Opera 10.10 released

Well said Blue !

 

Car analogies sometimes work, sometimes they don't. Naturally, I use seat belts and have insurance. But I don't consider those things as important as learning to drive safely, because if I drive unsafely enough, neither seat belts nor insurance will save me or anyone who gets in my way when I crash around. When it comes to computer security, I would consider seat belts and insurance to be more analogous to limited user accounts and backups than anything else. And of course, I take backups, and I don't run as admin or root.

I can't really think of what would be a natural car analogy for worrying about malicious parties enabling some features in software installed on your computer. Perhaps it would be something along the lines of installing a limiter on the engine so that even if you got crazy behind the wheel or if the car somehow malfunctioned and the often mentioned pedal got stuck to the metal, you couldn't drive over the highest speed limits in the land. That's not something I would do to my car, because I know I won't feel like speeding myself to death and I aim to keep my car repaired in reasonable working order so that it's very unlikely to malfunction like that. Or perhaps the earlier "thief takes my car and runs down an innocent" would work as an analogy. I wouldn't worry about that either, because I try not to let my car be stolen, and if it is stolen regardless, anything the thief does with it is really not my fault in any way. Of course, that won't make me feel any better if someone gets hurt, but that's life. So, in effect, I am ignoring those things, because I have taken reasonable measures to prevent those things from happening, and there's nothing more that I could do that would protect me or anyone else better without causing intolerably massive inconvenience to me. So, that's one of the usual security vs convenience decisions based on risk analysis. If I was worried enough, I could just sell my car and never drive again, and that would make pretty sure that I wouldn't be sitting behind the wheel during a car accident - and I could sell my computers or disconnect them from all outside networks. But that would be very inconvenient.

Well said, and I agree.

One should remember that installing additional software on a system is always like this: with new software you get new features, but you also get new vulnerabilities and more attack surface, and because of this you need to decide whether you really should be installing that software. Do you need it? Are the risks greater than the benefits the software offers to you? Or is the software so useful that you're willing to accept its vulnerabilities and other security issues? If you are going to install it, then most often measures can be taken to at least partially mitigate the risks involved with the software. ActiveX in IE, for example? You can turn it off in the Internet Zone, if you dislike ActiveX and consider it a great risk. Remote code execution vulnerabilities in a new word processor? Try to remember not to open documents from untrusted sources, and that already saves you from some attacks - but not all.

Secure computing requires a lot of risk analysis and decisions. If you want a system secure in the extreme, one of the first questions should be "Do I even want this system to be able to connect to the great unknown of the Internet?"

Some risks you take, some risks you don't. The choice is always up to you. But whatever you do, obviously it's important in the extreme to not let malicious code or malicious users gain control of the system. And if you can prevent that, then you don't have to worry about what said malicious parties could do with the software that has been installed on your system.

For those who are interested in Opera, weigh the risks and benefits and decide. The risks are reasonably clear, after all: new vulnerabilities are practically certain to be in the Unite code, and it's a web server which are always special cases due to their nature - untrusted remote users can connect to them, by design, and who's to say what those users will try. So, if you are concerned enough about Unite, don't install Opera. If you are confident that you can keep malicious parties from compromising your system or accounts, then simply leave Unite disabled and you don't have to worry about any malicious party enabling it secretly. If you think your system stands a reasonable chance of being compromised, and believe that Unite could be used by the attacker, then you should not install Opera at all, and you should also take measures to lower the chances of your system being compromised.

 

I quote all the post, actually

This is the point. An user can also dont' use the new Opera version with Unite, and to choose another browser. He can also to enable only the port 80 ( and the DNS on 53 ) with the fw to limit " direct " risks from the surfing on the Web.

Then what happens if he is not able or he takes not care to prevent all the kind of existing malwares from to access his system ? As Windchild expained, his system is not protected from many kind of threats: from a downloaded software to a clicked banner, from a hackered web page or site to a whatever malicious code can be hidden in HTML, JPEG images, urls, links...

