clickjacking

clickjacking

Peter Potamus the Purple Hippo
some interesting stuff. I suppose things like this
'could' happen within email, too; therefore, this is
one reason why the devs want to turn off javascript.

http://ha.ckers.org/blog/20081007/clickjacking-details/

--
*IMPORTANT*: Sorry folks, but I cannot provide email
help!!!! Emails to me may become public

Notice: This posting is protected under the Free Speech
Laws, which applies everywhere in the FREE world,
except for some strange reason, not to the mozilla.org
newsgroup servers, where your posting may get you banned.

Peter Potamus & His Magic Flying Balloon:
http://melaman2.com/cartoons/singles/mp3/p-potamus.mp3
http://www.toonopedia.com/potamus.htm
_______________________________________________
general mailing list
[hidden email]
https://lists.mozilla.org/listinfo/general

Re: clickjacking

Moz Champion (Dan)
Peter Potamus the Purple Hippo wrote:
> some interesting stuff. I supposed things like this 'could' happening
> within email, too; therefore, this is one reason why the devs want to
> turn off javascript.
>
> http://ha.ckers.org/blog/20081007/clickjacking-details/
>


Stupidity if you ask me. Read the entries, it can be done without
Javascript as well.  So what do the devs want to do about Firefox, shut
it down?  Firefox is just as vulnerable to javascript exploits as
Thunderbird (if not more so), but it will be enabled in Firefox and
disabled (so a user can't turn it on even if they wish) in Thunderbird.


Heck, you can get a virus in email via Thunderbird, the devs going to
turn that capability off as well?

Fear of possibilities. Stupidity

Re: clickjacking

Ron Hunter
Moz Champion (Dan) wrote:

> Peter Potamus the Purple Hippo wrote:
>> some interesting stuff. I supposed things like this 'could' happening
>> within email, too; therefore, this is one reason why the devs want to
>> turn off javascript.
>>
>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>
>
>
> Stupidity if you ask me. Read the entries, it can be done without
> Javascript as well.  So what do the devs want to do about Firefox, shut
> it down?  Firefox is just as vulnerable to javascript exploits than
> Thunderbird (if not more so), but it will be enabled in Firefox and
> disabled (so a user can't turn it on even if they wish) in Thunderbird.
>
>
> Heck, you can get a virus in email via Thunderbird, the devs going to
> turn that capability off as well?
>
> Fear of possibilities. Stupidity

Actually, you can't get a virus, at least any currently known, in TB
just by reading/displaying an email.  If you should be so unwise as to
actually execute an attachment, yes, you could get a virus, but TB does
what it can to make this difficult, and to warn you.
As for javascript, some go so far as to turn it off in Firefox.  I have
had it turned off in email/news since someone put it IN there in the
first place because I see no rational use for it in the email/news
environment.

--
Ron Hunter  [hidden email]

Re: clickjacking

squaredancer
On 17.10.2008 03:10, CET - what odd quirk of fate caused  Ron Hunter to
generate the following:? :

> Moz Champion (Dan) wrote:
>  
>> Peter Potamus the Purple Hippo wrote:
>>    
>>> some interesting stuff. I supposed things like this 'could' happening
>>> within email, too; therefore, this is one reason why the devs want to
>>> turn off javascript.
>>>
>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>
>>>      
>> Stupidity if you ask me. Read the entries, it can be done without
>> Javascript as well.  So what do the devs want to do about Firefox, shut
>> it down?  Firefox is just as vulnerable to javascript exploits than
>> Thunderbird (if not more so), but it will be enabled in Firefox and
>> disabled (so a user can't turn it on even if they wish) in Thunderbird.
>>
>>
>> Heck, you can get a virus in email via Thunderbird, the devs going to
>> turn that capability off as well?
>>
>> Fear of possibilities. Stupidity
>>    
>
> Actually, you can't get a virus, at least any currently known, in TB
> just by reading/displaying, an email.  If you should be so unwise at to
> actually execute an attachment, yes, you could get a virus, but TB does
> what it can to make this difficult, and to warn you.
> As for javascript, some go so far as to turn it off in Firefox.  I have
> had it turned off in email/news since someone put it IN there in the
> first place because I see no rational use for it in the email/news
> environment.
>
>  
yepp!  turn OFF Flash, JS, JAVA (don't forget to delete Java Runtime),
WMP, RP, QT, HTML, your Computer...

and you *MAY* be safe.....
but *DO NOT* walk out on to the street:
- a truck *may be* coming down the road....
- there *may be* an earthquake
- there *may be* another 11.9
- an airplane *may* fall on your head

so
- always wear a signal-orange safety jacket
- always keep a beeper *in your hand*
- always wear a headset, bluetoothed to your cellphone
- always keep your cellphone dialed-in to the police and rescue services.

