[ale] nailing down firefox security and privacy - PT 1
Rich Faulkner
rfaulkner at 34thprs.org
Wed Oct 12 12:00:41 EDT 2011
Yeah, I think so. I used to talk about it as a case in point when
teaching ICND at New Horizons in Washington, DC almost 7-years ago.
Would have to go looking it up to quote it properly but that was the
gist of it...
On Wed, 2011-10-12 at 11:47 -0400, Michael Trausch wrote:
> We may be recalling the same case. I think that the problem was that
> the messages were friendly and inviting... something along the lines
> of "please try again" and so they did until they got in. Would have to
> look it up to be sure, though...
>
>
> On Oct 12, 2011 11:43 AM, "Rich Faulkner" <rfaulkner at 34thprs.org>
> wrote:
>
> I have yet to read this in its entirety but I do recall a
> court case where a commercial network was intruded upon and
> the intruder was found. In the end he was off the charges
> because there was no notice posted that the network was a
> private network and subject to restricted access...thereby
> implying "welcome" to outside access by anyone.
>
> I for one do not broadcast SSID and use WPA2 and even
> lock-down access by MAC. If I were to do anything contrary to
> locking-down the wireless network access I would expect
> uninvited "guests" to be using my bandwidth. IMHO that's just
> common sense. Is it illegal to enter a home (uninvited) where
> the doors are off the hinges? Perhaps (I'm not a lawyer). I
> do know it's illegal to enter a home (uninvited) when the
> doors are locked and dead-bolted. IMHO the same logic applies
> to networks and our home wireless devices...an open door is an
> invitation to unwanted guests.
>
> Otherwise, I have fought the same battles trying to get users
> to be the first line of defense and not believe technology to
> be the "great savior"....
>
> Rich in Lilburn
>
>
> On Wed, 2011-10-12 at 11:22 -0400, Michael B. Trausch wrote:
>
> > On 10/11/2011 05:38 PM, Ron Frazier wrote:
> > > I've been spending a good bit of time recently upgrading and configuring
> > > Firefox because Pandora decided it wasn't going to work after an upgrade
> > > they did. I was on Firefox 3.2.? and was holding back upgrading because
> > > of some UI changes in the new Firefox as well as some plugin
> > > compatibility problems. Eventually, I had to bite the bullet and
> > > upgrade. As I've mentioned in other posts, I like to keep my shields at
> > > the paranoid level, whether I'm running Windows or Linux. In fact, I
> > > run my Firefox configurations exactly the same on both systems, so this
> > > applies to this group. There are a number of security and privacy
> > > settings which come into play with Firefox, and it's not always obvious
> > > how to set them. I'm going to explain how I set mine up in order to
> > > maintain a high level of security as well as a decent level of
> > > functionality. There are also a number of handy plugins which I will
> > > explain. Hopefully, the research I've done will help others who want to
> > > keep their shields high. Some of you may already know this stuff, but
> > > some others probably don't. I have to relate a number of options
> > > settings. This will be a bit difficult in text, but bear with me.
> >
> > I have said it before, and I will say it again: The only way to "keep
> > the shields high" is to provide education. Technology (in particular,
> > things like you advocate here) can *not* save users from anything.
> >
> > Something has been bugging me the past month or two. Ron called me
> > (anonymously) "unethical" a while back on the list (though he didn't
> > name me in particular). I'll provide a bit of context so that the rest
> > of the group can recall. But before I do, I'm going to say this: I
> > find this brand of advice to, itself, be unethical. It propagates the
> > mindset that technology can solve our problems better than education,
> > and actively serves to lower the collective expectations of not only
> > end-users, but that of IT support people like myself who then have to do
> > even more hard work to try to get people to understand that they are the
> > key, not the software that is running on their computer. This way of
> > thinking costs me time and money simply because people are given a false
> > sense of security and truly believe that the technology will save them.
> > It is wrong to teach this to people because it is, and it ALWAYS WILL
> > BE, patently false.
> >
> > At one of the recent meetings, I was talking about how I had an open
> > wireless network, and how people who were unwelcome and used it were
> > redirected to a rather gruesome site, regardless of what they were
> > aiming for. Ron called this "unethical". Seeing as one must first be
> > unethical and steal my bandwidth in order to get to the thing, I fail to
> > understand how that is unethical. It is my personal, paid-for bandwidth
> > and equipment, and I can configure and use it in any way I desire as
> > long as I cause nobody harm. If someone causes harm to his or her self
> > by using my equipment (indeed, by unethically using my bandwidth), well,
> > them's the spoils. It is unethical to steal. Back when I was running
> > an open network (because I had devices that literally were unable to
> > perform secure encryption and I failed to see the point of WEP), if
> > someone would have asked me to use my network I would have quite likely
> > allowed it. I had no reason *not* to allow it. But you can't just join
> > my network and use it without permission.
> >
> > It seems that Ron thinks that an open wireless network somehow conveys
> > implicit permission to use it---and this is a problem with a lot of
> > society. They think the same thing. They think that if there isn't a
> > safeguard in place on something that they have the entitlement to go
> > through it.
