How significant is spyware?

Discussion in 'other anti-malware software' started by bellgamin, Mar 16, 2008.

Thread Status:
Not open for further replies.
  1. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    The zlob... oh my... I cleaned a lot of those in the last couple months...

    Actually you can't explain to users how to avoid iframes... as only tools automated to perform the job can handle those... they are invisible HTML statements embedded within a web page... No user decisions can really make the iframe good or bad; only the content of the iframe dictates its purpose.
     
    Last edited: Mar 20, 2008
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You miss my point.

    The content of the iFrame may dictate all the purposes it wants to, but in this case, the user is enticed to download something. By closing the page with no action, the exploit is effectively nullified.

    Again, it doesn't take much to teach people what to look for in scams like this: don't respond to messages to download something you haven't initiated yourself.


    ----
    rich
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    None that I know of, but it's a moot point. All modern browsers worth their salt come with their own inbuilt functions to control/disable JS (yes, even bare-bones, NoScript-less Firefox). In all honesty you could've done it since back in the IE4 days IIRC, but there's just all this buzz and hype about NoScript...

    ProSecurity is a Host Intrusion Prevention System. If anything tries to tamper with your browser at the application level, or if your browser tries to do anything to the OS, the answer is presumably yes, assuming you have the proper rules in place and aren't using the very crippled free version. On the other hand, if your browser does something like try to interpret a script or HTML file when you visit a particular website, this is an action that doesn't involve the host, so to speak. You're on your own.

    Theoretically, yes.

    But we've already moved very far away from spyware here, if that's what you're worried about.
     
  4. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Oops sorry my bad! o_O
    Yes, in the case of the executable injection via user selection you are right... However, iframes are used to do far more nefarious tasks that are mostly unnoticed by the users...
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, that's for another thread.

    In keeping with how you get spyware, I used iFrame as one way in which people are put into a situation where they are enticed to download something. This is where some common sense comes into play.


    ----
    rich
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    You are right about the "Basic" functionality, but from a functional point of view it is more or less a question of all or nothing with the built-in functions. Also, given the sheer number and scope of scripted content, browsers have proved themselves out of sync with much of the capabilities of NoScript... Bar none it is by far the better option in my opinion. If only because of the enhanced visibility it provides... I wish functionality similar to Firebug would be more integrated within browsers as well, as it would then eliminate the "invisible" components element.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Sometimes I wonder if NoScript is built more on paranoia and hype rather than any real need for it. I've used Firefox since the Phoenix/Firebird days, and switched permanently to Opera 1-2 years back. I've never found the need for NoScript, or to even turn off Javascript at all (save to deal with some annoying crud from incompetent webmasters).

    How many times has NoScript stepped in to save the day for you, TBH?
     
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Well, I posted a list of Code injection attempts on my site this morning. (Link) The number of scripts the bot was scanning for vulnerability is rather large for a single pass. I only have listed one day! composed of 8 attempts.

    Now the problem is that each and every one of these server-based scripts had known vulnerabilities, otherwise the hacker would not have wasted his time trying to exploit them... Thus, vulnerable scripts being what they are, the real target is those browsing... meaning that a tool such as NoScript probably would have proven to be the only effective line of defense given one stumbles upon the hacks...
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    (Using Opera since v. 3.6) -- I agree with your points.


    ----
    rich
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    (my emphasis)

    I would have to see the hacks before entertaining such an assertion.


    ----
    rich
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I don't consider buzz and hype an app/add-on that:
    - makes the management of site's permissions easier and quicker (two clicks away) than the solutions provided by other browsers.
    - has proved to close the window of vulnerability to zero when Quick Time/other plug-ins bugs opened the door for remote code execution in Firefox.
    - has proved to be a mitigation for some Firefox vulnerabilities.
    - is the only (?) solution against XSS, a threat mostly theoretical at this time, but one that may put you at the risk of identity theft.
    Until today, NS has done nothing to protect me. But, neither LUA/SRP, GeSWall, Jetico/Kerio 2, etc have done something to protect me. Using this logic, I could dismantle my "security apparatus" without concerns (I have "naked" machines, BTW).
     
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Of course any scripts based on open/start end/close statements would be under control regardless of the hacks enclosed. As for the hacks themselves, once the script is authorized by the user the game's over.
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Read: attempts. That's like telling someone they absolutely need a software firewall in their PC, just because someone is scanning their router's IP.

    By all means feel free. I don't see what's so preposterous about that - if it's not needed, out it goes. Too many people these days base their security setups on what they "must" have, instead of what it actually does for them. FWIW, I've run "naked" for almost two years once on an admin account with no security patches. Nothing untoward happened, actually, so if that's the case for you as well, I don't see why it's a ridiculous notion that you can scrap the stuff you don't need.

    As for NoScript being the only barrier stopping certain Firefox vulnerabilities... may I suggest you consider a more secure browser? :D
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Disabling javascript in Opera is quicker with two keystrokes: F12 - j

    Or-- I think you can create a toggle button for 1 click.



    ----
    rich
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I won't believe that until I see the web site with the script.


    ----
    rich
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why not? What's there to fear?

