Chunky by FelipeFS
GPWiki.org
All times are UTC
PostPosted: Tue Jan 15, 2013 9:33 pm 
Bibliotherapist

Joined: Wed Nov 03, 2004 1:28 pm
Posts: 7109
Location: Wilts, Englandshire
Even with two new versions in two months, Oracle are failing to secure Java. Unless you have a compelling requirement for Java in your browser, turn those browser plug-ins off today.
http://www.theregister.co.uk/2013/01/15 ... _browsers/
http://www.infoworld.com/t/web-browsers ... ers-210882
http://www.telegraph.co.uk/technology/n ... -Java.html
I only use Java in a browser for the Web Admin of GPWiki. That's getting binned in favour of more SSH command line-fu.

_________________
10 PRINT "Bad Monkey ";
20 GOTO 10

PostPosted: Wed Jan 16, 2013 6:02 pm 
BANNED

Joined: Sun Jun 24, 2012 12:49 am
Posts: 504
Keep spreading the word! :thumbs

PostPosted: Sat Jan 19, 2013 8:10 am 
Bibliotherapist

Joined: Wed Nov 03, 2004 1:28 pm
Posts: 7109
Location: Wilts, Englandshire
Looks like JRE1.7u11 has been broken after less than a week.
http://www.infoworld.com/d/security/res ... -11-211150
I haven't even finished testing my roll out of the u11 patch and it's already compromised. :rolleyes

PostPosted: Sat Jan 19, 2013 8:57 am 
Prime Example

Joined: Wed Jun 20, 2012 4:03 am
Posts: 39
Well, let's not overreact; just go back to Java 1.6. There is no reason at all for running Java 1.7, and 1.6 is not affected by the security issues.

I wonder why this Java thing makes such big waves, while everyone still uses Adobe Flash and Adobe Reader, which have such security issues all the time and were actively used by hackers to do really bad stuff that affected the whole internet's security, like hacking certificate authorities by sending them 'funny must-see flash videos'.

BTW: There are two big security things that I can just recommend for everyone:

A) When just browsing the web, I use lynx over an SSH connection; for reading mail, mutt over SSH... If you do this too, you have already eliminated most of the security issues (unfortunately there are sites, like forums ;-), that aren't really fun to use with lynx, elinks, or w3m).

B) Use QuickJava, and Flashblock if you need Flash, if you run Firefox; that way you can leave stuff that is known for security issues - like Java, Flash, Silverlight - off until you really need it.

_________________
My projects: Gamvas Web - html5 canvas game framework| sge2d - C/C++ 2D SDL game framework

PostPosted: Sat Jan 19, 2013 10:45 am 
Bibliotherapist

Joined: Wed Nov 03, 2004 1:28 pm
Posts: 7109
Location: Wilts, Englandshire
I've been packaging and deploying Adobe patches too. Reader and Flash have both had two updates in the last month or so. Thing is, they roll out without too much drama. Java on the other hand is a complete pain.

Interesting comment about 1.6. At work we base our updates on guidance from a range of CERTs and 1.6 has been a no-no for a good while. While it isn't vulnerable to the sandbox exploit, it has had plenty of other issues and goes out of support next month. We have apps that depend on specific older versions and it's a big risk to support those.

I guess the biggest thing for me is that 99% of the malware our protection system has caught recently has been Java based. Quite a bit of it has been 0-day stuff and all of it has been delivered in a drive-by manner from compromised sites. I'm looking at whitelisting the sites that NEED the browser plugin. So far the list is quite short.

PostPosted: Sat Jan 19, 2013 11:16 am 
Prime Example

Joined: Wed Jun 20, 2012 4:03 am
Posts: 39
What was before does not matter; at the moment, if you need Java, 1.6 is the best choice. Working as a security specialist for - I think the biggest, but at least one of the biggest - technology companies in Germany, I cannot really confirm your 99% Java-based malware, but I guess that's a matter of what customers you deal with. Anyway, Flash is and was the bigger security issue out there, and I think it will remain so until it's gone, which is hopefully soon.

Nobody ever made such a fuss about Flash security holes, maybe just because there are so many. It's like with, let's say, terrorist attacks: on 9/11 it was big news and the whole world made week-long special reports; nowadays every day people get bombed away in Baghdad or so and nobody cares anymore. I think this is the same case here with Java vs. Flash ;-)

PostPosted: Sat Jan 19, 2013 11:01 pm 
BANNED

Joined: Sun Jun 24, 2012 12:49 am
Posts: 504
Opinions up for grabs: Oracle is lame and Java is lame. Oh yeah and PHP, SQL, Javascript, Adobe, the W3C, Google, Microsoft, Apple... Who else? I let my scourge of pie be known!

PostPosted: Sun Jan 20, 2013 8:34 am 
Bibliotherapist

Joined: Wed Nov 03, 2004 1:28 pm
Posts: 7109
Location: Wilts, Englandshire
I agree, Flash is a problem too. However, you can turn off Flash in most workplaces and there will be little or no effect, apart from people's break-time surfing.

A large part of our work is defence contracts, the systems are heavily locked down and the security requirements are often dictated to us. On the other hand, we also have some education contracts where regular malware infection and downtime are seen as the norm due to the nature of the end user.

My point is, the browser plug-in simply isn't required for most people's day-to-day work. Some internal systems need older 1.6 plugins (and IE6 :x) and the sales guys use WebEx, but they can be white listed. I don't see a need to allow the wider Internet to have the plugin enabled.

PostPosted: Sun Jan 20, 2013 5:16 pm 
Prime Example

Joined: Wed Jun 20, 2012 4:03 am
Posts: 39
Pieman wrote:
Opinions up for grabs: Oracle is lame and Java is lame. Oh yeah and PHP, SQL, Javascript, Adobe, the W3C, Google, Microsoft, Apple... Who else?


In your totally unrelated list of companies, programming languages, technologies, standards and committees, you definitely forgot Linux :lol

PostPosted: Mon Jan 21, 2013 1:30 am 
Bibliotherapist

Joined: Wed Nov 03, 2004 1:28 pm
Posts: 7109
Location: Wilts, Englandshire
And Nintendo, they suck too. :evil

PostPosted: Mon Jan 21, 2013 3:23 am 
BANNED

Joined: Sun Jun 24, 2012 12:49 am
Posts: 504
I agree with both of you, but you've got to give Linux a small thumbs up for being free software (as GNU defines it). Unfortunately, GNU thinks they define what free software means, and so again, they're yet another who suck!

Poor UDI. Killed off as a young creature by a man who I would rather find eating pizzas than exceptional standards. Richard Stallman, someday you will pay with proprietary-ness! Site of the crime: http://gnu.org/philosophy/udi.html

There's talk of doors and locks at the end... Yep. That's not free. You totalitarian bastard!!!! WTF!?

PostPosted: Fri Jan 25, 2013 12:16 am 
Harmlessness does no harm

Joined: Tue Sep 14, 2004 8:37 pm
Posts: 3949
Location: Ferriday, LA, US
Best answer: Everything sucks. Get used to it, Buttercup. :)

_________________
Wear your sorrows with a smile!

PostPosted: Fri Jan 25, 2013 3:10 am 
BANNED

Joined: Sun Jun 24, 2012 12:49 am
Posts: 504
I nominate that as the best answer.
Oh, and I see that you also identify me as a buttercup. My deliciousness is never underestimated. :spin

-Pie Man
