Web Page Safety ?

[Andy R]

There are many features of CF which rely on JavaScript. They include many of the drop down menus, the quick reply box, the WYSIWG post editor, private message system, and the tags that call the ads. This is in NO WAY a security concern.

What does happen from time to time is bad people submit ads to the ad networks which attempt to install malicious software on your computer. This is very limited and in the last decade of running fairly large websites it's happened less then I can count on my two hands. We have a policies in place to protect our members if we are catch wind of issues like that and take every possible precaution to protect our members.

Simply turning off many of the features of the browser is going to effect your internet experience negatively. The best protection you can have is quality virus protection software. I would suggest ESET or Kaspersky so they identify malwares before your computer downloads them.

[colemj]

Quote:

Originally Posted by hellosailor

"The Mac is simply an unpopular computer, compared to the PC, and as such fewer people target attacks looking for it. That does not make it safe, except to say fewer folks are out gunning for you.

Sorry, I misunderstood the above quote to mean that fewer people target attacks at the Mac because it is simply an unpopular computer compared to the PC.

I still don't understand why you think malware authors wouldn't consider 94 million computers (and growing at a high rate) as worthy of harvesting or attacking. Especially since, according to your thesis, the operating system is no more secure than windows (whichever version), which makes writing the malware easy. That would be one stupid thief.

94 million computers in operation, no known viruses in the wild, no known boxes infected with bots or spyware and no known data harvesting. This cannot be because they aren't "popular".

If you want a safer computer, particularly for use on the web, get a mac. If you also need to run windows programs, get a mac.

I don't keep posting on this thread to make a mac vs pc debate, but rather to address the question that came up about whether macs are susceptible to the widespread malware problems plaguing pc's. We own two pc's and two macs, which also run windows on them. I use windows every day along with mac os. The pc's are dedicated to navigation and are never put into possibly compromising environments (public access points, etc). We fearlessly take our macs into those.

Interestingly, windows is safer to run in a virtual machine on a mac. If you do muck the thing up, you simply restore from a snapshot of the system before it was toasted. Takes one minute and poof - all viruses and malware gone and you are back running.

I just bought a PC today with windows 7. It set up the user account as an administrator by default during the initial setup wizard and I never encountered any UAC.

Mark

[hellosailor]

Hi barnie.

"1) it is not Cruisersforum pages that generate the messages, it is your browser, and your browser is probably wrong,"
You are right, technically. It is my browser that is generating the warning messages, but my browser is only generating them because something on a web page--in this case, your web page, is triggering the warning prompt. Please, let's not pick not. Triggering, generating, the bottom line is that the web page being loaded is the reason that the warning is being displayed. Let's focus on the issue not the semantics.

"2) java, javascript, flash, etc., are not malware, unless they are designed to do just that, which is not likely in case of Cruisersforum,"
No one said they were malware. What makes you even say that?? Let's not be coy here, these active technologies (call them what you will) SOMETIMES ARE USED to carry malware, and that risk can be eliminated when the technologies are simply not used. The funny thing is, that when they are blocked, there is usually no loss apparent to the viewer. And simply by using them, and encouraging the viewer to use them, you create a security risk. Or maybe you don't remember, maybe you've never heard, there is malware that gets loaded onto web sites withou the intent, permission, or knowledge of the webmasters? Wasn't there a problem reported a couple of months ago on this forum that way? Or was it on a certain other major sailing forum?

If you are not aware of web sites having these problems...I'd find that incredulous. If you're pretending the issue doesn't exist, I'd call that disingenius. Again, let's focus on the issue.

"3) the stuff is run to make the best use of the medium (the Internet and the digital word), unless proven otherwise."
Ahuh. When you say "best use" define "best". For me as a forum user/viewer, somehow the pages give me the same information when I block all that stuff. So it isn't any "better" for me. Is it better for you? Are you saying, the security of the members' systems is less important than some benefit the forum gains by running...Oh wait a minute, you still haven't said what it is you are running that is triggereing security warnings. You've only implied the warnings are bogus.

And we both know, something has to be triggering them, they don't just happen by themselves. The last folks who told me something like that were in fact outright lying, as the vendor or their site certificate confirmed for me in writing. (Folks said MSIE had a bug, their certificate wasn't invalid. But the certificate issuer stated that it had in fact been revoked and the message was correct.)

