On Sun, Apr 19, 2020 at 12:33:19AM +0200, Oswald Buddenhagen wrote:
> On Sat, Apr 18, 2020 at 12:04:05PM -0500, Derek Martin wrote:
> > OK, please enlighten me: Tell me what you've learned,
> >
> nothing, because i don't care. ;)
>
> > how it's any worse than all the other information I demonstrated is
> > necessarily leaked from the headers, and how it is in any way
> > exploitable.
> >
> as the initial mail indicated, this is about data-mining *habits*. i
> can use that to make a first guess about how insecure your system is
> (judging by a long uptime)

I've already explained why it's not a good guess. And I've already
pointed out that even if you happened to guess correctly, it tells you
nothing about actual exploitable behavior. There are things one could
do that would result in always having the same PID. One is using
$edit_headers to make it so. A very plausible, real-world example
would be if I happen to boot my laptop every day, and immediately
start Mutt as the first thing I did, it would very likely have the
same pid, day after day, because the boot sequence, and my behavior,
are deterministic (at least until one of those things changes). That
would look like a long uptime, but...not be.

But it wouldn't matter, because this is not how someone with a clue
would look for ways to attack you. And I'm not worried about someone
who doesn't have a clue.

> or make you feel paranoid by showing that i know how often you
> restart your MUA (who knows what _else_ i learned?).

I'm not interested in allaying uninformed paranoia. I'm only
interested in protecting Mutt's users from real threats, by plugging
legitimate holes.

> i'm sure one could come up with other data points if one is inclined
> so.

This is not a compelling argument, and I'm equally sure that you
can't. Since proving a negative is impossible, the burden is on you
to prove you can. Do so, and I'll happily change my tune. I can't
know everything so if you do find a way, I'll be wrong, and I won't be
embarrassed to admit it. But I've been doing this kind of stuff for
quite a while, and I don't think your chances are very good.

> that my local host's name is revealed is mildly annoying, too. and
> yes, i could avoid revealing that anyway by having my MTA
> suppress/fake the Received headers appropriately for privacy (i
> didn't check what software/config i'd have to use, but i'm willing
> to bet that there _are_ options).

As I pointed out already, the first legitimate mail gateway you talk
to will add a header that includes the hostname or IP address of the
machine it was talking to, so there's really only one thing you can
do: Use an anonymizer. Most of those are pretty shady, and doing so
may be likely to attract the attention of law enforcement or
criminals. Anyone who cares to will be able to determine that you're
using an anonymizer, which may suggest that you have something worth
hiding.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.