| Well, I'm not concerned beyond what I can reasonably control.
| And most people are aware of these "privacy issues."
| Mayanaya presumes everybody who uses Win10 is a dope.
| Anyway, that's my impression. Could be wrong.
Most people are not aware of these issues. That's the
point. It's none of my business if you don't mind Windows
calling home with your data, but that's not what you said.
You said any such concern was BS. So who's calling who
Another aspect, for me, is frustration with where things
are going. Not because I hate MS but because I love
Windows. I got into computers late - 1998. To me it seemed
that Windows was like a fun car. Macs were an overpriced
car with the hood welded shut and limited tools. And Linux
was like a do-it-yourself car kit. At the time, most of the
software was for Windows. Microsoft encouraged people
to learn Windows and provided tools at all levels. I taught
myself Windows programming, made some money and had
a lot of fun. I've written software for myself, which would
be a much bigger challenge on Apple or Linux. But since
Win2000/ME I've watched as the system gradually gets
locked down and turned into interactive cable TV. In the
car analogy, what's happening is that they're ceasing the
sales of cars and trying to replace existing cars with taxis.
It's approaching a time when the only software that people
will be able to write for Windows will be phone/tablet
style trinket apps. So-called universal (Metro) apps. Not
being able to control one's own data is part of the transition,
just as there's little option to control what Apple collects
on an iPhone because there's no control over the iPhone
It's not only Microsoft, by any means. Apple, Facebook,
Microsoft, Amazon and Google are all trying to grab the
whole pie. All except Facebook are approaching it with
multiple devices, apps, social connections and shopping.
They're each trying to suck in as many customers as
possible to a new version of the AOL walled garden. The
special tragedy with Windows is that it has been, and
can be, so much more. Google is thoroughly corrupt.
Apple has always controlled their devotees. Amazon is
trying for a total retail monopoly, accessed in large part
through Kindles and phones, and will undoubtedly
jack up their prices if they ever achieve it. Only Microsoft,
until relatively recently, wasn't trying to own their customers.
They were simply selling good tools. Most of their customers
have been business and those customers demanded computers
as functional tools for which they can write custom,
All I want is a decent computer that I control myself.
I'd be less bothered by people who choose shopping TV,
frankly, if a straight computer was also still an easy option.
But that's becoming an increasingly complex challenge.
The AOL walled garden is not an offering. It's a sneaky
strategy. The complexity of settings and actions required
just to prevent Win7 being overwritten by Win10 is a good
Even Ubuntu Linux has stooped to ads and spyware:
Remember when AOL was the thing? I was using a
friend's Mac at the time. New to computers, I'd heard
about the famous Internet but couldn't seem to find it.
I just kept going in circles between AOL chat groups,
credit card offers, games, shopping.... I asked a friend
in tech support: Where is this famous Internet? He
had to guide me through the steps to sneak out the
back door of AOLs obnoxious arcade and onto the
open Web, where I was actually free to visit any
Run <whateverOS> in a VM under <whateverOTHERos>.
But, aren't you trading one "walled garden" for another
in the process? How much are you willing to pay
(in lack of convenience) for that?
E.g., none of my machines talks to the outside world
(save this one). This means I don't have to worry about
"security flaws", proprietary/private data leaking out,
hostile interactions (even failed actions can be costly;
But, it also means that when I want to send/receive email,
I must get my *ss out of one chair and find my way to
*this* chair. When I want to upgrade the MS machines,
I must "manually" download those updates -- then sneakernet
them over to the appropriate machines.
I can't video conference with clients -- OTOH, I *can't*
video conference with clients! :> And, never have to worry
about whether the lens cap is on the camera, or not!
When doing research, if I find an interesting object, I can't
just query my reference archive to see if I already *have*
a copy of the item; instead, I have to jot down the name
of the item and move to another "internal" machine to
perform that check. Then, come back, here, to actually
*get* the item (if I don't already have it) and, once again,
sneakernet it back to insert it into the archive.
We do our banking and online purchases on an "immutable" laptop;
one that essentially has a "write protected" hard disk. So, never
any fear of a "persistent" infection. But, that means we can't
(easily) *save* anything on that machine, either!
So, my machines *are* (and will remain) "under my control".
