noobie tutorial video

General discussion about the NoScript extension for Firefox
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: noobie tutorial video

Post by Nan M »

`nar wrote:
> I wish I had the time to train my customers Nan, I usually cannot even speak to them before they take their PC home other than the basics of what I did to repair their computer. So, I am looking to dumb-down the interface to neophyte level. Explaining IPs, domains, XSS and so forth is beyond their will to listen, or my time to train them (or learn well enough to train :). I just tell them to only allow the sites they trust and be wary of sites found during internet searches. I allow sites opened through bookmarks, and sometimes disable the yellow bar notification as it really doesn't tell me anything that the "S" with the red circle doesn't. Some people will forget to check that, so I gauge the particular user.

Yes, sympathies for you - - you've got the self-selected group that doesn't care so much about risk, if their machines are infected through a combination of lack of knowledge plus no precautions. They are often also those who exceed the speed limit and don't wash their hands after using the toilet :-) They can't see the results of their actions and they can't imagine the results and they think warnings are from fusspots.
The bookmarks tip is central to setting something secure up for a real novice when you can't give them time to train with NS.
When I get that scenario, I ask them to list what sites they transmit financial, and real id details with, and have a 5 minute session setting up workable permissions and then bookmark. Not that I'm suggesting in anything I write here that you should do the same in your situation, just putting it down for the general record.
Maybe at least this keeps their personal details safe enough for their next session.
It doesn't stop them getting recruited for the next botnet, or getting a keyboard recorder installed but some progress is progress nonetheless.

> I found a couple of YouTube videos with more info, but no speech. Even though they have music, it is too much like research for most people.

You're confirming my searches.

> I am surprised that I couldn't find anything better.

Not so much surprise here. It took ages for resident AV as essential for novice users' Windows systems to become an accepted practice - all the early adopting on that part was from careful experienced users, and NS is still at the bleeding edge of novice browsing in many respects. NS how-tos are following the usual uptake - - with geek fans turning others on. This is why I'm really encouraged by your attitude - - it's recognising the central problem.

> On the one hand I'd like someone really knowledgeable with NS to make a video, but on the other hand, they may just talk over most users' heads. It needs to explain why it is needed,

There you go - the main problem. There's just so many times you can tell someone their computer will get slow, they will give away their personal details, they will help crime etc etc. If they're not motivated, then any other information won't get through.

> when you need to allow sites, and how to allow them. Anyone with the interest in more details will likely know how to click the help/about section and go to the homepage themselves. Keep it simple, more details should be in a second or third video.
>
> I have never done a video, but after what I've seen, I am thinking about it.

I'd be really happy to comment on any script you want to run by the users here. I fancy it will be a very welcome addition to the community.
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: noobie tutorial video

Post by Nan M »

Hi `nar,
Could you use this proof of stealing browsing history?

From hackademix's latest post http://hackademix.net/2009/05/08/start-panicking/ you might be interested in this really good-looking demonstration site of a JS privacy hole in Fx that has been covered by NS for years already.
http://startpanic.com/
It is clear as - with the button right there front and centre for the user to try it.
The reveal of history is a nice gradual extending list that could be the start to a Why do I need NS? Introduction video, do you think?
I'm certainly going to show the site to the library newbies next time we're meeting.

Best decide to use it now, because the report is that Mozilla are going to patch it 'real soon now'®.

regards, Nan M
`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

Re: noobie tutorial video

Post by `nar »

I can see it now, "So what if they know where I've been?"

Not all of them secretly surf for pr0n. ;)

I can see that it is a bit disturbing, but those concerned about their history should be clearing it anyway. The site needs to show why it is important. Got my bank website? Sure. Got my account number? Now that would be scary! Maybe the saved passwords, but I am doubting that.

My internet has been down at home, so I haven't made much progress on the video front lately.
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: noobie tutorial video

Post by Giorgio Maone »

`nar wrote:
> Got my account number? Now that would be scary! Maybe the saved passwords, but I am doubting that.

It's quite easy, if your bank has an XSS hole. Likely? You bet!
`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

Re: noobie tutorial video

Post by `nar »

I am weak on XSS, but wouldn't that require linking in? Like from an email? If I go to the bank website directly, does XSS still apply? If so, does that mean the website is hacked? As I understand it, XSS is a "window" you look through at the site in question, so any clicks and data entry can be intercepted by the "window" which is another website, just hidden, or transparent.
`nar
Posts: 16
Joined: Tue May 05, 2009 6:39 am

Re: noobie tutorial video

Post by `nar »

Never mind, I'll read your XSS info first :)
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: noobie tutorial video

Post by GµårÐïåñ »

Giorgio Maone wrote:
> It's quite easy, if your bank has an XSS hole. Likely? You bet!

Is it possible that this is more prevalent in European or simply put non-US based companies and operations? I am just curious because we rarely see these kinds of issues in the US, it happens, don't get me wrong, but usually not on such a large exploitable scale and gets remedied very very quickly, perhaps because regulations governing security of information and server requirements are more stringent. Not sure, just thinking out loud.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: noobie tutorial video

Post by Giorgio Maone »

GµårÐïåñ wrote:
> Giorgio Maone wrote:
> > It's quite easy, if your bank has an XSS hole. Likely? You bet!
>
> Is it possible that this is more prevalent in European or simply put non-US based companies and operations?

http://www.google.it/search?q=BANK+OF+A ... utf-8&aq=t
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: noobie tutorial video

Post by GµårÐïåñ »

Ok, point made, but by the admission of the "hackers" themselves, these were fairly small game and most of them were remedied pretty quick. Someone running NoScript and like me dumping their entire session/cookie/cache and so on each time I close my browser would be fairly safe, along with other safe practices of course. But a real problem for sure, no doubting that.
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: noobie tutorial video

Post by Giorgio Maone »

GµårÐïåñ wrote:
> these were fairly small game

What does "small game" mean exactly in this context? Like you're visiting your preferred p0rn site and in the meanwhile someone there silently grabs your BOA password?

GµårÐïåñ wrote:
> Someone running NoScript [...]

... like CrYpTiC_MauleR (first Google result above), Sirdarckcat, RSnake, Jeremiah Grossman, Arshan Dabirsiaghi (OWASP) and every other web security expert I know: there's a reason, no matter what a certain guy whose initials are W. P. tries to smear around ;)
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: noobie tutorial video

Post by GµårÐïåñ »

Sorry, by small game I meant that in order to grab anything useful or significant (at least in my configuration) they gotta pull something more of an offensive onslaught brute force attack to pull anything. :twisted: Now if you got the barn door wide open, I wouldn't be surprised if they can whistle for your horses :lol: and you deserve to get ripped.

I know what you mean brother, W.P. can say whatever the hell he wants and any moron who doesn't know better can jump on that bandwagon and shoot themselves in the foot, being stupid is an individual right; fact remains that anyone with their head screwed on right, will not be stupid enough to run without NS, don't let haters like that get you down or smear you, it shows their own ignorance. :ugeek: