http://ha.ckers.org/blog/20081007/clickjacking-details/
--
*IMPORTANT*: Sorry folks, but I cannot provide email
help!!!! Emails to me may become public
Notice: This posting is protected under the Free Speech
Laws, which applies everywhere in the FREE world,
except for some strange reason, not to the mozilla.org
newsgroup servers, where your posting may get you banned.
Peter Potamus & His Magic Flying Balloon:
http://melaman2.com/cartoons/singles/mp3/p-potamus.mp3
http://www.toonopedia.com/potamus.htm
Stupidity if you ask me. Read the entries, it can be done without
Javascript as well. So what do the devs want to do about Firefox, shut
it down? Firefox is just as vulnerable to javascript exploits as
Thunderbird (if not more so), but it will be enabled in Firefox and
disabled (so a user can't turn it on even if they wish) in Thunderbird.
Heck, you can get a virus in email via Thunderbird, the devs going to
turn that capability off as well?
Fear of possibilities. Stupidity
Actually, you can't get a virus, at least any currently known, in TB
just by reading/displaying, an email. If you should be so unwise as to
actually execute an attachment, yes, you could get a virus, but TB does
what it can to make this difficult, and to warn you.
As for javascript, some go so far as to turn it off in Firefox. I have
had it turned off in email/news since someone put it IN there in the
first place because I see no rational use for it in the email/news
environment.
--
Ron Hunter rphu...@charter.net
I know that, I've said as much dozens of times.
But the developers seem, to me, to think that way.
They are still unable to point to ANY javascript exploits in the wild
that Thunderbird is susceptible to, yet they are disabling javascript.
They are afraid of POSSIBILITIES, nothing concrete at all.
FDR said it best... The only thing we have to fear is fear itself.
You haven't heard the latest, have you?
In the next version available for testing they are DISABLING it
completely AND NOT providing a UI to turn it back on.
They 'promise' this will be a temporary feature - but so was income tax.
Wait, no. I just looked at about:config and the
javascript.allow.mailnews entry is in there. Did they say this option
would get removed in the final thunderbird 3 release, or are they just
removing the non-about:config option for enabling javascript?
Between the extremes of caution and blissful ignorance, there is some
comfort point, which will be different for everyone. I choose to run
some risks, if they entail compensatory advantages, while avoiding others.
--
Ron Hunter rphu...@charter.net
--- Original Message ---
And if you should happen to see Chicken Little wearing a helmet, watch
out!! :-)
--
Jay Garcia - Netscape/Flock Champion
www.ufaq.org
Netscape - Flock - Firefox - Thunderbird - Seamonkey Support
If you're on a standard computer (PC), if you download an executable file,
the way PCs are set up, they automatically open as soon as you download them.
But on Macintosh computers, they neither accept nor use ActiveX
controls, nor executable files. So it is impossible for Macs to get viruses,
worms or Trojans through .exe or ActiveX. Plus we have the extra
protection of the FreeBSD UNIX code underneath.
I am never going to say Macs are or will be forever immune. As soon as we
get a 50/50 share then there will be such for us as well. But because
we have a lower user base, most malware writers ignore Macs. They don't
get as good a thrill as throwing the entire world's governments in a panic.
--
------------------------------------------------------------------------
Phillip M. Jones, CET |MEMBER:VPEA (LIFE) ETA-I, NESDA,ISCET, Sterling
616 Liberty Street |Who's Who. PHONE:276-632-5045, FAX:276-632-0868
Martinsville Va 24112 |pjo...@kimbanet.com, ICQ11269732, AIM pjonescet
------------------------------------------------------------------------
If it's "fixed", don't "break it"!
mailto:pjo...@kimbanet.com
<http://www.kimbanet.com/~pjones/default.htm>
<http://www.kimbanet.com/~pjones/90th_Birthday/index.htm>
<http://www.kimbanet.com/~pjones/Fulcher/default.html>
<http://www.kimbanet.com/~pjones/Harris/default.htm>
<http://www.kimbanet.com/~pjones/Jones/default.htm>
Once again Phillip, you're out of touch. This is NOT what happens on a PC.
> But on Macintosh computers, they neither accept nor use ActiveX
> controls, nor executable files. So it is impossible for Macs to get viruses,
> worms or Trojans through .exe or ActiveX. Plus we have the extra
> protection of the FreeBSD UNIX code underneath.