It's just that I now *have* to control them! :-/
| Run <whateverOS> in a VM under <whateverOTHERos>.
| But, aren't you trading one "walled garden" for another
| in the process? How much are you willing to pay
| (in lack of convenience) for that?
I'm not. As far as I'm concerned, VMs are for the
birds, except maybe for fulltime software testing.
| E.g., none of my machines talks to the outside world
| (save this one)....
| We do our banking and online purchases on an "immutable" laptop;
That sounds like a well planned solution, but
it wouldn't work for me. Too much hassle. Most
things I do involve going online. Even if I'm editing
a photo or writing software, it's not unusual to
want to look something up. I don't want multiple
machines any more than I want VMs.
With banking, I just don't do it online. I take
the approach of operating safely when online
and avoiding banking, shopping, etc. Those things
simply can't be made safe. Even with a read-only
laptop you still risk things like man-in-the-middle
attacks in your connection to the bank.
VM's are an excellent way of supporting multiple machine
configurations without trying to cram everything into a
single physical machine. In hindsight, I wish I had
implemented each of my workstations as a *set* of VM's
instead of trying to get several dozen large apps to
"play well" together.
I also use VM's to support legacy OS's without having to
worry about finding a "vintage" driver that will work on
Very little hassle. If you want to save something, you
save it to a thumb drive (we save copies of statements
to a thumb drive as a matter of course -- so they are
available even if a computer crashes OR we have to leave
the house in an emergency -- and can't bother grabbing
a computer to drag along our financial records!).
Or, you set up a "persistent" portion of the disk
(e.g., a "D:") that you can use for that purpose.
The point is, no "software" (or settings governing its
operation) ever gets changed on the machine.
In the future, I'll install Flash on that machine for
those few times SWMBO "needs" to view some Flash
presentation (yet don't want to risk supercookies)
I simply could not operate with fewer machines -- let
alone the redundancy issue. I have far too many (big)
apps that would be tedious to get -- and KEEP -- to
play together well. And, too much risked "repair time"
when/if something got munged.
And, no way I want to multiboot Solaris, FreeBSD/NetBSD
and Windows and *hope* the machine stays in a consistent
Then you limit yourself to the range of banks (and other
institutions) with which you can operate. And, your choices
will diminish, over time.
[I've had to close several accounts in recent years when they
changed the terms to effectively push me to access my statements,
etc. "on line"]
"Operating safely" is almost impossible. Too many drive-by
attacks -- even on big "well known" sites. Hence the approach
of getting the machine into a known, safe state and ensuring that
it can't be changed from that state.
| > With banking, I just don't do it online. I take
| > the approach of operating safely when online
| > and avoiding banking, shopping, etc. Those things
| > simply can't be made safe. Even with a read-only
| > laptop you still risk things like man-in-the-middle
| > attacks in your connection to the bank.
| Then you limit yourself to the range of banks (and other
| institutions) with which you can operate. And, your choices
| will diminish, over time.
I pay $1/month for a paper statement. I doubt
very much that I won't be able to get a statement
any time soon. Even if they didn't mail it, one can
go into any bank for a printout as desired. Doing risky
things online because I *might* have to someday is
not a good reason to me.
| "Operating safely" is almost impossible. Too many drive-by
| attacks -- even on big "well known" sites. Hence the approach
| of getting the machine into a known, safe state and ensuring that
| it can't be changed from that state.
You sound like you know what you're doing, so I
wouldn't be inclined to tell you that you should change,
but my way also works. Nearly all possible online attacks
vulnerabilities, such as iframes or Flash. I rarely enable
script online. When I do, I do it in Firefox with NoScript,
to limit the exposure. I don't have AV or malware
hunter software. And I've never had a malware problem
of any kind.
I wouldn't recommend that approach to everyone.
People who don't want to learn the basics and do
want to access the Internet as "consumers", with
extensive functionality to shop, play games, bank,
Facebook, etc will need AV. But my way, understanding
the risks and disabling script, is far safer than the
person with all the latest patches and AV, but who
enables script online. There's simply no way to make
You're lucky. I've closed accounts when each notified me that
they wanted $8.95/month to mail me a single sheet of paper
with 1, 2 or, at most, *3* transactions on it! Note that
one of the banks was 1500 miles from here -- so its not
a "local phenomenon".
