# [SOLVED] Google - can not open any link - malware ??

## Joseph_sys

I have a strange problem.  

I can not open any link in Google.  Bing work OK.

Any idea what to look for?

I'm using firefox.Last edited by Joseph_sys on Thu Feb 09, 2012 2:45 pm; edited 2 times in total

----------

## Jaglover

Did you install some anti-google plugin perhaps?   :Razz: 

----------

## Joseph_sys

 *Jaglover wrote:*   

> Did you install some anti-google plugin perhaps?  

 

I don't have any plugin's installed.

I tried one of me backup compute and it is doing the same thing, though my third backup is working OK; I can open an link in Google.

This is very strange.

I've tried re-compiling firefox installing firefox-bin nothing helps.

----------

## Joseph_sys

When I disable Java in Firefox I can open any link in Google, with Java enabled I can not open any link

I got an email from one local Linux user regarding hosts file. 

Apparently there's a malware running around that redirects all google services via the hosts file which superceded DNS.

All other sites work fine, but any google sites get directed

elsewhere.

But I don't have any more information on this.

----------

## Jaglover

In *nix systems user cannot write into hosts file, it has to be something else.

----------

## Joseph_sys

 *Jaglover wrote:*   

> In *nix systems user cannot write into hosts file, it has to be something else.

 

I've downgraded one of my boxes to Firefox-8 and linking from Google works OK

----------

## Jaglover

Usually problems like this are down to user settings. Have you tried creating a test user, does this problem still exist?

Anyhow, if you suspect your hosts file is compromised why don't you check it?

----------

## Joseph_sys

 *Jaglover wrote:*   

> Usually problems like this are down to user settings. Have you tried creating a test user, does this problem still exist?
> 
> Anyhow, if you suspect your hosts file is compromised why don't you check it?

 

I just created "test" profile and it works in the same way.

It has something to do with accepting "cookies" when I set "ask me every time" firefox refuses to open any Google link.

----------

## Jaglover

You do realize test profile and test user are not the same thing? A test user has clean home directory, whatever is screwed up for your user won't be there.

----------

## Joseph_sys

 *Jaglover wrote:*   

> You do realize test profile and test user are not the same thing? A test user has clean home directory, whatever is screwed up for your user won't be there.

 

No difference.

I just created a new "test" user and when I logged IN and open the firefox-9 and changed cookies to "ask me every time" I could not open any link in Google.

----------

## Joseph_sys

If I disable Java under: Preference --> Content: JavaScript

I can open Google links but I need "JavaScript" to be enabled as some of my internal program depend on it.

What is causing it?  I downgraded to Firefox-8 same thing.  I can not open any Google links if "JavaScript" is enabled.

----------

## Gusar

Just for the record: Java and JavaScript are two *completely* different things.

Anyway, I just got hit by the same issue. Google is getting crappier and crappier by the day, I tell you. What happened to the lean, mean, simple search engine that everyone fell in love with? Now they're just bloating it with unnecessary javascript crap.

Hmm, one idea: Do you accept cookies from google? I don't. If you don't either, try activating them and see if it works then.

----------

## swanson

Definitely a cookie requirement.

I use and have www.google.co.uk blocked from setting cookies. Unblocking allows the links to load. Must be some recent change, either deliberately to enforce tracking with their privacy changes but might possibly be a programming error by Google. 

Ghostery, AdBlockPlus and third party cookie blocking were not relevant. However still have all cookies deleted when session closes except those allowed. Will monitor to see what happens....

----------

## Joseph_sys

I noticed that too, if I set to accept the cookies it works.

I don't intent to accept Google cookies.  It seems to me Google is getting more evil than Mircrosoft.

I'll be switching to Bing.

----------

## Gusar

 *Joseph_sys wrote:*   

> I don't intent to accept Google cookies.

 

Neither do I. I'd rather install the NoScript extension or something similar and disable javascript for google. Or switch do DuckDuckGo as my search engine.

Ok, that was easy. Create the file user.js in Firefox's profile directory and put this in it:

```
user_pref("capability.policy.policynames", "nojs");

user_pref("capability.policy.nojs.sites", "http://www.google.com");

user_pref("capability.policy.nojs.javascript.enabled", "noAccess");
```

And voila, no javascript on google.com anymore.

----------

## Tolstoi

Got the same problem here.

Unfortunately your solution doesn't work for me Gusar.

----------

## swanson

And Google have pushed a fix according to Mozilla bug 725634. Works for me with blocked cookies again.

----------

## Gusar

 *swanson wrote:*   

> And Google have pushed a fix according to Mozilla bug 725634. Works for me with blocked cookies again.

 

Cool. I'll stick with my settings though, who needs javascript crap when a simple page gets the job done perfectly.

----------

## miroR

 *Joseph_sys wrote:*   

> If I disable Java under: Preference --> Content: JavaScript
> 
> I can open Google links but I need "JavaScript" to be enabled as some of my internal program depend on it.

 

I searched the preferences menus thorougly. Nowadays (end 2014), no such options...

Also, looking this up:

 *Gusar wrote:*   

>  *Joseph_sys wrote:*   I don't intent to accept Google cookies. 
> 
> Neither do I. I'd rather install the NoScript extension or something similar and disable javascript for google. Or switch do DuckDuckGo as my search engine.
> 
> Ok, that was easy. Create the file user.js in Firefox's profile directory and put this in it:
> ...

 

Which is, in the list below, the Firefox's profile directory where to maybe try and create such a user.js?

EDIT Mon 15 Dec 16:02:44 CET 2014:  I can't be ashamed and leave this without telling that I figured out that:

the Firefox's profile directory is:

```

~/.mozilla/firefox/<saltword>.default/

```

the prefs.js is there and, when I find time, I'll try and create the user.js there with these instructions.

No Schmoog the Schmoogle-Boogle-Joogle intrusion looked amiably at here either!

EDIT END

What are the ways people disable those (Javascript, Java, other...) today?

