Cisco 2008 annual security report::: The invisible hacker.

[kgun]

I found an important Norwegian article with the following translated heading:

Traditional IT security is no longer adequat.

(Translate the article with Google Translate)

Minimum recommended reading if you translate the article, See the story under the headings:

• The report reproduces several cases of spectacular use of fake websites.
• Social network contains multiple hazards.

Some important KW's from the Norwegian article:

• Spear phising.
• Cache (or DNS) poisoning. a technique that gets a DNS server to provide incorrect IP address to a given URL.
• DNS Security Extensions (DNSSEC).

The main message is that invisible threats make

• common sense
• anti virus and
• firewalls

incomplete for your online security.

The use of

• convincing e-post messages urging the user to click on rotten links to give away sensitive information, and
• invisible methods like cross server scripting (XSS) and SQL injections to infect computers by hacking into the webiste's server and leave code that hurt random visitors to the site

has been refined and improved.

Note: The main majority - more than 79 percent - of the sites that infect its visitors are legal services that have been hacked by criminal hackers.

Original source: Cisco 2008 Annual Security Report - Cisco Systems

[MrGamm]

By any chance does the same Norwegian company have investments in quantum cryptography?

I like a scare as much as the next guy. However, the only way I think people are actually going to get a truly secure internet is to either rewire the internet so we each have a dedicated cable connecting everyone to everyone. Either that or we'll have to wait for data teleportation, and even then I have still have my skepticism.

Maybe the answer isn't better security... maybe it's better law enforcement?

thanks for the article

[kgun]

Quote:

Originally Posted by MrGamm

By any chance does the same Norwegian company have investments in quantum cryptography?

64 bits OS's systems are fairly common now. How many bits do quantum cryptography require?

Quote:

Originally Posted by MrGamm

Maybe the answer isn't better security... maybe it's better law enforcement?

I don't agree. There will always be a race between hackers and coders. Some simple steps:

1. Don't surf as an adminstrator.
2. Us a browser like Opera where cross server scripting is (almost) impossible.
3. Set up a firewall around your web server. Read more ...
   

[wige]

Quote:

Originally Posted by kgun

64 bits OS's systems are fairly common now. How many bits do quantum cryptography require?

None, at least in the OS definition. Quantum cryptography is a framework for the transmission of an encryption key between two parties, which reveals any interception of the data, on the theory that in order to view the data, it must be altered, and the final party receiving the data would be able to detect the alteration and know that the transmission had been eavesdropped upon.

However, quantum cryptography has a major drawback - it requires a direct connection between the two parties. Passing data through anything, such as a hub or router, would alter the quantum bits in the same way as eavesdropping, since they have to be read in order to be routed.

[kgun]

(Quantum) cryptography takes the foccus away from the real problems.

Why has nobody answered this Will this make WPW more professional? important question?

Read post #43.

To repeat:
"Opera is indeed the safest browser in the world. You have no way of convincing Opera 8.5 to allow the JavaScript code to access a different server than the one it was loaded from".

Also read about ActiveX objects and security that you mention in your own thread:

Internet Security 2008

By recommending Opera to the surfer, you avoid two main sources of attacks.

• Cross server scripting XSS.
• Infection via IE designed ActiveX controls.

So by deleting private data on logout, WPW could make life easier for the members that use Opera. Now I start my login to WPW by deleting private data (three mouse clicks - is too much in a minimalistic world ).

[wige]

What do you consider "private data" which should be deleted? As it stands, the only private data that a web site can manipulate is your cookies. When you delete private data in your browser, you are actually clearing the cache and stored data, in addition to the cookies.

As far as your two points on opera, the second point would apply to Firefox as well, since only IE processes ActiveX controls. As far as XSS, there is only one level of protection - Opera prevents a script on the visited domain from loading a script from an external domain. This is something that is being incorporated into other browsers as well, and it does not offer protection against the more common injection attacks where an iframe is hidden in the page.

Opera also does not prevent off-domain media from being displayed, which was one of the more common sources of infection during 2008, when external advertisements would be compromised. There are, however, several Firefox addons that will automatically remove external media from the source code before the page is rendered, preventing the download of the external code.

[kgun]

Quote:

Originally Posted by wige

What do you consider "private data" which should be deleted? As it stands, the only private data that a web site can manipulate is your cookies. When you delete private data in your browser, you are actually clearing the cache and stored data, in addition to the cookies.

Cookies are just 'little notes' that your browser keeps about web pages. Contrary to popular belief Cookies are not Programs and cannot contain viruses, they are simply letters and numbers.

When using Opera, I have to delete private data myself. I do not know the exact reason why Opera is different from IE and FF here.

" ... the only private data that a web site can manipulate is your cookies".

That statement may give a false impression that there is no risk visiting a web site or forum.

Quote:

Originally Posted by wige

As far as your two points on opera, the second point would apply to Firefox as well, since only IE processes ActiveX controls. As far as XSS, there is only one level of protection - Opera prevents a script on the visited domain from loading a script from an external domain. This is something that is being incorporated into other browsers as well, and it does not offer protection against the more common injection attacks where an iframe is hidden in the page.