Do you own any securities? Do any "trading"?
If you look at the history of vulnerabilities, you'd realize that's
not the case. Buffer overflow exploits are still common -- despite
EVERYONE knowing about this sort of potential problem (yet
continuing to write NEW code that has the same flaws).
Are *all* inbound ports on your machine closed?
Have a look at "Shield's Up": <https://www.grc.com
Do you "NAT" your connections? Use a STATEFUL firewall?
Ever download/open a PDF?
Open a JPG?
Maybe a video (MP4)?
Or, perhaps, music (MP3)?
I.e., any piece of code that can be coerced into "processing"
foreign data represents an attack surface. In the past, JPG's
have been used to inject malware, malformed URL's
We don't run AV, here as it takes to big a hit on the machine's
performance, requires constant updates (sometimes *introducing*
bugs/false positives in the process), etc.
We practice "safe computing" -- much to SWMBO's dismay (as she
isn't allowed to view much of the cruft her friends send to her
as "funny links"). Periodically, I take the machine down and
mount the disk as a sercondary drive so I can scan it with a
current AV release -- just for peace of mind ("Nothing found
so we've been well behaved")
Of course, the machine is only useful to a hacker as a point from
which to possibly launch another attack -- there's nothing *here*
worth stealing or "snooping"!
Having NoScript block all domains, here, means I often
have to take several attempts to view a site -- successively
enabling more and more domains until the site "appears"
to work. Some sites are very deliberate in refusing to work
without Jscript enabled. Some refuse to work without Flash.
Each of these represents an inconvenience to me. But, as most
of the sites that I am interested in are highly technical,
I can put up with these occasional inconveniences.
| > I pay $1/month for a paper statement. I doubt
| You're lucky. I've closed accounts when each notified me that
| they wanted $8.95/month to mail me a single sheet of paper
| with 1, 2 or, at most, *3* transactions on it! Note that
| one of the banks was 1500 miles from here -- so its not
| a "local phenomenon".
TD Bank. And they're open on Sundays, too. :)
I'm not sure I even want to know why you have
numerous bank accouts on the other side
of the country. :)
| Do you own any securities? Do any "trading"?
No. I'm not a gambler. Frankly I think straight gambling
on the stock market should be illegal, with something
like a 90 day minimum period that stocks would have
to be held and no option for buying options, which
are merely bets. Then people would be investing in
companies rather than just a big, glorified gambling hall.
| > You sound like you know what you're doing, so I
| > wouldn't be inclined to tell you that you should change,
| > but my way also works. Nearly all possible online attacks
| If you look at the history of vulnerabilities, you'd realize that's
| not the case. Buffer overflow exploits are still common -- despite
| EVERYONE knowing about this sort of potential problem (yet
| continuing to write NEW code that has the same flaws).
Buffer overflows require executable code. The point is
to go back to what the Web was meant to be: A resource
that can be accessed. Not remote software.
However you look at it, nearly all risks online require script.
It's true that there has been at least one issue with JPGs.
That was actually a vulnerability in gdiplus.dll, the
Windows extended graphics library. There was also once
an issue with EMF files. It's not impossible to face a
vulnerability with script disabled, but it's *very* unlikely.
With script enabled, on the other hand, you're a sitting
PDF exploits, as well as Flash, are also script issues.
The MP4 bug you link to is a Flash problem. Likewise,
the MP3 bug you linked to is with script in iTunes. What
you're talking about is all executable code. The point is
to get executable code out of the browser. Don't use
Adobe crap at all. Don't enable script. Don't install Java.
Don't run videos and music in browser plugins like Flash.
Don't enable script in your PDF viewer.
(For me this is easy. I don't like things moving on webpages
while I'm trying to read. If I want to see a video I'll
download it, so I can save a copy, and play it in VLC. If
I can't download it I can't be bothered. I'm not going to
sit around "watching TV" on my monitor.)
| Having NoScript block all domains, here, means I often
| have to take several attempts to view a site -- successively
| enabling more and more domains until the site "appears"
| to work. Some sites are very deliberate in refusing to work
| without Jscript enabled. Some refuse to work without Flash.