Because, this is what I got if I:

equery f firefox:

```

/etc

/etc/revdep-rebuild

/etc/revdep-rebuild/10firefox

/usr

/usr/bin

/usr/bin/firefox

/usr/lib64

/usr/lib64/firefox

/usr/lib64/firefox/application.ini

/usr/lib64/firefox/bin

/usr/lib64/firefox/browser

/usr/lib64/firefox/browser/blocklist.xml

/usr/lib64/firefox/browser/chrome

/usr/lib64/firefox/browser/chrome.manifest

/usr/lib64/firefox/browser/chrome/icons

/usr/lib64/firefox/browser/chrome/icons/default

/usr/lib64/firefox/browser/chrome/icons/default/default16.png

/usr/lib64/firefox/browser/chrome/icons/default/default32.png

/usr/lib64/firefox/browser/chrome/icons/default/default48.png

/usr/lib64/firefox/browser/components

/usr/lib64/firefox/browser/components/components.manifest

/usr/lib64/firefox/browser/components/libbrowsercomps.so

/usr/lib64/firefox/browser/extensions

/usr/lib64/firefox/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}

/usr/lib64/firefox/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/icon.png

/usr/lib64/firefox/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/install.rdf

/usr/lib64/firefox/browser/icons

/usr/lib64/firefox/browser/icons/mozicon128.png

/usr/lib64/firefox/browser/omni.ja

/usr/lib64/firefox/browser/searchplugins

/usr/lib64/firefox/browser/searchplugins/amazondotcom.xml

/usr/lib64/firefox/browser/searchplugins/bing.xml

/usr/lib64/firefox/browser/searchplugins/eBay.xml

/usr/lib64/firefox/browser/searchplugins/google.xml

/usr/lib64/firefox/browser/searchplugins/twitter.xml

/usr/lib64/firefox/browser/searchplugins/wikipedia.xml

/usr/lib64/firefox/browser/searchplugins/yahoo.xml

/usr/lib64/firefox/chrome.manifest

/usr/lib64/firefox/components

/usr/lib64/firefox/components/components.manifest

/usr/lib64/firefox/components/libmozgnome.so

/usr/lib64/firefox/defaults

/usr/lib64/firefox/defaults/pref

/usr/lib64/firefox/defaults/pref/channel-prefs.js

/usr/lib64/firefox/dependentlibs.list

/usr/lib64/firefox/dictionaries

/usr/lib64/firefox/dictionaries/en-US.aff

/usr/lib64/firefox/dictionaries/en-US.dic

/usr/lib64/firefox/firefox

/usr/lib64/firefox/firefox-bin

/usr/lib64/firefox/libmozalloc.so

/usr/lib64/firefox/libmozsqlite3.so

/usr/lib64/firefox/libreplace_jemalloc.so

/usr/lib64/firefox/libxul.so

/usr/lib64/firefox/mozilla-xremote-client

/usr/lib64/firefox/omni.ja

/usr/lib64/firefox/platform.ini

/usr/lib64/firefox/plugin-container

/usr/lib64/firefox/removed-files

/usr/lib64/firefox/run-mozilla.sh

/usr/lib64/firefox/webapprt

/usr/lib64/firefox/webapprt-stub

/usr/lib64/firefox/webapprt/omni.ja

/usr/lib64/firefox/webapprt/webapprt.ini

/usr/lib64/firefox/xpcom-config.h

/usr/share

/usr/share/applications

/usr/share/applications/firefox.desktop

/usr/share/icons

/usr/share/icons/hicolor

/usr/share/icons/hicolor/128x128

/usr/share/icons/hicolor/128x128/apps

/usr/share/icons/hicolor/128x128/apps/firefox.png

/usr/share/icons/hicolor/16x16

/usr/share/icons/hicolor/16x16/apps

/usr/share/icons/hicolor/16x16/apps/firefox.png

/usr/share/icons/hicolor/22x22

/usr/share/icons/hicolor/22x22/apps

/usr/share/icons/hicolor/22x22/apps/firefox.png

/usr/share/icons/hicolor/24x24

/usr/share/icons/hicolor/24x24/apps

/usr/share/icons/hicolor/24x24/apps/firefox.png

/usr/share/icons/hicolor/256x256

/usr/share/icons/hicolor/256x256/apps

/usr/share/icons/hicolor/256x256/apps/firefox.png

/usr/share/icons/hicolor/32x32

/usr/share/icons/hicolor/32x32/apps

/usr/share/icons/hicolor/32x32/apps/firefox.png

/usr/share/pixmaps

/usr/share/pixmaps/firefox.png

```

And I need to be able to get rid of Javascript if I wanted to add hosts for Sleuthkit, for my problem deployed here on Sleuthkit I am very slowly working with these (? months ?)... and it said Javascript need be off.

----------

## miroR

And here's why I can't take the Schmoog, the Schmoogle-Boogle-Woogle. They're the pro hitsquad, along with the informants and generally the nuissance of the Internet.

Why you're letting your poor stingy lying hearts drown in money, all you the Schmoog? The heart of a human is for dignity, for truth, for respect, for love, and what do you do, poor obnoxious little monsters with washed faces claiming they just "do no evil"?

I'm already having two big issues on my hands, and I was trying to fully report the second one...

(the first one, a really big problem to solve, being postponed:

Recover partly overwritten luks volume?

https://forums.gentoo.org/viewtopic-t-1004014.html

and the second one is outside these parens)

[I was trying to fully report] the second one of my issues that break my back with intensity of a poor user's (me) research:

Syslog-ng from Delay in Logging to Broken Pipe and no Logging 

https://forums.gentoo.org/viewtopic-t-1001994.html#7667580

where you can read, currently (and if I make it to arrange well, I will keep that beginning to that post there):

Can't do.

Having errors with the Forums.

This is what I just sent to a moderator:

I'm trying to post:

http://croatiafidelis.hr/gnu/gentoo/Gen_141214_syslog-ng_sync_HID_2rr.txt

It is less then 80k.

================

It shows fine in preview.

================

Is cut short when submitted.

What do I do?

I've never yet had it that the preview is fine, but does not show like previewed when submitted.