A multilayer defense, mainly but not only - remember security policies and other - using an HIPS and surfing in sandboxed or virtualized mode are the best protection one can have, with or without Opera.

Anyway, it would be not a bad idea if Opera in the next releases would give the choice if to install or not Unite. It also could reassure many common users that love this great browser.

 

With that i agree! They could make two installers, they could make it an option during install, anyway they like it.

Just for the history, a more "pessimistic" view:

Opera Unite could be security risk say researchers

http://news.techworld.com/security/117784/opera-unite-could-be-security-risk-say-researchers/


Also this is an interesting "surgery" performed on Opera by CoU member weaselthatbites

Personally i prefer not trying it, because i don't know how it would affect stability, etc.

But if there's someone who wants to use Opera 10.10 and doesn't want to have Unite , he may try and see... Cause enabling a "disabled" Unite is only a matter of changing one value on operaprefs.ini.


I stay with FF. I actually did a heads on page by page "contest" between the 2 and FF eats both less CPU and RAM. Opera looks better in the speed dial than the FF addon and the mouse gestures of Opera seem to work better, but it's not as much of a difference.

On a side note, Opera now is in alpha and it seems that in the next release, there will be also a "Twitter" widget.

http://my.opera.com/desktopteam/blog/opera-10-20-goes-alpha

It goes the "Nero way" and i am going the other way.

 

Personally, if I was inclined to such surgery, I would just make sure Unite was disabled in the GUI (Tools menu), and then use opera:config to change the Enable Unite User Prefs setting to off. After that, Unite disappears from the GUI. Then you could just delete the whole Opera\Unite folder and the whole 3 megs of Unite's .ua files along with it. Do that, and I would imagine you couldn't easily turn Unite back on again, since those files would be missing. And if you're a limited user, you couldn't add the files back to the Opera folder, either, without admin credentials. If you also used the system fixed preferences file operaprefs_fixed.ini to force Unite disabled by adding Enable Unite=0 under User Prefs, then turning Unite back on should be a great lot of work indeed for the limited user.

I would also appreciate it if Opera gave more options in their installer so one could choose to not install Unite and/or M2 for example at all. Unfortunately, I see no reason to believe they would do it. They've always been of the "internet suite" mentality, and haven't allowed the user to not install features he doesn't want, only to disable such features. But giving them some feedback about it likely would not hurt. I have personally given up on trying, though, since I've been requesting more installation options for about eight years and it hasn't worked.

 

Yes, I'm so glad there is someone who will always come along at just the right time, and pontifically make an interesting debate turn into pablum.

Eice wasn't nice so his posts are no dice and ...blue agrees with windy... & windy returns the favor by agreeing with blue... and everyone agrees with everyone... and seldom is heard a discouraging word, and the skies are not cloudy all day.

In the meantime, Opera is a growing bloat with increasingly unsecure holiness. And so, in the spirit of A versus B, I choose K-meleon.

 

If only k-meleon by default would do a little bit of tweaking to the UI.

I can set it up to be how I want, but by default, not so pretty.

 

It's called reality. If that appears an unseemly intrusion, so be it.

Blue

 

Seat belts save lives. Insurance mitigates the financial consequences of accidents. The critical flaw in your thinking remains that you still believe they're intended to replace safe driving. And blinded by this you ramble on and on about how important prevention is. Dude, we get it. Despite what you may think, I doubt any of us here are idiots who need you to ramble on and on for pages preaching your masses-enlightening sermon - which turns out to be nothing but the blatantly obvious.

What you still don't get is that mitigation strategies matter. This is just a suggestion, but you might want to stop the exercise in hypocrisy and confusion by extolling the politically-correct stance that running unneeded web server software affects security - and then in the very same post turning around and making long-winded arguments how they DON'T affect security and why one shouldn't concern oneself about them.

