Re: Another Method to Block Java Hijinks

["Kyle Williams" <kyle.kwilliams@xxxxxxxxx>]

On 4/12/07, scar <scar@xxxxxxxxxx> wrote:

norvid @ 2007/04/05 17:18:
> On 4/5/07, James Muir <jamuir@xxxxxxxxxxxxxxx> wrote:
>> norvid wrote:
>> > On 4/5/07, James Muir < jamuir@xxxxxxxxxxxxxxx> wrote:
>> >> norvid wrote:
>> >
>> > <snip>
>> >
>> >> I've heard that properly configuring a firewall can be tricky.  In any
>> >> case, using a firewall still doesn't protect from Java applets reading
>> >> identifying information locally and sending it back through the
>> >> anonymous connection.
>> >
>> > Actually, I believe that with the browser denied access to the
>> > internet, the normal 2-way java applet communication is prevented.
>> > Please try the test I mentioned.
>>
>> In the tests that I have done previously, the Java VM inherits the proxy
>> settings listed in the browser (at least this is what is supposed to
>> happen; sometimes this does not happen).  So if the browser is
>> configured to use Privoxy and these setting are communicated correctly
>> to the Java VM, what is there to stop a Java applet from sending back
>> data through Privoxy?
>
> I don't know the answers to these questions other than to say that I
> am not configuring any of the proxy settings in the Java VM.  They are
> the default.
>
> I have tried to configure Java VM proxy settings with no apparent
> success.  I have no idea why this does not work.
>
> My test might best be performed on a Windows machine as the
> availability of software firewalls is fairly extensive.  Alot of these
> are easily configurable to block the browser and allow Privoxy access.
> Although I don't have much experience with Linux, I'm guessing that
> it might be a little more difficult to configure than Windows.
>
> I am certain that on my machine using two different firewalls, the
> very specific test I detailed will not determine my real IP even
> though Java is enabled.  Of course it cannot determine my IP if Java
> is disabled also.
>

 

i think what we are trying to say here, is: even though this configuration may prevent java from determining the user's IP, it does not prevent java from determining other personal information.

this information may include: the local time of the user's machine, screen resolution & color depth, operating system & browser version (if this is found to differ from the UserAgent reply, isn't that suspicious?), and probably many, many other items.  these could be just as revealing as an IP address.  so, unfortunately, i don't see the point of this configuration with anonymity in mind.

The local time of the user machine, that could be useful.  
But if you want to know that the screen size is 1024x768, sure, you just got the screen size of my VM.  That doesn't tell you that my real screen size is 1280x1024, 1600x1200, or whatever.  As for my OS, I don't care that you find out I'm running Windows, in a VM.
Then what possible REAL information would you be able to find?

Seriously, someone...anyone, show me how much information you could get using Java, _javascript_, or Flash against JanusVM; I don't think you would get much USEFUL information.

Specifically:
* What information can you find out that is REAL AND TRUE about the user and/or environment they are using? 
* How would you use this information to track the user to their point of origin or source?
* How can this information compromise the safety / privacy of the user?
* Can any of the recovered information be used to calculate the users personality or browsing habits? (such as tracking pedophiles, like HD Moore wants to do.)

I would be using JanusVM for the transparent proxy layer, Windows XP Pro for the OS, and both IE and Firefox for the test.  Two VM will be running with VMWare Server, JanusVM and Windows XP.  

If anyone is up for this, just let me know.
Personally, java is nice but I hate coding it and have lots to do already, otherwise I would do it myself.  
I would love to see good results, and have someone make me eat my words.  But as it stands, I think JanusVM is your best bet (for now) to protect yourself against Java/_javascript_/Flash leaking your real IP or other useful information.

(HD Moore, you up for this?  If so, let me know because I have a couple of ideas for ya.  ;-)


Regards, 
~Kyle