Have you tried to hide an iFrame in a page with

• IE
• FF
• Opera?

I got some on my forum, and I am quite sure that the visitor did not use Opera.

Quote:

Originally Posted by wige

Opera also does not prevent off-domain media from being displayed, which was one of the more common sources of infection during 2008, when external advertisements would be compromised. There are, however, several Firefox addons that will automatically remove external media from the source code before the page is rendered, preventing the download of the external code.

Wige, with all due respect, it is rediculous to rely on a third party plugin / toolbar for browser security related tasks.

To repeat:

Quote:

Originally Posted by kgun

Note: The main majority - more than 79 percent - of the sites that infect its visitors are legal services that have been hacked by criminal hackers.

Relying on a third party plugin would fundamentally break Opera's overall security principle.

Don't rely on any website.

The main reason why my son switched to Opera, was because it was so easy to block unwanted ads. The main reason why my daughter and her family switched to Opera, was because their computer was constantly infected. Since they started to use Opera about 1/2 year ago, they have had no infection.

Final question: Wich web browser do you regard in order of priority to be:

1. Most secure?
2. Best for people with disabilities?
3. Having most inbuild functionality?

My only bad experience with Opera are some Flash movie pages. Can that be security related?

With my january 2009 experience, I will go this far:

A serious computer dealer will have the Opera browser preinstalled as the default browser on the Pc's (s)he sells. That may help more inexperienced internet surfers than (s)he can dream about. At least it is my experience, and I have been in the IT business since 1977 and surfed the web from the beginning.

Note: I am in no other way related to the Norwegian company, Opera than living in the same country.

[wige]

Quote:

Originally Posted by kgun

Cookies are just 'little notes' that your browser keeps about web pages. Contrary to popular belief Cookies are not Programs and cannot contain viruses, they are simply letters and numbers.

When using Opera, I have to delete private data myself. I do not know the exact reason why Opera is different from IE and FF here.

" ... the only private data that a web site can manipulate is your cookies".

That statement may give a false impression that there is no risk visiting a web site or forum.

True. To clarify, the only thing on your computer that a web site is supposed to be able to modify is the cookie data. Any of the other elements that a browser considers "private data" is supposed to be handled by the user, not the site.

Quote:

Have you tried to hide an iFrame in a page with

• IE
• FF
• Opera?

I got some on my forum, and I am quite sure that the visitor did not use Opera.

Yes. In fact, when testing a site which was compromised by injecting third party scripting, Opera did not provide any additional protection compared to IE or Firefox. The XSS protection advertised by Opera is not a comprehensive solution, rather it is a solution to address one particular issue. In fact, if attackers specifically targeted Opera they could bypass this protection entirely by using an embedded iframe.

Quote:

Wige, with all due respect, it is rediculous to rely on a third party plugin / toolbar for browser security related tasks.

To repeat:

Relying on a third party plugin would fundamentally break Opera's overall security principle.

Don't rely on any website.

You can't rely on websites. They can be hacked.
You can't rely on browsers alone. They contain vulnerabilities just waiting to be discovered.
You can't rely on addons. They operate at a different security layer, and can include their own issues.

However, a careful combination of elements can provide the highest level of security.

Quote:

The main reason why my son switched to Opera, was because it was so easy to block unwanted ads. The main reason why my daughter and her family switched to Opera, was because their computer was constantly infected. Since they started to use Opera about 1/2 year ago, they have had no infection.

Final question: Wich web browser do you regard in order of priority to be:

1. Most secure?
2. Best for people with disabilities?
3. Having most inbuild functionality?

1. Most secure? Firefox > Opera > Chrome > Internet Explorer
2. Don't know
3. Opera does come with a lot of stuff, but how much would I actually use?

[kgun]

Quote:

Originally Posted by wige

True. To clarify, the only thing on your computer that a web site is supposed to be able to modify is the cookie data. Any of the other elements that a browser considers "private data" is supposed to be handled by the user, not the site.

I note your styling and wording. So you agree with my own thoughts on the subject. Do we know enough?

Example: Why can you drag an URL in FF to the desktop, but not in Opera? My son and I agree that it is security related, but we don't know Opera's (default - I write default since I don't know whether it can be changed with opera:config) reason for disallowing it.

I stand by my original statement, that private data should be cleared when you leave a site or you should be given a choice like you are given when logging out of LinkedIn.

Quote:

Originally Posted by wige

Yes. In fact, when testing a site which was compromised by injecting third party scripting, Opera did not provide any additional protection compared to IE or Firefox. The XSS protection advertised by Opera is not a comprehensive solution, rather it is a solution to address one particular issue. In fact, if attackers specifically targeted Opera they could bypass this protection entirely by using an embedded iframe.

Ok, I can not control that test. The only requirement I have is that you can, on request, supply your test data, so your results can be reproduced. It is also interesting which version of Opera you used. It has been used as an argument against the Opera browser that it is updated so often. In my opinion that is an advantage, especially on security related issues. In that Cisco report it is also stated that hackers have increased their lead on "security coders".

