| Technology & Technical Skills Computer skills, hardware, software, internet topics, gadgets, programming |
| | #1 (permalink) |
| Senior Member Join Date: Oct 2007 Location: Vegas Baby!
Posts: 162
|
I was originally going to post this as a reply post but realized I've seen this issue so many times I decided to make it a thread.

Any and all users that browse the web without a script blocker are basically handing every access right for their computer over to the author of the website they are browsing. How is this possible? One word: JavaScript.

What does it do, why JavaScript? While JavaScript enables some very cool features on many popular benign websites/web applications, it is also commonly used for malicious/irritating reasons. JavaScript is a scripting mechanism providing full access to the resources of the web browser on your computer so fancy effects can be achieved. Again - JavaScript executes on your computer!

Isn't it sandboxed to the process that the browser is running in though? Yes and no. There have been many cases in which malicious JavaScript can execute commands through bugs in the browser directly on your machine - remove files, install programs, install rootkits, spyware, keylog, even grab your browser cache and browser stored passwords.

The solution? JavaScript blocking software. NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! - what is it? - InformAction blocks any/all JavaScript globally and asks you to 'allow' sites that you trust (so you can use JavaScript). Many times it's just the annoying JavaScript that you end up blocking - but it is nonetheless annoying JavaScript; worth blocking!

If you aren't using Firefox w/ NoScript (and/or AdBlock Plus) you should!
| | |
| | #2 (permalink) |
| Senior Member Join Date: Dec 2007 Location: USA
Posts: 323
|
Hi, I just wanted to thank you for these awesome tips. Until you posted about it, I didn't realize that JavaScript was quite that dangerous and insecure.

For a long time, I was actually under the impression that Firefox was supposed to be a very safe and secure web browser, until one day I visited a random web page, and without me clicking anything, some kind of suspicious executable file was downloaded and would have executed except for Spybot: Search & Destroy blocking it.

That was quite a while ago, so I'm not sure I'm recalling all those details correctly, but whatever happened, it was rather unsettling. I never really trusted Firefox since.

I'm not sure if it was Java, JavaScript or something else that caused that problem, but I think I might have tentatively blamed Java because if I recall correctly, after loading that page, I saw a Java icon in my computer's taskbar.

All of which of course made me afraid to even use Firefox on websites I didn't trust without turning off various things like Java, JavaScript, etc.

My solution was to use the Opera web browser, since it allows you to put fast, convenient checkboxes right in your toolbar to easily enable or disable plug-ins, Java and JavaScript, whereas to use Firefox on websites I didn't trust, I had to delve into annoying preferences windows to shut those things off. Not anymore, though, thanks to you.

Best wishes,
Apollia

Last edited by Apollia; 02-19-2009 at 08:08 PM.
| | |
| | #5 (permalink) |
| Junior Member Join Date: Feb 2009 Location: Shelburne Falls, MA
Posts: 6
|
I think you have a good suggestion (use Firefox / Opera instead of Internet Explorer), but I have to strongly disagree with your analysis.

Firstly, there are many, many professional, current, safe websites that RELY on JavaScript to work. Examples of this are almost any website using AJAX technologies, many websites that have forms to be filled out (client-side validation), and newer web 2.0 websites that use tools like jQuery to dynamically style the website; most of the awesome new stuff we can do online is all JavaScript based.

I agree with your conclusion, but I feel that you are leading Internet users down the wrong path regarding JavaScript (your post is akin to scare tactics).

The problem is truly BAD BROWSING HABITS, and the expectation that computers are there for you to use and do what you need them to. Wait, what? Yeah, just how many of us treat cars like 'I just need gas, and go', people treat computers the same way: 'I just need Cable, and go'. (People in America generally don't like reading / learning... just consuming.)

So the question is, does prohibition really solve the problem? No, it doesn't. It simply hides the problem... and just as a loud stereo hides the tink-tink-tink of the engine, JS/Flash blockers hide the fact that you are (usually) on a **** website to begin with.

Learn to use better discretion when browsing the web (like, for example, actually read what the pop-up message says before you click 'ok').

Why I'm so against what you posted: JavaScript is a big, fast-growing player in the internet world, and scaring users of it isn't right.

-B
| | |
| | #6 (permalink) |
| Senior Member Join Date: Dec 2007 Location: USA
Posts: 323
|
Sorry if recounting my scary experience of unexpectedly almost getting infected with spyware (despite using what is reputed to be an especially safe and secure web browser, Firefox) happened to be scary.

I'll just clarify, I don't consider JavaScript, Java, or plug-ins inherently bad or dangerous. I think they're great, and very useful.

The thing I have a problem with is web browser security holes making incredibly useful tools like JavaScript, Java and plug-ins less safe than they ought to be.

Anyhow, I've been procrastinating too much lately, so, I'm going to take a break from this (and all other) forums. So, if anyone replies to me, please don't be offended by my silence. Thanks everyone.

Best wishes,
Apollia
| | |
| | #7 (permalink) |
| Junior Member Join Date: Feb 2009 Location: Shelburne Falls, MA
Posts: 6
|
Apollia, my comment wasn't really directed at you. The reason why I'm afraid is because my job and ability to eat rely on technologies such as JS... however, you bring up an interesting point: security flaws in browsers.

The Internet was NEVER meant to be safe... it was never designed to be, it was designed to be freedom of information exchange (which, in effect, security tries to compromise).

The problem isn't with browsers (as much), or JS, it's with the actual design of the internet, and the fact that it's constantly being used for things it was NEVER EVER supposed to be used for (like Internet banking).

If it makes you feel any better, they are designing a new Internet where you will give up your freedom to be anonymous (i.e. you'll basically need a license to be on this new internet), for the trade-off that it'll be much, much more secure.
| | |
| | #9 (permalink) |
| Senior Member Join Date: Nov 2006
Posts: 326
|
Java applets and ActiveX controls are probably more of a security risk. Also, accepting certificates is a security risk most people are not aware of.

I did some work with writing in-house tools for a company using Java applets to get access to the local drive on a computer. Once the user accepts the certificate that pops up, the Java applet has the same access to the files on the computer as any other program running on it locally. This means it can actually delete, upload or mess with your files. This, of course, required the user to accept the certificate, but people in general will just click OK on anything that pops up, and not understand the security implications.

On Linux you would be a bit safer in the above example for two reasons. One is proper user rights. The applet would only be able to mess up files owned by the user and read files the user could read, so with correct permissions it couldn't mess up the whole system. Secondly, most exploits on the web are written to attack Windows machines. There are more of them and they are an easier target. So a hack that tries to modify your registry, for instance, will not work on Linux or OS X, as there is no registry to modify.

A computer connected to the web is always at some risk of being hacked no matter what, as most software has some bug or other that can be exploited by clever hackers. Though I believe that the weakest link in most computer software is the person sitting in front of the screen.

I recently read an article about files that had leaked out through peer-to-peer networks: people running things like LimeWire who don't know what they are doing, and share out their entire drive, or even worse, the drive of their company's or government agency's computer.
| | |




