Re: [SECURITY] [DSA 3211-1] iceweasel security update
Keep in mind that if you use a non-Tor browser in order to browse through Tor, you would still be trackable to a degree. Please see https://panopticlick.eff.org/

2015-05-08 16:18 GMT+12:00 Riley Baird bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch:

> I'm not from the iceweasel team, but I can assure you that most, if not all, of the bugs in Firefox have been accidental. If you are concerned about privacy (which is a good thing!), then I recommend that you use the Tor browser. If you don't trust that because it's based on Firefox, then try to find a browser that you do trust and tunnel it through Tor. If you don't trust Tor, then I don't know, maybe you could use someone else's computing device :)
>
> On Fri, 08 May 2015 03:47:01 +0200 Weber kwebe...@gmx.de wrote:
>
>> Dear iceweasel team, is it real that the bugs from Mozilla and partners will never end? Don't you think there is an NSA agent at Mozilla? Or even some at Debian? Producing bugs and bugs and bugs, more and more instead of less. Yes man, it is! Mozilla is a bought IP tracker and sniffer. IPs going over Google servers, which Mozilla uses for its own work. North Korea has 1000 agents and the US about 5000 or more? China 10 000? Now guess... For this reason I will ask you to harden iceweasel and icedove with the best security settings and with the best data privacy, which I miss until today. NoScript is good, but it can be better. It's not good to have a very fat browser changing its basic features every month and getting fatter and fatter, open for more fat, insecure apps and modules (which are now checked, OK, but not for privacy! Mozilla does not give any possibility in the app store that developers can / must fill out privacy and security options/info. Why?). Privacy is not when Firefox/Iceweasel opens any!!! TCP silly app checker or else after I start it.
>>
>> And it is not, if Google servers are standard in the background, or any other social shit configs in the background that users can never read up front in an easy way, and it is not, if any other software is loaded while using it. And it is not, if the code is getting bubbled up to 80 MB and no one can find a security hole in one day. Security and privacy are lost in Debian, too, and in Mozilla for many years now. Mozilla doesn't want to change this, because they are not free anymore. This must be changed! Money for programmers is good, but not in this way. They are big enough to make 200 million without Google. But they will not. They are in a hidden project, as Snowden told us. Mozilla advertises in a very unfair way on their website with privacy; they lie to users who don't know how to protect themselves. Mozilla does this special setting behind the scenes to hide it from normal users! That's bad! And they don't tell the users what they do with the metadata they send to THIRD parties! Ask them! Now! And send us the answer! Come on. Bug is a program! Bugs are bought/paid for by third partners/agencies! Fuck this shit. Sorry, that's bad work you do, and I ask you why nobody works against it or nobody wants to get rid of the trackers and perhaps sniffers!? This Linux is not the vision of the founders of Linux/GNU for NON-sniffing, tracking tools! Do it better now, please. Reduce code, delete remote chat app video code, reduce any code which is not stable and we don't need for HTML sites. We need no Flash shit, no apps, we need a browser which is secure more than 2 days in the year! Or: you create a second edition browser, which runs lighter and more secure / independent than the original. If you can remember, as I don't know your age, Firefox was working with 1 MB of code in version 1! It was good enough for the slowest Flash/Java/video site or other much worse websites. Now we have 80 times more code!! And about 20-50 more bugs each year!
>>
>> And very many critical bugs which can freeze a window or remotely exploit a Debian or Windows. Firefox was a very good browser for a starter team! Until they started the bug program, infiltrating all people on earth as IE does, as experts write in blogs, sometimes with the help of Adobe Flash. If you don't want to do anything, please leave Debian and let others do this work. PS. We know that Google sponsors Debian too. They even sponsor German newspapers to get more profit and rights on the WWW market! That's not a way you should copy to GNU Linux. Don't believe, if you type ps -ef, that you see all services on Debian. It's infiltrated in many of the 20 000 apps. Some directly work with the localhost Mozilla engine, others with web services. Some are called buffer overflow on bug lists. And now tell me how much you get so that Mozilla and Google are on Debian nr. 1? Regards, Weber
>>
>> On 01.04.2015 at 18:10, Salvatore Bonaccorso wrote:
Re: Iceweasel and web browsers vulnerability concerning POODLE.
Just something related I happened to stumble across: http://www.bit-tech.net/news/bits/2014/10/15/google-mozilla-sslv3/1
Re: Iceweasel and web browsers vulnerability concerning POODLE.
Sorry about the double email; this is the original source for Mozilla: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

2014-10-17 9:12 GMT+13:00 Pedro Worcel pe...@worcel.com:

> Just something related I happened to stumble across: http://www.bit-tech.net/news/bits/2014/10/15/google-mozilla-sslv3/1
Re: concrete steps for improving apt downloading security and privacy
2014-07-07 12:13 GMT-08:00 Andrea Zwirner and...@linkspirit.org:

> Can you prove it? Or maybe you can tell the list what the attached image - that is encrypted with Moritz Muehlenhoff's and Florian Weimer's public keys - represents? Cheers (and thanks Mr. Moritz and Mr. Florian - who were the only ones I had in my keyring - for accepting to be the judges of the challenge). :-)

I am very new with crypto, but I do not think he will be able to prove it with cryptography such as is used in modern browsers, maybe in ECB mode as described here: http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic%20codebook%20%28ECB%29

HTTPS hardly solves any problem with state-level monitoring, I don't think; after all, CAs can be compelled to produce certs, or even be compromised (e.g. http://googleonlinesecurity.blogspot.co.nz/2014/07/maintaining-digital-certificate-security.html ). Implementing cert pinning, OTOH, that might be better.
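The ECB property hinted at above (identical plaintext blocks give identical ciphertext blocks, which is why an ECB-encrypted image still shows its outline) demonstrated in Python with a constructed toy block cipher. This is an added example, not code from anyone in the thread; the 8-byte Feistel cipher, the key, the sample payload and the `distinct_block_ratio` metric are assumptions made for the demo, and the cipher is neither AES nor secure.

```python
"""Added example (not from the thread): why ECB mode leaks plaintext structure.

Uses a constructed toy 8-byte Feistel block cipher keyed with SHA-256 so the
demo runs with the standard library only. It is NOT AES and is not secure;
it only exhibits the block-mode property under discussion.
"""
import hashlib
import os

BLOCK = 8  # toy block size in bytes (assumption for this demo)


def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Keyed round function: first 4 bytes of SHA-256(key || round_index || half)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network over one 8-byte block (a bijection for any round function)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(right, key, i)))
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a multiple of BLOCK (always adds at least one byte)."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Electronic codebook: every block is encrypted independently, so equal blocks collide."""
    data = pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Cipher block chaining: each block is XORed with the previous ciphertext block first."""
    data = pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out.append(prev)
    return b"".join(out)


def distinct_block_ratio(ciphertext: bytes) -> float:
    """Fraction of ciphertext blocks that are unique; 1.0 means no visible repetition."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(set(blocks)) / len(blocks)


# Constructed "image": a bitmap-like payload with three large uniform regions
# (192 bytes = 24 blocks; padding appends one more block).
SAMPLE = b"\x00" * 64 + b"\xff" * 64 + b"\x00" * 64


def demo(key: bytes = b"constructed-demo-key", iv=None):
    """Return (ECB ratio, CBC ratio) for SAMPLE; a fixed iv makes the result reproducible."""
    if iv is None:
        iv = os.urandom(BLOCK)
    return distinct_block_ratio(ecb_encrypt(key, SAMPLE)), distinct_block_ratio(cbc_encrypt(key, iv, SAMPLE))


if __name__ == "__main__":
    ecb_ratio, cbc_ratio = demo()
    print(f"ECB distinct-block ratio: {ecb_ratio:.2f}  CBC distinct-block ratio: {cbc_ratio:.2f}")
```

Under ECB the 25 ciphertext blocks collapse to just three distinct values (the two fill bytes and the padding block), so the payload's regions are readable straight off the ciphertext; under CBC all 25 blocks differ. Production code should use an AEAD mode from a vetted library rather than either of these constructions.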
Re: SSL for debian.org/security?
Also, what is to prevent someone interfering with the creation of the certificate that will be embedded in the device (or poor pseudo-randomness while generating it, etc.), and what would be the cost of replacing the certificate inside the device once/if compromised?

2013/11/12 Andreas Kuckartz a.kucka...@ping.de

> Hans-Christoph Steiner:
>
>> The crypto smartcard (aka Hardware Security Module) is some work to set up, but not really all that much. And they are easy to use once set up. And they provide a huge boost in the security of the certificate.
>
> Such hardware also costs a significant amount of money. Are there better ways to spend money to improve the security?
>
> Cheers,
> Andreas

-- 
GPG: http://is.gd/droope http://is.gd/signature_
Re: SSL for debian.org/security?
I fail to see what would make what hard; could you please explain?

2013/10/30 Jonathan Spearman j...@jstc.info

> If I am not misunderstanding this, the object is to secure the site so it won't be hacked. Why is there this need to use TOR? If I am not wrong, this site is about resolving issues related to the security of Debian, not doing some underground espionage type activities. I think using good judgement and the tools to secure the site is way more important than trying to hide from the NSA or some government. Please people, get a grip. This is why Linux has a hard time being in the mainstream. Not because it's less secure or not like that other OS, but because you have people making the usage of it hard for a normal user to just get information and use the product. Some of you really need to stop watching the news and just enjoy the freedom that Linux brings.
>
> On 10/29/2013 04:44 AM, Jordon Bedwell wrote:
>
>> On Tue, Oct 29, 2013 at 4:29 AM, Nikolay Kubarelov n...@tightwax.com wrote:
>>
>>> I would use Tor hidden service instead of SSL.
>>
>> Wait: What? Can't tell if serious.
>
> --
> Thanks,
> Jonathan Spearman

-- 
GPG: http://is.gd/droope http://is.gd/signature_
[NodeJS NPM] security concerns
Hi.

NPM, the nodejs package manager, doesn't check for https signatures when communicating with the central repo, which could give an attacker with MITM capabilities the possibility to execute code. The issue is here: https://github.com/isaacs/npm/issues/1204. The maintainer considers this to be a bug that is on his eventually list.

Some interesting quotes:

> You should be very careful telling those you've never met how little they care about something. If I didn't care about security at all, I wouldn't work on it at all. However, you are making the mistake of most security-focused engineers, and apparently missing that there is anything *else* to be concerned with. This is a classic cognitive bias of over-estimating the threat of a low-probability failure mode.

> If there are linux distros picking up *such an immature and developmental* project like npm, then *it is to their folly*. I never suggested that they do such a thing, and in fact, have campaigned several times to have npm removed from other package manager indexes. People should install node and npm from the source code. In a year or two, it might be a good idea, but for now, npm is still changing too quickly, and is too unstable.

I find it quite baffling, since node is a pretty popular language and npm is the most popular way for them to install packages, but hey. I just thought it would be interesting to let you guys know and would be quite interested to hear your thoughts.

Thanks,
Pedro

-- 
GPG: http://is.gd/droope http://is.gd/signature_
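One control that closes the tampering window Pedro describes, shown here as an added example and not taken from npm's code: refuse to unpack a downloaded tarball unless it matches a digest pinned in the lockfile. Modern npm lockfiles carry an `integrity` field in Subresource Integrity format (`sha512-<base64 digest>`); the functions below, the sample tarball bytes and the `install_from_download` helper are this example's own constructions.

```python
"""Added example (not npm's code): verify a downloaded package against a pinned
Subresource-Integrity-style digest before unpacking it.

The SRI format ('sha512-<base64>') is the one used by npm lockfiles; everything
else here (sample tarball, lock entry, install helper) is constructed for the demo.
"""
import base64
import hashlib
import hmac

# Only collision-resistant digests are accepted; 'sha1'/'md5' pins are rejected.
SUPPORTED = {"sha256", "sha384", "sha512"}


def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Produce an SRI string such as 'sha512-AbC...=' for a blob (what a lockfile records)."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, sri: str) -> bool:
    """Return True only if `data` matches the pinned SRI value; any parse failure fails closed."""
    try:
        algo, b64 = sri.split("-", 1)
        expected = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return False  # malformed pin: never skip the check
    if algo not in SUPPORTED:
        return False  # a downgraded 'sha1-' pin is rejected outright
    actual = hashlib.new(algo, data).digest()
    # Constant-time comparison; also returns False on length mismatch.
    return hmac.compare_digest(actual, expected)


def install_from_download(blob: bytes, lockfile_entry: dict) -> str:
    """Hypothetical install step gated on the integrity check."""
    if not verify_sri(blob, lockfile_entry["integrity"]):
        raise RuntimeError(f"integrity mismatch for {lockfile_entry['name']}; refusing to unpack")
    return f"unpacked {lockfile_entry['name']}"


# Constructed sample: the tarball the registry served, and a copy altered in transit.
GENUINE_TARBALL = b"\x1f\x8b" + b"example-package-contents" * 4
TAMPERED_TARBALL = GENUINE_TARBALL[:-1] + b"!"
LOCK_ENTRY = {"name": "example-package", "integrity": make_sri(GENUINE_TARBALL)}


if __name__ == "__main__":
    print(install_from_download(GENUINE_TARBALL, LOCK_ENTRY))
    try:
        install_from_download(TAMPERED_TARBALL, LOCK_ENTRY)
    except RuntimeError as exc:
        print("blocked:", exc)
```

The pin has to come from somewhere trustworthy (a lockfile committed to the project's repository, or a signed manifest); a digest fetched over the same unauthenticated channel as the tarball adds nothing, which is why transport authentication and pinned integrity complement rather than replace each other.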