Compuiters hacked via online forum?

Quote:

Originally Posted by astromech Yes you are right about them being irresponsible. That has been my feeling exactly.

Therefore, don't use that site.

Quote:

I don't know if their server is run with Linux or not I've heard the term "botnets" but don't know exactly what they are I will have to look that up.

From the sound of things, it won't matter.

Just a thought: if the soundfile in the post is recognisable, you could inquire if the poster has a performance license to play it. Or just notify the appropriate enforcing body.

Quote:

Do you mean the "noscript" add on for Firefox? or just turning scripts off? I have had the add on I forgot to reinstall it i have to say one thing about it : it makes browsing a pain,too bad.

Both. NoScript adds an extra hoop to viewing many sites. However - a site that cannot be viewed without javascript is not worth my time (especially those which consist entirely of flash.)

Quote:

Many sites such as ebay require cookies turned on Yahoo too I believe. Do you mean turn them off just for sites that are suspect or leave them off untill you have no choice but to turn them on?

Switch them off by default and use the whitelist. This feature is built in to firefox and there are plugins to make it's management easier.

Initially it is a pain, however, as your whitelist grows, it will be less so. It's an investment.

You should also attempt to operate a site without enabling cookies for a while to find out what the cookie does. Many sites will log you out after a short time if you don't have their cookie, and/or use it for auto logins. (In LQ, this is the case - while it is technically not too hard to make posts without, LQ has little downside to enabling cookies and doesn't load extras.)

Many sites will use cookies as ad/spyware. So, after enabling cookies for a site, check to see what cookies are added to your list. See what you lose in return for the functionality.

Sometimes you can use a site with cookies enabled "for the session". In which case you give up auto-login in return for not running spyware the rest of the time. Remember: enabling cookies allows others to secretly run arbitrary code on your computer. This is the definition of a critical security exploit.

Quote:

SELinux I've heard that term also but don't know what it is .Is it something that they (site admin) must use on their server or something that the average user can use on their system ? I have a feeling it's the former.

It's the latter - SELinux is enabled by default in Ubuntu GNU/Linux. It's a reason that there is no firewall by default, there's just so little that malicious code can do to you.

Your biggest risk, therefore, comes from browser exploits.

It looks to me as though you have been using insecure browsing habits. Think of this as a heads up.

(BTW: have you sent the url to the moderator?)

Quote:

Originally Posted by Simon Bridge Remember: enabling cookies allows others to secretly run arbitrary code on your computer. This is the definition of a critical security exploit.

I agree that if something "allows others to secretly run arbitrary code on your computer" that would indeed be a critical security vulnerability. But could you elaborate as to why you've placed cookies into this category? It seems to me like you are confusing cookies with something else.

Quote:

It's the latter - SELinux is enabled by default in Ubuntu GNU/Linux. It's a reason that there is no firewall by default, there's just so little that malicious code can do to you.

Ubuntu only provides an SELinux-capable kernel and the SELinux shared libraries by default. In order to actually use SELinux you'd need to enable the Universe repository and then install the SELinux utilities, policy files, etc. If you want a distro which comes with SELinux out-of-the-box try Fedora.

Quote:

But could you elaborate as to why you've placed cookies into this category? It seems to me like you are confusing cookies with something else.

I am being provocative of course. But could you explain how cookies do not fit into this category?

http://en.wikipedia.org/wiki/HTTP_cookie

With cookies "enabled", you do not get any information up front about what cookies are added to your system or what they do or why they are needed. This is the secret bit.

Similarly, the cookies can do a wide variety of activities outside your control. Not as wide, perhaps, in scope as the "arbitrary code" exploits I compare them with - but sufficiently similar in actual use/purpose (as data mining, adware or spyware adjuncts say) to land them in the same basket. If it quacks like a duck and walks like a duck...

http://www.cookiecentral.com/c_virus.htm
http://www.adwarereport.com/mt/archives/000021.html
http://www.spywareguide.com/articles..._or_ne_57.html
http://www.worldprivacyforum.org/cookieoptout.html

Certainly the cookie itself is an unlikely candidate for the label "malicious code". It is a convenience that has been exploited in the past.
http://www.znep.com/~marcs/security/mozillacookie/
http://www.cookiecentral.com/bug/
http://www.infopackets.com/channels/...ound_fixed.htm

http://www.defendingthenet.com/Spywa...re-Cookies.htm
http://www.webmarketingplus.co.uk/pr...-tracking.html

That last one is especially malicious!

At worst, I am applying a harsh label to a borderline case. However, I assert that it is a case on the inside of that border.

