
clickjacking


Peter Potamus the Purple Hippo

Oct 16, 2008, 1:01:29 PM
some interesting stuff. I supposed things like this
'could' happen within email, too; therefore, this is
one reason why the devs want to turn off javascript.

http://ha.ckers.org/blog/20081007/clickjacking-details/

--
*IMPORTANT*: Sorry folks, but I cannot provide email
help!!!! Emails to me may become public

Notice: This posting is protected under the Free Speech
Laws, which applies everywhere in the FREE world,
except for some strange reason, not to the mozilla.org
newsgroup servers, where your posting may get you banned.

Peter Potamus & His Magic Flying Balloon:
http://melaman2.com/cartoons/singles/mp3/p-potamus.mp3
http://www.toonopedia.com/potamus.htm

Moz Champion (Dan)

Oct 16, 2008, 1:24:57 PM
Peter Potamus the Purple Hippo wrote:
> some interesting stuff. I supposed things like this 'could' happen
> within email, too; therefore, this is one reason why the devs want to
> turn off javascript.
>
> http://ha.ckers.org/blog/20081007/clickjacking-details/
>


Stupidity if you ask me. Read the entries, it can be done without
Javascript as well. So what do the devs want to do about Firefox, shut
it down? Firefox is just as vulnerable to javascript exploits as
Thunderbird (if not more so), but it will be enabled in Firefox and
disabled (so a user can't turn it on even if they wish) in Thunderbird.


Heck, you can get a virus in email via Thunderbird, the devs going to
turn that capability off as well?

Fear of possibilities. Stupidity

Ron Hunter

Oct 16, 2008, 9:10:45 PM

Actually, you can't get a virus, at least any currently known, in TB
just by reading/displaying, an email. If you should be so unwise as to
actually execute an attachment, yes, you could get a virus, but TB does
what it can to make this difficult, and to warn you.
As for javascript, some go so far as to turn it off in Firefox. I have
had it turned off in email/news since someone put it IN there in the
first place because I see no rational use for it in the email/news
environment.

--
Ron Hunter rphu...@charter.net

Message has been deleted

Moz Champion (Dan)

Oct 17, 2008, 2:04:40 PM

I know that, I've said as much dozens of times.
But the developers seem, to me, to think that way.

They are still unable to point to ANY javascript exploits in the wild
that Thunderbird is susceptible to, yet they are disabling javascript.
They are afraid of POSSIBILITIES, nothing concrete at all.

FDR said it best... The only thing we have to fear is fear itself.

Eitan Adler

Oct 17, 2008, 2:52:10 PM
They disable it by default. That is good security practice.
about:config > javascript.allow.mailnews could enable it.

Moz Champion (Dan)

Oct 17, 2008, 3:12:16 PM

You haven't heard the latest, have you?

In the next version available for testing they are DISABLING it
completely AND NOT providing a UI to turn it back on.

they 'promise' this will be a temporary feature - but so was income tax

JM

Oct 17, 2008, 5:42:23 PM
Yeah, I just installed Thunderbird 3 alpha 3 and saw that. They should
have left that option in there.

JM

Oct 17, 2008, 5:48:22 PM

Wait, no. I just looked at about:config and the
javascript.allow.mailnews entry is in there. Did they say this option
would get removed in the final thunderbird 3 release, or are they just
removing the non-about:config option for enabling javascript?

Ron Hunter

Oct 18, 2008, 4:02:58 AM
squaredancer wrote:
> On 17.10.2008 03:10, CET - what odd quirk of fate caused Ron Hunter to
> generate the following:? :
> yepp! turn OFF Flash, JS, JAVA (don't forget to delete Java Runtime),
> WMP, RP, QT, HTML, your Computer...
>
> and you *MAY* be safe.....
> but *DO NOT* walk out on to the street:
> - a truck *may be* coming down the road....
> - there *may be* an earthquake
> - there *may be* another 11.9
> - an airplane *may* fall on your head
>
> so
> - always wear a signal-orange safety jacket
> - always keep a beeper *in your hand*
> - always wear a headset, bluetoothed to your cellphone
> - always keep your cellphone dialed-in to the police and rescue services.
>
> you *MAY* need all that, one day, so be warned!
>
> reg

Between the extremes of caution and blissful ignorance, there is some
comfort point, which will be different for everyone. I choose to run
some risks, if they entail compensatory advantages, while avoiding others.


--
Ron Hunter rphu...@charter.net

Message has been deleted

Jay Garcia

Oct 18, 2008, 9:55:23 AM
On 18.10.2008 03:02, Ron Hunter wrote:

--- Original Message ---

And if you should happen to see Chicken Little wearing a helmet, watch
out!! :-)

--
Jay Garcia - Netscape/Flock Champion
www.ufaq.org
Netscape - Flock - Firefox - Thunderbird - Seamonkey Support

Phillip Jones, C.E.T.

Oct 18, 2008, 11:57:21 AM

If you're on a standard computer (PC), if you download an executable file,
the way PCs are set up, they automatically open as soon as you download them.

But on Macintosh computers, they neither accept nor use Active-X
controls, nor executable files. So it is impossible for Macs to get viruses,
worms or Trojans through .exe or Active-X. Plus we have the extra
protection of the FreeBSD UNIX code underneath.

I am never going to say Macs are or will be forever immune. As soon as we
get a 50/50 share then there will be such for us as well. But because
we have a lower user base, most malware writers ignore Macs. They don't
get as good a thrill as throwing the entire world's governments in a panic.

--
------------------------------------------------------------------------
Phillip M. Jones, CET |MEMBER:VPEA (LIFE) ETA-I, NESDA,ISCET, Sterling
616 Liberty Street |Who's Who. PHONE:276-632-5045, FAX:276-632-0868
Martinsville Va 24112 |pjo...@kimbanet.com, ICQ11269732, AIM pjonescet
------------------------------------------------------------------------

If it's "fixed", don't "break it"!

mailto:pjo...@kimbanet.com

<http://www.kimbanet.com/~pjones/default.htm>
<http://www.kimbanet.com/~pjones/90th_Birthday/index.htm>
<http://www.kimbanet.com/~pjones/Fulcher/default.html>
<http://www.kimbanet.com/~pjones/Harris/default.htm>
<http://www.kimbanet.com/~pjones/Jones/default.htm>

<http://www.vpea.org>

Message has been deleted

Terry R.

Oct 18, 2008, 2:30:35 PM
The date and time was 10/18/2008 8:57 AM, and on a whim, Phillip Jones,
C.E.T. pounded out on the keyboard:

Once again Phillip, you're out of touch. This is NOT what happens on a PC.

> But on Macintosh computers, They neither accept or use active-X
> controls, nor executable files. So it impossible for Mac's to get Virus,
> worms or Trogan's through .exe or Active-X. Plus we have the extra
> protection of the FreeBSD UNIX code underneath.
>

It's not impossible to contract a virus/malware on a Mac, just not
through the two you mentioned. If it was impossible, Apple wouldn't be
patching its software at all. What was the last one, over twenty?

> I am never going to Mac's are or will be forever, immune. AS soon as we
> get a 50/50 share then there will be such for use as well. But because
> we have a lower user base. Most Malware writers ignore Mac's They don't
> get as good a thrill as Throwing the entire worlds governments in a Panic.
>

As much as you'd like to think Macs are perfect, they aren't. There
isn't a perfect computer or OS. Trust me, I work on enough Macs to see
the flaws, especially when networked on domains. I don't have any ills
towards Macs, I just don't think Mac users should get this false
impression that their computer is better than another.

--
Terry R.
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.

Message has been deleted

Phillip Jones, C.E.T.

Oct 18, 2008, 3:29:13 PM
Unless things have changed very drastically in the PC world. The last
computer I saw anyone use, applications were updated without the user's
input.

On OSX you can configure Software Update to see if there are system
updates. But even if any are found, when Software Update opens it just
lists the items. Unless you check items to install then choose Install.
You can also choose to download only and you can choose a later time to
install.

And until the item is actually downloaded and the install begins you
still can cancel the install.

Do PCs now have that ability?

Blinky the Shark

Oct 18, 2008, 9:49:51 PM
Moz Champion (Dan) wrote:
> Fear of possibilities. Stupidity

Next time you cross the street, don't look both ways, since there's no
*certainty* that you will be struck by a truck if you don't -- there's
only a possibility, after all.


--
Blinky
Killing all posts from Google Groups
The Usenet Improvement Project: http://improve-usenet.org
Need a new news feed? http://blinkynet.net/comp/newfeed.html

Eitan Adler

Oct 19, 2008, 12:01:57 AM
Blinky the Shark wrote:
> Moz Champion (Dan) wrote:
>> Fear of possibilities. Stupidity
>
> Next time you cross the street, don't look both ways, since there's no
> *certainty* that you will be struck by a truck if you don't -- there's
> only a possibility, after all.
>
>
Basic security procedure: default deny. If a user wants to allow
something he should - but why enable JS by default when there is little
need for it?