you *MAY* need all that, one day, so be warned!

reg

Re: clickjacking

Moz Champion (Dan)
In reply to this post by Ron Hunter
Ron Hunter wrote:

> Moz Champion (Dan) wrote:
>> Peter Potamus the Purple Hippo wrote:
>>> some interesting stuff. I supposed things like this 'could' happening
>>> within email, too; therefore, this is one reason why the devs want to
>>> turn off javascript.
>>>
>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>
>>
>>
>> Stupidity if you ask me. Read the entries, it can be done without
>> Javascript as well.  So what do the devs want to do about Firefox,
>> shut it down?  Firefox is just as vulnerable to javascript exploits
>> than Thunderbird (if not more so), but it will be enabled in Firefox
>> and disabled (so a user can't turn it on even if they wish) in
>> Thunderbird.
>>
>>
>> Heck, you can get a virus in email via Thunderbird, the devs going to
>> turn that capability off as well?
>>
>> Fear of possibilities. Stupidity
>
> Actually, you can't get a virus, at least any currently known, in TB
> just by reading/displaying, an email.  If you should be so unwise at to
> actually execute an attachment, yes, you could get a virus, but TB does
> what it can to make this difficult, and to warn you.
> As for javascript, some go so far as to turn it off in Firefox.  I have
> had it turned off in email/news since someone put it IN there in the
> first place because I see no rational use for it in the email/news
> environment.
>

I know that, I've said as much dozens of times.
But the developers seem, to me, to think that way.

They are still unable to point to ANY javascript exploits in the wild
that Thunderbird is susceptible to, yet they are disabling javascript.
They are afraid of POSSIBILITIES, nothing concrete at all.

FDR said it best... The only thing we have to fear is fear itself.

Re: clickjacking

Eitan Adler-2
Moz Champion (Dan) wrote:

> Ron Hunter wrote:
>> Moz Champion (Dan) wrote:
>>> Peter Potamus the Purple Hippo wrote:
>>>> some interesting stuff. I supposed things like this 'could'
>>>> happening within email, too; therefore, this is one reason why the
>>>> devs want to turn off javascript.
>>>>
>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>
>>>
>>>
>>> Stupidity if you ask me. Read the entries, it can be done without
>>> Javascript as well.  So what do the devs want to do about Firefox,
>>> shut it down?  Firefox is just as vulnerable to javascript exploits
>>> than Thunderbird (if not more so), but it will be enabled in Firefox
>>> and disabled (so a user can't turn it on even if they wish) in
>>> Thunderbird.
>>>
>>>
>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>> turn that capability off as well?
>>>
>>> Fear of possibilities. Stupidity
>>
>> Actually, you can't get a virus, at least any currently known, in TB
>> just by reading/displaying, an email.  If you should be so unwise at
>> to actually execute an attachment, yes, you could get a virus, but TB
>> does what it can to make this difficult, and to warn you.
>> As for javascript, some go so far as to turn it off in Firefox.  I
>> have had it turned off in email/news since someone put it IN there in
>> the first place because I see no rational use for it in the email/news
>> environment.
>>
>
> I know that, I've said as much dozens of times.
> But the developers seem, to me, to think that way.
>
> They are still unable to point to ANY javascript exploits in the wild
> that Thunderbird is susceptible to, yet they are disabling javascript.
> They are afraid of POSSIBILITIES, nothing concrete at all.
They disable it by default.  That is good security practice.
about:config > javascript.allow.mailnews could enable it.
>
> FDR said it best... The only thing we have to fear is fear itself.

Re: clickjacking

Moz Champion (Dan)
Eitan Adler wrote:

> Moz Champion (Dan) wrote:
>> Ron Hunter wrote:
>>> Moz Champion (Dan) wrote:
>>>> Peter Potamus the Purple Hippo wrote:
>>>>> some interesting stuff. I supposed things like this 'could'
>>>>> happening within email, too; therefore, this is one reason why the
>>>>> devs want to turn off javascript.
>>>>>
>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>
>>>>
>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>> Javascript as well.  So what do the devs want to do about Firefox,
>>>> shut it down?  Firefox is just as vulnerable to javascript exploits
>>>> than Thunderbird (if not more so), but it will be enabled in Firefox
>>>> and disabled (so a user can't turn it on even if they wish) in
>>>> Thunderbird.
>>>>
>>>>
>>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>>> turn that capability off as well?
>>>>
>>>> Fear of possibilities. Stupidity
>>> Actually, you can't get a virus, at least any currently known, in TB
>>> just by reading/displaying, an email.  If you should be so unwise at
>>> to actually execute an attachment, yes, you could get a virus, but TB
>>> does what it can to make this difficult, and to warn you.
>>> As for javascript, some go so far as to turn it off in Firefox.  I
>>> have had it turned off in email/news since someone put it IN there in
>>> the first place because I see no rational use for it in the email/news
>>> environment.
>>>
>> I know that, I've said as much dozens of times.
>> But the developers seem, to me, to think that way.
>>
>> They are still unable to point to ANY javascript exploits in the wild
>> that Thunderbird is susceptible to, yet they are disabling javascript.
>> They are afraid of POSSIBILITIES, nothing concrete at all.
> They disable it by default.  That is good security practice.
> about:config > javascript.allow.mailnews could enable it.
>> FDR said it best... The only thing we have to fear is fear itself.


