lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 25 May 2010 22:58:57 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Stealthier Internet access

By the way, as to EFF's "research" everyone is bragging about; it's no big
deal.

I mean, seriously, I present my clients with a PDF download page only if
their browser can't embed it. How did I do it?
Some magic ultra-secret javascript to detect which browser plugins are
installed and mime-types supported.

Come on, this isn't like something born yesterday, we've been browser
sniffing for the last century or so (for good, bad or outright lame
reasons).
There are cases where certain websites need to mimic the client's OS theme
(no, don't mention superantivirus :) ).

What else? Geolocation? Ask the marketeers (Google) they've been living off
this info for years.
Plugins, VB, AJAX, ActiveX...what's the big deal about them?
We (web developers etc) can't treat our client (casual web users) as
"anonymous useless crap" (sorry, but in the eyes of  marketeer that's what
someone with a dead response looks like).

As to security? I'm sure this cannot be seriously exploitable. So you're
keeping a list of browser signatures, to which criteria exactly, IP,
cookies, sessions?
Let's say you have a signature base of over 2m, what are you going to do
with them?
This isn't like credit card numbers; it's the context that matters. And once
the user is gone off-site, the context goes away with him/her.


Lastly, why should it matter to us/you as security
enthusiasts/professionals?
Sure some adversary might keep a tab on your movements with your browser.
But wait a sec, where's your uber-stealth-tools gone to?
In fact, they're still there.

And let's face it, unless you're daft enough (and I would guess not) to run
over the net shouting "exploits", you wouldn't do so from a terminal running
WinXP and IE6.


My two cents.

Christian Sciberras.





On Tue, May 25, 2010 at 10:42 PM, Christian Sciberras <uuf6429@...il.com>wrote:

> Valdis, you're wrong.
> Give me another century and I'll prove it to you.
>
>
> :-)
>
> On Tue, May 25, 2010 at 10:08 PM, <Valdis.Kletnieks@...edu> wrote:
>
>> On Wed, 26 May 2010 01:25:25 +0545, Bipin Gautam said:
>>
>> Rest of article actually looks good at first glance, but this jumped out
>> at me:
>>
>> > > -Software disk Wiping:
>> > >  Wipe KEY, header of your encrypted storage volume (first few mb, ref
>> > > specific manual) Ref using Peter Gutmann standard of data wipeing (35
>> > > wipes)
>> > > And wipe entire storage using U.S. DoD 5200.28-STD (7 wipes)
>>
>> There is zero evidence that anybody is able to recover data after even a
>> single overwrite of /dev/zero on a disk drive made this century.  Even in
>> the MFM days, Gutmann's recovery technique was difficult - today's
>> densities
>> render it essentially impossible.  Even if it's possible, if your threat
>> model
>> includes the sort of organizations that could theoretically do it, maybe
>> you
>> should be considering thermite rather than software wipes.  Especially if
>> they're pounding on your door. ;)
>>
>> I'm more than open to hear of any *confirmed* cases of data recovered
>> after
>> even a single overwrite anytime after 1995.  To date, I have not seen one.
>> Prove me wrong, guys. ;)
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