Re: [SECURITY] [DSA 3211-1] iceweasel security update
On 2015-05-18 at 01:12, Pedro Worcel wrote:
> Keep in mind that if you use a non-tor browser in order to browse through Tor you would still be trackable to a degree.

I would guess that there is no anonymity with tor anyway unless you use a virtual machine based solution like, for instance, Whonix. Otherwise one would have to restrict oneself to using torsocks wget/lynx/w3m/elinks, which I consider to be rather safe browsers/downloaders. If you do not have lynx/w3m/elinks you could even use wget + vim/mcedit/less in certain cases, as I did lately when downloading Debian:

    torsocks wget http://cdimage.debian.org/debian-cd/8.0.0/amd64/jigdo-dlbd/SHA512SUMS
    torsocks lynx http://atterer.org/jigdo/#download

or:

    torsocks wget http://atterer.org/sites/atterer/files/2009-08/jigdo/jigdo-bin-0.7.3.tar.bz2
    sha256sum jigdo-bin-0.7.3.tar.bz2
    58b8a6885822e55f365c99131c906f16ceaaf657c566e10f410d026704cad157  jigdo-bin-0.7.3.tar.bz2
    torsocks wget http://cdimage.debian.org/debian-cd/8.0.0/amd64/jigdo-dlbd/debian-8.0.0-amd64-DLBD-1.jigdo/.template
    torsocks jigdo-bin-0.7.3/jigdo-lite debian-8.0.0-amd64-DLBD-1.jigdo
    sha512sum debian-8.0.0-amd64-DLBD-1.iso

Shell sessions as above should usually not be necessary unless you download two times with wrong SHA512 over plain http. Both times jigdo had reported a matching checksum to me; unfortunately the SHA512 definitely did not match. Usually you should be good with the first line applied on a plain http jigdo download (too bad that it does not support https + DNSSEC/DANE).

I never leave a computer with preinstalled tor; I always boot from read-only media like a DVD. However some of these media are not entirely trustworthy: I always stop all unnecessary services (netstat -atupn) and often disable network-manager before going online. macchanger -a eth0 may also be helpful.

Unnecessary to mention that anonymity gets lost as soon as your host operating system gets compromised. It is also well known that the NSA and possibly other intelligence services attack tor users on a regular basis if they are interested in what they are doing.

Regards,
Elmar

> Please see https://panopticlick.eff.org/
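The final check in the message above (comparing the finished image against SHA512SUMS rather than relying on jigdo's own report) can be made to fail closed. This is an added example, not part of the original post; the function name, exit codes and the optional keyring argument are hypothetical, and the signature step assumes the detached SHA512SUMS.sign file that Debian publishes next to SHA512SUMS has been downloaded alongside it.

```shell
#!/bin/sh
# verify_image SUMS IMAGE [KEYRING]   (added example, names are hypothetical)
# Usage: verify_image SHA512SUMS debian-8.0.0-amd64-DLBD-1.iso
# Returns 0 on match, 2 unreadable input, 3 bad signature,
#         4 no usable entry for IMAGE, 5 digest mismatch.
# File names containing whitespace are not handled.
verify_image() {
    sums=$1 image=$2 keyring=${3:-}
    if [ ! -r "$sums" ] || [ ! -r "$image" ]; then
        echo "verify_image: cannot read '$sums' or '$image'" >&2
        return 2
    fi

    # Optional: authenticate the checksum list before trusting it, since it
    # was fetched over plain http. KEYRING is an assumption: a local keyring
    # file that holds the Debian CD signing key.
    if [ -n "$keyring" ]; then
        if ! gpgv --keyring "$keyring" "$sums.sign" "$sums" >/dev/null 2>&1; then
            echo "verify_image: signature check on '$sums' failed" >&2
            return 3
        fi
    fi

    name=$(basename "$image")
    # Entries look like "<128 hex digits>  <name>" ("*<name>" in binary mode).
    # Compare the name field exactly so a similar name cannot satisfy the check.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1) }' "$sums" | sort -u)

    # Fail closed: exactly one well-formed SHA-512 digest must be listed.
    # Two conflicting entries leave a newline in $expected and are rejected.
    case $expected in
        *[!0-9a-f]*) expected= ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "verify_image: no usable entry for '$name' in '$sums'" >&2
        return 4
    fi

    actual=$(sha512sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_image: SHA-512 mismatch for '$name'" >&2
        return 5
    fi
    echo "verify_image: '$name' matches '$sums'"
}
```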
Re: [SECURITY] [DSA 3211-1] iceweasel security update
I'm not from the iceweasel team, but I can assure you that most, if not all, of the bugs in Firefox have been accidental. If you are concerned about privacy (which is a good thing!), then I recommend that you use the Tor browser. If you don't trust that because it's based on Firefox, then try to find a browser that you do trust and tunnel it through Tor. If you don't trust Tor, then I don't know, maybe you could use someone else's computing device :)

On Fri, 08 May 2015 03:47:01 +0200 Weber <kwebe...@gmx.de> wrote:
> Dear iceweasel team,
>
> is it real that the bugs from Mozilla and partners will never end? Don't you think there is a ns-agent at Mozilla? Or even some at Debian? Producing bugs and bugs and bugs, more and more instead of less?
>
> Yes man, it is! Mozilla is a bought IP tracker and sniffer. IPs going over Google Server, which Mozilla uses for own work. North Korea has 1000 agents and the US about 5000 or more? China 10 000? Now guess...
>
> For this reason I will ask you to harden iceweasel and icedove with best sec settings and with best data privacy, which I miss until today. No script is good, but it can be better.
>
> It's not good to have a very fat browser changing every month its basic features and get fatter and fatter, open for more fatter unsecure apps and modules. (Which are now checked, ok, but not for privacy! Mozilla does not give any possibility in the app store that developers can / must fill out with privacy and sec options/info. Why?)
>
> Privacy is not, when firefox-Icew. opens any !!! TCP silly app checker or else after I start it. And is not, if Google servers are standard in background, or any other social shit configs in the background users never can read in front in an easy way, and is not, if any other soft is loaded while using it. And is not, if the code is getting a bubble to 80 MB and no one can find a sec hole in one day.
>
> Security and privacy is lost in Debian, too, and in Mozilla for many years now. Mozilla don't want to change this, because they are not free anymore. This must be changed! Money for programmers is good, but not in this way. They are big enough to make 200 mio without Google. But they will not. They are in a hidden project as Snowden told us.
>
> Mozilla adverts in a very unfair way on their website with privacy, they lie to users, who don't know how to protect themselves. Mozilla does this special setting behind to hide it from normal users! That's bad! And they don't tell the users what they do with the metadata they send to THIRD parties! Ask them! Now! And send us the answer! Come on.
>
> Bug is a program! Bugs are bought/paid by third partners/agencies! Fuck this shit.
>
> Sorry, that's a bad work you do, and I ask you why nobody works against it or nobody wants to get rid of the trackers and perhaps sniffers!? This Linux is not the vision of the founders of Linux/GNU for NON-sniffing, tracking tools! Do it better now, please.
>
> Reduce code, delete remote chat app video code, reduce any code which is not stable and we don't need for HTML sites. We need no flash shit, no apps, we need a browser which is secure more than 2 days in the year! Or: you create a second edition browser, which runs lighter and more secure / independent as the original.
>
> If you can remember, as I don't know your age, Firefox was working with 1 MB code in version 1! It was good enough for the slowest flash/java/video site or other much worse websites. Now we have 80 times more code!! And about 20-50 more bugs each year! And very much critical bugs which can freeze a window or remote exploit a Debian or Windows. Firefox was a very good browser for a starter team! Until they started the bug program, infiltrating all people on earth as IE does, as experts write in blogs sometimes with the help of Adobe Flash.
>
> If you don't want to do anything, please leave Debian and let others do this work.
>
> PS. We know that Google sponsors Debian too. They sponsor even German newspapers to get more profit and rights on the www market! That's not a way you should copy to GNU Linux. Don't believe, if you type ps -ef, that you see all services on Debian. It's infiltrated in many of the 20 000 apps. Some directly work with localhost Mozilla engine other web services. Some are called buffer overflow on bug lists.
>
> And now tell me how much you get that Mozilla and Google is on Debian nr 1?
>
> regards
> weber
Re: [SECURITY] [DSA 3211-1] iceweasel security update
Keep in mind that if you use a non-tor browser in order to browse through Tor you would still be trackable to a degree.

Please see https://panopticlick.eff.org/

2015-05-08 16:18 GMT+12:00 Riley Baird <bm-2cvqnduybau5do2dfjtrn7zbaj246s4...@bitmessage.ch>:
> I'm not from the iceweasel team, but I can assure you that most, if not all, of the bugs in Firefox have been accidental. If you are concerned about privacy (which is a good thing!), then I recommend that you use the Tor browser. If you don't trust that because it's based on Firefox, then try to find a browser that you do trust and tunnel it through Tor. If you don't trust Tor, then I don't know, maybe you could use someone else's computing device :)
Re: [SECURITY] [DSA 3211-1] iceweasel security update
Dear iceweasel team,

is it real that the bugs from Mozilla and partners will never end? Don't you think there is a ns-agent at Mozilla? Or even some at Debian? Producing bugs and bugs and bugs, more and more instead of less?

Yes man, it is! Mozilla is a bought IP tracker and sniffer. IPs going over Google Server, which Mozilla uses for own work. North Korea has 1000 agents and the US about 5000 or more? China 10 000? Now guess...

For this reason I will ask you to harden iceweasel and icedove with best sec settings and with best data privacy, which I miss until today. No script is good, but it can be better.

It's not good to have a very fat browser changing every month its basic features and get fatter and fatter, open for more fatter unsecure apps and modules. (Which are now checked, ok, but not for privacy! Mozilla does not give any possibility in the app store that developers can / must fill out with privacy and sec options/info. Why?)

Privacy is not, when firefox-Icew. opens any !!! TCP silly app checker or else after I start it. And is not, if Google servers are standard in background, or any other social shit configs in the background users never can read in front in an easy way, and is not, if any other soft is loaded while using it. And is not, if the code is getting a bubble to 80 MB and no one can find a sec hole in one day.

Security and privacy is lost in Debian, too, and in Mozilla for many years now. Mozilla don't want to change this, because they are not free anymore. This must be changed! Money for programmers is good, but not in this way. They are big enough to make 200 mio without Google. But they will not. They are in a hidden project as Snowden told us.

Mozilla adverts in a very unfair way on their website with privacy, they lie to users, who don't know how to protect themselves. Mozilla does this special setting behind to hide it from normal users! That's bad! And they don't tell the users what they do with the metadata they send to THIRD parties! Ask them! Now! And send us the answer! Come on.

Bug is a program! Bugs are bought/paid by third partners/agencies! Fuck this shit.

Sorry, that's a bad work you do, and I ask you why nobody works against it or nobody wants to get rid of the trackers and perhaps sniffers!? This Linux is not the vision of the founders of Linux/GNU for NON-sniffing, tracking tools! Do it better now, please.

Reduce code, delete remote chat app video code, reduce any code which is not stable and we don't need for HTML sites. We need no flash shit, no apps, we need a browser which is secure more than 2 days in the year! Or: you create a second edition browser, which runs lighter and more secure / independent as the original.

If you can remember, as I don't know your age, Firefox was working with 1 MB code in version 1! It was good enough for the slowest flash/java/video site or other much worse websites. Now we have 80 times more code!! And about 20-50 more bugs each year! And very much critical bugs which can freeze a window or remote exploit a Debian or Windows. Firefox was a very good browser for a starter team! Until they started the bug program, infiltrating all people on earth as IE does, as experts write in blogs sometimes with the help of Adobe Flash.

If you don't want to do anything, please leave Debian and let others do this work.

PS. We know that Google sponsors Debian too. They sponsor even German newspapers to get more profit and rights on the www market! That's not a way you should copy to GNU Linux. Don't believe, if you type ps -ef, that you see all services on Debian. It's infiltrated in many of the 20 000 apps. Some directly work with localhost Mozilla engine other web services. Some are called buffer overflow on bug lists.

And now tell me how much you get that Mozilla and Google is on Debian nr 1?

regards
weber

On 01.04.2015 at 18:10, Salvatore Bonaccorso wrote:
> Debian Security Advisory DSA-3211-1 secur...@debian.org
> http://www.debian.org/security/ Salvatore Bonaccorso
> April 01, 2015 http://www.debian.org/security/faq
>
> Package: iceweasel
> CVE ID : CVE-2015-0801 CVE-2015-0807 CVE-2015-0813 CVE-2015-0815 CVE-2015-0816
>
> Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, the bypass of security restrictions, denial of service or cross-site request forgery.
>
> For the stable distribution (wheezy), these problems have been fixed in version 31.6.0esr-1~deb7u1.
>
> For the unstable distribution (sid), these problems have been fixed in version