Full Disclosure mailing list archives
Re: Stealthier Internet access
From: Christian Sciberras <uuf6429 () gmail com>
Date: Tue, 25 May 2010 22:58:57 +0200
By the way, as to EFF's "research" everyone is bragging about; it's no big deal. I mean, seriously, I present my clients with a PDF download page only if their browser can't embed it. How did I do it? Some magic ultra-secret javascript to detect which browser plugins are installed and mime-types supported. Come on, this isn't like something born yesterday, we've been browser sniffing for the last century or so (for good, bad or outright lame reasons). There are cases where certain websites need to mimic the client's OS theme (no, don't mention superantivirus :) ). What else? Geolocation? Ask the marketeers (Google) they've been living off this info for years. Plugins, VB, AJAX, ActiveX...what's the big deal about them? We (web developers etc) can't treat our client (casual web users) as "anonymous useless crap" (sorry, but in the eyes of marketeer that's what someone with a dead response looks like). As to security? I'm sure this cannot be seriously exploitable. So you're keeping a list of browser signatures, to which criteria exactly, IP, cookies, sessions? Let's say you have a signature base of over 2m, what are you going to do with them? This isn't like credit card numbers; it's the context that matters. And once the user is gone off-site, the context goes away with him/her. Lastly, why should it matter to us/you as security enthusiasts/professionals? Sure some adversary might keep a tab on your movements with your browser. But wait a sec, where's your uber-stealth-tools gone to? In fact, they're still there. And let's face it, unless you're daft enough (and I would guess not) to run over the net shouting "exploits", you wouldn't do so from a terminal running WinXP and IE6. My two cents. Christian Sciberras. On Tue, May 25, 2010 at 10:42 PM, Christian Sciberras <uuf6429 () gmail com>wrote:
Valdis, you're wrong. Give me another century and I'll prove it to you. :-) On Tue, May 25, 2010 at 10:08 PM, <Valdis.Kletnieks () vt edu> wrote:On Wed, 26 May 2010 01:25:25 +0545, Bipin Gautam said: Rest of article actually looks good at first glance, but this jumped out at me:-Software disk Wiping: Wipe KEY, header of your encrypted storage volume (first few mb, ref specific manual) Ref using Peter Gutmann standard of data wipeing (35 wipes) And wipe entire storage using U.S. DoD 5200.28-STD (7 wipes)There is zero evidence that anybody is able to recover data after even a single overwrite of /dev/zero on a disk drive made this century. Even in the MFM days, Gutmann's recovery technique was difficult - today's densities render it essentially impossible. Even if it's possible, if your threat model includes the sort of organizations that could theoretically do it, maybe you should be considering thermite rather than software wipes. Especially if they're pounding on your door. ;) I'm more than open to hear of any *confirmed* cases of data recovered after even a single overwrite anytime after 1995. To date, I have not seen one. Prove me wrong, guys. ;) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Stealthier Internet access Bipin Gautam (May 25)
- Re: Stealthier Internet access Valdis . Kletnieks (May 25)
- Re: Stealthier Internet access Christian Sciberras (May 25)
- Re: Stealthier Internet access Christian Sciberras (May 25)
- Re: Stealthier Internet access Bipin Gautam (May 25)
- Re: Stealthier Internet access Valdis . Kletnieks (May 25)
- Re: Stealthier Internet access BMF (May 25)
- Re: Stealthier Internet access Marsh Ray (May 25)
- Re: Stealthier Internet access Bipin Gautam (May 25)
- Re: Stealthier Internet access Valdis . Kletnieks (May 25)
- Re: Stealthier Internet access T Biehn (May 31)
- Re: Stealthier Internet access Christian Sciberras (May 25)
- Re: Stealthier Internet access Valdis . Kletnieks (May 25)
- <Possible follow-ups>
- Re: Stealthier Internet access Elazar Broad (May 25)