How do you expect to "fix" HTML to provide advanced features after we've gotten rid of javascript, Flash, and Silverlight? And what does CSS have to do with reading your history and scanning your ports?
1 out of 5 websites was right, and honestly John Edward would have gotten at least 2 right, and that includes the google that the site actually got right.
Question: What is your process to determine that every computer you've ever owned has never been compromised by malware? Are you doing some kind of checksum on system function and monitoring each inbound and outbound network packet? Not all malware generates a big red flashing skull on your screen. The malware that operates quietly and gives no indication you have a problem is the stuff you need to worry about. Malware frequently actively attacks anti-virus software on top of this, leading to an increa
Well if net neutrality doesn't get passed, that is our future. I know the RIAA would love to waterboard some people. And since when did advertisers not pwn machines? Cough google cough
cough microsoft cough.
Or did you mean someone like Procter and Gamble?
All your post tells me is that you never caught Vundo on your computer. Your attitude toward bored Russian malware writers drastically changes. The first time you get it, it's as painful as a digital kidney stone -- and someone, somewhere is making money from your suffering.
Cleaned up Vundo many times at work. Yes it can be tricky, but I still maintain that it is not worth murdering someone over. I don't have any love for malware writers, but I do have lots of love for the punishment fitting the crime, and tons of love for not having stupid knee-jerk overreactions to things.
I suppose where you work, wasting two people's entire mornings every time someone reads the news without updating their Java version is not considered "painful".
Their idea of an offer you can't refuse is an offer... and you'd better not refuse.
Should Be Shot (Score:3, Insightful)
Malware and Virus authors should be lined up against a wall and shot. They are cancers and need to be irradiated.
Re: (Score:2)
I mean eradicated...although irradiated would probably work well too.
Re:lol (Score:4, Funny)
screwed up...what can I say?
Re: (Score:2, Informative)
FWIW, I prefer "irradiated". That would kill them AND the cooties they carry.
Re: (Score:3, Insightful)
What we -should- do is focus on things that we can actually benefit from. Instead of mass-murder, why not fix the internet by fixing javascript (i.e. dis, fucking, allow, whitelist basis only), fixing flash (bye), fixing CSS (stop reading my history and stop scanning my ports!) and fixing HTML so we don't need to rely on stupid things (flash, silverlight, the thing Google made) to make browsing an enjoyable experience.
I can deliver you a browser that is virtually unexploitable. Firefox running with NoScript,
Re: (Score:1)
Re: (Score:1)
Everything. I'll just throw a couple of links at you and then you can go be scared.
http://ha.ckers.org/weird/javascriptless-port-scanning.cgi, http://ha.ckers.org/weird/CSS-history.cgi.
I suggest that if you want to be up to date with the web app security world, you should keep reading blogs of security researchers, and perhaps security research-related fora (like sla.ckers.org).
As for your first question, I suggest you read the HTML 6 specs that have been presented. Also, remember that a browser is just a t
Re: (Score:3, Informative)
I'll just throw a couple of links at you and then you can go be scared.
http://ha.ckers.org/weird/javascriptless-port-scanning.cgi, http://ha.ckers.org/weird/CSS-history.cgi.
Well, I just visited both of your links, and am unimpressed and unscared.
The CSS history one gave a very short list of what looked like guessed web sites which were mostly wrong (hint: I never visit msn or ebay or myspace, and it's months since I visited yahoo). It looked like blind guesswork, as the list had google, but not slashdot, for instance. Clicking through to see what information they claim to have logged, I encountered an empty list, not even the bogus guesses of wrong web sites that were on th
Re: (Score:2)
Re: (Score:3, Informative)
That list is the sites being tested; if it can detect any of them in your history, it shows red text in a box next to that item. The exploit can only check a specific list of items. The problem is a UI/implementation one, not a problem with the concept.
Re: (Score:2)
That list is the sites being tested; if it can detect any of them in your history, it shows red text in a box next to that item.
Perhaps you should check your code again.
It showed the red "visited" text in a box beside all of the incorrect IP addresses and the 127.0.0.1:8080 combination. I reiterate that my LAN is not on 192.168.0.* or 192.168.1.*, but the page claims that I visited addresses 192.168.0.1, 192.168.0.2, 192.168.1.1 and 192.168.1.2, which is clearly impossible. In fact, it does that even when I use a PC which is directly connected to a public IP, and not on our home LAN.
FYI we have 8 fiber ports at home, each with a publ
Re: (Score:2)
It isn't my code.
When I visited it, it correctly showed that I hadn't visited any of those IP addresses. The other page correctly identified which sites I had visited, even after clearing my history and after re-visiting them.
Re: (Score:2)
Neither of those links provided any kind of accurate information. Very non-scary, I have to say.
Re: (Score:2)
Re: (Score:3)
The reason this will never happen (and it should) is because we have art students, not engineers, designing our websites, and thus calling the shots.
Some parts of computing should just not be done by non-technical users; designing secure systems is one of them.
Re: (Score:3, Interesting)
Okay, only a Professional Software Engineer can design webpages or write code. In BC, that's an actual discipline for Engineers. (I'm Electrical myself; one of my friends has her P.Eng in Software, and my alma mater was one of the first to offer it.)
See how that works?
The real problem is really your attitude, not the fact that "artsy-fartsies" are writing webpages in Dreamweaver. We can talk about the relative merits and security of Windows / OS ? / Lunix all day (which, really, is what /. is all about) but
Re: (Score:2)
I'm not really sure what you are running off about, but I'm fairly sure that at least a fair chunk of it is unrelated to my post which you are responding to...
I was simply indicating that getting rid of plugins like flash, locking down javascript, and in general getting the separation of data and executable code right is never going to happen because the people who are currently calling the shots and driving the market either do not understand computer security, or do not make it a priority.
In my opinion, t
Re: (Score:2)
"We're outgunned and outnumbered."
Because of that, I can see a future where active monitoring/detection of system changes is going to become more important. Maybe even services that either log into your machine and look at file size, diff, etc. or actually make requests of your website, mimicking every possible thing a user could do, and look for unintended outcomes (file automatically downloading, for instance.)
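The kind of change monitoring the comment above imagines, written out as an added example (not code from this thread or from any product it mentions): take a baseline manifest of file sizes and SHA-256 hashes for a directory tree, then diff a later snapshot against it to flag added, removed and modified files. The web root and file names in the demo are constructed; the hash catches edits that keep the size unchanged, which a size-only check would miss.

```python
"""Minimal file-integrity monitor: snapshot a directory tree, then diff a later
snapshot against the baseline to report added, removed and modified files."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file (path relative to root) to (size, SHA-256 hex digest)."""
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # only regular files; symlink targets are not followed
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[str(path.relative_to(root))] = (path.stat().st_size, digest.hexdigest())
    return manifest


def diff_snapshots(baseline, current):
    """Return {'added', 'removed', 'modified'} as sorted lists of relative paths.
    A file is 'modified' when its size or hash differs from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a small web root, then a same-size edit, a new file
    and a deletion between the baseline and the second snapshot."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.html").write_bytes(b"<html>hello</html>\n")
        (Path(root) / "app.js").write_bytes(b"var x = 1;\n")
        (Path(root) / "old.txt").write_bytes(b"obsolete\n")
        baseline = snapshot(root)
        # Same-size edit: only the hash reveals it.
        (Path(root) / "app.js").write_bytes(b"var x = 2;\n")
        # Unexpected new file and a deleted one (names are constructed).
        (Path(root) / "unexpected.bin").write_bytes(b"\x00\x01\x02\x03")
        (Path(root) / "old.txt").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```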
Re: (Score:2, Insightful)
If those non-technical users are able to create security holes, then that's the engineer's fault.
Re: (Score:3, Insightful)
I'm not saying that nontechnical users create security flaws, I'm saying that they demand features that cause security flaws, and the engineers that know better are not in positions to deny them the features. If a highly paid media PHB demands that the website for [NEW HIT MOVIE] be made entirely with flash, a lowly engineer pointing out that flash is insecure is not going to get anywhere.
Re: (Score:2)
You are only "pretty sure" that there is "an" artist "somewhere" that can spell better than me? Well hell, I don't doubt it at all! In fact, I would be terribly surprised if I was a better speller than every single artist on the planet. I could even take your uncertainty as a compliment!
You are rather god-awful at this criticizing thing aren't you? You should work on your spelling nazi trolls some more if you want anyone around here to take you seriously...
Re: (Score:1)
Honestly, just making javascript operate on a whitelist basis only would reduce online malware attacks by about 99.5%
I realize that I am far from an average user, but I have been using computers for 30 years (the last 15 using Windows) and have never gotten a virus, worm, or any other form of malware on a single computer I have ever owned despite not really using AV software, always logging in as admin, and spending an inordinate amount of time acquiring software on 119th St.
I don't deny that these things exist but obviously the user is the weakest link as everything you have said is already available to any user who know
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
You are well informed and protected, but even plain CSS is an attack vector. Yes, to be safe, you need to disable CSS http://search.slashdot.org/comments.pl?sid=1537058&cid=31023480. Also, extensions like LocalRodeo, SafeHistory and SafeCache might be worthy add-ons to your arsenal. Although some of those extensions might be deprecated/unusable in the latest version of Firefox/Iceweasel (even with Nightly Tester Tools).
Re: (Score:1)
So - I'm sitting here, reading about this newest manifestation of exploitable exploits, and wondering: "how does all this affect Debian?"
Then you offer up some solutions that would actually start to FIX THE PROBLEMS.
No script - check.
Adblock plus - check.
Turn off Flash - check.
Ditch silverlight/moonlight - check.
Disable Java - check.
What's left? Oh yeah - don't click on obvious bogus links, and don't agree to download a virus scanner. Like, I really need one on Debian.
What does that leave? Hmmmm. A damn good firewall - check. Firestarter may not be the best, but it hasn't failed me yet!
Has anyone mentioned in this thread yet, that security is not a product - instead it is an ongoing process? I guess I just did.
Houston, all systems are go. May we have clearance for lift off?
I have a better solution: turn off your wifi or unplug that Cat 5 cable. You see, if you kill off all ads you have no way for anyone to make money and, guess what, there will be no internet because someone has to pay for it. So please do that. I call that leeching.
Re: (Score:2)
You might call it marching to the beat of a different drum, rather than leeching.
Have you not been paying attention? Those advertisements are a vector with which to bypass security measures. Pay for the internet? DUHHH - my DSL is paid for. $79/month. What exactly am I helping anyone to pay for, if I permit advertisers to pwn my machines?
Maybe you're suggesting that I've done something immoral every time in my life that I've NOT WATCHED a commercial on television? Hmmm. There should be a law, huh? G
Re: (Score:1)
Re: (Score:1)
Firefox running with NoScript
Just to whinge for a moment, Firefox+NoScript really get on my tits. Seems like it wants to add a new update to one or the other every bloody day.
Re: (Score:2, Informative)
Covered in the Q&A on NoScript's page: http://noscript.net/faq#qa2_6.
The answer Maone gives is detailed, and contains a few "fixes" for your on-your-tit-getting.
Re: (Score:1, Offtopic)
Re: (Score:2)
I also say execution for jaywalking, littering, and spitting in public.
Re: (Score:2)
Are you sure it's an over reaction?
Re: (Score:1, Troll)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
After what I went through, in those early days, oh boy... when I find the bastard who wrote Vundo, I will kill him with my bare hands. He can think the awesome things he bought with what little money he made as the light fades from his eyes and his soul is slowly gripped by the eternal horrors of Hell. Will you then consider jailtime too severe a p
Re: (Score:2)
Only if the malware directly caused loss of life, or raped some kids or something, would I even consider such a punishment fair.
No, messing up your PC, making your admin job harder, or even stealing your identity and buying a mansion in your name should not be a capital crime.
Re: (Score:2)
Stealing my identity and buying a mansion... thus ruining my life into permanent bankruptcy as well as my family... yeah, you can go and have that done to you while the identity thief gets a slap on the wrist. For ruining my entire family's lives, I'd sure as hell want to see them executed.
It gives you a few rather hard years while you prove to everyone involved it wasn't you who purchased the mansion, but I doubt it ruins your life. 15-20 years in prison should be enough to pay for that.
Re: (Score:2)
I'm sure many of Madoff's investors would disagree.
While my original comment was somewhat tongue-in-cheek I think this game between the virus writers and anti-virus writers is far more serious than most people realize.
Having your identity stolen and your credit rating ruined can be a life changing event. Lawsuits and even jail time for you are possibilities.
These days, having your computer hacked into, damaged, or data deleted can be the equivalent of someone breaking into your home and destroying things