Archive for the Security Category

An update from the field by a friend of a friend on the situation in Turkey.
It's hard to believe Erdogan's criminal regime sits practically inside Europe and is a prominent member of NATO.

Today 11 HDP (Peoples’ Democracy Party) parliamentarians were taken into custody. And to-date, 170 media outlets have been banned, 130 journalists in prison, and 30 democratically elected Kurdish Mayors in prison.

Today, the Turkish police took eleven HDP (Peoples’ Democracy Party) parliamentarians, including the co-chairs Selahattin Demirtas and Figen Yuksekdag, into custody in after-midnight raids. The MPs’ houses and the party’s headquarters were raided, doors were broken and the parliamentarians were forcefully detained.

In the past several months, the government has been using the coup attempt on July 15th as an opportunity to consolidate its rule by eliminating every single oppositional voice in the country, especially the HDP, which halted the authoritarian project of a presidential system both in the June and November elections in 2015 by preventing his AKP to win sufficient number of parliamentary seats to make the necessary constitutional changes.

About 30 democratically elected Kurdish mayors are in prison now and about 70 of them have been dismissed by the central government.

The freedom of expression has been almost entirely undermined. With government decrees with the power of law, over 170 media outlets have been banned. More than 130 journalists are in prison, also including some world-renowned authors and intellectuals.

Most recently, two Kurdish news agencies and several Kurdish dailies were closed and the chief-editor, columnists and journalists of the pro-Republican People Party (CHP) daily Cumhuriyet were detained. Many academics are under criminal investigation for signing a peace petition.

Friends from around the globe, these are days when we most need international solidarity.

On April the 7th at 22:53, Aaron wrote:

I just read a Digital Trends article that states NoScript is a security breach. What's the story here???

It's a story of FUD and sensationalism, which got reported in such a careless way that now makes explaining and correcting readers' perception an uphill battle.
They've just demonstrated that rather than invoking a low-level function directly, like any installed add-on could do anyway, a malicious Firefox extension that has already been approved by an AMO code reviewer and manually installed by the user can invoke another add-on that the same user had previously installed and perform the low-level tasks on its behalf, not in order to gain any further privilege but just for obfuscation purposes.

It's like saying that you need to uninstall Microsoft Office immediately because tomorrow you may also install a virus that then can use Word's automation interface to replicate itself, rather than invoking the OS input/output functions directly. Or that, for the same reasons, you must uninstall any Mac OS application which exposes an AppleScript interface.

BTW, if you accept this as an Office or AppleScript vulnerability, Adblock Plus is not less "vulnerable", so to speak, than the other mentioned add-ons, despite what the article states. It's just that those "researchers" were not competent enough to understand how to "exploit" it.

And I'm a bit disappointed of Nick Nguyen who, rather than putting some effort in rebutting this cheap "research", chose the easier path of pitching our new WebExtensions API, whose better insulation and permissions system actually makes this specific scenario less likely and deserves to be praised anyway, but does not and could not prevent the almost infinite other ways to obfuscate malicious intent available to any kind of non-trivial program, be it a Chrome extension, an iOS app or a shell script. Only the trained eye of a code reviewer can mitigate this risk, and even if there's always room for improvement, this is what makes AMO stand out among the crowd of so called "market places".

I'm glad to announce noscript.net, flashgot.net and hackademix.net have been finally switched to full, permanent TLS with HSTS

Please do expect a smörgåsbord of bugs and bunny funny stuff :)

If NoScript keeps disappearing from your Firefox, Avast! Antivirus is likely the culprit.
It's gone Berserk and mass-deleting add-ons without a warning.
I'm currently receiving tons of reports by confused and angry users.
If the antivirus is dead (as I've been preaching for 7 years), looks like it's not dead enough, yet.

Notice to mariners: starting with NoScript version 2.6.6.9 (ATM still a RC) and next version of FlashGot (1.5.5.6, most likely) the packages (XPIs) of my Firefox add-ons won’t be signed anymore.

Almost no other Firefox extension gets signed these days (NoScript and FlashGot had been among the earliest and few for a long time), and AMO being the only authorized repository you can install the add-on from by default, there’s little or no point in keeping the relatively expensive and clunky signature machinery in place.

You probably noticed AMO lags quite a lot behind stable versions. That’s because the editorial staff manually checks every line of code published as “stable” for security issues and known performance problems. Therefore, if you’d like to always run the latest and safest (a good idea for a security tool like NoScript), you may want to switch to the fast lane, i.e. the automatically up-to-date beta channel, by installing 2.6.6.9rc1 now.

Bad Behavior has blocked 6004 access attempts in the last 7 days.