GoHip.com ActiveX Wreaks Havoc

This story popped in several times in the last couple days and it's pretty slow today so I figure it'll be good for a laugh. Apparently GoHip (no relationship to Goku or Gohan) had some sneaky ActiveX that a lot of people installed. Kinda a scary security situation right there. Makes me glad I don't have any of that OL- I mean CO- I mean ActiveX on this box.

Putting ActiveX on your machine is like...

[tpaine]

... bending over and grabbing your ankles in the prison shower.

Tasteless, tacky....

and under UCITA, this business practice would be perfectly legal (and no doubt Amazon will shortly patent it...)! After all there was some form of contractual "consent" through a click through license agreement, from what I understand from the wire article, and of course (changed) terms were actually posted SOMEWHERE on the site. What more could we ask of a potentially UCITA compliant slimeball company??

Morale: Turn Off ActiveX

[jonathansamuel]

The moral of the story is to go to Internet Options --> Security --> Custom Level on your IE browser and turn off ActiveX.

Re:Morale: Turn Off ActiveX

[locust]

The moral of the story is to go to Internet Options --> Security --> Custom Level on your IE browser and turn off ActiveX.

Definately. Even if you set signed component to prompt, a Microsft signed Active X component doesn't ask you if it should install. It d/ls then just installs anyway (see bugtraq). cuartango put up a demo of this.

--locust

Re:Morale: Turn Off ActiveX

[Nothinman]

Actually the problem on BugTraq was that the MS Active Setup program used in WindowsUpdate and things doesn't prompt you before it install MS signed software. You still get prompted before you install ActiveX Controls(assuming you didn't click the always trust button)
--

Re:Morale: Turn Off ActiveX

[quonsar]

The moral of the story is to go to Internet Options --> Security --> Custom Level on your IE browser and turn off ActiveX.

Of course, MacroSuck makes it very painful to do this - EVERY TIME IE encounters a page with ActiveX you will receive a warning that the page may not display correctly - this absolutely drives me wild. IE will let you turn off Java in every form and will never issue a peep about it, but turn off MacroSuck's ActiveX and it will pester you about it forever.

Microsoft sucks, GoHip sucks, I want my internet back, and like someone else said earlier, I want these bastards in the ring with me and my lead-weighted baseball bat.

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

Re:Morale: Turn Off ActiveX

[Garpenlov]

The moral of the story is to go to Internet Options --> Security --> Custom Level on your IE browser and turn off ActiveX

Uh.. no.. The moral of the story is, when your browser pops a window up that says, "Would you like to install Some Piece of Software?" you say No. The article said people "trusted" the software because of Verisign. I'm sorry, but Verisign doesn't ensure that the software is safe. All they do is verify the IDENTITY of the publisher. Then you decide whether or not to trust that publisher.

Re:Morale: Turn Off ActiveX

[sjx]

Just pray... *pray* that no-one signs a virus, worm or trojan with Microsoft's key (*not* impossible).

Then what? Totally blind execution of arbitary code, based on a code-signing algorithm that *ought* to be deprecated, but isn't.

... I really ought to check that turning off ActiveX in the IE browser completely fixes this. It might well not, and damn, if it doesn't, it's time to bugtraq this.

You think you're safe?

[Keelor]

Just because a person doesn't use ActiveX does most definitely not mean that they are invulnerable to this kind of situation. Any time you install a piece of software on your computer, unless you:

1) Read through all of the source of the installer, or

2) Have software that warns you about every change to your system,

there is a chance that the software is editing some part of your computer that it shouldn't. In short, this isn't just a company abusing ActiveX--this is a company abusing basic software practices.

Personally, I call software that changes my outgoing e-mail without my consent a virus...

~=Keelor

Re:You think you're safe?

[Battra]

>2) Have software that warns you about every change to your system.

Is there anything equivalent to tripwire or tcpwrappers for Windows? For *nix based systems, these are indispensible tools to track the integrity of your systems.

At a securty conference I went to about a year ago, everyone was complaining that they were not available for win32 systems. Has that changed since then?

Re:You think you're safe?

[demon]

You certainly have a strong point there - ActiveX isn't the only way of doing it, it just makes it too damned easy - and THAT, my friend, is the main problem with it. It helps to make it too easy for stuff like this to happen. That's why it's a bad idea.

Abuse is bad enough - but someone making it easier for others to abuse you (or your system) is even worse, don't you think?

Re:You think you're safe?

[wcb4]

As much as I hate to admit it (because of who makes it), perhaps one of the best programs I have found to this type of monitoring is Network Associates Uninstaller 5. It detects the launch of 95% of installers, and if it doesn't you can launch it manually.

It snapshots your registry before an install, and when the installation is done, it snapshots it again and stores the differences for you to examine (if you know what you are looking for) and backout of you don't like.

Aside from that wonderful bit of functionality, it actually creates transport files of installed software that can be transported to another machine and then exploded there to duplicate the install. Try doing that with most windows programs

All in all, if you have to use windows, might as well assemble a few tools to make your life easier and more secure. This is definitely a good one, and cheap

Re:You think you're safe?

[mmontour]

Commercial tripwire is available for WinNT, though I haven't used it. www.tripwiresecurity.com

Re:You think you're safe?

[bero-rh]

[can happen to non-AX users] any time you install a piece of software on your computer, unless you read through all the source of the installer or have software that warns you about every change to your system

Software that warns you about every change to your system, such as rpm or dpkg?
Neither of them will overwrite existing files without telling the user.
Guess most of us are safe...

Re:You think you're safe?

[Fat+Lenny]

If there isn't an RPM/DEB/whatever, what am I supposed to do? I downloaded and installed SSH from source not too long ago -- am I supposed to understand every line of C, or should I just hope that it isn't malicious? I haven't read any of the kernel source on my system, nor the source for any of the packages that were installed along with it, either.

If OSS really is for the masses, there will have to be a certain amount of faith and trust in the software provider, especially since everything is installed and compiled by root, which may or may not be someone with the skills to read a novel, much less code.

--

Re:You think you're safe?

[Keelor]

I agree completely. I was trying to make the point that it's entirely unreasonable to expect someone to verify _every_ change made by a program or read _every_ line of code to make sure it's safe. That's why GoHip is going against every decent "code of honor" for programmers--you don't make unauthorized changes to a system, except those necessary to get the basic functionality of your program installed/running. Last I checked, "basic functionality" of a video player didn't include a .sig advertisement.

~=Keelor

Re:You think you're safe?

[Jesus+Christ]

I got moderated down for insulting a whining AC. What is /. coming to?

(My guess is that the AC had mod points.)

I am the Lord.

Re:You think you're safe?

[seanb]

You are correct. Web pages with ActiveX controls are precisely as (in)secure as any software package installed on your computer.

I do not trust the average software package (even one listed on freshmeat.net) enough to istall it without checking up on it first. I do NOT want this done for me just because I visit a website.

To somebody with a Unixish point of view, allowing webpages to automatically install and run undocumented software on a machine which you are running in single user mode feels like a game of Russian Roulette.

Of course, most windows users are used to this kind of thing.

There's no such thing.......

[luckykaa]

...as bad advertising.

Having read abvout what a nasty and insidious thing this company did, I went to their web site to see what they do. Before I hadn't heard of them. I'd be surprised if they didn't get a few more customers from this.

Re:There's no such thing.......

[rgmoore]

...as bad advertising. Having read abvout what a nasty and insidious thing this company did, I went to their web site to see what they do. Before I hadn't heard of them. I'd be surprised if they didn't get a few more customers from this.

Sad, but true. Pretty much the same thing happened to me with the decision about the ditto search engine. I had never heard of the company until someone sued them, but when I went to their site to see what the fuss was about it turned out that they were pretty cool. Now I know were to go if I want to search for jpegs on the net- and it's all because someone sued them and tried to run them out of business.

Re:There's no such thing.......

[Mr.+Slippery]

I'd be surprised if they didn't get a few more customers from this.

I'd be surprised if they don't get their asses sued into total and complete bankruptcy over this, on top of any charges for computer crimes. (Actually, after reading the Wired article, this looks like a one-man operation - replace "they" with "he" in the sentance above.)

ActiveX...

I love the "ActiveX gets put in your system folder and started every time you start your system." That's some good fact checking. I presume they meant to indicate that an ActiveX download could install a back door which would set itself to load everytime you start your PC...

ActiveX is a superb technology for intranets, but it has absolutely no place on the open internet apart from extremely high quality/high credibility sites. Then again despite all the anti-MS rantings that will undoubtably come of this, ActiveX is in a nutshell simply an EXE that can be embedded. There's nothing more insidious about ActiveX than that link of blooblemeisters.com "Download the new management console for your Linux machine here!".

As a sidenote: There's an ad running at the top of my machine for penguin computers showing a giant penguin stepping on the Redmond campas. Are all these companies so bloody insecure and defensive? Really these ads are pathetic. Is there an IS manager out there anywhere who is such a loser he'd buy a machine because the ad shows it stepping on Microsoft? That's uber lame gentlemen, and anyone who is motivated by such things should seek medical help.

Cheers!

Re:ActiveX...

[bero-rh]

ActiveX is a superb technology for intranets

I disagree. A superb technology would be cross-platform so at least everyone can use it.

Is there an IS manager out there anywhere who is such a loser he'd by a machine because the ad shows it stepping on Microsoft?

I don't think so, and I don't think that's what the ad is supposed to do. Banner ads are there to make you click on them to find out more, and I'd think this ad achieves just that.

The stuff that's supposed to make you buy is on the page you're led to.

P.S.: Someone at slashdot.org, please fix up Extrans posting - having to use HTML for everything (or not using formatting at all) is annoying.

Re:ActiveX...

[scrytch]

> A superb technology would be cross-platform so at least everyone can use it.

A little unclear on the concept of intranet are we?

I still fail to see the qualitative difference between an ActiveX control and a Netscape plugin other than that the latter is more hassle, less efficient, and therefore less peopl are inclined to develop or use them.

