Seems this package comes with the Opera Unite features.

Thanks for heads up, full changelog is available here:
http://www.opera.com/docs/changelogs/windows/1010/

It seems there is no option for not installing Opera Unite. I detest all these gadgets & frills. :thumbd:

I have the 10.10 update downloaded.
No way I'm installing it with Unite included.

does this release fix the high memory use?..

Opera 10.01 just auto-installed 10.10 on me without my approval, even though I specifically told it never to download or update without notifying me.

I wasn't expecting Unite. This seems inherently insecure, and a gigantic backdoor. I don't want it, and now I'm faced with a difficult situation because it got there automatically.

Does anyone have any idea about the inherent security impact Unite makes to Opera? Is there any way to strip out the Unite component and leave the browser and mail function behind?

-{ Quote: "It seems there is no option for not installing Opera Unite. I detest all these gadgets & frills. :thumbd:" }-

Yes, end of the road for me with Opera. I am sticking to 10.01 and that's it.

3,3 MB of extra crap on the installer, for feature that i will never use.

-{ Quote: "Does anyone have any idea about the inherent security impact Unite makes to Opera? " }-

Well, if you consider that browsers are usually full of holes waiting to be discovered, i certainly wouldn't want a browser with the ability to act as FTP server...

For me it's far superior risk than even p2p. At least in p2p it's a specialized software, one folder is only put on "share" and there is no 3d party plugins that could have a vulnerability of their own and exploit the program.

In Opera, you have widgets, flash, java, shockwave, pdf plugins, torrent plugin. If any of them has a hole, who says that it can't exploit the built in "Opera Unite" and take access over anything?

I really like Opera, but i prefer taking the risk of sticking to an old version, rather than install this 3,3 MB crap.

-{ Quote: "Opera 10.01 just auto-installed 10.10 on me without my approval, even though I specifically told it never to download or update without notifying me. " }-

Heh, that's why i have set my opera to NEVER check for updates... Being paranoid pays off sometimes. ;D

-{ Quote: "does this release fix the high memory use?.." }-

Opera always runs heavy on RAM and adding on the installer 25% more crap, won't help there i imagine. If you mean about memory leaks, try setting to accept all cookies. It's what was causing me huge leak with 10.0. But 10.01 seems better anyway.

-{ Quote: "Opera 10.01 just auto-installed 10.10 on me without my approval, even though I specifically told it never to download or update without notifying me.

I wasn't expecting Unite. This seems inherently insecure, and a gigantic backdoor. I don't want it, and now I'm faced with a difficult situation because it got there automatically.

Does anyone have any idea about the inherent security impact Unite makes to Opera? Is there any way to strip out the Unite component and leave the browser and mail function behind?" }-

Not so fast with your conclusions,just read all the Q/A pages.
Your shared files are in sandbox like environment,other files can't remotely assessed by others !

-{ Quote: "It seems there is no option for not installing Opera Unite. I detest all these gadgets & frills. :thumbd:" }-
Although i don't like it too i see no slowdowns with this new features. Same with their email. If you dont use it you wont even notice its there. Perhaps Opera boots slower with all these things? Anyone know? I only know Opera starting with 9.1 or so.

I installed the new version, but it seems, you have to intentionally setup opera unite for it to work.

So by default, it's not activated. So by the looks of things, I wouldn't worry about installing the new version - just don't activate and setup opera unite (by default it is not setup).

See screenshot:
213849

OT
What skin is that?

I searched for almost an eternity to find a blue coloured one, one that had the active tab in a different colour from the rest. So it was easier to see which tab you're always on.

See here: :)
http://my.opera.com/community/customize/skins/info/?id=8938

213851

Just for your interest, I always remove the fast forward and rewind buttons, only leave forward and back (also remove wand etc).

I seem to always add a 'new tab' button whenever I set this up for others, for those times when you don't want a tab added to the end, but next to the current tab you're on.

Thx looks good :)
I was using this:
http://my.opera.com/community/customize/skins/info/?id=8982
But yours is also nice and easy on the eyes.
I'm always changing skins anyway :)

-{ Quote: "Just for your interest, I always remove the fast forward and rewind buttons, only leave forward and back (also remove wand etc).

I seem to always add a 'new tab' button whenever I set this up for others, for those times when you don't want a tab added to the end, but next to the current tab you're on." }-
Yes i like it minimal too. I have removed the ugly misplaced :) google search box. Never use it. Also dont need the menu bar.

213852

The "JS" button is for fast JavaScript On/Off. Doesn't look very good but its useful.

That looks great. How did you remove the top menu bar and add the google chrome type buttons/options at the far right?

Is it an additional download?

I hope they start to make Opera even more compatible and faster on next versions...

They also have issues with proxies, and refuse or try to fixe them...

But still is my favourite browser...

@ Saraceno

To remove the Menu Bar select "File" and untick "Show Menu Bar". You wll get a new button to the upper left.

For the two buttons at right im using the compact_menu.ini and compact_toolbar.ini from here:
http://my.opera.com/drlaunch/blog/2009/06/05/my-beautiful-beautiful-opera

I just noticed he has a new setup with new .ini files. I didnt tried that yet though...
http://my.opera.com/drlaunch/blog/2009/06/18/compact-setup-new

-{ Quote: "Well, if you consider that browsers are usually full of holes waiting to be discovered, i certainly wouldn't want a browser with the ability to act as FTP server...

For me it's far superior risk than even p2p. At least in p2p it's a specialized software, one folder is only put on "share" and there is no 3d party plugins that could have a vulnerability of their own and exploit the program.

In Opera, you have widgets, flash, java, shockwave, pdf plugins, torrent plugin. If any of them has a hole, who says that it can't exploit the built in "Opera Unite" and take access over anything?

I really like Opera, but i prefer taking the risk of sticking to an old version, rather than install this 3,3 MB crap." }-

I feel completely the same way. Even if the Unite feature is switched off, how long until Malware attacks figure out how to switch it on without approval or user input? Unfortunately, bringing this up on the official Opera forums got me flamed crispier than a shikibob on an overhot grill, so I'm going to assume this feature will never be locked down.

As an aside, 10.01 has a severe security flaw. You may reconsidering using it.

-{ Quote: "I feel completely the same way. Even if the Unite feature is switched off, how long until Malware attacks figure out how to switch it on without approval or user input? Unfortunately, bringing this up on the official Opera forums got me flamed crispier than a shikibob on an overhot grill, so I'm going to assume this feature will never be locked down. " }-

The sad part about Opera, is that once upon a time, they were doing their best to honour their commercial motto "the fastest browser in the planet".

Nowdays, i am afraid they 're not, but on the other hand they seem to have taken the "Nero Syndrome", into happily adding more and more features (as if mail and torrent weren't enough) to a supposed "browser".

Just like with Nero, i don't see me following this trend. Maybe they should apply for "most bloated browser on the planet".

While having the feature "dormant" may not impact browser speed (i don't know), it sure doesn't help trimming RAM and CPU either i suppose. Cause the program has grown bigger.

Of course we both agree about the security risk.

-{ Quote: "
As an aside, 10.01 has a severe security flaw. You may reconsidering using it." }-

Really? Well, i guess i should be reviewing my options sooner than i thought.

Shame... It was my fav browser.

well as usual i'm a tad late to the party, just installed , looks like Opera has added terrific features , speed is fine. I just tired of Firefox as it's becoming a bloated behemoth, love the Opera Unite

-{ Quote: "While having the feature "dormant" may not impact browser speed (i don't know), it sure doesn't help trimming RAM and CPU either i suppose. Cause the program has grown bigger.

Of course we both agree about the security risk." }-

A shame indeed. I was partial to Opera myself for the no-nonsense approach and lightweight appeal. That they keep injecting it with crap just to stay 'competitive' with other browsers and features like Google Wave is just evidence that they've forgotten why they made the browser in the first place.

I can't say I care for their community, either. Apparently suggesting that Opera Unite is a security risk is enough to get you banned. They locked my forum thread over there, because apparently if you turn Opera Unite off, you're magically secure. I'm sure they'll all be in for a shock when the next breach hits.

-{ Quote: "Really? Well, i guess i should be reviewing my options sooner than i thought.

Shame... It was my fav browser." }-

I hate to bring bad news, but I'll link to the findings here. (http://blogs.zdnet.com/security/?p=4990) It seems Opera users now have the choice between insecurity... or insecurity.

-{ Quote: "A shame indeed. I was partial to Opera myself for the no-nonsense approach and lightweight appeal. " }-

Me too. All i want in a browser is to display well sized fonts (i seem to have a problem with that since i use 125% fonts in Win7 and browser tend to go too big or too small (Firefox) , mouse gestures, good speed and not too much configuration. Oh and i love the speed dial!Opera was good in that. IE8 is zooming 125% by default and most webpages look horrible. On 100% the fonts are too small.

-{ Quote: "
That they keep injecting it with crap just to stay 'competitive' with other browsers and features like Google Wave is just evidence that they've forgotten why they made the browser in the first place. " }-

Yes, it's like Nero. "Now we introduce Backup Utility!". Hurray! "Now we introduce to you video conversion utility". Hurray! The problem with that, is that you satisfy those who like such multi-task programs, but you make leave those who wanted " a burning program". Same goes for Opera.

-{ Quote: "

I can't say I care for their community, either. Apparently suggesting that Opera Unite is a security risk is enough to get you banned. They locked my forum thread over there, because apparently if you turn Opera Unite off, you're magically secure. I'm sure they'll all be in for a shock when the next breach hits. " }-

Yes, how naive...

From your link:

"The most serious flaw could allow a malicious attacker to take complete control of a system, Opera said in an advisory."

So that flaw with Opera Unite, would actually give the attacker a ready-to-use server on the victim's PC...

But that isn't going to happen, cause the user will have Unite disabled, right? ROFLMAO! ;D I don't read Opera's forum, but if they think that since the feature is disabled, they are "secure", they live in a very naive world of their own.

I guess the attacker in the above vulnerability will think "Oh, it's not fair to enable Opera Unite and zombify my victim using its own server, he had it disabled!" ;D :wacko:

I will try Firefox in a while, i found there is a speed dial plugin. We 'll see.

The problem with browser vulnerabilities, is that you don't know how back they go. For example, if i use Opera 9.64, is the vulnerability also there? Who knows...

Thanks for the bad news though.

Installed and was running fine until I tried to upload a video to youtube. Reverted to the previous version and was again able to upload.

-{ Quote: "Me too. All i want in a browser is to display well sized fonts (i seem to have a problem with that since i use 125% fonts in Win7 and browser tend to go too big or too small (Firefox) , mouse gestures, good speed and not too much configuration. Oh and i love the speed dial!Opera was good in that. IE8 is zooming 125% by default and most webpages look horrible. On 100% the fonts are too small.
" }-

I like large fonts and clear buttons on the browser,thats why i use AEON BIG theme ,and NOSQUINT 2.0.4 extension set for 125% on firefox.The result is perfect for me.However I use vista so not sure whEther these are compatible with W7?
ellison

I don't particularly fancy Unite, but in Opera's defense (and in defense of realism) with regard to all the talk of Unite security...

-{ Quote: "
Yes, how naive...

From your link:

"The most serious flaw could allow a malicious attacker to take complete control of a system, Opera said in an advisory."

So that flaw with Opera Unite, would actually give the attacker a ready-to-use server on the victim's PC...

But that isn't going to happen, cause the user will have Unite disabled, right? ROFLMAO! ;D I don't read Opera's forum, but if they think that since the feature is disabled, they are "secure", they live in a very naive world of their own.

I guess the attacker in the above vulnerability will think "Oh, it's not fair to enable Opera Unite and zombify my victim using its own server, he had it disabled!" ;D :wacko:" }-


One rather important thing is being ignored here. Apparently the argument is that "malware could enable Opera's Unite feature and this would be very bad." There's a problem with that argument.
1) Where would this malware come from? It can't materialize from thin air, so either the user has to install it himself or the malware has to be installed via a remote code execution exploit, such as the ones that occasionally surface in any web browser. If the user is a fool and installs the malware, then there's nothing Opera or anyone else can do about that. If the malware infects the system via a remote code execution exploit, then we come to the problem with the argument.
2) After the malware has been installed by a remote code execution exploit that allows it to run arbitrary code on the system or by the user willingly giving the malware admin privileges, why on earth would the malware bother to enable Unite when it could do far worse things? You know, things like kernel mode or user mode rootkits depending on the user's privileges, setting up a real server instead of the very primitive Unite that requires Opera to be running to work, installing keyloggers, and so on, ad nauseam.

In short, why would any malware, after it's already infected a system and has the freedom to do anything it pleases, bother to mess with something like Opera Unite that is present on relatively few systems and doesn't offer anything that the malware couldn't do itself, without Unite? I don't think it's exactly very likely that we'll ever see ITW malware that tries to enable Unite for its own ends...


The real security issue with Unite is that it's just more code, and more code means more vulnerabilities. The same problem would exist if Unite wasn't a kind-of web server, but a simple local media player instead.


As far as bloat is concerned, I think it rather depends on one's definition of the word. One might note that Firefox without any extensions takes practically as much hard disk space as Opera, but Firefox has far fewer features than Opera out of the box - no mail client, no BT, no mouse gestures, nothing. Personally, using my definition of the word bloat and my experience with the browsers, Firefox by far is the more bloated browser, being pretty much as large as Opera on the hard disk but having far less features out of the box, and still being slower to start, browse and taking more memory.

-{ Quote: "I like large fonts and clear buttons on the browser,thats why i use AEON BIG theme ,and NOSQUINT 2.0.4 extension set for 125% on firefox.The result is perfect for me.However I use vista so not sure whEther these are compatible with W7?
ellison" }-

Thanks, i may try it, but i just installed FF and didn't like it much. Too much CPU, font size too small (i mean in webpages, not the GUI)...

I installed Opera 10.10 over Shadow Defender. Upgrade installation.


Yeah, Opera Unite is "disabled", huh?

http://img100.imageshack.us/img100/2017/52339325.png

This alert from Windows Firewall comes only when you have server application running. Normal Opera prior to Unite never had this alert. I only have this for Torrent and EMule. So much for disabled.


Then i go to about:config, in webserver section:

http://img685.imageshack.us/img685/4291/12441275.png

Doesn't sound very disabled to me. It's set to even use UPnP to auto-open the router ports. Not to mention the "always on".

These are defaults, nothing touched.

I may go back to Opera 9.64... FF seems too much CPU hungry, although quicker for me, but also the font sizing is horrible and i tried the speed dial plugin and i didn't have a clue how to configure it. You must be a rocket scientist to use that compared to easyness of Opera.

Probably i 'll put Opera 9.64 and hope the vulnerabilities didn't apply there... I 've a friend that was using for years IE 5. He even said that he was feeling more secure because nobody cared to make exploits against such an outdated version. Maybe i should do the same with Opera and bet on 9.64. ;D


This is what i am talking about fonts. When i was in XP, IE was great in that and same as Opera. FF was always weird, i always had to increase font size.

In 7, again using 125% DPI, IE is worse than Opera, for my taste.

Opera: perfect fonts, nice bold on the left column, photo crisp.

http://img692.imageshack.us/img692/5129/33918876.png

Default IE (125% zoom). Seems too stretched, photo blurred from the zoom:
http://img685.imageshack.us/img685/633/70259629.png

IE set at 100%: Fonts too small, photo crisp.
http://img504.imageshack.us/img504/1680/94420416.png


FF at default is more like IE at 100%, only worse.

In XP IE was just like Opera. In 7 it's all messed up...

So i will prolly stay with 9.64

-{ Quote: "Thanks, i may try it, but i just installed FF and didn't like it much. Too much CPU, font size too small (i mean in webpages, not the GUI)...

" }-

No squint will sort the web page font size (and images) for you
https://urandom.ca/nosquint/
Cant help you with the cpu problem though
ellison

-{ Quote: "
One rather important thing is being ignored here. Apparently the argument is that "malware could enable Opera's Unite feature and this would be very bad." There's a problem with that argument.
1) Where would this malware come from? It can't materialize from thin air, so either the user has to install it himself or the malware has to be installed via a remote code execution exploit, such as the ones that occasionally surface in any web browser. " }-

Yes. Mentioned vulnerability previously.

-{ Quote: "
2) After the malware has been installed by a remote code execution exploit that allows it to run arbitrary code on the system or by the user willingly giving the malware admin privileges, why on earth would the malware bother to enable Unite when it could do far worse things? " }-

Because enabling unite would be more sneaky? Because i have Unite enabled without getting an UAC alert even if i have max setting?

-{ Quote: "
You know, things like kernel mode or user mode rootkits depending on the user's privileges, setting up a real server instead of the very primitive Unite that requires Opera to be running to work, installing keyloggers, and so on, ad nauseam. " }-

But, the kernel mode rootkit would have to pass Win7's x64 patchguard and UAC , right?

