Re: [midatlanticretro] OT: Evan's Security or Lack thereof

  • David Riley
    Message 1 of 5 , May 15, 2013
      On May 15, 2013, at 3:21 PM, Dave McGuire <Mcguire@...> wrote:

      > On 05/15/2013 03:14 PM, B. Degnan wrote:
      > >>>> I wonder what actually did happen to Evan's setup.
      > >>>>
      > >>> I've put my two cents in. Web mail hijacking, especially if he uses
      > > Gmail as
      > >>> a frontend, seems like a good possibility, but only if he uses web mail
      > > as a
      > >>> frontend for his personal mail (which I don't know and am not going to
      > > pry).
      > >>
      > >> Yes, I agree here as well.
      > >
      > > I don't agree. Java is very vulnerable, esp if you have not updated this
      > > year.
      >
      > Java, meaning a JVM-based application running on the machine, or a
      > Java Applet running in a web browser? If you mean the latter, yes, most
      > definitely, but nobody does that anymore. The former, no...if that's
      > what you mean, please provide references.

      Almost no one does that INTENTIONALLY. There are plenty of rogue Java applets lurking in IFRAMEs in poorly-sanitized advertisement blocks all over the web (even on "nice" sites, never mind the others), just waiting for someone to drive by with a vulnerable Java distribution. Happens all the damn time, which is why Apple took the (sort of) drastic step of disabling the JVM by default if you haven't run any Java in the last... month? 90 days? Something like that.

      If you're the sort of person who DOES use Java applets regularly (I am, largely because we use GoToMeeting every week at work), then you can't have it disabled by default.

      > Java in that latter context is simply a language (as you know), and
      > in that language, it's possible for n00bs to write bad code with
      > vulnerabilities, just like any other language. But the language
      > *itself* is not the problem, nor is the JVM. (for JVMs released in the
      > last decade, at least!)

      Actually, vulnerable JVMs have been the vector for the more infamous recent Mac malware outbreaks (comparatively small ones to the typical Windows ones, but certainly large enough to attract notice). I wouldn't be surprised if there was an exploitable one distributed to Linux users in the recent past, in which case it's totally fair game. Small attack surface area, though, with generally a somewhat less credulous audience, so I'd be surprised if anyone actually took the time to write a Java exploit for Linux users to suck up their Thunderbird address book. But it could happen.

      > > Cell phone tethering as mentioned in my earlier email is also a
      > > problem if you're near NYC and you have not updated your password from the
      > > original one provided by the cell phone company. It's soooo easy to hack a
      > > cell phone because no one protects them.
      >
      > Your story about Penn Station in your last post totally blew my mind.

      Yeah, that's pretty crazy. I'd be surprised if people were doing that and then selling the address book data, but I wouldn't call it impossible. If you got paid (let's say) a dime an address, that's basically $100 per phone these days.


      - Dave
    • B. Degnan
      Message 2 of 5 , May 15, 2013
        Guys - let's take this off line, not on topic for vintage computing.
        Interesting topic nonetheless. The java problem is with the JDK version
        you download for running java on web pages, and coldfusion, etc. (the one
        that tries to get the ASK tool bar installed along with the update)....
        Oracle issued a fix a few months ago, and a few updates have trickled in
        over the following months. It was pretty scary, in January there were a
        few days when no fix was available.

        http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

        Bill