>
It's not impossible to contract a virus/malware on a Mac, just not
through the two you mentioned. If it was impossible, Apple wouldn't be
patching its software at all. What was the last one, over twenty?
> I am never going to say Macs are or will be forever immune. As soon as we
> get a 50/50 share then there will be such for us as well. But because
> we have a lower user base, most malware writers ignore Macs. They don't
> get as good a thrill as throwing the entire world's governments in a panic.
>
As much as you'd like to think Mac's are perfect, they aren't. There
isn't a perfect computer or OS. Trust me, I work on enough Mac's to see
the flaws, especially when networked on domains. I don't have any ills
towards Mac's, I just don't think Mac users should get this false
impression that their computer is better than another.
--
Terry R.
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.
On OS X you can configure Software Update to see if there are system
updates. But even if any are found, when Software Update opens it just
lists the items, unless you check items to install then choose Install.
You can also choose to download only, and you can choose a later time to
install.
And until the item is actually downloaded and the install begins you
can still cancel the install.
Do PCs now have that ability?
Next time you cross the street, don't look both ways, since there's no
*certainty* that you will be struck by a truck if you don't -- there's
only a possibility, after all.
--
Blinky
Killing all posts from Google Groups
The Usenet Improvement Project: http://improve-usenet.org
Need a new news feed? http://blinkynet.net/comp/newfeed.html
I have always had the ability to specify how Windows Updates happen.
You can disable it, choose to be notified first, or allow it to
automatically update. Same with application software.
The problem is with apps writers. They assume users are idiots and
enable auto updates by default. It's the first thing I change when I
install a new app.
What runs on any of my Windows systems does what I want it to do, how I
want it to happen.
--
Ed Mullen
http://edmullen.net
A politician is a man who approaches every problem with an open mouth. -
Adlai Stevenson
> The problem is with apps writers. They assume users are idiots
That sounds like a recent discussion within the TB dev
ng. They assumed the users are stupid, even though they
tried to deny it.
--- Original Message ---
Yes, things have changed drastically since the Vic-20 was released. :-)
> On OS X you can configure Software Update to see if there are system
> updates. But even if any are found, when Software Update opens it just
> lists the items, unless you check items to install then choose Install.
> You can also choose to download only, and you can choose a later time to
> install.
>
> And until the item is actually downloaded and the install begins you
> can still cancel the install.
>
> Do PCs now have that ability?
>
--
I believe Google does some automatic updating, no matter HOW many times
I turn off Googleupdate, and delete the darn thing! My firewall warns
me, and one of these days I am going to tell it NO, permanently, but
then Google will probably punish me....
Oh No! I think I hear the black helicopters!
--
Ron Hunter rphu...@charter.net
What is that?
Who said it should be on by default? It never has been on by default,
even back in the days of Communicator. But there has always been a
preference to allow it if the user so desires. Now there is a distinct
possibility it will be ripped out of Thunderbird, and it will affect
SeaMonkey as well, because SM uses the same setup for mail and news as
Thunderbird.
There is a difference between being educated to design code and those
using applications. Neither is stupid. In my time I expect I knew how to
fix a computer better than any software developer. I've been retired so
long I'd be afraid to try. I knew/know electronics. But I'd hate to see
myself attempt to rebuild a car engine, or an auto mechanic attempt to
repair a power supply in a computer.
Neither is stupid; they just have different types of education.
I have, though, seen, when I worked in a school system, people that had
Ph.D.s and knew the subject they got the Ph.D. in very well, but
otherwise had difficulty chewing gum and walking at the same time. They
had education sense, but no common sense. Then again, I've also seen
Ph.D.s that had both and did wear their education on their sleeve. They
just used it as needed.
Glad to hear of the improvements.
The developers said that it would be disabled in the next release, at a
level where users COULD NOT turn it back on. They also said this was a
'temporary' situation - but have not stated when they would turn it back on.
But the devs aren't (in the case of javascript) asking you to look
both ways, they are BANNING crossing the street!
Yep. two ways of fixing things, let the user decide for themselves, or
impose a situation by the developers which REMOVES all user choice.
I am not talking about taking precautions, I am talking about complete
REMOVAL of a capability because it COULD BE dangerous.
To use YOUR allegory
The Devs ARE banning crossing the street, completely, even if you wanted
to, because it MIGHT be dangerous. Although there has never been a truck
down that road previously.
A User doesn't have a choice at all. No matter how careful they are, how
many precautions they take (or don't) the developers, in their infinite
wisdom, have completely taken the ability to cross the street away.