-{ Quote: "
In short, why would any malware, after it's already infected a system and has the freedom to do anything it pleases, bother to mess with something like Opera Unite that is present on relatively few systems and doesn't offer anything that the malware couldn't do itself, without Unite? I don't think it's exactly very likely that we'll ever see ITW malware that tries to enable Unite for its own ends..." }-

Because i just installed Opera 10.10 and Unite was asking from Win7 firewall server rights, which if i were "joe Doe" i would happily grant, laying the way for the exploit.

I don't think ITW malware would try to make different things, including taking advantage of my Utorrent, but you know how they say that p2p for example are a risk.

The issue here is. Utorrent, i want it, so it's an accepted risk. A local server i don't want it, so why run the risk, based on the probability that most likely i won't encounter a malware that will try to take advantage?

It's the same reasoning with fixing most of browser vulnerabilities, including the one in 10.01. Is there a proven malware ITW for that vulnerability? No, it's a POC. So why fix it? Because if it doesn't remain a POC, you let your users vulnerable.


-{ Quote: "
As far as bloat is concerned, I think it rather depends on one's definition of the word. One might note that Firefox without any extensions takes practically as much hard disk space as Opera, but Firefox has far fewer features than Opera out of the box - no mail client, no BT, no mouse gestures, nothing. Personally, using my definition of the word bloat and my experience with the browsers, Firefox by far is the more bloated browser, being pretty much as large as Opera on the hard disk but having far less features out of the box, and still being slower to start, browse and taking more memory." }-

Well, to FF's defence, on my PC is notably faster than Opera. For me bloat is adding features that are 1) not related to the main purpose of the program , 2) are not needed. For me , FF may be more inefficient in the way that is coded and thus eats more CPU (i don't care about disk space). I don't consider that bloat. It's "heavy". I consider bloat making for example a registry cleaner and then adding defragmenter, system optimizer, calendar, password manager, etc.

-{ Quote: "No squint will sort the web page font size (and images) for you
https://urandom.ca/nosquint/
Cant help you with the cpu problem though
ellison" }-

Well, since i m still at Shadow Defender, i may as well try that too. Thanks.

-{ Quote: "No squint will sort the web page font size (and images) for you
https://urandom.ca/nosquint/
Cant help you with the cpu problem though
ellison" }-

Dear Ellison, you saved me! This NoSquint is awesome! Basically i 've set no zoom for photos, 120% for text and it's pretty close to Opera. The rendering isn't always identical , after all they have different engine, but it feels very "natural". Actually Wilders' is the most "strange" site till now. All fonts seem "bigger" than normal. But, i guess one gets used to it.

This and "mouse gestures" could be all i need. I am not fond of too many addons.


A question. Once you install Firefox plugins (addons) from the web, is the a way to save them for an offline installation for the future?

-{ Quote: "Because enabling unite would be more sneaky? Because i have Unite enabled without getting an UAC alert even if i have max setting?" }-

It wouldn't be very sneaky at all. Especially not when the user could easily see that Unite is enabled in the menus and a possible software firewall may ask for server rights for Unite and other such things. Now, obviously the malware could try to hide these things by for example killing the firewall and manipulating Opera's GUI, but that would require doing things much worse than enabling Unite, which begs the question why they would bother with Unite when they could just install a real server that would also work better, be easier to hide and would not depend on Opera running on the system. (What if the user uninstalls Opera? There goes malware's server? More importantly, what if the user does not have Opera installed, like most internet users don't?) Quite frankly, it don't make any sense for malware to go enabling Unite if it already has that kind of system access. If it has that kind of access, it can do anything it pleases without Unite.

-{ Quote: "But, the kernel mode rootkit would have to pass Win7's x64 patchguard and UAC , right?" }-

It's not exactly difficult to bypass UAC. Or PatchGuard. They're not security boundaries. UAC is for limited user compatibility, and PatchGuard for stability. They are not very effective as security features. People that do rely on them as security features are likely to be disappointed sooner or later.

And whereas x64 driver signing requirement can make kernel rootkits more difficult to install, a kernel rootkit is not required to do things that are much worse for the user than somehow abusing Opera Unite. You can keylog without kernel mode rootkits, you can hide things without kernel mode rootkits, you can set up a server without kernel mode rootkits, without UAC ever uttering a word...

-{ Quote: "Because i just installed Opera 10.10 and Unite was asking from Win7 firewall server rights, which if i were "joe Doe" i would happily grant, laying the way for the exploit.

I don't think ITW malware would try to make different things, including taking advantage of my Utorrent, but you know how they say that p2p for example are a risk. " }-

If you grant server rights to Unite, it's no different than granting server rights to any other software. You open a port, and expose the app holding that port open and listening to traffic to possible attacks. That's how it always goes.

As for P2P being a risk, it's that because of the sharing of files of questionable content (many are malware infected), adding yet another potentially vulnerable software on the system, and opening up ports. It's not considered a risk because some malware might enable a P2P program that you've installed but are not using yet. If malware could do that, it could already do far worse things. Aren't we concerned that malware could use Windows disk tools to format our hard drives? I'm not, because to do that, the malware would have to get access to the system, and at that point, it doesn't need Windows' own tools to format the drive.

-{ Quote: "The issue here is. Utorrent, i want it, so it's an accepted risk. A local server i don't want it, so why run the risk, based on the probability that most likely i won't encounter a malware that will try to take advantage?

It's the same reasoning with fixing most of browser vulnerabilities, including the one in 10.01. Is there a proven malware ITW for that vulnerability? No, it's a POC. So why fix it? Because if it doesn't remain a POC, you let your users vulnerable." }-

I'm not saying you should run the risk. If you don't like Unite, don't use it. I don't use software that I don't like, neither should anyone else (unless they have a really good reason, like being forced to do so). Any fans of Opera that hate Unite should send feedback to Opera devs if they really care about the subject so strongly. I'm only saying that malware turning on Unite isn't exactly something worth worrying about. If you've got malware on your system that has enough access to turn on Unite, you have far bigger problems than just Unite. Like rootkits, keylogging, and basically everything.

Fixing vulnerabilities is a rather different case. Those are coding mistakes - something is working in a way it was never supposed to work, and this is causing a security weakness. In Unite's case, there is no vulnerability that has yet been discovered. Unite exists in Opera by design, and can be turned on by design.

-{ Quote: "A question. Once you install Firefox plugins (addons) from the web, is the a way to save them for an offline installation for the future?" }-
Yes with another addon :D called FEBE.
https://addons.mozilla.org/de/firefox/addon/2109

Unite is off by default:

-{ Quote: "It wouldn't be very sneaky at all. Especially not when the user could easily see that Unite is enabled in the menus and a possible software firewall may ask for server rights for Unite and other such things. " }-

But upon installation it already is enabled and already asked for server rights! A not so suspicious user would reply "Yes" to the Win7 firewall prompt, since he was just installing Opera, Opera was giving prompt, why not allow it!
As for the menus, i see nothing different than my previous Opera version by looking the interface, yet it tried to get server rights.

-{ Quote: "
Now, obviously the malware could try to hide these things by for example killing the firewall and manipulating Opera's GUI, but that would require doing things much worse than enabling Unite, which begs the question why they would bother with Unite when they could just install a real server that would also work better, be easier to hide and would not depend on Opera running on the system. " }-

No, you are "Bob", not techie, and you already gave firewall server rights when you first installed Opera. The malware has already server rights. BTW, firewall alert is an issue with your hypothetical kernel malware too. Only it may raise more suspicion.

-{ Quote: "
(What if the user uninstalls Opera? There goes malware's server? More importantly, what if the user does not have Opera installed, like most internet users don't?) Quite frankly, it don't make any sense for malware to go enabling Unite if it already has that kind of system access. If it has that kind of access, it can do anything it pleases without Unite. " }-

The "attacker" could use unite as a more sneaky road and since he has complete control over the PC, he can then proceed to plan B if something goes wrong with Opera? What if the user doesn't have Opera? He isn't vulnerable... I guess with the mentality "what if the user doesn't have Opera", no vulnerabilities that have ITW exploit should ever be fixed...

-{ Quote: "
It's not exactly difficult to bypass UAC. Or PatchGuard. They're not security boundaries. UAC is for limited user compatibility, and PatchGuard for stability. They are not very effective as security features. People that do rely on them as security features are likely to be disappointed sooner or later. " }-

The question isn't whether it is difficult. It is whether it is easier to use a ready server, rather than trying to bypass the UAC and Patchguard. Or rather, why bypass UAC and patchguard when as first option you can have to use what's already there...

-{ Quote: "
And whereas x64 driver signing requirement can make kernel rootkits more difficult to install, a kernel rootkit is not required to do things that are much worse for the user than somehow abusing Opera Unite. You can keylog without kernel mode rootkits, you can hide things without kernel mode rootkits, you can set up a server without kernel mode rootkits, without UAC ever uttering a word...
" }-

The question again is, why try to bypass the driver signing, to avoid to the infamous "compatibility mode", when you can use unite without having to bypass anything?

-{ Quote: "
If you grant server rights to Unite, it's no different than granting server rights to any other software. You open a port, and expose the app holding that port open and listening to traffic to possible attacks. That's how it always goes. " }-

1) Unite , actually Opera, asks for server rights immediately. A "normal" user, will grant them. He just installed Opera, why not!

2) Having a webserver running is not just like any other software that can act as server. It is much easier to exploit the Unite , for which "joe doe" already gave probably access when he installed , because it's a webserver, than to exploit for example Torrent. Because in that case, you will have to make a specific exploit for Torrent.

-{ Quote: "
As for P2P being a risk, it's that because of the sharing of files of questionable content (many are malware infected), adding yet another potentially vulnerable software on the system, and opening up ports. It's not considered a risk because some malware might enable a P2P program that you've installed but are not using yet. If malware could do that, it could already do far worse things. " }-

It's not just what you download. There also "trojanised" versions of p2p programs as well as remotely exploitable vulnerabilities of the p2p software itself, which is why in all p2p comunities is always adviced to update your client regularly.

Quick example here:

http://marc.info/?l=bugtraq&m=113838669027765&w=2

http://torrentfreak.com/soulseek-p2p-application-vulnerable-to-remote-takeover-090530/

-{ Quote: "
Aren't we concerned that malware could use Windows disk tools to format our hard drives? I'm not, because to do that, the malware would have to get access to the system, and at that point, it doesn't need Windows' own tools to format the drive. " }-

I am concerned in general about risks. I don't say "Since this risk is bigger, i shouldn't worry about lesser ones". That's my mentality. Since i don't have use for a webserver, why have it "onboard"? Isn't that adding yet another risk?


-{ Quote: "
I'm not saying you should run the risk. If you don't like Unite, don't use it. I don't use software that I don't like, neither should anyone else (unless they have a really good reason, like being forced to do so). " }-

It's what i intend to do. The problem is that it's part of Opera, so i can't use Opera either...

-{ Quote: "
Any fans of Opera that hate Unite should send feedback to Opera devs if they really care about the subject so strongly. I'm only saying that malware turning on Unite isn't exactly something worth worrying about. If you've got malware on your system that has enough access to turn on Unite, you have far bigger problems than just Unite. Like rootkits, keylogging, and basically everything. " }-

If they have some easy to find email , i will be happy to mail the devs.

I think a malware actually needs less access to turn on unite , than to bypass the signed drivers of Win7x64 and UAC. That's what worries me. And since it's a possibility, why leave it... I mean, i 've used p2p always. It's a risk. When i read about a vulnerability, i make sure i have the newest fixed version. You could say "How probable is that someone makes a malware to exploit remotely your p2p client?" Very low. But, the devs fix it, because very low isn't zero. I think that's in general why browsers fix vulnerabilities even if there is no ITW malware.

-{ Quote: "
Fixing vulnerabilities is a rather different case. Those are coding mistakes - something is working in a way it was never supposed to work, and this is causing a security weakness. In Unite's case, there is no vulnerability that has yet been discovered. Unite exists in Opera by design, and can be turned on by design." }-

Is there ever, any vulnerability in any software and specially browsers, before it gets discovered? :P All code in a browser, exists there by design. The problem is when the code is "bad", allowing vulnerability, not whether it's was there by design. I mean, i don't understand that.

If a vulnerability on Unite exists, say, being exploited remotely , will it matter if Unite was there by design??? What will matter is that it is exploitable!

Anyway, No Squid is nice, but fonts in Wilder's are way too big, i will put back 9.64.

-{ Quote: "Yes with another addon :D called FEBE.
https://addons.mozilla.org/de/firefox/addon/2109" }-

Hmm, this was what made me leave FF for Opera in the first place. Why don't they put some basic features by default? Like mouse gestures...

It's always "another addon"...


-{ Quote: "Unite is off by default:" }-

Off by default, but asks for server rights on Win7 firewall and on about:config shows always on? That's a non configured server maybe. But doesn't sound completely off.

Anyway, i m not going to use it.

My concern with Unite isn't as much about security as bloat.
It's a tool that I don't want or need.

-{ Quote: "

A question. Once you install Firefox plugins (addons) from the web, is the a way to save them for an offline installation for the future?" }-

This one is excellent
http://mozbackup.jasnapaka.com/
You can choose whether to back up addons, cookies, bookmarks etc
A fine utility :thumb:

-{ Quote: "This one is excellent
http://mozbackup.jasnapaka.com/
You can choose whether to back up addons, cookies, bookmarks etc
A fine utility :thumb:" }-

Thanks, but unless i figure out something else about the fonts, i will go back to Opera 9.64. Text at 120% with no squid, works perfectly for most sites. But in Wilders' things are desperate.

With Opera:

http://img522.imageshack.us/img522/7469/84730835.png

With FF:

http://img688.imageshack.us/img688/4696/74258722.png

I guess i could use "per site" settings, but i hate even the idea of that. I ll see if i can find something in actual type of fonts used that is different.

-{ Quote: "Unfortunately, bringing this up on the official Opera forums got me flamed crispier than a shikibob on an overhot grill" }-That is always the case at the Opera forum. It is heavily populated by fan-boys. Ergo, anyone with a discouraging word is flamed &/or exiled very quickly.

-{ Quote: "As an aside, 10.01 has a severe security flaw. You may reconsidering using it." }-So I'm in trouble if I stay with 10.01, & I'm stuck with unwanted bloat if I move to 10.10. Oh well... back to K-meleon.

-{ Quote: "But upon installation it already is enabled and already asked for server rights! A not so suspicious user would reply "Yes" to the Win7 firewall prompt, since he was just installing Opera, Opera was giving prompt, why not allow it!
As for the menus, i see nothing different than my previous Opera version by looking the interface, yet it tried to get server rights." }-

Wait, I'm a tad confused here. You're clearly saying that malware could enable Unite without the user knowing it, but apparently you're also saying that Unite is enabled upon installation? ... How can malware secretly enable Unite if it's already enabled by default? ??? Either Unite is enabled by default and malware can't sneakily enable it (because it's already enabled), or it's not enabled by default and malware could enable it, but probably won't, since that wouldn't be very useful for anything.

As far as the menus are concerned, 10.10 has a new entry in the Tools menu "Opera Unite Server" that did not exist before, and that says whether Unite is enabled or not. There's also a new Panel that does the same and more.

-{ Quote: "No, you are "Bob", not techie, and you already gave firewall server rights when you first installed Opera. The malware has already server rights. BTW, firewall alert is an issue with your hypothetical kernel malware too. Only it may raise more suspicion." }-

No, malware doesn't have server rights. Opera does. Opera is not the malware, and the malware has to come from somewhere and infect the system before it can do anything at all to Opera. If you get your system infected with malware, it does not need Opera to do what it wants. Sure, it could use Opera for traffic, or it could use IE, Firefox, or any of dozens of Windows' own executables. Or it could just use its own functionality or third party software that does it much better than Opera's unite.

As for firewall alerts being an issue for kernel malware, the answer is simply no. Any malware that has gotten in the kernel can easily bypass a software firewall without the firewall ever seeing the traffic or warning the user about it.

-{ Quote: "The "attacker" could use unite as a more sneaky road and since he has complete control over the PC, he can then proceed to plan B if something goes wrong with Opera? What if the user doesn't have Opera? He isn't vulnerable... I guess with the mentality "what if the user doesn't have Opera", no vulnerabilities that have ITW exploit should ever be fixed..." }-

Except that Unite is not a more sneaky road, especially not for a malware that has complete control over the PC. You do realize, do you not, that if you've got complete control of the PC, you can setup a kernel or user mode rootkit hiding a real heavy duty web server software of your choice on the system? Or malware could use Windows' own BITS service to sneak data out. That would be a million times more sneaky than playing with Unite.

You're completely missing the point here. All vulnerabilities should be fixed. But what we're talking about here is not a vulnerability. It's a very odd scenario where a malware that already has complete control over a system uses Opera Unite for some incomprehensible reason, even when it has far better options. Realize that if you got infected by malware, and it got full control over the system, then even if you don't have Opera or Unite on the system, the malware can still set up a file server if it wants to. Unite, like any piece of code, potentially has security issues. But those issues aren't "malware could maybe enable this feature, even though there's absolutely no reason to when it could do the same things better without enabling this feature".

