more jms impersonators

B5JMS Poster b5jms-owner at shekel.mcl.cs.columbia.edu
Fri May 23 06:16:46 EDT 1997 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: ck at zipcon.net ( )
Date: 21 May 1997 11:56:37 -0400
Lines: 69

E. Gkioulekas (egkioule at u.washington.edu) wrote:
: Unfortunately no-one warned JMS about file attachments, and Microsoft 
: just doesn't get it and it's pushing out crap like ActiveX to the consumers.
: When you visit a web page, ActiveX will download and run binary files with
: no protection at all. If the file wants to bring up a smiley face with
: blinky eyes, it will do that. If the file wants to format your drive it
: will do that too. 

Slightly inaccurate. If you have your security set to "medium" in Internet
Explorer,(Views-Options-Security-Safety Level), a dialog comes up to warn
you of all potential security problems and you can choose whether or not
to download a given ActiveX control. If this is set to "high", your
browser won't download any ActiveX controls and will let you know that
there are controls on the page that it isn't downloading, because you told
it not to.

Or you can simply uncheck "Allow downloading of active content", "Enable
ActiveX controls and plugins", and/or "Run ActiveX scripts" under
View-Options-Security.

So while ActiveX controls can be malicious, you can be protected from them
if you surf over a wide enough variety of places that you think you'll run
into a malicious one and wish to take steps to protect yourself. As usual,
while MS is certainly no saint, they're not completely in the wrong
either.

Additionally, while Java applets don't have nearly the potential for
mischief (since most aren't able to open or delete files), they can be
bloated or poorly written, hanging the browser or just taking an
excruciatingly long time to load. Those can be turned off via
View-Options-Security and unchecking "Enable Java programs".

The only programs that can really do your system damage outside of these
applets are code that can be run, i.e. .EXE or .COM files. Images, text,
or mail messages by themselves do no harm. To be safe, however, never open
or run something from someone you don't know and whose opinion on computer
matters you don't trust.

Lastly, and this is just my opinion with no factual evidence to back it
up, most flaws in Java and ActiveX to date have been found by people
actively looking for such holes and not due to malicious, widespread
attack. The number of people affected by a particular attack are usually
very small; after that, the news about the dangerous flaw/page/control is
usually all over the net (and usually gets a brief mention in the
mainstream news, nowadays). Your chances of accidentally running across
such a control or section of code are very, very small.

So in summary:

	- Don't open binary files from people you don't know.
	- Security options in your browser, (under View-Options in IE),
are your friend. It only takes a moment and if you set it to the max, it
will protect you.
	- ActiveX and similar technology have the potential to do you
harm only to the extent that you trust it. 

The way to round out this thread, IMHO, is if someone with experience with
Netscape and Macs could pipe up with how to enable security on their
browsers/systems and what peculiarities to watch for.


- Chris
	

-- 
Chris Keroack	<*>	The only joy in the world is to begin. 
ck at zipcon.net	<*>				- Cesare Pavese



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: jmsatb5 at aol.com (Jms at B5)
Date: 21 May 1997 18:03:20 -0400
Lines: 22

Re: the Trojan horse...the main fault threre is my own stupidity.  When I
got the email, it said the accompanying file was a .jpg of a Starfury
doned by his 12 year old kid, and could I look at it and send him a note? 
I downloaded the file, double clicked the filename...and just at the
second click saw it was an .exe file and not a .jpg file.  By the time I
reacted, my Windows directory, dos directory, and a couple others were
gone...and then, after spending a week reconstructing my hard drive, when
I could finally do a virus check it showed it'd also dumped one of THOSE
into my system as well which took even *more* time...and there was that
file, saying STAR TREK RULES....

So, finally, I don't/can't download files anymore from fans.  I just can't
take the chance anymore that I might be too tired and just stupid enough
to do the wrong thing with it.  But in any event, it happened a while
back, and for our purposes it's ancient history.


 jms




-***
-*** B5JMS SUBSCRIBERS: Replies to messages go to the list maintainer,
-*** <b5jms-owner at cs.columbia.edu>.  If you want to reply elsewhere, adjust
-*** the "To" field.  The best way to reach JMS is to post to rastb5m, which
-*** can be done by sending email to <b5mod at deepthot.cary.nc.us>.

More information about the B5JMS mailing list