Slashdot Mirror


User: KiltedKnight

KiltedKnight's activity in the archive.

Stories: 0
Comments: 296

Comments · 296

  1. Re:How to prevent this from affecting you on MyDoom Strikes Again · · Score: 2, Insightful

    Actually, one other thing you really need to do is to turn off all plugins, Java, JavaScript, downloading of images that are not embedded, etc., and be very leery of sending "confirmations of receipt."

    You should secure your e-mail client even more than your web browser.

  2. How to prevent this from affecting you on MyDoom Strikes Again · · Score: 2, Informative
    1. Don't open attachments from unknown sources
    2. Virus scan all attachments before opening
    3. Don't open attachments from unknown sources
    4. Don't use mail programs that ignore the MIME information (read: Outlook and Outlook Express)
    5. Don't open attachments from unknown sources
    6. There is no number 6, unless you're in The Village
    7. Don't open attachments from unknown sources
  3. Thank you on Bill Gates in 1983 Teen Beat Magazine · · Score: 1

    I nearly choked on my coffee when I read that... not sprayed it on my monitor... choked. I'm still trying to get my brain to recover from the sheer concept of it. The image was not pretty.

    As for why Tiger Beat? Who knows, maybe someone found him sexy back then... or thought of him as some kind of yuppie geek who was on the rise.

  4. Re:you can do that in linux too on Brian Hook on the ActiveX Experience · · Score: 1

    Unless you log in as root or run the stuff from a shell that's been su'ed to root, this is unlikely to happen, unless you've gone and chown'ed the whole system to some other user and then run those programs as that user.

    Of course, if you normally log in as root or run web browsers, etc, as root, you deserve what happens to you.

  5. Re:Nothing new. on Brian Hook on the ActiveX Experience · · Score: 1
    Actually, it will take time for someone else to develop something better, then for Microsoft to use its "embrace and extend" thing. Microsoft doesn't innovate. It copies someone else's products, buys companies that develop new products, or has things bought for it.

    As examples:

    • DOS was bought for them by IBM
    • SQLServer's T-SQL engine was developed by Sybase
    • IE is their version of Netscape
    • Windows is their version of a reverse-engineered Mac

    They tried to steal Java from Sun, but Sun caught them and took them to court over it... so Microsoft creates J++, .NET, and other stuff like that... AFTER seeing what others have done.

    Basically, Microsoft hasn't created anything new. They haven't innovated. They've created a dependency, however, by doing some of the best marketing ever seen.

  6. Re:What problem on LSB Submitted To ISO/IEEE · · Score: 1

    You could potentially beef up security a little bit if you require people to use the GPG key portion. Anyone who distributes stuff on-line, would have to get stuff certified by a key provider. The key providers would distribute their keys via either a CD mailed to you or via https download. Any system that would be using LSB would then have to mandate that a package pass the digital signature(s).

    It's not much, but it's a start. Any one item you do is not going to guarantee anything, but it will lessen the chance that it's something insecure.

    Besides, if you're patching your production boxes directly from some download site without first testing the effects of patches on your systems, you deserve what happens to you.

  7. Simple techniques on Spam and Spyware Too Much for Some Users · · Score: 1

    One thing you should never do from any e-mail address you want to keep readable is post to Usenet. Get yourself a couple of free e-mail addresses from Yahoo, hotmail, gmail, or any other service like that and use it as a "spam trap." Any time you post to Usenet or any open web forum that does not obscure your e-mail address, use that one as your return address. Keep the address you want usable off of these places, and the address farmers won't be able to harvest yours. Be absolutely certain that your friends know not to give out your hidden address.

    Yes, I know everyone's going to say "Firefox and Thunderbird"... so I won't bother repeating those things.

    What I will emphasize is locking down cookies on your system. Set them so that only the originating site can store them. Lock down ActiveX controls entirely. No ActiveX controls should be run without your permission, even if they're "signed." Be sure to set browser preferences to send "nobody@nowhere.co.us" or something like that as your anonymous ftp password.

    Report spam to SpamCop (www.spamcop.net). It may not do much in the short term, but it will help get some of these originating sites into the blacklist, and might even get the customer terminated.

    Doing all of this won't eliminate spam from your inbox. Short of not getting on the internet, nothing will. It will, however, greatly reduce it.

  8. Re:I LOVE slashdot. on Torvalds on the Linux Security Process · · Score: 1

    It was Microsoft's marketing department that got them the proliferation they have now. It had less to do with their developers. Besides, didn't Gates admit to having learned a lot about how to program by reading people's trash?

    When you can market a stale piece of beef jerky as if it was a filet mignon, you get market penetration.

    I think IBM learned this lesson the hard way when they barely did anything with Warp 3. If they would've been smart, they would've had the SDK out for various companies to develop software to go along with the release, then they would've done a real advertising campaign. Warp 3 beat Win95 to market, was generally more stable, had the kinds of things business users wanted, etc. The primary problems were a lack of software and a lack of marketing prowess.

  9. Re:I notice they don't advertise as much on Five Years of Ballmer -- the Effect on Microsoft · · Score: 1

    Being realistic, the marketing they need to do is not to the consumers, it's to the OEM vendors. If it wasn't for their marketing department doing that in the first place, we probably wouldn't see quite the level of proliferation of Windows.

    Of course, if it wasn't for Jobs holding that lawsuit at the ready all those years ago, Mac would've more likely won the desktop wars.

  10. Re:Stupid editors on Who Invests in Spyware Companies? · · Score: 1

    In this modern day set-up, they have all of these, "If you wish to speak to X, please press N now," menus when you dial in.

