Check your Windows 10 block settings

Page 5 of 5  
| Well, I'm not concerned beyond what I can reasonably control. | And most people are aware of these "privacy issues." | Mayanaya presumes everybody who uses Win10 is a dope. | Anyway, that's my impression. Could be wrong.
Most people are not aware of these issues. That's the point. It's none of my business if you don't mind Windows calling home with your data, but that's not what you said. You said any such concern was BS. So who's calling who a dope?
Another aspect, for me, is frustration with where things are going. Not because I hate MS but because I love Windows. I got into computers late - 1998. To me it seemed that Windows was like a fun car. Macs were an overpriced car with the hood welded shut and limited tools. And Linux was like a do-it-yourself car kit. At the time, most of the software was for Windows. Microsoft encouraged people to learn Windows and provided tools at all levels. I taught myself Windows programming, made some money and had a lot of fun. I've written software for myself, which would be a much bigger challenge on Apple or Linux. But since Win2000/ME I've watched as the system gradually gets locked down and turned into interactive cable TV. In the car analogy, what's happening is that they're ceasing the sales of cars and trying to replace existing cars with taxis. It's approaching a time when the only software that people will be able to write for Windows will be phone/tablet style trinket apps. So-called universal (Metro) apps. Not being able to control one's own data is part of the transition, just as there's little option to control what Apple collects on an iPhone because there's no control over the iPhone OS.
It's not only Microsoft, by any means. Apple, Facebook, Microsoft, Amazon and Google are all trying to grab the whole pie. All except Facebook are approaching it with multiple devices, apps, social connections and shopping. They're each trying to suck in as many customers as possible to a new version of the AOL walled garden. The special tragedy with Windows is that it has been, and can be, so much more. Google is thoroughly corrupt. Apple has always controlled their devotees. Amazon is trying for a total retail monopoly, accessed in large part through Kindles and phones, and will undoubtedly jack up their prices if they ever achieve it. Only Microsoft, until relatively recently, wasn't trying to own their customers. They were simply selling good tools. Most of their customers have been business and those customers demanded computers as functional tools for which they can write custom, inhouse software.
All I want is a decent computer that I control myself. I'd be less bothered by people who choose shopping TV, frankly, if a straight computer was also still an easy option. But that's becoming an increasingly complex challenge. The AOL walled garden is not an offering. It's a sneaky strategy. The complexity of settings and actions required just to prevent Win7 being overwritten by Win10 is a good example. Even Ubuntu Linux has stooped to ads and spyware:
https://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do
Remember when AOL was the thing? I was using a friend's Mac at the time. New to computers, I'd heard about the famous Internet but couldn't seem to find it. I just kept going in circles between AOL chat groups, credit card offers, games, shopping.... I asked a friend in tech support: Where is this famous Internet? He had to guide me through the steps to sneak out the back door of AOLs obnoxious arcade and onto the open Web, where I was actually free to visit any website. :)
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 10/17/2015 7:57 PM, Mayayana wrote:

Run <whateverOS> in a VM under <whateverOTHERos>. But, aren't you trading one "walled garden" for another in the process? How much are you willing to pay (in lack of convenience) for that?
E.g., none of my machines talks to the outside world (save this one). This means I don't have to worry about "security flaws", proprietary/private data leaking out, hostile interactions (even failed actions can be costly; e.g., DoS).
But, it also means that when I want to send/receive email, I must get my *ss out of one chair and find my way to *this* chair. When I want to upgrade the MS machines, I must "manually" download those updates -- then sneakernet them over to the appropriate machines.
I can't video conference with clients -- OTOH, I *can't* video conference with clients! :> And, never have to worry about whether the lens cap is on the camera, or not!
When doing research, if I find an interesting object, I can't just query my reference archive to see if I already *have* a copy of the item; instead, I have to jot down the name of the item and move to another "internal" machine to perform that check. Then, come back, here, to actually *get* the item (if I don't already have it) and, once again, sneakernet it back to insert it into the archive.
We do our banking and online purchases on an "immutable" laptop; one that essentially has a "write protected" hard disk. So, never any fear of a "persistent" infection. But, that means we can't (easily) *save* anything on that machine, either!
So, my machines *are* (and will remain) "under my control". It's just that I now *have* to control them! :-/
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| Run <whateverOS> in a VM under <whateverOTHERos>. | But, aren't you trading one "walled garden" for another | in the process? How much are you willing to pay | (in lack of convenience) for that? |
I'm not. As far as I'm concerned, VMs are for the birds, except maybe for fulltime software testing.
| E.g., none of my machines talks to the outside world | (save this one).... | We do our banking and online purchases on an "immutable" laptop;
That sounds like a well planned solution, but it wouldn't work for me. Too much hassle. Most things I do involve going online. Even if I'm editing a photo or writing software, it's not unusual to want to look something up. I don't want multiple machines any more than I want VMs.
With banking, I just don't do it online. I take the approach of operating safely when online and avoiding banking, shopping, etc. Those things simply can't be made safe. Even with a read-only laptop you still risk things like man-in-the-middle attacks in your connection to the bank.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 10/18/2015 7:39 AM, Mayayana wrote:

VM's are an excellent way of supporting multiple machine configurations without trying to cram everything into a single physical machine. In hindsight, I wish I had implemented each of my workstations as a *set* of VM's instead of trying to get several dozen large apps to "play well" together.
I also use VM's to support legacy OS's without having to worry about finding a "vintage" driver that will work on *modern* hardware.

Very little hassle. If you want to save something, you save it to a thumb drive (we save copies of statements to a thumb drive as a matter of course -- so they are available even if a computer crashes OR we have to leave the house in an emergency -- and can't bother grabbing a computer to drag along our financial records!). Or, you set up a "persistent" portion of the disk (e.g., a "D:") that you can use for that purpose.
The point is, no "software" (or settings governing its operation) ever gets changed on the machine.
In the future, I'll install Flash on that machine for those few times SWMBO "needs" to view some Flash presentation (yet don't want to risk supercookies)

I simply could not operate with fewer machines -- let alone the redundancy issue. I have far too many (big) apps that would be tedious to get -- and KEEP -- to play together well. And, too much risked "repair time" when/if something got munged.
And, no way I want to multiboot Solaris, FreeBSD/NetBSD and Windows and *hope* the machine stays in a consistent state.

Then you limit yourself to the range of banks (and other institutions) with which you can operate. And, your choices will diminish, over time.
[I've had to close several accounts in recent years when they changed the terms to effectively push me to access my statements, etc. "on line"]
"Operating safely" is almost impossible. Too many drive-by attacks -- even on big "well known" sites. Hence the approach of getting the machine into a known, safe state and ensuring that it can't be changed from that state.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| > With banking, I just don't do it online. I take | > the approach of operating safely when online | > and avoiding banking, shopping, etc. Those things | > simply can't be made safe. Even with a read-only | > laptop you still risk things like man-in-the-middle | > attacks in your connection to the bank. | | Then you limit yourself to the range of banks (and other | institutions) with which you can operate. And, your choices | will diminish, over time. |
I pay $1/month for a paper statement. I doubt very much that I won't be able to get a statement any time soon. Even if they didn't mail it, one can go into any bank for a printout as desired. Doing risky things online because I *might* have to someday is not a good reason to me.
| "Operating safely" is almost impossible. Too many drive-by | attacks -- even on big "well known" sites. Hence the approach | of getting the machine into a known, safe state and ensuring that | it can't be changed from that state.
You sound like you know what you're doing, so I wouldn't be inclined to tell you that you should change, but my way also works. Nearly all possible online attacks require javascript. Most of those also use secondary vulnerabilities, such as iframes or Flash. I rarely enable script online. When I do, I do it in Firefox with NoScript, to limit the exposure. I don't have AV or malware hunter software. And I've never had a malware problem of any kind.
I wouldn't recommend that approach to everyone. People who don't want to learn the basics and do want to access the Internet as "consumers", with extensive functionality to shop, play games, bank, Facebook, etc will need AV. But my way, understanding the risks and disabling script, is far safer than the person with all the latest patches and AV, but who enables script online. There's simply no way to make that safe.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 10/18/2015 11:38 AM, Mayayana wrote:

You're lucky. I've closed accounts when each notified me that they wanted $8.95/month to mail me a single sheet of paper with 1, 2 or, at most, *3* transactions on it! Note that one of the banks was 1500 miles from here -- so its not a "local phenomenon".

Do you own any securities? Do any "trading"?