Ed Mullen

Oct 19, 2008, 12:29:42 AM
Phillip Jones, C.E.T. wrote:
> Unless Things have changed very drastically in PC world. The last
> computer I saw anyone use. applications were updated without the user's
> input.
>
> On OSX you can configure software Update to see if there are system
> updates. But even if any are found. When Software Update opens it just
> list the items. Unless you check items to install the choose Install.
> You can also to choose to download only and you can choose later time to
> install.
>
> And until the item is actually downloaded and the install begins you
> still can cancel the install.
>
> Does PC's now have That ability?
>

I have always had the ability to specify how Windows Updates happen.
You can disable it, choose to be notified first, or allow it to
automatically update. Same with application software.

The problem is with apps writers. They assume users are idiots and
enable auto updates by default. It's the first thing I change when I
install a new app.

What runs on any of my Windows systems does what I want it to do, how I
want it to happen.

--
Ed Mullen
http://edmullen.net
A politician is a man who approaches every problem with an open mouth. -
Adlai Stevenson

Peter Potamus the Purple Hippo

Oct 19, 2008, 12:39:48 AM
Ed Mullen wrote:

> The problem is with apps writers. They assume users are idiots

that sounds like a recent discussion within the TB dev
ng. They assumed the users are stupid, even though they
tried to deny it.

Message has been deleted
Message has been deleted

Jay Garcia

Oct 19, 2008, 8:01:25 AM
On 18.10.2008 14:29, Phillip Jones, C.E.T. wrote:

--- Original Message ---

Yes, things have changed drastically since the Vic-20 was released. :-)

> On OSX you can configure software Update to see if there are system
> updates. But even if any are found. When Software Update opens it just
> list the items. Unless you check items to install the choose Install.
> You can also to choose to download only and you can choose later time to
> install.
>
> And until the item is actually downloaded and the install begins you
> still can cancel the install.
>
> Does PC's now have That ability?
>


--

Message has been deleted
Message has been deleted

Ron Hunter

Oct 19, 2008, 11:38:56 AM
G. R. Woodring wrote:
> Absolutely! Nothing on my computer updates automatically. Not Windows, Not MS
> Office, Not OpenOffice, Not Firefox (2 or 3), Not Thunderbird (2 or 3), Not
> Quicken, Not various games, _Nothing_.
>
> I keep the OS and applications updated, but, on _my_ schedule.
>
> You Mac guys must be getting your PC information from the Republican National
> Committee :-P
>
>
No, they are getting it from Apple advertising. Compared to that, the
RNC and Obama's campaign are models of truth and accuracy.

I believe Google does some automatic updating, no matter HOW many times
I turn off Googleupdate, and delete the darn thing! My firewall warns
me, and one of these days I am going to tell it NO, permanently, but
then Google will probably punish me....
Oh No! I think I hear the black helicopters!


--
Ron Hunter rphu...@charter.net

JM

Oct 19, 2008, 12:03:14 PM

What is that?

Message has been deleted

Phillip Jones, C.E.T.

Oct 19, 2008, 2:13:52 PM

Who said it should be on by default? It never has been on by default
even back in the days of Communicator. But there has always been a
preference to allow it if the user desires so. Now there is a distinct
possibility it will be ripped out of Thunderbird, and it will affect
SeaMonkey as well, because SM uses the same setup for Mail and news as
Thunderbird.

Phillip Jones, C.E.T.

Oct 19, 2008, 2:19:26 PM
Ed Mullen wrote:
> Phillip Jones, C.E.T. wrote:
>> Unless Things have changed very drastically in PC world. The last
>> computer I saw anyone use. applications were updated without the
>> user's input.
>>
>> On OSX you can configure software Update to see if there are system
>> updates. But even if any are found. When Software Update opens it just
>> list the items. Unless you check items to install the choose Install.
>> You can also to choose to download only and you can choose later time
>> to install.
>>
>> And until the item is actually downloaded and the install begins you
>> still can cancel the install.
>>
>> Does PC's now have That ability?
>>
>
> I have always had the ability to specify how Windows Updates happen. You
> can disable it, choose to be notified first, or allow it to
> automatically update. Same with application software.
>
> The problem is with apps writers. They assume users are idiots and
> enable auto updates by default. It's the first thing I change when I
> install a new app.
>
> What runs on any of my Windows systems does what I want it to do, how I
> want it to happen.
>
On the Mac platform there is no such thing as an auto update, even for system
software, which is covered under Software Update. You have to click on a
check mark then click OK to start an update, and even then you have
to use a username and password before it will allow the install. This
using a username and password to allow install even extends to xpi and
Jar files for themes and extensions in Mozilla products. You have to
allow the install. The Mac OS is not near as lax or relaxed in allowing
installation.

Phillip Jones, C.E.T.

Oct 19, 2008, 2:31:22 PM
squaredancer wrote:
> On 19.10.2008 06:39, CET - what odd quirk of fate caused Peter Potamus
> the Purple Hippo to generate the following:? :

>> Ed Mullen wrote:
>>
>>
>>> The problem is with apps writers. They assume users are idiots
>>
>> that sounds like a recent discussion within the TB dev ng. They
>> assumed the users are stupid, even though they tried to denied it.
>>
>>
> hmmmm - aren't we then?? If not, why are we just humble users, instead
> of devs??
>
> reg

There is a difference between being educated to design code and those
using applications. Neither is stupid. In my time I expect I knew how to
fix a computer better than any software developer. I've been retired so
long I'd be afraid to try. I knew/know electronics. But I'd hate to see
myself attempt to rebuild a car engine, or an auto mechanic attempt to
repair a power supply in a computer.

Neither is stupid; they just have different types of education.

I have, though, seen, when I worked in a school system, people that had
Ph.D.s and knew the subject they got the Ph.D. in very well, but
otherwise had difficulty chewing gum and walking at the same time. They
had education sense, but no common sense. Then again I've also seen
Ph.D.s that had both and did wear their education on their sleeve. They
just used it as needed.

Phillip Jones, C.E.T.

Oct 19, 2008, 2:36:21 PM
G. R. Woodring wrote:
> Date: 10/18/2008 3:29 PM, Author: Phillip Jones, C.E.T. Wrote:
> Absolutely! Nothing on my computer updates automatically. Not Windows,
> Not MS Office, Not OpenOffice, Not Firefox (2 or 3), Not Thunderbird (2
> or 3), Not Quicken, Not various games, _Nothing_.
>
> I keep the OS and applications updated, but, on _my_ schedule.
>
> You Mac guys must be getting your PC information from the Republican
> National Committee :-P
>
>
Nope. Then they have improved, because the last I saw, applications were
updated without user input, and you'd hear suspicious HD activity and
look and find strange new files added that were not there before.

Glad to hear of the improvements.

Message has been deleted

Moz Champion (Dan)

Oct 19, 2008, 3:17:01 PM
JM wrote:
> On 10/17/2008 5:42 PM, JM wrote:
>> On 10/17/2008 3:12 PM, Moz Champion (Dan) wrote:
>>>>> I know that, I've said as much dozens of times.
>>>>> But the developers seem, to me, to think that way.
>>>>>
>>>>> They are still unable to point to ANY javascript exploits in the wild
>>>>> that Thunderbird is susceptible to, yet they are disabling javascript.
>>>>> They are afraid of POSSIBILITIES, nothing concrete at all.
>>>> They disable it by default. That is good security practice.
>>>> about:config > javascript.allow.mailnews could enable it.
>>>>> FDR said it best... The only thing we have to fear is fear itself.
>>>
>>>
>>> You havent heard the latest have you.
>>>
>>> In the next version available for testing they are DISABLING it
>>> completely AND NOT providing a UI to turn it back on.
>> Yeah, I just installed Thunderbird 3 alpha 3 and saw that. They should
>> have left that option in there.
>
> Wait, no. I just looked at about:config and the
> javascript.allow.mailnews entry is in there. Did they say this option
> would get removed in the final thunderbird 3 release, or are they just
> removing the non-about:config option for enabling javascript?
>
>>>
>>> they 'promise' this will be a temporary feature - but so was income tax
>>
>

The developers said that it would be disabled in the next release, at a
level where users COULD NOT turn it back on. They also said this was a
'temporary' situation - but have not stated when they would turn it back on.

Moz Champion (Dan)

Oct 19, 2008, 3:33:09 PM
Blinky the Shark wrote:
> Moz Champion (Dan) wrote:
>> Fear of possibilities. Stupidity
>
> Next time you cross the street, don't look both ways, since there's no
> *certainty* that you will be struck by a truck if you don't -- there's
> only a possibility, after all.
>
>

But the devs aren't (in the case of javascript) not asking you to look
both ways, they are BANNING crossing the street!