    That's the set-up I'm referring to. They just change the destination of the call, then give the person in question a new extension, and hide it in the system.

  11. Re:Weatherbug? on Who Invests in Spyware Companies? · · Score: 1

    If you're using Firefox, just get the WeatherFox extension. It puts a couple of little icons in the lower right of the browser status bar, and it is entirely based on your ZIP code. Data is obtained from weather.com.

  12. Re:Stupid editors on Who Invests in Spyware Companies? · · Score: 1

    So they change the secretary's extension, route the old one to an immediate voicemail, and that's it.

    It doesn't take that long to do.

    You would be far better off sending a written letter to the company and/or its board of directors. Of course, one could always contact that company's ISP... O:-)

  13. Re:Only slightly off-topic on Who Invests in Spyware Companies? · · Score: 1
    What I mean to say is that perhaps someone out there with the skills could show at least one example by disassembling some of this malware to show us all exactly what exploits are being used, when, where and how. It would be nice to see evidence that cannot be denied or spun away.

    Do that, and you'll have (primarily) Microsoft coming after you wielding some of these recent anti-terrorism laws because you'd be exposing the flaws. You'd also only further the demise of things like bugtraq.

    If Microsoft had its way, bugtraq would be outlawed. Publishing exploits, bugs, etc, that allow malicious take-overs of computers would be illegal, as would even trying to find them through any means.

    I don't know about a lot of people, but I would much rather know when someone finds a vulnerability so that I can actually take active steps to prevent someone else from using it. Good computer security isn't just a matter of making sure the latest patches are installed. The ability to block sites, turn off certain features/capabilities until a patch is released (Remember the PHP file upload bug a couple of years ago? Just turn off file uploads until the patch is done a few hours later. :) ), and just the fact that you've been forewarned all can make a huge difference whether or not malware gets on your system.

  14. Calendar stuff (was Re:Feature Requests) on Planning For Mozilla 2.0 · · Score: 1

    You might want to look at Mozilla's Sunbird.

    Yes, it's only version 0.2, but it's a calendar.

  15. Re:My Mozilla wish list on Planning For Mozilla 2.0 · · Score: 1
    You're making an assumption, though. You're assuming that the person writing the page in the first place has created a W3C-compliant page.

    There are many problems with IE, one of which is that it renders broken html.

    It's most problematic when it comes to things like tables. If you fail to close the table, especially when you have nested tables, the page should fail to render. How do I know which table to close, if you only have one table closing tag? How do I know where the still open table ends? The HTML specs state that a <table> requires a </table>, yet IE fails to adhere to this.

    Why does IE do this? Because products like FrontPage and Cold Fusion produce broken HTML to begin with.

  16. Re:Still use mozilla on Planning For Mozilla 2.0 · · Score: 1

    Umm... you can just copy the contents of the plugins directory into your Firefox set-up. That's what I did, and it works just fine.

  17. Re:Gecko Rendering Engine on Planning For Mozilla 2.0 · · Score: 1
    Good idea... a separate GRE should not run as root. That's just silly, and with the big to-do over security lately, the last thing we want to see is yet another way to try to take over a box.

    You've actually got a couple of options:

    1. separate userid for a common gre process (your suggestion); alternatively can run as nobody
    2. one gre process per user, spawned the first time any process that uses the GRE starts, exiting only when no using processes exist

    Yes, option 2 uses more memory/process space on a Unix-based system, but it also guarantees that data and pages will not cross user spaces, so that if private data (eg, credit card numbers) are part of the rendered page from a web form or purchase receipt, nobody else can access it.

  18. Re:Hey it Deleted my Netscape.... on Microsoft Releases Malicious Software Removal Tool · · Score: 1

    You'd probably not be surprised to know that at one time, the IE installer did remove Netscape from your computer if it found it... without asking your permission to do so.

    Windows Update is also how the Behemoth slips in changes to the whole system that cause third party and open source software to stop working... they just never really tell you EVERYTHING they did, only the stuff to say, "We just patched IE6 for you."

  19. Re:what a process! on Microsoft Releases Malicious Software Removal Tool · · Score: 1

    Not for nothing, but anyone who's even mildly security conscious would block ActiveX controls from any site other than their own intranet (ie, whatever's within your firewall).

    ActiveXploitations is one of the biggest security holes on any Windows system, and IE has it so firmly embedded, that unless you turn it off, or at the bare minimum disallow any unsigned controls, it's the easiest way for someone to slip malware or spyware into your computer.

  20. Re:So where's all the Linux bashing? on Security Holes Draw Linux Developers' Ire · · Score: 1

    Most open source stuff has a patch or correction instructions done within hours of the security hole's discovery.

    M$ needs to have a prior announcement, then they do a press release of the bug with the security patch. Meantime, for three or more months, users have unknowingly had their computers exploited.

    And the real problem with IE is the two biggest security holes on a Windows-based system: ActiveX Controls and VBScript.

  21. Re:Hypocrites. on Symantec Says No To Pro-Gun Sites · · Score: 1

    Actually, when used in a government facility like a government-run library, it has EVERYTHING to do with first amendment rights. They are preventing people from seeing a legitimate point-of-view. It's one thing to filter pornography from machines used by children. It's another thing to filter political content because of someone else's personal feelings when they (re)design their product and sell it as an "objective" solution.

    If this were simply a product sold by Symantec and that's the way it was designed, so be it. You and I have the ability to say, "Firetruck you, Symantec. You have your product set to do something I don't like, so I'm not going to buy it."

    As a suggestion, please let Symantec know that you are displeased with this decision, and that you no longer intend to purchase their products, unless they either make it configurable to remove these blocks or remove them entirely.