 |  | 
nil
Java Geek
join:2000-11-27
Host:
Webmasters and Dev..
Forum Feature Requ..
| Re: An IE Browser is EVEN exploitible on DSL Repor Well.. it really doesn't..
As I explained in that thread.. dslr security is based on more than just the cookie so ability to execute arbitrary javascript isn't exactly a huge security hole.
--
Life is too short to be boring
[text was edited by author 2003-07-26 13:39:47] | |
| | | 
Sarick
It's Only Logical
Premium
join:2003-06-03
USA
 ·FrontierNet Intern..
| Re: An IE Browser is EVEN exploitible on DSL Repor said by nil  :
Well.. it really doesn't..
As I explained in that thread.. dslr security is based on more than just the cookie so ability to execute arbitrary javascript isn't exactly a huge security hole.
No recheck the topic. A lot of new stuff got added. | |
| | | |
nil
Java Geek
join:2000-11-27
Host:
Webmasters and Dev..
Forum Feature Requ..
| Re: An IE Browser is EVEN exploitible on DSL Repor JavaScript is client side.. hence all the various little tricks you can do with it only work for the person viewing the site.. so yes.. someone could insert an iframe that will display contents of /prof.. but guess whose you will view? Your own.. and you can't view someone elses..
--
Life is too short to be boring | |
| | | | | | | | | | |
nil
Java Geek
join:2000-11-27 | Re: An IE Browser is EVEN exploitible on DSL Repor Okay, sure, why not.. There's one way to about it.. See my new post in the other thread.
--
Life is too short to be boring | |
| | | | | | | 
Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH
| Re: An IE Browser is EVEN exploitible on DSL Repor I'm VERY busy this weekend, and as I noted in the thread, I've not used Javascript for much other than form validation and simply redirection of the browser... but when I get time, I'll work on a 'proof of concept' post in the forum you linked, NIL.
And btw, thank you for taking time out for this.. I, too, am very interested in the outcome since I run my own custom forum system myself; I thought I had taken care of a lot of malicious possible uses before... but we'll see
Perhaps someone will get to a 'proof of concept' before I do.. we'll just see. | |
| 
nightdesigns
Gone missing, back soon
Premium
join:2002-05-31
AZ
 ·Cox HSI
| Am i safe, probably not. Let's see, i'm firewalled, antivirus (updated and scanned weekly) adsubtract, spamcop, and run adaware every now and then, and netscape, i NEVER use IE. Am i safe from a hit, probably not. I just consider these tools of the trade of the internet world these days. They're mostly there to help me retain my sanity. | |
| | 
bear73
Metnav... Fly The Unfriendly Skies
Premium
join:2001-06-09
Grand Forks Afb, ND
·Midcontinent Commu..
| Re: Am i safe, probably not. if you want to strip out IE from your system, take a look at IEradicator here. The folks there originally built their tools (avail. free) to remove IE from Win9x. I have used it quite a bit on W98SE. It has helped with stability on my wife's machine.
--
If ya gotta go, Go with a SMILE! | |
| 
metalfury
@swbell.ne
| CHOOSE YOUR WEAPONS!! * Opera »www.opera.com - screamin' fast HTML rendering!! Pop-up blocker, tabbed browsing, mouse gestures (do stuff just by moving the mouse and holding Ctrl or left button, whatever), keyboard browsing (no mouse, no prob). It does have rather annoying bugs, though. Printing correctly from Opera is an exercise in tweaking. Some username/password sites won't work at all (»sbc.yahoo.com comes to mind). To learn more, go to usenet group opera.general (NOT rec.opera, unless Bizet's Carmen is your cup of tea).
* SlimBrowser »www.flashpeak.com - for pages that only render correctly in IE. It's all I use at work, since our intranet sites were all built using Front Page. Same features as Opera, but only as fast as IE. Oh yeah, it has Groups, where you click on a group in the list (like a bookmark, to open a set of browser tabs. Geez, if only I could convince Operations to include this baby in the ghost image...
I've tried many other IE-based browsers suchs as CrazyBrowser, iTrix, Avant Browser (nice, but no go on NT4, shit!), MyIE2, but this is by far the best.
* Avast! »www.avast.com - anti-virus, with regular updates, just like Norton, but FREE. Note: the software will ask you to register, and you have 60 days to evaluate the product, blah, blah, blah... but registration is free. Concerned about privacy? Fake all the info except your e-mail, since that's where you'll get the reg code. They accept free web mail too.