Yep. Two ways of fixing things, let the user decide for themselves, or
impose a situation by the developers which REMOVES all user choice.

I am not talking about taking precautions, I am talking about complete
REMOVAL of a capability because it COULD BE dangerous.
To use YOUR allegory

The Devs ARE banning crossing the street, completely, even if you wanted
to, because it MIGHT be dangerous. Although there has never been a truck
down that road previously

A User doesn't have a choice at all. No matter how careful they are, how
many precautions they take (or don't) the developers, in their infinite
wisdom, have completely taken the ability to cross the street away.

What are they going to do about this 'clickjacking'? Ban mouse clicks?
After all, it COULD be dangerous, so the user can't be allowed to decide
if what they want to do is worth the risk, so the developers will take
that ability away from them completely.


Looking both ways before you cross the street, can remove a LOT of the
danger from errant trucks, but it never does completely eliminate it.
There is always the possibility that you could get hit by a truck. The
question is NOT do you look both ways, but (as the devs seem to see it)
can you be ALLOWED to cross the road in any case!

That's the difference. Heck, turning OFF javascript completely (so a
user cannot re-enable it) is like saying that since downloads CAN be
dangerous, you won't be able to do it in Thunderbird anymore. No more
of this 'asking' every time you want to download an .exe file or such,
the program won't let you download anything at all!

Moz Champion (Dan)

Oct 19, 2008, 3:37:03 PM


That's what the developers are doing in the next release of Thunderbird.
They are taking the ability to turn on Javascript completely away.
This is not a 'default deny' - they are turning JS off in such a manner
that even if a user wants to turn the ability back on, they can't. Period.

So it's NOT a 'default deny' it is a COMPLETE and TOTAL elimination of
the possibility.

A 'default deny' would be much preferable to what the developers are
planning.

Jay Garcia

Oct 19, 2008, 3:55:18 PM
On 19.10.2008 13:36, Phillip Jones, C.E.T. wrote:

--- Original Message ---

Been running Windows here since the very first release and related
applications. Nothing here auto-updates by itself, NEVER! The only thing
here that auto-updates is Kaspersky AV and that is because I chose it
that way.

Jay Garcia

Oct 19, 2008, 3:57:01 PM
On 19.10.2008 11:03, JM wrote:

--- Original Message ---

>> Yes, things have changed drastically since the Vic-20 was released. :-)
>
> What is that?

That was a computer that preceded the Commodore-64. And I had a PET
before that.

Jay Garcia

Oct 19, 2008, 4:00:44 PM
On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:

--- Original Message ---

> On mac platform there is no such thing as an Auto update. even system
> software which is covered under software update. You have to click on a
> check mark then click okay to start and update. and even then you have
> to use Username and password before it will allow the install. This
> using user name and password to allow install even extends to xpi and
> Jar files for themes and extensions in Mozilla products. you have to
> allow the install. The Mac OS is not near as lax or relaxed in allowing
> installation.

Phillip, you're proving quite well that you don't know PC's and/or
Windows applications, etc. I have NEVER had to use a user/pass to
install a Jar, Extension or Theme in ANY browser/mail app that I use or
have used.

BJ

Oct 19, 2008, 4:20:23 PM
Ed Mullen wrote:

> They assume users are idiots and enable auto updates by default.

No doubt that's part of the reason these guys build in auto updates.
But I think another reason, just as stupid, BTW, is a marketing ploy. I
mean, those novice users think that auto-updating is pretty slick, hence
they think the software design is "secure" (when it's actually just the
opposite).

As an example, I would point to all the hype that Microsoft puts out
about the autoupdate feature. They even "recommend" it. And when a
novice sees "recommended" by a 500 pound gorilla, they think that "must"
be the way to go.

I have those Windoze updates set to notify only, and then I look on a
few forums for news that the update is buggy (and there have been a
few), and I wait until MS comes out with a stable revision.

Don't misunderstand . . . I DO think that Windoze needs security patches
(obviously). Zero-day exploits aside (and they are arguable anyway),
there's nothing wrong with waiting a few days . . . and you can reduce
the risk by keeping to Best Security Practices.

> What runs on any of my Windows systems does what I want it to do, how I
> want it to happen.

Me too. The McAfee Site advisor version 2.8 was a good example of a
major vendor NOT allowing users that option. When it first came out a
few months ago (I think they've fixed it now), McAfee had the update
pushing out stealthily, WITHOUT the user's knowledge . . . until you
noticed that the SA icon was not in the usual spot and checked the
version . . . and found out that you had been upgraded.

The previous version was 2.6. For users that then went back to 2.6
(which was a lot more stable and didn't take up so much screen real
estate with an entire toolbar for the icon only), the 2.8 upgrade got
pushed out again all over. The only way to stop that infuriating
nonsense was with a HIPS.

Anyway, a reputed vendor (McAfee) was using spyware tactics (installing
without user "authorization") as far as I'm concerned. I was using SA
until then, but I got so infuriated with that tactic that I switched to WOT.

Like you, I don't like things doing stuff "automagically".

Since this has gotten WAY off topic from clickjacking, I've titled it so.

--
BJ

Anti-spam measures are included in my email address.
Delete all the NOSPAMs from the email address after clicking Reply.


BJ

Oct 19, 2008, 4:38:37 PM
G. R. Woodring wrote:
> The default should be on the side
> of safety and let the user decide what level of automation to keep or
> disable.

As long as, like you said, the user can . . . DECIDE. Some software
doesn't present that option, like the GoogleUpdater, and the once buggy
McAfee Site Advisor version 2.8 (see my previous post in this thread).

BJ

Oct 19, 2008, 4:52:50 PM
Blinky the Shark wrote:

> Next time you cross the street, don't look both ways, since there's no
> *certainty* that you will be struck by a truck if you don't -- there's
> only a possibility, after all.

I think the guy was talking about the PROBABILITY of an infection occurring.

While the PROBABILITY of getting hit by a truck is high if you don't
look both ways, I don't think the probability of getting an infection is
as high (though certainly there's still a risk) in the circumstances
that he described.

BTW . . . OT here . . . I've been wondering how to get ahold of you via
email. I went to your web page and saw your description of the
Northridge Earthquake of 1994 and also your discussion of the Arizona
Memorial, and those are two things we have very much in common. But I
didn't see an email contact for you there . . . and here on the NG it's
not valid, of course, and I didn't want to post "Hey Blinky, How do I .
. .?" here, so if you have the inclination email me at rbjamieATgmailDOTcom.

Eitan Adler

Oct 19, 2008, 4:58:51 PM
Phillip Jones, C.E.T. wrote:
> Eitan Adler wrote:
>> Blinky the Shark wrote:
>>> Moz Champion (Dan) wrote:
>>>> Fear of possibilities. Stupidity
>>> Next time you cross the street, don't look both ways, since there's no
>>> *certainty* that you will be struck by a truck if you don't -- there's
>>> only a possibility, after all.
>>>
>>>
>> Basic security procedure: default deny. If a user wants to allow
>> something he should - but why enable JS by default when there is little
>> need for it ?
>
> Who said it should be on by default . It never has been on by default
> even back in the days of Communicator. But there has always been a
> preference to allow it if the user desire so. Now there is a distinct
> possibility it will be ripped out of Thunderbird.
Ah, I was not aware of this. What bugzilla report is this being debated at?

Terry R.

Oct 19, 2008, 5:23:54 PM
The date and time was 10/19/2008 1:00 PM, and on a whim, Jay Garcia
pounded out on the keyboard:

> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:


>
> --- Original Message ---
>
>> On mac platform there is no such thing as an Auto update. even system
>> software which is covered under software update. You have to click on a
>> check mark then click okay to start and update. and even then you have
>> to use Username and password before it will allow the install. This
>> using user name and password to allow install even extends to xpi and
>> Jar files for themes and extensions in Mozilla products. you have to
>> allow the install. The Mac OS is not near as lax or relaxed in allowing
>> installation.
>
> Phillip, you're proving quite well that you don't know PC's and/or
> Windows applications, etc. I have NEVER had to use a user/pass to
> install a Jar, Extension or Theme in ANY browser/mail app that I use or
> have used.
>

He was referring to Mac's... ;-)

--
Terry R.


Anti-spam measures are included in my email address.

Delete NOSPAM from the email address after clicking Reply.

JM

Oct 19, 2008, 9:00:04 PM
Does that mean that a non-user who is good on a computer could turn it
on? Also, why are they disabling it? I've never needed javascript in my
email, but I haven't seen a really good reason to get rid of it.

JM

Oct 19, 2008, 9:06:12 PM
Same here. I have Kaspersky and it is the only thing that auto-updates.

JM

Oct 19, 2008, 9:08:45 PM
Maybe someone will make an add-on or plug-in for javascript in
thunderbird 3.

