Insecurities in Privoxy Configurations - Details

2007-11-29 Thread Gregory Fleischer (Lists)

At the end of October, updated Vidalia bundles were released that
addressed some insecurities in the Privoxy configuration in versions
prior to 0.1.2.18.  A brief advisory was posted at the time [1].

Full details and sample exploit code are now available from [2].

For those impatient to get back to debating the finer points of the
law and legal responsibilities, here is the two minute version.

Privoxy has three configuration options of interest:

 - enable-remote-http-toggle
 - enable-remote-toggle
 - enable-edit-actions

1) If the 'enable-remote-http-toggle' option is set, any client side
   technology that can generate HTTP headers can bypass Privoxy
   content filtering by adding a header of: "X-Filter: No".

2) If the 'enable-remote-toggle' option is set, then any web browser
   vulnerabilities that can spoof HTTP Referer headers can be used to
   completely disable Privoxy filtering.

For Firefox 2.0.0.9 and prior, the following HTML snippet is typically
sufficient to disable Privoxy:

http://config.privoxy.org/">


setTimeout('document.forms["pwn"].submit()', 100);
alert("wait for it");
window.location = "http://config.privoxy.org/toggle?set=disable";


3) If the 'enable-edit-actions' option is set, then any web browser
   vulnerability that can spoof HTTP Referer headers and determine the
   modification time of the 'user.action' file can modify the Privoxy
   configuration.

Most recent Vidalia bundles for Windows install the 'user.action' file
with a consistent file time.  If a user has never edited any actions,
then the time is known (usually within plus or minus one hour).  One
of the sample Privoxy filter rules includes actions that can be used
to block all web requests simply by specifying a URL value of "./".

Using Referer spoofing and the known modification time of the
'user.action' file, a malicious script could generate requests that
would completely block all user web traffic through Privoxy.

[1] http://archives.seul.org/or/talk/Oct-2007/msg00291.html
[2] http://pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/



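A defender-side check for the three options listed in the advisory above, as an added example (not code from the advisory, Privoxy or Vidalia). It assumes the usual "directive value" config syntax with '#' comments, case-insensitive directive names, and that a later line overrides an earlier one; the sample config is constructed.

```python
"""Audit Privoxy config text for the three options named in the advisory."""
import sys

# Risk notes paraphrase the advisory above.
RISKY = {
    "enable-remote-http-toggle": 'an "X-Filter: No" request header bypasses filtering',
    "enable-remote-toggle": "a spoofed Referer can switch filtering off",
    "enable-edit-actions": "a spoofed Referer plus a known user.action time can edit actions",
}

# Constructed sample input, not a config shipped in any Vidalia bundle.
SAMPLE = """\
confdir /etc/privoxy
actionsfile user.action
enable-remote-toggle 1
Enable-Edit-Actions 1   # mixed case on purpose
enable-edit-actions 0
forward-socks4a / 127.0.0.1:9050 .
"""

def parse_options(text):
    """Return {directive: value} for the audited directives; the last line wins."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()                  # assumption: names are case-insensitive
        if name in RISKY:
            found[name] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit(text):
    """Return [(directive, state, risk)]; state is enabled, disabled or unset."""
    found = parse_options(text)
    report = []
    for name, risk in RISKY.items():
        if name not in found:
            state = "unset"                      # effective value is the build's default
        else:
            state = "disabled" if found[name] == "0" else "enabled"
        report.append((name, state, risk))
    return report

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit(text)
    for name, state, risk in results:
        print(f"{name:28} {state:9} {risk}")
    sys.exit(1 if any(state == "enabled" for _, state, _ in results) else 0)
```

An "unset" result means the effective value depends on the default of the installed Privoxy version, so it should be set to 0 explicitly rather than left out.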

Re: court trial against me - the outcome

2007-11-29 Thread mark485anderson
I agree. But here is what one judge in Colorado did to a juror who told
others about nullification:
http://www.levellers.org/jrp/orig/jrp.natllawj.htm

She was jailed for a period of time and after a lengthy defense,
eventually released.

The question maybe we should be asking is not "what are the rules" but
"how are we going to take back our Country and Freedom"? I, for one, do
not trust government employees, who are frequently the bottom of the
barrel, imnsho, to decide what is legal and what is not legal.


On Wed, 28 Nov 2007 19:22:46 -0600 (CST), "Scott Bennett"
<[EMAIL PROTECTED]> said:
>  On Mon, 26 Nov 2007 16:46:03 -0800 "F. Fox" <[EMAIL PROTECTED]>
> wrote:
> >Andrew Del Vecchio wrote:
> >> Mark,
> >>In absentia was always there, it just wasn't SOP like it is now. BTW,
> >> are you familiar with jury nullification? It was a victim of the last
> >> round of substance prohibition in the 20s and 30s. Essentially, jurors
> >> have the (no longer honored) right to find a defendant 'not guilty' if
> >> they feel that the law he is accused of breaking is BS. See
> >> http://fija.org/ for more details.
> >> 
> >> ~Andrew
> >(much snippage)
> >
> >It's a shame they don't have that right any more.
> 
>  Where did you get that idea?  In all countries with juries modeled
> upon or descended from the English common law juries, nullification is
> still an option available to juries.  Moreover, it is the *duty* of
> jurors to exercise it in appropriate situations.  The U.S. is a special
> case of such countries in that an acquittal is final and unreviewable
> by any court.  The "no double jeopardy" clause of Amendment VII to the
> Constitution for the United States of America was put there to prevent
> retrials of charges against persons for which those persons have been
> acquitted, an abuse that still goes on today in Canada and England.
> Nevertheless, jury nullification is a legitimate duty of jurors in
> standing between the state and the individual, in which the state must
> get the permission of a cross-section of the populace to administer
> punishments, to prevent abuses, even in countries where the state can
> keep retrying its victims with jury after jury until it finds a jury
> that will convict.  The delays and expense involved can keep an
> innocent person alive at least that much longer and may eventually
> cause the state to give up its prosecution of the charge(s) against
> that individual.
>  Colonial juries often protected colonists against the Crown's abuses,
> which led to creation of courts of admiralty (known today as
> administrative law courts, now unconstitutional yet upheld by the U.S.
> Supreme Court), which did not use juries.  I gather that such courts
> resemble the court that Mirko faced in Germany.  I don't know enough
> about Germany's judicial system to know whether any trials there use
> juries of peers today, but it is noteworthy that the 1500-year-old
> English tradition of trial by peers was brought to England by the
> Saxons.  If it no longer survives in Germany, then that is tragic.
>  In any case, tor server operators in the U.K., the U.S. of A., Canada,
> and Australia need to be informed of their rights should they ever
> serve on juries.  Although a prosecutor might eliminate them from a
> jury trying a case against another tor server operator, it is entirely
> possible that the prosecutor might not think to ask the potential
> jurors whether they knew about tor.  It is also in the interests of tor
> server operators in these countries to help spread the information
> about jurors' rights throughout the general populations to increase the
> chances of getting at least one informed juror selected to serve as a
> juror in any particular trial of a tor server operator.
> >
> >Laws have a purpose IMO, but they should go only as far as is absolutely
> >necessary.
> >
>  Naturally, the peoples of the various countries have their own views
> of the laws of their countries, and those views may agree or disagree
> with the views of prosecutors in those countries.  Where juries of
> peers are trying the cases, juries have the power and the duty to
> correct the prosecutors.  In the U.S., juries successfully undermined
> the Fugitive Slave Act, alcohol prohibition, and other abuses by
> refusing to convict, thereby refusing to confirm the actions of the
> Congresses that had passed those Acts.  If this option is not available
> to the people of Germany, then they may wish to reconsider, and
> possibly revise, the current form of their judicial system.
>  After all, governments only legitimately exist to serve the People.
> When and where they are not serving the People, they are obviously
> illegitimate.
> 
> 
>   Scott Bennett, Comm. ASMELG, CFIAG
> **
> * Internet:   benn

Re: German Tor Legal Fund

2007-11-29 Thread Onion
Alexander W. Janssen wrote:

>Onion wrote:
>> That's why I'd also prefer a name covering all facets of OR like
>> 'Deutsche Anonymisierserver Initiative - DASI gegen Stasi', with
>> equivalent shorthand expressions ('British [...] Anonymisation Server
>> Initiative' = 'BASI') easy to adapt to areas of other languages.

 (ignore at will)

First of all, I'm not fond of political discussions in tech groups,
but in this specific case of an aid, that was developed not least for
sociopolitical reasons, motivating statements can't be misplaced.

>Puh, although I get the pun I wouldn't like the Stasi-reference in the
>organisation's name.
>After all, the Stasi was an organisation known to abduct and kill, and
>to harass an entire nation.
>Though we're just facing some enormous changes in privacy- and
>security-policy no one in Germany can say that "it's as bad as it was
>with the Stasi". If someone really thinks that way, I'd advise to get a
>good textbook on history...

We're on the cusp of mass surveillance and profiling of unprecedented
quality. I fear, in a few years we'll long for the kind of
intervention the former Stasi was able to achieve. Our future
dictator, and history told us that no society is immune to populist
seducers, will not only have all tools at his disposal to build a
stable totalitarian regime. We even vest him with the legal authority
for an unrestricted use of that power. Taking over our country will be
a bargain nobody can refuse. By rights it's the duty of our
representatives to minimize such risks instead of increasing them and
undermining our democratic principles, e.g. by persecuting and
denouncing those who take their civic duties seriously.

>I have no problems to use references to the Stasi in a polemic context,
>but to make it your whole slogan wouldn't be fair to the victims of the
>Stasi.

I agree. The optional 'DASI statt Stasi' slogan only aimed at making
the implications of our government's plans somewhat clearer. I got the
impression, that people aren't aware of the consequences for all our
lives and only notice some anarchists opposing their reigning
protectors.



>We're just in the phase of making up the articles of the organisation.
>The preliminary name for the organisation is "Privacy Legal Fund (Germany)".

Getting on with that initiative is good news for our country. Thanks.

Onion


Re: court trial against me - the outcome

2007-11-29 Thread Scott Bennett
 On Thu, 29 Nov 2007 13:10:43 -0700 [EMAIL PROTECTED] wrote

>I agree. But here is what one judge in Colorado did to a juror who told

 Agree with what?  Some context would help here.

>others about nullification:
>http://www.levellers.org/jrp/orig/jrp.natllawj.htm
>
>She was jailed for a period of time and after a lengthy defense,
>eventually released.

 Laura Kriho was definitely victimized by both judge and prosecution.
My recollection is that she was not jailed for more than a few hours at
most, but that memory could be faulty.  The judge took many months to get
around to issuing a decision.  Colorado law places a time limit upon judges
for such decisions.  If the time limit is exceeded, the law says the judge
forfeits his/her salary for that quarter and must return the money to the
state.  AFAIK, Judge Nieto never returned the money and is probably guilty
of defrauding the state of Colorado or some similar charge, but he will
not likely ever be prosecuted or removed from office for his offenses.
 As tyranny advances, it becomes more painful for those who would
resist it.  If the tyrants are not corrected, then eventually their policies
toward resisters become so draconian that a majority of the people finds
the situation intolerable.  What happens next after that is always a gamble.
Like going to the dentist to get the cavities filled before they get so bad
that they necessitate extracting the teeth, it is better to resist like
Laura Kriho did when resisting is not life-threatening than to let the
situation deteriorate to the point where the situation *becomes* life-
threatening.
>
>The question maybe we should be asking is not "what are the rules" but
>"how are we going to take back our Country and Freedom"? I, for one, do
>not trust government employees, who are frequently the bottom of the
>barrel, imnsho, to decide what is legal and what is not legal.
>
 You will recall that the Founders left us four boxes to use in defense
of our freedom, right?  There are many countries wherein the People are
denied all of those boxes, so we in the U.S. are among the fortunate.  It
is up to us to use those boxes as needed and as appropriate.  Box #2 appears
to have been circumvented at last by one branch of the War Party, and the
other branch is undoubtedly beside itself with desperation to gain the use
of the same technology.  That still leaves us boxes #1 and #3 to use for
now.  tor is one technology that helps us to hang onto that first box.  PGP
is another.
 I hope that we don't have to open box #4, but it may well be that
some individuals have already opened it once or twice in recent years.  We
do have the historical record of the Battle of Athens that occurred shortly
after the end of World War II, so we know that it has happened on a larger
scale within living memory as well, but that sort of thing really has to be
the last resort.  Use tor, and stay informed!
[stepping down from box #1...]


  Scott Bennett, Comm. ASMELG, CFIAG
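**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
**********************************************************************
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************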