[ale] nailing down firefox security and privacy - PT 1

Rich Faulkner rfaulkner at 34thprs.org
Wed Oct 12 11:41:20 EDT 2011


I have yet to read this in its entirety but I do recall a court case
where a commercial network was intruded upon and the intruder was found.
In the end he was off the charges because there was no notice posted
that the network was a private network and subject to restricted
access...thereby implying "welcome" to outside access by anyone.  

I for one do not broadcast SSID and use WPA2 and even lock-down access
by MAC.  If I were to do anything contrary to locking-down the wireless
network access I would expect uninvited "guests" to be using my
bandwidth.  IMHO that's just common sense.  Is it illegal to enter a
home (uninvited) where the doors are off the hinges?  Perhaps (I'm not a
lawyer).  I do know it's illegal to enter a home (uninvited) when the
doors are locked and dead-bolted.  IMHO the same logic applies to
networks and our home wireless devices...an open door is an invitation
to unwanted guests.  

Otherwise, I have fought the same battles trying to get users to be the
first line of defense and not believe technology to be the "great
savior"....

Rich in Lilburn


On Wed, 2011-10-12 at 11:22 -0400, Michael B. Trausch wrote:

> On 10/11/2011 05:38 PM, Ron Frazier wrote:
> > I've been spending a good bit of time recently upgrading and configuring 
> > Firefox because Pandora decided it wasn't going to work after an upgrade 
> > they did.  I was on Firefox 3.2.? and was holding back upgrading because 
> > of some UI changes in the new Firefox as well as some plugin 
> > compatibility problems.  Eventually, I had to bite the bullet and 
> > upgrade.  As I've mentioned in other posts, I like to keep my shields at 
> > the paranoid level, whether I'm running Windows or Linux.  In fact, I 
> > run my Firefox configurations exactly the same on both systems, so this 
> > applies to this group.  There are a number of security and privacy 
> > settings which come into play with Firefox, and it's not always obvious 
> > how to set them.  I'm going to explain how I set mine up in order to 
> > maintain a high level of security as well as a decent level of 
> > functionality.  There are also a number of handy plugins which I will 
> > explain.  Hopefully, the research I've done will help others who want to 
> > keep their shields high.  Some of you may already know this stuff, but 
> > some others probably don't.  I have to relate a number of options 
> > settings.  This will be a bit difficult in text, but bear with me.
> 
> I have said it before, and I will say it again:  The only way to "keep
> the shields high" is to provide education.  Technology (in particular,
> things like you advocate here) can *not* save users from anything.
> 
> Something has been bugging me the past month or two.  Ron called me
> (anonymously) "unethical" a while back on the list (though he didn't
> name me in particular).  I'll provide a bit of context so that the rest
> of the group can recall.  But before I do, I'm going to say this:  I
> find this brand of advice to, itself, be unethical.  It propagates the
> mindset that technology can solve our problems better than education,
> and actively serves to lower the collective expectations of not only
> end-users, but that of IT support people like myself who then have to do
> even more hard work to try to get people to understand that they are the
> key, not the software that is running on their computer.  This way of
> thinking costs me time and money simply because people are given a false
> sense of security and truly believe that the technology will save them.
>  It is wrong to teach this to people because it is, and it ALWAYS WILL
> BE, patently false.
> 
> At one of the recent meetings, I was talking about how I had an open
> wireless network, and how people who were unwelcome and used it were
> redirected to a rather gruesome site, regardless of what they were
> aiming for.  Ron called this "unethical".  Seeing as one must first be
> unethical and steal my bandwidth in order to get to the thing, I fail to
> understand how that is unethical.  It is my personal, paid-for bandwidth
> and equipment, and I can configure and use it in any way I desire as
> long as I cause nobody harm.  If someone causes harm to his or her self
> by using my equipment (indeed, by unethically using my bandwidth), well,
> them's the spoils.  It is unethical to steal.  Back when I was running
> an open network (because I had devices that literally were unable to
> perform secure encryption and I failed to see the point of WEP), if
> someone would have asked me to use my network I would have quite likely
> allowed it.  I had no reason *not* to allow it.  But you can't just join
> my network and use it without permission.
> 
> It seems that Ron thinks that an open wireless network somehow conveys
> implicit permission to use it---and this is a problem with a lot of
> society.  They think the same thing.  They think that if there isn't a
> safeguard in place on something that they have the entitlement to go
> through it.
> 
> You know, there was a time when one could forget one's keys in their
> ignition and the car would, with a very high degree of probability,
> still be there when you got back to it.  Today this doesn't happen.  A
> few months ago, I encountered a car for sale in a parking lot not far
> from my home.  The car was unlocked, and it had the keys in the