Re:ActiveX...

[bero-rh]

Not at all unclear - I wouldn't want to force Windows on anyone in any company that doesn't do M$-specific work, so I wouldn't want to use ActiveX even on an intranet.

A Netscape plugin isn't a perfect way to do something either (same reason - enforcing one browser on everyone; but better, at least Netscape will run on several OSes).

Re:ActiveX...

[Erchie]

Humor? The ad is absolutely geared to the way a lot of Linux enthusiasts think ("Down with Microsoft! I'd let Satan have his way with me if it'd cause MS' stock price to drop!") and it truly is pathetic.

I don't think it's pathetic. And BTW, Microsoft's stock is dropping these days-- or haven't you noticed?

Hallelujah! There is a god, after all!

NOW is when to use a DOS attack!

[chocolatetrumpet]

Just think, we all join together to shut down a lousey site like this... and everyone is happy!

Horray for Pokey!

The REAL Morale

[panda]

The real morale of the story?

Trust nothing. Trust no one on the 'Net. You don't get something for nothing, so stay away from sites that offer anything "free." It's most likely a scam.

READ those agreements before you click on 'Accept.' You'd read a contract before signing it wouldn't you? Under UCITA those click agreements just might become legally binding.

Most of all, don't use IE and don't use Windoze. You don't need ActiveX or any of that other flashy shit to use the WWW.

Disable anything that allows some site to run code on your machine. Use SSH. Use crypto. Encrypt your hard drive. Lose your keys, and then your data is even safe from your own prying eyes.

Be paranoid, be very paranoid.

Install from source, not RPMS. Read every line of code. Make sure you understand what every line of code does in a package before you type "make." Know the code better than its maintainer before you even dream of running it.

Knowledge is power. Forewarned is fore-armed. An ounce of prevention is worth a pound of cure. Pick a cliche, any cliche, and apply it to evey situation.

The truth is...out there.

A couple interesting things...

[ChristianBaekkelund]

A couple interesting things here...

First, in the article, those "fine print software agreements" were discussed...the legal validity of such have been under question for a while now. Due to various legal details, those "click Next to continue installing" agreements are considered by many to be too automatic and do not require enough action on the agreeing party to be legally binding...

Second, I was amused that GoHip.com considers what they do a Browser Enhancement.

Third, ActiveX ever since it's first incarnation has been horribly gigantic a gaping security hole. Anyone even remotely self-respecting computer security-savvy individual would never dream of having ActiveX enabled on their computer. Unfortunately, the average Joe might not know this...hopefully, they will be educated in time.
Here's one (of many) place I definitely like Java a whole lot better...

Fourth, in the end, this really isn't that big of a deal, as it was relatively benign. Hopefully, however, it will educate people as to the dangers of ActiveX, in general. I think David Kroll said it best: "I think it's pretty tacky what they did". Although he and Finjin did get it wrong when they said: "this is the first time a company has used ActiveX to alter personal information on someone's computer." Just see the ActiveX Exploder link mentioned above! I think they'd be more accurate in saying this is the first time it's been done purposefully and on a large scale by a corporation.

Fifth, this reveals an interesting problem with "signing" such programs with things like Verisign. That signature doesn't really mean as much as most people think that is does, as Verisign said: "Verisign spokesman Gray Chapman confirmed that GoHip is certified by Verisign, but stressed that his company was not in the business of passing judgment on the business practice of its client."

Sixth, GoHip.com sounds horribly sketchy. No phone numbers, bouncing e-mail addresses...is anyone surprised?...But finally, I have to admit to being horribly amused at the final quote by one of the "infected" GoHip.com visitors: "I compliment GoHip for a fine marketing effort as I certainly know who they are. I hate them, but I know who they are". In the end, capitalism seems to be all that matters again...

Re:A couple interesting things...

[pnevares]

On one of your links (http://www.gohip.com/remove_br owser_enhancement.html) it sends you to another page to remove GoHip as your IE Search Engine; you have to download a registry update file! Excuse me, but if a company used malicious code to change my e-mail signature (among other things), I'm not letting them modify my registry!

"Of course I trust them!"....NOT!

Pablo Nevares, "the freshmaker".

Re:A couple interesting things...

[Lowther]

"Verisign spokesman Gray Chapman confirmed that GoHip is certified by Verisign, but stressed that his company was not in the business of passing judgment on the business practice of its client."

By certifying GoHip, they are endorsing their business practices. This statement is a cop-out. The credibility of Verisign wil be damaged by the actions of GoHip, unless they take action.

As for 'passing judgement', there is little that needs to be said in judging any organisation who distributes of trojans like this.

Re:A couple interesting things...

[pnevares]

By certifying GoHip, they are endorsing their business practices.

If you believe the above, you probably believe that GoHip's ISP should be dropping their service because of their business practices; and that Network Solutions (or whoever) should revoke GoHip's registration. Both these companies are allowing them to do business in this fasion as well, and are in the above logic losing credibility because they're allowing GoHip to continue.

Pablo Nevares, "the freshmaker".

Re:A couple interesting things...

[MicroBerto]

Sixth, GoHip.com sounds horribly sketchy. No phone numbers, bouncing e-mail addresses...is anyone surprised?

Everyone here is talking about ActiveX and stuff, but I'm just simply PISSED at this company! Wouldn't you just love to get a baseball bat and sock these guys a homerun? That's how I feel about it, I can't explain my frustration with the situation, it just deeply angers me that they'd do this. I am so goddamn sick of stupid assholes like this. Yesterday I was at my friends house for an hour disarming his virus. I've had enough of these kids. I want them in the ring, with my baseball bat.

- Mike Roberto
-- roberto@apk.net
--- AOL IM: MicroBerto

Re:A couple interesting things...

[theCoder]

OK, I know this probably won't be a very popular opinion, but really, a gaping security hole? ActiveX controls are not any more of a security hole than any other executable. That said, you should definitely be wary before downloading and running any ActiveX control, just like you're wary of downloading and running programs. On a Windows 95/98 machine, both can cause a lot of problems (NT is a little more secure, but I'm sure there are ways to mess with it too).

But these security problems are not inherent to ActiveX, and ActiveX is not specifically designed with poor security. ActiveX is a set of COM interfaces that a particular library must implement. Personally, I think COM and interfaces are an excellent idea (in and of themselves -- I'm not refering to a sepecific implementation). COM allows programmers to write libraries that perform a service. And if someone wants to implement that service in a different way, they are free to do so -- they just have to implement the same interface. And because of GUIDs, it's completely distributed -- there's no central authority.

The only thing that COM (and ActiveX) doesn't address is untrusted components. That is a shortcoming, but until that's fixed, it's up to the user to trust or not trust the components that he/she is putting on his/her system.

GoHip is the untrusted source in this article, not COM.

Re:A couple interesting things...

[rlk]

Not really; GoHip's ISP isn't publicly certifying anything about them; they're a common carrier. VeriSign is representing something about GoHip publicly, so I'd say they have a bit more responsibility. If VeriSign wants to certify something that weak, that's fine, but then perhaps VeriSign's not providing as strong a service as they should.

Re:A couple interesting things...

[Imperator]

The nice thing about a .reg file is that it's actually a text file, so you can easily see what it does before you apply it.

Re:A couple interesting things...

[beaquat]

Personally, I dont see anything wrong with Verisign. They ensure that the file you are downloading actually comes from that source, nothing more. An analogy would be secure sites. Just becasue you are on a secure site does not mean that what you are doing/getting isnt bad for you. I think Verisign is a good tool as is. If you try making them have to check out everything they sign, the service will cost more and be used less often.

Re:A couple interesting things...

[sjames]

By certifying GoHip, they are endorsing their business practices.

Nonsense. Verisign is simply verifying that they really are GoHip and the the ActiveWrecks came from them (both of which are true). Verifying who someone is is not an endorsement. Consider picking someone in a police lineup or pointingh them out in court.

MS et. al. have certainly lead the public to a different conclusion in attempting to hide the fact that activeX is a gigantic security problem. (Oh, don't worry about that, they all have to be signed.)

Re:A couple interesting things...

[divec]

The final quote by one of the "infected" GoHip.com visitors [was]: "I compliment GoHip for a fine marketing effort as I certainly know who they are. I hate them, but I know who they are.

I really don't understand people who think just because a company is good at making profit, that the company is working in the consumer interest. The free market is good for consumers because that *sometimes* holds. But it often doesn't.

Should we compliment serial rapists because they have a good evolutionary strategy? Some of their victims will become pregnant, and some of those won't have abortions, so the rapist's genes get passed on. (Obviously I'm not condoning rape, just criticising the reasoning that the GoHip visitor used).

Re:A couple interesting things...

[Imperator]

I suspect that, even if regedit.exe (or regedt32.exe) doesn't allow you to, it would be a fairly trivial program to write. In fact, I bet I could do it with Perl and Win32::Registry in 15 minutes.

Re:A couple interesting things...

[gwalla]

The person was being sarcastic.
---

Re:A couple interesting things...

[lemox]

Or you could just copy your USER.DAT and SYSTEM.DAT and accomplish the same thing with much less effort.

Re:A couple interesting things...

[dillon_rinker]

I have. It works. On Win 95 boxes that wouldn't boot into Windows, I've exported the entire registry to a text file, found problems, made changes, and then reimported the registry file. No problem and very slick.

Re:A couple interesting things...

[aphrael]

Unfortunately, there is an area where ActiveX _is_ a gaping security hole: the registry.

In order for AX controls to work properly, they have to register themselves. Because Windows does not support _selective_ registry access (in which, for example, an AX control would only have direct access to the TYPELIB and CLASSID keys, and would have to be authenticated in order to have access to anything else), that control can then change anything else in the registry.

A better model would seperate out the parts of the registry used by AX controls and grant automagic write access only to them.

