LinuxQuestions.org
Old 01-06-2008, 09:47 PM   #16
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211


Quote:
Originally Posted by astromech
Yes you are right about them being irresponsible. That has been my feeling exactly.
Therefore, don't use that site.

Quote:
I don't know if their server is run with Linux or not. I've heard the term "botnets" but don't know exactly what they are; I will have to look that up.
From the sound of things, it won't matter.

Just a thought: if the soundfile in the post is recognisable, you could inquire if the poster has a performance license to play it. Or just notify the appropriate enforcing body.

Quote:
Do you mean the "noscript" add-on for Firefox, or just turning scripts off? I have had the add-on; I forgot to reinstall it. I have to say one thing about it: it makes browsing a pain, too bad.
Both. NoScript adds an extra hoop to viewing many sites. However - a site that cannot be viewed without JavaScript is not worth my time (especially those which consist entirely of Flash.)

Quote:
Many sites such as eBay require cookies turned on, Yahoo too I believe.
Do you mean turn them off just for sites that are suspect or leave them off until you have no choice but to turn them on?
Switch them off by default and use the whitelist. This feature is built in to Firefox and there are plugins to make its management easier.

Initially it is a pain, however, as your whitelist grows, it will be less so. It's an investment.

You should also attempt to operate a site without enabling cookies for a while to find out what the cookie does. Many sites will log you out after a short time if you don't have their cookie, and/or use it for auto logins. (In LQ, this is the case - while it is technically not too hard to make posts without, LQ has little downside to enabling cookies and doesn't load extras.)

Many sites will use cookies as ad/spyware. So, after enabling cookies for a site, check to see what cookies are added to your list. See what you lose in return for the functionality.

Sometimes you can use a site with cookies enabled "for the session". In which case you give up auto-login in return for not running spyware the rest of the time. Remember: enabling cookies allows others to secretly run arbitrary code on your computer. This is the definition of a critical security exploit.

Quote:
SELinux: I've heard that term also but don't know what it is. Is it something that they (site admin) must use on their server or something that the average user can use on their system? I have a feeling it's the former.
It's the latter - SELinux is enabled by default in Ubuntu GNU/Linux. It's a reason that there is no firewall by default, there's just so little that malicious code can do to you.

Your biggest risk, therefore, comes from browser exploits.

It looks to me as though you have been using insecure browsing habits. Think of this as a heads up.

(BTW: have you sent the url to the moderator?)
 
Old 01-07-2008, 01:56 AM   #17
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by Simon Bridge
Remember: enabling cookies allows others to secretly run arbitrary code on your computer. This is the definition of a critical security exploit.
I agree that if something "allows others to secretly run arbitrary code on your computer" that would indeed be a critical security vulnerability. But could you elaborate as to why you've placed cookies into this category? It seems to me like you are confusing cookies with something else.

Quote:
It's the latter - SELinux is enabled by default in Ubuntu GNU/Linux. It's a reason that there is no firewall by default, there's just so little that malicious code can do to you.
Ubuntu only provides an SELinux-capable kernel and the SELinux shared libraries by default. In order to actually use SELinux you'd need to enable the Universe repository and then install the SELinux utilities, policy files, etc. If you want a distro which comes with SELinux out-of-the-box try Fedora.

Last edited by win32sux; 01-07-2008 at 01:59 AM.
 
Old 01-07-2008, 06:21 AM   #18
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Quote:
But could you elaborate as to why you've placed cookies into this category? It seems to me like you are confusing cookies with something else.
I am being provocative of course. But could you explain how cookies do not fit into this category?

http://en.wikipedia.org/wiki/HTTP_cookie

With cookies "enabled", you do not get any information up front about what cookies are added to your system or what they do or why they are needed. This is the secret bit.

Similarly, the cookies can do a wide variety of activities outside your control. Not as wide, perhaps, in scope as the "arbitrary code" exploits I compare them with - but sufficiently similar in actual use/purpose (as data mining, adware or spyware adjuncts say) to land them in the same basket. If it quacks like a duck and walks like a duck...

http://www.cookiecentral.com/c_virus.htm
http://www.adwarereport.com/mt/archives/000021.html
http://www.spywareguide.com/articles..._or_ne_57.html
http://www.worldprivacyforum.org/cookieoptout.html

Certainly the cookie itself is an unlikely candidate for the label "malicious code". It is a convenience that has been exploited in the past.
http://www.znep.com/~marcs/security/mozillacookie/
http://www.cookiecentral.com/bug/
http://www.infopackets.com/channels/...ound_fixed.htm

http://www.defendingthenet.com/Spywa...re-Cookies.htm
http://www.webmarketingplus.co.uk/pr...-tracking.html

That last one is especially malicious!

At worst, I am applying a harsh label to a borderline case. However, I assert that it is a case on the inside of that border.

What I find odd is that, with the large number of advertising cookies I used to get, I still ended up targeted for Viagra and Nigerian finance deals. If these cookies were so good, I should have got more relevant advertising surely?


http://everything2.com/index.pl?node_id=863898
 
Old 01-07-2008, 12:00 PM   #19
astromech
LQ Newbie
 
Registered: Feb 2007
Posts: 12

Original Poster

Quote:
Originally Posted by Simon Bridge
I am being provocative of course. But could you explain how cookies do not fit into this category?

http://en.wikipedia.org/wiki/HTTP_cookie

With cookies "enabled", you do not get any information up front about what cookies are added to your system or what they do or why they are needed. This is the secret bit.

Similarly, the cookies can do a wide variety of activities outside your control. Not as wide, perhaps, in scope as the "arbitrary code" exploits I compare them with - but sufficiently similar in actual use/purpose (as data mining, adware or spyware adjuncts say) to land them in the same basket. If it quacks like a duck and walks like a duck...

http://www.cookiecentral.com/c_virus.htm
http://www.adwarereport.com/mt/archives/000021.html
http://www.spywareguide.com/articles..._or_ne_57.html
http://www.worldprivacyforum.org/cookieoptout.html

Certainly the cookie itself is an unlikely candidate for the label "malicious code". It is a convenience that has been exploited in the past.
http://www.znep.com/~marcs/security/mozillacookie/
http://www.cookiecentral.com/bug/
http://www.infopackets.com/channels/...ound_fixed.htm

http://www.defendingthenet.com/Spywa...re-Cookies.htm
http://www.webmarketingplus.co.uk/pr...-tracking.html

That last one is especially malicious!

At worst, I am applying a harsh label to a borderline case. However, I assert that it is a case on the inside of that border.

What I find odd is that, with the large number of advertising cookies I used to get, I still ended up targeted for Viagra and Nigerian finance deals. If these cookies were so good, I should have got more relevant advertising surely?


http://everything2.com/index.pl?node_id=863898

Thank you for all the help. I have been very busy lately and have had to reinstall more than once, so I had forgotten the "good browsing habits" lately, but it's not like I never had them.

I don't do links. Especially those that have a description like:

"That last one is especially malicious!"
 
Old 01-07-2008, 12:22 PM   #20
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by Simon Bridge
I am being provocative of course. But could you explain how cookies do not fit into this category?
Sure. For starters, they are non-executable text files. That tells you right there off-the-bat that in order for them to be used to gain arbitrary code execution abilities, something would have to be terribly wrong with the browser - and I do mean TERRIBLY. Cookies are very controversial when it comes to privacy concerns, but to go from there to "allows others to secretly run arbitrary code on your computer" is a huge leap, and quite far from the truth IMHO.

Quote:
http://en.wikipedia.org/wiki/HTTP_cookie

With cookies "enabled", you do not get any information up front about what cookies are added to your system or what they do or why they are needed. This is the secret bit.

Similarly, the cookies can do a wide variety of activities outside your control. Not as wide, perhaps, in scope as the "arbitrary code" exploits I compare them with - but sufficiently similar in actual use/purpose (as data mining, adware or spyware adjuncts say) to land them in the same basket. If it quacks like a duck and walks like a duck...
Thing is, if the duck is arbitrary code execution, then it definitely does NOT quack like a duck.

I looked at every single link you posted and did not find anything that would indicate a risk of arbitrary code execution. In fact, several of those links actually highlight how common it is for anti-spyware vendors to use FUD about cookies in order to make their products seem more powerful.

Quote:
That last one is especially malicious!
Right, but that's JavaScript. The possibilities are almost limitless when you are allowing complete strangers to execute code on your box. Apples and oranges.

Quote:
At worst, I am applying a harsh label to a borderline case. However, I assert that it is a case on the inside of that border.
I think you are mistaken, but I am an open-minded person and would actually like to be shown why you are NOT mistaken. So far you've only illustrated the ubiquitous privacy issues surrounding cookies (which AFAIK nobody disputes). I don't think you've used a "harsh label", I think you've used a "wrong label".

Quote:
What I find odd is that, with the large number of advertising cookies I used to get, I still ended up targeted for Viagra and Nigerian finance deals. If these cookies were so good, I should have got more relevant advertising surely?
Perhaps, but there are way too many variables involved in figuring that out.

Last edited by win32sux; 01-07-2008 at 12:25 PM.
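
Two points from the thread, checking which cookies a site has added and cookies being stored as non-executable text, can be seen by reading a cookie file directly. The script below is an added example, not part of any post; it assumes the Netscape-style tab-separated cookies.txt layout, and the sample domains, names, values, whitelist, clock value and 30-day threshold are all constructed.

```python
# Constructed sample in the Netscape cookies.txt layout: seven tab-separated
# text fields per cookie. All domains, names and values are made up.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "www.forum.example\tFALSE\t/\tFALSE\t0\tsession\tabc123",
    ".ads.example\tTRUE\t/\tFALSE\t1893456000\tuid\t7f3e9c",
    ".tracker.example\tTRUE\t/\tFALSE\t1514764800\tvisitor\tx-991",
    "shop.example\tFALSE\t/cart\tTRUE\t1199750400\tbasket\t42",
])
FIELDS = ("domain", "subdomains", "path", "secure", "expires", "name", "value")
WHITELIST = {"forum.example", "shop.example"}  # assumed user whitelist
NOW = 1199664000                               # 2008-01-07 00:00 UTC, fixed for the demo


def parse_cookies(text):
    """Return one dict per cookie line; comments and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS) or not parts[4].isdigit():
            continue
        cookie = dict(zip(FIELDS, parts))
        cookie["expires"] = int(cookie["expires"])  # 0 means a session cookie
        cookies.append(cookie)
    return cookies


def is_whitelisted(domain, whitelist):
    """True if the cookie domain is a whitelisted site or one of its subdomains."""
    host = domain.lstrip(".")
    return any(host == w or host.endswith("." + w) for w in whitelist)


def audit(cookies, whitelist, now, max_days=30):
    """Flag cookies from non-whitelisted domains and cookies that outlive max_days."""
    findings = []
    for c in cookies:
        reasons = []
        if not is_whitelisted(c["domain"], whitelist):
            reasons.append("not-whitelisted")
        if c["expires"] and c["expires"] - now > max_days * 86400:
            reasons.append("long-lived")
        if reasons:
            findings.append((c["domain"], c["name"], reasons))
    return findings


if __name__ == "__main__":
    for domain, name, reasons in audit(parse_cookies(SAMPLE_COOKIES_TXT), WHITELIST, NOW):
        print(f"{domain:20} {name:10} {', '.join(reasons)}")
```
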