Firefox and Chrome Private Browsing Not So Private

Recently, Chad Tilbury posted a blog article on Flash Cookie Forensics. If you didn’t already know, Adobe Flash stores cookies (actually called LSOs) on your computer that act more or less like regular HTTP cookies, except they never expire. This got me thinking about the built-in private browsing settings found in the current versions of Firefox (3.5.2) and Chrome (2.0). Both of these browsers have an easy-to-use private browsing setting that blocks histories, HTTP cookies, form data, etc. In Firefox, private browsing is called “Private Browsing”, and Chrome has “Incognito” mode. After reading his article, I began wondering just how private Firefox’s and Chrome’s privacy settings were when it comes to Flash cookies. A couple of simple tests showed me that there isn’t much privacy at all.

The tests were simple: locate the storage of Flash cookies (as demonstrated in Chad Tilbury’s article), and see if cookies are being saved while browsing in Firefox’s Private Browsing mode, and in Google Chrome’s Incognito mode. Here is a screenshot of the Flash cookies stored on my computer before I began internet surfing in Firefox:

Firefox Private Browsing Before Surfing the Net

And here is a screenshot of the stored Flash cookies after I surfed to hulu.com in Firefox Private Browsing mode:

Firefox Private Browsing after Surfing to Hulu

As you can see, even when using Firefox Private Browsing, Flash cookies are saved to the computer. Let’s see how well Google Chrome’s Incognito mode does. Here is a before screenshot, with Chrome cracked open in Incognito mode and ready to surf:

Google Chrome in Incognito Before Surfing

After surfing to hulu.com in Chrome Incognito, the Flash cookie was clearly stored on my computer:

Google Chrome Incognito after Surfing to Hulu

The problem really shouldn’t be a surprise based on how Flash cookies work, and I am not reporting anything new. It might not really be the browsers’ fault. Flash cookies aren’t handled by Chrome or Firefox, and thus the browser has no way to block them (as far as I understand it). Still, the private browsing features in Chrome and Firefox provide a completely false sense of privacy and security. One might make the argument that both browsers should be able to build in protection against Flash cookies. As Chad mentions in his article, Firefox has an add-on called BetterPrivacy that can manage Flash cookies, and NoScript blocks Flash completely, so if an add-on can do it, why can’t it be built into the browser? By the way, as far as I can tell, there isn’t a similar add-on for Chrome.
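The before/after comparison used in the tests above can be scripted. The following is an added example, not code from the original post: it snapshots the Flash LSO directory, then reports which sites gained or rewrote `.sol` files. The function names, the constructed sample tree and the `default_lso_root()` locations (the standard Flash Player paths, which the post does not list) are this example's assumptions.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def default_lso_root() -> Path:
    """Standard per-user Flash Player LSO directory (not listed on the page)."""
    home = Path.home()
    if os.name == "nt":
        return Path(os.environ.get("APPDATA", str(home))) / "Macromedia/Flash Player/#SharedObjects"
    if sys.platform == "darwin":
        return home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects"
    return home / ".macromedia/Flash_Player/#SharedObjects"


def snapshot(root: Path) -> dict:
    """Map each .sol file (path relative to root) to the SHA-256 of its content."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.sol"))
    }


def site_of(rel_path: str) -> str:
    """LSOs are stored as <random-id>/<site>/...; return the <site> component."""
    parts = rel_path.split("/")
    return parts[1] if len(parts) > 2 else "(unknown)"


def diff(before: dict, after: dict) -> dict:
    """Report LSOs created or rewritten between two snapshots, keyed by site."""
    report = {"new": {}, "changed": {}}
    for rel, digest in after.items():
        if rel not in before:
            report["new"].setdefault(site_of(rel), []).append(rel)
        elif before[rel] != digest:
            report["changed"].setdefault(site_of(rel), []).append(rel)
    return report


def demo() -> dict:
    """Constructed LSO tree standing in for a real profile, so this runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects" / "ABCD1234"   # constructed random id
        (root / "example.com").mkdir(parents=True)
        (root / "example.com" / "settings.sol").write_bytes(b"old")
        before = snapshot(root.parent)
        # Simulate what a private-browsing visit leaves behind on disk.
        (root / "hulu.com").mkdir()
        (root / "hulu.com" / "player.sol").write_bytes(b"constructed")
        (root / "example.com" / "settings.sol").write_bytes(b"updated")
        return diff(before, snapshot(root.parent))


if __name__ == "__main__":
    print(demo())   # on a real system: snapshot(default_lso_root()) before and after
```

On a real profile, take one snapshot of `default_lso_root()` before opening the private window and one after closing it; any entry under "new" was written despite private browsing.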

(This article is dedicated to my friend, John.)

Update: For a follow-up on how to block Flash cookies, and a better implementation of Flash called Gnash, see my article Blocking Flash Cookies (and Improved Security with Gnash).

How to Install and Fix Stumbler Plus Crashes on an iPhone (Jailbroken)

Google seems to have a lot of older forum discussions about how to get Stumbler Plus to work on the iPhone. Most of these discussions revolve around an old upgrade that resulted in a crashing state for this app. However, I have found that new installations of Stumbler Plus from Cydia also crash, and the fixes described in a lot of the Google results don’t solve the problem.

Before you can do this, your phone must be jailbroken, and you need to have OpenSSH up and running. If you are using Windows, you will need a command line SSH client like PuTTY and pscp.exe. Remember to turn off OpenSSH on your iPhone after this is done: there is no need to leave the service running, and anyone can scan your phone and find it.

To install Stumbler Plus on a jailbroken iPhone, first install it from Cydia. The app will crash as soon as it is launched. Follow these instructions to get it working properly. If you are using Windows and have downloaded pscp.exe, use pscp.exe where these instructions say to use “scp” to copy the Stumbler package to your phone. Use PuTTY to ssh into your phone to complete the rest of the steps from the Stumbler website. If you are not comfortable using PuTTY, you can also use the MobileTerminal application from Cydia directly on your phone.

My Twitter

Follow me on Twitter: http://twitter.com/Dantheman_13

Naming Computers in LANDesk Upgrade

Late last year I wrote an article on how to rename computers before an image is applied during LANDesk’s OSD process (read this article first if you haven’t already). Here at CSN, we PXE boot our faculty/staff computers into LANDesk’s specially configured WinPE, which launches a GUI menu of OSD tasks. These OSD tasks can be anything really, but that is a story for another article. My previous article about injecting the computer name into the Sysprep.inf file used a VBScript. I have since then upgraded to an AutoIt script that gives us more options.

PC Rename

First, let me give a brief explanation of our environment. We have a parent domain, and a child domain for students. We have four LANDesk agent configurations: one for labs and classrooms, one for office computers, one for laptops, and one for computers that don’t reside on our network. The LANDesk agent gets installed during the GUIRunOnce section of Sysprep. So, I upgraded our OSD task to prompt the technician to select which domain to join (or none), and which LANDesk agent to install. Here is the script. I won’t go through line by line like I did for the VBScript; you’ll just have to visit the AutoIt documentation website to look up some of the functions. Re-read my previous article on how I did the VBScript. The AutoIt script follows the exact same logic, but expands the idea to add more options.

#include <GUIConstantsEx.au3>

GUICreate("PC Rename", 250, 310) ; Create the GUI Window
GUICtrlCreateLabel("Enter the computer name:", 30, 10) ; Create a label
$computername = GUICtrlCreateInput("", 30, 30, 190, 20) ; Create the textbox
GUICtrlSetLimit(-1, 15) ; Limit the computer name to 15 characters
GUICtrlCreateGroup("Domain to join", 30, 60, 190, 90) ; Create the join domain "group" that surrounds the radio buttons
$optCSN = GUICtrlCreateRadio("CSN", 40, 80, 100, 20) ; Create the radio button to join the CSN domain
GUICtrlSetState(-1, $GUI_CHECKED) ; Set the CSN radio button as checked by default
$optSTUDENT = GUICtrlCreateRadio("STUDENT", 40, 100, 100, 20) ; Create the radio button to join the STUDENT domain
$optNONE = GUICtrlCreateRadio("Do not join a domain", 40, 120, 150, 20); Create the radio button to not join a domain
GUICtrlCreateGroup("", -99, -99, 1, 1)  ;close group

GUICtrlCreateGroup("LANDesk Agent", 30, 150, 190, 110) ; Create the agent "group" that surrounds the radio buttons
$optStaff = GUICtrlCreateRadio("Standard Staff/Faculty", 40, 170, 150, 20) ; Create the radio button to install the Faculty Staff agent
GUICtrlSetState(-1, $GUI_CHECKED) ; Set the Faculty Staff agent radio button as checked by default
$optDeepfreeze = GUICtrlCreateRadio("Deep Freeze Required", 40, 190, 170, 20) ; Create the radio button to install the Lab Classroom agent
$optLaptop = GUICtrlCreateRadio("Laptop/Roaming", 40, 210, 150, 20); Create the radio button to install the Roaming Laptop agent
$optRural = GUICtrlCreateRadio("Rural Site", 40, 230, 150, 20); Create the radio button to install the Rural Site agent
GUICtrlCreateGroup("", -99, -99, 1, 1)  ;close group

$okbutton = GUICtrlCreateButton("OK", 100, 270, 60)	; Create the OK button
GUISetState(@SW_SHOW) ; Show the GUI

$f = FileOpen("x:\LDClient\insertname.bat", 2) ; Create the insertname.bat file

While 1 ; infinite loop that waits for the GUI to receive a message
    $msg = GUIGetMsg() ; get any user input

    Select
        Case $msg = $okbutton ; if the OK button is pressed, check the options that the user selected
            If GUICtrlRead($computername) = "" Then ; if blank computer name, use the LANDesk inventory computer name for the name.
                FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=%Computer - Device Name%")
            Else ; else use the user input for the computer name
                FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=" & GUICtrlRead($computername))
            EndIf
            Select ; Choose the domain to join, or do not join a domain
                Case GUICtrlRead($optCSN) = $GUI_CHECKED ; Join CSN domain
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=;")
                Case GUICtrlRead($optSTUDENT) = $GUI_CHECKED ; Join STUDENT domain
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=STUDENT")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=;")
                Case GUICtrlRead($optNONE) = $GUI_CHECKED ; Join WORKGROUP and no domain
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=;")
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=")
            EndSelect
            Select ; Choose the agent to install
                Case GUICtrlRead($optStaff) = $GUI_CHECKED ; Install the Staff faculty agent
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instfacst.bat")
                Case GUICtrlRead($optDeepfreeze) = $GUI_CHECKED ; Install the Lab Classroom agent
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instlabcl.bat")
                    MsgBox(64, "Deep Freeze Reminder", "1.  Remember to run a scheduled Deep Freeze task for this computer in LANDesk Console after imaging is complete." & @CRLF & "2.  Set the System BIOS to auto power on every day at 11:00 pm.")
                Case GUICtrlRead($optLaptop) = $GUI_CHECKED ; Install the Laptop Roaming agent
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instlaptop.bat")
                Case GUICtrlRead($optRural) = $GUI_CHECKED ; Install the Rural agent
                    FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instrural.bat")
            EndSelect
            ExitLoop
        Case $msg = $GUI_EVENT_CLOSE ; if the GUI is closed, the default is to name the computer using the LANDesk inventory, and not join a domain.
            FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf COMPUTERNAME=%Computer - Device Name%")
            FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf NOWG=;") ; was NONE=;, which left %NOWG% unreplaced in sysprep.inf
            FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf WG=")
            FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf AGENT=instfacst.bat")
            ExitLoop
    EndSelect
WEnd

FileClose($f) ; flush and close insertname.bat

AutoIt scripts can easily be converted into an executable using AutoIt’s “Compile Script to .exe” tool.

I guess I also owe an explanation on how tokreplw.exe works. You can probably get this file by downloading the trial version of LANDesk Management Suite. This command takes two inputs: a file and a pair of tokens. The file is obvious: it is the target file to look at for token replacement. The token syntax is VARIABLE=VALUE, where VARIABLE appears in your target file as %VARIABLE%, and the value is whatever you decide. For example, let’s examine one line in the prename.au3 script, line 35:

FileWriteLine($f, "tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN")

To avoid confusion with the AutoIt portion of the code, we’ll break this down to the tokreplw command:

tokreplw c:\sysprep\sysprep.inf DOMAIN=CSN

So, the “c:\sysprep\sysprep.inf” file is targeted. Within this file, an occurrence of the variable %DOMAIN% will be replaced with the value of CSN, which is the name of our parent domain. If we crack open our sysprep.inf file (do an Advanced Edit in LANDesk Console), we have this:

[Identification]
%NOWG%JoinDomain=%DOMAIN%
DomainAdmin=csn\BadBoy
DomainAdminPassword=LeeroyJenkins
%WG%JoinWorkgroup=WORKGROUP

You can see the %DOMAIN% variable here. You will notice several other variables as well. I use tokreplw to manipulate the sysprep.inf file dynamically, depending on what the technician chooses. If the tech selects to join a domain, then %NOWG% becomes blank, and %DOMAIN% becomes the name of one of our two domains. The %WG% variable becomes a semicolon, which comments out the JoinWorkgroup line. If the tech does not select to join a domain, then %NOWG% becomes a semicolon, which comments out the JoinDomain line, and %WG% becomes blank. This configures the sysprep.inf file to join the computer to a workgroup instead.
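The token logic described above can be checked offline before it is used in an OSD task. This is an added example, not the author's script and not LANDesk code: `render()` only emulates tokreplw as this article describes it, and the function names, the sample computer name and the naming policy in `NAME_RE` are assumptions. It also validates the typed name before it is placed on a batch command line, and flags tokens that were never replaced.

```python
import re

# [Identification] section copied from the page; note that the domain-join
# account's password sits in this file in clear text.
SYSPREP_TEMPLATE = (
    "[Identification]\n"
    "%NOWG%JoinDomain=%DOMAIN%\n"
    "DomainAdmin=csn\\BadBoy\n"
    "DomainAdminPassword=LeeroyJenkins\n"
    "%WG%JoinWorkgroup=WORKGROUP\n"
)
TARGET = r"c:\sysprep\sysprep.inf"
DOMAINS = {"CSN", "STUDENT"}
# Assumed naming policy: letters, digits, hyphen, at most 15 characters.
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,15}")


def build_tokens(computer_name, domain):
    """VARIABLE/VALUE pairs for one technician choice; domain=None means workgroup."""
    if computer_name == "":
        name = "%Computer - Device Name%"      # LANDesk inventory name, as in the script
    elif NAME_RE.fullmatch(computer_name):
        name = computer_name
    else:
        # Reject anything cmd.exe could interpret (&, |, >, spaces, quotes ...).
        raise ValueError("invalid computer name: %r" % computer_name)
    if domain is None:
        return [("COMPUTERNAME", name), ("NOWG", ";"), ("WG", "")]
    if domain not in DOMAINS:
        raise ValueError("unknown domain: %r" % domain)
    return [("COMPUTERNAME", name), ("DOMAIN", domain), ("NOWG", ""), ("WG", ";")]


def batch_lines(tokens):
    """The lines that would be written to insertname.bat."""
    return ["tokreplw %s %s=%s" % (TARGET, var, val) for var, val in tokens]


def render(template, tokens):
    """Emulate the tokreplw calls as the page describes them: %VARIABLE% -> VALUE."""
    for var, val in tokens:
        template = template.replace("%" + var + "%", val)
    return template


def unresolved(text):
    """Tokens left on non-commented lines point to a missing or misspelled VARIABLE."""
    live = [ln for ln in text.splitlines() if not ln.startswith(";")]
    return re.findall(r"%([A-Za-z]+)%", "\n".join(live))


if __name__ == "__main__":
    for choice in (("LAB-PC-01", "CSN"), ("", None)):   # constructed inputs
        tokens = build_tokens(*choice)
        print("\n".join(batch_lines(tokens)))
        print(render(SYSPREP_TEMPLATE, tokens))
```

A non-empty result from `unresolved()` means the rendered file still carries a live `%VARIABLE%`, which is what happens when a token name in the batch file does not match the one in sysprep.inf.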

Feel free to ask any questions about the script, and I will do my best to answer them.

Google Voice on the iPhone

You can currently get an invite for Google Voice. The invitation came right away for me. The only problem is Apple rejected the Google Voice app for iPhones. Of course, this isn’t a big deal for people who have jailbroken phones. With Cydia installed, you can download GV Mobile, and make phone calls through your Google Voice account.

So what is Google Voice, and why would you want one? Let me tell you right now that this thing is cool once you grasp how it works and see it in real time! GV works like this: Google gives you an account and a phone number. In your Google Voice account, you enter your cell phone number, home number, and/or work number. When someone calls your Google voice number, it forwards the phone call to all of your listed phone numbers! You can even specify which numbers ring based on who the caller is. If you have more than one phone, this really allows you to consolidate your phone numbers into one number. I am sure that if you spend any time thinking about the possibilities for this application, you can realize that the uses for this could be huge! For example, you can give your home or cell number to agencies or businesses, while keeping your Google Voice phone number private for friends and family. The main concept to remember here is that your Google Voice number isn’t tied to a phone or device, it is tied to you.

GV also has a lot of neat features, particularly related to voicemail. You can have different greetings for different callers or groups of callers based on your Google Contacts. You can listen to voicemail on the Google Voice webpage. Voicemail is transcribed into text, both when you receive it on your phone (at least for the iPhone), and when you check it on the web. You can forward voicemail recordings to email, or even embed them on websites. GV can record phone call conversations, and listen to a voicemail message as it is being recorded. If you decide to take the call, you can do that too (provided the caller doesn’t hang up of course). Here is the list of things GV can do with links to short videos on how they work.

One last thing that impressed me, and really sold me on Google Voice, is the international rates. These alone are a good reason to have Google Voice. I occasionally have the need to call Australia, which is only $0.03 a minute. Compare that to my cell phone provider’s international rate, which is $3.50 per minute for the same phone call. I just couldn’t pass that up.

Unfortunately, Google Voice is only available in the USA. There are plans to add it in other countries though. I highly advise folks to go to the GV website and apply for an invitation. If you have a Google or Gmail account, use that if you can. I don’t know if it makes a difference, but I signed up using my Gmail account which I have had for a few years now, and got my invitation instantly. Good luck!

Internet Communities Making Revolutionary Changes

I’ve recently discovered an interesting phenomenon creeping up on the net. Well, political grassroots movements are not new to the internet at all. Every organization out there has a website, some using technology with varying levels of effectiveness. Politicians are using the net to communicate their platforms. Online communities have been around for a long time, from the early days of Usenet, to web bulletin boards, and now Web 2.0 sites like YouTube, Facebook, and Twitter. One impressive grassroots YouTube movement in particular has caught my eye as a movement that has stood out with a rather amazing and recent success story.

A couple of months ago, I watched an interesting vlog on YouTube from AtheneWins. As an ex-WoW player, I’ve watched Athene videos before, particularly for their humor. The rather large following that Athene videos have created apparently led to a spin-off by the amateur film makers of the AtheneWins videos, I Power. I Power’s focus was self-improvement, and, more to the point of this article, politics. I Power has taken a particular stance on supporting Net Neutrality in Europe.

I had known about Net Neutrality before, but this was the first that I heard about it being considered in the European Parliament. As a US citizen, I suddenly became increasingly interested in Net Neutrality. If laws could be passed in Europe that allow ISPs or governments to restrict what their users can view on the internet, why couldn’t it happen in the US?

Inspiration happened when I Power posted an “emergency” video on YouTube that encouraged Europeans to contact their Parliament, and support Net Neutrality. The video got 40,000 hits. As a skeptical, somewhat apathetic American, I had to wonder just how this would affect the European Parliament’s decision on whether or not to allow ISPs to control the content of the internet as it’s delivered to their customers.

A few days later, I Power posted this follow-up video announcing a victory in protecting Net Neutrality. Apparently, European Parliament members received so many letters, emails, and phone calls, that they realized just how important Net Neutrality is to the internet as we know it today, and refused to allow ISPs the ability to control what content their users could view. I couldn’t believe it!

This is a very real example of how online communities are making their voices heard, and making a difference. You always hear about how the “world is being changed by technology”, and the “internet is a huge part of change”. From politicians using YouTube and Twitter to spread their campaign message, to the leaked Iran protest videos (which Iran’s government has tried to suppress by blocking direct access to YouTube), these are more than just buzz words. The success of I Power stands out as one of the most impressive examples of how everyday people can use technology to make their voices heard, and when voices are heard by politicians (in democratic countries), change can become a reality.

A Windows SSH Client with Tabs

I’ve decided to upload my SSH client code, written in C# for Windows, to Sourceforge. This is very unfinished, buggy, and probably not well written. There is no installer yet. I need to update the telnet code since the library I am using (and had to hack to include some basic telnet negotiation code) has been updated. I am not sure how much of the telnet code I need to change, but the library looks like it has been improved quite a bit. The site manager portion of the code is also very unfinished, and I would like to finish that as well before making an installer for this program.

Here’s the code