That Kaspersky is apparently too stupid to fix this leak properly even after it was pointed out suggests to me that their developers obviously are incompetent and the trust in them doing AV right is approaching zero, if they can't even load a script into a website without leaking like the Iraqi marine.
One of India's largest telecom networks, known for self-enforced censorship via deep packet inspection, has an AV on PlayStore with 10m installs.
> Reliance Jio does not sell or rent any Personal Information.
> Reliance Jio may provide your information or data to its partners, associates, service providers and third parties as necessary or appropriate
> Any personally identifiable information provided by you will not be considered as sensitive if it is freely available and / or accessible in the public domain.
If you don't want to be banned, you're welcome to email firstname.lastname@example.org and give us reason to believe that you'll follow the rules in the future.
Maybe consider cooling off before posting more?
I have seen my share of ridiculous security flaws in ALL OSes. Anyone remember when you could log in to any MySQL server by simply trying enough times? That wasn't Windows specific! (back in 2012!)
But then, I don't trust Microsoft, either.
In Debian, I can be reasonably confident that no information leaves the system without my authorization.
Edit: Just out of curiosity, am I wrong in mistrusting Microsoft, or in trusting Debian?
There are enterprise solutions that may be better for centralized control in a mixed environment (OS X/Linux/Windows). Please consult your CISO.
Except that I do use Windows without trusting Microsoft. I use install disks that I've purchased ~anonymously for cash. And I only run VMs, which hit the Internet via nested VPN chains, and sometimes Tor.
I don't think Microsoft minds or cares that your Windows VM telemetry gets sent to them that way or any other way?
How are your VPNs and Tor helping you with the Microsoft you don't trust?
Sometimes I do need to put data on VMs that I want kept private. For that, I clone a Windows VM, add a virtual disk containing the data, and then start it with no network connectivity. When I'm done, I detach the data disk, and delete the VM.
If you set your timezone, that's already leaking 5 bits of information (37 timezones); it lets an observer narrow down your location. The times the VM is active can confirm this (by observing when the VM is more active vs not, your sleep pattern can be derived).
Your language setting can nail down north vs south hemisphere, that leaks another bit of information.
Since you come from a Tor endpoint, we can exclude with high probability old demographics and very young demographics (>65 and <14 years old), those seem to rarely use such tools. That eliminates about 34% of the population, leading to another 8 bits of entropy leaked. The usage pattern of the mouse can be used to confirm (shaky movements could indicate cognitive impairment common among elderly as well as usage habits like only using VMs outside common school times).
We're down to 19 bits; only 500'000 people share these traits with you.
By profiling which websites you visit and the fact you're using tor, one can take a guess at your gender, likely male. Another bit is gone, 250'000 people left.
Identifying 1 in 250'000 people based on them using a VPN: depending on region, between 18 and 30% of people use a VPN at least once per month (Statista); that fact alone leaves you with 13 bits on both ends of the range.
1 in 8000 people.
Are you certain you can hide among 8000 people? Because things like movies being watched or social network usage can further leak entropy and reduce your anonymity set. Your meatspace identity is protected by 13 bits.
And if you visit very specific websites, like LGBT-related content, this can be used to identify you as LGBT, moving you down to 4 bits of entropy. 16 people.
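A worked version of the anonymity-set arithmetic used in the comment above (an added example, not from the thread): a trait shared by a fraction p of the population leaks -log2(p) bits, and the anonymity set shrinks by a factor of 2^bits, assuming the traits are independent. The trait fractions and the baseline population are constructed assumptions for illustration.

```python
import math

# Constructed illustration: the fraction of the baseline population sharing
# each trait an observer could learn. These are assumptions, not statistics.
OBSERVED_TRAITS = {
    "timezone (one of 37)": 1 / 37,
    "age between 14 and 65": 0.66,    # 34% of people excluded
    "likely male": 0.5,
    "uses a VPN at least monthly": 0.18,
}
BASELINE_POPULATION = 7_700_000_000   # rough world population, constructed assumption


def bits_leaked(fraction):
    """Bits an observer gains from a trait shared by `fraction` of the population."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must lie in (0, 1]")
    return -math.log2(fraction)


def anonymity_set(population, traits):
    """Total bits leaked and the size of the remaining anonymity set.

    Assumes the traits are statistically independent; correlated traits
    (timezone and language, say) leak fewer bits than this sum.
    """
    total_bits = sum(bits_leaked(p) for p in traits.values())
    remaining = population / 2 ** total_bits
    return total_bits, remaining


def bits_to_single_out(population):
    """Bits needed before only one person is left in the set."""
    return math.log2(population)


def report(population=BASELINE_POPULATION, traits=OBSERVED_TRAITS):
    """Per-trait contribution and the resulting anonymity set, as text."""
    lines = [f"{name}: {bits_leaked(p):.2f} bits" for name, p in traits.items()]
    total, remaining = anonymity_set(population, traits)
    lines.append(f"total {total:.2f} of {bits_to_single_out(population):.2f} bits; "
                 f"about {remaining:,.0f} people share these traits")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Swapping in the observer's own trait fractions shows how quickly a handful of independent traits reaches the roughly 33 bits needed to single out one person worldwide.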
I know (and have known, unfortunately) multiple people over 60 that use Tor. Aha but such people are even rarer and therefore must be even easier to identify ... or are they? :)
In fact I know a handful of kids younger than 14 who have on occasion used Tor as well.
If you already (reasonably) assume the gender is most likely male, then you should know that is also less than one bit of information.
Etc. You need to try a bit harder :)
Same for over 60yo.
There are plenty of other ways to whittle away at the bits. I think you're overconfident.
Your analysis strikes me as implausible. Few adversaries could see all of those parameters. For example, it's typically Tor through a nested VPN chain. So it'd be nontrivial for a local observer to know that I'm using Tor. Or for a remote observer to know that I'm using VPNs.
And seriously, why would I use my meatspace timezone? But actually, I do sometimes, just to be more random. Also, my sleep schedule is highly irregular, as one can tell from my HN posting history.
About sleep schedule. I really don't have one. I work and sleep when I feel like it. And I nap. And I have modafinil and zolpidem available. And coffee.
If you charted my waking and sleeping times long-term, you'd find pretty much a random walk. I can be up as much as 30-40 hours, or as little as ~1 hour. And I can be sleeping for anywhere from ~1 hour to maybe 15 hours or more.
Fefe, a German blogger, had this analysis done using his posting history on his blog, allowing readers to not only determine his timezone, but when he was travelling and where.
Sure, mine is "regular". In the sense of regularly random.
But they still have no clue who I am. Which is all that concerns me.
Why do I take such precautions? Well, I've been an anonymous coward for a couple decades. I've corresponded with many people, and played with many projects. I honestly have no idea who might be after me, or for what. Ideally, nobody, for nothing. But ...
Given that, I take whatever precautions I practically can.
And it's also a hobby. Perhaps like building little ships in glass bottles. But hopefully maybe useful to someone.
The idea is everyone pools their threat data and immunity to new threats can be rapidly disseminated via Azure. The time window any new malware has to exploit Windows 10 anywhere in the world is measured in 10s of minutes now. It’s impressive stuff. The ISG can spread immunity much faster than malware can spread itself.
Of course, wearing my cynic's hat, they never bothered to backport it to Windows XP and that's why the NHS was hit with WannaCry. But the other side is that they had plenty of time to upgrade...
Linux would badly need AV if it was a more popular desktop OS. Right now the user base is just too small to be a valuable target.
A regular Linux distro (without SELinux or some kind of application sandboxing and a hardened setup including NOEXEC home, forbidding ptrace, ...) is very susceptible to compromise.
All it takes is somehow getting the system to execute one unprivileged shell script and your user is permanently hosed.
An attacker can spy on everything, including other applications' memory, unless they prevent it. Browsers are also easily compromised by just injecting an extension that can spy on everything.
Also the lack of dynamic firewalls makes it hard to monitor/prevent unwanted network traffic (which could often be easily circumvented, though).
And if you decided to add a third-party apt repository, for example, to use Node.JS or VS Code, you give permanent root access to the owner of the repository. Also, some third-party .deb packages (for example, Slack) automatically add their repository and public key to the apt sources list upon installation.
For example, there is a third-party repository that allows installing multiple versions of PHP in Debian. This repository replaces cryptographic libraries provided by Debian with its own ones (you can see those packages here: https://packages.sury.org/php/pool/main/o/openssl/ )
Also, in Linux an unprivileged program, run under the "nobody" account, can read all unique hardware identifiers like MAC address, HDD serial number etc.
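A defender-side audit of the third-party repository risk described above (example code added here, not from the thread): it parses one-line apt source entries and flags every non-distribution origin together with weak trust settings (trusted=yes, a key not pinned with signed-by, plain http). The distribution host allowlist and all sample lines except the packages.sury.org one are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts belonging to the distribution itself (constructed allowlist for a
# Debian system); any other origin is a third party whose maintainer can
# ship a package whose maintainer scripts run as root.
DISTRO_HOSTS = {"deb.debian.org", "security.debian.org"}

# Constructed sample of /etc/apt/sources.list(.d) content. The sury.org line
# is the PHP repository mentioned in the thread; the example.* lines stand in
# for vendor repositories dropped in by a .deb's post-install script.
SAMPLE_SOURCES = """
deb http://deb.debian.org/debian buster main
deb https://packages.sury.org/php/ buster main
deb [trusted=yes] http://repo.example.com/debian/ stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor.gpg] https://repo.example.net/debian/ stable main
"""

SOURCE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<url>\S+)\s+(?P<suite>\S+)\s*(?P<comps>.*)$")


def parse_sources(text):
    """Parse one-line-style apt source entries, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SOURCE_RE.match(line) if line else None
        if not m:
            continue
        opts = {}
        for opt in (m.group("opts") or "").split():
            key, _, value = opt.partition("=")
            opts[key] = value
        entries.append({"url": m.group("url"), "host": urlparse(m.group("url")).hostname,
                        "suite": m.group("suite"), "options": opts})
    return entries


def audit_third_party(entries, allowed=DISTRO_HOSTS):
    """Map each non-distribution host to the weaknesses of its trust setup."""
    findings = {}
    for e in entries:
        if e["host"] in allowed:
            continue
        issues = []
        if e["options"].get("trusted") == "yes":
            issues.append("trusted=yes disables signature verification")
        elif "signed-by" not in e["options"]:
            issues.append("no signed-by: the vendor key in trusted.gpg.d is accepted for every repository")
        if e["url"].startswith("http://"):
            issues.append("plain http: repository metadata is exposed in transit")
        findings[e["host"]] = issues
    return findings
```

Run it over the real files by feeding the concatenated contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.list to parse_sources; the deb822 .sources format is not handled here.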
So I work only in VMs. I do nothing on host machines except to run VMs, and keep the OS up to date. And I compartmentalize rigorously. Minimally in different VMs. When it matters more, in different host machines. And when it really matters, in different host machines on different LANs. Only text files cross important security boundaries. And machines that my ~anonymous personas use never see anything about my meatspace identity.
This is, of course, just a hobby.
When part of your core functionality is dependent on coverage and total install count, you're never going to beat someone who leverages control of a lower part of the stack.
Debian and openbsd are probably as close as it gets to having an actually secure system, and if I had to pick an os for a very critical application, it would definitely be one of those. But really, honestly, any of debian, ubuntu, fedora, alpine, arch, gentoo, slackware; freebsd, openbsd, netbsd, dragonflybsd are probably more than sufficient for any practical need you might have for privacy and security.
(I'm not saying you should not trust Debian though.)
I do wonder if a stateful OS such as NixOS can help mitigate the threat of malware more easily (sans extradition of data, for that we'd need capability-based security, or something like pledge). If it'd be user-friendly, like TimeMachine, that is.
Only if you are not running a web browser
> Edit: Just out of curiosity, am I wrong in mistrusting Microsoft, or in trusting Debian?
Only fools trust Microsoft (or Google, or Facebook). I slightly hoped they were turning in the right direction in Win 2000 and XP and even 7. But Vista and the rest showed their true nature.
About Debian I have mixed feelings. On one hand they are a very respectable distribution, on the other hand - systemd.
Touché. I am not hard-core enough to browse in terminal. I don't use Chrome/Chromium though.
I actually rather like systemd. Most of the time, at least. But yes, I know the controversy. So do you like Devuan?
From a security POV Desktop Linux is an utter disaster.
For attackers it's like going back a decade in time.
Security from what? By default, there are no services listening. And what malware runs on Linux?
Desktop Linux, not "the Linux kernel". The kernel isn't amazing, but on the desktop side you regularly see downright absurd stuff like this
and less surprising bugs like this https://donncha.is/2016/12/compromising-ubuntu-desktop/
The quality of software outside of some widely deployed server software tends to be quite poor, exploit mitigations are not being implemented.
>And what malware runs on Linux?
Far too many to list. You can easily find hundreds of public examples. This terrible Wikipedia page provides a decent starting point with a list of names to google https://en.wikipedia.org/wiki/Linux_malware
That's a bug which only occurs on five year old distributions and which was fixed years before any exploit was ever found. Honestly if that's being brought up as a bad example Linux is looking pretty good compared to other operating systems.
I don't think we're reading the same post unless you got confused by the part where he discusses the exploit not the bug.
> Honestly if that's being brought up as a bad example Linux is looking pretty good compared to other operating systems.
Compared to what? FreeBSD? Certainly not any modern desktop OS.
MSFT is investing heavily in exploit mitigations while Linux distros are probably still struggling with ASLR. https://www.blackhat.com/docs/us-16/materials/us-16-Weston-W...
shellrc and profile as well as almost all core unix tools allow running arbitrary code.
You can even bend the paths of bashrc and friends so the user can't trivially inspect them without dropping to root first (at which point, arbitrary code can trivially obtain root access too)
Why do you? Edit: Or maybe I'm misinterpreting?
In fact more than 95% of people are not presently in the US.
Most installs are from individual people in and outside of the US.
I suspect it is mandated by some sort of compliance requirement, and the IT departments are just ticking a box. Maybe that's how this industry is still alive.
The AV needs to be up to date, pervasive, and with central reporting. Here is where simply having Windows Defender installed falls flat -- when it finds some malware on Betty's computer, you can't be sure what the scope was until you investigate yet standalone Windows Defender won't give you that information. So you need the enterprise version with the reporting console, alerts, etc.
AV is a nuisance for most of us, and I've gone sans it for many years, but it's critical in most workplaces because there are a lot of people who will happily run that program, etc, and you can't catch everything at the edge.
It doesn't mandate it explicitly, but your auditor may get fussy if you can't answer questions about the relevant controls with a clear answer.
I imagine things are different for people on PCIe NVMe SSD but Windows (or any modern OS I guess with any antivirus) is not so good if we are on spinning rust.
I think if we insist on real-time file scanning, the least we can do is provide at least a decent SATA SSD like the Samsung 860 EVO and adequate RAM to avoid thrashing.
(Enabling RAPID mode basically creates an invisible RAM disk and uses it under the hood.)
Gotta say, it works amazingly well. I am getting almost PCI/NVMe speeds on my SATA III SSD.
Sorry if this is obvious but does that mean we will have a better experience with a total of 32GB RAM than say 8GB? I have not worked with RAM disk before...
Make an AV, that does not really do anything, but can be used by thoughtful companies to "tick the box". Sell licenses and then do only the minimum required for compliance.
It could be described that it uses Windows Defender service to provide the basis of AV solution.
For ransomware anyway. If they're targeting you specifically they'll find out what you're running and customize against it.
Nobody told NC State to require anti-virus, and the same company that created the requirements isn't going to accept some "minimal" solution to check their own box. Instead they will maintain a list of approved software, and your solution won't be on it.
That said, I don't know if there's any compelling reason to use something beyond what the OS vendor already provides.
AV is still super important to have for people who don't understand that downloading a fake flash player to watch the newest game of thrones episode isn't the best idea. And there's a lot of those people out there.
I'm not sure why anyone would use any other than Defender TBH. I wonder if perhaps it's licensed separately for enterprises?
I run Linux and have ClamAV installed for some compliance thingy, yet I have never run it (the compliance thingy tells me to have AV installed, not to actually run it). I can totally recommend some up-to-date Linux distro in case you want to steer clear of "viruses (etc)".
I presume this wouldn't allow tracking in private browsing mode (I guess Firefox doesn't use the standard user agent), but still not good.
Just a subsidiary.
And there are other risks to users. Once that data has been collected, others may access it, and use it in far more damaging ways. Users in China or Saudi Arabia, for example, may end up in jail, or worse.
From the screenshot in the article, there doesn't appear to be a kaspersky browser extension in use.
I guess it would have to be a MITM of some sort. Either by installing a cert or by getting the TLS keys from the browser, I suppose?
From my experience most fail to check the original CA meaning anyone can intercept your traffic...
User <-1-> antivirus <-2-> Site
User <-1-> antivirus <-2-> Hostile <-3-> Site
Edit: Especially frightening given allegations of FSB ties that other users pointed out https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations...
If you're paranoid enough to use a VPN for 'private' traffic, you should probably be running such sessions in a VM using something like the Tails live CD.
But using Tails in VMs isn't recommended. Better is using Whonix, because it isolates the Tor client and userland in separate VMs. It also has a LiveCD mode. And for added security, you can run it in Qubes.
My threat model is mainly about preventing potential adversaries from learning my ISP-assigned IP address. I don't care all that much if a VM, or even a host machine, gets pwned. My stuff is well enough compartmentalized that I'd at most lose some work. But not my privacy.
A good time to remind people that the U.S. government is not a fan of Kaspersky products.