Yes. I guess it depends a lot on what sites you visit. I
have noticed lately that more sites design to break without
script. Maybe not all deliberately. The code has gotten to
be such a mess that it's hard to tell. I don't use highly
interactive sites, so I've never needed Flash. I've never
even had it installed. And fortunately it's being phased out.
One of the increasing problems I've seen is kiddie sites
hosted by Wix and Squarespace. They get small business
people to set up sites for free or cheap. It's all a very
simple, drag-drop-and-choose-options kind of operation.
People think it's clever that they made their own site. But
the pages are actually pseudo-JSON muck that directs
the loading of the page from the Wix or Squarespace
server. It's completely broken without script. The nasty
thing about it is that it breaks because it's using client-
side processing to put the page together. PHP and ASP
would work just fine server-side, but Wix and Squarespace
are cutting corners.
I was looking at a site yesterday by some very talented
designers and engineers. Heatherwick.com. Their website
is a mess, with the noscript code inside script blocks! These
people are award winning designers with big gallery shows,
yet they can't build a website with the most basic
Another one I've noticed recently is Forbes.com. I used
to go there sometimes for news. Now there's actually no
webpage at all. Their pages are either built from script or
hide the content inside script. They're actually, in some cases,
embedding the entire HTML string inside script variables!
That's so idiotic and wasteful that it can only be a case
of trying to make their site break without script.
It's got so bad, and some of the script I see is so bizarre
and convoluted, that I recently wrote a tool to sort it out:
It's only for people who are familiar with webpage coding,
but I find it can come in handy sometimes.
I have lived in many places. It is usually more convenient to
leave an existing account <someplace> open until I can get a
new account <somewhere_else> established. And, when they WERE
mailing paper statements, there was virtually no cost to me to
KEEP those accounts open (most of my accounts have had strict
check-writing constraints -- like 3 per month). So, an extra
account would let me handle extra transactions, etc.
I know I had to maintain an account in CT for the tax man
(consultants' time has sales tax applied so they want someplace
to find you to *get* that tax!)
I can't see how anyone would consider the "1 year" time limit
to qualify for LONG term gains to really be indicative of
"an investment" (vs. a gamble).
Yes -- the code in your browser or "helper applications" that it
The exploits I mentioned previously don't require any
"remote software" to be executed from the 'net. *But*,
as each of these non-ASCII-text files requires something
to *interpret* their contents (as a photograph, audio
clip, video clip, etc.) then those non-ASCII-text files
are, essentially, *programs*! They control the behavior
of their respective "decoders" when you apply those decoders
to those files.
Bugs in those decoders can thus be exploited to compromise
the machine on which the decoders are executing. This is
because Windows (and virtually all other desktop OS's)
applies the full capabilities of the invoking user to
any program (e.g., the decoder) running on his/her behalf!
There is no way to limit what a particular program can/can't
do -- other than HOPING the program itself "behaves well".
A "capability-based" OS doesn't have this inherent limitation.
E.g., I can let *you* write a hostile program and install
it on my system. But, no matter how hard your program tries,
it won't be able to do anything that I haven't explicitly
allowed it to do. No need for you to be scribbling in the
Registry -- or even *looking* at it; no need for you to be
pushing packets out a network connection; no need for
you to be installing any files; etc. -- all you need to be
able to do is EXACTLY what *I* think you should be able to
do (show me the contents of this JPG in a graphic form, etc.)
If I email you a picture BigBoobs.jpg and you open it, then
I've enticed you to expose your JPEG decoder to whatever
contents that file may contain. Likewise if you visit a
web page with a JPEG. If I email you a receipt for a purchase
as a PDF, then the act of opening it means your "PDF decoder"
has now been tricked into "interpreting" the information
embedded in that file (just like a computer interprets a
The browser *is* executable code! The OS is executable code.
The JPG decoder is executable code. The PDF reader is executable
code. Anything that *does* anything does it by executing code!
"Vulnerabilities have been discovered in some versions of the
popular VLC media player which may allow a cyberattacker to
corrupt memory and potentially execute arbitrary code."
Note that it doesn't matter if you run VLC from your browser or
download the file and run VLC separately.
"Vulnerabilities in VLC allow for remote code execution or
denial of service. VLC also has a remote code execution
vulnerability in the web interface."
