OT: Evan's Security or Lack thereof

  • B. Degnan
    Message 1 of 5 , May 15 12:14 PM
      > >>
      > > I was talking more about vulnerabilities in client machines, especially in
      > > terms of vulnerable Flash, Java, etc. which are increasingly popular targets
      > > for t3h h4x0rz.
      >
      > I agree, especially Flash. Java, not so much...but then who runs applets
      > anymore anyway. For non-applet-based apps, there really aren't any vectors
      > for incursion.
      >
      > >> I wonder what actually did happen to Evan's setup.
      > >>
      > > I've put my two cents in. Web mail hijacking, especially if he uses Gmail as
      > > a frontend, seems like a good possibility, but only if he uses web mail as a
      > > frontend for his personal mail (which I don't know and am not going to pry).
      >
      > Yes, I agree here as well.
      >

      I don't agree. Java is very vulnerable, esp if you have not updated this
      year. Cell phone tethering as mentioned in my earlier email is also a
      problem if you're near NYC and you have not updated your password from the
      original one provided by the cell phone company. It's soooo easy to hack a
      cell phone because no one protects them.

      The Free BSD that is the underlying ISP of Evan's email (degnanco.net) has
      no viruses or security issues per scans and logs.

      Bill
    • Dave McGuire
      Message 2 of 5 , May 15 12:21 PM
        On 05/15/2013 03:14 PM, B. Degnan wrote:
        >>>> I wonder what actually did happen to Evan's setup.
        >>>>
        >>> I've put my two cents in. Web mail hijacking, especially if he uses Gmail as
        >>> a frontend, seems like a good possibility, but only if he uses web mail as a
        >>> frontend for his personal mail (which I don't know and am not going to pry).
        >>
        >> Yes, I agree here as well.
        >
        > I don't agree. Java is very vulnerable, esp if you have not updated this
        > year.

        Java, meaning a JVM-based application running on the machine, or a
        Java Applet running in a web browser? If you mean the latter, yes, most
        definitely, but nobody does that anymore. The former, no...if that's
        what you mean, please provide references.

        Java in that latter context is simply a language (as you know), and
        in that language, it's possible for n00bs to write bad code with
        vulnerabilities, just like any other language. But the language
        *itself* is not the problem, nor is the JVM. (for JVMs released in the
        last decade, at least!)

        > Cell phone tethering as mentioned in my earlier email is also a
        > problem if you're near NYC and you have not updated your password from the
        > original one provided by the cell phone company. It's soooo easy to hack a
        > cell phone because no one protects them.

        Your story about Penn Station in your last post totally blew my mind.

        > The Free BSD that is the underlying ISP of Evan's email (degnanco.net) has
        > no viruses or security issues per scans and logs.

        Excellent.

        -Dave

        --
        Dave McGuire, AK4HZ
        New Kensington, PA
      • Cory Smelosky
        Message 3 of 5 , May 15 12:29 PM
          On 15 May 2013, at 15:21, "Dave McGuire" <Mcguire@...> wrote:

          >
          > On 05/15/2013 03:14 PM, B. Degnan wrote:
          >>>>> I wonder what actually did happen to Evan's setup.
          >>>>>
          >>>> I've put my two cents in. Web mail hijacking, especially if he uses Gmail as
          >>>> a frontend, seems like a good possibility, but only if he uses web mail as a
          >>>> frontend for his personal mail (which I don't know and am not going to pry).
          >>>
          >>> Yes, I agree here as well.
          >>
          >> I don't agree. Java is very vulnerable, esp if you have not updated this
          >> year.
          >
          > Java, meaning a JVM-based application running on the machine, or a
          > Java Applet running in a web browser? If you mean the latter, yes, most
          > definitely, but nobody does that anymore. The former, no...if that's
          > what you mean, please provide references.

          I think he's referring to the recent slew of Java exploits. Those were in the JVM itself though, iirc.

          >
          > Java in that latter context is simply a language (as you know), and
          > in that language, it's possible for n00bs to write bad code with
          > vulnerabilities, just like any other language. But the language
          > *itself* is not the problem, nor is the JVM. (for JVMs released in the
          > last decade, at least!)

          Correct. The language itself is not the problem. I do however remember there being quite a few Java exploits in either the JVM or the browser plugin recently.

          I still try to avoid Java though. ;)

          >
          >> Cell phone tethering as mentioned in my earlier email is also a
          >> problem if you're near NYC and you have not updated your password from the
          >> original one provided by the cell phone company. It's soooo easy to hack a
          >> cell phone because no one protects them.
          >
          > Your story about Penn Station in your last post totally blew my mind.
          >
          >> The Free BSD that is the underlying ISP of Evan's email (degnanco.net) has
          >> no viruses or security issues per scans and logs.
          >
          > Excellent.
          >
          > -Dave
          >
          > --
          > Dave McGuire, AK4HZ
          > New Kensington, PA
        • David Riley
          Message 4 of 5 , May 15 12:34 PM
            On May 15, 2013, at 3:21 PM, Dave McGuire <Mcguire@...> wrote:

            > On 05/15/2013 03:14 PM, B. Degnan wrote:
            > >>>> I wonder what actually did happen to Evan's setup.
            > >>>>
            > >>> I've put my two cents in. Web mail hijacking, especially if he uses Gmail as
            > >>> a frontend, seems like a good possibility, but only if he uses web mail as a
            > >>> frontend for his personal mail (which I don't know and am not going to pry).
            > >>
            > >> Yes, I agree here as well.
            > >
            > > I don't agree. Java is very vulnerable, esp if you have not updated this
            > > year.
            >
            > Java, meaning a JVM-based application running on the machine, or a
            > Java Applet running in a web browser? If you mean the latter, yes, most
            > definitely, but nobody does that anymore. The former, no...if that's
            > what you mean, please provide references.

            Almost no one does that INTENTIONALLY. There are plenty of rogue Java applets lurking in IFRAMEs in poorly-sanitized advertisement blocks all over the web (even on "nice" sites, never mind the others), just waiting for someone to drive by with a vulnerable Java distribution. Happens all the damn time, which is why Apple took the (sort of) drastic step of disabling the JVM by default if you haven't run any Java in the last... month? 90 days? Something like that.

            If you're the sort of person who DOES use Java applets regularly (I am, largely because we use GoToMeeting every week at work), then you can't have it disabled by default.

            > Java in that latter context is simply a language (as you know), and
            > in that language, it's possible for n00bs to write bad code with
            > vulnerabilities, just like any other language. But the language
            > *itself* is not the problem, nor is the JVM. (for JVMs released in the
            > last decade, at least!)

            Actually, vulnerable JVMs have been the vector for the more infamous recent Mac malware outbreaks (comparatively small ones to the typical Windows ones, but certainly large enough to attract notice). I wouldn't be surprised if there was an exploitable one distributed to Linux users in the recent past, in which case it's totally fair game. Small attack surface area, though, with generally a somewhat less credulous audience, so I'd be surprised if anyone actually took the time to write a Java exploit for Linux users to suck up their Thunderbird address book. But it could happen.

            > > Cell phone tethering as mentioned in my earlier email is also a
            > > problem if you're near NYC and you have not updated your password from the
            > > original one provided by the cell phone company. It's soooo easy to hack a
            > > cell phone because no one protects them.
            >
            > Your story about Penn Station in your last post totally blew my mind.

            Yeah, that's pretty crazy. I'd be surprised if people were doing that and then selling the address book data, but I wouldn't call it impossible. If you got paid (let's say) a dime an address, that's basically $100 per phone these days.


            - Dave
          • B. Degnan
            Message 5 of 5 , May 15 1:08 PM
              Guys - let's take this off line, not on topic for vintage computing.
              Interesting topic nonetheless. The java problem is with the JDK version
              you download for running java on web pages, and coldfusion, etc. (the one
              that tries to get the ASK tool bar installed along with the update)....
              Oracle issued a fix a few months ago, and a few updates have trickled in
              over the following months. It was pretty scary, in January there were a
              few days when no fix was available.

              http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

              Bill
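Bill's last post points at Oracle's alert for CVE-2013-0422 and at the real exposure in this thread: a Java runtime that has not been updated. As an added example that is not part of this thread, the following Python triage routine parses constructed `java -version` output collected from a set of hosts and flags installs still below the update level that carried the fix. The host names, the version strings and the threshold (the example assumes Java SE 7 Update 11 is the first release carrying the CVE-2013-0422 fix, and that earlier majors are simply "not covered" by this one check) are assumptions of the example, not data from the thread.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample output of `java -version` from several hosts (not real inventory data).
SAMPLE_VERSION_OUTPUT: Dict[str, str] = {
    "host-a": 'java version "1.7.0_09"\nJava(TM) SE Runtime Environment (build 1.7.0_09-b05)\n',
    "host-b": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)\n',
    "host-c": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)\n',
    "host-d": "bash: java: command not found\n",
}

# Assumption of this example: per major version, the first update level that carries the
# fix for CVE-2013-0422 (Java SE 7 Update 11). Majors absent from the table are reported as
# "not-covered" rather than silently passed, so an old Java 6 is still visible in the report.
MIN_FIXED_UPDATE: Dict[int, int] = {7: 11}

# Matches the legacy "1.<major>.0_<update>" form printed by Java 5 through 8.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.0_(\d+)"')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) parsed from `java -version` output, or None if no JRE was found."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: Tuple[int, int]) -> Optional[bool]:
    """True if below the fixed update, False if at or above it, None if this major is not in the table."""
    major, update = version
    fixed = MIN_FIXED_UPDATE.get(major)
    if fixed is None:
        return None
    return update < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as no-java, update-needed, not-covered, or ok."""
    report: Dict[str, str] = {}
    for host, output in inventory.items():
        version = parse_java_version(output)
        if version is None:
            report[host] = "no-java"
            continue
        label = f"{version[0]}u{version[1]}"
        verdict = is_vulnerable(version)
        if verdict is None:
            report[host] = f"not-covered ({label})"
        elif verdict:
            report[host] = f"update-needed ({label})"
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    for host, status in triage(SAMPLE_VERSION_OUTPUT).items():
        print(f"{host}: {status}")
```

In practice the inventory dict would be filled from whatever collects `java -version` across the fleet; the parser only needs the first line of that output, and a host with no JRE at all is reported rather than skipped so the absence is recorded too.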