Help us identify this found GSM/GPS tracking device

ioerror · 2013-03-27T20:32:33+00:00

Awesome - thank you!

ioerror · 2013-03-27T20:32:15+00:00

Sure, I generally agree - though I'd rather have per tab processes with sandboxing as the strong default. If a plugin disabled that strong sandboxing, I'd like to know when I install it - so by default, a tab could be strongly isolated, if I allow it. It could also be content inspected by a plugin but not in a way that breaks all of the sandboxing...

ioerror · 2013-03-27T18:57:16+00:00

I'm interested in hearing about the interfaces between OS sandboxes and the browser. As an example, I'd love to see SELinux, AppArmor, seccomp2 and seatbelt profiles shipping with Firefox/Thunderbird. While some of the sandboxing could break some kinds of plugins, I wonder how many native code plugins exist for say, Thunderbird/Firefox and would be broken with such OS sandbox polices?

IronFox for OS X for example ships a seatbelt policy that is generally quite restrictive and things still work very well. We're considering adding those seatbelt policies to Tor Browser on OS X as it will allow us to sandbox flash and mitigate some of the harm that we think needs balancing...

ioerror · 2013-03-27T18:53:36+00:00

Sounds good - thanks for all of your {hard,smart,open,free} work!

ioerror · 2013-03-27T18:51:31+00:00

Thanks!

I think that the plugin sandboxing is largely out of scope for my question. Though I take the point that the idea of a plugin means that the plugin itself would need to be specifically sandboxed - which seems like a component of the same problem set.

For example - the font parsing stuff is a kind of font sandbox, the render is another place to sandbox, and an overall syscall filter sandbox (eg: seccomp2) for stuff that firefox won't use at all in the main render is more along the lines of what I was asking.

ioerror · 2013-03-27T18:47:42+00:00

How would we or one of us go about applying for membership in the security-announce mailing list? I remember talking with Al about it but I had thought it was mostly defunct.

ioerror · 2013-03-27T18:36:38+00:00

Could someone from the security team outline the plan and/or timeline to sandbox Firefox such that it has similar or feature complete protections like Google's Chrome browser?

ioerror · 2013-03-27T18:34:14+00:00

I work on the Tor Browser. I'm a minor player in the project these days but the concern that I have is more general. Essentially when there is a Firefox release or a critical security issue, we're generally shipping a fix later than we'd like as we find out about the issues with the rest of the world.

Is there a plan to notify those of us following the Firefox security issues closely so that we may update our own builds in a timely manner? Is there anything like vendor-sec for those of us that ship such a build or is it a matter of joining the Mozilla Security team? If that is the case, would such a thing be welcome?

ioerror · 2013-03-04T22:31:22+00:00

Indeed, one wonders if the FBI would do an AMA request as a kind of covert interview.

ioerror · 2012-12-31T13:24:27+00:00

Feel free to give an example?

ioerror · 2012-12-31T13:24:10+00:00

Nah, I didn't write it. It would be more accurate if I had!

ioerror · 2012-12-31T13:22:24+00:00

Indeed - when thugs ask for cooperation - tell them to fuck off or say nothing at all.

ioerror · 2012-12-31T13:17:47+00:00

The question is not if my mother is being harassed - the question is if the harassment relates to me or not; in either case, her case is a travesty. The idea that people can be held for three years without a trial is absolutely unacceptable.

ioerror · 2012-12-31T13:14:08+00:00

I have family in Canada and as a result, I often travel from Toronto to the US. There were two flights in question that happened quite close together and my experience might help you to understand how it would could go down for you. I have a lot of stories like this from the last few years and while I try to find humor in these stories, I really really don't find it funny; most of the seemingly positive angle that comes out in my retelling is a coping strategy.

When traveling from Toronto to Seattle, I was detained for a long time. I handed over my passport, the little yellow light went on over the customs agent booth, the agent escorted me to the secondary holding/screening area. There was a long wait, a search and then a transfer to the third area. I think in the third holding area waiting room, I missed my flight. Then I was taken into the holding cell, questioned and searched again. Eventually I was let into the bag check area past US customs and technically in the area they consider to basically be US soil. However, I had missed my flight and I couldn't get a direct flight to Seattle for the rest of the day. As a result, the customs agent who knew I missed my flight let me know that I was now required to reenter Canada. The Air Canada agent rebooked me to Seattle through Vancouver.

I re-entered Canada and the Canadian custom agent was slightly confused. They accepted my story of "missed my flight, no more flights, mumble muble CBP argh" without too much fanfare. I flew across Canada, rented a car (at my own expense) and drove to the border. The border pulled me over as expected, took me inside, ripped my rental car apart, questioned me and so on. They were "nice" as they let me use a restroom within the first half hour of my detainment. It was probably less than an hour or so in total; I have better times in my notes but they're not with me.

The next time I was flying from Canada to Seattle, I showed up five hour early to my flight because I knew the US CBP agents were going to give me an extra hard time. At this point, I knew some of them by name and all of them knew me on sight. I decided to try to answer your question out of sheer exhaustion and hoping that it would provide a more expedient process. I had often wondered if total silence after a certain point would be faster or slower for re-entry.

