Fedora Security and the Uverse 3800HGV-B router

Craig White craigwhite at azapple.com
Sun Jul 3 11:20:43 UTC 2011


On Sat, 2011-07-02 at 16:45 -0700, JD wrote:
> On 07/02/2011 01:07 PM, Craig White wrote:
> > On Fri, 2011-07-01 at 21:14 -0700, JD wrote:
> >
> >> You are right.
> >> It turns out it does it via the intruder which the whole
> >> world was deceived by Sun that it only plays in a sandbox
> >> and has no access to anything outside that sandbox: Javascript.
> > ----
> > what does javascript have to do with Sun? It is not java. It doesn't
> > share anything at all with java except the name which was an unfortunate
> > choice.
> > ----
> >> So I used noscript to disable scripts from 192.168.1.254
> >> and access to my drive went away.
> >>
> >> When will the linux community wake up and shout out loud:
> >> Kill JavaScript from all browsers and all network servers
> >> and network clients.
> > ----
> > turn off javascript and the Internet is almost unusable. I think you
> > were close when you realized that your 'router' is likely an attack
> > vector because many of the retail/home intended routers are known to
> > have been compromised.
> > ----
> >> It is THE trojan horse hiding in plain sight and can access
> >> EVERYTHING on your system that YOU have access to and
> >> send it back to whatever destination the javascript was
> >> written to send it to.
> >>
> >> Common people! JAVASCRIPT being executed by your
> >> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
> > ----
> > http://en.wikipedia.org/wiki/Javascript
> >
> >    Sandbox implementation errors
> >
> >    Web browsers are capable of running JavaScript outside
> >    of the sandbox, with the privileges necessary to, for
> >    example, create or delete files. Of course, such privileges
> >    aren't meant to be granted to code from the web.
> >
> > What you have demonstrated is one of the many reasons not to run GUI as
> > root but you only saw the files/folders that you could see with a tool
> > like nautilus or dolphin with exactly the same privileges so I guess I
> > can't understand your hysterics.
> >
> > If noscript gives you peace of mind, then use it.
> >
> > Craig
> >
> >
> Why do you resort to name calling?
> It is not hysterics.
> A javascript sent by a web site can, if written
> to do so, open your files and upload them to
> some remote site; and you call this hysterics?
> Something is wrong with your thinking to resort
> to name calling.
> I think users' awareness, that javascripts are indeed
> invasive and a great threat to privacy, needs to be
> raised. Most users are unaware of this threat.
----
I'm probably wasting my time here but nowhere did I resort to anything
even remotely close to name calling.

I wonder if you confused my one entry into this thread with others or
simply have a comprehension problem.

The post I responded to...

> It is THE trojan horse hiding in plain sight and can access
> EVERYTHING on your system that YOU have access to and
> send it back to whatever destination the javascript was
> written to send it to.
> 
> Common people! JAVASCRIPT being executed by your
> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!

if that isn't hysterics, then I don't know what is. The sky is not
falling.

Craig