Quote:

Originally Posted by wige

You can't rely on websites. They can be hacked.
You can't rely on browsers alone. They contain vulnerabilities just waiting to be discovered.
You can't rely on addons. They operate at a different security layer, and can include their own issues.

However, a careful combination of elements can provide the highest level of security.

Mostly agree. One thing that has surprised me as a programmer. If I designed an OS, I would,

• Protect the factory settings (and the OS kernel) completely. That means complete intrusion protection of the OS kernel.
• Different levels of protection of the system folder. Only the system administrator has access to the system folder.
• Better protection of the system start up.

I think that is what Microsoft have tried to do, but the result has not impressed me so long. (What has happened to this Abtrusion Security Swedish site? Specialists in abtrusion protection).

Quote:

Originally Posted by wige

1. Most secure? Firefox > Opera > Chrome > Internet Explorer
2. Don't know
3. Opera does come with a lot of stuff, but how much would I actually use?

1. You must know much about browser security when you rate Chrome as more secure than IE 7+. Personally I would be very careful about drawing any firm conclusion about Chrome's security features. The browser is simply to new, but you started the thread Google Chrome Security Vulnerabilities. Something, but IMO opinion, too little, is know after about 6 months life.
   
   I don't buy the statement that FF's privilege based security model is more secure than Opera's (unknown for good reasons? model). Addons like FireBug make FF good for WebMasters, but I would not, as explained above, trust addons / plugins as a security tool for a browser. It is not comparable to personal firewalls and antivirus programs. As far as I know, there is no list of trusted providers for security related addons / plugins for FF. Rather the opposite is true. Addons and plugins for FF flourish and are found all over the internet. So it can not be difficult to write addons and plugins for FF. That it is so easy and there are so many toolbars and plugins for FF rather make me more sceptical to how secure the browser is.
2. If you don't know Opera's view + style menu, you can not know the browser, even at an elementary level. To mee it seems more that you have made up your mind. FF is best. I use all three browsers daily, so I am fairly used to all three.
3. Speed dial, the ability to add your preferred SE to the SE's list and to the speed dial are fuinctionality that I personally like. There are much more. I could turn the question around? How many of FF's plugins and toolbars do I really need?

Christian Darie, Bogdan Brinzarea, Filip Chereches-Tosa and Mihai Buicica (March 2006): "AJAX and PHP. Building Responsive Web Applications" Packt Publishing page 84 tested IE's FF's and Opera's security model when they wrote: Opera is indeed the safest browser in the world. The test is written over a chapter so you can control the results.

[MrGamm]

Well... In case nobody has dropped the bomb yet...

What's with Open Source? And what's with the current perverted attitude which makes people think exposing your security measures to the entire world is a good idea? Why are half a million people installing software for their websites which they have no intention, or capabilities to secure?

http://www.google.ca/search?q=%22hacked+by%22+wordpress
http://www.google.ca/search?q=%22hacked+by%22+joomla
http://www.google.ca/search?q=%22hacked+by%22+phpnuke
http://www.google.ca/search?q=%22hac...%22+oscommerce

Take note that those results are showing in excess of 100,000 results for some. Next month many of those results will be "unhacked" and a fresh crop of results will fill their place.

Another note... I haven't investigated it myself. However, people using oscommerce have told me that their user passwords are not encrypted in the database. If this is true or not I don't really care as i have taken over other websites and had the database contents handed to me in a non-encrypted format.

I realize this doesn't seem like a big deal to many. However... If I wanted to I had the opportunity to try all these passwords and email accounts on any other website I wanted.

For instance... I could have taken the email and password combos and tried them on PayPal, Webmails, ect.

Security is sometimes over hyped in many circumstances and it's the real basic stuff which is the real threat. jmo.

[kgun]

Quote:

Originally Posted by MrGamm

Security is sometimes over hyped in many circumstances and it's the real basic stuff which is the real threat. jmo.

Google:

hacking OR malware cost USA OR "the world"

and variations thereoff.

First hit

Malicious computer misuse such as hacking and virus writing will cost the world economy an astounding $1.6 (£1.05) trillion this year, according to a study released Monday.

[MrGamm]

Quote:

Originally Posted by kgun

Google:
hacking OR malware cost USA OR "the world"

I'm sorry. It was bad choice of words.

I am under the impression that Security Talk is often too complicated for the average user to understand and it dissuades them from taking it seriously.

When I said it is over hyped, I should have used the word "Over complicated"

It's the really really easy stuff which is costing people trillions of dollars. It's a get rich quick or die trying attitude which causes people to overlook security and make them think, "it could never happen to them". It doesn't matter if they download free malware from the web or if they upload a distribution channel for malware in the form of a poorly secured website... jmo...

Well... The internet is not like spending 20 years in a residential area and considering yourself lucky when only one of your neighbors get robbed. On the internet... when your neighbor gets robbed. Your information gets robbed along with it in many instances.