What are they going to do about this 'clickjacking'? Ban mouse clicks?
After all, it COULD be dangerous, so the user can't be allowed to decide
if what they want to do is worth the risk, so the developers will take
that ability away from them completely.
Looking both ways before you cross the street, can remove a LOT of the
danger from errant trucks, but it never does completely eliminate it.
There is always the possibility that you could get hit by a truck. The
question is NOT do you look both ways, but (as the devs seem to see it)
can you be ALLOWED to cross the road in any case!
That's the difference. Heck, turning OFF javascript completely (so a
user cannot re-enable it) is like saying that since downloads CAN be
dangerous, you won't be able to do it in Thunderbird anymore. No more
of this 'asking' every time you want to download an .exe file or such,
the program won't let you download anything at all!
That's what the developers are doing in the next release of Thunderbird.
They are taking the ability to turn on Javascript completely away.
This is not a 'default deny' - they are turning JS off in such a manner
that even if a user wants to turn the ability back on, they can't. Period.
So it's NOT a 'default deny' it is a COMPLETE and TOTAL elimination of
the possibility.
A 'default deny' would be much preferable to what the developers are
planning.
--- Original Message ---
Been running Windows here since the very first release and related
applications. Nothing here auto-updates by itself, NEVER! The only thing
here that auto-updates is Kaspersky AV and that is because I chose it
that way.
--- Original Message ---
>> Yes, things have changed drastically since the Vic-20 was released. :-)
>
> What is that?
That was a computer that preceded the Commodore-64. And I had a PET
before that.
--- Original Message ---
> On the Mac platform there is no such thing as an auto update, even for system
> software, which is covered under Software Update. You have to click on a
> check mark then click okay to start an update, and even then you have
> to use a username and password before it will allow the install. This
> use of a user name and password to allow an install even extends to xpi and
> jar files for themes and extensions in Mozilla products; you have to
> allow the install. The Mac OS is not nearly as lax or relaxed in allowing
> installation.
Phillip, you're proving quite well that you don't know PC's and/or
Windows applications, etc. I have NEVER had to use a user/pass to
install a Jar, Extension or Theme in ANY browser/mail app that I use or
have used.
> They assume users are idiots and enable auto updates by default.
No doubt that's part of the reason these guys build in auto updates.
But I think another reason, just as stupid, BTW, is a marketing ploy. I
mean, those novice users think that auto-updating is pretty slick, hence
they think the software design is "secure" (when it's actually just the
opposite).
As an example, I would point to all the hype that Microsoft puts out
about the autoupdate feature. They even "recommend" it. And when a
novice sees "recommended" by a 500 pound gorilla, they think that "must"
be the way to go.
I have those Windoze updates set to notify only, and then I look on a
few forums for news that the update is buggy (and there have been a
few), and I wait until MS comes out with a stable revision.
Don't misunderstand . . . I DO think that Windoze needs security patches
(obviously). Zero-day exploits aside (and they are arguable anyway),
there's nothing wrong with waiting a few days . . . and you can reduce
the risk by keeping to Best Security Practices.
> What runs on any of my Windows systems does what I want it to do, how I
> want it to happen.
Me too. The McAfee Site advisor version 2.8 was a good example of a
major vendor NOT allowing users that option. When it first came out a
few months ago (I think they've fixed it now), McAfee had the update
pushing out stealthily, WITHOUT the user's knowledge . . . until you
noticed that the SA icon was not in the usual spot and checked the
version . . . and found out that you had been upgraded.
The previous version was 2.6. For users that then went back to 2.6
(which was a lot more stable and didn't take up so much screen real
estate with an entire toolbar for the icon only), the 2.8 upgrade got
pushed out again all over. The only way to stop that infuriating
nonsense was with a HIPS.
Anyway, a reputed vendor (McAfee) was using spyware tactics (installing
without user "authorization") as far as I'm concerned. I was using SA
until then, but I got so infuriated with that tactic that I switched to WOT.
Like you, I don't like things doing stuff "automagically".
Since this has gotten WAY off topic from clickjacking, I've titled it so.
--
BJ
Anti-spam measures are included in my email address.
Delete all the NOSPAMs from the email address after clicking Reply.
As long as, like you said, the user can . . . DECIDE. Some software
doesn't present that option, like the GoogleUpdater, and the once buggy
McAfee Site Advisor version 2.8 (see my previous post in this thread).
> Next time you cross the street, don't look both ways, since there's no
> *certainty* that you will be struck by a truck if you don't -- there's
> only a possibility, after all.