Thanks,

Miro

--- 

But I do dumpcap captures, I conntrack log and I also screencast [1] what I do online, and I analyze those for times often multiple, and two and three digit multiple if needed, of the time that I spend online, and so, while the:

```

-rw-r--r-- 1 miro miro 1095251946 2014-12-16 00:00 Screen_141215_2238_g0n.mkv

---

6d899db25273f93cc2406b39387001d045c94c307831fa9f436d976bce6ade16  Screen_141215_2238_g0n.mkv

```

will tell you (I think I could, if I make it, post the ending part where the Schmoog intrusion occurred (but only errors with Forums show!), since 1GB is too much for a poor user like me to be posting; slow connection the mine, little space on my site) [it will tell you] that I did not seek the Schmoogle-Boogle-Woogle,

and while extremely likely also the:

```

-rw-r--r-- 1 root root 217114 2014-12-15 23:59 conntrack-E_141215_2238.log

---

d1307056728195c33eba83be881fdbce816a97be9eb4597296bc790acf25ec7d  conntrack-E_141215_2238.log

```

will agree with the former (and the latter below) if need be (and I'll keep them safe),

I can pronto offer you the Schmoog intrusion Internet packet capture traffic (also not complete, just the conversation with 173.194.113.85, the googlemail.l.google.com is already 26k):

```

-rw-r--r-- 1 root root 8304724 2014-12-15 23:56 dump_141215_2238_g0n.pcap

---

f8d59adc997d5f555a80afba0b502ef328e4ef6878b8f4809a6ccf9cc754ab2c  dump_141215_2238_g0n.pcap

```

Enjoy a poor user's revelation!

```

No.     Time           Source                Destination           Protocol Length Info

   9983 4377.711995000 192.168.1.3           googlemail.l.google.com TCP      76     56304→https [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=101573435 TSecr=0 WS=128

Frame 9983: 76 bytes on wire (608 bits), 76 bytes captured (608 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 0, Len: 0

No.     Time           Source                Destination           Protocol Length Info

   9987 4377.757808000 googlemail.l.google.com 192.168.1.3           TCP      76     https→56304 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1430 SACK_PERM=1 TSval=418969980 TSecr=101573435 WS=128

Frame 9987: 76 bytes on wire (608 bits), 76 bytes captured (608 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 0, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info

   9988 4377.757912000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=101573481 TSecr=418969980

Frame 9988: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 1, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info

   9989 4377.758228000 192.168.1.3           googlemail.l.google.com TLSv1.2  236    Client Hello

Frame 9989: 236 bytes on wire (1888 bits), 236 bytes captured (1888 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 1, Ack: 1, Len: 168

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

   9990 4377.805315000 googlemail.l.google.com 192.168.1.3           TCP      68     https→56304 [ACK] Seq=1 Ack=169 Win=43648 Len=0 TSval=418970028 TSecr=101573481

Frame 9990: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 1, Ack: 169, Len: 0

No.     Time           Source                Destination           Protocol Length Info

   9991 4377.808184000 googlemail.l.google.com 192.168.1.3           TLSv1.2  1486   Server Hello

Frame 9991: 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 1, Ack: 169, Len: 1418

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

   9992 4377.808292000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=169 Ack=1419 Win=32128 Len=0 TSval=101573531 TSecr=418970029

Frame 9992: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 169, Ack: 1419, Len: 0

No.     Time           Source                Destination           Protocol Length Info

   9993 4377.811135000 googlemail.l.google.com 192.168.1.3           TCP      1486   [TCP segment of a reassembled PDU]

Frame 9993: 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 1419, Ack: 169, Len: 1418

No.     Time           Source                Destination           Protocol Length Info

   9994 4377.811174000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=169 Ack=2837 Win=35072 Len=0 TSval=101573534 TSecr=418970029

Frame 9994: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 169, Ack: 2837, Len: 0

No.     Time           Source                Destination           Protocol Length Info

   9995 4377.811495000 googlemail.l.google.com 192.168.1.3           TLSv1.2  420    Certificate

Frame 9995: 420 bytes on wire (3360 bits), 420 bytes captured (3360 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 2837, Ack: 169, Len: 352

[3 Reassembled TCP Segments (2906 bytes): #9991(1298), #9993(1418), #9995(190)]

Secure Sockets Layer

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

   9996 4377.811528000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=169 Ack=3189 Win=37888 Len=0 TSval=101573534 TSecr=418970029

Frame 9996: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 169, Ack: 3189, Len: 0

No.     Time           Source                Destination           Protocol Length Info

   9997 4377.823322000 192.168.1.3           googlemail.l.google.com TLSv1.2  230    Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request

Frame 9997: 230 bytes on wire (1840 bits), 230 bytes captured (1840 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 169, Ack: 3189, Len: 162

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10006 4377.871051000 googlemail.l.google.com 192.168.1.3           TLSv1.2  314    New Session Ticket, Change Cipher Spec, Hello Request, Hello Request

Frame 10006: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 3189, Ack: 331, Len: 246

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10007 4377.871110000 googlemail.l.google.com 192.168.1.3           TLSv1.2  125    Application Data

Frame 10007: 125 bytes on wire (1000 bits), 125 bytes captured (1000 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 3435, Ack: 331, Len: 57

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10008 4377.871131000 googlemail.l.google.com 192.168.1.3           TLSv1.2  113    Application Data

Frame 10008: 113 bytes on wire (904 bits), 113 bytes captured (904 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 3492, Ack: 331, Len: 45

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10013 4377.910838000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=331 Ack=3537 Win=40704 Len=0 TSval=101573634 TSecr=418970093

Frame 10013: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 331, Ack: 3537, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10016 4377.915120000 192.168.1.3           googlemail.l.google.com TLSv1.2  133    Application Data

Frame 10016: 133 bytes on wire (1064 bits), 133 bytes captured (1064 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 331, Ack: 3537, Len: 65

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10017 4377.915161000 192.168.1.3           googlemail.l.google.com TLSv1.2  436    Application Data

Frame 10017: 436 bytes on wire (3488 bits), 436 bytes captured (3488 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 396, Ack: 3537, Len: 368

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10018 4377.964740000 googlemail.l.google.com 192.168.1.3           TCP      68     https→56304 [ACK] Seq=3537 Ack=764 Win=45824 Len=0 TSval=418970188 TSecr=101573638

Frame 10018: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 3537, Ack: 764, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10019 4377.981261000 googlemail.l.google.com 192.168.1.3           TLSv1.2  367    Application Data

Frame 10019: 367 bytes on wire (2936 bits), 367 bytes captured (2936 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 3537, Ack: 764, Len: 299