-{ Quote: "The question isn't whether it is difficult. It is whether it is easier to use a ready server, rather than trying to bypass the UAC and Patchguard. Or rather, why bypass UAC and patchguard when as first option you can have to use what's already there... " }-

You don't need to bypass UAC or PatchGuard to run a file server. The malware can do that without PatchGuard or UAC doing anything. Malware can also perform keylogging without UAC or PatchGuard doing anything. Malware can delete user files without UAC or PatchGuard doing anything. And so on, ad nauseam. You need to do some reading on UAC and PatchGuard to understand what they do and what their limitations are. They prevent only a very select few things and can't hold up against an attack by someone who knows about them.

And it is easier for a malware to use its own component for serving files, because Unite is very primitive, unlikely to be present (most people don't use Opera) and dependent on Opera. Unite is simply a poor choice for malware purposes.

-{ Quote: "The question again is, why try to bypass the driver signing, to avoid to the infamous "compatibility mode", when you can use unite without having to bypass anything?" }-

You don't have to try to bypass anything, because you can run a file server without bypassing anything, UAC, PatchGuard, or without using Unite. That's why I'm saying that it's pointless to consider malware possibly enabling Unite as a threat.

-{ Quote: "
2) Having a webserver running is not just like any other software that can act as server. It is much easier to exploit the Unite , for which "joe doe" already gave probably access when he installed , because it's a webserver, than to exploit for example Torrent. Because in that case, you will have to make a specific exploit for Torrent." }-

A server is a server. If you run a web server, then you open yourself up to the vulnerabilities in that web server software. If you run a torrent application, you open yourself up to the vulnerabilities in that torrent application. Whatever server software you're going to exploit, you're going to have to make a specific exploit for that software or at least any server software it shares the same vulnerability with (that can happen). Of course, different server programs in different configurations carry different risk. If you're doing a one-time direct file transfer with some IM program and opening a random port for that for one single other IP for about five minutes, that's quite a bit different than keeping Apache running for 24/7 serving a complex web site where users can upload content.

-{ Quote: "It's not just what you download. There also "trojanised" versions of p2p programs as well as remotely exploitable vulnerabilities of the p2p software itself, which is why in all p2p comunities is always adviced to update your client regularly." }-

I don't recall saying it's just what you download. I'll just quote myself: "As for P2P being a risk, it's that because of the sharing of files of questionable content (many are malware infected), adding yet another potentially vulnerable software on the system, and opening up ports."

As far as trojanized version of P2P programs are concerned, I don't consider that a risk of P2P, I consider it a risk of using software from untrusted sources. You can just as easily create trojanized browsers, email clients, or text editors as you can P2P applications.

-{ Quote: "I am concerned in general about risks. I don't say "Since this risk is bigger, i shouldn't worry about lesser ones". That's my mentality. Since i don't have use for a webserver, why have it "onboard"? Isn't that adding yet another risk? " }-

My mentality is "Understand the risks, and don't worry about those things that are not risks." It is pointless to worry about malware that already has full access to your system enabling some features in software you've already installed. You should worry about the malware that has full system access. Stop the malware, and you stop the problem. If you start thinking about what malware could do when it's got full system access, then you're in a hopeless situation if you intend to solve the problem by removing features from installed software so that malware can't enable them. The reasons are obvious: 1) the very operating system itself has tons of features that malware could use if it wanted and you can't even delete those features or uninstall them in any way, 2) if malware has full access, it can just install anything it likes, so if it really wants to play with Unite, it'll just download it from the net if you don't have it installed and even if Unite comes in a separate installer. In short, if you let your system be infected with malware, then it's game over, and it doesn't matter at all what software you have installed or haven't. The malware can do what it wants. Unless your head or some security software or feature can prevent it from infecting the system.

If you don't want a webserver, don't install one. That is certainly wise. The less software you have on the system, the less vulnerabilities you have on the system. This can cut down on the number of vulnerabilities that could be exploited to infect the system in the first place. If the problem is that your favourite browser has a webserver that you don't want, then there is no other solution than deciding whether you like the browser more than you dislike the webserver. At least, that's how it is unless you can convince the makers of the browser to stop including Unite.

-{ Quote: "If they have some easy to find email , i will be happy to mail the devs." }-

They certainly have developer blogs, and there's an Opera forum. http://my.opera.com/desktopteam/blog/ I would imagine that an email address should be easier to find than writing long posts on message boards would be. :)

-{ Quote: "I think a malware actually needs less access to turn on unite , than to bypass the signed drivers of Win7x64 and UAC. That's what worries me. And since it's a possibility, why leave it... I mean, i 've used p2p always. It's a risk. When i read about a vulnerability, i make sure i have the newest fixed version. You could say "How probable is that someone makes a malware to exploit remotely your p2p client?" Very low. But, the devs fix it, because very low isn't zero. I think that's in general why browsers fix vulnerabilities even if there is no ITW malware." }-

Things that malware can do on your system without doing anything to bypass UAC, PatchGuard or driver signing, or even requiring admin privileges:
- hide files and processes and anything with a user mode rootkit
- keylog passwords and other sensitive data and send them to the attacker
- destroy or steal any file the user has write access to, like the user's profile folders
- set up a spam bot, DDoS bot or a web server
- use the computer as a proxy server for shady activities
- redirect your web traffic to malicious or obscene pages (for example, by loading a malicious DLL into your browsers to do this)
- or malware could hope you have Opera 10.10 installed and secretly enable Unite, and be really, really evil... ;D

I repeat, malware can do all of this, and more, without UAC or PatchGuard ever doing anything to stop it or to inform the user. This is why Unite being enabled by some malware isn't a problem. If malware has enough access to enable Unite (which, by the way, requires you to have an account at Opera or it won't work) it has enough access to do things a million times worse without Unite.

It's not about probabilities. It's about logic. If your system is already compromised, the issue is not that the malware could use your installed software for malicious purposes. The issue is that your system is compromised by malware. Fix the real problem.

-{ Quote: "Is there ever, any vulnerability in any software and specially browsers, before it gets discovered? :P All code in a browser, exists there by design. The problem is when the code is "bad", allowing vulnerability, not whether it's was there by design. I mean, i don't understand that.

If a vulnerability on Unite exists, say, being exploited remotely , will it matter if Unite was there by design??? What will matter is that it is exploitable!" }-

All vulnerabilities exist before being discovered. How could they be discovered if they did not exist? :) The problem is that you don't know what vulnerabilities do exist, if any. If you knew, then they would be already discovered and known to you.

Whether something is by design or not is critically important. Unite exists by design, and can be enabled by design. But if Unite had a vulnerability that for example allows anyone who connects to a Unite file sharing service to execute arbitrary code on the system, that is not by design - unless the developers made it intentionally as a secret backdoor. The "by design" thing is important because it dictates the response to any perceived issue with the software. If Unite has some vulnerability that is exploitable, then that vulnerability will be fixed when discovered, if possible, because Unite was not designed to work that way, the vulnerability was created by a coding mistake, not by intentional design. On the other hand, if Unite was not in Opera by design, but somehow got in accidentally, then they'd just fix any vulnerabilities by removing Unite entirely, since it's not there by design.

The point here: Unite is not a vulnerability. It's a piece of software that most likely has vulnerabilities. What we are discussing here is not a vulnerability that has been discovered. It is a very contrived scenario where a malware that already owns the system starts playing with Unite when it could do the same thing better without playing with Unite.

When and if real vulnerabilities in Unite are found, those are security issues. But the ability for malware to enable Unite after malware has owned the system is not a security issue.

Long post, but perhaps it hammers in the point. ;D

-{ Quote: "How can malware secretly enable Unite if it's already enabled by default? ??? Either Unite is enabled by default and malware can't sneakily enable it (because it's already enabled), or it's not enabled by default and malware could enable it, but probably won't, since that wouldn't be very useful for anything." }-
You know, how about actually USING Opera, and then come and try to engage in debate? That courtesy would save people the trouble of having to correct the most basic of mistakes with your statements, such as not knowing that Opera asks for server rights regardless of whether Unite is enabled or not.

And why would Opera Unite be "not very useful for anything" to a hacker? You have the potential of transforming the attacked machine into a web server. I don't know if there's anything more useful to a hacker than that.

I didn't bother to read the rest of your post, which was irrelevant drivel. The simple fact is that Unite introduces an extra - and VERY powerful - mechanism for malware to take advantage of, lowering the bar for a successful attack and elevating the potential severity of the payload. How the hell is that a good thing?

I took the plunge and read Windchild's post. ;) It was good reading. :thumb:

What I took from it, if people are worried what malware will do once it has infected a system, and if it will use Opera Unite for malicious purposes... people should be more worried about the malware being on the system in the first place and what it could do by itself (without the aid of what it will do with Opera Unite).

Also there are far better ways for malware to cause damage to a user's system or extract information from a user (keylogging - using windows services), than for malware to rely on Opera Unite to do its dirty work (in a browser which has almost an insignificant small market share).

Also any problems will most likely be rectified by developers. I understand the concerns by users here, but nothing has actually happened to any users, so for the time being, I wouldn't worry (there is more chance of Windows posing a security risk than Opera).

-{ Quote: "You know, how about actually USING Opera, and then come and try to engage in debate? That courtesy would save people the trouble of having to correct the most basic of mistakes with your statements, such as not knowing that Opera asks for server rights regardless of whether Unite is enabled or not." }-

I have used Opera (yes, also 10.10), and I do know that Opera asks for server rights whether Unite is enabled or not. But then, it also asks for server rights when you use the built in BT client, and that ain't Unite's doing. I did not claim otherwise. What I did claim is that you can't have it both ways: you can't secretly enable something that is already enabled, or the other way 'round. By default, Unite is not enabled, and I sure don't know of any way to remotely enable it. Do you? If a malware running locally enables it, that's one thing - but that malware could just as easily start a real web server instead of silly Unite.

-{ Quote: "And why would Opera Unite be "not very useful for anything" to a hacker? You have the potential of transforming the attacked machine into a web server. I don't know if there's anything more useful to a hacker than that." }-

Because Unite is a pretty primitive thing, because most people don't use Opera, and because using Unite to transform the attacked machine into a web server in your control most likely requires the attacker to have the kind of system access that would allow him to do the very same thing and worse things without using Unite. If you believe I'm wrong about this, please do explain the mistake in my thinking.

-{ Quote: "I didn't bother to read the rest of your post, which was irrelevant drivel. The simple fact is that Unite introduces an extra - and VERY powerful - mechanism for malware to take advantage of, lowering the bar for a successful attack and elevating the potential severity of the payload. How the hell is that a good thing?" }-

I have not said that Unite is a good thing, have I. Please feel free to quote where I said so, if you think I did. As I remember it, I said that I don't fancy Unite, and that it, like any software, is likely to have vulnerabilities of its own. My point in this thread has been that malware or a human attacker can't just magically jump on the system and enable Unite. It has to get access to the system first, exploiting either user stupidity or a software vulnerability. Either way, it's highly likely that a successful exploit of either will give the attacker system access that allows for doing far worse things than enabling Unite. Therefore, I don't see how malware enabling Unite on a system is a threat or security issue. If malware has that kind of access, what's stopping it from downloading and installing a better, more effective server software and hiding that with rootkit? Which, by the way, is something that attackers have already been doing for a long while, without Unite.

I don't think I like Unite much more than you do, and it's not something I would use. But I try to maintain some level of realism. Unite can be an issue because more code means more vulnerabilities. But malware enabling it in secret really isn't something you should spend your days worrying about. It might be wiser to stop the malware from getting on your system in the first place.

-{ Quote: "@ Saraceno

To remove the Menu Bar select "File" and untick "Show Menu Bar". You wll get a new button to the upper left.

For the two buttons at right im using the compact_menu.ini and compact_toolbar.ini from here:
http://my.opera.com/drlaunch/blog/2009/06/05/my-beautiful-beautiful-opera

I just noticed he has a new setup with new .ini files. I didnt tried that yet though...
http://my.opera.com/drlaunch/blog/2009/06/18/compact-setup-new" }-

:thumb: I'll give these a go.

-{ Quote: "I like large fonts and clear buttons on the browser,thats why i use AEON BIG theme ,and NOSQUINT 2.0.4 extension set for 125% on firefox.The result is perfect for me.However I use vista so not sure whEther these are compatible with W7?
ellison" }-

Thanks for the tip on the firefox theme. I know a few people that have always wanted a large theme, and Aeon Big Theme would work along with nosquint. Good stuff. :)

-{ Quote: "I have used Opera (yes, also 10.10), and I do know that Opera asks for server rights whether Unite is enabled or not. But then, it also asks for server rights when you use the built in BT client, and that ain't Unite's doing. I did not claim otherwise." }-
Wrong again. Unite-enabled builds automatically request server rights upon startup.

-{ Quote: "If a malware running locally enables it, that's one thing - but that malware could just as easily start a real web server instead of silly Unite." }-
"Just as easily"? Oh, come on. Which is easier: writing your own web server while trying to keep the code compact, or simply turning on and configuring one that is already there?

-{ Quote: "because most people don't use Opera" }-
Security via obscurity is a broken model. It does nothing but provide you with a false sense of security, and that's the best-case scenario.

-{ Quote: "and because using Unite to transform the attacked machine into a web server in your control most likely requires the attacker to have the kind of system access that would allow him to do the very same thing and worse things without using Unite." }-
It's also easier because there's already a web server - produced by a legitimate company, and most likely trusted by the user - installed on the target computer

-{ Quote: "My point in this thread has been that malware or a human attacker can't just magically jump on the system and enable Unite. It has to get access to the system first, exploiting either user stupidity or a software vulnerability." }-
Which is irrelevant in this thread because everyone already knows that. We're not idiots who need to listen to you rambling on and on for pages stating the obvious. People don't like Unite not because they're paranoid and worried about the sky falling on their heads or monsters popping out of thin air, they don't like Unite because of the legitimate and inherent security risks of having web server software installed on their PCs. And to that you have (as of yet) nothing useful to say.

-{ Quote: "Wrong again. Unite-enabled builds automatically request server rights upon startup." }-

I really do fail to see where I was wrong about that. Perhaps you ought to read my post again. I did not say anything about whether Unite will cause server rights to be requested on browser startup or at some other point in time. But if you're interested in that, sure, in my experience Opera's BT asks for server rights only at the point in time when you actually try to use that feature, whereas Unite seems to ask either 1) on browser startup or 2) if you turn Discover Local Opera Unite Users off, less predictably and sometimes not at all if you don't leave the browser running for hours. I don't see what this has to do with whether Unite is enabled by default or not, though. Asking for server rights does not equal Unite's web server being enabled and serving your files for the whole wide interweb.

-{ Quote: ""Just as easily"? Oh, come on. Which is easier: writing your own web server while trying to keep the code compact, or simply turning on and configuring one that is already there?" }-

They don't have to write their own web server. Unite is not quite the only web server software in the world, and the bad guys could use one of those that aren't Unite, like they've been doing so far. The problem with using Unite instead of your own or borrowed server code is that Unite won't be on all systems, even on most systems. So, yeah, "just as easily", in the sense that Unite is a weaker solution (less stable, requires Opera that isn't present on most systems, poorer performance, and so on) and that if you've got local access to enable Unite, you've got access to run a different web server that doesn't need Opera. Wait, scratch that. Actually, it's easier to set up a server that isn't Unite for your malicious purposes, since code that does this already exists, but so far I haven't seen code designed to use Unite for malicious activity out there to be borrowed and therefore you'd have to waste time writing it yourself.

But sure, if we go for a really contrived scenario where someone knows that you're running Opera and writes a malware specifically for you that does nothing but secretly enable Unite, then that can be done in pretty compact code. Doesn't make much sense, though. If they can convince you to run their malware, why not make it a better malware. You won't even have to code it yourself, so it'll save your time and give you better control over the target system... But I guess, if you just want to be silly, you could use Unite.

-{ Quote: "Security via obscurity is a broken model. It does nothing but provide you with a false sense of security, and that's the best-case scenario." }-

Obscurity can add security, without requiring that the entire security model is based on obscurity. Running a server on a non-standard port will prevent some automated attacks for example and therefore have a positive security impact, but it would be insanity to rely only on the non-standard port for security. Obscurity can serve a useful purpose in a security policy, as long as it's not the whole policy. In Opera's case, the attacker would be somewhat strange if they were interested in owning systems to use as web servers, but only decided to attack those with a relatively rare browser that ships with a built-in disabled web server. Especially when it's quite possible that the average Opera user is more of a computer hobbyist than the average IE user for example, and could be a harder target in addition to being a rarer one.

-{ Quote: "It's also easier because there's already a web server - produced by a legitimate company, and most likely trusted by the user - installed on the target computer" }-

And still, to turn it on, it requires the kind of local access that also allows you to set up a server without Opera, and also hide that server, so the user doesn't have to trust the browser with the right to act as a server (some users wouldn't do that, you know). Doesn't sound easier to me.