Dennis

Oct 19, 2008, 10:51:35 PM

Kaspersky doesn't appear to have a free version, I don't do 30 day
trial versions. I have never purchased anti-virus software. I don't
need nor use anti-virus software but some of my friends and relatives
do. I used to use Grisoft AVG, the free version, for them but now use
the free version of AVAST. None of my friends or relatives have ever
been infected when either Grisoft AVG or AVAST was installed.

Dennis

Jay Garcia

Oct 19, 2008, 11:10:56 PM
On 19.10.2008 16:23, Terry R. wrote:

--- Original Message ---

> The date and time was 10/19/2008 1:00 PM, and on a whim, Jay Garcia
> pounded out on the keyboard:
>
>> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>>
>> --- Original Message ---
>>
>>> On mac platform there is no such thing as an Auto update. even system
>>> software which is covered under software update. You have to click on a
>>> check mark then click okay to start and update. and even then you have
>>> to use Username and password before it will allow the install. This
>>> using user name and password to allow install even extends to xpi and
>>> Jar files for themes and extensions in Mozilla products. you have to
>>> allow the install. The Mac OS is not near as lax or relaxed in allowing
>>> installation.
>>
>> Phillip, you're proving quite well that you don't know PC's and/or
>> Windows applications, etc. I have NEVER had to use a user/pass to
>> install a Jar, Extension or Theme in ANY browser/mail app that I use or
>> have used.
>>
>
> He was referring to Mac's... ;-)
>

Hmm, ok, then he doesn't know those either then. My brother, a licensed
Apple developer said so .. :-)

Jay Garcia

Oct 19, 2008, 11:15:11 PM

--- Original Message ---

Being a support oriented giver/user, I believe in paying for tech
support for such important things as an AV application. FREE versions
are worth what you pay for 'em ... for some apps, not all.

Moz Champion (Dan)

Oct 20, 2008, 1:55:12 AM

Yes, that means that NO ONE will be able to turn it back on. You would
have to hack the code to enable it.

That's my question! Why the developers see a need to disable it
completely in Thunderbird, yet leave it enabled by default in Firefox.
They 'claim' it's because of 'yet to be done' threats and so forth.

Ron Hunter

Oct 20, 2008, 3:45:50 AM

I allow my firewall program to update automatically, but it notifies me
that it had done so, and that is ONLY the parameter files, not the
actual program modules. MS Update I allow to download, but NOT to
update. I refuse to allow my computers to be rebooted without my
permission.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 20, 2008, 3:50:18 AM
Jay Garcia wrote:
> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>
> --- Original Message ---
>
>> On mac platform there is no such thing as an Auto update. even system
>> software which is covered under software update. You have to click on a
>> check mark then click okay to start and update. and even then you have
>> to use Username and password before it will allow the install. This
>> using user name and password to allow install even extends to xpi and
>> Jar files for themes and extensions in Mozilla products. you have to
>> allow the install. The Mac OS is not near as lax or relaxed in allowing
>> installation.
>
> Phillip, you're proving quite well that you don't know PC's and/or
> Windows applications, etc. I have NEVER had to use a user/pass to
> install a Jar, Extension or Theme in ANY browser/mail app that I use or
> have used.
>
I believe he said that is ONLY on the Mac. Frankly, I think that is
excessive, and should be at the user's option. I would HATE it.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 20, 2008, 3:54:09 AM
G. R. Woodring wrote:
> I don't like automatic updates and I always search through the options to
> prevent them when I install new software, however, I don't necessarily consider
> them "evil". In my ex-wife's case, without automatic updating she would have 4
> year old virus definitions and 120 un-applied Windows critical updates.
> Different attitudes and experience levels deserve appropriate options. The
> default should be on the side of safety and let the user decide what level of
> automation to keep or disable.
>
>
I do all the updating for my three computers. I have MS Update on my
wife's machine set to 'download only', and on mine, even that is shut
off. Only the firewall updates automatically, and that only the
parameter files.
If you can't trust your firewall company, you might as well turn off the
computer and use it for a doorstop.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 20, 2008, 3:55:57 AM
BJ wrote:
> G. R. Woodring wrote:
>> The default should be on the side
>> of safety and let the user decide what level of automation to keep or
>> disable.
>
> As long as, like you said, the user can . . . DECIDE. Some software
> doesn't present that option, like the GoogleUpdater, and the once buggy
> McAfee Site Advisor version 2.8 (see my previous post in this thread).
>
Well, I finally got around to telling Googleupdater it can't access the
internet. Also, I downloaded and installed a new version of Google
Chrome, and was appalled at the fact that it doesn't give ANY indication
that it has run, or done ANYTHING, but the program was updated. This is
totally unacceptable!


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 20, 2008, 3:58:27 AM

I don't use an AV program. My firewall provides basic protection
against viruses via attachments, and I, and my wife, are very cautious
about what we open. After paying for Norton for about 3 years, while it
found not one virus, I ditched it. The best AV program is that 3 pounds
of neural tissue in your head.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 20, 2008, 4:04:54 AM

I understand the objection, and feel that it is rather an olympian
decision, but I can't get very excited about doing away with a feature I
have never had turned on, and wouldn't use. I can only conclude that
they feel it is much too dangerous for the utility it adds, given that
most users never turn it on.


--
Ron Hunter rphu...@charter.net

Jay Garcia

Oct 20, 2008, 8:23:20 AM
On 20.10.2008 00:55, Moz Champion (Dan) wrote:

--- Original Message ---

The decision was made to disable it for testing other modules in the
beta. The decision to DISable it permanently has not been made.

Jay Garcia

Oct 20, 2008, 8:26:20 AM

--- Original Message ---

Kaspersky does a lot more than just email, it scans web sites prior to
opening as well, also does spyware too.

Terry R.

Oct 20, 2008, 9:29:28 AM
The date and time was 10/19/2008 8:10 PM, and on a whim, Jay Garcia
pounded out on the keyboard:

> On 19.10.2008 16:23, Terry R. wrote:
>
> --- Original Message ---
>
>> The date and time was 10/19/2008 1:00 PM, and on a whim, Jay Garcia
>> pounded out on the keyboard:
>>
>>> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>>>
>>> --- Original Message ---
>>>
>>>> On mac platform there is no such thing as an Auto update. even system
>>>> software which is covered under software update. You have to click on a
>>>> check mark then click okay to start and update. and even then you have
>>>> to use Username and password before it will allow the install. This
>>>> using user name and password to allow install even extends to xpi and
>>>> Jar files for themes and extensions in Mozilla products. you have to
>>>> allow the install. The Mac OS is not near as lax or relaxed in allowing
>>>> installation.
>>> Phillip, you're proving quite well that you don't know PC's and/or
>>> Windows applications, etc. I have NEVER had to use a user/pass to
>>> install a Jar, Extension or Theme in ANY browser/mail app that I use or
>>> have used.
>>>
>> He was referring to Mac's... ;-)
>>
>
> Hmm, ok, then he doesn't know those either then. My brother, a licensed
> Apple developer said so .. :-)
>

I don't know, whenever I install anything on a Mac, the process Phillip
describes is what I have to do. You can't install anything without
entering a user/password of someone with Admin rights. He may be a dev,
but I think he may have misunderstood what you were describing. Similar
to what MS tried to do with Vista...

JM

Oct 20, 2008, 10:11:19 AM
There's also a neat feature in the network monitor where you can
terminate connections that a program has made to the internet, without
terminating the actual internet connection. However, they removed this
option from version 8 so I switched back to version 7. And the firewall
is very easy to use and is the best I have seen.

Ed Mullen

Oct 20, 2008, 11:01:28 AM

Even if they ultimately remove js from TB they can't possibly do it in
FF: There are too many Web sites out there that depend (rightly or
wrong-headedly) on js for full functionality.

--
Ed Mullen
http://edmullen.net
A musicologist is a man who can read music but can't hear it. - Sir
Thomas Beecham (1879 - 1961)

Ed Mullen

Oct 20, 2008, 11:03:02 AM

The simple answer is to stop using the Google toolbar and Chrome.

I was on a chat last night and I thought: "I must have Asperger's or I
wouldn't be sitting here arguing with a monitor!"

Ed Mullen

Oct 20, 2008, 11:04:51 AM

If most users never turn it on, where's the threat/problem? The devs
are over-reacting. And not very intelligently to boot.

Violence is the last refuge of the incompetent. - Isaac Asimov


Terry R.

