Re: Temporary Ban On Links In Posts To SRI



Salaam!

Abdelkarim Benoît Evans wrote:

> Best practices in this case mean that people must be prudent and
> understand that there is a risk (although very low) when clicking
> on a link.

The risk increases significantly when the site (or newsgroup) in
question is associated with a party under systematic attack. SRI is
associated, oddly enough, with muslims and Islam, and has been under
continuous attack since its inception. So the "risk (although very
low)" in the general case does not apply to SRI. Here, the risk of
malicious links is high.

> They must seek information about their computer platform and
> implement the security measures recommended. They must be sure to
> install EVERY operating system security update and every application
> security update.

This is the very thing that corporate information managers have
been unable to accomplish among employees who are somewhat computer
literate in order to hold their jobs. Were you familiar with the
discussions taking place in the IT security community, you would know
that even the professional IT managers are unable to keep up with
"EVERY operating system security update and every application security
update" even with machines that are restricted to only applications
installed by the IT managers.

The collective view of security professionals is that in order to
be effective, responsibility for stopping spam, stopping identity
theft, stopping worms, viruses, trojans, and the other security
threats that flood the Web must start at the gateway portal under the
control of the ISPs that are used by the crackers and criminals. ISP
operators claim that doing this would be cost prohibitive, and
legislators maintain that doing it piecemeal, country by country, is
doomed to failure as the criminals move from place to place.

What is certain is that only those end-users who keep track of
their antivirus and firewall protections, know how to maintain their
machines with effective security applications (most of the security
applications available on the consumer market are not effective), and
diligently monitor their internet access, can hope to keep their
machines, their personal information on their machines, their eMail
accounts, and their other internet accesses secure. Historically,
this has been a small percentage of end-users.

> The US Computer Emergency Readiness Team ...

Along with SANS, Bruce Schneier, Steve Gibson, and various other
people and agencies outside of and within government, are fighting an
uphill battle in government, military, and business, and are spending
billions of dollars a year without diminishing the threats to machines
run by professionals. Consumer internet security has been an add-on
since the inauguration of the Web, and the "protections" built in to
recent operating systems are minimally effective against only a narrow
spectrum of attacks.

Microsoft systems, which dominate the consumer internet, have been
designed from their early beginnings to make computers accessible to
other computers, not to make them inaccessible, and this is a primary
business interest for Microsoft's main market. Consumers generally
are not aware of what their machines are doing, have little
appreciation for the magnitude of the threat against their machines,
and are generally either unwilling or unable to shoulder the expense
involved in making their machines relatively secure, whether in time
or money.

SRI's readers cannot be assumed to be more technically proficient
than the rest of the consumer market, and can readily be assumed to be
less technically proficient in this respect than the corporate IT
managers and security professionals. The burden for protecting the
readers falls on the operators of SRI, some of whom do have the
necessary technical understanding of what constitutes an avoidable threat.

> Another more recently uncovered risk is one that makes it possible
> for code to be embedded in a Web site page and to be automatically
> executed on the Web surfer's computer when he or she clicks on a
> link that opens that page.

Windows Metafiles are graphics files that contain executable code
processed by successive versions of Windows. Rather than display a
map of pixels to display an image, .wmf files tell Windows how to draw
a picture. It was discovered over a year ago that each successive
version of Windows contained a carefully protected escape sequence
that would execute machine code in the .wmf file that would run
independently of the graphic interpreter, providing a carefully
protected "back door" into any Windows machine that received, in an
eMail, a specially crafted .wmf file. This appears to some in the
security community to be compliance with the Computer Assistance to
Law Enforcement Act ("CALEA"), which requires all hardware and
software vendors, Internet Service Providers, and telecommunications
providers at all levels, to provide a means of access for legally
authorized computer intrusion for investigative purposes.

Much more recently, vulnerabilities have been disclosed in a
number of applications that display other kinds of graphics ~
including Adobe Flash files, .jpg files, .png files, .gif files, and
others ~ that allow such files to contain executable code that will
run in the end-user's machine without any action by the user beyond
downloading a web page containing the graphic.

So your information is a little out of date: the danger does not
lie simply with "code ... embedded in a Web site page." Viewing a
graphic can breach your machine.

> Generally, such code can only be installed by the Web master
> of the site and not by an outsider (unless the Web Master has
> made his Web server available to strangers).

This has never been the case. Web sites have been "cracked" from
the very beginning of the Web, initially by well-meaning "white hats"
whose purpose was to alert the webmasters of vulnerabilities, and more
lately by criminals looking for those sites maintained by webmasters
who didn't listen. There are plenty of them.

> This risk is found in a number of "cross site scripting (XSS)"
> vulnerabilities. Although real, the actual risk level for the
> typical Web surfer is quite low.

Cross-site scripting vulnerabilities have been known for years,
and the risk from them today is relatively low. These are not the
vulnerabilities inspiring a ban on links in posts at SRI; they were a
very narrow attack and easily defended.

> CERT has an extensive vulnerability database that you could consult.
> Usually, I would simply give you the link here ...

You needn't provide me with any link, I've been professionally
involved in Internet security and privacy for seven years.

> As far as clicking on hyperlinks is concerned, that technique is
> a BASIC characteristic of the Web and without it, the Web as we
> know it would not exist.

Hyperlinks, whether embedded or clickable, distinguish HTML
(HyperText Markup Language) and the Web from Usenet, which predates
HTML and does not share the vulnerabilities introduced by HTML,
Javascript, and other bells and whistles that comprise "the Web as we
know it." SRI is a Usenet newsgroup, not a Website, and HTML
code in posts has never been allowed here. Current news and mail
clients turn URLs into clickable links whether they are embedded in
HTML pages or not, hence the ban. It is an extension of the
historical ban on HTML code in posts.

> On balance, the inconvenience of prohibiting clickable URL links far
> outweighs the increased security that such a prohibition may bring.

That is a matter of opinion, and fortunately for the readers of
SRI, some opinions are better informed than others.

> There is a difference between prudence and paranoia. Sadly
> the SRI moderators seem to have opted for the latter.

Being paranoid doesn't mean they aren't out to get you. Prudence
takes this into account, particularly regarding a newsgroup that
remains under attack.

Regarding dangerous links, ONE got through to the readers of this
forum before the ban on HTML code in posts was extended to include a
ban on text that would become live links in users' machines.

That's because those RESPONSIBLE for SRI keep up with internet
privacy and security issues; they don't have to spend two weeks to do
some homework to come up with a contending post that sounds knowledgeable.

was-salaam,
abujamal
--
astaghfirullahal-ladhee laa ilaha illa
howal-hayyul-qayyoom wa 'atoobu 'ilaihi

Rejoice, muslims, in martyrdom without fighting,
a Mercy for us. Be like the better son of Adam.
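The post above describes the mechanism behind the ban: plain text that news and mail clients render as live links. As an added example, not part of this post or of any tooling SRI actually uses, here is a small Python moderation check that finds such text and rewrites it so it stays readable without becoming clickable; the patterns are an assumption about what common clients auto-link.

```python
import re

# Constructed approximation of what typical news/mail clients linkify in
# plain-text posts: scheme://..., "www." hosts and user@host addresses.
# Clients differ, so this is deliberately a conservative superset.
_LINKIFY_RE = re.compile(
    r"(?i)\b(?:"
    r"(?:https?|ftp)://[^\s<>\"']+"                      # scheme://host/path
    r"|www\.[a-z0-9-]+(?:\.[a-z0-9-]+)+[^\s<>\"']*"      # www.host.tld/...
    r"|[a-z0-9._%+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+"       # user@host.tld
    r")"
)


def find_linkifiable(text):
    """Return every substring a typical client would turn into a live link."""
    return [m.group(0) for m in _LINKIFY_RE.finditer(text)]


def defang(text):
    """Rewrite linkifiable text so it remains readable but is not auto-linked."""
    def _break(m):
        s = m.group(0)
        s = re.sub(r"(?i)^(h)tt(ps?://)", r"\1xx\2", s)  # http:// -> hxxp://
        s = re.sub(r"(?i)^ftp://", "fxp://", s)           # ftp://  -> fxp://
        return s.replace(".", "[.]").replace("@", "[at]")  # break host/address
    return _LINKIFY_RE.sub(_break, text)


def moderate(post):
    """Apply a 'no live links' policy: reject the post if any linkifiable
    text is present and report what tripped it, plus a defanged version a
    moderator could ask the poster to resubmit."""
    hits = find_linkifiable(post)
    return {
        "accepted": not hits,
        "hits": hits,
        "defanged": defang(post) if hits else post,
    }


if __name__ == "__main__":
    # Constructed sample post; example.com/.org are reserved example domains.
    sample = "Details at http://www.example.com/advisory and www.example.org, or mail abuse@example.com."
    print(moderate(sample))
```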
