May 20th 17, 03:00 PM posted to rec.photo.digital
Diesel
Where I keep my spare cats.

Whisky-dave
Fri, 19 May 2017 10:08:54 GMT in rec.photo.digital, wrote:

[snip]

I don't download vulnerable viewers.


How would you know if it was when you downloaded it? The
vulnerability reports tend to come after the fact.


I stick to the ones most used, presently I have 3 browsers
running. firefox, chrome and safari, each have their own uses or
rather I put them to specific uses.


Those are browsers...Your knowledge of IT leaves a bit to be desired...

As far as the three browsers you just listed, all three of them have
had vulnerabilities and patches issued as a result of the ones
identified. That does *not* mean they've all been identified, yet,
either. Likely pointless to explain why one in particular isn't so
good from a privacy POV.

someone calling themselves
emailed me this morning with a zip attachment called
5566046.zip do you think I should open that zip if so why ?


The .zip file itself, short of using a vulnerable archiving tool
(and don't bother claiming that doesn't exist, I cited winzip only
because of its popularity and it's had several issues) poses no
threat whatsoever to you. It's ONLY a file container with
compression. It's the contents within that matters. I tried to
explain that to you previously, but, you wouldn't listen.

So, in my professional opinion, I think you should let an adult from
your I.T dept help you out. You don't seem capable of making sound
decisions on your own.

You think the Mac is immune?


far more immune than PC's no mac as far as I know has been infected
by the latest worm that affected the NHS and another 200,000 odd
users.


The latest worm is a win32 PE executable. Your mac, without
additional work on your end cannot execute the program. It wasn't
written for your mac. So, your example, is a bad one.

That does *not* mean malware written specifically to take advantage
of mac users doesn't exist. In fact, it does. But, Mac doesn't have
the userbase that Windows systems do. Rather, it's a niche market
for malware authors interest. Hospitals don't routinely use Macs.

They're overpriced and incapable of competing against a PC with the
same level of money dumped into it. They do good (ie: struggle) to
compete with an inexpensive PC these days.

If one should put the cash a typical mac costs into a PC clone, the
mac doesn't stand a chance. Macs used to specialize in graphics
design, and photography work; but, the newer video cards and
software available for the PC made the mac unable to realistically
compete there either. At best, it's become a level playing field
now.

Macs used to have the schools in the US on essential lockdown, but,
that's changed too. Nowadays, kids are sent home with Windows based
laptops on lease from the school, typically budget Dells (in this
area)

In fact, Pixar (Now Disney's company) uses PC clones to do the
animated 'movies' you see these days. Not macs.

That's what you get for choosing to remain closed and proprietary.
Left behind.

The poster of the link isn't the one who creates the scripts
dropbox uses, so what does trusting the poster have to do with my
question?


everything. Just like lending someone your car, computer or
anything else.


I fail to see the comparison. So again, I'll ask, since the user you
trust has no control over any of the scripts dropbox uses, what
difference does it make if you know the person or not?


ROFL! It indicates NOTHING of the sort.


Yes it does it's why banks use it.


Your assumption isn't that accurate. Banks exchange sensitive
information with you. The site interacts with you. It's in your best
interest to have the comms encrypted and be sure you're actually on
the banks own domain. HTTPS tries to cover that for you. I write
tries because, well, various certs have been forged before rendering
the domain assurance null and void.

My site does NOT interact with you, offers a program that was always
free and has been discontinued for years now. There's no incentive
or reason otherwise to deal with paying for a cert and encrypting
the data. So again, you might want to review the HTTPS link I
provided you previously from slashdot if you actually want the
technical specifics on it. I suspect, though, you could care less.
As, it's likely beyond your limited understanding. After all, you
think a .zip file by itself, is dangerous.


http://www.helpwithpcs.com/jargon/http.htm
What is HTTPS?
HTTPS is a secure adaptation of HTTP which you will find in
common use on secure areas when visiting websites.


exactly.


As I told you, My domain has no secure areas for you to visit.
There's no valid reason for me to use HTTPS. Do you need to research
what a 'secure area' is?


As I told you, previously, there are no secure areas on the
bughunter site. It doesn't host a forum, it offers you, the
visitor, NO INTERACTION. No scripts, no pictures (Unless you want
to click the link pointing to the jpeg of my deceased red long
hair persian)


and I have even less interest in your sex life.


https://en.wikipedia.org/wiki/Persian_%28cat%29

So you have the maturity level of a small child then?

It's a plain jane html site


I thought you disabled HTML emails.


You seem to be confused on basic terminology as well. If I'm using
words that are confusing to you, just specify which ones and I'll
try to dumb this down further for you. I feel sorry for your I.T
department.

There's nothing it's going to 'run' inside your browser.


says who ?


Well, since I wrote the site's html in notepad, and, it's my site,
I'm saying so. You do realize you could literally download the site's
index file and load it in your favorite text editor/viewer, without
rendering a single line in your browser, right? Well, in your case,
you probably don't know that. But, I digress. You can (well,
probably not you), but someone with actual technical knowledge
could.

I don't need that knowledge and I very much doubt you could teach
it anyway.


LOL! The individual I tried to warn you about would disagree with
you. I'm infamous as a former blackhat. I've got quite the
reputation that he enjoys reminding me of at times. Some of my
'work' was written about in Rolling Stone magazine. So, doubt all
you like.

As presently, you're spreading FUD. You're probably okay with
that, but, it is annoying for those of us who know better.


You know better by telling people to download zip files because no
harm can come of it?


A .zip file by itself is harmless. You actually run a better risk of
something nasty coming from a pdf...

it will never go away while the ignorant download things without
any thought.


What part of, downloading something doesn't automatically result in
an 'infection' is too complicated for you to understand?

which is why I don't trust strangers offering zips.


I understand. You're a bit of a technological idiot, and, you think
a .zip file by itself if you download it can infect you. Ignorance
is a curable condition, but, what you suffer from, there's just no
cure. You can't fix stupid.

But you can't post a text file or a PDF of such things only a zip.


A PDF actually presents more of a danger to you. I could slip you a
mickey with a pdf file much easier than I could a zip file. The PDF
can contain code that you wouldn't know was there, until your PDF
viewer of choice executed it for you (pending your pdf viewer is
exploitable, and, it most likely is) And, by then, it's too late.

http://www.esecurityplanet.com/secur...em-3932511.htm
In early 2010, PDF exploits were by far the most common malware
tactic, representing more than 47 percent of all Q1 infections
tracked by Kaspersky Labs. By mid-year, PDF exploits had fallen to
30 percent, overtaken by Java. However, PDF remains the world's
second most popular target.

1. Low-hanging fruit: One of the biggest reasons that PDF
exploits blossomed in 2009 was Adobe Reader's ubiquity. According to
Kaspersky researcher Roel Schouwenberg, hardening techniques like
Data Execution Prevention (DEP) and Address Space Layout
Randomization (ASLR) had been rolled into Windows, making OS
exploits less attractive. Malware writers searching for more fertile
fields seized upon PDF as a wildly popular monoculture ripe for
attack. Just about every desktop has a PDF reader installed --
usually Adobe Reader or Acrobat. This enormous pool of potential
victims translates into a financially lucrative attack target worthy
of investment in malware development.


2. Push-button exploits: In reality, as malware kits that
exploited PDF vulnerabilities became readily available, little
effort or expense was actually needed to tap this opportunity.
According to M86 Security Labs, malware kits such as LuckySploit,
CrimePack, and Fragus can be purchased for as little as $100 -- and
commonly top out around $1,000. This trend started with MPack but
really ramped up in 2008; today, most new malware kits include Adobe
Flash, Java classes and PDF-based exploits. Those kits made it
trivial to create obfuscated automated attacks that leveraged Adobe
Reader's many well-known code vulnerabilities.

3. Large attack surface: PDF is an industry standard portable
document format, implemented by many free and commercial programs.
But Adobe's Reader and Acrobat products are driven by an extremely
large and complex code base which includes numerous proprietary
extensions. This translates into functionality and flexibility --
characteristics that have made PDF a "universal language" for
document exchange. But it also means an extremely large attack
surface that has proven difficult for Adobe and anti-malware vendors
to defend. One example: Adobe Reader supports embedded Javascript
objects -- yet another foothold that malware writers can use to gain
traction.

4. Slow moving mitigation: According to a Microsoft Security
Intelligence Report, three Adobe Reader vulnerabilities -- patched
in May 2008, November 2008 and March 2009 -- accounted for more than
46 percent of all browser-based attacks. Vulnerabilities such as
these were so widely exploited because, until mid-2010, Adobe did
not have an auto-update infrastructure. Soon after an updater was
released, PDF exploits began to decline. However, they did not
disappear because 1) users must opt into auto-updates, and 2)
updates are only checked for the installed version. Thus, users
still running Adobe Reader 7.0 or 8.0 may think they are current,
having enabled auto-update and installed all available patches. But
they should really be moving to Reader X to avoid exploits that
succeed only against older versions.


5. The race is still on: During the past year, Adobe has taken
significant steps to reduce PDF exploitation. In addition to
auto-updates, Adobe developed an Adobe Reader Protected Mode – a
secure sandbox in which PDFs can be opened for display, handcuffing
malware calls to other applications and using policy to determine
actions that are automatically allowed or blocked. Unfortunately,
users can defeat these protections by clicking "yes." Although users
may now realize that PDFs are used for phishing, many still don't
think of PDFs as harboring malware. And attackers continue to find
new holes to exploit and new ways to evade detection. For example,
return-oriented programming (ROP) and stolen digital certificates
have played roles in recent PDF exploits.

You can click the link if you want to know more about pdf 0wnage.

At least with the .zip file, it can't do anything to you until you
unzip and 'run' whatever files are present inside. I'd have to coax
you into running one or more files inside the zip, but, with a pdf,
I'd just need you to 'view' it to give you a gift. And, you seem
stupid enough to do that, based on what you've written.

You can post a link that actually gives information rather than
just a download link, a sign of a scammer if you knew anything
about security or malware you should know that these sort of
things are what you don't access in any way.


You think I know nothing about security and/or malware do you?

The urls below are by no means the full extent of the malicious code
I'm responsible for having authored, but, it *should* put your
assumption that I know nothing about security and/or malware to
rest. If not, well, there's just no helping your ignorance on the
matter. I can fix many things of a technical and electrical nature, but
I can't fix stupid.

https://www.f-secure.com/v-descs/irok.shtml
https://www.f-secure.com/v-descs/toadie.shtml

I specifically included HTTPS links for you, as for some reason, you
think HTTP links are 'unsafe'

It's also worth noting that the irok family was my last series of
viruses, authored nearly two decades ago. I've since put the
knowledge I have to good use in helping keep systems I'm responsible
for secure from such things.

BugHunter (the program hosted on the domain with the same name) was
my attempt to try and make things right for the damage I caused to
people I didn't know. Along with working for Malwarebytes as an
expert malware researcher.

I *was* a blackhat hacker, but, these days, I'm a grayhat. I still
have a few vices, but none of it's related to authoring malicious
code of ANY kind. Due to my past, I'm always under peer review, as I
told you. It wouldn't benefit me in the least little bit to do
anything nefarious to your system or anyone else's.

Which is why as I explained, numerous times already, the .zip file I
offered poses absolutely NO threat of any kind to you. Another
individual you likely don't know or trust already confirmed what's
inside of it.

My first computer had 16k of RAM.


That's nice, but, I get the impression you didn't graduate beyond
that of an end user, based on our discussion so far.

On my first webpage I wanted an animated gif and most had 14.4k
modems so I made a gif of 3 flying bats that was less than 1Kb


It's possible some users were 14.4k, but, depending on when they
started surfing the web, they could have been using 28.8k, 33.6k, or
56k

My first online experience was on a 2400baud modem, on the internet,
but, not on the www as it didn't exist yet. I was also a serious BBS
user as well as SysOp...Enough strolling down memory lane though.

As I said, you don't strike me as a tech savvy individual. Mac is
probably well suited for your IT abilities. It holds hands, quite
nicely.

Nowerday a lot of google adds are more than 1/2 meg, I watch HD
trailers on-line, I play a an online game with guite good graphics
all from the browser. I've vie lots of 10MB files of the mariation
surface on-line.


Are you not a good typist either? Or, is something else up here?

Telling people to download zips is stupid, it's one of the
simplest things you can do to protect yourself is NOT to download
zips.


Zips are just files that cannot do any harm to you by themselves.
It's the contents when unzipped that determines harm value. The .zip
file itself plays no role in that. To think otherwise, is, well,
just ignorant.

Many programs can be found online in .zips. BugHunter comes as a
.zip file, for example. As do MANY others. It's an industry standard
archive format.

That was the first thought, as T.Rex were the first band I liked
as a child , the first record I bought was by them but can't
remember which record.


I'm starting to think that your thought processes are in need of
work, as you confused a cat reference as having something to do with
my sex life...

It's far more likely than me downloading a zip from someone I
don't know.


Downloading a .zip file poses no threat to you or anyone else.
Blindly running scripts you know nothing about, opening pdf files
can be a security risk to you, mac or not. And, I bet you don't even
think twice about doing it.

http://www.esecurityplanet.com/secur...em-3932511.htm


So if that's what you're hoping for, I'd watch the sky
for that ICMP you're expecting.


I'm hoping for nothing actually. You seem to be one of those
incurably stupid individuals on the internet. I would say I pity
you, but, I'm fresh out.


--
I would like to apologize for not having offended you yet.
Please be patient. I will get to you shortly.
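
Added example, not part of the original post: the post's point that a .zip is only a container and that its contents decide the risk can be checked by triaging an archive in memory, without extracting or running anything. The function names, the finding labels and the sample archive are constructed for illustration.

```python
import io
import zipfile

SCRIPT_EXTS = (".js", ".vbs", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")
MAX_SCAN = 1 << 20  # read at most 1 MiB per member (guards against zip bombs)


def triage_zip(data: bytes) -> dict:
    """Return {member name: [findings]} without writing or running anything."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, findings = info.filename, []
            if name.startswith("/") or ".." in name.split("/"):
                findings.append("path-traversal-name")
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                findings.append("encrypted-unscanned")
            else:
                with zf.open(info) as fh:  # decompress in memory only
                    body = fh.read(MAX_SCAN)
                if body[:2] == b"MZ":  # DOS/PE header of a Windows executable
                    findings.append("windows-executable")
                elif body[:5] == b"%PDF-":
                    # Coarse keyword scan; compressed or obfuscated objects evade it.
                    findings += ["pdf:" + t.decode() for t in PDF_ACTIVE if t in body]
                if name.lower().endswith(SCRIPT_EXTS):
                    findings.append("script")
            report[name] = findings
    return report


def build_sample() -> bytes:
    """Constructed, inert sample archive (not from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("doc.pdf", b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >>\n"
                               b"2 0 obj << /S /JavaScript /JS (placeholder) >>\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, found in triage_zip(build_sample()).items():
        print(f"{member}: {found or 'nothing flagged'}")
```

A clean result only means none of these coarse checks fired; it says nothing about whether the viewer that later opens a member is itself vulnerable.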