Additionally... I don't need a report from Google to know how bad the problem is. I know it's getting worse. As long as this keeps happening... it will continue to get worse... ( Here's a report from Google... maybe I do need Google... )

http://www.google.com/trends?q=jooml...ate=all&sort=0

What business does joomla and wordpress have handing out software without providing a service to keep thier software secure. What good is releasing a security advisory if 1,000,000,000 website owners don't upgrade the software?

http://technosailor.com/2007/05/24/9...gs-vulnerable/

Open source is a completely irresponsible methodology... jmo...

These are some of my favorites...

http://wordpress.org/development/2007/03/upgrade-212/

http://www.joomla.org/announcements/...available.html

http://www.techcrunch.com/2008/06/11...curity-issues/

I've downloaded both distributions. I think I have even gone so far as to provide my email address and contact information. I have received no security advisories. These two companies are pushing their brand name to the top at the expense of everybody else. Jmo...

Here's a nice report from IBM...
http://ostatic.com/blog/open-source-...ulnerable-list

Open Source by design sounds like a wonderful concept and for all intensive purposes it is. However as a whole community I do not believe we are responsible enough to live up to what it demands. It demands that people upgrade and maintain the software which they do not do. I find it rather upsetting to know that if I wanted to I could download the blue prints for somebodies security system and search the boards for known vulnerabilities and write a script to take out a competitors site. It doesn't upset me because I now have to withhold the temptation, but rather it upsets me that I have witnessed other peoples websites get hacked on a weekly/daily basis because thier competitors are fairly fierce. Either that or they just had too much traffic and the odds were working against them.

I think what most people do not realize is the sheer size of the internet and how long it takes for a hacker to find you. Once a dedicated hacker finds a security exploit they want to exploit they write crawlers which actively seek out websites which they can breach. It's an entirely automated process and the really smart hackers turn other peoples websites into malware websites so they can increase the area of damage exponentially.

I am very suspicious as to just how long it would take for a website installation with a known security vulnerability to be reached by a hacker. I still have old crawlers hitting my websites looking for old phpNuke exploits which amazes me because the software is so old, it says something about the open source security community if the vulnerability still being searched for 5 years after it was patched.

Joomla is only two years old and it has a user base larger than any other open source website software package by far. I can only imagine how many Joomla websites are going to get hacked in the next 5 years to come. Especially considering they are still rolling out critical security vulnerabilities as of this year.

The web is such a large place I think the damage just isn't seen immediately. It's a continual process which just perpetuates itself by having everyone turn a blind eye to where the real problem lays. Responsibility. The Open Source people want to try and tell you that they are "secure" because they release patches quickly, but that's not the issue. The damage has already been done at that point and it becomes a waiting game for the malicious crawlers to get the website owners who have neither the support, know-how or awareness to do something about it. The majority of these open source websites have been installed by contractors or by entirely novice users who have no security responsibilities to the internet community as a whole. This is where open source fails.

Take another look at this statistic. Ask yourself how many Indonesian contractors have the future of your business in mind. In other words. This is the single biggest indicator that the majority of joomla installations will never get upgraded after that first installation.

http://www.google.com/trends?q=jooml...ate=all&sort=0


What truly amazes me is the claim that more eyes looking for security vulnerabilities somehow reduces the total number of exploits. 1,000,000,000 eyes looking for software exploits also immediately translates to 1,000,000,000 hands pumping in an equal amount of new security exploits back into the software.

[wige]

Quote:

Originally Posted by kgun

Example: Why can you drag an URL in FF to the desktop, but not in Opera? My son and I agree that it is security related, but we don't know Opera's (default - I write default since I don't know whether it can be changed with opera:config) reason for disallowing it.

Actually, it is possible (with the default settings) to drag and drop a link onto the desktop, or into Firefox or IE from Opera. However, it is more difficult in Opera because of the gesture system and the way text is highlighted by the mouse. Using Opera 9.63, the difficulty is actually in "grabbing" the link to drag and drop it. You have to click the link and immediately move the mouse downward. Any hesitation will cause the mouse to switch to text-highlighting, and moving the mouse in any other direction triggers the gesture system.

Quote:

I stand by my original statement, that private data should be cleared when you leave a site or you should be given a choice like you are given when logging out of LinkedIn.

Agreed from a technical and security standpoint. Private data is a security threat, because it could be accessed by spyware. However, from a usability standpoint, most users like having that data available and won't delete it. Opera, Chrome and Firefox do, however, provide robust options for clearing that data either upon leaving the site (Opera does at least) or on closing the browser. In addition, Firefox by default encrypts the stored private data.

Quote:

Ok, I can not control that test. The only requirement I have is that you can, on request, supply your test data, so your results can be reproduced. It is also interesting which version of Opera you used. It has been used as an argument against the Opera browser that it is updated so often. In my opinion that is an advantage, especially on security related issues. In that Cisco report it is also stated that hackers have increased their lead on "security coders".

The best proof of concept is to go to wowwiki.com and visit any article linked to on the home page. This site was not used in any attack, but all of the ads that appear on article pages are written into the page by document.write() functions in javascripts called from an external domain. This is the very definition of XSS. If Opera does not block this, I don't see what special protection it offers compared to other browsers.

