Lots Of Good Stuff

by Bryan

15 comments

1 Badtux { 08.08.13 at 3:30 am }

I was surprised that they actually flipped the switch on the Tor takedown. I’ve been pretty sure for quite some time that Tor was compromised, and even had a good idea of ways to compromise it, to the point where I would use Tor only for things that I was trying to protect against private parties spying on me because there was a 50% chance that any communications I sent through were being tied to me by the NSA. But the thing is, now that they’ve leaked the compromise, it’s over. Nobody’s going to use Tor for anything serious ever again.

Note that the Tor bundle does not enable Javascript in the bundled Firefox browser, so if you used Tor as delivered by the EFF, you were immune to the drive-by Javascript exploit. Still, the fact that 50% of the nodes in Tor are owned by the FBI means its usefulness is clearly limited.

All in all, my reaction to recent news is a resounding WTF?

2 Bryan { 08.08.13 at 11:37 am }

It was pretty much an open ‘secret’ that TOR was compromised to some extent, but they have been blowing up real assets all over the place, as well as admitting to the ownership of various malware. It’s a meltdown.

They have to be attempting to justify their TIA/Big Brother operation, but they are destroying useful tools, and pissing off a lot of people in the process.

3 Kryten42 { 08.08.13 at 11:59 am }

Extremely stupid, but completely unsurprising.

Badtux: A correction about Tor. 🙂 Tor *does* enable JS via NoScript. From the FAQ:

Why is NoScript configured to allow JavaScript by default in the Tor Browser Bundle? Isn’t that unsafe?

We configure NoScript to allow JavaScript by default in the Tor Browser Bundle because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if a website they want to use requires JavaScript, because they would not know how to allow a website to use JavaScript (or that enabling JavaScript might make a website work).

I’m an expert! (No, really!) Can I configure NoScript to block JavaScript by default?

You can configure your copies of Tor Browser Bundle however you want to. However, we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser.

I can see their point… But it’s a bad idea, and the problem they point out easily avoided. Firefox fingerprinting (giving your User-Agent details) can be avoided a couple of ways. There are currently 4 ways that FF blabs about your details (browser & OS details). The easiest is to use an extension that changes your UA such as ‘User Agent Switcher’, which has a huge list of UA’s (an xml file d/l from the home site). Another thing you can do is use another extension that spoof’s the ‘referer’. 🙂

Depending on my mood on a given day, or the type of sites I’m visiting, I generally use one of these as my UA:

Mozilla/5.0 (DR-DOS 7.03; rv:24.0) Gecko/20130101 Firefox/24.0
Opera/13.20 (GEM/5; DR-DOS 7.03) Presto/2.12.388 Version/13.20
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20130101 Firefox/24.0
Opera/12.80 (X11; Linux x86_64) Presto/2.12.388 Version/12.13
Mozilla/5.0 (Linux; U; Android 2.3.5; zh-tw; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
msnbot/1.1 ( http://search.msn.com/msnbot.htm)

None of which would have tripped that (and many other) JS exploit since they usually check for your Browser type/version and OS (since most target Windoze, though there are also exploits for Linux & even OSX).

Even if I did trigger an exploit of some kind, I use a sandbox and VPN, and have a strong Firewall, IDS & AV. When I’m not using my win box (which has Sandboxie), I use my fast USB3 pen drive with Tails installed. 🙂

Am I paranoid? You betcha!! Having worked in Intel/Security, I know for a fact “They *ARE* out to get you!” And no tin foil hat needed, as Americans are finally realizing! (Something which most Chinese, Russians etc. have taken for granted for decades). 😈

The thing with tor is that you need to be aware and careful of certain .onion servers/routers. I am sure some are run by various Governments/agencies. Generally, I try to stick with those on Bridges (Bridge Routers) as they are not listed in the public Tor directory and so have an extra layer of security, such as it is. 😉 Whenever I need to use Tor, which isn’t much these days anyway.

Other things I do to avoid fingerprinting include spoofing my MAC address and of course my IP (which since I use a VPN and high-anon Proxy is kinda gilding the lilly). 😉 But I am a professional paranoid! 😆

Why do I bother? And i doing *naughty* things in the Internet (Heaven forbid!) 😮 Nope. I just like to annoy the hell out of all the moronic spooks out there that think people who want to ensure their privacy (sorry, I should say *hide* which is what I’m doing in their hypocritical eye’s) MUSt be doing bad things! ’cause, ya know… If you are doing nothing wrong, ya got nuthin ta hide! Right? 😉 Of course, this conveniently ignores that most Corporations are totally crooked and would give their CEO’s teeth to get all your lovely private data! 🙂

Oh, one last item from the Tor FAQ:

Is there a backdoor in Tor?

