[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] pidgin and tor

On 10/12/15, sh-expires-12-2015@xxxxxxxxxxxxxxxx
<sh-expires-12-2015@xxxxxxxxxxxxxxxx> wrote:
> ...
> Thats what you fail to grasp, imho.

i appreciate education in all forms :)

> I am not sure, what "rogue remote execution" is, please elaborate.
> Sounds like an assassin sniper to me. ;)

i should have been more clear.

specifically, https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

The vulnerability does not enable the execution of arbitrary code but
the exploit was able to inject a JavaScript payload into the local
file context. This allowed it to search for and upload potentially
sensitive local files.

The files it was looking for were surprisingly developer focused for
an exploit launched on a general audience news site, though of course
we donât know where else the malicious ad might have been deployed. On
Windows the exploit looked for subversion, s3browser, and Filezilla
configurations files, .purple and Psi+ account information, and site
configuration files from eight different popular FTP clients. On Linux
the exploit goes after the usual global configuration files like
/etc/passwd, and then in all the user directories it can access it
looks for .bash_history, .mysql_history, .pgsql_history, .ssh
configuration files and keys, configuration files for remina,
Filezilla, and Psi+, text files with âpassâ and âaccessâ in the names,
and any shell scripts. Mac users are not targeted by this particular
exploit but would not be immune should someone create a different
payload. [Update: weâve now seen variants that do have a Mac section,
looking for much the same kinds of files as on Linux.]

> Again, you write "usability" you fail at understanding, that
> OP is looking for a convenient and secure solution (he asked
> about Pidgin being secure).

usability is not just convenience. but i see why you conflate the two.

> Sorry, but your vm-fanboyism isn't helpful at all.

i'd rather have langsec, for sure!

let's discuss cost... one much closer (near-term practical) than the other!

awaiting your next treatise on the quantification of attack surface
using appropriate cohort analysis of similar risk pools.

best regards,
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to