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10020 4377.981321000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=764 Ack=3836 Win=43520 Len=0 TSval=101573704 TSecr=418970203

Frame 10020: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 764, Ack: 3836, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10021 4377.981344000 googlemail.l.google.com 192.168.1.3           TLSv1.2  295    Application Data

Frame 10021: 295 bytes on wire (2360 bits), 295 bytes captured (2360 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 3836, Ack: 764, Len: 227

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10022 4377.981365000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=764 Ack=4063 Win=46336 Len=0 TSval=101573704 TSecr=418970203

Frame 10022: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 764, Ack: 4063, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10023 4377.981374000 googlemail.l.google.com 192.168.1.3           TLSv1.2  109    Application Data

Frame 10023: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4063, Ack: 764, Len: 41

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10024 4377.981398000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=764 Ack=4104 Win=46336 Len=0 TSval=101573704 TSecr=418970203

Frame 10024: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 764, Ack: 4104, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10025 4377.981784000 192.168.1.3           googlemail.l.google.com TLSv1.2  109    Application Data

Frame 10025: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 764, Ack: 4104, Len: 41

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10059 4378.071627000 googlemail.l.google.com 192.168.1.3           TCP      68     https→56304 [ACK] Seq=4104 Ack=805 Win=45824 Len=0 TSval=418970292 TSecr=101573704

Frame 10059: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4104, Ack: 805, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10161 4436.471020000 192.168.1.3           googlemail.l.google.com TLSv1.2  109    Application Data

Frame 10161: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 805, Ack: 4104, Len: 41

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10165 4436.516713000 googlemail.l.google.com 192.168.1.3           TCP      68     https→56304 [ACK] Seq=4104 Ack=846 Win=45824 Len=0 TSval=419028738 TSecr=101632194

Frame 10165: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4104, Ack: 846, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10166 4436.516770000 googlemail.l.google.com 192.168.1.3           TLSv1.2  109    Application Data

Frame 10166: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4104, Ack: 846, Len: 41

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10168 4436.555864000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=846 Ack=4145 Win=46336 Len=0 TSval=101632279 TSecr=419028738

Frame 10168: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 846, Ack: 4145, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10185 4495.472557000 192.168.1.3           googlemail.l.google.com TLSv1.2  109    Application Data

Frame 10185: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 846, Ack: 4145, Len: 41

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10189 4495.518229000 googlemail.l.google.com 192.168.1.3           TLSv1.2  109    Application Data

Frame 10189: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4145, Ack: 887, Len: 41

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10190 4495.518289000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=887 Ack=4186 Win=46336 Len=0 TSval=101691241 TSecr=419087739

Frame 10190: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 887, Ack: 4186, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10336 4553.552583000 192.168.1.3           googlemail.l.google.com TLSv1.2  109    Application Data

Frame 10336: 109 bytes on wire (872 bits), 109 bytes captured (872 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 887, Ack: 4186, Len: 41

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10344 4553.597930000 googlemail.l.google.com 192.168.1.3           TLSv1.2  133    Application Data

Frame 10344: 133 bytes on wire (1064 bits), 133 bytes captured (1064 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4186, Ack: 928, Len: 65

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10345 4553.597974000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=928 Ack=4251 Win=46336 Len=0 TSval=101749321 TSecr=419145817

Frame 10345: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 928, Ack: 4251, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10346 4553.597994000 googlemail.l.google.com 192.168.1.3           TLSv1.2  113    Application Data

Frame 10346: 113 bytes on wire (904 bits), 113 bytes captured (904 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4251, Ack: 928, Len: 45

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10347 4553.598009000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [ACK] Seq=928 Ack=4296 Win=46336 Len=0 TSval=101749321 TSecr=419145817

Frame 10347: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 928, Ack: 4296, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10348 4553.598193000 googlemail.l.google.com 192.168.1.3           TCP      68     https→56304 [FIN, ACK] Seq=4296 Ack=928 Win=45824 Len=0 TSval=419145817 TSecr=101749275

Frame 10348: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4296, Ack: 928, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10349 4553.598339000 192.168.1.3           googlemail.l.google.com TLSv1.2  113    Application Data

Frame 10349: 113 bytes on wire (904 bits), 113 bytes captured (904 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 928, Ack: 4297, Len: 45

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10350 4553.598786000 192.168.1.3           googlemail.l.google.com TLSv1.2  99     Encrypted Alert

Frame 10350: 99 bytes on wire (792 bits), 99 bytes captured (792 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 973, Ack: 4297, Len: 31

Secure Sockets Layer

No.     Time           Source                Destination           Protocol Length Info

  10351 4553.598880000 192.168.1.3           googlemail.l.google.com TCP      68     56304→https [FIN, ACK] Seq=1004 Ack=4297 Win=46336 Len=0 TSval=101749322 TSecr=419145817

Frame 10351: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: 192.168.1.3 (192.168.1.3), Dst: googlemail.l.google.com (173.194.113.85)

Transmission Control Protocol, Src Port: 56304 (56304), Dst Port: https (443), Seq: 1004, Ack: 4297, Len: 0

No.     Time           Source                Destination           Protocol Length Info

  10355 4553.644892000 googlemail.l.google.com 192.168.1.3           TCP      62     https→56304 [RST] Seq=4297 Win=0 Len=0

Frame 10355: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4297, Len: 0

VSS-Monitoring ethernet trailer, Source Port: 18080

No.     Time           Source                Destination           Protocol Length Info

  10356 4553.646003000 googlemail.l.google.com 192.168.1.3           TCP      62     https→56304 [RST] Seq=4297 Win=0 Len=0

Frame 10356: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4297, Len: 0

VSS-Monitoring ethernet trailer, Source Port: 18080

No.     Time           Source                Destination           Protocol Length Info

  10357 4553.646723000 googlemail.l.google.com 192.168.1.3           TCP      62     https→56304 [RST] Seq=4297 Win=0 Len=0

Frame 10357: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface 0

Linux cooked capture

Internet Protocol Version 4, Src: googlemail.l.google.com (173.194.113.85), Dst: 192.168.1.3 (192.168.1.3)

Transmission Control Protocol, Src Port: https (443), Dst Port: 56304 (56304), Seq: 4297, Len: 0

VSS-Monitoring ethernet trailer, Source Port: 18080