Quote:

Mostly agree. One thing that has surprised me as a programmer. If I designed an OS, I would,

• Protect the factory settings (and the OS kernel) completely. That means complete intrusion protection of the OS kernel.
• Different levels of protection of the system folder. Only the system administrator has access to the system folder.
• Better protection of the system start up.

I think that is what Microsoft have tried to do, but the result has not impressed me so long. (What has happened to this Abtrusion Security Swedish site? Specialists in abtrusion protection).

I definitely agree with this. However, it is more difficult than it sounds. It is necessary that the kernel be accessible to the user for the purpose of applying security patches. And if the user can access something, a software application can pretend to be the user and do the same thing. This is one of the issues that privilege levels try to address, but this was only added to Windows starting with Vista.

Quote:

1. You must know much about browser security when you rate Chrome as more secure than IE 7+. Personally I would be very careful about drawing any firm conclusion about Chrome's security features. The browser is simply to new, but you started the thread Google Chrome Security Vulnerabilities. Something, but IMO opinion, too little, is know after about 6 months life.
   
   I don't buy the statement that FF's privilege based security model is more secure than Opera's (unknown for good reasons? model). Addons like FireBug make FF good for WebMasters, but I would not, as explained above, trust addons / plugins as a security tool for a browser. It is not comparable to personal firewalls and antivirus programs. As far as I know, there is no list of trusted providers for security related addons / plugins for FF. Rather the opposite is true. Addons and plugins for FF flourish and are found all over the internet. So it can not be difficult to write addons and plugins for FF. That it is so easy and there are so many toolbars and plugins for FF rather make me more sceptical to how secure the browser is.
2. If you don't know Opera's view + style menu, you can not know the browser, even at an elementary level. To mee it seems more that you have made up your mind. FF is best. I use all three browsers daily, so I am fairly used to all three.
3. Speed dial, the ability to add your preferred SE to the SE's list and to the speed dial are fuinctionality that I personally like. There are much more. I could turn the question around? How many of FF's plugins and toolbars do I really need?

Christian Darie, Bogdan Brinzarea, Filip Chereches-Tosa and Mihai Buicica (March 2006): "AJAX and PHP. Building Responsive Web Applications" Packt Publishing page 84 tested IE's FF's and Opera's security model when they wrote: Opera is indeed the safest browser in the world. The test is written over a chapter so you can control the results.

1. Personally, I rate Chrome higher than IE because it has had less vulnerabilities announced in the last month, and because handing your wallet to a mugger is probably more secure than using IE. As far as addons, the Opera addon framework is very similar to that of Firefox, and addons (or Widgets) for Opera actually seem to almost operate outside the sandbox (can't confirm this obviously, but the fact that some include the ability to download files is worrisome) and Opera does not seem to support digitally signed addons the way Firefox does. I would not rate Opera over Firefox purely on the basis of addons. Firefox does use digital signatures to give a way to verify the creater of the addon. Additionally, addons are limited to interacting with the file being loaded into the browser. Opera allows plugins to operate outside the confines of the browser, initiating downloads on their own.

2. Accessibility goes beyond the browser, to interaction with TTS, screen magnifiers and Braille devices. I have not seen many such accessibility devices that list Opera as a supported browser. I have not looked for such devices, so I am not really qualified to rate how any of the browsers compare in this area.

3. Well, I think the question was just the included features. Opera has a lot of niceties, such as the gestures (which can get in the way of certain operations) and speed dial, but other than that it is similar in functionality to most browsers.

[wige]

Quote:

Originally Posted by MrGamm

Well... In case nobody has dropped the bomb yet...

What's with Open Source? And what's with the current perverted attitude which makes people think exposing your security measures to the entire world is a good idea?

I think the second question answers the first. Lets pretend I am a hacker, and I find a vulnerability in MSIE (closed source) and in Firefox (open source). For most hackers, especially the not-for-profit ones, the goal is to become known in the hacker community, building a rep. Finding a vulnerability is a great way to build rep, provided people know about it. For MSIE, the only way to be known is to announce the vulnerability to the world. This means that attackers have a head start on exploiting the problem and can get attack code on the Internet before a patch can be released. With an Open Source application, however, you gain more recognition by also creating a fix for the problem you discover, and you can actually create or contribute to the patching of the vulnerability.

[kgun]

Good answers. Rep point given for great input as usual.

[MrGamm]

Quote:

Originally Posted by wige

For MSIE, the only way to be known is to announce the vulnerability to the world.

So... Open Source is better because people are more inclined to report a vulnerability to an open source vendor. Closed source vendors are the nasty guys who will only accept vulnerability reports if you broadcast it to the world?

That is some very bizarre logic.

Microsoft pushes security releases to the end user which is more than most open source vendors do. If Joomla and Wordpress ( I think wordpress does as of last year ) followed the same mentality I wouldn't have an issue.


Who is more secure? The people who reveal their security flaws to the world? Or the people who keep their security private? It doesn't make a difference if your user base doesn't subscribe to your security updates. The open source community assumes everybody wants to spend their life debugging code, or is even capable of reading it.

