How legitimate is the Abine Do Not Track Plus add-on? Is it worth utilizing?

Kennering · 2012-05-25T09:30:39.501560+00:00

That was so many days ago I don't remember 100%, but it was roughly:

their privacy policy seems quite ok
but the license above and the way they pack the JS seems like they are seriously confused about something
haven't actually found any description as what it actually does (except some claims) - not enough time to unpack/beautify and read the code

Compare with Ghostery EULA, code etc.

welle · 3 days

They should rework the introduction page, since it doesn't say really anything substantial about the attack (demo video does not help at all). There are way too many details left out that are necessary for understanding that are only in the paper.

BTW needing unprivileged malware makes it quite impractical.

hanomalous · 11 days

It was generated by manual code review (see 1, 2)

mepper · 20 days

Few days ago we were joking that only thing worse than Adobe Flash is PHP. Aside from tons of vulnerabilities in PHP apps (partly due to bad language design), score for PHP this year is:

while making workaround for hashtable DoS (not fix!), remote code execution was introduced
while making fix for PHP/CGI remote code execution, they made a flaw in the fix rendering it worthless

It's vicious cycle - automated tools modify pages of vulnerable PHP apps/versions servers, many people get infected via drive-by downloads (Flash, Acrobat, Java mostly; occasionally browser exploit that almost always requires JavaScript for heap spraying).

I suggest to rename PHP to WTF (#!/usr/bin/wtf should be warning enough).

Though I'd say PHP and Adobe are about on-par.

Kennering · 21 days

I looked at the code of the script. It's not obfuscated, but it's packed.

NDA is a definitive show-stopper (present in every .js source):

/*
**********************************************************************************
 (C) 2008, 2009 by Abine, Inc. All Rights Reserved.

 This software is the confidential and proprietary information
 of Abine, Inc. ("Confidential Information"), subject
 to the Non-Disclosure Agreement and/or License Agreement you entered
 into with Abine. You shall use such Confidential Information only
 in accordance with the terms of said Agreement(s). Abine makes
 no representations or warranties about the suitability of the
 software. The software is provided with ABSOLUTELY NO WARRANTY
 and Abine will NOT BE LIABLE for ANY DAMAGES resulting from
 the use of the software.

 Contact license@getabine.com with any license-related questions.

 http://www.getabine.com

*/

ohet · 22 days

Thanks.

Is that going to work for Android 2.3? Latest cyanogenmod for HTC Hero (my phone) is 7.x (which is Android 2.3), haven't seen any CM9 test builds yet.

I have no problem flashing the phone to test it, but can't find anywhere whether it has alsa (and alsa drivers) or not.

B-Con · 22 days

Does anybody else think that "scare level" of BEAST is way overblown? Attacker needs to inject script in context of the attacked site, which makes it rather not much usable in reality.

ohet · 25 days

Thanks. By looking at the manifest, it also answers my previous question about Android version/API level.

securitygeek123 · 25 days

Yeah, several parts of the story don't add up:

They must've used some well-known method of embedding into substrate (e.g. a well-known program), since otherwise it's chasing "random-noise-looking" bits (assuming the password was used to derive encryption key).
Statistical methods might reveal existence of stego imprint, but that still leaves the question how are the bits of encrypted message mapped to substrate - Spatial domain? Frequency domain? Which frequencies? Any ECC used?
The guys surely thought "OK, I'll use stego and then raise two red flags at once - memory cards in underpants with porn on it - because everybody knows how much we are tolerant to porn!"

ohet · 25 days

I was curious since it's huge pain trying it out one-by-one. AOSP has tons of branches (based on Android versions):

git branch -a | wc -l         
64

Just for Android 4 there are several:

git branch -a | grep android-4
remotes/m/android-4.0.1_r1 -> origin/android-4.0.1_r1
remotes/origin/android-4.0.1_r1
remotes/origin/android-4.0.1_r1.1
remotes/origin/android-4.0.1_r1.2
remotes/origin/android-4.0.2_r1
remotes/origin/android-4.0.3_r1
remotes/origin/android-4.0.3_r1.1
remotes/origin/android-4.0.4_r1
remotes/origin/android-4.0.4_r1.1

ohet · 25 days

Was anyone able to build pulseaudio for Android? I tried it about a week ago, AOSP compiled OK, but the PulseAudio patches couldn't be applied.