"With this attitude I can imagine you do not use ..."
Let me understand your point here. You are saying that your own security is as sophisticated as Googles? Because, even they have been hacked. But if I had to take a gamble on whether you or they were hacked (by someone loading malware, or by an advertiser inadvertently carrying malware) one any given day, I'd bet they were less likely to be hacked, and they'd have a faster response to purge it.
I'd also bet that some of those sites you mention actually need some of those technologies to function, where this one apparently doesn't need them at all.
Facebook? No, I don't need that at all. So I've missed all their security problems, and they'd have a number of them. But you're still ignoring the issue. It's as if I've asked you if you were selling cocaine, and your reply is "Well Neil Armstrong doesn't sell cocaine." So what? What other sites do is irrelevant to what this one does. Or didn't your mama ever ask you "And if everyone else jumped off the Empire State Building, would you do that too?"

"In normal situation (with the firewall up and anti-vir ticking) it is very, very difficult to get any harm."
Yeah, and this is the first time in the entire history of the PC that I've been penetrated by such nasty malware. The moon was in Aquarius and the tide was really low and my guard dog was off having puppies.
Irrelevant.

"But I do agree with you that some of Adobe stuff is crap "
Which only goes to make the point: Big company, lots of resources, big budget, lots of programmers, and they STILL MANAGE TO CREATE SECURITY PROBLEMS.

So, how about responding on point and telling us what active technologies you are using, and why they are essential for you? Or us?
And if they are not essential, how about dropping them?

[mintyspilot]

Macs have been infected - usually through Safari. MacBook/Safari Hacked in 10 Seconds

Many security penetrations, including cross-site scripting attacks, rely on Javascript to impart information such as session cookie names to the attacker who can than log on to the server's session using your validated credentials. This allows the server (in our case CF) to be hacked.

Where the various operating systems differ when the PC is hacked, is the amount of damage that can be inflicted during a client-side attack. With Linux (and possibly the Mac) the damage is limited to the user's account. On Windows it tends to compromise the whole machine unless you are using a limited user account.

It is the responsibility of the website to do what it can to prevent attacks since many attacks exploit coding vulnerabilities. Javascript may allow the attack to be launched, but it is up to the website to ensure that the cross-site scripting attack fails by ensuring that all user input to the website is correctly sanitised. When web servers are compromised they are usually used to distribute supposedly innocuous stuff to PCs browsing the website and then infecting them.

By all means protect your PC, but websites have their part to play as well. It takes two to tango.

[Factor]

Forget the whole MAc PC security debate - buy a mac just for the ability to run GPS NAV X

[hellosailor]

Apple security updates

Products Affected

Mac OS X Server 10.4, Mac OS X 10.4, Product Security, Mac OS X Server 10.5, Mac OS X 10.5, Mac OS X 10.6, Mac OS X Server 10.6 , AirPort, Apple TV, iPhone, iPhoto, iPod touch, QuickTime 7, Safari

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
Important: This document describes updates and releases for January 19, 2010 and later, such as Security Update 2010-001. For information about earlier security updates, see these documents:

• Apple security updates (15-Jan-2008 to 03-Dec-2009)
• Apple security updates (25-Jan-2005 to 21-Dec-2007)
• Apple security updates (03-Oct-2003 to 11-Jan-2005)
• Apple security updates (August, 2003 and earlier)

"The only good computer, is a dead computer". [Will Rogers]

[colemj]

I'm not arguing that macos doesn't need security updates, and none of my posts on this subject say that. My thesis is that you are much safer using it than windows. And that the argument that macs aren't targeted because they aren't popular is silly and simply not supported by logic or evidence. They aren't successfully targeted - and there is an architectural and fundamental reason for that.

Again: 94 million computers in operation, no known viruses in the wild, no known boxes infected with bots or spyware and no known data harvesting.

If you want better computing safety than windows, particularly on the web, get a mac.

Mark

[osirissail]

Wow, this has turned into a pseudo "anchors" type thread. I will the last person the tout Windows "anything" - but I use it and beat my computer frequently with my fist as a result. The reason for using it is that Windows has always been an "open" system and as a result the number and variety of applications dwarfs the Apple by huge magnitudes of orders.
- - As to attacks by the various forms of Malware, Apple is just more proactive in finding and resolving the attacks as "Hellosailor" showed a snippet above. Computer malware in any Google search will outline that the attacks towards Apple stuff is less attractive due to their installed market share along with many other factors. If Apple grows to anywhere near the Microsoft installed market undoubtedly the attention of malware makers will significantly shift towards the Apple market. Then the whole picture will change.
- - But for the present Apple computers are less attractive to malware makers and that along makes the system more attractive to users who do not need some of the MS written applications. It is just like cruising to various little countries and the security issues. If only a few cruisers visit a location over a long time the locals think of us as novelties and leave us alone - but - when hundreds and hundreds of cruisers start stopping and visiting, the local's attitude shifts toward seeing us as revenue sources and security problems escalate dramatically.

[colemj]

I run all my windows navigation, airmail, gribs, quicken and other programs within a virtual machine on my mac. It is safer to use windows this way (or at least much easier to recover from malware).

