Re: [midatlanticretro] OT: Evan's Security or Lack thereof
- On May 15, 2013, at 3:21 PM, Dave McGuire <Mcguire@...> wrote:
> On 05/15/2013 03:14 PM, B. Degnan wrote:
> >>>> I wonder what actually did happen to Evan's setup.
> >>> I've put my two cents in. Web mail hijacking, especially if he uses Gmail as
> >>> a frontend, seems like a good possibility, but only if he uses web mail as a
> >>> frontend for his personal mail (which I don't know and am not going to pry).
> >> Yes, I agree here as well.
> > I don't agree. Java is very vulnerable, especially if you have not updated this
> > year.
> Java, meaning a JVM-based application running on the machine, or a
> Java applet running in a web browser? If you mean the latter, yes, most
> definitely, but nobody does that anymore. The former, no... if that's
> what you mean, please provide references.

Almost no one does that INTENTIONALLY. There are plenty of rogue Java applets lurking in IFRAMEs in poorly-sanitized advertisement blocks all over the web (even on "nice" sites, never mind the others), just waiting for someone to drive by with a vulnerable Java distribution. Happens all the damn time, which is why Apple took the (sort of) drastic step of disabling the JVM by default if you haven't run any Java in the last... month? 90 days? Something like that.

If you're the sort of person who DOES use Java applets regularly (I am, largely because we use GoToMeeting every week at work), then you can't have it disabled by default.

> Java in that latter context is simply a language (as you know), and
> in that language, it's possible for n00bs to write bad code with
> vulnerabilities, just like any other language. But the language
> *itself* is not the problem, nor is the JVM. (for JVMs released in the
> last decade, at least!)

Actually, vulnerable JVMs have been the vector for the more infamous recent Mac malware outbreaks (comparatively small ones next to the typical Windows ones, but certainly large enough to attract notice). I wouldn't be surprised if there was an exploitable one distributed to Linux users in the recent past, in which case it's totally fair game. Small attack surface, though, with a generally somewhat less credulous audience, so I'd be surprised if anyone actually took the time to write a Java exploit for Linux users to suck up their Thunderbird address book. But it could happen.

> > Cell phone tethering as mentioned in my earlier email is also a
> > problem if you're near NYC and you have not updated your password from the
> > original one provided by the cell phone company. It's soooo easy to hack a
> > cell phone because no one protects them.
> Your story about Penn Station in your last post totally blew my mind.

Yeah, that's pretty crazy. I'd be surprised if people were doing that and then selling the address book data, but I wouldn't call it impossible. If you got paid (let's say) a dime an address, that's basically $100 per phone these days.
- Guys - let's take this offline, not on topic for vintage computing.
Interesting topic nonetheless. The Java problem is with the JDK version
you download for running Java on web pages, ColdFusion, etc. (the one
that tries to get the Ask toolbar installed along with the update)....
Oracle issued a fix a few months ago, and a few updates have trickled in
over the following months. It was pretty scary; in January there were a
few days when no fix was available.
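Both messages above turn on the same practical question: is the Java runtime on the machine older than the level Oracle shipped the fix in? The thread never names a version number, so the following POSIX shell check is an added example written for this page, not code from any participant. It parses the banner line printed by `java -version`, and compares it against a minimum update level that is an assumed placeholder (7 update 21) rather than a figure taken from the thread; the banner lines it runs on by default are constructed samples. It goes one step beyond the 2013 discussion by also accepting the dotted `11.0.2` style that Java 9 and later use, since a reader today will meet both schemes.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the installed Java
# runtime is below an assumed minimum update level.

# Pull "1.7.0_09" out of a banner line such as:  java version "1.7.0_09"
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Normalise the two banner styles Java has used into "<major> <update>":
#   1.7.0_09  -> "7 9"    (legacy 1.x.y_UU numbering, as in 2013)
#   11.0.2    -> "11 2"   (dotted scheme used from Java 9 onwards)
java_major_update() {
    ver="$1"
    first=$(printf '%s' "$ver" | cut -d. -f1)
    if [ "$first" = "1" ]; then
        major=$(printf '%s' "$ver" | cut -d. -f2)
        # third field looks like "0_09"; keep the digits after the underscore
        update=$(printf '%s' "$ver" | cut -s -d. -f3 | sed -n 's/^[0-9]*_\([0-9]*\).*/\1/p')
    else
        major="$first"
        # third field is the patch number; drop any "+build" or "-suffix"
        update=$(printf '%s' "$ver" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    fi
    # strip leading zeros so "09" is not read as octal by $(( )), default to 0
    update=$(printf '%s' "${update:-0}" | sed 's/^0*//')
    printf '%s %s\n' "$major" "${update:-0}"
}

# Exit 0 (true) when the version string is older than MIN_MAJOR/MIN_UPDATE.
java_older_than() {
    ver="$1"; min_major="$2"; min_update="$3"
    have=$(java_major_update "$ver")
    have_major=${have% *}
    have_update=${have#* }
    if [ "$have_major" -lt "$min_major" ]; then return 0; fi
    if [ "$have_major" -eq "$min_major" ] && [ "$have_update" -lt "$min_update" ]; then
        return 0
    fi
    return 1
}

# Assumed minimum for illustration only; the thread names no number.
# Replace with whatever level your own patch policy requires.
MIN_MAJOR=7
MIN_UPDATE=21

# Constructed sample banners, not captured from a real machine.
SAMPLE_OLD='java version "1.7.0_09"'
SAMPLE_NEW='java version "1.7.0_21"'
SAMPLE_JEP223='openjdk version "11.0.2" 2019-01-15'

report() {
    banner="$1"
    ver=$(java_version_string "$banner")
    if java_older_than "$ver" "$MIN_MAJOR" "$MIN_UPDATE"; then
        printf '%s -> %s is below %su%s: update before running any applet\n' \
            "$banner" "$ver" "$MIN_MAJOR" "$MIN_UPDATE"
    else
        printf '%s -> %s meets %su%s\n' "$banner" "$ver" "$MIN_MAJOR" "$MIN_UPDATE"
    fi
}

# Set JAVA_CHECK_LIVE=1 to inspect the real runtime on this host;
# otherwise the constructed samples are reported.
if [ "${JAVA_CHECK_LIVE:-0}" = "1" ] && command -v java >/dev/null 2>&1; then
    report "$(java -version 2>&1 | head -n 1)"
else
    for b in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_JEP223"; do
        report "$b"
    done
fi
```

Note that `java -version` writes its banner to stderr, hence the `2>&1`, and that a browser plugin can be bound to a different runtime than the one first on `PATH`; this script only answers for the `java` it can find.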