Lighthouse 64 5.14.2 Beta 4

For talk and support relating specifically to Puppy derivatives
gcmartin

flash-java in LH64

#226 Post by gcmartin »

Understood
example needed? Here is an example of the java exploit being used against a Linux computer. It doesn't matter that the exploit was originally discovered on Windows... since it's a Java exploit it works across every version of Java that wasn't properly patched.
But, if you are suggesting that this exploit is being used against one of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)

Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.

Sorry, having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH ill placed.

This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.

Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompanies these PCs.

But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.

Here to help

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#227 Post by James C »

http://krebsonsecurity.com/2012/08/secu ... -released/

If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
If you plan to keep Java on your system, update it now. The exploit being used in the wild now has been shown to work against Windows, Mac and Linux systems running Java 7 Update versions 1 through 6.

Jasper

#228 Post by Jasper »

Hi,

My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?

Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?

My regards

Jasper

#229 Post by Jasper »

Hi again,

With my 1024 pixel width, the display of text on page 16 of this thread is far wider than that.

With Opera I have it set to word wrap, but if anyone could explain how to achieve word wrap in SeaMonkey, Firefox and/or any other browser that might be a help to some of us.

My regards

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

Re: flash-java in LH64

#230 Post by Q5sys »

gcmartin wrote:But, if you are suggesting that this exploit is being used against one of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)

Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.

Sorry, having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH ill placed.

This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.

Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompanies these PCs.

But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.

Here to help
It seems that the basis of your argument is that, since we are unaware of anyone using LHP getting attacked by this vulnerability (in Java), we should not worry about it or be proactive.
A) We have no way of knowing if someone HAS been hit by this exploit or not, because not everyone who has downloaded or used LHP is on this forum and actively reporting all their issues.
B) Even if we knew as an empirical fact that not a single user of LHP was hit by this exploit, it shouldn't matter. Just because something has not happened yet does not mean that it won't.
Pretty much every security expert on the planet has said that certain programs which are known to be buggy should only be used when needed. This is, in fact, common sense. The same reason we don't have Apache software running on our home computers. Yeah, it could give us some benefits for sharing files on our own local network, but the problems it introduces FAR outweigh the benefits.

Yes, Java can do some pretty cool stuff. But what benefit is a Java music player? Is it better at playing media files than a program coded in C or C++?
If we have a choice between two programs for playing music, one Java and one C++ based, it makes more security sense to use the one that's not based on a horribly exploitable code platform. Unless the Java based one offers some amazing feature that users simply can't live without... the cost/benefit analysis would tip in the favor of the non-Java based program.

This isn't about raising fear level. It's about educating people as to the potential risks involved in certain software packages. Fear mongering would be saying "NEVER USE JAVA OR YOUR COMPUTER WILL BE HACKED AND YOUR BANK ACCOUNT DRAINED!"
I don't think anyone who is speaking out about Java being used is going to that extreme. We are simply saying (in my mind at least), know the risks you have, and use Java only when it's needed. Java does not need to be running or active on my machine when I'm sleeping or out at the store shopping. For anyone to say "Java is great to use, use it all the time, and don't worry about the vast multitude of exploits for it" is doing nothing but promoting ignorance of the risk involved in using Java.

Ignorance is NOT bliss. To argue that, since we don't know absolutely that there is a problem, we should act as if there isn't one, is silly. I'm not in any way advocating that we shouldn't use Java at all. On the contrary, I have it on my system. But I install/uninstall it as I need it for certain programs. There is no benefit for me having it active when I'm not using it. All Java does when not being used is introduce another attack vector into my system.

That's why I keep Java and Flash as SFS files. I can load them when I need them, and unload them the rest of the time. A simple shell script could be written to load the SFS and activate the program I need, and then at program shutdown unload the SFS from memory. I haven't done so because I don't consider it a hassle to mount/unmount the SFS if/when I need it.
Jasper wrote:Hi,

My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?

Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?

My regards
To start off I'll quote the mantra "Backup often, backup early".
Second, you should have your backups stored on removable media somewhere other than attached to your computer.
Malware that is set to "explode" can only work if it's lying in memory waiting to initiate. If/when it does, it can only affect storage devices attached to your computer. A backup hard drive in your drawer won't be touched. So... if you do get popped, you can reload and go.
One reason I use frugal installs is so I can back up my system (my save file) as often as I want. If one gets corrupted, all I need to do is reinstall my system and copy the backed-up save file to my computer and I'm back in business.

As for A/V malware protection for Linux, there are some. I personally use ESET NOD32 for Linux. But.... it's not free. Ironic you asked this, because I was working on packaging up an AV program for LHP this weekend and coming week. I was going to package up ClamAV. I prefer NOD32 because of its heuristics that actively scan memory. I find that it's far superior to other AV products at detecting unknown viruses.
That being said though, AV products can't guarantee protection against application exploits. They may be able to detect some through scanning programs in memory and what changes they are attempting to make, but they can't promise much. Once an exploit is known, AV companies usually do add those definitions into their products.
Jasper wrote:Hi again,

With my 1024 pixel width, the display of text on page 16 of this thread is far wider than that.

With Opera I have it set to word wrap, but if anyone could explain how to achieve word wrap in SeaMonkey, Firefox and/or any other browser that might be a help to some of us.

My regards
I dont know much about that... but this might be what you're looking for:
https://addons.mozilla.org/en-US/firefo ... word-wrap/
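Q5sys mentions that a shell script could load an SFS, run the program, and unload the SFS again at shutdown. The script below is an added example written for this thread, not Q5sys's own script and not a Lighthouse tool: it loop-mounts the SFS read-only (with nodev,nosuid so nothing inside the image can gain privilege) instead of using Puppy's own SFS layering, runs the command with the image's bin directory on PATH, and always unmounts afterwards. The mount point /mnt/sfs-java and the sample command are placeholders; DRY_RUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): run a program from an SFS only while
# it is needed, then unload it. Assumes the SFS is a squashfs image that can
# be loop-mounted and that the program's binaries live under bin/ inside it.
# Puppy's own SFS layering is deliberately not used, to keep this generic.
# Usage: sfs_run /mnt/home/jre.sfs /mnt/sfs-java java -jar app.jar

# run CMD... : execute CMD, or only print it when DRY_RUN=1 (self-test)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# sfs_run SFS MOUNTPOINT CMD... : mount, run, unmount; returns CMD's exit code
sfs_run() {
    sfs="$1"; mnt="$2"; shift 2
    [ -f "$sfs" ] || { echo "no such SFS: $sfs" >&2; return 2; }
    run mkdir -p "$mnt" || return 1
    # read-only plus nodev,nosuid: nothing inside the image can gain privilege
    run mount -t squashfs -o loop,ro,nodev,nosuid "$sfs" "$mnt" || return 1
    # run in a subshell so the PATH change does not leak into the caller
    ( PATH="$mnt/bin:$PATH"; export PATH; run "$@" )
    rc=$?
    # always unload the SFS, even when the program failed
    run umount "$mnt"
    return "$rc"
}
```

The unmount is unconditional so the image is never left loaded after the program exits, which is the whole point of loading it on demand.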

Jasper

#231 Post by Jasper »

Hi Q5sys,

Thank you very much for your help, but I am not totally clear and would appreciate clarification.

Say I collect a "tomorrow's time bomb" whilst on line now and I'm using sda1.

In another 30 minutes I do an incremental backup to my 2nd internal drive on sdb1.

It's the "in memory" bit that I don't entirely understand and ask whether I can always recover in this case.

My regards

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#232 Post by Q5sys »

Jasper wrote:Hi Q5sys,

Thank you very much for your help, but I am not totally clear and would appreciate clarification.

Say I collect a "tomorrow's time bomb" whilst on line now and I'm using sda1.

In another 30 minutes I do an incremental backup to my 2nd internal drive on sdb1.

It's the "in memory" bit that I don't entirely understand and ask whether I can always recover in this case.

My regards
OK, you get "tomorrow's time bomb" (TTB) using sda1. You back up to sdb1.
You disconnect sdb1 from your computer and put it in your drawer.
TTB on sdb1 can't do anything to the data on sdb1.
TTB is also sitting on sda1, which is in your computer.
But to run, TTB needs to be in RAM.

TTB can only 'run' at the given time if it's already executed and 'in memory' (RAM).
So when the TTB in RAM hits the date, it then activates. If it's not in RAM and is just a file on your computer, it can't do anything. The malware itself checks for the time stamp to run. If it's dormant on your drive it can't check anything, since nothing will be telling TTB 'hey, it's the date, do stuff'.

Malware works by lying in memory waiting to work. So let's say TTB is in RAM... it'll delete your files on sda1 since that's plugged in. The files on sdb1 are OK, since they are disconnected.
You can re-install your system using your sdb1 backup, but you're re-installing TTB as well.
This is why you 'Backup Often'. That way you can go back and find a backup copy of your system BEFORE the infection took place.

Does that explain it to you more clearly?

I always recommend making a backup copy of your system immediately after you install everything. That way you know you have a good clean system as a backup.
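The 'Backup Often' advice only helps if the older copies survive, so that one taken BEFORE the infection is still there to go back to. The script below is an added example, not Q5sys's or Lighthouse's own: it keeps dated copies of a save file, records a SHA-256 for each so later corruption or tampering can be detected, prunes the oldest copies beyond a count, and verifies a copy against its checksum. The file names and directories are constructed placeholders; in practice DEST would be the drive that goes in the drawer.

```shell
#!/bin/sh
# Added example (not from the thread or Lighthouse): keep several dated
# copies of the Puppy save file, each with a checksum, so that a copy from
# BEFORE an infection is still there to roll back to. Names are placeholders.
# Usage: backup_save /mnt/home/lupusave.2fs /mnt/sdb1/backups 7

# list_backups SRC DEST : print backup file names for SRC, oldest first
# (the timestamp in the name sorts chronologically)
list_backups() {
    name=$(basename "$1")
    for f in "$2/$name".*; do
        [ -e "$f" ] || continue
        case "$f" in *.sha256|*.part) continue ;; esac
        basename "$f"
    done | sort
}

# prune_backups SRC DEST KEEP : delete the oldest copies beyond KEEP
prune_backups() {
    dest="$2"
    count=$(list_backups "$1" "$dest" | wc -l | tr -d ' ')
    excess=$((count - $3))
    [ "$excess" -gt 0 ] || return 0
    list_backups "$1" "$dest" | head -n "$excess" | while read -r old; do
        rm -f "$dest/$old" "$dest/$old.sha256"
    done
}

# backup_save SRC DEST [KEEP] : copy SRC to DEST/<name>.<timestamp>, record
# its SHA-256, keep at most KEEP copies (default 7); prints the new path
backup_save() {
    src="$1"; dest="$2"; keep="${3:-7}"
    [ -f "$src" ] || { echo "no save file: $src" >&2; return 2; }
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    base="$(basename "$src").$stamp"; n=0
    # several backups within the same second get a numeric suffix
    while [ -e "$dest/$base" ]; do
        n=$((n + 1)); base="$(basename "$src").$stamp.$n"
    done
    # copy under a temporary name so an interrupted copy never looks complete
    cp "$src" "$dest/$base.part" && mv "$dest/$base.part" "$dest/$base" || return 1
    # checksum stored beside the copy with a relative name; verify_backup reads it
    (cd "$dest" && sha256sum "$base" > "$base.sha256") || return 1
    prune_backups "$src" "$dest" "$keep"
    echo "$dest/$base"
}

# verify_backup FILE : succeed only if FILE still matches its recorded SHA-256
verify_backup() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1)
}
```

Run backup_save from a cron job or after each session; because the checksum is written at backup time, a copy that a later infection silently altered fails verify_backup and is not trusted for a restore.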

Jasper

#233 Post by Jasper »

Hi Q5sys,

Thank you, as an explanation that is clear and what I had expected (though less technically).

Now today I get a 1st January 2013 time bomb - so all my backups made in the rest of this year are "corrupted" and "usefully" unrestorable in entirety.

If I already have and keep an uncorrupted backup it is way out of date, but is there a good chance that I might recover letters, emails, pictures, spreadsheets and any "data" made between today and the end of the year?

My apology if I am being a pain, but, apart from fire damage, this is my main concern (though I never spend time thinking about it as I am careful with my browsing habits and know of no other promising protective measures apart from an occasional av check).

My regards

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#234 Post by Q5sys »

Jasper wrote:Hi Q5sys,

Thank you, as an explanation that is clear and what I had expected (though less technically).

Now today I get a 1st January 2013 time bomb - so all my backups made in the rest of this year are "corrupted" and "usefully" unrestorable in entirety.

If I already have and keep an uncorrupted backup it is way out of date, but is there a good chance that I might recover letters, emails, pictures, spreadsheets and any "data" made between today and the end of the year?

My apology if I am being a pain, but, apart from fire damage, this is my main concern (though I never spend time thinking about it as I am careful with my browsing habits and know of no other promising protective measures apart from an occasional av check).

My regards
Yes if today you got a TTB for Jan 1, 2013, every backup would include it.
However if you're careful you could still extract letters/pictures/etc out of that backup without restoring the malware in that backup.

You could still mount the backup save file and copy "ONLY" the data you want. However, you would want to double check that you didn't get anything extra by checking /initrd/pup_rw before you shut down.

Puppyt
Posts: 907
Joined: Fri 09 May 2008, 23:37
Location: Moorooka, Queensland

#235 Post by Puppyt »

Thanks guys for a truly scintillating debate - it's clear that while we won't all go down with any digital Titanic in the immediate future, it is comforting to know that there is a spectrum of choices we can make individually when deciding what level of prevention is better than putative cure.
That's really why I'm with Puppy - anyone here remember wasting a day of their life re-installing a Windows OS, updating all the anti-virus, root-kits, trojans, firewalls (even if "free"ware - e.g., http://www.techsupportalert.com/pc/security-tools.html)? Sheesh - look at all those innovative ways that data can be modified and extracted without permission - bit like natural selection, and the advent of nasties like H1N1, Hendra, even permutations of the golden oldies of Avian and Spanish 'flu etc... Such a joy to now just replace a corrupted Puppy system quickly and easily with a backed-up save file...
My uni fell briefly to attack recently; although we haven't been fully informed of the details, we were in shutdown with no off-campus, off-server exchanges permitted for a day while the system was purged (?) of the digital malaise. (It's a MS system, and supports only closed-source software at hideous expense for licensing.) It was an event that had a lot of students commenting with the belief that Linux is more secure - I corrected them to the best of my knowledge, that it is certainly not a "closed system" and there are ways it can be potentially exploited. Great to see that the active discussion here shows that Puppy is ready to be ahead of the security curve, as/ if/ when the need arises. No wool pulled over the eyes of these sheepdogs...
Search engines for Puppy
[url]http://puppylinux.us/psearch.html[/url]; [url=https://cse.google.com/cse?cx=015995643981050743583%3Aabvzbibgzxo&q=#gsc.tab=0]Google Custom Search[/url]; [url]http://wellminded.net63.net/[/url] others TBA...

tazoc
Posts: 1157
Joined: Mon 11 Dec 2006, 08:07
Location: Lower Columbia Basin WA US

Browsing as spot

#236 Post by tazoc »

I'm no security expert, but I slept in a Holiday Inn! :D

I do recommend running browsers as an unprivileged user, spot (which is the default with Lighthouse64 and Fatdog64.) If you aren't sure which you are running, click Menu -> Setup -> Choose Default Browser.

To update Firefox use Menu -> Internet -> Firefox Update Help.

If you're starting the browser from a terminal,


firefox-spot #default run as spot
firefox #run as root to install Firefox updates, otherwise don't!

google-chrome-spot
opera-spot
etc.

I'm not suggesting that it is unnecessary to keep JavaRE and Flash updated, rather that running as spot should minimize any security risks because spot cannot alter or remove files not owned by spot.

Also keep in mind that unless you're running multi-session, the LiveCD-R or DVD-R that you installed Lighthouse from is read-only, (and therefore not susceptible to malware for all practical purposes.) So booting from the LiveCD with puppy pfix=ram will give you a clean boot in case you need to restore a backup, access your data or, browse securely with no disk drives mounted.

Hope that helps,
TaZoC
[url=http://www.lhpup.org/][b][size=100]lhpup.org[/size][/b] [img]http://www.lhpup.org/gallery/images/favicon.png[/img][/url] [url=http://www.lhpup.org/release-lhp.htm#602]Lighthouse 64 6.02[/url]
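A quick way to confirm that tazoc's advice is actually in effect on a running system, written as an added example rather than anything shipped with Lighthouse64: it reads each process's UID from /proc (so it is Linux-specific) and reports any browser instance not owned by spot, which is exactly the case tazoc warns about (the root browser started only for updates). The process name and expected user are parameters; pgrep is assumed to be available.

```shell
#!/bin/sh
# Added example (not shipped with Lighthouse64): confirm that browser
# processes really run as the unprivileged user spot rather than root.
# Linux-specific: the owner is read from /proc/PID/status. pgrep is assumed.
# Usage: check_browser_user firefox        # or: check_browser_user opera spot

# owner_of_pid PID : print the user name (or numeric UID) owning PID
owner_of_pid() {
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
    [ -n "$uid" ] || return 1
    id -un "$uid" 2>/dev/null || echo "$uid"
}

# pids_not_owned_by USER PID... : print the given PIDs that are NOT owned by USER
pids_not_owned_by() {
    want="$1"; shift
    for pid in "$@"; do
        owner=$(owner_of_pid "$pid") || continue   # vanished process: skip
        [ "$owner" = "$want" ] || echo "$pid"
    done
}

# check_browser_user NAME [USER] : 0 if every NAME process runs as USER
# (default spot); otherwise list the offending PIDs and return 1
check_browser_user() {
    name="$1"; want="${2:-spot}"
    pids=$(pgrep -x "$name") || { echo "$name is not running"; return 0; }
    bad=$(pids_not_owned_by "$want" $pids)
    if [ -n "$bad" ]; then
        echo "WARNING: $name is running as a user other than $want (PIDs: $bad)" >&2
        return 1
    fi
    echo "all $name processes run as $want"
}
```

Running check_browser_user firefox after starting the browser from the menu should report spot; a non-zero result means the root variant is still open and should be closed once the update is done.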

Puppyt
Posts: 907
Joined: Fri 09 May 2008, 23:37
Location: Moorooka, Queensland

#237 Post by Puppyt »

Thanks for that info re Spot, TaZoC -
I use the FF add-on "Zotero" copiously for my research, but as I have a habit of installing the incorrect software and totally borking my save file, I now keep my Zotero storage files on a separate partition. Resurrection and backup is now a total breeze. However I then ran into problems with not being able to download linked PDFs into the literature repository of my choice - spot would only let me save to the Downloads directory (under spot), and this means tedious double-movement of files to where I needed them, later. But thanks for pointing out this solution - when I want to use Zotero with minimum hassle (? barring security risks) in LH, I should go to the non-spot FF. This is a better solution to the "Out, damn'd spot" route I was contemplating, thank you!

Could I ask that you might think of organising the Desktop Settings menu a little more clearly? Some applications are global, while others are WM-specific and I don't know which works with what. I find my personal preference for Openbox WM, but I don't like desktop icons except my drive/partition/mount points. So show/hide desktop icons prevents those drive icons appearing. Instead of my usual preference for wbar, I found "Panel" already provided for my favourite apps - but that's XFCE and while I spent a while trying to incorporate it with an autostart script*, had to keep loading it up from the menu on reboots. Eventually I struck on your LXPanel - literally under my nose the whole time - so have a panel2 working to my liking. In short - even though it might involve a 4th-order of menus, might you consider arranging the desktop settings within WM-specific sub-menus?
That, or perhaps some other solution, like being able to edit the startup /autostart script from within PupControl etc., so we might mix'n'match WM features?
Sorry I'm not making a lot of sense, perhaps - up to my neck in exam preparations,
Cheers!


* can't recall the correct term. The script that loads sven etc., on startup of a given WM.

P.S. Will you be contemplating an LH repo for access from PPM, in future, in addition to the 'Lighthouse Update'?

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

Re: JavaRE-7u7, LibreOffice-3.6.1, get_libreoffice-0.17-L64

#238 Post by Q5sys »

tazoc wrote:JavaRE-7u7-x86_64 - recommended security update

SFS: http://www.lhpup.org/sfs/514-x86_64/?C=M;O=D 31M
or Pet: click Update icon on desktop -> get_updates 44M
http://www.oracle.com/technetwork/java/ ... 63279.html
Ironic since we've been having a discussion on Java exploits. Oracle has released yet another update for JRE. 7u9 was released to fix errors they introduced with their 7u7 update.
Gotta love systemic flaws where patching just creates more issues. :x
I think we're up to like 4 major java updates since August. :(

gcmartin

#239 Post by gcmartin »

Yeah, let's applaud the JAVA community for continually staying on top of things.

Oracle is very good and has an honest reputation in the IT community over the past 30 years.

As chipsets, processors, and OSes advance, it's great to see that open source efforts stay consistent with advances.

There is a flaw in an argument that was recently posted, but I will not address it here. And, as TaZoC has pointed to, there have been steps taken in Puppyland, specifically, to minimize additional dangers that could be used as a path to exploit a running distro. As such, our community of PUPs and the PUP diversity make this a tremendously exhaustive effort for exploitation for a gain which is so small as it is completely worthless to attempt. And, we also MUST remember that our community is about one-tenth of 1 percent of all PCs in the world running Linux (all versions), Apple, Microsoft, etc.

This means that many measures in and out of this community have been taken as we have some confidence of safe passage as we use our system for any/all local services that come with PUPs and especially with LH64.

But, again, let's also applaud our community developers for making a safe and easy to understand and use product as has been done for us.

Most, if not all, of us, are not exploited, now.

Here to help
P.S. This discussion really belongs elsewhere in the Puppy forum (and there already exist threads to address "Security" in this forum). Since we do NOT have a security bug present, this latest discussion is largely academic.

Maybe we should consider future discussion on security in that existing "Security" thread...maybe, huh?

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#240 Post by Q5sys »

gcmartin wrote:Yeah, let's applaud the JAVA community for continually staying on top of things.

Oracle is very good and has an honest reputation in the IT community over the past 30 years.

As chipsets, processors, and OSes advance, it's great to see that open source efforts stay consistent with advances.

There is a flaw in an argument that was recently posted, but I will not address it here. And, as TaZoC has pointed to, there have been steps taken in Puppyland, specifically, to minimize additional dangers that could be used as a path to exploit a running distro. As such, our community of PUPs and the PUP diversity make this a tremendously exhaustive effort for exploitation for a gain which is so small as it is completely worthless to attempt. And, we also MUST remember that our community is about one-tenth of 1 percent of all PCs in the world running Linux (all versions), Apple, Microsoft, etc.

This means that many measures in and out of this community have been taken as we have some confidence of safe passage as we use our system for any/all local services that come with PUPs and especially with LH64.

But, again, let's also applaud our community developers for making a safe and easy to understand and use product as has been done for us.

Most, if not all, of us, are not exploited, now.

Here to help
P.S. This discussion really belongs elsewhere in the Puppy forum (and there already exist threads to address "Security" in this forum). Since we do NOT have a security bug present, this latest discussion is largely academic.

Maybe we should consider future discussion on security in that existing "Security" thread...maybe, huh?
I have no problem discussing things in a security thread; however, this discussion has been centered around security within LHP. I see no reason for LHP users to have to search for another thread to read/learn/discuss security issues with LHP. As long as the discussion centers around particular security issues and how they impact LHP or LHP users directly, I don't see why it can't be in this thread. I do agree that general security discussion can be held elsewhere, but from my time on this forum I've noticed that usually doesn't occur, since many of those threads aren't followed as much as the individual pupplet threads. C'est la vie, je suppose.

Also I don't really see this discussion as academic. JRE 7u7 has security flaws in it. JRE 7u7 is the most recent available version for LHP users. And currently (until this post) there hasn't been an update available for it. So everyone using LHP, unless they've compiled it themselves, is vulnerable.

To help rectify that I've used Alien's SlackBuild script to build openjre7u9 for everyone.
I'm hoping TaZoC will release an official LHP update to JRE when he's able. But until then, this will work.
http://puppy-linux.org/lhp514/openjre-7 ... 6_64-1.sfs

While I'm at it, here is another updated SFS package.
http://puppy-linux.org/lhp514/vlc-2.0.4-x86_64-1.sfs

If anyone has any issues with these, let me know.
Last edited by Q5sys on Tue 30 Oct 2012, 21:35, edited 1 time in total.

gcmartin

#241 Post by gcmartin »

Thanks @Q5sys

I am not taking issue with what you or anyone is sharing. I respect what all share.

And, I can see some of what you share. But, in truth, you, I and the rest of us should be trying to better understand and address "operational procedures" rather than "presence" for exploitation. In other words, presence does NOT spell exploitation. That is what members are getting from how you are presenting things. Exploitation does not occur as one can derive from the methods you are sharing. Those conditions for exploitation must be met exactly in order for an exploitation to even begin, much less operation for benefit or malice.

And we also should address it on the Security thread because what you are sharing is not specific to LH64, but more generally to all PUPs that have a JRE offering or presence. I think you see the benefit.

But, I won't pursue JRE from a security flaw position as an exploit is not imminent based upon what I have read. And, as you share, there are steps being taken to keep JRE current as well as safe. This also is being done with so many products in today's arena. And should a potential for exploit be discovered, that does not make a product totally useless or mean that anyone is being currently exploited. Any security officer understands this. At least I am aware of this.

Please, let's try to understand that. While not ignoring potential harm from anything we use, we can and should pursue benefit in system and subsystem understanding and usage. And, in regards to the deliverable from LH64, we continue to get and use a very reasonably safe environment.

Here to help

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

#242 Post by Q5sys »

gcmartin wrote:Thanks @Q5sys

I am not taking issue with what you or anyone is sharing. I respect what all share.

And, I can see some of what you share. But, in truth, you, I and the rest of us should be trying to better understand and address "operational procedures" rather than "presence" for exploitation. In other words, presence does NOT spell exploitation. That is what members are getting from how you are presenting things. Exploitation does not occur as one can derive from the methods you are sharing. Those conditions for exploitation must be met exactly in order for an exploitation to even begin, much less operation for benefit or malice.

And we also should address it on the Security thread because what you are sharing is not specific to LH64, but more generally to all PUPs that have a JRE offering or presence. I think you see the benefit.

But, I won't pursue JRE from a security flaw position as an exploit is not imminent based upon what I have read. And, as you share, there are steps being taken to keep JRE current as well as safe. This also is being done with so many products in today's arena. And should a potential for exploit be discovered, that does not make a product totally useless or mean that anyone is being currently exploited. Any security officer understands this. At least I am aware of this.

Please, let's try to understand that. While not ignoring potential harm from anything we use, we can and should pursue benefit in system and subsystem understanding and usage. And, in regards to the deliverable from LH64, we continue to get and use a very reasonably safe environment.

Here to help
According to a study by Symantec, the typical zero-day attack lasts 312 days, with some lasting as long as two and a half years.
http://users.ece.cmu.edu/~tdumitra/publ ... ro_day.pdf
This means that exploits are actively used LONG before they are discovered by researchers. Researchers don't usually discover a flaw first. It's usually research done to try to uncover unknown behavior on systems that discovers it. Through this, researchers become aware of the exploit and work to patch it. Most of the time it's an exploit being used that helps bring it to attention; however, according to Symantec it's not a quick discovery. So we aren't magically at risk when a vulnerability becomes known; we've been at risk, we are now aware that we are.
Yes, the Java community does well once a vulnerability comes to light, but the fact that so many vulnerabilities have been found over time shows that it's a very buggy platform. And with exploits existing and being utilized long before the community becomes aware of them shows the level of risk the Java software has associated with it. That's the inherent problem in software development when you assume a reactionary philosophy. The developers are always far behind the curve, which sadly puts users even further back. Who suffers the most? The users, of course.

The fact is the risk exists all the time; it's impossible to eliminate all risk. What we must do is learn how to best manage risk. For each person the balance between risk and usability is different. But going back to your original claim with regards to Java, "There is no when we need it, we need it."; that's your personal choice on that balance. You cannot presume that everyone shares your opinion, just as I can't presume that they agree with mine. However, presenting both sides of the debate allows others to choose where their choice lies.


Speaking specifically about the Java exploit, it was in existence and being used for quite a long time before it came to light. So users were at risk using the entire v6 tree of Java, for its entire life. This wasn't something that was just found and patched. It was found long ago and was actively being used, but wasn't discovered publicly by security individuals until recently.
Also, implementation of an attack like this does not require much work.
Again speaking of Java, this is why there has been discussion about java.
Read these two if you are curious on it...
http://arstechnica.com/information-tech ... ity-risks/
http://arstechnica.com/information-tech ... ity-risks/

If you want to discuss Java more, please make a java thread somewhere and we can continue.


Lets recap several things though from the last few posts of ours?
1) You stated that an attack on MS or Apple doesn't mean it'll work on Linux. -- I showed that false with a simple compromise of a Linux system running the same version of Java we had available to us.
2) You made the claim that LHP was safe from any attack, and that Java/Flash couldn't compromise LHP. "Not in the past, not now!" -- Unless you are all-knowing, and know every LHP user's experience and system, how can you possibly make this claim with any credibility? Furthermore, showing the same version of Java being exploited on a *nix system shows how simple it is to accomplish. Any script kiddie can go download Metasploit and the exploit script and go.
3) You claim: "Those conditions for exploitation must be met exactly in order for an exploitation to even begin much less operation for benefit or malice." -- Automated attacks can scan networks for systems that can be exploited. After systems are discovered, it's trivial to turn the preliminary result of a vulnerable system into a useful attack. What could be done once it's found? Well, what can be done with a remote shell on a system? Answer: pretty much anything. That's the main benefit from running browsers as spot. Browser space nowadays is a separate ecosystem from the OS. Exploits can be created for browsers with no care for the underlying system. Once a remote shell is gained, the game is over.
Lastly, "That is what members are getting from how you are presenting things."
--How exactly are you aware of what members are thinking when they read my comments?

I'm basing my comments on facts that can be verified by anyone. Your comments seem to be based on your personal opinion on things that no human could possibly know (what other people are thinking, and absolute knowledge of what's happened in the past).
Last edited by Q5sys on Wed 31 Oct 2012, 14:38, edited 2 times in total.

Jasper

#243 Post by Jasper »

Hi Q5sys,

I have been using all of your suggested precautions except spot.

As a simple test in Precise 5.4 I have just moved my portable Linux QtWeb browser folder (which holds all QtWeb files and data) inside spot and it works, but I just downloaded a pet and it still went to /root/downloads/ which I had previously specified.

I then moved my spot folder to another location and all seems well, but my question is have I confined any exploits (other than a possible unclean download) to my spot folder?

My regards

Puppyt
Posts: 907
Joined: Fri 09 May 2008, 23:37
Location: Moorooka, Queensland

#244 Post by Puppyt »

@meeki - many thanks for your LH64 Dropbox pet, and those details for moving the folder off-save. Works a treat - hope to get around to testing your other offerings soon, ESPECIALLY subsonic, but I'm not joining all the dots lately...

As to my previous posting regarding mix/matching WM features (e.g., XFCE-4 Panel automatically starting up on Openbox bootup), I found what I was needing was to create an .sh script in the /root/Startup folder. At least - that is I think the solution to the problem I was having earlier,
Cheers

meeki
Posts: 122
Joined: Mon 23 Jul 2012, 04:48
Location: Portland OR

#245 Post by meeki »

THE DROPBOX PET IS BUGGED!

it breaks virtualbox

you are warned!
