Summary: Re: actual implimentation questions

From: R. DuFresne (dufresneat_private)
Date: Sun Feb 13 2000 - 22:11:21 PST


    Summary:
    
    From a total of five responses and the conversation prompting this survey,
    these were the totals and their splits:
    
    Three direct replies, one inferred from a previous conversation on the
    matter, and another from a local company deep into the e-commerce movement
    all block and/or do not use active content.  <total 5>
    
    One reply was interesting, only allowing java and java-script.  And, due
    to the fact that most threats are directed towards M$ systems, has unix
    boxes to the desktop to reduce risk.  <total 1>
    
    A couple of us here though, made reference to clients and companies we are
    aware of that let it all pass, for various reasons:
    
    - They can't justify the hassle this causes to end users.
    - They don't have the functionality in their firewalls.
    - They don't know it can be done.
    
    The threat<s> remain, and many ignore it, and tons more write to it.  The
    job postings are full of requests for asp and java/java-script developers.
    How often do we hear of a malicious website that has been wiping out hard
    drives and rebooting those that surf there into a reinstall and loss of
    data on any kind of large scale?  And how quickly could such a happening
    be traced back to the offending site so it gets blackholed?  Imagine the
    harm that might be done if a very popular website was redirected to
    another truly such nasty site and it started taking down machines left
    and right.  Imagine a highly visible, popular site <compromised> that
    injects a bit of nasty replicating code, that takes a bit of time before
    its full payload is unleashed <the Morris worm like nasty>, striking
    machine after machine and company after company...  The potential has
    been there for such a happening for some time, but, I've yet to actually
    see anything pop up about a realtime exploit of such magnitude.
    
    Why have no such attacks been launched:
    
            a) fear of being caught?
    
            b) some 'ethical' code of least harm done?
    
            c) even with all the pieces in place the web defacement crowd
               have been too clueless to put the pieces together?
    
    
    I personally suspect a) here... others have tended to think more along the
    lines of option "c", some have postulated b even... 
    
    Considering:
    
    The cult status that exists surrounding say Kevin Mitnick and others like
    him over time.  And the vast numbers of young newbies to the world of
    computing that are 'sucked into' the 'darkside<TM>' of the Internet...(*)
    
    ...that cyber terrorism has taken on a new face, with the recent blackmail
    attempt made concerning stolen credit card information...
    
    ...that a youth's defense about threats made to students already brutalized
    via the Columbine incident is based on 'fantasy role playing'...(**)
    
    What might be the reaction and legal fallout of such matters as concerns
    Internet access, systems security, etc...?
    
    Can a person steal a few hundred thousand credit card numbers, try and
    blackmail the company they were stolen from for a few hundred thousand
    dollars, then when caught claim it was only a fantasy role playing game to
    them?
    
    Will we see someone make such a claim in the near future based upon a
    website hack like something outlined above?
    
    Are active content pages and scripting ever going to be safe and 'secure'?
    
    ~~~~~~~~~
    *  Is it just the 'excitement', the thrill one imagines, of having distant
    control of processes that draws people to computing as we know it today,
    meaning mostly the 'Internet'?  Why do so many then turn from the thrill
    of that first telnet/rlogin session to seeking a 'fix' more potent, by
    becoming some l33t cracker, rather than drift to better pursuits?  Is this
    some drive for 'instant fame'?
    
    **  It's interesting to note how much role playing fantasy games played a
    role in the popularity of the local and not-so-local BBS's.  Some are
    still quite popular, especially those that are now also attached, somehow
    to the Internet.  It's also perhaps interesting to note how much the
    Internet, in ways, mirrors many of the 'cyber-social' conventions of
    many of those old BBS' <or is that vice versa?>.
    
    
    Thanks,
    
    
    Ron DuFresne
    
    
    On Tue, 18 Jan 2000, R. DuFresne wrote:
    
    > 
    > Okay, here's the issue:
    > 
    > Many advisories and announcements have been made about the
    > potential abuse of java, java-script, active-x, vb-scripts, and well,
    > pretty much any active content in the major web browsers and across the
    > HTML protocol.
    > 
    > Never minding the minimal active exploitation actually being observed;
    > 
    > While we know that most experts and consultants in the field will advise
    > that active content be either blocked at the border, and/or turned off in
    > the browser<s>, how many corporate gateway admins are actually blocking
    > this as many advise?  How are corporations dealing with this e-commerce
    > wise, and/or as regards business partners?
    > 
    > Thanks,
    > 
    > 
    > Ron DuFresne
    > 
    
    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior consultant:  darkstar.sysinfo.com
                      http://darkstar.sysinfo.com
    
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    
    testing, only testing, and damn good at it too!
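The survey above turns on one control: blocking active content at the border rather than trusting every desktop browser to have it turned off. As an added illustration (not code from the list post or from any product mentioned in it), the following Python module shows what such a gateway filter does to an HTML response: it drops `script`, `applet`, `object` and `embed` elements, strips `on*` event-handler attributes and `javascript:` URLs, and returns a tally of what it removed so the proxy can log it. The sample page, the `ActiveContentFilter` class and the `strip_active_content` function are all constructed for this example.

```python
"""Strip active content from an HTML response before it reaches the browser.

Added example: a minimal filter of the kind a border proxy would apply when
the policy is "no active content" (the policy most respondents described).
The element and attribute lists, the filter class, and the sample page are
all constructed for this illustration.
"""
from collections import Counter
from html import escape
from html.parser import HTMLParser

# Elements that carry executable or plugin-hosted content; dropped entirely.
BLOCKED_ELEMENTS = {"script", "applet", "object", "embed"}
# Void elements never get a closing tag, so they must not change nesting depth.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}
# Attributes whose value is a URL; a javascript: scheme here runs code.
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentFilter(HTMLParser):
    """Re-serialises HTML while removing active content and counting removals."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []            # output fragments, joined at the end
        self.blocked_depth = 0   # >0 while inside a blocked element
        self.removed = Counter() # audit tally for the proxy log

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):           # onload=, onerror=, ...
                self.removed["event_handler"] += 1
                continue
            if (lname in URL_ATTRS and value is not None
                    and value.strip().lower().startswith("javascript:")):
                self.removed["javascript_url"] += 1
                continue
            kept.append((name, value))
        return kept

    def _emit_start(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            # html.parser hands us unescaped values; escape them again on output.
            parts.append(name if value is None
                         else '%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if self.blocked_depth or tag in BLOCKED_ELEMENTS:
            if tag in BLOCKED_ELEMENTS:
                self.removed["element:" + tag] += 1
            if tag not in VOID_ELEMENTS:
                self.blocked_depth += 1
            return
        self._emit_start(tag, self._clean_attrs(attrs), False)

    def handle_startendtag(self, tag, attrs):
        if self.blocked_depth or tag in BLOCKED_ELEMENTS:
            if tag in BLOCKED_ELEMENTS:
                self.removed["element:" + tag] += 1
            return
        self._emit_start(tag, self._clean_attrs(attrs), True)

    def handle_endtag(self, tag):
        if self.blocked_depth:
            if tag not in VOID_ELEMENTS:
                self.blocked_depth -= 1
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.blocked_depth:      # script bodies etc. are dropped here
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.blocked_depth:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self.blocked_depth:
            self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.removed["comment"] += 1    # comments are dropped; nothing to keep

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def strip_active_content(html_text):
    """Return (cleaned_html, removal_report) for one HTML response body."""
    f = ActiveContentFilter()
    f.feed(html_text)
    f.close()
    return "".join(f.out), dict(f.removed)


# Constructed sample response: a page mixing ordinary markup with each kind
# of active content the filter is meant to catch.
SAMPLE = (
    '<html><head><title>Demo</title>'
    '<script>document.location="http://evil.example/"</script></head>'
    '<body onload="run()"><p>Hello <b>world</b></p>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="/safe">ok</a>'
    '<object classid="clsid:0000"><param name="x" value="1"></object>'
    '<img src="/a.gif" onerror="x()" alt="a &amp; b">'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, report = strip_active_content(SAMPLE)
    print(cleaned)
    print(report)
```

The tally is the part a gateway admin actually wants: a proxy that silently strips content gives no signal, whereas a per-site count of removed `script` elements and `javascript:` URLs tells you which sites the policy is biting on and which business partners to talk to. The filter is a demonstration of the policy, not a complete sanitiser; it does not look at `data:` URLs, stylesheet-driven behaviour or the plugin-specific MIME types a real product would also have to cover.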
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:21 PDT