    Riddle me this, BatMan!

    I was running the "btrfs send --no-data -p parent child | btrfs receive --dump | grep ^update_extents" command against yesterday's and today's snapshots to see the differences between them. A 6MB txt file was dumped.
    Examining the data imagine my surprise when I found a LOT of the following lines in the listing:
    ./@202209011901/home/jerry/.mozilla/firefox/kntuu8o2.default-release/storage/default/https+++umass-my.sharepoint.com/cache/morgue/99/{9de0653d-cc4f-4838-9326-52a0c8f2c663}.final offset=0 len=1576
    I was curious about what "umass-my.sharepoint.com" was for, besides what one might suspect. Sharepoint is M$ technology. Why is FireFox dumping data to that source? I browsed to that URL and was greeted with
    (can't upload image -- upload manager claims file is corrupt, but it is a Microsoft login screen - https://login.microsoftonline.com - for UMass Amherst)

    Since it requires a login name and password what is FireFox using to access that site and dump data? And, what kind of data are they dumping?

    jerry@jerry-hp17cn1xxx:~$ nslookup umass-my.sharepoint.com
    Server: 127.0.0.53
    Address: 127.0.0.53#53

    Non-authoritative answer:
    umass-my.sharepoint.com canonical name = umass.sharepoint.com.
    umass.sharepoint.com canonical name = 3163-ipv4e.clump.prod.aa-rt.sharepoint.com.
    3163-ipv4e.clump.prod.aa-rt.sharepoint.com canonical name = 18391-ipv4e.farm.prod.aa-rt.sharepoint.com.
    18391-ipv4e.farm.prod.aa-rt.sharepoint.com canonical name = 18391-ipv4e.farm.prod.sharepointonline.com.akadns.net.
    18391-ipv4e.farm.prod.sharepointonline.com.akadns.net canonical name = 18391-ipv4.farm.prod.aa-rt.sharepoint.com.dual-spo-0004.spo-msedge.net.
    18391-ipv4.farm.prod.aa-rt.sharepoint.com.dual-spo-0004.spo-msedge.net canonical name = dual-spo-0004.spo-msedge.net.
    Name: dual-spo-0004.spo-msedge.net
    Address: 13.107.138.9
    Name: dual-spo-0004.spo-msedge.net
    Address: 13.107.136.9
    and
    jerry@jerry-hp17cn1xxx:~$ whois 13.107.138.9

    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/resources/registry/whois/tou/
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/regis...acy_reporting/
    #
    # Copyright 1997-2022, American Registry for Internet Numbers, Ltd.
    #


    NetRange: 13.64.0.0 - 13.107.255.255
    CIDR: 13.104.0.0/14, 13.64.0.0/11, 13.96.0.0/13
    NetName: MSFT
    NetHandle: NET-13-64-0-0-1
    Parent: NET13 (NET-13-0-0-0-0)
    NetType: Direct Allocation
    OriginAS:
    Organization: Microsoft Corporation (MSFT)
    RegDate: 2015-03-26
    Updated: 2021-12-14
    Ref: https://rdap.arin.net/registry/ip/13.64.0.0



    OrgName: Microsoft Corporation
    OrgId: MSFT
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US
    RegDate: 1998-07-10
    Updated: 2022-03-28
    Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
    Comment: * https://cert.microsoft.com.
    Comment:
    Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
    Comment: * abuse@microsoft.com.
    Comment:
    Comment: To report security vulnerabilities in Microsoft products and services, please contact:
    Comment: * secure@microsoft.com.
    Comment:
    Comment: For legal and law enforcement-related requests, please contact:
    Comment: * msndcc@microsoft.com
    Comment:
    Comment: For routing, peering or DNS issues, please
    Comment: contact:
    Comment: * IOC@microsoft.com
    Ref: https://rdap.arin.net/registry/entity/MSFT


    OrgTechHandle: IPHOS5-ARIN
    OrgTechName: IPHostmaster, IPHostmaster
    OrgTechPhone: +1-425-538-6637
    OrgTechEmail: iphostmaster@microsoft.com
    OrgTechRef: https://rdap.arin.net/registry/entity/IPHOS5-ARIN

    OrgTechHandle: MRPD-ARIN
    OrgTechName: Microsoft Routing, Peering, and DNS
    OrgTechPhone: +1-425-882-8080
    OrgTechEmail: IOC@microsoft.com
    OrgTechRef: https://rdap.arin.net/registry/entity/MRPD-ARIN

    OrgAbuseHandle: MAC74-ARIN
    OrgAbuseName: Microsoft Abuse Contact
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@microsoft.com
    OrgAbuseRef: https://rdap.arin.net/registry/entity/MAC74-ARIN


    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/resources/registry/whois/tou/
    #
    # If you see inaccuracies in the results, please report at
    # https://www.arin.net/resources/regis...acy_reporting/
    #
    # Copyright 1997-2022, American Registry for Internet Numbers, Ltd.
    #
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    - John F. Kennedy, February 26, 1962.

    #2
    How do I stop Firefox from sending data?
    To disable the sharing of this data:
    1. In the Menu bar at the top of the screen, click Firefox and select Preferences. Click the menu button and select Settings.
    2. Select the Privacy & Security panel.
    3. Uncheck the boxes under the section, Firefox Data Collection and Use.
    Using Kubuntu Linux since March 23, 2007
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes

    GreyGeek commented:
      That's the first thing I always do when setting up FF.

    #3
    Have you actually investigated the physical cache files in your mozilla profile, and researched what they may contain?

    Start with Occam's Razor. First thing to consider is that the cached item is an image or resource someone has linked to that is stored or hosted on a page on UMass Amherst's web servers, and created or shared using MS Sharepoint. Many large organizations and universities use this. Could be faculty or student created web pages, images, and documents. The address you are seeing is a directory, perhaps? Which logically would require a login.

    Take a look at the actual cache files in your profile, you might see which page linked to something on the UMass servers.

    Sometimes it is easy.
    I see a folder for patreon in my cache (created 27 August), and I know I have not visited that website in recent memory.
    However, in this case the full name of the folder makes it a bit obvious what sourced it, once I see the full string.
    https+++www.patreon.com^partitionKey=%28https%2Ckitguru.net%29

    In your case, you might look into the specific files in a text editor and peek at the file contents and see if they give better info, or maybe if there are other directories similar to my example that might provide clues.
    Last edited by claydoh; Sep 04, 2022, 09:53 AM.
    I'll ask Jeeves

    GreyGeek commented:
      Ya, I saw those. The "morgue" folder contains about 100 numbered folders, and those folders contain one or two files each. Some are just html functions and some are binary blobs or base64 files. The biggest one contained a "bootstrapper" header followed by a binary blob. I looked for a login name and password but couldn't find any. Probably encrypted.
      I didn't see anything similar in brave-browser's config files.
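
    Putting the first post's snapshot diff together with claydoh's point about reading the directory name: the script below is an added example (my code, not from anyone in this thread) that parses `btrfs receive --dump` lines, decodes each Firefox `storage/default/` directory name into its origin and, where present, the `partitionKey` top-level site that embedded it, and totals the changed bytes per origin. The dump line format and the origin-name encoding are assumptions based only on the two examples quoted in the thread; the sample listing is constructed (the first line is the one quoted in the first post, the rest use placeholder UUIDs).

```python
"""Triage a `btrfs receive --dump` listing by Firefox storage origin.

Added example for this thread, not code from the posts. It assumes:
  * dump lines have the shape `update_extents <path> offset=<n> len=<n>`
    (as in the line quoted in the first post);
  * Firefox names each storage/default/ directory after the origin, with
    ':' and '/' replaced by '+' (so `https+++host` is `https://host`) and an
    optional `^partitionKey=%28scheme%2Csite%29` suffix naming the top-level
    site the storage is partitioned under, as in claydoh's patreon example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: the first line is the one quoted in the thread, the
# others are made up (placeholder UUIDs) to exercise the grouping.
SAMPLE_DUMP = """\
update_extents ./@202209011901/home/jerry/.mozilla/firefox/kntuu8o2.default-release/storage/default/https+++umass-my.sharepoint.com/cache/morgue/99/{9de0653d-cc4f-4838-9326-52a0c8f2c663}.final offset=0 len=1576
update_extents ./@202209011901/home/jerry/.mozilla/firefox/kntuu8o2.default-release/storage/default/https+++umass-my.sharepoint.com/cache/morgue/12/{00000000-0000-0000-0000-000000000001}.final offset=0 len=4096
update_extents ./@202209011901/home/jerry/.mozilla/firefox/kntuu8o2.default-release/storage/default/https+++www.patreon.com^partitionKey=%28https%2Ckitguru.net%29/cache/morgue/3/{00000000-0000-0000-0000-000000000002}.final offset=0 len=512
update_extents ./@202209011901/home/jerry/Documents/notes.txt offset=0 len=8192
"""

DUMP_LINE = re.compile(r"^update_extents (?P<path>.+) offset=(?P<offset>\d+) len=(?P<len>\d+)$")
ORIGIN_DIR = re.compile(r"/storage/default/(?P<origin>[^/]+)/")


def decode_origin_dir(name):
    """Map a storage/default/ directory name to (origin, partition_site).

    partition_site is None for first-party storage; for partitioned
    (third-party) storage it is the top-level site that embedded the origin.
    """
    base, _, attrs = name.partition("^")
    # Assumed encoding: the first '+++' is '://', any later '+' is the port separator.
    origin = base.replace("+++", "://", 1).replace("+", ":")
    partition_site = None
    for attr in attrs.split("^") if attrs else []:
        key, _, value = attr.partition("=")
        if key == "partitionKey":
            # %28https%2Ckitguru.net%29 decodes to "(https,kitguru.net)"
            scheme, _, site = unquote(value).strip("()").partition(",")
            partition_site = f"{scheme}://{site}"
    return origin, partition_site


def summarize(dump_text):
    """Sum changed extent bytes per (origin, partition_site).

    Paths outside any storage/default/ directory are grouped under
    ("other", None) so nothing in the listing is silently dropped.
    """
    totals = defaultdict(lambda: {"extents": 0, "bytes": 0})
    for line in dump_text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # not an update_extents record (e.g. a header line)
        om = ORIGIN_DIR.search(m["path"])
        key = decode_origin_dir(om["origin"]) if om else ("other", None)
        totals[key]["extents"] += 1
        totals[key]["bytes"] += int(m["len"])
    return dict(totals)


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_DUMP).items(), key=lambda kv: -kv[1]["bytes"])
    for (origin, site), stats in ranked:
        where = f"{origin} (embedded by {site})" if site else origin
        print(f"{stats['bytes']:>8} bytes in {stats['extents']} extents  {where}")
```

    Run it over the 6MB listing with `summarize(open(path).read())`. An origin whose partition site is a page you recognise was pulled in by that page, which is what the patreon example shows by inspection; an origin with no partition site was visited as a first-party page.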

    #4
    Brave and Chrome, et al use different methods of caching data, definitely using different names.

    These folders pertain to the function called "Service Workers" which is a script that executes in the background allowing web pages to provide features like push notifications, background sync, and more.

    What you're seeing is a cache folder for that data. The morgue folders might be data from the browser cache that is still needed for the service worker.

    All of that data is considered part "Offline Website Data". To clear that data, use the Clear History tool, and make sure "Offline Website data" is checkmarked.

    More info about service workers:
    https://developer.mozilla.org/en-US/...I/Using_Service_Workers
    https://developers.google.com/web/fu...ervice-workers
    Absolutely clears nothing up at all

    A neat utility: about:cache in the url bar
    There are GUI cache views as well, if the rabbit holes are calling..........must.....re....sisttt.......
    I'll ask Jeeves