-{ Quote: "Which is irrelevant in this thread because everyone already knows that. We're not idiots who need to listen to you rambling on and on for pages stating the obvious. People don't like Unite not because they're paranoid and worried about the sky falling on their heads or monsters popping out of thin air, they don't like Unite because of the legitimate and inherent security risks of having web server software installed on their PCs. And to that you have (as of yet) nothing useful to say." }-

It seemed to me that everyone did not understand that to enable Unite, malware has to have local access that allows it to do even nastier things, which would make worrying about Unite being enabled a rather weird way to pass one's time.

I'm not saying that people should just love Unite or that they should not dislike it. I'm saying that you can dislike it all you want, but at least dislike it for the right reasons (more code generally equals more vulnerabilities and Unite is more code, and any server is a risk in itself). Don't dislike it because someone might get malware on your system and then use it to turn on Unite. If you're going to worry about that, you should start worrying about stuff like Windows' own file sharing, BITS, Remote Desktop... If malware can access your system so easily, it can turn all that stuff on with the config of its choice, and Opera isn't required. :)

A few older articles:

Opera CEO Claims Unite is Secure, But That's Not Its Real Problem - 7 July 2009
http://www.readwriteweb.com/archives/opera_ceo_claims_unite_is_secure_but_thats_not_its_problem.php

How secure is Opera Unite? - 16 June 2009
http://www.betanews.com/article/How-secure-is-Opera-Unite/1245176152

And something more 'extreme'.

Pwning Opera Unite with Inferno’s Eleven
http://securethoughts.com/2009/08/pwning-opera-unite-with-infernos-eleven/

And then this in news - new version more secure than previous versions - 24 November 2009:

"Opera has fixed three potentially nasty security vulnerabilities with the release of a major new version of its web browser software."
http://www.theregister.co.uk/2009/11/24/opera_revamp/

-{ Quote: "I really do fail to see where I was wrong about that. Perhaps you ought to read my post again. Asking for server rights does not equal Unite's web server being enabled and serving your files for the whole wide interweb." }-
No. But given how Opera prompts for server rights multiple times for multiple purposes, it means that, if and when Unite is hijacked for malicious purposes, Opera will likely already have server rights.

-{ Quote: "They don't have to write their own web server. Unite is not quite the only web server software in the world, and the bad guys could use one of those that aren't Unite, like they've been doing so far." }-
Of course they could. Which is why home users don't usually install web server software on their PCs.

-{ Quote: "The problem with using Unite instead of your own or borrowed server code is that Unite won't be on all systems, even on most systems." }-
In regions like Russia and Europe, Opera has a very considerable user base.

-{ Quote: "If they can convince you to run their malware, why not make it a better malware. You won't even have to code it yourself, so it'll save your time and give you better control over the target system... But I guess, if you just want to be silly, you could use Unite." }-
Claims like "you won't even have to code it yourself" only reveal your lack of knowledge about malware creation. Any RAT created in such a manner wouldn't survive for long or at all, if the user is running any half-decent antivirus. Hijacking Unite, on the other hand, gives the attacker unlimited access even if the trojan is detected and removed at a later date.

-{ Quote: "In Opera's case, the attacker would be somewhat strange if they were interested in owning systems to use as web servers, but only decided to attack those with a relatively rare browser that ships with a built-in disabled web server." }-
Depending on where you live, Opera may not be that rare. And the mistaken belief that it is isn't going to protect you.

-{ Quote: "And still, to turn it on, it requires the kind of local access that also allows you to set up a server without Opera, and also hide that server, so the user doesn't have to trust the browser with the right to act as a server (some users wouldn't do that, you know). Doesn't sound easier to me." }-
Yes, it requires the same rights. But you're getting confused, and trying to suggest that requiring the same rights is synonymous to the same amount of difficulty.

-{ Quote: "I'm not saying that people should just love Unite or that they should not dislike it. I'm saying that you can dislike it all you want, but at least dislike it for the right reasons." }-
Until you learn to stop propagating untruths about how running web server software on your PC makes no difference as far as security is concerned, and stop pretending that it doesn't make attacks easier (which IS a right reason), I see no reason to believe this claim of yours.

-{ Quote: "Yes, end of the road for me with Opera. I am sticking to 10.01 and that's it.

3,3 MB of extra crap on the installer, for feature that i will never use.



Well, if you consider that browsers are usually full of holes waiting to be discovered, i certainly wouldn't want a browser with the ability to act as FTP server...

For me it's far superior risk than even p2p. At least in p2p it's a specialized software, one folder is only put on "share" and there is no 3d party plugins that could have a vulnerability of their own and exploit the program.

In Opera, you have widgets, flash, java, shockwave, pdf plugins, torrent plugin. If any of them has a hole, who says that it can't exploit the built in "Opera Unite" and take access over anything?

I really like Opera, but i prefer taking the risk of sticking to an old version, rather than install this 3,3 MB crap." }-


Firstly its not an ftp server, its all based on html. Secondly by defauly Unite is not enabled, because you have to go out of your way sign up for an opera account or if you have one you need to sign in with it and THEN you even need to set up which apps you want it to function with.

Widgets in my opinion are useless, they are worthless toys, and if you dont use them then dont worry about them.

I have used opera for years now. I was a devout firefox user but they lost my interest and now opera is the THE only browser that has everything i need. This new version with unite is an amazing revolution. For the people who take the time to set it up and enable it, it makes some things very easy like sharing files and keeping in contact.

The original thing that turned me onto opera was the fact that you can sort your bookmarks by a number of ways, AND it even remembers that sorting and even keeps that sorting in your bookmarks menu. Something which firefox stopped doing.

So all in all another fantastic Opera browser. (its fast as hell also)

-{ Quote: "No. But given how Opera prompts for server rights multiple times for multiple purposes, it means that, if and when Unite is hijacked for malicious purposes, Opera will likely already have server rights." }-

Sure, Opera likely will have server rights if the user is willing to give them. That still leaves the attacker the problem of getting the malware in the system, and once that has been successful, they don't need Unite for doing what they want to do. Which is exactly the reason why I don't think malware enabling Unite is a problem. The problem is the malware running in your system. Even if you don't have Opera and Unite installed, what's stopping the malware from just getting out there and downloading whatever server software it wants and installing that, even Unite?

-{ Quote: "Of course they could. Which is why home users don't usually install web server software on their PCs." }-

I don't think home users choose not to install web server software on their PCs because bad guys could use that server software for malicious activity. Home users don't install servers because they don't have use for them. In any case, I was pointing out that if a malware author wants to make a server out of the machine they just owned, they can just have the malware download and install any server software they want - something they coded for themselves, something that was made by someone else, or even Opera's Unite.

-{ Quote: "
In regions like Russia and Europe, Opera has a very considerable user base." }-

I live in Europe, by the way, fairly close to Russia. In the Europe that I have seen, Russia included for good measure, Opera isn't exactly the most common browser you'll see folks use. I'm sure it's more common than in the Americas, but still not IE. Shame, though, since Opera has some pretty cool features out of the box (and I'm not referring to Unite here).

-{ Quote: "Claims like "you won't even have to code it yourself" only reveal your lack of knowledge about malware creation. Any RAT created in such a manner wouldn't survive for long or at all, if the user is running any half-decent antivirus. Hijacking Unite, on the other hand, gives the attacker unlimited access even if the trojan is detected and removed at a later date." }-

You can easily create a piece of malware obfuscated enough that none of the most common free or paid AVs detect it with current definitions, and you can do this without writing any actual code yourself, which is exactly the point. And if you don't know this, then you either haven't ever bothered to try, or have tried but just didn't know what you were doing. And any smart attacker would not mass spam their malware everywhere so that every AV will get their hands on it the first day. Once the AVs start adding definitions for your little kit, just scramble it again and repeat, for profit, and own some more systems while AVs are waiting to find a sample of your latest mix.

As for malware that hijacks Unite getting unlimited access even if the trojan is detected and removed later, I'll just say this: mIRC bots. If malware starts to abuse Unite on a large scale like mIRC has been abused, AV houses could easily add Potentially-Unwanted-Software / Hacktool definitions for Opera, so that Opera itself could be detected, or for a less harsh approach they could simply attempt to detect whether Unite is enabled and report that. Do note that mIRC is a legit piece of software that has been around for long, and still some AVs choose to detect it as a potential issue. And the malware authors can't exactly obfuscate Unite, if they're relying it to be already present on their target systems. And what about Windows file sharing features? What if malware feels like turning that stuff on with unlimited access for the attacker? Most people have Windows, but most don't have Opera. Guess which might be the better choice for the attacker to use. Windows file sharing also doesn't require Opera to be on all the time for the attacker to be able to connect to his newly owned victim...

In short, using Unite would not provide any unlimited access or immunity from AV detection for the attackers, and you can easily avoid detection by many AVs without creating new code yourself.

-{ Quote: "Depending on where you live, Opera may not be that rare. And the mistaken belief that it is isn't going to protect you." }-

I don't have any mistaken belief that Opera will protect me. My belief is that if malware can infect your system, you've got problems far bigger than said malware trying to enable disabled-by-default features in a minority market share web browser. But anyone is completely free to disagree with me, and to worry about malware enabling such features.

-{ Quote: "Yes, it requires the same rights. But you're getting confused, and trying to suggest that requiring the same rights is synonymous to the same amount of difficulty." }-

Well, yes, I am indeed suggesting that it requires the same rights, and that is usually my main concern - what kind of access is required to do something. Perhaps I could have chosen my words better. Thanks for pointing that out. Wouldn't be the first time I've chosen my words less than optimally and surely won't be the last. ;D The required rights are pretty important, because if you give malware that kind of rights, then there's no reason why the malware would need to use Unite to run a server on your system or to do numerous other nasty things.

As for difficulty, I maintain that to enable Unite maliciously and to actually get it to work, you'd have to write some code of your own, because at this point there isn't such code floating around. But if you want to do the job better, there's lots of code that allows for that, without using Unite and requiring Opera to be present. And you don't even have to use third party server software. If you just want to "share" the victim's files, there's always this thing called Windows as I previously mentioned.

-{ Quote: "Until you learn to stop propagating untruths about how running web server software on your PC makes no difference as far as security is concerned, and stop pretending that it doesn't make attacks easier (which IS a right reason), I see no reason to believe this claim of yours." }-

Yes, now, I do think that running server software makes a difference. And I certainly don't try to pretend that it has no effect on security and doesn't make any attacks easier. If something I said gave that impression, then I am honestly sorry, and rightly deserve to be called a dotard and given a couple of good slaps and/or verbal trashings. But, at least I apparently wasn't pretending all the time, since I just said this:

-{ Quote: "I'm not saying that people should just love Unite or that they should not dislike it. I'm saying that you can dislike it all you want, but at least dislike it for the right reasons (more code generally equals more vulnerabilities and Unite is more code, and any server is a risk in itself)." }-

Servers aside, I think it's important to keep it in mind that more code in general equals more vulnerabilities. It doesn't have to be server code, it can be a media player or support for additional image formats or anything (including, ironically, security features).

But, I think I've said all I have to say here.

Great thread and for interest sake, thought I'd give this browser a go. So far, I have setup TCP allowed Outbound to ports 80, 443, 1935 & 554 in Win 7's built-in fw and have not enable Unite server. Also setup Publisher rule in AppLocker for Opera.exe. It seems like a fast browser as usual, though no perceptible difference over IE8. As for malware maybe being written to target the Unite server or whatever other built-in Opera functionality, I won't lose sleep over it. The Malware does have to get on to the machine first and run.

-{ Quote: "I have the 10.10 update downloaded.
No way I'm installing it with Unite included." }-

Where is Unite enabled by default??

To me there's an issue with Unite serving as 'Fertile Ground' beyond anything else. Opera's 10.01 had a GLARING javascript flaw that allowed remote code execution... One that had been known and fixed in other browsers for months (see link previously in this thread). If you've completely disabled Unite, that's all fine and good, but how long will it be until Opera runs afoul of another huge security flaw that allows remote code execution? Then it's pretty much a moot point because the switch comes right back on, and the server is running for the bad guys. I'm not saying that Unite causes the initial intrusion, mind you:

Firefox, Chrom, Safari, and IE are all just as vulnerable. But now the bad guys are thinking about which platform to hit, and for Opera they'll get a free freakin' webserver with every compromise. It doesn't matter what your settings are. Opera's a juicy target now, more exploitable in terms of what you can do after the fact, and a larger target.

That's to say nothing of the fact that Unite also provides the bad guys with another new venue for social engineering. Stuff that's hosted through these new Webservers looks like it's coming from Opera's trusted sources. That means Opera's Fraud Protection and Javascript site-preference mitigation techniques are useless against Unite Attacks. Phishing and malware hits can propagate much more easily through Unite because of this, if I'm thinking right.

So, will Unite open a backdoor? Maybe, but right now it looks like turning it off will suffice. But will it latch a gigantic neon sign to the browser saying "HACK ME!!!"? You bet it will.

-{ Quote: "Where is Unite enabled by default??" }-

Go into opera:config and take a look at the list. Under "Web Server" The following options are default enabled:

UPnP Enabled
UPnP Service Discovery Enabled
Webserver Always On
Webserver Used

Under "User Prefs" the option "Enable Unite" is also on by default.

These options were also on after I right-click removed Unite from the tools pane. People on the official Opera forums have claimed that the new version of Opera opens a few ports whenever it launches, regardless of options set.

-{ Quote: "

Go into opera:config and take a look at the list. Under "Web Server" The following options are default enabled:

UPnP Enabled
UPnP Service Discovery Enabled
Webserver Always On
Webserver Used

Under "User Prefs" the option "Enable Unite" is also on by default. " }-

Thank you for the info Carbonyl!

-{ Quote: "People on the official Opera forums have claimed that the new version of Opera opens a few ports whenever it launches, regardless of options set." }-

Maybe they're right. Opening Opera two separate times (different Process id's each time) and running netstat shows local ports opened by opera, with UPnP (port 1900) in both cases. However, there are no "Listening" states or "Established" states in either case. BTW, the other foreign address port 80 was held by jusched.exe.

-{ Quote: "...it's quite possible that the average Opera user is more of a computer hobbyist than the average IE user for example" }-Many of those folks who post on IE's forum (http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/threads) seem more technically adept, & MUCH more civil, than many of those who post on Opera's forum.

-{ Quote: "I'm not saying that people should just love Unite or that they should not dislike it. I'm saying that you can dislike it all you want, but at least dislike it for the right reasons (more code generally equals more vulnerabilities and Unite is more code, and any server is a risk in itself)." }-Well said... finally!

-{ Quote: "Sure, Opera likely will have server rights if the user is willing to give them. That still leaves the attacker the problem of getting the malware in the system, and once that has been successful, they don't need Unite for doing what they want to do." }-
No, they don't expressly NEED it. But a web server being installed and granted permission to listen for incoming network requests certainly makes their life a hell lot easier. Which is the whole fricking point that you continue to ignore.

-{ Quote: "Even if you don't have Opera and Unite installed, what's stopping the malware from just getting out there and downloading whatever server software it wants and installing that, even Unite?" }-
Nothing. Except that server software would show up on a firewall prompt as an unfamiliar program requesting server rights, not as a program the user knows he/she installed his/herself. There's also a lot of problems involved with downloaders. Their servers are actively hunted by vigilantes, antivirus vendors, ISPs, and law enforcement personnel. Bandwidth is a problem for them, if they need to upload large files. And if the RATs leech legitimate server software (Apache, IIS, etc) off their respective vendors' servers, those connections could be detected and blocked. Having the end user install the web server software itself eliminates all those logistics issues, and makes the bad guys' lives easier.

-{ Quote: "I don't think home users choose not to install web server software on their PCs because bad guys could use that server software for malicious activity. Home users don't install servers because they don't have use for them." }-
Exactly. And they're safer as a side effect of it. Unite changes that.

-{ Quote: "I live in Europe, by the way, fairly close to Russia. In the Europe that I have seen, Russia included for good measure, Opera isn't exactly the most common browser you'll see folks use." }-
http://gs.statcounter.com/#browser-RU-monthly-200810-200911-bar

-{ Quote: "You can easily create a piece of malware obfuscated enough that none of the most common free or paid AVs detect it with current definitions, and you can do this without writing any actual code yourself, which is exactly the point." }-
Then your definition of "writing" differs from mine.

-{ Quote: "If malware starts to abuse Unite on a large scale like mIRC has been abused, AV houses could easily add Potentially-Unwanted-Software / Hacktool definitions for Opera, so that Opera itself could be detected, or for a less harsh approach they could simply attempt to detect whether Unite is enabled and report that." }-
I think I speak on the behalf of all antivirus vendors as well when I say I'm very glad indeed that someone with such *ahem* "creative" ideas like you isn't working for them. And even if such a measure is necessary, it's just more evidence that Unite is more of a threat than you try to make it out to be.

