that'll just add to my satisfaction that they've been shown their proper place in the world. :-)
When I worked at Oracle the rumor was he got in trouble for flying his MIG under the Golden Gate bridge.. I also remember him in that advertisement where he's in the Lotus Position saying "Ohhhmhm" over how enlightened his Linux based thin clients were compared to PeeCees. I wonder if he'd even cringe seeing one of those posters, now.
Okay it was the second-lamest attempt. You've outdone yourself with this additional hand waving. There is still time left in the year for another try. Talk about doubling down. BTW, in the future you have an option not to exchange any words with me, simple or otherwise. I promise I won't mind. However, in any case endless crawfishing won't change the fact you wrote this: "A nice quip on the quality of MS software in general, but not constructive to the discussion. There are orders of magnitude differences in not only the quality of software but the actual business practices of MS between the DOS days and now." You wrote it, not the Russians or a fucking imposter - you. The fact that it's somewhat ambiguous doesn't fool anyone for a second after you lashed out repeatedly. Now folks are supposed to believe, no no you didn't mean it, it's actually the other way. Yeah, right, dude. Nice try.
Exactly. Put in a "backdoor" (ala VMware tools, memory balloon drivers, or other such stuff that can talk to the host-side) and sooner or later someone will find a way to escape. Virtual machines can be cool and useful but there can be situations where they complicate the security threats you face versus bare metal. Spectre, Meltdown, and lots of side-channel low level CPU flaws have shown us that it's at least possible. If it's possible, then there is always the threat of really nasty exploit giving folks the ability to pwn the host machine or alter and/or read info/data/files in another VM. You also make the point about Bitcoin mining. There's a new threat that is somewhat resistant to traditional security measures. Sandboxing doesn't really have a well-cured answer there, either.
Years of watching Jurassic Park and I still love Silicon Graphics (it's a Crimson they have there - I have a Tezro and 3 other SGIs), the Mac Quadra 700 (I have two of them), and Thinking Machines supercomputers (hehe, I don't own one of these!). I love that freakin' movie.
The thing that stands out as being most effective in that bevy of countermeasures is NoScript. It's amazing how willing folks are to run un-trusted code from people with strong motivation to track and monetize you. You've just described what I do already, now. The only difference is that, in addition to the measures you describe, I have a script that removes the entire ~/.mozilla directory and then re-creates it from a minimal backup that just restores my bookmarks and the aforementioned security plugins. I had to go that far because I was still finding turdlets even after all that. It's frustrating that even the efforts at sandboxing I've seen so far aren't as complete as this psuedo-manual "browsing rig" we are doing now.
Your solution is a good one, but it's a lot of hassle. QubesOS has it all streamlined, but using paravirt with Xen is a bit of a misfit when I've used it. I'd rather see a solution built around LXC or OpenVZ. However, I guess there already are some efforts in this direction that have made progress. I suppose it's mostly a matter of preference in terms of what method to implement the key is making sure no trace is left for the bad guys to follow.
No, but it looks like they have the right idea. I'm just not on Windows very often but I will give it a shot sometime when I am. Thanks for the pointer. After years of just using NoScript and 'rm -rf ~/.mozilla' there has to be some kinda better way. However, my ability to trust a browser at this point will have to be after several test browsing sessions to see what turdlets it leaves afterwards when I examine the filesystem (and registry if it's Windows).
Years of watching various "sandboxing" fails has convinced me that you are probably right.
The only wife I need to hide from is yours... but hey, just kidding, haha. It's hilarious right?
Yeah, I'm sure low-level file and cross-tab Javascript security in all browsers are just a matter of learning hotkeys. Garsh, why didn't we all just ask you to fix the issue for us?
That's the lamest attempt at backpedaling I've seen in 2018. You deserve a prize.
