flat assembler
Message board for the users of flat assembler.
flat assembler > Heap > Why we should always disable JS (and flash)

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15296
Location: Bigweld Industries
Install a VPN and make your security worse.

Most of the problems can be solved by disabling JS.

https://arstechnica.com/security/2017/01/majority-of-android-vpns-cant-be-trusted-to-make-users-more-secure/

Quote:
Two of the apps injected JavaScript code that delivered ads and tracked user behavior. JavaScript is a powerful programming language that can easily be used maliciously


Quote:
Of the 67 percent of VPN products that specifically listed enhanced privacy as a benefit, 75 percent of them used third-party tracking libraries to monitor users' online activities.



Last edited by revolution on 15 Feb 2017, 09:04; edited 1 time in total
Post 29 Jan 2017, 00:40
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15296
Location: Bigweld Industries
So no surprise to anyone here but as usual yet another JS problem:

https://www.theregister.co.uk/2017/02/05/chrome_56_quietly_added_bluetooth_snitch_api/ wrote:
“The Web Bluetooth API uses the GATT [Generic Attribute Profile – ed.] protocol, which enables your app to connect to devices such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript.”

Websites should be given more power and control over our computers and be able to grab whatever they want. Who are we to try and stand in the way of progress? [/sarcasm] Rolling Eyes
Post 09 Feb 2017, 08:50
Jerry



Joined: 24 Dec 2016
Posts: 18
Location: Zeist, Netherlands
Post 15 Feb 2017, 06:24
sleepsleep



Joined: 05 Oct 2006
Posts: 6957
http://thehackernews.com/2017/02/bypass-aslr-browser-javascript.html

Quote:
According to the team, the only way you can protect yourself against AnC attacks is to enable plug-ins, such as NoScript for Firefox or ScriptSafe for Chrome, to block untrusted JavaScript code on web pages from running in the browser.



or maybe surf inside virtualbox, vmware, esx or etc container, or stop using browser?
Post 17 Feb 2017, 15:15
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15296
Location: Bigweld Industries
But how to define "untrusted JavaScript code"?

My definition: Anything that comes from an external source out of your control cannot be trusted. And anything that comes from an internal source within your control that might be subject to malware/APT/etc. should also be considered untrusted. So that would cover pretty much everything connected to the Internet.
Post 17 Feb 2017, 15:54
sleepsleep



Joined: 05 Oct 2006
Posts: 6957

revolution wrote:

But how to define "untrusted JavaScript code"?


those domain that you never heard before,

my whitelist would be, etc microsoft, google, (no choice, we got to trust them) then expand whitelist from what they trust,


revolution wrote:

My definition: Anything that comes from an external source out of your control cannot be trusted. And anything that comes from an internal source within your control that might be subject to malware/APT/etc. should also be considered untrusted. So that would cover pretty much everything connected to the Internet.


a definition like that will most probably, end up with total seclusion from others in physical,
Post 18 Feb 2017, 03:59
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15296
Location: Bigweld Industries
Well, like I said in the title, disable JS. You can't trust anything.

And BTW: We do have a choice, I don't allow google or MS to run scripts, and my system still works just fine.
Post 18 Feb 2017, 12:39
sleepsleep



Joined: 05 Oct 2006
Posts: 6957
well, disable js will disable the following:
- online banking,
- web based email
- online shopping websites,
- government services websites,
- and much more,

might be as well, stop using internet and de-subscribe data package?
Post 18 Feb 2017, 13:05
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15296
Location: Bigweld Industries
sleepsleep, sorry but you are wrong on all those counts. I can do all of the above in your list without JS.
Post 18 Feb 2017, 13:07
sleepsleep



Joined: 05 Oct 2006
Posts: 6957
https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/


Quote:
According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware, contest organizers reported Friday morning on Twitter. The result was a "complete virtual machine escape."



really bad,
i could just assume, there are mechanism to escape from virtualbox too, heap overflow in firefox, safari, chrome, edge,

i should disable JS, flash and maybe the os itself?
Post 18 Mar 2017, 12:22
Trinitek



Joined: 06 Nov 2011
Posts: 257
Disable everything. Take your hard disk out and shoot it. Nothing is safe.
Post 18 Mar 2017, 22:25
YONG



Joined: 16 Mar 2005
Posts: 8000
Location: 22° 15' N | 114° 10' E

Trinitek wrote:
Disable everything. Take your hard disk out and shoot it. Nothing is safe.

Sad but true. A wise forum member once said:

"... a perfectly secure system is one that is never turned on."