If you look at the history of vulnerabilities, you'd realize that's not the case. Buffer overflow exploits are still common -- despite EVERYONE knowing about this sort of potential problem (yet continuing to write NEW code that has the same flaws).
Are *all* inbound ports on your machine closed? Have a look at "Shield's Up": <https://www.grc.com
Do you "NAT" your connections? Use a STATEFUL firewall?
Ever download/open a PDF?     <http://securityxploded.com/pdf_vuln_exploits.php Open a JPG?     <https://www.f-secure.com/v-descs/ms04-028.shtml Maybe a video (MP4)?     <http://www.hacking-tutorial.com/hacking-tutorial/hacking-tutorial-windows-xp-sp3-using-adobe-flash-player-mp4-vulnerability/ Or, perhaps, music (MP3)?     <http://www.gnucitizen.org/blog/backdooring-mp3-files/
I.e., any piece of code that can be coerced into "processing" foreign data represents an attack surface. In the past, JPG's have been used to inject malware, malformed URL's

We don't run AV, here as it takes to big a hit on the machine's performance, requires constant updates (sometimes *introducing* bugs/false positives in the process), etc.
We practice "safe computing" -- much to SWMBO's dismay (as she isn't allowed to view much of the cruft her friends send to her as "funny links"). Periodically, I take the machine down and mount the disk as a sercondary drive so I can scan it with a current AV release -- just for peace of mind ("Nothing found so we've been well behaved")
Of course, the machine is only useful to a hacker as a point from which to possibly launch another attack -- there's nothing *here* worth stealing or "snooping"!

Having NoScript block all domains, here, means I often have to take several attempts to view a site -- successively enabling more and more domains until the site "appears" to work. Some sites are very deliberate in refusing to work without Jscript enabled. Some refuse to work without Flash.
Each of these represents an inconvenience to me. But, as most of the sites that I am interested in are highly technical, I can put up with these occasional inconveniences.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| > I pay $1/month for a paper statement. I doubt | | You're lucky. I've closed accounts when each notified me that | they wanted $8.95/month to mail me a single sheet of paper | with 1, 2 or, at most, *3* transactions on it! Note that | one of the banks was 1500 miles from here -- so its not | a "local phenomenon". |
TD Bank. And they're open on Sundays, too. :) I'm not sure I even want to know why you have numerous bank accouts on the other side of the country. :)
| Do you own any securities? Do any "trading"? |
No. I'm not a gambler. Frankly I think straight gambling on the stock market should be illegal, with something like a 90 day minimum period that stocks would have to be held and no option for buying options, which are merely bets. Then people would be investing in companies rather than just a big, glorified gambling hall.
| > You sound like you know what you're doing, so I | > wouldn't be inclined to tell you that you should change, | > but my way also works. Nearly all possible online attacks | > require javascript. | | If you look at the history of vulnerabilities, you'd realize that's | not the case. Buffer overflow exploits are still common -- despite | EVERYONE knowing about this sort of potential problem (yet | continuing to write NEW code that has the same flaws). |
Buffer overflows require executable code. The point is to go back to what the Web was meant to be: A resource that can be accessed. Not remote software. However you look at it, nearly all risks online require script. It's true that there has been at least one issue with JPGs. That was actually a vulnerability in gdiplus.dll, the Windows extended graphics library. There was also once an issue with EMF files. It's not impossible to face a vulnerability with script disabled, but it's *very* unlikely. With script enabled, on the other hand, you're a sitting duck.
PDF exploits, as well as Flash, are also script issues. The MP4 bug you link to is a Flash problem. Likewise, the MP3 bug you linked to is with script in iTunes. What you're talking about is all executable code. The point is to get executable code out of the browser. Don't use Adobe crap at all. Don't enable script. Don't install Java. Don't run videos and music in browser plugins like Flash. Don't enable script in your PDF viewer. (For me this is easy. I don't like things moving on webpages while I'm trying to read. If I want to see a video I'll download it, so I can save a copy, and play it in VLC. If I can't download it I can't be bothered. I'm not going to sit around "watching TV" on my monitor.)
| Having NoScript block all domains, here, means I often | have to take several attempts to view a site -- successively | enabling more and more domains until the site "appears" | to work. Some sites are very deliberate in refusing to work | without Jscript enabled. Some refuse to work without Flash. |
Yes. I guess it depends a lot on what sites you visit. I have noticed lately that more sites design to break without script. Maybe not all deliberately. The code has gotten to be such a mess that it's hard to tell. I don't use highly interactive sites, so I've never needed Flash. I've never even had it installed. And fortunately it's being phased out.
One of the increasing problems I've seen is kiddie sites hosted by Wix and Squarespace. They get small business people to set up sites for free or cheap. It's all a very simple, drag-drop-and-choose-options kind of operation. People think it's clever that they made their own site. But the pages are actually pseudo-JSON muck that directs the loading of the page from the Wix or Squarespace server. It's completely broken without script. The nasty thing about it is that it breaks because it's using client- side processing to put the page together. PHP and ASP would work just fine server-side, but Wix and Squarespace are cutting corners.
I was looking at a site yesterday by some very talented designers and engineers. Heatherwick.com. Their website is a mess, with the noscript code inside script blocks! These people are award winning designers with big gallery shows, yet they can't build a website with the most basic functionality.
Another one I've noticed recently is Forbes.com. I used to go there sometimes for news. Now there's actually no webpage at all. Their pages are either built from script or hide the content inside script. They're actually, in some cases, embedding the entire HTML string inside script variables! That's so idiotic and wasteful that it can only be a case of trying to make their site break without script.
It's got so bad, and some of the script I see is so bizarre and convoluted, that I recently wrote a tool to sort it out:
http://www.jsware.net/jsware/scrfiles.php5#jsdeob
It's only for people who are familiar with webpage coding, but I find it can come in handy sometimes.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 10/18/2015 4:13 PM, Mayayana wrote:

I have lived in many places. It is usually more convenient to leave an existing account <someplace> open until I can get a new account <somewhere_else> established. And, when they WERE mailing paper statements, there was virtually no cost to me to KEEP those accounts open (most of my accounts have had strict check-writing constraints -- like 3 per month). So, an extra account would let me handle extra transactions, etc.
I know I had to maintain an account in CT for the tax man (consultants' time has sales tax applied so they want someplace to find you to *get* that tax!)

+42
I can't see how anyone would consider the "1 year" time limit to qualify for LONG term gains to really be indicative of "an investment" (vs. a gamble).

Yes -- the code in your browser or "helper applications" that it invokes.

The exploits I mentioned previously don't require any "remote software" to be executed from the 'net. *But*, as each of these non-ASCII-text files requires something to *interpret* their contents (as a photograph, audio clip, video clip, etc.) then those non-ASCII-text files are, essentially, *programs*! They control the behavior of their respective "decoders" when you apply those decoders to those files.
Bugs in those decoders can thus be exploited to compromise the machine on which the decoders are executing. This is because Windows (and virtually all other desktop OS's) applies the full capabilities of the invoking user to any program (e.g., the decoder) running on his/her behalf! There is no way to limit what a particular program can/can't do -- other than HOPING the program itself "behaves well".
A "capability-based" OS doesn't have this inherent limitation. E.g., I can let *you* write a hostile program and install it on my system. But, no matter how hard your program tries, it won't be able to do anything that I haven't explicitly allowed it to do. No need for you to be scribbling in the Registry -- or even *looking* at it; no need for you to be pushing packets out a network connection; no need for you to be installing any files; etc. -- all you need to be able to do is EXACTLY what *I* think you should be able to do (show me the contents of this JPG in a graphic form, etc.)

If I email you a picture BigBoobs.jpg and you open it, then I've enticed you to expose your JPEG decoder to whatever contents that file may contain. Likewise if you visit a web page with a JPEG. If I email you a receipt for a purchase as a PDF, then the act of opening it means your "PDF decoder" has now been tricked into "interpreting" the information embedded in that file (just like a computer interprets a computer program).

The browser *is* executable code! The OS is executable code. The JPG decoder is executable code. The PDF reader is executable code. Anything that *does* anything does it by executing code!