> ignition.  I called the number on the "for sale" sign in the window, and
> let the guy know that the keys were still in the ignition and that the
> car was unlocked.  He was genuinely surprised that I did that.  Why?
> Because we expect people in today's society to generally suck, that's
> why.  I, too, would be surprised to receive such a phone call.  People
> feel that they are entitled to whatever they find, these days,
> regardless of where they found it.  An open network connection, an iPod
> in an unlocked (or hell, even a locked) car, whatever.  It is
> disgusting.  Our society is full of truly unethical elements.
> 
> And no, for the record, I don't feel that it is in any way unethical to
> do what I did, and if I were to, for whatever reason, be compelled to
> run an open network again, I would do the very same thing that I did
> before.  It accomplished a very real goal:  Unwelcome people only ever
> joined my wireless network a single time.  They never, ever came back.
> It served its purpose, and it entertained me in the process.  I see
> absolutely nothing wrong with that at all.
> 
> > While not directly related to Firefox, I strongly recommend using the 
> > OpenDNS ( http://opendns.com ) system to resolve your domain names.  
> > They automatically apply phishing protection to all DNS queries as far 
> > as I know.  If you desire to, you can also filter certain sites based on 
> 
> I would strongly recommend that people NOT use OpenDNS.  Why?  Because:
> 
>  * They break the DNS standard.  They do not return NXDOMAIN when they
>    should.  Unfortunately, a fair number of ISPs engage in this
>    destructive behavior as well.  This means that when you ping a
>    non-existent site, you actually wind up pinging a machine that is
>    alive and well and getting an erroneous result.  This is bad.
> 
>    Such behavior also breaks SSL sessions in certain circumstances and
>    gives users a far more cryptic error than "the server appears to be
>    down".  In the normal circumstance, a downed server or domain results
>    in an error saying that it wasn't found.  In the case of using one
>    of these broken DNS servers and encountering a downed domain (or one
>    mistakenly identified as "bad", FSVO "bad"), you instead get a
>    very nasty message in your Web browser saying that your security
>    is in danger.
> 
>  * They are a blacklist.  Blacklists contain errors.  More on that
>    below.
> 
>  * They actively go through the data they collect, such as what users
>    are visiting what sites.  They can use that information to "improve"
>    their database.  More to the point, I don't trust them to not misuse
>    that information.  Do you?
> 
>  * Even more to the point, do you think that the people you advocate
>    OpenDNS to are even capable of making the realization that they are
>    engaging in a decision that indicates that they trust the system
>    and the people behind it not to screw them in some way?
> 
> > Now, on to Firefox.  The latest version is 7.0.1.  You should have this 
> > or later once you upgrade or install anew.  They've been ramping the 
> > versions up very fast lately.  The big thing in UI design these days 
> > seems to be to eliminate the menus.  Personally, I hate this design.  
> > So, the first thing I do in this case is to turn the menus back on.  
> > Firefox will have a little orange "Firefox" button in the upper left.  
> > Click that, hover over options, and check menu bar to turn it on.  You 
> > should now have a menu.  You can select help, about to check the version 
> > number.  In some systems, you will see a check for updates button in 
> > this window.  Click View, hover over toolbars, and turn on the Add-on 
> > bar, if it's not already on.  You can rearrange buttons in Firefox by 
> > clicking on the empty area to the right of the menu and clicking 
> > customize.  You can then move things like the back and forward buttons 
> > around, or drag things from the dialog box to the menu areas or add-on bar.
> 
> Minor technical nit, here:  I've always had to enable the streamlined
> menu.  I don't understand why you dislike it, but I find it to be more
> efficient, and it does yield more (albeit only slightly) real-estate to
> the browser window.
> 
> > My objective is to configure Firefox so there is no unauthorized 
> > scripting, little or no unauthorized tracking, little or no unauthorized 
> > storage of information on my PC, and no unauthorized pop-ups.
> 
> I am sure that you realize that this is completely impossible without
> causing damage to the user experience.  Even if you get an end user to
> install all the cruft, you will find yourself (or people like me, find
> ourselves) supporting these users and having to explain to them that
> it's their software that is causing the problem.  Then they want to know
> why their software isn't smart enough to just do what they mean.  They
> then want to know why they have to know anything about the whole bloody
> mess, when all they want to do is get to their stupid games on Facebook.
> 
> > A new installation of Firefox should not have any accumulated history.  
> > However, an upgrade might.  If you want to start with a clean slate, 
> > clear all your history as follows.  Click Tools, click Clear Recent 
> > History, select Everything in the drop down box.  Below, you can observe 
> > check marks which show what will be cleared.  All should be checked.  
