Watch a Cat Video, Get Hacked: the Death of Clear-Text

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

This is just evil.

[sabri]

And evil doesn't cover it.

Re:

[Lazere]

In other words, there has to be a bug on the client that lets the web page run arbitrary code

Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is. This is the exact reason driveby malware via ad networks still happens. If you have ISP level access and can inject malicious code in unencrypted pages, you win. The solution to this, from a web hosts view, is to encrypt everything.

Re:This is just evil.

[mythosaz]

Rendering HTML isn't "executing arbitrary code" in any meaningful way.

Re:This is just evil.

[Noah Haders]

Rendering HTML isn't "executing arbitrary code" in any meaningful way.

"I disagree" -- hackers.

Re:This is just evil.

[LordLimecat]

Its running code, but not arbitrary. There are limits to what code is allowed to execute. The HTML5 spec does not, for instance, allow you to read arbitrary memory locations.

"Executing structured code" perhaps?

Clearly

[fyngyrz]

Java and so forth is not limited enough. Not even close. And outside of that, there's the whole "ooops, the bug let some code execute" that will plague browser-side executables forever, or as close to it as makes no difference.

This is one of the core (ha) problems with client-side execution in a general purpose machine.

If you want to host a reputable website, then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road. All this java-loaded stuff on websites is a constant invitation to problems. It's an idea that is only safe in a world without bad guys. And our world is hardly that -- even the ones that are supposed to be the good guys (the government) are bad guys now.

But if you can tell your users "turn off client side execution" and your website will still work, then all they need is a browser that can read HTML, CSS and CGI and follow the HTTP and HTTPS protocols. Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates, we can all enjoy the web without nearly as much risk for the surfer or paid blackmail for the site owner.

For all of us who remember how to read and enjoy real web sites, this would just be another (good) day. On the other hand, if you're one of those who doesn't read, likes to type "tl;dr" (and thinks it's funny, instead of sad as heck) and/or one of the video-addicted, you're probably completely screwed. :)

Re:

[tepples]

then the more you can put active functionality for the user in server-side CGI, the better you can actually take that high road.

True, in the future, it'll become feasible to just stream web applications over the Internet using something like RDP, VNC, or OnLive. But in the present, the latency and monthly transfer cap of satellite and cellular Internet makes that impractical.

Then if you can get browser manufacturers to quit pretending that HTTPS provides "identity" so the browsers drop the SCARE tactics for self-signed certificates

What's wrong with identity? Without identity you can't be certain that a man in the middle isn't changing your traffic on the way in. If it's the cost, you can always get a certificate for a personal site without charge from StartSSL.

Re:

[fisted]

Do not you understand what CGI is, son? Protip: It's not Computer Generated Imagery in this context.

Re:

[fyngyrz]

I said they were "supposed" to be the good guys. And they are.

Re:

[Richy_T]

Yep. Hard to inject malware into a computer stuck on the BSOD.

Re:

[BancBoy]

Whew! I thought you were going to say hosts file. Thank heavens for that. Uh oh...

Re:This is just evil.

[mysidia]

Yep, that's called a browser. Arbitrary code is exactly what a webpage or video is.

No. Full stop. A webpage or video is a page which may contain some script language which is to be executed within a certain restricted context pertaining to the webpage domain.

It is code execution, but not arbitrary code execution. A webpage is not supposed to be able to run arbitrary code within the meaning of arbitrary instructions on the CPU; only certain safe instructions within a highly limited scope.

Re:

[Richy_T]

"sandbox" is the word you're reaching for.

Re:

[mysidia]

For example, if the browser is allowed to make network connections then it can run a spam-bot.

A script running on a page can make network connections; HOWEVER, it can only connect back to the same hostname that displayed the page.

Also, the connection can either be to a non-well-known port, or it can be to a HTTP/HTTPS URL with the same hostname.