 

Except that I don't at all believe that seat belts are intended to replace safe driving, and so that particular critical flaw exists only in your vivid imagination. I simply believe that it's worth emphasizing safe driving, because prevention is extraordinarily important, more important even than seat belts, which are rather reactive in nature and may save your life only after you're already in trouble, not keep you out of trouble in the first place. And in spite of how obvious it may be, some people are having trouble remembering the special importance of prevention. I meet people like that practically every day: people who are all concentrated on reacting to something unpleasant that happened instead of preventing it from happening. And if you do your best to drive safely and to keep intruders out of your car, you don't have to worry much about someone sneaking into your car to clandestinely cut your seat belts or something.

Obviously mitigation matters, and I've posted about mitigation for various security issues many times. In fact, even in this thread. Actually, in my previous post, I wrote a couple of quick things that I would imagine could help make enabling Unite harder for any malicious party, therefore somewhat mitigating the issue. And not running as root, which is something I always babble about? That's a pretty effective and common mitigation strategy for many issues - keeping malicious parties from getting complete control over the system. If you're seriously claiming that I don't understand the importance of mitigation, then you're simply delightfully silly.

There is no hypocrisy or politically correct stance here. This is just a friendly suggestion: show me where I've claimed that running web server software does not affect security - use the forum quote function, it's quite nice for quoting what others have said - and if you can't find where I clearly said that, then you could kindly consider stopping your babbling about it. And if the best you can find is something that you think "implies" there is no security impact, then perhaps you need to consider the possibility that you're intentionally or accidentally not quite understanding what the words say, and could read them again in proper context.

If you run web server software, it affects your security. Any software you run affects your security, in its own way. Running some text editor obviously has different security impact than running a web server that remote users can connect to. If you have web server software installed but not running, that is vastly different from having the server actually running, however. Keep malicious parties off your system, and malicious parties won't be enabling that web server, and you won't have to worry about that. Obvious, sure, but some people have a natural gift of missing what is obvious and even easy. If you can't keep malicious parties off your system, then you surely have more problems than Unite being turned on, and you need to concern yourself with those problems as well - in fact, especially those problems, since those problems are already out there in droves whereas there does not yet seem to be a great epidemic of malware enabling Unite. Once again, if you don't want web server software, you should not install it - I've said this multiple times, and I'm sure you're smart enough to realize it for yourself. If you really don't want Unite, don't install Opera. If you're not concerned about yourself, but about other users, then advise them not to install Opera either. This shouldn't be very hard. After all, Opera is not difficult to uninstall, and most systems do not come with Opera pre-installed.

I don't see anything hypocritical or confused about being a realist, and keeping things in a practical perspective. The practical perspective would be different if keeping malware off a system was difficult, but it's not difficult. Even many quite ignorant users can be taught how to do it with reasonable success.

 

Claiming to be misunderstood is certainly always a convenient excuse, especially when actually one is understood far better than one would like to be.

Out of curiosity, what, then, is this "proper" context with which to view your string of arguments where you continuously claim it doesn't matter whether Unite is present or not? Please do tell.

 

The good thing to come out of this, and articles focussing on security and new updates to Opera, is hopefully the company understands the importance of having optional downloads. Opera + Unite, and Opera on its own.

I can see why they've done it, hovering around a few per cent of the browser market you've obviously got to try something new, something the facebook and twitter loving users of the world might see value in.

 

Show me where I have claimed it does not matter for security whether Unite is present or not. Use the quote function, please. If you won't or can't do that, maybe that tells people something. I've requested this of you multiple times, but you refuse to do it. That puzzles me, because if I had "continuously" claimed that it doesn't matter at all for your system's security whether Unite is present or not, one might expect it would be easy to just quote even one sentence where I actually claimed that. Certainly it shouldn't take much more of your time than writing about crackpots and convenient excuses and making other such puerile wisecracks.