The article also doesn't mention what (minimal) version of Android it should work for.

vamediah · 27 days

I'll try to make a more user-friendly version for both FF and Chrome (I admit it was a bit too hackish).

vamediah · 29 days

After many WTFs, I think I got the XPI working:

https://dl.dropbox.com/u/63034125/reddit-ssl.xpi

This one just adds the certificate exception for www.reddit.com. I'll try to find out whether it's possible for the addon to also install more HTTPS Everywhere rules. Then the user would just need to install HTTPS Everywhere and this addon, no hackeroo necessary.

BTW I added a note in the article to make sure the rules are active by clicking on the HTTPS Everywhere icon - I recalled that one of them was disabled by default originally (because of the certificate domain name mismatch).

vamediah · 1 month

Technicality - I was looking for a way to create a Firefox extension that would install the certificate (so that we could avoid the "untrusted certificate" step).

The relevant APIs are (nsICertOverrideService):

http://www.oxymoronical.com/experiments/apidocs/interface/nsICertOverrideService
http://doxygen.db48x.net/mozilla/html/interfacensICertOverrideService.html
http://doxygen.db48x.net/mozilla/html/interfacensIX509Cert.html
https://mxr.mozilla.org/mozilla-central/source/security/manager/pki/resources/content/exceptionDialog.js#362
@mozilla.org/security/certoverride;1

silx823 · 1 month

You're partially right. It's easier for some PGP keys than others. For example, verifying a Fedora key or key belonging to someone from Tor project is fairly simple:

Get key from keyserver
Google hash via encrypted.google.com
First result lead to the project pages via https
Browser will do the certchain validation, with Perspectives you'll get another "level of confidence" that the there is not MitM
You can check whois that those domains belong to the right parties (in case of EV/OV/IV cert, the CA asserts this as well)
For extra paranoia, extract the SubjectPublicKeyInfo pins from Chrome and compare the pubkeys in certs of torproject.org and google

So in cases like above, I have fairly great confidence I've obtained the right key.

On the other hand, some keys are almost impossible to verify - owner didn't publish fingerprint anywhere and key is self-signed. In that case one may try "network perspective" approach, i.e. download keys and/or the package via different paths (couple of Tor exit nodes, VPN...)

BTW an oneliner for getting the SPKI pin to verify against Chrome's pins (it probably can be made shorter/nicer):

openssl x509 -inform pem -in cert.pem -pubkey -noout | grep -v -e '^--' | base64 -d | sha1sum | cut -f 1 -d " " | perl -ne 'chomp; s/(.{2})/pack('C', hex($1))/ge; print $_;' | base64

silx823 · 1 month

There was a fairly recent paper at BlackHat 2011/DefCon 19 on using it for getting traffic for "bitsquatting" domains.

vamediah · 1 month

Because I want a simple feature that pulseaudio supports: any app on PC (be it mpd, vlc, mplayer...) can be set to have output to pulseaudio. Pulseaudio can be streamed over network to a pulseaudio client.

I originally wanted it mostly for videos - video on screen and sound over network to android.

vamediah · 1 month

SoundWire was mentioned in the xda-developers thread, but as I understand it, there's no server for linux, or is it available somewhere?

This SoundWire is different SoundWire, I presume (app is called JackTrip, last release in 2010).

ssladmin · 1 month

Sure, but that's trivial. I spent some time doing PhD in model checking and also some time as virus lab analyst.

All the interesting (and useful) applications are non-trivial. For example, it took me just 2-3 hours to put together few open-source components to make a Turing-complete environment with unrestricted network access that one highly-rated top-5 AV scanner didn't have any problem with. Well, the size was around ~100 MB, but I didn't bother at all "thinning it down".

I didn't even use any "attack" code like metasploit. It was purely an application of well-known complexity/computability/distributed-systems principles (PoC).

