What kind of information sends your computer out?

Discussion in 'privacy general' started by true north, May 15, 2007.

Thread Status:
Not open for further replies.
  1. true north

    true north Registered Member

    Joined:
    Dec 14, 2006
    Posts:
    159
    Hi there,

    here is a blog about a privacy conference that is quite scary:
    http://blogs.zdnet.com/security/?p=197

    Has anyone a clue to counter this flow out of privacy informationo_O?

    true north
     
  2. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Don't know if it's my browser (or config) but I was more surprised by the lack of info given. Opera is not my default-browser, so that might be part of the reason that some things were not picked up.:thumb: :thumb:
     
  3. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Heh, no info on mine, just an abusive line saying

    'Turn on JS, numbnuts'.
    :p
     
  4. herbalist

    herbalist Guest

    I didn't even get that much. There's nothing at all under the "Master Reconnaissance Tool" heading, and I have Java and JS enabled. Good old Proxomitron.
    Rick
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,791
    Location:
    Texas
    Brilliant program to this day.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Be sure and read the comments following the blog, especially:

    "Here's my results - and how to better protect yourself."

    Also, look at this thread, especially LWM's posts and his link to an earlier thread:

    https://www.wilderssecurity.com/showthread.php?t=174453

    And rightly so, because of the way the article is craftily constructed. This type of journalism has become almost a genre in itself.

    Think carefully of the impact of the language and the flow of content. ("loaded" words in bold)

    Title:
    Leak: to allow to become known, as information given out covertly.

    The information given out by the browser is not covert, it is overt, and this is widely known. See threads referenced above.

    Opening Statement:

    Very descriptive writing, setting up the reader with fear, uncertainty, and doubt as to what might lie waiting for her/him in what would appear to be the dangerous swamp called the internet. The reader is likely to pass quickly over the word "could."

    There are the obligatory references to experts giving a paper at a conference. (Look for numerous quotes from Joanna Rutkowska's appearance later this year at the Black Hat Conference)

    Data is presented, and we learn that:

    How would breaking into the machine be accomplished? We are left in the lurch to imagine the worst. The comments about Wifi are too general, and known exploits have occurred where user security has been either too lax or non-existent. See references in the blog comments.

    Now, many of these experts are knowledgeable in their field, and have contributed much to understanding how exploits work. But by culling statements from their presentations for their sensational impact, and leaving it at that, gives the reader nothing on which to base an analysis and think about security. Mentioning the dreaded XSS attack helps too.

    Now, we have something: a social engineering element has been add to the pot.

    Left unsaid: when and how does he find you to make this attack? There may be something here that needs to be dealt with, but we are given nothing of substance.

    Concluding statement:

    Really?

    This type of journalism with similar articles and titles certainly attracts many readers to the site, but one has to question, of what use is it on a site devoted to technology? Of greater interest to readers would be bringing in people with solutions and more analysis. Here, we have just one side of the discussion and one point of view.

    I'm sure that when a sample attack surfaces, ways of securing will become readily evident in addition to those mentioned already.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,791
    Location:
    Texas
    Excellent post Rich.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    What he said!:thumb:
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Ron and Pedro.

    -rich
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    What they said ... and more.
    Experts say ... hah!
    Cheers,
    Mrk

    P.S. Turn on the javascript to see the demo... uh oh... really...
     
  11. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    If my computer hears about a $50 DDR400 2x1GB. Otd, no rebate, Crucial, OCZ or Patriot brand & CAS2 RAM deal.

    I think my computer would bust through my front door.

    I'd have to chase it down the street. :D
     
  12. itsmej

    itsmej Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    109
    Location:
    Australia
    here is a blog about a privacy conference that is quite scary:
    http://blogs.zdnet.com/security/?p=197

    Has anyone a clue to counter this flow out of privacy information

    Well What a load of rubbish Who ever made it has no idea or rather is scare mongering .simple answer to this junk and so called test out links ,Don't have Java running ,as thy The test site want it enabled ,i got Nil responce and as far as as soon as your pc turns on it sends out , Ehhhhh , "Umm teh" -- ok but first one has to be on the nett ! i see a few valet pionts made but hy could be less scary to a new reader! and this cant do a thing about it ,Mmmm think the fella should jion here and learn !
     