It's like the admonition from my youth regarding unwanted
pregnancies: the only SURE contraceptive is ABSTINENCE!
I.e., the only sure way to avoid these vulnerabilities is
to NOT import anything that you didn't create yourself.
"The only winning move is not to play"
| The exploits I mentioned previously don't require any
| "remote software" to be executed from the 'net. *But*,
| as each of these non-ASCII-text files requires something
| to *interpret* their contents (as a photograph, audio
| clip, video clip, etc.) then those non-ASCII-text files
| are, essentially, *programs*! They control the behavior
| of their respective "decoders" when you apply those decoders
| to those files.
That's not true. The exploits you listed all
involve a weakness in executable code -- either
Many of those *also* require a binary like Flash.
The rare exception would be something like the
gdiplus.dll bug that could be exploited with JPGs.
(Gdiplus was fairly new at the time.) Data files that
are not interpreted as executable -- whether text
or not -- are almost never a risk because they're
not doing anything. (Again, I'd be interested to
hear if there are any examples besides the one-time
JPG issue, which was many years ago.)
I've never heard of any vulnerability in HTML.
It defines graphical layout. It's not interpreted
as executable code. It's sometimes possible to
crash a browser with faulty HTML, but that's just
a case of "choking" the software. There's no
executable code involved.
| If I email you a receipt for a purchase
| as a PDF, then the act of opening it means your "PDF decoder"
| has now been tricked into "interpreting" the information
| embedded in that file (just like a computer interprets a
| computer program).
You're misusing the word interpet. A computer
doesn't interpret a program. The program itself
accesses the CPU, RAM and disk. Script is text
that's interpreted as executable code, but that
makes it just like a compiled program, in that
the interpreter is a program acting under the
direction of the script. A PDF is not interpreted
as executable code. What the PDF reader gets from
the PDF data is information about text, fonts,
colors and layout. The problems with PDF are due
| The browser *is* executable code! The OS is executable code.
| The JPG decoder is executable code. The PDF reader is executable
| code. Anything that *does* anything does it by executing code!
I don't know how many ways I can explain it.
As I said, I'd be interested to know if you find
any vulnerabilities that do not directly involve
executable code. They're few and far between.
In other words, a browser is, of course, executable
code, but you can't hijack it by telling it to draw
a table with a blue background. A browser is
hijacked by getting it to run executable code --
| > Adobe crap at all. Don't enable script. Don't install Java.
| > Don't run videos and music in browser plugins like Flash.
| > Don't enable script in your PDF viewer.
| > (For me this is easy. I don't like things moving on webpages
| > while I'm trying to read. If I want to see a video I'll
| > download it, so I can save a copy, and play it in VLC. If
| "Vulnerabilities have been discovered in some versions of the
| popular VLC media player which may allow a cyberattacker to
| corrupt memory and potentially execute arbitrary code."
That's interesting. It's good to know about
such things. But I'm not going to lose
any sleep. I'm not using a VLC browser plugin,
and there's very little motive for someone to
put a video on youtube that will attack my
system offline. Especially given that I don't
download wacky cat videos from random posters.
| Note that it doesn't matter if you run VLC from your browser or
| download the file and run VLC separately.
| "Vulnerabilities in VLC allow for remote code execution or
| denial of service. VLC also has a remote code execution
| vulnerability in the web interface."
Remote means remote. If you download a file
and play it in VLC that's not remote execution.
Remote would mean playing it via webpage or
some other way of accessing it from a remote
| It's like the admonition from my youth regarding unwanted
| pregnancies: the only SURE contraceptive is ABSTINENCE!
| I.e., the only sure way to avoid these vulnerabilities is
| to NOT import anything that you didn't create yourself.
I suppose that in the most extreme interpretation
you're right. I've decided that having sex carefully,
with my post-menopausal ladyfriend, is a "risk" I'm
willing to take. Good luck with the inflatables. :)
Then spend some time and find examples that *aren't*.
I have no skin in this game. Exploits will *always* be
in "compiled code" -- that is being tricked into doing
something that it wasn't properly designed to AVOID!
Have oyou ever read the descriptions for the updates windows
pushes? Ever notice how many claim to be to fix a "security
This is the polite way of saying the developer screwed up and
didn't anticipate someone MISUSING the code he wrote. How
does someone misuse code? Ans: they present it with "inputs"
that have been crafted to exploit unexpected patterns in
that data. I.e., violating basic ASSUMPTIONS that the developer
made -- inappropriately.