Oct 20, 2008, 12:38:21 PM
The date and time was 10/20/2008 9:31 AM, and on a whim, squaredancer
pounded out on the keyboard:

> On 19.10.2008 18:37, CET - what odd quirk of fate caused G. R. Woodring
> to generate the following:? :
>> Date: 10/19/2008 12:03 PM, Author: JM Wrote:
>>
>>> On 10/19/2008 8:01 AM, Jay Garcia wrote:


>>>
>>>> On 18.10.2008 14:29, Phillip Jones, C.E.T. wrote:
>>>>
>>>> --- Original Message ---
>>>>
>>>>

>>>>> Terry R. wrote:
>>>>>
>>>>>> The date and time was 10/18/2008 8:57 AM, and on a whim, Phillip Jones,
>>>>>> C.E.T. pounded out on the keyboard:
>>>>>>
>>>>>>

>>>>>>> Ron Hunter wrote:
>>>>>>>
>>>>>>>> Moz Champion (Dan) wrote:
>>>>>>>>

>>>>>>>>> Peter Potamus the Purple Hippo wrote:
>>>>>>>>>
>>>>>>>>>> some interesting stuff. I supposed things like this 'could'
>>>>>>>>>> happen within email, too; therefore, this is one reason why the
>>>>>>>>>> devs want to turn off javascript.
>>>>>>>>>>
>>>>>>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>>>>>>> Javascript as well. So what do the devs want to do about Firefox,
>>>>>>>>> shut it down? Firefox is just as vulnerable to javascript exploits
>>>>>>>>> as Thunderbird (if not more so), but it will be enabled in Firefox
>>>>>>>>> and disabled (so a user can't turn it on even if they wish) in
>>>>>>>>> Thunderbird.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Heck, you can get a virus in email via Thunderbird, the devs going
>>>>>>>>> to turn that capability off as well?
>>>>>>>>>
>>>>>>>>> Fear of possibilities. Stupidity
>>>>>>>>>
>>>>>>>> Actually, you can't get a virus, at least any currently known, in TB
>>>>>>>> just by reading/displaying, an email. If you should be so unwise as
>>>>>>>> to actually execute an attachment, yes, you could get a virus, but TB
>>>>>>>> does what it can to make this difficult, and to warn you.
>>>>>>>> As for javascript, some go so far as to turn it off in Firefox. I
>>>>>>>> have had it turned off in email/news since someone put it IN there in
>>>>>>>> the first place because I see no rational use for it in the
>>>>>>>> email/news environment.
>>>>>>>>
>>>>>>>>

>>>> Yes, things have changed drastically since the Vic-20 was released. :-)
>>>>
>>> What is that?
>>>
>>>
>> Think Commodore 64, TRS-80, TI-99, Atari 5600; in other words from the days when
>> the IBM PC-Jr was the ultimate in home/small business systems :-)
>>
>
> and..... those were the days when a programmer (now politely called a
> "dev") lost his job if his code brought up a "Fatal error - Application
> terminated"
>
> "Division by Zero" was the worst one in my trade (survey - mathematics)
> Now-a-days they simply say "User error - please file a Bug-Report"
>
> reg
>
> <<snipped>>
>

Ah, "Divide by zero". I remember that one. That explained a lot,
didn't it?

Jay Garcia

Oct 20, 2008, 2:38:32 PM

--- Original Message ---

KAV is only on version 6.0 something and has no network monitor that I
know of.

Jay Garcia

Oct 20, 2008, 2:39:31 PM

--- Original Message ---

He's the only one that ever uses it so I guess that's why, dunno.

Jay Garcia

Oct 20, 2008, 2:41:50 PM
On 20.10.2008 11:31, squaredancer wrote:

--- Original Message ---

> On 19.10.2008 18:37, CET - what odd quirk of fate caused G. R. Woodring
> to generate the following:? :
>> Date: 10/19/2008 12:03 PM, Author: JM Wrote:
>>
>>> On 10/19/2008 8:01 AM, Jay Garcia wrote:
>>>

>>>> On 18.10.2008 14:29, Phillip Jones, C.E.T. wrote:
>>>>
>>>> --- Original Message ---
>>>>
>>>>

>>>> Yes, things have changed drastically since the Vic-20 was released. :-)
>>>>
>>> What is that?
>>>
>>>
>>
>> Think Commodore 64, TRS-80, TI-99, Atari 5600; in other words from the days when
>> the IBM PC-Jr was the ultimate in home/small business systems :-)
>>
>
> and..... those were the days when a programmer (now politely called a
> "dev") lost his job if his code brought up a "Fatal error - Application
> terminated"
>
> "Division by Zero" was the worst one in my trade (survey - mathematics)
> Now-a-days they simply say "User error - please file a Bug-Report"
>
> reg
>
> <<snipped>>
>

A programmer is a developer but a developer is not necessarily a
programmer ... me for instance, I had a hand in developing TheBat but
never programmed a single line.

JM

Oct 20, 2008, 3:07:19 PM
You must be on Kaspersky Antivirus. I have Kaspersky Internet Security.

Phillip Jones, C.E.T.

Oct 20, 2008, 4:30:57 PM
Jay Garcia wrote:

> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>
> --- Original Message ---
>
>> On mac platform there is no such thing as an Auto update. even system
>> software which is covered under software update. You have to click on a
>> check mark then click okay to start and update. and even then you have
>> to use Username and password before it will allow the install. This
>> using user name and password to allow install even extends to xpi and
>> Jar files for themes and extensions in Mozilla products. you have to
>> allow the install. The Mac OS is not near as lax or relaxed in allowing
>> installation.
>
> Phillip, you're proving quite well that you don't know PC's and/or
> Windows applications, etc. I have NEVER had to use a user/pass to
> install a Jar, Extension or Theme in ANY browser/mail app that I use or
> have used.
>
You mean to tell me you don't get the warning when installing an
extension or theme in TB.SM, or FF you are about to install unknown code
which could damage your computer>. ??

I get it all the time when installing the likes of QuoteColors,
UserAgent switcher, SkyPilot Classic, Toy Factory and others. I know
they are okay so I click on them to Install.

On system software software update Polls apple to see if there are any
new updates. If there are I am presented with a list. I but click a
check box beside what I want to install then must read and click okay
after viewing a License screen and help screen. Then I have to type in
my user name and password for my computer in order to start install.

all other applications or Utilities from a .dmg or .pkg file has much
the same screens. I must type in user name and password of computer before
I can install anything.

If you don't have to do this on any of your PC's then The Windows PC's
indeed must be very lax in security.
--
------------------------------------------------------------------------
Phillip M. Jones, CET |MEMBER:VPEA (LIFE) ETA-I, NESDA,ISCET, Sterling
616 Liberty Street |Who's Who. PHONE:276-632-5045, FAX:276-632-0868
Martinsville Va 24112 |pjo...@kimbanet.com, ICQ11269732, AIM pjonescet
------------------------------------------------------------------------

If it's "fixed", don't "break it"!

mailto:pjo...@kimbanet.com

<http://www.kimbanet.com/~pjones/default.htm>
<http://www.kimbanet.com/~pjones/90th_Birthday/index.htm>
<http://www.kimbanet.com/~pjones/Fulcher/default.html>
<http://www.kimbanet.com/~pjones/Harris/default.htm>
<http://www.kimbanet.com/~pjones/Jones/default.htm>

<http://www.vpea.org>

Phillip Jones, C.E.T.

Oct 20, 2008, 4:37:02 PM
Eitan Adler wrote:

> Phillip Jones, C.E.T. wrote:
>> Eitan Adler wrote:
>>> Blinky the Shark wrote:
>>>> Moz Champion (Dan) wrote:
>>>>> Fear of possibilities. Stupidity
>>>> Next time you cross the street, don't look both ways, since there's no
>>>> *certainty* that you will be struck by a truck if you don't -- there's
>>>> only a possibility, after all.
>>>>
>>>>
>>> Basic security procedure: default deny. If a user wants to allow
>>> something he should - but why enable JS by default when there is little
>>> need for it ?
>> Who said it should be on by default . It never has been on by default
>> even back in the days of Communicator. But there has always been a
>> preference to allow it if the user desire so. Now there is a distinct
>> possibility it will be ripped out of Thunderbird.
> Ah, I was not aware of this. What bugzilla report is this being debated at?
> and it will affect
>> SeaMonkey as well. Because SM uses the same setup for Mail and news as
>> Thunderbird.
>>
Go to the developer.Thunderbird news group and read up on the thread that was
started about JS in Thunderbird 3 by one of the folks here.
Read all the comments. There are at least two or three folks there that
would like to see it ripped completely out.

Phillip Jones, C.E.T.

Oct 20, 2008, 4:42:24 PM
Terry R. wrote:
> The date and time was 10/19/2008 1:00 PM, and on a whim, Jay Garcia
> pounded out on the keyboard:
>
>> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>>
>> --- Original Message ---
>>
>>> On mac platform there is no such thing as an Auto update. even
>>> system software which is covered under software update. You have to
>>> click on a check mark then click okay to start and update. and even
>>> then you have to use Username and password before it will allow the
>>> install. This using user name and password to allow install even
>>> extends to xpi and Jar files for themes and extensions in Mozilla
>>> products. you have to allow the install. The Mac OS is not near as
>>> lax or relaxed in allowing installation.
>>
>> Phillip, you're proving quite well that you don't know PC's and/or
>> Windows applications, etc. I have NEVER had to use a user/pass to
>> install a Jar, Extension or Theme in ANY browser/mail app that I use or
>> have used.
>>
>
> He was referring to Mac's... ;-)
>
Yes I was. Mac warns against everything having to do with the internet,
and you have to use the username and password of the computer to install any
updates, even utilities and applications delivered by .dmg (disk image)
and .pkg (package) files. And on the Jar and xpi files as related to
TB, FF, SM you get a warning that you are about to install code which could damage
your computer.