"Vulnerabilities have been discovered in some versions of the popular VLC media player which may allow a cyberattacker to corrupt memory and potentially execute arbitrary code." <http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=VLC_vulnerabilities.html
Note that it doesn't matter if you run VLC from your browser or download the file and run VLC separately. "Vulnerabilities in VLC allow for remote code execution or denial of service. VLC also has a remote code execution vulnerability in the web interface."
It's like the admonition from my youth regarding unwanted pregnancies: the only SURE contraceptive is ABSTINENCE! I.e., the only sure way to avoid these vulnerabilities is to NOT import anything that you didn't create yourself.
"The only winning move is not to play" -WOPR
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| The exploits I mentioned previously don't require any | "remote software" to be executed from the 'net. *But*, | as each of these non-ASCII-text files requires something | to *interpret* their contents (as a photograph, audio | clip, video clip, etc.) then those non-ASCII-text files | are, essentially, *programs*! They control the behavior | of their respective "decoders" when you apply those decoders | to those files. |
That's not true. The exploits you listed all involve a weakness in executable code -- either compiled binaries or script. Most involve javascript. Many of those *also* require a binary like Flash. The rare exception would be something like the gdiplus.dll bug that could be exploited with JPGs. (Gdiplus was fairly new at the time.) Data files that are not interpreted as executable -- whether text or not -- are almost never a risk because they're not doing anything. (Again, I'd be interested to hear if there are any examples besides the one-time JPG issue, which was many years ago.)
I've never heard of any vulnerability in HTML. It defines graphical layout. It's not interpreted as executable code. It's sometimes possible to crash a browser with faulty HTML, but that's just a case of "choking" the software. There's no executable code involved.
| If I email you a receipt for a purchase | as a PDF, then the act of opening it means your "PDF decoder" | has now been tricked into "interpreting" the information | embedded in that file (just like a computer interprets a | computer program). |
You're misusing the word interpet. A computer doesn't interpret a program. The program itself accesses the CPU, RAM and disk. Script is text that's interpreted as executable code, but that makes it just like a compiled program, in that the interpreter is a program acting under the direction of the script. A PDF is not interpreted as executable code. What the PDF reader gets from the PDF data is information about text, fonts, colors and layout. The problems with PDF are due allowing javascript in PDFs to run.
| The browser *is* executable code! The OS is executable code. | The JPG decoder is executable code. The PDF reader is executable | code. Anything that *does* anything does it by executing code! | I don't know how many ways I can explain it. As I said, I'd be interested to know if you find any vulnerabilities that do not directly involve executable code. They're few and far between. In other words, a browser is, of course, executable code, but you can't hijack it by telling it to draw a table with a blue background. A browser is hijacked by getting it to run executable code -- via the javascript "engine" or a faulty plug-in.
| > Adobe crap at all. Don't enable script. Don't install Java. | > Don't run videos and music in browser plugins like Flash. | > Don't enable script in your PDF viewer. | > (For me this is easy. I don't like things moving on webpages | > while I'm trying to read. If I want to see a video I'll | > download it, so I can save a copy, and play it in VLC. If | | <http://www.zdnet.com/article/vlc-vulnerabilities-exposed/ | "Vulnerabilities have been discovered in some versions of the | popular VLC media player which may allow a cyberattacker to | corrupt memory and potentially execute arbitrary code." | <http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=VLC_vulnerabilities.html |
That's interesting. It's good to know about such things. But I'm not going to lose any sleep. I'm not using a VLC browser plugin, and there's very little motive for someone to put a video on youtube that will attack my system offline. Especially given that I don't download wacky cat videos from random posters.
| Note that it doesn't matter if you run VLC from your browser or | download the file and run VLC separately. | "Vulnerabilities in VLC allow for remote code execution or | denial of service. VLC also has a remote code execution | vulnerability in the web interface." |
Remote means remote. If you download a file and play it in VLC that's not remote execution. Remote would mean playing it via webpage or some other way of accessing it from a remote location.
| It's like the admonition from my youth regarding unwanted | pregnancies: the only SURE contraceptive is ABSTINENCE! | I.e., the only sure way to avoid these vulnerabilities is | to NOT import anything that you didn't create yourself.
I suppose that in the most extreme interpretation you're right. I've decided that having sex carefully, with my post-menopausal ladyfriend, is a "risk" I'm willing to take. Good luck with the inflatables. :)
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 10/18/2015 6:52 PM, Mayayana wrote:

Then spend some time and find examples that *aren't*. I have no skin in this game. Exploits will *always* be in "compiled code" -- that is being tricked into doing something that it wasn't properly designed to AVOID!

