#1
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users

The vast majority of 'Windows hacking' comes from the stupidity of users, not flaws in the Windows OS.

Granted it's not perfect, but browser security warns you when it's about to happen. There is no dumber person on the planet than a Twitter user. If they use a computer to access Twitter and a page happens to have some malware injected into it, these idiots will actually believe they have to install software to access it and click "Yes" instead of "No". There are effective Java exploits, but if you're still stupid enough to be using Java, you deserve to get your ass handed to you.
#2
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On 2016-10-19 7:01 PM, Cornelis Tromp wrote:
> The vast majority of 'Windows hacking' comes from the stupidity of users, not flaws in the Windows OS.

+1

> Granted it's not perfect, but browser security warns you when it's about to happen. There is no dumber person on the planet than a Twitter user. If they use a computer to access Twitter and a page happens to have some malware injected into it, these idiots will actually believe they have to install software to access it and click "Yes" instead of "No". There are effective Java exploits, but if you're still stupid enough to be using Java, you deserve to get your ass handed to you.

Agreed.

--
Deplorable Silver Slimer
Islam is a disease
Gab.ai: @silverslimer
#3
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On 10/19/16 16:01, Cornelis Tromp so wittily quipped:
> The vast majority of 'Windows hacking' comes from the stupidity of users, not flaws in the Windows OS.

source, please. 'just because you say so' isn't authoritative. Sure, it sounds great, but I'd like to see those numbers, if you don't mind.

> Granted it's not perfect, but browser security warns you when it's about to happen.

which browser? Intarweb Exploiter? I think not. The total number of major security flaws that have already been patched by Micro-shaft, many of which have been SERIOUS flaws [such as privilege elevation], as evidenced by the MANY patches, is well known and well established. the main advantage to NON-microsoft operating systems is the open source peer review. Yes, evil hackers CAN use this fact to FIND vulnerabilities, but so can security pros, and they have.

As for 'warning you', what is the browser looking for and detecting as an 'exploit'? I guarantee you that if there's a 0-day javascript-related (or flash-related, or graphics-related) flaw being exploited in the wild, you'll get NO warnings other than a possible browser crash... "oops, we didn't buffer-check this optional field in the file format" - that's OFTEN how it happens. then a carefully crafted 0-day is created that puts executable code into a buffer overrun exploit, and you get NO warning, except for that ransomware dialog box that insists you need to pay them to get your files back..

> There is no dumber person on the planet than a Twitter user.

except a Hillary Clinton supporter, or a "pull the D lever" voter, or just about ANYONE who "feels" instead of "thinks". Emotions make bad decisions - ask anyone with 'beer goggles' on the morning after...

On a related note, a poorly configured router running Linux is ALSO vulnerable to being cracked, like if you leave the default user/password as-is AND allow remote admin, for example...

So SOME of what you said up front might be correct, but only if the default settings are insecure, since [from my experience] the average 'clueless user' doesn't change the defaults.

--
your story is so touching, but it sounds just like a lie
"Straighten up and fly right"
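The missing buffer check on an optional file-format field that the post above describes, as an added example that is not part of the original thread. It is a C parser for a constructed record layout (the format, names and sample bytes are assumptions made for illustration) showing the two bounds checks whose absence lets a crafted file overrun a fixed buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX      32    /* size of the fixed destination buffer */
#define FLAG_HAS_COMMENT 0x01  /* bit 0 of flags: optional comment follows */

enum { PARSE_OK = 0, ERR_TRUNCATED = -1, ERR_COMMENT_TOO_LONG = -2 };

struct record {
    uint8_t        flags;
    char           comment[COMMENT_MAX]; /* NUL-terminated; empty if absent */
    const uint8_t *payload;              /* points into the caller's buffer */
    size_t         payload_len;
};

/* Hypothetical layout: flags(1) [clen(1) comment(clen)] plen(2, big-endian) payload(plen) */
int parse_record(const uint8_t *buf, size_t len, struct record *out)
{
    size_t off = 0;                      /* invariant: off <= len */

    memset(out, 0, sizeof *out);
    if (len - off < 1) return ERR_TRUNCATED;
    out->flags = buf[off++];

    if (out->flags & FLAG_HAS_COMMENT) {
        if (len - off < 1) return ERR_TRUNCATED;
        size_t clen = buf[off++];
        /* Check 1: the declared length must fit in the bytes actually present. */
        if (clen > len - off) return ERR_TRUNCATED;
        /* Check 2: it must fit the destination, leaving room for the NUL.
           Without this, memcpy trusts a length chosen by the file's author. */
        if (clen >= COMMENT_MAX) return ERR_COMMENT_TOO_LONG;
        memcpy(out->comment, buf + off, clen);
        off += clen;
    }

    if (len - off < 2) return ERR_TRUNCATED;
    size_t plen = ((size_t)buf[off] << 8) | buf[off + 1];
    off += 2;
    if (plen > len - off) return ERR_TRUNCATED;
    out->payload = buf + off;
    out->payload_len = plen;
    return PARSE_OK;
}

/* Constructed sample inputs, not taken from any real file format. */
static const uint8_t SAMPLE_OK[]        = {0x01, 2, 'h', 'i', 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_LYING[]     = {0x01, 200, 'x'}; /* claims 200 bytes, has 1 */
static const uint8_t SAMPLE_TOO_BIG[44] = {0x01, 40};       /* 40-byte comment present */

int main(void)
{
    struct record r;
    printf("ok=%d lying=%d too_big=%d\n",
           parse_record(SAMPLE_OK, sizeof SAMPLE_OK, &r),
           parse_record(SAMPLE_LYING, sizeof SAMPLE_LYING, &r),
           parse_record(SAMPLE_TOO_BIG, sizeof SAMPLE_TOO_BIG, &r));
    return 0;
}
```

Both malformed samples are rejected with an error code before any copy takes place, so the caller gets a parse failure rather than silent memory corruption.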
#4
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
"Cornelis Tromp" wrote
| The vast majority of 'Windows hacking' comes from the stupidity
| of users, not flaws in the Windows OS.
|

Vulnerabilities, such as Flash or IE cross-site scripting vulnerabilities. That's user-caused only insofar as it's "stupid" to allow Flash and scripting.

| Granted it's not perfect, but browser security warns you when
| it's about to happen.

Not hardly. And that creates its own problems. I had an email from someone today who can't download my software because Smart Screen tells them it's unrecognized and therefore may be harmful. Security via total xenophobic protocol. And Smart Screen seems to require reporting websites to check on their reputation, as well. So IE as installed spies on you and prevents you doing much of anything but using large, corporate, online services.

And you can still get compromised because that kind of security is simply based on user restriction, and at some point user restriction has to be compromised for the sake of functionality.
#5
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On 20/10/2016 18:52, Mayayana wrote:
> "Cornelis Tromp" wrote
>
> | The vast majority of 'Windows hacking' comes from the stupidity
> | of users, not flaws in the Windows OS.
> |
>
> Vulnerabilities, such as Flash or IE cross-site scripting vulnerabilities. That's user-caused only insofar as it's "stupid" to allow Flash and scripting.
>
> | Granted it's not perfect, but browser security warns you when
> | it's about to happen.
>
> Not hardly. And that creates its own problems. I had an email from someone today who can't download my software because Smart Screen tells them it's unrecognized and therefore may be harmful. Security via total xenophobic protocol. And Smart Screen seems to require reporting websites to check on their reputation, as well. So IE as installed spies on you and prevents you doing much of anything but using large, corporate, online services.
>
> And you can still get compromised because that kind of security is simply based on user restriction, and at some point user restriction has to be compromised for the sake of functionality.

What kind of software do you write, Mayayana?

Do you have a web site available for readers here to review?
#6
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
"David B." wrote
| What kind of software do you write, Mayayana?
|
| Do you have a web site available for readers here to review?

You've asked me that at least once before. Apparently you didn't find anything interesting at my site.
#7
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
"Cornelis Tromp" wrote
| The vast majority of 'Windows hacking' comes from the stupidity
| of users, not flaws in the Windows OS.
|

A very interesting and apropos article at The Register this week, for anyone interested in the actual facts about online Windows security, regarding the recent DNC hack:

http://www.theregister.co.uk/2016/10..._six_zerodays/

There's a PDF linked from there that describes the hacks in great detail. The group doing it seems to be a very talented, well funded bunch of Russians. Almost a military operation, targeting the DNC but also eastern European political targets.

It amazes me that people use crappy webmail like GMail for anything more than party invitations and RSVPs, but much of the hacking depended on people having GMail accounts.... and most of the people did! I wouldn't be surprised if I could reach the Pope via .

The article/PDF linked above describes the use of 6 0-day exploits, as well as numerous vulnerabilities that have been patched, mainly in MS Office, Flash and Java. You thought people have to be stupid to be using Java. But what about MS Office and Flash? They're both major problems and always have been. Most people are not getting drive-by infected because of Java. The typical scenario is a browser with Flash and script enabled.

The initial attacks in this case were via email -- either rigged attachments or bitly shortened links that needed to be clicked on. (Yet another example of why no one should ever use link shortening services or click on such links.) Those attacks exploited 8 vulnerabilities. One in Acrobat Reader, one in Flash and 6 in MS Office. Two of the latter were 0-day (unknown and unpatched at the time).

Once people clicked links there were 12 exploits used at the destination webpage. Of those 12, 2 bugs were in IE8, one in IE11, one in all versions of IE since v3 (!), 2 in Firefox, 2 in Java, 3 in Flash and one Mac bug. Two Flash and one Java bug were 0-day.

The browser bugs almost certainly would have required script enabled. Non-script browser vulnerabilities are extremely rare.

One of the 0-day bugs used was in Windows itself:

https://technet.microsoft.com/library/security/ms15-051

(Now patched, but wasn't at the time it was used.)

What all of that means is that the average person who goes online and allows script is a sitting duck. The risk is greatly amplified by MS Office, Java and especially by using Adobe products -- Flash or Acrobat Reader. (By one account, 8 of the top ten exploits in 2015 were Flash. The other two were IE and Silverlight. https://www.recordedfuture.com/top-v...bilities-2015/ )

That situation is getting worse because there's now big money in it, which attracts skilled coders. Look up NSO Group to find info about companies that actually develop and sell 0-days to companies and governments. They're described as an "Israeli cyberweapons arms manufacturer" by Bruce Schneier.

There's also a lot of website rigging going on. Much of that is done by buying ads that show up at major sites like AOL or NYT, then rigging the ad to install malware. Since the ads are coming from remote locations and there's no oversight of the ad buyers at companies like Google/Doubleclick, it's a very efficient method. There are also lots of corrupted sites running stuff like Wordpress. A Wordpress component or javascript library has a bug. People using those don't know how to code for themselves in the first place, so they don't keep up to date on patches. So their site gets infiltrated.

So a normal browser, going to popular websites and doing nothing unusual, can easily be a vulnerable target. All you have to do is enable script. If you also enable 3rd-party files, which nearly everyone does, then you're a much bigger target. Which means that by your definition 99.9% of people online are very stupid. In a sense that's true. They shouldn't be enabling script. But nearly all *interactive* activity online requires script.
#8
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On 10/19/16 16:01, Cornelis Tromp so wittily quipped:
> The vast majority of 'Windows hacking' comes from the stupidity of users, not flaws in the Windows OS.

except, maybe, THIS???

http://www.theregister.co.uk/2016/10...at ch_parade/

"Microsoft says the graphics device interface vulnerability (CVE-2016-3393) allowed attackers to gain remote code execution and elevation of privilege powers."

"hacking group dubbed FruityArmor was exploiting the vulnerability in chained attacks, using a True Type Font to trigger the bug."

"The attack saw browser sandboxes broken and higher privileges attained before a second payload executed with the newly-acquired higher access privileges."

"Windows 10's efforts to push font processing into a special user mode that restricts privileges did not stop the exploit."

A TRUE TYPE FONT was being used. What 'stupid user actions' allows THAT to happen?

(nice timing on the article, as it nukes your premise back to the stone age)
#9
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
"Big Bad Bob" wrote
| A TRUE TYPE FONT was being used. What 'stupid user actions' allows THAT
| to happen?
|

I wouldn't call them stupid, but web fonts have always been a risk and should not be enabled. It's comparable to things like Flash. Unfortunately, embedding fonts has become extremely common, while not long ago it was frowned upon due to both security and webpage bloat.
#10
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On 21/10/2016 14:08, Mayayana wrote:
> "David B." wrote
>
> | What kind of software do you write, Mayayana?
> |
> | Do you have a web site available for readers here to review?
>
> You've asked me that at least once before. Apparently you didn't find anything interesting at my site.

Hey! I'm sorry. :-(

When I'm out boating all summer I sometimes forget computing matters.

Please give me a reminder - a link preferably!

Cheers :-)
#11
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On Thu, 20 Oct 2016 10:00:33 -0700, Big Bad Bob wrote:
> On 10/19/16 16:01, Cornelis Tromp so wittily quipped:
>
>> The vast majority of 'Windows hacking' comes from the stupidity of users, not flaws in the Windows OS.
>
> source, please. 'just because you say so' isn't authoritative. Sure, it sounds great, but I'd like to see those numbers, if you don't mind.
>
>> Granted it's not perfect, but browser security warns you when it's about to happen.
>
> which browser? Intarweb Exploiter? I think not. The total number of major security flaws that have already been patched by Micro-shaft, many of which have been SERIOUS flaws [such as privilege elevation], as evidenced by the MANY patches, is well known and well established. the main advantage to NON-microsoft operating systems is the open source peer review. Yes, evil hackers CAN use this fact to FIND vulnerabilities, but so can security pros, and they have.
>
> As for 'warning you', what is the browser looking for and detecting as an 'exploit'? I guarantee you that if there's a 0-day javascript-related (or flash-related, or graphics-related) flaw being exploited in the wild, you'll get NO warnings other than a possible browser crash... "oops, we didn't buffer-check this optional field in the file format" - that's OFTEN how it happens. then a carefully crafted 0-day is created that puts executable code into a buffer overrun exploit, and you get NO warning, except for that ransomware dialog box that insists you need to pay them to get your files back..
>
>> There is no dumber person on the planet than a Twitter user.
>
> except a Hillary Clinton supporter, or a "pull the D lever" voter, or just about ANYONE who "feels" instead of "thinks". Emotions make bad decisions - ask anyone with 'beer goggles' on the morning after...
>
> On a related note, a poorly configured router running Linux is ALSO vulnerable to being cracked, like if you leave the default user/password as-is AND allow remote admin, for example...
>
> So SOME of what you said up front might be correct, but only if the default settings are insecure, since [from my experience] the average 'clueless user' doesn't change the defaults.

If you're so smart how come you appear to be a Trump supporter. That man is just one big con artist.

As to this post, I've said it before and I'll repeat, the best thing anyone can do for their peace of mind regardless of operating system is a combination of image backup and data file backup. A 2TB drive is around $100. Backup software is free, I use Macrium free and FreeFileSync. I intend to play with rsync to see how that works out.
#12
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On 10/22/16 06:26, Dave C so wittily quipped:
> If you're so smart how come you appear to be a Trump supporter. That man is just one big con artist.

to an *IDIOT*, maybe.

However... if *YOU* are so smart, why are you NOT a Trump supporter? Only a *****ING* *MORON* or *SOCIALIST* *****HEAD* or *CRIMINAL* would actually _WANT_ Her Royal Heinous, Mrs. Clinton, Mother of Lies and Empress of Deceitfulness, to actually BECOME the MOST POWERFUL PERSON IN THE WORLD.

Seriously? That's *SO* ****ED UP!

TRUMP TRUMP TRUMP TRUMP TRUMP TRUMP
#13
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On 10/21/16 11:23, Mayayana so wittily quipped:
> "Big Bad Bob" wrote
>
> | A TRUE TYPE FONT was being used. What 'stupid user actions' allows THAT
> | to happen?
> |
>
> I wouldn't call them stupid, but web fonts have always been a risk and should not be enabled. It's comparable to things like Flash. Unfortunately, embedding fonts has become extremely common, while not long ago it was frowned upon due to both security and webpage bloat.

AH, I was contrasting "stupid user actions" being the cause, against inadvertent usage of fonts being the cause (for which no 'stupid user action' would be needed). 'My bad' if not clear

--
your story is so touching, but it sounds just like a lie
"Straighten up and fly right"
#14
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On Tue, 25 Oct 2016 14:51:45 -0700 Big Bad Bob wrote:

> On 10/25/16 14:48, Big Bad Bob so wittily quipped:
>
>> On 10/22/16 06:26, Dave C so wittily quipped:
>>
>>> If you're so smart how come you appear to be a Trump supporter. That man is just one big con artist.
>>
>> to an *IDIOT*, maybe.
>>
>> However... if *YOU* are so smart, why are you NOT a Trump supporter? Only a *****ING* *MORON* or *SOCIALIST* *****HEAD* or *CRIMINAL* would actually _WANT_ Her Royal Heinous, Mrs. Clinton, Mother of Lies and Empress of Deceitfulness, to actually BECOME the MOST POWERFUL PERSON IN THE WORLD.
>>
>> Seriously? That's *SO* ****ED UP!
>>
>> TRUMP TRUMP TRUMP TRUMP TRUMP TRUMP
>
> OH, and I forgot to add 'Anti-Christ' to Mrs. Clinton's pedigree...

Is this good or bad?

--
press any key to continue or any other to quit
#15
"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users
On 10/25/16 14:48, Big Bad Bob so wittily quipped:
> On 10/22/16 06:26, Dave C so wittily quipped:
>
>> If you're so smart how come you appear to be a Trump supporter. That man is just one big con artist.
>
> to an *IDIOT*, maybe.
>
> However... if *YOU* are so smart, why are you NOT a Trump supporter? Only a *****ING* *MORON* or *SOCIALIST* *****HEAD* or *CRIMINAL* would actually _WANT_ Her Royal Heinous, Mrs. Clinton, Mother of Lies and Empress of Deceitfulness, to actually BECOME the MOST POWERFUL PERSON IN THE WORLD.
>
> Seriously? That's *SO* ****ED UP!
>
> TRUMP TRUMP TRUMP TRUMP TRUMP TRUMP

OH, and I forgot to add 'Anti-Christ' to Mrs. Clinton's pedigree...

--
your story is so touching, but it sounds just like a lie
"Straighten up and fly right"