There is absolutely no backdoor in Tor. Nobody has asked us to put one in, and we know some smart lawyers who say that it’s unlikely that anybody will try to make us add one in our jurisdiction (U.S.). If they do ask us, we will fight them, and (the lawyers say) probably win.

We think that putting a backdoor in Tor would be tremendously irresponsible to our users, and a bad precedent for security software in general. If we ever put a deliberate backdoor in our security software, it would ruin our professional reputations. Nobody would trust our software ever again — for excellent reason!

But that said, there are still plenty of subtle attacks people might try. Somebody might impersonate us, or break into our computers, or something like that. Tor is open source, and you should always check the source (or at least the diffs since the last release) for suspicious things. If we (or the distributors) don’t give you source, that’s a sure sign something funny might be going on. You should also check the PGP signatures on the releases, to make sure nobody messed with the distribution sites.

Also, there might be accidental bugs in Tor that could affect your anonymity. We periodically find and fix anonymity-related bugs, so make sure you keep your Tor versions up-to-date.

*shrug* I’d tend to give them the benefit of doubt. However, since I trust almost nobody, and for good reason… 😉

4 Kryten42 { 08.08.13 at 12:04 pm }

Oh… I should mention:

FireFox is currently at Version 23 (as of yesterday). Why are people still using V17 anyway? That was released Nov 2012 (from memory). And that vulnerability was fixed in v17.0.7 (or something like that).

Seriously…

5 hipparchia { 08.08.13 at 7:51 pm }

when i first looked at doing something to thwart the spies, corporate and others, i was excited about tor. then i read the description a little more closely and thought oh yeah riiiiight, no bad guy is ever gonna take advantage of this! /snark

6 Bryan { 08.08.13 at 8:43 pm }

Hipparchia, it is a matter of balance – I’m less concerned about ‘individual entrepreneurs’ than governments and corporations. The ‘bad guys’ are rarely as clever as they think, and get sloppy, so they get caught eventually.

Who still uses V17? The ‘bad guys’ and ‘tourists’, Kryten. The BGs don’t take the time to keep things up-to-date, and the ‘tourists’ don’t realize they should. FF does it automatically unless you stop it, so there really is no excuse, not to be current on everything.

People who don’t update their software are the breeding ground for malware. Even worse are the ISPs who don’t stay current with patches. Most software providers patch as soon as they become aware of a problem, but if their users don’t update, the script-kiddies can play.

I have people who continue to send me HTML e-mails, even though I made it plain that I wouldn’t look at them as anything but text, because I’m not interested in cleaning up after a virus. A couple of these people have forwarded malware to me, and I have called to tell them they need to contact the people they sent it to and apologize for being stupid. They are the kind of people who use the free anti-virus software supplied by their ISPs, and never upgrade their machines.

If I intended to do something strange, I certainly wouldn’t do it with my equipment, when there are so many other options available.

I wonder how many ‘Net cafés got droned as a result of that conference call?

7 hipparchia { 08.08.13 at 10:59 pm }

I’m less concerned about ‘individual entrepreneurs’ than governments and corporations.

govts and corps would be who i had in mind when i said bad guys.

8 Bryan { 08.09.13 at 12:10 am }

Touché! 🙂

9 Badtux { 08.09.13 at 2:32 am }

I think V17 is what was bundled with Tor, and did *not* have auto-updates turned on.

As for why not use newer versions of Firefox, they break too much stuff. Why, they even removed the blink tag from the newest version! I find the latest Firefox to be utterly useless. I have better luck viewing sites with Internet Exploder 10 than Firefox 22, that’s how bad it is.