> >
> > You know, there was a time when one could forget one's keys in their
> > ignition and the car would, with a very high degree of probability,
> > still be there when you got back to it. Today this doesn't happen. A
> > few months ago, I encountered a car for sale in a parking lot not far
> > from my home. The car was unlocked, and it had the keys in the
> > ignition. I called the number on the "for sale" sign in the window, and
> > let the guy know that the keys were still in the ignition and that the
> > car was unlocked. He was genuinely surprised that I did that. Why?
> > Because we expect people in today's society to generally suck, that's
> > why. I, too, would be surprised to receive such a phone call. People
> > feel that they are entitled to whatever they find, these days,
> > regardless of where they found it. An open network connection, an iPod
> > in an unlocked (or hell, even a locked) car, whatever. It is
> > disgusting. Our society is full of truly unethical elements.
> >
> > And no, for the record, I don't feel that it is in any way unethical to
> > do what I did, and if I were to, for whatever reason, be compelled to
> > run an open network again, I would do the very same thing that I did
> > before. It accomplished a very real goal: Unwelcome people only ever
> > joined my wireless network a single time. They never, ever came back.
> > It served its purpose, and it entertained me in the process. I see
> > absolutely nothing wrong with that at all.
> >
> > > While not directly related to Firefox, I strongly recommend using the
> > > OpenDNS ( http://opendns.com ) system to resolve your domain names.
> > > They automatically apply phishing protection to all DNS queries as far
> > > as I know. If you desire to, you can also filter certain sites based on
> >
> > I would strongly recommend that people NOT use OpenDNS. Why? Because:
> >
> > * They break the DNS standard. They do not return NXDOMAIN when they
> > should. Unfortunately, a fair number of ISPs engage in this
> > destructive behavior as well. This means that when you ping a
> > non-existent site, you actually wind up pinging a machine that is
> > alive and well and getting an erroneous result. This is bad.
> >
> > Such behavior also breaks SSL sessions in certain circumstances and
> > gives users a far more cryptic error than "the server appears to be
> > down". In the normal circumstance, a downed server or domain results
> > in an error saying that it wasn't found. In the case of using one
> > of these broken DNS servers and encountering a downed domain (or one
> > mistakenly identified as "bad", FSVO "bad"), you instead get a
> > very nasty message in your Web browser saying that your security
> > is in danger.
> >
> > * They are a blacklist. Blacklists contain errors. More on that
> > below.
> >
> > * They actively go through the data they collect, such as what users
> > are visiting what sites. They can use that information to "improve"
> > their database. More to the point, I don't trust them to not misuse
> > that information. Do you?
> >
> > * Even more to the point, do you think that the people you advocate
> > OpenDNS to are even capable of making the realization that they are
> > engaging in a decision that indicates that they trust the system
> > and the people behind it not to screw them in some way?
> >
> > > Now, on to Firefox. The latest version is 7.0.1. You should have this
> > > or later once you upgrade or install anew. They've been ramping the
> > > versions up very fast lately. The big thing in UI design these days
> > > seems to be to eliminate the menus. Personally, I hate this design.
> > > So, the first thing I do in this case is to turn the menus back on.
> > > Firefox will have a little orange "Firefox" button in the upper left.
> > > Click that, hover over options, and check menu bar to turn it on. You
> > > should now have a menu. You can select help, about to check the version
> > > number. In some systems, you will see a check for updates button in
> > > this window. Click View, hover over toolbars, and turn on the Add-on
> > > bar, if it's not already on. You can rearrange buttons in Firefox by
> > > clicking on the empty area to the right of the menu and clicking
> > > customize. You can then move things like the back and forward buttons
> > > around, or drag things from the dialog box to the menu areas or add-on bar.
> >
> > Minor technical nit, here: I've always had to enable the streamlined
> > menu. I don't understand why you dislike it, but I find it to be more
> > efficient, and it does yield more (albeit only slightly) real-estate to
> > the browser window.
> >
> > > My objective is to configure Firefox so there is no unauthorized
> > > scripting, little or no unauthorized tracking, little or no unauthorized
> > > storage of information on my PC, and no unauthorized pop-ups.
> >
> > I am sure that you realize that this is completely impossible without
> > causing damage to the user experience. Even if you get an end user to
> > install all the cruft, you will find yourself (or people like me, find
> > ourselves) supporting these users and having to explain to them that
> > it's their software that is causing the problem. Then they want to know
> > why their software isn't smart enough to just do what they mean. They
> > then want to know why they have to know anything about the whole bloody
> > mess, when all they want to do is get to their stupid games on Facebook.
> >
> > > A new installation of Firefox should not have any accumulated history.
> > > However, an upgrade might. If you want to start with a clean slate,
> > > clear all your history as follows. Click Tools, click Clear Recent
> > > History, select Everything in the drop down box. Below, you can observe
> > > check marks which show what will be cleared. All should be checked.
