• popup ads appearing on my system.

    From William Unruh@2:250/1 to All on Sat Apr 18 23:28:25 2020
    Yesterday I suddenly had problems with popup ads appearing on my system.
    The first time I noticed it was while running zoom. Suddenly a little
    (say 100x60) window opened up in the bottom right area of my screen with
    a picture of a woman with large naked breasts; it was up for about 7
    sec with some text and then vanished. After I had closed zoom (and it
    was no longer running on my system) other such ads would appear and
    then disappear, each time for only a few seconds. These would occur in
    general with about an hour or so between them (although at least once
    it was just a few minutes between two of them). Sometimes they were not
    of naked women telling me they wanted me, but some advertisement for
    something I did not have time to read, so it was not just zoom that was
    doing this.

    I usually have a chrome window open; I tried to shut down all web pages
    which I thought might have been triggering this, but that did not help.
    I finally shut down chrome entirely and that seems to have stopped the
    show. I have not noticed this today, while I am using chrome again.

    Does anyone know what could be doing this? I have never had this happen
    before. Mind you I think I have had popups blocked and then when I
    wanted to read a newspaper article I opened up the popups again as that
    website demanded I do so to read the article, and did not block them
    again afterwards, so that could have been the problem, with that web
    site somehow keeping the web page open that was feeding them to my
    system. But that is just a theory.

    Does anyone else have experience with something like this? Is it an
    indication that my system might have been hacked? Via Zoom? via Chrome?
    via ????

    Thanks.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Mike Easter@2:250/1 to All on Sat Apr 18 23:42:39 2020
    William Unruh wrote:

    > Does anyone know what could be doing this?

    Maybe you have browser/chrome malware.

    Chrome / hamburger icon upper R / Settings / 3rd from bottom item
    Advanced / opens to 6 items, including reset and cleanup, or some such,
    like restore settings to their original defaults.

    Also in that hamburger is More tools / Extensions.

    You shouldn't have any extensions in there you don't trust.


    --
    Mike Easter

    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Sat Apr 18 23:51:08 2020
    On Sat, 18 Apr 2020 22:28:25 -0000 (UTC), William Unruh wrote:
    > Yesterday I suddenly had problems with popup ads appearing on my system.
    > The first time I noticed it was while running zoom. Suddenly a little
    > (say 100x60) window opened up in the bottom right area of my screen with

    > Does anyone else have experience with something like this?

    Not me, I run firefox with NoScript. I middle click any link and ff
    opens a new tab/window and brings up the site.

    > Is it an
    > indication that my system might have been hacked? Via Zoom? via Chrome?
    > via ????

    It is a little late to ask that question. If a rootkit was installed
    you cannot use anything on the system to look for the hack.

    Now, had you installed an Advanced Intrusion Detection Environment
    like aide, you could run "aide --check" to see if there were any changes
    or files modified.

    Intrusion Detection Environment apps: unhide, aide, osiris, ossec-hids,
    samhain, tripwire, snare, integrit, rkhunter, chkrootkit...


    * Origin: A noiseless patient Spider (2:250/1@fidonet)
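The "aide --check" idea from the post above, as an added example in Python that is neither the thread's nor AIDE's own code: record a hash plus metadata for every file once, keep that baseline off the machine, and compare against it later. The file tree it checks is constructed in a temporary directory.

```python
"""Minimal AIDE-style integrity baseline and check (added example).

Not code from the thread or from AIDE itself; it shows the idea behind
"aide --check": record a hash and metadata for every file once, then
compare against that record later. The file tree in demo() is constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """SHA-256 of the contents plus the metadata a tamper check cares about."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    # In real use this file belongs on read-only or offline media, and the
    # later check runs from a trusted boot, not from the suspect system.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Classify each path as added, removed, content-changed or metadata-changed."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel]["sha256"] != new[rel]["sha256"]:
            report["content"].append(rel)
        elif old[rel] != new[rel]:
            report["metadata"].append(rel)  # e.g. a chmod or chown only
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    db = root + ".json"  # baseline stored outside the tree being checked
    try:
        for rel, data in {
            "bin/ls": b"#!/bin/sh\necho real ls\n",
            "bin/ps": b"#!/bin/sh\necho real ps\n",
            "etc/motd": b"welcome\n",
        }.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o755)

        save_baseline(build_baseline(root), db)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")      # content change
        os.chmod(os.path.join(root, "bin/ls"), 0o700)      # metadata only
        os.remove(os.path.join(root, "etc/motd"))          # removed
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"dropper\n")                          # added

        return compare(load_baseline(db), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        if os.path.exists(db):
            os.remove(db)
```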
  • From Jasen Betts@2:250/1 to All on Sat Apr 18 23:41:55 2020
    On 2020-04-18, William Unruh <unruh@invalid.ca> wrote:
    > Yesterday I suddenly had problems with popup ads appearing on my system.
    > The first time I noticed it was while running zoom. Suddenly a little
    > (say 100x60) window opened up in the bottom right area of my screen with
    > a picture of a woman with large naked breasts; it was up for about 7
    > sec with some text and then vanished. After I had closed zoom (and it
    > was no longer running on my system) other such ads would appear and
    > then disappear, each time for only a few seconds. These would occur in
    > general with about an hour or so between them (although at least once
    > it was just a few minutes between two of them). Sometimes they were not
    > of naked women telling me they wanted me, but some advertisement for
    > something I did not have time to read, so it was not just zoom that was
    > doing this.
    >
    > I usually have a chrome window open; I tried to shut down all web pages
    > which I thought might have been triggering this, but that did not help.
    > I finally shut down chrome entirely and that seems to have stopped the
    > show. I have not noticed this today, while I am using chrome again.
    >
    > Does anyone know what could be doing this? I have never had this happen
    > before. Mind you I think I have had popups blocked and then when I
    > wanted to read a newspaper article I opened up the popups again as that
    > website demanded I do so to read the article, and did not block them
    > again afterwards, so that could have been the problem, with that web
    > site somehow keeping the web page open that was feeding them to my
    > system. But that is just a theory.
    >
    > Does anyone else have experience with something like this? Is it an
    > indication that my system might have been hacked? Via Zoom? via Chrome?
    > via ????

    My Dad had that on his windows machine and I was able to trace the
    process responsible back to being an instance of chrome.

    For linux the tool xwininfo may give useful diagnostics, but it
    doesn't seem to work with Wayland apps.

    --
    Jasen.

    * Origin: JJ's own news server (2:250/1@fidonet)
  • From David W. Hodgins@2:250/1 to All on Sun Apr 19 01:12:08 2020
    On Sat, 18 Apr 2020 18:28:25 -0400, William Unruh <unruh@invalid.ca> wrote:

    > Yesterday I suddenly had problems with popup ads appearing on my system.
    > The first time I noticed it was while running zoom. Suddenly a little
    > (say 100x60) window opened up in the bottom right area of my screen with
    > a picture of a woman with large naked breasts; it was up for

    Either zoom or a website open in chrome (or any site used to provide ads
    for those sites) could have run javascript that launched a copy of the
    browser running in the background, popping up that window to annoy you.

    If you were running either zoom or chrome as root, then the system could
    easily have been hacked, and the only way to confirm would be to boot from
    an external device that wasn't mounted in read/write mode while the hack
    was running, and carefully examine the system for changes. Not easy to do,
    but possible.

    If they were running as a user, a logout/in or reboot would end the
    loading of the sites unless an entry was added to autostart it on user
    login. For that, reboot, login as another user, and examine all files the
    user has write access to that were modified recently for any scripts,
    etc. that shouldn't be there. Also delete any files in the cache for the
    possibly infected user.

    The zoom bombing that's been frequently happening has mostly been pranks
    that do no real damage. Someone looking to steal from you isn't going to
    do stupid things to make it obvious the system has been accessed.

    There are different threat levels and acceptable risk levels for
    different people.

    For an average person running any linux system, the primary threat is
    financial. If you are concerned that it was more than just zoom bombing,
    and you use the possibly infected account for anything financial, after
    ensuring the system is no longer infected, change all passwords for
    financial websites.

    For someone working with high value information, thanks to the mini os
    called uefi, the motherboard and hard drives should be replaced as the
    firmware on either could be infected, leaving a persistent threat that
    cannot be easily found or removed.

    Personally, if a reboot, or logout/login stops the popups, I wouldn't
    worry further about it. But that's up to you. I wouldn't use zoom though,
    except possibly in a vb guest created just for running zoom, so it
    doesn't have any access to the host system's files. The media has made it
    clear, zoom is not designed to be secure.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.

    * Origin: A noiseless patient Spider (2:250/1@fidonet)
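Dave's two checks above (files the user can write to that changed recently, and anything set to autostart at login) as an added example in Python, not code from the thread: it assumes the standard XDG autostart directory, user systemd unit directory and shell start-up files as the places to look, and scans a constructed home directory.

```python
"""Triage a home directory after a suspected browser compromise (added example).

Not code from the thread: it automates the two checks Dave suggests, run as
a different user or after a reboot: (1) which files the user could write to
changed recently, and (2) which user-level autostart entries would relaunch
something at login. The locations below are the standard XDG and shell
start-up paths and are an assumption; the sample home is constructed.
"""
import os
import shutil
import tempfile
import time

AUTOSTART_DIRS = [".config/autostart", ".config/systemd/user"]
SHELL_RC_FILES = [".bashrc", ".bash_profile", ".profile", ".xprofile", ".xsessionrc"]


def recently_modified(home, hours=24, now=None):
    """Relative paths of regular files under home modified within `hours`."""
    cutoff = (time.time() if now is None else now) - hours * 3600
    hits = []
    for dirpath, _dirs, files in os.walk(home):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and os.lstat(full).st_mtime >= cutoff:
                hits.append(os.path.relpath(full, home))
    return sorted(hits)


def key_values(path, keys):
    """Yield (key, value) for `Key=value` lines; .desktop files and
    systemd units share this syntax."""
    with open(path, errors="replace") as f:
        for line in f:
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                k, v = line.split("=", 1)
                if k.strip() in keys:
                    yield k.strip(), v.strip()


def autostart_entries(home):
    """(location, command) pairs for everything that would run at user login."""
    entries = []
    for d in AUTOSTART_DIRS:
        full = os.path.join(home, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            p = os.path.join(full, name)
            if name.endswith(".desktop"):
                keys = {"Exec"}
            elif name.endswith((".service", ".timer")):
                keys = {"ExecStart", "OnCalendar"}
            else:
                continue
            entries.extend((os.path.join(d, name), v) for _k, v in key_values(p, keys))
    # Shell start-up files: a backgrounded or detached command is the usual
    # way to keep a browser instance alive without a visible window.
    for rc in SHELL_RC_FILES:
        p = os.path.join(home, rc)
        if not os.path.isfile(p):
            continue
        with open(p, errors="replace") as f:
            for line in f:
                s = line.strip()
                if s and not s.startswith("#") and (
                    s.endswith("&") or s.startswith(("nohup ", "setsid "))
                ):
                    entries.append((rc, s))
    return entries


def demo():
    """Constructed home: two benign old files, two recent suspicious ones."""
    home = tempfile.mkdtemp(prefix="home-triage-")
    try:
        old = time.time() - 10 * 86400
        sample = {
            "Documents/notes.txt": ("todo\n", old),
            ".config/autostart/nm-applet.desktop":
                ("[Desktop Entry]\nType=Application\nExec=nm-applet\n", old),
            ".config/autostart/updater.desktop":
                ("[Desktop Entry]\nType=Application\n"
                 "Exec=sh -c 'chromium --app=http://ads.example.invalid/'\n", None),
            ".bashrc": ("alias ll='ls -l'\n"
                        "nohup chromium --app=http://ads.example.invalid/ &\n", None),
        }
        for rel, (text, mtime) in sample.items():
            full = os.path.join(home, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)
            if mtime is not None:
                os.utime(full, (mtime, mtime))  # make the benign files old
        return {"recent": recently_modified(home, hours=24),
                "autostart": autostart_entries(home)}
    finally:
        shutil.rmtree(home, ignore_errors=True)
```

On a real system point it at the suspect user's home (as a different user, after the reboot Dave describes) and read the autostart list first, since that is where a re-launching browser instance has to live.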
  • From Carlos E.R.@2:250/1 to All on Sun Apr 19 04:41:18 2020
    On 19/04/2020 00.28, William Unruh wrote:
    > Yesterday I suddenly had problems with popup ads appearing on my system.
    > The first time I noticed it was while running zoom. Suddenly a little
    > (say 100x60) window opened up in the bottom right area of my screen with
    > a picture of a woman with large naked breasts; it was up for about 7
    > sec with some text and then vanished. After I had closed zoom (and it
    > was no longer running on my system) other such ads would appear and
    > then disappear, each time for only a few seconds. These would occur in
    > general with about an hour or so between them (although at least once
    > it was just a few minutes between two of them). Sometimes they were not
    > of naked women telling me they wanted me, but some advertisement for
    > something I did not have time to read, so it was not just zoom that was
    > doing this.
    >
    > I usually have a chrome window open; I tried to shut down all web pages
    > which I thought might have been triggering this, but that did not help.
    > I finally shut down chrome entirely and that seems to have stopped the
    > show. I have not noticed this today, while I am using chrome again.
    >
    > Does anyone know what could be doing this? I have never had this happen
    > before. Mind you I think I have had popups blocked and then when I
    > wanted to read a newspaper article I opened up the popups again as that
    > website demanded I do so to read the article, and did not block them
    > again afterwards, so that could have been the problem, with that web
    > site somehow keeping the web page open that was feeding them to my
    > system. But that is just a theory.
    >
    > Does anyone else have experience with something like this? Is it an
    > indication that my system might have been hacked? Via Zoom? via Chrome?
    > via ????

    Suspicions:

    - A site that enabled notifications. They need the browser that
    activated them to be running.
    - some popup from some site.
    - some crap from zoom. It is known to be a bad thing.


    Using Firefox, I can enable popups for a single tab or for a single site.


    --
    Cheers, Carlos.

    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Sun Apr 19 05:15:30 2020
    On 2020-04-19, Carlos E.R. <robin_listas@es.invalid> wrote:
    > On 19/04/2020 00.28, William Unruh wrote:
    >> Yesterday I suddenly had problems with popup ads appearing on my system.
    >> The first time I noticed it was while running zoom. Suddenly a little
    >> (say 100x60) window opened up in the bottom right area of my screen with
    >> a picture of a woman with large naked breasts; it was up for about 7
    >> sec with some text and then vanished. After I had closed zoom (and it
    >> was no longer running on my system) other such ads would appear and
    >> then disappear, each time for only a few seconds. These would occur in
    >> general with about an hour or so between them (although at least once
    >> it was just a few minutes between two of them). Sometimes they were not
    >> of naked women telling me they wanted me, but some advertisement for
    >> something I did not have time to read, so it was not just zoom that was
    >> doing this.
    >>
    >> I usually have a chrome window open; I tried to shut down all web pages
    >> which I thought might have been triggering this, but that did not help.
    >> I finally shut down chrome entirely and that seems to have stopped the
    >> show. I have not noticed this today, while I am using chrome again.
    >>
    >> Does anyone know what could be doing this? I have never had this happen
    >> before. Mind you I think I have had popups blocked and then when I
    >> wanted to read a newspaper article I opened up the popups again as that
    >> website demanded I do so to read the article, and did not block them
    >> again afterwards, so that could have been the problem, with that web
    >> site somehow keeping the web page open that was feeding them to my
    >> system. But that is just a theory.
    >>
    >> Does anyone else have experience with something like this? Is it an
    >> indication that my system might have been hacked? Via Zoom? via Chrome?
    >> via ????
    >
    > Suspicions:
    >
    > - A site that enabled notifications. They need the browser that
    > activated them to be running.
    I hate sites that demand popups and usually have them disabled. In this
    case it was a newspaper site and I enabled them to read that site.
    Unfortunately I had no idea how to do it except by enabling them for
    everything. I had trouble today figuring out how to block them -- the
    chrome settings page is not very transparent. I think then I forgot
    about them and left popups enabled, so it is quite possible it was in
    that way that they got in.

    > - some popup from some site.
    > - some crap from zoom. It is known to be a bad thing.

    Possibly. I am not at all sure that it is a "bad thing". It has suddenly
    gotten a lot of light shone on them (which is good) but with scrutiny
    like that, almost anything will reveal warts. Skype has been around (and
    is getting worse and worse under MS tutelage) and so people have not
    scrutinized it to nearly the same extent.


    > Using Firefox, I can enable popups for a single tab or for a single site.

    It is possible I can do that with chrome as well.


    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Sun Apr 19 05:29:38 2020
    On Sun, 19 Apr 2020 04:15:30 -0000 (UTC), William Unruh wrote:

    > I hate sites that demand popups and usually have them disabled. In this
    > case it was a newspaper site and I enabled them to read that site.
    > Unfortunately I had no idea how to do it except by enabling them for
    > everything.

    When a site won't display content, I click NoScript, and usually get
    a list of domains wanting access. I temporarily enable just the site and
    see several more domains wanting access.

    I also have installed the privoxy proxy, told firefox to use it, and
    added several ad urls to privoxy's configuration file.
    That cuts down on ads on the page.

    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Soviet_Mario@2:250/1 to All on Sun Apr 19 13:02:21 2020
    On 19/04/20 02:12, David W. Hodgins wrote:
    > On Sat, 18 Apr 2020 18:28:25 -0400, William Unruh <unruh@invalid.ca> wrote:
    >
    >> Yesterday I suddenly had problems with popup ads appearing on my system.
    >> The first time I noticed it was while running zoom. Suddenly a little
    >> (say 100x60) window opened up in the bottom right area of my screen with
    >> a picture of a woman with large naked breasts; it was up for
    >
    > Either zoom or a website open in chrome (or any site used to provide ads
    > for those sites) could have run javascript that launched a copy of the
    > browser running in the background, popping up that window to annoy you.
    >
    > If you were running either zoom or chrome as root, then the system could
    > easily have been hacked, and the only way to confirm would be to boot
    > from an external


    a trivial (for you) question :
    as a single user with a single account (sudo enabled) I
    could be defined a user with potential threats of that kind
    .... but I think that, when launching apps like firefox from
    Whisker Menu, invoking it normally and not via sudo,
    I should not be using it "as root", would I ?
    I mean, even the root user can launch apps without
    necessarily endowing them with superpowers, or not ?


    > device that wasn't mounted in read/write mode while the hack was
    > running, and carefully examining the system for changes. Not easy to
    > do, but possible.
    >
    > If they were running as a user, a logout/in or reboot would end the
    > loading of the sites unless an entry was added to autostart it on user
    > login. For that, reboot, login as another user, and examine all files
    > the user has write access that were modified recently for any scripts,
    > etc. that shouldn't be there. Also delete any files in the cache for
    > the possibly infected user.

    to your experience, what other strange behaviour should one
    pay attention to in order to discover some hacking ? Apart
    from VISIBLE pop-ups ...
    Sometimes I look into the task list, but that is useful only
    when I suspect sth wrong "a priori" so I know more or less
    what to look for, and not in general, as many processes are
    unknown to me but perfectly legal as system services


    > The zoom bombing that's been frequently happening has mostly been
    > pranks that do no real damage. Someone looking to steal from you isn't
    > going to do stupid things to make it obvious the system has been
    > accessed.

    pheew, never used zoom.
    once in life gugol hangouts (denying webcam usage, or better,
    i simply disconnected it)


    > There are different threat levels and acceptable risk levels
    > for different people.
    >
    > For an average person running any linux system, the primary
    > threat is financial. If

    that is stealing credit card numbers stored somewhere ? Many
    sites using E-carts store it also (dunno if just remotely,
    locally and remotely, or just locally ... I think whichever
    is the worst for me :) :) )

    > you are concerned that it was more than just zoom bombing,
    > and you use the possibly infected account for anything
    > financial, after ensuring the system is no longer infected,
    > change all passwords for financial websites.
    >
    > For someone working with high value information, thanks to
    > the mini os called uefi, the motherboard and hard drives
    > should be replaced as the firmware on either could be
    > infected leaving a persistent threat that cannot be easily
    > found or removed.

    Holy God ...
    frightening


    > Personally, if a reboot, or logout/login stops the popups, I
    > wouldn't worry further about it. But that's up to you. I
    > wouldn't use zoom though, except possibly in a vb guest
    > created just for running zoom, so it doesn't have any access
    > to the host system's files. The media has made it clear, zoom
    > is not designed to be secure.
    >
    > Regards, Dave Hodgins



    --
    1) Resistere, resistere, resistere.
    2) Se tutti pagano le tasse, le tasse le pagano tutti
    Soviet_Mario - (aka Gatto_Vizzato)

    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From J.O. Aho@2:250/1 to All on Sun Apr 19 14:03:43 2020
    On 19/04/2020 14.02, Soviet_Mario wrote:
    > On 19/04/20 02:12, David W. Hodgins wrote:
    >
    >> If you were running either zoom or chrome as root, then the system
    >> could easily have been hacked, and the only way to confirm would be to
    >> boot from an external
    >
    > a trivial (for you) question :
    > as a single user with a single account (sudo enabled) I could be defined
    > a user with potential threats of that kind .... but I think that, when
    > launching apps like firefox from Whisker Menu, invoking it normally and
    > not via sudo, I should not be using it "as root", would I ?

    If you are logged in as a normal user, and you run something from the DE
    menu, they tend to be run as the normal user, unless you have
    reconfigured the app to run as some other user (some DE's have a simple
    option to pick another user, but it tends to be that you need to provide
    a password unless you have also edited the sudoers).


    > I mean, even the root user can launch apps without necessarily endowing
    > them with superpowers, or not ?

    root is the superuser, so root has to become a normal user with su/sudo,
    telling it which user. The main thing is, you are just stupid if you use
    root as a normal user; the only time you should and need to have root
    privileges is when you make system changes.
    If you still think it's cool to run as root, then you can switch to
    microsoft windows instead.


    >> device that wasn't mounted in read/write mode while the hack was
    >> running, and carefully examining the system for changes. Not easy to
    >> do, but possible.
    >>
    >> If they were running as a user, a logout/in or reboot would end the
    >> loading of the sites unless an entry was added to autostart it on user
    >> login. For that, reboot, login as another user, and examine all files
    >> the user has write access that were modified recently for any scripts,
    >> etc. that shouldn't be there. Also delete any files in the cache for
    >> the possibly infected user.
    >
    > to your experience, what other strange behaviour should one pay
    > attention to in order to discover some hacking ? Apart from VISIBLE
    > pop-ups ...

    Anything out of the normal, as extra network traffic for example.
    As we ain't using your computer, we can't say what is normal on it.
    It's good to run things like rkhunter, chkrootkit, clamav; sure they
    won't be 100% detecting everything but at least you lessen the
    possibility of someone taking over your machine without you knowing it.


    > Sometimes I look into the task list, but that is useful only when I
    > suspect sth wrong "a priori" so I know more or less what to look for,
    > and not in general, as many processes are unknown to me but perfectly
    > legal as system services

    There are methods to hide processes, so looking at the processes running
    won't give you the whole picture of your computer's activities.



    >> There are different threat levels and acceptable risk levels for
    >> different people.
    >>
    >> For an average person running any linux system, the primary threat is
    >> financial. If
    >
    > that is stealing credit card numbers stored somewhere ? Many sites using
    > E-carts store it also (dunno if just remotely, locally and remotely, or
    > just locally ... I think whichever is the worst for me :) :) )

    Storing card numbers and card holder data is regulated under PCI DSS; if
    you don't follow the regulations you will not be able to process
    MasterCard, Visa and JCB, and most likely other cards will follow to ban
    you too.

    It may look to you as if it's the e-cart that keeps your card data, but
    it's the payment provider, which is a company providing a service to the
    e-commerce site you are buying from. If the e-commerce site would keep
    your card data, it would be a high cost for them: PCI audits annually,
    fees to pay and even more if card holder data would leak.


    >> you are concerned that it was more than just zoom bombing, and you use
    >> the possibly infected account for anything financial, after ensuring
    >> the system is no longer infected, change all passwords for financial
    >> websites.
    >>
    >> For someone working with high value information, thanks to the mini os
    >> called uefi, the motherboard and hard drives should be replaced as the
    >> firmware on either could be infected leaving a persistent threat that
    >> cannot be easily found or removed.
    >
    > Holy God ...
    > frightening

    The scary thing is that you can have malware installed on your CPU,
    running on the Minix that Intel uses in their CPUs; the malware will
    have total control of your computer regardless of OS and of course
    access to all data that the CPU is accessing, like authentication keys.

    There is no way for you to check what is running on the Minix.



    >> Personally, if a reboot, or logout/login stops the popups, I wouldn't
    >> worry further about it. But that's up to you. I wouldn't use zoom
    >> though, except possibly in a vb guest created just for running zoom,
    >> so it doesn't have any access to the host system's files.

    A problem with virtualization is that it ain't as secure; you are giving
    the GuestOS too close contact to the hardware, and bugs in the
    virtualization layer have in the past allowed a GuestOS to access the
    HostOS directly.

    With the CPU bugs (mainly Intel), there are possibilities to get data
    from the HostOS in the same way as if you had run the application
    directly in the HostOS.

    I would recommend not using Zoom at all; it's not only their lack of
    securing the conferences, it's also that their homegrown encryption is so
    bad that it's not much different from sending the data in plain text.

    --

    //Aho

    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Sun Apr 19 14:28:14 2020
    On Sun, 19 Apr 2020 14:02:21 +0200, Soviet_Mario wrote:
    > On 19/04/20 02:12, David W. Hodgins wrote:
    >
    >> For an average person running any linux system, the primary
    >> threat is financial. If
    >
    > that is stealing credit card numbers stored somewhere ?

    From your standpoint, it is kinda a man in the middle crack.

    The browser poisoned DNS crack:
    Let's say you have been surfing and have passed through a malware
    infected site. As you view pages/articles the malware gets a criminal
    site DNS value into your browser's DNS cache for wherever you bank or
    use your credit card. The next time you access that "secured" site, the
    criminal's site gets your critical information and sends you on to the
    real site.

    Other crack is the malware attacks your router and configures it to
    use the criminals' DNS server.

    For the browser crack, your only defense is always close/exit your
    browser when you are going to log into any site that requires
    id/pw/credit card.

    For the router crack, you need to be running your own DNS server.
    I installed the bind package and have the name daemon server doing the
    look ups. Best I can do to prevent router access via browser was to
    configure privoxy to block access to my router ip address.

    Snippet from one of my privoxy configuration files.

    { +block +handle-as-image }
    .adshuffle.*
    adserver.adtechus.com/*
    adserver.adtech.de/*
    .mspmentor.net/*
    .murdoog.com/*
    neatfeedback.com/*
    .pointroll.*
    .bluestreak.*
    tcr.tynt.com/*
    .media-servers.net/*
    .linksynergy.com/*
    .unanimis.co.uk/*

    { +block }
    192.168.11.1

    ##------------ end /var/local/config/xx__my.action ------------


    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From David W. Hodgins@2:250/1 to All on Sun Apr 19 15:27:27 2020
    On Sun, 19 Apr 2020 08:02:21 -0400, Soviet_Mario <SovietMario@cccp.mir> wrote:

    > a trivial (for you) question :
    > as a single user with a single account (sudo enabled) I
    > could be defined a user with potential threats of that kind
    > .... but I think that, when launching apps like firefox from
    > Whisker Menu, invoking it normally and not via sudo,
    > I should not be using it "as root", would I ?
    > I mean, even the root user can launch apps without
    > necessarily endowing them with superpowers, or not ?

    It depends on how sudo has been configured. Don't set it to cache the password.
    Don't use setuid or setgid programs without ensuring it's necessary, and worth the risk.

    Never run anything that accesses the internet as root, with the exception of distro supplied update utilities, or simple tools such as ping and traceroute when debugging a connection.

    > to your experience, what other strange behaviour should one
    > pay attention to in order to discover some hacking ? Apart
    > from VISIBLE pop-ups ...
    > Sometimes I look into the task list, but that is useful only
    > when I suspect sth wrong "a priori" so I know more or less
    > what to look for, and not in general, as many processes are
    > unknown to me but perfectly legal as system services

    For all users, no matter what os they are using ... https://www.techsupportalert.com/safe-hex-safe-computing-practices.htm

    First, remember that security is not a goal you can accomplish. It's a process built of many layers, that is always a work in progress.

    For Mageia users, there is a tool called msec that produces daily and
    weekly reports of what is running when it does, that is accessing or
    listening to the network. It includes a report of what's changed in that
    list since it last ran, as well as what packages have been changed. Get
    used to what the reports show, and pay attention to the changes. The msec
    tools can also be used to configure security based on your needs.
    https://doc.mageia.org/mcc/5/en/content/mcc-security.html

    For all linux users, don't install packages that come from sources other
    than the distribution, without careful consideration. Avoid closed source
    packages like zoom, unless you have no choice. If you must run a package
    like zoom, keep it in a virtual machine. While there are security bugs
    found from time to time in the various virtualization technologies, it's
    another layer of security that makes it harder for malware to access your
    data.

    Learn how to work with files that are kept encrypted while on disk, and only accessible when you actually need to work with the data they contain. There are
    many ways to accomplish this, such as using an encrypted filesystem within files.

    The only time one of my systems has been infected, it was with the virus
    called ripper (back in dos 6.22 days). I was careless in that I used a
    brand new disk drive that had been partitioned by the retail store clerk,
    without scanning it for a virus first.
    https://malware.wikia.org/wiki/Ripper
    As it was a stealth rootkit, I only became aware of it when a program I'd
    written did an md5sum check of itself and found it had been modified, so
    refused to run with an error message explaining it had been changed.

    For linux users, there are a wide variety of tools to do consistency checks for
    files, such as aide. Learn about them, and use them.

    There are distributions that are very security oriented, such as qubes
    os. https://www.qubes-os.org/faq/

    Even if you don't decide to use it, it provides a useful guide to
    compartmentalization. The concepts it discusses can be implemented in
    many ways, such as using different logins for different functions.

    Whether using different logins, or different virtual machines, the
    separations of what data is accessible to what user's programs are
    methods of implementing one level of security.

    For threats such as meltdown and spectre, the only real protection is to disable
    hyper threading. It cut's cpus available by 50%, but for most people the actual
    impact of the reduction is minor.

    For bugs in firmware, if the hardware allows it, burn new firmware images into the EPROM or flash memory, whenever the new version includes security fixes that
    fix bugs that may apply to that system's usage. Be aware that burning firmware images may result in physical damage to the storage meaning the hardware will have
    to be replaced, so take that concern into account too.

    When buying new hardware, take the time to research known security issues with the hardware from that manufacturer.

    Security is a process. It's up to you to decide what activities are worth what level of risk.

    One example I'll give is router security. I have my router's ip address changed to a non default address, so if its settings get remotely reset, I'll lose internet and lan access till I figure out what's wrong and fix it.
    I don't use the router's dns server. I run bind on one of my systems, and use that as the name server for all systems on my lan. I also have it configured
    to block many ad servers, as they are a notorious source of javascript malware.
    https://github.com/Trellmor/bind-adblock

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
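The post above recommends file consistency checkers such as aide, and describes a program that caught the Ripper rootkit by checksumming itself. The following is an added example, not aide's code and not anything from the posts: a small baseline/compare tool in the same spirit. It records a SHA-256 digest (MD5, which the original program used, is no longer collision-resistant) together with owner and mode for every file under a root, stores the baseline as JSON, and reports what was added, removed or changed. The directory tree in demo() is constructed for illustration; its file names are made up.

```python
"""Minimal file-integrity baseline in the spirit of aide (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Describe one entry. lstat, so a symlink is recorded by its target
    rather than followed, the way aide treats links."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """Map every file under root (relative path, so the baseline is portable)
    to its record."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def save_baseline(baseline, path):
    # In real use keep this file somewhere the running system cannot write
    # (read-only media, another host); a rootkit that can edit the baseline
    # can hide from it.
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Any attribute difference counts as 'changed', so a chmod u+s on an
    untouched binary is reported even though its digest is the same."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(path, data, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a tiny bin/ tree, then apply the kinds
    of change a compromise leaves behind and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        _write(os.path.join(bindir, "ls"), '#!/bin/sh\nexec /bin/ls "$@"\n', 0o755)
        _write(os.path.join(bindir, "cat"), '#!/bin/sh\nexec /bin/cat "$@"\n', 0o755)
        _write(os.path.join(bindir, "vi"), '#!/bin/sh\nexec /usr/bin/vi "$@"\n', 0o755)
        db = os.path.join(root, "baseline.json")  # outside the watched tree
        save_baseline(build_baseline(bindir), db)

        # 1) trojaned ls: same size and mode, different bytes (size alone
        #    would not catch this; the digest does)
        _write(os.path.join(bindir, "ls"), '#!/bin/sh\nexec /tmp/ls "$@"\n', 0o755)
        # 2) setuid bit added to vi: content unchanged, mode changed
        os.chmod(os.path.join(bindir, "vi"), 0o4755)
        # 3) a dropped hidden file, and 4) a removed tool
        _write(os.path.join(bindir, ".cache", "update"), "payload\n", 0o755)
        os.remove(os.path.join(bindir, "cat"))

        return compare(load_baseline(db), build_baseline(bindir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline right after a clean install (as the later rkhunter advice in this thread also says), update it only after package updates you made yourself, and treat every entry in "changed" as a question to answer rather than noise to whitelist.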
  • From Melzzzzz@2:250/1 to All on Sun Apr 19 15:53:32 2020
    On 2020-04-18, William Unruh <unruh@invalid.ca> wrote:
    Yesterday I suddenly had problems with popup ads appearing on my system.
    The first time I noticed it was while running zoom. Suddenly a little
    (say 100x60) window opened up in the bottom right area of my screen with
    a picture of a woman with large naked breasts appeared, was up for
    about 7 sec with some text and then vanished. After I had closed zoom, (
    and it was no longer running on my system) other such ads would appear
    and then disappear, each time for only a few seconds. These would occur
    in general with about an hour or so between them (although at least once
    it was just a few minutes between two of them). Sometimes they were not
    of naked women telling me they wanted me, but some advertisement for something I did not have time to read, so it was not just zoom that was
    doing this.

    I usually have a chrome window open, I tried to shut down all web pages
    which I thought might have been triggering this, but that did not help.
    I finally shut down chrome entirely and that seems to have stopped the
    show. I have not noticed this today, while I am using chrome again.

    Does anyone know what could be doing this? I have never had this happen before. Mind you I think I have had popups blocked and then when I
    wanted to read a newspaper article I opened up the popups again as that website demanded I do so to read the article, and did not block them
    again afterwards, so that could have been the problem, with that web
    site somehow keeping the web page open that was feeding them to my
    system. But that is just a theory.

    Does anyone else have experience with something like this? Is it an indication that my system might have been hacked? Via Zoom? via Chrome?

    Scan for processes, but it seems that it is a chrome feature ;)
    There is no ActiveX on Linux, so you can look at what process
    is responsible...

    via ????

    Thanks.


    --
    press any key to continue or any other to quit...
    There is nothing I enjoy as much as my status as an INVALID -- Zli Zec
    We are all witnesses: about 3 years of intensive propaganda is enough to drive a nation mad -- Zli Zec
    In the Wild West there was not actually that much violence, precisely because everyone
    was armed. -- Mladen Gogala

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: usenet-news.net (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Sun Apr 19 17:09:49 2020
    On 2020-04-19, J.O. Aho <user@example.net> wrote:
    ....

    I would recommend to not use Zoom at all, it's not their lack of
    securing the conferences, it's also their homegrown encryption is so bad that it's not much difference from sending the data in plain text.

    You know this how? I doubt that zoom allowed you access to their source
    code for the encryption. It is of course possible you are right (many
    people think encryption is easy) but that is not what you state. You
    state it as a fact.



    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Sun Apr 19 17:15:42 2020
    On 2020-04-19, Melzzzzz <Melzzzzz@zzzzz.com> wrote:

    Scan for processes, but it seems that it is chrome feature ;)
    There is no ActiveX on Linux, as you can look what process
    is responsible...

    The ad is not up for long enough-- less than 10 sec. To notice it, and
    to react usually takes longer than that.


    via ????

    Thanks.



    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From David W. Hodgins@2:250/1 to All on Sun Apr 19 17:18:58 2020
    On Sun, 19 Apr 2020 12:09:49 -0400, William Unruh <unruh@invalid.ca> wrote:

    On 2020-04-19, J.O. Aho <user@example.net> wrote:
    ...

    I would recommend to not use Zoom at all, it's not their lack of
    securing the conferences, it's also their homegrown encryption is so bad
    that it's not much difference from sending the data in plain text.

    You know this how? I doubt that zoom allowed you access to their source
    code for the encryption. It is of course possible you are right (many
    people think encryption is easy) but that is not what you state. You
    state it as a fact.

    Their use of home grown encryption has been discussed in security and/or risk assessment areas, as well as in the general press.

    For example https://tech.slashdot.org/story/20/04/03/165216/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover

    It uses poorly designed encryption between the end user and the zoom servers where
    it's decrypted, prior to being re-encrypted for each of the other users of the same
    meeting. It's very fast encryption/decryption, but not secure.

    As a result, zoom usage has been banned by many governments and companies.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Soviet_Mario@2:250/1 to All on Sun Apr 19 17:56:48 2020
    On 19/04/20 15:03, J.O. Aho wrote:
    On 19/04/2020 14.02, Soviet_Mario wrote:
    On 19/04/20 02:12, David W. Hodgins wrote:

    If you were running either zoom or chrome as root, then
    the system could easily
    have been hacked, and the only way to confirm would be to
    boot from an external


    a trivial (for you) question :
    as a single user with a single account (sudo enabled) I
    could be defined as a user with potential threats of that
    kind .... but I think that, when launching apps like
    firefox from the Whisker Menu, invoking it normally
    and not via sudo, I should not be using it "as root",
    would I ?

    If you are logged in as a normal user, and you run something

    Dunno : I am logged in as single (I mean no other account
    exist, and this user is an "admin") user.

    from the DE menu, they tend to be run as the normal user,

    Is there a way to inquire the privilege level of a
    running process ?

    unless you have reconfigured the app to run as some other
    user (some DE's have a simple option to pick another user,
    but tend to be that you need to provide a password unless
    you have also edited the sudoers).


    no, I did not customize anything


    I mean, even the root user can launch apps without
    necessarily endow them with superpowers, or not ?

    root is superuser, so root has to become a normal user with
    su/sudo and telling which user. The main thing is, you are
    just stupid if you use root as a normal user, the only time
    you should and need to have root privileges is when you make
    system changes.

    I have only one user created. When I try to execute some
    processes (Synaptic, Gparted and Disks, BleachBit (root))
    they asks me for password. From this I tend to think that,
    in spite of being an admin, most of work still goes on as
    plain user.
    Firefox does not asks for password (apart from its internal
    master pwd)

    If you still think it's cool to run as root, then you can
    switch to microsoft windows instead.

    cool ? why exactly ?
    Anyway, I am the only person on the machine, so I created
    one user only. But I never try to escalate privileges if not
    necessary (e.g. when some programs ask to, or when I am
    denied to change some file and have to)



    device that wasn't mounted in read/write mode while the
    hack was running, and
    carefully examining the system for changes. Not easy to
    do, but possible.

    If they were running as a user, a logout/in or reboot
    would end the loading of the
    sites unless an entry was added to autostart it on user
    login. For that, reboot,
    login as another user, and examine all files the user has
    write access that were
    modified recently for any scripts, etc. that shouldn't be
    there. Also delete
    any files in the cache for the possibly infected user.

    in your experience, what other strange behaviour should
    one pay attention to in order to discover some hacking ?
    Apart from VISIBLE pop-ups ...

    Anything out of the normal, as extra network traffic for
    example.

    I don't run any lightweight network monitor.
    It would be nice to find one for XFCE. Just an icon on the
    taskbar that, upon hovering the mouse over, pops up some
    info dnld/upld speed and so.... do you know any ?

    As we ain't using your computer, we can't say what is normal
    on it.

    no, I am not suspecting, I was just asking for some general
    criteria

    It's good to run things like rkhunter, chkrootkit, clamav,

    I have clamav but is not in autorun at startup.

    I also have rkhunter (but I had forgotten to :)). Now I
    launch it and see the response.

    done (it scanned a lot of things !)

    I got 2 warnings

    /usr/bin/curl [ Warning ]
    /usr/bin/lwp-request [ Warning ]
    but dunno what the problem is. Should I try to reinstall
    those packages ?


    on network section the warning are more numerous

    Checking for passwd file changes [ Warning ]
    Checking for group file changes [ Warning ]
    Checking if SSH root access is allowed [ Warning ]
    Checking if SSH protocol v1 is allowed [ Warning ]
    Checking for hidden files and directories [Warning]


    Overall it does not seem worrying situation, but I


    chkrootkit no, I don't have it. I'll search later on the repo.


    sure they won't be 100% detecting everything but at least
    you lessen the possibility for someone taking over your
    machine without you knowing it.


    Sometimes I look into task list, but that is useful only
    when I suspect sth wrong "a priori" so I know more or less
    what to look for, and not in general, as many processes
    are unknown to me but perfectly legal as system services

    There are methods to hide processes, so looking at the
    processes running won't give you the whole picture of your
    computers activities.

    ah, I did not know that.
    :\




    There are different threat levels and acceptable risk
    levels for different people.

    For an average person running any linux system, the
    primary threat is financial. If

    that is stealing credit card numbers stored somewhere ?
    Many sites using E-carts store it also (dunno if just
    remotely, locally and remotely, or just locally ... I
    think whichever is the worst for me :) :) )

    Storing card numbers and card holder data is regulated under
    PCI DSS, if you don't follow the regulations you will not be
    able to process MasterCard, Visa and JCB, most likely other
    cards will follow to ban you too.

    I'm unaware of following or not following anything, I mean :
    FF (and the sites) does what It deem proper. I SAVE login
    info (under a master password), and surely this is a
    potential threat, but otherwise it would be too error-prone
    and annoying to manually fill forms :\


    It may look for you as it's the e-cart that keeps your card
    data, but it's the payment provider, which is a company
    providing a service to the e-commerce site you are buying
    from. If the e-commerce site would keep your card data, it
    would be a high cost for them, PCI Audits annually, fees to
    pay and even more if card holder data would leak.

    I just used seldom Amazon, Ebay, Wind (IT service provider)
    and a few others : all of them store the card number. But as
    I said, dunno WHERE. I have no restricted policy on COOKIES,
    so most might be saved HERE and not out ... too complex for
    me to try to discover such details :(



    you are concerned that it was more than just zoom
    bombing, and you use the possibly
    infected account for anything financial, after ensuring
    the system is no longer
    infected, change all passwords for financial websites.

    For someone working with high value information, thanks
    to the mini os called uefi,
    the motherboard and hard drives should be replaced as the
    firmware on either could
    be infected leaving a persistent threat that cannot be
    easily found or removed.

    Holy God ...
    frightening

    The scary thing is that you can have a malware installed on
    your CPU, running on the Minix that Intel uses in their
    CPU's, the malware will have total control of your computer
    regardless OS and of course access to all data that the CPU
    accessing like authentication keys.

    yes, I had gathered that such stuff would run transparently and
    under the OS level, alas


    There is no way for you to check what is running on the Minix.

    here on this old machine (from 2010) maybe there is no such
    stuff ... the new one ... who knows. It is a SiC computer,
    intel.





    Personally, if a reboot, or logout/login stops the
    popups, I wouldn't worry further
    about it. But that's up to you. I wouldn't use zoom
    though, except possibly in a
    vb guest created just for running zoom, so it doesn't
    have any access to the host
    system's files.

    A problem with virtualization is that it ain't as secure;
    you are giving the GuestOS too close contact to the hardware,
    and bugs in the virtualization layer have in the past allowed
    the GuestOS to access the HostOS directly.

    With the CPU bugs (mainly Intel), there are possibilities to
    get data from the HostOS in the same way as if you had run the
    application directly in the HostOS.

    I would recommend to not use Zoom at all, it's not their
    lack of securing the conferences, it's also their homegrown
    encryption is so bad that it's not much difference from
    sending the data in plain text.


    luckily I don't need Zoom.

    Do you think the half a dozen warnings I got from RKHUNTER are
    worthwhile ?




    --
    1) Resist, resist, resist.
    2) If everyone pays their taxes, then taxes are paid by everyone
    Soviet_Mario - (aka Gatto_Vizzato)

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Soviet_Mario@2:250/1 to All on Sun Apr 19 18:00:47 2020
    On 19/04/20 15:28, Bit Twister wrote:
    On Sun, 19 Apr 2020 14:02:21 +0200, Soviet_Mario wrote:
    On 19/04/20 02:12, David W. Hodgins wrote:

    For an average person running any linux system, the primary
    threat is financial. If

    that is stealing credit cards number stored somewhere ?

    From your standpoint, it is kinda a man in the middle crack.

    The browser poisoned DNS Crack:
    Let's say you have been surfing and have passed through a malware infected site. As you view pages/articles the malware gets a criminal site's DNS
    value into your browser's DNS cache for wherever you bank or use your
    credit card. The next time you access that "secured" site, the criminal's site gets your critical information and sends you on to the real site.

    Other crack is the malware attacks your router and configures it to
    use the criminals DNS server.

    For the browser crack, your only defense is always close/exit your
    browser when you are going to log into any site that requires id/pw/credit
    card.

    For the router crack, you need to be running your own DNS server.
    I installed the bind package and have the name daemon server doing the look
    ups.
    Best I can do to prevent router access via browser was to configure privoxy
    to block access to my router ip address.

    snippet from one of my privoxy configuration files.

    { +block +handle-as-image }
    .adshuffle.*
    adserver.adtechus.com/*
    adserver.adtech.de/*
    .mspmentor.net/*
    .murdoog.com/*
    neatfeedback.com/*
    .pointroll.*
    .bluestreak.*
    tcr.tynt.com/*
    .media-servers.net/*
    .linksynergy.com/*
    .unanimis.co.uk/*

    { +block }
    192.168.11.1

    ##------------ end /var/local/config/xx__my.action ------------


    I can't cope with such level of handling ... really, too
    complicated for me :(

    --
    1) Resist, resist, resist.
    2) If everyone pays their taxes, then taxes are paid by everyone
    Soviet_Mario - (aka Gatto_Vizzato)

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Soviet_Mario@2:250/1 to All on Sun Apr 19 18:34:11 2020
    On 19/04/20 16:27, David W. Hodgins wrote:
    On Sun, 19 Apr 2020 08:02:21 -0400, Soviet_Mario
    <SovietMario@cccp.mir> wrote:

    a trivial (for you) question :
    as a single user with a single account (sudo enabled) I
    could be defined as a user with potential threats of that kind
    .... but I think that, when launching apps like firefox from
    the Whisker Menu, invoking it normally and not via sudo,
    I should not be using it "as root", would I ?
    I mean, even the root user can launch apps without
    necessarily endowing them with superpowers, or not ?

    It depends on how sudo has been configured. Don't set it to
    cache the password.
    Don't use setuid or setgid programs without ensuring it's
    necessary, and worth the risk.

    Never run anything that accesses the internet as root, with
    the exception of distro supplied update utilities, or simple
    tools such as ping and traceroute when debugging a connection.

    in your experience, what other strange behaviour should one
    pay attention to in order to discover some hacking ? Apart
    from VISIBLE pop-ups ...
    Sometimes I look into task list, but that is useful only
    when I suspect sth wrong "a priori" so I know more or less
    what to look for, and not in general, as many processes are
    unknown to me but perfectly legal as system services

    For all users, no matter what os they are using ...
    https://www.techsupportalert.com/safe-hex-safe-computing-practices.htm

    First, remember that security is not a goal you can
    accomplish. It's a process built of many layers, that is
    always a work in progress.

    For Mageia users, there is a tool called msec that produces
    daily and weekly reports of what is running when it does, that
    is accessing or listening to the network. It includes a report
    of what's changed in that list since it last ran, as well as
    what packages have been changed. Get used to what the reports
    show, and pay attention to the changes. The msec tools can also
    be used to configure security based on your needs.
    https://doc.mageia.org/mcc/5/en/content/mcc-security.html

    For all linux users, don't install packages that come from
    sources other than the distribution, without careful
    consideration. Avoid closed source packages like zoom, unless
    you have no choice. If you must run a package like zoom, keep
    it in a virtual machine. While there are security bugs found
    from time to time in the various virtualization technologies,
    it's another layer of security that makes it harder for
    malware to access your data.

    Learn how to work with files that are kept encrypted while
    on disk, and only accessible when you actually need to work
    with the data they contain. There are many ways to accomplish
    this, such as using an encrypted filesystem within files.

    The only time one of my systems has been infected, it was
    with the virus called ripper (back in dos 6.22 days). I was
    careless in that I used a brand new disk drive that had been
    partitioned by the retail store clerk, without scanning it
    for a virus first.
    https://malware.wikia.org/wiki/Ripper
    As it was a stealth rootkit, I only became aware of it when
    a program I'd written did an md5sum check of itself and found
    it had been modified, so refused to run with an error message
    explaining it had been changed.

    For linux users, there are a wide variety of tools to do
    consistency checks for files, such as aide. Learn about them,
    and use them.

    There are distributions that are very security oriented,
    such as qubes os.
    https://www.qubes-os.org/faq/

    Even if you don't decide to use it, it provides a useful
    guide to compartmentalization. The concepts it discusses can
    be implemented in many ways, such as using different logins
    for different functions.

    Whether using different logins, or different virtual
    machines, the separations of what data is accessible to what
    user's programs are methods of implementing one level of
    security.

    For threats such as meltdown and spectre, the only real
    protection is to disable hyper threading. It cuts the cpus
    available by 50%, but for most people the actual impact of
    the reduction is minor.

    For bugs in firmware, if the hardware allows it, burn new
    firmware images into the EPROM or flash memory, whenever the
    new version includes security fixes that fix bugs that may
    apply to that system's usage. Be aware that burning firmware
    images may result in physical damage to the storage meaning
    the hardware will have to be replaced, so take that concern
    into account too.

    When buying new hardware, take the time to research known
    security issues with the hardware from that manufacturer.

    Security is a process. It's up to you to decide what
    activities are worth what level of risk.

    One example I'll give is router security. I have my router's
    ip address changed to a non default address, so if its
    settings get remotely reset, I'll lose internet and lan access
    till I figure out what's wrong and fix it.
    I don't use the router's dns server. I run bind on one of my
    systems, and use that as the name server for all systems on
    my lan. I also have it configured to block many ad servers,
    as they are a notorious source of javascript malware.
    https://github.com/Trellmor/bind-adblock

    Regards, Dave Hodgins


    a full fledged tutorial !

    I'll have a look at QUBES, to have it on a DVD for any eventuality


    --
    1) Resist, resist, resist.
    2) If everyone pays their taxes, then taxes are paid by everyone
    Soviet_Mario - (aka Gatto_Vizzato)


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Mike Easter@2:250/1 to All on Sun Apr 19 18:40:44 2020
    William Unruh wrote:
    The ad is not up for long enough-- less than 10 sec. To notice it, and
    to react usually takes longer than that.

    Did you clean up your browser yet?

    From: Mike Easter
    Subject: Re: popup ads appearing on my system.
    Date: Sat, 18 Apr 2020 15:42:39 -0700
    Message-ID: <hg1e30F7qddU1@mid.individual.net>

    http://al.howardknight.net/?ID=158731801800

    --
    Mike Easter

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1@fidonet)
  • From David W. Hodgins@2:250/1 to All on Sun Apr 19 19:24:20 2020
    On Sun, 19 Apr 2020 12:56:48 -0400, Soviet_Mario <SovietMario@cccp.mir> wrote:

    Dunno : I am logged in as single (I mean no other account
    exist, and this user is an "admin") user.

    If the command "id -u" returns anything other than 0 then you are not logged
    in as root. The definition of an admin user varies from one distribution to another, as each one sets up default security as decided by its packagers.

    from the DE menu, they tend to be run as the normal user,
    Is it there a way to inquiry the privilege level of a
    running process ?

    Many ways. The commands top, htop, the kde gui program ksysguard, or the gnome gui program systemmonitor will all show which user each program is running as.

    no, did not customize nothing

    That means you are relying on the distribution's packagers to have selected acceptable defaults. Likely true.

    I have only one user created. When I try to execute some
    processes (Synaptic, Gparted and Disks, BleachBit (root))
    they asks me for password. From this I tend to think that,
    in spite of being an admin, most of work still goes on as
    plain user.

    Correct. Most gui login programs will not allow you to log in directly as
    root.

    Firefox does not asks for password (apart from its internal
    master pwd)

    If you still think it's cool to run as root, then you can
    switch to microsoft windows instead.

    cool ? why exactly ?

    The implication is that if you choose to run everything as root, then you would
    be better off using windows, since it demonstrates a complete lack of care about
    your data. Even windows has some security, though it is poor. Running everything
    as root pretty well means having no security.

    Anyway, I am the only person on the machine, so I created
    one user only. But I never try to escalate privileges if not
    necessary (I.G. when some programs ask to, or when I am
    denied to change some file and have to)

    The one user you created is a normal user (even if it has admin privileges). The
    root user is created very early in the installation process on all linux systems.

    The admin privileges just means the id can do more than a user who doesn't have
    admin privileges, but not nearly as much as root can do. What additional permissions are granted to an admin user varies from one distribution to another,
    and is largely dependent on what packages have been installed.

    I don't run any lightweight network monitor.
    It would be nice to find one for XFCE. Just an icon on the
    taskbar that, upon hovering the mouse over, pops up some
    info dnld/upld speed and so.... do you know any ?

    See if the distribution you're using has the package net_monitor available.

    It's good to run things like rkhunter, chkrootkit, clamav,

    Both rkhunter and chkrootkit have false positives. For them to be of any use, you'll have to learn which of the items they report are false.

    It's best to run them right after a new install, so you can get used to which items they falsely report as being a problem, with that distribution's default setup.

    I have clamav but is not in autorun at startup.

    Note that clamav is used to scan for windows malware. It's only useful if the linux system is either being used to scan windows installations on the same computer, or to scan files that will be made available for windows users.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
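The exchange above answers "is there a way to inquire the privilege level of a running process" with id -u, top, htop and the like. As an added example (not from any of the posters), the script below shows where those tools get the answer: the Uid line of /proc/<pid>/status, which carries the real and the effective uid. The two differ only for a process started through a setuid program such as sudo or su, which is the case the earlier advice about setuid programs warns about. It assumes Linux procfs and falls back to ps(1) elsewhere; the process names given to audit_by_name (chrome, zoom) are just the ones from this thread.

```shell
#!/bin/sh
# Added example: which user is a running process actually executing as?
# Assumes Linux /proc; falls back to ps(1) where /proc/<pid>/status is absent.

# Print "<real uid> <effective uid>" for a PID (empty if the PID is gone).
# The Uid: line in /proc/<pid>/status lists real, effective, saved and
# filesystem uids; the first two are what matter for "am I root here?".
proc_uids() {
    pid="$1"
    if [ -r "/proc/$pid/status" ]; then
        awk '/^Uid:/ { print $2, $3 }' "/proc/$pid/status"
    else
        ps -o ruid= -o uid= -p "$pid" 2>/dev/null | awk 'NF { print $1, $2 }'
    fi
}

# Classify a PID by its *effective* uid: "root" if 0, "user" otherwise,
# "gone" (and a non-zero return) if there is no such process.  A process
# whose real uid is yours but whose effective uid is 0 came via setuid.
proc_privilege() {
    set -- $(proc_uids "$1")
    [ -n "$2" ] || { echo gone; return 1; }
    if [ "$2" -eq 0 ]; then echo root; else echo user; fi
}

# List every process whose command name matches a pattern (pgrep matches
# the process name, not the full command line, so the script itself is not
# reported) and fail if any of them runs with an effective uid of 0.
audit_by_name() {
    pat="$1"
    rc=0
    for pid in $(pgrep -- "$pat" 2>/dev/null); do
        set -- $(proc_uids "$pid")
        priv=$(proc_privilege "$pid")
        printf '%-8s ruid=%-6s euid=%-6s %s\n' "$pid" "$1" "$2" "$priv"
        [ "$priv" = root ] && rc=1
    done
    return $rc
}

# Usage: sh check_priv.sh chrome zoom firefox
# (no arguments: report on the current shell only)
if [ "$#" -eq 0 ]; then
    printf 'this shell (%s): %s, uids: %s\n' "$$" "$(proc_privilege "$$")" "$(proc_uids "$$")"
else
    for name in "$@"; do audit_by_name "$name"; done
fi
```

If a browser or conferencing client ever shows euid=0 here, that is the situation the thread describes as "the system could easily have been hacked"; the fix is to stop launching it through sudo or a root menu entry, not to whitelist it.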
  • From J.O. Aho@2:250/1 to All on Sun Apr 19 19:29:14 2020
    On 19/04/2020 18.56, Soviet_Mario wrote:
    On 19/04/20 15:03, J.O. Aho wrote:
    On 19/04/2020 14.02, Soviet_Mario wrote:
    On 19/04/20 02:12, David W. Hodgins wrote:

    If you were running either zoom or chrome as root, then the system
    could easily
    have been hacked, and the only way to confirm would be to boot from
    an external


    a trivial (for you) question :
    as a single user with a single account (sudo enabled) I could be
    defined an user with potential threats of that kind .... but I think
    that, when launching apps like firefox from Wiskers Menu without,
    invoking it normally and not via sudo, I should not be using it "as
    root", would I ?

    If you are logged in as a normal user, and you run something

    Dunno : I am logged in as single (I mean no other account exist, and
    this user is an "admin") user.

    There is no single user Linux, you will always have multiple users, one
    of those is root, some distributions prevent you from logging in as root by
    default, but sure you can become or execute as root with the help of sudo.

    So if your user is root, then you have all the power in the world, if
    your user has another name, it needs in most cases to authenticate itself
    before it can execute or assume root with the help of sudo, but still the user is unprivileged in regards of what they can do without sudo.


    from the DE menu, they tend to be run as the normal user,

    Is it there a way to inquiry the privilege level of a running process ?

    Of those that are not hidden, "ps aux" will tell you as whom each process is
    run.


    I mean, even the root user can launch apps without necessarily endow
    them with superpowers, or not ?

    root is superuser, so root has to become a normal user with su/sudo
    and telling which user. The main thing is, you are just stupid if you
    use root as a normal user, the only time you should and need to have
    root privileges is when you make system changes.

    I have only one user created. When I try to execute some processes (Synaptic, Gparted and Disks, BleachBit (root)) they ask me for
    password.

    Then your user ain't root, had it been root, then you wouldn't have been
    asked for a password.



    to your experience, what other strange behaviour should one pay
    attention to in order to discover some hacking ? A part from VISIBLE
    pop-ups ...

    Anything out of the normal, as extra network traffic for example.

    I don't run any lightweight network monitor.
    It would be nice to find one for XFCE. Just an icon on the taskbar that, upon hovering the mouse over, pops up some info dnld/upld speed and
    so.... do you know any ?

    Quite many use conky or GKrellM, at least one of those should be part
    of your distribution's repository. Then you can see graphs of your
    network, cpu, ram, swap and so on depending on what you configure to see.



    As we ain't using your computer, we can't say what is normal on it.

    no, I am not suspecting, I was just asking for some general criteria

    It's good to run things like rkhunter, chkrootkit, clamav,

    I have clamav but is not in autorun at startup.

    I also have rkhunter (but I had forgotten to :)). Now I launch it and
    see the response.

    done (it scanned a lot of things !)

    I got 2 warnings

    /usr/bin/curl    [ Warning ]
    /usr/bin/lwp-request    [ Warning ]
    but dunno what the problem is. Should I try to reinstall those packages ?

    You should see in the log why it's a warning, it will tell you more.
    if you are lazy, just grep the rows from the log:

    grep Warning /var/log/rkhunter.log

    As rkhunter keeps its own database of some important files, it may be
    that you never ran "rkhunter --propupd" after you updated your system,
    so the checksum will differ.

    Sure, you can reinstall the packages and then run the propupd.



    In the network section the warnings are more numerous

    Checking for passwd file changes    [ Warning ]
    Checking for group file changes    [ Warning ]

    This can be because you installed something like mariadb after the first
    run of rkhunter; then you have a new user and group in your passwd/group
    files.


    Checking if SSH root access is allowed    [ Warning ]
    Checking if SSH protocol v1 is allowed    [ Warning ]

    You should update your SSH config, disable protocol v1 and deny root access.


    Checking for hidden files and directories    [Warning]

    This is a bit tricky; you have to check the log for which
    directories/files have been found. It doesn't necessarily mean you have
    been compromised; it can just be some directories created by your distro.

    If the distro created the directories/files, you should whitelist them.


    There are different threat levels and acceptable risk levels for
    different people.

    For an average person running any linux system, the primary threat
    is financial. If

    that is stealing credit card numbers stored somewhere ? Many sites
    using E-carts store them also (dunno if just remotely, locally and
    remotely, or just locally ... I think whichever is the worst for me
    :) :) )

    Storing card numbers and card holder data is regulated under PCI DSS;
    if you don't follow the regulations you will not be able to process
    MasterCard, Visa and JCB, and most likely other cards will follow to ban
    you too.

    I'm unaware of following or not following anything, I mean : FF (and
    the sites) does what it deems proper. I SAVE login info (under a master
    password), and surely this is a potential threat, but otherwise it would
    be too error-prone and annoying to manually fill forms :\

    You can use a password manager: you store the password there, and each
    time you need it you fetch it from the manager and paste it into the
    password field.

    In some browsers like SeaMonkey you can have a master password; each
    time the browser needs a password, it asks you for the master password
    to decrypt the passwords before using them in the form.


    There is no way for you to check what is running on the Minix.

    here on this old machine (from 2010) maybe there is no such stuff ...
    the new one ... who knows. It is a SiC computer, intel.

    Unless your CPU is from before 2008, you will have ME on your
    Intel CPU.

    --

    //Aho

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1@fidonet)
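    An added check for the two SSH warnings discussed above (example code, not rkhunter's or OpenSSH's own). It reads an sshd_config the way sshd does, as documented in sshd_config(5): keywords are case-insensitive, the first value given for a keyword wins, and directives after a Match line are conditional rather than global. The sample configs are constructed.

```python
"""Check an sshd_config for the two rkhunter SSH warnings in the thread.

Added example, not rkhunter's or OpenSSH's code.  Assumed sshd_config
semantics (from sshd_config(5)): keywords are case-insensitive, '#' starts
a comment, "Keyword value" and "Keyword=value" are both accepted, the FIRST
value given for a keyword is the one sshd uses, and directives after a
'Match' line are conditional, so they are not global settings.
"""
import re

_DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_global_settings(config_text):
    """Return {keyword.lower(): value} for the effective global directives."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                                # the rest is conditional
        settings.setdefault(key, value)          # first occurrence wins
    return settings


def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means both warnings are cleared."""
    s = parse_global_settings(config_text)
    findings = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set, so the sshd default applies "
                        "(it differs between OpenSSH versions); set 'PermitRootLogin no'")
    elif root.lower() != "no":
        # 'prohibit-password' (key-only root login) is flagged as well, since
        # the advice in the thread is to deny root access over SSH entirely.
        findings.append(f"PermitRootLogin {root}: root can log in over SSH; "
                        "set 'PermitRootLogin no'")
    proto = s.get("protocol")
    if proto is not None and "1" in [p.strip() for p in proto.split(",")]:
        findings.append(f"Protocol {proto}: SSH protocol 1 is allowed; set 'Protocol 2'")
    return findings


# Constructed sample configs, not copied from any real host.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no      # ignored by sshd: the first value above wins
Match User backup
    PermitRootLogin no  # conditional, applies to one user only
"""

FIXED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["no findings"])
```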
  • From John Hasler@2:250/1 to All on Sun Apr 19 19:22:07 2020
    Bit Twister writes:
    Best I can do to prevent router access via browser was to configure
    proxy to block access to my router ip address.

    Best that you can do to prevent router access via browser is to run a
    router that has no Web server. Mine is accessible only from the LAN and
    only via ssh.
    --
    John Hasler
    jhasler@newsguy.com
    Dancing Horse Hill
    Elmwood, WI USA

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Dancing Horse Hill (2:250/1@fidonet)
  • From John Hasler@2:250/1 to All on Sun Apr 19 19:15:55 2020
    Soviet_Mario writes:
    I have only one user created. When I try to execute some processes
    (Synaptic, Gparted and Disks, BitBleach(root)) they ask me for a
    password. From this I tend to think that, in spite of being an admin,
    most of the work still goes on as a plain user.

    "Being an admin" just means that you are in the sudoers file with
    permission to run programs as root if and only if you give your
    password. Every other program you start runs as a normal user (you).
    --
    John Hasler
    jhasler@newsguy.com
    Dancing Horse Hill
    Elmwood, WI USA

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Dancing Horse Hill (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Sun Apr 19 20:23:34 2020
    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    ....

    Their use of home-grown encryption has been discussed in security and/or
    risk assessment areas, as well as in the general press.

    For example
    https://tech.slashdot.org/story/20/04/03/165216/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover

    It of course gives no indication as to what that encryption is. It tends
    to be vitiated by their rant against China. We know that the USA puts
    pressure on companies to reveal keys, and zoom has many many people in
    the USA. But they have to pick on China, which is the modern boogie
    man. We have gone away from Muslims to China. I can understand Trump
    doing it to try to throw dust to hide his own incompetence, but everyone
    seems to be stampeding onto that wagon. I have no idea why these are
    "surprising links".


    It uses poorly designed encryption between the end user and the zoom
    servers where it's decrypted, prior to being re-encrypted for each of
    the other users of the same meeting. It's very fast
    encryption/decryption, but not secure.





    As a result, zoom usage has been banned by many governments and companies.

    Many of whom know even less about encryption or security.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Sun Apr 19 20:25:58 2020
    On 2020-04-19, Mike Easter <MikeE@ster.invalid> wrote:
    William Unruh wrote:
    The ad is not up for long enough-- less than 10 sec. To notice it, and
    to react, usually takes longer than that.

    Did you clean up your browser yet?

    Yes, and I have not seen those ads again.
    I will have to keep an eye on things however.

    From: Mike Easter
    Subject: Re: popup ads appearing on my system.
    Date: Sat, 18 Apr 2020 15:42:39 -0700
    Message-ID: <hg1e30F7qddU1@mid.individual.net>

    http://al.howardknight.net/?ID=158731801800


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Sun Apr 19 20:51:26 2020
    On 2020-04-19, Soviet_Mario <SovietMario@CCCP.MIR> wrote:
    On 19/04/20 15:03, J.O. Aho wrote:
    On 19/04/2020 14.02, Soviet_Mario wrote:
    On 19/04/20 02:12, David W. Hodgins wrote:

    If you were running either zoom or chrome as root, then
    the system could easily
    have been hacked, and the only way to confirm would be to
    boot from an external


    a trivial (for you) question :
    as a single user with a single account (sudo enabled) I
    could be defined as a user with potential threats of that
    kind .... but I think that, when launching apps like
    firefox from the Whisker Menu, invoking it normally
    and not via sudo, I should not be using it "as root",
    would I ?

    If you are logged in as a normal user, and you run something

    Dunno : I am logged in as single (I mean no other account
    exist, and this user is an "admin") user.

    No idea what you mean by "admin" in a linux context. Or are you using
    Windows?


    from the DE menu, they tend to be run as the normal user,

    Is there a way to inquire about the privilege level of a
    running process ?

    ps will give you a clue.


    unless you have reconfigured the app to run as some other
    user (some DEs have a simple option to pick another user,
    but it tends to be that you need to provide a password unless
    you have also edited the sudoers).


    no, I did not customize anything


    I mean, even the root user can launch apps without
    necessarily endowing them with superpowers, or not ?

    A root user has access to everything on the machine. It can open and
    alter any file on the machine. If a hacker breaks in, then as root he
    can run anything.


    I have only one user created. When I try to execute some
    processes (Synaptic, Gparted and Disks, BitBleach(root))
    they ask me for a password. From this I tend to think that,
    in spite of being an admin, most of the work still goes on as
    a plain user.

    Which means you have at least one other user on your machine. In fact
    you probably have about 50 of them. Look in /etc/passwd. Those are all
    users.

    Firefox does not ask for a password (apart from its internal
    master pwd)

    If you still think it's cool to run as root, then you can
    switch to microsoft windows instead.

    cool ? why exactly ?
    Anyway, I am the only person on the machine, so I created
    one user only. But I never try to escalate privileges if not
    necessary (e.g. when some programs ask to, or when I am
    denied to change some file and have to)

    By escalate privilege I assume you mean run as root.




    device that wasn't mounted in read/write mode while the hack was
    running, and carefully examining the system for changes. Not easy to
    do, but possible.

    If they were running as a user, a logout/in or reboot would end the
    loading of the sites unless an entry was added to autostart it on user
    login. For that, reboot, login as another user, and examine all files
    the user has write access to that were modified recently for any
    scripts, etc. that shouldn't be there. Also delete any files in the
    cache for the possibly infected user.

    In your experience, what other strange behaviour should
    one pay attention to in order to discover some hacking ?
    Apart from VISIBLE pop-ups ...

    Anything out of the normal, as extra network traffic for
    example.

    I don't run any lightweight network monitor.
    It would be nice to find one for XFCE. Just an icon on the
    taskbar that, upon hovering the mouse over it, pops up some
    info on dnld/upld speed and so.... do you know any ?

    gkrellm?


    As we ain't using your computer, we can't say what is normal
    on it.

    no, I am not suspecting, I was just asking for some general
    criteria

    It's good to run things like rkhunter, chkrootkit, clamav,

    I have clamav but it is not set to autorun at startup.

    I also have rkhunter (but I had forgotten to :)). Now I
    launch it and see the response.

    done (it scanned a lot of things !)

    I got 2 warnings

    /usr/bin/curl [ Warning ]
    /usr/bin/lwp-request [ Warning ]
    but dunno what the problem is. Should I try to reinstall
    those packages ?


    In the network section the warnings are more numerous


    Look in /var/log/rkhunter for details on the warnings.


    Checking for passwd file changes [ Warning ]
    Checking for group file changes [ Warning ]
    Checking if SSH root access is allowed [ Warning ]
    Checking if SSH protocol v1 is allowed [ Warning ]
    Checking for hidden files and directories [Warning]


    Overall it does not seem a worrying situation, but I


    chkrootkit no, I don't have it. I'll search later on the repo.


    Sure, they won't detect 100% of everything, but at least
    you lessen the possibility of someone taking over your
    machine without you knowing it.


    Sometimes I look into task list, but that is useful only
    when I suspect sth wrong "a priori" so I know more or less
    what to look for, and not in general, as many processes
    are unknown to me but perfectly legal as system services

    There are methods to hide processes, so looking at the
    processes running won't give you the whole picture of your
    computer's activities.

    ah, I did not know that.
    :\




    There are different threat levels and acceptable risk
    levels for different people.

    For an average person running any linux system, the
    primary threat is financial. If

    that is stealing credit card numbers stored somewhere ?
    Many sites using E-carts store them also (dunno if just
    remotely, locally and remotely, or just locally ... I
    think whichever is the worst for me :) :) )

    Storing card numbers and card holder data is regulated under
    PCI DSS; if you don't follow the regulations you will not be
    able to process MasterCard, Visa and JCB, and most likely other
    cards will follow to ban you too.

    I'm unaware of following or not following anything, I mean :

    His comment was if you are accepting credit cards to have others pay
    you, not you as a user of those credit cards.

    FF (and the sites) does what it deems proper. I SAVE login
    info (under a master password), and surely this is a
    potential threat, but otherwise it would be too error-prone
    and annoying to manually fill forms :\


    It may look to you as if it's the e-cart that keeps your card
    data, but it's the payment provider, which is a company
    providing a service to the e-commerce site you are buying
    from. If the e-commerce site kept your card data, it
    would be a high cost for them: PCI audits annually, fees to
    pay and even more if card holder data leaked.

    I have just seldom used Amazon, Ebay, Wind (IT service provider)
    and a few others : all of them store the card number. But as
    I said, dunno WHERE. I have no restrictive policy on COOKIES,
    so most might be saved HERE and not out ... too complex for
    me to try to discover such details :(

    Yes, they may or may not store your credit cards on their system.
    However your browser may also store your credit cards in the browser.
    On chrome: Settings -> AutoFill -> Payment Methods





    you are concerned that it was more than just zoom bombing, and you use
    the possibly infected account for anything financial, after ensuring
    the system is no longer infected, change all passwords for financial
    websites.

    For someone working with high value information, thanks to the mini os
    called uefi, the motherboard and hard drives should be replaced as the
    firmware on either could be infected leaving a persistent threat that
    cannot be easily found or removed.

    Holy God ...
    frightening

    The scary thing is that you can have malware installed on
    your CPU, running on the Minix that Intel uses in their
    CPUs; the malware will have total control of your computer
    regardless of OS and of course access to all data that the CPU
    is accessing, like authentication keys.

    yes, I had gotten that such stuff would run transparently and
    under the OS level, alas


    There is no way for you to check what is running on the Minix.

    here on this old machine (from 2010) maybe there is no such
    stuff ... the new one ... who knows. It is a SiC computer,
    intel.





    Personally, if a reboot, or logout/login stops the popups, I wouldn't
    worry further about it. But that's up to you. I wouldn't use zoom
    though, except possibly in a vb guest created just for running zoom,
    so it doesn't have any access to the host system's files.

    A problem with virtualization is that it ain't as secure: you are
    giving the GuestOS too close contact with the hardware, and bugs in
    the virtualization layer have in the past allowed the GuestOS to
    access the HostOS directly.

    With the CPU bugs (mainly Intel), there are possibilities to
    get data from the HostOS in the same way as if you had run the
    application directly in the HostOS.

    I would recommend not using Zoom at all; it's not only their
    lack of securing the conferences, it's also that their homegrown
    encryption is so bad that there's not much difference from
    sending the data in plain text.


    luckily I don't need Zoom.

    Do you think the half a dozen warnings I got from RKHUNTER are
    worthwhile ?





    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Carlos E.R.@2:250/1 to All on Sun Apr 19 21:02:10 2020
    On 19/04/2020 06.15, William Unruh wrote:
    On 2020-04-19, Carlos E.R. <robin_listas@es.invalid> wrote:
    On 19/04/2020 00.28, William Unruh wrote:

    ....

    Suspicions:

    - A site that enabled notifications. They need the browser that
    activated them to be running.
    I hate sites that demand popups and usually have them disabled. In this
    case it was a newspaper site and I enabled them to read that site.

    Notifications is not the same thing as popups.

    Unfortunately I had no idea how to do it except by enabling them for
    everything. I had trouble today figuring out how to block them-- the
    chrome settings page is not very transparent.
    I think then I forgot about them and left popups enabled, so it is
    quite possible it was in that way that they got in.

    - some popup from some site.
    - some crap from zoom. It is known to be a bad thing.

    Possibly. I am not at all sure that it is a "bad thing". It has suddenly
    gotten a lot of light shone on them ( which is good) but with scrutiny
    like that, almost anything will reveal warts. Skype has been around (
    and is getting worse and worse under MS tutelage) and so people have not
    scrutinized it to nearly the same extent.


    Using Firefox, I can enable popups for a single tab or for a single site.

    It is possible I can do that with chrome as well.



    --
    Cheers, Carlos.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1@fidonet)
  • From David W. Hodgins@2:250/1 to All on Sun Apr 19 21:15:44 2020
    On Sun, 19 Apr 2020 15:51:26 -0400, William Unruh <unruh@invalid.ca> wrote:

    No idea what you mean by "admin" in a linux context. Or are you using Windows?

    It's quite common on linux systems. On Mageia systems ...
    $ id adm
    uid=3(adm) gid=4(adm) groups=4(adm)
    # ls -l /var/log/security|tail -n 1
    -rw-r----- 1 root adm 8098 Apr 12 04:23 writable.weekly.yesterday

    It allows users who have been added to the adm group to read the
    security reports, without giving them full root authority.

    A root user has access to everything on the machine. It can open and
    alter any file on the machine. If a hacker breaks in, then as root he
    can run anything.

    The root user can, but things like the immutable flag may need to be
    unset before the file can be modified or removed.

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From David W. Hodgins@2:250/1 to All on Sun Apr 19 21:03:56 2020
    On Sun, 19 Apr 2020 15:23:34 -0400, William Unruh <unruh@invalid.ca> wrote:

    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    ...

    Their use of home-grown encryption has been discussed in security and/or
    risk assessment areas, as well as in the general press.

    For example https://tech.slashdot.org/story/20/04/03/165216/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover

    It of course gives no indication as to what that encryption is. It tends

    For details of how bad it is, see https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

    Regards, Dave Hodgins

    --
    Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
    email replies.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Sun Apr 19 22:32:36 2020
    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    On Sun, 19 Apr 2020 15:51:26 -0400, William Unruh <unruh@invalid.ca> wrote:

    No idea what you mean by "admin" in a linux context. Or are you using
    Windows?

    It's quite common on linux systems. On Mageia systems ...
    $ id adm
    uid=3(adm) gid=4(adm) groups=4(adm)
    # ls -l /var/log/security|tail -n 1
    -rw-r----- 1 root adm 8098 Apr 12 04:23 writable.weekly.yesterday

    user adm is not admin, which was what he said. Group id is not user id.

    He claimed that he was the sole user and he was admin. I was trying to
    clarify what he meant. wheel is often more powerful than adm.



    It allows users who have been added to the adm group to read the
    security reports, without giving them full root authority.


    A root user has access to everything on the machine. It can open and
    alter any file on the machine. If a hacker breaks in, then as root he
    can run anything.

    The root user can, but things like the immutable flag may need to be
    unset before the file can be modified or removed.

    Which the root user can change. But how many files on a Mageia install
    are immutable? Any?


    Regards, Dave Hodgins


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Sun Apr 19 22:43:51 2020
    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    On Sun, 19 Apr 2020 15:23:34 -0400, William Unruh <unruh@invalid.ca> wrote:

    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    ...

    Their use of home-grown encryption has been discussed in security and/or
    risk assessment areas, as well as in the general press.

    For example https://tech.slashdot.org/story/20/04/03/165216/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover

    It of course gives no indication as to what that encryption is. It tends

    For details of how bad it is, see

    https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

    They use AES 128. Which is not bad. They use ECB which is not ideal, and
    does leak some information, but not much. Can you decrypt an ECB stream
    with AES 128? Not as far as I know. As far as I know, AES is even secure
    against chosen plaintext attacks.

    Again, as I said way back, they really really should allow the users to
    generate the key, and I do agree that the encryption should be end to
    end, with key exchange being done by DH or RSA. That is far more of a
    concern to me as far as security is concerned. They could use the most
    watertight encryption that the world has ever known. If they generate
    the keys, they can decrypt, whether they are in China, the USA or the
    Maldives.



    As I also said, I would also be far more concerned that they are based
    in the USA. We KNOW that the US government puts pressure on companies to
    release their keys.

    Regards, Dave Hodgins


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From TJ@2:250/1 to All on Mon Apr 20 13:55:05 2020
    On 4/18/20 8:12 PM, David W. Hodgins wrote:


    Personally, if a reboot, or logout/login stops the popups, I wouldn't
    worry further about it. But that's up to you. I wouldn't use zoom
    though, except possibly in a vb guest created just for running zoom,
    so it doesn't have any access to the host system's files. The media has
    made it clear, zoom is not designed to be secure.

    The above is yet another reason to be glad I'm not on our local Town
    Board. Because of covid concerns, they've taken to holding their public
    meetings via zoom.
    In a hasty set-up, they've fulfilled the public access requirement by
    having someone use a phone (probably an iphone) to stream an image from
    a laptop (probably the Town Clerk's) to the town's web and Facebook
    pages.

    It's definitely a kludge, but it works. Kinda.

    TJ

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Mon Apr 20 22:23:14 2020
    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    On Sun, 19 Apr 2020 15:23:34 -0400, William Unruh <unruh@invalid.ca> wrote:

    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:
    ...

    Their use of home-grown encryption has been discussed in security and/or
    risk assessment areas, as well as in the general press.

    For example https://tech.slashdot.org/story/20/04/03/165216/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover

    It of course gives no indication as to what that encryption is. It tends

    For details of how bad it is, see

    https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

    Note that many things in that document are just silly and bad. It is not
    a "roll your own" crypto. They use AES, which is the standard. They use
    128 bit key AES, which is not as strong as 256bit AES, but is no slouch.
    (AFAIK no one claims to have reversed 128 bit AES). They use it in CBC
    mode, which, under some circumstances can leak some information.
    Certainly in video mode, or audio, the leakage is completely
    negligible-- In cases where there are many many repeats of the same 16
    byte (128 bit) blocks, it can do so (which is what that Penguin shows)
    but as even that page says, if for example one compresses the image,
    that goes away-- repeated 16 byte blocks get compressed away. One huge
    advantage of CBC mode is that it is error tolerant. Even if bytes get
    altered in transmission, they affect only the 16-byte block they are
    part of, not other parts.

    Now, for me the biggest problems are the key generation and transport.
    Key generation should take place on the host's system, not by zoom. (I
    do not know where it is generated, but the suggestion is that it is
    generated by "central office".) Key transport should take place in such
    a way that only the endpoints know what the key is. There are certainly
    transport techniques which allow that to happen.

    They really really should make the encryption protocol and techniques
    public. On the other hand they differ in this in no way from almost all
    other systems. Almost no one makes theirs public, for fear of
    encouraging attacks, and they rely on the "Trust us" mantra.

    Does this mean no one should use it? No. Does it mean if you are
    discussing politically sensitive material you should be careful?
    Definitely. It is almost certainly far harder to "wiretap" the material
    than over a phone call. Are companies throwing out all their phones
    because they might be tapped, or ATT (or NSA or FBI or.... might listen
    in?) If you are exchanging missile codes, do not use zoom. But surely
    that is obvious even if these audits had found nothing wrong.


    Regards, Dave Hodgins


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From J.O. Aho@2:250/1 to All on Tue Apr 21 06:59:46 2020
    On 20/04/2020 23.23, William Unruh wrote:
    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

    For details of how bad it is, see
    https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

    Note that many things in that document are just silly and bad. It is not
    a "roll your own" crypto. They use AES, which is the standard. They use
    128 bit key AES, which is not as strong as 256bit AES, but is no slouch.
    (AFAIK no one claims to have reversed 128 bit AES). They use it in CBC
    mode, which, under some circumstances can leak some information.
    Certainly in video mode, or audio, the leakage is completely
    negligible-- In cases where there are many many repeats of the same 16
    byte (128 bit) blocks, it can do so (which is what that Penguin shows)
    but as even that page says, if for example one compresses the image,
    that goes away-- repeated 16 byte blocks get compressed away. One huge
    advantage of CBC mode is that it is error tolerant. Even if bytes get
    altered in transmission, they affect only the 16-byte block they are
    part of, not other parts.

    Take a look at this image: https://theintercept.imgix.net/wp-uploads/sites/1/2020/04/ecb-540x235.png?[object+Object]=

    You will see why you don't want to use ECB.

    Also, 5 of the key generation machines are located in China and it
    seems that those 5 are most often used for chat encryption; keep in mind
    that Zoom shares the keys with the Chinese government.


    Now, for me the biggest problems are the key generation and transport.
    Key generation should take place on the host's system, not by zoom. (I
    do not know where it is generated, but the suggestion is that it is
    generated by "central office".)

    It's generated on 73 different cloud servers, 5 located in China and the
    rest in US.


    Key transport should take place in such a way that only the endpoints
    know what the key is. There are certainly transport techniques which
    allow that to happen.

    As long as you think the Chinese government is part of your
    conversation, then it's kind of ok.


    They really really should make the encryption protocol and techniques
    public. On the other hand they differ in this in no way from almost all
    other systems. Almost no one makes theirs public, for fear of
    encouraging attacks, and they rely on the "Trust us" mantra.

    Many do release whitepapers on their encryption or have third party assessments.

    --

    //Aho


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Tue Apr 21 07:18:30 2020
    ["Followup-To:" header set to alt.os.linux.mageia.]
    On 2020-04-21, J.O. Aho <user@example.net> wrote:
    On 20/04/2020 23.23, William Unruh wrote:
    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

    For details of how bad it is, see
    https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

    Note that many things in that document are just silly and bad. It is not
    a "roll your own" crypto. They use AES, which is the standard. They use
    128 bit key AES, which is not as strong as 256bit AES, but is no slouch.
    (AFAIK no one claims to have reversed 128 bit AES). They use it in CBC
    mode, which, under some circumstances can leak some information.
    Certainly in video mode, or audio, the leakage is completely
    negligible-- In cases where there are many many repeats of the same 16
    byte (128 bit) blocks, it can do so (which is what that Penguin shows)
    but as even that page says, if for example one compresses the image,
    that goes away-- repeated 16 byte blocks get compressed away. One huge
    advantage of CBC mode is that it is error tolerant. Even if bytes get
    altered in transmission, they affect only the 16-byte block they are
    part of, not other parts.

    Take a look at this image:

    https://theintercept.imgix.net/wp-uploads/sites/1/2020/04/ecb-540x235.png?[object+Object]=

    You will see why you don't want to use ECB.

    Oh come off it. Yes, as I said, for a picture which has bunches of 16
    byte blocks which are exactly the same, ECB is problematic. But there
    are trivial ways of changing that: put in single bit dithering in each
    byte, or compress the file (which as far as I know zoom does already).
    The question is not whether one can find cases where it is bad, the
    question is whether in a real life case it is bad.

    Also the 5 of the key generation machines are located in China and it
    seems that those 5 is most often used for chat encryption, keep in mind
    that Zoom shares the keys with the Chinese government.

    And that is also, as far as anyone knows, crap. On the same level you do
    know that Skype and Google and ... all share everything with the US
    government :-) [And no, of course I do not know that, just as you do not
    know what you are saying]



    Now, for me the biggest problems are the key generation and transport.
    Key generation should take place on the host's system, not by zoom. (I
    do not know where it is generated, but the suggestion is that it is
    generated by "central office".)

    It's generated on 73 different cloud servers, 5 located in China and the rest in US.

    I agree completely that key generation does not belong on servers. It
    belongs on the host machine. And for most people, what they are using
    zoom for is simply not sensitive information. Zoom is almost certainly
    more secure than the telephone.



    Key transport should take place in such a
    way that only the endpoints know what the key is. There are certainly
    transport techniques which allow that to happen.

    As long as you think the Chinese government is part of your
    conversation, then it's kind of ok.

    What are you talking about? Do you know what key transport is? To repeat
    what I said:
    "Key transport should take place in such a way that only the endpoints know what the key is."

    Do you want me to repeat that again?



    They really really should make the encryption protocol and techniques
    public. On the other hand they differ in this in no way from almost all
    other systems. Almost no one makes theirs public, for fear of encouraging
    attacks, and rely on the "Trust us" mantra.

    Many do release whitepapers on their encryption or have third party assessments.


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Richard Kettlewell@2:250/1 to All on Tue Apr 21 09:03:22 2020
    William Unruh <unruh@invalid.ca> writes:
    Note that many things in that document are just silly and bad. It is not
    a "roll your own" crypto. They use AES, which is the standard. They use
    128 bit key AES, which is not as strong as 256 bit AES, but is no slouch.
    (AFAIK no claims to have reversed 128 bit AES). They use it in CBC mode,
    which, under some circumstances, can leak some information. Certainly in
    video mode, or audio, the leakage is completely negligible. In cases
    where there are many many repeats of the same 16 byte (128 bit) blocks,
    it can do so (which is what that Penguin shows) but as even that page
    says, if for example one compresses the image, that goes away: repeated
    16 byte blocks get compressed away. One huge advantage of CBC mode is
    that it is error tolerant. Even if bytes get altered in transmission,
    they affect only the 16 byte block they are part of, not other parts.

    ECB, not CBC, and presumably unauthenticated. They say they’re replacing
    it with GCM, at which point we can worry about how they select IVs.

    ECB breaks in the presence of colliding plaintext blocks. Compressed
    data ought to be a sweet spot for minimizing collisions: patterns in the
    output are opportunities for improving the compression. So I don’t think
    ECB is the big problem here. (The penguin is a nice illustration but
    also rather misleading.)

    Unauthenticated ECB is also very malleable although I’m not sure how
    you’d go about exploiting it in this scenario.

    It is however a design smell. If someone picked ECB, it’s reasonable to suspect that their other cryptographic decisions weren’t great, and it
    does seem that the key generation is centralized, meaning the security
    is in practice not end-to-end.

    But all this is largely irrelevant when the meeting IDs are so easy to
    guess that anyone can join them by making a reasonably lucky guess...

    --
    https://www.greenend.org.uk/rjk/

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: terraraq NNTP server (2:250/1@fidonet)
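    The block-pattern argument in this post and in William Unruh's reply above (ECB exposes repeated 16-byte blocks, compressing first removes the repeats, an authenticated mode such as the GCM mentioned here rejects modified ciphertext), as an added Go example that is not from the thread or from Zoom; the key, the image-like buffer and the zero padding are constructed for the demo.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const bs = aes.BlockSize // 16 bytes: the unit the "ECB penguin" is built from
var demoKey = []byte("0123456789abcdef") // constructed, fixed key so runs are reproducible

// sampleImage: constructed frame of 64 identical background rows + 4 distinct rows, one block each.
func sampleImage() []byte {
	img := bytes.Repeat([]byte{0xff}, 64*bs)
	for r := 1; r <= 4; r++ {
		img = append(img, bytes.Repeat([]byte{byte(0x10 * r)}, bs)...)
	}
	return img
}

// pad16 zero-pads to a block multiple (demo only; real code uses an AEAD).
func pad16(d []byte) []byte { return append(d, make([]byte, (bs-len(d)%bs)%bs)...) }

// ecbEncrypt applies the raw block function to each block independently; Go ships no ECB mode.
func ecbEncrypt(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // 16-byte key: cannot fail
	pt = pad16(pt)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// cbcEncrypt chains blocks under a random IV, so equal plaintext blocks no longer match.
func cbcEncrypt(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	pt = pad16(pt)
	iv := make([]byte, bs)
	rand.Read(iv) // crypto/rand; failure here means a broken system
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// distinctBlocks counts distinct 16-byte blocks; for ECB output that is exactly what leaks.
func distinctBlocks(d []byte) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(d); i += bs {
		seen[string(d[i:i+bs])] = true
	}
	return len(seen)
}

// compress models the "compress first" argument: repeats become back-references.
func compress(d []byte) []byte {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write(d)
	w.Close()
	return buf.Bytes()
}

// gcmTamperDetected: with GCM, one flipped ciphertext byte makes decryption fail, not return garbage.
func gcmTamperDetected(key, pt []byte) bool {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // a nonce must never repeat under the same key
	ct := aead.Seal(nil, nonce, pt, nil)
	ct[len(ct)/2] ^= 0x01 // simulate one flipped byte in transit
	_, err := aead.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	img := sampleImage()
	c := ecbEncrypt(demoKey, compress(img))
	fmt.Println("ECB distinct:", distinctBlocks(ecbEncrypt(demoKey, img)), "CBC distinct:",
		distinctBlocks(cbcEncrypt(demoKey, img)), "of", len(img)/bs, "blocks;",
		"ECB over zlib:", distinctBlocks(c), "distinct of", len(c)/bs)
	fmt.Println("GCM rejects tampering:", gcmTamperDetected(demoKey, img))
}
```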
  • From J.O. Aho@2:250/1 to All on Tue Apr 21 09:04:01 2020
    On 21/04/2020 08.18, William Unruh wrote:
    ["Followup-To:" header set to alt.os.linux.mageia.]
    On 2020-04-21, J.O. Aho <user@example.net> wrote:
    On 20/04/2020 23.23, William Unruh wrote:
    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

    For details of how bad it is, see
    https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

    Note that many things in that document are just silly and bad. It is not
    a "roll your own" crypto. They use AES, which is the standard. They use
    128 bit key AES, which is not as strong as 256 bit AES, but is no slouch.
    (AFAIK no claims to have reversed 128 bit AES). They use it in CBC mode,
    which, under some circumstances, can leak some information. Certainly in
    video mode, or audio, the leakage is completely negligible. In cases
    where there are many many repeats of the same 16 byte (128 bit) blocks,
    it can do so (which is what that Penguin shows) but as even that page
    says, if for example one compresses the image, that goes away: repeated
    16 byte blocks get compressed away. One huge advantage of CBC mode is
    that it is error tolerant. Even if bytes get altered in transmission,
    they affect only the 16 byte block they are part of, not other parts.

    Take a look at this image:
    https://theintercept.imgix.net/wp-uploads/sites/1/2020/04/ecb-540x235.png?[object+Object]=

    You will see why you don't want to use ECB.

    Oh come off it. Yes, as I said, a picture which has bunches of 16 byte
    blocks which are exactly the same, ECB is problematic. But there are
    trivial ways of changing that: put in single bit dithering in each byte,
    or compressing the file (which as far as I know zoom does already). The
    question is not whether one can find cases where it is bad, the question
    is whether in a real life case it is bad.

    ECB is bad and should NEVER be used. Even if you compress data before,
    you will leak a lot of data.



    Also, 5 of the key generation machines are located in China and it
    seems that those 5 are most often used for chat encryption; keep in mind
    that Zoom shares the keys with the Chinese government.

    And that is also, as far as anyone knows, crap. On the same level you do
    know that Skype and Google and ... all share everything with the US
    government :-) [And no, of course I do not know that, just as you do not
    know what you are saying]

    There are differences in how the data is used; even the FSB is a nice kid
    compared with the Chinese. Companies tied close to the Chinese Communist
    Party benefit a lot from the data that the government collects from
    foreign businesses.
    Sure, the NSA and FSB help domestic companies to get hold of information,
    but this is more on a request basis instead of a constant stream from the
    agencies to the companies.




    Now, for me the biggest problems are the key generation and transport.
    Key generation should take place on the host's system, not by zoom. (I
    do not know where it is generated, but the suggestion is that it is
    generated by "central office".)

    It's generated on 73 different cloud servers, 5 located in China and the
    rest in US.

    I agree completely that key generation does not belong on servers. It
    belongs on the host machine. And for most people, what they are using
    zoom for is simply not sensitive information. Zoom is almost certainly
    more secure than the telephone.

    Sure the phone is insecure, but the difference is that only those can
    listen who can access the lines where the audio is sent; this means for
    US users it would just be the NSA, not like with Zoom, where no matter
    where you are the Chinese government has the possibility to take part of
    your data.


    Key transport should take place in such a
    way that only the endpoints know what the key is. There are certainly
    transport techniques which allow that to happen.

    As long as you think the Chinese government is part of your
    conversation, then it's kind of ok.

    What are you talking about? Do you know what key transport is? To repeat
    what I said:
    "Key transport should take place in such a way that only the endpoints know
    what the key is."

    That ain't the case for Zoom.

    --

    //Aho

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1@fidonet)
  • From Jim Beard@2:250/1 to All on Tue Apr 21 14:54:37 2020
    On Tue, 21 Apr 2020 10:04:01 +0200, J.O. Aho wrote:

    On 21/04/2020 08.18, William Unruh wrote:
    ["Followup-To:" header set to alt.os.linux.mageia.]
    On 2020-04-21, J.O. Aho <user@example.net> wrote:
    On 20/04/2020 23.23, William Unruh wrote:
    On 2020-04-19, David W. Hodgins <dwhodgins@nomail.afraid.org> wrote:

    For details of how bad it is, see
    https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

    Note that many things in that document are just silly and bad. It is not
    a "roll your own" crypto. They use AES, which is the standard. They use
    128 bit key AES, which is not as strong as 256 bit AES, but is no slouch.
    (AFAIK no claims to have reversed 128 bit AES). They use it in CBC mode,
    which, under some circumstances, can leak some information. Certainly in
    video mode, or audio, the leakage is completely negligible. In cases
    where there are many many repeats of the same 16 byte (128 bit) blocks,
    it can do so (which is what that Penguin shows) but as even that page
    says, if for example one compresses the image, that goes away: repeated
    16 byte blocks get compressed away. One huge advantage of CBC mode is
    that it is error tolerant. Even if bytes get altered in transmission,
    they affect only the 16 byte block they are part of, not other parts.

    Take a look at this image:
    https://theintercept.imgix.net/wp-uploads/sites/1/2020/04/ecb-540x235.png?[object+Object]=

    You will see why you don't want to use ECB.

    Oh come off it. Yes, as I said, a picture which has bunches of 16 byte
    blocks which are exactly the same, ECB is problematic. But there are
    trivial ways of changing that: put in single bit dithering in each byte,
    or compressing the file (which as far as I know zoom does already). The
    question is not whether one can find cases where it is bad, the question
    is whether in a real life case it is bad.

    ECB is bad and should NEVER be used. Even if you compress data before,
    you will leak a lot of data.



    Also, 5 of the key generation machines are located in China and it
    seems that those 5 are most often used for chat encryption; keep in mind
    that Zoom shares the keys with the Chinese government.

    And that is also, as far as anyone knows, crap. On the same level you do
    know that Skype and Google and ... all share everything with the US
    government :-) [And no, of course I do not know that, just as you do not
    know what you are saying]

    There are differences in how the data is used; even the FSB is a nice kid
    compared with the Chinese. Companies tied close to the Chinese Communist
    Party benefit a lot from the data that the government collects from
    foreign businesses.
    Sure, the NSA and FSB help domestic companies to get hold of information,
    but this is more on a request basis instead of a constant stream from the
    agencies to the companies.




    Now, for me the biggest problems are the key generation and transport.
    Key generation should take place on the host's system, not by zoom. (I
    do not know where it is generated, but the suggestion is that it is
    generated by "central office".)

    It's generated on 73 different cloud servers, 5 located in China and the
    rest in US.

    I agree completely that key generation does not belong on servers. It
    belongs on the host machine. And for most people, what they are using
    zoom for is simply not sensitive information. Zoom is almost certainly
    more secure than the telephone.

    Sure the phone is insecure, but the difference is that only those can
    listen who can access the lines where the audio is sent; this means for
    US users it would just be the NSA, not like with Zoom, where no matter
    where you are the Chinese government has the possibility to take part of
    your data.


    Key transport should take place in such a
    way that only the endpoints know what the key is. There are certainly
    transport techniques which allow that to happen.

    As long as you think the Chinese government is part of your
    conversation, then it's kind of ok.

    What are you talking about. Do you know what key transport is? To repeat
    what I said.
    "Key transport should take place in such a way that only the endpoints know what the key is."

    That ain't the case for Zoom.

    J.O. Aho understates the case against China and its involvement in computers and communications.

    Chinese military and governmental officials have declared communications
    a critical strategic arena in all aspects for China. All Aspects. That includes hacking and cracking the networks of others, government
    supervision and monitoring of China's networks by many thousands of
    personnel (yeah, China has a lot of people to put on a problem regarded
    as important), and domination of outgoing communications channels
    whenever possible with propaganda advantageous to China, to include disinformation, misinformation, lies, and when convenient carefully
    chosen truths.

    The Chinese themselves have repeatedly discussed the saturated
    government control of communications means and themes since 1949
    when Mao's communists took over. China's government tells you and
    others what it wants you to believe, or at least act as if you believe,
    and it wants to know everything of significance that you know which is
    possibly of consequence to Communist Party rule. That is encompassing,
    and China's government is very serious about it. Only capability,
    not truth or morality or human rights, is of importance to them.

    Implications in computers and communications are profound.

    Cheers!

    jim b.

    --
    UNIX is not user-unfriendly, it merely expects users to be computer-friendly.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Tue Apr 21 17:34:14 2020
    On 2020-04-21, Jim Beard <jim.beard@verizon.net> wrote:
    ....

    Now, for me the biggest problems are the key generation and transport.
    Key generation should take place on the host's system, not by zoom. (I
    do not know where it is generated, but the suggestion is that it is
    generated by "central office".)

    It's generated on 73 different cloud servers, 5 located in China and the
    rest in US.

    I agree completely that key generation does not belong on servers. It
    belongs on the host machine. And for most people, what they are using
    zoom for is simply not sensitive information. Zoom is almost certainly
    more secure than the telephone.

    Sure the phone is insecure, but the difference is that only those can
    listen who can access the lines where the audio is sent; this means for
    US users it would just be the NSA, not like with Zoom, where no matter
    where you are the Chinese government has the possibility to take part of
    your data.

    The US govt has also stated that they have the right to listen in on communications and has pressured the companies to release their data and
    to break the communication protections of users. Now it probably is not
    quite as bad as China I agree, but I certainly do not know that it is
    not.



    Key transport should take place in such a
    way that only the endpoints know what the key is. There are certainly
    transport techniques which allow that to happen.

    As long as you think the Chinese government is part of your
    conversation, then it's kind of ok.

    What are you talking about? Do you know what key transport is? To repeat
    what I said:
    "Key transport should take place in such a way that only the endpoints know what the key is."

    That ain't the case for Zoom.

    Yes, that is what I said. But THAT is the issue to be concerned about.
    Not whether or not they use ECB. Their use of ECB indicates a certain
    level of incompetence I agree, but incompetence is not malice.


    J.O. Aho understates the case against China and its involvement in computers and communications.

    I am not going to get into an argument as to whether or not China is, in
    some of its behaviour, nasty. This thread is NOT about China. It is
    about Zoom, and the fact that they have Chinese links is largely
    irrelevant. The question is whether it is malice or incompetence that
    has produced what Zoom is doing now. I will hold to Sturgeon's law until
    it is proven otherwise. Apple makes almost everything in their systems
    in China. So we should all abandon any Apple products? What I am seeing
    here is straight out of 1984.



    Chinese military and governmental officials have declared communications
    a critical strategic arena in all aspects for China. All Aspects. That includes hacking and cracking the networks of others, government
    supervision and monitoring of China's networks by many thousands of
    personnel (yeah, China has a lot of people to put on a problem regarded
    as important), and domination of outgoing communications channels
    whenever possible with propaganda advantageous to China, to include disinformation, misinformation, lies, and when convenient carefully
    chosen truths.

    Christ had a little aphorism about this. "motes and beams".


    The Chinese themselves have repeatedly discussed the saturated
    government control of communications means and themes since 1949
    when Mao's communists took over. China's government tells you and
    others what it wants you to believe, or at least act as if you believe,
    and it wants to know everything of significance that you know which is
    possibly of consequence to Communist Party rule. That is encompassing,
    and China's government is very serious about it. Only capability,
    not truth or morality or human rights, is of importance to them.

    Implications in computers and communications are profound.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Tue Apr 21 21:52:32 2020
    On 2020-04-21, Jim Beard <jim.beard@verizon.net> wrote:

    That ain't the case for Zoom.

    J.O. Aho understates the case against China and its involvement in computers and communications.

    Here is Zoom's statement about the Chinese servers: https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/

    .......

    However, in February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand. In our haste, we mistakenly added our two Chinese datacenters to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them (namely when the primary non-Chinese servers were unavailable). This configuration change was made in February.

    Importantly:

    Upon learning of the oversight yesterday, we immediately took the mainland China datacenters off of the whitelist of secondary backup bridges for users outside of China.
    This situation had no impact on our Zoom for Government cloud, which is a separate environment available for our government customers and any others who request the specifications of that environment.
    Zoom has layered safeguards, robust cybersecurity protection, and internal controls in place to prevent unauthorized access to data, including by Zoom employees — regardless of how and where the data gets routed.


    --------------------------------------------------
    So, incompetence rather than malice is what it looks like to me.


    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Jim Beard@2:250/1 to All on Wed Apr 22 15:27:18 2020
    On Tue, 21 Apr 2020 20:52:32 +0000, William Unruh wrote:

    On 2020-04-21, Jim Beard <jim.beard@verizon.net> wrote:

    That ain't the case for Zoom.

    J.O. Aho understates the case against China and its involvement in computers
    and communications.

    Here is Zoom's statement about the Chinese servers:

    https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/

    ......

    However, in February, Zoom rapidly added capacity to our Chinese region to
    handle a massive increase in demand. In our haste, we mistakenly added our two Chinese datacenters to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them (namely when the primary non-Chinese servers were unavailable). This configuration change was made in February.

    Importantly:

    Upon learning of the oversight yesterday, we immediately took the mainland
    China datacenters off of the whitelist of secondary backup bridges for users outside of China.
    This situation had no impact on our Zoom for Government cloud, which is a
    separate environment available for our government customers and any others who request the specifications of that environment.
    Zoom has layered safeguards, robust cybersecurity protection, and internal
    controls in place to prevent unauthorized access to data, including by Zoom employees — regardless of how and where the data gets routed.


    --------------------------------------------------
    So, incompetence rather than malice is what it looks like to me.


    The one does not rule out the other. Both can be operative.

    What you call "malice" (it might also be termed "sovereign intent") I
    consider certain in the case of China.

    Whether what you call "incompetence" was a factor or not, I consider
    of no importance, in this instance.

    Cheers!

    jim b.

    --
    UNIX is not user-unfriendly, it merely expects users to be computer-friendly.

    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From William Unruh@2:250/1 to All on Wed Apr 22 15:35:08 2020
    On 2020-04-22, Jim Beard <jim.beard@verizon.net> wrote:
    On Tue, 21 Apr 2020 20:52:32 +0000, William Unruh wrote:

    On 2020-04-21, Jim Beard <jim.beard@verizon.net> wrote:

    That ain't the case for Zoom.

    J.O. Aho understates the case against China and its involvement in computers
    and communications.

    Here is Zoom's statement about the Chinese servers:
    https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/

    ......

    However, in February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand. In our haste, we mistakenly added our two Chinese datacenters to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them (namely when the primary non-Chinese servers were unavailable). This configuration change was made in February.

    Importantly:

    Upon learning of the oversight yesterday, we immediately took the mainland China datacenters off of the whitelist of secondary backup bridges for users outside of China.
    This situation had no impact on our Zoom for Government cloud, which is a separate environment available for our government customers and any others who request the specifications of that environment.
    Zoom has layered safeguards, robust cybersecurity protection, and internal controls in place to prevent unauthorized access to data, including by Zoom employees — regardless of how and where the data gets routed.


    --------------------------------------------------
    So, incompetence rather than malice is what it looks like to me.


    The one does not rule out the other. Both can be operative.

    That may be true. But then you need a lot more evidence than what you
    have in the case of Zoom.

    What you call "malice" (it might also be termed "sovereign intent") I consider certain in the case of China.

    Zoom is not a Chinese program. We are discussing Zoom here, not China,
    not Trump, not Russia.

    Whether what you call "incompetence" was a factor or not, I consider
    of no importance, in this instance.

    We are discussing Zoom here and the meaning of the "evidence" that the Toronto labs
    demonstrated. If you want to discuss geopolitics, perhaps another place
    might be more appropriate.



    --- MBSE BBS v1.0.7.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)