I realize that people have an opportunity to find and fix problems with the software. However it does not justify the fact that anyone can download a blue print on how to maliciously attack known software vulnerabilities in installations which have since fallen out of date. jmo...

And what good is building a name for yourself in the open source community? The open source community is by default a faceless army of coders who hide behind a brand name in the end. They don't get paid either, unless they are on the payroll.

[wige]

As far as open source, I read the IBM report, and it just boggles my mind... I am trying to understand what the point of that report is. They are comparing CMS systems (all of which are open source) to server software (half of which are open source) to browsers (most of which are open source) to operating systems (most of which are open source)... They even state they want to find a way to include a PROGRAMMING LANGUAGE in the list, because some of the vulnerable software was coded in that language! Lets look at this on a more consistent basis, comparing things that are in the same category to one another.

Most vulnerable browsers (estimated based on critical advisories, wild attacks, and major patches this year):
1. Internet Explorer (closed source)
2. Mozilla Firefox (open source)

Most vulnerable web server platform, last five years:
1. IIS (closed source)
2. Apache (open source)

Most exploited plugins of 2007-2008:
Flash (closed source)
RealMedia (closed source)
QuickTime (closed source)

You seem to be of the opinion that software being Open Source somehow makes a product more vulnerable than closed source alternatives. I think this somewhat misses the problem.

For example:

Quote:

I still have old crawlers hitting my websites looking for old phpNuke exploits which amazes me because the software is so old, it says something about the open source security community if the vulnerability still being searched for 5 years after it was patched.

How does this say anything about Open Source? My server gets hit with attempts to exploit vulnerabilities from a version of IIS released and patched almost a decade ago. People not updating their software has absolutely nothing to do with the design methodology of the software itself. It only has to do with how dedicated the administrators are to protecting the security of their systems. I get people visiting my web site using IE 5 and Windows 98. Is that a problem with Open Source too?

Quote:

Joomla is only two years old and it has a user base larger than any other open source website software package by far. I can only imagine how many Joomla websites are going to get hacked in the next 5 years to come. Especially considering they are still rolling out critical security vulnerabilities as of this year.

Any web-facing application that is commonly used will come under attack. Being closed-source doesn't make IIS any less vulnerable. Is there any closed source web site software package you can mention that is more secure than it's Open Source alternative?

[wige]

Quote:

Originally Posted by MrGamm

So... Open Source is better because people are more inclined to report a vulnerability to an open source vendor. Closed source vendors are the nasty guys who will only accept vulnerability reports if you broadcast it to the world?

That is some very bizarre logic.

What I was trying to say was that a hacker benefits more from announcing a problem to the world with closed source software, than with open source.

Quote:

Microsoft pushes security releases to the end user which is more than most open source vendors do. If Joomla and Wordpress followed the same mentality I wouldn't have an issue.

But, most open source applications do automatically update. Compare products directly though:

Internet Explorer: Auto updates, on average within 3 weeks of the vulnerability announcement. (closed source)
Mozilla Firefox: Auto updates, on average within 1 week of the vulnerability discovery. (open source)
Apple Safari: Auto updates, but refuses to patch the vulnerability for three months. (closed source)

Windows XP/Vista: Auto updates, on average monthly. (closed source)
Ubuntu Linux: Auto updates, on average 1 week from vulnerability report. (open source)

There is no mechanism for automating the patching of CMS systems. The responsibility for making users aware of the problem, creating a patch, and making it available falls to the maker of the software. And in the end, making sure those patches are applied falls to the user. Do I think those specific providers could do a better job educating users and keeping them informed? Yes. But that failure is not with Open Source, it is with the company's approach to security. And they did release patches very quickly, and the need to update is well known.

On the same note, IE6 has numerous security flaws, and was auto-patched to version 7 by Microsoft. Lots of users, however, still browse the web with IE6. Is that because of a flaw in the closed-source development paradigm?

[MrGamm]

Quote:

You seem to be of the opinion that software being Open Source somehow makes a product more vulnerable than closed source alternatives. I think this somewhat misses the problem.

No... I think that Joomla and Wordpress have been very irresponsible with their software distribution. I think the community as a whole is not responsible enough to secure thier own websites and maintain the security upgrades.

And yes... I do think that open source vendors who are not actively pushing upgrades to their end users are less secure than vendors ( open source or closed source ) who do push security releases to their end users.

Quote:

Yes. But that failure is not with Open Source, it is with the company's approach to security. And they did release patches very quickly, and the need to update is well known.

Agreed to a certain extent. The need to upgrade is not known nor do many people upgrade. Most people have a website sold to them and that where it ends. The majority of the people on this planet are still struggling with photoshop, maybe notepad too. It is a very irresponsible thing the community as a whole has done. And it reflects the Open Source community specifically. jmo...

Quote:

On the same note, IE6 has numerous security flaws, and was auto-patched to version 7 by Microsoft. Lots of users, however, still browse the web with IE6. Is that because of a flaw in the closed-source development paradigm?