I think the guy was talking about the PROBABILITY of an infection occurring.
While the PROBABILITY of getting hit by a truck is high if you don't
look both ways, I don't think the probability of getting an infection is
as high (though certainly there's still a risk) in the circumstances
that he described.
BTW . . . OT here . . . I've been wondering how to get ahold of you via
email. I went to your web page and saw your description of the
Northridge Earthquake of 1994 and also your discussion of the Arizona
Memorial, and those are two things we have very much in common. But I
didn't see an email contact for you there . . . and here on the NG it's
not valid, of course, and I didn't want to post "Hey Blinky, How do I .
. .?" here, so if you have the inclination email me at rbjamieATgmailDOTcom.
> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>
> --- Original Message ---
>
>> On the Mac platform there is no such thing as an auto update, even for system
>> software, which is covered under Software Update. You have to click on a
>> check mark then click okay to start an update, and even then you have
>> to use a username and password before it will allow the install. This
>> use of a user name and password to allow an install even extends to xpi and
>> jar files for themes and extensions in Mozilla products; you have to
>> allow the install. The Mac OS is not nearly as lax or relaxed in allowing
>> installation.
>
> Phillip, you're proving quite well that you don't know PC's and/or
> Windows applications, etc. I have NEVER had to use a user/pass to
> install a Jar, Extension or Theme in ANY browser/mail app that I use or
> have used.
>
He was referring to Mac's... ;-)
--
Terry R.
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.
Kaspersky doesn't appear to have a free version, I don't do 30 day
trial versions. I have never purchased anti-virus software. I don't
need nor use anti-virus software but some of my friends and relatives
do. I used to use Grisoft AVG, the free version, for them but now use
the free version of AVAST. None of my friends or relatives have ever
been infected when either Grisoft AVG or AVAST was installed.
Dennis
--- Original Message ---
> The date and time was 10/19/2008 1:00 PM, and on a whim, Jay Garcia
> pounded out on the keyboard:
>
>> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>>
>> --- Original Message ---
>>
>>> On the Mac platform there is no such thing as an auto update, even for system
>>> software, which is covered under Software Update. You have to click on a
>>> check mark then click okay to start an update, and even then you have
>>> to use a username and password before it will allow the install. This
>>> use of a user name and password to allow an install even extends to xpi and
>>> jar files for themes and extensions in Mozilla products; you have to
>>> allow the install. The Mac OS is not nearly as lax or relaxed in allowing
>>> installation.
>>
>> Phillip, you're proving quite well that you don't know PC's and/or
>> Windows applications, etc. I have NEVER had to use a user/pass to
>> install a Jar, Extension or Theme in ANY browser/mail app that I use or
>> have used.
>>
>
> He was referring to Mac's... ;-)
>
Hmm, ok, then he doesn't know those either then. My brother, a licensed
Apple developer said so .. :-)
--- Original Message ---
Being a support oriented giver/user, I believe in paying for tech
support for such important things as an AV application. FREE versions
are worth what you pay for 'em ... for some apps, not all.
Yes, that means that NO ONE will be able to turn it back on. You would
have to hack the code to enable it.
That's my question! Why the developers see a need to disable it
completely in Thunderbird, yet leave it enabled by default in Firefox.
They 'claim' it's because of 'yet to be done' threats and so forth.
I allow my firewall program to update automatically, but it notifies me
that it had done so, and that is ONLY the parameter files, not the
actual program modules. MS Update I allow to download, but NOT to
update. I refuse to allow my computers to be rebooted without my
permission.
--
Ron Hunter rphu...@charter.net
I don't use an AV program. My firewall provides basic protection
against viruses via attachments, and I, and my wife, are very cautious
about what we open. After paying for Norton for about 3 years, while it
found not one virus, I ditched it. The best AV program is that 3 pounds
of neural tissue in your head.
--
Ron Hunter rphu...@charter.net
I understand the objection, and feel that it is rather an olympian
decision, but I can't get very excited about doing away with a feature I
have never had turned on, and wouldn't use. I can only conclude that
they feel it is much too dangerous for the utility it adds, given that
most users never turn it on.
--
Ron Hunter rphu...@charter.net
--- Original Message ---
The decision was made to disable it for testing other modules in the
beta. The decision to DISable it permanently has not been made.
--- Original Message ---
Kaspersky does a lot more than just email, it scans web sites prior to
opening as well, also does spyware too.