--Robert West
--Delphi ActiveX R&D

VeriSign

[Sir+Banana]

I think the main problem here is the award of a digital signature to something that obviously is set out to cause anoyment. Personaly I like to power that the ActiveX controls allow, such as the windows update control which checks what updates you need automatically, however unless there is a reliable organisation looking at the controls then it is no longer going to be possible to trust anyone.

What are the requirements for getting a digital signature? Has someone actually tested the control on their system and decided that the changes it makes are suitable or is the process more a foregone conclussion. Companies simply going through the motions to get the signature?

Re:VeriSign

[Stormin]

All the signature means is that it came from the company listed on the certificate, or someone who had access to their private key. Getting the signature involves proving to Verisgn that you are the entity listed.

The process is designed to protect against, say, a hacker breaking into the web server and replacing the ActiveX control with a trojan version. He could do that, but the trojan would not bear the signature.

But it won't prevent someone who works at the company from creating the same trojan and getting it signed.

In a nutshell, it tells you where it came from, not what it is.

Re:VeriSign

[David+Price]

From the PGP FAQ:

"Bear in mind that your signature on a public key certificate does not vouch for the integrity of that person, but only vouches for the integrity (the ownership) of that person's public key. You aren't risking your credibility by signing the public key of a sociopath, if you were completely confident that the key really belonged to him. Other people would accept that key as belonging to him because you signed it (assuming they trust you), but they wouldn't trust that key's owner. Trusting a key is not the same as trusting the key's owner."

This lesson is applicable to any public-key problem. VeriSign isn't to blame here - they did exactly what they were supposed to do.

Re:VeriSign

[ptbrown]

Which begs the question, Would it be feasible to set up an authenticator that also ensures the signed applet won't do anything annoying, unexpected, or subversive to your computer? I imagine companies wishing to benefit from the negative press of others would line up for the chance to say "WE don't invade your privacy like this, and here's the signature that guarantees it."

Re:Goku? Gohan?

[finkployd]

Personally I think Dragonball references are Kahamahilerious :)

Finkployd

Exploits & Corporations - Same holes...

[Spoing]

So, there are more valid reasons to turn off Active-X. Big surprise. The fact that a corporation -- sleezy or not -- does this is no surprise. Staples keeps sending me spam, and they should know better...there's always Office Depot!

On a practical note, here's what I keep telling the people;

1. Turn off these everywhere...

HTML (except the browser)

Java

Java Script

Active-X

VBA or macro features

Anything similar to the above

2. Cookies - Delete it and recreate a new unreadable cookies file.

3. Never open any message unless you...

Know the person sending it

Expect the message

4. Move all mail to a Spam/Suspect/Trash folder automatically if the mail doesn't pass these two rules at a minimum...

It's from a known and trusted person or mailing list

It's addressed to one of your valid mail addresses; it's not from a mailing list

5. Remove all personally identifying comments from programs that have net access (Netcape's Mail Identity page, ...)

6. Don't give out your email address unless it's REALLY NECESSARY.

7. Use different email addresses for different types of mail; business, personal, ....

8. If you have to give out an email address for one-time use, tag it; /. asks, use something like slashdot_yanky@hotmail.com or some such (or better yet, get your own domain and mail server...quite handy!)

The best way to handle this is a firewall with filters. Remember, Procmail For Security and good ipchain rules are your friends!

Re:Exploits & Corporations - Same holes...

[aliebrah]

You're gonna ruin the whole fun of the Internet for those who you tell these rules to. They rule I tell people is to be careful and not do anything they wouldn't do in person. BUT, if anyone follows your instructions they end up with a largely nonfunctional browser, websites that can't customise pages.

Who the hell is going to expect email? I don't expect email from my friends at specific times. When it comes I read it. Simple. I don't call them up to check: "Hey, I have an email from xxx with xxx timestamp, is it yours?".

I think you're going way overboard, why not just disconnect from the net completely. Don't forget to disconnect your fd0 and cdrom or someone could install a exploit.

Re:Exploits & Corporations - Same holes...

[acb]

8. If you have to give out an email address for one-time use, tag it; /. asks, use
something like slashdot_yanky@hotmail.com or some such (or better yet, get your
own domain and mail server...quite handy!)

Or get a SpamCop account, run all your publically-known addresses through that and keep your private address secret. Spam ends up in a web-based in tray, from which you can automatically send complaints to relevant parties at the touch of a button.

I'm not connected with SpamCop's operators; I've been using it for several months now, and so far have seen only about 3 spams make it through (and those were soon dispatched via a URL in the headers). I highly recommend SpamCop.

Re:Exploits & Corporations - Same holes...

[Spoing]

You're gonna ruin the whole fun of the Internet for those who you tell these rules to.

Not necessarily true. If you want to add/comment on a specifc rule, go right ahead. "Rules are for fools to follow, and the wise to use as guides."

Who the hell is going to expect email?

You do. If you get email, it tends to follow a pattern. If you recieved a message about "NEW MONEY MAKING DEAL! $$$" from an email address you use for either chatting with a friend, or as a web site contact only, your expectations will be different.

[rest of rant deleted]

Is this necessary?

Re:Exploits & Corporations - Same holes...

[Mr.+Slippery]

1. Turn off these everywhere...

• HTML (except the browser)
• Java
• Java Script
• Active-X
• VBA or macro features
• Anything similar to the above

I'm with you on all except HTML - so long as we're talking straight HTML sans scripting, objects, or applets, I don't see a danger in rendering simple text markup in e-mail messages.

Also, turning off Javascript turns off style sheets; that may or may not justify leaving it on, depending on your browsing habits. Javascript is, I belive, less of a risk than Java, and orders of magnitude less of a risk than ActiveX.

3. Never open any message unless you...

• Know the person sending it
• Expect the message

Good advice for attachments, but for plain text or HTML formatted (assuming scripting, objects, and applets off) e-mail messages there's no danger. Otherwise you're getting so paranoid that the net becomes useless.

6. Don't give out your email address unless it's REALLY NECESSARY.

Again, I think that's overly paranoid. I want people to be able to reach me: for /.ers to praise or flame my posts, for headhunters to talk to me about job opportunities after reading my resume, for beautiful women to read about me and fall lovingly at my feet (a man can dream, can't he?)

I take a few anti-spam precautions. My address above is given in a spam-proof fashion, and so is the one on my web site (interestingly, it appears that many spambots read only the text of the page and don't parse the contents of a "mailto" URL). When I do get spam, I usually send it to the appropriate postmasters and the account is revoked within hours. And I use slocal (part of MH) to filter incoming mail and autobounce a few rouge domains.(Although now that I'm running my own genuine domain instead of a forwarded virtual one, I can make sendmail do the work.)

Re:Exploits & Corporations - Same holes...

[Whip]

Staples keeps sending me spam, and they should know better...there's always Office Depot!

I'm not certain what Staples has been doing, but Office Depot has to be at least as bad. After ordering from them online, I got put on several of their mailing lists, and could never manage to get myself removed from them (over a course of 6 months) -- Mailing the listserver (per their instructions), their NIC contact, postmaster, their support address, and others, never managed to get me unsubscribed from their list. I ended up procmailing them to /dev/null.

Yuck.

Re:Exploits & Corporations - Same holes...

[chitzu]

>6. Don't give out your email address unless it's REALLY NECESSARY.

Hmmm, that can be a thad unpractical

>7. Use different email addresses for different types of mail; business, personal, ....

Or, get your own domain and mailserver (as sugested) and make the domainname of the company in question into the userpart of the adress you are giving them.

I would tell gohip.com that my email adress is gohip.com@cortex.nl.

procmail is your friend.

Re:Exploits & Corporations - Same holes...

[Mr.+Slippery]

Almost every browser security and privacy exploit has hinged upon JavaScript's unregulated access...

But it's harder to hide a JavaScript attack, since the source is the executable. So these expoits get shaken out pretty quickly.

But for the long term solution..

Why go to the trouble of messing with something where security is broken by design?

The long term solution is to set your bios to boot from A floppy first, put in the RedHat install floppy and the install CD, and your troubles are gone for good. With the Gnome interface that comes with RH 6.1, Windows users will have no trouble coming up to speed.

The only "downside" is that you will be able to tell who is using broken MS software: their apostrophes will be displayed as question marks.

And no, I'm not trying to exclude distros other than RH. It's just the one I am familiar with, and have found very easy to install. So I think it's a good choice for the new user.

Re:But for the long term solution..

[innocent_white_lamb]

The only "downside" is that you will be able to tell who is using broken MS software: their apostrophes will be displayed as question marks. ---------------------------- At risk of sounding stupid, I've noticed this on a lot of web pages and have accepted it as some sort of a bug or incompatibility in the fonts somewhere along the line. What is the real story? Is it a font bug? Or.....

Re:But for the long term solution..

[BitS]

This isn't broken MS Software, this is broken html...... apostrophes are not valid in the charecter set HTML is based on... your supposed to use an HTML entity code to represent the apostrophy, which the browser will display properly... the thing is, MS doesn't try to make up for stupid HTML authors, they let the apostrophy display as a bad HTML item, where as other browsers make up for it.

As much as I hate to defend MS, the problem your talking about is a problem of the HTML, not the browser in this case.

Re:But for the long term solution..

[Erchie]

Yes, I'm sure we all revel in your wishful idealism, but putting Linux on every PC is not a practical solution.

Despite the fact that it may seem perfect to you, many people need drivers that it lacks. And no, they're not going to write them themselves. And why pay for someone to do it, when you already have a working solution? Sorry, it's not a practical move.

Who wants to bet me that this is not one of those infiltrating Microsoft-employed or deadly bound posters I was talking about in my previous post?

Re:Goku? Gohan?

[Ethan]

Moohahaha! There's nothing more satisfying than waking up to Anime references on /. on a Sunday morning. :-) After my Neon Genesis comments to an article about implanting consciousness in a computer received a pathetic +1 Funny, this is some sort of vindication. ;-)

Way to go, CmdrTaco!