-{ Quote: "As for difficulty, I maintain that to enable Unite maliciously and to actually get it to work, you'd have to write some code of your own, because at this point there isn't such code floating around." }-
Yes, that's been such a headache for the malware industry. Oh my goodness, they have to write their own code! It's really such a terrible bother for them, don't you think?

-{ Quote: "But if you want to do the job better, there's lots of code that allows for that, without using Unite and requiring Opera to be present. And you don't even have to use third party server software. If you just want to "share" the victim's files, there's always this thing called Windows as I previously mentioned." }-
Let me get this straight. You think hijacking Unite is more difficult than hijacking Windows file/network sharing? Are you under the assumption that Windows file/network sharing is even anything comparable to Unite's web server functions?

-{ Quote: "Yes, now, I do think that running server software makes a difference. And I certainly don't try to pretend that it has no effect on security and doesn't make any attacks easier." }-
Yes, I'm quite aware of what you claim to be saying. Given your other arguments, however, I see little reason to believe you're telling the truth when you say that. If it makes a difference and has an effect on security, then people should rightfully to be worried about it, which you have regretfully tried to portray as misplaced paranoia.

For anyone that might be interested, i found the proper fonts configuration for Firefox, to show websites 99% as Opera without using No Squint.

In advanced Fonts options, set sizes: 20, 9 , 9.

Only Wilders' doesn't display as Opera from the sites i have tried, but at least it shows "normal". Bolder fonts but normal sized.

Also found a speed dial addon that is actually easy to use. It's called "Fast Dial".

So, all i need is All-In-1 Mouse Gestures, Fast Dial and FEBE or MozBackup.

-{ Quote: "No, they don't expressly NEED it. But a web server being installed and granted permission to listen for incoming network requests certainly makes their life a hell lot easier. Which is the whole fricking point that you continue to ignore." }-

Yeah, they don't need it. They can do the same thing, and worse, without Unite. If they get enough system access. And if they get that much system access, it's a huge problem, whether you have Unite or not. That is my point here. Unite has its own problems - all software has vulnerabilities, and vulnerabilities in server software are their own special case - but malware enabling it secretly isn't one. That requires the level of system access that allows you to do the same thing, and worse, without having to rely on Opera being installed and enabling Unite.

Have you considered that for Unite to work, you need an account at Opera? If the user doesn't intend to run Unite, they won't have such an account, and the attacker is going to have to set up that, too, before they can get their way. Lots of hoops to jump through just to enable something that isn't present on most systems, in a situation where you could do the same things without relying on that thing to be present. And again, I wonder what your stance on for example Windows file sharing is - something that is present on quite a few more machines than Opera.

-{ Quote: "Nothing. Except that server software would show up on a firewall prompt as an unfamiliar program requesting server rights, not as a program the user knows he/she installed his/herself. There's also a lot of problems involved with downloaders. Their servers are actively hunted by vigilantes, antivirus vendors, ISPs, and law enforcement personnel. Bandwidth is a problem for them, if they need to upload large files. And if the RATs leech legitimate server software (Apache, IIS, etc) off their respective vendors' servers, those connections could be detected and blocked. Having the end user install the web server software itself eliminates all those logistics issues, and makes the bad guys' lives easier." }-

The server software would show up on a firewall prompt and this might make the user suspicious. If the user has such a firewall, if the malware didn't just blow the firewall right up with all the system access it has already, and if the user is smart enough to understand what the firewall is alerting about, especially if the malware is smart and attempts to look like a legit process. It doesn't have to call the server part "Malicious Web Server That You Should Not Run.exe". The kind of users who would be most likely to get infected wouldn't be able to tell any difference and would just say yes.

Life for downloader malware may not be easy, but neither is life for any other malware. For this malware that wants to enable your Unite to strike your system, it has to come from somewhere, and that somewhere is likely to be some web site where it will be downloaded from, and for that reason, the issues with downloader malware largely apply to it, too: bandwidth, ISPs closing the server offering malicious files to the web, and so on. In spite of this, the web has enough malicious servers running for the bad guys to do their thing, and they can just as easily be used to serve more than just downloaders (and are).

Having the end user install server software themselves but leaving it disabled isn't really that great, when to enable it you need access to the system that would just as easily allow you to keylog credit card data and passwords, for example.

-{ Quote: "Exactly. And they're safer as a side effect of it. Unite changes that." }-

Problem is, most users still won't have Opera installed, and if malware wants to abuse Unite, it still has to get running on the system, after which it can do evil without Unite. Or it can just install Unite even if the user didn't install it.

-{ Quote: "Then your definition of "writing" differs from mine." }-

Apparently it does. My definition of "writing" is not "using a few automated tools that work without you ever understanding any programming language and without writing a single line of code yourself." One can always disagree, but it doesn't necessarily make much sense.

-{ Quote: "I think I speak on the behalf of all antivirus vendors as well when I say I'm very glad indeed that someone with such *ahem* "creative" ideas like you isn't working for them. And even if such a measure is necessary, it's just more evidence that Unite is more of a threat than you try to make it out to be." }-

It's not my idea. Some of those AV vendors you pretend to be speaking for already detect legit software like mIRC as potential hacktools or unwanted software or "not malware but something we feel like informing you about" simply because malware has taken to using said software for malicious purposes. Kaspersky is one pretty good example. Maybe you should go tell them they're wrong about it, if you have a problem with what they do.

I didn't say that Opera should be detected. I said that if malware ever starts enabling Unite, it could be, just like mIRC is detected now, and that would nullify your "Unite gives unlimited access" argument. I'm saying, they did it before with another legit software, they could do it again with Opera if they think it's worth it. As for what threat Unite poses, it will have vulnerabilities like any software, and since it's a server kind of software, its vulnerabilities can have special impact. Those are valid threats. Malware coming in to enable Unite secretly, isn't, as I see it, due to reasons explained repeatedly in this thread (malware doesn't need Unite to run servers, Unite is not present on most systems, and so on). mIRC is a pretty nice example here, actually. The malware that takes advantage of mIRC is not so stupid as to rely on mIRC already being installed on the target system. Instead, the malware includes its own copy of the mIRC executable and drops that on the system, using that copy for its own malicious activities. Malware could do exactly the same with Unite, even if you did not have Unite installed.

-{ Quote: "Yes, that's been such a headache for the malware industry. Oh my goodness, they have to write their own code! It's really such a terrible bother for them, don't you think?" }-

No, it's not a bother. But it's a fact that writing code yourself is more work than taking ready-to-use code from someone else. If it wasn't, we'd be seeing a lot less people buying ready-to-use exploit kits and malware from their authors. Previously though, you seemed to be of the opinion that enabling Unite saves malware authors from writing their own server code, in spite of Unite not being present on most systems. I wonder why that is an issue for them, if writing their own code is not a bother. Oh, sure, because they need to keep their code compact, and just can't get past all the beautiful AVs and firewalls. You know, just like they are not getting past said AVs and firewalls now, or for that last ten or so years...

-{ Quote: "Let me get this straight. You think hijacking Unite is more difficult than hijacking Windows file/network sharing? Are you under the assumption that Windows file/network sharing is even anything comparable to Unite's web server functions?" }-

I did not say that. Windows has file sharing that you can easily enable if you have complete control of the system. And what do you know, that allows you to share files. It's not Apache, and it's not Unite, but if you want access to the user's files, it will do that. And this is stuff that Joe Average will most likely have installed, which can't be said about Apache or Unite. Unite is obviously comparable to Windows file sharing in that both can be used to allow remote access to files on the system over the network. There are of course large differences, but if an attacker wants access to the user's files, it's not the case that Windows file sharing is useless while Unite is magnificently useful. Windows file sharing has been used by attackers for a long time.

-{ Quote: "Yes, I'm quite aware of what you claim to be saying. Given your other arguments, however, I see little reason to believe you're telling the truth when you say that. If it makes a difference and has an effect on security, then people should rightfully to be worried about it, which you have regretfully tried to portray as misplaced paranoia." }-

So, are you claiming I'm lying in two different directions at once? ;D That is to say, you think I'm first lying about malware enabling Unite not being an issue, and then lying about Unite potentially including vulnerabilities like any software as well as being a server software that makes such vulnerabilities more serious issues? Well, that's... original, at least. Congratulations. :thumb:

I think people should be worried about running a web server on their machine that they don't want to be running. Don't run Unite if you don't like a web server on your machine. Just don't, it's your choice. Obviously web servers have their own security issues. But I do believe it is misplaced paranoia to worry about malware enabling some web server that you have installed but are not running. It is more reasonable to worry about the malware infecting your system in the first place. If you prevent the infection, you prevent also malware enabling that web server. Yes, you could worry about such things if you had nothing better to do. But then you have much more than just Unite to worry about, because it's not only web servers that are useful to malware. A simple web browser can be quite useful, when you hide its window and use the browser that is already approved past the firewall to communicate with your control server. So, after you toss Unite, it's time to worry about whether you should toss browsers, FTP clients, and the operating system itself. My suggestion is to just toss the software you don't need. Don't need or want Unite? Then don't enable it, and if you feel really uncomfortable with it, don't install Opera. That solves your problem with it.

Once more: I'm not saying that Unite is good for security, or that it has no issues. Unite will likely have vulnerabilities, and running a web server always has security implications. What I'm saying is that Unite being enabled by malware is not something to worry about in my opinion. What you should worry about is:
1) running a web server on your system - don't run it if you don't want it.
2) running new code on your system that means also new vulnerabilities - if you don't need the new stuff, consider not running it.
3) running malware on your system - don't do it, or it can do evil things whether you have Unite installed or not.

After you've dealt with all those, you no longer have to worry about whether some malware is going to enable some web server that you installed, because chances are the malware won't be there.

And people might forget, that with users running Avast and other AVs, it would probably take a week or two for AVs to start detecting the malicious file that targeted Opera, if one was actually in circulation.

So most users running an AV would most likely be protected by any such download. It's be blocked/quarantined.

-{ Quote: "Yeah, they don't need it. They can do the same thing, and worse, without Unite. If they get enough system access. And if they get that much system access, it's a huge problem, whether you have Unite or not. That is my point here." }-
Having web server software pre-installed on the PC makes it an even bigger problem, because it lowers the bar for a successful attack. Which is the fact you're continually ignoring.

-{ Quote: "Unite has its own problems - all software has vulnerabilities, and vulnerabilities in server software are their own special case - but malware enabling it secretly isn't one. That requires the level of system access that allows you to do the same thing, and worse, without having to rely on Opera being installed and enabling Unite." }-
So making it easier for hackers to turn your PC into a web server or botnet node isn't a problem?

-{ Quote: "Have you considered that for Unite to work, you need an account at Opera? If the user doesn't intend to run Unite, they won't have such an account, and the attacker is going to have to set up that, too, before they can get their way. Lots of hoops to jump through" }-
Actually, inserting a username and password into Unite is as simple as editing the operaprefs.ini file. I'm sure that's such a big hurdle for hackers.

-{ Quote: "The server software would show up on a firewall prompt and this might make the user suspicious. If the user has such a firewall, if the malware didn't just blow the firewall right up with all the system access it has already" }-
Thanks for agreeing that I'm right. So without Unite, the malware has to nuke the firewall as well to keep user suspicion to a minimum, which is at least one extra step. I think that I speak for quite a lot of people when I say that it's a good thing to make life as difficult for hackers as possible, and some third-party firewalls are not that easily nuked, if they can be at all.

-{ Quote: "Life for downloader malware may not be easy, but neither is life for any other malware. For this malware that wants to enable your Unite to strike your system, it has to come from somewhere, and that somewhere is likely to be some web site where it will be downloaded from, and for that reason, the issues with downloader malware largely apply to it, too: bandwidth, ISPs closing the server offering malicious files to the web, and so on. In spite of this, the web has enough malicious servers running for the bad guys to do their thing, and they can just as easily be used to serve more than just downloaders (and are)." }-
Because the bad guys constantly switch servers. This doesn't work for downloaders because their download URLs need to be coded into the binary itself. If you switch servers, the downloader simply finds nothing to download.

-{ Quote: "Having the end user install server software themselves but leaving it disabled isn't really that great, when to enable it you need access to the system that would just as easily allow you to keylog credit card data and passwords, for example." }-
So you're saying that just because malware can keylog credit card data and passwords, they should also be easily given the ability to upload files on your computer to an attacker as well?

I don't really see why you constantly fail to grasp this very simple concept. Why are you so against the idea of making life difficult for hackers as much as possible?

-{ Quote: "Problem is, most users still won't have Opera installed, and if malware wants to abuse Unite, it still has to get running on the system, after which it can do evil without Unite. Or it can just install Unite even if the user didn't install it." }-
Again, thanks for agreeing that I'm right, and saying that users that don't have Unite installed are more secure.

-{ Quote: "It's not my idea. Some of those AV vendors you pretend to be speaking for already detect legit software like mIRC as potential hacktools or unwanted software or "not malware but something we feel like informing you about" simply because malware has taken to using said software for malicious purposes. Kaspersky is one pretty good example. Maybe you should go tell them they're wrong about it, if you have a problem with what they do." }-
Perhaps you should tell Kaspersky that they should detect Opera as a potential hacktool - guess what, Opera not only has web server software built in, but IRC capabilities too! If you ever get a response from them, please do post it, as I'd dearly love to see it.

-{ Quote: "I didn't say that Opera should be detected. I said that if malware ever starts enabling Unite, it could be, just like mIRC is detected now, and that would nullify your "Unite gives unlimited access" argument." }-
It could. It would also be a pretty stupid idea and very liable to pissing users off. And if it actually happened, it would also prove that I'm right - that Unite is a potential security risk.

-{ Quote: "No, it's not a bother. But it's a fact that writing code yourself is more work than taking ready-to-use code from someone else. If it wasn't, we'd be seeing a lot less people buying ready-to-use exploit kits and malware from their authors." }-
OR MAYBE it's because it's easier for them to modify a trojan produced by those kits, than to write one from scratch themselves. Competent antivirus vendors keep up-to-date with such kits, and the trojans they produce are almost immediately nuked by any good AV product. Only the stupidest hackers or someone who knows nothing about malware would think that the strategy of "buy-kit-and-spread-unmodified-trojan" would work. The kits are used to produce trojans that the hackers modify, not to relieve script kiddies of the work of writing code at all.


-{ Quote: "Previously though, you seemed to be of the opinion that enabling Unite saves malware authors from writing their own server code, in spite of Unite not being present on most systems. I wonder why that is an issue for them, if writing their own code is not a bother." }-
OH, I DON'T KNOW. MAYBE BECAUSE THE DIFFICULTY OF WRITING CODE HAS NOTHING TO DO WITH THE DIFFICULTY OF GETTING THE PROGRAM TO WORK UNNOTICED?

Ugh, I can't believe I need to even explain this. I'd imagine it's trivial for black hats to write code - it's their job. Keeping that code's actions innocuous and undetected from the user, on the other hand, is another matter altogether, and the more hoops a trojan has to jump through, the more likely it will actually get discovered. If a RAT has to download its own server software instead of using one that's pre-installed and trusted by the server, the firewall prompt would be one thing for the user to notice. If it also tries to kill the firewall, that's another thing for the user to notice. The Windows Action Center. Increased CPU and/or network activity taken up by funny processes. And so on and so forth.

-{ Quote: "Oh, sure, because they need to keep their code compact, and just can't get past all the beautiful AVs and firewalls. You know, just like they are not getting past said AVs and firewalls now, or for that last ten or so years..." }-
Yeah, and let's make their work even easier for them!

Best idea I've heard!

-{ Quote: "Windows has file sharing that you can easily enable if you have complete control of the system." }-
With Unite, you don't need anything beyond a limited user account if the user clicks "yes" when Opera throws up a firewall prompt. Which is quite likely, given how often Opera prompts for server rights for how many different purposes, and given how Opera is actually a trusted program the user installed consciously.

But hey, I suppose some people would just LOVE the hackers to have an easier job at doing their mischief...

-{ Quote: "So, are you claiming I'm lying in two different directions at once? ;D That is to say, you think I'm first lying about malware enabling Unite not being an issue, and then lying about Unite potentially including vulnerabilities like any software as well as being a server software that makes such vulnerabilities more serious issues? Well, that's... original, at least. Congratulations. :thumb:" }-
Don't get too far ahead of yourself; you've shown that you're quite capable of confusing yourself. Either that, or this is actually quite an original way of putting words into peoples' mouths.

You can keep on trying to lay claim to the correct and reasonable stand that server software does make a difference in security, but all the while arguing that people shouldn't be worried about Unite and that it doesn't make a difference. Just don't expect me to believe you, because, as the saying goes, you can't really have your cake and eat it too.

-{ Quote: "Having web server software pre-installed on the PC makes it an even bigger problem, because it lowers the bar for a successful attack. Which is the fact you're continually ignoring." }-

I'm concerned about malware running on the system in the first place. And yes, I am mostly ignoring what pre-installed software malware could use for its evil ends once it already has access to the system. That's because there's a lot of such pre-installed software and it's not practical to remove them all: there's browsers, there's the operating system itself with plenty of features that could be used maliciously, there's simply a lot of stuff. What the user should aim to do is to not let the malware infect the system in the first place. They could also choose to limit attack surface on the system by not installing software they don't need or want. If you don't need web servers, don't install them, even as a part of Opera.

