
Re: [midatlanticretro] Fwd:

  • Dave McGuire
    Message 1 of 17 , May 15 11:38 AM
      On 05/15/2013 02:36 PM, Evan Koblentz wrote:
      >>> Bear in mind the aforementioned possibility that someone may have just
      >>> hacked your webmail,
      >
      > I very rarely do webmail. Usually POP3 via Thunderbird-on-Ubuntu and via my
      > BlackBerry. Only webmail I do is once in a while via my (ahem) Degnanco
      > account.

      So did someone grab your password? What actually happened, any idea? The
      chances of that being a virus are pretty close to zero.

      -Dave

      --
      Dave McGuire, AK4HZ
      New Kensington, PA
    • Dave McGuire
      Message 2 of 17 , May 15 11:40 AM
        On 05/15/2013 01:18 PM, David Riley wrote:
        >> >> Damnit ... this stuff shouldn't happen on Linux.
        >> >
        >> > Bear in mind the aforementioned possibility that someone may have
        >> > just hacked your webmail, if you use webmail. Otherwise, yes, it
        >> > happens on Linux just like it happens on the Mac; as both platforms
        >> > increase their marketshare relative to Windows, they start to become
        >> > more attractive targets to misanthropes. It's still a far less
        >> > frequent occurrence, but it's a non-zero probability now.
        >>
        >> I've never really bought into that argument. It's more a
        >> matter of configuration management and crazy features being added to
        >> mail clients. My network sees *daily* attacks on its outward-facing
        >> machines...that has been the case as long as I can remember. No issues
        >> here.
        >>
        > I was talking more about vulnerabilities in client machines, especially in
        > terms of vulnerable Flash, Java, etc. which are increasingly popular targets
        > for t3h h4x0rz.

        I agree, especially Flash. Java, not so much...but then who runs applets
        anymore anyway. For non-applet-based apps, there really aren't any vectors
        for incursion.

        >> I wonder what actually did happen to Evan's setup.
        >>
        > I've put my two cents in. Web mail hijacking, especially if he uses Gmail as
        > a frontend, seems like a good possibility, but only if he uses web mail as a
        > frontend for his personal mail (which I don't know and am not going to pry).

        Yes, I agree here as well.

        -Dave

        --
        Dave McGuire, AK4HZ
        New Kensington, PA
      • Wesley Furr
        Message 3 of 17 , May 15 3:59 PM
          I would have to disagree...every foggy morning lately there have been
          serious Java flaws revealed...and patches that don't seem to address them
          all. That, coupled with an update process that is far from easy or
          automatic for the average user, and you've got a serious security hole.
          It's bad enough that at work we have stopped automatically installing it on
          new PC's. Sure, most people may not use applets, but that doesn't mean they
          don't have an old version installed in their browser that is riddled with
          security holes, waiting on them to visit the wrong web site...

          Wesley


          -----Original Message-----

          I agree, especially Flash. Java, not so much...but then who runs applets
          anymore anyway. For non-applet-based apps, there really aren't any vectors
          for incursion.
        • Dave McGuire
          Message 4 of 17 , May 15 4:28 PM
            On 05/15/2013 06:59 PM, Wesley Furr wrote:
            > I would have to disagree...every foggy morning lately there have been
            > serious Java flaws revealed...and patches that don't seem to address them
            > all.

            Actual external-access security holes IN THE JVM...the JVM which, by
            the way, doesn't do any network communication unless the program it's
            running opens a socket...seriously?

            > That, coupled with an update process that is far from easy or
            > automatic for the average user, and you've got a serious security hole.

            It amounts to clicking two buttons on any release of Linux less than
            maybe five years old. It even tells you when updates are needed. I
            honestly hope I never meet the dolt for whom this is "far from easy".

            > It's bad enough that at work we have stopped automatically installing it on
            > new PC's. Sure, most people may not use applets, but that doesn't mean they
            > don't have an old version installed in their browser that is riddled with
            > security holes, waiting on them to visit the wrong web site...

            Well I have to agree with you there. But people who manage a
            network-connected system that poorly will get what they've got coming.
            ;) I don't think Evan falls into that category.

            -Dave

            --
            Dave McGuire, AK4HZ
            New Kensington, PA
          • Cory Smelosky
            Message 5 of 17 , May 15 4:37 PM
              On Wed, 15 May 2013, Dave McGuire wrote:

              >
              > On 05/15/2013 06:59 PM, Wesley Furr wrote:
              >> I would have to disagree...every foggy morning lately there have been
              >> serious Java flaws revealed...and patches that don't seem to address them
              >> all.
              >
              > Actual external-access security holes IN THE JVM...the JVM which, by
              > the way, doesn't do any network communication unless the program it's
              > running opens a socket...seriously?
              >
              >> That, coupled with an update process that is far from easy or
              >> automatic for the average user, and you've got a serious security hole.
              >
              > It amounts to clicking two buttons on any release of Linux less than
              > maybe five years old. It even tells you when updates are needed. I
              > honestly hope I never meet the dolt for whom this is "far from easy".
              >
              >> It's bad enough that at work we have stopped automatically installing it on
              >> new PC's. Sure, most people may not use applets, but that doesn't mean they
              >> don't have an old version installed in their browser that is riddled with
              >> security holes, waiting on them to visit the wrong web site...
              >
              > Well I have to agree with you there. But people who manage a
              > network-connected system that poorly will get what they've got coming.
              > ;) I don't think Evan falls into that category.
              >

              I GENERALLY don't fit in to that category.

