Summary:

From a total of five responses and the conversation prompting this survey, these were the totals and their splits:

Three direct replies, one inferred from a previous conversation on the matter, and another from a local company deep into the e-commerce movement all block and/or do not use active content. <total 5>

One reply was interesting, only allowing java and java-script. And, due to the fact that most threats are directed towards M$ systems, has unix boxes to the desktop to reduce risk. <total 1>

A couple of us here though, made reference to clients and companies we are aware of that let it all pass, for various reasons:

- They can't justify the hassle this causes to end users.
- They don't have the functionality in their firewalls.
- They don't know it can be done.

The threat<s> remain, and many ignore it, and tons more write to it. The job postings are full of requests for asp and java/java-script developers.

How often do we hear of a malicious website that has been wiping out hard drives and rebooting those that surf there into a reinstall and loss of data on any kind of large scale? And how quickly could such a happening be traced back to the offending site so it gets blackholed? Imagine the harm that might be done if a very popular website was redirected to another truly such nasty site and it started taking down machines left and right. Imagine a highly visible, popular site <compromised> that injects a bit of nasty replicating code, that takes a bit of time before its full payload is unleashed <the Morris worm like nasty>, striking machine after machine and company after company...

The potential has been there for such a happening for some time, but, I've yet to actually see anything pop up about a realtime exploit of such magnitude. Why have no such attacks been launched:

a) fear of being caught?
b) some 'ethical' code of least harm done?
c) even with all the pieces in place the web defacement crowd have been too clueless to put the pieces together?

I personally suspect a) here... others have tended to think more along the lines of option "c", some have postulated b even...

Considering:

The cult status that exists surrounding say Kevin Mitnick and others like him over time. And the vast numbers of young newbies to the world of computing that are 'sucked into' the 'darkside<TM>' of the Internet...(*)

...that cyber terrorism has taken on a new face, with the recent blackmail attempt made concerning stolen credit card information...

...that a youth's defense about threats made to students already brutalized via the Columbine incident is based on 'fantasy role playing'...(**)

What might be the reaction and legal fallout of such matters as concerns Internet access, systems security, etc...? Can a person steal a few hundred thousand credit card numbers, try and blackmail the company they were stolen from for a few hundred thousand dollars, then when caught claim it was only a fantasy role playing game to them? Will we see someone make such a claim in the near future based upon a website hack like something outlined above?

Are active content pages and scripting ever going to be safe and 'secure'?

~~~~~~~~~

* Is it just the 'excitement', the thrill one imagines, of having distant control of processes that draws people to computing as we know it today, meaning mostly the 'Internet'? Why do so many then turn from the thrill of that first telnet/rlogin session to seeking a 'fix' more potent, by becoming some l33t cracker, rather than drift to better pursuits? Is this some drive for 'instant fame'?

** It's interesting to note how much role playing fantasy games played a role in the popularity of the local and not-so-local BBS's. Some are still quite popular, especially those that are now also attached, somehow, to the Internet. It's also perhaps interesting to note how much the Internet has, in ways, mirrored many of the 'cyber-social' conventions of many of those old BBS' <or is that vice versa?>.

Thanks,

Ron DuFresne

On Tue, 18 Jan 2000, R. DuFresne wrote:

>
> Okay, here's the issue:
>
> Many advisories and announcements have been made about the
> potential abuse of java, java-script, active-x, vb-scripts, and well,
> pretty much any active content in the major web browsers and across the
> HTML protocol.
>
> Never minding the minimal active exploitation actually being observed;
>
> While we know that most experts and consultants in the field will advise
> that active content be either blocked at the border, and/or turned off in
> the browser<s>, how many corporate gateway admins are actually blocking
> this as many advise? How are corporations dealing with this e-commerce
> wise, and/or as regards business partners?
>
> Thanks,
>
>
> Ron DuFresne
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
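As an added illustration of the "block it at the border" advice this thread is surveying (example code added here, not from the original post or the list), the following Python sketch shows what a gateway-side filter has to recognise to strip the active content types named in the thread (java applets, java-script, active-x/plugin objects, vb-script URLs) from an HTML response; the sample page, the tag list and the dropped-item labels are constructed for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Elements and URL schemes treated here as "active content" (java, java-script,
# active-x/plugins, vb-script), mirroring what the thread proposes blocking.
ACTIVE_TAGS = {"script", "applet", "object", "embed"}
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|vbscript):", re.IGNORECASE)


class ActiveContentFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.dropped.append(f"<{tag}>")
            self._skip += 1  # swallow the element and everything inside it
        elif not self._skip:
            kept = []
            for name, value in attrs:  # names arrive lowercased, values unescaped
                if name.startswith("on") or (value and ACTIVE_SCHEME.match(value)):
                    self.dropped.append(f"{tag}@{name}")  # handler / script URL
                elif value is None:
                    kept.append(name)
                else:
                    kept.append(f'{name}="{escape(value, quote=True)}"')
            self.out.append("<" + " ".join([tag, *kept]) + ">")

    def handle_endtag(self, tag):  # self-closing tags call start then end
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text arrives unescaped; re-escape on output
        if not self._skip:
            self.out.append(escape(data, quote=False))


def filter_html(markup):
    """Return (cleaned_html, dropped_items) for one HTML document."""
    f = ActiveContentFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out), f.dropped


# Constructed sample page, not taken from any real site.
SAMPLE = ('<html><body onload="init()"><p>Hello &amp; welcome</p>'
          '<script>var x = 1;</script><a href="javascript:void(0)">link</a>'
          '<applet code="Foo.class">fallback</applet><embed src="x.swf"/>'
          '<a href="http://example.com/">ok</a></body></html>')
```

This is also why "they don't have the functionality in their firewalls" matters: a packet filter never sees the response body, so this kind of stripping needs a proxy that parses HTML.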
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:21 PDT