* Ad-aware 6 »www.lavasoft.com - no comments required. The stick by which all pop-up blockers are measured.
* SpywareBlaster »www.wilderssecurity.net/spywareblaster.html - just found this out yesterday, and it's AWESOME. The software disables certain ActiveX controls that spyware software commonly use to install themselves. Kiss shit like Xupiter godbye. It also has a "system restore" kind of thing, so if anything ever falls through the cracks, you can always restore your settings. Last but not least, it has a Flash blocker (since 99% of Flash movies are ads or useless crap), which disabling and enabling is far simpler than uninstalling the Flash plug-in. They say their spyware database is constantly being updated, but only time will tell. The last update was dated 7/18.
I think I'm well prepared. If you have a better solution, let the discussion begin!! | |
| |
nil
Java Geek
join:2000-11-27 | Re: CHOOSE YOUR WEAPONS!! Opera is pretty strict about html and javascript.. I found the sites that don't work well in it are the ones not adhering to standards.
--
Life is too short to be boring | |
| | | 
Techie2000
In Vertigo
Premium
join:2001-12-05
clubs: | Re: CHOOSE YOUR WEAPONS!! Yeah. I like Opera, although the latest 7.20 Beta 1 is a bit unstable and renders the forums kinda funky... | |
| | | 
jerho
join:2000-07-06
Salix, IA
| said by nil :
Opera is pretty strict about html and javascript.. I found the sites that don't work well in it are the ones not adhering to standards.
opera pretty much bites
doesn't work with many sites and really not worth paying for
I've been trying it for a while and not worth the time
sorta like linix
unless you hate microsoft that much | |
| | 
Kambriel
join:2001-02-10
Sanford, FL
·RoadRunner Cable
| You are recommending AdAware? About six months ago, AdAware used to be the stick that others were measured by until a few watchdogs discovered that AdAware removed some sites from their list after receiving funding from these adware/spyware companies and allegedly still do so. Many former AdAware fans have moved on to Spybot Search & Destroy. Personally, I haven't looked back since Spybot found about eight items that AdAware left behind and this was before I even updated my Spybot defs to the then current version.
And so far, no one has mentioned a well stocked hosts file. I can't live without mine. It may not block pop-up windows, but it sure blocks the content.
[text was edited by author 2003-07-26 14:27:48] | |
| | | 
hhawkman
Premium
join:2001-02-08
Port Hueneme, CA
·RoadRunner Cable
| Re: CHOOSE YOUR WEAPONS!! said by Kambriel :
And so far, no one has mentioned a well stocked hosts file. I can't live without mine. It may not block pop-up windows, but it sure blocks the content.
That is a damn good tool, but by no means the answer. Taking things like doubleclick for example, they add or change server names on almost a daily basis. to keep them all in check is almost a 24 hr/day job. By the time you add all the sites you want to block, the HOSTS file gets so large that basic surfing slows to a crawl as every link is checked against the "list", and it won't help direct IP links.
I have had good results by using a PAC file like is available at:»www.schooner.com/~loverso/no-ads/
Instead of tracking each "doubleclick" server, it will allow you to use wildcards, and even block whole IP ranges. | |
| | | | 
jlv
Cantankerous - Can't take errors
join:2001-11-02
Southborough, MA | Re: CHOOSE YOUR WEAPONS!! Thanks for the positive comment on no-ads!
A hosts file doesn't come close to the capabilities of a PAC file, which lets you block URLs by pattern matching. | |
| | | | | FauxReal
join:2001-12-11
00000 | Re: CHOOSE YOUR WEAPONS!! Would you like to explain what a PAC file is and how the everyday net browser can apply it? | |
| | | | | |
jlv
Cantankerous - Can't take errors
join:2001-11-02
Southborough, MA
| PAC files & no-ads.pac said by FauxReal :
Would you like to explain what a PAC file is and how the everyday net browser can apply it?
See my note at »www.schooner.com/~loverso/no-ads/#howwork or read on...
Basically, a Proxy Auto Config file is supposed to be used to allow you to select an HTTP proxy based upon the URL you are visiting. It allows you to apply some JavaScript code against the URL.
