101 posts • joined 16 Jun 2007
I also reported some basic XSS vulnerabilities in Protonmail. If you sent an email with a header like this:
As soon as it appeared in the Protonmail message list at the recipient's end, you could completely take over their account, read all their email, send emails as them etc. I'm credited on: https://protonmail.ch/blog/protonmail-security-contributors/ for it.
To me, this is a really bad mistake that no "good" web developer would make these days. Especially considering how they're selling their service. It makes me think their software is probably full of security holes.
"it is also possible to download private chat logs for the compromised account" - This is why people should use OTR. If your IM provider doesn't have your chat logs, they can't leak them.
You're missing the point
Shared hosting? Privilege escalation? Even if there were no MySQL installations in existence with an Internet-facing network interface, this would still be a massive problem.
Macbook vs Thinkpad
I had two IBM Thinkpads, then a Macbook, and now a Lenovo Thinkpad (T420). I haven't noticed any difference in quality between the Thinkpads. They've all been great pieces of reliable kit. The Macbook on the other hand had numerous hardware failures in the 3 years I had it. The power supply died, the battery died, the hard drive died, and the plastic casing started flaking off.
HTTPS and SPDY both solve this problem. Personally, all of the Internet traffic leaving my mobile phone goes over a VPN to my server, so I get a clean connection.
Boxee's pretty good. As long as you don't mind sending them data about everything you watch and when you watch it - https://grepular.com/Boxee_TV_Helps_Its_Self_To_Your_Viewing_Habits
No conspiracy theory here
As the author of the post, I'd just like to say something. All I described was what I saw, and how I got around it. I compared its "technical" behaviour to that of China's firewall, because both use spoofed RST packets to disrupt connections. I didn't provide any commentary on my opinions of why they were doing the blocking, or whether or not they should. I don't consider it a "news piece", rather a simple technical description of a problem and a solution, for people to learn from. A lot of people have twisted what I wrote to make it sound like I'm describing some sort of conspiracy. If that's what you think, read my article again. To be fair, TheRegister has probably twisted it the least amount. Compare it to the boingboing.net interpretation for a laugh.
SSL vs TLS
SSL v1.0 was never released to the public, SSL v1.1 and v1.2 never existed. I think you mean TLS. There's a really good summary of the history of SSL and TLS on Wikipedia:
TLS 1.0, otherwise known as SSL 3.1, came after SSL 3.0.
Most sites don't check to make sure that the request was a POST rather than a GET. This is unimportant anyway, because creating cross-site POSTs is almost as easy as creating cross-site GETs:
<form method="post" action="https://target.site.example.com/changepassword.cgi">
<input type="hidden" name="newpassword" value="foo">
<input type="submit" id="submit" value="submit">
</form>
<!-- auto-submit so the victim's browser sends the POST without any click -->
<script>document.getElementById("submit").click();</script>
There are defenses against this attack, but 99% of sites don't use them. And before you go off on one about sites requiring you to enter your old password as well, stop attacking the particular example, and think about the "class" of attacks that are available.
"That's a choice."
I know that you *can* enable certificate verification. I've done it myself in Exim. That only happens in very limited and minor cases though. Where the two communicating systems know each other and the administrators of both systems have a reason to want to enforce it.
I'd bet at least 99.9999% of SMTP traffic is either not encrypted, or encrypted without certificate verification.
"How does your browser know that a request from another tab to the same site should be blocked?"
It doesn't need to block anything. The "secure tab" gets its own cookie store. When you log into a site inside that secure tab, the secure tab's cookie store contains your session cookie. Any other tab that tries to launch an attack against the site will be launching it against a site which it isn't logged into.
This would also allow people with multiple accounts at the same site to log in multiple times from different secure tabs.
He will only be susceptible to this attack if he visits other sites at the same time as being logged into the bank website. You shouldn't be doing this anyway because of the prevalence of XSS and CSRF vulnerabilities. This attack just gives you another reason.
SMTP can already be trivially MITM'd
SMTP can already be trivially MITM'd because SMTP servers don't do any sort of certificate verification. Basically the majority of SMTP is unencrypted, and even that which is protected by TLS is "protected" by self signed certificates that aren't even checked/verified.
SMTP TLS is good for defending against passive observers opportunistically, but if somebody can intercept the connection, on either the sending *or* receiving side, you're screwed.
You misunderstood the attack
The trouble is, people visit https and http sites at the same time. If the target is logged into an https page, and then visits an http page on a different site, you can inject stuff into that http page that will initiate requests against the target site.
Eg, you could stick this bit of code in the http page if the target site is vulnerable to CSRF:
And if the target site doesn't use Strict-Transport-Security, and hasn't set the Secure flag on their cookie, you can cause the browser to initiate a non-ssl http request against the target to leak their cookie by simply slipping this into some unrelated http request to a different site:
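The post above names the two conditions for the cookie leak: no Strict-Transport-Security and no Secure flag. The following is an added example, not code from the original post or its author, that runs those conditions through Python's standard-library cookie jar, whose policy honours the Secure flag the same way a browser does. The hosts bank.example and attacker.example, the cookie value, and the injected image URL are all constructed for the demonstration, and because http.cookiejar knows nothing about HSTS, the browser's HSTS store is modelled as a hypothetical set of hosts whose http URLs are rewritten to https before the request is built.

```python
"""Added example: does a session cookie set by an https site ride along on an
http request that an attacker injected into an unrelated plaintext page?
Everything below (hosts, cookie, URLs, the HSTS set) is constructed."""
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request

BANK = "bank.example"  # hypothetical target site, not from the post


def session_cookie(secure):
    """Cookie as https://bank.example might set it after login (constructed)."""
    return Cookie(version=0, name="session", value="deadbeef", port=None,
                  port_specified=False, domain=BANK, domain_specified=False,
                  domain_initial_dot=False, path="/", path_specified=True,
                  secure=secure, expires=None, discard=True, comment=None,
                  comment_url=None, rest={})


def browser_request(jar, url, hsts_hosts=frozenset()):
    """Return (URL actually fetched, Cookie header or None) for a request that
    an attacker's http page triggers, e.g. <img src="http://bank.example/x">.

    hsts_hosts stands in for the browser's HSTS store (hypothetical): a host
    listed there has its http URLs rewritten to https before any request is
    built, which is what Strict-Transport-Security makes a browser do."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in hsts_hosts:
        url = urlunsplit(("https",) + tuple(parts[1:]))
    # The request is third-party (its origin is the attacker's page). The
    # default policy still attaches version-0 cookies, as browsers then did.
    req = Request(url, origin_req_host="attacker.example", unverifiable=True)
    jar.add_cookie_header(req)
    return url, req.get_header("Cookie")


def demo():
    """Run the three cases and return {case: (url, cookie_header)}."""
    injected = "http://bank.example/track.gif"  # what the attacker injects
    results = {}

    # 1. No Secure flag, no HSTS: the session cookie goes out in clear text.
    jar = CookieJar()
    jar.set_cookie(session_cookie(secure=False))
    results["leaks"] = browser_request(jar, injected)

    # 2. Secure flag set: the jar refuses to attach it to an http request.
    jar = CookieJar()
    jar.set_cookie(session_cookie(secure=True))
    results["secure_flag"] = browser_request(jar, injected)

    # 3. No Secure flag, but the host is in the HSTS store: the request is
    #    upgraded to https first, so the cookie never crosses the wire in clear.
    jar = CookieJar()
    jar.set_cookie(session_cookie(secure=False))
    results["hsts"] = browser_request(jar, injected, hsts_hosts={BANK})
    return results


if __name__ == "__main__":
    for name, (url, cookie) in demo().items():
        print(f"{name:12s} {url:34s} Cookie: {cookie}")
```

Only the first case leaks: the Secure flag stops the jar attaching the cookie to a plaintext request, and HSTS stops the plaintext request existing at all. Either one closes the leak; a site that wants defence in depth sets both, since the Secure flag also covers the first visit before any HSTS header has been seen.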
This is incorrect
As I use the Firefox addon RequestPolicy, I should be immune from this attack. The attacker won't be able to initiate the cross-site requests unless I tell RequestPolicy to allow them.
I prefer TextSecure by http://whispersys.com/. Allows you to send/receive encrypted SMS, and also uses public key cryptography to encrypt SMS on your device.
The sort of kooks who write articles like this give a bad name to people who have legitimate concerns about data being stored which shouldn't be stored.
Of course the emergency services keep a record of who calls them! What the hell is wrong with that? I'm surprised they've kept the data for as long as 12 years, but still, it's not that big a deal...
Also, to use PGP on Android install APG (Android Privacy Guard). Then to use PGP with email install K-9. It's much better than the standard email client anyway, but it also plugs in to APG.
People with Android phones. Use TextSecure from Whisper Systems. It's a drop in replacement for the standard SMS app, and works almost exactly the same. It uses public key encryption so your SMS are automatically encrypted, and to view them you have to enter the password for your private key. It also uses public key encryption to encrypt messages over the air between two TextSecure users.
Of course, the police can always go to the network providers who will have a log of all SMS transmitted, but messages encrypted over the air are safe from content inspection.
And of course, if you're in the UK, the police can simply throw you in jail for not handing over the password :( US users are safe from that shit though.
Registered porn viewers?
I wonder how long it would take before an unencrypted copy of one of these registered porn viewer lists gets left on a usb stick on a bus.
"As servers with hundreds of gigabytes of memory have become the norm"
When did that happen?
Not for G1's
Runs dog slow on my G1. Keeps crashing, and doesn't seem to ever finish loading any pages. Didn't have problems like this with Opera Mini. Opera Mini was only very slow, not dog slow, and didn't render lots of pages correctly.
Great. Opera Mini is crap, but I don't want to use the bundled browser because I'm one of the two thirds of Android users who are still on <=2.1, i.e. running a trivially exploitable default browser. Hopefully this version is better than Mini at rendering websites.
I don't like Opera Mini, but I've just set it to be my G1's default browser. Bah.
Daniel doesn't sound very keen about keeping this service running anymore. I wonder if somebody else would be willing to take it over. A trusted authority like the EFF maybe?
"it's unclear whether the comment was meant as a joke."
I can see how that would be unclear to a buffoon, yes. To a thinking person, it's pretty clear it was a joke, so suggesting otherwise is disingenuous.
I'm not commenting on the tastefulness of the joke.
DuckDuckGo addressed a similar problem with information leakage through HTTP headers a few months back:
"Or rather, no sign-up is needed. After all, every time you use a search engine (ANY search engine AFAIK), you give away data for free that ad agencies will use to slam targeted ads in your face."
"If you're on the Internet, they probably know all about you already"
Firefox + AdBlock + Beef Taco + Flash Block + HTTPS Everywhere + NoScript
No Script + Flash Block + Better Privacy + Cookie Monster + AdBlock + Ghostery + Beef TACO
Whilst I agree with his sentiment, provoking 4chan is not a good idea.
Bugs are to be expected, but there's no reason to have things like XSS flaws and bad user input validation, even in "pre-alpha" software. That just suggests bad coding practice and generally sloppy programming.
A lot of people have smartphones these days that barely last 24 hours before needing to be recharged. I would definitely buy one of these phones to take camping, on holiday and on weekends away alongside my smartphone.
However, it doesn't mention SMS, and by the sounds of it, it doesn't support SMS. That rules it out for me. Like most people, I spend more time talking via SMS than via voice...
"62 people, including 28 UK nationals or dual citizenship holders, have been extradited from the UK to the US"
Is this more or less or the same as it was before the changes in 2004?
T-Mobile UK PAYG
"Android users on contract tariffs with bundled data, but will raise issues if you are on PAYG or roaming abroad. "
T-Mobile UK PAYG does a really good data deal. I pay 20 quid for a 6 month booster which gives me 1GB of allowance each month. That equates to £3.33/month. You don't get charged if you exceed that limit, but they will warn you about it. You're not going to hit 1GB a month unless you're downloading videos every day or doing a lot of tethering. Perfect for navigation+web browsing+email though.
I'm not associated with T-Mobile other than as a customer.
American accents only
You forgot to mention that it's American English accents only at the moment. It doesn't cope with British accents yet.
Is "fsck" allowed?
"Unite's press release doesn't note how many hours the guides put in"
A pretty vital piece of missing information. You're journalists aren't you? Do some journalism and find out...
Is that enforced? Ie, do they block ports/ips to prevent you from doing it?
VOIP != Streaming Music
"I already drive around streaming spotify without issues...until I go out to the countryside that is."
Streaming music over 3G bears no resemblance to VOIP over 3G. If you're streaming music, latency isn't an issue because it can buffer the content. You can't buffer VOIP though; even a small amount of latency would cause gaps in the conversation. You need a constant, stable, low latency connection in order to have a reasonable quality conversation and 3G simply doesn't provide that in practice.
VOIP over 3G works, but it sucks badly. I don't know why anyone would choose to use it. In fact, I doubt anybody does. Does anyone here do it? Has anyone here tried it and then gave up because of how shit it is?
> Is this "free" as in "uses data allowance" for those not on an unlimited contract?
I would assume so. I'm on T-Mobile UK PAYG and with their £20/six months Internet booster I get "unlimited" (1GB) of bandwidth each month for £3.33, which is practically free.
My God. It still doesn't support line-height. What sort of a modern browser doesn't support line-height. It was in CSS version 1 ffs. Think I'll stick with the standard browser for now. At least it renders websites properly.
HTML5 - Local Storage
If he is guilty of those crimes, then the two year maximum sentence is insane. I'd have thought at least ten years... Two years inside is an annoyance, ten years is punishment. The guy is clearly a deranged asshole.
Why would you use this, when XMarks exists? http://www.xmarks.com/ - Synchronises your bookmarks between Firefox, Safari, Chrome and IE. Also supports password and tab syncing.
"Now, at least, the handset has a front-facing camera - present on most smartphones for video calls"
Present on "most smartphones"? That's a load of bull crap. *some* smartphones have front facing cameras, the vast vast majority don't. No Android phones have a front face camera for example...
JS not required
"British honeybees have survived the coldest winter in 31 years with losses of one in six hives - higher than the natural rate but a marked improvement over previous years."
The stupidity of the man hurts. It hurts so bad.