Again, I have not said that it doesn't matter for your system's security whether Unite is present or not. What I have said over and over again is that if you allow malicious parties to compromise your system to the extent that they can enable Unite or are able to change other settings without your permission, then you have serious problems in any case, even if Unite is not installed. This is clearly not saying that Unite does not matter. It's saying that if you remove Unite, you still have problems if your system is compromised - you don't have the problem of malware enabling Unite already installed on your system, but all other problems remain as big as ever. So, removing Unite, while improving your security, does not remove all the other problems that you still need to tackle. If Unite is installed, malicious parties could use it, if they so desire. But if Unite is not installed, malicious parties can still use any other things on the system, if they so desire, or install whatever they want the same way the original malware was installed, or using other methods such as BITS. Knowing this, I suggest that the main problem to worry about is the compromise itself, preventing it from happening, instead of concentrating on settings the malicious party could change once it has gained access to your system or what features it could enable. I feel this way simply because if we go the route that we assume the system is already compromised or can easily be compromised and start worrying what software pre-installed on the system could be used for evil, we end up in a situation where most likely large amounts of software that we have a legit need for has features that could be used for malicious activity, from deleting your files to uploading some of the more sensitive information to the attacker's server. We most likely can't remove all of that software without making the system largely useless to us. And even if we could, that would still leave the system compromised. Therefore, another solution must be found. The obvious solution is working to prevent malicious parties from compromising the system, so that they can't use pre-installed software for malicious activity. Making a system reasonably secure against compromise, I submit, is easier than removing any and all such software from the system that could be used maliciously if the system was compromised.

Another thing that I've constantly said is that more code, new code, means more vulnerabilities, new vulnerabilities. Therefore, do not install software you do not need. If you do not need a web server and don't want it, don't install a web server, even as a part of some browser. If you can't go without this browser that comes with a web server built into it, but can make reasonably sure your system won't be compromised by malicious parties, then you need not worry much about said parties enabling the web server, because they won't have enough access to your system to enable it. You will have other things more worth worrying about, like keeping all the software patched. On the other hand, if you can't make your system reasonably secure against compromise, then you're likely to end up in trouble in any case, whether or not you have Unite installed. You can remove Unite in such a case, and that would indeed make a difference, as it would prevent the attacker from enabling Unite already pre-installed on your system - unfortunately it would not prevent the attacker from installing Unite himself if he was so inclined.

So, that proper context you wanted to know of? The context is exactly this: if your system is compromised, whether or not Unite is installed is not the big issue - the big issue is the actual compromise. It doesn't make that much sense to worry about Unite being enabled by attackers, when there are easy and reasonably effective solutions to the issue: 1) Remove Opera, and Unite won't be on your system unless someone else installs it after gaining access. That should solve the problem, no? 2) If you can't remove Opera, then make reasonably sure that malicious parties can't gain access to the system, and chances are they won't enable Unite, since they don't have access. This is pretty good, too, and what I suggest for those who love Opera as a browser. Those people can also try to hack Unite out: opera:config / User Prefs / disable the Enable Unite setting, or you can put that in the system fixed ini file to apply it to all users at once. You can delete Unite's .ua files. That should make enabling Unite at least a bit more difficult, I would imagine.

What is not a solution is: 3) Blame people who point out these painfully obvious options as solutions to your problem with Unite for being crackpots and politically correct hypocrite ignoramuses.

But hey, life is all about choice. Your choice. I don't believe a smart poster such as yourself would honestly have a problem understanding all this. It's more likely, I suspect, to be a case of wanting to be confrontational, which is something your consistently rude choice of words implies.

Let me put it this way: I would be extremely surprised if Opera gave in and released an installer without Unite, or modified their current "all-in-one" installers with an option not to install Unite at all. They are pretty set in their ways, Opera, I mean.

 

If you dont like bloat then don't look at the new 10.20 alpha. They are now focussing on the widgets.
http://my.opera.com/desktopteam/blog/opera-10-20-goes-alpha
Would be nice to have a Opera Lite without all this. I dont need their e-mail, unite and widgets.

 

Oh, really? So even though you claim that you're of the stand that Unite matters for security purposes and that mitigation is important, you ramble on for pages and pages and paaaaaaages arguing against people who're saying exactly that as well?

