On October 1, 2015 3:01:55 PM Steve Kinney <admin@pilobilus.net> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/30/2015 04:02 PM, stef wrote:
and they host all the juicy bits on documents on documentcloud, requiring anyone interested to expose themselves. it is not possible to download the dumps anonymously in a simple zip file, you really have to use goddamn javascript.
this is totally unacceptable. when approached on this, you get very irritated answers, if at all. to say "this stinks" is an understatement. it's a goddamn trap.
I am not inclined to believe that a "simple zip file" can be downloaded anonymously, without employing extraordinary OpSec procedures that would incidentally render javascript useless for tracking purposes. Not if the adversaries in your threat model include any official agency of any of the FVEYE countries, or any of the major private contractors working with them.
The network itself is the trap, with or without javascript, with or without obfuscation via TOR or etc. I would be much more concerned with the handling of those downloaded files on the local machine - if a trap is suspected, zero day exploits hidden in the files should be assumed.
:o)
-----BEGIN PGP SIGNATURE-----
[Snip]
Agree with both sentiments, but - who the hell opens documents of dubious origin on a networked machine? Even on an airgapped machine, I still use a VM...
-S