[tor-talk] pidgin and tor

coderman coderman at gmail.com
Tue Oct 13 01:23:19 UTC 2015


On 10/12/15, sh-expires-12-2015 at quantentunnel.de
<sh-expires-12-2015 at quantentunnel.de> wrote:
> ...
> That's what you fail to grasp, imho.

i appreciate education in all forms :)



> I am not sure what "rogue remote execution" is, please elaborate.
> Sounds like an assassin sniper to me. ;)

i should have been more clear.

specifically, https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

'''
The vulnerability does not enable the execution of arbitrary code but
the exploit was able to inject a JavaScript payload into the local
file context. This allowed it to search for and upload potentially
sensitive local files.

The files it was looking for were surprisingly developer focused for
an exploit launched on a general audience news site, though of course
we don’t know where else the malicious ad might have been deployed. On
Windows the exploit looked for subversion, s3browser, and Filezilla
configurations files, .purple and Psi+ account information, and site
configuration files from eight different popular FTP clients. On Linux
the exploit goes after the usual global configuration files like
/etc/passwd, and then in all the user directories it can access it
looks for .bash_history, .mysql_history, .pgsql_history, .ssh
configuration files and keys, configuration files for remina,
Filezilla, and Psi+, text files with “pass” and “access” in the names,
and any shell scripts. Mac users are not targeted by this particular
exploit but would not be immune should someone create a different
payload. [Update: we’ve now seen variants that do have a Mac section,
looking for much the same kinds of files as on Linux.]
'''


> Again, you write "usability"; you fail at understanding that
> OP is looking for a convenient and secure solution (he asked
> about Pidgin being secure).

usability is not just convenience. but i see why you conflate the two.



> Sorry, but your vm-fanboyism isn't helpful at all.

i'd rather have langsec, for sure!

let's discuss cost... one much closer (near-term practical) than the other!

awaiting your next treatise on the quantification of attack surface
using appropriate cohort analysis of similar risk pools.


best regards,
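
An added example, not part of the original message or of the Mozilla post: a same-user audit of which files from the Linux list quoted above a process running under your account can read, which is the access the quoted exploit depended on. The directory names for the Filezilla, Remmina and Psi+ entries and the Pidgin `accounts.xml` path are assumptions based on those clients' usual layouts, and the sample home directory is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# File names are from the quoted advisory; directory spellings are assumptions.
HISTORY = {".bash_history", ".mysql_history", ".pgsql_history"}
CLIENT_DIRS = {".ssh", ".purple", ".filezilla", "filezilla", "remmina", "psi+"}
# Pidgin keeps saved passwords as plaintext <password> elements in this file.
PIDGIN_ACCOUNTS = ".purple/accounts.xml"
SAVED_PW = re.compile(r"<password>[^<]+</password>")

def classify(rel):
    """Return the advisory category for a home-relative path, or None."""
    rel = Path(rel)
    name = rel.name.lower()
    if name in HISTORY:
        return "history"
    if any(part.lower() in CLIENT_DIRS for part in rel.parts[:-1]):
        return "client-config"
    if name.endswith(".txt") and ("pass" in name or "access" in name):
        return "named-text"
    return "shell-script" if name.endswith(".sh") else None

def audit(home):
    """List (path, category, saved_passwords) for files the current user can read."""
    home, rows = Path(home), []
    for root, _dirs, files in os.walk(home):
        for fname in files:
            path = Path(root) / fname
            rel = path.relative_to(home).as_posix()
            cat = classify(rel)
            if cat and not path.is_symlink() and os.access(path, os.R_OK):
                text = path.read_text(errors="replace") if rel == PIDGIN_ACCOUNTS else ""
                rows.append((rel, cat, len(SAVED_PW.findall(text))))
    return sorted(rows)

def demo():
    """Audit a constructed home directory; every file in it is a made-up sample."""
    samples = {".bash_history": "ls\n", ".ssh/id_ed25519": "constructed key\n",
               ".purple/accounts.xml": "<account><password>sample</password></account>",
               "passwords.txt": "x\n", "backup.sh": "#!/bin/sh\n", "photo.jpg": "x\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Calling `audit()` on a real home directory from the account that runs the browser lists what a file-reading bug in that browser could reach; run from a separate account or VM, the list shrinks to what that boundary still exposes.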

