
Re: [midatlanticretro] Fwd:

  • Dave McGuire
    Message 1 of 17 , May 15, 2013
      On 05/15/2013 01:18 PM, David Riley wrote:
      >> >> Damnit ... this stuff shouldn't happen on Linux.
      >> >
      >> > Bear in mind the aforementioned possibility that someone may have
      >> > just hacked your webmail, if you use webmail. Otherwise, yes, it
      >> > happens on Linux just like it happens on the Mac; as both platforms
      >> > increase their marketshare relative to Windows, they start to become
      >> > more attractive targets to misanthropes. It's still a far less
      >> > frequent occurrence, but it's a non-zero probability now.
      >>
      >> I've never really bought into that argument. It's more a
      >> matter of configuration management and crazy features being added to
      >> mail clients. My network sees *daily* attacks on its outward-facing
      >> machines...that has been the case as long as I can remember. No issues
      >> here.
      >>
      > I was talking more about vulnerabilities in client machines, especially in
      > terms of vulnerable Flash, Java, etc. which are increasingly popular targets
      > for t3h h4x0rz.

      I agree, especially Flash. Java, not so much...but then who runs applets
      anymore anyway. For non-applet-based apps, there really aren't any vectors
      for incursion.

      >> I wonder what actually did happen to Evan's setup.
      >>
      > I've put my two cents in. Web mail hijacking, especially if he uses Gmail as
      > a frontend, seems like a good possibility, but only if he uses web mail as a
      > frontend for his personal mail (which I don't know and am not going to pry).

      Yes, I agree here as well.

      -Dave

      --
      Dave McGuire, AK4HZ
      New Kensington, PA
    • Wesley Furr
      Message 2 of 17 , May 15, 2013
        I would have to disagree...every foggy morning lately there have been
        serious Java flaws revealed...and patches that don't seem to address them
        all. That, coupled with an update process that is far from easy or
        automatic for the average user, and you've got a serious security hole.
        It's bad enough that at work we have stopped automatically installing it on
        new PC's. Sure, most people may not use applets, but that doesn't mean they
        don't have an old version installed in their browser that is riddled with
        security holes, waiting on them to visit the wrong web site...

        Wesley


        -----Original Message-----

        I agree, especially Flash. Java, not so much...but then who runs applets
        anymore anyway. For non-applet-based apps, there really aren't any vectors
        for incursion.
      • Dave McGuire
        Message 3 of 17 , May 15, 2013
          On 05/15/2013 06:59 PM, Wesley Furr wrote:
          > I would have to disagree...every foggy morning lately there have been
          > serious Java flaws revealed...and patches that don't seem to address them
          > all.

          Actual external-access security holes IN THE JVM...the JVM which, by
          the way, doesn't do any network communication unless the program it's
          running opens a socket...seriously?

          > That, coupled with an update process that is far from easy or
          > automatic for the average user, and you've got a serious security hole.

          It amounts to clicking two buttons on any release of Linux less than
          maybe five years old. It even tells you when updates are needed. I
          honestly hope I never meet the dolt for whom this is "far from easy".

          > It's bad enough that at work we have stopped automatically installing it on
          > new PC's. Sure, most people may not use applets, but that doesn't mean they
          > don't have an old version installed in their browser that is riddled with
          > security holes, waiting on them to visit the wrong web site...

          Well I have to agree with you there. But people who manage a
          network-connected system that poorly will get what they've got coming.
          ;) I don't think Evan falls into that category.

          -Dave

          --
          Dave McGuire, AK4HZ
          New Kensington, PA
        • Cory Smelosky
          Message 4 of 17 , May 15, 2013
            On Wed, 15 May 2013, Dave McGuire wrote:

            >
            > On 05/15/2013 06:59 PM, Wesley Furr wrote:
            >> I would have to disagree...every foggy morning lately there have been
            >> serious Java flaws revealed...and patches that don't seem to address them
            >> all.
            >
            > Actual external-access security holes IN THE JVM...the JVM which, by
            > the way, doesn't do any network communication unless the program it's
            > running opens a socket...seriously?
            >
            >> That, coupled with an update process that is far from easy or
            >> automatic for the average user, and you've got a serious security hole.
            >
            > It amounts to clicking two buttons on any release of Linux less than
            > maybe five years old. It even tells you when updates are needed. I
            > honestly hope I never meet the dolt for whom this is "far from easy".
            >
            >> It's bad enough that at work we have stopped automatically installing it on
            >> new PC's. Sure, most people may not use applets, but that doesn't mean they
            >> don't have an old version installed in their browser that is riddled with
            >> security holes, waiting on them to visit the wrong web site...
            >
            > Well I have to agree with you there. But people who manage a
            > network-connected system that poorly will get what they've got coming.
            > ;) I don't think Evan falls into that category.
            >

            I GENERALLY don't fit in to that category.

            I DO use dictionary words or a known-compromised password for systems that
            are local where compromise is unlikely, or I really don't care if people
            get in to them/I want them in to it.

            > -Dave
            >
            > --
            > Dave McGuire, AK4HZ
            > New Kensington, PA

            --
            Cory Smelosky
            http://gewt.net/ Personal stuff
            http://gimme-sympathy.org Experiments
          • B. Degnan
            Message 5 of 17 , May 15, 2013
              Guys please take this thread offline, thanks.

            • Brian Schenkenberger, VAXman-
              Message 6 of 17 , May 15, 2013
                "B. Degnan" <billdeg@...> writes:

                >Guys please take this thread offline, thanks.

                DITTO!

                --
                VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

                Well I speak to machines with the voice of humanity.
              • Wesley Furr
                Message 7 of 17 , May 15, 2013
                  In doing reading about some of the malware that is out there that I've run
                  across (we're talking Windows systems here), it has been noted that several
                  of the serious ones often use Java as an attack vector. I'm honestly not a
                  Java expert...but presumably it summons the java browser plugin and then
                  takes advantage of it that way...and all that takes is to get them to visit
                  a malware-ridden web page.

                  Again, I'm talking about Windows. To update in Windows, you have to
                  actually click the pop-up in the system tray that says "please update
                  me"...and most average users don't pay any attention to things like that.
                  Then after you click on it, you have to say yes, please install the update.
                  Then it disappears for a short time. Then it pops up in the system tray and
                  says "hey, now I'm ready to install that update you just let me download".
                  Then when you click on it (again, if the user does so) it comes up and goes
                  through a typical full install looking process...you know the ones, ok, yes,
                  sure ok, yep, next, yep, ok, whatever...finish. Perhaps easy...but still
                  cumbersome...and far from automatic...which is what it takes for probably
                  90% of the average users out there to actually do an update. Not talking
                  about the knowledgeable folks such as frequent this forum...think about your
                  mother or grandmother for a minute...are they likely to notice and act on
                  that process?

                  Wesley


                  -----Original Message-----

                  Actual external-access security holes IN THE JVM...the JVM which, by the
                  way, doesn't do any network communication unless the program it's running
                  opens a socket...seriously?

                  It amounts to clicking two buttons on any release of Linux less than
                  maybe five years old. It even tells you when updates are needed. I
                  honestly hope I never meet the dolt for whom this is "far from easy".
                • Dave
                  Message 8 of 17 , May 16, 2013
                    On 16/05/2013 02:25, Wesley Furr wrote:
                    > In doing reading about some of the malware that is out there that I've run
                    > across (we're talking Windows systems here), it has been noted that several
                    > of the serious ones often use Java as an attack vector. I'm honestly not a
                    > Java expert...but presumably it summons the java browser plugin and then
                    > takes advantage of it that way...and all that takes is to get them to visit
                    > a malware-ridden web page.
                    >
                    > Again, I'm talking about Windows. To update in Windows, you have to
                    > actually click the pop-up in the system tray that says "please update
                    > me"...and most average users don't pay any attention to things like that.
                    > Then after you click on it, you have to say yes, please install the update.
                    You don't. There are three settings:-

                    1. As you describe
                    2. Download then prompt. This is what I have on mine.
                    3. Download and install. Modern Windows systems set this by default. For
                    most "users" this is sensible. Recent versions set this as a default.

                    However Java has its own updater which has similar options. These days I
                    run with Java disabled in the browser. It doesn't seem to break much...

                    Dave
                    G4UGM