I want every single tab I open to be like a baby finding itself in a brand new world every time. I want no cookies to cross reference (yes, I am willing to login every time). I wish for no resources available for Javascript trying to find clever ways to spy and screw with things outside of that "sandbox". I want that tab to feel like it's running on a computer that was just whisked into existence for that one task only. When I close that tab I want (at least on the local system) for it to be like that never happened. Don't leave cache files, ghost cookies, cookies, or alter the system in one single goddamn binary bit that can be tracked later on. I know "private browsing" claims to do a lot of these things, but then you find out later that it really doesn't or that there is some tracking. However, I gotta say, my current method works pretty well. I just keep a bookmarks file that I occasionally import/export when needed. Then I use 'srm' (secure rm) to wipe every file and directory that the browser altered when it was running (inside of a jail, usually). It's not that I have all kinds of stuff to hide, I just hate being spied on by automated "eyes".
Yeah, and "the sky is blue" is every bit as self-evident as "Microsoft is a bunch of good people now." ... dumbfuck. Sure. Yeah. Keep sellin it. Play those two statements off as being equally credible. It'll totally work for anyone 8 years old and under without a shred of reason. Ever heard the statement "Extraordinary claims require extraordinary evidence" ? Well... "the sky is blue" isn't going to cut it when making rainbow & unicorn statements about Microsoft, dumbass. On the 1 to 10 scale of logical arguments I'd rate yours at "1".
Oh, well, no proof or evidence of that is needed for your claim at all. You can just say it and *POOF* it's true. They should just get the benefit of the doubt after decades of evil since they've been so good lately, adopting Bash and OpenSSH, huh, Bill? Hey everybody, did you hear ? M$ is awesome now, Thegarbz told me so! I swear... your next post will ask me for links evincing that Microsoft has ever been evil... Pathetic.
Dude, you can't make shit up then argue with yourself. Well, you can, I guess, but I won't participate in that. I never said half the shit you are straw-manning up. At this point you are just arguing with your own lack of reading comprehension. Like I said, you are high and a bit retarded. I'm sorry the world is too complex for you.
Life is good, man. I ain't bothered by you, him, or fuck all else. *shrug*
You are high. Nobody cares if you think single-factor-use-your-face is a great idea except other people wearing black turtlenecks and hornrims using consumer grade devices and having no actual need for security beyond "good enough" which is all it's meant for along a continuum of smartphone options (mostly poor ones). You have apparently never heard of costumes, impersonation, sculpture, 3D printing, fiberglass, fake hair, latex, disguises, actors, or any number of other zillion year old "technology" that can be deployed fairly readily to foil it, no "6 tries" needed. You must have been down for nap-time when story after story hit the net about facial recognition being fooled easily by photographs and other simple measures. The newest tech is better, sure, and FaceID is more sophisticated than some, but not infallible and not nearly good enough to rely on as a sole factor for anything beyond impersonal casual security where no other security would have been used otherwise. You keep bringing up "humans authenticating" one another by their faces. It's pathetically simple minded to conflate recognition with authentication and overlooks a very obvious flaw: humans get fooled all the time! Easily! Again go look up "costume" or "disguise" or "make up" and blow your mind with some new ideas you appear to have never encountered before!
Someone needs to probe deep into this digging to the bottom, checking the proper crevices and getting the hard facts no matter how long they may be or who gets stiffed in the end.
Those are good ideas. It's pretty tough to believe a skilled sculptor couldn't reproduce someone's face/head quickly and with cheap materials using just a simple photo. They usually start with Styrofoam then use clay, waxes, and other items to make the face look realistic. Ever been to a wax museum? I seriously doubt you'd need to be even close to that skilled to fool a smartphone. After all, the phone has to be pretty forgiving to work for the person in different outfits, hats, weather, etc... I've known several artists that I'd bet money could do it in just a few hours work with cheap easy-to-source materials. However, if one added blinking, temperature, and other biologic factors it suddenly gets harder. It still wouldn't be impossible. You would just need to switch to using real people with cosmetic/prosthesis to make them look like the victim you want to impersonate. You just gotta make sure you start with someone who's skull is the right size. However, every additional metric you check for makes it harder.