-{ Quote: "So making it easier for hackers to turn your PC into a web server or botnet node isn't a problem?" }-

In a scenario like this where you have Opera installed but Unite is not enabled, in my opinion it's not a problem that malware could jump in to enable it. It's not a problem to me because to do that, the malware would already need to have access to the system. Therefore the problem is malware having system access, not pre-installed software having features that malware could use for its own ends once it is running on the system. But, if you are honestly that concerned about getting malware on your system that would then enable Unite, then surely you should avoid installing Opera. That's certainly what I would recommend for you, or anyone else so concerned about getting malware on their system that could enable features in pre-installed software, like Unite in Opera. Before making that recommendation, I'd just take the opportunity to say that in general it might be a good idea to just try to prevent malware from infecting the system, so it can't enable Unite or do other things that you don't like. It's a little bit important, because even if you remove Opera and therefore stop malware from enabling Unite (unless malware just downloads and installs it on its own instead of hoping you'd do it for them), any malware running on your system could still try to steal your passwords, for example, which is something not everyone necessarily likes that much.

-{ Quote: "Your ignorance with Opera shows again. Inserting a username and password into Unite is as simple as editing the operaprefs.ini file. I'm sure that's such a big hurdle for hackers." }-

I think you have a rather active imagination when it comes to seeing ignorance. Adding credentials to Unite in order to enable it requires you to first open an account with Opera. That's easy, but it's a little extra hoop to jump through - you can't just mass produce credentials out of thin air, you have to actually register accounts with Opera. Then you make your malware use said credentials to enable Unite on the victim's system. If Opera ever realizes this account is being used maliciously, it'll likely be closed, cutting off your unlimited access. You could of course choose to play with IP addresses or custom domain names instead of going through Opera's proxy. But all this stuff is pretty inefficient compared to just installing a server of your choice, instead of hoping the victim has Opera installed.

-{ Quote: "Thanks for agreeing that I'm right. So without Unite, the malware has to nuke the firewall as well to keep user suspicion to a minimum, which is at least one extra step. I think that I speak for quite a lot of people when I say that it's a good thing to make life as difficult for hackers as possible, and some third-party firewalls are not that easily nuked, if they can be at all." }-

You're welcome. Certainly it's a good thing to make life difficult for hackers. But me, I also try to not make my life difficult. I aim to stop the attackers before they're on my systems, and I suggest others to invest in that, too, before they worry about what malware can do once it is on their system and enabling features in pre-installed software.

-{ Quote: "Because the bad guys constantly switch servers. This doesn't work for downloaders because their download URLs need to be coded into the binary itself. If you switch servers, the downloader simply finds nothing to download. Please at least make some attempt to educate yourself regarding these matters before trying to pretend you know anything about them." }-

Sure, bad guys switch servers. And that doesn't prevent downloaders from working. The same source that gives you that gift of the original malware can also immediately give you the server part, if they're not already included in one and the same dropper executable. This is easy. Unless you just don't know how to run that game. Fast-flux DNS is one way to make it easier to keep the servers with the malicious code available to the downloaders. But if you'd like, I could pretend that none of this was possible. I wouldn't want anyone to be so agitated they feel the need to type in all caps.

-{ Quote: "So you're saying that just because malware can keylog credit card data and passwords, they should also be easily given the ability to upload files on your computer to an attacker as well?" }-

No, I'm saying that if you let malware have the kind of access where it can enable Unite, you are already in huge trouble, Unite or no. That, then, suggests that you might want to prevent that situation from occurring, instead of worrying about malware enabling Unite. Don't let the malware infect your system, and it won't keylog anything or enable Unite. Of course, preventing malware infections is not as easy as saying you should prevent them, but if you're going to do something, it's wisest to do the most useful things.

-{ Quote: "I don't really see why you constantly fail to grasp this very simple concept. Why are you so against the idea of making life difficult for hackers as much as possible?" }-

I'm not. I think it's good to make life difficult for attackers. But, I think the attackers will have a much more difficult life if you prevent their malware from running at all, instead of just preventing their malware from enabling Unite.

Again, I'd like to repeat that Unite has its issues. It's new code and that means new vulnerabilities, and it is a web server with all the implications always involved with software that accepts traffic from the outside world. If you don't like either of these things, then it's a really good idea to keep Unite away from your system. Don't install Opera. It doesn't come pre-installed with Windows. If you really like Opera, then I fear there's not much more you can do - if you are not inclined to trying to hack things up yourself - than contact the developers and explain your concerns to them in the hope that they change things. Probably not going to work, though.

-{ Quote: "Again, thanks for agreeing that I'm right, and saying that users that don't have Unite installed are more secure." }-

Sure, users that don't have Unite installed are more secure. I don't think I've ever claimed that Unite was good for security, or that leaving Unite out would not increase security. It's always the case that when you drop some software, you also drop its vulnerabilities and any attacks against that software. Users that don't have software "foo" installed are more secure, by virtue of not suffering from any vulnerabilities in "foo". The less software you have, the less attack surface you have, as far as vulnerabilities in running software on your system are concerned.

-{ Quote: "Perhaps you should tell Kaspersky that they should detect Opera as a potential hacktool - guess what, Opera not only has web server software built in, but IRC capabilities too! If you ever get a response from them, please do post it, as I'd dearly love to see how they dismiss a crackpot like you as politely as they can." }-

Thanks for the personal attack. I hope it cheered you up a little.

Again, it's not my idea that some AVs detect some legit software because they can be used maliciously. Password recovery tools, irc clients, server software, many things are detected by various AVs. And none of that is because of anything I have said. I don't quite see what your issue here is, unless it's just to find opportunities for personal attacks. I'm well aware that Opera includes mail, BitTorrent, and irc features, and even - gasp - a password manager. I am not suggesting that Opera should be detected because of any of that. I quite clearly, at least clearly to anyone who can read and knows English, stated that if Opera's Unite was ever exploited on a large scale like this, AVs could respond to that by adding detections for Opera or Opera preference files that reveal Unite is enabled. Again, if you can read, this is not something that I am suggesting should be done. It's something that AVs could do, if they thought it was worthwhile as a countermeasure to any malware that attempts to enable Unite. It's something very similar to what AVs already do - they already detect legit software used by millions of people, like mIRC, due to malware making use of said software. What about this is "crackpot" the world wonders.

-{ Quote: "It could. It would also be a pretty stupid idea and very liable to pissing users off. And if it actually happened, it would also prove that I'm right - that Unite is a potential security risk." }-

All software is a potential security risk. All software has potential vulnerabilities that could compromise security. Software that makes remote connections is a special case, and server software a very special case, with their own rather serious effects on security. Part of the solution is not running software that you neither need nor want. That way, you at least won't have to worry about those programs being exploited by any attackers.

mIRC users have been getting AVs warning about their software for a long time. Sure, it's not fun. But, it's something that many AVs choose to do in response to malware using legit software for their malicious purposes.

-{ Quote: "OR MAYBE it's because it's easier for them to modify a trojan produced by those kits, than to write one from scratch themselves. Competent antivirus vendors keep up-to-date with such kits, and the trojans they produce are almost immediately nuked by any good AV product. Only the stupidest hackers or someone who knows nothing about malware would think that the strategy of "buy-kit-and-spread-unmodified-trojan" would work. The kits are used to produce trojans that the hackers modify, not to relieve script kiddies of the work of writing code at all." }-

Sure, modification is easier. But modification need not mean new code must be written. It can simply be obfuscation - binders, packers, and all sorts of relatively simple tricks. Many big name AV vendors constantly have trouble detecting even relatively old malware that has been obfuscated without writing any new code. As for the exploit kits I mentioned, they don't produce any trojans, they are just packs of exploits against software vulnerabilities our evil friends can set up on their servers to use against anyone who gets redirected or lured there with a vulnerable system.

-{ Quote: "OH, I DON'T KNOW. MAYBE BECAUSE THE DIFFICULTY OF WRITING CODE HAS NOTHING TO DO WITH THE DIFFICULTY OF GETTING THE PROGRAM TO WORK UNNOTICED?

Ugh, I can't believe I need to even explain this. I'd imagine it's trivial for black hats to write code - it's their job. Keeping that code's actions innocuous and undetected from the user, on the other hand, is another matter altogether, and the more hoops a trojan has to jump through, the more likely it will actually get discovered. If a RAT has to download its own server software instead of using one that's pre-installed and trusted by the server, the firewall prompt would be one thing for the user to notice. If it also tries to kill the firewall, that's another thing for the user to notice. The Windows Action Center. Increased CPU and/or network activity taken up by funny processes. And so on and so forth." }-

Keeping malicious code and its actions undetected from the user is unfortunately easy enough, seeing how many users are infected, without Opera Unite being exploited by the malware. Getting most users to say yes to one firewall prompt, if the user even has a firewall that bothers to ask, is not exactly difficult. As I hope anyone who has ever actually dealt with malware infections on the systems of "Joe Average" type of user would know. Joe Average will do pretty much anything that is asked. And even a simple malware doesn't need to ask much, even if there is a decent software firewall on the system. Once malware is installed, it can hide processes and files and anything it likes with rootkits - if admin rights are not available, user mode rootkits work just fine. The malware author can place limits on how much CPU and network their malware uses, if they feel like it, but most victims won't notice much even if no limits are in place. And if the malware chooses to use Unite for evil, then it'll just be Opera taking unusually large amounts of CPU and slowing down browsing in ways that did not happen before. If the user is the kind smart enough to wonder about such things, they might wonder why Opera is suddenly behaving like that, and investigate. So, it's not as if malware using Unite would somehow make detecting the infection and malicious traffic difficult. It's difficult enough for the Joe Average to typically miss it, but then, Joe Average is likely to miss traffic even from a malware process running plainly visible in task manager, but without any visible windows.

-{ Quote: "For your own sake, please stop saying things like this. It makes you look either incredibly uninformed, or maliciously trying to distort and confuse the issue. I hope that you're neither." }-

Instead of uninformed or malicious, if I got to vote on it, I'd vote for "not as optimistic as Eice" and "concentrated on stopping the malware before it can enable things on your system and molest your files and call your mother names". You seem to be more confident than I am in users' ability to detect abnormal activity in their systems. It might be interesting to know which of us has more experience with the average skill level user. Perhaps you are one of those lucky people who don't have to deal with average users much. Or perhaps you're just naturally more cheerful and optimistic than I am. ;D The reality in which I live is such that malware has been able to infect tons of average users, for years, already when Unite did not exist even as a glint in the milkman's eye, and has been able to hide from the user and AVs effectively enough, by using anything from the simplest tricks to most complex kernel rootkits. Malware authors don't need Unite to get their servers running on systems their malware has infected. That's why I'm rather uninterested in malware possibly enabling Unite.

-{ Quote: "Yeah, and let's make their work even easier for them! Best idea I've heard! Are you sure you're on the right side there, mate?" }-

Pretty sure. I prefer to make their work harder by not letting the malware infect systems in the first place. At which point malware won't be able to enable Unite, even if Unite is there to be enabled - which it shouldn't be, if you don't like it.

-{ Quote: "With Unite, you don't need anything beyond a limited user account if the user clicks "yes" when Opera throws up a firewall prompt. Which is quite likely, given how often Opera prompts for server rights for how many different purposes, and given how Opera is actually a trusted program the user installed consciously." }-

And to set up a server that isn't Unite, you also only need limited user privileges and one "yes" click if a firewall asks you whether you should let "Generic Host Process" to act as a server, or whatever phony names the malware wishes to use. The user might say no. Or they might say yes. Chances are pretty good that if you ask them enough, they'll just say yes. Or if you don't feel like asking for server rights that way, you could have your fake AV warn the user that their system is infected and Windows needs to download anti-malware software to clean it, and then have "Anti-Virus Pro" ask for server rights. Works on frighteningly many people. And you can install the fake AV without admin privileges, or getting any server alerts from firewalls.

-{ Quote: "But hey, I suppose some people would just LOVE the hackers to have an easier job at doing their mischief..." }-

I'm sure that some people would. As far as I know, I'm not one of those people, though. But hey, maybe if sort of hit my head just the right way, I can get my ignorant but evil Mr. Hyde persona going. ;)

-{ Quote: "Don't get too far ahead of yourself; you've shown that you're quite capable of confusing yourself. Either that, or this is actually quite an original way of putting words into peoples' mouths.

You can keep on trying to lay claim to the correct and reasonable stand that server software does make a difference in security, but all the while arguing that people shouldn't be worried about Unite and that it doesn't make a difference. Just don't expect me to believe you, because, as the saying goes, you can't really have your cake and eat it too." }-

I'm sure I'm quite capable of confusing myself, but I don't think you should be the one talking about putting words into people's mouths. ;D You've been saying here in this thread that I have claimed running servers has no security impact, but consistently fail to demonstrate where I've actually said that. Maybe that means something.

Let me say it again: I have never said Unite makes no difference. What I have said quite a few times is that if malware has enough access to enable Unite, it already has enough access to do many other evil things that you probably wouldn't like too much. So, it would be important to prevent malware from getting on the system in the first place. Obvious, sure, but if you do that, then malware won't be enabling Unite, and you don't have to be concerned that it will. I like to think of this as approaching problems the most direct and effective way. For example, I'm not worried about a criminal stealing my car and then using it to run down an innocent kid. Why not? Because I'm concerned about getting my car stolen in the first place, and take measures to make it really quite hard for the criminal to steal it. And if they can't steal it, they can't run down kids with it.

It's obvious you don't like Unite. It may not be obvious to you that I don't like Unite either, and would not recommend Unite.

Finally, sorry for disregarding the edits to your post, but sometimes I just can't help myself when I get called a crackpot. ;)

k wen did this become the thread of essays... u guys are like writing ur memoirs on here.

-{ Quote: "k wen did this become the thread of essays... u guys are like writing ur memoirs on here." }-
LOL.... Brevity is not their strong point.... :)

-{ Quote: "k wen did this become the thread of essays... u guys are like writing ur memoirs on here." }-

Yeah, that tends to happen when I open my mouth. Which leads me to consider that perhaps I should open it less often and with more consideration! ;D

By the way, Eice, while I do have a big mouth, I've got nothing against you. I'm just a pretty opinionated kind of old bore that doesn't mean any harm but sometimes has keyboard fingers faster than they should be. I know Unite has its issues as far as security is concerned, but I'm used to the approach of preventing malware attacks before they gain control of the system. And I am guilty of trying to "brainwash" others to take that approach as well.

So, if I've caused any offense, sorry about that to all of you guys. Not my intention! Sorry for hijacking the thread, too. I originally intended to make just that one post to say that malware needs to have pretty serious system access to enable Unite, and that means trouble in any case, Unite or no. In hindsight, I seem to suck at making just one post in a thread. ;D

-{ Quote: "LOL.... Brevity is not their strong point.... :)" }-

Well, in Eice's defense, he's better at the whole brevity thing than I am, but I guess everyone already knew that. ;D

-{ Quote: "
Where is Unite enabled by default??" }-

I never said it was!
My point is that it would be ideal for Opera to have two downloads- with and without Unite for those of us that don't want the social networking crap.

Or Opera could follow Mozilla's example- separate components like browser, mail client, etc so the user can choose for themselves instead of one bloated program.

-{ Quote: "I never said it was!
My point is that it would be ideal for Opera to have two downloads- with and without Unite for those of us that don't want the social networking crap." }-
Perhaps there should just be modules that you can install or skip in the install process. I'd leave out the email too.

-{ Quote: "Perhaps there should just be modules that you can install or skip in the install process. I'd leave out the email too." }-

You posted while I was editing my last post.;)

-{ Quote: "I never said it was!
" }-

Whoaa, okay, sorry about that, no accusations intended :P It just seemed given the intensity of some of the responses, it was enabled by default. My bad for misinterpreting. Now given the info from Carbonyl, it does look as though it is at least partially enabled in the config settings, so on one hand in the main menu it needs to be enabled but on the other, so much of it already is enabled by default under the hood, which comes off as misleading on Opera's part to me.

-{ Quote: "My point is that it would be ideal for Opera to have two downloads- with and without Unite for those of us that don't want the social networking crap. Or Opera could follow Mozilla's example- separate components like browser, mail client, etc so the user can choose for themselves instead of one bloated program." }-

Yes, I agree with this.

Also, Windchild mentions repeatedly to keep the malware off the system in the first place. Probably this is the easiest and most effective solution. Either that or use a different browser if the user is too spooked by the Unite "feature" in Opera.

-{ Quote: "You posted while I was editing my last post.;)" }-
Yep, looks like we had the same idea. :)

-{ Quote: "Thanks, but unless i figure out something else about the fonts, i will go back to Opera 9.64. Text at 120% with no squid, works perfectly for most sites. But in Wilders' things are desperate.

