Check your Windows 10 block settings

Run in a VM under . But, aren't you trading one "walled garden" for another in the process? How much are you willing to pay (in lack of convenience) for that?

E.g., none of my machines talks to the outside world (save this one). This means I don't have to worry about "security flaws", proprietary/private data leaking out, hostile interactions (even failed actions can be costly; e.g., DoS).

But, it also means that when I want to send/receive email, I must get my *ss out of one chair and find my way to *this* chair. When I want to upgrade the MS machines, I must "manually" download those updates -- then sneakernet them over to the appropriate machines.

I can't video conference with clients -- OTOH, I *can't* video conference with clients! :> And, never have to worry about whether the lens cap is on the camera, or not!

When doing research, if I find an interesting object, I can't just query my reference archive to see if I already *have* a copy of the item; instead, I have to jot down the name of the item and move to another "internal" machine to perform that check. Then, come back, here, to actually *get* the item (if I don't already have it) and, once again, sneakernet it back to insert it into the archive.

We do our banking and online purchases on an "immutable" laptop; one that essentially has a "write protected" hard disk. So, never any fear of a "persistent" infection. But, that means we can't (easily) *save* anything on that machine, either!

So, my machines *are* (and will remain) "under my control". It's just that I now *have* to control them! :-/

Reply to
Don Y

| Run in a VM under .
| But, aren't you trading one "walled garden" for another
| in the process? How much are you willing to pay
| (in lack of convenience) for that?

I'm not. As far as I'm concerned, VMs are for the birds, except maybe for fulltime software testing.

| E.g., none of my machines talks to the outside world
| (save this one)....
| We do our banking and online purchases on an "immutable" laptop;

That sounds like a well planned solution, but it wouldn't work for me. Too much hassle. Most things I do involve going online. Even if I'm editing a photo or writing software, it's not unusual to want to look something up. I don't want multiple machines any more than I want VMs.

With banking, I just don't do it online. I take the approach of operating safely when online and avoiding banking, shopping, etc. Those things simply can't be made safe. Even with a read-only laptop you still risk things like man-in-the-middle attacks in your connection to the bank.

Reply to
Mayayana

VM's are an excellent way of supporting multiple machine configurations without trying to cram everything into a single physical machine. In hindsight, I wish I had implemented each of my workstations as a *set* of VM's instead of trying to get several dozen large apps to "play well" together.

I also use VM's to support legacy OS's without having to worry about finding a "vintage" driver that will work on *modern* hardware.

Very little hassle. If you want to save something, you save it to a thumb drive (we save copies of statements to a thumb drive as a matter of course -- so they are available even if a computer crashes OR we have to leave the house in an emergency -- and can't bother grabbing a computer to drag along our financial records!). Or, you set up a "persistent" portion of the disk (e.g., a "D:") that you can use for that purpose.

The point is, no "software" (or settings governing its operation) ever gets changed on the machine.

In the future, I'll install Flash on that machine for those few times SWMBO "needs" to view some Flash presentation (yet don't want to risk supercookies).

I simply could not operate with fewer machines -- let alone the redundancy issue. I have far too many (big) apps that would be tedious to get -- and KEEP -- to play together well. And, too much risked "repair time" when/if something got munged.

And, no way I want to multiboot Solaris, FreeBSD/NetBSD and Windows and *hope* the machine stays in a consistent state.

Then you limit yourself to the range of banks (and other institutions) with which you can operate. And, your choices will diminish, over time.

[I've had to close several accounts in recent years when they changed the terms to effectively push me to access my statements, etc. "on line"]

"Operating safely" is almost impossible. Too many drive-by attacks -- even on big "well known" sites. Hence the approach of getting the machine into a known, safe state and ensuring that it can't be changed from that state.

Reply to
Don Y

| > With banking, I just don't do it online. I take
| > the approach of operating safely when online
| > and avoiding banking, shopping, etc. Those things
| > simply can't be made safe. Even with a read-only
| > laptop you still risk things like man-in-the-middle
| > attacks in your connection to the bank.
|
| Then you limit yourself to the range of banks (and other
| institutions) with which you can operate. And, your choices
| will diminish, over time.

I pay $1/month for a paper statement. I doubt very much that I won't be able to get a statement any time soon. Even if they didn't mail it, one can go into any bank for a printout as desired. Doing risky things online because I *might* have to someday is not a good reason to me.

| "Operating safely" is almost impossible. Too many drive-by
| attacks -- even on big "well known" sites. Hence the approach
| of getting the machine into a known, safe state and ensuring that
| it can't be changed from that state.

You sound like you know what you're doing, so I wouldn't be inclined to tell you that you should change, but my way also works. Nearly all possible online attacks require javascript. Most of those also use secondary vulnerabilities, such as iframes or Flash. I rarely enable script online. When I do, I do it in Firefox with NoScript, to limit the exposure. I don't have AV or malware hunter software. And I've never had a malware problem of any kind.

I wouldn't recommend that approach to everyone. People who don't want to learn the basics and do want to access the Internet as "consumers", with extensive functionality to shop, play games, bank, Facebook, etc will need AV. But my way, understanding the risks and disabling script, is far safer than the person with all the latest patches and AV, but who enables script online. There's simply no way to make that safe.

Reply to
Mayayana

Not for decades.

Buy real estate? Purchase a "big ticket item" (e.g., car, expensive piece

All cash.

Actually unless it's a narcotic it's easy to get a prescription using an assumed name!

But not identifiable as to name, address, etc.

All quite spoofable as well.

Easy enough to cycle through anonymous pre-paid cell phones if needed. Same with email addresses.

Nope.

Since everything is funneled through a foreign-based VPN service that keeps no records there is nothing for them to disclose.

Banks rarely, casinos never. Large reflective sunglasses and broad-brimmed hats go a long ways to dealing with CCTV systems.

Fresnel lens over the plate takes care of that. If sufficiently motivated so does having the car registered to an out-of-state entity.

You would be wrong.

Reply to
Roger Blake

If in your name the deed is recorded. You eliminate many, but not all traces.

Some banks will not allow you in dressed like that.

Is the plate visible to the eye? I know some states are making things like that illegal so the speed cameras can get you. As long as the police can easily see your plate you may never get caught though.

Reply to
Ed Pawlowski

The point isn't going deep underground, if that's what I was after I would not be here. The point is not forking over information carte blanche during the course of normal day-to-day life. Of course there is some paper and/or electronic trail to be found, but it is spotty, particularly compared to someone who pays for everything via credit or debit card and goes out and details it all on Facetube or whatever.

Actually for me paying cash and staying out of debt is mostly due to having been brought up by parents who lived through the Great Depression of the 1930s. Preserving a modicum of privacy in an increasingly intrusive environment is a beneficial side effect.

Haven't had a problem, but they know me at my bank anyway. (Small community bank, been a customer there for decades.) It helps being old, of course, wearing cataract-style sunglasses doesn't raise many eyebrows for people my age - might not be the case for a 20-something!

A proper Fresnel lens or louvered covering will look fine straight on but will obscure the plate from a steep angle. Probably illegal (in many jurisdictions any plate cover is) but poorly enforced as long as the plate is properly visible to the cop just behind or ahead of you.

Here's one, there are others, and some homebrew solutions:

There would probably also be active solutions possible that would work in a similar manner to those using infrared LEDs to foil facial recognition systems.

For myself, I'm in a rural area where plate cameras and scanners are not much of a concern - yet.

Reply to
Roger Blake

You're lucky. I've closed accounts when each notified me that they wanted $8.95/month to mail me a single sheet of paper with 1, 2 or, at most, *3* transactions on it! Note that one of the banks was 1500 miles from here -- so it's not a "local phenomenon".

Do you own any securities? Do any "trading"?

If you look at the history of vulnerabilities, you'd realize that's not the case. Buffer overflow exploits are still common -- despite EVERYONE knowing about this sort of potential problem (yet continuing to write NEW code that has the same flaws).

Are *all* inbound ports on your machine closed? Have a look at "Shield's Up":

Do you "NAT" your connections? Use a STATEFUL firewall?

Ever download/open a PDF? Open a JPG? Maybe a video (MP4)? Or, perhaps, music (MP3)?

I.e., any piece of code that can be coerced into "processing" foreign data represents an attack surface. In the past, JPG's have been used to inject malware, malformed URL's

We don't run AV, here, as it takes too big a hit on the machine's performance, requires constant updates (sometimes *introducing* bugs/false positives in the process), etc.

We practice "safe computing" -- much to SWMBO's dismay (as she isn't allowed to view much of the cruft her friends send to her as "funny links"). Periodically, I take the machine down and mount the disk as a secondary drive so I can scan it with a current AV release -- just for peace of mind ("Nothing found so we've been well behaved").

Of course, the machine is only useful to a hacker as a point from which to possibly launch another attack -- there's nothing *here* worth stealing or "snooping"!

Having NoScript block all domains, here, means I often have to take several attempts to view a site -- successively enabling more and more domains until the site "appears" to work. Some sites are very deliberate in refusing to work without Jscript enabled. Some refuse to work without Flash.

Each of these represents an inconvenience to me. But, as most of the sites that I am interested in are highly technical, I can put up with these occasional inconveniences.

Reply to
Don Y

How come? Online shopping is easy and convenient. They can data mine about me, but I block all the spam and junk mail; I don't even see any of it. I use a card, paying in full when I get the bill. I pay the bill online as well. In our small business, all the payments are done by CC. Lots of points are being collected, plus points I collected when I was working, which pay for our travels, like going to see our grandson in Victoria Island. It's been a long time since I paid for an airline ticket with paper money. Oh, I book flights online too, LOL! At our store, cash sales are less than 10% of total sales on any day.

Reply to
Tony Hwang

Simply put they know more about me than I know about myself, LOL!

Reply to
Tony Hwang

I believe it is some kinda mental case. -----phobia?

Reply to
Tony Hwang

| > I pay $1/month for a paper statement. I doubt
|
| You're lucky. I've closed accounts when each notified me that
| they wanted $8.95/month to mail me a single sheet of paper
| with 1, 2 or, at most, *3* transactions on it! Note that
| one of the banks was 1500 miles from here -- so it's not
| a "local phenomenon".

TD Bank. And they're open on Sundays, too. :) I'm not sure I even want to know why you have numerous bank accounts on the other side of the country. :)

| Do you own any securities? Do any "trading"?

No. I'm not a gambler. Frankly I think straight gambling on the stock market should be illegal, with something like a 90 day minimum period that stocks would have to be held and no option for buying options, which are merely bets. Then people would be investing in companies rather than just a big, glorified gambling hall.

| > You sound like you know what you're doing, so I
| > wouldn't be inclined to tell you that you should change,
| > but my way also works. Nearly all possible online attacks
| > require javascript.
|
| If you look at the history of vulnerabilities, you'd realize that's
| not the case. Buffer overflow exploits are still common -- despite
| EVERYONE knowing about this sort of potential problem (yet
| continuing to write NEW code that has the same flaws).

Buffer overflows require executable code. The point is to go back to what the Web was meant to be: A resource that can be accessed. Not remote software. However you look at it, nearly all risks online require script. It's true that there has been at least one issue with JPGs. That was actually a vulnerability in gdiplus.dll, the Windows extended graphics library. There was also once an issue with EMF files. It's not impossible to face a vulnerability with script disabled, but it's *very* unlikely. With script enabled, on the other hand, you're a sitting duck.

PDF exploits, as well as Flash, are also script issues. The MP4 bug you link to is a Flash problem. Likewise, the MP3 bug you linked to is with script in iTunes. What you're talking about is all executable code. The point is to get executable code out of the browser. Don't use Adobe crap at all. Don't enable script. Don't install Java. Don't run videos and music in browser plugins like Flash. Don't enable script in your PDF viewer. (For me this is easy. I don't like things moving on webpages while I'm trying to read. If I want to see a video I'll download it, so I can save a copy, and play it in VLC. If I can't download it I can't be bothered. I'm not going to sit around "watching TV" on my monitor.)

| Having NoScript block all domains, here, means I often
| have to take several attempts to view a site -- successively
| enabling more and more domains until the site "appears"
| to work. Some sites are very deliberate in refusing to work
| without Jscript enabled. Some refuse to work without Flash.

Yes. I guess it depends a lot on what sites you visit. I have noticed lately that more sites are designed to break without script. Maybe not all deliberately. The code has gotten to be such a mess that it's hard to tell. I don't use highly interactive sites, so I've never needed Flash. I've never even had it installed. And fortunately it's being phased out.

One of the increasing problems I've seen is kiddie sites hosted by Wix and Squarespace. They get small business people to set up sites for free or cheap. It's all a very simple, drag-drop-and-choose-options kind of operation. People think it's clever that they made their own site. But the pages are actually pseudo-JSON muck that directs the loading of the page from the Wix or Squarespace server. It's completely broken without script. The nasty thing about it is that it breaks because it's using client-side processing to put the page together. PHP and ASP would work just fine server-side, but Wix and Squarespace are cutting corners.

I was looking at a site yesterday by some very talented designers and engineers. Heatherwick.com. Their website is a mess, with the noscript code inside script blocks! These people are award winning designers with big gallery shows, yet they can't build a website with the most basic functionality.

Another one I've noticed recently is Forbes.com. I used to go there sometimes for news. Now there's actually no webpage at all. Their pages are either built from script or hide the content inside script. They're actually, in some cases, embedding the entire HTML string inside script variables! That's so idiotic and wasteful that it can only be a case of trying to make their site break without script.

It's got so bad, and some of the script I see is so bizarre and convoluted, that I recently wrote a tool to sort it out:

It's only for people who are familiar with webpage coding, but I find it can come in handy sometimes.

Reply to
Mayayana

I find shopping locally using cash to be easy and convenient. It's what I've always done, I'm not particularly going out of my way or changing anything to do it.

Reply to
Roger Blake

They have AN INTEREST in knowing -- you probably *don't*! :>

My MD asks me questions that I'd never think of asking myself.

*He* knows how those things correlate with things that he might be looking for.

Similarly, folks thinking of extending credit to me might be interested in how diligently I get annual physicals (i.e., if I don't exercise discipline over my own PHYSICAL HEALTH, I'm probably less likely to exercise discipline over my FISCAL HEALTH!)

Folks always think there has to be some IDENTIFIABLE *reason* for a correlation. Actuaries (and others who make decisions based on probabilities) only care about the fact that a correlation APPEARS to exist -- they don't really care *why* as long as the correlation is statistically reliable!

People who drive white cars tend to have fewer accidents. Is this because white cars are safer? Or, because people who aren't concerned with the color of their car tend to have a more cautious personality? Or, because OTHER drivers can more readily *see* white vehicles (to avoid them)?

Reply to
Don Y

I have lived in many places. It is usually more convenient to leave an existing account open until I can get a new account established. And, when they WERE mailing paper statements, there was virtually no cost to me to KEEP those accounts open (most of my accounts have had strict check-writing constraints -- like 3 per month). So, an extra account would let me handle extra transactions, etc.

I know I had to maintain an account in CT for the tax man (consultants' time has sales tax applied so they want someplace to find you to *get* that tax!)

+42

I can't see how anyone would consider the "1 year" time limit to qualify for LONG term gains to really be indicative of "an investment" (vs. a gamble).

Yes -- the code in your browser or "helper applications" that it invokes.

The exploits I mentioned previously don't require any "remote software" to be executed from the 'net. *But*, as each of these non-ASCII-text files requires something to *interpret* their contents (as a photograph, audio clip, video clip, etc.) then those non-ASCII-text files are, essentially, *programs*! They control the behavior of their respective "decoders" when you apply those decoders to those files.

Bugs in those decoders can thus be exploited to compromise the machine on which the decoders are executing. This is because Windows (and virtually all other desktop OS's) applies the full capabilities of the invoking user to any program (e.g., the decoder) running on his/her behalf! There is no way to limit what a particular program can/can't do -- other than HOPING the program itself "behaves well".

A "capability-based" OS doesn't have this inherent limitation. E.g., I can let *you* write a hostile program and install it on my system. But, no matter how hard your program tries, it won't be able to do anything that I haven't explicitly allowed it to do. No need for you to be scribbling in the Registry -- or even *looking* at it; no need for you to be pushing packets out a network connection; no need for you to be installing any files; etc. -- all you need to be able to do is EXACTLY what *I* think you should be able to do (show me the contents of this JPG in a graphic form, etc.)

If I email you a picture BigBoobs.jpg and you open it, then I've enticed you to expose your JPEG decoder to whatever contents that file may contain. Likewise if you visit a web page with a JPEG. If I email you a receipt for a purchase as a PDF, then the act of opening it means your "PDF decoder" has now been tricked into "interpreting" the information embedded in that file (just like a computer interprets a computer program).

The browser *is* executable code! The OS is executable code. The JPG decoder is executable code. The PDF reader is executable code. Anything that *does* anything does it by executing code!

"Vulnerabilities have been discovered in some versions of the popular VLC media player which may allow a cyberattacker to corrupt memory and potentially execute arbitrary code."

Note that it doesn't matter if you run VLC from your browser or download the file and run VLC separately. "Vulnerabilities in VLC allow for remote code execution or denial of service. VLC also has a remote code execution vulnerability in the web interface."

It's like the admonition from my youth regarding unwanted pregnancies: the only SURE contraceptive is ABSTINENCE! I.e., the only sure way to avoid these vulnerabilities is to NOT import anything that you didn't create yourself.

"The only winning move is not to play" -WOPR

Reply to
Don Y
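The "a data file is a program for its decoder" argument in the post above, as an added worked example that is not part of the thread and not code from any real decoder: a toy raster format (the "TOYI" layout, header fields and size limit are all constructed for this example) decoded two ways. The vulnerable pixel-count routine trusts the width and height fields and multiplies them in 32 bits, so a header claiming 65536 x 65536 wraps to zero pixels; a decoder built on it would allocate nothing and then loop width*height times writing samples, which is exactly the "file drives the decoder off the rails" case. The hardened routine validates every header field against the real buffer length before it influences an allocation or a copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical raster format, constructed for this example only:
 *   bytes 0..3  : magic "TOYI"
 *   bytes 4..7  : width  (little-endian uint32)
 *   bytes 8..11 : height (little-endian uint32)
 *   bytes 12..  : width*height grayscale samples, one byte each
 */
#define HDR_LEN 12
#define MAX_PIXELS (64u * 1024u * 1024u)   /* assumed policy cap */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: the product is computed in 32 bits and silently wraps.
 * width = height = 0x10000 yields 0, so a decoder that mallocs this many
 * bytes and then writes width*height samples overruns the heap purely
 * because of two integers in the file header. */
uint32_t pixel_count_vuln(uint32_t w, uint32_t h) {
    return w * h;   /* wraps modulo 2^32 */
}

/* Hardened: reject dimensions whose product does not fit in 32 bits,
 * and cap the image size before anything is allocated. Returns 0 on
 * success, -1 on rejection. */
int pixel_count_safe(uint32_t w, uint32_t h, uint32_t *out) {
    if (w == 0 || h == 0) return -1;
    if (w > UINT32_MAX / h) return -1;            /* would overflow */
    if ((uint64_t)w * h > MAX_PIXELS) return -1;  /* policy limit   */
    *out = w * h;
    return 0;
}

/* Hardened decoder: every field read from the file is checked against
 * the actual buffer length before it controls a memory operation.
 * Returns a malloc'd sample buffer, or NULL if the file is rejected. */
uint8_t *decode_safe(const uint8_t *buf, size_t len,
                     uint32_t *w_out, uint32_t *h_out) {
    if (len < HDR_LEN || memcmp(buf, "TOYI", 4) != 0) return NULL;
    uint32_t w = rd32le(buf + 4), h = rd32le(buf + 8), n;
    if (pixel_count_safe(w, h, &n) != 0) return NULL;
    if (len - HDR_LEN < n) return NULL;           /* truncated payload */
    uint8_t *px = malloc(n);
    if (px == NULL) return NULL;
    memcpy(px, buf + HDR_LEN, n);
    *w_out = w;
    *h_out = h;
    return px;
}

/* Constructed inputs: a valid 2x2 image, and a crafted header whose
 * 0x10000 x 0x10000 dimensions wrap to zero pixels in 32-bit math. */
static const uint8_t good_img[] = {
    'T','O','Y','I', 2,0,0,0, 2,0,0,0, 10,20,30,40 };
static const uint8_t bad_img[] = {
    'T','O','Y','I', 0,0,1,0, 0,0,1,0, 0,0,0,0 };

int main(void) {
    uint32_t w = 0, h = 0;
    printf("vulnerable count for 65536x65536 = %u\n",
           pixel_count_vuln(0x10000u, 0x10000u));
    uint8_t *px = decode_safe(good_img, sizeof good_img, &w, &h);
    printf("valid file: %s (%ux%u)\n", px ? "decoded" : "rejected", w, h);
    free(px);
    px = decode_safe(bad_img, sizeof bad_img, &w, &h);
    printf("crafted file: %s\n", px ? "decoded" : "rejected");
    free(px);
    return 0;
}
```

The point of the pairing: nothing in the crafted file is "script", yet the two dimension fields are enough to steer a naive decoder into writing past its allocation. The hardened path is cheap (three comparisons before the first malloc) and is the same shape of check that real image, audio and container parsers need on every length, count and offset field they read.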

Of course. Suit yourself. But IMHO, you're weird in this day and age.

Reply to
Tony Hwang

To people my age paying in cash is normal, using credit/debit is the weird thing. I'm certainly not the only one, those cash registers are not being kept in service just for my benefit.

What today's young people think of it is really of no interest to me.

Reply to
Roger Blake

Dan Espen wrote in news:mvs764$4a4$ snipped-for-privacy@dont-email.me:

I hope so.

Much smaller.

One of my fondest aspirations is to live long enough to see the day that Microsoft files for Chapter 7 bankruptcy.

Reply to
Doug Miller

I think it's weird when someone pulls out their Mastercard at a grocery store to pay for a dozen donuts. I really get upset when the charge is refused and they have to hunt up another card that might have a little life in it. For a real fun time get in line behind someone with an EBT card and a pocketful of dead plastic.

Reply to
rbowman

| The exploits I mentioned previously don't require any
| "remote software" to be executed from the 'net. *But*,
| as each of these non-ASCII-text files requires something
| to *interpret* their contents (as a photograph, audio
| clip, video clip, etc.) then those non-ASCII-text files
| are, essentially, *programs*! They control the behavior
| of their respective "decoders" when you apply those decoders
| to those files.

That's not true. The exploits you listed all involve a weakness in executable code -- either compiled binaries or script. Most involve javascript. Many of those *also* require a binary like Flash. The rare exception would be something like the gdiplus.dll bug that could be exploited with JPGs. (Gdiplus was fairly new at the time.) Data files that are not interpreted as executable -- whether text or not -- are almost never a risk because they're not doing anything. (Again, I'd be interested to hear if there are any examples besides the one-time JPG issue, which was many years ago.)

I've never heard of any vulnerability in HTML. It defines graphical layout. It's not interpreted as executable code. It's sometimes possible to crash a browser with faulty HTML, but that's just a case of "choking" the software. There's no executable code involved.

| If I email you a receipt for a purchase
| as a PDF, then the act of opening it means your "PDF decoder"
| has now been tricked into "interpreting" the information
| embedded in that file (just like a computer interprets a
| computer program).

You're misusing the word interpret. A computer doesn't interpret a program. The program itself accesses the CPU, RAM and disk. Script is text that's interpreted as executable code, but that makes it just like a compiled program, in that the interpreter is a program acting under the direction of the script. A PDF is not interpreted as executable code. What the PDF reader gets from the PDF data is information about text, fonts, colors and layout. The problems with PDF are due to allowing javascript in PDFs to run.

| The browser *is* executable code! The OS is executable code.
| The JPG decoder is executable code. The PDF reader is executable
| code. Anything that *does* anything does it by executing code!

I don't know how many ways I can explain it. As I said, I'd be interested to know if you find any vulnerabilities that do not directly involve executable code. They're few and far between. In other words, a browser is, of course, executable code, but you can't hijack it by telling it to draw a table with a blue background. A browser is hijacked by getting it to run executable code -- via the javascript "engine" or a faulty plug-in.

| > Adobe crap at all. Don't enable script. Don't install Java.
| > Don't run videos and music in browser plugins like Flash.
| > Don't enable script in your PDF viewer.
| > (For me this is easy. I don't like things moving on webpages
| > while I'm trying to read. If I want to see a video I'll
| > download it, so I can save a copy, and play it in VLC. If
|
| "Vulnerabilities have been discovered in some versions of the
| popular VLC media player which may allow a cyberattacker to
| corrupt memory and potentially execute arbitrary code."

That's interesting. It's good to know about such things. But I'm not going to lose any sleep. I'm not using a VLC browser plugin, and there's very little motive for someone to put a video on youtube that will attack my system offline. Especially given that I don't download wacky cat videos from random posters.

| Note that it doesn't matter if you run VLC from your browser or
| download the file and run VLC separately.
| "Vulnerabilities in VLC allow for remote code execution or
| denial of service. VLC also has a remote code execution
| vulnerability in the web interface."

Remote means remote. If you download a file and play it in VLC that's not remote execution. Remote would mean playing it via webpage or some other way of accessing it from a remote location.

| It's like the admonition from my youth regarding unwanted
| pregnancies: the only SURE contraceptive is ABSTINENCE!
| I.e., the only sure way to avoid these vulnerabilities is
| to NOT import anything that you didn't create yourself.

I suppose that in the most extreme interpretation you're right. I've decided that having sex carefully, with my post-menopausal ladyfriend, is a "risk" I'm willing to take. Good luck with the inflatables. :)

Reply to
Mayayana