10 Kryten42 { 08.09.13 at 4:44 am }

LOL @ hipparchia! You got that right!! 😀 😉

Yayyyy… About time that useless throwback *blink* is gone! And good riddance to bad rubbish! 😀

Every browser that’s updated breaks things. *shrug* And IE is the worst offender in that group. 🙂 What I like about FF is that I can get into it deeply and fix things myself. And yes, I know I’m in a minority there. Hell, I still use the ‘CustomizeGoogle 0.76’ extension, even though Google pressured the developer & Mozilla to kill it. It’s officially unsupported since 2008 (FF 4 or thereabouts) and Mozilla removed the ability (officially) to disable FF extensions version checking since about v17. But of course someone created a small extension to add the code back into FF to re-enable that option. 😆 I find that CG is one of the most important extensions for FF I use! The main reasons are that it anonymizes the Google cookie UID, creates bogus GAnalytics cookies, forces all Google sites to use HTTPS (Search, GMail, News, Images, Groups, products, Books, etc), and a great feature for my searching is that it add’s links to other search engines, Google’s Cache and the Wayback Machine. It’s a shame the developer was forced to stop developing it. But it still does most of what I need.

Extensions I use include: Adblock Plus/ABP Popup Addon/ABP Element Hiding Helper, Better Privacy, NoScript, Ghostery, UA Switcher, RefControl, Masking Agent, MaskMe, FlashBlock, Facebook Disconnect, Cookies Manager+, Clear Console, Extended Statusbar, Session Manager, Memory Fox, MAFF + UnMHT, TooManyTabs, & very strong password manager. 🙂

I also use HostsMan to modify my hosts file to block (redirect to 127.0.0.1 – ‘localhost’) about 47,000 bad or very annoying sites which speeds up my browsing a lot. If I ever *need* to visit or use one of those blocked sites, I can easily temporarily disable the hosts with just a button. I use these list mainly (plus a bunch of my own IP’s): MVPS, hpHosts (Ad & Tracking servers), Peter Lowe’s AdServer List, Cameleon, Malware Domain List. These are all independently validated and have been around for years. One of the great features of HostsMan (apart from being free), is that it removes all dupe’s, changes 0.0.0.0 -> 127.0.0.1 in the lists, and rearranges the Hosts file to put several domain’s per line to speed things up even more. You might think it would be slow because Hosts would be huge, but with the optimizations via HostsMan, it’s less than 1MB (without HM, it’s over 1,5MB). HM also manages the DNS client service (things like flushing the cache when it get’s polluted or old).

All that said, I also use Opera (v15), Chromium (v30) and even IE 9/10 (oh, and when I get really paranoid or I just *feel the need for speeeeed*, I use QtWeb & PaleMoon!) 😉 😆

I use whatever is necessary for my needs at any given time. If it works (the way I want), I’ll use it. 🙂

Also, people who use Tor, if they had updated when advised (June 26th) to v2.3.25-10, wouldn’t have been vulnerable to that exploit, and kudo’s to Tor for actually being ahead of that exploit. 🙂 If people didn’t take the advisory seriously… That’s their problem. *shrug*

I’m a beta tester (*official* beta tester I mean) for a few companies. At the moment, I am testing “Internet Security 2014 Beta’ for F-Secure, Zemana AntiLogger v2 beta, and another I can’t name (NDA). I’ve been beta testing s/w for more than 20 years (I was an official developer for Netscape Comm’s early 90’s until they lost the plot and I waved bye-bye. I told them they wouldn’t last long. *shrug*).

Hell, I still receive the Apple Security-announce Digest (currently Vol 10, Issue 15, plus the weekly Apple/HP/others Support Updates), SCAMwatch alerts and several other security digests. So I *know* what’s going on, and I am very good at patterns and trends analysis. 🙂 Forewarned is forearmed. 😉

I’ve never had a compromised system (not just home, that’s easy, but companies I’ve had or worked for, including 2 ISP’s). I take security *very* seriously, and people who give it lip-service, deserve what they get IMHO. It’s an evil, nasty World. Get used to it. *shrug*

I used to get paid a *lot* of money to do security audits (my last one was over $120k + expenses for an Insurance company a decade or so ago). I got tired of all the traveling and stupid internal politics and incredible ignorance of supposed *experts*! I also got tired of doing the work, and having it tossed in a corner because all they wanted was to be able to say to the regulators they’d had an audit done and it’s all good. I did an audit for a major Bank regarding credit fraud. At that time, they were handling around 9% fraud. I did the work and showed them how they could lower that to less than 4%, and I was told by a Director that they could live with 14% fraud because they just pass it on to the stupid customers and it’s not worth their wasting profit’s on until it get’s higher than that!