  13. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I use Proxo with Sidki's latest configs but that page Master Reconnaissance Tool told me a lot of stuff Fx reveals. Most of it I know it reveals. How did that site know though what sites I visited a month ago? They looked at Fx history?

    Plus, why would they report that I have LocalRodeo plugin for Fx? I had never heard of it and I certainly don't have it! I had to do a search to find out what the heck it is. They also say I have Java enabled. I don't. I don't have Sun Java.
     
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    I put that page to Trusted Zone and it showed no info (in IE it is possible to choose, which javascripts to enable & disable, so it is not just enable & disable javascript). When I set Trusted zone to Medium-Low I got this popup and after I acepted it, it showed some info.

    Rich is absolutelly right, there is no reason, why anyone should bothered about that info being revelead, it is not like revealing credit card numbers. If someone wants to protect that info by slowing down his internet using proxy, it is his choise. By the way, I have enabled error reporting, anonymous info sending to MS, Google and I know, that some software on my PC call home, since I have no outbound protection, and it does not bother me at all. I have nothing top secret at my PC, though they can find out, that my current hardware sucks. [​IMG]
     
  15. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I just tried that site in Maxthon with scripting set to prompt (I had it turned off originally). I could get no information in Trusted Zone or not. But the reason is a scripting error on the page. I hate IE. IE6 is as bad as IE5.5 on my older 98SE machine. Constant scripting errors. I was curious though to see what would be revealed about IE.

    I still don't understand how that page can claim I have localrodeo plugin for Fx when I don't. Plus, it also claims I have localrodeo plugin for SeaMonkey and I don't.
     
  16. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    The Mr-T doesn't work on IE6. You can read the author's blog about it. It only works on IE7.

    As for it saying I have LocalRodeo installed on Fx and SeaMonkey, I started a thread at Mozillazine and got some interesting replies. One person explained everything about Mr-T.

    BTW, NoScript for Fx next version will incorporate what is in LocalRodeo.

    I don't know why everyone has been dissing the article. Actually, when you look into this, I am sure glad that I use the Proxomitron and Hostman. It was an excellent article ...not FUD either. You should be concerned with what your browser is revealing. I got my answers but not here which surprises me a bit.
     
  17. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    I'm not surprised at all, instead.
    I noticed many people here tend to overlook what is happening inside their browsers, as long as they've got antivirus, firewall and possibly a sandbox wrapped around their browsers. So anything marked as JavaScript related is either labeled as browser specific (my browser is safer than yours) or paranoid (my PC can't be hacked by a web page), and the info they give away is not considered precious unless it comes from the local filesystem.

    As I tried to point out in another thread, there's so much ongoing inside our browsers that we should keep our eyes opened wide even if we browse the internet in a completely isolated virtual machine.

    The fact is that much of our life is moving online, so having our web profiles compromised (webmail account, facebook, linkedin, myspace or whateversocialnetworkimaffiliatedto account, GtheNextGreatestGoogleApp access, not to mention tax filing or other government services, online banking, paypal and the like) can be just as bad as having our PCs 0wn3d.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    What they are criticising is the panic article without solutions. Worst, they state there is no solution. Nothing helpful is in that article.
    Rich approached it. Maybe you prefer to reply to his post?
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello elio,

    That was not the point of those criticizing the article.

    More useful would be more indepth discussions such as the one you started about XSS, with viable solutions suggested.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  20. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Pedro, my "most people" didn't include neither you or Rich, actually.
    Furthermore, I'm just arguing that this forum is probably not the first place to visit for web security advice (yet?).

    Rich's answer is actually very thoughtful and balanced.
    Nonetheless, if someone who's never been exposed to these "pure web" vulnerabilities could interpret it as a dismissal (move on, nothing interesting to see here). On the contrary, the not-so-apparent and maybe inconvenient truth is that the "solutions" he indirectly points out (like disabling JavaScript) are actually considered too much radical by many users of this board.