I received a nastygram from a bank many years ago claiming
that they would have to withhold a portion of my interest
income because I had not provided them with my SSN. Yet,
my SSN was printed right below my name ON THAT LETTER!
Guy who wrote the "code" to decide who should get those letters
assumed "0" (in the corporate database) would indicate "no SSN".
And, I'm sure he tried a test case with a bogus user having a
SSN of "0".
But, he implemented his test in such a way that anyone whose SSN
*began* with '0' would be seen as having *no* SSN on file. Those
of us who had SSN's issued in the Northeast ALL have SSN's
beginning with '0'. Of course, as the bank was in Colorado and
most customers were probably from that area (with SSN's that
reflected that part of the country), it took a while for the
software to stumble on folks (like me) that tickled that bug.
That bug could just as easily have decided to mail me an interest
Sit down with Google and an hour of *your* time and
I'm sure you'll be able to find lots of exploits.
PDF's are a habitual source of vulnerabilities -- largely because
PostScript is a Turing-complete programming language (and
PDF's are based on PS).
Thirty seconds with google: CVE-2014-6332
"The IBM X-Force Research team has identified a significant
data manipulation vulnerability (CVE-2014-6332) with a CVSS
score of 9.3 in every version of Microsoft Windows from
Windows 95 onward"
"The bug can be used by an attacker for drive-by attacks to
reliably run code remotely and take over the user’s machine
— even sidestepping the Enhanced Protected Mode (EPM) sandbox
in IE 11 as well as the highly regarded Enhanced Mitigation
Experience Toolkit (EMET) anti-exploitation tool Microsoft
offers for free."
All input causes a program to alter its behavior. So,
*any* input can conceivable lead to an exploit in an
inadequately designed application.
Passing letters to a program expecting digits can
cause that program to barf. The Y2K bug could
manifest in many ways based on how the date processing
code responded to the "unexpected" '2' in the leftmost
position (I've seen dates displayed as "1 January 19A0")
Passing too many characters to a program expecting a
lesser number can cause it to barf (buffer overrun).
If "barf" results in the contents of some portion
of memory being overwritten, then you can carefully
craft an exploit that puts "specific" values in that
It's a semantic difference with no consequence.
Doesn't the CPU's *hardware* "interpret* the bytes
that are fed to it via it's bus interface unit?
If I write a simulator and feed it the same byte
sequence, it is clearly interpreting the bytes
yet the result is the same.
A program processing input is a PROCESSOR. It is
interpreting the input and REACTING according to
rules that are encoded into its implementation.
Just like a CPU interprets opcodes and REACTS
according to the rules encoded in its implementation.
[You do realize that most CPU's, nowadays, are microcoded?
I.e., there are little PROGRAMS running in response to each
byte fetched. These programs *emulate* the legacy
instructions that we think of as "x86 machine language"]
No. PDF's encapsulate PostScript. Sit down with a PS
manual and WRITE A PROGRAM... IN POSTSCRIPT... to
print the numbers from 5 through 27. Then, write a PROGRAM
to convert any numeric entry to its textual equivalent;
e.g., 123 --> one hundred and twenty three.
Do this with Acroscript disabled!
Better yet, take that "program" and send it to your PostScript
*printer* (which has no concept of Jscript!). You'll find that
it generates the same correct output!
What do you mean, like files that compromise the computer WHEN THE
POWER IS OFF? When the computer is *on*, it is executing code.
The code that it executes was created by a fallible human being.
That developer's ASSUMPTIONS are embodied in the code. Exploits
take advantage of these assumptions to trick the code to do
things that it wouldn't otherwise do -- if presenteed with
CORRECT (expected) INPUT.
Sure! If the part of the browser that parses the HTML to
recognize "blue" figures the only colors that will ever be
specified in an HTML file ("input" to the browser) are
and, as a result, pinches pennies and allocated a buffer
to store the color name and allows that buffer to hold
15 characters (the length of the longest expected color
name -- "pinkpolkadotted"), then I can create a web page
that says "draw a table with a background that has the
The sloppy browser code sees the "color" keyword and then
gobbles up the next "word" -- expecting it to be a color.