```

Of course, it's encrypted traffic, this is something only experts could decode. But in case there is a will by someone proven knowledgeable enough to decode such conversations, via the Sleuthkit, maybe, only maybe because I am not very advanced, and I don't know if I could, but maybe I will be able to make it to prepare the partition dumps with the current state frozen in a DMZ for them to access, and then for us to reveal fully what those stingy lying Schmoog did...

You're not freaking invited, you Schmoog the Zhboogle Goog! Stay away from me, I detest you. Have you own monstrous life dangling with moneys in your petty little hearts when you have to, but leave who don't want you alone. Thank you! 

There will be no more correcting of this post here above the line that you see below, because I want to publictimestamp it. If there will be typoes/other kind of mistake to correct, I'll do it below that line.

I'm taking care to prepare this well, and it's already stowed away safely all that is part and parcel to this story off this online system, because the Schmoog intrusion is an event that potentially cuts your connection along with, sure snooping on you, but also possibly stealing your data as well as even potentially deleting things... And I'm not an expert to take that e-leviathen on when it attacks me, other than hit and run away. I have this file's hashes for the publictimestamp (PTS) taken offline, and if I don't make it to post this on the Gentoo Forums under:

Google - can not open any link - malware ??

https://forums.gentoo.org/viewtopic-t-912056.html

while it then might have a later PTS corresponding to when I do manage to both PTS it before I post it, there will be another frozen system partitions dump that I will safekeep for a while, with all the system logs to prove that the dirty Schmoog intruded on me without a reason along with totally univitedly. There are other conversations in that packet capture of my 1h 22min online attempts to post on Gentoo Forums (but, apart from one single checking of the link to:

NSA's Operation Orchestra Annual Status Report

http://video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm

and three, 3, files uploaed via sftp, I did not seek any other connections!). The other ones are with content1.mail.am0.yahoodns.net (68.142.230.8 :Cool:  and e8218.ce.akamaiedge.net (23.37.43.27). That latter is a CA, I think, but while that don't make it a fine player, it was invited, because I sftp'd tonight's files (or last night's in CET) to http://croatiafidelis.hr/gnu/gentoo/ --the Gen_141214_syslog-ng_sync_HID_2rr.txt{,sig,sum} files-- (it caters for my hoster). The Yahoo, about same as for the Schmoog can be said. Tired of these e-leviathans.

[1] The commands which I use to do it, I described in:

No content in overlays.gentoo.org

https://forums.gentoo.org/viewtopic-t-1005576.html

Again, any possible corrections, outside of the body of this text delimited with the "=== cut off from" line(s) (plural in parens because I sometimes put then in the top as well). Exception: there will be a diff needed if there show to be (true) formatting errors on my part or such gravely debilitating to reading pleasure mistakes/other grave mistakes (the latter not likely to be the case here).

======= cut off from this line to end if verifying hashes =======

File corresponding to this post: Gen_141216_Schmoog_cookies_Firefox_Intrusion.txt,

has Publictimestamp # 1250582

-- 

publictimestamp.org/ptb/PTB-22356 sha256 2014-12-16 03:01:45

0C37E7E93D7373D4D062DFC4E33907F3BA25A787A2852455DA7CA9C59D77B656

----------

## miroR

I have decided to move my reply to Princess Nell here where I believe it belongs, more appropriately.

It was originally in this topic:

Updating and keeping your Gentoo non-poeterized

https://forums.gentoo.org/viewtopic-t-1012022-start-25.html#7713604

You can see that I have linked to here from there, so nothing of the conversation is lost. No time to beg and wait for Moderators and Administrators to do it better, while this was quick and should work...

And there is a backdoorish program there that I identified, This topic is noise for that one, as that one would be noise here.

---

 *Princess Nell wrote:*   

> What do your packet traces say about a firefox instance where e.g. "safe browsing" is disabled completely, and the resp. about:config URLs have been emptied? What if OCSP is disabled?

 

I'll have to study your suggestions, as I don't even, yes I just now got a notion, ddg.gg gave me, of OCSP:

 *DuckDuckgo.com wrote:*   

> 
> 
> OCSP Stapling has landed in the latest Nightly builds of Firefox! OCSP stapling is a mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner.

 

As for safe browsing, wasn't that previously called phishing protection? No? Then: tell me more. Yes? Thne: Bogus. They don't protect from Schmoog the Surveillance Engine. Schmoog lives there, I still think.

(And I think it's: Yes)

 *Quote:*   

> The next step is going through about:config, look for https?://, check what those entries are about, and if necessary empty them as well. How much behind-your-back-tracffic is left then?

 

Would there be no Schmoog, no Akamai (which I,

in this topic on Firefox and Google, where I moved my replies to you, as you can see, which I suggested to you in the topic on non-poeterized Gentoo to post, here, about that. see there the title Google - can not open any link - malware ??", [Akamai] which I previously thought not fishy), no cloud? _That_ is the question,

You seem not to get it, to some extent. Google is the top data harvester, I don't think that can be put in doubt.

 *Quote:*   

> Yeah, I'm probably just dabbling. Until recently, most of my privacy needs were taken care of by ff add-ons, and it was a slow process realizing what modern browsers are up to in the background. Creeping featuritis and "market pressures" are taking their toll on FOSS, and some entities, companies and other, act as if they've lost the effing plot

 

This goes to:

 *Quote:*   

> (yes, I'm looking at you, major commercial Linux vendor).

 

the Roman-Empire-like superpower Army's main supplier, the Red Hat, doesn't it? (Wouldn't be a problem, but what's that got to do with us, the FOSS?)...

Aargh, I'm tired of chasing links, but I must go and get the link for you, to an article by the IgnorantGuru... Wait... Is it this one(?):

Julian Assange: Debian Is Owned By The NSA

https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/

(pls don't be chased away by the title, it is tactically and to some extent factually wrong, one of the biggest mistakes of IgnorantGuru the writer; the article contains fine information)

Princess, you need to see those packet captures that I linked above, or if you don't understand them, familiarize with Wireshark or straight with dumpcap or tcpdump (just in case you haven't yet).

 *jonathan183 wrote:*   

> I use links most of the time ... I use firefox for sites where I need to. When I do use firefox I use noscript and only enable the minimum to get things working. I tend to disable the reporting stuff as well.
> 
> One of the banks I use with links ... which is great, the other I use needs scripts so it's back to firefox for me ...
> 
> I tried qupzilla, midori, netsurf and a few others - but for me links in a framebuffer display works best if scripts are not needed otherwise firefox. I use separate users for general surfing, emails (mutt or claws-mail), online bank, accessing documents etc.
> ...

 

Valuable experience! Will be remembered here. links really better than lynx? Tried links too, but not so extensively,

I so have to use Firefox for internet-banking (Javascript based), but it's always Google spying during my time online. I already have plenty of stuff made with my:

The: uncenz

https://github.com/miroR/uncenz

(primitive, dirty, incompetent) program (but as idea, it is worth your consideration, kind readers)

and in the way I did the captures/screencasts previously, as I explained here: 

No content in overlays.gentoo.org

https://forums.gentoo.org/viewtopic-t-1005576.html#7661362

but presenting is so much work.

Somebody pls. prove me wrong, if you can, I'm pasting what you may have already read:

 *in the topic about keeping Gentoo non-poeterized wrote:*   

> 
> 
> What I know, and don't like in the least, actually despise, is the first thing Firefox does is it hauls over all the data about you into the cloud. The first time it connects. And, sure, updates the cloud every next time. Data harvesting. I've seen it in all packet captures. 
> 
> And it facilitates Google spying to the utmost. None of that when browsing with dillo and lynx.
> ...