What I find odd is that, with the large number of advertising cookies I used to get, I still ended up targeted for viagra and nigerian finance deals. If these cookies were so good, I should have got more relevant advertising surely?


http://everything2.com/index.pl?node_id=863898

Quote:

Originally Posted by Simon Bridge I am being provocative of course. But could you explain how cookies do not fit into this category? http://en.wikipedia.org/wiki/HTTP_cookie With cookies "enabled", you do not get any information up front about what cookies are added to your system or what they do or why they are needed. This is the secret bit. Similarly, the cookies can do a wide variety of activities outside your control. Not as wide, perhaps, in scope as the "arbitrary code" exploits I compare them with - but sufficiently similar in actual use/purpose (as data mining, adware or spyware adjuncts say) to land them in the same basket. If it quacks like a duck and walks like a duck... http://www.cookiecentral.com/c_virus.htm http://www.adwarereport.com/mt/archives/000021.html http://www.spywareguide.com/articles..._or_ne_57.html http://www.worldprivacyforum.org/cookieoptout.html Certainly the cookie itself is an unlikely candidate for the label "malicious code". It is a convenience that has been exploited in the past. http://www.znep.com/~marcs/security/mozillacookie/ http://www.cookiecentral.com/bug/ http://www.infopackets.com/channels/...ound_fixed.htm http://www.defendingthenet.com/Spywa...re-Cookies.htm http://www.webmarketingplus.co.uk/pr...-tracking.html That last one is especially malicious! At worst, I am applying a harsh label to a borderline case. However, I assert that it is a case on the inside of that border. What I find odd is that, with the large number of advertising cookies I used to get, I still ended up targeted for viagra and nigerian finance deals. If these cookies were so good, I should have got more relevant advertising surely? http://everything2.com/index.pl?node_id=863898

Thank you for all the help .I have been very busy lately and have had to reinstall more than once so I had forgotten the "good browsing habits " lately but it's not like I never had them .

I don't do links .Especially those that have a description like:

"That last one is especially malicious! "

Quote:

Originally Posted by Simon Bridge I am being provocative of course. But could you explain how cookies do not fit into this category?

Sure. For starters, they are non-executable text files. That tells you right there off-the-bat that in order for them to be used to gain arbitrary code execution abilities, something would have to be terribly wrong with the browser - and I do mean TERRIBLY. Cookies are very controversial when it comes to privacy concerns, but to go from there to "allows others to secretly run arbitrary code on your computer" is a huge leap, and quite far from the truth IMHO.

Quote:

http://en.wikipedia.org/wiki/HTTP_cookie With cookies "enabled", you do not get any information up front about what cookies are added to your system or what they do or why they are needed. This is the secret bit. Similarly, the cookies can do a wide variety of activities outside your control. Not as wide, perhaps, in scope as the "arbitrary code" exploits I compare them with - but sufficiently similar in actual use/purpose (as data mining, adware or spyware adjuncts say) to land them in the same basket. If it quacks like a duck and walks like a duck...

Thing is, if the duck is arbitrary code execution, then it definitely does NOT quack like a duck.

Quote:

http://www.cookiecentral.com/c_virus.htm http://www.adwarereport.com/mt/archives/000021.html http://www.spywareguide.com/articles..._or_ne_57.html http://www.worldprivacyforum.org/cookieoptout.html Certainly the cookie itself is an unlikely candidate for the label "malicious code". It is a convenience that has been exploited in the past. http://www.znep.com/~marcs/security/mozillacookie/ http://www.cookiecentral.com/bug/ http://www.infopackets.com/channels/...ound_fixed.htm http://www.defendingthenet.com/Spywa...re-Cookies.htm http://www.webmarketingplus.co.uk/pr...-tracking.html

I looked at every single link you posted and did not find anything that would indicate a risk of arbitrary code execution. In fact, several of those links actually highlight how common it is for anti-spyware vendors to use FUD about cookies in order to make their products seems more powerful.

Quote:

That last one is especially malicious!

Right, but that's JavaScript. The possibilities are almost limitless when you are allowing complete strangers to execute code on your box. Apples and oranges.

Quote:

At worst, I am applying a harsh label to a borderline case. However, I assert that it is a case on the inside of that border.

I think you are mistaken, but I am an open-minded person and would actually like to be shown why you are NOT mistaken. So far you've only illustrated the ubiquitous privacy issues surrounding cookies (which AFAIK nobody disputes). I don't think you've used a "harsh label", I think you've used a "wrong label".

Quote:

What I find odd is that, with the large number of advertising cookies I used to get, I still ended up targeted for viagra and nigerian finance deals. If these cookies were so good, I should have got more relevant advertising surely?

Perhaps, but there are way too many variables involved in figuring that out.