Have oyou ever read the descriptions for the updates windows pushes? Ever notice how many claim to be to fix a "security vulnerability"?
This is the polite way of saying the developer screwed up and didn't anticipate someone MISUSING the code he wrote. How does someone misuse code? Ans: they present it with "inputs" that have been crafted to exploit unexpected patterns in that data. I.e., violating basic ASSUMPTIONS that the developer made -- inappropriately.
I received a nastygram from a bank many years ago claiming that they would have to withhold a portion of my interest income because I had not provided them with my SSN. Yet, my SSN was printed right below my name ON THAT LETTER!
Guy who wrote the "code" to decide who should get those letters assumed "0" (in the corporate database) would indicate "no SSN". And, I'm sure he tried a test case with a bogus user having a SSN of "0".
But, he implemented his test in such a way that anyone whose SSN *began* with '0' would be seen as having *no* SSN on file. Those of us who had SSN's issued in the Northeast ALL have SSN's beginning with '0'. Of course, as the bank was in Colorado and most customers were probably from that area (with SSN's that reflected that part of the country), it took a while for the software to stumble on folks (like me) that tickled that bug.
That bug could just as easily have decided to mail me an interest payment, etc.

Sit down with Google and an hour of *your* time and I'm sure you'll be able to find lots of exploits. PDF's are a habitual source of vulnerabilities -- largely because PostScript is a Turing-complete programming language (and PDF's are based on PS).

Thirty seconds with google: CVE-2014-6332
"The IBM X-Force Research team has identified a significant data manipulation vulnerability (CVE-2014-6332) with a CVSS score of 9.3 in every version of Microsoft Windows from Windows 95 onward"
"The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free."

All input causes a program to alter its behavior. So, *any* input can conceivable lead to an exploit in an inadequately designed application.
Passing letters to a program expecting digits can cause that program to barf. The Y2K bug could manifest in many ways based on how the date processing code responded to the "unexpected" '2' in the leftmost position (I've seen dates displayed as "1 January 19A0")
Passing too many characters to a program expecting a lesser number can cause it to barf (buffer overrun).
If "barf" results in the contents of some portion of memory being overwritten, then you can carefully craft an exploit that puts "specific" values in that memory

It's a semantic difference with no consequence. Doesn't the CPU's *hardware* "interpret* the bytes that are fed to it via it's bus interface unit? If I write a simulator and feed it the same byte sequence, it is clearly interpreting the bytes yet the result is the same.
A program processing input is a PROCESSOR. It is interpreting the input and REACTING according to rules that are encoded into its implementation. Just like a CPU interprets opcodes and REACTS according to the rules encoded in its implementation.
[You do realize that most CPU's, nowadays, are microcoded? I.e., there are little PROGRAMS running in response to each byte fetched. These programs *emulate* the legacy instructions that we think of as "x86 machine language"]

No. PDF's encapsulate PostScript. Sit down with a PS manual and WRITE A PROGRAM... IN POSTSCRIPT... to print the numbers from 5 through 27. Then, write a PROGRAM to convert any numeric entry to its textual equivalent; e.g., 123 --> one hundred and twenty three.
Do this with Acroscript disabled!
Better yet, take that "program" and send it to your PostScript *printer* (which has no concept of Jscript!). You'll find that it generates the same correct output!

What do you mean, like files that compromise the computer WHEN THE POWER IS OFF? When the computer is *on*, it is executing code. The code that it executes was created by a fallible human being. That developer's ASSUMPTIONS are embodied in the code. Exploits take advantage of these assumptions to trick the code to do things that it wouldn't otherwise do -- if presenteed with CORRECT (expected) INPUT.

Sure! If the part of the browser that parses the HTML to recognize "blue" figures the only colors that will ever be specified in an HTML file ("input" to the browser) are red black chartreuse yellow pinkpolkadotted coffee and, as a result, pinches pennies and allocated a buffer to store the color name and allows that buffer to hold 15 characters (the length of the longest expected color name -- "pinkpolkadotted"), then I can create a web page that says "draw a table with a background that has the color DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD". The sloppy browser code sees the "color" keyword and then gobbles up the next "word" -- expecting it to be a color. Since it KNOWS the longest (legal) color name is "pinkpoladotted", it won't be prepared for those extra 40 characters (there are 55 D's in the above example).
So, whatever resides in memory AFTER that buffer that stores the color will be overwritten with 40 D's (the first 15 D's will reside in the buffer).
This might have amusing effects. Or, might crash the browser. Or...?
I might, instead, have to pass a string of 5000! D's in order to ensure something much farther away from that color bufer gets clobbered. But, I can play around all day to see what gives the results I seek -- I've got the same browser available on *my* computer and I can actually WATCH to see what gets clobbered *inside* the browser.

