Ads and Ad-blocking tools and policies
Posted: Tue May 01, 2012 5:56 am
by Thrawn
(Split as interesting, but O/T, from "NoScript Sightings" -- Tom T.)
Tom T. wrote:
See this very fine post by an enthusiastic NS supporter.
(And accept your fair share of the praise, my friend.)
I think that the point about sites needing revenue is fair (I like not having to pay subscriptions for the sites that I use daily), and I appreciate that the author's recommendations leaned toward doing nothing or asking politely. But as my comment there states, advertising is dangerous, and the advertisers really have no accountability to us, so trusting them is hazardous at best.
As for trying to evade NoScript - lol! That won't get far. With NoScript, your browser is yours.
Re: NoScript Sightings
Posted: Tue May 01, 2012 6:51 am
by GµårÐïåñ
Anyone has a problem with losing revenue from ads, they should take it up with Adblock and such. To blame a tool like NoScript that protects against privacy invasion, tracking and less than honest methods to gather data on people, and bundle it with the rest in an article about loss of revenue from ads, then that's just bull and stupid in my opinion. It unfairly bundles NS in a group that it doesn't belong. Do we cripple their ability to make money selling your demographic and statistics, you betcha, but we do nothing to intentionally cripple their ability to post ads. If anything, why not mention RequestPolicy which often can be used quite easily to block images being served off ad servers. I just think it was skewed and I didn't like it, but to each their own and good luck trying to defeat us.
Re: NoScript Sightings
Posted: Tue May 01, 2012 9:24 am
by Tom T.
Thrawn wrote:<snip> But as my comment there states, advertising is dangerous, and the advertisers really have no accountability to us, so trusting them is hazardous at best.
You may find it encouraging that Yahoo is supporting Do-Not-Track.
Also, a single large advertiser like Amazon has more accountability than these agencies that come and go, or represent hundreds of clients, and will do "whatever it takes". At the thread to which I pointed GµårÐïåñ, I mentioned an entertainment site, where, for example, if you are viewing something by or about Band X, the site displays Amazon ads for Band X's albums, etc. No animation, just the album cover, usually. But of course I agree about the darker side, which seems to be the majority.
GµårÐïåñ wrote:
Do we cripple their ability to make money selling your demographic and statistics, you betcha, but we do nothing to intentionally cripple their ability to post ads.
I've often reflected on the irony that if they served a simple text ad, with still images only -- no executable content -- then yes, NS would not affect them at all. It's the (over-)use of Flash, data-mining scripts, etc. that drives users to block them.
But I use RP too, because (for one reason) who knows which ones will be planting web bugs, without the PITA of looking at the code? So yes, they brought it on themselves.
Re: NoScript Sightings
Posted: Wed May 02, 2012 5:49 am
by GµårÐïåñ
Agreed. Personally, I use several things as a layered approach and with due respect to anyone's feeling trying to make money, I don't care if it affects them. They need the money so bad, make your content pay only and voila, no need to blast us with all kinds of crap to deliver content that can be found in a 1000 other places without the intrusion into my screen. On my own sites, I ONLY point to things that I actually want to share, not part of some ad system or agency, meaning they are constant, they are usually a link/image and static, that's it. So I do what I preach, not one of those, do what I say not what I do people.
I use the following tools in the exact order mentioned and configured to be effective at the layer they are presented for technical and functional reasons. NoScript (duh! - aggressive configuration) + RequestPolicy (aggressive) + Adblock Plus (custom rules only) + BetterPrivacy + Perspectives + RefControl + Server Spy + HTTPS Everywhere (with a single default rule) + Ghostery (aggressive) + TACO/Abine (aggressive) + a few tools (such as Console2, AIO, Flagfox, GreaseMonkey, etc.) that's it, run a tight ship, no problems and always stable (well at least 99.9% up time) and I like to randomly screw with my UA just to have a little fun
Re: NoScript Sightings
Posted: Thu May 03, 2012 4:18 am
by Thrawn
GµårÐïåñ wrote:
I use the following tools in the exact order mentioned and configured to be effective at the layer they are presented for technical and functional reasons. NoScript (duh! - aggressive configuration) + RequestPolicy (aggressive) + Adblock Plus (custom rules only) + BetterPrivacy + Perspectives + RefControl + Server Spy + HTTPS Everywhere (with a single default rule) + Ghostery (aggressive) + TACO/Abine (aggressive) + a few tools (such as Console2, AIO, Flagfox, GreaseMonkey, etc.) that's it, run a tight ship, no problems and always stable (well at least 99.9% up time) and I like to randomly screw with my UA just to have a little fun
A lot of that list sounds familiar. Do you get much benefit from Ghostery, though, if you use RequestPolicy aggressively?