Security issues in IE 6 are still being upgraded and fixed.

I don't have to worry about it though. Microsoft sends the upgrade to me. No computer science degree needed.

To be fair however... I have been fairly wrong to group all open source vendors into the same group. I think commercially supported open source projects like RedHat and Suse, or non-profit corporations like FireFox are doing a really good job. I have hunch it's because they use skilled programmers and pay them to eat, while I feel that some of the less non-commercially supported freely available "free-for-all" open source development projects are a disaster. Joomla being the largest offender to date.

Perhaps Drupal stands a chance of changing that? ( if they start pushing upgrades to the end user... then yes... they will fix the problem. )

http://www.downloadsquad.com/2008/09...ported-drupal/


Leaving the end user to fend for themselves is a big mistake. Open Source or Closed Source being irrelevant. jmo...

[kgun]

Quote:

Originally Posted by wige

1. Most secure? Firefox > Opera > Chrome > Internet Explorer

Today when I should log into my bank account using the Opera Browser, I got the following warning:

"This domain uses an old cryptation method that now must be regarded as insecure. Sensitive data can not be sufficiently protected. Do you wish to continue?"

I don't get a similar message using FireFox.

You and I should agree to disagree.

I agree with some programming experts:

Opera is indeed the safest browser in the world. You have no way of convincing Opera 8.5 to allow the JavaScript code to access a different server than the one it was loaded from.

Source: Christian Darie, Bogdan Brinzarea, Filip Chereches-Tosa and Mihai Buicica (March 2006): "AJAX and PHP. Building Responsive Web Applications" Packt Publishing page 84.

Opera requires you to set Content-Type header of a POST request using the SetRequestHeader method. Other browsers don't require it, but it's the safest approach to take to allow for all browsers.

Source: Kevin Yank & Cameron Adams (September 2007): "Simply JavaScript" SitePoint book. Page 311.

FireFox has now been thrown out of the red carpet because of security issues. Nobody has convinced me so long that there is a more secure browser on the planet than Opera.

[MrGamm]

Quote:

Originally Posted by kgun

Nobody has convinced me so long that there is a more secure browser on the planet than Opera.

I am not an expert on Opera security. However it is a very innovative browser company which does offer the end user something different.

"Opera is adding voice control to its browser, enabling users to browse the Web and fill in voice-enabled Web forms by talking to their PC. They can also have the contents of Web sites read back to them."

Opera's browser finds its voice | Tech News on ZDNet

I am not sure if that is still happening... never tried it but it certainly is innovative. Jmo...

There is always the possibility that other vendors have similar products, however when I was looking for the info a few years ago Opera was the only browser that came up.

[kgun]

You find some important Norwegian sites here: DigitalNorway: The digital revolution is transforming the world.

Did you know that the fast SE that is now bought by Microsoft was Norwegian?

This company bMenu cooperates with Fast. Study their product in detail.

I hope that Opera will always stay Norwegian and that they never sell their soul.

As a programmer, you may need this script:

Code:

// ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
// 
// Coded by Travis Beckham
// http://www.squidfingers.com | http://www.podlob.com
// If want to use this code, feel free to do so, but please leave this message intact.
//
// ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
// --- version date: 01/24/03 ---------------------------------------------------------

// ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
// Cross-Browser Functions

var dom = document.getElementById;
var iex = document.all;
var ns4 = document.layers;

function addEvent(event,method){
    this[event] = method;
    if(ns4) this.captureEvents(Event[event.substr(2,event.length).toUpperCase()]);
}
function removeEvent(event){
    this[event] = null;
    if(ns4) this.releaseEvents(Event[event.substr(2,event.length).toUpperCase()]);
}
function getElement(name,nest){
    nest = nest ? "document."+nest+"." : "";
    var el = dom ? document.getElementById(name) : iex ? document.all[name] : ns4 ? eval(nest+"document."+name) : false;
    el.css = ns4 ? el : el.style;
    el.getTop = function(){return parseInt(el.css.top) || 0};
    el.setTop = function(y){el.css.top = ns4 ? y: y+"px"};
    el.getHeight = function(){return ns4 ? el.document.height : el.offsetHeight};
    el.getClipHeight = function(){return ns4 ? el.clip.height : el.offsetHeight};
    el.hideVis = function(){el.css.visibility="hidden"};
    el.showVis = function(){el.css.visibility="visible"};
    el.addEvent = addEvent;
    el.removeEvent = removeEvent;
    return el;
}
function getYMouse(e){
    return iex ? event.clientY : e.pageY;
}

document.addEvent = addEvent;
document.removeEvent = removeEvent;