Re:

[currently_awake]

If you have control of the network (ISP) between the user and the web site you can man-in-the-middle the crypto and do this with https.

https is useless

[bbn]

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Re:https is useless

[HaeMaker]

Correct. What make anyone think: NSA agents aren't working at Google, Microsoft, Verisign, etc. Anyone checks who actually signed the certs. Almost all devices trust a few DoD root certs by default. Going to slashdot is safe? No SSL here. Do any of these GIFs, JPGs or PNGs contain exploits? If they want you, they can't get you?

Re:

[grcumb]

Going to slashdot is safe? No SSL here.

GCHQ has already spoofed Slashdot [techdirt.com] in the past. So no, going to Slash dot is not safe.

If they want you, they can't get you?

All right then. Let's all just roll over and die, why don't we?

Look, I get your cynicism, but don't let it run to fatalism. There are things you can do:

• - Stop making it easy on them. Stop using Windows. Seriously [imagicity.com]. Understand that what's convenient for you is often convenient for them.
• - Stop using proprietary software at all. Yes, yes, HeartBleed nothing is safe bla bla bla. I'm not talking about safe, though; I'm talking a

Re:https is useless

[Altrag]

What's inconvenient for them is often impossible for us. Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac. Indie games tend to be somewhat better for this but most casual gamers just want the big name games.

And it gets even worse in a business environment where you often have software restrictions imposed on you by corporate policy and frequently by the fact that you need to interact with vendors/customers who use Windows-only products.

"Just stop using Windows" is a stupid catchphrase. Its like trying to end starvation by saying "just give them food." Actually its worse because food is a pretty good solution to starvation whereas its pretty unproven that FOSS software is "objectively" safer than closed software (I mean its probably true, but until Linux becomes a significant hacking target, we can't say definitively that the lack of exploits is due to better software rather than due to fewer people attempting to exploit it.)

Similarly with Facebook. Its the "state of the art" in social media because of absolutely nothing to do with privacy protection. In fact a lot of its popularity was initially based on its _lack_ of privacy considerations -- "Facebook stalking" and such activities. I mean that probably wasn't the main driving factor (being fresh and simple right around the time that Myspace was bloating itself out of existing is likely the biggest contributing factor. I doubt FB would have gotten as big as it did if Myspace had stuck to being a site people actually enjoyed using rather than letting themselves be overrun by commercial interests.)

And lastly protocols. Protocols are king. If TOR or similar ever comes out with a product that you can just install and "it works," then we might be getting somewhere. I mean "it works" as in it starts up with Windows, and immediately funnels all traffic through its own pipes and doesn't significantly impact the speed of watching a cat video on Youtube and basically in all ways stays the fuck out of the way. If it can get to that level, we might see some better adoption. As long as its something you have to consciously connect and disconnect and slows down your connection by 50% and whatever else, it won't pick up widespread adoption. Look how long its taking IPv6 to get off the ground and its got built-in support by every major OS and network equipment provider! (Disclaimer: I haven't used TOR myself in a few years so I don't know how close to this ideal its gotten.)

At the end of the day, the real problem isn't Windows or lack of encryption or any other technical issue -- the problem is that 90% of the population doesn't care. Or I should say, doesn't care _enough_. We care enough to sign online petitions and shit that's easy to do in the hopes that someone who has more time on their hands will be able to make a difference (openmedia.ca up here in Canada is a great example of an organization that has taken the "enough" qualifier to heart and used online petitions to make significant changes in the way our government treats privacy and other online issues.)

But on their own? Most people are too busy to worry about things that have a very low chance of ever impacting them directly. Its one thing for the NSA to tap a billion email accounts. Its another for them to filter through that data and pick targets. Yes everyone gets uppity when they pick a target wrong, but unless that target happens to be "me", most people have jobs and families and other things to do than worry about it for longer than it takes to exclaim "damned go'ment!"

TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

Re:

[grcumb]

TL;DR: "just fix everything" is great in principle, pretty much impossible in practice.