> On 19.10.2008 16:23, Terry R. wrote:
>
> --- Original Message ---
>
>> The date and time was 10/19/2008 1:00 PM, and on a whim, Jay Garcia
>> pounded out on the keyboard:
>>
>>> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>>>
>>> --- Original Message ---
>>>
>>>> On the Mac platform there is no such thing as an auto update, even for system
>>>> software, which is covered under Software Update. You have to click on a
>>>> check mark then click okay to start an update, and even then you have
>>>> to use a username and password before it will allow the install. This
>>>> use of a user name and password to allow an install even extends to xpi and
>>>> jar files for themes and extensions in Mozilla products; you have to
>>>> allow the install. The Mac OS is not nearly as lax or relaxed in allowing
>>>> installation.
>>> Phillip, you're proving quite well that you don't know PC's and/or
>>> Windows applications, etc. I have NEVER had to use a user/pass to
>>> install a Jar, Extension or Theme in ANY browser/mail app that I use or
>>> have used.
>>>
>> He was referring to Mac's... ;-)
>>
>
> Hmm, ok, then he doesn't know those either then. My brother, a licensed
> Apple developer said so .. :-)
>
I don't know, whenever I install anything on a Mac, the process Phillip
describes is what I have to do. You can't install anything without
entering a user/password of someone with Admin rights. He may be a dev,
but I think he may have misunderstood what you were describing. Similar
to what MS tried to do with Vista...
Even if they ultimately remove js from TB they can't possibly do it in
FF: There are too many Web sites out there that depend (rightly or
wrong-headedly) on js for full functionality.
--
Ed Mullen
http://edmullen.net
A musicologist is a man who can read music but can't hear it. - Sir
Thomas Beecham (1879 - 1961)
The simple answer is to stop using the Google toolbar and Chrome.
--
Ed Mullen
http://edmullen.net
I was on a chat last night and I thought: "I must have Asperger's or I
wouldn't be sitting here arguing with a monitor!"
If most users never turn it on, where's the threat/problem? The devs
are over-reacting. And not very intelligently to boot.
--
Ed Mullen
http://edmullen.net
Violence is the last refuge of the incompetent. - Isaac Asimov
> On 19.10.2008 18:37, CET - what odd quirk of fate caused G. R. Woodring
> to generate the following:? :
>> Date: 10/19/2008 12:03 PM, Author: JM Wrote:
>>
>>> On 10/19/2008 8:01 AM, Jay Garcia wrote:
>>>
>>>> On 18.10.2008 14:29, Phillip Jones, C.E.T. wrote:
>>>>
>>>> --- Original Message ---
>>>>
>>>>
>>>>> Terry R. wrote:
>>>>>
>>>>>> The date and time was 10/18/2008 8:57 AM, and on a whim, Phillip Jones,
>>>>>> C.E.T. pounded out on the keyboard:
>>>>>>
>>>>>>
>>>>>>> Ron Hunter wrote:
>>>>>>>
>>>>>>>> Moz Champion (Dan) wrote:
>>>>>>>>
>>>>>>>>> Peter Potamus the Purple Hippo wrote:
>>>>>>>>>
>>>>>>>>>> some interesting stuff. I supposed things like this 'could'
>>>>>>>>>> happen within email, too; therefore, this is one reason why the
>>>>>>>>>> devs want to turn off javascript.
>>>>>>>>>>
>>>>>>>>>> http://ha.ckers.org/blog/20081007/clickjacking-details/
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Stupidity if you ask me. Read the entries, it can be done without
>>>>>>>>> Javascript as well. So what do the devs want to do about Firefox,
>>>>>>>>> shut it down? Firefox is just as vulnerable to javascript exploits
>>>>>>>>> as Thunderbird (if not more so), but it will be enabled in Firefox
>>>>>>>>> and disabled (so a user can't turn it on even if they wish) in
>>>>>>>>> Thunderbird.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Heck, you can get a virus in email via Thunderbird, the devs going
>>>>>>>>> to turn that capability off as well?
>>>>>>>>>
>>>>>>>>> Fear of possibilities. Stupidity
>>>>>>>>>
>>>>>>>> Actually, you can't get a virus, at least any currently known, in TB
>>>>>>>> just by reading/displaying, an email. If you should be so unwise as
>>>>>>>> to actually execute an attachment, yes, you could get a virus, but TB
>>>>>>>> does what it can to make this difficult, and to warn you.