With Opera:

http://img522.imageshack.us/img522/7469/84730835.png

With FF:

http://img688.imageshack.us/img688/4696/74258722.png

I guess i could use "per site" settings, but i hate even the idea of that. I ll see if i can find something in actual type of fonts used that is different." }-

Im not sure why the firefox rendered page type appears so bold?.Im using widescreen1366x768 resolution .Yours seem compacted in the pic.Heres mine on 120%
http://img267.imageshack.us/img267/8758/20091125181919.png
ellison

-{ Quote: "Im not sure why the firefox rendered page type appears so bold?.Heres mine on 120%
http://img267.imageshack.us/img267/8758/20091125181919.png
ellison" }-

Yours looks fine in deed... I 've no idea why mine was displaying them so ugly. Maybe because i use 125% fonts in Windows somehow the program is "confused"?

Anyway, with the fonts sizes i changed to 20-9-9 (and without no squint), now all is fine:

http://img266.imageshack.us/img266/688/37802832.png

I encounter minor differences compared to Opera, mainly in a few fora. But it definitely looks "normal" now.

-{ Quote: "And yes, I am mostly ignoring what pre-installed software malware could use for its evil ends once it already has access to the system." }-
If willful ignorance is mostly part of your plan, perhaps I should stop wasting my time.

I suppose you must also be the kind of person who never puts on seat belts or buys insurance. After all, your strategy of not getting into an accident in the first place is quite foolproof... isn't it?

-{ Quote: "If willful ignorance is mostly part of your plan, perhaps I should stop wasting my time." }-Perhaps it's time for a view from a dispassionate reader of this thread.....

Either perspective being voiced in this thread has some level of merit, but they weight different aspects of the situation in uniquely different ways.

Personally, I believe Windchild's overall analysis is correct. If a system is experiencing an active compromise, whether or not Opera/Unite is running on your system really is a low priority detail. At some point in the distant future (if market penetration changed significantly), that reality could change. However, at the moment, it is pragmatically lost in the noise.

However, one lesson that should have been well learned over the past decade is that a features/facilities introduced to enrich the user experience in highly automated ways (ActiveX for example) can be subverted. The unintended consequences can take time to emerge, at which point a target rich environment is available. Of course, once these issues are fully developed, it is possible to develop mitigating solutions after the fact. Any approach which facilitates system interconnection can enrich the experience, or be a highway to ruin.

In any event, whether or not to use Opera/Unite is like any other potential security matter - it involves an explicit and personal risk/benefit analysis. Reasonable folks can have very different levels of risk aversion and rather different contexts in which that risk plays out. It's in this context that a perfectly reasonable analysis may still yield a suggested course of action that involves an uncomfortable perception of risk for some.

Tolerance to the risk, and I'd posit that this has not been genuinely established in this discussion of Unite (and at this point it's rather difficult to do as well), is rather distinct from willful ignorance. The simple fact of the matter is that there is a continuum of appropriate approaches which reflect both risk tolerance and risk context.

Blue

Well said Blue ! :thumb:

-{ Quote: "I suppose you must also be the kind of person who never puts on seat belts or buys insurance. After all, your strategy of not getting into an accident in the first place is quite foolproof... isn't it?" }-

Car analogies sometimes work, sometimes they don't. Naturally, I use seat belts and have insurance. But I don't consider those things as important as learning to drive safely, because if I drive unsafely enough, neither seat belts nor insurance will save me or anyone who gets in my way when I crash around. When it comes to computer security, I would consider seat belts and insurance to be more analogous to limited user accounts and backups than anything else. And of course, I take backups, and I don't run as admin or root.

I can't really think of what would be a natural car analogy for worrying about malicious parties enabling some features in software installed on your computer. Perhaps it would be something along the lines of installing a limiter on the engine so that even if you got crazy behind the wheel or if the car somehow malfunctioned and the often mentioned pedal got stuck to the metal, you couldn't drive over the highest speed limits in the land. That's not something I would do to my car, because I know I won't feel like speeding myself to death and I aim to keep my car repaired in reasonable working order so that it's very unlikely to malfunction like that. Or perhaps the earlier "thief takes my car and runs down an innocent" would work as an analogy. I wouldn't worry about that either, because I try not to let my car be stolen, and if it is stolen regardless, anything the thief does with it is really not my fault in any way. Of course, that won't make me feel any better if someone gets hurt, but that's life. So, in effect, I am ignoring those things, because I have taken reasonable measures to prevent those things from happening, and there's nothing more that I could do that would protect me or anyone else better without causing intolerably massive inconvenience to me. So, that's one of the usual security vs convenience decisions based on risk analysis. If I was worried enough, I could just sell my car and never drive again, and that would make pretty sure that I wouldn't be sitting behind the wheel during a car accident - and I could sell my computers or disconnect them from all outside networks. But that would be very inconvenient.


-{ Quote: "Either perspective being voiced in this thread has some level of merit, but they weight different aspects of the situation in uniquely different ways.

If a system is experiencing an active compromise, whether or not Opera/Unite is running on your system really is a low priority detail. At some point in the distant future (if market penetration changed significantly), that reality could change. However, at the moment, it is pragmatically lost in the noise.

However, one lesson that should have been well learned over the past decade is that a features/facilities introduced to enrich the user experience in highly automated ways (ActiveX for example) can be subverted.

In any event, whether or not to use Opera/Unite is like any other potential security matter - it involves an explicit and personal risk/benefit analysis. " }-

Well said, and I agree.

One should remember that installing additional software on a system is always like this: with new software you get new features, but you also get new vulnerabilities and more attack surface, and because of this you need to decide whether you really should be installing that software. Do you need it? Are the risks greater than the benefits the software offers to you? Or is the software so useful that you're willing to accept its vulnerabilities and other security issues? If you are going to install it, then most often measures can be taken to at least partially mitigate the risks involved with the software. ActiveX in IE, for example? You can turn it off in the Internet Zone, if you dislike ActiveX and consider it a great risk. Remote code execution vulnerabilities in a new word processor? Try to remember not to open documents from untrusted sources, and that already saves you from some attacks - but not all.

Secure computing requires a lot of risk analysis and decisions. If you want a system secure in the extreme, one of the first questions should be "Do I even want this system to be able to connect to the great unknown of the Internet?"

Some risks you take, some risks you don't. The choice is always up to you. But whatever you do, obviously it's important in the extreme to not let malicious code or malicious users gain control of the system. And if you can prevent that, then you don't have to worry about what said malicious parties could do with the software that has been installed on your system.

For those who are interested in Opera, weigh the risks and benefits and decide. The risks are reasonably clear, after all: new vulnerabilities are practically certain to be in the Unite code, and it's a web server which are always special cases due to their nature - untrusted remote users can connect to them, by design, and who's to say what those users will try. So, if you are concerned enough about Unite, don't install Opera. If you are confident that you can keep malicious parties from compromising your system or accounts, then simply leave Unite disabled and you don't have to worry about any malicious party enabling it secretly. If you think your system stands a reasonable chance of being compromised, and believe that Unite could be used by the attacker, then you should not install Opera at all, and you should also take measures to lower the chances of your system being compromised.

-{ Quote: "I'm concerned about malware running on the system in the first place. And yes, I am mostly ignoring what pre-installed software malware could use for its evil ends once it already has access to the system. That's because there's a lot of such pre-installed software and it's not practical to remove them all: there's browsers, there's the operating system itself with plenty of features that could be used maliciously, there's simply a lot of stuff. What the user should aim to do is to not let the malware infect the system in the first place. " }-


I quote all the post, actually ;)

-{ Quote: "In a scenario like this where you have Opera installed but Unite is not enabled, in my opinion it's not a problem that malware could jump in to enable it. It's not a problem to me because to do that, the malware would already need to have access to the system. Therefore the problem is malware having system access, not pre-installed software having features that malware could use for its own ends once it is running on the system. But, if you are honestly that concerned about getting malware on your system that would then enable Unite, then surely you should avoid installing Opera. That's certainly what I would recommend for you, or anyone else so concerned about getting malware on their system that could enable features in pre-installed software, like Unite in Opera. Before making that recommendation, I'd just take the opportunity to say that in general it might be a good idea to just try to prevent malware from infecting the system " }-

This is the point. An user can also dont' use the new Opera version with Unite, and to choose another browser. He can also to enable only the port 80 ( and the DNS on 53 ) with the fw to limit " direct " risks from the surfing on the Web.

Then what happens if he is not able or he takes not care to prevent all the kind of existing malwares from to access his system ? As Windchild expained, his system is not protected from many kind of threats: from a downloaded software to a clicked banner, from a hackered web page or site to a whatever malicious code can be hidden in HTML, JPEG images, urls, links...

A multilayer defense, mainly but not only - remember security policies and other - using an HIPS and surfing in sandboxed or virtualized mode are the best protection one can have, with or without Opera.

Anyway, it would be not a bad idea if Opera in the next releases would give the choice if to install or not Unite. It also could reassure many common users that love this great browser.

-{ Quote: "
Anyway, it would be not a bad idea if Opera in the next releases would give the choice if to install or not Unite. It also could reassure many common users that love this great browser.
" }-

With that i agree! They could make two installers, they could make it an option during install, anyway they like it.

Just for the history, a more "pessimistic" view:

Opera Unite could be security risk say researchers

http://news.techworld.com/security/117784/opera-unite-could-be-security-risk-say-researchers/


Also this is an interesting "surgery" performed on Opera by CoU member weaselthatbites

-{ Quote: "
1) Renamed the Unite folder to something else. Its located wherever you install Opera - usually C:\program files\Opera.

2) Click on the Panels button (Or Press Ctrl H to get the history one open).

Click on the Unite panel

Deleted all of the icons there.


Then I went into opera preferences.

opera:config#WebServer|Enable

Note: that link wont actually work...or at least not in opera. You have to type it in manually, as it puts an http sign in it automatically when you use the forum BB Code.


1) Deleted the directory it was pointing to. Webservers.

2) Disabled UnPNP and its discovery.

3) Switched off Webserver always on.etc. " }-


Personally i prefer not trying it, because i don't know how it would affect stability, etc.

But if there's someone who wants to use Opera 10.10 and doesn't want to have Unite , he may try and see... Cause enabling a "disabled" Unite is only a matter of changing one value on operaprefs.ini.


I stay with FF. I actually did a heads on page by page "contest" between the 2 and FF eats both less CPU and RAM. Opera looks better in the speed dial than the FF addon and the mouse gestures of Opera seem to work better, but it's not as much of a difference.

On a side note, Opera now is in alpha and it seems that in the next release, there will be also a "Twitter" widget.

http://my.opera.com/desktopteam/blog/opera-10-20-goes-alpha

It goes the "Nero way" and i am going the other way.

-{ Quote: "With that i agree! They could make two installers, they could make it an option during install, anyway they like it.

Also this is an interesting "surgery" performed on Opera by CoU member weaselthatbites
" }-

Personally, if I was inclined to such surgery, I would just make sure Unite was disabled in the GUI (Tools menu), and then use opera:config to change the Enable Unite User Prefs setting to off. After that, Unite disappears from the GUI. Then you could just delete the whole Opera\Unite folder and the whole 3 megs of Unite's .ua files along with it. Do that, and I would imagine you couldn't easily turn Unite back on again, since those files would be missing. And if you're a limited user, you couldn't add the files back to the Opera folder, either, without admin credentials. If you also used the system fixed preferences file operaprefs_fixed.ini to force Unite disabled by adding Enable Unite=0 under User Prefs, then turning Unite back on should be a great lot of work indeed for the limited user.

I would also appreciate it if Opera gave more options in their installer so one could choose to not install Unite and/or M2 for example at all. Unfortunately, I see no reason to believe they would do it. They've always been of the "internet suite" mentality, and haven't allowed the user to not install features he doesn't want, only to disable such features. But giving them some feedback about it likely would not hurt. I have personally given up on trying, though, since I've been requesting more installation options for about eight years and it hasn't worked. ;D

-{ Quote: "Well said Blue ! :thumb:" }-Yes, I'm so glad there is someone who will always come along at just the right time, and pontifically make an interesting debate turn into pablum. :isay:

Eice wasn't nice so his posts are no dice and ...blue agrees with windy... & windy returns the favor by agreeing with blue... and everyone agrees with everyone... and seldom is heard a discouraging word, and the skies are not cloudy all day.

In the meantime, Opera is a growing bloat with increasingly unsecure holiness. And so, in the spirit of A versus B, I choose K-meleon. :blink:

If only k-meleon by default would do a little bit of tweaking to the UI.

I can set it up to be how I want, but by default, not so pretty. :lurking:

-{ Quote: "Yes, I'm so glad there is someone who will always come along at just the right time, and pontifically make an interesting debate turn into pablum. :isay:" }-It's called reality. If that appears an unseemly intrusion, so be it.

Blue

-{ Quote: "Naturally, I use seat belts and have insurance. But I don't consider those things as important as learning to drive safely, because if I drive unsafely enough, neither seat belts nor insurance will save me or anyone who gets in my way when I crash around." }-
Seat belts save lives. Insurance mitigates the financial consequences of accidents. The critical flaw in your thinking remains that you still believe they're intended to replace safe driving. And blinded by this you ramble on and on about how important prevention is. Dude, we get it. Despite what you may think, I doubt any of us here are idiots who need you to ramble on and on for pages preaching your masses-enlightening sermon - which turns out to be nothing but the blatantly obvious.

What you still don't get is that mitigation strategies matter. This is just a suggestion, but you might want to stop the exercise in hypocrisy and confusion by extolling the politically-correct stance that running unneeded web server software affects security - and then in the very same post turning around and making long-winded arguments how they DON'T affect security and why one shouldn't concern oneself about them.

-{ Quote: "Seat belts save lives. Insurance mitigates the financial consequences of accidents. The critical flaw in your thinking remains that you still believe they're intended to replace safe driving." }-

Except that I don't at all believe that seat belts are intended to replace safe driving, and so that particular critical flaw exists only in your vivid imagination. I simply believe that it's worth emphasizing safe driving, because prevention is extraordinarily important, more important even than seat belts, which are rather reactive in nature and may save your life only after you're already in trouble, not keep you out of trouble in the first place. And in spite of how obvious it may be, some people are having trouble remembering the special importance of prevention. I meet people like that practically every day: people who are all concentrated on reacting to something unpleasant that happened instead of preventing it from happening. And if you do your best to drive safely and to keep intruders out of your car, you don't have to worry much about someone sneaking into your car to clandestinely cut your seat belts or something. ;D

-{ Quote: "What you still don't get is that mitigation strategies matter. This is just a suggestion, but you might want to stop the exercise in hypocrisy and confusion by extolling the politically-correct stance that running unneeded web server software affects security - and then in the very same post turning around and making long-winded arguments how they DON'T affect security and why one shouldn't concern oneself about them." }-

Obviously mitigation matters, and I've posted about mitigation for various security issues many times. In fact, even in this thread. Actually, in my previous post, I wrote a couple of quick things that I would imagine could help make enabling Unite harder for any malicious party, therefore somewhat mitigating the issue. And not running as root, which is something I always babble about? That's a pretty effective and common mitigation strategy for many issues - keeping malicious parties from getting complete control over the system. If you're seriously claiming that I don't understand the importance of mitigation, then you're simply delightfully silly.

There is no hypocrisy or politically correct stance here. This is just a friendly suggestion: show me where I've claimed that running web server software does not affect security - use the forum quote function, it's quite nice for quoting what others have said - and if you can't find where I clearly said that, then you could kindly consider stopping your babbling about it. And if the best you can find is something that you think "implies" there is no security impact, then perhaps you need to consider the possibility that you're intentionally or accidentally not quite understanding what the words say, and could read them again in proper context.

If you run web server software, it affects your security. Any software you run affects your security, in its own way. Running some text editor obviously has different security impact than running a web server that remote users can connect to. If you have web server software installed but not running, that is vastly different from having the server actually running, however. Keep malicious parties off your system, and malicious parties won't be enabling that web server, and you won't have to worry about that. Obvious, sure, but some people have a natural gift of missing what is obvious and even easy. If you can't keep malicious parties off your system, then you surely have more problems than Unite being turned on, and you need to concern yourself with those problems as well - in fact, especially those problems, since those problems are already out there in droves whereas there does not yet seem to be a great epidemic of malware enabling Unite. Once again, if you don't want web server software, you should not install it - I've said this multiple times, and I'm sure you're smart enough to realize it for yourself. If you really don't want Unite, don't install Opera. If you're not concerned about yourself, but about other users, then advise them not to install Opera either. This shouldn't be very hard. After all, Opera is not difficult to uninstall, and most systems do not come with Opera pre-installed.

I don't see anything hypocritical or confused about being a realist, and keeping things in a practical perspective. The practical perspective would be different if keeping malware off a system was difficult, but it's not difficult. Even many quite ignorant users can be taught how to do it with reasonable success.