Okay, so go back to the top of my post and read it again for my response to 'It's too hard.' :-)

If you think that 'just fix everything' is what I'm saying, then you haven't even done me the justice of thinking about what I'm suggesting. I am saying that we geeks should know better, that we should do what we did in the 80s and 90s and turn our collective back on the well-trodden path and build our own internet, only this time with hookers and blackjack. Then I offered a few key suggestions about things we as

Re:

[Altrag]

I'm not sure which well-trodden path you're talking about.. the only significant change in "the internet" in the 80s and 90s was the introduction and popularization of the web, the latter of which really only gained ground when it became available out of the box with Win95. Sure there was AOL and Compuserv and whatnot but those weren't taken over by geeknet 0.1, they were taken over by easy access to Internet Explorer.

And yes, "we" as geeks should and mostly do know better.. that's why things like TOR exis

A dedicated IP costs 60 bucks more a year

[tepples]

Web admins in particular should turn on https by default since there's no reason not to unless you're intentionally being shady.

I agree that hosting providers ideally ought to offer HTTPS. But IE and IE wrappers on Windows XP doesn't support Server Name Indication (SNI), a TLS extension that allows the use of name-based virtual hosting. Nor do Android Browser and Android Browser wrappers on Android 2.x. Both of these SNI-ignorant browsers have reached their end of support, but until they actually pass out of use, hosts still need to accommodate them. This means most shared hosts will continue to require customers to upgrade to a VPS

Re:

[account_deleted]

Comment removed based on user account deletion

Console games

[tepples]

Try running most AAA games under Linux. A few will come with ports, and a few more will deliver a port 2-3 years later when nobody cares anymore. The vast majority are either Windows-only or Windows+Mac.

A lot don't even run under Windows because they're made for consoles. This is especially true of "party" games whose draw is offline multiplayer with two to four gamepads and a single TV.

Look how long its taking IPv6 to get off the ground and its got built-in support by every major OS and network equipment provider!

I guess a lot of that is because cities make it too hard to start a competing ISP.

Re:https is useless

[heypete]

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Sure, they could, but I doubt they are.

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

Re:https is useless

[PopeRatzo]

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

Re:

[IamTheRealMike]

No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

Alright. What do you propose?

Fundamentally, encrypting all traffic all the time requires a public key infrastructure and the only way we know how to build one that works is to have trusted third parties. You trust your browser, for example. Your browser maker outsources ID verification of websites to CA's.

Ultimately SSL cannot survive being explicitly banned or subverted by the state. It just

Re:

[PopeRatzo]

No system can survive explicitly being banned by the state.

Then we need to see if the state can survive banning privacy.

Re:

[advocate_one]

"browser vendors will revoke their roots."

Oh come on who are these "browser vendors"? Microsoft (definitely in the NSA's pocket), Apple, yup owned... Google? definitely owned as well... Mozilla? one is also left wondering about them as well... Opera?

at least with Firefox, we have source code...

Re:

[heypete]

>If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

HAHAHAHAno. Thanks to the demon that is backwards compatibility browser vendors have implicitly or explicitly confirmed that they cannot actually revoke root certs. Or, more specifically, that many websites rely on that particular root to verify their identity and would break horribly if a root cert got revoked. i.e. revoking a misbehaving root will break the web.

Why not? There have been roots that have been revoked due to being compromised and which have issued bogus certs (e.g. DigiNotar). That's caused some chaos, but people adapted.

Sure, VeriSign is large and commands (either directly or through its subsidiaries) a substantial fraction of the CA market. Nuking it would be a Very Big Deal that browsers wouldn't take lightly, but I have no doubt that if it were shown that VeriSign (or Comodo, or other CAs) were found to be issuing bogus certs for the government to

Re:

[mysidia]

were found to be issuing bogus certs for the government to compromise people, they'd get their roots pulled by browsers. That's a death sentence for a CA, hence my skepticism in response to the proposal that they're actively assisting governments.

They might engage in this indirectly by CROSS-SIGNING an intermediate CA which the government would have control over.