>>>>>>>> As for javascript, some go so far as to turn it off in Firefox. I
>>>>>>>> have had it turned off in email/news since someone put it IN there in
>>>>>>>> the first place because I see no rational use for it in the
>>>>>>>> email/news environment.
>>>>>>>>
>>>>>>>>
>>>> Yes, things have changed drastically since the Vic-20 was released. :-)
>>>>
>>> What is that?
>>>
>>>
>> Think Commodore 64, TRS-80, TI-99, Atari 5600; in other words from the days when
>> the IBM PC-Jr was the ultimate in home/small business systems :-)
>>
>
> and..... those were the days when a programmer (now politely called a
> "dev") lost his job if his code brought up a "Fatal error - Application
> terminated"
>
> "Division by Zero" was the worst one in my trade (survey - mathematics)
> Now-a-days they simply say "User error - please file a Bug-Report"
>
> reg
>
> <<snipped>>
>
Ah, "Divide by zero". I remember that one. That explained a lot,
didn't it?
--- Original Message ---
KAV is only on version 6.0 something and has no network monitor that I
know of.
--- Original Message ---
He's the only one that ever uses it so I guess that's why, dunno.
--- Original Message ---
> On 19.10.2008 18:37, CET - what odd quirk of fate caused G. R. Woodring
> to generate the following:? :
>> Date: 10/19/2008 12:03 PM, Author: JM Wrote:
>>
>>> On 10/19/2008 8:01 AM, Jay Garcia wrote:
>>>
>>>> On 18.10.2008 14:29, Phillip Jones, C.E.T. wrote:
>>>>
>>>> --- Original Message ---
>>>>
>>>>
>>>> Yes, things have changed drastically since the Vic-20 was released. :-)
>>>>
>>> What is that?
>>>
>>>
>>
>> Think Commodore 64, TRS-80, TI-99, Atari 5600; in other words from the days when
>> the IBM PC-Jr was the ultimate in home/small business systems :-)
>>
>
> and..... those were the days when a programmer (now politely called a
> "dev") lost his job if his code brought up a "Fatal error - Application
> terminated"
>
> "Division by Zero" was the worst one in my trade (survey - mathematics)
> Now-a-days they simply say "User error - please file a Bug-Report"
>
> reg
>
> <<snipped>>
>
A programmer is a developer but a developer is not necessarily a
programmer ... me for instance, I had a hand in developing TheBat but
never programmed a single line.
I get it all the time when installing the likes of QuoteColors,
UserAgent switcher, SkyPilot Classic, Toy Factory and others. I know
they are okay so I click on them to Install.
For system software, Software Update polls Apple to see if there are any
new updates. If there are, I am presented with a list. I click a
check box beside what I want to install, then must read and click okay
after viewing a license screen and help screen. Then I have to type in
my user name and password for my computer in order to start the install.
All other applications or utilities from a .dmg or .pkg file have much
the same screens; I must type in the user name and password of the computer before
I can install anything.
If you don't have to do this on any of your PCs then the Windows PCs
indeed must be very lax in security.
--
------------------------------------------------------------------------
Phillip M. Jones, CET |MEMBER:VPEA (LIFE) ETA-I, NESDA,ISCET, Sterling
616 Liberty Street |Who's Who. PHONE:276-632-5045, FAX:276-632-0868
Martinsville Va 24112 |pjo...@kimbanet.com, ICQ11269732, AIM pjonescet
------------------------------------------------------------------------
Everything is warned against. It makes the user take responsibility for
screwing up his or her computer, instead of unknowingly doing so.
That would be the only way I'd upgrade to TB3 (or SM2 down the road) if
it was removed.
To me, the way you PC people appear to make it sound, it's as if you're going down
a steep hill in a heavy truck and the truck company left the foot brakes
off at the manufacturing plant. But you might have a cable-operated
emergency brake.
I like it better this way. It only adds maybe an extra 5 seconds total to
the install process.
I've always turned it on even back to the days Netscape 3 and
Communicator 4. Never had any problems with it.
...If 'Everything' is warned against, the user gets programmed to always
enter username and password. After all, practice makes proficient.
Then something nefarious comes along and user goes into admin mode,
enters username and password, and blamo.
In reality, no safer than clicking on OK.
An example, I deloused a friend's PC and had a devil of a time with a
browser hijack. elitebar, iirc.
After trying everything I knew to blast it off the system, I gave up and
rtfm for the hijack. The removal instructions were honest, legit, and
simple.