-{ Quote: "And if the best you can find is something that you think "implies" there is no security impact, then perhaps you need to consider the possibility that you're intentionally or accidentally not quite understanding what the words say, and could read them again in proper context." }-
Claiming to be misunderstood is certainly always a convenient excuse, especially when actually one is understood far better than one would like to be.

Out of curiosity, what, then, is this "proper" context with which to view your string of arguments where you continuously claim it doesn't matter whether Unite is present or not? Please do tell.

The good thing to come out of this, and articles focussing on security and new updates to Opera, is hopefully the company understands the importance of having optional downloads. Opera + Unite, and Opera on its own.

I can see why they've done it, hovering around a few per cent of the browser market you've obviously got to try something new, something the facebook and twitter loving users of the world might see value in.

-{ Quote: "Claiming to be misunderstood is certainly always a convenient excuse, especially when actually one is understood far better than one would like to be.

Out of curiosity, what, then, is this "proper" context with which to view your string of arguments where you continuously claim it doesn't matter whether Unite is present or not? Please do tell." }-

Show me where I have claimed it does not matter for security whether Unite is present or not. Use the quote function, please. If you won't or can't do that, maybe that tells people something. I've requested this of you multiple times, but you refuse to do it. That puzzles me, because if I had "continuously" claimed that it doesn't matter at all for your system's security whether Unite is present or not, one might expect it would be easy to just quote even one sentence where I actually claimed that. Certainly it shouldn't take much more of your time than writing about crackpots and convenient excuses and making other such puerile wisecracks.

Again, I have not said that it doesn't matter for your system's security whether Unite is present or not. What I have said over and over again is that if you allow malicious parties to compromise your system to the extent that they can enable Unite or are able to change other settings without your permission, then you have serious problems in any case, even if Unite is not installed. This is clearly not saying that Unite does not matter. It's saying that if you remove Unite, you still have problems if your system is compromised - you don't have the problem of malware enabling Unite already installed on your system, but all other problems remain as big as ever. So, removing Unite, while improving your security, does not remove all the other problems that you still need to tackle. If Unite is installed, malicious parties could use it, if they so desire. But if Unite is not installed, malicious parties can still use any other things on the system, if they so desire, or install whatever they want the same way the original malware was installed, or using other methods such as BITS. Knowing this, I suggest that the main problem to worry about is the compromise itself, preventing it from happening, instead of concentrating on settings the malicious party could change once it has gained access to your system or what features it could enable. I feel this way simply because if we go the route that we assume the system is already compromised or can easily be compromised and start worrying what software pre-installed on the system could be used for evil, we end up in a situation where most likely large amounts of software that we have a legit need for has features that could be used for malicious activity, from deleting your files to uploading some of the more sensitive information to the attacker's server. We most likely can't remove all of that software without making the system largely useless to us. And even if we could, that would still leave the system compromised. Therefore, another solution must be found. The obvious solution is working to prevent malicious parties from compromising the system, so that they can't use pre-installed software for malicious activity. Making a system reasonably secure against compromise, I submit, is easier than removing any and all such software from the system that could be used maliciously if the system was compromised.

Another thing that I've constantly said is that more code, new code, means more vulnerabilities, new vulnerabilities. Therefore, do not install software you do not need. If you do not need a web server and don't want it, don't install a web server, even as a part of some browser. If you can't go without this browser that comes with a web server built into it, but can make reasonably sure your system won't be compromised by malicious parties, then you need not worry much about said parties enabling the web server, because they won't have enough access to your system to enable it. You will have other things more worth worrying about, like keeping all the software patched. On the other hand, if you can't make your system reasonably secure against compromise, then you're likely to end up in trouble in any case, whether or not you have Unite installed. You can remove Unite in such a case, and that would indeed make a difference, as it would prevent the attacker from enabling Unite already pre-installed on your system - unfortunately it would not prevent the attacker from installing Unite himself if he was so inclined.

So, that proper context you wanted to know of? The context is exactly this: if your system is compromised, whether or not Unite is installed is not the big issue - the big issue is the actual compromise. It doesn't make that much sense to worry about Unite being enabled by attackers, when there are easy and reasonably effective solutions to the issue: 1) Remove Opera, and Unite won't be on your system unless someone else installs it after gaining access. That should solve the problem, no? 2) If you can't remove Opera, then make reasonably sure that malicious parties can't gain access to the system, and chances are they won't enable Unite, since they don't have access. This is pretty good, too, and what I suggest for those who love Opera as a browser. Those people can also try to hack Unite out: opera:config / User Prefs / disable the Enable Unite setting, or you can put that in the system fixed ini file to apply it to all users at once. You can delete Unite's .ua files. That should make enabling Unite at least a bit more difficult, I would imagine.

What is not a solution is: 3) Blame people who point out these painfully obvious options as solutions to your problem with Unite for being crackpots and politically correct hypocrite ignoramuses.

But hey, life is all about choice. Your choice. I don't believe a smart poster such as yourself would honestly have a problem understanding all this. It's more likely, I suspect, to be a case of wanting to be confrontational, which is something your consistently rude choice of words implies.

-{ Quote: "The good thing to come out of this, and articles focussing on security and new updates to Opera, is hopefully the company understands the importance of having optional downloads. Opera + Unite, and Opera on its own.
" }-

Let me put it this way: I would be extremely surprised if Opera gave in and released an installer without Unite, or modified their current "all-in-one" installers with an option not to install Unite at all. They are pretty set in their ways, Opera, I mean.

If you dont like bloat then don't look at the new 10.20 alpha. They are now focussing on the widgets.
http://my.opera.com/desktopteam/blog/opera-10-20-goes-alpha
Would be nice to have a Opera Lite without all this. I dont need their e-mail, unite and widgets.

-{ Quote: "Show me where I have claimed it does not matter for security whether Unite is present or not. Use the quote function, please." }-
Oh, really? So even though you claim that you're of the stand that Unite matters for security purposes and that mitigation is important, you ramble on for pages and pages and paaaaaaages arguing against people who're saying exactly that as well?

Doesn't it seem kind of, oh I don't know, just a little bit strange for you to continuously rebut people who are advocating the positions you're supposedly standing for? Isn't it a wee lil' bit funny that people who are voicing opinions that you purportedly agree with can't do it without pages' worth of opposition from you? And you get all hot and flustered and accuse people of being rude and confrontational when, surprise surprise, you get pointed out as a hypocrite grandstanding for political correctness. Oh dear.

I'm sorry that it offends you, but I'm the kind of person who calls a spade a spade.

-{ Quote: "Oh, really? So even though you claim that you're of the stand that Unite matters for security purposes and that mitigation is important, you ramble on for pages and pages and paaaaaaages arguing against people who're saying exactly that as well?

Doesn't it seem kind of, oh I don't know, just a little bit strange for you to continuously rebut people who are advocating the positions you're supposedly standing for? Isn't it a wee lil' bit funny that people who are voicing opinions that you purportedly agree with can't do it without pages' worth of opposition from you? And you get all hot and flustered and accuse people of being rude and confrontational when, surprise surprise, you get pointed out as a hypocrite grandstanding for political correctness. Oh dear.

I'm sorry that it offends you, but I'm the kind of person who calls a spade a spade." }-

So in other words, you couldn't quote where I said Unite doesn't matter for security. Thank you.

What I've been arguing is quite simple: 1) Secure your system so it isn't compromised, and you don't have much cause for worrying over anything that has compromised your system enabling Unite secretly. 2) If you either think you can't protect your system from compromise or think that you can but still would prefer to do away with Unite for reasons of security, then simply uninstall Opera and Unite will not be on the system to be secretly enabled by malware.

I haven't been arguing against these things. I've been arguing for them. What I've been arguing against is the idea that malware enabling Unite that has been pre-installed on your system is somehow a large issue or an issue difficult to solve. It's neither. You can make it a non-issue by uninstalling Opera. You can make it a non-issue by not letting malware gain control of your system.

I'm not so much offended as amused. And as far as hot and flustered, I'm not the one who's been typing in all caps and editing their posts to remove insults they felt compelled to use. ;D But hey, that is all about perspective, too. Maybe in someone's eyes, that kind of stuff is calm and rational and calling spade a spade, instead of being, I don't know, hot and flustered.

-{ Quote: "What I've been arguing is quite simple: 1) Secure your system so it isn't compromised, and you don't have much cause for worrying over anything that has compromised your system enabling Unite secretly." }-
In other words - focus on prevention, and don't worry about mitigation.

And why is that? Because once you get infected the bad guys can do all sorts of things regardless of whether Unite is present or not. Hence Unite doesn't matter.

Would you care to deny that those were what you've been tirelessly exhorting? That mitigation doesn't matter, that Unite doesn't matter?

It may be a bit disingenuous of you to try to disown your previous arguments simply because I can't be bothered scouring your yawn-inducing pages of boredom looking for the specific words you're asking for. I may have skipped over those whole chunks of utter irrelevance, and you may try to play the "I'm being misunderstood!" card, but that doesn't necessarily mean I didn't grasp the crux of your argument.

-{ Quote: "I haven't been arguing against these things. I've been arguing for them. What I've been arguing against is the idea that malware enabling Unite that has been pre-installed on your system is somehow a large issue or an issue difficult to solve. It's neither." }-
And I daresay you'll find that nobody has expressed those ideas to necessitate your to jumping out and correcting them. Perhaps in your zeal to preach your sermon you've been imagining things when people were expressing perfectly legitimate concerns, and having created this objective for yourself promptly used it as your excuse to launch into lengthy lectures expounding the blatantly obvious.

You're right; this is amusing. At this point, it would seem that I've been wasting time on a quixotic crusader campaigning vigorously against his fictitious foes.

-{ Quote: "In other words - focus on prevention, and don't worry about mitigation." }-

No. There was a #2 that you didn't quote, and that's quite important, really. Context, and all. Focus on prevention as a priority, and worry about mitigation after you've taken reasonable measures to prevent problems. It's not an either-or choice. You can both attempt to prevent problems and mitigate their unwanted effects. And you should. You don't have to choose one over the other. But, it may be useful for you to spend some more effort on prevention than on mitigation, seeing how prevention can prevent a problem from occurring at all, when it works. Personally, I certainly prioritize preventing problems over mitigating them. It's a little like how I would treat my family as compared to how I treat my co-workers. I value both, but I spend more of my time on my family, because I value my family more. After taking measures in prevention, you may even realize that you are pleased with the current state of your security, and need not take any particular measure to mitigate, say, Unite being enabled secretly. If you realize you're still not pleased, then it's a good time to get working on those mitigating measures. This should not be too complex to grasp.

-{ Quote: "And why is that? Because once you get infected the bad guys can do all sorts of things regardless of whether Unite is present or not. Hence Unite doesn't matter." }-

Oh, Unite matters. The obvious problem is, many other things matter, too. And once you've taken care of your issues with Unite, you still have those other things to worry about. Therefore I find it reasonably smart to not worry too much about Unite, when it's easy to uninstall Opera and Unite along with it, and when there are many other unpleasant things that an attacker could do after compromising your system that removing Unite would not address. Deal with your issues with Unite - such as by uninstalling it - and then get back to the big issue of preventing malicious parties from compromising your system. That is to say, if you've got to worry, worry more about the big issues, and deal quickly with the small ones that can be quickly solved (uninstalling Opera doesn't take much time).

-{ Quote: "Would you care to deny that those were what you've been tirelessly exhorting? That mitigation doesn't matter, that Unite doesn't matter?" }-

Yes, I would care to deny it, and just did. Mitigation matters, Unite matters. Obviously. All software matters. But, there's always the big picture. Removing Unite removes one problem - attacks against or using Unite that has been pre-installed on the system - and leaves you with tons of other problems. So just deal with Unite quickly, since you can, and then get to dealing with those other problems that perhaps cannot be dealt with simply by uninstalling one piece of software. Like malware infections in general. Preventing those may take more work than clicking the Uninstall button, but would also offer greater improvements to your security, so why not start right away, now that you've had time to deal with Unite? A car analogy? Big problem - small problem. Thieves got inside your car and just got the engine running and are free to do what they please - system compromised. Thieves get out just to break the driver's side window - Unite being enabled by malware after system compromise. Sure, neither is nice. But you've got to admit that even if you could prevent them from breaking the window, you would still have some pretty big issues to deal with, so the window can hardly be priority number 1.

-{ Quote: "It may be a bit disingenuous of you to try to disown your previous arguments simply because I can't be bothered scouring your yawn-inducing pages of boredom looking for the specific words you're asking for. I may have skipped over those whole chunks of utter irrelevance, and you may try to play the "I'm being misunderstood!" card, but that doesn't necessarily mean I didn't grasp the crux of your argument." }-

Or it may be that you're too quick to make wisecracks and too lazy to read what has been written. I'm not disowning any of my arguments. You're just pretty much setting up some straw men in place of what I've actually stated, and then getting up on a high horse about how those arguments of mine that you just fabricated are soooooo silly and below any intelligent reader. ;D

-{ Quote: "And I daresay you'll find that nobody has expressed those ideas to necessitate your to jumping out and correcting them. Perhaps in your zeal to preach your sermon you've been imagining things when people were expressing perfectly legitimate concerns, and having created this objective for yourself promptly used it as your excuse to launch into lengthy lectures expounding the blatantly obvious." }-

I didn't jump in to correct anyone in particular. I saw a discussion on Unite and its security impact, and stated my thoughts on it, in short, pretty much: "Obviously to take advantage of Unite the attacker has to gain access to your system. If he does, there are many more things to worry about than just Unite being enabled. There's not too much chance we'll see widespread malware enabling Unite secretly. Therefore, not too much reason to worry about Unite in particular. It's an issue quickly solved - just delete it if you don't want it. The big problem is allowing your system to be compromised in the first place. Worry about that, and when you've dealt with that problem, the problem of Unite being abused by attackers will become practically a non-issue, since it probably will not be easy to enable Unite without compromising the system."

Now, when I joined this forum, I didn't see any forum rules that dictate that
1. you must never post what is obvious to some people (if there was a universal rule like this, there wouldn't be many posts in most Windows security forums) and
2. even if it concerns the subject of the thread, you must never post anything that isn't a direct reply to an argument or statement by another poster.
If I had seen rules like that, I wouldn't have bothered to mention that malware enabling Unite isn't a big reason to worry for someone with enough brains (and not much is required) to keep the malware out in the first place. There are people reading threads here who aren't posting in them. Some of them may even occasionally benefit from someone stating the obvious, whether the obvious is some OS' non-immunity to malware or something like this subject here.

-{ Quote: "You're right; this is amusing. At this point, it would seem that I've been wasting time on a quixotic crusader campaigning vigorously against his fictitious foes." }-

Well, I didn't think you'd bother to write all of that, complete with quixotic hypocrite crusaders and all, if it didn't amuse you in some way. I surely wouldn't. ;D But as far as being quixotic is concerned, I do think that prevention is pretty practical, certainly much more practical than removing all software that could be used maliciously by someone who has gained access to your system. And I don't think any time that was spent being amused could be time wasted. ;D

-{ Quote: "If you dont like bloat then don't look at the new 10.20 alpha. They are now focussing on the widgets.
http://my.opera.com/desktopteam/blog/opera-10-20-goes-alpha
Would be nice to have a Opera Lite without all this. I dont need their e-mail, unite and widgets." }-

Well if that's the direction that Opera is going, I won't be holding my breath for a "slim" version.
That's the end of Opera for me.
There are a lot of alternatives that aren't bloated.

The last few versions of Opera have slowed down my browsing considerably.
So no worries here whether or not unite is a security risk as I've decided to give Firefox another go and so far its been a lot faster with no problems loading some sites as Opera was having problems quite often. Maybe Opera will release a version in the future that works well here again, with the option to do a custom install would be nice.

Some things i don't get with Opera. Javascript is slow compared to Firefox. I dont need it often but the times i need JS its a pain. Also gmail is/was always slow with Opera. They could make improvements in this area... But nothing. Seems to me Opera is always trying to be "that" exotic browser for advanced users.

-{ Quote: "Some things i don't get with Opera. Javascript is slow compared to Firefox. I dont need it often but the times i need JS its a pain. Also gmail is/was always slow with Opera. They could make improvements in this area... But nothing. Seems to me Opera is always trying to be "that" exotic browser for advanced users." }-

No slowdown here with the latest build,its just a bit faster.
I like the way Opera is essentially a '' pluginless '' browser.
In my days with FF all these plugins brought FF to a crawl,its not my hobby to fiddle with these things,i just want info fast and straight from the Web.

I know people are comparing FF and Opera, but for those interested that want a quick browser, the following guy makes a lean portable google chrome version, probably quickest browser I've tried:

http://planet-chrome.de/

-{ Quote: "I know people are comparing FF and Opera, but for those interested that want a quick browser, the following guy makes a lean portable google chrome version, probably quickest browser I've tried:

http://planet-chrome.de/" }-


There is also Chrome Plus that's linked in a previous thread.
It's similar to SRware Iron.