BTW almost all IT people in antivirus business were complete dicks. Generally even bigger egomaniacs/dicks than crypto people. But hey, "Have you heard of Goedel's incompleteness theorem and Turing/Church theorems? I bring you 60-year old news." is a great ice-breaker (aka "spirit-crusher").

yishan · 1 month

any idea what it would actually cost?

Not really (alienth didn't respond). I'd guess at most 2-3x times more (upper bound). One guy claims the cost "grows exponentially", but that does not even make sense.

I was thinking about creating an XPI (FF extension) that would make the necessary exceptions for people who do not understand cert validation and fingerprints (however, such addon won't get into addons.mozilla.org, they don't like such behavior for a good reason)

I'm not sure I'm buying the argument that SNI is not supported because of "imperfect client support". Well, if your TLS client does not support SNI, then two things are true:

that TLS client sucks, get another one
you'd use non-https version. Problem solved. "There - I fixed it!"

Note - my rule is completely custom, I've changed it a few times. It's not submitted mostly due to "unusability by general public" because of the bad CN. I'll need to check the "https-everywherization-possibility" of *.thumbs.redditmedia.com and I could ask for pull request (the rule would be by default disabled).

EDIT: There exist quick solutions with HTTPS proxy (something like BlueCoat, finally it can be actually used for good), but I haven't checked how much do they cost (there is wide range of such devices). It's hard to guess the price if I don't know their network topology closely enough. My "educated opinion" is that if they really wanted to have an experimental test support for some test period, it wouldn't be that much costly to deploy some hackish solution first (real solution later). Maybe they are short on manpower, too.

EDIT2: if you wanted use the rules above and make an exception, here are certs you should check against (full certs + fingerprints): http://pastie.org/3829158

nonprofiteer · 1 month

Which GUI can do the steps above in minimal number of steps? I know about Kleopatra and Enigmail GPG frontends, but neither can do the google step.

nonprofiteer · 1 month

Enigmail makes a lot of stuff easier, but whenever I have to do something on commandline - an operation I haven't done in a while - it's UI nightmare (even with help of zsh-completion).

Following use case is driving me quite mad:

download tarball
download signature (so far so good)
gpg --verify #unknown key
gpg --recv-keys (why the hell can't it work with --fingerprint?)
gpg --fingerprint
google the fingerprints and/or check from other gpg signatures (--check-sigs)
gpg --edit-key
set trust
lsign (depending...)
gpg --verify
tar xzf (AAAAAH!HHH!)

Yesterday if enfuriated me enough to decide making a small program for automating that (cmdline with QtWebkit for google output).

If you want to "normal" people use crypto, show them TLS and/or OTR (but don't rely on "plausible deniability" of OTR - does not work IRL).

EDIT: add 6b: bash your head on the table for "how the fuck is it possible that a repository owner doesn't publish key fingerprint anywhere and has it only self-signed"

yishan · 1 month

SSL on Akamai drives up the cost exponentially

Exponentially in respect to what? Node count? I.e. what it the variable that is operand of the exponential function? Or is it meant figuratively?

SSL proxy isn't an option because you lose the entire reason for putting Akamai infront of your site.

Not true, that's what I'm actually doing by using the specific HTTPS Everywhere rules (I just needed to accept few certs with wrong CN).

I tried to guess parts of the topology (based on a few queries) - https://imgur.com/a/C7RQc

First picture is the actual status (plain http for client), second is "eclipsing DSA" with really dumb HTTPS proxy (pool) that just has the proper cert (and bandwidth/CPU must be adequate to traffic).

The solution with HTTPS proxy requires custom domain, does not require any changes to existing server infrastructure. Fixing human-generated reddit.com links could be made by HTTPS Everywhere rule. (I omitted in the picture that the proxying would be necessary for Amazon as well.)

By testing out the above "solution" for some period "SSL-crying crowd" will get SSL (without warnings), it won't eat trough your budget and you'll have some numbers of hom\w much traffic, costs, etc.

If you draw me a more realistic network topology (by hand is good enough) I can think of a solution that's not so hackish.

reddit gold Since March 2012	Two-Year Club
Verified Email

vamediah

TROPHY CASE

you'll need to login or register to do that

create a new account

login