Verisign would then have plausible deniability, since the government agency produced all the required "audit papers" indicating compliance wi

Perspectives

[tepples]

The Perspectives extension works alongside the CA system to help the browser trust a certificate from an unrecognized CA. If multiple "notary" machines in different parts of the Internet see the same certificate, it's unlikely that the same entity is MITMing them all.

Re:

[heypete]

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

I wouldn't be too sure of that.

Of all the companies that have aided the NSA, how many are out of business or even really hurting?

Companies like what? The ones making network-tapping hardware and whatnot cater toward a limited market, not the general public. Certificate authorities directly transact with server administrators, but their primary audience are end-users and they have wide public exposure. If a CA was found to be doing shady things, browsers would remove their roots. That'd basically kill off the offending CA.

Re:

[Charliemopps]

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

That's not how it works. But of course, if they are inside Google, and Microsoft (and they are) then you're screwed. But, in my experience with keys, these sorts of attacks have to be very directed. You can't just "Hack everyone" it's an exploit you'd have to hack on an individual basis. Usually because most sites, and client computers are such unique devices. Most corporate websites have been developed over decades and are a mess of hundreds of different programmers over years. I'm involved peripherally in

Re:

[jedidiah]

Security is fine if you are no one of interest. It doesn't matter if it's physical security or computer security. Once you are important enough for anyone to be interested in, most security measures are completely meaningless. This is just the harsh reality.

For most of us, security measures just dissuade the opportunitistic idiot trying for an easy score with no particular interest in you as an individual.

Once you've managed to attract unwanted attention, you will have to engage more serious security measur

Worms exist

[tepples]

client computers are such unique devices

If significant subsets of PCs aren't monocultures with the same vulnerability, then how do worms like Blaster and Slammer spread and leave behind hooks to form botnets?

Re:https is useless

[AmiMoJo]

Chrome pins Google's certs, so if anyone did try to make new fake ones the browser would flag it up. I believe there is a plug-in for Firefox that alerts you when certs change too.

This vulnerability has been known for a long time.

Certificate Patrol

[DrYak]

I believe there is a plug-in for Firefox that alerts you when certs change too.

Certificate Patrol [mozilla.org] is an example of such extension.

It does detect strange changes in certificate authority (for exemple when a Man-In-Middle attacker is using a bogus certificate signed by rogue CA or by stolen keys from some CA).
It also detect un-called-for changes in certificate (for exemple, the actual authority has been coerced by the government to sign their spy-server keys, and thus you get a new legit-looking certificate, even if the old hasn't been revoked and and is still well within its validity

Re:

[drolli]

They dont have to hand over the keys. Just get another certificate from another vendor using fake identities.

Re:https is useless

[gameboyhippo]

Right. And if you have the keys then you can sign your own certificates. Thus allowing Eve to pretend she's Bob.

Re:

[strikethree]

Eve? Bob? Band of Brothers was destroyed in Eve years ago now. Stay up to date.

Re:

[grcumb]

Eve? Is Bob cheating on Alice?

Ah, she told you her name was Alice?

You poor naive thing....

Re:

[Richy_T]

Alice, what's the matter?

Re:

[AaronLS]

Your response doesn't invalidate how cryptography works. It's solid math and there's no magic about it.

Re:https is useless

[TechyImmigrant]

If the state can forge certs, the state can redirect your traffic to their youtube proxy and insert the malware just behind the fake thing you authenticated with. Your own private keys will not protect you.

This is one of the many reasons why the public PKI is broken.

Re:

[PopeRatzo]

And that is, how things ought to be — unless we want to strip the state off their power to search us (and trail us).

That is a discussion we should have. "Searching" and "trailing" have come to mean something very different than they did when the US Constitution was written.

Yes, we should be having that discussion right now. A power to "search us (and trail us)" might very well not be something we want to have by default. They should first be required to meet a much higher standard than currently, a

Re:

[mi]

That is a discussion we should have.

We should. But, unless you are going to suggest, the government ought not to have such powers at all (as pla argues below) — ever — then this is not the place for this discussion.

