Firefox privacy mode not so private...

True, no passwords there. Though one-way encryption means nothing, since these could be, via some attack vector, siphoned off to be cracked – in theory at least.

Still the question remains, why would Java need to mmap /etc/passwd?

That page is a bit misleading, imho. Take the following item for example:

Web cache files: No temporary Internet files or cached files from web pages will be saved until you turn off Private Browsing.

What does “cached files from web pages” mean? Would a regular user assume it also covers Flash, Java or whatever other plugin the page has? What if there are no visible plugins on the page? Naturally, no one should trust ANY promise of safe and private browsing, but some people might just assume things, like I did before I realized what Privacy Mode really is.

Cracking a password in Linux/Unix is not as easy as in Windows. It is encrypted one way, so when you put in your password you don’t decrypt your password; you compare the result of the password you gave with the result of the password you got. I can’t recall exactly how it is done in Linux, I read about it somewhere, but you should know that if your password isn’t “password” or some easy crap then it is VERY hard to crack it.

I recommend this website to read some interesting stuff. Some are outdated but some are still relevant.

http://www.cromwell-intl.com/security/Index.html

And this to harden your Linux box :)

http://www.cromwell-intl.com/security/linux-hardening.html

One-way encryptions, also known as hashes, all have one common flaw: there are collisions. Meaning, there is more than one string sequence that will be hashed the same.

Different algos present different collision probabilities and therefore different difficulties to crack them (by finding the same string or another one that produces the same hash).

md5 is the weakest.
sha1 recently had a collision algorithm developed.
blowfish is, afaik, very strong, and used by default in openSUSE. Also, blowfish is a cipher, not a hash.
There are of course many others. Personally I prefer RIPEMD-160.

md5 is the biggest problem because there are many distributed rainbow tables that can nowadays crack a pass within seconds.

www.freerainbowtables.com

I remember there was an option somewhere in openSUSE to set a stronger hashing algorithm. I can’t remember where, but such an option exists in openSUSE.

About md5 and sha1 weaknesses: that is true, but *nix systems use salts, which makes it A LOT harder to crack the password :)

@ken
This is a known problem of any anonymizer. What can I say, already using http traffic instead of https is just wrong for these institutions. There is an evident lack of knowledge of security risk. This begins with the fact that people connect with their laptops on public hotspots without a VPN. But a lack of security culture is not a lack of principle. If Tor were so “easy” to render useless, the people running Tor servers wouldn’t be exposed to aggression from their states the way they are. Privacy is a long chain of different factors and the use of Tor can be part of it (with all the known - and well exposed - limits).

@bender:
If you want to be sure, a VPN is not good enough, by the way. A lot of VPN service providers use the PPTP protocol, which is merely cosmetic. OpenVPN and Openswan are better but rare beasts indeed. Generally it is claimed that you should use SSH with a VPN.

But still, used correctly, Tor is IMO an advantage.

Openswan and OpenVPN are, btw, another advantage of Linux over Win7.

Try the BetterPrivacy plugin for Firefox, which handles these Flash-based cookies.

https://addons.mozilla.org/en-US/firefox/addon/6623