All times are UTC + 1 hour




 Post subject:
PostPosted: Mon Apr 20, 2009 12:46 
[quote=jondos]Yes, life is risky... But do not mix OS and hardware vulnerabilities with browser vulnerabilities. If you cannot execute code on an operating system, you can neither exploit OS nor hardware vulnerabilities. You are right that there have been a few attacks on image parsers that might be used to execute code. However, this is far more difficult to exploit and far better to protect against as against direct code execution like in JavaScript, Flash etc.[/quote]

Why not protect against all?

[quote]
[quote]Linux has a part of 0.7% so no one is interested in it.[/quote]

Maybe it is interesting to know that between 4% and 5% of JonDo users are using Linux. This is about as frequent as the use of Mac OS X.[/quote]

By the way, you should officially support BSD. JonDo has worked on OpenBSD since I started using it, and I doubt there would be any problems getting it to work on FreeBSD or NetBSD. Java is very cross-platform after all and the BSDs are very similar to Linux.

The only painful thing on OpenBSD is compiling Java. But at least there is an excellent FAQ describing the process.
http://www.openbsd.org/faq/faq8.html#Programming


 Post subject:
PostPosted: Mon Apr 20, 2009 12:52 
Sorry for spelling errors.

[quote] Hopefully while enabling them you will learn about there security risks.[/quote]

"There" should be "their".

[quote] if only because the bad guys have lest interest in those ones. [/quote]

"Lest" should be "less".


 Post subject:
PostPosted: Mon Apr 20, 2009 14:14 
[quote] I use 62 pseudo-random four-character-type character passwords for certain important purposes, and no, I do not write them down.[/quote]

Huh?

I think you meant "62 character pseudo-random four-character-type passwords" not "62 pseudo-random four-character-type character passwords".

But if that's what you mean then how can you remember that much?


 Post subject:
PostPosted: Mon Apr 20, 2009 17:04 
[quote]But if that's what you mean then how can you remember that much?[/quote]

Mnemonics.


 Post subject:
PostPosted: Mon Apr 20, 2009 18:18 
KisKis
http://kiskis.sourceforge.net/

or
KeePass Password Safe
http://keepass.info/

will do it also
:cool:


 Post subject: FBI docs out home-brewed spyware probes
PostPosted: Tue Apr 21, 2009 3:31 
FBI docs out home-brewed spyware probes

http://www.theregister.co.uk/2009/04/20/fbi_spyware/


 Post subject:
PostPosted: Tue Apr 21, 2009 3:56 
There are still some more that are listening to you

http://static.cqpolitics.com/harman-3098436-page1.html?docID=hsnews-000003098436


 Post subject:
PostPosted: Tue Apr 21, 2009 23:38 
http://blog.misec.net/2007/07/31/3/

[quote]
The following quote from page 16 of the affidavit leads me to believe that the FBI has several ready-made exploits, each targeted at a different browser:
It is requested that this court issue a search warrant authorizing … the use of multiple CIPAVs until one CIPAV is activated by the activating computer.
[/quote]


 Post subject:
PostPosted: Wed Apr 22, 2009 0:31 
Based on the information it is collecting, such as the serial number, I think CIPAV is only targeted at closed source operating systems, quite possibly only Windows. So while I am sure that OpenBSD is the most secure operating system and that the most paranoid people should use that, plain ole Linux should be fine for most people.

But maybe I am wrong. Maybe CIPAV just skips serial number when running on an open source operating system. Maybe you are better off using OpenBSD just in case.


 Post subject:
PostPosted: Thu Apr 23, 2009 13:54 
So what we are suggesting is two lines of defence.

1. Use a text-only browser like Lynx or a locked-down graphical browser with JavaScript and plugins disabled, preferably JonDoFox. Lynx might be more secure than JonDoFox from security exploits but JonDoFox has the standardised headers and is prettier.

2. In case malicious code is permitted to run in spite of the use of a secured browser, let it run on an incompatible operating system, like OpenBSD or Linux. OpenBSD is the most secure, but Linux should be secure enough for most people because it is rarely used and people are not interested in writing malicious code for it.

A third line of defence might be possible.

Even if a browser vulnerability is exploited and the code is compatible with the operating system, limit the amount of useful data the spyware can gather.

OpenVPN allows a computer to forget its original IP address in favour of a proxy IP address. Thus, running spyware on a computer that has been OpenVPNed should result in the wrong IP address. Unfortunately, OpenVPN does not allow layered encryption. However, using OpenVPN in addition to JonDo should not harm the security of JonDo. Then is there some way to get the computer to forget its MAC address and use a fake one?

Another option would be to do all web browsing through an operating system running on emulated hardware, such as qemu. Somehow make all traffic from the operating system on emulated hardware go through JonDo so that the operating system on emulated hardware cannot obtain a real external IP address. Would definitely involve a fake MAC address, since it is all hardware emulation anyway. Any spyware obtained while browsing would affect only the operating system on the emulated hardware, not the primary operating system. If qemu, an open source operating system like OpenBSD or Linux, and an IcedTea version of Java were used, then the whole thing would be open source and the JonDos team could distribute something pre-configured.

Also be careful of sensitive files, in case the spyware looks at the files. Container or file-level encryption strongly recommended. (Whole partition encryption recommended for defeating local adversaries, but only protects while the computer is off.) Also be sure to encrypt swap and /tmp and /var/tmp. OpenBSD has the best swap encryption, but for Linux at least make swap use a different random key on each boot. Try to do the same for /tmp and /var/tmp, if possible. AES is probably vulnerable to algebraic attacks, so try to encrypt files with Serpent or Twofish. Blowfish is also good, but is a precursor to Twofish.

If the spyware ends up running in a chroot or an operating system on emulated hardware, this could also protect sensitive files, assuming they are stored elsewhere.
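
Added example, not part of the post above and not JonDos code: a Python check for the post's advice that on Linux swap, /tmp and /var/tmp should get a different random key on each boot. It audits crypttab/fstab text; the sample tables, device names and cipher strings are constructed, and it assumes the standard crypttab `swap` and `tmp` options with `/dev/urandom` or `/dev/random` as the key source.

```python
# Added example. CRYPTTAB and FSTAB are constructed samples, not from the thread.
CRYPTTAB = """\
# name  device     key           options
cswap   /dev/sda2  /dev/urandom  swap,cipher=twofish-xts-plain64,size=256
ctmp    /dev/sda3  /dev/urandom  tmp,cipher=serpent-xts-plain64,size=256
home    /dev/sda5  none          luks
"""
FSTAB = """\
/dev/mapper/cswap  none      swap  sw        0 0
/dev/mapper/ctmp   /tmp      ext4  defaults  0 0
/dev/sda6          /var/tmp  ext4  defaults  0 0
/dev/sda7          none      swap  sw        0 0
"""
RANDOM_KEYS = {"/dev/urandom", "/dev/random"}
WATCHED = ("/tmp", "/var/tmp")

def rows(text, min_fields):
    """Whitespace-split the non-comment lines of a crypttab/fstab-style file."""
    lines = (l.split() for l in text.splitlines() if not l.lstrip().startswith("#"))
    return [f for f in lines if len(f) >= min_fields]

def random_keyed(crypttab):
    """Map mapping name -> option names, for entries keyed from a random device."""
    found = {}
    for f in rows(crypttab, 3):
        if f[2] in RANDOM_KEYS:
            opts = f[3].split(",") if len(f) > 3 else []
            found[f[0]] = {o.split("=")[0] for o in opts}
    return found

def audit(crypttab, fstab):
    """Return {target: verdict} for every swap area and for /tmp and /var/tmp."""
    keyed = random_keyed(crypttab)
    verdicts = {m: "not a separate mount" for m in WATCHED}
    for dev, mnt, fstype, *_ in rows(fstab, 3):
        if fstype != "swap" and mnt not in WATCHED:
            continue
        target = "swap:" + dev if fstype == "swap" else mnt
        need = "swap" if fstype == "swap" else "tmp"
        name = dev.split("/dev/mapper/")[-1]  # mapping name, or the device unchanged
        if need in keyed.get(name, ()):
            verdicts[target] = "random key each boot"
        elif fstype == "tmpfs":
            verdicts[target] = "tmpfs (RAM-backed, can be paged to swap)"
        else:
            verdicts[target] = "no per-boot random key"
    return verdicts

if __name__ == "__main__":
    for target, verdict in audit(CRYPTTAB, FSTAB).items():
        print(f"{target:24} {verdict}")
```

To audit a real machine, pass the contents of `/etc/crypttab` and `/etc/fstab` to `audit()`; a tmpfs verdict is only as good as the verdict for the swap areas listed next to it.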

