I think he's assuming that you wouldn't realize it's compromised. I mean, hey, when I see a file is digitally signed and verified by Verisign I think, yeah, it's probably legitimate. But am I going to rely on that? Nope. Certs get hacked, CAs hand them out too easily, and sites get hacked all of the time.
If you're talking about an exploit on a browser or plug-in like Java or Flash, that doesn't matter any more than a compromised download. There are measures one can easily put in place to avoid the malicious effects of any one of these or similar, and whether one cares to admit it or not, instinct and common sense can play a huge part in that.
No, I mean a compromised download that you didn't realize was compromised. As in, you go to download the latest Flash Player and everything looks fine, you choose the file and download it, but in fact the site had been hacked and what you just downloaded was a file that only looked like a Flash Player plugin.
Okay, that's fine, but it perplexes me to some extent that so many, yourself included, talk about this scenario as though it's commonplace, yet I never see it in my own experience. So what gives? Am I just fluking out and not representative of what's apparently happening to most people, or could it be most of this is overhyped?
Purely hypothetical. I don't know of Adobe's site ever being hacked to distribute malware in such a way. But legit sites do get hacked often and exploits are shown all the time. http://www.reddit.com/r/pwned http://www.reddit.com/r/xss Plenty of sites have lists like these where exploits are shown or the sites are hacked. MySQL's was posted here, I remember; Amnesty International is another high-profile one. Lots of lower-profile ones that us normal users might not run into, but someone will. Not to mention the Sophos report I posted either in this topic or another. I meant to read that today... I think I'll get on that.
"Yeah, "Reset" or "Refresh" or something. It sets the OS back to default but you keep your files/documents." This is called imaging your system drive.
I've only had a brief look, but a lot of those seem "weird" to me, ones I'd never download from. However, the Garmin.com XSS was of interest to me, because I've installed updates on my GPS sometimes (nothing malicious ever to note). When I click on it, IE9 comes nicely into play...
Yep, like I said, you likely just haven't come across them because... well, you don't go to them! haha And, of course, there are ways to mitigate these attacks. My point was only to show you that there are legitimate sites with vulnerabilities and some of them even get taken advantage of.
I like to think my level of common sense steers me away from them, and even if I venture to them sometimes, I've probably got enough in-built security to avert anything malicious. Failing that, I can instantly, in a calm, cool and collected manner, restore a recent image and all is "good and nice" again. Clearly, there seem to be two prevailing trains of thought on this type of matter: either one is deeply concerned and almost constantly worried that something bad will happen to them, because they buy too much into all the FUD circulating around the 'net; or one approaches it in a calm and confident manner, knowing that very likely nothing bad will happen to them, and if it somehow does, the results will be inconsequential because they have prepared themselves in such a manner as to significantly mitigate the damage that could be done in such an unlikely (for them) event.
Seems to me this whole topic is a never-ending circle of pipe dreams... Only an OS that fully controls everything can be secure for everyone. As long as you have the choice to use 3rd-party software or modify the system to your liking... as long as you have the ABILITY to have root... you are subject to the problems prevalent today. If you continue to exercise your right to root, and you don't have some form of education, then problems will ensue. No getting around that, only a matter of time in today's networked world. Sul.
The way I see it, a user turns off their security when their security bugs them or they no longer trust that security. So if a system doesn't bug the user, and a system stays silent and without false positives (or maintains a system that ensures false-positive tolerance), there is no reason for the OS to control anything, and there should be no situation in which the user is successfully infected.
If they're properly educated, they'll choose the right security, including one they can trust. But I thought you had always maintained that it's the O/S that should be responsible for security??
My point is that any program currently available will either not provide adequate security by default, or will at some point give the user a reason not to trust it, or will simply be too high-maintenance/bug them. I meant in terms of a walled-garden approach, which is what I believe Sully was referring to.
Looking a bit further, the official Garmin website Support page - http://www.garmin.com/us/support - renders no problems, as opposed to the one listed in the XSS site list.
Don't ask me! I only posted the link that linked to that link =p It's possible that what you saw was that site with the code in the URL bar necessary for the XSS attack. That's what I would assume, but I don't have what you put in your URL. Either way, hacked sites happen every day. Sophos puts 80% of malicious sites as being hacked. I have once again forgotten to read that report! I'm going to try to download it now.
That's okay, I believe the XSS occurred, and that, with what little I know about XSS exploits, they redirect one to a different, but similar looking, malicious URL.
Yeah, either a redirect or they had some script running on the page (or would have if IE hadn't stepped in.) My point was to illustrate that all sorts of sites have vulnerabilities. It would not be too insane an idea to believe that a site that you may very well visit and trust could at some point be compromised.
I know a lot of people frown upon YouTube links, but in my efforts to gain some info on it, the following seems to explain XSS very nicely... http://www.youtube.com/watch?v=foTEOsJuR4c&feature=related
You're welcome! I hope it helps. It sure helped me gain a far better understanding of XSS than what I had. I had no idea cookies were involved, and no re-direction, as I had thought, is involved either.
It is not a necessity per se but it may help to improve the state of security. I'd recommend "user education" but to depend solely on it for security is a no-go for me...
If his primary job is working with computers, I would say yes. When I go to the doctor, I show the doctor where it hurts and I expect him to know what is there; I don't expect him to know the solution for the latest unpatched Windows/Linux/Mac security vulnerability.
Well, yeah. If you're an IT guy or something it's obviously beyond necessary - it's their job requirement. I'm asking whether users need to be educated on security/computers for them to stay secure, or, another way to put it: can a complete computer novice be safe?
Knowledge & wisdom are separate things, & hindsight binoculars are difficult to buy on eBay these days. Seriously though, I think it is through experience that most people develop a security awareness online. I was wise enough not to click on any Flash ads in an Eastern European journal site, but not knowledgeable enough to use an adblocker & NoScript when I was burnt by malware on the same site.