miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Thu Oct 29, 2015 6:22 pm Post subject: Mozilla Cloud non-Decryptable Download?
EDIT 2015-11-05 23:19+01:00:
the title now:
Mozilla Cloud non-Decryptable Download?
This topic contains the intrusive disruption of my topic by another Gentoo member, for which I am unable to continue, if this post, currently last, is not removed:
< this same topic >
https://forums.gentoo.org/viewtopic-t-1031758.html#7837184
I hope this won't continue to be happening in other topics of mine.
I had wanted to try to contain the intrusive intentional ruining of my topic here:
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-992146-start-75.html#7837090
the reasons why there, and not here, are explained there clearly.
But to no avail. Yes I have reported the post. We'll see. (If the link to the intrusive post becomes dead, it has been removed.)
EDIT END
==== underneath here content unmodified, remains as of the first timestamp =====
Not sure at all what this will come out.
Code:
993e1cf1d0305fa519c9941189221c01b974d3596de21615768e20a7e521eac4 some-file
73a1f52a202450bab08632362bb74d38f4b1cbd8b45f92cbaf2314eb225d406f some-other-file
I may make an unrelated post (planned previously) out of this.
However, if this is something interesting (just take a look at how interesting this topic of mine
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html
appears to be; currently 3498 views), it is important that the files are not easily dismissed as unauthentic.
Patience, I kindly ask of readers.
Last edited by miroR on Thu Nov 05, 2015 10:37 pm; edited 1 time in total
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu Oct 29, 2015 6:43 pm Post subject: Re: Some issue with network
miroR wrote: | However, if this is something interesting (just take a look at how interesting this topic of mine [...] appears to be; currently 3498 views), it is important that the files are not easily dismissed as unauthentic. |
miro ... yes, and if you include a URL in every post you make (as you do) then crawlers will harvest those links, and so the views increase ... isn't technology amazing. Your posts, this one especially, are essentially nonsensical, and you seem to be under the impression that people are reading.
best ... khay
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Sat Oct 31, 2015 3:14 am
I'll now post what I had prepared previously.
---
I wrote: |
==== This is the completed content for the post of two days ago. Not touching that one; nicer that the timestamp remains. ===
Still not sure where this issue goes.
Code:
993e1cf1d0305fa519c9941189221c01b974d3596de21615768e20a7e521eac4 dump_151029_1757_g0n.pcap
73a1f52a202450bab08632362bb74d38f4b1cbd8b45f92cbaf2314eb225d406f Screen_151029_1757_g0n.mkv
No, I won't make an unrelated post out of this. The other topic I planned previously will go separately elsewhere.
These files are:
Code:
-rw-r--r-- 1 86340324 2015-10-29 18:32 dump_151029_1757_g0n.pcap
-rw-r--r-- 1 176027816 2015-10-29 18:32 Screen_151029_1757_g0n.mkv
or:
Code:
-rw-r--r-- 1 83M 2015-10-29 18:32 dump_151029_1757_g0n.pcap
-rw-r--r-- 1 168M 2015-10-29 18:32 Screen_151029_1757_g0n.mkv
and the priority is just the network capture. Screencast hopefully later, and maybe even in some other fashion (vimeo.com). No room on croatiafidelis.hr .
This topic follows on the heels of this other topic:
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html
|
You can check all with the traffic dump in the dir:
http://www.croatiafidelis.hr/foss/cap/cap-151029-MozCloud/
Here's the straight link:
http://www.croatiafidelis.hr/foss/cap/cap-151029-MozCloud/dump_151029_1757_g0n.pcap
tshark -n -q -r dump_151029_1757_g0n.pcap -z io,stat,0
Code:
========================================
| IO Statistics |
| |
| Duration: 1992.9 secs |
| Interval: 1992.9 secs |
| |
| Col 1: Frames and bytes |
|--------------------------------------|
| |1 |
| Interval | Frames | Bytes |
|--------------------------------------|
| 0.0 <> 1992.9 | 93301 | 83347395 |
========================================
tshark -q -r dump_151029_1757_g0n.pcap -z conv,ip
<but the resolved names in parentheses are of my addition> [*]
Code:
================================================================================
IPv4 Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
192.168.1.3 <-> 54.192.55.37(d3581xjroqhv5u.cloudfront.net) 47095 70986165 25543 1799129 72638 72785294 59.282923000 249.2311
192.168.1.3 <-> 91.198.174.192(METa.wikimedia.org) 1811 1394268 1850 208476 3661 1602744 14.401525000 1878.8822
192.168.1.3 <-> 91.198.174.208(upload.wikimedia.org) 1526 1557690 1405 146571 2931 1704261 14.644842000 1866.1800
192.168.1.3 <-> 67.215.92.219(www.opendns.com) 1400 1984347 987 97464 2387 2081811 55.222555000 21.1789
192.168.1.3 <-> 104.87.7.204(e4478.a.akamaiedge.net) 872 983483 650 69023 1522 1052506 1296.578943000 237.2263
192.168.1.3 <-> 79.133.35.202(orsn.net) 814 1116764 583 57255 1397 1174019 1912.621276000 61.3161
192.168.1.3 <-> 106.187.50.235(wiki.opennicproject.org) 401 206739 516 59582 917 266321 668.428752000 803.0666
192.168.1.3 <-> 173.239.79.210(observatory.eff.org) 282 89104 361 210384 643 299488 14.610474000 1932.7411
193.92.150.194(db.southeu.clamav.net) <-> 192.168.1.3 301 20105 301 349522 602 369627 1971.778438000 7.9034
208.117.229.246(ytstatic.l.google.com) <-> 192.168.1.3 262 30257 285 231203 547 261460 1294.235990000 118.1253
192.168.1.3 <-> 192.168.1.1 240 53976 241 19497 481 73473 14.347454000 1963.8573
193.198.233.211(pula.tile.openstreetmap.org) <-> 192.168.1.3 224 24565 226 169922 450 194487 1915.340281000 60.6354
207.241.224.26(wwwb-front2.us.archive.org) <-> 192.168.1.3 196 18105 202 200912 398 219017 717.542395000 70.5737
208.117.229.216(youtube-ui.l.google.com) <-> 192.168.1.3 126 12249 132 82777 258 95026 1295.664277000 115.6899
199.16.156.120(syndication.twitter.com) <-> 192.168.1.3 124 31324 130 33285 254 64609 918.258500000 605.8391
208.117.229.251(ytstatic.l.google.com) <-> 192.168.1.3 128 14023 123 39553 251 53576 1294.711558000 116.6539
216.58.208.74(googleapis.l.google.com) <-> 192.168.1.3 91 7973 111 114445 202 122418 1294.708016000 116.6989
192.168.1.3 <-> 104.87.23.15(e10776.b.akamaiedge.net) 99 31128 71 6842 170 37970 58.518070000 152.4074
192.168.1.3 <-> 104.92.100.137(e6640.g.akamaiedge.net) 87 92107 80 6348 167 98455 57.095759000 160.2028
192.168.1.3 <-> 104.244.43.44(PLAtfoRM.twitter.com) 68 32441 82 8598 150 41039 670.180128000 353.9075
192.168.1.3 <-> 104.244.43.108(PLAtfoRM.twitter.com) 61 8837 83 9090 144 17927 917.636938000 66.5593
192.168.1.3 <-> 23.37.43.27(e8218.ce.akamaiedge.net) 61 15537 68 7236 129 22773 66.944206000 1345.4188
192.168.1.3 <-> 173.194.113.183(csi.gstatic.com) 56 21454 68 6900 124 28354 1300.186735000 116.1969
192.168.1.3 <-> 37.252.170.182(secure.anycast.adnxs.com) 67 16811 48 9668 115 26479 68.518336000 60.6243
208.117.229.212(youtube-ui.l.google.com) <-> 192.168.1.3 55 5147 49 17320 104 22467 59.114340000 116.1468
199.16.156.52(syndication.twitter.com) <-> 192.168.1.3 47 6807 53 9996 100 16803 670.701160000 286.1726
192.168.1.3 <-> 54.192.12.211(d15a7gkmxinlzq.cloudfront.net) 50 41019 48 4338 98 45357 58.493768000 116.7505
192.168.1.3 <-> 74.125.136.141(appspot.l.google.com) 50 49669 40 3897 90 53566 1294.714544000 117.6672
216.137.59.141(dnn506yrbagrg.cloudfront.net) <-> 192.168.1.3 45 4512 41 26783 86 31295 59.223058000 116.0383
192.168.1.3 <-> 68.232.35.116(s11.gp1.wac.alphacdn.net) 50 31881 36 4050 86 35931 57.170370000 149.3047
216.58.211.4(wwW.google.com) <-> 192.168.1.3 44 5768 39 5230 83 10998 59.222866000 1354.1470
192.168.1.3 <-> 46.33.68.128(a1158.b.akamai.net) 37 6404 44 3912 81 10316 58.829964000 116.2763
208.117.229.250(ytstatic.l.google.com) <-> 192.168.1.3 39 3705 38 19415 77 23120 1298.278404000 116.0712
216.58.211.3(www.google.hr) <-> 192.168.1.3 40 4504 35 11993 75 16497 59.637909000 116.3867
208.117.229.213(youtube-ui.l.google.com) <-> 192.168.1.3 37 3541 34 12194 71 15735 1297.353593000 115.9963
192.168.1.3 <-> 173.194.116.185(pagead46.l.doubleclick.net) 32 13151 39 4005 71 17156 58.501609000 115.7495
208.117.229.217(youtube-ui.l.google.com) <-> 192.168.1.3 37 3618 33 11125 70 14743 1291.738397000 117.6083
192.168.1.3 <-> 54.246.123.254(data-collector-linkedin-prod-803114458.eu-west-1.elb.amazonaws.) 31 15502 39 4164 70 19666 65.741151000 65.5876
192.168.1.3 <-> 104.244.43.172(platform.twitter.com) 30 6242 39 4237 69 10479 1223.068003000 189.3098
192.168.1.3 <-> 173.194.116.220(dart.l.doubleclick.net) 30 12906 39 3813 69 16719 58.496705000 116.7201
216.58.209.168(www-googletagmanager.l.google.com) <-> 192.168.1.3 37 3185 32 22797 69 25982 58.465698000 115.6854
192.168.1.3 <-> 185.63.147.10(any-eu.www.linkedin.com) 32 9541 36 3837 68 13378 69.327707000 116.8225
216.58.211.35(www.google.hr) <-> 192.168.1.3 35 3683 27 9934 62 13617 1298.187182000 116.1833
192.168.1.3 <-> 173.194.112.250(pagead.l.doubleclick.net) 27 10512 35 3826 62 14338 1296.363420000 116.0318
192.168.1.3 <-> 50.31.164.174(bam.nr-data.net) 29 7729 33 4193 62 11922 66.302954000 116.9269
208.117.229.218(youtube-ui.l.google.com) <-> 192.168.1.3 32 3924 28 4920 60 8844 1296.574470000 61.8602
192.168.1.3 <-> 54.246.108.37(fanboy-web-linkedin-prod-935158116.eu-west-1.elb.amazonaws.com) 31 14062 28 2895 59 16957 70.308618000 61.7705
192.168.1.3 <-> 54.228.244.241(data-collector-linkedin-prod-803114458.eu-west-1.elb.amazonaws.) 31 14445 28 3022 59 17467 67.928440000 61.3584
208.117.229.249(ytstatic.l.google.com) <-> 192.168.1.3 30 4209 29 5726 59 9935 57.281102000 63.3404
192.168.1.3 <-> 46.137.124.98(www.bizographics.com) 30 13494 28 2991 58 16485 67.281565000 61.6806
192.168.1.3 <-> 173.194.112.89(pagead.l.doubleclick.net) 27 12060 29 2653 56 14713 57.106885000 116.1459
192.168.1.3 <-> 74.125.136.95(googleadapis.l.google.com) 26 3409 29 3620 55 7029 1294.706363000 115.6756
192.168.1.3 <-> 173.194.116.218(pagead46.l.doubleclick.net) 21 6160 24 3752 45 9912 529.405475000 115.8264
192.168.1.3 <-> 185.31.17.175(c.global-ssl.fastly.net) 22 16026 21 2065 43 18091 65.716976000 61.7831
192.168.1.3 <-> 173.194.113.90(pagead46.l.doubleclick.net) 18 2394 21 2879 39 5273 1296.801580000 115.5870
192.168.1.3 <-> 66.228.63.70(www.opennicproject.org) 30 7113 9 636 39 7749 1229.968277000 99.7276
192.168.1.3 <-> 104.244.43.12(platform.twitter.com) 16 4992 23 1935 39 6927 789.216954000 439.4942
127.0.0.1 <-> 127.0.0.1 36 3732 0 0 36 3732 1984.204172000 8.6515
192.168.1.3 <-> 17.171.8.16(ocsp.pki-apple.com.akadns.net) 16 4580 19 1526 35 6106 1292.914909000 115.5835
192.168.1.3 <-> 46.33.68.72(a1158.b.akamai.net) 16 3024 18 1676 34 4700 57.228615000 115.8789
192.168.1.3 <-> 93.184.220.29(cs9.wac.phicdn.net) 10 3060 14 2261 24 5321 56.073400000 26.2459
193.63.75.103(www.openstreetmap.org) <-> 192.168.1.3 13 1619 10 6299 23 7918 1913.250907000 6.6914
192.168.1.3 <-> 67.215.92.210(dashboard.opendns.com) 11 5765 12 1582 23 7347 58.906764000 11.1855
199.16.156.230(twitter.com) <-> 192.168.1.3 10 1018 12 4357 22 5375 1290.983939000 7.1214
205.178.187.13(www.networksolutions.com) <-> 192.168.1.3 12 840 9 636 21 1476 707.301071000 20.6142
192.168.1.3 <-> 188.40.2.4(osmtools.de) 9 1652 11 970 20 2622 1915.225345000 15.1181
192.168.1.3 <-> 17.146.233.10(files.me.com) 9 3436 10 1501 19 4937 1292.427851000 4.1550
199.16.156.6(twitter.com) <-> 192.168.1.3 10 1018 9 4091 19 5109 926.159799000 5.6840
207.241.226.249(vlcbackup.archive.org) <-> 192.168.1.3 10 1203 8 880 18 2083 723.208901000 5.7509
224.0.0.1 <-> 10.16.96.1 15 930 0 0 15 930 114.177572000 1750.0431
207.241.224.2(archive.org) <-> 192.168.1.3 4 280 2 144 6 424 741.173875000 5.4068
255.255.255.255 <-> 0.0.0.0 2 818 0 0 2 818 0.027432000 3.3679
255.255.255.255 <-> 192.168.1.1 1 592 0 0 1 592 3.417719000 0.0000
================================================================================
The issue with this capture is not too hard to see for a trained eye. A huge portion of the entire capture of 83M, which is a lot of traffic for the simple browsing I did for those 33 minutes, without downloading any video or other file of that order of magnitude, is here:
grep cloudfro dump_151029_1757_g0n.conv-ip-with-names
<and the legend (the first two lines) is of my addition>
Code:
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
192.168.1.3 <-> 54.192.55.37(d3581xjroqhv5u.cloudfront.net) 47095 70986165 25543 1799129 72638 72785294 59.282923000 249.2311
192.168.1.3 <-> 54.192.12.211(d15a7gkmxinlzq.cloudfront.net) 50 41019 48 4338 98 45357 58.493768000 116.7505
216.137.59.141(dnn506yrbagrg.cloudfront.net) <-> 192.168.1.3 45 4512 41 26783 86 31295 59.223058000 116.0383
and it is especially obvious that the one conversation of all, with 54.192.55.37 (d3581xjroqhv5u.cloudfront.net), downloaded into my system a little short of 70M (the 47095 Frames or 70986165 Bytes, under "<-"), and so it has made up the great majority of the traffic.
Maybe that is the regular way Firefox updates. It really may be.
But if it is the regular way Fox updates, then it ought to be in the open, for me, a user of Mozilla Firefox, a program that is Free Open Source Software, at least as it is claimed to be such by its developers (and I still hope they do keep to some standards, at least a significant part of its community).
I'll try and see if I can manage to get the TCP or SSL streams in the open, and see what exactly Mozilla downloaded into my system, and then I can, hopefully, find it in my system, and get an inkling at least, what it does, or is, there for.
Next.
---
[*] Compare with the output of:
tshark -q -r dump_151029_1757_g0n.pcap -z hosts
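As an added example (not code from the post), here is a small parser for `tshark -z conv,ip` rows in the layout shown above, ranking remote peers by bytes delivered to the host and flagging any single peer that carries most of the traffic. It reads the columns the way the post does ("<-" is traffic arriving at the left-hand address) and copes with the "(resolved name)" annotation the poster added; function names are this example's own and the sample rows are constructed from values in the table.

```python
"""Rank remote peers in `tshark -z conv,ip` output by bytes sent to the host.

Added example, not code from the forum post. Column reading follows the
post: the "<-" frames/bytes pair is traffic arriving at the left-hand
address, the "->" pair is traffic arriving at the right-hand address.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample rows, taken from values in the post's table.
SAMPLE_CONV = """\
192.168.1.3 <-> 54.192.55.37(d3581xjroqhv5u.cloudfront.net) 47095 70986165 25543 1799129 72638 72785294 59.282923000 249.2311
192.168.1.3 <-> 91.198.174.192(METa.wikimedia.org) 1811 1394268 1850 208476 3661 1602744 14.401525000 1878.8822
193.92.150.194(db.southeu.clamav.net) <-> 192.168.1.3 301 20105 301 349522 602 369627 1971.778438000 7.9034
192.168.1.3 <-> 192.168.1.1 240 53976 241 19497 481 73473 14.347454000 1963.8573
"""

# An address (IPv4 or IPv6) optionally followed by "(resolved name)".
ADDR = r"(?P<%s>[0-9A-Fa-f.:]+)(?:\((?P<%s_name>[^)]*)\))?"
ROW_RE = re.compile(
    r"^\s*" + ADDR % ("a", "a") + r"\s+<->\s+" + ADDR % ("b", "b") + r"\s+"
    r"(?P<to_a_frames>\d+)\s+(?P<to_a_bytes>\d+)\s+"
    r"(?P<to_b_frames>\d+)\s+(?P<to_b_bytes>\d+)\s+"
    r"(?P<frames>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<start>[\d.]+)\s+(?P<duration>[\d.]+)\s*$"
)


@dataclass
class Conversation:
    a: str
    a_name: str
    b: str
    b_name: str
    to_a_bytes: int      # "<-" column: bytes that arrived at a
    to_b_bytes: int      # "->" column: bytes that arrived at b
    total_bytes: int


def parse_conversations(text: str) -> list:
    """Parse every data row; header, border and filter lines do not match."""
    convs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        convs.append(Conversation(
            a=m["a"], a_name=m["a_name"] or "",
            b=m["b"], b_name=m["b_name"] or "",
            to_a_bytes=int(m["to_a_bytes"]), to_b_bytes=int(m["to_b_bytes"]),
            total_bytes=int(m["bytes"])))
    return convs


def bytes_into_host(c: Conversation, host: str):
    """(peer, peer_name, bytes delivered to host), or None if host is not in c."""
    if c.a == host:
        return c.b, c.b_name, c.to_a_bytes
    if c.b == host:
        return c.a, c.a_name, c.to_b_bytes
    return None


def rank_peers(convs: list, host: str) -> list:
    """Peers sorted by bytes delivered to host; the share is relative to all
    bytes, both directions, of every conversation the host took part in."""
    total = sum(c.total_bytes for c in convs if host in (c.a, c.b))
    rows = []
    for c in convs:
        hit = bytes_into_host(c, host)
        if hit:
            peer, name, n = hit
            rows.append((peer, name, n, n / total if total else 0.0))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def dominant_peers(convs: list, host: str, threshold: float = 0.5) -> list:
    """Peers that alone delivered more than `threshold` of the host's bytes;
    one such peer during plain browsing is what deserves a closer look."""
    return [peer for peer, _, _, share in rank_peers(convs, host)
            if share > threshold]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.3"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONV
    for peer, name, n, share in rank_peers(parse_conversations(text), host)[:10]:
        print("%-16s %-45s %12d %6.1f%%" % (peer, name, n, 100 * share))
```

Pipe the output of `tshark -q -r dump.pcap -z conv,ip` into it with the host address as the argument; on the sample rows the cloudfront peer comes out at about 95% of the bytes.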
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Sat Oct 31, 2015 3:15 am
Then it ought to be in the open. For me. Encrypted with PFS (Perfect Forward Secrecy), so no one can snoop on it, but if I cared to store and keep the "CLIENT_RANDOM" keys in my $SSLKEYLOGFILE (or in some other fashion), then it must be open for me to see what Mozilla from its cloud downloaded into my system, if that was the case, as it looks to me.
The filter is: "ip.addr==54.192.55.37" (without quotes).
Or maybe better: "(ip.addr==54.192.55.37) || (ip.addr==54.192.12.211) || (ip.addr==216.137.59.141)" (without quotes), but pls. note that I'm guessing only...
I'll take this latest.
I entered (pasted) that string in the Wireshark filter, hit Enter to get that filtered display active, and then File > "Export Specified Packets". "Packet Range" is "All Packets", the "Displayed" is selected already, and I saved it as:
dump_151029_1757_g0n_MozCloud.pcap
If you, by doing the same, get:
Code:
-rw-r--r-- 1 miro miro 75195628 2015-10-30 16:45 dump_151029_1757_g0n_MozCloud.pcap
which in human-readable form (the '-h' switch) is:
Code:
-rw-r--r-- 1 miro miro 72M 2015-10-30 16:45 dump_151029_1757_g0n_MozCloud.pcap
then probably my suggestions can be followed (and if you're into network capture, maybe you can tell all of us more; there will be encryption that I'm afraid I can not decrypt, later; perfectly possible only because my knowledge is insufficient, but also that not all tools are there for decryption, even if I were expert)...
I now open that dump with those just exported specified packets selection in Wireshark.
Now at least we are dealing with only 7 tcp streams, while in the complete dump there were 472 tcp streams
(you get streams out if you put [0-7] for $the_number in "tcp.stream eq $the_number" in the filter for that MozCloud.pcap dump (and you get nothing if you put 8 or greater); and in the complete dump, you get a different tcp stream if you put [0-472] in "tcp.stream eq $the_number", such as "tcp.stream eq 3" or "tcp.stream eq 405", respectively).
But can these streams be decrypted? And if so, how?
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Sat Oct 31, 2015 3:17 am
I'll try and cut to the chase, because I'm beginning to be in a hurry. I need Fox as I have to use internet banking for my monthly paying of my bills, and Fox is the only one, from among the javascript-enabled browsers that I could do those payments with, in which I have some trust lingering.
But my not being able to decrypt the huge payload (we are just about coming to it next), is making me worry, and either I go and pay my bills at the counter instead of via the internet banking, or...
We still have dump_151029_1757_g0n_MozCloud.pcap open in Wireshark.
Enter the filter "tcp.stream eq 5" (without quotes).
Right click on any frame with TLS1.2, follow SSL stream, and save as:
dump_151029_1757_g0n_MozCloud_s5-ssl.dump
You should get:
Code:
$ ls -l dump_151029_1757_g0n_MozCloud_s5-ssl.dump
-rw-r--r-- 1 miro miro 136352 2015-10-30 22:30 dump_151029_1757_g0n_MozCloud_s5-ssl.dump
$ ls -lh dump_151029_1757_g0n_MozCloud_s5-ssl.dump
-rw-r--r-- 1 miro miro 134K 2015-10-30 22:30 dump_151029_1757_g0n_MozCloud_s5-ssl.dump
Can't delve into it, in a hurry for the reason stated above, but in all likelihood it's some tiny Adobe-managed video, and partial content at that, I think I saw somewhere when following it (just open it with:
Code:
$ hexedit dump_151029_1757_g0n_MozCloud_s5-ssl.dump
)
But it's this next stream... Do the same right click as before, but choose "Follow tcp stream" instead. And be patient. It's there, we have arrived at where the story might start to become interesting.
Be patient (unless you have a really powerful computer). Do save it as:
dump_151029_1757_g0n_MozCloud_s5.dump
but all those megabytes need a little time to reassemble from those some 40000 different frames (packets).
You should have this eventually:
Code:
$ ls -l dump_151029_1757_g0n_MozCloud_s5.dump
-rw-r--r-- 1 miro miro 67764933 2015-10-30 22:41 dump_151029_1757_g0n_MozCloud_s5.dump
$ ls -lh dump_151029_1757_g0n_MozCloud_s5.dump
-rw-r--r-- 1 miro miro 65M 2015-10-30 22:41 dump_151029_1757_g0n_MozCloud_s5.dump
$
And here my insufficient knowledge, or encrypted content (coming at it in a moment), makes me unable to view what those 65M contain.
Get ready to follow by studying "man hexedit" (emerge hexedit if you haven't yet).
Code:
$ hexedit dump_151029_1757_g0n_MozCloud_s5.dump
Next, search for, in hex, string "474554" (without quotes), which is the string that GET'd content starts with, and take notice how many you find. They should be three (3) only.
Stay with the third 474554 that you found. Mark it. go to end. Copy.
You'll get a jocular warning ( my install is:
Code:
# equery l hexedit
 * Searching for hexedit ...
[IP-] [ ] app-editors/hexedit-1.2.13:0
#
):
Code:
Hey, don't you think that's too big?!
Really copy (Yes/No)
Enjoy the joke, answer "y" and paste it into a file:
dump_151029_1757_g0n_MozCloud_s5_03.dump
Move again to the start of the third GET and truncate at that point.
Go to beginning, and from there get one, and another time to the start of GET. So you are at the second GET.
Just like before, mark, move to end, copy and paste into a file:
dump_151029_1757_g0n_MozCloud_s5_02.dump
To beginning, and move to the second GET, and truncate there.
Go to beginning, and from there go to the start of the last GET. Mark, move to end, copy and paste into a file:
dump_151029_1757_g0n_MozCloud_s5_01.dump
You should now have:
Code:
$ ls -l dump_151029_1757_g0n_MozCloud_s5_0?.dump
-rw-r--r-- 1 miro miro 1484476 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_01.dump
-rw-r--r-- 1 miro miro 13834287 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_02.dump
-rw-r--r-- 1 miro miro 37479495 2015-10-30 23:35 dump_151029_1757_g0n_MozCloud_s5_03.dump
$ ls -lh dump_151029_1757_g0n_MozCloud_s5_0?.dump
-rw-r--r-- 1 miro miro 1.5M 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_01.dump
-rw-r--r-- 1 miro miro 14M 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_02.dump
-rw-r--r-- 1 miro miro 36M 2015-10-30 23:35 dump_151029_1757_g0n_MozCloud_s5_03.dump
$
Now, let's go get the gzip data, if we can:
Code:
$ hexedit dump_151029_1757_g0n_MozCloud_s5_03.dump
Search, in hex, for "1F8B08" (without quotes). Only one found. Mark. Move to end. Copy. Paste into file:
dump_151029_1757_g0n_MozCloud_s5_03.gz
And here we go, where I have no idea how to get what that data is:
Code:
$ file dump_151029_1757_g0n_MozCloud_s5_03.gz
dump_151029_1757_g0n_MozCloud_s5_03.gz: gzip compressed data, ASCII, extra field, encrypted
$
Do you see this unusual info the file command is telling us?
And sure, if I try:
Code:
$ gunzip dump_151029_1757_g0n_MozCloud_s5_03.gz
gzip: dump_151029_1757_g0n_MozCloud_s5_03.gz is encrypted -- not supported
$
And it's similar, if I process 02.dump like that, with:
Code:
$ file dump_151029_1757_g0n_MozCloud_s5_02.gz
dump_151029_1757_g0n_MozCloud_s5_02.gz: gzip compressed data, has CRC, extra field, has comment, encrypted, last modified: Sun Oct 19 05:36:28 2003
$ gunzip dump_151029_1757_g0n_MozCloud_s5_02.gz
gzip: dump_151029_1757_g0n_MozCloud_s5_02.gz is encrypted -- not supported
$
I'm not saying this isn't legitimate, as I don't know that it isn't.
Nor that it is legitimate.
I'm not so very bright, but neither stupid. I think I'll try and ask about this Mozilla devs, on their mailing list or some such place, or on Wireshark mailing list.
And in the meantime, I can't use Fox for internet banking, and the money that I need to pay, as every month, is due for payment...
Either I go to the bank or post office and pay over the counter (but what then do I have computers for?), or...
Regards!
EDIT 2015-11-01 21:06+01:00. corrected lapsus: 's/1F8B08/474554/'
Last edited by miroR on Sun Nov 01, 2015 8:06 pm; edited 1 time in total
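An added example, not from the post: a checker for carved "1F8B08" hits that walks the RFC 1952 gzip member header and reports why a hit is not a real member. file(1) prints "encrypted" when bit 5 of the FLG byte is set, a bit RFC 1952 reserves and zlib rejects ("unknown header flags set"), so that label on a carve from a TLS stream followed without its session keys is the expected look of ciphertext, where any three-byte pattern turns up about size/2^24 times by chance; function names and both sample inputs are constructed here.

```python
"""Check whether a carved "1F 8B 08" hit is a plausible gzip member.

Added example, not code from the forum post. Parses the RFC 1952 header,
flags values no conforming gzip writer emits, tries to inflate from the
hit, and estimates chance occurrences of a pattern in random-looking data.
"""
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"          # ID1, ID2, CM=8 (deflate)
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10
RESERVED_FLG = 0xE0                   # FLG bits 5-7, reserved by RFC 1952;
                                      # file(1) prints "encrypted" for bit 5


def find_candidates(buf: bytes) -> list:
    """Offsets of every gzip magic in buf (what the hexedit search finds)."""
    hits, pos = [], buf.find(GZIP_MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(GZIP_MAGIC, pos + 1)
    return hits


def expected_chance_hits(size: int, pattern_len: int = 3) -> float:
    """Expected count of a fixed pattern in `size` uniformly random bytes."""
    return size / float(256 ** pattern_len)


def parse_gzip_header(buf: bytes, offset: int = 0) -> dict:
    """Walk the member header at offset; 'plausible' is False, with reasons,
    whenever a field holds a value no conforming gzip writer produces."""
    info = {"offset": offset, "reasons": [], "name": None, "comment": None}
    if buf[offset:offset + 2] != b"\x1f\x8b":
        info["reasons"].append("no gzip magic at offset")
    if len(buf) < offset + 10:
        info["reasons"].append("truncated fixed header")
        info["plausible"] = False
        return info
    cm, flg, mtime, xfl, os_ = struct.unpack_from("<BBIBB", buf, offset + 2)
    info.update(cm=cm, flg=flg, mtime=mtime, xfl=xfl, os=os_)
    if cm != 8:
        info["reasons"].append("CM=%d, only 8 (deflate) is defined" % cm)
    if flg & RESERVED_FLG:
        info["reasons"].append(
            "reserved FLG bits 0x%02x set (file(1) calls bit 5 'encrypted')"
            % (flg & RESERVED_FLG))
    if xfl not in (0, 2, 4):
        info["reasons"].append("XFL=%d, expected 0, 2 or 4" % xfl)
    if not (os_ <= 13 or os_ == 255):
        info["reasons"].append("OS=%d outside the RFC 1952 table" % os_)
    pos = offset + 10
    try:
        if flg & FEXTRA:
            pos += 2 + struct.unpack_from("<H", buf, pos)[0]
        for flag, key in ((FNAME, "name"), (FCOMMENT, "comment")):
            if flg & flag:
                end = buf.index(b"\x00", pos)        # zero-terminated latin-1
                info[key] = buf[pos:end].decode("latin-1")
                pos = end + 1
        if flg & FHCRC:
            stored = struct.unpack_from("<H", buf, pos)[0]
            if stored != (zlib.crc32(buf[offset:pos]) & 0xFFFF):
                info["reasons"].append("FHCRC does not match header bytes")
            pos += 2
    except (struct.error, ValueError):
        info["reasons"].append("optional header fields run past end of data")
    info["data_offset"] = pos
    info["plausible"] = not info["reasons"]
    return info


def try_inflate(buf: bytes, offset: int):
    """Inflate the member at offset; None if zlib rejects it (zlib refuses
    headers with reserved FLG bits: 'unknown header flags set')."""
    try:
        return zlib.decompressobj(wbits=31).decompress(buf[offset:])
    except zlib.error:
        return None


def triage(buf: bytes) -> list:
    """One record per magic hit: header verdict and whether it inflates."""
    out = []
    for off in find_candidates(buf):
        hdr, data = parse_gzip_header(buf, off), try_inflate(buf, off)
        out.append({"offset": off, "plausible": hdr["plausible"],
                    "reasons": hdr["reasons"],
                    "inflated_bytes": None if data is None else len(data)})
    return out


# Constructed inputs: a genuine member, and a deterministic byte pattern
# (never containing 1f 8b 08) with the magic spliced in at offset 100 and
# FLG=0xA5 (bits 5 and 7 set), the usual look of a chance hit in ciphertext.
GENUINE_PAYLOAD = b"plain text that a real server would gzip " * 30
GENUINE = gzip.compress(GENUINE_PAYLOAD)
_PATTERN = bytes((i * 37 + 11) % 256 for i in range(4096))
FAKE = _PATTERN[:100] + GZIP_MAGIC + b"\xa5" + _PATTERN[104:]


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, "size", len(blob),
              "expected chance hits %.2f" % expected_chance_hits(len(blob)))
        for rec in triage(blob):
            print("  ", rec)
```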
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Sat Oct 31, 2015 3:28 am
title will be:
Mozilla Cloud non-Decryptable Download?
================
(will change it later)
---
I owe you this one, readers, if there are any (maybe you better not read, or some will get upset if you do...)
I owe you this one, gentle readers:
I wrote: | Either I go to the bank or post office and pay over the counter (but what then do I have computers for?), or...
|
Or...? Or what? lingers the question.
Well, what for did I figure out, for myself and for other people, how to install gentoo air-gapped:
Air-Gapped Gentoo Install, Tentative
https://forums.gentoo.org/viewtopic-t-987268.html
?
And why do I try to spread some good methods of backup (would have been better if I had time to make a separate tip for it, true):
Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html#7613044
?
Surely I wiped the hard disk clean with the Air-Gapped complete system backup, with the Air-Gapped that could not have any intrusions on it... By cloning the air-gapped master system onto this one... But all these methods are explained in the respective links just given.
And if this matter shows to be nothing to worry about, well, then it needs to be possible to get the content of those downloads in the open. Without becoming a rocket scientist to be able to do it...
If Zilla is really FOSS (...hope lingering).
No one is allowed to encrypt things in my computer, behind my back, not even Mozilla (if that was really its cloud downloading in my machine).
And neither should behind your back, gentle readers.
And surely, I'm back to using Dillo. Such a fine worry-free experience. I dream good FOSS people will help the Dillo devs to make Dillo much much better, more complete, and competing with the commercial big browsers...
Back to the issue. Anyone knows how to decrypt those?
Can you help us (It is likely that other users will have issues like this)?
Because it might take me longish to figure this out....
(If I do, I'll tell all of you!)
Regards!
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Sat Oct 31, 2015 3:53 am
Ah, and I forgot.
The entire snapshot of the system, with that download in it, is saved, and will be available for weeks, maybe even months from now.
With the backup/cloning method that I linked to in the previous post.
So no information, if some real expert happens to want to look into this, has been lost.
Good night!
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Sun Nov 01, 2015 1:03 pm
I can not believe I had forgotten to post the SSLKEYLOGFILE-151029.log....
It is there now.
No, that wouldn't decrypt the Moz Cloud download, no. But that decrypts everything else.
Anyway, I updated the:
http://www.croatiafidelis.hr/foss/cap/cap-151029-MozCloud/
and you can get the files by downloading just the dLo.sh, and 'chmod 755' to it, then into an empty new dir where you have privs, and ./dLo.sh to get all the files. I am now also uploading the Screen_151029_1757_g0n.mkv, but I'm afraid I won't have that much room left on my NGO's website...
And I mailed to Mozilla dev-security mailing list:
Mozilla Cloud non-Decryptable Download?
Code:
https://groups.google.com/forum/#!topic/mozilla.dev.security/abSHPU4EaP8
the link above is for pasting into your browser's address bar, because, like this:
https://groups.google.com/forum/#!topic/mozilla.dev.security/abSHPU4EaP8
the '/#!' seems to erroneously end the reading of the address for phpBB...
EDIT 2015-11-01 20:42+01:00:
Ah, managed to get the address, it's the Schmoog's way, nobody else's:
https://groups.google.com/d/msg/mozilla.dev.security/abSHPU4EaP8/s-5UMFJsCAAJ
(such as, it don't let me view it with Dillo, the shingilibindildiyots!)
EDIT END
(
Anyway, only the Schmoog, really, could come up with such a standard for http addresses. The Schmoog rapist of the standards, like with the SPDY and the HTTP2, which you can read about in the topic which this one you're reading follows on the heels of; but I must not give you the link, as that would surge the views of it, and some people would get upset... Find the link in the first post...
Which first post of this topic will be expanded with some more necessary details only when no shadow of doubt is left as to authenticity of the event of the apparent Moz cloud autodownload into my machine, non-decryptable for me, the user, having happened when I claim, by the virtue of the traffic dump and the screencast being verifiable to have been taken when I posted that first post in this topic)
Which first post of this topic will be expanded with some more necessary details when more views, by different viewers, dispell any shadow of doubt in the authenticity of the traffic dump and screencast.
And only then can I also change the title of this topic to "Mozilla Cloud non-Decryptable Download?"
)
Regarding my post to Mozilla dev-security ML, let's see if I get any info back...
Last edited by miroR on Sun Nov 01, 2015 7:46 pm; edited 1 time in total
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Sun Nov 01, 2015 8:19 pm
I'm not letting go of this. I'll try and ask on the Wireshark ML, if I don't get any replies from Mozilla devs. I mean any real replies...
The last reply, so far, is so general, and so dry... So hitting-oneself-in-the-mind's-eyes and beating-ones-brain to churn out a dry-kind empty reply... that it makes me sad.
Looks like really this is some abuse attempted on my machine, from Mozilla Cloud addresses.
But... Before I change the title; which is not yet, too few views, at which time I can take the opportunity to say it more forcefully, right there upfront and very clearly in the first post...
Which I can not edit, the first post, yet, because of the shintilibidintitty "advice" there posing like a thought exudision...
Before that, I am advising readers who wish to understand what this is about, that they need to study the link given upfront, else they can not figure this issue here at all...
Again, get familiar with this:
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html
else you can not understand here.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Nov 04, 2015 7:52 pm
miroR wrote: | Over in a new topic of mine:
Mozilla Cloud non-Decryptable Download?
(which I can not change the subject of the topic into the one above yet, for reasons easily understood if you read there)
I had posted this:
I recently wrote: | Not sure at all what this will come out.
Code:
993e1cf1d0305fa519c9941189221c01b974d3596de21615768e20a7e521eac4 some-file
73a1f52a202450bab08632362bb74d38f4b1cbd8b45f92cbaf2314eb225d406f some-other-file
I may make an unrelated post (planned previously) out of this.
However, if this is something interesting (just take a look at how interesting this topic of mine
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html
appears to be; currently 3498 views), it is important that the files are not easily dismissed as unauthentic.
Patience, I kindly ask of readers. |
==========
and before you know it, there was this reply:
khayyam wrote: | miroR wrote: | However, if this is something interesting (just take a look at how interesting this topic of mine [...] appears to be; currently 3498 views), it is important that the files are not easily dismissed as unauthentic. |
miro ... yes, and if you include a URL in every post you make (as you do) then crawlers will harvest those links, and so the views increase ... isn't technology amazing. Your posts, this one especially, are essentially nonsensical, and you seem to be under the impression that people are reading.
best ... khay |
Now, since I do not want to disturb that topic... It has been sufficiently disturbed by that khayyam's remark, and since I am a little sick of such topic-pooping, I want to post a few words about it here, not there.
Because this topic (the "Uninstalling dbus and *kits (to Unfacilitate Remote Seats)" is over, technically.
It is technically over, this topic. There is little technical to add about it, other than start a new topic.
But that one is NOT.
But I will write a few more words about it, when I find time... Because on top of the fact that I work at turtle-speed even at my best, I've also been working at only 10-20% effectiveness, and that only when I managed to get out of bed. Just allergy, but a very very disruptive one...
I'll try and explain why exactly here, I want to post. But it is in brief: this khayyam guy just can't get over our little clash that we had here, and to understand why he decided to try and poop out that new topic of mine, it is necessary to remember what happened here btwn me and him.
Just go back to my, I think, second previous post of mine in the third (first previous) page of this topic:
<this same topic>
https://forums.gentoo.org/viewtopic-t-992146-start-50.html#7661780 |
miro ... more nonsense, it's not like everyone (steveL, krinn, and many others) hasn't said the exact same thing, so, no, I'm certainly "over" it (whatever that "it" happens to be in your imagination). If you have a problem with the post, or my previous posts, then use the 'report' button.
best ... khay
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Wed Mar 30, 2016 2:26 pm Post subject: Re: Some issue with network
khayyam wrote: | miroR wrote: | However, if this is something interesting (just take a look at how interesting this topic of mine [...] appears to be; currently 3498 views), it is important that the files are not easily dismissed as unauthentic. |
miro ... yes, and if you include a URL in every post you make (as you do) then crawlers will harvest those links, and so the views increase ... isn't technology amazing. Your posts, this one especially, are essentially nonsensical, and you seem to be under the impression that people are reading.
best ... khay |
Just, that topic of mine:
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html
is now:
8726
views.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Wed Mar 30, 2016 2:44 pm
Eight thousand views from Googlebot, your best friend!
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Mar 30, 2016 3:21 pm Post subject: Re: Some issue with network
miroR wrote: | Just, that topic of mine is now: 8726 views. |
... shall I explain again how 'views' are calculated, and how meaningless they are as a metric for quality?
Akkara Bodhisattva
Joined: 28 Mar 2006 Posts: 6702 Location: &akkara
Posted: Wed Mar 30, 2016 7:02 pm
miroR: Please stop bumping this. A good half of those views are from myself and other moderators wondering what to do with it. They are NO indication whatsoever of the quality (or lack thereof) of the topic. And by you posting here, this thread's count will go up by a few 100 as I, others, and a myriad of Google/Bing/Alibaba/etc bots all come around to see what's new and index it all. And, by my posting this, the count here will go up by a bunch more. Did you know that if you view your own thread, the count goes up? Wheee! let's play the game, can we make it to 9000?
You have been warned.
Locked.
_________________
Many think that Dilbert is a comic. Unfortunately it is a documentary.