Everything is warned against. It makes the user take responsibility for
screwing up his or her computer, instead of unknowingly doing so.

Phillip Jones, C.E.T.

Oct 20, 2008, 4:44:46 PM
JM wrote:
> Moz Champion (Dan) wrote:
>> Blinky the Shark wrote:
>>> Moz Champion (Dan) wrote:
>>>> Fear of possibilities. Stupidity
>>>
>>> Next time you cross the street, don't look both ways, since there's
>>> no *certainty* that you will be struck by a truck if you don't --
>>> there's only a possibility, after all.
>>>
>>>
>>
>> But the devs aren't (in the case of javascript) not asking you to look
>> both ways, they are BANNING crossing the street!
>>
>>
>> Yep. two ways of fixing things, let the user decide for themselves, or
>> impose a situation by the developers which REMOVES all user choice.
>>
>> I am not talking about taking precautions, I am talking about complete
>> REMOVAL of a capability because it COULD BE dangerous.
>> To use YOUR allegory
>>
>> The Devs ARE banning crossing the street, completely, even if you
>> wanted to, because it MIGHT be dangerous. Although there has never
>> been a truck down that road previously
>>
>> A User doesn't have a choice at all. No matter how careful they are,
>> how many precautions they take (or don't) the developers, in their
>> infinite wisdom, have completely taken the ability to cross the street
>> away.
>>
>> What are they going to do about this 'clickjacking'? Ban mouse clicks?
>> After all, it COULD be dangerous, so the user can't be allowed to
>> decide if what they want to do is worth the risk, so the developers
>> will take that ability away from them completely.
>>
>>
>> Looking both ways before you cross the street, can remove a LOT of the
>> danger from errant trucks, but it never does completely eliminate it.
>> There is always the possibility that you could get hit by a truck. The
>> question is NOT do you look both ways, but (as the devs seem to see it)
>> can you be ALLOWED to cross the road in any case!
>>
>> That's the difference. Heck, turning OFF javascript completely (so a
>> user cannot re-enable it) is like saying that since downloads CAN be
>> dangerous, you won't be able to do it in Thunderbird anymore. No more
>> of this 'asking' everytime you want to download an .exe file or such,
>> the program won't let you download anything at all!
> Maybe someone will make an add-on or plug-in for javascript in
> thunderbird 3.

That would be the only way I'd upgrade to TB3 (or SM2 down the road) if
it was removed

Phillip Jones, C.E.T.

Oct 20, 2008, 4:51:10 PM
Actually I love it. To think a computer company is looking out for my
interest enough to have these safeguards.

To me, the way you PC people appear to make it sound, it's like you're going down
a steep hill in a heavy truck and the truck company left the foot brakes
off at the manufacturing plant. But you might have a cable-operated
emergency brake.

Phillip Jones, C.E.T.

Oct 20, 2008, 4:59:54 PM
No, not a developer. But every application or utility, whether new from a
DVD/CD, or update or new download from the internet, in .dmg or .pkg format,
once you click on it to install, asks for username and password. It's
always been that way since OSX.2.3. OS9 and lower didn't have those
controls; anyone could install anything on any computer, no username, no
password.

I like it better this way. It only adds maybe an extra 5 seconds total to
the install process.

Phillip Jones, C.E.T.

Oct 20, 2008, 5:02:59 PM

I've always turned it on even back to the days of Netscape 3 and
Communicator 4. Never had any problems with it.

clay

Oct 20, 2008, 6:08:57 PM
Phillip Jones, C.E.T. wrote:
>...

>>
> Yes I was. Mac warns against everything having to do with the internet,
> and you have to use the username and password of the computer to install any
> updates, even utilities and applications delivered by .dmg (disk image)
> and .pkg (package) files. And on the Jar and xpi files as related to
> TB, FF, SM you get a warning that you are about to install code which could damage
> your computer.
>
> Everything is warned against. It makes the user take responsibility for
> screwing up his or her computer, instead of unknowingly doing so.
>

...If 'Everything' is warned against, the user gets programmed to always
enter username and password. After all, practice makes proficient.
Then something nefarious comes along and user goes into admin mode,
enters username and password, and blamo.
In reality, no safer than clicking on OK.

An example, I deloused a friend's PC and had a devil of a time with a
browser hijack. elitebar, iirc.
After trying everything I knew to blast it off the system, I gave up and
rtfm for the hijack. The removal instructions were honest, legit, and
simple.

Go to add and remove programs and uninstall it.

So I did that.
The ubiquitous /Are you sure you don't want to remove this program/ pop
up popped up, I hit yes, restarted, and the damn hijack was still there...

Sneaky bastids!

Larry Gusaas

Oct 20, 2008, 6:29:25 PM

Not true. I am only asked for Username and Password for that install at
the system level. Installs on the user level don't require username and
password providing the user has administrative rights.

--

Larry I. Gusaas
Moose Jaw, Saskatchewan Canada
Website: http://larry-gusaas.com
"An artist is never ahead of his time but most people are far behind theirs." - Edgard Varese

Chris Ilias

Oct 20, 2008, 6:56:16 PM
On 10/19/08 3:37 PM, _Moz Champion (Dan)_ spoke thusly:

> That's what the developers are doing in the next release of Thunderbird.
> They are taking the ability to turn on Javascript completely away.

For clarification, JS is only *temporarily* disabled in Alpha 3 (or is
it the next beta?), not any end-user release.
--
Chris Ilias <http://ilias.ca>
List-owner: support-firefox, support-thunderbird, test-multimedia

Jay Garcia

Oct 20, 2008, 6:50:37 PM
On 20.10.2008 15:30, Phillip Jones, C.E.T. wrote:

--- Original Message ---

> Jay Garcia wrote:
>> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>>
>> --- Original Message ---
> You mean to tell me you don't get the warning when installing an
> extension or theme in TB.SM, or FF you are about to install unknown code
> which could damage your computer>. ??

A warning is a lot different than having to enter a user/pass. Yes, I
get warnings.

Moz Champion (Dan)

Oct 20, 2008, 7:04:43 PM
Chris Ilias wrote:
> On 10/19/08 3:37 PM, _Moz Champion (Dan)_ spoke thusly:
>> That's what the developers are doing in the next release of Thunderbird.
>> They are taking the ability to turn on Javascript completely away.
>
> For clarification, JS is only *temporarily* disabled in Alpha 3 (or is
> it the next beta?), not any end-user release.


Income tax began as a 'temporary' measure in World War One


No word on when (or even IF) JS would be re-enabled.


So who are the devs 'protecting'? Alpha testers?

JoeS

Oct 20, 2008, 7:57:15 PM

The assumption at the time that it was disabled, was that the next release would be a Beta release.
Some "cold feet" resulted in downgrading the release to another Alpha.
You can read where all this started here:
https://bugzilla.mozilla.org/show_bug.cgi?id=453928
David Ascher immediately filed this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=453943

You might notice that the bottom line was that the prefs to allow/disallow, might be ignored, as well as the added
CAPS restrictions that were added to mailnews years ago.
BZ (the current security czar) really wasn't sure that those added CAPS prefs were even
relevant today.

Well, if the prefs could be ignored, then fix that. *Make the prefs stick*

I have noted that certain CAPS restrictions have been added recently, in a security bug which isn't viewable by the
masses. These seem to be oriented to added prohibitions that would make RSS feeds "safer"

So that re-evaluation of JS seems to be in progress, and my guess would be that the final outcome will be that JS
will work in RSS feeds, maybe in newsgroups, and probably not at all in email.

--
Joe

Chris Ilias

Oct 20, 2008, 8:39:47 PM
On 10/20/08 7:04 PM, _Moz Champion (Dan)_ spoke thusly:

Everyone is entitled to their own predictions; but you're passing on
your predictions as fact, even though you were told that disabling JS
was temporary.

Ed Mullen

Oct 20, 2008, 9:34:09 PM

Fascinating. Phillip, while that may be the way the Mac OS works for
you, and maybe out of the box, can it be configured so that one doesn't
have to jump though those hoops? It would annoy the crap out of me. It
would be enough for me to abandon the OS.

And, by the way, your statements about how Windows works (and has
worked) indicates you don't know it in depth enough to talk
authoritatively about it.