Because if, in your opinion, sometimes they do legitimately need this capability, then they ought to remain able to circumvent https — without spooking the subject.

Re:

[PopeRatzo]

But, unless you are going to suggest, the government ought not to have such powers at all

I'm suggesting that it should not be an inherent power of government. It's one they are granted when evidence is presented to a court for a warrant. In a public hearing.

I'm pretty sure that the past decade has taught us that government does not respect this constitutional requirement. So, they should get a time out from those powers until they can demonstrate that they know how to behave. I would rather take my chanc

Re:

[mi]

It's one they are granted when evidence is presented to a court for a warrant. In a public hearing.

That's not how things are spelled-out in the Constitution. And it does not make any sense. A public hearing will alert the suspect.

I'm pretty sure that the past decade has taught us that government does not respect this constitutional requirement.

No, we've known it for much longer.

So, they should get a time out from those powers until they can demonstrate that they know how to behave.

They are not children, to

Re:

[PopeRatzo]

How about fraudsters, thieves, rapists and murderers, embezzlers of public funds and bribe-takers?

Where do you live, the Barbary Coast?

I don't think, I'm willing to have even a 10% higher rate of those things in exchange for unbeatable https.

OK, so I am willing to have a 10% higher rater of those things in exchange for unbeatable https and a government that has much stricter controls over it's police powers.

You must love the militarization of local police, all the masked and camouflaged cops driving Lenc

Re:https is useless

[pla]

unless we want to strip the state off their power to search us (and trail us).

Dingdingding! We have a winner!

Two and a half centuries ago we allowed the government those powers, under certain strict conditions, for the good of society as a whole. The government has repeatedly shown itself incapable of acting up to its side of that bargain. We The People therefore need to strip them of that power entirely. Can't find physical evidence of a crime without making my computer tell on me? Then It didn't happen.

"But we need the government to have those powers to preserve the public order", you say? No. The sort of crimes the NSA catches (heh, I typed that as "commits" and had to correct it) have nothing to do with you and I in our daily lives. They protect megacorps and the government itself, and nothing else.

Re:

[Richy_T]

It's the wrong question anyway. We shouldn't be trusting arbitrary third parties (Verisign, Thawte etc) to validate who we should trust. This has always been the case. This government stuff has just thrown it in the spotlight.

The violations of the constitution are pretty bad in themselves, however.

Re:

[currently_awake]

Modern society is based on trust. You trust the bridge you drive over to get to work won't fall down and kill you. You trust the brakes on your car will work. You trust the phone company to connect you to the police when someone breaks into your house. You can't live without trust. The issue isn't trust, it's how to enforce trust on fallible humans.

Re:

[Richy_T]

It's who you trust. I really known nothing about Thawte and Verisign and the however many it is CAs in the browser now (do you?) and one instance of lapse of trust from them (which has happened) and you're screwed. It's really just the wrong infrastructure and implementation.

Re:

[Noah Haders]

naïve. the NSA influenced the RSA standards board to introduce a cryptography algorithm that they had already hacked.

Re:

[AaronLS]

1. AC said SSL is magic, implying that they believe it is a hoax. I am simply pointing out they are an idiot who understands nothing about cryptography.
2. Saying that someone has identified a potential weakness in a cryptography algorithm doesn't change the fact that it is deterministic and well understood among cryptography experts. There is still nothing magic about it.
3. Your rebuttal implies that I was trying to claim that the NSA was innocent in some way or defend them. Obviously you have the worst

Re:

[Noah Haders]

Are we good? See below:

http://www.reuters.com/article... [reuters.com]

SAN FRANCISCO (Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating rand

Reduced rights

[SQLGuru]

This is one of the reasons that I don't use an admin/root level account for normal activity. If I need those privs, I'll escalate my rights for a single action. While that also won't prevent all hacks, it drastically reduces my exposure.

Re:

[vux984]

This is one of the reasons that I don't use an admin/root level account for normal activity.

A good practice to be sure.

While that also won't prevent all hacks, it drastically reduces my exposure.

