Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Firefox addons sandboxing
Page 2 of 2 [22 Posts]   Goto page: Previous 1, 2
Moat


Joined: 16 Jul 2013
Posts: 766
Location: Mid-mitten, USA

PostPosted: Fri 28 Jul 2017, 13:51    Post subject:  

"...it makes browsing the web a bearable experience."

+2. Browsing without such addons these days is damn near impossible, it seems. Senseless and maddening out-of-control, page-embedded adware that brings my hardware to its knees!!

Me, I can't find the need to worry much about these kinds of FUD reports - the level of risk is "proof in the pudding" as they say, and I know of no one - personally or otherwise - that has been pwnd by such "discovered" vulnerabilities. As far as I have been able to suss, any OS and its applications' code is literally filled with innumerable potential vulnerabilities - it's the nature of complex code. The real issue is if these vulnerabilities are actually being exploited in the wild, in the real world, and which ones they are, in particular.

But what I see is generally nada.

An example is the latest Chromium release - they've reported 40 vulnerabilities fixed since the last release, just 7 weeks earlier. How many of us have actually been affected by those 40?? Or ran across someone who has (without specifically searching for examples, BTW...)?? And how many (dozens? hundreds? thousands?) still exist... or are being added as development continues?

Meh. Wink

And of course Mozilla/Firefox jumps right in touting these examples as powerful reasons to support its (terrible!) decision to dump its old addon API/support - which its user and dev community is up in arms about. How lame! Rolling Eyes When the truth is, it's pretty damn rare, and not really much of an issue at all, as far as what I've observed. Again, just FUD - IMHO.

Bob
belham2

Joined: 15 Aug 2016
Posts: 1301

PostPosted: Fri 28 Jul 2017, 16:00    Post subject:  

The ostrich syndrome is strong and powerful here, especially the over-prevalent belief that NIMBY exists.

In the past 15 years, the fin'l information of over 42 million bank accounts has been misappropriated around the world (various estimates, despite banks worldwide still trying to quiet this stuff, put it in the neighborhood of nearly $20 billion (not million or hundreds of millions) but 20 effing billion lost over the past years since this fin'l attacks stuff started in earnest). In the U.S. alone, the latest figures out of banking circles say the number has crested 13 million in total.

3 of the top 4 banking viruses (Zbot a.k.a Zeus, Carberp, Spyeye & the bastard Citadel) of the past several years all, as one of their infection routes, came in through the browser. If you don't think that crooks are looking at the numerous holes in the worldwide browser add-on ecosystem, and at the blind, ostrich-like trust that browser users put into these add-ons, then whatever happens almost becomes deserved to that user given the level of knowledge about what is actually happening in the wild. "I didn't know...." is no longer going to be tolerated, nor should it.

In fact, I personally know both Citicorp and JPMorgan are entertaining ideas that if a person's fin'l info gets pwned through the browser, and they upon investigation definitely determine it was the browser as the vector, and Citi/JPM find that the browser used is/was loaded with 3rd party add-ons, they are going to fight that person/customer in court in terms of liability. It already happened to a small business person (a woman) in Michigan. She lost over $5 million.

Please do yourself a favor, allow yourself to feel just a little hesitation and/or alarm and do the necessary legwork (research) to find out what is going on.

Something seems lost in these overall comments, because there is no disagreement that for general browsing these add-ons are sometimes a must because of the wild-west mentality of javascript on many websites. But when it comes to sensitive info of any kind on your part, for you, your family, on the worldwide web, stay as far away from browser add-ons as you can, and furthermore, when accessing sensitive info stay away from the general OS system you cruise the web with when using these add-ons (and whatever else you do). Just go pristine, always, and whatever you do.

In other words, increase your "digital entropy" (hopefully, it is understood what this means).
Moat


Joined: 16 Jul 2013
Posts: 766
Location: Mid-mitten, USA

PostPosted: Fri 28 Jul 2017, 19:16    Post subject:  

belham2 wrote:
Please do yourself a favor, allow yourself to feel just a little hesitation and/or alarm and do the necessary legwork (research) to find out what is going on.


I'm plenty well aware that this stuff is going on, Belham2... no question, there. It's downright frightening if you focus on it ( Shocked !!!). But in the bigger picture of that knowledge, mixed with my own, long personal observations of it actually happening - actually affecting the lives of those many dozens (hundreds?) of good friends/family around me (the vast majority of whom have little-to-no technical knowledge when it comes to computing - and I do tend to rib 'em about it... Smile )... it just simply doesn't happen to any substantially disruptive frequency or degree. Sure - a couple of Yahoo! email accounts hacked, a false credit card charge on rare occasion... that's about it, all I've ever experienced first-hand amongst these folks.

The businesses involved understand this about the "average users", and know that the responsibility of securing their services cannot reliably rest on the backs of their end-users - thus the existence of a substantial security industry. To a major degree, it's their job... literally.

It's one of those risk vs. rewards things, is all I'm saying. Much like crime, terrorism, accidents while driving, tornadoes and earthquakes - you apply a modicum of knowledge-backed diligence in taking reasonable precautions, and otherwise just get on with things without worrying about it too much.

Life itself is riddled with countless risks - it'd quickly get downright un-fun and not worth it if one were to even begin an attempt at rigorously addressing 'em all (and given the natural complexity of computers... that's a whole bunch, all by itself!). That's all this ostrich means to say... Razz

BTW, both Firefox and Palemoon have the feature to open an instance of the browser with all extensions disabled (under the "Help" menu)... this particular vulnerability thusly being a complete non-issue.

All IMHO, of course.

Bob
Moat


Joined: 16 Jul 2013
Posts: 766
Location: Mid-mitten, USA

PostPosted: Fri 28 Jul 2017, 20:32    Post subject:  

belham2 wrote:
It already happened to a small business person (a woman) in Michigan. She lost over $5 million.


p.s. - Any link to info on that? I'd like to read up on it... thanks.

Bob
rufwoof

Joined: 24 Feb 2014
Posts: 2163

PostPosted: Sat 29 Jul 2017, 09:41    Post subject:  

Moat wrote:
BTW, both Firefox and Palemoon have the feature to open an instance of the browser with all extensions disabled (under the "Help" menu)... this particular vulnerability thusly being a complete non-issue

Never noticed that.

I do like noscript, but only install any extensions in a browser running under a restricted userid (rbash, no su or sudo, contained by folder permissions ...etc) i.e. in effect sandboxed. I would have thought that installing an extension, especially within a root account, compromises the system, little different to running any other dubious program/thing. For online banking I do use a higher privileged userid and a clean version of the browser with nothing else added in. I like pure Debian (main repositories only) for that type of reason (other than via Debian, the only other way in is via the browser or open ports ... and I have nearly all ports turned off (or running under low privileges), along with multiple layers of firewalls (PC, router, cable modem)).

I suspect a lot of bank frauding goes on and likely banks will increasingly look to potentially side-step claims/compensations rather than simply paying up, perhaps by citing insecure or inappropriate (outdated system/browser) usage by the claimants.
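The setup rufwoof describes above (a dedicated account with a restricted shell, no su/sudo, and a private home directory) is only as good as its configuration, so here is an added example of a small POSIX sh audit for such an account. This is not code from the thread or from any poster; the account name `webuser` and the passwd/group lines are constructed sample data, and the checks are run against those samples rather than the live system.

```shell
#!/bin/sh
# Added example: audit whether a "browser-only" account is actually locked down.
# The passwd/group data below is CONSTRUCTED sample data, not from any real box.
# webuser is configured as described in the thread; webuser2 is a misconfigured twin.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:Bob:/home/bob:/bin/bash
webuser:x:1001:1001:Browser only:/home/webuser:/bin/rbash
webuser2:x:1002:1002:Browser misconfigured:/home/webuser2:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:bob,webuser2
wheel:x:10:bob
webuser:x:1001:
webuser2:x:1002:'

# user_shell NAME -> prints the login shell recorded for NAME (empty if unknown)
user_shell() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# in_admin_group NAME -> exit 0 if NAME is listed in the sudo or wheel group
in_admin_group() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
        ($1 == "sudo" || $1 == "wheel") {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# home_is_private DIR -> exit 0 if DIR grants no group/other permission bits
# (checks a real directory; the thread's "contained by folder permissions")
home_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_browser_user NAME -> prints findings; returns 0 only if every check passes,
# 1 on a weak setting, 2 if the account does not exist
audit_browser_user() {
    u=$1
    ok=0
    shell=$(user_shell "$u")
    case "$shell" in
        */rbash) ;;                                   # restricted shell: as intended
        "")      echo "$u: no such user"; return 2 ;;
        *)       echo "$u: login shell is $shell, expected rbash"; ok=1 ;;
    esac
    if in_admin_group "$u"; then
        echo "$u: member of sudo/wheel, can escalate privileges"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "$u: restricted (rbash, no admin group membership)"
    return "$ok"
}

# Stand-alone run: audit both sample accounts.
audit_browser_user webuser
audit_browser_user webuser2
```

Pointing `user_shell` and `in_admin_group` at the real `/etc/passwd` and `/etc/group` instead of the embedded samples turns this into a quick post-setup check; `home_is_private` is meant to be run on the account's actual home directory (expect `drwx------`). Note that a restricted shell alone does not stop a program launched from it, so the browser's own profile directory permissions matter just as much as the login shell.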
8Geee


Joined: 12 May 2008
Posts: 1252
Location: N.E. USA

PostPosted: Sat 29 Jul 2017, 14:38    Post subject:  

That last paragraph seems very relevant here. Even with paper checks and monthly paper statements, the bank can get hacked, or any store you might go to gets hacked. One's own personal security is minuscule compared to a bank or store that retains things electronically.

Basically, all it takes is a skimmer at a gas station, or a hack at the local store. And I note the "third-party agreements" with data collection/storage at many large entities, banks included.

No one wants to be responsible for what is inherently by design insecure.

JM2% interest
8Geee

_________________
Linux user #498913
rufwoof

Joined: 24 Feb 2014
Posts: 2163

PostPosted: Sat 29 Jul 2017, 15:57    Post subject:  

Quote:
No one wants to be responsible for what is inherently by design insecure.

From a total outsider perspective here in the UK it seems that the policy is to accept the cost of many small losses (to the bank) for the flexibility and service (revenues) that opens up. i.e. skimmed by brushing past with a scanner or petrol station skimming ..etc. for £100 type amounts taken/claimed ... for the 2% type payment/revenue on all spending/usage.

For larger amounts, such as stock brokerage accounts, my personal experience is that anything over £5K and more often transfers don't go automatically through and you have to start phoning around to complete the transfer. Those accounts also tend to be to/from named/fixed accounts, such that even if my stock brokerage account was hacked into, the only place a transfer of funds can be made to is a fixed other account (at least without having to jump through hoops i.e. direct person to person contact and vetting processes to get that changed).

As you say, individuals are a very small part of the whole and are dwarfed by retail/business banking volumes/revenues. From a criminal's perspective it's likely much more viable to walk up/down say Oxford Street with a scanner and capture hundreds of card payment transfers for relatively small amounts being taken from each, which the banks tend to individually overlook, than it would be to hack individual PCs. Paths of least resistance, least footprint left. Or, for the high end 'take', target/hack the main servers and strive to eradicate trace-back ... akin to physically robbing a bank i.e. few/far between, much more evidence left to be traced/caught in return for potential higher one-off rewards.

Much of the news about PC vulnerabilities tends to be about potential exploits being found ... that a hacker 'could' potentially have exploited. A hacker actually exploiting a PC hack however risks a high chance of being traced/caught for little reward prospect. Only worth potentially doing from a criminal's perspective if they can hack many systems at near the same time and secure a financial benefit from each and run/hide/escape thereafter. Which is still pretty dumb from their perspective when there are easier and potentially less easily traced alternatives such as brush-by skimming. Which has promoted more surveillance/monitoring (cameras and trackers everywhere). Yottabyte centres that perhaps capture real time mobile phone cell identifier, facial recognition, payment card usage, number plate recognition ... etc type activity that can be interrogated by a process of elimination to pin down the most likely 'suspect' very quickly.

For the average person that isn't surrounded by security (risk of family members being kidnapped etc.) the risk of actually being hacked is pretty low (and when so, more likely by geekish kids that gain little/nothing financially from doing so) such that even modest online financial activity protection tends to suffice as a barrier/block, and it is the loss of data (family pictures ...etc.) that is at greater risk. Personal data backups ... irreplaceable/invaluable should be the priority backup. System backups much much less so (relatively easily/quickly replaced if the need so arose).