Vault 7

Luna Tic

Vault 7

Unread post by Luna Tic » 2017-03-10, 14:39

What do you think about the Vault 7 leak?
I am not looking for political debate, I am interested in the technical aspects, in general and also how it might affect The Best Browser. Is it a cause for worry? Is there anything we can/need to do to protect against those things?
I would be especially interested in your expert opinion, Oh Scion of Our Planetary Companion (Moonchild), if you care to opine.

dark_moon

Re: Vault 7

Unread post by dark_moon » 2017-03-10, 18:38

Most of the leaks are zero-day bugs for old software, so I wouldn't say the leak is a real problem for us users.

Moonchild
Pale Moon guru
Posts: 35649
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Vault 7

Unread post by Moonchild » 2017-03-10, 20:13

I had to look up what this is all about.
The Vault 7 Leaks is the code name for a massive leak released by Wikileaks in early March 2017, containing documents that purportedly discuss hacking tools used by the United States Central Intelligence Agency (CIA) to compromise the security of various devices connected to the internet, including smart phones, computers and smart TVs.
Why would this concern us? If the security of those devices affected is not in order, then that is something the manufacturers of those devices need to address.
Thanks to the nature of Open Source, anyone can (sec) audit Pale Moon and point out any vulnerabilities found (please do if you find them -- but in a private message, to not unnecessarily disclose it before we have had a chance to look at it and patch it).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Luna Tic

Re: Vault 7

Unread post by Luna Tic » 2017-03-10, 23:26

Thanks for the reply.
Moonchild wrote:Why would this concern us?
I don't know, that is why I asked. From what I have seen on various parts of the interwebz, the opinions ranged from "Don't worry about it" to "End of the internet as we know it". And also considering the extent of my knowledge in security matters (it could easily fit in a tweet), I decided to ask a source I can trust.

dark_moon

Re: Vault 7

Unread post by dark_moon » 2017-03-11, 10:10

The leak only shows what we all know:
# Always keep all your systems up-2-date
# Use encryption where possible

If you follow those rules, you're fine.

rabnbeinn
Lunatic
Posts: 350
Joined: 2011-11-18, 20:38
Location: Scotland

Re: Vault 7

Unread post by rabnbeinn » 2017-03-11, 11:03

They're finding their way around encryption.
These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

dark_moon

Re: Vault 7

Unread post by dark_moon » 2017-03-11, 11:13

rabnbeinn wrote:They're finding their way around encryption.
These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.
Yeah, but only on very old smartphone systems.
So if you follow rule #1, you're safe.

Moonchild

Re: Vault 7

Unread post by Moonchild » 2017-03-11, 11:19

dark_moon wrote:# Use encryption where possible
Rather, "Use encryption where prudent". i.e.: When dealing with private or sensitive matters.
I still disagree with "where possible" because it will almost always be possible, but not always be the best thing to do.

rabnbeinn

Re: Vault 7

Unread post by rabnbeinn » 2017-03-11, 11:59

Yeah, but only on very old smartphone systems.
So if you follow rule #1, you're safe.
Who's to say they can't crack newer smart phones? In all probability they can, and we won't find out about it until it is leaked (if ever).
And you are never safe (IMHO). If a hacker really wants in, he/she WILL get in eventually.

This is just my view and I believe a hell of a lot of others too.

tuxman

Re: Vault 7

Unread post by tuxman » 2017-03-11, 12:53

Luna Tic wrote:What do you think about the Vault 7 leak?
Obviously Open Source is easily attackable and everyone should try to avoid using it.

dark_moon

Re: Vault 7

Unread post by dark_moon » 2017-03-11, 13:12

tuxman wrote:Obviously Open Source is easily attackable and everyone should try to avoid using it.
That is crap. Every software is attackable but with OpenSource you can check if the code is secure and help to fix bugs.

fillerup

Re: Vault 7

Unread post by fillerup » 2017-03-11, 13:52

dark_moon wrote:
tuxman wrote:Obviously Open Source is easily attackable and everyone should try to avoid using it.
That is crap. Every software is attackable but with OpenSource you can check if the code is secure and help to fix bugs.
sarcasm mate..

dark_moon

Re: Vault 7

Unread post by dark_moon » 2017-03-11, 13:53

Damn, he got me :mrgreen: :thumbup:

tuxman

Re: Vault 7

Unread post by tuxman » 2017-03-11, 16:10

Why is 7-zip on the list and WinRAR is not?

kizo07

Re: Vault 7

Unread post by kizo07 » 2017-03-11, 16:13

Reading all this, I'm pretty worried now...
I'm the owner of one of those 'smart Samsung fridges'...you know, connected to the net, warnings when you are out of milk...etc.
Just wondering, should I change my eating habits from now on?...or get a new fridge?...or is there some workaround?
Theoretically thinking...when I have guests and we have an evening theme of 'Middle East food', f.e. eating a lot of Falafels, kebab...etc.

What I'm afraid of is that my fridge is gonna blab to the NSA and next morning my backyard is full of special forces, choppers, tanks...
Hmm...scary stuff. Is it enough just to change food labels, f.e. put bananas labels on Falafels...or?

billmcct
Keeps coming back
Posts: 959
Joined: 2012-09-04, 15:19
Location: Costa Rica & Union City Georgia USA

Re: Vault 7

Unread post by billmcct » 2017-03-11, 16:36

At least Notepad++ took it as serious.

http://www.ghacks.net/2017/03/09/notepa ... erability/
--------------------------------------------------------------------------------------------------------------
The difference between the Impossible and the Possible lies in a man's Determination.
Tommy Lasorda

Luna Tic

Re: Vault 7

Unread post by Luna Tic » 2017-03-11, 20:28

kizo07 wrote:Hmm...scary stuff. Is it enough just to change food labels, f.e. put bananas labels on Falafels...or?
If that gets you scared, what about this nightmare scenario? Truly horrific to even imagine it...
They replace your Pedigree Jumbones with Whiskas Perfect Portions. :sick:

Moonchild

Re: Vault 7

Unread post by Moonchild » 2017-03-11, 23:54

A few points of clarification for the "software hacks":
  • These are all DLL hijacking "hacks". This means that you have to, one way or another, already get malware on your system to replace a legitimate dll with a compromised one before this can take place.
  • The main vulnerabilities listed are in common dlls used by portable versions of applications or applications that are often installed in folders that have no special protection; this is because many portable frameworks will have a program look into the portable application folder(s) before looking in system folders, and in the case of portable applications, those folders will not be protected (unlike %program files%).
  • This also underlines why installing an application in anything but the designated program files folder is generally a bad idea, especially if it's in e.g. local application data like the Chromium framework tends to do.

kizo07

Re: Vault 7

Unread post by kizo07 » 2017-03-12, 00:58

Moonchild, generally speaking I agree with you, especially if we're talking about 'already get malware on your system'.
On the other side, I think it's relatively easy to 'protect' anyway. By simply monitoring your environment.
Hence, I have used 'Spy-The-Spy' for years, a file monitor that 'monitors system and other folders for any new exe's or dll's being added or renamed'.
http://www.mediachance.com/free/spythespy.htm
It's very simple, very old, but still a very efficient and useful piece of software, at least for me. Only 500kB and works as portable, thus it can be used on USB too.

Luna Tic, no it's not...it's different, dogs have masters, cats have staff ;)
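
Added example (not part of any post in this thread, and not Spy-The-Spy's code): the two checks discussed above in Python, covering Moonchild's point that a DLL in an unprotected application folder is found before the system copy, and kizo07's approach of watching folders for new or changed exe/dll files. The folder contents and the list of system DLL names are constructed samples; on a real system the names would come from listing the system folder.

```python
import hashlib
import os
import tempfile

WATCHED = {".exe", ".dll"}

def snapshot(root):
    """Map lower-cased relative path -> SHA-256 for every exe/dll under root."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED:
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found[os.path.relpath(path, root).lower()] = digest
    return found

def diff(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified

def shadows_system_dll(app_snapshot, system_dll_names):
    """DLLs in the app folder whose name also exists in the system folder (app folder is searched first)."""
    system = {n.lower() for n in system_dll_names}
    return sorted(p for p in app_snapshot if os.path.basename(p) in system)

def demo():
    """Constructed sample: a fake portable application folder in a temp dir."""
    with tempfile.TemporaryDirectory() as app:
        def write(name, data):
            with open(os.path.join(app, name), "wb") as fh:
                fh.write(data)
        write("editor.exe", b"app")
        write("plugin.dll", b"v1")
        write("readme.txt", b"ignored")     # not an exe/dll, so not tracked
        before = snapshot(app)
        write("plugin.dll", b"v2")          # existing DLL replaced in place
        write("VERSION.dll", b"new")        # new DLL appears beside the exe
        after = snapshot(app)
        return diff(before, after), shadows_system_dll(after, ["version.dll", "kernel32.dll"])

if __name__ == "__main__":
    print(demo())
```

A modified or shadowing entry is a prompt to check the file's signature and origin, since legitimate updates also change DLLs.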

John connor

Re: Vault 7

Unread post by John connor » 2017-03-12, 03:20

billmcct wrote:At least Notepad++ took it as serious.

http://www.ghacks.net/2017/03/09/notepa ... erability/

Wow, Notepad++ of all things. I use that all the time. Will update.