Well, at least your device drivers are safe, and its a little harder for you to join a bot net.

But pretty much everything you have of value can be accessed from user space, including all your documents. That's generally what identity and data thief hackers (and state actors) want.

Re:

[SQLGuru]

They also have a harder time installing executable code.....if my browsing user can't install code, then they've only got memory to play with.

Re:

[vux984]

not entirely true. It just can't install it in c:\program files or your platforms equivalent. It can drop executables in folders you DO have access to though, and run them from there. And even get them to auto run if it puts the start command in a settings file you can edit as that user.

Re:

[MightyMartian]

Well, there have been a whole host of attacks associated with vulnerable versions of Flash and Java that could at least cripple a profile. I ran up against one of them around 2010. One of the staff at one of our remote locations suddenly had all their files supposedly disappear, desktop wiped out and the like, and a notification about a ransom if they wanted the files back. The user had no admin privileges, so I checked, and sure enough, the other profiles were untouched. What had happened is the auto updat

Re:

[sqlrob]

A shell / powershell script is plain text.

Re:

[jhantin]

A shell / powershell script is plain text.

Well then, the obvious solution is to disable #! recognition and set-executionpolicy restricted, so shell scripts become useless! ... then watch as everything grinds to a screeching halt.

Oh well, back to the drawing board.

Re:

[AmiMoJo]

Run your browser in a VM, preferably using a different OS to the host. No access to the host filesystem, isolated from the real machine. Then at least only your browser data is vulnerable.

Re:

[SigmundFloyd]

Run your browser in a VM, preferably using a different OS to the host. No access to the host filesystem, isolated from the real machine.

Simply chroot the browser, no?

chroot is for cross-compiling, not security

[raymorris]

It's trivial to step out of chroot. Chroot was not designed for security. It's very similar to cd and getting out basically consists of making a symlink and doing cd. Chroot is for cross-compiling, installing grub, etc. - changing the DEFAULT. value of / that your session uses.

AMD's virtualization is much more appropriate for security, as it's designed to make it such that a guest can't even KNOW whether it's a guest or not, much less escape and access the host system.

Re:

[SigmundFloyd]

getting out [of chroot] basically consists of making a symlink and doing cd.

OK, but - unless I'm missing something - you can't do that while chrooted. A browser running chrooted can't execute code that will make links to "out of chroot".

file handles aren't chrooted

[raymorris]

There are several ways. Some use the fact that file handles aren't chrooted. You can, for example, call fchdir() with handle inside the chroot, then chdir(..) several times. If the wrapper changed the working directory of the process before chroot, the escape code needs to fchdir to a directory other than the chroot root, so it'll mkdir first.

There IS some level of inconvenience to escaping chroot, so there is a degree of security against an unsophisticated attack. I guess it could be compared to lock

Re:

[TechyImmigrant]

What makes you think that they aren't?

Re:

[Richy_T]

Android actually uses standard Unix rights to do its separation. I wonder how hard it would be to apply that to a more regular Linux install. It would mean effectively turning it into a single user system, of course (though there may be a way to make it limited multi).

I'd love to use https!

[XanC]

...So why does Slashdot redirect HTTPS back to HTTP??

Re:I'd love to use https!

[Anonymous Coward]

because slashdot is not run by tech people anymore, its just a large ignorant media conglomerate that cares not for it users until it starts to affect the bottom line.

Besides enabling https could take minutes of labor time from literally ones of administrators to implement that's not free you know

ftfy

[raymorris]

it's just a large ignorant media conglomerate that cares not for its AUDIENCE

FTFY

Re:

[Anonymous Coward]

Simplicity and overhead.

HTTPS has overhead in encrypting all content. This can be mitigated by processors with AES instruction set, but it still impacts the scalability for the site. Most content on slashdot can probably be cached and thus CPU usage is kept to a minimum as users scale.

Staying in HTTPS but requesting HTTP resources has to be done carefully to avoid browsers from throwing cross domain violations. It's more trouble than it's worth.