You haven't heard the latest, have you?

In the next version available for testing they are DISABLING it
completely AND NOT providing a UI to turn it back on.

they 'promise' this will be a temporary feature - but so was income tax

Re: clickjacking

JM-43
On 10/17/2008 3:12 PM, Moz Champion (Dan) wrote:

> Eitan Adler wrote:
>> Moz Champion (Dan) wrote:
>>> Ron Hunter wrote:
>>>> Moz Champion (Dan) wrote:
>>>>> Peter Potamus the Purple Hippo wrote:
>>>>>> some interesting stuff. I supposed things like this 'could'
>>>>>> happening within email, too; therefore, this is one reason why the
>>>>>> devs want to turn off javascript.
>>>>>>
>>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>>
>>>>>
>>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>>> Javascript as well. So what do the devs want to do about Firefox,
>>>>> shut it down? Firefox is just as vulnerable to javascript exploits
>>>>> than Thunderbird (if not more so), but it will be enabled in Firefox
>>>>> and disabled (so a user can't turn it on even if they wish) in
>>>>> Thunderbird.
>>>>>
>>>>>
>>>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>>>> turn that capability off as well?
>>>>>
>>>>> Fear of possibilities. Stupidity
>>>> Actually, you can't get a virus, at least any currently known, in TB
>>>> just by reading/displaying, an email. If you should be so unwise at
>>>> to actually execute an attachment, yes, you could get a virus, but TB
>>>> does what it can to make this difficult, and to warn you.
>>>> As for javascript, some go so far as to turn it off in Firefox. I
>>>> have had it turned off in email/news since someone put it IN there in
>>>> the first place because I see no rational use for it in the email/news
>>>> environment.
>>>>
>>> I know that, I've said as much dozens of times.
>>> But the developers seem, to me, to think that way.
>>>
>>> They are still unable to point to ANY javascript exploits in the wild
>>> that Thunderbird is susceptible to, yet they are disabling javascript.
>>> They are afraid of POSSIBILITIES, nothing concrete at all.
>> They disable it by default. That is good security practice.
>> about:config > javascript.allow.mailnews could enable it.
>>> FDR said it best... The only thing we have to fear is fear itself.
>
>
> You havent heard the latest have you.
>
> In the next version available for testing they are DISABLING it
> completely AND NOT providing a UI to turn it back on.
Yeah, I just installed Thunderbird 3 alpha 3 and saw that. They should
have left that option in there.
>
> they 'promise' this will be a temporary feature - but so was income tax


Re: clickjacking

JM-43
On 10/17/2008 5:42 PM, JM wrote:

> On 10/17/2008 3:12 PM, Moz Champion (Dan) wrote:
>> Eitan Adler wrote:
>>> Moz Champion (Dan) wrote:
>>>> Ron Hunter wrote:
>>>>> Moz Champion (Dan) wrote:
>>>>>> Peter Potamus the Purple Hippo wrote:
>>>>>>> some interesting stuff. I supposed things like this 'could'
>>>>>>> happening within email, too; therefore, this is one reason why the
>>>>>>> devs want to turn off javascript.
>>>>>>>
>>>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>>>
>>>>>>
>>>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>>>> Javascript as well. So what do the devs want to do about Firefox,
>>>>>> shut it down? Firefox is just as vulnerable to javascript exploits
>>>>>> than Thunderbird (if not more so), but it will be enabled in Firefox
>>>>>> and disabled (so a user can't turn it on even if they wish) in
>>>>>> Thunderbird.
>>>>>>
>>>>>>
>>>>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>>>>> turn that capability off as well?
>>>>>>
>>>>>> Fear of possibilities. Stupidity
>>>>> Actually, you can't get a virus, at least any currently known, in TB
>>>>> just by reading/displaying, an email. If you should be so unwise at
>>>>> to actually execute an attachment, yes, you could get a virus, but TB
>>>>> does what it can to make this difficult, and to warn you.
>>>>> As for javascript, some go so far as to turn it off in Firefox. I
>>>>> have had it turned off in email/news since someone put it IN there in
>>>>> the first place because I see no rational use for it in the email/news
>>>>> environment.
>>>>>
>>>> I know that, I've said as much dozens of times.
>>>> But the developers seem, to me, to think that way.
>>>>
>>>> They are still unable to point to ANY javascript exploits in the wild
>>>> that Thunderbird is susceptible to, yet they are disabling javascript.
>>>> They are afraid of POSSIBILITIES, nothing concrete at all.
>>> They disable it by default. That is good security practice.
>>> about:config > javascript.allow.mailnews could enable it.
>>>> FDR said it best... The only thing we have to fear is fear itself.
>>
>>
>> You havent heard the latest have you.
>>
>> In the next version available for testing they are DISABLING it
>> completely AND NOT providing a UI to turn it back on.
> Yeah, I just installed Thunderbird 3 alpha 3 and saw that. They should
> have left that option in there.