 

And it looks to me I stumbled on a bug again, with webkit-gtk, and I think I first have to finish the reporting on it, here in this topic, and probably in the Bugzilla.

And, talking of browsers, I really like dillo! It's not its prime time, and you do need to be, as the author suggests in its user documentation, upfront, advanced user to to really benefit from it, but, you know what: I trust the author.

It's been sea calm, in comparison to any time of mine online with Schmooglefox, my online with dillo, sisters and brothers in *nix! And I wish Vis Major (Latin), keeps dillo's developers spiteful, strong and lucid, and as soon as they get an alpha version with Javascript, I believe (unless they tell me otherwise in the Announcement), that I'll be safer with dillo on Internet banking pages, than with Firefox. Yes!

Dillo looks to me very safe!

----------

## steveL

 *miroR wrote:*   

> I have decided to move my reply to Princess Nell here where I believe it belongs, more appropriately.

 

Jeez, miroR, you don't dig up 3 year old threads, and then take them over with the toilet-paper approach to blogging.

 *Quote:*   

> You can see that I have linked to here from there, so nothing of the conversation is lost.

 

I really wish it were, sometimes; you need to start editing your output for length.

Sometimes there's good stuff in there, but it's so much effort to cut through the dross, that the effort becomes too much, and one is tempted just to ignore the poster.

Hopefully you can see that your verbiage is having a counter-productive effect. If not, believe me that is all I'm trying to get you to see.

----------

## miroR

Princess Nell wrote in the other topic, these fine two posts that I am hereby replying to by first quoting them completely.

----

 *Princess Nell wrote:*   

> OCSP: https://en.wikipedia.org/wiki/Ocsp. The problem with it is: you use https as much as possible to stop 3rd parties from learning URLs and contents, and then your browser contacts a 3rd party every time you use https. That's just crazy.
> 
> "Safe browsing", yes, that's phishing and malware protection. I was just going by the corresponding about.config entries (browser.safebrowsing prefix). https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work makes it clear this is a Google service.

 

----

 *Princess Nell wrote:*   

> I've run a little experiment here.
> 
> Set up a test user with a completely new firefox profile. Just change it so that the home page points to www.gentoo.org. Disable all daemons that listen to or create network traffic (ntp, ssh etc.). Then run a network dump and start firefox, close it when the page has loaded completely. Result is around 3.5k packets.
> 
> Now run the same experiment again with my normal browser settings, ie. about:config variables relating to OCSP, safe-browsing etc. disabled, and all add-ons disabled. The result is some 150 packets. Enabling add-ons adds some 70 more packets, but I didn't check in detail which add-on causes which traffic. More importantly, other than DNS and certain multicast stuff, I see no traffic not relating to the loading of www.gentoo.org.
> ...

 

----

As you can see, Princess Nell, the first thing I did is took care of your posts so that your work to present it is not lost in the least.

But pls. take time and understand what I wrote there, in my last post before I left[*], in the topic from which I removed my post with my considerate replies to you and jonathan183, so now you can read them, intact (only adapted the talk of topic this or that for the location).

I'm still tired, I'm posting this because I see that you have invested serious work on the issue.

But you have to give me time to reply. I'm busy with other things, which are currently much more important, and not only to me (such as I have been welcomed to contribute, probably some of the more simple documentation, to hardened in the nascent Devuan...

These issues, however, do interest me, and when I'm back, I try and reach you so we continue discussion, or join here if the discussion have evolved in the meantime.

Thank you!

---

[*] -- That research got me pretty tired in the end... and will they reply and post? Or will they hide problems instead? That is the issue you, steveL should ponder over, too, IMO, instead of telling me off. Do you not understand that that is backdoorish behavior there? They will hide problems more easily, if that side prevails in among Gentoo higher ranking and decision-making members who I address to there, much more easily if that point of mine is subdued by what is not really related anymore to `keeping your Gentoo non-poeterized' as I called the topic, but is related to Google and Firefox here, and not poeterware... Pls. understand, both of you, steveL and  Princess Nell. Thank you!

----------

## Princess Nell

You could do worse than heeding steveL's suggestions.

----------

## miroR

I'll try and see what my Firefox, that never saw any online, because it is from my master Gentoo machine that never ever sees any online, as I never connect it to the internet, has on me.

[I'll try and see what my Firefox has on me], before I even fire it up in this cloned Gentoo machine, cloned from that master Gentoo machine (dd dump save the master box's system patitions, and dd dump restore them onto this cloned box, and some configuration to do, same MBO and same or very similar hardware in both).

Why? Because of the insistence on the possible goodness or fixability of it, by Princess Nell here, and also elsewhere by others, in the face of my demonstrations.

In the face of my demonstrations, with links deployed in full view, which links lead you to full presentations, minimal effort --but not negligeable, unless advanced-- needed on your part to understand those, yes, but those complete presententions of concrete short intervals of real time of mine online are fruit of incomparably more effort invested from my part as far as those choice moments go.

All that particular time invested to present those is on top of the broader effort, because those are the choice kind of moments that are not necessarily repeatable, a one-time events, and likely not reproducible: the bot that did the sending of mail from my machine on me in the clickjacking presentation.

You can try and tell me if it would do the same on your machine, or was it programmed to work only on some chosen connections, like mine, a dissenter's connection?

(Schmoog and Yooch are at whichever the local regime's service, and in cahoots for privacy breaking, and they trade with them the info and do dirty deals, and also local personnel work in the local tasks and whatever is of any regional work/area-of-interest/other.)

And another reason why I decided to [try and see what my Firefox] has on me, is also because of this:

https://forums.gentoo.org/viewtopic-t-1012022.html#7713332

where I only asked somebody to kindly report if this page:

Uninstalling dbus and *kits (to Unfacilitate Remote Seats is excessively broad, and and so not displayed in full breadth in Firefox on a 1024x768 display.

Got no reply, so that'll be the sole page that I will open. The check is only an excuse. I want to show firefox's data harvesting, just the beginning of it, how it works.

And for that purpose I'm preparing this text upfront.

Why? Because I want to post the identificating SHA256 sums of both the packet capture Pcap-ng file and of the screencast, of that short interval of time. So I can take my time to explain what happened, and noone can really doubt, once --whenever at any later time-- they get those exact files downloaded for themselves, that I was inventing things, or that I messed up with those files.