Another Reasson Active X is a Bad Idea

[Carnage4Life]

There I was thinking that ActiveX was a bad idea simply because of the dozen or so exploits I have seen announced ZDNet over the past few months (visit the Windows Update site sometime and count all the IE 5.0 patches).

Actually I'm lying, the real reason ActiveX is a bad idea is that it gives waaaay too much power to in-browser apps. Why would I want a plug in I download from a website (not an application or .exe mind you) have the ability to modify system files on my machine? At least Java browser apps work in a security sandbox and cannot affect system files.

Re:Another Reasson Active X is a Bad Idea

[Whip]

Actually I'm lying, the real reason ActiveX is a bad idea is that it gives waaaay too much power to in-browser apps. Why would I want a plug in I download from a website (not an application or .exe mind you) have the ability to modify system files on my machine? At least Java browser apps work in a security sandbox and cannot affect system files.

But the power that ActiveX has is really no different than the power that any other plugin for any other browser has. Anyone that's ever downloaded a plugin for Netscape has put themselves in exactly the same danger that someone downloading an ActiveX control has put themselves in.

That's the thing that I don't get about people who complain about ActiveX -- In reality, downloading an ActiveX control is basically exactly the same as downloading a plugin, but incredibly more convenient.

I suppose the main problem will be people just clicking 'OK' when the 'Install ActiveX control?' dialog box pops up, no matter what site they're on -- But if that same site popped up a window saying "You need a plugin to view this site, click here to download," don't you think the exact same thing would happen? Is there a real difference?

Re:Another Reasson Active X is a Bad Idea

[Gregg+M]

Try reading this
"The basic security issue is that Microsoft has the power to freely run code in our systems," Cuartango said ... I want to be warned. Microsoft software will bypass this security configuration setting."

Plugins don't allow other plugins to run code on your machine.

Microsoft's Active Setup control essentially circumvents the user approval process, granting over-arching permission to all subsequent ActiveX controls coming from a site during installation. Unlike normal controls, the installer program starts without prompting the user for permission.

Re:Another Reasson Active X is a Bad Idea

[jetson123]

Making something "incredibly more convenient" can be a security flaw (and in the case of ActiveX definitely is).

In the process of downloading a browser plugin, you get a lot more information about the plugin and a lot more opportunity to find out more about it. That's a security feature. And that's why plug-ins are much less evil than ActiveX.

Of course, proper sandboxing, as in Java and Tcl, is the best answer.

I was livid when I found out...

[dcjames]

I run a dual boot system here ( Linux / Win95 ) since I have some occasional guests that are a little afraid of Linux yet. I was absolutely incensed when I found out they had run across GoHip, and it had mucked with my system. I fired off a complaint to every one of their upstream providers, and the computer crime section of the FBI. As far as I was concerned, GoHip had run an exploit on my system, cracked it, and performed unathorized and hostile modifications to my files.
There is no longer a web browser available under Win 95 on my system. My guest will just have to overcome their "fear of flying" and surf under an OS that I can lock down.

Re:Goku? Gohan?

[Alex+Belits]

Told ya -- Evangelion (Neon Genesis Evangelion) just mentioned one comment below.

why disabling Active-X won't work

[Marvin_OScribbley]

There are just too many sites out there that use this stuff. Sure Javascript, Java, Active-X, etc. all have security issues. But every time I go disabling any of them guess what happens? My wife goes to use the computer and tries to bring up Playsite, or Uproar, Sony Play Station (etc etc), and what happens? Nothing works! Then she gets mad and I have to re-enable all that stuff.

The only real solution I see for myself personally is to simply have a separate computer for browsing the net. Computer are cheap these days, and how much resources does a computer need to browse the net? Since nothing important is kept on the net browsing computer these security issues don't really matter much to me. And having to reboot periodically isn't a problem either, since all the real work is being done on a more powerful machine else.

It makes for a lot less stress too. Heck if I did all the things some people advocate whenever a story like this comes up I'd be a paranoid cave-dwelling hermit! ;-)

cookies

[/]

Cookies - Delete it and recreate a new unreadable cookies file.

Well, since you're posting on slashdot as a logged in user, you're obviously hypocritical on this one. Why not instead tell them to run something like junkbusters that'll actually let them control what cookies they want instead of just blindly and across-the-board killing them all?

Re:cookies

[Spoing]

Well, since you're posting on slashdot as a logged in user, you're obviously hypocritical on this one.

I am? That's kinda harsh.

The advice I give to others isn't detailed -- most people won't follow that. To handle /., you can either login each time or login with cookies enabled, save the necessary /. cookie, and then make the file read only.

Why not instead tell them to run something like junkbusters that'll actually let them control what cookies they want instead of just blindly and across-the-board killing them all?

I use Junkbuster. Handy tool. Most people won't go through the hassles...however minor.

Re:cookies

[Jesus+Christ]

Well, since you're posting on slashdot as a logged in user, you're obviously hypocritical on this one.

Actually, you don't need cookies to post under a registered name. You can type in your name and password and hit "Submit". Without cookies. (If you hit "Preview", you'll have to type them in again before you post.)

You only need cookies on Slashdot if:

• you want /. to remember who you are from post to post (for convenience) OR
• you want your comments.pl and front page to be customized

Why not instead tell them to run something like junkbusters that'll actually let them control what cookies they want instead of just blindly and across-the-board killing them all?

Because I'd rather turn cookies on when I really do need them, instead of keeping them on all the time and having some third-party app prompt me every two seconds.

I only turn cookies on when I'm using a shopping cart. Cookies on, buy goods, cookies off. Very quick and easy. . .

. . .in Netscape, obviously. MSIE users have a tougher time, becasue IE5 hides the cookie settings in a slow "Security level" dialog. Sometimes I think that MS made that dialog slow just to discourage people that switch their settings a lot. <flamebait>But then I remember that all M$ software sucks, so I should stop being paranoid.</flamebait>

(Just kidding. Not all MS softare sucks. Notepad is pretty nice. ;-)

I am impressed, however, that Junkbusters offers the source.

I am the Lord.

Re:cookies

[Bazzargh]

Cookies are not meant to be persistent across browser sessions, only within one. (see RFC 2109, cookies are described as 'short lived' and the author says 'the default behaviour is to discard the cookie when the user agent exits'). Cookies dont kill people, netscape and IE kill people.

Lynx Does It Right - there is no cookies file, and it warns you about promiscuous cookies.

I am currently logged in using a cookie, and posting this message - in Lynx. :o)

Re:cookies

[mcrandello]

""To handle /., you can either login each time or login with cookies enabled, save the necessary /. cookie, and then make the file read only.""

That's the best way to do it with netscape in Windows. Just leave cookies enabled and set cookies.txt R/O. What happens is you will be able to use yahoo mail type sites while in the same session but your roomate won't be able to snoop your emails after you close the browser. Most sites won't give you those stupid "you must have cookies" messages as well. Beats the hell out of "prompt before accepting"...


mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.

Re:cookies

[Grey]

Why not instead tell them to run something like junkbusters that'll actually let them control what cookies they want instead of just blindly and across-the-board killing them all?

Why not just use and edit the cokies file? For netscape it is dirt simple. Then `chmod 400 cookies`. Of course the later only works on real operating systems, but if you use junk it is your own problem.

Not to say that UN*X is the only OS but any usefull OS these days should have the the concept of a user, per user prefernces and file permisions. I just don't the read only permisions for any other OS.

funny how no one mentions...

[AshleyB]

that GoHip tells you exactly EXACTLY what they are going to do with your computer in its download agreement, but these people are 'too busy' to read it and 'feel they shoudln't have to'!

I don't see GoHip forcing people to their website and forcing them to download this stuff. Yet another example of personal responsibility taking a vacation within the walls of slashdot.

Re:funny how no one mentions...

[Chompster]

I haven't seen how their licencing routine works.. and I bet you haven't either.. but chances are its quite inconspicous..

So What?

If its like i think it is, and it has those lines in there after the legalese its akin to false advertising. Most people don't read the fine print on the ads on TV, and thats what this is probably like.

Re:funny how no one mentions...

[chipuni]

Their licensing is actually fairly specific (though it is at the end of the license.)

By installing the "Free Video Update"browser enhancement you understand and agree that the following changes will be made to your World Wide Web program: Your DEFAULT LINK to your Home page will take you to GoHip! Your SEARCH DEFAULT will take you to the GoHip! search. A BOOKMARK feature will be added to your file. This feature will add additional BOOKMARKS to your directory. Your SIGNATURE LINE on all of your outbound e-mails will be modified to promote the GoHip! Free Video Update, making your e-mail recipients eligible for free video.

Very sleazy business practice, in my opinion, but they -did- tell you. Another good reason to read through licensing agreements.

AKA "adam & eve channel" + Contact Info

[BoLean]

Here is their info from the WhoIS registry. Also the USPTO registration.

Registrant:
Alchemy Communications (GOHIP-DOM)
9610 DeSoto Ave.
Chatsworth, CA 91311
US

Domain Name: GOHIP.COM

Administrative Contact, Technical Contact, Zone Contact:
Administrator, DNS (JH334) dnsadmin@ALCHEMY.NET
Alchemy Communications
9610 Desoto Ave
Chatsworth, CA 91311

(818) 718-0366 ext. 402 (FAX) (818) 700-2835

Record last updated on 14-May-1998.
Record created on 14-May-1998.
Database last updated on 26-Feb-2000 12:35:37 EST.

Domain servers in listed order:

NS1.ALCHEMYFX.COM 209.132.221.21
NS2.ALCHEMYFX.COM 209.132.221.22

About Alchemy, GoHip's host/ Parent Company

:Alchemy Communications
1200 West 7th Street, Suite L1-100
The Garland Building
Los Angeles, CA 90017
TEL: 213-596-3000
FAX: 213-596-3004
Email: goldensales@alchemy.net

PTO Trademark Registration for GOHip
Word Mark GOHIP!
Owner Name (APPLICANT) GoHip, Inc.
Owner Address 8306 Wilshire Boulevard, #54 Beverly Hills CALIFORNIA 90211 CORPORATION CALIFORNIA

New MS motto...