Go to add and remove programs and uninstall it.
So I did that.
The ubiquitous /Are you sure you don't want to remove this program/ pop
up popped up, I hit yes, restarted, and the damn hijack was still there...
Sneaky bastids!
Not true. I am only asked for Username and Password for that install at
the system level. Installs on the user level don't require username and
password providing the user has administrative rights.
--
Larry I. Gusaas
Moose Jaw, Saskatchewan Canada
Website: http://larry-gusaas.com
"An artist is never ahead of his time but most people are far behind theirs." - Edgard Varese
For clarification, JS is only *temporarily* disabled in Alpha 3 (or is
it the next beta?), not any end-user release.
--
Chris Ilias <http://ilias.ca>
List-owner: support-firefox, support-thunderbird, test-multimedia
--- Original Message ---
> Jay Garcia wrote:
>> On 19.10.2008 13:19, Phillip Jones, C.E.T. wrote:
>>
>> --- Original Message ---
> You mean to tell me you don't get the warning when installing an
> extension or theme in TB, SM, or FF: you are about to install unknown code
> which could damage your computer??
A warning is a lot different than having to enter a user/pass. Yes, I
get warnings.
Income tax began as a 'temporary' measure in World War One
No word on when (or even IF) JS would be re-enabled.
So who are the devs 'protecting'? Alpha testers?
The assumption at the time that it was disabled, was that the next release would be a Beta release.
Some "cold feet" resulted in downgrading the release to another Alpha.
You can read where all this started here:
https://bugzilla.mozilla.org/show_bug.cgi?id=453928
David Ascher immediately filed this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=453943
You might notice that the bottom line was that the prefs to allow/disallow might be ignored, as well as the added CAPS restrictions that were added to mailnews years ago.
BZ (the current security czar) really wasn't sure that those added CAPS prefs were even relevant today.
Well, if the prefs could be ignored, then fix that. *Make the prefs stick*
I have noted that certain CAPS restrictions have been added recently, in a security bug which isn't viewable by the masses. These seem to be oriented to added prohibitions that would make RSS feeds "safer".
So that re-evaluation of JS seems to be in progress, and my guess would be that the final outcome will be that JS will work in RSS feeds, maybe in newsgroups, and probably not at all in email.
--
Joe
Everyone is entitled to their own predictions; but you're passing on
your predictions as fact, even though you were told that disabling JS
was temporary.
Fascinating. Phillip, while that may be the way the Mac OS works for
you, and maybe out of the box, can it be configured so that one doesn't
have to jump through those hoops? It would annoy the crap out of me. It
would be enough for me to abandon the OS.
And, by the way, your statements about how Windows works (and has
worked) indicate you don't know it in depth enough to talk
authoritatively about it.
--
Ed Mullen
http://edmullen.net
Fear has its use but cowardice has none. - Mohandas Gandhi
If it is 'temporary' then
Give a time frame on when it will be re-enabled
Or
Give a version on which it will be re-enabled
Or
Give criteria as to when it will be re-enabled
So far, there has been no 'time frame', no version or not even criteria
as to when it would be enabled. Even such as "it would be re-enabled for
release versions" would be welcome. But there is nothing.
The biggest problem (imho) is that the developers cannot (or won't?)
specify exactly WHY they are disabling it in the first place. Other than
some platitudes about it being 'dangerous' and they being 'risk
averse'. They will not specify exactly WHAT factors they consider
'dangerous' so that when these factors are satisfied, this 'temporary'
measure could be undone.
Why, if it is so dangerous to have javascript in email, does SeaMonkey
come with a setting to enable it? Why is javascript NOT (even
temporarily) disabled in Firefox, or SeaMonkey, or IE, or Opera, or any
other product I am aware of?
If it is so 'dangerous' NOW, that it HAS to be disabled in an alpha
release (which by design is a 'limited' release) - then why is it STILL
enabled in current versions of Thunderbird, Firefox, SeaMonkey, et al.
Are current versions exempt from this 'danger'? or not?
> Chris Ilias wrote:
> > On 10/19/08 3:37 PM, _Moz Champion (Dan)_ spoke thusly:
> >> That's what the developers are doing in the next release of
> >> Thunderbird. They are taking the ability to turn on Javascript
> >> completely away.
> >
> > For clarification, JS is only *temporarily* disabled in Alpha 3 (or
> > is it the next beta?), not any end-user release.
>
> Income tax began as a 'temporary' measure in World War One
In the U.S., there was income tax before WWI, but it doesn't seem
relevant here.