Wait, no. I just looked at about:config and the
javascript.allow.mailnews entry is in there. Did they say this option
would get removed in the final thunderbird 3 release, or are they just
removing the non-about:config option for enabling javascript?

>>
>> they 'promise' this will be a temporary feature - but so was income tax
>


Re: clickjacking

Ron Hunter
In reply to this post by squaredancer
squaredancer wrote:

> On 17.10.2008 03:10, CET - what odd quirk of fate caused  Ron Hunter to
> generate the following:? :
>> Moz Champion (Dan) wrote:
>>  
>>> Peter Potamus the Purple Hippo wrote:
>>>    
>>>> some interesting stuff. I supposed things like this 'could' happening
>>>> within email, too; therefore, this is one reason why the devs want to
>>>> turn off javascript.
>>>>
>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>
>>>>      
>>> Stupidity if you ask me. Read the entries, it can be done without
>>> Javascript as well.  So what do the devs want to do about Firefox, shut
>>> it down?  Firefox is just as vulnerable to javascript exploits than
>>> Thunderbird (if not more so), but it will be enabled in Firefox and
>>> disabled (so a user can't turn it on even if they wish) in Thunderbird.
>>>
>>>
>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>> turn that capability off as well?
>>>
>>> Fear of possibilities. Stupidity
>>>    
>> Actually, you can't get a virus, at least any currently known, in TB
>> just by reading/displaying, an email.  If you should be so unwise at to
>> actually execute an attachment, yes, you could get a virus, but TB does
>> what it can to make this difficult, and to warn you.
>> As for javascript, some go so far as to turn it off in Firefox.  I have
>> had it turned off in email/news since someone put it IN there in the
>> first place because I see no rational use for it in the email/news
>> environment.
>>
>>  
> yepp!  turn OFF Flash, JS, JAVA (don't forget to delete Java Runtime),
> WMP, RP, QT, HTML, your Computer...
>
> and you *MAY* be safe.....
> but *DO NOT* walk out on to the street:
> - a truck *may be* coming down the road....
> - there *may be* an earthquake
> - there *may be* another 11.9
> - an airplane *may* fall on your head
>
> so
> - always wear a signal-orange safety jacket
> - always keep a beeper *in your hand*
> - always wear a headset, bluetoothed to your cellphone
> - always keep your cellphone dialed-in to the police and rescue services.
>
> you *MAY* need all that, one day, so be warned!
>
> reg

Between the extremes of caution and blissful ignorance, there is some
comfort point, which will be different for everyone.  I choose to run
some risks, if they entail compensatory advantages, while avoiding others.


--
Ron Hunter  [hidden email]

Re: clickjacking

squaredancer
On 18.10.2008 10:02, CET - what odd quirk of fate caused  Ron Hunter to
generate the following:? :

> squaredancer wrote:
>  
>> On 17.10.2008 03:10, CET - what odd quirk of fate caused  Ron Hunter to
>> generate the following:? :
>>    
>>> Moz Champion (Dan) wrote:
>>>  
>>>      
>>>> Peter Potamus the Purple Hippo wrote:
>>>>    
>>>>        
>>>>> some interesting stuff. I supposed things like this 'could' happening
>>>>> within email, too; therefore, this is one reason why the devs want to
>>>>> turn off javascript.
>>>>>
>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>
>>>>>      
>>>>>          
>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>> Javascript as well.  So what do the devs want to do about Firefox, shut
>>>> it down?  Firefox is just as vulnerable to javascript exploits than
>>>> Thunderbird (if not more so), but it will be enabled in Firefox and
>>>> disabled (so a user can't turn it on even if they wish) in Thunderbird.
>>>>
>>>>
>>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>>> turn that capability off as well?
>>>>
>>>> Fear of possibilities. Stupidity
>>>>    
>>>>        
>>> Actually, you can't get a virus, at least any currently known, in TB
>>> just by reading/displaying, an email.  If you should be so unwise at to
>>> actually execute an attachment, yes, you could get a virus, but TB does
>>> what it can to make this difficult, and to warn you.
>>> As for javascript, some go so far as to turn it off in Firefox.  I have
>>> had it turned off in email/news since someone put it IN there in the
>>> first place because I see no rational use for it in the email/news
>>> environment.
>>>
>>>  
>>>      
>> yepp!  turn OFF Flash, JS, JAVA (don't forget to delete Java Runtime),
>> WMP, RP, QT, HTML, your Computer...
>>
>> and you *MAY* be safe.....
>> but *DO NOT* walk out on to the street:
>> - a truck *may be* coming down the road....
>> - there *may be* an earthquake
>> - there *may be* another 11.9
>> - an airplane *may* fall on your head
>>
>> so
>> - always wear a signal-orange safety jacket
>> - always keep a beeper *in your hand*
>> - always wear a headset, bluetoothed to your cellphone
>> - always keep your cellphone dialed-in to the police and rescue services.
>>
>> you *MAY* need all that, one day, so be warned!
>>
>> reg
>>    
>
> Between the extremes of caution and blissful ignorance, there is some
> comfort point, which will be different for everyone.  I choose to run
> some risks, if they entail compensatory advantages, while avoiding others.
>
>
>  
*lol*  just accentuating paranoia somewhat!