Blocking ads via a hosts file means you lose access to all content at that hostname or IP address. Some sites put their ad images on their main server, such as www.example.com/adsales/banner_place.gif. You wouldn't want to add "www.example.com" to your hosts file because then you couldn't get to the rest of the site.
With a PAC (and with my no-ads.pac file), you can do:
if (dnsDomainIs(host, ".example.com")
&& shExpMatch(url, "*/adsales/*"))
*BLOCK* That's close to how no-ads works. *BLOCK* means the PAC returns a non-existent proxy for the ad image URLs, in which case your browser is unable to retrieve these images or iframes. If it can't retrieve them, it can't show them to you. Some browsers get annoyed if pointed at a non-existent proxy, so instead you point them at a proxy that returns either a "not-found" or a transparent 1x1 filler GIF. I call this a black-hole proxy.
But, you don't need to write any code. Just download my no-ads.pac from the link above and follow the directions. | |
| | | | | | | | | | | | | | | | | | FauxReal
join:2001-12-11
00000
| I really do like Ad-Aware from »www.lavasoftusa.com
I also like Sbot Search & Destroy from »security.kolla.de
They seem to catch things the others dont... another great trick is to add the ad/spyware company hostnames to your hosts list redirected to localhost.. there's a good list here: »pgl.yoyo.org/adservers/
Of course it doesnt work when they try to redirect you via IP address instead of hostname. But it does cutdown on the banner ads and popups... and if you happen to be on dialup... it makes browsing a tiny little bit faster. | |
| 
cugino
join:2000-11-27
Brooklyn, NY
| An ounce of vigilance & a pound of paranoia As unpalatable as it is, and as unjust as it may seem to those who genuinely value privacy and security, it takes a great deal of vigilance to ensure your own privacy & security online.
No, I don't begrudge M$ for some of the glaring holes that exist in IE. Ultimately, it's up to each user to manage his/her own security online, just as it's your responsibility to lock your own doors at night. Fortunately, there are plenty of great tools out there to give us some leverage against of the hordes of scumb@gs, script kiddies, and corporate voyeurs who wish to violate us at every turn.
As long as I have a good firewall, virus scanner, Trojan scanner, ad-ware scanner, the ability to disable scripting & cookies in my browser, and an awareness of all the dangers that are potentially out there, I'll take my chances.
Do the aforementioned make me immune to every danger? Of course not, but they do allow me to have at least a modicum of control over my own security, which is all anyone can ask.
--
"90% of the game is half mental" ..Yogi Berra
[text was edited by author 2003-07-26 14:03:19] | |
| 
livininarizona
Premium
join:2001-08-05
Merced, CA
clubs: 
| Most people... are just paranoid, and over-reacting to the effect of "Internet Security" besides submitting REAL personal information (which I hardly ever really have to do) there's nothing the average home user really needs to worry about. Yeah, basic antivirus is good, but multiple firewalls, paying for a proxy server, running through a router just for 1 computer...it's overkill, and a waste of time. Worst case scenario, you have to format your HDD. Get the google toolbar for IE and there's your pop-up blocker. Don't run suspicious Active X controls from a porn site, don't download "webcam viewers", don't download attachments from email you don't know who they are, don't turn automatic DDC sends on IRC..all this should be self-explanatory.
--
_____________________________It's Simple: »technologytalk.tk | |
| |
nil
Java Geek
join:2000-11-27
Host:
Webmasters and Dev..
Forum Feature Requ..
| Re: Most people... Actually.. no.. worst case scenario your computer is hijacked and used to spam or direct ddos attacks.. Think it can't happen? It does all the time..
Having an internet connection and no firewall (especially with windows) is like begging to be hacked.. and contrary to popular belief most hackers are not out to get your information.. they just want to use your bandwidth.. and cover up their tracks by hopping from hacked machine to hacked machine.
--
Life is too short to be boring | |
| | | | | | | | | | |
metalfury
@167.1.x.x | I'm not paranoid, I know what's getting transmitted. The problem is that all this junk slows my machine down, and I HATE pop-ups. | |
| | |
bear73
Metnav... Fly The Unfriendly Skies
Premium
join:2001-06-09
Grand Forks Afb, ND
·Midcontinent Commu..
| Re: I'm safe Have you tested your shields? I'm not familiar with NIS2k3, but if it operates similar to a firewall, then it may be conflicting with NAV. The best practice for defense is a multi-tiered setup. That being you have a NAT box (possibly with some filtering/rejection) then a hardware firewall, then a software firewall on your machine. Each covers the weak areas of the others. And of course SPI is a good thing.