Since it KNOWS the longest (legal) color name is
"pinkpoladotted", it won't be prepared for those extra 40
characters (there are 55 D's in the above example).
So, whatever resides in memory AFTER that buffer that stores
the color will be overwritten with 40 D's (the first 15 D's
will reside in the buffer).
This might have amusing effects. Or, might crash the browser.
I might, instead, have to pass a string of 5000! D's in order
to ensure something much farther away from that color bufer
gets clobbered. But, I can play around all day to see what
gives the results I seek -- I've got the same browser
available on *my* computer and I can actually WATCH to see
what gets clobbered *inside* the browser.
Or a fault in the browser's code itself!
In your last post, you suggested VLC was a way you could *protect*
yourself from browser vulnerabilities. What's your *new* scheme
given that VLC is vulnerable? Are you sure your alternative
won't also have some OTHER vulnerability?
So, I embed the instructions in the video file to do the damage that
I want OFFLINE! Remote exploits are more precious to a hacker
because *he* can then control the actions of your machine -- instead
of embedding those actions unconditionally in the exploit.
[The days of erasing hard disks as an exploit are long gone]
None of the Iranian centrifuges were internet connected...
| Have you ever read the descriptions for the updates windows
| pushes? Ever notice how many claim to be to fix a "security
| This is the polite way of saying the developer screwed up and
| didn't anticipate someone MISUSING the code he wrote. How
| does someone misuse code? Ans: they present it with "inputs"
| that have been crafted to exploit unexpected patterns in
| that data. I.e., violating basic ASSUMPTIONS that the developer
| made -- inappropriately.
That's an interesting point. If you look into the
details of those fixes you'll find, in the vast majority
of cases, that it's like your PDF, MP3 and MP4 issues:
generally focus on that because they're a big
corporation trying to "monetize" the Web. They don't
down ActiveX. IE always depended on ActiveX. MS
just couldn't afford to write the truth: "Warning!
New IE attack! You should disable ActiveX because
ActiveX is dangerous. It was a big mistake. Sorry."
Instead they have a section, way down the page,
titled "workarounds", in which they beat around the bush.
It's obvious to anyone who takes a look. It's common
sense that executable code in webpages can never
go along with security. But nobody wants to hear
that. The website owners want "rich content" and
trackability. The visitors want convenience.
You've brought out a lot of interesting points in this
discussion with your devil's advocate style of discussion,
but I think that at some point that misses the point.
You're making a big deal out of the rare exception.
Almost all the rest is things like Java, or maybe an
occasional MS Office attack that doesn't need script.
The data is online. Cisco put out a report awhile back,
for instance. Anyone can read it for themselves:
0-day browser hacks, used by everyone from the NSA
Script, script and more script. To keep focusing on
the .5% that's not script related, and that is highly
unlikely in the first place, is to skew the facts. (The
VLC player vulnerability is good to know about, but
it's very unlikely to ever be a risk. It's unlikely to ever
even be exploited, because VLC isn't widely distributed.
Even if it were exploited, I don't use it online. (Likewise,
I would never install a PDF browser plugin.) And there's
also context: Exploiting VLC would require that I
download a video from a dubious source.
What makes Adobe's stuff so bad is threefold:
1) Adobe has a bad habit of jacking up functionality
2) Adobe has a long history of trying to create a
proprietary Web by force-installing their plugins.
(Acrobat Reader installs the PDF browser plugin,
with Adobe pretending that PDF is a webpage
3) Adobe has been very successful at flooding the market
in attempts to make their products ubiquitous. Acrobat
Reader is nearly universally installed because they've been
giving it away like grocery store coupons since the 90s.
Flash is also nearly universal.
Those three things have resulted in the vast majority
of people having Flash and Acrobat Reader *and* with
both running in the browser. That's an important distinction.
Their ubiquity, their use of script, and the fact they run
in the browser, all combine to make them the most
common attack targets.
*Not using the most popular brand is one of the best
security measures because it's not a good strategy
for hackers to target software with a limited market.*
| > I've never heard of any vulnerability in HTML.
| Thirty seconds with google: CVE-2014-6332
Another 30 seconds turns up this:
"This vulnerability can be exploited using a specially-crafted web page
utilizing VBscript in Internet Explorer."