No one with the know-how and resources to capture your slash

Re:

[choprboy]

Staying in HTTPS but requesting HTTP resources has to be done carefully to avoid browsers from throwing cross domain violations. It's more trouble than it's worth.

I think that is the real crux... I was stunned to recently see that, in a completely clean browser, just going to the Slashdot root page loads 45 third-party domain cookies. That is excluding slashdot.org and dice.com properties....

Re:

[tepples]

Someone who hijacks your session identifier from a cleartext cookie can change your password.

Identity providers

[tepples]

That's true of Slashdot because Slashdot isn't an ID provider. But some other sites, such as Facebook, Twitter, Google, and webmail, are identity providers. If you compromise a user's Twitter account, you compromise the user's account at any service that uses "Login with Twitter". If you compromise a user's webmail account, you compromise the user's account at every service that lets the user recover his password through e-mail. That's why the major identity providers have gone all HTTPS all the time.

Because most ad networks are HTTP

[tepples]

Until very recently, major advertising networks were available only through HTTP, not HTTPS. Only in September of last year did AdSense announce HTTPS support [blogspot.com].

Ads are mixed content

[tepples]

Everybody else is using HTTPS except Slashdot.

Does this include "everybody else" that uses the major ad networks? Using an HTTP-only ad network in an HTTPS site won't work because of mixed content policy.

Re:

[account_deleted]

Comment removed based on user account deletion

Flash vulnerability?

[Animats]

Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?

Re:Flash vulnerability?

[timeOday]

No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general hand-waving, but I think the idea here is to trick people into installing an executable that isn't really Flash by causing an executable that presents itself as a Flash update to request installation. Since this happens while they are visiting youtube (with a man-in-the-middle doing the injection), the user may assume it is a legit update and install the malware.

In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates, that they may accept a fake update delivered on an insecure connection. Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who all is in the middle.

Re:

[Animats]

It is awfully obscured in the article by general hand-waving...

Agreed. Anyone know what kind of exploit this is?

Re:Flash vulnerability?

[onproton]

From the article: "A step-by-step breakdown of how such an attack might occur is as follows: 1. A target is selected and their name is entered into the Network Injection GUI. 2. The target’s traffic stream is located based on their ISP’s RADIUS records. 3. As per the rule on the network injector (as shown in Figure 14), the appliance waits for the target to visit YouTube. 4. When this traffic is identified, it is redirected to the network injection appliance. 5. The legitimate video is blocked and malicious flash (SWF) is injected into the clear-text portion of the traffic. (Represented by the kitty skull and cross bones.) 6. The target is presented with a dialogue to upgrade their flash installation. If this upgrade is accepted the malicious SWF enables the installation of a ‘scout agent’ which provides target validation. 7. If the target is assessed as correct (i.e., the desired person), and safe for install (not a malware analysis honeypot), then the full agent is deployed. 8. Surveillance of the target commences."

Re:

[Animats]

Didn't look at the source of a Youtube page, did you? Look for "http://s.ytimg.com/yts/swfbin/player-vflZsDuOu/watch_as3.swf". Videos can also play with "HTML5 video", but there's Flash code there to be executed.

All the more reason--

[wierd_w]

Really, revelations like this are all the more reason to run a fully rom based OS for anything touching the internet.

Before somebody says something absurd, this is basically what a thin client does anyway. The difference is that you keep the system image inside the thin client itself, rather than pulling it from the network. A modified chromebook would work just fine. An sdcard slot that is hardware designed to be electronically incapable of raising its line voltages to write-enable levels, while still being physically accessible by the owner, would round out the package for where to store the system image.

Everything else is stored exclusively in RAM, and blanks completely on power off.

If the user WANTS persistent data, they can use external media. it comes in quite acceptable sizes these days.

This could very easily be done with a chromebook with some simple modifications. Instead of doing google chrome, pack it with a squashfs knoppix image.

watch all the seditious cat videos you want.