> > > Click Clear Now. Note, if some of the sites you've been using depend on
> > > history or preferences, you'll have to reset them.
> >
> > Great way to lock people out of their accounts, this is. A lot of
> > people rely on their Web browser to store their credentials for them.
> > Tell them to do this and they'll be fighting for a long time (and
> > usually unnecessarily frustrated while doing so) getting password resets
> > done for them on all of their common things like Facebook or their
> > bank/credit card/whatever sites. Especially those stupid sites that
> > think that the lack of a cookie means that you have to go through
> > special verification processes.
> >
> > > Block pop-up windows - ON (or checked)
> >
> > That is the default.
> >
> > > Enable JavaScript - ON (Disabling would be more secure and safer, but
> > > many websites would break. We'll deal with this using the NoScript plugin.)
> >
> > NoScript isn't a solution, either.
> >
> > > Click the Advanced button beside the JavaScript line and set these options.
> > >
> > > Allow scripts to:
> > >
> > > Move or resize existing windows - OFF (or unchecked)
> > > Raise or lower windows - OFF
> > > Disable or replace context menus - OFF
> >
> > Most excellent. Now software like Redmine won't work. Congrats!
> >
> > > Remember my download history - OFF (You could turn this on if desired.)
> >
> > What does this accomplish?
> >
> > > Remember my search and form history - OFF ( ditto )
> >
> > What does this accomplish?
> >
> > > Clear history when Firefox closes - ON
> >
> > What does this accomplish? The so-called "awesome bar" is a lot more
> > useful to users when their history is kept. So by doing this, you
> > effectively disable the additional (and quite useful) functionality.
> >
> > > Click the Security tab. Set the following.
> > >
> > > Warn me when sites try to install addons - ON
> >
> > This is the default.
> >
> > > Block reported attack sites - ON
> > > Block reported web forgeries - ON
> >
> > I have only ever encountered false positives with these settings; I view
> > them as useless.
> >
> > > Remember passwords for sites - OFF (I prefer to remember my own
> > > passwords or have something like Lastpass do it.)
> >
> > You're in the minority, unfortunately.
> >
> > > Use a master password - ON (Then complete the dialog box to set it.)
> >
> > Why do that if you're not saving passwords in Firefox?
> >
> > > Click OK to save all the options and dismiss the options screen.
> > >
> > > Now, open a blank browser tab.
> > >
> > > Type about:permissions in the web address blank and hit enter.
> > >
> > > You will get a screen which allows you to set the default permissions
> > > for sites as well as override them for specific sites. Click the All
> > > Sites line in the upper left. Set the default permissions as follows.
> > >
> > > Store passwords - BLOCK
> >
> > Again, you're in the minority. I have never managed to convince anyone
> > not to use the built-in password storage.
> >
> > > Share location - BLOCK
> >
> > What's wrong with "Always Ask"? Most people ignore the request anyway,
> > and the rest often say no when asked.
> >
> > > Set cookies - ALLOW FOR SESSION
> > > Open Pop-up windows - BLOCK
> > > Maintain offline storage - BLOCK
> >
> > What does this truly accomplish, other than a false sense of security?
> >
> > > You can now close this tab, or go to another web page.
> > >
> > > That's it for the basic Firefox configuration, but we're just
> > > beginning. In the next post, I'll talk about how to set up the NoScript
> > > and Ghostery plugins. I hope to complete the other posts tonight and
> > > tomorrow.
> >
> > NoScript, and plugins like it, are nice in theory. In practice most
> > users view them as a burden and something else that they have to manage.
> >
> > It is far easier to get people to understand that they shouldn't just
> > click every single stupid link in their email, on the Web, or in a program.
> >
> > That said, there is very little *true* problem with running JavaScript.
> > Today's Web developers require JavaScript be enabled. After all, we
> > can even have that on phones these days.
> >
> > If we were running Python in the browser, that'd be a little bit
> > different since there is (at least to my knowledge) no truly sandboxed
> > version of Python available. But JavaScript is virtually always
> > sandboxed, and cannot do any real harm to your system.
> >
> > Keeping a computer secure is all about what the person sitting at the
> > keyboard knows, not about what software is running on the computer. It
> > has always been this way and it will always continue to be this way.
> > Educate users; tell them why they shouldn't go browsing every possible
> > link they find, give them an idea of what types of sites can be trusted
> > versus not trusted, tell them why they should have some idea of what is
> > on the other end and whether or not they should trust it.
> >
> > And tell them why they shouldn't have ad blocking software installed,
> > too. People keep that shit up, we'll have to pay for everything on the
> > Internet out of our wallets, instead of just the things that aren't
> > ad-supported. I suspect that you disagree with me on that, too.
> > Wouldn't surprise me, when I had heavy traffic to my blog and I had
> > Google AdWords on it (hey, they're quite non-intrusive), I had something
> > like 99% of people blocking the ads. Everybody expects something for
> > nothing these days.
> >
> > --- Mike
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
>
>
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20111012/88d2db04/attachment-0001.html
More information about the Ale
mailing list