dc0de's & friends notes…

Tag: linux

Think you’re now untrackable? Think again. HTML5 is now tracking you.

by on Jul.22, 2014, under Information Security, Opinions, Privacy, Surveillance

We have worked long and hard in the Information Security world to keep ourselves anonymous on the internet, for many reasons, and yet here we are, with some new revelations that we’re being tracked yet again.

We have seen many articles on the use of TOR, its beginnings, and how the CIA, DARPA and others have actually funded it to enable their resources to use the internet with anonymity, and that they have methods available to find the actual end user communicating using the service. (See “Almost everyone involved in developing Tor was (or is) funded by the US government” for more info.)

However, what I’m talking about here is something that I heard this morning on the SANS Daily InfoSec Podcast for July 22, 2014. It is a topic of great interest to me. Recently, I disabled Flash in my browser (Firefox on Linux) and moved to HTML5. I did this to make my browsing more secure; however, the report from the podcast showed me that this comes with a new privacy leak. “Meet the Online Tracking Device That is Virtually Impossible to Block” is the title of the writeup, and it shows that in HTML5, there is:

“A new kind of tracking tool, canvas fingerprinting, is being used to follow visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.”

Basically, as I understand it, canvassing is a method in HTML5, meant for drawing objects, that allows a website to draw pixels in your browser, and given the differences in fonts, operating systems, and many other variables, there are now methods to fingerprint the system, and potentially the end user. One of the primary offenders is the popular blog plugin called “AddThis”.

“First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.”

The article is very disturbing, and they include a proof-of-concept URL to test your own browsers. If you want to see an example of fingerprinting, also take a look at http://www.browserleaks.com/canvas.

The only method that I can use to prevent this action is to use No-Script in Firefox; however, it makes any HTML5 page useless.

Stay tuned, I’m hopeful someone will create a browser plugin to selectively stop HTML5 from rendering pixels on your canvas in a hidden format. I’m proposing the name NO-CANVAS, something that works like No-Script, and allows you to whitelist sites and/or objects that request access to the HTML5 canvas.
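The NO-CANVAS idea proposed above, sketched as an added example (not code from the original post or from any existing plugin): canvas drawing is left alone, and only the read-back calls are wrapped and checked against a per-site allowlist. The function name, the stand-in canvas class and the `.example` sites are assumptions made for illustration.

```javascript
// Added example (not from the original post): NO-CANVAS style readout guard.
// installCanvasGuard, FakeCanvas and the .example sites are hypothetical.

// Drawing reveals nothing by itself; a fingerprinter needs the read-back
// call, so only readout methods are wrapped.
function installCanvasGuard(targets, allowlist, getSite) {
  const log = [];
  for (const { proto, name, denied } of targets) {
    const original = proto[name];
    if (typeof original !== "function") continue; // method absent: skip
    proto[name] = function (...args) {
      const site = getSite();
      const allowed = allowlist.has(site);
      log.push({ site, method: name, allowed });
      // Allowlisted sites get real pixels; all others get a constant,
      // so the returned value carries no per-device signal.
      return allowed ? original.apply(this, args) : denied();
    };
  }
  return log;
}

function demo() {
  // Constructed stand-in for HTMLCanvasElement so this runs under Node.
  // In a browser the targets would be HTMLCanvasElement.prototype
  // (toDataURL, toBlob) and CanvasRenderingContext2D.prototype (getImageData).
  class FakeCanvas {
    constructor(quirk) { this.quirk = quirk; }
    toDataURL() { return "data:image/png;base64," + this.quirk; }
  }
  let currentSite = "https://photo-editor.example";
  const log = installCanvasGuard(
    // "data:," is what toDataURL yields for a zero-sized canvas.
    [{ proto: FakeCanvas.prototype, name: "toDataURL", denied: () => "data:," }],
    new Set(["https://photo-editor.example"]),
    () => currentSite
  );
  const canvas = new FakeCanvas("QUJD"); // constructed per-device value
  const trusted = canvas.toDataURL();
  currentSite = "https://blog-with-widget.example";
  const untrusted = canvas.toDataURL();
  return { trusted, untrusted, log };
}

console.log(demo());
```

The log doubles as a record of which sites attempt canvas readouts, which is the "closer look at what sites are doing with HTML5" in practice.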

 

Until then, I’m going to be taking a much closer look at what sites are doing with HTML5, and I’ve already added “AddThis” to my Adblock and No-Script plugins.

What are your thoughts? Is this paranoia, or a significant risk?

Of all the crazy things…

by on Apr.08, 2009, under Opinions

Ok, this one is a winner… bear with it, it’s pretty long. But, let me set the stage first…

– Friend of mine owns a company reselling HP product
– I do his IT support after hours
– HP sent him (unsolicited) an HP Mininote 2133 with Suse Linux Enterprise Desktop v.10, for surpassing a sales target

Ok… now given that, he asked me to set it up, so when he’s out traveling next week, he can show off HP’s nice little netbook. Sounds great so far…

So, I set up the netbook, create his user account on the box, set up Evolution, and prepare to perform system updates, to ensure I have the best security posture on the system for his upcoming travel.

Here’s where it gets interesting. I was presented with a screen while adding the Novell repositories to the update manager, requesting my HP Software Key. So, I dig through the product box, all the CDs, and all over the system (external and internal). So, I go for the call to HP.

Well… the first three calls I make, get me to the wrong queue, every time, regardless that I tell the system that I’m calling for technical support on an HP Mini-note 2133 Netbook. I first end up in the Commercial Laptop Queue, they transfer me to a different group, where I receive a “Please enter the extension you’re trying to dial” message, and I hold for 3 minutes, to have an agent ask me what I’m holding for. He tells me that I’m in the wrong queue, and transfers me back to the Laptop Queue. (that’s 30 mins). I explain my situation to the Laptop queue again, they transfer me to the “mini notebook” group. After holding for 18 mins, I get someone in the Netbook group!!! Woohoo…

Only to be told that I’m in the WINDOWS netbook queue, and have to be transferred again. So, I hold, for another 15 mins, and actually get to the Linux, 2133, HP Mini-note queue.

Ok. So, I go through the 9 rings of hell, and I get to the right queue. I’m expecting some solution to the issue. After all, I’ve got the serial number of the unit, explained that the company is a reseller, and how the unit was received. It’s just a matter of someone telling me the associated software license key.

Nope. That’s not going to happen. You see, I’m told, by not one, but THREE different HP Support people, that I need to have a Software Subscription or “HP Carepaq” for the unit. Ok, so, I’m asking them for the part number, so it can be added to the unit.

I’m told, that if the Carepaq isn’t ordered with the Unit, that you (get this!) CANNOT purchase one for the unit after the fact.

I’m stunned. So, I repeat back to the people who have told me this, “If I understand you correctly, you’re telling me that I cannot purchase a software support contract with HP for the Novell SLED 10 software that shipped on a Netbook that was ‘gifted’ to my reseller friend?”

They all validated that you CANNOT purchase this after the fact… only with the original order.

Now, as someone with a “little” bit of sales experience, if this is true, then HP is going to tank like GM. I was ready to purchase the software support/Carepaq, and frantically tried to find out what is necessary, so that an HP Reseller could show off their product.

I felt like I was standing in the middle of a store, with a wad of $100 bills, waving wildly over my head, screaming for someone to help me… and getting NO response. Hello HP? Can this even be true? Does anyone know if I can get the upgrades for SLED10/SLED11 on the HP Mini-note 2133 with 4GB SSD? Is it true I can’t PURCHASE a software upgrade license?

So, I gave the netbook to my friend, set up for his out-of-town trip, and informed him that if we cannot get the software upgrade / license from HP, I’ll simply wipe it out, and load EasyPeasy. After all, I KNOW that will update without any issues.

Oh, and on the bottom of the unit by its Serial #, there’s a label that states, “1 year warranty”, and during one of my discussions with strangers in a foreign land, I was told that the warranty expires this July. The unit was received only 3 weeks ago. I guess the 2133s aren’t selling that well, as this one’s been on a bench somewhere for 3/4 of a year.

If anyone can help, please let me know… if not, I’ll keep you posted on the installation of Ubuntu.

(oh, and now I REALLY love my Asus eeePc.)

The Universal Netboot Installer…UNetbootin

by on Jan.04, 2009, under Computers, Hardware, Software, Tools

This entry is part 1 of 1 in the series Useful Tools

Here’s a cool tool I found by accident. It may be old to some of you, but I find it to be very useful. It allows me to make bootable USB sticks very easily.

UNetbootin is an amazing tool, well written and multi-platform. I have used this tool to create several bootable USB flash drives, and really enjoy its ease of use. There are several options for well-known distributions that will create a bootable USB flash disk and download the latest ISO image to build your flash distro. You can also install your own distribution of choice, as seen in the screen shot below:

http://unetbootin.sourceforge.net/#introduction

Options in the current version, are: Arch Linux, BackTrack, CentOS, CloneZilla, Damn Small Linux, Debian, Dream Linux, Elive, FaunOS, Fedora, FreeBSD, FreeDOS, FrugalWare, Gentoo, Gujin, Kubuntu, Linux Mint, Mandriva, NetBSD, NTPasswd, openSUSE, Ophcrack, Parted Magic, PCLinuxOS, Puppy Linux, Slax, SliTaz, Smart Boot Manager, Super Grub Disk, Ubuntu, Xubuntu, and Zenwalk.

If you don’t see your distro of choice, you can simply download the ISO image, and select it from your hard drive. I used it to install SumoLinux from ISO onto a 32GB USB stick recently, and it worked flawlessly. As I am writing this, I’m also installing SliTaz onto a 1MB USB stick, and the whole process, including the download of the ISO, took only a few steps from start to finish.

  1. Insert the target usb stick
  2. Launch UNetbootin
  3. Select the drive from the dropdown, (My only USB inserted was F:\, and was preselected)
  4. Select the distribution from the dropdown list
  5. Press “OK”

The SliTaz distro was 26Mb, so it took a minute or two to download, and then the build process began:

UNetbootin - SliTaz download

Once downloaded, the process only takes about 60 seconds:

UNetbootin - SliTaz installed

I am very happy to have found it, and wish to thank Geza Kovacs (tuxcantfly) [The Author of UNetbootin], and all those who helped.  This is a great tool!
