TRISQUEL MIGHT HAVE BEEN COMPROMISED

GNUser
Joined: 07/17/2013

Hello everyone.
So, here is what is going on: my trisquel system was somehow compromised. Every website I tried to access that had https would load alright, the https would be there, the small lock too, hotmail would give me the green bar... but EVERY site would do the same thing: a few seconds after it had loaded, the lock/green bar would disappear and the https connection would be lost. I am not kidding, every website (wikipedia, startpage, hotmail, gmail, etc) would load https, but suddenly would turn into http (without any error message or something). This was clearly an attack to spy on my connections, and was done with Javascript. I tried running Abrowser with JS disabled and those websites would not turn http, they would stay in https with the small lock in place.
So, a Javascript attack was in place. HOWEVER, it was not performed by my ISP. I tried running other distros from livecd (mint, debian, tails, trisquel) and all of them would work alright, only Trisquel that I had installed in the hard drive would do that nasty trick. I also tried running with other internet connections, like other wifi and such, and everything would happen the same way (my trisquel would turn into http, livecds would not).
I also noticed that https everywhere was "invisible". What I mean is, I had it installed, but it wouldn't give me any options appearing and the websites would behave as if it was not present.

So, my system was compromised. Only mine though? I don't know.
I didn't do anything out of ordinary in the web lately. I hope I noticed it before my accounts were stolen... Anyway, I am alerting everyone, if my Trisquel was attacked (even with certain precautions put in place) so can yours be. Anyone noticed the same things lately?

I also run ClamAV in the home directory (trying to find a suspicious file that I might have downloaded) but it was all clean.

I have now formatted the computer already and reinstalled. Everything seems to be normal again. HOWEVER, I am not sure this is over. And I think it was important to let everyone know about this. Trisquel WAS compromised in my pc, it might be in yours too!

Pay attention, and if the Trisquel team would be so kind as to give me some feedback on it, I would really appreciate it.

One last question: why can't I install trisquel 6 using text mode, without internet connection? And why can't I see the full disk encryption option??

YoHooComics
Joined: 07/17/2013

Thanks for the heads up. My Trisquel laptop is not on the Internet yet (Nonfree firmware was needed for my wireless card, so I ordered a USB network adapter from ThinkPenguin), but I will make sure to watch out for that.
Also, I think I have heard of JavaScript being insecure, so maybe the key is to disable JavaScript as a general rule in the future?

GNUser
Joined: 07/17/2013

No problem man =)
I wanted to let people know so they could check if their systems were also acting in "unusual ways". And of course, since you are going to connect to the internet, you should be careful with your security (activate firewall, disable ssh if you don't need it, etc).
As for JS... well, JS is not evil or dangerous per se. Truth is, JS is a language, and some people write good code in that language, some people write malicious evil code. And because of this, you can't really use the web without JS, because many websites that use good innocent JS won't work without it. LibreJS is not a solution either, because if a cracker was to attack people using free/libre OS he would most likely write it in a way that LibreJS would accept it hoping that no one would actually read the code they were executing (what most people do right??).
So, unfortunately disabling JS is not good enough. =S
But I admit, JS was the culprit, because when I deactivated JS, https would stand as such, instead of turning into normal http.

Keep an open eye for anything and everything when you use the web.

Elad (not verified)

Thanks for raising awareness.

I am not experiencing any of the issues you are facing and have been using Trisquel 6 since it was a release candidate (I was using 5.5 before that).

I use NoScript aggressively and have HTTPS Everywhere enabled. I always avoid enabling javascript if I can. For instance, I use ViewTube for Youtube and the html version of Gmail (until I get around to setting up my mail server).

I found this, and it may be the cause of your problem:
http://www.blog.asafewebsite.com/2011/02/https-stripping-attack-using-sslstrip.html

GNUser
Joined: 07/17/2013

Hey there, no problem man =) Just wanted to let people know that there was a possibility of something going on.

That's the weird thing, I was using Noscript and https everywhere too! But at the point I noticed that strange behavior, I also noticed that https everywhere seemed to be only in the menus, as I couldn't get to the options and such... I think the javascript that was causing the problem, somehow managed to disable that extension! =S

Yeah, I thought it would be something like that (ssl strip) but here is the weird thing: it was happening at my OS only, in every website! So... it was not my ISP (livecds were fine and the same happened when I used other internet connections) it was not some website getting attacked (it was happening in every website)... =S

Thanks for the link though!

Like I said, I am not sure if it was an attack against Trisquel, linux, Ubuntu... or if it was targeting me! I only wanted to let people know that there was a possibility that Trisquel was under attack in some way.

Thanks and stay safe =)

jxself
Joined: 09/13/2010

Please select your subject titles more carefully.

The title of this thread should probably be changed to not be so alarmist.

We don't need Chicken Littles spreading FUD about the distribution.

> why can't I install trisquel 6 using text mode, without internet connection?

Because the intention is to use the internet to download packages.

> And why can't I see the full disk encryption option??

It's in the text installer when you get to the partitioning phase. It's called "Use entire disk and set up encrypted LVM" or something along those lines.

GNUser
Joined: 07/17/2013

First, I am not a chicken little spreading fud! I am a user, who understands that if suddenly your browser starts turning https connections into http by itself, in every web site, something might be going on! And I am a user who cares enough about the community to tell everyone "check if this is happening to you too, something fishy might be going on, let me know if you know anything about it..." It's a very different thing! And yes, the title is alarming because the situation is too!
You don't care about security and privacy (and so, about freedom)? Ok, be happy man! But I do and other people do too. Respect that.

As for the text mode installation, it's stupid that in order to use full disk encryption I need to be connected to the internet! How come it won't allow me to install unless I am connected to the internet? Everything needed is on the CD!
Anyway... thanks for the clarification, and please understand that this was an important issue that deserved the attention I called for it.

jxself
Joined: 09/13/2010

> I am not a chicken little spreading fud!

Yes, you are. You started a thread with an alarming subject -- that the distro itself may be compromised. Not that your own personal computer might have been, but the distro itself. That's a far bigger issue and nothing you've stated supports such an alarm bell being rung.

In fact you've not provided any evidence of any such compromise and others in this thread have provided far more likely explanations.

Andresm

Joined: 11/21/2010

I agree with jxself at this point.

Magic Banana

Joined: 07/24/2010

It looks like the forum maintainer (quidam himself?) agrees as well. The thread has been moved to where it belongs: the troll hole.

dadix
Joined: 07/01/2013

1. The first time this happens to you, you should clear the cache memory and all the history (from the beginning, and all cookies) of your internet browser.
2. You may remove the browser and reinstall it again to see if the errors are there.

GNUser
Joined: 07/17/2013

1. I already had my browser set to "never remember history". So, no cookies, no nothing... And I use Bleachbit regularly to clean cache and all of that. So... I don't think it was a matter of that. I am not saying it couldn't have been, but given the circumstances I don't think it was that.
2. I took a more radical approach: once I realised it was a problem within my OS (browser or not) I just deleted all partitions and installed again.

Do you think it was a vulnerability or just a... an accident? a problem with the browser, like in a bug and not a vulnerability being explored by an attack?

t3g
Joined: 05/15/2011

If it's a vulnerability in Abrowser that is fixed in a newer version, then we have a problem. Generally when a new Firefox comes out, it takes weeks for Ruben to "clean" the browser and release the changed Firefox version as Abrowser.

What he needs to understand is that a web browser is the most used program for the majority of the population and it's not safe to provide an old and potentially unsecure version.

Magic Banana

Joined: 07/24/2010

So we have GNUser that pretends that "Trisquel has been compromised" because of a weird behavior when he browses the Web (I would bet on a misbehaving add-on or conjunction of add-ons) and t3g that claims, from those vague symptoms, that this is due to a vulnerability of Firefox 22 that was corrected in Firefox 23... but with no reference whatsoever.

Could we be a little bit serious please?

GNUser
Joined: 07/17/2013

Look Banana, I am not pretending. As I have stated before, I am a user who knows that if your browser one day starts turning https connections into http connections by itself, something is not right. Is it an attack? Is it a bug? Is it an addon malfunctioning? I don't know. BUT it makes you LESS SECURE and MORE EASY TO SPY ON! So, I did what anyone should do: run a few tests and after that, alerted the community. As for t3g, he raised some good points, you should give him credit for that! If it was a security issue with firefox, it's important that Trisquel gets updates out sooner and faster! Unless we are not worried about security, in that case, forgive me for suggesting you should keep an eye on your https connections to make sure they were acting normal. -.-

Look, I was serious and so was t3g. If you can't do the same, because for you it was not a big deal... good for you, click your red shoes twice and live in Kansas. But we are not in Kansas anymore, this is a far more dangerous place, and we should keep an eye on everything suspicious...

As for the references you want so badly (given the fact that my opinion and t3g's opinion is of no value to you without a link attached to it):
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
this link (though it is about esr) shows that some critical security updates have been performed lately. Which means, there is a possibility that 0 day JS attacks might be performed in Trisquel Abrowser (and even non 0 day, because of the delay in updates).

Magic Banana

Joined: 07/24/2010

If any Trisquel user facing a malfunction she cannot explain would write in capital letters that "Trisquel might have been compromised", then the forum would be full of such messages. If every other user could simply state, without any justification, that this is due to a vulnerability in the application, then that would be the (almost always wrong) answer to every request for help.

The "reference" you gave does not even relate to Trisquel's browser, which is based on Firefox 22 and not on the ESR branch. On the correct page, none of the vulnerabilities of Firefox 22 that were fixed in Firefox 23 (t3g wrote it was such a vulnerability to have the pleasure to criticize, one more time, Trisquel's lead developer) has a direct relation with SSL/TLS.

Sure, there exist vulnerabilities, such as this one that "could be exploited to run arbitrary code". But, now listen: if your system was compromised, it would not behave in a weird way. When bad guys gain control over a system, one of their main goals is to not be detected so that the system stays in their botnet. You can therefore be sure that your HTTP connections were not systematically ceasing to be secure because your system was compromised.

Now please stop bragging about how you are worrying about security. Security is not a matter of "opinion" (as you write) and you obviously do not know much about it. And, please stop attacking every user of this forum who disagrees with you.

GNUser
Joined: 07/17/2013

>If any Trisquel user facing a malfunction she cannot explain would write in capital letters that "Trisquel might have been compromised", then the forum would be full of such messages. If every other user could simply state, without any justification, that this is due to a vulnerability in the application, then that would be the (almost always wrong) answer to every request for help.

That would be true if people would not take the time to test the system and try to understand what was going on. I did. So... yeah, you are trying to make me look like a newbie who only knows coming here for advice, which I am not.

>The "reference" you gave does not even relate to Trisquel's browser, which is based on Firefox 22 and not on the ESR branch. On the correct page, none of the vulnerabilities of Firefox 22 that were fixed in Firefox 23 (t3g wrote it was such a vulnerability to have the pleasure to criticize, one more time, Trisquel's lead developer) has a direct relation with SSL/TLS.

I know it was about esr. I was merely trying to show that there are vulnerabilities! I said that, why do you pretend you did not read what I wrote??
And I don't see why we should never call into question Trisquel, this forum, or the Trisquel developers. I am not saying we should not respect all their work, but we have the right to ask questions! And stating that the system might be compromised does not mean that the team is malicious. There could be a bug, a mistake, anything! People here overreact whenever someone says "The Trisquel team did a bad job on X or Y". WHY?? Everyone is called into question, for example, if I sometimes defend the Tor team for example, is because I took the time to read A LOT, know who were the persons involved in it, what their background was, study the way Tor worked, and always read when someone writes something about them that sounds "weird". I take those chances to make sure I am on the right team with the right players. And guess what... they all agree! Jacob for example, he always says "Why should you trust me? Test my work and let me know if it is correct!"
So... there, I don't think saying that the Trisquel team could perform better, or asking them for an explanation (like the whole google dns issue) is wrong.

> Sure, there exist vulnerabilities, such as this one that "could be exploited to run arbitrary code". But, now listen carefully: if your system was compromised, it would not behave in a weird way. When bad guys gain control over a system, one of their main goals is to not be detected so that the system stays in their botnet. You can therefore be sure that your HTTP connections were not systematically ceasing to be secure because your system was compromised.

Well that depends on the bad guys. SSL Strip attacks would allow bad guys to get login information for example to email accounts. So... that would really depend. You are in no position at all to make that call.

> Now please stop bragging about how you are worrying about security. Security is not a matter of "opinion" (as you write) and you obviously do not know much about it. And, please stop attacking every user of this forum who disagrees with you.

Well, if you don't understand the dangers of ssl strip attacks, maybe you are the one who doesn't know a thing about security. You know, people have been treating me like I was a newbie when it comes to computers, GNU, linux, security, everything! Well, I might be new here in Trisquel, I always admit that, but when it comes down to security and other computer affairs... I am no newbie. And you tried to make me look like that twice in this comment. Don't expect me to react with joy -.-
Also, I did not attack anyone. I gave each comment a personal direct reply. That took time and a lot of thought, but instead of realising that I was treating every opinion as an equal, you said I was attacking. Well, of course, ICarolongo (or something) gave a totally unrelated comment, almost as if he was accusing me of something. Well, I did not like that. But I did not attack anyone. Now, you (like other people here in this forum) don't like when someone tells you that you are wrong and states some obvious reasons why you are acting in a way that is not helpful to the issue at hand. While others might put up with that (I read many past threads, and sometimes you made people go away because you treated them like idiots) I won't. So, until I decide that it's time for me to leave, don't expect me to accept every word that comes out of your mouth as if it was pure and gold. I will question whoever and whatever I want, whenever I want. That is actually one of the key aspects in SECURITY, call into question everything to find the hidden shit... Just to let you know.

Now if you think Trisquel is not compromised and think it will never be... Well, leave this thread then. But I worry about security in Trisquel and others do too. We have all the right to. I HAVE ALL THE RIGHT TO, AFTER WHAT I EXPERIENCED! Might have been a targeted attack against me, but still... If it affected me, it would obviously affect other Trisquel users, so I still made a good decision letting everyone know.

Magic Banana

Joined: 07/24/2010

First of all, you neither "come here for advice" nor to "ask questions". You came here to write a post entitled "TRISQUEL MIGHT HAVE BEEN COMPROMISED".

Now, I really have to thank you to show me that vulnerabilities exist. I did not know that. I am also very happy to know that pointing to this page is enough to claim that any malfunction of Trisquel's Web browser proves that the system has been compromised. Even if none of the listed vulnerabilities has anything to do with the symptoms.

I am very happy for you that you read a lot about TOR. Do the same about security and, before that, refrain yourself from writing that your issues are due to your system being compromised. You could start with SSL stripping that does *not* require any system to be compromised. It is a man-in-the-middle attack.

GNUser
Joined: 07/17/2013

> First of all, you neither "come here for advice" nor to "ask questions". You came here to write a post entitled "TRISQUEL MIGHT HAVE BEEN COMPROMISED".

Read my first post, and you will see the tests I did, the questions I asked. If you refuse to acknowledge them, you are just being stubborn.

> Now, I really have to thank you to show me that vulnerabilities exist. I did not know that. I am also very happy to know that pointing to this page is enough to claim that any malfunction of Trisquel's Web browser proves that the system has been compromised. Even if none of the listed vulnerabilities has anything to do with the symptoms.

You are being sarcastic and that only shows your lack of will to understand the issue at hand and cooperate. Also shows an attempt at ridicule. Well, I will explain again: I was merely saying that we have all the right to put Abrowser and Trisquel into question, as much as we have Mozilla Firefox. Abrowser suffers from any bugs Firefox does AND has the problem of not being up to date. So, there might be vulnerabilities that affect ALL firefox versions, including Abrowser, that could cause the problem I noticed, and those should be considered.
Got it now? -.^

> I am very happy for you that you read a lot about TOR. Do the same about security and, before that, refrain yourself from writing that your issues are due to your system being compromised. You could start with SSL stripping that does *not* require any system to be compromised. It is a man-in-the-middle attack.

I will let you know it's spelled Tor and not TOR (read this https://www.torproject.org/docs/faq.html.en#WhyCalledTor).
Also, and to let you know, I considered the possibility of a MITM (read the first post, instead of just arguing) but discarded that with the tests I made (was happening in all websites, but only with Trisquel, live CD was good). So, one possibility would be (tchanan...) that some kind of malware had found its way into the system (maybe installing as a fake addon in abrowser) and was messing with the https connections. That would be a compromised system (as the malware was INSIDE the system) and still would make me vulnerable to spying by my ISP for example.

You should really do some reading on REAL WORLD examples of how security is broken. Sometimes, the bad guys do the things you least expect and even some you think "they would not do".

Now, unless you have something to contribute (instead of just arguing) I believe we have talked everything we had to talk. You actually led the thread away from its original purpose: my system was in some way compromised (either by an attacker or by a bug or even by something I did wrong) and is not using HTTPS anymore anywhere. Keep your eyes open: should the same happen to you, you will be prone to snooping from adversaries. Also, if anyone has any idea WHAT could have caused this, please, let me know.
If you have something to contribute do so, if not, excuse me, but I have better things to do than deal with you simply stating that I am wrong and should NEVER call Trisquel into question in any way or shape. -.-

Magic Banana

Joined: 07/24/2010

*You* believe a system needs to be compromised for SSL stripping and *you* send me to "do some reading on REAL WORLD examples of how security is broken". Lol.

Since you ask me to do so, let me acknowledge that you asked two real questions at the end of your first post... and they have nothing to do with Trisquel being compromised (the title of the thread). The only two other questions earlier in your post are not requests for advice. They are just attempts to scare the Trisquel users who could believe that you know something about security. I cite:

> So, my system was compromised. Only mine though? I don't know. I didn't do anything out of ordinary in the web lately. I hope I noticed it before my accounts were stolen... Anyway, I am alerting everyone, if my Trisquel was attacked (even with certain precautions put in place) so can yours be. Anyone noticed the same things lately?

Now, will you ridiculously pretend that you were actually requesting help there? You see, you fear I ridicule you, but you actually do that alone...

GNUser
Joined: 07/17/2013

> *You* believe a system needs to be compromised for SSL stripping and *you* send me to "do some reading on REAL WORLD examples of how security is broken". Lol.

Well, I explained it to you twice, I won't do it again. You can't read plain English, too bad. Go back to school. You are just playing an act of not understanding what I wrote actually, so, even better, like wolverine said "go fuck yourself".

You are just another "wannabe jedi master" here in the forum. There are a few, and you think you are greater than other users. Well, you are not. And believe me, I won't reply back to you in this thread, so... whatever, write whatever you want. Everyone has seen your play by now, so...

If anyone else thinks there is a discussion worth having about this issue, please feel free to comment, I will give back any details I can. Also, if you think we could make Trisquel more secure in some way (installing or uninstalling something, changing any firewall settings, etc), please let me know =) I REALLY look forward to make this system more secure.

Also, as a final word to the Trisquel main developer: I was not attacking you personally nor your work. I don't think anyone was even. So, the only thing we want is that security becomes a main priority in this project. Trisquel is about freedom, but how can we have freedom without privacy, and how can we have privacy without security? I still trust this project, even if by an accident or by a bad decision it is not "exactly as I would want it to be", I still trust it. So, I still support this GNU distro, and I will keep suggesting people to use it. Trisquel team, we only want to be heard and we want this distro to become not only free but also secure. That is probably the reason sometimes we seem to "attack" this project. We are not attacking it, we only would like to change it a little bit ;) without forking of course xD

Keep up the good work everyone!

GNUser
Joined: 07/17/2013

@t3g: yes, exactly! Even the Tor team decided to use firefox esr to be able to keep up to date with the security issues, and even they have some trouble to deliver solutions on time (even if they do an amazing job, which I admire the most!).
I wonder, what is the difference between Abrowser and firefox? If it's just a matter of suggesting non free addons, I could use firefox (checking in abrowser which addons were free and what were not). OR if GNUIcecat is more up to date with firefox releases, maybe use that... I don't know, I will have to do some reading.
Truth is, firefox has been receiving critical security updates lately, it's VERY important to stay on the track with them.

Thanks for the comment, you gave me some things to think about =)

oysterboy

Joined: 02/01/2011

+1 MagicBanana & jxself. Let's be careful and not jump to conclusions when weird things happen on our computers.

A few months ago I experienced some very weird behaviors in my browser. Turns out it was a user script that I had installed (and forgotten about) that was misbehaving.

GNUser
Joined: 07/17/2013

You are right in saying we shouldn't jump to conclusions. That's why I did a few tests before posting here (I tried other internet connections, I tried livecds, I reinstalled everything...)

Notice I said "might", not "is" or "has been". I let people know that my system was acting in an UNSECURE way and asked if anyone was noticing the same, and that they should keep an eye on it, in case it was an attack targeting Trisquel users.
If it was not the case, good! But it would be naive to let this pass as if nothing had happened. And I don't see the harm in people saying "it might have been this or that".

Now, you said it might have been a script doing something it shouldn't. Well, that might be the case. And I will be careful (even more lol) about what I install in my system. But I don't think it was that.... Because if it was, disabling JS would not affect it (user scripts run in either scenario).

Thanks for your comment anyway.

icarolongo
Joined: 03/26/2011

Why does one GNUuser use Hotmail?

GNUser
Joined: 07/17/2013

You realise that your comment was like... TOTALLY OFF TOPIC??
Honestly, I am starting to think that people don't care about security... -.-
You don't care about Abrowser dropping secure connections without alerting you, you care about why I use hotmail??? -.-

Well, to satisfy your curiosity (not that it was an important or even particularly smart question) I was in the process of dropping hotmail (which used to be my email account for years now) and use lavabit. But when lavabit was closed, I had to stay with hotmail, until I decided what to do next. And honestly, what, just because I am using hotmail I don't have the right to use https????
-.- and by the way, I am GNUser! not GNUuser. Learn to read (and start reading internet security related things).

andrew
Joined: 04/19/2012

On 16/08/13 11:19, gnuser wrote:
> I am not kidding, every website (wikipedia, startpage, hotmail,
> gmail, etc) would load https, but suddenly would turn into http
> (without any error message or something).

Although this isn't really a bug report, "how to report bugs
effectively": http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

It might be worth trying an Abrowser session in safe mode:
http://kb.mozillazine.org/Safe_Mode

If that doesn't help, try using a new profile, and report back:
http://kb.mozillazine.org/Opening_a_new_instance_of_your_Mozilla_application_with_another_profile

See if you can find something reproducible, like "I visit
https://en.wikipedia.org/wiki/Trisquel and it redirects me to
http://en.wikipedia.org/wiki/Trisquel every time."

Please note that any HTTPS website can redirect you back to HTTP, or
include a link to the HTTP version of their website. You could use an
addon like HttpFox to check the headers that are being sent, to get more
of an idea of what's happening.

https://addons.mozilla.org/en-US/firefox/addon/httpfox/

Also, are you using your own computer? Or have you installed any
certificates in your web browser? These may sound like dumb questions,
but another university I go to just started doing a TLS MITM attack with
forged certificates. (I am in the process of complaining about this).
Apparently some schools/universities/workplaces encourage their network
users to install their own root certificate so they can spy on what
they're doing over TLS, or automatically redirect them to HTTP plaintext.

Andrew.
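
The header check suggested in the post above, sketched as an added example (it is not part of the original thread and not any participant's code): given a navigation log exported from a header-capture add-on, it reports each HTTPS-to-HTTP step and whether the server's own response asked for it (a 3xx `Location` or a meta refresh) or the browser navigated on its own. The log layout, the `.example` hosts and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urldefrag, urljoin, urlsplit

# Matches <meta http-equiv="refresh" content="N; url=...">. Limitation of this
# sketch: it expects http-equiv to appear before content in the tag.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*'
    r'content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)

# Constructed sample logs. Each hop is (URL, status, response headers, body).
SERVER_REDIRECT_LOG = [
    ("https://mail.example/", 302, {"Location": "http://mail.example/inbox"}, ""),
    ("http://mail.example/inbox", 200, {}, "<html>inbox</html>"),
]
META_REFRESH_LOG = [
    ("https://news.example/", 200, {},
     '<meta http-equiv="refresh" content="0; url=http://news.example/">'),
    ("http://news.example/", 200, {}, "<html>news</html>"),
]
CLIENT_SIDE_LOG = [
    ("https://search.example/", 200,
     {"strict-transport-security": "max-age=31536000"}, "<html>search</html>"),
    ("http://search.example/#", 200, {}, "<html>search</html>"),
]


def header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def server_target(url, status, headers, body):
    """Return (mechanism, absolute URL) if the response itself asks to navigate."""
    location = header(headers, "Location")
    if 300 <= status < 400 and location:
        return "http-redirect", urljoin(url, location)
    match = META_REFRESH.search(body)
    if match:
        return "meta-refresh", urljoin(url, match.group(1))
    return None, None


def find_downgrades(hops):
    """List every https -> http step in the log with the mechanism behind it."""
    findings = []
    for (url, status, headers, body), following in zip(hops, hops[1:]):
        next_url = following[0]
        if urlsplit(url).scheme != "https" or urlsplit(next_url).scheme != "http":
            continue
        mechanism, target = server_target(url, status, headers, body)
        requested = (target is not None
                     and urldefrag(target).url == urldefrag(next_url).url)
        if not requested:
            # Nothing in the response asked for this navigation, so it started
            # in the browser: page script, add-on, or a followed http:// link.
            mechanism = "client-side"
        findings.append({
            "from": url,
            "to": next_url,
            "mechanism": mechanism,
            # With HSTS set, a browser honouring it upgrades later http://
            # requests to that host by itself (RFC 6797).
            "hsts": header(headers, "Strict-Transport-Security") is not None,
        })
    return findings


if __name__ == "__main__":
    for log in (SERVER_REDIRECT_LOG, META_REFRESH_LOG, CLIENT_SIDE_LOG):
        for finding in find_downgrades(log):
            print(finding)
```

A `client-side` result on a host that sent HSTS is the case worth repeating in safe mode or with a fresh profile, since neither the server's response nor the browser's stored policy explains the plain-HTTP request.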

GNUser
Joined: 07/17/2013

First of all, thanks for your comment, you really raised some good points!

However, I will not be able to answer all your questions, because, like I said, I already reinstalled Trisquel, deleting everything that I had in my HD. I would not have done it if I had another computer available, but right now I only have one available and I need it working. =S I would have preferred to investigate it deeper, but it really was not an option, I needed a solution =S

However, I will try to address all your questions one way or another:

I did not try safe mode. It was one test that I did not think of. My mistake.

One reproducible thing would be "Every time I connect to "https://startpage.com" it will drop the lock and the "s" and redirect me to "http://startpage.com/#". Notice that it adds the # symbol". Another would be the fact that the green bar in hotmail would also disappear, but I couldn't notice any change in the url. HOWEVER, it wouldn't happen if JS was disabled, so, I can pretty much be sure that JS was being used to do the trick. However, it was happening in all websites (duckduckgo, startpage, hotmail, trisquel, etc).

I was using https everywhere addon and noscript addon, so it should not happen. Also, if the connection to https was somehow damaged, it should have given me the "this connection is insecure" kind of thing alert. That never happened, the browser was acting as if it was all too normal.

I am using my computer, the same one I have always been using. I did not install any certificates. Also, I was not using wifi at the moment, so a "typical" sslstrip attack is unlikely. More likely, something got itself inside the browser/system and started running malicious JS.

The only thing I installed was Linterna Magica, Lightspark and Gnash. I was testing if having those flash players would improve my browsing experience. HOWEVER, I did not notice that behavior right away after installing those. I still have to say though, they did not improve my browsing :P I am sticking with html5 lol.

I hope some of this made sense to you. I thank you again for taking the time to write the comment, and I don't think those were dumb questions. I actually thought it could be my ISP but I proved it was not. I thought it could be hardware, but it proved not to be so.
I can't really know WHAT it was anymore, as I installed a fresh new version. But, I still think I did the right thing alerting the community. Whatever the reason was, if it affected my system it could affect others. So... just keep an eye, and if someone notices anything, post here!

Thanks again =)

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Linterna Mágica is known to create problems involving the addition of the # sign at the end of the URL.

That confirms my first guess. Would you now admit that you were wrong to claim that your system was compromised?

GNUser
Offline
Joined: 07/17/2013

The link you provided is in French, which I can't read. So, I won't be able to extract any information from there. I am sorry.

HOWEVER, I had already tested (using the livecds) if adding the # symbol would cause it. It did not. And to be sure I just tried it right now with Tor Browser, and if I write "https://startpage.com/#" it will stay with the lock and https connection. So, no, simply adding # at the end would not cause that. AND even if it did, it would still be a compromising of the system, as anyone could install linterna mágica and have their https connections screwed. It would still be something that needed to be addressed. Since the beginning I always admitted the possibility of having done something stupid with the system. Just had no clue what it could be. Now, linterna magica could be that stupid thing, but it wasn't. Still, I might be the sole responsible for the system compromise. I am not denying that. But SHARING the experience WILL help PROTECT other users.

And by the way, the # symbol would only appear in startpage, and not duckduckgo for example. Still, duckduckgo would also lose https connection.

So, that is still not the answer.
Thanks for the information anyway, even if you are now only determined on making me look like an idiot (even if you might not be right). Still, people who speak French will gain something from reading your link. So... even if I have to keep up with your attitude for the next days/weeks/months it was good for the community. I am happy =)

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

In the thread in French, shokin was reporting in his first post that "the address of *almost* any page that his browser was loading would have, after 1-2 seconds, a # appended to it". The example he gave was a page accessed through HTTPS. He then added, in this message, that "the problem was disappearing when unchecking the box that activates Javascript". The similarities with what you described are obvious.

In that subsequent message, I suggested that shokin deactivate, one by one, the GreaseMonkey scripts he installed. Quantumgravity wrote that it was indeed a good idea because he had solved this same problem by deactivating Linterna Mágica. Finally, shokin humorously confirmed that this lantern was indeed doing the dark magic on his computer. It was as well on your system. That is obvious. That *is* the answer.

The French thread is "normal". In particular, shokin clearly explains the symptoms and nobody ever suggests that the computer could have been compromised. Such a conclusion makes no sense: as I wrote earlier, a computer that is compromised does not behave in a weird way.

As a conclusion, it was completely unjustified to "alert everyone" (your words) that "TRISQUEL MIGHT HAVE BEEN COMPROMISED" (because Firefox has known vulnerabilities... even if none of them matches the issue), that you "clearly" suffered "an attack to spy on [your] connections", that " Trisquel WAS compromised in [your] pc", etc. And as andrew wrote, you really need to read that document.

And just to be clear: I am certain that Linterna Mágica is not malware. This script, written by ivaylo (a Trisquel user), must simply malfunction in an environment ivaylo never tested. Probably, in conjunction with HTTPS Everywhere since you mentioned that you had this other add-on installed (and that the issue was occurring on pages accessed through HTTPS).
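The one-by-one deactivation described in the post above can be made systematic when two add-ons only misbehave together. The following is an added example, not part of any forum post and not code from Linterna Mágica or Trisquel; the add-on list and the simulated oracle are constructed, and the oracle encodes the thread's hypothesis (symptom only when Linterna Mágica and HTTPS Everywhere are both enabled) as an assumption.

```python
from typing import Callable, FrozenSet, Iterable, List, Tuple

# An oracle answers: "with exactly these add-ons enabled in a fresh profile,
# does the HTTPS page lose its padlock?"  In practice a person answers it by
# hand after restarting the browser; here it is simulated.
Oracle = Callable[[FrozenSet[str]], bool]

def minimal_trigger(addons: Iterable[str], reproduces: Oracle) -> List[str]:
    """Drop add-ons one at a time while the symptom persists (1-minimal set)."""
    enabled = list(addons)
    changed = True
    while changed:
        changed = False
        for name in list(enabled):
            trial = [a for a in enabled if a != name]
            if reproduces(frozenset(trial)):
                enabled = trial      # symptom survives without it: not needed
                changed = True
    return enabled

def triage(addons: Iterable[str], reproduces: Oracle) -> Tuple[str, List[str]]:
    """Classify where the symptom comes from before blaming the system."""
    addons = list(addons)
    if reproduces(frozenset()):
        # Happens in a clean profile: the cause is outside the add-ons
        # (browser build, system, network) and deserves deeper investigation.
        return ("outside-addons", [])
    if not reproduces(frozenset(addons)):
        return ("not-reproducible", [])
    return ("addons", minimal_trigger(addons, reproduces))

# Constructed add-on list and constructed oracle (assumption: the symptom needs
# both Linterna Magica and HTTPS Everywhere, as hypothesised in the thread).
ADDONS = ["NoScript", "HTTPS Everywhere", "Linterna Magica"]

def simulated_oracle(enabled: FrozenSet[str]) -> bool:
    return {"Linterna Magica", "HTTPS Everywhere"} <= enabled

if __name__ == "__main__":
    print(triage(ADDONS, simulated_oracle))
```

A result of `outside-addons` is the case where keeping the disk image and investigating further would be warranted; a non-empty add-on list points to a reproducible bug to report to the add-on authors.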

GNUser
Offline
Joined: 07/17/2013

First, you are wrong.
Second, fuck you asshole full of shit! Stop trying to hide any problems in Trisquel and stop shutting down people who want to call things into question. It's their right, they are free as much as you are!

Oh and third, you know nothing about internet security in the real world, so don't even talk about that. You know nothing, you are just an asshole who thinks he is greater than others.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Let us sum up:

  1. Two users of Trisquel, shokin and quantumgravity, recently had the following very specific issues: when using Abrowser with Linterna Mágica, some URL loaded through HTTPS would have a # sign appended after 1-2 seconds. That was not happening when JavaScript was disabled.
  2. A new user of Trisquel, GNUser has the same setting and reports the same very specific symptoms in the middle of a bunch of alerting messages about how "TRISQUEL MIGHT HAVE BEEN COMPROMISED".

When we explain to GNUser that his issue, like shokin's and quantumgravity's, must be due to Linterna Mágica misbehaving in the presence of another add-on (probably HTTPS Everywhere), we are simply answered that "[we] are wrong" and to go "fuck [our] assholes full of shit". No additional argument.

GNUser thinks Trisquel was compromised. He says it is his "opinion". According to him, explaining why his system was certainly not compromised is being against freedom of speech. It is wanting "this place to be like 1984 in internet version, where they can control everything and everyone". People who do that "are assholes who need to be told to SHUT THE FUCK UP, and [GNUser] will be there to do that". Appreciate the contradiction.

GNUser thinks he suffered SSL stripping, an attack that does not require any computer to be compromised. If we tell him that SSLstrip is a man-in-the-middle attack, he answers that we "know nothing about internet security in the real world" (in the "real world", SSLstrip requires a compromised system?!). That "[we] are just assholes who thinks they are greater than others". Again: appreciate the contradiction.

GNUser
Offline
Joined: 07/17/2013

For those who like to be lied to, read what Magic Banana wrote. Those who want to know the truth and decide by themselves, read the whole thread (the one that was cowardly and unjustly moved to the Troll Hole).

Although, given the way Magic Banana and others have been treating me, I do feel like living among the Trolls. Good thing I don't fear them.

quantumgravity
Offline
Joined: 04/22/2013

Why don't you get it?
I, shokin and even another member (I can't find the thread anymore) experienced the same problems as you.
We all removed linterna magica and the problem disappeared.
We are all eager to make trisquel more secure, but just if there is a real problem.
You experienced some strange behavior, reinstalled your system so we will never be able to find out what it was and now you're just making claims without evidence.
Magic Banana pointed out lots of good reasons why there is no need to make such claims;
instead of providing any other argument you just insulted him and talked about your great knowledge on internet security which I consider as at least doubtable after this whole thread.

Benjamin Rochefort
Offline
Joined: 08/03/2013

On 2013-08-16 20:34, name at domain wrote:
> The only thing I installed was Linterna Magica

So you were using a script after all. I'm ready to bet that Linterna
Magica is the culprit. I have already observed that kind of behavior.


GNUser
Offline
Joined: 07/17/2013

Thanks for the comment. However, read the one I wrote just above yours.
It's hard for me to believe linterna magica was the culprit, because that would be like saying "linterna magica will always break your https connections" :P

GNUser
Offline
Joined: 07/17/2013

So... we came to this.
Now I miss OpenBSD community. They might be rough and tough, but they are HONEST!
Unlike them, this forum has pretended to be a serious one, but now shows its true face: don't like a thread, hide it deep in the Troll Hole. Think that someone might be questioning the "saint" that is Trisquel developer, instead of offering any reason just try to shut him down.
In the OpenBSD, yeah they might flame you, but they also got your back. Here, we have people who are always there to criticize and harass users who speak their thoughts out loud, but they are not there to help people who need.
Take for example the thread where Lembas asked a simple question: how to associate one file with one program? The only people who tried to help were me and janlete. As for the users who have constantly harassed me (like the asshole, AKA quantumgravity, or the guy who thinks he knows everything about security, AKA Magic Banana, and others) they didn't go there to help. Probably they thought it was "too dumb" for their "sensible voices and great knowledges" and decided to let Lembas on his own. Well, I say, fuck them! And fuck the guy who is full of shit and moved the topic to a different location without posting in the thread itself explaining his actions. All of them are full of shit!

My first post was here in the Troll Hole. I have nothing against the place. But there are stupid pieces of shit here who think that they will shut me down and make my last post also be here. Well, I will tell you this, it will not. There are people here who need help with questions, and I will be there to help them. There are issues that need to be called into question, and I will do so. There are assholes here who need to be told to SHUT THE FUCK UP, and I will be there to do that. No one will take me down that easily.

I will however let everyone know that I am currently moving to another distro. Trisquel has shown to be unworthy of any trust, because not only they provide late security updates and poor support, but they also try to hide their stupid decisions (google dns, anyone..?) and hope that those assholes full of shit will be there to attack anyone who says "Trisquel is doing this or is configured like that and I think I have a better idea". Well, this distro deserves no more trust from me. So, I will move to another distro. One that actually respects their users, instead of having people (maybe they are all the same actually, using fake accounts to have numbers advantage) attacking those who speak freely.

Yes, because people here like free software, but they don't like free speech. They don't want you to use the word piracy, even if that's what they do. They don't like people to point errors and weaknesses in Trisquel, even if those could be easily fixed. No... they want this place to be like 1984 in internet version, where they can control everything and everyone.

Like I said, I will not leave the community, I will probably spend less time here (mainly to help people who need help) but I won't abandon this community. Some people might have wanted me to leave, but I won't. If there are weaknesses in Trisquel, they will be revealed, and if I suspect anything I will alert people. If someone has a doubt, I will try to answer. If someone wants FREE options to pirated content, I will provide them (I know more about those than the asshole pirates like quantumgravity).

As for the assholes like quantumgravity, Magic Banana, onpon4, and others... FUCK YOU MOTHERFUCKERS, YOU WON'T KEEP ME SILENT!
.|.

My apologies to everyone who came here to learn about what was wrong with Trisquel (Abrowser way behind firefox security updates, google dns activated by default, firewall disabled in default installation, among other things, so just you know the truth) but you had to read this reply. Anyone who will use any common sense will see that I was harassed multiple times and here I was unjustly moved away. I will not take that from anyone. I will keep replying back to anyone who has serious concerns over their security and privacy (without security you have no privacy and without privacy you have no freedom, no matter the license you use!), and will provide help to anyone who wants and needs... Except those assholes full of shit in their mouths I mentioned earlier.

onpon4
Offline
Joined: 05/30/2012

Blah blah blah, I hate you all, blah blah blah, I'm better than you, blah blah blah you're trying to censor me, blah blah blah...

This thread most definitely belongs in the troll hole. It's FUD. A new user who doesn't know any better could come across this post and think that Trisquel is dangerous because some guy who knows nothing about security thinks he's a security expert.

How old are you, anyway? I sure hope you're no older than 12, because that's the age you're acting like.

onpon4
Offline
Joined: 05/30/2012

By the way, why the heck are you mad at me? I didn't even post in this thread.