reg

Re: clickjacking

Jay Garcia
In reply to this post by Ron Hunter
On 18.10.2008 03:02, Ron Hunter wrote:

 --- Original Message ---

> squaredancer wrote:
>> On 17.10.2008 03:10, CET - what odd quirk of fate caused  Ron Hunter to
>> generate the following:? :
>>> Moz Champion (Dan) wrote:
>>>  
>>>> Peter Potamus the Purple Hippo wrote:
>>>>    
>>>>> some interesting stuff. I supposed things like this 'could' happening
>>>>> within email, too; therefore, this is one reason why the devs want to
>>>>> turn off javascript.
>>>>>
>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>
>>>>>      
>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>> Javascript as well.  So what do the devs want to do about Firefox, shut
>>>> it down?  Firefox is just as vulnerable to javascript exploits than
>>>> Thunderbird (if not more so), but it will be enabled in Firefox and
>>>> disabled (so a user can't turn it on even if they wish) in Thunderbird.
>>>>
>>>>
>>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>>> turn that capability off as well?
>>>>
>>>> Fear of possibilities. Stupidity
>>>>    
>>> Actually, you can't get a virus, at least any currently known, in TB
>>> just by reading/displaying, an email.  If you should be so unwise at to
>>> actually execute an attachment, yes, you could get a virus, but TB does
>>> what it can to make this difficult, and to warn you.
>>> As for javascript, some go so far as to turn it off in Firefox.  I have
>>> had it turned off in email/news since someone put it IN there in the
>>> first place because I see no rational use for it in the email/news
>>> environment.
>>>
>>>  
>> yepp!  turn OFF Flash, JS, JAVA (don't forget to delete Java Runtime),
>> WMP, RP, QT, HTML, your Computer...
>>
>> and you *MAY* be safe.....
>> but *DO NOT* walk out on to the street:
>> - a truck *may be* coming down the road....
>> - there *may be* an earthquake
>> - there *may be* another 11.9
>> - an airplane *may* fall on your head
>>
>> so
>> - always wear a signal-orange safety jacket
>> - always keep a beeper *in your hand*
>> - always wear a headset, bluetoothed to your cellphone
>> - always keep your cellphone dialed-in to the police and rescue services.
>>
>> you *MAY* need all that, one day, so be warned!
>>
>> reg
>
> Between the extremes of caution and blissful ignorance, there is some
> comfort point, which will be different for everyone.  I choose to run
> some risks, if they entail compensatory advantages, while avoiding others.
>
>

And if you should happen to see Chicken Little wearing a helmet, watch
out!! :-)

--
Jay Garcia - Netscape/Flock Champion
www.ufaq.org
Netscape - Flock - Firefox - Thunderbird - Seamonkey Support

Re: clickjacking

PhillipJones
In reply to this post by Ron Hunter
Ron Hunter wrote:

> Moz Champion (Dan) wrote:
>> Peter Potamus the Purple Hippo wrote:
>>> some interesting stuff. I supposed things like this 'could' happening
>>> within email, too; therefore, this is one reason why the devs want to
>>> turn off javascript.
>>>
>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>
>>
>>
>> Stupidity if you ask me. Read the entries, it can be done without
>> Javascript as well.  So what do the devs want to do about Firefox,
>> shut it down?  Firefox is just as vulnerable to javascript exploits
>> than Thunderbird (if not more so), but it will be enabled in Firefox
>> and disabled (so a user can't turn it on even if they wish) in
>> Thunderbird.
>>
>>
>> Heck, you can get a virus in email via Thunderbird, the devs going to
>> turn that capability off as well?
>>
>> Fear of possibilities. Stupidity
>
> Actually, you can't get a virus, at least any currently known, in TB
> just by reading/displaying, an email.  If you should be so unwise at to
> actually execute an attachment, yes, you could get a virus, but TB does
> what it can to make this difficult, and to warn you.
> As for javascript, some go so far as to turn it off in Firefox.  I have
> had it turned off in email/news since someone put it IN there in the
> first place because I see no rational use for it in the email/news
> environment.
>

If you're on a standard computer (PC), if you download an executable file,
the way PCs are set up, they automatically open as soon as you download them.