[kwsNI]

I think Microsoft's motto should be:
Where did our software take you that you didn't want to go today?

kwsNI

Patching Netscape & IE...

[Spoing]

Obviously we can't trust users, crackers, or corporations to keep things safe. If a service is available in the browser or the OS, it will be abused and the user -- who is responsible -- will only get confused when things go wrong. They are to blame for not doing something, but we all know they won't do anything till it's too late.

What's left? Patch the browser using a binary editor or other tools. Here are some things to do to get started. But, what to patch? (I had a list of 6 places to patch, but can't find it on this machine...maybe the one at home.)

To give you an idea, a quick check of main netscape binary (Linux) shows 200+ points where Java Script functions might be patched, let alone Java;

strings netscape | grep "JS_" | wc -l

Re:Goku? Gohan?

[Alex+Belits]

(puts on glasses)
(removes all traces of expresstion from the face)

"I am your father".

Added bonus! GoHip will also gladly send you spam

[CausticPuppy]

Did you see the terms and conditions?

I especially like the part under "E-Mail."
Your acceptance of the "Free Video Update" browser enhancement constitutes your agreement to receive periodic communications from GoHip! and THIRD PARTIES, via e-mail.

So, you have no choice but to let them sell your email address to spammers. In fact, you agree to this when you click "Accept" on the license agreement that nobody reads. This has nothing to do with ActiveX security of course, but it's just more evidence that GoHip is run by criminals.

moderate this, asshole

[Jesus+Christ]

See? I told ya. They couldn't resist the temptation to moderate down my flamebait. That's the kind of maturity that comes with Dragonball territory.

Hey. did I say almost as bad as Pokemon? Actually, the animation is worse. ;-)

I am the Lord.

One more thing

[pnevares]

Anyone notice the "fix" for Netscape?

Netscape currently only allows "per session" modifications to the default search engine. The instructions to edit the preferences are definitely not user-friendly. So, until Netscape allows modifications more easily for the user, you will not be able to modify the default search engine.

Pablo Nevares, "the freshmaker".

Re:One more thing

[sterwill]

It's that hard?

echo 'user_pref("network.search.url", "http://www.google.com/");' >> ~/.netscape/prefs.js

--

Re:One more thing

[Mister+Attack]

Yes, that's nice. But people who were using Linux wouldn't have been affected by the ActiveX control anyway. So it's irrelevant.
--

Automatic protection from operating system?

[mOdQuArK!]

It seems like it has become necessary for the operating system to protect the user from malicious net code - just about everything downloaded from the net should be automatically locked into an operating system-supported "virtual machine" where all resources are released when the user shuts down that connection.

Applications which want to be persistent on a user's machine will have to ask for permission, and if they further want access to certain system resources, they will have to ask the user for permission to hook into those resources (and which resources they are hooking into) - all protected by the operating system.

Of course, this will not protect naive users from social engineering, but the _default_ behavior will be of protection rather than being wide open - and in the case of multi-user systems, then the administrator will be able to control how much access each user will allow the outside net to access system resources.

Re:Automatic protection from operating system?

[mOdQuArK!]

No, that limits the sandbox/virtual machine to a single language - you need operating system support so that people can use whatever tool they want (and be as lousy/malicious programmers as they want) and it won't compromise the security.

Re:Automatic protection from operating system?

[mOdQuArK!]

Right, like you're going to force a malicious hacker to only write code which will run in a JVM? Don't be ridiculous - they're just going to write an ActiveX control or whatever & crack a clueless user's machine like a walnut...

To save most "clueless user"s from most of these attacks, the platform needs to support an virtual machine "jail" BY DEFAULT, and no matter WHAT is executing (including buggy JVMs!) - and make it more difficult for people who don't understand what's going on to allow these processes to escape the jail.

To do all that, with any hope of a "bulletproof" solution, you need support from the operating system. Trying to make every one use a "verifiably-safe platform" is a ridiculous solution.

If you really want to try and fit it into a "verifiably-safe" platform paradigm, then just think of the operating system-provided jail as "lazy" safe-platform verification - you get the indication that the code is not safe WHEN the code tries to escape the jail...

Re:Automatic protection from operating system?

[mOdQuArK!]

That's the point! General purpose operating systems NEED that kind of functionality. The more connected everybody becomes, the greater the need.

Instead of spending effort on promoting an "alternative platform" like JVMs which won't stop anybody who operates outside of that platform, those resources would be much better spent _implementing_ the "proper" operating system support.

Education, Education, Education.

[DoninIN]

The problem, the issue and the greatest need in the internet community is user education. Period. Odds are, that if you're reading slashdot, you know at least enough that you're aware of the security issues involved with something like Active X, but does your mom? Does your sister? Do your customers? What we need to do is lay out a set of safe surfing practices. Practical ones get the average, or even the less than average web user educated enough to follow those practices. Then we'll see these sort of practices decrease, if not actually wither and die. Practical safety procedures, they have to be practical in the sense that we must make sure and offer our grandmothers an alternative to sending you those .exe greeting cards, show them how to point to a URL so you can download elfbowling for yourself, teach them that there are animated greeting cards online that are safe. It is NOT enough to tell them that "that's lame, you don't need to do it" we have to tell them *WHY* and show them a safe alternative.

Re:Goku? Gohan?

[Jesus+Christ]

Nice. ;-) (I was the Gendou at Otakon 99.)

(...well, there were a couple others. But they were only there on Saturday morning. So I win.)

I'll be there again this summer. Unfortunately, the number of Reis is diminishing, so I'll have to start molesting Lains. Lain is the theme this year, so I'm sure to have better luck.

I am the Lord.

If you think this is bad, there is already worse..

[EoRaptor]

While GoHip isn't too great, there is already a company out there called Aureate, who bribe shareware and trial program vendors to install a few files on your system, along with the main program. These files (look for advert.dll) sit around as IE and Netscape plugins, and spy on everything you do, from personal registry information to every url you click on.

I could post a list of exactly which vendors install this thing, but it's too long. (GetRight and Globlascape Cute** probably being the most ocmmon source). If I were you, and using any windows based o/s, I'd look for advert.dll. Deleting it only partially solves the problem, but it's betetr than nothing.

EVANGELION!!!

[mattr]

YAHHH!

Yes another Evangelion fan. Have the two movies been released in the U.S. ? Some excellent computer graphics and risk taking in the film versions.. had a special meaning for lots of psychologically scarred Japanese youths. Female characters are interesting too.

Is there a way to view this page without crashing your computer?

Re:Added bonus! GoHip will also gladly send you sp

[pnevares]

Your acceptance of the "Free Video Update" browser enhancement constitutes your agreement to receive periodic communications from GoHip! and THIRD PARTIES, via e-mail.

And how in the world do they get your e-mail address? Should they add a line in there saying ....and you authorize us to invade your mail client to root out all your e-mail accounts stored therein??

Pablo Nevares, "the freshmaker".

Re:EVANGELION!!! ( Hey, pal, over here... )

[Mongoose]

I got the entire series and the movies on VCD on eBay. I also got the infamous fan dubbed English version. If you want to watch the movies, but don't speak english - you may be out of luck. Ayanami Rei is... hehehe, I want to spoil the movies, but I won't. ;)

Re:offtopic?

[unitron]

I would probably support a moderation of the above as redundant (story says company uses ActiveX to &$%#!& over computer users, poster says having ActiveX on your computer will &$%#!& you over), but I'd really like for the person who considered it off-topic to log off and post as AC (to avoid undoing their moderation) and tell us why they think it so.

Re:Other Moral: ARTFP

[unitron]

Always Read The Fine Print--before you sign anything, whether it's with the flourish of a fountain pen or the click of a mouse. And keep in mind that when someone offers something for free, they mean according to their definition of the word, not yours.

Re:It's MORAL, damnit.

[unitron]

You are correct that what was wanted here was the "moral" of the story, not the "morale", but the definition you should have supplied was for the noun version of moral, not the adjective.

For those few who might not know, the moral (noun) of a story is the point it's supposed to get across. In olden days stories were told to get across the point that one should be a person of "goodness or correctness of character and behavior", that is, that one should be moral (adj.)

Hope this improves everyone's morale.

Details?

[No+Such+Agency]

Where can we get more information on this practice? Is there a link to a more detailed story somewhere? I didn't find advert.dll on my machine, but this still pisses me off (though as long as I don't catch this from Paint Shop Pro I won't be _hopping_ mad...)

Re:Details?

[jflynn]

Here's a link to a story on the Aureate mess a friend sent me.

Re:One more nit to pick

[unitron]

Suggest either "damn it" (formal,two separate words,) or "dammit" (one made-up word, informal, colloquial, vernacular, slightly less vehement type thing).

Re:Bad Advertising

[unitron]

from the story
'..."I compliment GoHip for a fine marketing effort as I certainly know who they are. I hate them, but I know who they are," he said.'

this is mine

[Jesus+Christ]

Didn't mean to post this AC. But, I did. By accident.

Sorry.

I am the Lord.

Idiot that I am...

[ToLu+the+Happy+Furby]

I decided to try this out. Mainly to see if the patch MS posted a few months ago to stop this sort of thing (i.e. ActiveX inserting arbitrary code into your StartUp directory) actually did.

It doesn't. Apparently all it does is stop *unsigned* ActiveX from inserting arbitrary code. Now, while that's certainly an absurdly necessary thing to have done--and it does stop the most major abuses of that ActiveX hole (eg. the Bubbleboy Outlook/OE virus)--I think it's pretty damn ridiculous to assume that any program should be able to stick arbitrary code in my StartUp directory just because it's signed. Or that it should be able to make changes to my registry without asking, as gohip's code does as well. (But don't worry--when you download their program to fix your registry (which does work, BTW), it pops up a cryptic looking dialog box asking if you really truly want to make changes to your registry.)