// ||||||||||||||||||||||||||||||||||||||||||||||||||
// Scroller Class

ScrollObj = function(speed, dragHeight, trackHeight, trackObj, upObj, downObj, dragObj, contentMaskObj, contentObj){
    this.speed = speed;
    this.dragHeight = dragHeight;
    this.trackHeight = trackHeight;
    this.trackObj = getElement(trackObj);
    this.upObj = getElement(upObj);
    this.downObj = getElement(downObj);
    this.dragObj = getElement(dragObj);
    this.contentMaskObj = getElement(contentMaskObj);
    this.contentObj = getElement(contentObj,contentMaskObj);
    this.obj = contentObj+"Object";
    eval(this.obj+"=this");
    
    this.trackTop = this.dragObj.getTop();
    this.trackLength = this.trackHeight-this.dragHeight;
    this.trackBottom = this.trackTop+this.trackLength;
    this.contentMaskHeight = this.contentMaskObj.getClipHeight();
    this.contentHeight = this.contentObj.getHeight();
    this.contentLength = this.contentHeight-this.contentMaskHeight;
    this.scrollLength = this.trackLength/this.contentLength;
    this.scrollTimer = null;
    
    if(this.contentHeight <= this.contentMaskHeight){
        this.dragObj.hideVis();
        this.upObj.hideVis();
        this.downObj.hideVis();
        this.trackObj.hideVis();
        
        
        
    }else{
        var self = this;
        this.trackObj.addEvent("onmousedown", function(e){self.scrollJump(e);return false});
        this.upObj.addEvent("onmousedown", function(){self.scroll(self.speed);return false});
        this.upObj.addEvent("onmouseup", function(){self.stopScroll()});
        this.upObj.addEvent("onmouseout", function(){self.stopScroll()});
        this.downObj.addEvent("onmousedown", function(){self.scroll(-self.speed);return false});
        this.downObj.addEvent("onmouseup", function(){self.stopScroll()});
        this.downObj.addEvent("onmouseout", function(){self.stopScroll()});
        this.dragObj.addEvent("onmousedown", function(e){self.startDrag(e);return false});
        if(iex) this.dragObj.addEvent("ondragstart", function(){return false});
    }
}
ScrollObj.prototype.startDrag = function(e){
    this.dragStartMouse = getYMouse(e);
    this.dragStartOffset = this.dragObj.getTop();
    var self = this;
    document.addEvent("onmousemove", function(e){self.drag(e)});
    document.addEvent("onmouseup", function(){self.stopDrag()});
}
ScrollObj.prototype.stopDrag = function(){
    document.removeEvent("onmousemove");
    document.removeEvent("onmouseup");
}
ScrollObj.prototype.drag = function(e){
    var currentMouse = getYMouse(e);
    var mouseDifference = currentMouse-this.dragStartMouse;
    var dragDistance = this.dragStartOffset+mouseDifference;
    var dragMovement = (dragDistance<this.trackTop) ? this.trackTop : (dragDistance>this.trackBottom) ? this.trackBottom : dragDistance;
    this.dragObj.setTop(dragMovement);
    var contentMovement = -(dragMovement-this.trackTop)*(1/this.scrollLength);
    this.contentObj.setTop(contentMovement);
}
ScrollObj.prototype.scroll = function(speed){
    var contentMovement = this.contentObj.getTop()+speed;
    var dragMovement = this.trackTop-Math.round(this.contentObj.getTop()*(this.trackLength/this.contentLength));
    if(contentMovement > 0){
        contentMovement = 0;
    }else if(contentMovement < -this.contentLength){
        contentMovement = -this.contentLength;
    }
    if(dragMovement < this.trackTop){
        dragMovement = this.trackTop;
    }else if(dragMovement > this.trackBottom){
        dragMovement = this.trackBottom;
    }
    this.contentObj.setTop(contentMovement);
    this.dragObj.setTop(dragMovement);
    this.scrollTimer = window.setTimeout(this.obj+".scroll("+speed+")",25);
}
ScrollObj.prototype.stopScroll = function(){
    if(this.scrollTimer){
        window.clearTimeout(this.scrollTimer);
        this.scrollTimer = null;
    }
}
ScrollObj.prototype.scrollJump = function(e){
    var currentMouse = getYMouse(e);
    var dragDistance = currentMouse-(this.dragHeight/2);
    var dragMovement = (dragDistance<this.trackTop) ? this.trackTop : (dragDistance>this.trackBottom) ? this.trackBottom : dragDistance;
    this.dragObj.setTop(dragMovement);
    var contentMovement = -(dragMovement-this.trackTop)*(1/this.scrollLength);
    this.contentObj.setTop(contentMovement);
}

// ||||||||||||||||||||||||||||||||||||||||||||||||||
// Misc Functions

function fixNetscape4(){
    if(ns4origWidth != window.innerWidth || ns4origHeight != window.innerHeight){
        window.location.reload();
    }    
}
if(document.layers){
    ns4origWidth = window.innerWidth;
    ns4origHeight = window.innerHeight;
    window.onresize = fixNetscape4;
}

// ||||||||||||||||||||||||||||||||||||||||||||||||||

/* window.onload = function(){
    // speed, dragHeight, trackHeight, trackObj, upObj, downObj, dragObj, contentMaskObj, contentObj
    myScroll = new ScrollObj(6,17,376,"track","up","down","drag","masca","continut");

}; */

[kgun]

Competition or security?

EU: Internet Explorer harms competition