But on Macintosh computers, they neither accept nor use ActiveX
controls, nor executable files. So it is impossible for Macs to get viruses,
worms or Trojans through .exe or ActiveX. Plus we have the extra
protection of the FreeBSD UNIX code underneath.

I am never going to say Macs are, or will be forever, immune. As soon as we
get a 50/50 share then there will be such for us as well. But because
we have a lower user base, most malware writers ignore Macs. They don't
get as good a thrill as throwing the entire world's governments in a panic.

--
------------------------------------------------------------------------
Phillip M. Jones, CET   |MEMBER:VPEA (LIFE) ETA-I, NESDA,ISCET, Sterling
616 Liberty Street      |Who's Who. PHONE:276-632-5045, FAX:276-632-0868
Martinsville Va 24112   |[hidden email], ICQ11269732, AIM pjonescet
------------------------------------------------------------------------

If it's "fixed", don't "break it"!

mailto:[hidden email]

<http://www.kimbanet.com/~pjones/default.htm>
<http://www.kimbanet.com/~pjones/90th_Birthday/index.htm>
<http://www.kimbanet.com/~pjones/Fulcher/default.html>
<http://www.kimbanet.com/~pjones/Harris/default.htm>
<http://www.kimbanet.com/~pjones/Jones/default.htm>

<http://www.vpea.org>

Re: clickjacking

Terry R.-3
The date and time was 10/18/2008 8:57 AM, and on a whim, Phillip Jones,
C.E.T. pounded out on the keyboard:

> Ron Hunter wrote:
>> Moz Champion (Dan) wrote:
>>> Peter Potamus the Purple Hippo wrote:
>>>> some interesting stuff. I supposed things like this 'could' happening
>>>> within email, too; therefore, this is one reason why the devs want to
>>>> turn off javascript.
>>>>
>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>
>>>
>>> Stupidity if you ask me. Read the entries, it can be done without
>>> Javascript as well.  So what do the devs want to do about Firefox,
>>> shut it down?  Firefox is just as vulnerable to javascript exploits
>>> than Thunderbird (if not more so), but it will be enabled in Firefox
>>> and disabled (so a user can't turn it on even if they wish) in
>>> Thunderbird.
>>>
>>>
>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>> turn that capability off as well?
>>>
>>> Fear of possibilities. Stupidity
>> Actually, you can't get a virus, at least any currently known, in TB
>> just by reading/displaying, an email.  If you should be so unwise at to
>> actually execute an attachment, yes, you could get a virus, but TB does
>> what it can to make this difficult, and to warn you.
>> As for javascript, some go so far as to turn it off in Firefox.  I have
>> had it turned off in email/news since someone put it IN there in the
>> first place because I see no rational use for it in the email/news
>> environment.
>>
>
> If your on a Standard computer (PC) if you download an executable file
> the way PC's are setup The automatically open as soon as you download them.
>

Once again Phillip, you're out of touch.  This is NOT what happens on a PC.

> But on Macintosh computers, They neither accept or use active-X
> controls, nor executable files. So it impossible for Mac's to get Virus,
> worms or Trogan's through .exe or Active-X. Plus we have the extra
> protection of the FreeBSD UNIX code underneath.
>

It's not impossible to contract a virus/malware on a Mac, just not
through the two you mentioned.  If it was impossible, Apple wouldn't be
patching its software at all.  What was the last one, over twenty?

> I am never going to Mac's are or will be forever, immune. AS soon as we
> get a 50/50 share then there will be such for use as well. But because
> we have a lower user base. Most Malware writers ignore Mac's They don't
> get as good a thrill as Throwing the entire worlds governments in a Panic.
>

As much as you'd like to think Macs are perfect, they aren't. There
isn't a perfect computer or OS.  Trust me, I work on enough Macs to see
the flaws, especially when networked on domains.  I don't have any ills
towards Macs, I just don't think Mac users should get this false
impression that their computer is better than another.

--
Terry R.
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.