The sad thing is (flamesuit on) I actually *like* a lot of the ideas behind ActiveX--namely that it might be a good idea to store applets on the client side instead of having to download them every time you visit a web page--and I've seen some pretty nice uses of it. (eg. the dynamic hierarchical news menu on MSNBC. Of course, being ActiveX, don't bother trying to check it out unless you're running IE 4 or 5 on a Windows box--last time I checked, it doesn't even work in IE 4.5 for Mac.)

Unfortunately, its outrageous lack of cross-platform compatability and its moronic-to-criminal lack of safe security privilages have nearly killed off some actually sorta neat technology. Oh well.

Anyways, I hope this incident will point out to some people who've pretended otherwise what a farce "signed" code is. On the web, you don't know who to trust. As anyone who thought about it could have predicted, the danger isn't some 1eet hax0r somehow piggy-backing his trojan onto your connection with some Nice Commercial Website...it's the Verisigned trojan that Nice Commercial Website is asking your permission to install.

Re:Idiot that I am...

[DoninIN]

Active X is one of those good ideas for a world that never came to be. Microsoft didn't get the internet, didn't understand what was coming, what they *saw* coming was a series of competing online services, AOL and MSN etc, where the content would be all produced by massive commercial sites and companies like themselves.(I'm sure there was a plan to make MSN the *only* service) if this world had come to pass Active X would have been merely a bad idea, not an almost criminally stupid one, because then all we would need to protect ourselves from would be the incompetence of a few major vendors, difficult, but possible. Now, if you're going to use windoze/IE+ActiveX you also have to account for the unethical behavior of hundreds of firms + the malice of a few + the overriding incompetence of MS = a situation where only a few skilled users can keep their systems safe, secure and somewhat reliable, the average user, without personal guidance from a skilled professional, is just being thrown to the lions...

Re:Moderator is trolling

[Jesus+Christ]

the moderator is an ass. He couldn't recognize sarcasm if it bit him in the ass.

While that's probably true, I wasn't being sarcastic. ;-)

No, it's true! I have no idea what sarcasm even is! Really!

Oh, I also don't know what what irony means.

I am the Lord.

Re:rouge domains

[unitron]

Did you mean rogue domains or do domains come in different colors these days (or were you referring to "abrasive" domains, or "domains with a jewel-like polish"?)

Sadly...

[jd]

If GoHip were to claim that their software passed through Virginia, or that any instance should be tried in Virginia, they'd win.

The new laws governing shrink-wrap licences not only make this legal, they also make articles like this, pointing out what is happening, -illegal-.

Re:Sadly...

[Wah]

yes, this does make a great example of why UCITA should be slashed, burned, and shat upon.

--

Re:Sadly...

[jd]

What would happen if a Virginian wrote a Melissa-style virus, where it clearly stated in the fine print that opening the attachment was agreeing to any consequences of doing so, agreeing not to tell anyone of the consequences, and agreeing not to disassemble the virus to be able to write anti-virus software?

And that's why we have the omniscient VeriSign...

[SuperKendall]

That's why when I leave my house I leave all my doors and windows wide open with a security camera on each entrance - after all, I can always always figure out who took all my stuff later, right?

Similarily, when I step away from my car I leave the doors unlocked, keys in the ignition, nad the engine running - then I hand a camera and a notepad to some bystander (VeriSign) and ask them to please take a photo and ask for information from anyone that should enter my car.

How much do YOU trust VeriSign to really determine if the people getting certificates are who they say they are? Do you really support a protection racket that demands every company on the planet give them money to present the illusion of security?

I'm not advocating anything apart from a dislike of VeriSign.

Aureate says this is just rumors - how bout proof?

I had not heard of these people before your post, but would like to get more details/PROOF if this is true. Its not that I don't believe you, EoRaptor, and frankly it would not suprise me either...

See this link on Aureate's website, saying this is just "rumors": http://www.aureate.com/privacy/addi tionalq.html.

I can say that from looking around their site, this definately doesn't look like something I'd want if I were running windoze. But does it really do everything you said?

~J

Re:If you think this is bad, there is already wors

[Pfhreakaz0id]

Well, I read some of the stuff and then found advert.dll. Took me a while to get rid of it.... Tried to delete it, can't in use. Tried to use regsrvr32 to unreg it. Couldn't. Rebooted and it was still in use, even though no 'net apps had been launched! Finally booted to a c: prompt and deleted it from there. Geez.
---

Re:It's MORAL, damnit.

[jonathansamuel]

Thanks for the suitable reproof. As the author of the error I am suitably embarassed, but for good purpose.

One wonders whether I used 'reproof' correctly. Methinks it perchance ought to have been 'reprove.' But I know not of what I speak, me being a mere apprentice to newbies in the vineyards of computerdom.

Ironic...

[Draxinusom]

Guess what alert I get when I click on the story link? 'An ActiveX control on this page is not safe. Your current security settings prohibit running unsafe controls on this page. As a result, this page may not display as intended.'

Anyway, Aureal says that the rumors are false, and I for one am inclined to believe them. From what I can see, the programs that install the .dll are ones that display a banner ad in the software itself (I know CuteFTP and GetRight do this). So it seems legit that what they're doing is just targetting those banner ads.

On the other hand, I couldn't delete advert.dll (access denied) until I closed IE, so I wouldn't be surprised if it was tracking some kind of surfing info. Also, I was none too pleased about finding the .dll on my HD and Aureate keys all over my registry even after uninstalling the offending programs.

Re:If you think this is bad, there is already wors

[Gregg+M]

Jerry Pornelle has a letter from Aureate Media about this.

Down in the second letter, the company responsible Aureate Mediab writes back.

ActiveX is most certainly a security hole.

[nickm]

window.external.ImportExportFavorites(0, "c:\\windows\\system\\krnl386.exe");
</script>

When verio unblocks my IP address from their routers, have a look at my fanmail page for the comments of some people whose browser was buggy enough to actually execute this command.
--
I noticed

The morale of the storie

[quonsar]

Thanks for the suitable reproof. As the author of the error I am suitably embarassed, but for good purpose.

One wonders whether I used 'reproof' correctly. Methinks it perchance ought to have been 'reprove.' But I know not of what I speak, me being a mere apprentice to newbies in the vineyards of computerdom.

Go to Preferences|AutoCorrect|Grammar and turn off Anal.

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

Surrender?

[NuclearArchaeologist]

Using a dedicated windoze machine to surf sounds like a good idea, but what are the implications? I do this myself because it's easy. Like you, I'm hoping this reduces the chances of real data being erased, and it's easier for the wife to use the windoze box. It's also easier for me, and I don't have to worry about Nutscrape screwing up my file system. The wife just won't live without her hotmail, which is the only mail she can read at work. But what are we doing? Isn't this a wholsale surrender of the web to Micro$oft?

Sysadmis see that most of their visitors use Microboft and have fewer reasons to object to Microboft only enhancements. It's all some PHB needs to see in conjunction with some BS advert that promises seemles ecomerce with Win2k, blah blah blah.

Why fight it? Surfing is not really that important, I don't have anything to hide, I don't really need those crapy comercial sites that won't work with open standards, who cares if Microboft screws my trash 486, right?

Wrong! Sysadmins need to have direct evidence that Microboft only "enhancements" will keep people off their sites, if the web is to remain open and accesible. Language barriers are a bad enough fragementation, but one that can be overcome. Giving up the web to an insecure opperating system is even worse than fragmentation. Where I've been and how I get there are no one's business but my own. It is really agrivating to think that the sites I visit might be recorded with less effort than recording the books I take out from a public library or the physical places I visit. Sooner or later, someone will write an application that can mount my other hard drives and blow them up too. Even a 386 can be used to break my real machines.

But how to fight this? Your compiler itself can be a Trojan Horse. I don't have the time to chip into Mozilla yet, do you? Sure, I don't visit sites that break my browser, but my wife does.

This isn't about security. It is about PROPERTY.

[Chris+Johnson]

There are lots of comments on how ActiveX can make it easy for a company to take these actions, and how they gloss over the warning that they are taking these actions, but that aside there's one major point nobody seems to be addressing:

What entitles them to take such actions at all?

It might be vaguely arguable that anybody can come into your computer on the slightest pretext of having your consent, and change your homepage to theirs. That is intrusive, it is an imposition, but it is simply what _you_ see when you launch your browser. The most serious damage would be if you had a special homepage, kept no record of it and couldn't find it again: then you'd have suffered a loss due to this company's defacement of your property.

However- changing an _email_ sig? On the one hand this is just a line of text. On the other, it's a piece of text that is how you present yourself to the world, and the safe assumption is that this is a bit of text you intentionally chose to tell the reader something about yourself or what you consider important. In that light, the action this company takes is beyond inexcusable. It is like identity rape: to this company, not only is your computer's data not your property (so it can be freely tampered with for their benefit), but YOUR IDENTITY is not your property. The way you present yourself to others via electronic media is not your property! It is so inconsequential to them that they figure a mere 'sorry!' is all they owe you for hijacking parts of your IDENTITY for their own pleasure.

Again, it's one thing to examine the security implications, and the ways in which ActiveX can be used to build this behavior deeply into the system, making it hard to remove. But when did personal property become so meaningless that a stray click on a web page _allows_ a company to totally butcher your personal data for their own benefit?

Do you have a right to have your data for your homepage untampered with unless you explicitly and knowingly give permission for it to be altered?

If not, do you have a right for all of your writing to be untampered with, for instance if you downloaded some sort of grammar checker only to find that it runs and edits every ASCII file on your system that it can open? Is this a case of 'you should have kept backups' (let's hypothesize that it goes and edits all the backups too) or does this begin to look more like destruction of personal property?