Doesn't it seem kind of, oh I don't know, just a little bit strange for you to continuously rebut people who are advocating the positions you're supposedly standing for? Isn't it a wee lil' bit funny that people who are voicing opinions that you purportedly agree with can't do it without pages' worth of opposition from you? And you get all hot and flustered and accuse people of being rude and confrontational when, surprise surprise, you get pointed out as a hypocrite grandstanding for political correctness. Oh dear.

I'm sorry that it offends you, but I'm the kind of person who calls a spade a spade.

 

So in other words, you couldn't quote where I said Unite doesn't matter for security. Thank you.

What I've been arguing is quite simple: 1) Secure your system so it isn't compromised, and you don't have much cause for worrying over anything that has compromised your system enabling Unite secretly. 2) If you either think you can't protect your system from compromise or think that you can but still would prefer to do away with Unite for reasons of security, then simply uninstall Opera and Unite will not be on the system to be secretly enabled by malware.

I haven't been arguing against these things. I've been arguing for them. What I've been arguing against is the idea that malware enabling Unite that has been pre-installed on your system is somehow a large issue or an issue difficult to solve. It's neither. You can make it a non-issue by uninstalling Opera. You can make it a non-issue by not letting malware gain control of your system.

I'm not so much offended as amused. And as far as hot and flustered, I'm not the one who's been typing in all caps and editing their posts to remove insults they felt compelled to use. But hey, that is all about perspective, too. Maybe in someone's eyes, that kind of stuff is calm and rational and calling spade a spade, instead of being, I don't know, hot and flustered.

 

In other words - focus on prevention, and don't worry about mitigation.

And why is that? Because once you get infected the bad guys can do all sorts of things regardless of whether Unite is present or not. Hence Unite doesn't matter.

Would you care to deny that those were what you've been tirelessly exhorting? That mitigation doesn't matter, that Unite doesn't matter?

It may be a bit disingenuous of you to try to disown your previous arguments simply because I can't be bothered scouring your yawn-inducing pages of boredom looking for the specific words you're asking for. I may have skipped over those whole chunks of utter irrelevance, and you may try to play the "I'm being misunderstood!" card, but that doesn't necessarily mean I didn't grasp the crux of your argument.

And I daresay you'll find that nobody has expressed those ideas to necessitate your to jumping out and correcting them. Perhaps in your zeal to preach your sermon you've been imagining things when people were expressing perfectly legitimate concerns, and having created this objective for yourself promptly used it as your excuse to launch into lengthy lectures expounding the blatantly obvious.

You're right; this is amusing. At this point, it would seem that I've been wasting time on a quixotic crusader campaigning vigorously against his fictitious foes.

 

No. There was a #2 that you didn't quote, and that's quite important, really. Context, and all. Focus on prevention as a priority, and worry about mitigation after you've taken reasonable measures to prevent problems. It's not an either-or choice. You can both attempt to prevent problems and mitigate their unwanted effects. And you should. You don't have to choose one over the other. But, it may be useful for you to spend some more effort on prevention than on mitigation, seeing how prevention can prevent a problem from occurring at all, when it works. Personally, I certainly prioritize preventing problems over mitigating them. It's a little like how I would treat my family as compared to how I treat my co-workers. I value both, but I spend more of my time on my family, because I value my family more. After taking measures in prevention, you may even realize that you are pleased with the current state of your security, and need not take any particular measure to mitigate, say, Unite being enabled secretly. If you realize you're still not pleased, then it's a good time to get working on those mitigating measures. This should not be too complex to grasp.

Oh, Unite matters. The obvious problem is, many other things matter, too. And once you've taken care of your issues with Unite, you still have those other things to worry about. Therefore I find it reasonably smart to not worry too much about Unite, when it's easy to uninstall Opera and Unite along with it, and when there are many other unpleasant things that an attacker could do after compromising your system that removing Unite would not address. Deal with your issues with Unite - such as by uninstalling it - and then get back to the big issue of preventing malicious parties from compromising your system. That is to say, if you've got to worry, worry more about the big issues, and deal quickly with the small ones that can be quickly solved (uninstalling Opera doesn't take much time).

