
Re: [tor-talk] pidgin and tor



On 10/12/15, sh-expires-12-2015@xxxxxxxxxxxxxxxx
<sh-expires-12-2015@xxxxxxxxxxxxxxxx> wrote:
> ...
> That's what you fail to grasp, imho.

i appreciate education in all forms :)



> I am not sure, what "rogue remote execution" is, please elaborate.
> Sounds like an assassin sniper to me. ;)

i should have been more clear.

specifically, https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

'''
The vulnerability does not enable the execution of arbitrary code but
the exploit was able to inject a JavaScript payload into the local
file context. This allowed it to search for and upload potentially
sensitive local files.

The files it was looking for were surprisingly developer focused for
an exploit launched on a general audience news site, though of course
we don't know where else the malicious ad might have been deployed. On
Windows the exploit looked for subversion, s3browser, and Filezilla
configurations files, .purple and Psi+ account information, and site
configuration files from eight different popular FTP clients. On Linux
the exploit goes after the usual global configuration files like
/etc/passwd, and then in all the user directories it can access it
looks for .bash_history, .mysql_history, .pgsql_history, .ssh
configuration files and keys, configuration files for remina,
Filezilla, and Psi+, text files with "pass" and "access" in the names,
and any shell scripts. Mac users are not targeted by this particular
exploit but would not be immune should someone create a different
payload. [Update: we've now seen variants that do have a Mac section,
looking for much the same kinds of files as on Linux.]
'''


> Again, you write "usability" you fail at understanding, that
> OP is looking for a convenient and secure solution (he asked
> about Pidgin being secure).

usability is not just convenience. but i see why you conflate the two.



> Sorry, but your vm-fanboyism isn't helpful at all.

i'd rather have langsec, for sure!

let's discuss cost... one much closer (near-term practical) than the other!

awaiting your next treatise on the quantification of attack surface
using appropriate cohort analysis of similar risk pools.


best regards,
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
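Added example, not from the thread or from Mozilla's post: a small audit script that walks a home directory for the classes of files the quoted write-up says the exploit harvested on Linux and reports which of them the current user can read, which is exactly the exposure a same-user browser compromise has (the point about attack surface above). The target patterns and the constructed sample home are assumptions.

```python
"""Measure what a browser process running as this user could read, using the
file classes named in the quoted Mozilla write-up. Added example; patterns and
the sample home directory are constructed for the demo."""
import os
import re
import tempfile

# Artifact classes from the write-up's Linux section, matched against the
# path relative to the home directory (assumed locations, not exhaustive).
TARGETS = [
    ("shell history", re.compile(r"^\.(bash|mysql|pgsql)_history$")),
    ("ssh config/keys", re.compile(r"^\.ssh/")),
    ("pidgin accounts", re.compile(r"^\.purple/")),
    ("pass/access text", re.compile(r"(pass|access)[^/]*\.txt$", re.I)),
    ("shell scripts", re.compile(r"\.sh$")),
]


def audit_home(home):
    """Return sorted (label, relative path) pairs for files under `home` that
    match a target class and are readable by the current process."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(home):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, home)
            for label, pattern in TARGETS:
                if pattern.search(rel) and os.access(full, os.R_OK):
                    hits.append((label, rel))
                    break  # first matching class wins
    return sorted(hits)


def build_sample_home():
    """Create a constructed home directory with a few targeted files plus
    noise, and return its path (caller may delete it afterwards)."""
    home = tempfile.mkdtemp(prefix="audit-demo-")
    samples = {
        ".bash_history": "ssh admin@example.invalid\n",
        ".ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n",
        ".purple/accounts.xml": "<account><password>constructed</password></account>\n",
        "notes/db-access.txt": "constructed\n",
        "bin/backup.sh": "#!/bin/sh\necho constructed\n",
        "Pictures/cat.jpg": "not interesting\n",
    }
    for rel, body in samples.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return home


if __name__ == "__main__":
    for label, rel in audit_home(build_sample_home()):
        print(f"{label:18} {rel}")
```

Run it against a real home directory (`audit_home(os.path.expanduser("~"))`) to see what a compromised browser or other same-user process would have had in reach.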