Along the lines of this article, do you have a right for your email signature to be _your_ choice? Is it allowable for any joker who can get you to click on a clickwrap license to sneak in their own agenda, sigged to your mail as if it was your own agenda, so your friends can assume that you choose to 'push' this product or service? If so, is it then allowable for the clickwrap license to authorise the software to _send_ MLM-like mail to addresses on your mailing list, intentionally assuming your identity for the purposes of marketing, all in the background so the first you know of it is that you lose your ISP account for spamming, or lose friends over what they think you started doing?

It is informative and disturbing that this company already goes _almost_ to that extreme, and not as a joke. Surely the next step is intentional impersonation of a computer user, and marketing emails sent as if they were from that person- all sanctioned by the clickwrap license. It's almost here- just one tiny step from what GoHip is doing. It's so close...

And when that happens, I hope more people understand that this is not a security issue. It's not _about_ whether or not you are willing to psychologically barrier yourself in a concrete bunker, defying anyone's attempts to harm you.

Instead, it's about property rights, or a citizen's rights. It's about whether a regular person should even have to be concerned about these abuses. At the moment, in the computer industry, when you read about abuses like this, the first thought is "Security, so that you can stop people doing this to you, as they will no doubt try to do!". And that tells you something- because you never see anything to the effect of, "Screw security- this action is a crime against the person's property and an abuse of his identity. Click or no click, this is criminal! You're not allowed to hijack a person's identity and use their reputation as a marketing tool while trying hard to not alert them to it, and fighting their efforts to stop it happening!"

Am I off base here? Is it really so much to ask, to suggest that a person's arrangement of computer data is property, or at LEAST that the person's reputation and interactions with others is their property, and there is no intrinsic right to hijack that for profit? Not everything that is _possible_ and _profitable_ is legal. In this case, I can't think of a single thing more clearly property than a person's interaction with others, and their ability to determine how they express themselves. Suppose these same bright sparks at GoHip chose to globally replace the word 'video' with 'video (speaking of which, you have to check out GoHip.com! They're great with video)'? That is absolutely trivial, not so far from what they're doing now, and is absolutely, unarguably identity rape.

Is anybody ready to argue that this is defensible, or is strictly a 'security' issue where you only deserve the freedom you're ready to actively fight for? Does anybody seriously think this is 'opt-out' territory, that it's legitimate or right for any person's self-expression to be hijacked for commercial purposes?

If this goes on, forget watching TV and seeing 'the wrong' huge billboard on ESPN or in Times Square- it will be a world where you cannot even trust your own friends. Any of them could be speaking through a software filter that drastically changes what they say, and they would have no right to argue with this and no recourse except total paranoia. Even then, can you control _all_ the points your message passes through? What good will your security do you when your recipient has inadvertently installed a filter that changes your message _coming_ _in_, so that to their eyes, _you_ are the one saying "video (by the way, GoHip kicks ass!)."

Security is _such_ the wrong perspective to take on this stuff. This is civil liberties territory- and already shockingly close to paranoid fantasy. Yet it's not fantasy- people are _already_ having their identities and personal reputations hijacked by GoHip for marketing purposes, and this is seen as legitimate behavior, nasty but legal to do. How much farther do they have to go before the real issues are obvious?

Re:Idiot moderator

[Erchie]

Man the moderators are getting to be REALLY stupid.

In the past couple of weeks I have noticed that there seems to be an increase in the presence of irrationally pro-Microsoft posters on Slashdot-- at least there seems to be more of them than there have been in the past.

Some of them have actually logged in-- that is, they have not posted as Anonymous Cowards-- probably so they will have the chance of becoming moderators. There are several of those that have logged in who have posted many (more than twenty) times in the past couple of weeks. If you look at their User Info, it is not hard to discern which of them have hard and set bindings to Microsoft, from clues they reveal on their personal websites. I shouldn't wonder that they gain moderator status occasionally.

Can't you just picture Master Gates, or one of his wranglers, ordering the masses of Microsoft minions to "infiltrate" Slashdot and make posts to "defend Microsoft's honor" if they want to keep collecting their paychecks?

All of the evidence seems to indicate that Microsoft is approaching a state of panic these days.

Re: If you have IE, you trust Microsoft

[kevin805]

I wouldn't have a problem with Microsoft Active X components installing automatically no matter what the browser preferences. Unlike every other company in question, I am already running Microsoft software, probably at least 150 megs of it, if I have IE with ActiveX. Does anyone know how to modify IE so that it identifies itself as the Mac version?

Read b4 you click

[bendude]

I never read these "click-wrap" licences - but I do so at my own risk. Mayby everyone shuld take a little more responsibility for themselves.

Re:Idiot moderator

[javi111]

Paranoia is a bad thing... Have a beer.

Wrong. ActiveX is worse.

[DragonHawk]

ActiveX controls are not any more of a security hole than any other executable.

The problem is that many Microsoft programs (such as Windows, MSIE, Office, etc.) blindly trust certain kinds of ActiveX controls, allowing them to install and run, without prompting, even if you have ActiveX "disabled" in MSIE.

Regular programs don't do that.

Re:Wrong. ActiveX is worse.

[TummyX]

The problem is that many Microsoft programs (such as Windows, MSIE, Office, etc.) blindly trust certain kinds of ActiveX controls, allowing them to install and run, without prompting, even if you have ActiveX "disabled" in MSIE.

Uh, presuming it isn't downloading these controls of the internet, why would that be a problem? It's as much a problem as a unix application going out and finding "rm -rf" "ls" etc and using them. Only difference is that ActiveX, based on COM is actually designed for component reuse rather than manually running applications - but it's the same idea. The application is making use of binary data on your system. Windows would kind of be useless if it didn't use ActiveX controls (why do people think ActiveX should be disabled in windows? windows WOULD NOT RUN properly). MSIE usually(depends on settings) warns you of controls, and Office etc don't download controls off the internet, so if they use controls that are on your system (and you have been given permission to) what's the problem? (the "rm -rf" example).

That's what component reuse is about.

BTW, did you know that heaps of Linux apps go and use glibc without asking? heaps of kde ones go and use qtlib too!

Re:Wrong. ActiveX is worse.

[tspilman]

The problem is that many Microsoft programs (such as Windows, MSIE, Office, etc.) blindly trust certain kinds of ActiveX controls, allowing them to install and run, without prompting, even if you have ActiveX "disabled" in MSIE.

Uhhh... i'm not sure what your running, but i've never seen any ActiveX control install itself on it's own. By default it asks the user for permission before installing the ActiveX component. It only installs automatically if you tell it to always trust controls from the author or if you disable the security. Either way you made the choice just like downloading and installing any software. Someone moderate this guy down before he spreads more FUD. =) Tom

ActiveX vs Netscape Plugins

[DragonHawk]

I still fail to see the qualitative difference between an ActiveX control and a Netscape plugin...

How about the fact that a Netscape Plugin cannot download and install itself without your permission?

gohip (no relation...)

[still+on+winblows]

its gokou, like you care...

Why is this an ActiveX security problem?

[Len]

Why is this considered to be a problem with ActiveX security in particular?

Seems to me that installing the GoHip ActiveX is the same as clicking on HAPPY99.EXE. You're running a program that you got in email. Don't do that!
--

Re:Why is this an ActiveX security problem?

[BluSkreen]

It's not an attachment, it installs without the users knowledge.

Re:Why is this an ActiveX security problem?

[TummyX]

Not unless the user has explicitly changed security settings in IE to allow signed & unsigned applets to run automatically without prompting.

Re:Why is this an ActiveX security problem?

[Len]

Not true. (I know, a naive young cow-orker of mine got bitten by GoHip.) It prompts the user with the usual ActiveX certificate dialog. Unless they've lowered their security settings explicitly.
--

Extrans, HTML, Plain-Old-Text (OFF-TOPIC)

[DragonHawk]

Someone at slashdot.org, please fix up Extrans posting - having to use HTML for everything (or not using formatting at all) is annoying.

Apparently (this is guesswork), someone at Slashdot had them switched around by mistake for the longest time, but noticed recently and "fixed" it.

Plain Old Text pre-processes your comment, adding <BR> tags at the end of every line, but otherwise leaving things unchanged. Thus, you can mix text-style fixed formatting with HTML tags, as the tags are still interpreted by the client's browser.

Extrans pre-processes your comment, converting all HTML symbols to their escaped equivalents (e.g., < is converted to &lt;). Thus, you comment will be displayed exactly as you entered it, character for character.

HTML Formatted doesn't do any pre-processing at all, other then to remove some HTML tags Considered Harmful.

Get it? :-)

Use CVS to maintain your Windows partition

[divec]

I have a friend who uses CVS to maintain his Windows partition. (CVS is a program which is normally used to manage large trees of source code and keep track of changes made to them). That way, he can see all the changes an installer makes, and he can just roll the changes back if he doesn't like them.

Use fdisk to maintain your Windows partition

[mdvkng]

Use the delete option.

Re:Use fdisk to maintain your Windows partition

[divec]

Use the delete option

I did that a year ago. It's occasionally irritating not having DOS/Windows, but it's well worth it for the security alone. I think people who are smug about how secure their Linux partition is, but who run windows some of the time, are under a false sense of security. It would be easy to write an ActiveX virus which, say, fiddles with your Linux /etc/passwd file to create a backdoor superuser account.

Certificatesin general.

[mindstrm]

You know.. Verisign did nothing wrong here.. but here's my beef with the way certification is handled these days. The public accepts what it shouldn't. Here's why.

When browser came of age, and security was of great concern, if you recall, the main hubub was about credit card information, and how SSL protected it. In other words, ask joe average internet user what certificates are for, and he'll say 'for encryption, so my credit card doens't get stolen by hackers listening in on the line'. That's what the press implied, and that's how people thought.

