Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Stealthier Internet access
From: Christian Sciberras <uuf6429 () gmail com>
Date: Tue, 25 May 2010 22:58:57 +0200

By the way, as to EFF's "research" everyone is bragging about; it's no big
deal.

I mean, seriously, I present my clients with a PDF download page only if
their browser can't embed it. How did I do it?
Some magic ultra-secret javascript to detect which browser plugins are
installed and mime-types supported.

Come on, this isn't like something born yesterday, we've been browser
sniffing for the last century or so (for good, bad or outright lame
reasons).
There are cases where certain websites need to mimic the client's OS theme
(no, don't mention superantivirus :) ).

What else? Geolocation? Ask the marketeers (Google) they've been living off
this info for years.
Plugins, VB, AJAX, ActiveX...what's the big deal about them?
We (web developers etc) can't treat our client (casual web users) as
"anonymous useless crap" (sorry, but in the eyes of  marketeer that's what
someone with a dead response looks like).

As to security? I'm sure this cannot be seriously exploitable. So you're
keeping a list of browser signatures, to which criteria exactly, IP,
cookies, sessions?
Let's say you have a signature base of over 2m, what are you going to do
with them?
This isn't like credit card numbers; it's the context that matters. And once
the user is gone off-site, the context goes away with him/her.


Lastly, why should it matter to us/you as security
enthusiasts/professionals?
Sure some adversary might keep a tab on your movements with your browser.
But wait a sec, where's your uber-stealth-tools gone to?
In fact, they're still there.

And let's face it, unless you're daft enough (and I would guess not) to run
over the net shouting "exploits", you wouldn't do so from a terminal running
WinXP and IE6.


My two cents.

Christian Sciberras.





On Tue, May 25, 2010 at 10:42 PM, Christian Sciberras <uuf6429 () gmail com>wrote:

Valdis, you're wrong.
Give me another century and I'll prove it to you.


:-)

On Tue, May 25, 2010 at 10:08 PM, <Valdis.Kletnieks () vt edu> wrote:

On Wed, 26 May 2010 01:25:25 +0545, Bipin Gautam said:

Rest of article actually looks good at first glance, but this jumped out
at me:

-Software disk Wiping:
 Wipe KEY, header of your encrypted storage volume (first few mb, ref
specific manual) Ref using Peter Gutmann standard of data wipeing (35
wipes)
And wipe entire storage using U.S. DoD 5200.28-STD (7 wipes)

There is zero evidence that anybody is able to recover data after even a
single overwrite of /dev/zero on a disk drive made this century.  Even in
the MFM days, Gutmann's recovery technique was difficult - today's
densities
render it essentially impossible.  Even if it's possible, if your threat
model
includes the sort of organizations that could theoretically do it, maybe
you
should be considering thermite rather than software wipes.  Especially if
they're pounding on your door. ;)

I'm more than open to hear of any *confirmed* cases of data recovered
after
even a single overwrite anytime after 1995.  To date, I have not seen one.
Prove me wrong, guys. ;)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]