Re: The best way to run a hidden service: one or two computers?
On Sat, Sep 25, 2010 at 5:04 PM, Mike Perry <mikeperry@xxxxxxxxxx> wrote:
> ...
>> however, if an attacker has access to read this locally they've
>> already compromised you to a degree that random mac affords no
>> protection...
>
> Is this really true?
yup. for the very few situations it is not true, you've designed a
virtual network and client environment with this class of information
leakage covered (read: you know what you're doing and what you're
defending against :)
> One of the things I've wondered about here is
> plugins, but since Torbutton disables them for other reasons I haven't
> really looked into it.
yes. this is one reason why Torbutton is great regardless of other
protections. the list of plug-ins exposing dangerous interfaces /
attack surface is about as long as the list of plug-ins for FFox,
Chrome only has a prayer as live browser instance (which it does well
by the way!).
IE, Opera, Safari, most are hopeless.
> For instance, I know Java can create a socket,
> and query the interface properties of that socket to get the interface
> IP. Why not mac address?
yup, and/or upstream router details sufficient to geo locate you,
expose public IP endpoint, etc. (like the "how i met your girlfriend"
attacks, many others...)
> And if not java, can one of flash,
> silverlight, pdf-javascript, or others do this?
yes.
> Already we have
> location features built in to the browser based on nearby Wifi MACs...
yes. :)
> The Java trick to get the interface IP does not require special privs,
> so a randomized MAC would in fact help this scenario, if it were
> somehow possible.
yes. :P
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/