Re: [Freepto] freepto and flash

Author: aab3r
Date:  
To: Everything about freepto
Subject: Re: [Freepto] freepto and flash
On 2015-07-10 08:40, vinc3nt wrote:
> after the hackingteam hack[1][2] we updated our website with the
> following news:
>
> http://www.freepto.mx/en/news/
>
>
>> You may have known that the offensive security company HackingTeam has
>> been hacked, so a lot of their data has been accessible.
>> As it appears, they have linux exploits, too. It seems that it mostly
>> is about a Flash 0day.
>> Freepto has been vulnerable to this, at least for 0.1.1.
>>
>> The current situation about Flash has much improved, because from 1.0
>> freepto has the flash-click-to-play feature.
>> The click-to-play is useful, but is not a magic wand: the user could
>> be convinced to allow flash if the domain "sounds familiar", even though
>> the actual content may not be authentic.
>> Therefore we don't believe that 1.0 is completely safe from this
>> attack.
>
>
> We have also merged a pull request in order to remove Flash from
> Freepto:
>
> https://github.com/AvANa-BBS/freepto-lb/pull/149
>
> I think we should now discuss:
>
> - release a new version of Freepto (v1.1) which includes the last
> commit
> - provide documentation in order to mitigate flash based attack on
> existing Freepto
>
> What do you think about that?
>


Hi,

+ 1 to the release of a new version. And since we're talking about it,
some suggestions:

- As already said by Vinc3nt, disable/remove flash, because of security
concerns. Anyway, some of the more popular video sites use html5
nowadays.

- In /etc/apt/sources.list, change the line

deb http://http.debian.net/debian/ wheezy-updates main contrib non-free

for this one

deb http://httpredir.debian.org/debian/ wheezy-updates main contrib non-free

as the former line produces an error with the signature verification.

- Put fuse and ntfs-3g on hold, as they trigger initramfs to update,
which shouldn't be done in Freepto.

- General update (122 packages as of today), especially tortp,
torbrowser-launcher. I've tried and all of them install fine (as long as
you hold fuse and ntfs-3g, and say "No" when prompted to update
/etc/tor/torrc).

As I said before, I can do any test you need as a final user.

Cheers!


>
>
> -----
> [1] https://wikileaks.org/hackingteam/emails
> [2]
> https://wikileaks.org/hackingteam/emails?q=freepto&mfrom=&mto=&title=&notitle=&date=&nofrom=&noto=&count=50&sort=0#searchresult
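
The update steps suggested in the reply above, collected into one script as an added example; it is not part of the original message or of Freepto's own tooling. The function names are hypothetical, `apt-get upgrade` is assumed for the "general update", and `--force-confold` is used as the non-interactive equivalent of answering "No" at the torrc prompt.

```shell
#!/bin/sh
# Added example: apply the mirror change, the package holds and the update
# described in the message. Nothing runs unless the script is called with --apply.
set -eu

OLD_MIRROR='http://http.debian.net/debian/'
NEW_MIRROR='http://httpredir.debian.org/debian/'
HOLD_PKGS='fuse ntfs-3g'

# Rewrite the mirror on wheezy-updates lines only; other entries are untouched.
# $1 = path to a sources.list file. The first run keeps the original as $1.bak;
# later runs change nothing because the old URL is no longer present.
fix_sources() {
    list=$1
    [ -f "$list" ] || { echo "missing: $list" >&2; return 1; }
    [ -e "$list.bak" ] || cp -p "$list" "$list.bak"
    sed "/wheezy-updates/ s|$OLD_MIRROR|$NEW_MIRROR|" "$list" > "$list.new"
    cat "$list.new" > "$list"    # keep the owner and mode of the original file
    rm -f "$list.new"
}

# Hold the packages whose upgrade would trigger an initramfs update.
hold_packages() {
    # HOLD_PKGS is split into words on purpose
    apt-mark hold $HOLD_PKGS
    apt-mark showhold
}

# Upgrade everything that is not held, keeping the installed /etc/tor/torrc.
upgrade_keep_conf() {
    apt-get update
    apt-get -o Dpkg::Options::=--force-confold upgrade
}

if [ "${1:-}" = "--apply" ]; then
    fix_sources /etc/apt/sources.list
    hold_packages
    upgrade_keep_conf
fi
```

Run it as root with `--apply` on the live system; `apt-mark showhold` should list fuse and ntfs-3g before the upgrade starts.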