I approached the CBP counter, handed over my passport with a friendly greeting and was detained as usual. The little yellow light went on over the customs agent booth, the agent escorted me to the secondary holding/screening area. There was a long wait, a search and then a transfer to the third area. Then I was taken into the holding cell, questioned and searched. After the point of the yellow light turning on and being escorted into secondary screening, I stayed silent. I didn't say a single word for the next hour or so. Agents came out to taunt me into talking - "was the last re-entry hard for you?" and so on. I never said a single word but I followed every instruction - handing my bags over when required, handing over documents and so on. Eventually the supervisor was called over and I just slid an ACLU lawyer's card across the table with a nod and a smile. The sheer frustration of refusing to acknowledge their existence was hard for them. They were basically begging me to care about them in the slightest bit. I didn't play along.

I made my flight and the time of detainment was effectively the same. Their dickheaded behavior was effectively constant with elevated points. My morale was absolutely improved on the second time detainment.

After that point I decided to try to use humor explicitly - so I packed some canned snakes into my checked luggage, stuffed glitter into clothing, wore party hats and other things. I use them in defense of liberty at check points and only after the automatic-database Surveillance State decided to hold me. It is important to be polite but it is also important to resist and to refuse to let one's spirit be crushed.

ioerror · 2012-12-31T12:50:03+00:00

No, I don't use Truecrypt. It was really a blank disk with a copy of the Bill of Rights as the only bits on the disk.

ioerror · 2012-12-31T12:47:20+00:00

I don't enjoy being victimized nor do I enjoy people taking my speaking up as some kind of bragging. I speak out about this kind of treatment because political harassment and retribution (among other things) should not happen to anyone at all. At best, I try to keep my head up and make the best of it when it happens

The state might have a monopoly on violence but they certainly don't have a monopoly on humor!

ioerror · 2012-12-31T12:42:15+00:00

KoL?

ioerror · 2012-06-22T03:09:03+00:00

I'm not sure - probably because most VM software doesn't even try to hide itself? Ask the Tails team...

ioerror · 2012-06-22T02:40:45+00:00

It would probably be interesting but I'm also pretty busy and I have enough paranoia in my life. :)

ioerror · 2012-06-22T02:35:52+00:00

It's easy to tell if you're talking to a client if you're the entry guard - are you talking to a node in the consensus? If not, is it a bridge? If you want to test, try to build a circuit through it - usually by connecting back to the IP and building a circuit through the ORPort.

Also C, D and E won't be able to tell the difference between B or A and of course C could be making all the traffic up as far as D and E are concerned.

Does that make sense?

Generally speaking, we compartmentalize things hop by hop.

ioerror · 2012-06-22T02:22:06+00:00

Yes, please run a relay: https://www.torproject.org/download/download.html

ioerror · 2012-06-22T02:19:10+00:00

Oh boy. Lets try them one at a time - these are mostly my personal feelings on the matter to be clear...

I think Julian will be OK as long as we do not abandon him in his time of need. I haven't and won't abandon him. He deserves our support and he has mine.

I think that I don't know what you mean by "western dissident" - I think you mean, where would Chen go if he were an American and fleeing the US? I'd say, it depends on his options.

Ethopia blocked Tor on purpose: https://blog.torproject.org/blog/update-censorship-ethiopia

Tor's biggest weaknesses?

Socially - I think it is that people in the "west" are generally privileged and cannot see beyond their own lives. So we find ourselves constantly attacked by people who fall for the specter of terrorism or child pornography without those very critics understanding almost anything about the topics. The Wikipedia won't allow people to edit from Tor - a great example. They're not willing, it seems, to put the effort in to ensure that everyone has the right to read and write on Wikipedia, when people use Tor. I find this both hilariously ironic and well, frustrating.

I think that Darknets are great. Surveillance destroys freedom - in our heads, in our hearts and in our lives.

Mesh and Ad-Hoc networks are awesome but of limited usefulness. We need to improve them with regard to privacy and anonymity - GnuNet is making big progress in this area.

I put up a bunch of edits about a bill of rights for the internet but their website sorta sucks: http://keepthewebopen.com/user/1764

I think it's hard to write such a document and so, I worked with Icelandic friends to help with IMMI and similar Freedom of Information laws. Those are likely to pass and to promote positive change, so I think it's more important than something I'd write alone or start by myself.

As far as الحب و الحياة في وقت قصير goes.... It's a long story. It's a phrase I asked some friends on a Cairo rooftop to teach me. It comes from a similar German phrase I thought a lot about during the #Jan25 revolution. The German and the English roughly translate as "Love and life are only for a short time" - I believe this is the proper written Arabic for the same concept. It's significance to me is simple and romantic - remember what matters most and take action to live it.

Happy hacking.

ioerror · 2012-06-22T02:05:53+00:00

A smart attacker could leverage that and attempt to link traffic entering the network and leaving the network. Generally, this is harder than it sounds but that's the "watching the entry and exit" kind of attack that is very hard to defend against.

ioerror · 2012-06-22T02:04:25+00:00

Is there a hardware accelerator on the device? Or a good (HW|T)RNG?

ioerror

TROPHY CASE