Re: clickjacking

squaredancer
In reply to this post by Jay Garcia
On 18.10.2008 15:55, CET - what odd quirk of fate caused  Jay Garcia to
generate the following:? :

> On 18.10.2008 03:02, Ron Hunter wrote:
>
>  --- Original Message ---
>
>  
>> squaredancer wrote:
>>    
>>> On 17.10.2008 03:10, CET - what odd quirk of fate caused  Ron Hunter to
>>> generate the following:? :
>>>      
>>>> Moz Champion (Dan) wrote:
>>>>  
>>>>        
>>>>> Peter Potamus the Purple Hippo wrote:
>>>>>    
>>>>>          
>>>>>> some interesting stuff. I supposed things like this 'could' happening
>>>>>> within email, too; therefore, this is one reason why the devs want to
>>>>>> turn off javascript.
>>>>>>
>>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>>
>>>>>>      
>>>>>>            
>>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>>> Javascript as well.  So what do the devs want to do about Firefox, shut
>>>>> it down?  Firefox is just as vulnerable to javascript exploits than
>>>>> Thunderbird (if not more so), but it will be enabled in Firefox and
>>>>> disabled (so a user can't turn it on even if they wish) in Thunderbird.
>>>>>
>>>>>
>>>>> Heck, you can get a virus in email via Thunderbird, the devs going to
>>>>> turn that capability off as well?
>>>>>
>>>>> Fear of possibilities. Stupidity
>>>>>    
>>>>>          
>>>> Actually, you can't get a virus, at least any currently known, in TB
>>>> just by reading/displaying an email.  If you should be so unwise as to
>>>> actually execute an attachment, yes, you could get a virus, but TB does
>>>> what it can to make this difficult, and to warn you.
>>>> As for javascript, some go so far as to turn it off in Firefox.  I have
>>>> had it turned off in email/news since someone put it IN there in the
>>>> first place because I see no rational use for it in the email/news
>>>> environment.
>>>>
>>>>  
>>>>        
>>> yepp!  turn OFF Flash, JS, JAVA (don't forget to delete Java Runtime),
>>> WMP, RP, QT, HTML, your Computer...
>>>
>>> and you *MAY* be safe.....
>>> but *DO NOT* walk out on to the street:
>>> - a truck *may be* coming down the road....
>>> - there *may be* an earthquake
>>> - there *may be* another 11.9
>>> - an airplane *may* fall on your head
>>>
>>> so
>>> - always wear a signal-orange safety jacket
>>> - always keep a beeper *in your hand*
>>> - always wear a headset, bluetoothed to your cellphone
>>> - always keep your cellphone dialed-in to the police and rescue services.
>>>
>>> you *MAY* need all that, one day, so be warned!
>>>
>>> reg
>>>      
>> Between the extremes of caution and blissful ignorance, there is some
>> comfort point, which will be different for everyone.  I choose to run
>> some risks, if they entail compensatory advantages, while avoiding others.
>>
>>
>>    
>
> And if you should happen to see Chicken Little wearing a helmet, watch
> out!! :-)
>
>  
oh!!!!! I forgot the Helmet to go with the safety jacket.... ooopppssss,
sorry folks!

reg

Re: clickjacking

PhillipJones
In reply to this post by Terry R.-3
Terry R. wrote:

> The date and time was 10/18/2008 8:57 AM, and on a whim, Phillip Jones,
> C.E.T. pounded out on the keyboard:
>
>> Ron Hunter wrote:
>>> Moz Champion (Dan) wrote:
>>>> Peter Potamus the Purple Hippo wrote:
>>>>> some interesting stuff. I supposed things like this 'could'
>>>>> happening within email, too; therefore, this is one reason why the
>>>>> devs want to turn off javascript.
>>>>>
>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>
>>>>
>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>> Javascript as well.  So what do the devs want to do about Firefox,
>>>> shut it down?  Firefox is just as vulnerable to javascript exploits
>>>> than Thunderbird (if not more so), but it will be enabled in Firefox
>>>> and disabled (so a user can't turn it on even if they wish) in
>>>> Thunderbird.
>>>>
>>>>
>>>> Heck, you can get a virus in email via Thunderbird, the devs going
>>>> to turn that capability off as well?
>>>>
>>>> Fear of possibilities. Stupidity
>>> Actually, you can't get a virus, at least any currently known, in TB
>>> just by reading/displaying an email.  If you should be so unwise as
>>> to actually execute an attachment, yes, you could get a virus, but TB
>>> does what it can to make this difficult, and to warn you.
>>> As for javascript, some go so far as to turn it off in Firefox.  I
>>> have had it turned off in email/news since someone put it IN there in
>>> the first place because I see no rational use for it in the
>>> email/news environment.
>>>
>>
>> If you're on a standard computer (PC), if you download an executable file,
>> the way PCs are set up, they automatically open as soon as you download
>> them.
>>
>
> Once again Phillip, you're out of touch.  This is NOT what happens on a PC.
>
>> But on Macintosh computers, they neither accept nor use ActiveX
>> controls, nor executable files. So it is impossible for Macs to get
>> viruses, worms or Trojans through .exe or ActiveX. Plus we have the
>> extra protection of the FreeBSD UNIX code underneath.
>>
>
> It's not impossible to contract a virus/malware on a Mac, just not
> through the two you mentioned.  If it was impossible, Apple wouldn't be
> patching its software at all.  What was the last one, over twenty?
>
>> I am never going to say Macs are or will be forever immune. As soon as
>> we get a 50/50 share then there will be such for use as well. But
>> because we have a lower user base, most malware writers ignore Macs.
>> They don't get as good a thrill as throwing the entire world's
>> governments in a panic.
>>
>
> As much as you'd like to think Macs are perfect, they aren't. There
> isn't a perfect computer or OS.  Trust me, I work on enough Macs to see
> the flaws, especially when networked on domains.  I don't have any ills
> towards Macs, I just don't think Mac users should get this false
> impression that their computer is better than another.
>
Unless things have changed very drastically in the PC world, on the last
computer I saw anyone use, applications were updated without the user's
input.