Simpler way: virtualization + snapshot

[raymorris]

You COULD modify the hardware etc., or just fire up Virtualbox, KVM, or qemu full screen for your web browsing and such. Set the virtualized image read-only, except when installing new software on it.

Beneath the virtual machine can either be a dedicated hypervisor or an very small Linux installation which has only a tiny attack surface.

Re:

[raymorris]

> I suppose one could set up a set of RAM disks mapped to the appropriate paths if there is enough memory available in the VM, but those would only exist for the current session and would get wiped out each time the VM was shut down.

Yep, that's generally how you do it. As the title of my post suggests, you can also use on-disk snapshots for that, so again any altered files are reset on reboot. Reboot can take only seconds because many of the OS disk blocks are cached in host RAM. Live CDs have those pa

Re:

[El_Oscuro]

I once had a computer which did that, a Commodore 64. I am pretty sure most others at that time were that way too. The whole "store the O/S on a R/W hard drive" was an IBM PC/Microsoft idea, as were viruses.

A ROM based system with Ubuntu or Knoppix would be pretty sweet for surfing teh Interwebs.

Re:

[wierd_w]

That would work too, but getting your hands on CF cards is getting harder and harder, and so is the likelihood that end users will have a card reader capable of using them.

Chromebooks dont use CF.

This does throw a nasty little wrinkle in.
we would need a custom SD card ASIC that purposefully does not accept writes, and does not have any code inside its firmware to facilitate writes.

That's gonna make it significantly more expensive though.

there's a possible alternative though, but it still requires custom har

I must be missing something

[K. S. Kyosuke]

How is HTTPS going to protect me against this? It doesn't solve the problem of holey network-facing applications.

Not wrong, or stupid, or insecure, just run Flash

[raymorris]

TFS says:
> many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true. ... [Adobe Flash can be exploited by an ISP].

Hmm, so you don't have to do something stupid or insecure, just run Flash and Java. :)

Flash is mostly used for ads and malware, neither of which I want, so I don't run Flash in my default browsers. Fo

YouTube videos with ads require Flash

[tepples]

Many YouTube videos with advertisements require Flash. If you try to view them on a PC without Flash, you get a notice that Flash is required. If you try to view them on a platform to which Flash is not ported, such as iOS or Android 4.1+, you get "The content owner has not made this video available on mobile. Besides, what's the alternative to Flash game sites like Newgrounds and Kongregate?

Tax Rebate

[CanHasDIY]

state actors involving "network injection appliances" installed at ISPs.

So, since we're being charged by the bit now, and the government is taking my bits (that we pay for) off the pipe and replacing them with their bits (that we also pay for)... wouldn't that imply that these "state actors" should be on the hook for at least part of our ISP usage bills?

Wait

[DarkOx]

many otherwise well-informed people think they have to do something wrong, or stupid, or insecure

Wait how does executing code delivered over a clear text channel without some other strong attribution and integrity controls in place not count as stupid or insecure.

Then we have slashdot here were we shove our session cookies back and forth in clear text. Not ideal but I don't execute code from slashdot (noscript) and I don't reuse my user name ore password elsewhere. So that lowers my exposure somewhat.

The browser makes need to at this point:
Disable the execution of any script or content of any script

Allow only HTTPS active content

[Giorgio Maone]

NoScript Options>Advanced>HTTPS> Forbid Active Content unless it comes from a secure (HTTPS) connection [noscript.net].

Painful, yes, but it should take care of this kind of attacks, as long as you can trust HTTPS (e.g. with Convergence [convergence.io]).

Furthermore, NoScript 2.6.8.37rc2 [noscript.net] introduce an experimental "Allow HTTPS scripts globally on HTTPS documents" mode (in Advanced>HTTPS>Permissions) if you value convenience over finer grained security.

Re:

[The MAZZTer]

This is why your browser will NOT display the green lock if a HTTPS pages references HTTP resources.

Re:

[zlives]

the article talks about state actors with physical access to ISP's... i don't think https is going to protect anyone that is target in such a manner.

Re:

[ArcadeMan]

That's why I only use HTTPSOS.