              I DO use dictionary words or a known-compromised password for systems that
              are local where compromise is unlikely, or I really don't care if people
              get in to them/I want them in to it.

              > -Dave
              >
              > --
              > Dave McGuire, AK4HZ
              > New Kensington, PA

              --
              Cory Smelosky
              http://gewt.net/ Personal stuff
              http://gimme-sympathy.org Experiments
            • B. Degnan
              Message 6 of 17 , May 15 5:20 PM
                Guys please take this thread offline, thanks.

                -------- Original Message --------
                > From: "Cory Smelosky" <b4@...>
                > Sent: Wednesday, May 15, 2013 8:07 PM
                > To: "Dave McGuire" <Mcguire@...>
                > Subject: Re: [midatlanticretro] Fwd:
                >
                > On Wed, 15 May 2013, Dave McGuire wrote:
                >
                > >
                > > On 05/15/2013 06:59 PM, Wesley Furr wrote:
                > >> I would have to disagree...every foggy morning lately there have been
                > >> serious Java flaws revealed...and patches that don't seem to address them
                > >> all.
                > >
                > > Actual external-access security holes IN THE JVM...the JVM which, by
                > > the way, doesn't do any network communication unless the program it's
                > > running opens a socket...seriously?
                > >
                > >> That, coupled with an update process that is far from easy or
                > >> automatic for the average user, and you've got a serious security hole.
                > >
                > > It amounts to clicking two buttons on any release of Linux less than
                > > maybe five years old. It even tells you when updates are needed. I
                > > honestly hope I never meet the dolt for whom this is "far from easy".
                > >
                > >> It's bad enough that at work we have stopped automatically installing it on
                > >> new PC's. Sure, most people may not use applets, but that doesn't mean they
                > >> don't have an old version installed in their browser that is riddled with
                > >> security holes, waiting on them to visit the wrong web site...
                > >
                > > Well I have to agree with you there. But people who manage a
                > > network-connected system that poorly will get what they've got coming.
                > > ;) I don't think Evan falls into that category.
                > >
                >
                > I GENERALLY don't fit in to that category.
                >
                > I DO use dictionary words or a known-compromised password for systems that
                > are local where compromise is unlikely, or I really don't care if people
                > get in to them/I want them in to it.
                >
                > > -Dave
                > >
                > > --
                > > Dave McGuire, AK4HZ
                > > New Kensington, PA
                >
                > --
                > Cory Smelosky
                > http://gewt.net/ Personal stuff
                > http://gimme-sympathy.org Experiments
              • Brian Schenkenberger, VAXman-
                Message 7 of 17 , May 15 5:25 PM
                  "B. Degnan" <billdeg@...> writes:

                  >Guys please take this thread offline, thanks.

                  DITTO!

                  --
                  VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

                  Well I speak to machines with the voice of humanity.
                • Wesley Furr
                  Message 8 of 17 , May 15 6:25 PM
                    In doing reading about some of the malware that is out there that I've run
                    across (we're talking Windows systems here), it has been noted that several
                    of the serious ones often use Java as an attack vector. I'm honestly not a
                    Java expert...but presumably it summons the Java browser plugin and then
                    takes advantage of it that way...and all that takes is to get them to visit
                    a malware-ridden web page.

                    Again, I'm talking about Windows. To update in Windows, you have to
                    actually click the pop-up in the system tray that says "please update
                    me"...and most average users don't pay any attention to things like that.
                    Then after you click on it, you have to say yes, please install the update.
                    Then it disappears for a short time. Then it pops up in the system tray and
                    says "hey, now I'm ready to install that update you just let me download".
                    Then when you click on it (again, if the user does so) it comes up and goes
                    through a typical full install looking process...you know the ones, ok, yes,
                    sure ok, yep, next, yep, ok, whatever...finish. Perhaps easy...but still
                    cumbersome...and far from automatic...which is what it takes for probably
                    90% of the average users out there to actually do an update. Not talking
                    about the knowledgeable folks such as frequent this forum...think about your
                    mother or grandmother for a minute...are they likely to notice and act on
                    that process?

                    Wesley


                    -----Original Message-----

                    Actual external-access security holes IN THE JVM...the JVM which, by the
                    way, doesn't do any network communication unless the program it's running
                    opens a socket...seriously?

                    It amounts to clicking two buttons on any release of Linux less than
                    maybe five years old. It even tells you when updates are needed. I
                    honestly hope I never meet the dolt for whom this is "far from easy".
                  • Dave
                    Message 9 of 17 , May 16 9:09 AM
                      On 16/05/2013 02:25, Wesley Furr wrote:
                      > In doing reading about some of the malware that is out there that I've run
                      > across (we're talking Windows systems here), it has been noted that several
                      > of the serious ones often use Java as an attack vector. I'm honestly not a
                      > Java expert...but presumably it summons the Java browser plugin and then
                      > takes advantage of it that way...and all that takes is to get them to visit
                      > a malware-ridden web page.
                      >
                      > Again, I'm talking about Windows. To update in Windows, you have to
                      > actually click the pop-up in the system tray that says "please update
                      > me"...and most average users don't pay any attention to things like that.
                      > Then after you click on it, you have to say yes, please install the update.
                      You don't. There are three settings:-

                      1. As you describe
                      2. Download then prompt. This is what I have on mine.
                      3. Download and install. Modern Windows systems set this by default. For
                      most "users" this is sensible. Recent versions set this as a default.

                      However Java has its own updater which has similar options. These days I
                      run with Java disabled in the browser. It doesn't seem to break much...

                      Dave
                      G4UGM