Or a fault in the browser's code itself!

In your last post, you suggested VLC was a way you could *protect* yourself from browser vulnerabilities. What's your *new* scheme given that VLC is vulnerable? Are you sure your alternative won't also have some OTHER vulnerability?

So, I embed the instructions in the video file to do the damage that I want OFFLINE! Remote exploits are more precious to a hacker because *he* can then control the actions of your machine -- instead of embedding those actions unconditionally in the exploit.
[The days of erasing hard disks as an exploit are long gone]
None of the Iranian centrifuges were internet connected...

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| Have you ever read the descriptions for the updates windows | pushes? Ever notice how many claim to be to fix a "security | vulnerability"? | | This is the polite way of saying the developer screwed up and | didn't anticipate someone MISUSING the code he wrote. How | does someone misuse code? Ans: they present it with "inputs" | that have been crafted to exploit unexpected patterns in | that data. I.e., violating basic ASSUMPTIONS that the developer | made -- inappropriately. |
That's an interesting point. If you look into the details of those fixes you'll find, in the vast majority of cases, that it's like your PDF, MP3 and MP4 issues: The actual hack involves javascript. Microsoft doesn't generally focus on that because they're a big corporation trying to "monetize" the Web. They don't want people disabling javascript. They even play down ActiveX. IE always depended on ActiveX. MS just couldn't afford to write the truth: "Warning! New IE attack! You should disable ActiveX because ActiveX is dangerous. It was a big mistake. Sorry."
Instead they have a section, way down the page, titled "workarounds", in which they beat around the bush.
The javascript issue is like the elephant in the room. It's obvious to anyone who takes a look. It's common sense that executable code in webpages can never go along with security. But nobody wants to hear that. The website owners want "rich content" and trackability. The visitors want convenience.
You've brought out a lot of interesting points in this discussion with your devil's advocate style of discussion, but I think that at some point that misses the point. You're making a big deal out of the rare exception. Javascript is by far the biggest problem. Maybe 90%. Almost all the rest is things like Java, or maybe an occasional MS Office attack that doesn't need script. The data is online. Cisco put out a report awhile back, for instance. Anyone can read it for themselves:
http://www.cisco.com/web/offers/pdfs/cisco-msr-2015.pdf
0-day browser hacks, used by everyone from the NSA to Russian criminals, are also mainly javascript issues. Typically it's javascript running in an iframe. Cross site scripting.
Script, script and more script. To keep focusing on the .5% that's not script related, and that is highly unlikely in the first place, is to skew the facts. (The VLC player vulnerability is good to know about, but it's very unlikely to ever be a risk. It's unlikely to ever even be exploited, because VLC isn't widely distributed. Even if it were exploited, I don't use it online. (Likewise, I would never install a PDF browser plugin.) And there's also context: Exploiting VLC would require that I download a video from a dubious source.
What makes Adobe's stuff so bad is threefold:
1) Adobe has a bad habit of jacking up functionality with javascript at the cost of security.
2) Adobe has a long history of trying to create a proprietary Web by force-installing their plugins. (Acrobat Reader installs the PDF browser plugin, with Adobe pretending that PDF is a webpage format.)
3) Adobe has been very successful at flooding the market in attempts to make their products ubiquitous. Acrobat Reader is nearly universally installed because they've been giving it away like grocery store coupons since the 90s. Flash is also nearly universal.
Those three things have resulted in the vast majority of people having Flash and Acrobat Reader *and* with both running in the browser. That's an important distinction. Their ubiquity, their use of script, and the fact they run in the browser, all combine to make them the most common attack targets.
*Not using the most popular brand is one of the best security measures because it's not a good strategy for hackers to target software with a limited market.*
| > I've never heard of any vulnerability in HTML. | | Thirty seconds with google: CVE-2014-6332 |
Another 30 seconds turns up this:
"This vulnerability can be exploited using a specially-crafted web page utilizing VBscript in Internet Explorer."
https://www.us-cert.gov/ncas/alerts/TA14-318B
It's an IE-specific bug, requiring script. It has nothing to do with HTML. (No one should *ever* use IE online in the first place. It's too closely linked into Windows.)
This is what I mean about your devil's advocate approach. You're trying to find any tiny exception to the rule. A tiny exception does not negate the rule. And what you're finding are not even exceptions. By trying to carry out a good debate you're obscuring the one critical point: The single best thing you can do, by far, is to disable javascript. No other security measure, even using anti-virus software, comes close to the protection afforded by disabling script.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 10/19/2015 7:20 AM, Mayayana wrote:

As I said previously (and my last comment in this thread), I have no skin in this game. If you think disabling Jscript is The Answer to network exploits, I think you're in for a rude awakening!
Would you like me to send you some INFECTED PDF's? Open them in your EMAIL client -- so your browser isn't even involved.
Then, call me when you get your machine rebooted... ;-)
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| Those articles are months old,
Yes. Beginning of July. And still relevant.
| Anyway, I'm not pro or anti MS. It just IS. | You apparently don't like MS. |
Like them? If someone steals your car do you want them arrested because you don't like them? "Anti-MS" is just one of the common defenses of the ostriches. Along with paranoia and tinfoil hat silliness. All I'm doing is laying out the facts so that people can decide for themselves. You're the one who called the facts BS.
I'd be more than happy to wax acidic about Apple, Google and Facebook if you like. I love to attack Apple. :) Not because I "don't like" them but because they're a sleazy company with an undeserved public image of virtue. Billions goes into creating the public images of these companies. No one spends money to show their dark sides. The topic here just happens to be Windows 10, so it's Microsoft's sleaze that I'm pointing out.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

I hope so.

Much smaller.
One of my fondest aspirations is to live long enough to see the day that Microsoft files for Chapter 7 bankruptcy.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| Does anyone know if Microsoft will be offering a paid version of Win10 that doesn't spy on us?
I just came across a very interesting piece that's apropos here:
http://www.theregister.co.uk/2015/10/16/data_protection_authorities_set_january_safe_harbor_deadline/
The European Union courts have ruled American mass citizen surveillance illegal in Europe and given the US gov't and companies until 1/31/16 to come up with a credible solution or be blocked from storing private data. I don't know exactly what that implies, but it sounds promising. Companies like MS, Google, Apple and Facebook have built their businesses around spying on people for targetted advertising, while sharing that data with the US gov't. It's hard to see how their business model can be maintained if the EU stick to their guns. Even as this is happening, Microsoft is threatening to go to court over demands from the US Justice Dept that they share hotmail data stored in Ireland. The Justice Dept is trying to claim that the personal data of Europeans is not personal data at all but rather is Microsoft's business data, which they have a right to inspect! MS is apparently at least making a show of resistance in order to not entirely lose their credibility in the EU. It seems that the EU and the US gov't and corporations couldn't be further from an agreement.
I'd like to see an expert business analysis of all this. It's hard to know how it's likely to affect the US market and American tech spying.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Microsoft Bob wrote:

Enterprise version.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| >Does anyone know if Microsoft will be offering a paid version of Win10 that doesn't spy on us? | | Enterprise version. |
Not exactly. I don't know whether they still sell the so-called Enterprise version as a retail disk or not. They may. Either way, the only version exempt from forced updates is the corporate install under a Software Assurance license. In other words, if you want to be exempt from the "consumer EULA" you need to contract with Microsoft. For that you need to be making a very big order. Even then, it's not clear how much spying can be stopped. You'd need to ask some corporate IT people who've had time to look into it. The only thing I've heard for certain is that the corporate contract allows IT people to block automatic updates.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Mayayana wrote:

Let me do some more research.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
| Let me do some more research. |
This seems to cover it:
https://en.wikipedia.org/wiki/Windows_10_editions
Enterprise is available as volume license. Even that includes "telemetry". As I understand it, what they mean by that is Windows calling home with usage data. And if you use things like Cortana you're adding to the spying. It won't work otherwise.
I would think that corporate customers would be allowed to control contact more, but that doesn't seem to be the case. There's no indication in what I've read anywhere that there's any reasonable way to even stop the auto-updating outside of a coprorate, multi-license contract, much less the spying. And the auto-updating is being obscured. Microsoft have announced that they'll no longer be detailing what's in an update. So even corporate people who can control the updates would have to reverse engineer them to figure out what they are. And what if a security update is linked to new ads on the Desktop?
It looks like Microsoft have really covered all the angles on this one. As the saying goes, they gotcha coming and going. :)
http://www.infoworld.com/article/2995594/microsoft-windows/why-you-should-worry-about-windows-10-cumulative-updates.html
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Site Timeline

Related Threads

    HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.