Fear has its use but cowardice has none. - Mohandas Gandhi

Moz Champion (Dan)

Oct 20, 2008, 11:28:31 PM
Chris Ilias wrote:
> On 10/20/08 7:04 PM, _Moz Champion (Dan)_ spoke thusly:
>> Chris Ilias wrote:
>>> On 10/19/08 3:37 PM, _Moz Champion (Dan)_ spoke thusly:
>>>> That's what the developers are doing in the next release of
>>>> Thunderbird.
>>>> They are taking the ability to turn on Javascript completely away.
>>>
>>> For clarification, JS is only *temporarily* disabled in Alpha 3 (or
>>> is it the next beta?), not any end-user release.
>>
>>
>> Income tax began as a 'temporary' measure in World War One
>>
>>
>> No word on when (or even IF) JS would be re-enabled.
>>
>>
>> So who are the devs 'protecting'? Alpha testers?
>
> Everyone is entitled to their own predictions; but you're passing on
> your predictions as fact, even though you were told that disabling JS
> was temporary.


If it is 'temporary' then

Give a time frame on when it will be re-enabled
Or
Give a version on which it will be re-enabled
Or
Give criteria as to when it will be re-enabled

So far, there has been no 'time frame', no version or not even criteria
as to when it would be enabled. Even such as "it would be re-enabled for
release versions" would be welcome. But there is nothing

The biggest problem (imho) is that the developers cannot (or won't?)
specify exactly WHY they are disabling it in the first place. Other than
some platitudes about it being 'dangerous' and they being 'risk
adverse'. They will not specify exactly WHAT factors they consider
'dangerous' so that when these factors are satisfied, this 'temporary'
measure could be undone.

Why, if it is so dangerous to have javascript in email, does SeaMonkey
come with a setting to enable it? Why is javascript NOT (even
temporarily) disabled in Firefox, or SeaMonkey, or IE, or Opera, or any
other product I am aware of?

If it is so 'dangerous' NOW, that it HAS to be disabled in an alpha
release (which by design is a 'limited' release) - then why is it STILL
enabled in current versions of Thunderbird, Firefox, SeaMonkey, et al.
Are current versions exempt from this 'danger'? or not?


»Q«

Oct 20, 2008, 11:22:55 PM
On Mon, 20 Oct 2008 19:04:43 -0400
"Moz Champion (Dan)" <moz.ch...@sympatico.ca> wrote:

> Chris Ilias wrote:
> > On 10/19/08 3:37 PM, _Moz Champion (Dan)_ spoke thusly:
> >> That's what the developers are doing in the next release of
> >> Thunderbird. They are taking the ability to turn on Javascript
> >> completely away.
> >
> > For clarification, JS is only *temporarily* disabled in Alpha 3 (or
> > is it the next beta?), not any end-user release.
>
> Income tax began as a 'temporary' measure in World War One

In the U.S., there was income tax before WWI, but it doesn't seem
relevant here.

> No word on when (or even IF) JS would be re-enabled.

Are there any bugs with guaranteed will-be-fixed-by dates?

> So who are the devs 'protecting'? Alpha testers?

Yup, alpha testers and nightly testers.

Moz Champion (Dan)

Oct 20, 2008, 11:50:44 PM


I find it strange that alpha and nightly testers require 'protection'
from these undetermined javascript threats but end users of current
versions of Thunderbird, Firefox, and SeaMonkey do not.

By definition, alpha and nightly versions are 'limited' releases, i.e.
they don't enjoy the popularity of release versions.
So the 100,000 or so (I made that up I have no idea how many alpha
testers there are) are more 'vulnerable' than the millions upon millions
of current users?

How 'effective' is an alpha test going to be, with a feature totally
disabled? Does it give a correct situation in which to 'test' or run the
software? Or will the entire thing have to be redone, once you do
re-enable JS? Any results from the alpha or nightly are, generally
speaking, dubious, simply because they will have to be redone if and
when JS is re-enabled.

What is the value of 'protecting' a limited set of alpha testers from
these 'oh so dangerous' javascript threats (which as of yet are still
unspecified) while not even warning the millions of users of the product
that they are vulnerable?

What is the value of 'protecting' these alpha testers from as yet
unpublished attacks, whilst leaving millions upon millions of users
completely open to them?

Ed Mullen

Oct 20, 2008, 11:52:53 PM

FUD. Fear, Uncertainty, and Doubt.

No way to run a business.

It's lonely at the top, but you eat better.

»Q«

Oct 21, 2008, 12:37:17 AM
On Mon, 20 Oct 2008 23:50:44 -0400

"Moz Champion (Dan)" <moz.ch...@sympatico.ca> wrote:

> »Q« wrote:
> > On Mon, 20 Oct 2008 19:04:43 -0400
> > "Moz Champion (Dan)" <moz.ch...@sympatico.ca> wrote:
> >
> >> Chris Ilias wrote:
> >>> On 10/19/08 3:37 PM, _Moz Champion (Dan)_ spoke thusly:
> >>>> That's what the developers are doing in the next release of
> >>>> Thunderbird. They are taking the ability to turn on Javascript
> >>>> completely away.
> >>> For clarification, JS is only *temporarily* disabled in Alpha 3
> >>> (or is it the next beta?), not any end-user release.
> >>
> >> Income tax began as a 'temporary' measure in World War One
> >
> > In the U.S., there was income tax before WWI, but it doesn't seem
> > relevant here.
> >
> >> No word on when (or even IF) JS would be re-enabled.
> >
> > Are there any bugs with guaranteed will-be-fixed-by dates?
> >
> >> So who are the devs 'protecting'? Alpha testers?
> >
> > Yup, alpha testers and nightly testers.
>
> I find it strange that alpha and nightly testers require 'protection'
> from these undetermined javascript threats but end users of current
> versions of Thunderbird, Firefox, and SeaMonkey do not.

I can't tell whether the bugs weren't known when the last versions of
Thunderbird and SeaMonkey were released, whether only the extent of
them wasn't known, or whether they just don't affect those versions;
it's not clear to me when the CAPS policies might have stopped working
correctly, and I don't understand the stuff about "quickstubbing" at
all.

AFAICT, Firefox isn't involved.

In any case, it's clear that there won't be any future releases without
the bugs fixed. What's not clear yet is whether they'll be fixed by
removing the "feature" or by making it work as it used to.

Chris Ilias

Oct 21, 2008, 2:44:19 AM
On 10/20/08 11:28 PM, _Moz Champion (Dan)_ spoke thusly:

How about I provide a link to the thread where you were told:
<http://groups.google.com/group/mozilla.dev.apps.thunderbird/browse_frm/thread/35cbc1db347e49c3>.

If you're going to report what devs are doing, back it up with facts,
not your speculation. Let everyone read the link, and let them draw
their own conclusions.

Ron Hunter

Oct 21, 2008, 3:46:54 AM
Ed Mullen wrote:
> Ron Hunter wrote:
>> BJ wrote:
>>> G. R. Woodring wrote:
>>>> The default should be on the side of safety and let the user decide
>>>> what level of automation to keep or disable.
>>> As long as, like you said, the user can . . . DECIDE. Some software
>>> doesn't present that option, like the GoogleUpdater, and the once
>>> buggy McAfee Site Advisor version 2.8 (see my previous post in this
>>> thread).
>>>
>> Well, I finally got around to telling Googleupdater it can't access the
>> internet. Also, I downloaded and installed a new version of Google
>> Chrome, and was appalled at the fact that it doesn't give ANY indication
>> that it has run, or done ANYTHING, but the program was updated. This is
>> totally unacceptable!
>
> The simple answer is to stop using the Google toolbar and Chrome.
>
I NEVER have used a Google toolbar, and it has been years since I even
tried ANY third-party toolbar. I don't really USE Chrome, but I keep it
updated so that I can compare features, and answer questions about it
from some minimal base of usage.
In any case, I DO use GoogleEarth, very often, and find it indispensable.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 21, 2008, 3:48:45 AM
Jay Garcia wrote:

> On 20.10.2008 02:58, Ron Hunter wrote:
>
> --- Original Message ---
>
>> Dennis wrote:
>>> Jay Garcia wrote:
>>>> On 19.10.2008 13:36, Phillip Jones, C.E.T. wrote:
>>>>
>>>> --- Original Message ---
>>>>
>>>>> G. R. Woodring wrote:
>>>>>> Date: 10/18/2008 3:29 PM, Author: Phillip Jones, C.E.T. Wrote:
>>>>>>> Terry R. wrote:
>>>>>>>> The date and time was 10/18/2008 8:57 AM, and on a whim, Phillip
>>>>>>>> Jones, C.E.T. pounded out on the keyboard:
>>>>>>>>
>>>>>>>>> Ron Hunter wrote:
>>>>>>>>>> Moz Champion (Dan) wrote:
My firewall handles spyware, but what does Kaspersky scan websites for,
and doesn't this entail some substantial delay? Or does it just have a
list it maintains of suspicious, or known malicious, sites?


