Fedora Security and the Uverse 3800HGV-B router

JD jd1008 at gmail.com
Sat Jul 2 23:45:06 UTC 2011


On 07/02/2011 01:07 PM, Craig White wrote:
> On Fri, 2011-07-01 at 21:14 -0700, JD wrote:
>
>> You are right.
>> It turns out it does it via the intruder which the whole
>> world was deceived by Sun that it only plays in a sandbox
>> and has no access to anything outside that sandbox: Javascript.
> ----
> what does javascript have to do with Sun? It is not java. It doesn't
> share anything at all with java except the name which was an unfortunate
> choice.
> ----
>> So I used noscript to disable scripts from 192.168.1.254
>> and access to my drive went away.
>>
>> When will the linux community wake up and shout out loud:
>> Kill JavaScript from all browsers and all network servers
>> and network clients.
> ----
> turn off javascript and the Internet is almost unusable. I think you
> were close when you realized that your 'router' is likely an attack
> vector because many of the retail/home intended routers are known to
> have been compromised.
> ----
>> It is THE trojan horse hiding in plain sight and can access
>> EVERYTHING on your system that YOU have access to and
>> send it back to whatever destination the javascript was
>> written to send it to.
>>
>> Come on, people! JAVASCRIPT being executed by your
>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
> ----
> http://en.wikipedia.org/wiki/Javascript
>
>    Sandbox implementation errors
>
>    Web browsers are capable of running JavaScript outside
>    of the sandbox, with the privileges necessary to, for
>    example, create or delete files. Of course, such privileges
>    aren't meant to be granted to code from the web.
>
> What you have demonstrated is one of the many reasons not to run GUI as
> root but you only saw the files/folders that you could see with a tool
> like nautilus or dolphin with exactly the same privileges so I guess I
> can't understand your hysterics.
>
> If noscript gives you peace of mind, then use it.
>
> Craig
>
>
Why do you resort to name calling?
It is not hysterics.
A javascript sent by a web site can, if written
to do so, open your files and upload them to
some remote site; and you call this hysterics?
Something is wrong with your thinking to resort
to name calling.
I think users' awareness, that javascripts are indeed
invasive and a great threat to privacy, needs to be
raised. Most users are unaware of this threat.


