English language can be ambiguous, like any other one.
Well said, Mr. Configurator Defender!
The Internet is finished. No wonder Russia is the largest buyer and maker for typewriters lol
They can't hack those, can they? I love being old school!
Do not underestimate the NSA and CIA. They have been spying on the Russians for many years (and vice versa).
Hence they keep secrets by typewriter
During much of the Cold War typewriters were state of the art, so they were the focus of spooks and spies just as mobile phone networks, emails and social networks are today. Techniques were developed to use cheap microphones to listen to key taps and decipher what was being written, spy cameras could peer over typist’s shoulders and undercover agents could photograph and leak documents. Debonair KGB agents were even tasked with seducing typists and winkling information from them.
In 1984 the NSA became paranoid about the extent of this sort of Russian infiltration and began what it called Project Gunman, under which it replaced every piece of communications equipment at embassies in Moscow and Leningrad. It shipped the old devices back to the US for analysis, and when they were X-rayed it was discovered that 16 IBM Selectric typewriters had been bugged. For eight years they had sent the contents of every single document to the Kremlin, via a man crouching outside with a radio receiver.
A good reason to sandbox the browser, and deny its access to cookies, history, passwords, etc. Strangely, the article stated this won't work on Internet Explorer, the one browser I wouldn't be caught dead using.
I am afraid that using legal HTML5 APIs for infecting a web browser is somewhat similar to using LOLBins (LOLLibs) for infecting the system.
Before we get too bent out of shape over this, please note that it is just a Proof of Concept. It is not malware that actually exists. And, like so many thousands of other vulnerabilities, it will probably be patched by Google and Mozilla and MS before it hits the wild.
I miss the click to play option that was in flash. In html5 you may be able to stop autoplay but media still loads, wastes your bandwidth and resources.
HTML5, which can not be blocked as easily as flash. Who would have thought. And this is just the beginning, so much for the hated flash.
It seems to utilize iframes like crypto-mining malware, so blocking them should help, like popup blockers do.
Sounds very logical to take this approach.
I am waiting until this malware hits the streets before I change anything on my browser.
Before we get too bent out of shape over this, please note that it is just a Proof of Concept. It is not malware that actually exists. And, like so many thousands of other vulnerabilities, it will probably be patched by Google and Mozilla and MS before it hits the wild.
Except that there's actually no proof of concept, just a paper making allegations without any actual demonstration or code.
Please see
If there is indeed a way to achieve persistence, it's with a specific browser implementation, not the Service Worker API.
Moonchild wrote:
About Push in Pale Moon:
Pale Moon mixed content blocking
Service workers in Pale Moon:
Service workers are a terrible idea, unless you actually enjoy the idea of having your browser do stuff "in the background" that you have absolutely no control over.
We have no plans whatsoever to implement or enable this, because it's a privacy and security nightmare.
So based off reading this, in theory Scriptsafe could potentially stop the Javascript execution of this type of malware, thus stopping the infection?
~LDogg
That's an interesting point. The element being abused here is HTML5. Wikipedia says about it: "HTML 5 on its own cannot be used for animation or interactivity – it must be supplemented with CSS3 or JavaScript."
Or using the script blocker built in to Brave for everything but your trusted sites.
I think Scriptsafe is fairly easier and user friendly, plus you can choose what scripts to allow. Brave's in-built blocker just blocks everything without the chance to choose which ones you wish to allow. So it's either all Javascript on or off, this can break websites which use JS as its source.
Or using the script blocker built in to Brave for everything but your trusted sites.
Being able to run JavaScript before a page exists opens up many possibilities, and the first feature we're adding is interception and modification of navigation and resource requests. This lets you tweak the serving of content, all the way up to treating network-connectivity as an enhancement. It's like having a proxy server running on the client.
Brave does allow granular control of scripts, just so you're aware:
Brave's in-built blocker just blocks everything without the chance to choose which ones you wish to allow. So it's either all Javascript on or off
You can make exceptions for the sites you want. I don't use Brave, but I do pretty much the same thing in Chrome. I bookmarked the Chrome settings page with the javascript button, and I have it toggled off, but to the right of the omnibar, Chrome puts a little javascript icon that I can click on, and make an exception for a certain site.
So it's either all Javascript on or off, this can break websites which use JS as its source.
~LDogg
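For readers following the service-worker discussion above (the "proxy server running on the client" passage and the persistence concern), here is an added example, not code from any poster in this thread, that lists the service workers registered for the current origin and unregisters any outside an allow-list. The function names, the allow-list and the sample scopes are assumptions made for illustration.

```javascript
// Added example: audit service worker registrations for the current origin.
// reviewRegistrations/auditServiceWorkers are hypothetical helper names.

// Pure helper: summarise registrations and flag those outside an allow-list.
// `registrations` holds ServiceWorkerRegistration-like objects.
// Allow-list entries are scope URL prefixes; end them with "/".
function reviewRegistrations(registrations, allowedScopes = []) {
  return Array.from(registrations, (reg) => {
    // The worker sits in one of three lifecycle slots on the registration.
    const worker = reg.active || reg.waiting || reg.installing;
    return {
      scope: reg.scope,
      scriptURL: worker ? worker.scriptURL : null,
      state: worker ? worker.state : "none",
      allowed: allowedScopes.some((prefix) => reg.scope.startsWith(prefix)),
    };
  });
}

// Browser wrapper (run from the DevTools console on the site in question):
// unregisters every registration whose scope is not on the allow-list.
async function auditServiceWorkers(
  allowedScopes = [],
  container = globalThis.navigator?.serviceWorker
) {
  if (!container) return []; // API not available in this browser or context
  const regs = await container.getRegistrations();
  const report = reviewRegistrations(regs, allowedScopes);
  for (const [i, reg] of regs.entries()) {
    report[i].removed = report[i].allowed ? false : await reg.unregister();
  }
  return report;
}

// Constructed sample data standing in for real registrations.
const SAMPLE = [
  { scope: "https://site.example.test/app/",
    active: { scriptURL: "https://site.example.test/app/sw.js", state: "activated" } },
  { scope: "https://site.example.test/ads/",
    waiting: { scriptURL: "https://site.example.test/ads/w.js", state: "installed" } },
];
```

In a real browser, `auditServiceWorkers(["https://your-site/app/"]).then(console.table)` prints the report; Chrome also shows the same registrations under `chrome://serviceworker-internals`.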