HTTPS Finder is (designed as) a good companion to HTTPS Everywhere. It probes sites for HTTPS support, and can write HTTPS Everywhere rules for you.
NB This is slightly off-topic from NoScript sightings; if anyone wants to split it to eg Extras > Security, feel free.
Re: NoScript Sightings
Posted: Thu May 03, 2012 7:42 am
by Tom T.
Thrawn wrote:Do you get much benefit from Ghostery, though, if you use RequestPolicy aggressively?
I use RP (aggressively, I guess), and haven't felt a need for Ghostery. One person's opinion only.
NB This is slightly off-topic from NoScript sightings; if anyone wants to split it to eg Extras > Security, feel free.
Agreed. Done, and a good suggestion.
(Not strictly Security, but very much related to privacy -- not exactly the same thing, although related -- so put it in Web Tech rather than Security. OK?)
Re: NoScript Sightings
Posted: Thu May 03, 2012 7:51 am
by GµårÐïåñ
Thrawn wrote:A lot of that list sounds familiar. Do you get much benefit from Ghostery, though, if you use RequestPolicy aggressively?
Well not so much, much of them are redundancies to ensure anything that slips through a possible crack, gets nabbed later down the chain. Hence layering. NS + RP takes care of 99% of my needs crippling things. All the rest are to tweak and fine grain the leftovers of that possible 1% by using special patterns to block residuals in ABP and also to tweak my regularly used websites to trim the fat so they look and feel streamlined like I like without the busy crap. BP is mostly to automate the LSO dumping, although Tom has a batch script that would do it too, Ghostery handles any web bugs that get through or are not wide enough to get snagged, also dumps the similar silverlight LSOs as well. Also performs some cookie managements which in conjunction with ABINE/TACO cripples the rest, tighten up the security of the browser and hidden settings in itself and we are golden. The server spy is for me to know what I am running against, flagfox is for quick locations and network tools, GM is for scripting, RefControl is to manage header cleaning and that's pretty much a recipe for a completely locked up profile.
Re: Ads and Ad-blocking tools and policies
Posted: Thu May 03, 2012 8:10 am
by Tom T.
Re: LSOs:
I use Sandboxie, which is set to delete everything in the sandbox (which would otherwise be on your HD) on every close, so any LSOs get dumped automatically.
And I do close/restart fairly often, unlike a certain disgruntled user elsewhere on this forum.
Re: Ads and Ad-blocking tools and policies
Posted: Fri May 04, 2012 12:56 am
by GµårÐïåñ
Yeah I run in Sandboxie here and there but not as a regular production use of the browser because I need easier read/write access without having to deal with the constant, recovering interface. And for me adding a DMZ if you will, for where to write without asking, pretty much defeats the purpose of it. So I only use Sandboxie if I need to do something that I need an additional layer of isolation, but not as my primary usage, the lack of settings retention and tweaks sticking without additional steps is a burden I don't need with my extensive usage but I close my browser quite often enough that it's not really an issue.
Re: Ads and Ad-blocking tools and policies
Posted: Fri May 04, 2012 3:32 am
by Tom T.
GµårÐïåñ wrote:Yeah I run in Sandboxie here and there but not as a regular production use of the browser because I need easier read/write access without having to deal with the constant, recovering interface. And for me adding a DMZ if you will, for where to write without asking, pretty much defeats the purpose of it. So I only use Sandboxie if I need to do something that I need an additional layer of isolation, but not as my primary usage, the lack of settings retention and tweaks sticking without additional steps is a burden I don't need with my extensive usage but I close my browser quite often enough that it's not really an issue.
I add write permissions to bookmarks, site permissions (cookie etc.), and general prefs.js file. Simple one-time change to config file.
There might be some theoretical weakening of protection, but I haven't experienced any issues.
If you know of a viable attack in the wild, or POC, that could use these vectors, by all means, I'd like to see it.