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 21, 2008, 3:49:35 AM
> There's also a neat feature in the network monitor where you can
> terminate connections that a program has made to the internet, without
> terminating the actual internet connection. However, they removed this
> option from version 8 so I switched back to version 7. And the firewall
> is very easy to use and is the best I have seen.

My firewall includes this feature.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 21, 2008, 3:51:33 AM
Ed Mullen wrote:
> Ron Hunter wrote:
>> Moz Champion (Dan) wrote:
>>> Eitan Adler wrote:
>>>> Blinky the Shark wrote:
>>>>> Moz Champion (Dan) wrote:
>>>>>> Fear of possibilities. Stupidity
>>>>> Next time you cross the street, don't look both ways, since there's no
>>>>> *certainty* that you will be struck by a truck if you don't -- there's
>>>>> only a possibility, after all.
>>>>>
>>>>>
>>>> Basic security procedure: default deny. If a user wants to allow
>>>> something he should - but why enable JS by default when there is little
>>>> need for it ?
>>>
>>> That's what the developers are doing in the next release of Thunderbird.
>>> They are taking the ability to turn on Javascript completely away.
>>> This is not a 'default deny' - they are turning JS off in such a
>>> manner that even if a user wants to turn the ability back on, they
>>> can't. Period.
>>>
>>> So it's NOT a 'default deny' it is a COMPLETE and TOTAL elimination of
>>> the possibility.
>>>
>>> A 'default deny' would be much preferable to what the developers are
>>> planning.
>> I understand the objection, and feel that it is rather an olympian
>> decision, but I can't get very excited about doing away with a feature I
>> have never had turned on, and wouldn't use. I can only conclude that
>> they feel it is much too dangerous for the utility it adds, given that
>> most users never turn it on.
>>
>>
>
> If most users never turn it on, where's the threat/problem? The devs
> are over-reacting. And not very intelligently to boot.
>
Perhaps they are concerned that the program is getting too large, and
just want to cut out 'deadwood'. Since they don't feel compelled to
explain their choices, or to consult the userbase concerning those
choices, I guess we will never know.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 21, 2008, 3:54:16 AM
I am assuming that this happens when you are logged on NOT as an admin.
I would find that rather annoying, but maybe my 'annoyance threshold'
is lower than yours. Grin.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 21, 2008, 3:58:29 AM
Ed Mullen wrote:
> Moz Champion (Dan) wrote:
>> JM wrote:
>>> Moz Champion (Dan) wrote:
>>>> JM wrote:
>>>>> On 10/17/2008 5:42 PM, JM wrote:
>>>>>> On 10/17/2008 3:12 PM, Moz Champion (Dan) wrote:
>>>>>>> Eitan Adler wrote:
>>>>>>>> Moz Champion (Dan) wrote:
>>>>>>>>> Ron Hunter wrote:
>>>>>>>>>> Moz Champion (Dan) wrote:
>>>>>>>>> I know that, I've said as much dozens of times.
>>>>>>>>> But the developers seem, to me, to think that way.
>>>>>>>>>
>>>>>>>>> They are still unable to point to ANY javascript exploits in the
>>>>>>>>> wild
>>>>>>>>> that Thunderbird is susceptible to, yet they are disabling
>>>>>>>>> javascript.
>>>>>>>>> They are afraid of POSSIBILITIES, nothing concrete at all.
>>>>>>>> They disable it by default. That is good security practice.
>>>>>>>> about:config > javascript.allow.mailnews could enable it.
>>>>>>>>> FDR said it best... The only thing we have to fear is fear itself.
>>>>>>>
>>>>>>> You haven't heard the latest, have you?
>>>>>>>
>>>>>>> In the next version available for testing they are DISABLING it
>>>>>>> completely AND NOT providing a UI to turn it back on.
>>>>>> Yeah, I just installed Thunderbird 3 alpha 3 and saw that. They should
>>>>>> have left that option in there.
>>>>> Wait, no. I just looked at about:config and the
>>>>> javascript.allow.mailnews entry is in there. Did they say this
>>>>> option would get removed in the final thunderbird 3 release, or are
>>>>> they just removing the non-about:config option for enabling javascript?
>>>>>
>>>>>>> they 'promise' this will be a temporary feature - but so was
>>>>>>> income tax
>>>> the developers said that it would be disabled in the next release, at
>>>> a level where users COULD NOT turn it back on. They also said this
>>>> was a 'temporary' situation - but have not stated When they would
>>>> turn it back on.
>>> Does that mean that a non-user who is good on a computer could turn it
>>> on? Also, why are they disabling it? I've never needed javascript in
>>> my email, but I haven't seen a really good reason to get rid of it.
>>
>> yes, that means that NO ONE will be able to turn it back on. You would
>> have to hack the code to enable it.
>>
>> That's my question! Why the developers see a need to disable it
>> completely in Thunderbird, yet leave it enabled by default in Firefox.
>> They 'claim' it's because of 'yet to be done' threats and so forth.
>
> Even if they ultimately remove js from TB they can't possibly do it in
> FF: There are too many Web sites out there that depend (rightly or
> wrong-headedly) on js for full functionality.
>
A LOT of people seem to run NoScript, so I guess they manage. However,
on the websites I use, it would be a really painful process to approve
each and every use of javascript after installing such an extension,
which is why I haven't done so.
I am as concerned about security as most, but refuse to allow security
concerns to make using my computer a painful, or even unpleasant,
experience, just to prevent some mythical intrusion. I am sure this is
why most Mac users don't worry about viruses. Of course, if someone
ever does create a really ugly virus for the Mac, and distributes it,
the impact will be devastating.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 21, 2008, 4:03:11 AM
Phillip Jones, C.E.T. wrote:

> Jay Garcia wrote:
>> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>>
>> --- Original Message ---
>>
>>> On the Mac platform there is no such thing as an auto update, even for system
>>> software, which is covered under Software Update. You have to click on a
>>> check mark then click okay to start an update, and even then you have
>>> to use username and password before it will allow the install. This
>>> using user name and password to allow install even extends to xpi and
>>> Jar files for themes and extensions in Mozilla products. You have to
>>> allow the install. The Mac OS is not near as lax or relaxed in allowing
>>> installation.
>> Phillip, you're proving quite well that you don't know PC's and/or
>> Windows applications, etc. I have NEVER had to use a user/pass to
>> install a Jar, Extension or Theme in ANY browser/mail app that I use or
>> have used.
>>
> You mean to tell me you don't get the warning when installing an
> extension or theme in TB, SM, or FF that you are about to install unknown code
> which could damage your computer??
>
> I get it all the time when installing the likes of QuoteColors,
> UserAgent switcher, SkyPilot Classic, Toy Factory and others. I know
> they are okay so I click on them to Install.
>
> On system software, Software Update polls Apple to see if there are any
> new updates. If there are, I am presented with a list. I but click a
> check box beside what I want to install then must read and click okay
> after viewing a License screen and help screen. Then I have to type in
> my user name and password for my computer in order to start the install.
>
> All other applications or utilities from a .dmg or .pkg file have much
> the same screens. I must type in the user name and password of the computer before
> I can install anything.
>
> If you don't have to do this on any of your PC's then The Windows PC's
> indeed must be very lax in security.

Does the Mac OS still put up those messages if you are logged on as an
admin, or with admin privileges? If so, that would be rather annoying.
IF not, then it is a convenience to allow authorized persons to apply
updates. And the Windows OS allows many lax security things to happen.
It is not, by design, secure, but is moving toward that, with much
carping from users, to say the least.


--
Ron Hunter rphu...@charter.net

Ron Hunter

Oct 21, 2008, 4:10:54 AM
Chris Ilias wrote:
> On 10/20/08 7:04 PM, _Moz Champion (Dan)_ spoke thusly:
>> Chris Ilias wrote:
>>> On 10/19/08 3:37 PM, _Moz Champion (Dan)_ spoke thusly:
>>>> That's what the developers are doing in the next release of Thunderbird.
>>>> They are taking the ability to turn on Javascript completely away.
>>> For clarification, JS is only *temporarily* disabled in Alpha 3 (or is
>>> it the next beta?), not any end-user release.
>>
>> Income tax began as a 'temporary' measure in World War One
>>
>>
>> No word on when (or even IF) JS would be re-enabled.
>>
>>
>> So who are the devs 'protecting'? Alpha testers?
>
> Everyone is entitled to their own predictions; but you're passing on
> your predictions as fact, even though you were told that disabling JS
> was temporary.

"Temporary" is a very nebulous term. In 1964 I lived in 'temporary'
barracks that had been built in 1947. Just how long is the TB devs
'temporary'? Do even the devs know? Not that I care one whit whether
or not JS is enabled in TB3, as I never allow it in email, and wouldn't
consider allowing it in newsgroups on a bet. I also don't use RSS,
either in TB OR FF, so that is a non-issue here.
Still, 'temporary' doesn't mean a thing, and most of us understand that.


--
Ron Hunter rphu...@charter.net