--
If ya gotta go, Go with a SMILE! | |
| markopoleo
join:2003-04-02
Bonne Terre, MO
·Charter Pipeline
| Its kind of funny. That people think disabling cookies is going to protect privacy. Almost all websites use other programs to track users, get info, etc now-a-days anyways.
Websites can get:
Name of PC
IP address (unless firewall)
OS run
Browser run
Software running
If you are on a network (unless firewall)
And this is all without a cookie.
The best protection besides the basics (antivirus/firewall/spyware removal) is common sense.
Running IE is fine, no matter what browser you use websites can track you. People say "it has tons of security issues" but truth of the matter is, so do other ones, its just because its widely used is it gets so much attention. If other browsers got as popular is IE you would see the same thing.
Its the age-old myth about linux being more secure (distros mind you). Buy mandrake or whatever and download at "least" 80megs of security updates. 
--
If PLC goes mainstream, every other broadband provider will be considered what dialup is today...not broadband. | |
| | 
ravital
Just Another Pesky Independent Nh Voter
Premium
join:2001-07-19
Merrimack, NH
| Re: Its kind of funny. said by markopoleo :
Its the age-old myth about linux being more secure (distros mind you). Buy mandrake or whatever and download at "least" 80megs of security updates.
I don't use Linux yet, so this is just a question: What I've read about it is that in case of an infection, it should be fairly easy (if time-consuming) to just recompile your os from scratch and it will be as clean as on the day it was born. But none of this means it is somehow perfectly immune from infections to begin with. Correct?
I'm seriously considering Mandrake (while it's still legal and before SCO gets their lawyer's paws on them). | |
| | | markopoleo
join:2003-04-02
Bonne Terre, MO
·Charter Pipeline
| Re: Its kind of funny. One advantage of linux is of course it does have better security features, and very few virus infections occur because of this. I fiddle with Mandrake 9.1 and it was nice but felt, well, bloated. The reinstall if you have to will take same if not more time than windows if you muck something up.
Plus there is like 6 diffrent programs to do the same thing, so very confusing remembering all the same programs you use.
Its a nice OS, just to much thrown in one OS imo.
I tryed to opt in to a "basic" install, but if you do that you get tons of errors about missing files. flash back to windows
good luck
--
If PLC goes mainstream, every other broadband provider will be considered what dialup is today...not broadband. | |
| |
What-ever
@ucsd.edu
| >Its the age-old myth about linux being more secure (distros
>mind you). Buy mandrake or whatever and download at >"least" 80megs of security updates.
Now now, that's an oversimplification.
First, the reason why you don't have to download so many security updates for Windows is simply that Windows comes with less software. It's not the core of Linux which is responsible for all of those vulnerabilities, but stand-alone programs. Now, I think that you're basically right, in that there are more vulnerabilities in the default install of most Linux distros than the default install of Windows. However, you can always choose not to install to many programs, or to use a lighter distro which installs less software by default, or remove programs you don't need after you've finished the installation. Remember, a default install of Linux can do a _lot_ more than a default install of Windows. You should be safe getting rid of the half-dozen mp3 players, web browsers, servers, etc. that you're not going to use.
Second, look at the types of vulnerabilities found in Linux software. It's mostly local vulnerabilities, in that a person needs to have at least shell access on your machine to exploit those vulnerabilities. Compare that to all of these recent Windows vulnerabilities where visiting a properly designed webpage can mess you up. There's a big difference in the likelihood of being hurt by that kind of vulnerability. | |
| rradina
join:2000-08-08
Chesterfield, MO
·Charter Pipeline
| Security Threats Overblown In my opinion, security threats are overblown. If you keep your system patched and you're smart when you click a dialog box with OK or Yes, you won't get burned.
Of course keeping your system patched is not simple. You have to keep up on vulnerabilities in every piece of software that you use from Acrobat to Windows.
I'm not advocating anyone remove protection mechanisms from their system. I just think a bit of education goes a long way. If you click yes to a dialog box that claims to make you a millionaire, it probably isn't going to be good for your system.