> > Click Clear Now.  Note, if some of the sites you've been using depend on 
> > history or preferences, you'll have to reset them.
> 
> Great way to lock people out of their accounts, this is.  A lot of
> people rely on their Web browser to store their credentials for them.
> Tell them to do this and they'll be fighting for a long time (and
> usually unnecessarily frustrated while doing so) getting password resets
> done for them on all of their common things like Facebook or their
> bank/credit card/whatever sites.  Especially those stupid sites that
> think that the lack of a cookie means that you have to go through
> special verification processes.
> 
> > Block pop-up windows - ON (or checked)
> 
> That is the default.
> 
> > Enable JavaScript - ON (Disabling would be more secure and safer, but 
> > many websites would break.  We'll deal with this using the NoScript plugin.)
> 
> NoScript isn't a solution, either.
> 
> > Click the Advanced button beside the JavaScript line and set these options.
> > 
> > Allow scripts to:
> > 
> > Move or resize existing windows - OFF (or unchecked)
> > Raise or lower windows - OFF
> > Disable or replace context menus - OFF
> 
> Most excellent.  Now software like Redmine won't work.  Congrats!
> 
> > Remember my download history - OFF (You could turn this on if desired.)
> 
> What does this accomplish?
> 
> > Remember my search and form history - OFF  (   ditto  )
> 
> What does this accomplish?
> 
> > Clear history when Firefox closes - ON
> 
> What does this accomplish?  The so-called "awesome bar" is a lot more
> useful to users when their history is kept.  So by doing this, you
> effectively disable the additional (and quite useful) functionality.
> 
> > Click the Security tab.  Set the following.
> > 
> > Warn me when sites try to install addons - ON
> 
> This is the default.
> 
> > Block reported attack sites - ON
> > Block reported web forgeries - ON
> 
> I have only ever encountered false positives with these settings; I view
> them as useless.
> 
> > Remember passwords for sites - OFF (I prefer to remember my own 
> > passwords or have something like Lastpass do it.)
> 
> You're in the minority, unfortunately.
> 
> > Use a master password - ON (Then complete the dialog box to set it.)
> 
> Why do that if you're not saving passwords in Firefox?
> 
> > Click OK to save all the options and dismiss the options screen.
> > 
> > Now, open a blank browser tab.
> > 
> > Type about:permissions in the web address blank and hit enter.
> > 
> > You will get a screen which allows you to set the default permissions 
> > for sites as well as override them for specific sites.  Click the All 
> > Sites line in the upper left.  Set the default permissions as follows.
> > 
> > Store passwords - BLOCK
> 
> Again, you're in the minority.  I have never managed to convince anyone
> not to use the built-in password storage.
> 
> > Share location - BLOCK
> 
> What's wrong with "Always Ask"?  Most people ignore the request anyway,
> and the rest often say no when asked.
> 
> > Set cookies - ALLOW FOR SESSION
> > Open Pop-up windows - BLOCK
> > Maintain offline storage - BLOCK
> 
> What does this truly accomplish, other than a false sense of security?
> 
> > You can now close this tab, or go to another web page.
> > 
> > That's it for the basic Firefox configuration, but we're just 
> > beginning.  In the next post, I'll talk about how to set up the NoScript 
> > and Ghostery plugins.  I hope to complete the other posts tonight and 
> > tomorrow.
> 
> NoScript, and plugins like it, are nice in theory.  In practice most
> users view them as a burden and something else that they have to manage.
> 
> It is far easier to get people to understand that they shouldn't just
> click every single stupid link in their email, on the Web, or in a program.
> 
> That said, there is very little *true* problem with running JavaScript.
>  Today's Web developers require JavaScript be enabled.  After all, we
> can even have that on phones these days.
> 
> If we were running Python in the browser, that'd be a little bit
> different since there is (at least to my knowledge) no truly sandboxed
> version of Python available.  But JavaScript is virtually always
> sandboxed, and cannot do any real harm to your system.
> 
> Keeping a computer secure is all about what the person sitting at the
> keyboard knows, not about what software is running on the computer.  It
> has always been this way and it will always continue to be this way.
> Educate users; tell them why they shouldn't go browsing every possible
> link they find, give them an idea of what types of sites can be trusted
> versus not trusted, tell them why they should have some idea of what is
> on the other end and whether or not they should trust it.
> 
> And tell them why they shouldn't have ad blocking software installed,
> too.  People keep that shit up, we'll have to pay for everything on the
> Internet out of our wallets, instead of just the things that aren't
> ad-supported.  I suspect that you disagree with me on that, too.
> Wouldn't surprise me, when I had heavy traffic to my blog and I had
> Google AdWords on it (hey, they're quite non-intrusive), I had something
> like 99% of people blocking the ads.  Everybody expects something for
> nothing these days.
> 
> 	--- Mike
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20111012/fd389f44/attachment-0001.html 


More information about the Ale mailing list