Re: Ads and Ad-blocking tools and policies
Posted: Fri May 04, 2012 5:36 am
by GµårÐïåñ
I haven't actually seen or thought of a vector per se. But since I handle live viruses, metamorphic worms, etc, ANY opening to an outside memory space is an escape route. Remember they are designed to exploit ANY opening. I'll leave it at that. Otherwise, my routine "stuff" with the tight setup and frequent clean up has provided me no issues to need the extra layer on a constant basis. Plus, as discussed in the past, the way that Sandboxie is designed, actually not to single it out, how ANY sandbox is written, they are memory/disk direct allocation schemes using some variation of C which can easily be hopped by a metamorphic DMA/DDA code and still get out. I handle the "bad" stuff inside a sandbox inside an isolated VM and then burn down rome when I am done, literally.
Re: Ads and Ad-blocking tools and policies
Posted: Fri May 04, 2012 5:54 am
by Tom T.
GµårÐïåñ wrote:I haven't actually seen or thought of a vector per se. But since I handle live viruses, metamorphic worms, etc, ANY opening to an outside memory space is an escape route. Remember they are designed to exploit ANY opening.
Yes, of course, our needs are different, my friend. If you are doing malware analysis, then you need complete quarantine. (Some AV vendors claim to do secure quarantine of viruses they find on your machine. IDK how secure they are, as I've not had an alarm.)
For my daily browsing, as an average user who works very hard to avoid malware, I find Sandboxie to be one more useful layer of defense-in-depth, though not perfect, as nothing is. But every layer helps ...
Plus, as discussed in the past, the way that Sandboxie is designed, actually not to single it out, how ANY sandbox is written, they are memory/disk direct allocation schemes using some variation of C which can easily be hopped by a metamorphic DMA/DDA code and still get out.
Do you know of a benign POC of that somewhere? I'd certainly like to test it.
Re: Ads and Ad-blocking tools and policies
Posted: Fri May 04, 2012 7:04 am
by GµårÐïåñ
Those so called "quarantines" by AV are just folders locked using low level ACL permission to restrict but in no way a sandbox like they call it, the content can be activated on something as benign as a system consistency scan, depending on how the payload is coded. Those are a joke. The sandbox that sandboxie provides is a bit more elaborate and for all intents and purposes pretty tight.
I don't have the POC and white papers on hand but check your PM, I will shoot you two articles that I consulted on for proofing and conceptual accuracy, you might respect the reading. Although I warn you, a bit lengthy and foreign-translated so don't be too harsh on the writing, they did their best.
Re: Ads and Ad-blocking tools and policies
Posted: Sat May 05, 2012 8:36 am
by Tom T.
I read the first article, "Taipan Weapons Targeted Attack".
Their targets were: IE (don't have), MS Office and Excel (don't have, and always scan unexpected documents before opening), and *Adobe* PDF reader (don't have; I use Foxit). The PDF exploit was embedding, say, a Flash video in the PDF. My .pdf reader does not support such things, nor even support JavaScript.
So the article was a good reminder to stay away from MS and Adobe.
The "sandboxing" they attacked was not external, third-party sandboxes like Sandboxie, but rather the (well-intentioned) attempts by vendors to provide *internal* sandboxing of some processes, components, etc., as in Flash videos.
I did not see a direct attack against Sandboxie or any similar program capable of denying write permissions to *any* application.
I look forward to the other material, and certainly to a POC if you do find one. Thanks for the paper and for your time.
Re: Ads and Ad-blocking tools and policies
Posted: Sat May 05, 2012 9:55 am
by Thrawn
Tom T. wrote:GµårÐïåñ wrote:I haven't actually seen or thought of a vector per se. But since I handle live viruses, metamorphic worms, etc, ANY opening to an outside memory space is an escape route. Remember they are designed to exploit ANY opening.
Yes, of course, our needs are different, my friend. If you are doing malware analysis, then you need complete quarantine. (Some AV vendors claim to do secure quarantine of viruses they find on your machine. IDK how secure they are, as I've not had an alarm.)
For my daily browsing, as an average user who works very hard to avoid malware, I find Sandboxie to be one more useful layer of defense-in-depth, though not perfect, as nothing is. But every layer helps ...
Plus, as discussed in the past, the way that Sandboxie is designed, actually not to single it out, how ANY sandbox is written, they are memory/disk direct allocation schemes using some variation of C which can easily be hopped by a metamorphic DMA/DDA code and still get out.
Do you know of a benign POC of that somewhere? I'd certainly like to test it.
As another 'daily browsing' user, does anyone (particularly GµårÐïåñ) have an opinion on the effectiveness of Ubuntu's AppArmor profile for Firefox?