    I didn't even have a firewall until Win2K, but I fell for the hype about Services doing this and that. Well, as I realized later, ports closed are ports closed, whether by a firewall, or within the OS itself.

    Granted, it's easier with a firewall, and to be recommended for the public, but you are knowledgeable enough to get along without a firewall if you wanted to.


    ----
    rich
     
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Sorry Solcroft, but this one makes a poor analogy. IP scanning is for open ports, while vulnerability scans on server-based scripts are incredibly more specific. All you need is the vulnerable revision of the script running on the scanned machine and you are done for... while discovering a visible IP requires substantially more work to crack than its simple discovery.

    Actually I'm sticking my neck out here, but I think lucas is more than likely discounting the fact that he is blocking many scripts using NoScript, and what he is actually saying is that none of the scripts he actually did allow through caused him grief... this however would not invalidate the defensive capability of the filter...

    See, with a tool like NoScript, more than likely the script he didn't allow might have contained hostile content... only he would never have known, as the script was blocked, so never processed means no knowledge of bad behavior (unless you read the script code of every blocked script, which is highly unlikely)
     
    Last edited: Mar 21, 2008
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Rich,
    most users were perfectly safe with simple logon credentials until Win2k... Even servers didn't have firewalls...
    However try it today... and you'll be sorry!
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    http://www.urs2.net/rsj/computing/tests/fw_test/

    I've done this several times since, when hearing about new exploits.

    ----
    rich
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Not much more difficult when you find a vulnerable service running than when you find a "vulnerable revision of the script".

    In which case you miss one very important point. For all the hullabaloo over this, it hasn't happened. Even as far as scripts are concerned, the only one to worry about is XSS, while all modern browsers could give a fig for all those other fancy remote code-execution exploits. And even then, with XSS, killing Javascript when entering confidential details settles it. No, really. It's that simple.

    So I really wonder why you take so much trouble to go out of your way and trump up theoretical, almost non-existent threats, that we have to bind ourselves hand and foot by disabling Javascript during everyday surfing. Seriously, even Sasser is currently a more realistic threat to worry about than XSS.
     
  21. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Well... I wonder why Microsoft did all the work to include a firewall since XP SP2? There are vulnerabilities not scanned for by GRC, as there actually are over 65000 ports possible...

    Also firewalls provide a buffer between listening applications and the Internet scopes. The firewall acts where the operating system would simply allow the request to be answered and given appropriate credentials the request would be successful...
     
    Last edited: Mar 21, 2008
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    THAT's the one that scares me!

    Format my hard drive. Kick me. Beat me. Call me dirty names. Format my hard drive -- those are all minor inconveniences.
    But steal my logins (pw's etc) SHRIEK!!!:argh: :argh: :argh:

    As to NoScript -- would use of a good HTTP scanner eliminate the need for it?

    P.S. Since all of this dialog has made me switch to Firefox+NoScript, how the heck do I turn off all the animation of images?

    P.P.S. I sincerely hope that solcroft convinces me that NoScript isn't all that essential. I want my K-mel back!
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I only use what I (somewhat) understand and has been "proven in the field". I do my research before using/recommending something. I feel "at home" with rule-based firewalls so I use them, even if I consider outbound control to be of little value against malware. I was sold on GeSWall after I read its documentation and saw tests elsewhere. "Tripwire" systems have been proven to work on various OSes, so I've built my tripwire for XP. It was natural to get interested in LUA/SRP when you use a policy-based sandbox. Since ActiveX became a common way of infection, using third-party browsers was a "common sense solution"
    I got interested in NoScript after reading some things about XSS and when I started to know a bit about how web-based exploits work.
    I run "naked" too. Machines waiting for incoming packets and no firewall, old/unsupported OSes, various patching levels, no real-time AV/AM, little (if any) hardening, etc. I'm fairly sure that they're clean.
    But they're disposable machines, I don't do critical/sensitive things on them. I can't do the same with my main machines, not with my current level of knowledge. My sceptical nature has kept me safe, but I'm curious enough to get myself in trouble sometime.
    Opera works well in "old" systems, but I like Firefox too much (extensions, the new FF3, etc) to drop it. Also, I don't consider Opera to be intrinsically more secure than Firefox. If it has any advantage, it's surely minimal at best.
    How do you manage per-site permissions? With NS, I can allow some scripts to run and deny the rest. I can control which plug-ins are loaded/called.
    In the systems which have Opera installed, I don't bother with disabling JS and such.
    There's not much to fear (well, not until I get involved in stock/bonds trading) but I don't want to deal with malware and waste time with it. I know that this is somewhat irrational (no human can be rational all the time) but I don't want malware at all. I don't buy the hype nor am I brainwashed by FUD-spreading paranoids, but I have some concerns (some rational, some not so rational)
     
    Last edited: Mar 21, 2008
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Because it's easier and safer for most people. But not impossible. Hence, my disclaimer.


    ----
    rich
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't. I consider it a waste of time.

    I don't either. I just gave the procedure in answer to your statement that FF disables things quicker than other browsers.

    EDIT: I do disable JS for some news sites -- they load much quicker on my dialup w/o loading junk.

    ----
    rich
     