Again, the unpopularity of the mac platform is not what is keeping the malware off of it. That has become one of those common "beliefs" brought out by continual repetition without evidence or facts. Neither is Apple's proactivity - Microsoft is actually much more proactive than Apple in issuing security updates. The security picture will not change if the mac suddenly became the most popular computer.

The mac is less attractive to malware writers because it is so much more difficult to write successful malware for it. Is it possible? Yes. Is it economically viable? No. If it was as easy as writing malware for windows, then they would be salivating over an additional 94 million targets (and growing). They would be stupid not to write malware for the mac. You guys seem to be missing this point when sticking to the "popularity" argument, which, while seemingly attractive as an explanation, has no basis in fact.

I have presented the fact that there are no known viruses in the wild, no known boxes infected with bots or spyware and no known data harvesting. Please present the fact showing this is because the platform is unpopular.

The proper analogy to cruisers is that group of macs are like a group of cruisers who are so well prepared and locked down for security that the locals look for easier, more economically feasible, targets.

Probably enough of this debate. I just wanted to make sure that anyone reading this thread has proper data from which to make a decision, rather than just heresy and "common beliefs" formed from unbased repetition.

Mark

[barnakiel]

Quote:

Originally Posted by hellosailor

So, how about responding on point and telling us what active technologies you are using, and why they are essential for you? Or us?

And if they are not essential, how about dropping them?

Hi,

You want "responding on point" then listen to Cruiserforum admins' posts, not mine, mate. I was not asked, thus I was not responding - I was sharing my comments and views on the subject at hand.

Now that you did ask the question. I use:
- html for the content,
- css for the form,
- JS and PHP,
- Flash.

You can forget about dropping JS or PHP. Only the most basic text based web site will do without them. And the most basic text based web sites are not what users want. Form complements content, and form follows function.

Let's not go into the alley of web designers as morons or dire criminals;-). For they are not, and they care about your safety as much, if not more, than you do (also because they understand the safety issues much better than 99% of web site users).

Flash - I would gladly leave it behind if not for the reason that it is so flashy at picture galleries.

BTW Without what you call active technologies, could I be writing this response to you?

Cheers,
barnie, the active, flashy technologist ;-)

[hellosailor]

Mark- "Again: 94 million computers in operation, no known viruses in the wild," Apple themselves disagree with you, explicitly stating there ARE malware in the wild and they ARE being used to attack Macs.http://support.apple.com/kb/HT3662 "When you open a quarantined file, the file quarantine feature will check to see if it may include known malware. If so, a dialog such as this will appear:" Of course some of the AV vendors also claim there are malware on web sites and that they outperform Snow Leopard at catching them, including Sophos Labs who post a video showing SL missing an attack from the USB stick, which they claim to block. All that Apple has done is to bundle an AV type product (or AV type core code) into their OS. You may remember that Microsoft actually did that nearly 20 years ago--way before Apple did--and the Department of Justice told them to remove it because it was "unfair competition" against outside vendors. This was around the time that Caldera was suing them over DR-DOS, and AOL was suing over the integration of the web browser. Microsoft complied to government orders and killed their internal AV product. But, they have also been providing "Microsoft Security Essentials" which is a free anti-malware product for recent versions of Windows (XP and up, IIRC) that's been available for over a year now. One could make the point that this now puts MS on the same ground as Apple, making protection free "in" the OS. Except, MS was expressly banned from including it and Apple hasn't been required to play on the same level field. Yet. And Apple states, they won't comment on security until after it has been addressed. But they do issue updates which do address security flaws, so obviously the flaws exist. Unless, you think all the security vendors are lying, and Apple is also lying because...it makes them look better to say they have both problems AND 100% solutions? (Hey, it could be.)Barnie- "BTW Without what you call active technologies, could I be writing this response to you?" Yup. You could post it in plain text, with HTML3.2 running the page. css is just an excuse for using boilerplate "calls" instead of putting the boilerplate on every page. makes management easier, since you can revise one page instead of revising the fix on every page where it has been placed--but there are s&r tools that can revise a whole web site in one shot. Been there, done that, it works too. You needed JS to reply to me? Funny, I can block it and still see and reply to the pages here. My computer must know something yours doesn't know. Flash? Come on, no one needs Flash to display pictures, there are other ways to do that. Flash got popular because if prevented viewers from saving or printing the pictures, so porn sights could show previews and folks had to come buy them to save them. Then the rest of commercial vendors figured out that was a good way to make extra bucks as well. But here?? Flash? Won't buy you love, as the Beatles said in '64.

[Andy R]

Guys, this thread is not going anywhere productive. I am going to close it so we can all move forward.