"Hacking Windows" doesn't really happen. Windows gets compromised by stupid impatient clicking users



 
 
  #1  
Old October 20th 16, 12:01 AM posted to alt.privacy.anon-server, alt.comp.os.windows-10,comp.os.linux.advocacy, alt.hacker
Cornelis Tromp

The vast majority of 'Windows hacking' comes from the stupidity
of users, not flaws in the Windows OS.

Granted it's not perfect, but browser security warns you when
it's about to happen. There is no dumber person on the planet
than a Twitter user. If they use a computer to access Twitter
and a page happens to have some malware injected into it, these
idiots will actually believe they have to install software to
access it and click "Yes" instead of "No".

There are effective Java exploits, but if you're still stupid
enough to be using Java, you deserve to get your ass handed to
you.

  #2  
Old October 20th 16, 12:58 AM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Deplorable Silver Slimer

On 2016-10-19 7:01 PM, Cornelis Tromp wrote:
> The vast majority of 'Windows hacking' comes from the stupidity
> of users, not flaws in the Windows OS.

+1

> Granted it's not perfect, but browser security warns you when
> it's about to happen. There is no dumber person on the planet
> than a Twitter user. If they use a computer to access Twitter
> and a page happens to have some malware injected into it, these
> idiots will actually believe they have to install software to
> access it and click "Yes" instead of "No".
>
> There are effective Java exploits, but if you're still stupid
> enough to be using Java, you deserve to get your ass handed to
> you.

Agreed.

--
Deplorable Silver Slimer
Islam is a disease
Gab.ai: @silverslimer
  #3  
Old October 20th 16, 06:00 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Big Bad Bob

On 10/19/16 16:01, Cornelis Tromp so wittily quipped:
> The vast majority of 'Windows hacking' comes from the stupidity
> of users, not flaws in the Windows OS.


source, please. 'just because you say so' isn't authoritative. Sure,
it sounds great, but I'd like to see those numbers, if you don't mind.


> Granted it's not perfect, but browser security warns you when
> it's about to happen.


which browser? Intarweb Exploiter? I think not. The total number of
major security flaws that have already been patched by Micro-shaft, many
of which have been SERIOUS flaws [such as privilege elevation], as
evidenced by the MANY patches, is well known and well established.

the main advantage to NON-microsoft operating systems is the open source
peer review. Yes, evil hackers CAN use this fact to FIND
vulnerabilities, but so can security pros, and they have.

As for 'warning you', what is the browser looking for and detecting as
an 'exploit'? I guarantee you that if there's a 0-day
javascript-related (or flash-related, or graphics-related) flaw being
exploited in the wild, you'll get NO warnings other than a possible
browser crash...

"oops, we didn't buffer-check this optional field in the file format" -
that's OFTEN how it happens. then a carefully crafted 0-day is created
that puts executable code into a buffer overrun exploit, and you get NO
warning, except for that ransomware dialog box that insists you need to
pay them to get your files back..


> There is no dumber person on the planet than a Twitter user.


except a Hillary Clinton supporter, or a "pull the D lever" voter, or
just about ANYONE who "feels" instead of "thinks". Emotions make bad
decisions - ask anyone with 'beer goggles' on the morning after...



On a related note, a poorly configured router running Linux is ALSO
vulnerable to being cracked, like if you leave the default user/password
as-is AND allow remote admin, for example...

So SOME of what you said up front might be correct, but only if the
default settings are insecure, since [from my experience] the average
'clueless user' doesn't change the defaults.


--
your story is so touching, but it sounds just like a lie
"Straighten up and fly right"

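Added example, not part of the post above: the kind of missing length check on an optional file-format field that the post describes, next to a corrected parser, in C. The record layout, function names and sample bytes are constructed for illustration and do not correspond to any real file format or product.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical, for illustration only):
 *   byte 0    record type
 *   byte 1    flags; bit 0 set means the optional comment field follows
 *   byte 2    comment length N   (present only if bit 0 is set)
 *   byte 3..  N bytes of comment (present only if bit 0 is set) */
#define FLAG_HAS_COMMENT 0x01u
#define COMMENT_MAX 16

struct record {
    uint8_t type;
    char comment[COMMENT_MAX + 1];    /* always NUL-terminated */
};

/* The "oops" version: trusts the length byte taken from the file.
 * A length above COMMENT_MAX writes past rec->comment; a length above the
 * bytes actually present reads past the input. Kept for contrast only. */
int parse_record_unchecked(const uint8_t *in, size_t len, struct record *rec)
{
    (void)len;                        /* the bug: len is never consulted */
    memset(rec, 0, sizeof *rec);
    rec->type = in[0];
    if (in[1] & FLAG_HAS_COMMENT)
        memcpy(rec->comment, in + 3, in[2]);
    return 0;
}

/* Hardened version: every read is checked against the input length and
 * every write against the destination size. Returns 0 on success and
 * -1 on a truncated or oversized record. */
int parse_record_checked(const uint8_t *in, size_t len, struct record *rec)
{
    if (in == NULL || rec == NULL || len < 2)
        return -1;                    /* fixed header missing */
    memset(rec, 0, sizeof *rec);
    rec->type = in[0];
    if (!(in[1] & FLAG_HAS_COMMENT))
        return 0;                     /* optional field absent: done */
    if (len < 3)
        return -1;                    /* flag set but no length byte */
    size_t n = in[2];
    if (n > COMMENT_MAX)
        return -1;                    /* would overflow rec->comment */
    if (n > len - 3)
        return -1;                    /* claims more bytes than supplied */
    memcpy(rec->comment, in + 3, n);
    return 0;
}

/* Constructed samples: one well-formed record and two malformed ones. */
static const uint8_t sample_ok[]        = { 7, 0x01, 2, 'h', 'i' };
static const uint8_t sample_oversized[] = { 7, 0x01, 200, 'A', 'A' };
static const uint8_t sample_truncated[] = { 7, 0x01, 10, 'h', 'i' };

int main(void)
{
    struct record rec;
    /* Only the checked parser is given the malformed samples. */
    printf("ok:        %d\n", parse_record_checked(sample_ok, sizeof sample_ok, &rec));
    printf("oversized: %d\n", parse_record_checked(sample_oversized, sizeof sample_oversized, &rec));
    printf("truncated: %d\n", parse_record_checked(sample_truncated, sizeof sample_truncated, &rec));
    return 0;
}
```

The two rejected samples differ only in which bound they violate: the first exceeds the destination buffer, the second exceeds the input that was actually supplied, and a parser has to check both.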
  #4  
Old October 20th 16, 06:52 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Mayayana

"Cornelis Tromp" wrote

| The vast majority of 'Windows hacking' comes from the stupidity
| of users, not flaws in the Windows OS.
|
Vulnerabilities, such as Flash or IE cross-site scripting
vulnerabilities. That's user-caused only insofar as it's
"stupid" to allow Flash and scripting.

| Granted it's not perfect, but browser security warns you when
| it's about to happen.

Not hardly. And that creates its own problems. I
had an email from someone today who can't download
my software because Smart Screen tells them it's
unrecognized and therefore may be harmful. Security
via total xenophobic protocol. And Smart Screen seems to
require reporting websites to check on their reputation,
as well. So IE as installed spies on you and prevents you
doing much of anything but using large, corporate, online
services. And you can still get compromised because that
kind of security is simply based on user restriction, and
at some point user restriction has to be compromised for
the sake of functionality.


  #5  
Old October 21st 16, 01:53 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
David B.[_6_]

On 20/10/2016 18:52, Mayayana wrote:
> "Cornelis Tromp" wrote
>
> | The vast majority of 'Windows hacking' comes from the stupidity
> | of users, not flaws in the Windows OS.
> |
> Vulnerabilities, such as Flash or IE cross-site scripting
> vulnerabilities. That's user-caused only insofar as it's
> "stupid" to allow Flash and scripting.
>
> | Granted it's not perfect, but browser security warns you when
> | it's about to happen.
>
> Not hardly. And that creates its own problems. I
> had an email from someone today who can't download
> my software because Smart Screen tells them it's
> unrecognized and therefore may be harmful. Security
> via total xenophobic protocol. And Smart Screen seems to
> require reporting websites to check on their reputation,
> as well. So IE as installed spies on you and prevents you
> doing much of anything but using large, corporate, online
> services. And you can still get compromised because that
> kind of security is simply based on user restriction, and
> at some point user restriction has to be compromised for
> the sake of functionality.


What kind of software do you write, Mayayana?

Do you have a web site available for readers here to review?
  #6  
Old October 21st 16, 02:08 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Mayayana

"David B." wrote

| What kind of software do you write, Mayayana?
|
| Do you have a web site available for readers here to review?

You've asked me that at least once before. Apparently
you didn't find anything interesting at my site.


  #7  
Old October 21st 16, 02:59 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Mayayana

"Cornelis Tromp" wrote

| The vast majority of 'Windows hacking' comes from the stupidity
| of users, not flaws in the Windows OS.
|

A very interesting and apropos article at The
Register this week, for anyone interested in the
actual facts about online Windows security,
regarding the recent DNC hack:

http://www.theregister.co.uk/2016/10..._six_zerodays/

There's a PDF linked from there that describes the
hacks in great detail. The group doing it seems
to be a very talented, well funded bunch of Russians.
Almost a military operation, targeting the DNC but also
eastern European political targets.

It amazes me that people use
crappy webmail like GMail for anything more than
party invitations and RSVPs, but much of the hacking
depended on people having GMail accounts.... and
most of the people did! I wouldn't be surprised if I
could reach the Pope via .


The article/PDF linked above describes the use of 6
0-day exploits, as well as numerous vulnerabilities
that have been patched, mainly in MS Office, Flash
and Java. You thought people have to be stupid to
be using Java. But what about MS Office and Flash?
They're both major problems and always have been.
Most people are not getting drive-by infected because
of Java. The typical scenario is a browser with Flash
and script enabled.

The initial attacks in this case were via email -- either
rigged attachments or bitly shortened links that needed
to be clicked on. (Yet another example of why no
one should ever use link shortening services or
click on such links.) Those attacks exploited 8
vulnerabilities. One in Acrobat Reader, one in Flash
and 6 in MS Office. Two of the latter were 0-day
(unknown and unpatched at the time).

Once people clicked links there were 12 exploits
used at the destination webpage. Of those 12, 2
bugs were in IE8, one in IE11, one in all versions of
IE since v3 (!), 2 in Firefox, 2 in Java, 3 in Flash and
one Mac bug. Two Flash and one Java bug were
0-day.
The browser bugs almost certainly would have
required script enabled. Non-script browser
vulnerabilities are extremely rare.

One of the 0-day bugs used was in Windows itself:
https://technet.microsoft.com/library/security/ms15-051
(Now patched, but wasn't at the time it was used.)

What all of that means is that the average person
who goes online and allows script is a sitting duck.
The risk is greatly amplified by MS Office, Java and
especially by using Adobe products -- Flash or Acrobat
Reader. (By one account, 8 of the top ten exploits in
2015 were Flash. The other two were IE and Silverlight.
https://www.recordedfuture.com/top-v...bilities-2015/
)

That situation is getting worse because there's
now big money in it, which attracts skilled coders.
Look up NSO Group to find info about companies
that actually develop and sell 0-days to companies
and governments. They're described as an "Israeli
cyberweapons arms manufacturer" by Bruce Schneier.

There's
also a lot of website rigging going on. Much of that is
done by buying ads that show up at major sites like
AOL or NYT, then rigging the ad to install malware.
Since the ads are coming from remote locations and
there's no oversight of the ad buyers at companies like
Google/Doubleclick, it's a very efficient method. There
are also lots of corrupted sites running stuff like
Wordpress. A Wordpress component or javascript
library has a bug. People using those don't know how to
code for themselves in the first place, so they don't
keep up to date on patches. So their site gets infiltrated.
So a normal browser, going to popular websites and
doing nothing unusual, can easily be a vulnerable target.
All you have to do is enable script. If you also enable
3rd-party files, which nearly everyone does, then you're
a much bigger target. Which means that by your
definition 99.9% of people online are very stupid. In
a sense that's true. They shouldn't be enabling script.
But nearly all *interactive* activity online requires script.





  #8  
Old October 21st 16, 05:24 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Big Bad Bob

On 10/19/16 16:01, Cornelis Tromp so wittily quipped:
> The vast majority of 'Windows hacking' comes from the stupidity
> of users, not flaws in the Windows OS.


except, maybe, THIS???

http://www.theregister.co.uk/2016/10...at ch_parade/

"Microsoft says the graphics device interface vulnerability
(CVE-2016-3393) allowed attackers to gain remote code execution and
elevation of privilege powers."

"hacking group dubbed FruityArmor was exploiting the vulnerability in
chained attacks, using a True Type Font to trigger the bug."

"The attack saw browser sandboxes broken and higher privileges attained
before a second payload executed with the newly-acquired higher access
privileges."

"Windows 10's efforts to push font processing into a special user mode
that restricts privileges did not stop the exploit."


A TRUE TYPE FONT was being used. What 'stupid user actions' allows THAT
to happen?


(nice timing on the article, as it nukes your premise back to the stone age)


  #9  
Old October 21st 16, 07:23 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Mayayana

"Big Bad Bob" wrote

| A TRUE TYPE FONT was being used. What 'stupid user actions' allows THAT
| to happen?
|

I wouldn't call them stupid, but web fonts
have always been a risk and should not be
enabled. It's comparable to things like Flash.
Unfortunately, embedding fonts has become
extremely common, while not long ago it was
frowned upon due to both security and
webpage bloat.


  #10  
Old October 22nd 16, 12:18 AM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
David B.[_6_]

On 21/10/2016 14:08, Mayayana wrote:
> "David B." wrote
>
> | What kind of software do you write, Mayayana?
> |
> | Do you have a web site available for readers here to review?
>
> You've asked me that at least once before. Apparently
> you didn't find anything interesting at my site.



Hey! I'm sorry. :-(

When I'm out boating all summer I sometimes forget computing matters.

Please give me a reminder - a link preferably!

Cheers :-)


  #11  
Old October 22nd 16, 02:26 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Dave C[_3_]

On Thu, 20 Oct 2016 10:00:33 -0700, Big Bad Bob wrote:

> On 10/19/16 16:01, Cornelis Tromp so wittily quipped:
>> The vast majority of 'Windows hacking' comes from the stupidity of
>> users, not flaws in the Windows OS.
>
> source, please. 'just because you say so' isn't authoritative. Sure,
> it sounds great, but I'd like to see those numbers, if you don't mind.
>
>> Granted it's not perfect, but browser security warns you when it's
>> about to happen.
>
> which browser? Intarweb Exploiter? I think not. The total number of
> major security flaws that have already been patched by Micro-shaft, many
> of which have been SERIOUS flaws [such as privilege elevation], as
> evidenced by the MANY patches, is well known and well established.
>
> the main advantage to NON-microsoft operating systems is the open source
> peer review. Yes, evil hackers CAN use this fact to FIND
> vulnerabilities, but so can security pros, and they have.
>
> As for 'warning you', what is the browser looking for and detecting as
> an 'exploit'? I guarantee you that if there's a 0-day
> javascript-related (or flash-related, or graphics-related) flaw being
> exploited in the wild, you'll get NO warnings other than a possible
> browser crash...
>
> "oops, we didn't buffer-check this optional field in the file format" -
> that's OFTEN how it happens. then a carefully crafted 0-day is created
> that puts executable code into a buffer overrun exploit, and you get NO
> warning, except for that ransomware dialog box that insists you need to
> pay them to get your files back..
>
>> There is no dumber person on the planet than a Twitter user.
>
> except a Hillary Clinton supporter, or a "pull the D lever" voter, or
> just about ANYONE who "feels" instead of "thinks". Emotions make bad
> decisions - ask anyone with 'beer goggles' on the morning after...
>
> On a related note, a poorly configured router running Linux is ALSO
> vulnerable to being cracked, like if you leave the default user/password
> as-is AND allow remote admin, for example...
>
> So SOME of what you said up front might be correct, but only if the
> default settings are insecure, since [from my experience] the average
> 'clueless user' doesn't change the defaults.


If you're so smart how come you appear to be a Trump supporter. That man
is just one big con artist.
As to this post, I've said it before and I'll repeat, the best thing
anyone can do for their peace of mind regardless of operating system is a
combination of image backup and data file backup. A 2TB drive is around
$100. Backup software is free, I use Macrium free and FreeFileSync. I
intend to play with rsync to see how that works out.
  #12  
Old October 25th 16, 10:48 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Big Bad Bob

On 10/22/16 06:26, Dave C so wittily quipped:
> If you're so smart how come you appear to be a Trump supporter. That man
> is just one big con artist.


to an *IDIOT*, maybe.

However... if *YOU* are so smart, why are you NOT a Trump supporter?

Only a *****ING* *MORON* or *SOCIALIST* *****HEAD* or *CRIMINAL* would
actually _WANT_ Her Royal Heinous, Mrs. Clinton, Mother of Lies and
Empress of Deceitfulness, to actually BECOME the MOST POWERFUL PERSON IN
THE WORLD. Seriously? That's *SO* ****ED UP!

TRUMP TRUMP TRUMP TRUMP TRUMP TRUMP


  #13  
Old October 25th 16, 10:49 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Big Bad Bob

On 10/21/16 11:23, Mayayana so wittily quipped:
> "Big Bad Bob" wrote
>
> | A TRUE TYPE FONT was being used. What 'stupid user actions' allows THAT
> | to happen?
> |
>
> I wouldn't call them stupid, but web fonts
> have always been a risk and should not be
> enabled. It's comparable to things like Flash.
> Unfortunately, embedding fonts has become
> extremely common, while not long ago it was
> frowned upon due to both security and
> webpage bloat.



AH, I was contrasting "stupid user actions" being the cause, against
inadvertent usage of fonts being the cause (for which no 'stupid user
action' would be needed). 'My bad' if not clear


--
your story is so touching, but it sounds just like a lie
"Straighten up and fly right"
  #14  
Old October 25th 16, 10:51 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Melzzzzz[_2_]

On Tue, 25 Oct 2016 14:51:45 -0700
Big Bad Bob wrote:

> On 10/25/16 14:48, Big Bad Bob so wittily quipped:
>> On 10/22/16 06:26, Dave C so wittily quipped:
>>> If you're so smart how come you appear to be a Trump supporter.
>>> That man is just one big con artist.
>>
>> to an *IDIOT*, maybe.
>>
>> However... if *YOU* are so smart, why are you NOT a Trump supporter?
>>
>> Only a *****ING* *MORON* or *SOCIALIST* *****HEAD* or *CRIMINAL*
>> would actually _WANT_ Her Royal Heinous, Mrs. Clinton, Mother of
>> Lies and Empress of Deceitfulness, to actually BECOME the MOST
>> POWERFUL PERSON IN THE WORLD. Seriously? That's *SO* ****ED UP!
>>
>> TRUMP TRUMP TRUMP TRUMP TRUMP TRUMP
>
> OH, and I forgot to add 'Anti-Christ' to Mrs. Clinton's pedigree...



Is this good or bad?

--
press any key to continue or any other to quit
  #15  
Old October 25th 16, 10:51 PM posted to alt.privacy.anon-server,alt.comp.os.windows-10,comp.os.linux.advocacy,alt.hacker
Big Bad Bob

On 10/25/16 14:48, Big Bad Bob so wittily quipped:
> On 10/22/16 06:26, Dave C so wittily quipped:
>> If you're so smart how come you appear to be a Trump supporter. That man
>> is just one big con artist.
>
> to an *IDIOT*, maybe.
>
> However... if *YOU* are so smart, why are you NOT a Trump supporter?
>
> Only a *****ING* *MORON* or *SOCIALIST* *****HEAD* or *CRIMINAL* would
> actually _WANT_ Her Royal Heinous, Mrs. Clinton, Mother of Lies and
> Empress of Deceitfulness, to actually BECOME the MOST POWERFUL PERSON IN
> THE WORLD. Seriously? That's *SO* ****ED UP!
>
> TRUMP TRUMP TRUMP TRUMP TRUMP TRUMP

OH, and I forgot to add 'Anti-Christ' to Mrs. Clinton's pedigree...


--
your story is so touching, but it sounds just like a lie
"Straighten up and fly right"
 