So, the Firefox is vanilla, vergin, untouched by any connections from the outer, the internet, world, yet.

I'll try and remember to rename/hide via, sed'ing, the salt (the f8rsbgui.default) and my username, and such, as usual, before posting this publically.

I cd into:

```

cd ~/.mozilla/firefox/f8rsbgui.default

```

This is of my interest:

```

ukrainian@mybox ~/.mozilla/firefox/f8rsbgui.default $ ls -l *.sqlite

-rw-r--r-- 1 miro miro  229376 2015-02-15 15:03 content-prefs.sqlite

-rw-r--r-- 1 miro miro  524288 2014-05-11 16:06 cookies.sqlite

-rw-r--r-- 1 miro miro  196608 2014-11-21 23:18 formhistory.sqlite

-rw-r--r-- 1 miro miro 1146880 2015-03-11 05:52 healthreport.sqlite

-rw-r--r-- 1 miro miro  884736 2014-06-04 23:06 netpredictions.sqlite

-rw-r--r-- 1 miro miro   65536 2015-02-15 15:03 permissions.sqlite

-rw-r--r-- 1 miro miro 1671168 2015-03-11 06:09 places.sqlite

-rw-r--r-- 1 miro miro  327680 2014-05-14 19:31 signons.sqlite

-rw-r--r-- 1 miro miro   98304 2014-05-16 04:42 webappsstore.sqlite

ukrainian@mybox ~/.mozilla/firefox/f8rsbgui.default $ 

```

Maybe this will be reproducible for readers to some extent, to see their SchmoogleFox conditions. And, no, I don't want to be looking into the GUI for these. I like better text than GUI. Text is workable better than pictures. And also, at this point in time I don't know where this will lead me, I hope it won't end in a flop, as sometimes my bungled researches do...

```

mkdir /some/where/Gen_150311_SchmoogleFox_VIRGIN.d/

```

Some reading of `man sqlite3' (if not there, probably `emerge sqlite'), and I think I'll be able, later when I research, to work those databases and get texts out of them, at the least.

If you run this in the fashion that I show here, in a new dir created somewhere out of system dirs, you shouldn't suffer any harm, IMO, but try at your own risk anyway.

First:

```

cd /some/where/Gen_150311_SchmoogleFox_VIRGIN.d/

```

Just this line, for starters, I tried this:

```

for i in `ls -1 *.sqlite|sed 's/\.sqlite//'` ; do sqlite3 -line $i.sqlite '.dump' > $i.txt ; done ;

```

To see what that gave me, I ran:

```

for i in `ls -1 *.txt` ; do ls -l $i ; read FAKE ; cat $i ; read FAKE ; done ;

```

`read FAKE' only allows you, the first one: to see which of the text file is going to be cat'ed, and, the second one, to peruse that cat'ed text file.

Oh, not to forget, this is the `vergin, untouched' state of those databases is:

```

cbac0f1510a231edf5e5cad1869d6ce12ca5a854c07391fc39cfdd33fd8667c9  content-prefs.sqlite

242c518010873f8c49c42c4691f831d6c37766fced64426a98183199e96401e5  cookies.sqlite

0adbec425c7718942e166bba45eec0c5d3d2aad533b6ed84b513246d63173c2f  formhistory.sqlite

c362997a0e3936914fe81b9c6ba30dce659e1712d73141b7148ba2b2addf990c  healthreport.sqlite

4c1eff3cf28c183638979a01809391e221421fba22e4152bae1a66a734bc9a05  netpredictions.sqlite

5b85e169d275f27f7f17755843ac249c43ee66878094ee095fdd969d18455e44  permissions.sqlite

9fe46c00c7275d502f52a45e6992da55387c7b804c8c831e174507658a091d4f  places.sqlite

d53020b2ab13bcd31ac62704ce2b3d4012e8577b0142a352e9d6d52f377461ec  signons.sqlite

7d503696d47e474721f1ab8aa5279edca705cf7d759dc15454e1b6891e285e80  webappsstore.sqlite

```

I've been using dillo, which is incomplete yet, and has no Javascript yet (and Javascript is surely needed, sometimes, only sometimes but needed), but which I like very much. dillo is very honest, in my strong conviction. There's none of what the big browsers do: spying and such, in dillo, none of that whatsover.

And also, the state of this machine as far as internet goes is: it's pretty fresh.

These are the screencast, all of forums.gentoo.org and such non-intrusive sites only, and some getting and sending of mail, with really good programs (see my Postfix... Bkp/Cloning... topic which contains the tip):

```
ukrainian@mybox /some/where/Gen_150311_SchmoogleFox.d $ ls -l ../Screen_15031*

-rw-r--r-- 1 miro miro   8372044 2015-03-10 09:29 ../Screen_150310_0925_ukrabox.mkv

-rw-r--r-- 1 miro miro  31460664 2015-03-10 09:48 ../Screen_150310_0932_ukrabox.mkv

-rw-r--r-- 1 miro miro  10425929 2015-03-10 09:52 ../Screen_150310_0948_ukrabox.mkv

-rw-r--r-- 1 miro miro  12336112 2015-03-10 09:58 ../Screen_150310_0957_ukrabox.mkv

-rw-r--r-- 1 miro miro   2126252 2015-03-10 14:37 ../Screen_150310_1350_ukrabox.mkv

-rw-r--r-- 1 miro miro  83136413 2015-03-10 16:03 ../Screen_150310_1534_ukrabox.mkv

-rw-r--r-- 1 miro miro 372075588 2015-03-10 17:16 ../Screen_150310_1603_ukrabox.mkv

-rw-r--r-- 1 miro miro  33839753 2015-03-10 18:46 ../Screen_150310_1829_ukrabox.mkv

-rw-r--r-- 1 miro miro 106252010 2015-03-10 21:38 ../Screen_150310_2109_ukrabox.mkv

-rw-r--r-- 1 miro miro 193128561 2015-03-11 16:54 ../Screen_150311_1547_ukrabox.mkv

-rw-r--r-- 1 miro miro  53714326 2015-03-11 18:16 ../Screen_150311_1806_ukrabox.mkv

ukrainian@mybox /some/where/Gen_150311_SchmoogleFox.d $
```

```

for i in ../Screen_15031* ; do midentify $i | grep LENG | cut -d= -f2 >> times ; done ; echo `cat times` | sed 's/ /+/g' | bc ; rm times

17708.56

```

Only some less then 5 hours the total screencasting time (and I was despondent because of a flop I hadin the topic "Updating and keeping your Gentoo non-poetterized" and I forget to run uncenz-kill from my uncenz program idea.. So it's probably only around three hours or even less online, since I cloned this one system the day before yesterday from the master system, and prepared it for online).