On OSX you can configure Software Update to see if there are system
updates. But even if any are found, when Software Update opens it just
lists the items, unless you check items to install then choose Install.
You can also choose to download only, and you can choose a later time to
install.

And until the item is actually downloaded and the install begins you
still can cancel the install.

Do PCs now have that ability?

--
------------------------------------------------------------------------
Phillip M. Jones, CET   |MEMBER:VPEA (LIFE) ETA-I, NESDA,ISCET, Sterling
616 Liberty Street      |Who's Who. PHONE:276-632-5045, FAX:276-632-0868
Martinsville Va 24112   |[hidden email], ICQ11269732, AIM pjonescet
------------------------------------------------------------------------

If it's "fixed", don't "break it"!

mailto:[hidden email]

<http://www.kimbanet.com/~pjones/default.htm>
<http://www.kimbanet.com/~pjones/90th_Birthday/index.htm>
<http://www.kimbanet.com/~pjones/Fulcher/default.html>
<http://www.kimbanet.com/~pjones/Harris/default.htm>
<http://www.kimbanet.com/~pjones/Jones/default.htm>

<http://www.vpea.org>

Re: clickjacking

Blinky the Shark
In reply to this post by Moz Champion (Dan)
Moz Champion (Dan) wrote:
> Fear of possibilities. Stupidity

Next time you cross the street, don't look both ways, since there's no
*certainty* that you will be struck by a truck if you don't -- there's
only a possibility, after all.


--
Blinky
Killing all posts from Google Groups
The Usenet Improvement Project: http://improve-usenet.org
Need a new news feed?  http://blinkynet.net/comp/newfeed.html

Re: clickjacking

Eitan Adler-2
Blinky the Shark wrote:
> Moz Champion (Dan) wrote:
>> Fear of possibilities. Stupidity
>
> Next time you cross the street, don't look both ways, since there's no
> *certainty* that you will be struck by a truck if you don't -- there's
> only a possibility, after all.
>
>
Basic security procedure: default deny.  If a user wants to allow
something he should - but why enable JS by default when there is little
need for it?

Re: clickjacking

Ed Mullen
In reply to this post by PhillipJones
Phillip Jones, C.E.T. wrote:

> Unless things have changed very drastically in the PC world, on the last
> computer I saw anyone use, applications were updated without the user's
> input.
>
> On OSX you can configure Software Update to see if there are system
> updates. But even if any are found, when Software Update opens it just
> lists the items, unless you check items to install then choose Install.
> You can also choose to download only, and you can choose a later time to
> install.
>
> And until the item is actually downloaded and the install begins you
> still can cancel the install.
>
> Do PCs now have that ability?
>

I have always had the ability to specify how Windows Updates happen.
You can disable it, choose to be notified first, or allow it to
automatically update.  Same with application software.

The problem is with apps writers.  They assume users are idiots and
enable auto updates by default.  It's the first thing I change when I
install a new app.

What runs on any of my Windows systems does what I want it to do, how I
want it to happen.

--
Ed Mullen
http://edmullen.net
A politician is a man who approaches every problem with an open mouth. -
Adlai Stevenson

Re: clickjacking

Peter Potamus the Purple Hippo
Ed Mullen wrote:

> The problem is with apps writers.  They assume users are idiots

That sounds like a recent discussion within the TB dev
ng.  They assumed the users are stupid, even though they
tried to deny it.

--
*IMPORTANT*: Sorry folks, but I cannot provide email
help!!!! Emails to me may become public

Notice: This posting is protected under the Free Speech
Laws, which applies everywhere in the FREE world,
except for some strange reason, not to the mozilla.org
newsgroup servers, where your posting may get you banned.

Peter Potamus & His Magic Flying Balloon:
http://melaman2.com/cartoons/singles/mp3/p-potamus.mp3
http://www.toonopedia.com/potamus.htm