It's an IE-specific bug, requiring script. It has nothing
to do with HTML. (No one should *ever* use IE online
in the first place. It's too closely linked into Windows.)
This is what I mean about your devil's advocate
approach. You're trying to find any tiny exception to
the rule. A tiny exception does not negate the rule.
And what you're finding are not even exceptions.
By trying to carry out a good debate you're obscuring
the one critical point: The single best thing you can
measure, even using anti-virus software, comes close
to the protection afforded by disabling script.
As I said previously (and my last comment in this thread),
I have no skin in this game. If you think disabling Jscript
is The Answer to network exploits, I think you're in for a
Would you like me to send you some INFECTED PDF's? Open
them in your EMAIL client -- so your browser isn't even involved.
Then, call me when you get your machine rebooted... ;-)
| Those articles are months old,
Yes. Beginning of July. And still relevant.
| Anyway, I'm not pro or anti MS. It just IS.
| You apparently don't like MS.
Like them? If someone steals your car do you
want them arrested because you don't like them?
"Anti-MS" is just one of the common defenses of
the ostriches. Along with paranoia and tinfoil
hat silliness. All I'm doing is laying out the facts
so that people can decide for themselves. You're
the one who called the facts BS.
I'd be more than happy to wax acidic about
Apple, Google and Facebook if you like. I love
to attack Apple. :) Not because I "don't like"
them but because they're a sleazy company
with an undeserved public image of virtue. Billions
goes into creating the public images of these
companies. No one spends money to show their
The topic here just happens to be Windows 10,
so it's Microsoft's sleaze that I'm pointing out.
| Does anyone know if Microsoft will be offering a paid version of Win10
that doesn't spy on us?
I just came across a very interesting piece that's
The European Union courts have ruled American
mass citizen surveillance illegal in Europe and given
the US gov't and companies until 1/31/16 to come
up with a credible solution or be blocked from storing
private data. I don't know exactly what that implies,
but it sounds promising. Companies like MS, Google,
Apple and Facebook have built their businesses around
spying on people for targetted advertising, while
sharing that data with the US gov't. It's hard to see
how their business model can be maintained if the EU
stick to their guns. Even as this is happening, Microsoft
is threatening to go to court over demands from the
US Justice Dept that they share hotmail data stored
in Ireland. The Justice Dept is trying to claim that the
personal data of Europeans is not personal data at
all but rather is Microsoft's business data, which they
have a right to inspect! MS is apparently at least making
a show of resistance in order to not entirely lose their
credibility in the EU. It seems that the EU and the US
gov't and corporations couldn't be further from an
I'd like to see an expert business analysis of all this.
It's hard to know how it's likely to affect the US market
and American tech spying.
| >Does anyone know if Microsoft will be offering a paid version of Win10
that doesn't spy on us?
| Enterprise version.
Not exactly. I don't know whether they still sell the
so-called Enterprise version as a retail disk or not.
They may. Either way, the only version exempt from
forced updates is the corporate install under a Software
Assurance license. In other words, if you want to
be exempt from the "consumer EULA" you need to
contract with Microsoft. For that you need to be
making a very big order. Even then, it's not clear
how much spying can be stopped. You'd need to
ask some corporate IT people who've had time to
look into it. The only thing I've heard for certain is
that the corporate contract allows IT people to
block automatic updates.
| Let me do some more research.
This seems to cover it:
Enterprise is available as volume license. Even that
includes "telemetry". As I understand it, what they
mean by that is Windows calling home with usage
data. And if you use things like Cortana you're adding
to the spying. It won't work otherwise.
I would think that corporate customers would be
allowed to control contact more, but that doesn't seem
to be the case. There's no indication in what I've
read anywhere that there's any reasonable way to
even stop the auto-updating outside of a coprorate,
multi-license contract, much less the spying.
And the auto-updating is being obscured. Microsoft
have announced that they'll no longer be detailing
what's in an update. So even corporate people who
can control the updates would have to reverse
engineer them to figure out what they are. And what
if a security update is linked to new ads on the Desktop?
It looks like Microsoft have really covered all the
angles on this one. As the saying goes, they gotcha
coming and going. :)
HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.