In my opinion, one of the best ways to try any type of software or browse any potentially dangerous site, if there really are such things, is in a VMWare virtual machine. They have a mode that asks you if you want to persist your changes. If you're carelessly browsing and clicking YES to which you shouldn't, you can shutdown and it asks you if you want to persist the changes. If you say no, everything changed since boot is eliminated. | |
| 
Penguins
Have You Played Atari Today?
join:2001-12-01
Cleveland, OH
| Firebird (aka the new Mozilla) Dump IE and that virus generator it calls an e-mail client.
Get the Firebird 0.6 for web browsing and Thunderbird for e-mail.
»seb.mozdev.org/firebird/
--
Pure magic in 2k of 6502. | |
| | 
Lion7
join:2003-05-08
Here
| Re: Firebird (aka the new Mozilla) said by Penguins :
Dump IE and that virus generator it calls an e-mail client.
Get the Firebird 0.6 for web browsing and Thunderbird for e-mail.
»seb.mozdev.org/firebird/
Thats funny because I have Firebird(latestversion and it sucks compared to IE. I went back to IE because it loads way quicker and doesn't have all the hiccups fireturd and thunderturd has.
--
Subnetting Sucks! | |
| 
MrTangent
join:2001-12-28
Earth
| Cute It's cute watching all the Windows users fall prey to spyware/adware and trojans while they surf the internet and download things.
The best solution is to stop using Windows/IE/Outlook, wouldn't you think? I know I'm a lot happier now that I ditched my Windows boxes.
--
"War Is Peace. Freedom Is Slavery. Ignorance Is Strength" | |
| | BIGHUSKER
join:2002-01-20
Minneapolis, MN
| Re: Cute That's not really an option for most. With SpywareGuard, SpywareBlaster, Spybot Search & Destroy, a patched IE, ZoneAlarm, an external firewall on my NAT router, an anti-virus program, and some common sense, I have no problems.
SpywareGuard kicks ass, as it runs in the background and prevents most all spyware from even being loaded onto your system. | |
| | |
MrTangent
join:2001-12-28
Earth | Re: Cute Don't forget AdAware. I use it on the sole remaining Windows box I keep around for no good reason. I'd highly recommend it, if you haven't used it already.
--
"War Is Peace. Freedom Is Slavery. Ignorance Is Strength" | |
| 
Alcohol
Premium
join:2003-05-26
Somerset, NJ | My security I run spybot and adware daily.
Have zone alarm.
Don't go to any sites that download something on your computer.
Don't download anything through IRC or p2p or even FTP.
Don't upload.
--
| |
| | 
Unit649
I B U, Who U B?
Premium
join:2000-01-22
Stockton, CA
·Comcast
| Re: My security I hope you don't also open emails from people you don't know Those seem to be the cause of a lot of problems also.
--
U ::::Founder, ForeverChat IRC Network:::: »www.foreverchat.net | |
| |
Alcohol
Premium
join:2003-05-26
Somerset, NJ | I open all my emails.
Don't think that would be a problem. Norton Antivirus 2003 can take care of everything
--
| |
| | | 
Transmaster
Don't Blame Me I Voted For Bill and Opus
join:2001-06-20
Cheyenne, WY
·Qwest.net
| Re: My security If you want to do the acid test of your secruity software and have the stomach for it go to your average porno site.
if you can escape all the redirects, popup's, dialers, Trojans, etc,etc,etc......without rebooting then whatever you are using is good stuff.
--
low Brass Rules!
[text was edited by author 2003-07-29 22:22:38] | |
|
nil
Java Geek
join:2000-11-27 |  (topic move) Not Pingable?
System message: moderator action (nil)
--------------------------------
This entire topic was moved to the forum Site Tools
click here to follow it. | |
| gtix
join:2003-06-04
Monterey Park, CA
| Turn off computer now Ever hear the tech support joke about user error?
The one where the tech ask the guy to look at the mirror?
Most of these issues as hard as it is to face is the person behind the monitor. You install spyware or allow it, you DL files with virus in them, you got stupid friends who send you a attachment and you download it. You get the idea. Yes some OS works better then others for this, but if you got someone who can't set it up right, guess what? Same issues. | |
| | | | |
|
|
An IE Browser is EVEN exploitible on DSL Reports
Re: An IE Browser is EVEN exploitible on DSL Repor
·
·