Refer to:
https://board.flatassembler.net/topic.php?p=192352#192352

Sounds kind of philosophical to me.

Wink
Post 19 Mar 2017, 01:58
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15296
Location: Bigweld Industries
Just don't make the mistake of expecting perfect security and you should be fine. Assume everything is monitored and logged and only send out non-confidential public information.
Post 19 Mar 2017, 05:54
TmX



Joined: 02 Mar 2006
Posts: 792
Location: Jakarta, Indonesia
Any experienced web developers here?
How many of you write web apps without JS, at all?
So on the front end side, only HTML and CSS are used.

This might be interesting Smile
Post 23 Mar 2017, 09:06
Furs



Joined: 04 Mar 2016
Posts: 889

revolution wrote:
Just don't make the mistake of expecting perfect security and you should be fine. Assume everything is monitored and logged and only send out non-confidential public information.

Or run your browser in a sandbox and before doing something sensitive just kill the entire sandbox and start fresh?

Needless to say, you should trust a company for its services as long as you use them. I trust Google with its services (e.g. email, drive), there's no point disabling JS here, they can look into my account anyway.

If I go to online banking I of course also enable JS for the bank's site, same reason.

Just kill the sandbox before "switching" websites or doing anything you want to not have the chance to be tracked by malicious JS.


And if you say, well, how do you know what JS the site imports, it's easy, use NoScript or similar and only enable those you want. People make this paranoia way more complicated than it is.

Obviously if the malicious code escaped the sandbox (kernel exploit?) you're toast, goes without saying, different problem.

To be honest I find it crazy to disable all JS and not use the sandbox approach. Not because of disabling JS but because it means that person doesn't use a sandbox (most likely).

Do you think HTML and CSS can't be exploited with a bug? Always assume the worst! (and draw the line at a heavy point, such as kernel exploit, which is literally nothing you can do about it except hope it gets patched)
Post 23 Mar 2017, 12:26
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15296
Location: Bigweld Industries
Sandboxes do not stop tracking, logging, monitoring.

VMs do not stop tracking, logging, monitoring.

All your stuff gets sent out in only one way, regardless of VMs or sandboxes; it all goes to your ISP.
Post 23 Mar 2017, 15:54
sleepsleep



Joined: 05 Oct 2006
Posts: 6957
vault 7 black matter
http://www.theinquirer.net/inquirer/news/3007101/dark-matter-wikileaks-latest-vault-7-dump-claims-cia-infects-factory-fresh-iphones

imagine people are holding and treasuring this shit that anytime could devolve into device which spy them 24x7, Laughing hilarious!
Post 23 Mar 2017, 23:09
Furs



Joined: 04 Mar 2016
Posts: 889

revolution wrote:
Sandboxes do not stop tracking, logging, monitoring.

VMs do not stop tracking, logging, monitoring.

All your stuff gets sent out in only one way, regardless of VMs or sandboxes; it all goes to your ISP.

What kind of tracking are you referring to?

I only consider tracking when a website knows what I have done in the past or what I will do in the future (even other websites I visit), that's the real definition of tracking malware. If you have a website you want to visit without any prior scripts knowing about it, then it's no problem -- kill the sandbox, then visit the site. Went somewhere and want to visit a potentially tracking site? Kill the sandbox (remove all history) then visit it.

If you mean tracking as in, the website records when you visit itself, then I don't know what to say. It's like going out in a restaurant and wanting to be invisible. Confused

At least you could use a VPN I guess, but I don't find it worth it.
Post 24 Mar 2017, 00:17
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15296
Location: Bigweld Industries
If your ISP is AT&T, for example, just ask them how much information they give to the government and sell to marketers. And after you receive the answer come back here and report how much logging, tracking and monitoring was prevented by a sandbox.
Post 24 Mar 2017, 00:20
Furs



Joined: 04 Mar 2016
Posts: 889
Oh that's true but I don't see how that has anything to do with JS malware. Sandbox protects you from external bugs and exploits in browser (JS included), which is what I was referring to. Razz

Obviously, hiding your activity from your ISP is much more difficult and requires a VPN.

It doesn't mean the sandbox is bad though, I mean malware JS can still spy on you even with a VPN or even take over your PC. It's a different kind of "protection". You need both if you really want to be anonymous.

And btw all US ISPs are shit, their internet is like 3rd world, never truly understood why.

"lack of competition" I just don't understand why, when certain parts in Europe have fiber optics, and countries like Japan too.
Post 24 Mar 2017, 00:24
Copyright © 2004-2016, Tomasz Grysztar.