I displayed, as a web page, a list of search results created in PHP, from MySQL.
Firefox prevents me looking at the web page's source coding.
Right-click, view source, produces this display:-
Document Expired
This document is no longer available.
The requested document is not available in Firefox's cache.
As a security precaution, Firefox does not automatically re-request sensitive documents.
Click Try Again to re-request the document from the website.
CTRL-U produces the same message.
The headers are:-
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Quick Message - Search Facility</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
<META NAME="lang" CONTENT="en">
<META NAME="dir" CONTENT="ltr">
<LINK HREF="/u00/u00.css" REL="stylesheet" TYPE="text/css">
<LINK HREF="/u00/z00extra.css" REL="stylesheet" TYPE="text/css">
<LINK HREF="/u00/u00tulpen0.png" REL="icon" TYPE="image/png">
<style> .d {float:left; color:#00a86b; width:120px;} </style>
</HEAD>
Removing the DocType makes no difference.
Clicking on the "Try Again" button produces this display:-
<HTML>
<HEAD>
<TITLE>Quick Message - Search Facility</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
<META NAME="lang" CONTENT="en">
<META NAME="dir" CONTENT="ltr">
<LINK HREF="/u00/u00.css" REL="stylesheet" TYPE="text/css">
<LINK HREF="/u00/z00extra.css" REL="stylesheet" TYPE="text/css">
<LINK HREF="/u00/u00tulpen0.png" REL="icon" TYPE="image/png">
<style> .d {float:left; color:#00a86b; width:120px;} </style>
</HEAD>
<BODY class="body"></BODY>
</HTML>
A candidate for upstream bugzilla ?
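Added example, not code from the poster or the thread. Firefox shows its "Document Expired" page when the document it is asked to re-request was the response to a POST (a form submission) sent with headers that forbid caching; a PHP script that calls session_start() sends "Cache-Control: no-store, no-cache, must-revalidate" by default (session.cache_limiter = nocache). Firefox will not resubmit a POST body on its own and has no cached copy to show, so View Source, Reload and Back all land on that page. The usual remedy is the Post/Redirect/Get pattern shown here: the POST is answered with a 303 redirect and the results are rendered by an ordinary GET, which the browser may re-request freely. The script path, the table and column names, and the database credentials are assumptions; the search uses a prepared statement so the user's term is never interpolated into SQL.

```php
<?php
// Added example (not code from the thread). Assumes a search form that POSTs
// a field named "q" to /search.php, and a constructed table "messages" with
// columns "id" and "body". DSN, user name and password are placeholders.
session_start();   // default cache limiter: the response carries
                   // "Cache-Control: no-store, no-cache, must-revalidate"

define('SEARCH_URL', '/search.php');   // fixed path; not built from PHP_SELF

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Step 1 of Post/Redirect/Get: accept the submission, keep the term in
    // the session, and answer with 303 See Other so the browser follows up
    // with a GET. No result HTML is ever sent in reply to the POST itself.
    $q = isset($_POST['q']) ? trim((string) $_POST['q']) : '';
    $_SESSION['search_q'] = substr($q, 0, 100);   // bound the length
    header('Location: ' . SEARCH_URL, true, 303);
    exit;
}

// Step 2: the results page is a plain GET. Firefox can re-request it for
// View Source or Reload without the "Document Expired" page, because there
// is no POST body it would have to resubmit.
$q = isset($_SESSION['search_q']) ? $_SESSION['search_q'] : '';

$rows = array();
if ($q !== '') {
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
                   array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    // Prepared statement: the term is bound, never interpolated into SQL.
    // LIKE wildcards typed by the user are escaped so "%" and "_" match
    // literally (MySQL's default LIKE escape character is the backslash).
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $pdo->prepare('SELECT id, body FROM messages WHERE body LIKE ? LIMIT 50');
    $stmt->execute(array($pattern));
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
}

header('Content-Type: text/html; charset=utf-8');
?>
<!DOCTYPE html>
<html>
<head><title>Quick Message - Search Facility</title></head>
<body>
<form method="post" action="<?php echo SEARCH_URL; ?>">
  <input type="text" name="q"
         value="<?php echo htmlspecialchars($q, ENT_QUOTES, 'UTF-8'); ?>">
  <input type="submit" value="Search">
</form>
<ul>
<?php foreach ($rows as $row): ?>
  <li><?php echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'); ?></li>
<?php endforeach; ?>
</ul>
</body>
</html>
```

Keeping the term in the session rather than in the redirect's query string avoids leaking it through the URL bar, history and Referer headers; if bookmarkable result pages are wanted, put the term in the query string of the Location header instead, URL-encoded with rawurlencode(). Every value echoed into the page goes through htmlspecialchars(), since search results are a classic place for reflected cross-site scripting.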
On 06/10/2015 03:56 AM, Always Learning wrote:
I displayed, as a web page, a list of search results created in PHP, from MySQL.
i am still using 24.8.0 and do not have to contend with all the bugs introduced by moz dev and their 'bells and whistles' when they started trying to get ahead of gaagle chrome web browser.
you will get better results for your problems if you would post them to the mozilla-support-firefox@lists.mozilla.org which you can join by subscribing to the list at;
https://lists.mozilla.org/listinfo/support-firefox
A candidate for upstream bugzilla ?
maybe at mozilla.org, but not at centos.org.
On Fri, June 12, 2015 8:28 am, g wrote:
On 06/10/2015 03:56 AM, Always Learning wrote:
I displayed, as a web page, a list of search results created in PHP, from MySQL.
i am still using 24.8.0 and do not have to contend with all the bugs introduced by moz dev and their 'bells and whistles' when they started trying to get ahead of gaagle chrome web browser.
you will get better results for your problems if you would post them to the mozilla-support-firefox@lists.mozilla.org which you can join by subscribing to the list at;
Just for those who are as upset with Mozilla Firefox as I am (for about 6 years I was looking for a Firefox replacement, - fruitlessly mostly). Someone just recommended me a replacement, which I didn't test long enough yet, but during the last two weeks I'm using it, and it behaves (is stable, and has all the features one would expect from a browser today).
Alas, it is not open source, but it is available (as precompiled binaries) for Linux (both rpm and deb based installers), MacOS, and Windows. I cannot use it on my FreeBSD workstation, - sigh (I probably will end up switching from Firefox to midori on FreeBSD). When choosing a Firefox replacement, I had a really strong constraint on my side: "provided the browser is NOT google chrome", as I have my reservations about google chrome which I don't want to go into here.
Mentioning in a hope this may help someone.
Valeri
A candidate for upstream bugzilla ?
maybe at mozilla.org, but not at centos.org.
--
peace out.
-- If Bill Gates got a dime for every time Windows crashes... ...oh, wait. He does. THAT explains it! -- in a world without fences, who needs gates. --
CentOS GNU/Linux 6.6
tc,hago.
g .
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev wrote:
On Fri, June 12, 2015 8:28 am, g wrote:
On 06/10/2015 03:56 AM, Always Learning wrote:
I displayed, as a web page, a list of search results created in PHP, from MySQL.
i am still using 24.8.0 and do not have to contend with all the bugs introduced by moz dev and their 'bells and whistles' when they started trying to get ahead of gaagle chrome web browser.
<snip>
Just for those who are as upset with Mozilla Firefox as I am (for
<snip> Speaking of firefox annoyances, does anyone know of a way to tell firefox to stop telling me that I hadn't started it in a while (when I log on in the morning), and no, I do *not* want it to refresh to its CoolNewLook, whatever that is?
mark
On 06/12/2015 07:28 AM, g wrote:
On 06/10/2015 03:56 AM, Always Learning wrote:
I displayed, as a web page, a list of search results created in PHP, from MySQL.
i am still using 24.8.0 and do not have to contend with all the bugs introduced by moz dev and their 'bells and whistles' when they started trying to get ahead of gaagle chrome web browser.
you will get better results for your problems if you would post them to the mozilla-support-firefox@lists.mozilla.org which you can join by subscribing to the list at;
https://lists.mozilla.org/listinfo/support-firefox
A candidate for upstream bugzilla ?
maybe at mozilla.org, but not at centos.org.
The most offensive problem of using browsers is that they do not tell you nor ask your permission when javascripts spy on your entire storage contents. I had asked a java developer at Sun Microsystems about what Sun means when it says that Java runs in a sandbox? Just what is the sandbox? I also asked if browsers that execute javascripts are restricted to this notion of a sandbox that does not leak out into the rest of the system.
He said the "sandbox" is the entire storage on your computer.
Enough said.
jd1008 wrote:
On 06/12/2015 07:28 AM, g wrote:
On 06/10/2015 03:56 AM, Always Learning wrote:
I displayed, as a web page, a list of search results created in PHP, from MySQL.
i am still using 24.8.0 and do not have to contend with all the bugs introduced by moz dev and their 'bells and whistles' when they started trying to get ahead of gaagle chrome web browser.
you will get better results for your problems if you would post them to the mozilla-support-firefox@lists.mozilla.org which you can join by subscribing to the list at;
https://lists.mozilla.org/listinfo/support-firefox
A candidate for upstream bugzilla ?
maybe at mozilla.org, but not at centos.org.
The most offensive problem of using browsers is that they do not tell you nor ask your permission when javascripts spy on your entire storage contents. I had asked a java developer at Sun Microsystems about what Sun means when it says that Java runs in a sandbox? Just what is the sandbox? I also asked if browsers that execute javascripts are restricted to this notion of a sandbox that does not leak out into the rest of the system.
He said the "sandbox" is the entire storage on your computer.
Enough said.
Please note that java and javascript are two separate languages.... And I have noscript installed everywhere....
mark
On 06/12/2015 11:25 AM, m.roth@5-cent.us wrote:
jd1008 wrote:
On 06/12/2015 07:28 AM, g wrote:
On 06/10/2015 03:56 AM, Always Learning wrote:
I displayed, as a web page, a list of search results created in PHP, from MySQL.
i am still using 24.8.0 and do not have to contend with all the bugs introduced by moz dev and their 'bells and whistles' when they started trying to get ahead of gaagle chrome web browser.
you will get better results for your problems if you would post them to the mozilla-support-firefox@lists.mozilla.org which you can join by subscribing to the list at;
https://lists.mozilla.org/listinfo/support-firefox
A candidate for upstream bugzilla ?
maybe at mozilla.org, but not at centos.org.
The most offensive problem of using browsers is that they do not tell you nor ask your permission when javascripts spy on your entire storage contents. I had asked a java developer at Sun Microsystems about what Sun means when it says that Java runs in a sandbox? Just what is the sandbox? I also asked if browsers that execute javascripts are restricted to this notion of a sandbox that does not leak out into the rest of the system.
He said the "sandbox" is the entire storage on your computer.
Enough said.
Please note that java and javascript are two separate languages.... And I have noscript installed everywhere....
mark
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote:
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
You mean the noscript.mandatory about:config entry? I looked at it on my computer and it wasn't really web sites, just internal chrome URLs like "about:config".
On 06/12/2015 12:18 PM, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote:
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
You mean the noscript.mandatory about:config entry? I looked at it on my computer and it wasn't really web sites, just internal chrome URLs like "about:config".
No Jonathan. I mean websites whitelisted and not exposed in the whitelist tab.
On Sat, June 13, 2015 1:22 pm, jd1008 wrote:
On 06/12/2015 12:18 PM, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote:
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
You mean the noscript.mandatory about:config entry? I looked at it on my computer and it wasn't really web sites, just internal chrome URLs like "about:config".
No Jonathan. I mean websites whitelisted and not exposed in the whitelist tab.
Let me guess: google, mozilla, ...
Please, tell me how wrong I am (who are actually whitelisted would be really good to know).
Valeri
On Fri, 2015-06-12 at 13:27 -0500, Valeri Galtsev wrote:
Please, tell me how wrong I am (who are actually whitelisted would be really good to know).
Everyone knows its the USA government's preferred spy and monitoring sites.
On 06/12/2015 12:27 PM, Valeri Galtsev wrote:
On Sat, June 13, 2015 1:22 pm, jd1008 wrote:
On 06/12/2015 12:18 PM, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote:
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
You mean the noscript.mandatory about:config entry? I looked at it on my computer and it wasn't really web sites, just internal chrome URLs like "about:config".
No Jonathan. I mean websites whitelisted and not exposed in the whitelist tab.
Let me guess: google, mozilla, ...
Please, tell me how wrong I am (who are actually whitelisted would be really good to know).
I was just using that as an example of damaging javascripts. The current version of noscript no longer tells the number of javascripts that are blocked out of the total (per web site). In the older versions, I would delete all entries in the visible whitelist, and would visit new websites. It would list some n javascripts blocked out of m scripts. Clicking on the 'options' tab on the bottom, I would not see the 'allowed' scripts listed.
jd1008 wrote:
On 06/12/2015 12:27 PM, Valeri Galtsev wrote:
On Sat, June 13, 2015 1:22 pm, jd1008 wrote:
On 06/12/2015 12:18 PM, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote:
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
You mean the noscript.mandatory about:config entry? I looked at it on my computer and it wasn't really web sites, just internal chrome URLs like "about:config".
No Jonathan. I mean websites whitelisted and not exposed in the whitelist tab.
Let me guess: google, mozilla, ...
<snip> This is not completely correct. I just went to my tab on google news, noscript, options, and removed google.content (or whatever it was).
mark
On 06/12/2015 12:46 PM, m.roth@5-cent.us wrote:
jd1008 wrote:
On 06/12/2015 12:27 PM, Valeri Galtsev wrote:
On Sat, June 13, 2015 1:22 pm, jd1008 wrote:
On 06/12/2015 12:18 PM, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote:
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
You mean the noscript.mandatory about:config entry? I looked at it on my computer and it wasn't really web sites, just internal chrome URLs like "about:config".
No Jonathan. I mean websites whitelisted and not exposed in the whitelist tab.
Let me guess: google, mozilla, ...
<snip> This is not completely correct. I just went to my tab on google news, noscript, options, and removed google.content (or whatever it was).
You did not read my full message. You are using a recent incarnation of noscript which does not enumerate in a temporary line near the status bar how many scripts are blocked out of a total.
If you want to continue thinking all is well in noscript land, fine with me.
On Sat, Jun 13, 2015 at 12:38:35PM -0600, jd1008 wrote:
I was just using that as an example of damaging javascripts. The current version of noscript no longer tells the number of javascripts that are blocked out of the total (per web site). In the older versions, I would delete all entries in the visible whitelist, and would visit new websites. It would list some n javascripts blocked out of m scripts. Clicking on the 'options' tab on the bottom, I would not see the 'allowed' scripts listed.
So, you're scaring people away from a privacy-enhancing tool with unprovable claims of a hidden whitelist? Which I can't find in the javascript source of the XPI? Also, based on your conversations with someone who worked at a company that hasn't existed since 2009?
I get it, you've got some concerns about the security of the web model. But adjust your tin foil hat, you're picking up Fox News on that thing.
For the record, I use NoScript, Ghostery and uBlock, and am happy with the experience (for the most part).
I also heavily use Firefox profiles, and only use a completely separate profile for certain operations, such as online banking. I've been playing with using the SELinux sandbox program too, but it's just too convenient to be able to copy-paste into firefox, which sandbox blocks. I don't use the same profile for Facebook (*sigh*, yeah) and just random browsing. I'm certain that a certain amount of private information leaks out when I'm browsing forums or catching up with the news, but unfortunately, that's the tax you pay when you use the web.
I'm fairly certain that io9.com isn't reading /etc/shadow on my computer.
On Fri, June 12, 2015 2:03 pm, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:38:35PM -0600, jd1008 wrote:
I was just using that as an example of damaging javascripts. The current version of noscript no longer tells the number of javascripts that are blocked out of the total (per web site). In the older versions, I would delete all entries in the visible whitelist, and would visit new websites. It would list some n javascripts blocked out of m scripts. Clicking on the 'options' tab on the bottom, I would not see the 'allowed' scripts listed.
So, you're scaring people away from a privacy-enhancing tool with unprovable claims of a hidden whitelist? Which I can't find in the javascript source of the XPI? Also, based on your conversations with someone who worked at a company that hasn't existed since 2009?
I get it, you've got some concerns about the security of the web model. But adjust your tin foil hat, you're picking up Fox News on that thing.
For the record, I use NoScript, Ghostery and uBlock, and am happy with the experience (for the most part).
I also heavily use Firefox profiles, and only use a completely separate profile for certain operations, such as online banking. I've been playing with using the SELinux sandbox program too, but it's just too convenient to be able to copy-paste into firefox, which sandbox blocks. I don't use the same profile for Facebook (*sigh*, yeah) and just random browsing. I'm certain that a certain amount of private information leaks out when I'm browsing forums or catching up with the news, but unfortunately, that's the tax you pay when you use the web.
Speaking of privacy... I would recommend people to check out tor project:
they have a nice browser (the codebase of which is Mozilla Firefox, - they didn't find a better workhorse yet...). One privacy aspect that wasn't mentioned here is your internet provider being able to see your traffic (destination at least) and analyze that. This is what the tor project helps with. But other aspects are also well lit on their website, including what information you disclose yourself (often even not realizing that).
I hope, this helps someone.
Valeri
I'm fairly certain that io9.com isn't reading /etc/shadow on my computer.
-- Jonathan Billings billings@negate.org
On 06/12/2015 01:35 PM, Valeri Galtsev wrote:
On Fri, June 12, 2015 2:03 pm, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:38:35PM -0600, jd1008 wrote:
I was just using that as an example of damaging javascripts. The current version of noscript no longer tells the number of javascripts that are blocked out of the total (per web site). In the older versions, I would delete all entries in the visible whitelist, and would visit new websites. It would list some n javascripts blocked out of m scripts. Clicking on the 'options' tab on the bottom, I would not see the 'allowed' scripts listed.
So, you're scaring people away from a privacy-enhancing tool with unprovable claims of a hidden whitelist? Which I can't find in the javascript source of the XPI? Also, based on your conversations with someone who worked at a company that hasn't existed since 2009?
I get it, you've got some concerns about the security of the web model. But adjust your tin foil hat, you're picking up Fox News on that thing.
For the record, I use NoScript, Ghostery and uBlock, and am happy with the experience (for the most part).
I also heavily use Firefox profiles, and only use a completely separate profile for certain operations, such as online banking. I've been playing with using the SELinux sandbox program too, but it's just too convenient to be able to copy-paste into firefox, which sandbox blocks. I don't use the same profile for Facebook (*sigh*, yeah) and just random browsing. I'm certain that a certain amount of private information leaks out when I'm browsing forums or catching up with the news, but unfortunately, that's the tax you pay when you use the web.
Speaking of privacy... I would recommend people to check out tor project:
they have a nice browser (the codebase of which is Mozilla Firefox, - they didn't find a better workhorse yet...). One privacy aspect that wasn't mentioned here is your internet provider being able to see your traffic (destination at least) and analyze that. This is what the tor project helps with. But other aspects are also well lit on their website, including what information you disclose yourself (often even not realizing that).
I hope, this helps someone.
Valeri
I looked into tor. Too complicated to set up, and I only use hotspots :( Home internet with good speed is way too expensive here.
instead of a fixed IP address.
On 06/12/2015 01:03 PM, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:38:35PM -0600, jd1008 wrote:
I was just using that as an example of damaging javascripts. The current version of noscript no longer tells the number of javascripts that are blocked out of the total (per web site). In the older versions, I would delete all entries in the visible whitelist, and would visit new websites. It would list some n javascripts blocked out of m scripts. Clicking on the 'options' tab on the bottom, I would not see the 'allowed' scripts listed.
So, you're scaring people away from a privacy-enhancing tool with unprovable claims of a hidden whitelist? Which I can't find in the javascript source of the XPI? Also, based on your conversations with someone who worked at a company that hasn't existed since 2009?
I get it, you've got some concerns about the security of the web model. But adjust your tin foil hat, you're picking up Fox News on that thing.
For the record, I use NoScript, Ghostery and uBlock, and am happy with the experience (for the most part).
I also heavily use Firefox profiles, and only use a completely separate profile for certain operations, such as online banking. I've been playing with using the SELinux sandbox program too, but it's just too convenient to be able to copy-paste into firefox, which sandbox blocks. I don't use the same profile for Facebook (*sigh*, yeah) and just random browsing. I'm certain that a certain amount of private information leaks out when I'm browsing forums or catching up with the news, but unfortunately, that's the tax you pay when you use the web.
I'm fairly certain that io9.com isn't reading /etc/shadow on my computer.
:) LOL
Enjoy your perception of security and privacy :)
On 06/12/2015 01:27 PM, Valeri Galtsev wrote:
On Sat, June 13, 2015 1:22 pm, jd1008 wrote:
<<<>>>
No Jonathan. I mean websites whitelisted and not exposed in the whitelist tab.
Let me guess: google, mozilla, ...
Please, tell me how wrong I am (who are actually whitelisted would be really good to know).
who? good question.
how? lots of green. and i do not mean the kind with pointed leafs. ;-)
On Sat, Jun 13, 2015 at 12:22:13PM -0600, jd1008 wrote:
No Jonathan. I mean websites whitelisted and not exposed in the whitelist tab.
I'd certainly like to see proof of this claim.
Are you sure you're not thinking about Adblock Plus and its "bribe us and we'll whitelist you" scheme?
On 06/12/2015 12:36 PM, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 12:22:13PM -0600, jd1008 wrote:
No Jonathan. I mean websites whitelisted and not exposed in the whitelist tab.
I'd certainly like to see proof of this claim.
Are you sure you're not thinking about Adblock Plus and its "bribe us and we'll whitelist you" scheme?
Nop! You can also try adblock edge which circumvents the bribe :) Also, read my reply to Valerie.
On Sat, 2015-06-13 at 12:40 -0600, jd1008 wrote:
You can also try adblock edge which circumvents the bribe :)
:-(
https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/
**This addon has been discontinued**
On 06/12/2015 02:16 PM, Always Learning wrote:
On Sat, 2015-06-13 at 12:40 -0600, jd1008 wrote:
You can also try adblock edge which circumvents the bribe :)
:-(
https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/
**This addon has been discontinued**
Weird!!!! I just installed it yesterday. See image of my screen at https://www.sendspace.com/file/udk055
On Fri, 2015-06-12 at 14:43 -0600, jd1008 wrote:
On 06/12/2015 02:16 PM, Always Learning wrote:
On Sat, 2015-06-13 at 12:40 -0600, jd1008 wrote:
You can also try adblock edge which circumvents the bribe :)
:-(
https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/
**This addon has been discontinued**
Weird!!!! I just installed it yesterday. See image of my screen at https://www.sendspace.com/file/udk055
We were not looking at the identical sites. I looked at Mozilla. You looked at sendspace.com
On 06/12/2015 05:51 PM, Always Learning wrote:
On Fri, 2015-06-12 at 14:43 -0600, jd1008 wrote:
On 06/12/2015 02:16 PM, Always Learning wrote:
On Sat, 2015-06-13 at 12:40 -0600, jd1008 wrote:
You can also try adblock edge which circumvents the bribe :)
:-(
https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/
**This addon has been discontinued**
Weird!!!! I just installed it yesterday. See image of my screen at https://www.sendspace.com/file/udk055
We were not looking at the identical sites. I looked at Mozilla. You looked at sendspace.com
I uploaded my screen image after I clicked on Tools->Add-ons Here is the link https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/
On 6/12/2015 1:16 PM, Always Learning wrote:
On Sat, 2015-06-13 at 12:40 -0600, jd1008 wrote:
You can also try adblock edge which circumvents the bribe:)
:-(
https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/
**This addon has been discontinued**
I switched to uBlock awhile ago.
On 06/13/2015 01:05 PM, jd1008 wrote: <<<>>>
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
and you know this how?
i do not really believe there is a 'hidden whitelist'. it is more like there are sites that are used to check on sites you connect to. gaggle is one of them. :-P
something you will/may find interesting, open about:config, enter "Search: whitelist" for info on noscript 'whitelist'. if you enter "Search: noscript", you will see that noscript stores one hell of a lot of info.
see pages;
https://noscript.net/features#xss https://noscript.net/faq#xss
then <ctrl-f> enter "find: whitelist", read all for more whitelist info.
then open noscript options select Advanced -> XSS, be sure both selections are checked.
you should also register here;
https://forums.informaction.com/viewforum.php?f=3
to find out more about noscript and ask about 'hidden whitelist'.
for further protection when surfing, get the 'wot' [web of trust] add-on;
https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
https://www.mywot.com/ https://www.mywot.com/en/settings/en-US/firefox/20131030/welcome
https://en.wikipedia.org/wiki/WOT_Services
On 06/13/2015 02:02 PM, g wrote:
On 06/13/2015 01:05 PM, jd1008 wrote: <<<>>>
Mark, please be aware that noscript has also a whitelist that is not viewable by the user. The whitelist tab does NOT list the hidden white listed entries.
and you know this how?
i do not really believe there is a 'hidden whitelist'. it is more like there are sites that are used to check on sites you connect to. gaggle is one of them. :-P
something you will/may find interesting, open about:config, enter "Search: whitelist" for info on noscript 'whitelist'. if you enter "Search: noscript", you will see that noscript stores one hell of a lot of info.
see pages;
https://noscript.net/features#xss https://noscript.net/faq#xss
then <ctrl-f> enter "find: whitelist", read all for more whitelist info.
then open noscript options select Advanced -> XSS, be sure both selections are checked.
you should also register here;
https://forums.informaction.com/viewforum.php?f=3
to find out more about noscript and ask about 'hidden whitelist'.
for further protection when surfing, get the 'wot' [web of trust] add-on;
https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
https://www.mywot.com/ https://www.mywot.com/en/settings/en-US/firefox/20131030/welcome
Look, I am not trying to discourage anyone from using noscript. I myself do use it. But I do not put my trust in it due to my prior experience with it. If you think it floats your boat, fine with me. No need to beat on this any further.
On Sat, Jun 13, 2015 at 10:55:47AM -0600, jd1008 wrote:
The most offensive problem of using browsers is that they do not tell you nor ask your permission when javascripts spy on your entire storage contents.
Huh? You've been misinformed. Certainly there have been exploits against browsers to bypass the sandbox, but this isn't the default configuration in any browser I know of.
I had asked a java developer at Sun Microsystems about what Sun means when it says that Java runs in a sandbox? Just what is the sandbox? I also asked if browsers that execute javascripts are restricted to this notion of a sandbox that does not leak out into the rest of the system.
He said the "sandbox" is the entire storage on your computer.
Java != JavaScript. It's a common misconception. Perhaps that's why this java developer might have answered the way he did, although I'm fairly certain Java sandboxes can also be restricted (although I'm no Java developer) so they don't have access to the entire storage of your computer. Certainly, simple UNIX permissions prevent both Java and browsers from getting access to the *entire* storage on your computer, unless they're used to exploit some other vulnerability.
If you're concerned about JavaScript, I suggest looking into the NoScript firefox extension.
On 06/12/2015 11:57 AM, Jonathan Billings wrote:
On Sat, Jun 13, 2015 at 10:55:47AM -0600, jd1008 wrote:
The most offensive problem of using browsers is that they do not tell you nor ask your permission when javascripts spy on your entire storage contents.
Huh? You've been misinformed. Certainly there have been exploits against browsers to bypass the sandbox, but this isn't the default configuration in any browser I know of.
Configuration or no, the developer told me the bottom line scoop. FF, SM, IE, ....etc, all execute javascripts like obedient slaves.
I had asked a java developer at Sun Microsystems about what Sun means when it says that Java runs in a sandbox? Just what is the sandbox? I also asked if browsers that execute javascripts are restricted to this notion of a sandbox that does not leak out into the rest of the system.
He said the "sandbox" is the entire storage on your computer.
Java != JavaScript. It's a common misconception. Perhaps that's why this java developer might have answered the way he did, although I'm fairly certain Java sandboxes can also be restricted (although I'm no Java developer) so they don't have access to the entire storage of your computer. Certainly, simple UNIX permissions prevent both Java and browsers from getting access to the *entire* storage on your computer, unless they're used to exploit some other vulnerability.
If you're concerned about JavaScript, I suggest looking into the NoScript firefox extension.
All your browsing history, all cookies ...etc are open books as far as many javascripts are concerned. For example, all browsers execute the javascript called googleusercontent.com
Please read this page: http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com
Be INFORMED!!
On 06/13/2015 11:11 AM, jd1008 wrote:
All your browsing history, all cookies ...etc are open books as far as many javascripts are concerned.
Javascript can use CSS attributes to see if you've visited a specific URL, which is unfortunate, but that's a long way from saying that your history is an open book. Javascript cannot directly access your history. A script cannot enumerate all of the sites you've visited, it can only test specific, complete URLs.
As far as cookies go, you're even further from the truth. A script can only access cookies whose domain matches the origin of the script.
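Added example, not code from the thread. It models in PHP the cookie-scoping rule stated above (a page script reads only cookies whose domain matches the page's host) and goes one step further than the message: a cookie without a Domain attribute is host-only and matches that exact host, a Domain attribute also covers subdomains, an HttpOnly cookie is never exposed to script at all, and a Secure cookie is hidden from scripts on http: pages. Host names and cookie names are constructed; Path matching is left out of the model.

```php
<?php
// Added example, not code from the thread. A small model of which cookies a
// page script (document.cookie) can read. Hosts and cookies are constructed;
// Path matching is omitted for brevity.

function make_cookie($name, $set_by_host, $domain_attr, $secure, $http_only) {
    // No Domain attribute: "host-only" cookie, belongs to the exact host that
    // set it. With Domain=example.test it also matches subdomains.
    return array(
        'name'      => $name,
        'domain'    => ($domain_attr === '') ? $set_by_host : ltrim($domain_attr, '.'),
        'host_only' => ($domain_attr === ''),
        'secure'    => $secure,
        'http_only' => $http_only,
    );
}

function domain_matches($page_host, $cookie) {
    if ($cookie['host_only']) {
        return $page_host === $cookie['domain'];
    }
    $suffix = '.' . $cookie['domain'];
    return $page_host === $cookie['domain']
        || substr($page_host, -strlen($suffix)) === $suffix;
}

// True if a script running on $scheme://$page_host can read $cookie.
function script_can_read($cookie, $page_host, $scheme) {
    if ($cookie['http_only']) {
        return false;                 // never exposed to document.cookie
    }
    if ($cookie['secure'] && $scheme !== 'https') {
        return false;                 // Secure cookies stay off http: pages
    }
    return domain_matches($page_host, $cookie);
}

$cookies = array(
    // Session cookie set by the application: host-only, HttpOnly, Secure.
    make_cookie('QMSESSID', 'www.example.test', '', true, true),
    // Preference cookie shared across the site through a Domain attribute.
    make_cookie('theme', 'www.example.test', '.example.test', false, false),
    // Third-party cookie set by a different host entirely.
    make_cookie('trk', 'ads.tracker.test', '', false, false),
);

$pages = array(
    array('https', 'www.example.test'),
    array('https', 'mail.example.test'),
    array('http',  'www.example.test'),
    array('https', 'evil.test'),
);

foreach ($pages as $p) {
    list($scheme, $host) = $p;
    $visible = array();
    foreach ($cookies as $c) {
        if (script_can_read($c, $host, $scheme)) {
            $visible[] = $c['name'];
        }
    }
    printf("script on %s://%s sees: %s\n", $scheme, $host,
           $visible ? implode(', ', $visible) : '(nothing)');
}
```

The session cookie QMSESSID is invisible to every page in the table, including the application's own, which is the point of setting HttpOnly on it: a cross-site scripting bug on the site can still act as the user from inside the page, but it cannot copy the session identifier out. The third-party cookie trk never shows up on example.test pages because its host does not match, which is the same-domain rule the message describes. In PHP the session cookie's flags are set with session_set_cookie_params() before session_start().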
On 06/12/2015 01:01 PM, Gordon Messmer wrote:
Javascript can use CSS attributes to see if you've visited a specific URL, which is unfortunate, but that's a long way from saying that your history is an open book. Javascript cannot directly access your history. A script cannot enumerate all of the sites you've visited, it can only test specific, complete URLs.
As far as cookies go, you're even further from the truth. A script can only access cookies whose domain matches the origin of the script.
Why do you make such statements without knowing the intrinsics??? How in tarnation do you explain this: http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com
Malware is installed where it can be executed. Since that is the case, what makes you think JS cannot access your browsing history??
On 06/13/2015 12:11 PM, jd1008 wrote:
Why do you make such statements without knowing the intrinsics??? How in tarnation do you explain this: http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com
That site doesn't say anything about Java or Javascript. Or cookies for that matter. You're connecting unrelated things.
There are flaws in software. It's probably safe to say "all software" since we can't really prove otherwise. Browsers are software. Software flaws in browsers may be used to cause the download and execution of malware. That is not, however, an indication that Java or Javascript "allow" access to the filesystem or cookies. They do not. At least, not any more than images do. Several browser bugs have allowed code execution as a result of malformed images. Do you also disable image rendering in your browser? The justification for both is the same: bugs might allow arbitrary execution of code.
Malware is installed where it can be executed. Since that is the case, what makes you think JS cannot access your browsing history??
You're connecting unrelated things.
On 06/12/2015 01:40 PM, Gordon Messmer wrote:
That site doesn't say anything about Java or Javascript. Or cookies for that matter. You're connecting unrelated things.
There are flaws in software. It's probably safe to say "all software" since we can't really prove otherwise. Browsers are software. Software flaws in browsers may be used to cause the download and execution of malware. That is not, however, an indication that Java or Javascript "allow" access to the filesystem or cookies. They do not. At least, not any more than images do. Several browser bugs have allowed code execution as a result of malformed images. Do you also disable image rendering in your browser? The justification for both is the same: bugs might allow arbitrary execution of code.
Malware is installed where it can be executed. Since that is the case, what makes you think JS cannot access your browsing history??
You're connecting unrelated things.
No!! I am not connecting unrelated things. Noscript shows you the NAME (ostensibly the domain name from which it comes) of the javascript. Many websites and even internet providers push javascripts from other domains.
But, feel free to allow it on all of your browsing.
On Fri, Jun 12, 2015 at 01:50:13PM -0600, jd1008 wrote:
No!! I am not connecting unrelated things. Noscript shows you the NAME (ostensibly the domain name from which it comes) of the javascript. Many websites and even internet providers push javascripts from other domains.
But, feel free to allow it on all of your browsing.
I think this thread has reached the point where we can all agree that it isn't really CentOS related anymore.
I think we're at the point where we're beating a dead horse.
On 6/13/2015 12:11 PM, jd1008 wrote:
How in tarnation do you explain this: http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com
I see nothing there but a list of the status of that specific domain, which google has analyzed from their spidering activity, there's nothing there related to my web browser status or history or whatall.
so whats your point?
here's what I got from that URL for reference:
Safe Browsing
/Diagnostic page for/googleusercontent.com
*What is the current listing status for googleusercontent.com?*
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 370 time(s) over the past 90 days.
*What happened when Google visited this site?*
Of the 4006663 pages we tested on the site over the past 90 days, 3446 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-06-12, and the last time suspicious content was found on this site was on 2015-06-12.
Malicious software includes 18440 exploit(s), 12470 trojan(s), 2399 scripting exploit(s).
Malicious software is hosted on 13 domain(s), including powerade.com.ar/ http://www.google.com/safebrowsing/diagnostic?site=powerade.com.ar/, douglas.de/ http://www.google.com/safebrowsing/diagnostic?site=douglas.de/, maxtraffic.com/ http://www.google.com/safebrowsing/diagnostic?site=maxtraffic.com/.
This site was hosted on 1 network(s) including AS15169 (GOOGLE) http://www.google.com/safebrowsing/diagnostic?site=AS:15169.
*Has this site acted as an intermediary resulting in further distribution of malware?*
Over the past 90 days, googleusercontent.com appeared to function as an intermediary for the infection of 9 site(s) including startbusinesscoaching.com.au/ http://www.google.com/safebrowsing/diagnostic?site=startbusinesscoaching.com.au/, crpcoutreach.blogspot.com/ http://www.google.com/safebrowsing/diagnostic?site=crpcoutreach.blogspot.com/, businesscoachinstitute.com.au/ http://www.google.com/safebrowsing/diagnostic?site=businesscoachinstitute.com.au/.
*Has this site hosted malware?*
Yes, this site has hosted malicious software over the past 90 days. It infected 1206 domain(s), including v4download.com/ http://www.google.com/safebrowsing/diagnostic?site=v4download.com/, vfastdownload.com/ http://www.google.com/safebrowsing/diagnostic?site=vfastdownload.com/, downloadmee.com/ http://www.google.com/safebrowsing/diagnostic?site=downloadmee.com/.
*Next steps:*
* Return to the previous page. http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com#
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools http://www.google.com/webmasters/tools/. More information about the review process is available in Google's Webmaster Help Center http://www.google.com/support/webmasters/bin/answer.py?answer=45432.
On 06/12/2015 01:01 PM, Gordon Messmer wrote:
Javascript can use CSS attributes to see if you've visited a specific URL, which is unfortunate, but that's a long way from saying that your history is an open book. Javascript cannot directly access your history. A script cannot enumerate all of the sites you've visited, it can only test specific, complete URLs.
As far as cookies go, you're even further from the truth. A script can only access cookies whose domain matches the origin of the script.
Your final line is not true.
On Sat, Jun 10, 2062 at 01:16:03PM -0600, jd1008 wrote:
On 06/12/2015 01:01 PM, Gordon Messmer wrote:
As far as cookies go, you're even further from the truth. A script can only access cookies whose domain matches the origin of the script.
Your final line is not true.
Its technically true, however, XSS attacks can get around that restriction, which is why you saw so much malware posted on a site like googleusercontent.com. Sites that allow users to upload content are always being used to host malware for XSS attacks. But you still need to be visiting a site with the same domain as the cookie, and load a compromised page. Plus, if you use HttpOnly cookies, you have to go through even more complex XSS exploits to get at the cookie, since they aren't accessible through the DOM model.
But as designed, Cookies are meant only to be used by scripts from the same domain as the one that set the cookie.
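Jonathan's point about HttpOnly is the one a server operator can act on directly: the attribute is set in the Set-Cookie response header, and a cookie that carries it is never exposed through the DOM, so an injected script cannot read it even when the XSS lands on the cookie's own domain. The following is an added example, not code from the thread or from any project named in it: a small audit of Set-Cookie headers for the attributes that limit what an injected script can reach, plus a builder for a header that passes the audit. The sample headers and the `__Host-`-prefixed name it emits are constructed for the example; `__Host-` is a real cookie-name prefix that makes the browser itself reject the cookie unless Secure is set, Path is `/` and no Domain attribute is present.

```javascript
// Added example, not code from the thread: audit Set-Cookie response
// headers for the attributes that limit what script injected via XSS can
// reach. HttpOnly keeps the cookie out of document.cookie entirely; Secure
// and SameSite limit where the browser will send it; a Domain attribute
// shares it with every subdomain. SAMPLE_HEADERS are constructed samples.
// Runs offline under Node.js.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');            // only the first "=" splits name/value
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq).trim() : pair,
    value: eq >= 0 ? pair.slice(eq + 1).trim() : '',
    httpOnly: false,
    secure: false,
    sameSite: null,   // null when the attribute is absent
    domain: null,     // null means host-only (no Domain attribute)
    path: '/',
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    const val = i >= 0 ? attr.slice(i + 1).trim() : '';
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = val.toLowerCase();
    else if (key === 'domain') cookie.domain = val.toLowerCase().replace(/^\./, '');
    else if (key === 'path') cookie.path = val || '/';
  }
  return cookie;
}

// Returns short finding codes; an empty array means the header passes.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('no-httponly');        // readable via document.cookie
  if (!c.secure) findings.push('no-secure');            // also sent over plaintext HTTP
  if (c.sameSite === null) findings.push('no-samesite');
  else if (c.sameSite === 'none') findings.push('samesite-none');
  if (c.domain !== null) findings.push('shared-subdomains'); // every subdomain can read it
  // A __Host- cookie that violates the prefix rules is silently dropped by browsers.
  if (c.name.startsWith('__Host-') && (c.domain !== null || c.path !== '/' || !c.secure)) {
    findings.push('bad-host-prefix');
  }
  return findings;
}

// Builds a header that passes the audit above. Hypothetical helper name.
function hardenedSetCookie(name, value) {
  return `__Host-${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample headers: one hardened, one wide open, one cross-site.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=dark; Path=/; Domain=example.com',
  'track=xyz; Path=/; Secure; SameSite=None',
];

for (const h of SAMPLE_HEADERS) {
  console.log(`${h}\n  -> ${JSON.stringify(auditSetCookie(h))}`);
}
const hardened = hardenedSetCookie('session', 'abc123');
console.log(`${hardened}\n  -> ${JSON.stringify(auditSetCookie(hardened))}`);
```

HttpOnly stops a script from reading the cookie value; it does not stop a script running on the same site from making requests that the browser will attach the cookie to, so it narrows an XSS from "steal the session" to "act within the session" rather than closing it, and the fix for the injection itself is still output encoding and a content security policy.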
On Fri, Jun 12, 2015 at 03:43:11PM -0400, Jonathan Billings wrote:
Its technically true, however, XSS attacks can get around that restriction, which is why you saw so much malware posted on a site like googleusercontent.com. Sites that allow users to upload content are always being used to host malware for XSS attacks. But you still need to be visiting a site with the same domain as the cookie, and load a compromised page. Plus, if you use HttpOnly cookies, you have to go through even more complex XSS exploits to get at the cookie, since they aren't accessible through the DOM model.
I should add that the exploits are constantly being addressed by both Web Browser developers as well as developers of extensions like NoScript. Its an arms race.
On Sat, 2015-06-13 at 12:11 -0600, jd1008 wrote:
For example, all browsers execute the javascript called googleusercontent.com
Please read this page: http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com
In FF I use Ad Block Plus to block the world's biggest spying operation, Google. Currently 11 Google sites from google-analytics.com to googleusercontent.com
Aware Mozilla get vast millions of USD from Google, now probably exceeding $100m, I don't use snooping and recording 'safe browsing' from Google either.
On Fri, June 12, 2015 3:09 pm, Always Learning wrote:
In FF I use Ad Block Plus to block the world's biggest spying operation, Google. Currently 11 Google sites from google-analytics.com to googleusercontent.com
Aware Mozilla get vast millions of USD from Google, now probably exceeding $100m, I don't use snooping and recording 'safe browsing' from Google either.
As I already said, guys, do check tor project website:
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Always Learning wrote:
In FF I use Ad Block Plus to block the world's biggest spying operation, Google. Currently 11 Google sites from google-analytics.com to googleusercontent.com
Aware Mozilla get vast millions of USD from Google, now probably exceeding $100m, I don't use snooping and recording 'safe browsing' from Google either.
Yeah. I never enable google-analytics. When I want to see a website that's got a ton of inclusions, I selectively temporarily enable only what I think I'll need (which of those stupid things has the text? which the pic?), and when you enable disqus, for example, *then* you have to reopen noscript, because only then in disquscdn visible. Annoyances, but... and I never enable the ads.
mark
On Fri, 2015-06-12 at 16:28 -0400, m.roth@5-cent.us wrote:
Yeah. I never enable google-analytics. When I want to see a website that's got a ton of inclusions, I selectively temporarily enable only what I think I'll need (which of those stupid things has the text? which the pic?), and when you enable disqus, for example, *then* you have to reopen noscript, because only then in disquscdn visible. Annoyances, but... and I never enable the ads.
I avoid most advertisements in FF, including those on Ebay, by using Ad Block Plus :-)
On 06/13/2015 09:55 AM, jd1008 wrote:
The most offensive problems of using browsers is that they do not tell you nor ask your permission when javascripts spy on your entire storage contents.
Neither javascript nor Java applets can access the local filesystem. Applets launched by JNLP can do so, but that involves a pop-up that asks the user's permission.
He said the "sandbox" is the entire storage on your computer.
Misunderstandings do happen in natural language.
On 06/12/2015 12:58 PM, Gordon Messmer wrote:
Neither javascript nor Java applets can access the local filesystem. Applets launched by JNLP can do so, but that involves a pop-up that asks the user's permission.
He said the "sandbox" is the entire storage on your computer.
Misunderstandings do happen in natural language.
NOP!! He stated NO misunderstanding. I think you are simply repeating what you have learned NOT by actually knowing the code and implementation the way the developer of the product knew it. Your info is both dated and part of the marketing blurbs.
Question: 2 marketing execs are talking with each other. Which one of them is lying?
ANS: The one whose lips are moving.
On 06/13/2015 12:07 PM, jd1008 wrote:
I think you are simply repeating what you have learned NOT by actually knowing the code and implementation the way the developer of the product knew it. Your info is both dated and part of the marketing blurbs.
So the published security model of two different Free Software languages is flawed, and no security researchers are publishing that?
On 06/12/2015 01:27 PM, Gordon Messmer wrote:
So the published security model of two different Free Software languages is flawed, and no security researchers are publishing that?
Look, believe what you wish :) Sleep tight. :)
I lose no sleep at all :)
On Sat, 2015-06-13 at 10:55 -0600, jd1008 wrote:
The most offensive problems of using browsers is that they do not tell you nor ask your permission when javascripts spy on your entire storage contents. I had asked a java developer at Sun Microsystems about what Sun means when it says that Java runs in a sandbox? Just what is the sandbox? I also asked if browsers that execute javascripts are restricted to this notion of a sandbox that does not leak out into the rest of the system.
He said the "sandbox" is the entire storage on your computer.
Enough said.
It is my understanding that Java and Javascript are different; that Java is dangerous whilst Javascript is (hopefully) harmless.
On Fri, June 12, 2015 2:56 pm, Always Learning wrote:
It is my understanding that Java and Javascript are different; that Java is dangerous whilst Javascript is (hopefully) harmless.
Not necessarily. Both of them are an execution of somebody else's code on your computer. One (java) may be considered running with a [much] more sophisticated interpreter. Another (javascript) by its nature has to be less sophisticated code, running with different interpreters written independently by each browser vendor (even though they all are javascript interpreters, they differ grossly).
But the bottom line is the same: in both cases you are executing somebody else's code on your computer.
Valeri
-- Regards,
Paul. England, EU. England's place is in the European Union.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 6/12/2015 1:03 PM, Valeri Galtsev wrote:
But the bottom line is the same: in both cases you are executing somebody else's code on your computer.
your computer is *ALWAYS* executing someone else's code, unless you wrote every line of code in it, including the BIOS and the firmware of all the attached devices.
On Fri, June 12, 2015 3:20 pm, John R Pierce wrote:
your computer is *ALWAYS* executing someone else's code, unless you wrote every line of code in it, including the BIOS and the firmware of all the attached devices.
Indeed. What was never mentioned in this thread is a chain of trust. The level of trust to what you get from your system vendor, software vendors (be they open source or proprietary) may be quite different from the level of trust to what you get when clicking on some web link inside some search page, or on some website (even if you visit the website often).
So, it is all about whom and what do you trust, and to what level can you afford to trust, and whether you are able to track the software code to the code origin.
This all was what I implied when I said that short phrase which may look ridiculous if taken literally - exactly as you pointed out - but may make sense if you take into account the chains of trust involved.
Valeri
On 06/12/2015 02:32 PM, Valeri Galtsev wrote:
Indeed. What was never mentioned in this thread is a chain of trust. The level of trust to what you get from your system vendor, software vendors (be they open source or proprietary) may be quite different from the level of trust to what you get when clicking on some web link inside some search page, or on some website (even if you visit the website often).
So, it is all about whom and what do you trust, and to what level can you afford to trust, and whether you are able to track the software code to the code origin.
This all was what I implied when I said that short phrase which may look ridiculous if taken literally - exactly as you pointed out - but may make sense if you take into account the chains of trust involved.
Valeri
The more you know, the less you trust :) :) Read the article: http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-crea...
On Fri, June 12, 2015 3:54 pm, jd1008 wrote:
The more you know, the less you trust :) :) Read the article: http://www.kaspersky.com
Please, don't advertise Kaspersky here, especially when we are talking about trust. He is a KGB guy (is, not was; the only way they retire from KGB, CIA, MI-5, and others is dead, feet first dead).
Valeri
On 06/12/2015 03:05 PM, Valeri Galtsev wrote:
Please, don't advertise Kaspersky here, especially when we are talking about trust. He is a KGB guy (is, not was; the only way they retire from KGB, CIA, MI-5, and others is dead, feet first dead).
Valeri
I am not advertising, so please do not accuse anyone of this! Just citing evidence that infiltration of spyware and malware is far more sophisticated than anyone knew.
On Fri, June 12, 2015 4:16 pm, jd1008 wrote:
I am not advertising, so please do not accuse anyone of this! Just citing evidence that infiltration of spyware and malware is far more sophisticated than anyone knew.
Sorry if it sounded like that: didn't mean it to sound like accusation... I'm not native English speaker, you know ;-)
Valeri
On 06/12/2015 04:05 PM, Valeri Galtsev wrote:
Sorry if it sounded like that: didn't mean it to sound like accusation... I'm not native English speaker, you know ;-)
Valeri
Forgiven and forgotten :)
On Fri, 2015-06-12 at 14:54 -0600, jd1008 wrote:
The more you know, the less you trust :) :) Read the article: http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-crea...
Seems their concerns relate to Micro$oft Windoze systems. Luckily I use superior Centos :-)
On 06/13/2015 08:54 AM, jd1008 wrote:
The more you know, the less you trust :) :) Read the article: http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-crea...
Gotta love a page that asserts dozens of alarming things with no examples, references or links to further reading; on top of that, my understanding is that the principals of this domain are (ex) KGB agents. Incendiary writing designed to create fear and angst.
On 6/13/2015 12:15 AM, Rob Kampen wrote:
Gotta love a page that asserts dozens of alarming things with no examples, references or links to further reading; on top of that, my understanding is that the principals of this domain are (ex) KGB agents. Incendiary writing designed to create fear and angst.
standard operating procedures in the (in)Security business.
On Sat, June 13, 2015 10:54 am, John R Pierce wrote:
On 6/13/2015 12:15 AM, Rob Kampen wrote:
Gotta love a page that asserts dozens of alarming things with no examples, references or links to further reading; on top of that, my understanding is that the principals of this domain are (ex) KGB agents.
As I said about these services here (KGB, CIA, MI-6, ...) there is no "ex" for their agents. The only way one retired from these organizations is dead, feet first dead.
Incendiary writing designed to create fear and angst.
standard operating procedures in the (in)Security business.
Precisely!
Valeri
-- john r pierce, recycling bits in santa cruz
On Jun 12, 2015, at 1:56 PM, Always Learning centos@u64.u22.net wrote:
It is my understanding that Java and Javascript are different;
They’re as different as India and Indiana.
Java is dangerous whilst Javascript is (hopefully) harmless.
That’s a pretty unsophisticated way to look at it.
*Ideally*, Java is quite safe. It was designed with security in mind, and browser Java is much more tightly constrained in terms of what it can do than desktop, server, or embedded/mobile Java.
Yet, there’s been a continuous stream of security updates to Java for the past 20 years, with no reason to believe this will slow down. Why?
The big problem is those four major use scenarios for Java, all handled by one runtime. We keep finding ways for browser Java to do things that should only be possible in one of the other scenarios.
If you trust the source of a Java applet, it’s probably fine to run it. But, I wouldn’t enable Java in the browser if you don’t know for a fact that you need it. Whitelists are probably the best ultimate solution, short of getting rid of Java entirely.
As for JavaScript, there isn’t too much harm you can do with it directly. It doesn’t have all that desktop, enterprise, mobile, and embedded stuff built into it as with Java, so it doesn’t have to try to wall all of that off.
The main point of blocking JavaScript is that it throws a spike strip in the path of many other types of attacks. For instance, a Flash exploit often relies on some JS probing code to run before it can run, so blocking JS provides a second layer of protection while you’re waiting for Adobe to get around to patching the Flash plugin.
There is some minor evil possible directly from JavaScript. Some examples:
* The original popup problem is largely solved, but now it’s resurfacing as main-page takeover ads. Block JS and you generally block these, too.
* A script can probe your surfing history by dynamically generating hyperlinks in a hidden browser DOM, then checking how the browser styled those elements to infer whether you’ve clicked on that URL before. It’s a brute-force kind of thing, so it’s not too serious in practice, but it is a privacy leak.
On Fri, 2015-06-12 at 14:38 -0600, Warren Young wrote:
The main point of blocking JavaScript is that it throws a spike strip in the path of many other types of attacks. For instance, a Flash exploit often relies on some JS probing code to run before it can run, so blocking JS provides a second layer of protection while you’re waiting for Adobe to get around to patching the Flash plugin.
Never had Flash (Macromedia or Adobe) on any computer system - Windoze 3, 95's and 98 (my last) or on Centos. Prefer to miss something requiring Flash. Now FF 38 has HTML5, I can view YouTube for the first time ever. Other European countries official sites seem to use MP4 which FF's mplayer add-on displays.
There is some minor evil possible directly from JavaScript. Some examples:
- A script can probe your surfing history by dynamically generating hyperlinks in a hidden browser DOM, then checking how the browser styled those elements to infer whether you’ve clicked on that URL before. It’s a brute-force kind of thing, so it’s not too serious in practice, but it is a privacy leak.
History, cookies etc. are deleted every time FF closes. Whilst FF is running they are on a RAM disk.
Thanks for the input.