    Anyway, I think that rather than replying I could integrate it to a certain extent...
    I subscribe to this comment, which deserved to be linked, and especially to its final "rundown" and conclusions which deserve to be quoted:

    The link above is worth to explain and reassure about some "privacy jokes" and scaremonger sites, but is slightly off-topic here.
    MR-T is not a demo of the typical HTTP-headers munching server side script, and it definitely collects much more data than you expect to give away in your typical navigation session.
    Sure, we all consider "overt", for instance, our global navigation history, i.e. the list of the web sites we visited, let's say, during this session or even during this month...

    What about portscanning your machine or even your local network? How "overt" should a map of the services running in your PC, in your router or in a webserver inside your private intranet be?

    Just to be short, the aim of an article like that is not and should not be an in-depth technical discussion of how web-related security issues work.
    It may serve as an introduction and an awareness bell ring, but then, if you want detailed explanations allowing you to build a plausible defensive line, you are free to gather information elsewhere: the article itself contains a good link to start, RSnake's blog, and the MR-T's source code is itself the most instructive reading.

    Where the article falls short is to provide any advice to end-users, as Rich correctly pointed out.
    It doesn't mention NoScript or TOR, even if RSnake himself is a NoScript user ;)
    On the other hand, it seems most readers managed to figure out their conclusions anyway, so the piece wasn't that bad maybe...
     
    Last edited: May 28, 2007
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes, it serves the purpose of awareness, but not enlightment.:)
    Well, if you keep posting, we'll do better. I was compeled to give FF another go because of Noscript, after your discussions about XSS.

    Now i'm trying again Proxomitron, this time giving a damn about how it works. I can block scripts per site, but i don't know how/ if it counters XSS. Next i'm checking out Sidki's filters to see.
    This is because i like Opera a lot, but it lacks this kind of control.
    And this tool does a lot :eek: Proxomitron rules big time
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Elio,

    As a starting point for those here who haven't waded through that long thread, your description of the XSS types is informative:

    https://www.wilderssecurity.com/showthread.php?p=1002678#post1002678

    Also, these posts in the same thread by:

    fax Post 26

    and

    flinchlock Post 51.



    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In some ways this is true, because people get caught up in discussing products, rather than analyzing threats and developing strategies that lead to solutions. Herbalist hits at this often.

    Too bad, because ronjor posts articles almost daily that provide information about current exploits, trends in the industry, etc.

    Unfortunately, they aren't as popular as "Which is better" topics.

    EDIT: another difficulty is when a poster asks for advice. Without knowing the details of his system, his surfing habits, etc, it is often very difficult to give advice, because the intitial question often is, Would this product make me more secure?

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
    Last edited: May 28, 2007
  24. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    How true :D

    OK, let's fuel some "popular" discussion, then ;)

    Pedro!!!

    NoScript > Proxomitron (much greater, in facts) against JavaScript treats.
    Proxomitron just filters the textual content of the response, it cannot prevent script execution: there are several quite obvious ways to escape those textual filters (e.g. embedded event handlers, CSS expressions or bindings, encoded data: URLs and so on), so I'm fairly confortable stating that, generally speaking, Proxomitron cannot effectively block a malicious script.
    This is a job for NoScript.

    Once you convert to Firefox+NoScript, you can keep Proxomitron for content filtering (especially if you still use multiple browsers) or you may prefer switching to Firekeeper, which can do more or less the same (a bit more actually) but from the browser inside.

    Anyway, client-side protection from XSS is currently given only by NoScript.

    Inflammatory bottom line:
    Firefox+NoScript(+Firekeeper?) > Opera+whateveryouwant :shifty:
     
    Last edited: May 28, 2007
  25. Quill

    Quill Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    10
    I'm quite interested in this. As a long time user of firefox + Proxomitron (sidki) I'm curious about the alternatives. From what I gather, to simulate the proxomitron environment using fx extensions, I'd need:

    Adblock (Plus) + Filter set
    noscript
    greasemonkey + scripts
    Firekeeper

    Would using the above be a better option than Prox now, pros/cons?
     
Loading...
Thread Status:
Not open for further replies.