[ Obviously you will, in the screencast, see me --well I mean my screen's moving pictures, posting of this text, but without what you, hopefully see below, and which is the hashes of the screencast and the packet capture during the posting of this. These below I have, hopefully, posted after the event. (Ah, the corrections of eventual typoes or other errors, as well as checking of the links included, also follows later... Oh, and you can see that I'm placing a really high bet here. I don't know for absolutely sure what will really happen in this probably less than a minute, at all!) ]

```

72f2dce0639579c5138a4a354fbc3f2937484af30db3de8ee7611f78e8a3df7c  Screen_150311_1944_ukrabox.mkv

8eafcf03fc2b480df58fbacdd176e79626fa0a10a4909016c00f08317f1de152  Screen_150311_1948_ukrabox.mkv

ad90d5c391528f99a811ddf35f8804b76a0d21411467bf3ec08b8ec029731ac9  dump_150311_1944_ukrabox.pcap

5cdacc8b8e4b53865713aacaac5e4ab43029f1b13e6af231f067b45597c88ff2  dump_150311_1948_ukrabox.pcap

```

----------

## Ant P.

Too late! The CIA already has radio-controlled backdoors embedded in your CPU.

----------

## miroR

This continues from:

( this same topic, page 1 )

https://forums.gentoo.org/viewtopic-t-912056.html#7715488

This is from my NGO CroatiaFidelis hoster's server that the regime doesn't let me use miro.rovis@croatiafidelis.hr address from (they're probably a little ashamed, just a little, from the minimum humanity they have left, and I still get some, only some, mail to it, such as from Gentoo Bugzilla, but can not reply to it from miro.rovis@croatiafidelis.hr... See in one of the links to other topics of mine on Gentoo Forums, the Postfix... Censorship... link)...

So this is related to here where you're reading:

```
# ls -BAgo *_150311_194?_ukrabox.* 

-rw-r--r-- 1   353024 Mar 12 00:30 dump_150311_1944_ukrabox.pcap

-rw-r--r-- 1   628596 Mar 12 00:31 dump_150311_1948_ukrabox.pcap

-rw-r--r-- 1 19297022 Mar 12 00:27 Screen_150311_1944_ukrabox.mkv

-rw-r--r-- 1 14743468 Mar 12 00:30 Screen_150311_1948_ukrabox.mkv

-rw-r--r-- 1      482 Mar 12 00:35 where_150311_1944_ukrabox.sum

-rw-r--r-- 1      819 Mar 12 00:35 where_150311_1944_ukrabox.sum.sig

-rw-r--r-- 1      110 Mar 12 00:31 where_150311_1944_ukrabox.txt

#
```

And the links are, wait...

Aaah, just open this page and only what contains the string `_150311_194' is

related to here where you're reading:

http://www.croatiafidelis.hr/gnu/gentoo/moz-1st-harvest/

It's all there.

I haven't studied those yet in detail, only summarily. But enough to see that I

was only partly wrong. Right at these first few minutes of SchmoogleFox running, there hasn't been any connection to

the Schmoog itself, and my remarks in the first screencast (you can see me typing while I angrily wait for the long first harvest to end) are, in that sense, wrong expectation on my part of what the upload was (it was pure Moz, not Schmoog).Last edited by miroR on Thu Mar 12, 2015 8:30 am; edited 1 time in total

----------

## miroR

And I added:

http://www.croatiafidelis.hr/gnu/gentoo/moz-1st-harvest/dump_150311_1944_ukrabox.html

where you can see that the connections that I went for, in that first packet capture, was the connection to Gentoo Forums:

```
gossamer-ipvs-forums-v4v6.gentoo.org
```

and, also, to:

```
s.eff.org
```

(that's the HTTPS Everywhere plugin)

Also, the 

```
10.16.96.1
```

 line is fine, that's the IPTV.

And the privider shows to me only the local router address (Chinese style, all hidden):

```
192.168.1.1
```

and let me see only my local address it gave me:

```
192.168.1.2
```

services.addons.mozilla.org may be needed too.

But, these:

```
cs9.wac.edgecastcdn.net

tiles.r53-2.services.mozilla.com

a1603.g1.akamai.net

locprod1-elb-eu-west-1.prod.mozaws.net

dtex4kvbppovt.cloudfront.net

fhr.data.mozilla.com
```

is collecting (harvesting) data.

And what all the gui, does it have an option to the effect of "I don't want my data harvested by you Moz?" Or, better yet, as Fitzcarraldo in a misplaced post gave us a script (better scripts than gui, but, I'm yet to study it), can it really help here?

I don't want no data harvested on me. Can you, if you're reading this, Fitzcarraldo, tell how to use Firefox without it? Or anybody?

----------

## miroR

 *steveL wrote:*   

>  *miroR wrote:*   I have decided to move my reply to Princess Nell here where I believe it belongs, more appropriately. 
> 
> Jeez, miroR, you don't dig up 3 year old threads, and then take them over with the toilet-paper approach to blogging.
> 
>  *Quote:*   You can see that I have linked to here from there, so nothing of the conversation is lost. 
> ...

 

I left the quote comprehensive, as I don't cut out of context.

But I want to point. at this objection only, for my replying:

 *Quote:*   

> you don't dig up 3 year old threads

 

How about this, 11 yrs (that's eleven years old) thread, where you see it perfectly fit to go, you, as well as me, on about the topic? And it is, perfectly fit to continue on that topic. Perfectly! This thread:

Need help creating ebuild for "lurker"

https://forums.gentoo.org/viewtopic-t-228582.html

If that is fine, and it really is, why not post about Firefox and Google in the topic on Firefox and Google, and not in the topic about depoetterizing? This is still in all essence, the same issue, as it was three years ago.

We're at an enpasse now, and I will not be to blame if my topic on non-poetterized Gentoo updating and keeping at, is ruined, as there is a chance for that to happen.

Thank you for your kind attention, whoever is kindly reading this.

--

Princess Nell and Fitzcarraldo may even have a solution, but this presentation in my some three previous posts to this one, is absolutely essential at understanding of those solutions.

[This presentation, in this topic, is absolutely essential at understanding of those solutions.] Well it is, for any non-advanced users, and I hope we're not catering only for the elitists here on Gentoo Forums...

And the place where to continue about them, IMO, is here, not there.

--

Thanks again.

----------