I got very tired of working my ass off to tell companies how to keep themselves & more importantly (to me), their customers safe, only to be told “Thanks. But we can afford it. Don’t let the door hit you on the way out.” What they mean is “We can afford it because our customers are powerless and stupid and we just pass the cost on to them. No problem.”

My main system here has my OS, app’s and data stored in TrueCrypt redundant hidden volumes using Twofish-Serpent cyphers in cascade, & Whirlpool (ISO, or 3rd gen) hash. It uses a hardware key which has to be connected to authenticate (but it looks like another *ordinary* device and I have several that are just that. Obfuscation is important in security), even if the passwords are known. I have redundant copies of the key (hardware does fail).

See… paranoid! 😈 😆

With good reason.

11 Bryan { 08.09.13 at 4:50 pm }

I stay within a limited range of sites on this machine, so I don’t worry about it much. If I’m going to do something ‘sporting’ I have another machine that I use that I regularly reformat and reload. Old equipment serves a purpose and lives on.

On this machine I dump history, cache, cookies, etc. every night at shut-down, and that is because of the annoying ads for things I’ve looked at during the day that keep popping up wherever I go. It is only slightly inconvenient to sign in daily. but not as annoying as adds for something my Mother asked me to look at for her. A man can only handle so many Engelbert Humperdinck ads before mayhem ensues.

If I was still working on a regular basis, I would go full bunker on connecting. and be on a VPN, but I don’t need to do that anymore.

12 Badtux { 08.10.13 at 7:29 pm }

I was being sarcastic about the blink tag, Kryten :). Still, the latest Firefox breaks an astounding number of sites that work just fine with Internet Explorer 10, Chrome, or even Opera/Konqueror/Safari. The IPMI baseband in my Supermicro servers requires a web browser to access it and easily monitor things (there are CLI tools that you can run from Linux, but they are woefully bad). Works fine in every browser in my toolkit… except Firefail.

Regarding going to sites that I am dubious about, I usually wget them and examine the HTML for suspicious things ;). Then if I think it’s legit I’ll snapshot a virtual machine and go to it from the virtual machine — then roll back the virtual machine once I’m done just in case. Now that I have my new (to me) server with 48 gigabytes of memory and 24 terabytes of storage and dual quad-core Westmeres (yes, two generations old thus why the bare chassis and motherboard was being sold for pocket change, but still works fine), I can spin up virtual machines like crazy without even breaking a sweat memory and storage-wise.

13 Kryten42 { 08.11.13 at 7:14 am }

LOL I know you were m8. 😉 Nobody with a brain could like that stupid BLINK tag! I was being… enthusiastic. LOL 😉

If I’m suspicious (or curious) about a site, I use a ripper/spider (Teleport Ultra). It has some very useful features that make it a good tool for the security toolbox. 🙂 It will parse the Java/JS of a site and grab any links in the code for one thing. Though I have and do use wget for some things. Even on Win. I use it to gram the M$ updates actually. 🙂

14 Kryten42 { 08.17.13 at 9:20 am }

Been meaning to add to this, but been kinda hectic the past week.

One of the other reasons I prefer FF is because of teh EFF’s HTTPS Everywhere (which is now in Beta for Chrome based browsers). 🙂

Mozilla had removed the old padlock icon from the FF address bar used to indicate secure (HTTPS) or non-secure (HTTP) protocol/addresses. FF now has the padlock back, and also tints the left side of the address bar green or blue. If you mouse-over the padlock, it will tell you who the Verification Authority for the HTTPS is (if there is one). Nice. 🙂

PS: I see that the EFF’s new member drive was very successful! 2479 new paid-up members, thanks to the NSA!! Yayyy! And the TeaBaggers say Gov is no good for Business! LMAO

15 Bryan { 08.17.13 at 4:25 pm }

Every browser has strengths and weaknesses, and the ‘best’ is the one that does what you want, the way you want to do it. There are still sites that I need to access that will only work correctly with IE, so I have to use it once a month to deal with that issue to pay a bill. C’est la vie 🙁

I like Chrome, but I just don’t trust Google, so I don’t use it whenever I can avoid it.

Yes, people are catching on to what’s really going on, and they are not happy about it. Those groups and organizations that have been warning about the problems are starting to benefit from the backlash.