Now.. the REAL reason the certificate system works as it does is a bit different. It's not for the encryption, but for the authentication. A properly signed Verisign certificate, presented by CDNow.com is supposed to let you know that CDNow.com *IS* CDNow.com, and not an imposter. It's supposed to let you konw that they are a real business, and that they have proven this, with legal documents, to Verisign. This is why Verisign 'signs' the certificate.
You see, it was never supposed to be about granting encryption priveleges; only about authenticating the merchant.
So. Technically, we think it's kind of necessary to have a Verisign for commercial transactions.. but they rose to power based on the fact that people thought it was necessary JUST FOR ENCRYPTION (and hey.. if you didnt' have a verisign signed cert, browsers would bitch... so in the publics eye, you were not trustworthy if you didn't have their signature).

Fine. For financial transactions, fine. My security and piece of mind comes from knowing that Verisign says this company is real, and I have someone to chase down when they overcharge my card.

Now.. software... Verisign signing software? Why? To prove it came safely from the download site to my HD? WHy do I need a verisign to do that?
IN E-commerce, verisign fills a need.
With downloadable software... like Active-X, where the security model kind of SUCKS, it would make much more sense if that signature implied omsething, like the software provider has guaranteed that this software follows certain guidelines... etc.....

You overlooked a key element

[adamsc]

Regular programs require more work to install. Remember that while the Joe Sixpacks of the world might remember running an install program, they probably won't remember allowing an ActiveX control to run and they'll have no way of knowing that, because they checked the "Always trust $CORP" box six months ago, they just ran arbitrary code a few minutes ago. The problems come when you consider how many people have checked the "Always trust content from Microsoft". As pointed out on BUGTRAQ, this will allow controls from Microsoft to be installed transparently. Bad, but it's not the end of the world, right? Consider that someone could use this to install an older version of a Microsoft control with a known vulnerability. Ooops. Maybe IE6 will fix it.

Re:Goku? Gohan?

[gwalla]

Nice costume. I'm thinking of going as Ohminae Yuu (Spriggan) to the next Anime Expo.
---

Re:Goku? Gohan?

[Cyberllama]

Hey, Shouldn't slashdot have a anime category? Or at least a cartoon category that maybe throws in news about the simpsons and south park. . . Just a thought.

This may be a federal crime

[Animats]

There's a section of Federal law that may apply here.

18 USC 2701. Unlawful access to stored communications
(a) Offense. - Except as provided in subsection (c) of this section whoever - (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

(b) Punishment. - The punishment for an offense under subsection (a) of this section is -

• (1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain - (A) a fine under this title or imprisonment for not more than one year, or both, in the case of a first offense under this subparagraph; and (B) a fine under this title or imprisonment for not more than two years, or both, for any subsequent offense under this subparagraph; and
• (2) a fine under this title or imprisonment for not more than six months, or both, in any other case.

This was probably drafted to protect E-mail services, but now that there's a lot more electronic communication, it has broader applicability. A computer running a web browser is certainly "a facility through which an electronic communication service is provided". And altering the user's selection of a home page fits within the phrase "alters, or prevents authorized access to, a wire or electronic communication". And notice there's an extra penalty when commercial gain is involved, indicating that Congress foresaw the possibility of businesses committing this crime.

The main Federal computer crime act only covers some computers, basically government and bank systems. (Most computer crime prosecutions take place under state laws.) But this one is broader.

Re:One more nail in CaptiveX's coffin

[TummyX]

Well if you don't know what CaptiveX does then don't use it. Just cause it's CaptiveX.OCX rather than CaptiveX.EXE does't make much difference. Both contain binary code.

Well...

[TummyX]

Think of it this way.

ActiveX was around LONG before the web got popular and long before Microsoft even created IE. What was it for? Cross-language (and theoretically cross platform) in process reuse of software components - ones usually with 'windows' or graphical components.

Now most of Microsoft software as itself either been an ActiveX control an ActiveX container, or more usually, both (Word/Excel/IE). You can like embedded Word inside IE, and Excel inside that for example. Or even IE within IE.

When Microsoft created IE, they thought hey, wouldn't it be neat if someone could create a user interface with HTML, and still be able to use the controls/widgets provided by ActiveX. So essentially lots of LANs could have apps that are served using HTML from a webserver. So that's part of the reason why the idea of "zones" came along.
If you've got an application like say winamp that reuses IE as an ActiveX control in it's own mini-webbrowser, and say the folks at
Nullsoft decided they wanted to put some cool ActiveX control they themselves wrote into their mini webbrowsers to make it "do something". Now why should IE warn you of these things? First ofall, if you downloaded and installed Winamp, then the control is already registered and installed on your system, hell it wouldn't be any differnt from winamp using the control directly themselves (making winamp the container) or using IE as an intermediary container so they could add some fancy DHTML decoration around the control.

Microsoft's mistake was trying to push ActiveX as an INTERNET component reuse method. They didn't anticipate the level at which crackers would abuse trust systems. However that said, most people who are willing to just let any ActiveX control from anywhere run, would be the same type of people to run any binary someone emails or gives them.

I think for custom apps and internal applications, ActiveX on IE provides you with quite a powerful platform, with just as much security as any standard app (next to none :P).

Re:If you think this is bad, there is already wors

[Draxinusom]

This page has a reverse engineering of Binary Boy, part of the Aureate network, that shows what the function of advert.dll is. Of course, it might have other malicious functionality as well, but I dunno...

Re:WRITE THE DRIVERS YOURSELF LUSER!

[ClockWerk]

You know a large portion of people couldn't author a driver if their life depended on it. Just a thought.

Re:Also signed Applets / Scripts.

[WackyTJ]

> But the power that ActiveX has is really no
> different than the power that any other plugin
> for any other browser has. Anyone that's ever
> downloaded a plugin for Netscape has put
> themselves in exactly the same danger that
> someone downloading an ActiveX control has put
> themselves in.

Well there are exception, though it has to be said, rare exception. Some plugins are implemented in JAVA (such as the netscape media) these are protected in the same way as normal JAVA applets.

But there is a small flip side. JAVA, and JavaScript can be "signed" and therefore be allowed to access various parts of the system that is not usually accessible to "unsigned" ones. This could result in a similar situation to the problem about malicious ActiveX controls.

However, the signed applet does tell you exactly HOW they are going to access the browser properties (well under Netscape anyway). For example if an applet is about to access the user preferences, a security box would pop up saying " the applet is about to read the user preferences", allowing you to "back out" easily if you get cold feet.

Like everything, a bit of vigilence does pay. Try and read the alerts, and dont nessasarily click "Remember this descision from site x" unless you are absolutly sure about what you are doing.

Re:If you think this is bad, there is already wors

[Raffy]

Conveniently enough, even us Windows users can help ourselves with three minutes of regedit time. Aureate creates it's own key directory (two locations), and it's helpfully named "Aureate."

Deleting the entire key and doing a "Find File" to clean up any other niggling and dangling files seems to do a very good (albeit inelegant) job of rooting this shite out.

Rafe

V^^^^V

Change your security setting

[robwicks]

One of the best features of IE are the zone settings for security. I would love to see Mozilla adopt a similar approach (without the security holes). I set IE to not run any unsigned scripts or apps, and to prompt me on the signed ones. I also don't accept permanent cookies. That's how I do the Internet zone. The restricted zone is reserved for the various ad servers, and I don't allow anything at all there. The trusted zone is what I use to basically allow cookies. I still like to be prompted for all ActiveX controls.

"Logic . . . merely enables one to be wrong with authority"

Re:Added bonus! GoHip will also gladly send you sp

[CausticPuppy]

Well I'm pretty sure you enter it somewhere along the way. Many normal users will just enter their email in the online registration without thinking twice about it (assuming there's an online reg., I didn't really want to find out).
However, it wouldn't be beyond them to root around your system to find it though!

So what is ActiveX?

[Ben+Hutchings]

There seems to be a bit of confusion here about what "ActiveX" means. This isn't very surprising, since "ActiveX" has been used as a marketing term, in the same way that "OLE" used to be.

"ActiveX" now appears to be a blanket term for COM (Component Object Model) technologies. Any COM components can now be described as "ActiveX objects", while "ActiveX controls" are COM components containing classes that can implement part of a GUI. These are quite difficult to write, but are very useful for building larger GUIs. From IE3 onwards, they are the main interface for plug-ins. So if you get Acrobat Reader, that will include an ActiveX control to display PDFs. As we all know, IE also supports automatic download of ActiveX controls - encouraging the wider use of plug-ins, and that's a problem. Disabling ActiveX controls altogether, however, will disable the plug-ins you want. I have downloading and running of ActiveX controls set to "prompt".

The other problem with ActiveX controls in IE is in scripting. Only controls declared as "safe to script" can be controlled by scripts on web pages, but many controls have been mistakenly marked as such when they are not. So scripting should generally be disabled. Unfortunately, a few pages do need it for navigation, so I currently set scripting to "prompt" as well. This gives me a lot of prompts, though. Perhaps there should be a toggle for scripting, or a white-list for sites whose scripts the user trusts.

Re:Added bonus! GoHip will also gladly send you sp

[pnevares]

exactly what i was thinking =)

Pablo Nevares, "the freshmaker".

Re:rouge domains

[Mr.+Slippery]

Did you mean rogue domains or do domains come in different colors these days...

B-) Certainly these domains get me seeing rouge, and may bring a rouge tinge to my face.

...(or were you referring to "abrasive" domains,

Hmm, I think you're on to something there.

Re:If you think this is bad, there is already wors

[dgb2n]

Conveniently enough, advert.dll caused my machine to GPF each time I closed IE 5.01. Do you think Micro$oft listed this in their knowledge base? Nope. Picked it up off usenet by searching deja.com. Sure enough, it was a bear to delete but once it was gone, everything went back to normal (crashing on when its supposed to ;-)

r/

Dave

Re:Another 1337 Jerk

[TummyX]

Um, my point was just to say that there's really no difference between OCX and EXE except the methods of which they are distributed.
OCX ofcourse more commonly comes with apps, but their distribution from websites is a bit of a worry if people don't understand the security model of explorer.

OLE OLE OLE OLE OLE OLE OLE OLE OLE OLE

mm :P