Yes, I would care to deny it, and just did. Mitigation matters, Unite matters. Obviously. All software matters. But, there's always the big picture. Removing Unite removes one problem - attacks against or using Unite that has been pre-installed on the system - and leaves you with tons of other problems. So just deal with Unite quickly, since you can, and then get to dealing with those other problems that perhaps cannot be dealt with simply by uninstalling one piece of software. Like malware infections in general. Preventing those may take more work than clicking the Uninstall button, but would also offer greater improvements to your security, so why not start right away, now that you've had time to deal with Unite? A car analogy? Big problem - small problem. Thieves got inside your car and just got the engine running and are free to do what they please - system compromised. Thieves get out just to break the driver's side window - Unite being enabled by malware after system compromise. Sure, neither is nice. But you've got to admit that even if you could prevent them from breaking the window, you would still have some pretty big issues to deal with, so the window can hardly be priority number 1.

Or it may be that you're too quick to make wisecracks and too lazy to read what has been written. I'm not disowning any of my arguments. You're just pretty much setting up some straw men in place of what I've actually stated, and then getting up on a high horse about how those arguments of mine that you just fabricated are soooooo silly and below any intelligent reader.

I didn't jump in to correct anyone in particular. I saw a discussion on Unite and its security impact, and stated my thoughts on it, in short, pretty much: "Obviously to take advantage of Unite the attacker has to gain access to your system. If he does, there are many more things to worry about than just Unite being enabled. There's not too much chance we'll see widespread malware enabling Unite secretly. Therefore, not too much reason to worry about Unite in particular. It's an issue quickly solved - just delete it if you don't want it. The big problem is allowing your system to be compromised in the first place. Worry about that, and when you've dealt with that problem, the problem of Unite being abused by attackers will become practically a non-issue, since it probably will not be easy to enable Unite without compromising the system."

Now, when I joined this forum, I didn't see any forum rules that dictate that
1. you must never post what is obvious to some people (if there was a universal rule like this, there wouldn't be many posts in most Windows security forums) and
2. even if it concerns the subject of the thread, you must never post anything that isn't a direct reply to an argument or statement by another poster.
If I had seen rules like that, I wouldn't have bothered to mention that malware enabling Unite isn't a big reason to worry for someone with enough brains (and not much is required) to keep the malware out in the first place. There are people reading threads here who aren't posting in them. Some of them may even occasionally benefit from someone stating the obvious, whether the obvious is some OS' non-immunity to malware or something like this subject here.

Well, I didn't think you'd bother to write all of that, complete with quixotic hypocrite crusaders and all, if it didn't amuse you in some way. I surely wouldn't. But as far as being quixotic is concerned, I do think that prevention is pretty practical, certainly much more practical than removing all software that could be used maliciously by someone who has gained access to your system. And I don't think any time that was spent being amused could be time wasted.

 

Well if that's the direction that Opera is going, I won't be holding my breath for a "slim" version.
That's the end of Opera for me.
There are a lot of alternatives that aren't bloated.

 

The last few versions of Opera have slowed down my browsing considerably.
So no worries here whether or not unite is a security risk as I've decided to give Firefox another go and so far its been a lot faster with no problems loading some sites as Opera was having problems quite often. Maybe Opera will release a version in the future that works well here again, with the option to do a custom install would be nice.

 

Some things i don't get with Opera. Javascript is slow compared to Firefox. I dont need it often but the times i need JS its a pain. Also gmail is/was always slow with Opera. They could make improvements in this area... But nothing. Seems to me Opera is always trying to be "that" exotic browser for advanced users.

 

No slowdown here with the latest build,its just a bit faster.
I like the way Opera is essentially a '' pluginless '' browser.
In my days with FF all these plugins brought FF to a crawl,its not my hobby to fiddle with these things,i just want info fast and straight from the Web.

 

I know people are comparing FF and Opera, but for those interested that want a quick browser, the following guy makes a lean portable google chrome version, probably quickest browser I've tried:

http://planet-chrome.de/

 

There is also Chrome Plus that's linked in a previous thread.
It's similar to SRware Iron.