> No word on when (or even IF) JS would be re-enabled.
Are there any bugs with guaranteed will-be-fixed-by dates?
> So who are the devs 'protecting'? Alpha testers?
Yup, alpha testers and nightly testers.
I find it strange that alpha and nightly testers require 'protection'
from these undetermined javascript threats but end users of current
versions of Thunderbird, Firefox, and SeaMonkey do not.
By definition, alpha and nightly versions are 'limited' releases, i.e.
they don't enjoy the popularity of release versions.
So the 100,000 or so (I made that up; I have no idea how many alpha
testers there are) are more 'vulnerable' than the millions upon millions
of current users?
How 'effective' is an alpha test going to be, with a feature totally
disabled? Does it give a correct situation in which to 'test' or run the
software? Or will the entire thing have to be redone, once you do
re-enable JS? Any results from the alpha or nightly are, generally
speaking, dubious, simply because they will have to be redone if and
when JS is re-enabled.
What is the value of 'protecting' a limited set of alpha testers from
these 'oh so dangerous' javascript threats (which as of yet are still
unspecified) while not even warning the millions of users of the product
that they are vulnerable?
What is the value of 'protecting' these alpha testers from as yet
unpublished attacks, whilst leaving millions upon millions of users
completely open to them?
FUD. Fear, Uncertainty, and Doubt.
No way to run a business.
--
Ed Mullen
http://edmullen.net
It's lonely at the top, but you eat better.
> »Q« wrote:
> > On Mon, 20 Oct 2008 19:04:43 -0400
> > "Moz Champion (Dan)" <moz.ch...@sympatico.ca> wrote:
> >
> >> Chris Ilias wrote:
> >>> On 10/19/08 3:37 PM, _Moz Champion (Dan)_ spoke thusly:
> >>>> That's what the developers are doing in the next release of
> >>>> Thunderbird. They are taking the ability to turn on Javascript
> >>>> completely away.
> >>> For clarification, JS is only *temporarily* disabled in Alpha 3
> >>> (or is it the next beta?), not any end-user release.
> >>
> >> Income tax began as a 'temporary' measure in World War One
> >
> > In the U.S., there was income tax before WWI, but it doesn't seem
> > relevant here.
> >
> >> No word on when (or even IF) JS would be re-enabled.
> >
> > Are there any bugs with guaranteed will-be-fixed-by dates?
> >
> >> So who are the devs 'protecting'? Alpha testers?
> >
> > Yup, alpha testers and nightly testers.
>
> I find it strange that alpha and nightly testers require 'protection'
> from these undetermined javascript threats but end users of current
> versions of Thunderbird, Firefox, and SeaMonkey do not.
I can't tell whether the bugs weren't known when the last versions of
Thunderbird and SeaMonkey were released, whether only the extent of
them wasn't known, or whether they just don't affect those versions;
it's not clear to me when the CAPS policies might have stopped working
correctly, and I don't understand the stuff about "quickstubbing" at
all.
AFAICT, Firefox isn't involved.
In any case, it's clear that there won't be any future releases without
the bugs fixed. What's not clear yet is whether they'll be fixed by
removing the "feature" or by making it work as it used to.
How about I provide a link to the thread where you were told:
<http://groups.google.com/group/mozilla.dev.apps.thunderbird/browse_frm/thread/35cbc1db347e49c3>.
If you're going to report what devs are doing, back it up with facts,
not your speculation. Let everyone read the link, and let them draw
their own conclusions.
My firewall includes this feature.
--
Ron Hunter rphu...@charter.net
Does the Mac OS still put up those messages if you are logged on as an
admin, or with admin privileges? If so, that would be rather annoying.
If not, then it is a convenience to allow authorized persons to apply
updates. And the Windows OS allows many lax security things to happen.
It is not, by design, secure, but is moving toward that, with much
carping from users, to say the least.
--
Ron Hunter rphu...@charter.net
"Temporary" is a very nebulous term. In 1964 I lived in 'temporary'
barracks that had been built in 1947. Just how long is the TB devs'
'temporary'? Do even the devs know? Not that I care one whit whether
or not JS is enabled in TB3, as I never allow it in email, and wouldn't
consider allowing it in newsgroups on a bet. I also don't use RSS,
either in TB OR FF, so that is a non-issue here.
Still, 'temporary' doesn't mean a thing, and most of us understand that.
--
Ron Hunter rphu...@charter.net