hirez: More graf. Same place as the other one. (Riiight)
[personal profile] hirez
Dear Facebook types.

One or other of you has managed to catch The Pox on whatever it is you use to connect to FB.

FB messages containing the subject 'All the best' and (in my case, anyway) a link to www.mmilimetr.republika.pl (don't be a clever-bollocks and follow that unless you're running a unix box and some javascript debugger) are well bogus.

As I regularly point out, your Facebook/LJ/whatever accounts are exactly as secure as the weakest password on your friendslist, l33tspeak passwords are as easy to crack as efforts of the order of 'password69', and you can guarantee that as soon as some grotty PHP-fiddler has your email address and a password, they're going to try it on Paypal.

'Noscript' is a jolly nice bolt-on for Firefox.

FB certainly used to have a password-quality meter.

Date: 2010-01-24 12:31 pm (UTC)
From: [identity profile] nisaba.livejournal.com
Different passwords on facebook, paypal, and LJ, and thanks to the joys of imap forwarding, different email address on paypal to anywhere else (although it is an old one that might be cached somewhere, but I've removed it from facebook and lj).

I was actually surprised to see that one of the most geeky people at my work seems to have caught the pox, judging from the messages left on her wall. She's the type I'd expect to have a password 27 characters long made up of some obscure acronym that was mentioned once in an early episode in Babylon 5.

Date: 2010-01-24 01:32 pm (UTC)
From: [identity profile] moral-vacuum.livejournal.com
I use similar formats for my passwords, and sites that have strength meters say they're very secure indeed.

Noscript is all very well but it's now stopped me from commenting on FB...

Date: 2010-01-24 01:35 pm (UTC)
From: [identity profile] badnewswade.livejournal.com
bravely resists temptation to follow link

Wgets (http://www.gnu.org/software/wget/) it instead.


Woah! That sort of code you even think twice about debugging in case it infects your brain.

Date: 2010-01-24 01:38 pm (UTC)
From: [identity profile] hirez.livejournal.com
The magic of Noscript is selectively allowing just enough of a site's Hateful Javascript to keep it working.

Date: 2010-01-24 01:48 pm (UTC)
From: [identity profile] hirez.livejournal.com
The sort of people who are immune to that sort of friend-based social engineering are generally paranoid nutcases like JJ Angleton.

I admit I clicked on the link (Hey, trusted source. No doubt it's an interesting website about spanners or steam traction.), killed the browser as soon as the 'We will now perform a free security scan' dialog box arrived and then ran a scan for malware. What can I say? I was asleep.

Date: 2010-01-24 02:01 pm (UTC)
From: [identity profile] badnewswade.livejournal.com
An interesting strategy but one that could lead to disaster - isn't there a danger it will give users a false sense of security while bad guys learn to tunnel through it? Not to mention it killing legitimate applications...

I personally have four modes:

"total bugfart paranoia" (Using Wget for accessing things I KNOW are super-dodgy) - really this is a programming mode

"Shields up" (images, Java & javascript off, used when accessing dodgy stuff or stuff I ain't sure of)

"Shields down" (Images and Javascript on, Java off) - this is my everyday browsing mode.

"Butt Naked" (Images, Java & javascript all turned on, butt-to-the-wind - rarely if ever used)

Date: 2010-01-24 02:26 pm (UTC)
From: [identity profile] bluekieran.livejournal.com
The couple I've seen have all been unconvincing in terms of grammar/phrasing the sender would use, and so a no-brainer.

Date: 2010-01-24 02:29 pm (UTC)
From: [identity profile] moral-vacuum.livejournal.com
But one needs a certain amount of technical knowledge to be able to fettle it properly.

Date: 2010-01-24 02:54 pm (UTC)
From: [identity profile] serpentstar.livejournal.com
Interesting -- so I may need Noscript even if I already have a pretty decent suite that usually blocks access to dodgy sites (F-secure)?

I do have an extraordinarily strong password for PayPal, at least... and the only time I even saw a "free security scan" dialogue box, I did the same as you.

Date: 2010-01-24 04:28 pm (UTC)
From: [identity profile] hirez.livejournal.com
Yes. One can't legislate against stupidity.

Date: 2010-01-24 04:29 pm (UTC)
From: [identity profile] hirez.livejournal.com
Yes. Such is the nature of Internet security.

Date: 2010-01-24 04:34 pm (UTC)
From: [identity profile] hirez.livejournal.com
It's up to the individual. I use it at work because sometimes looking for trouble is part of the job description.

Date: 2010-01-24 11:15 pm (UTC)
From: [identity profile] hirez.livejournal.com
Since I have a reasonably quick computer, I installed VMWare player and an Ubuntu desktop VM. (God Gnome's hateful)

VMWare Unity is rather swish.

Anyway. Installed a Javascript debugger and went looking for trouble. :D

Hurrah for free (FAVO) software.

Date: 2010-01-25 07:17 am (UTC)
From: [identity profile] jendama.livejournal.com
KeePass!

Date: 2010-01-25 12:00 pm (UTC)
From: [identity profile] aoakley.livejournal.com
All browsers should boot up in virgin VMs until the user is competent enough to reconfigure their system not to.

Date: 2010-01-25 12:14 pm (UTC)
From: [identity profile] hirez.livejournal.com
Yes.

There was a Labs project which managed this under XP. I don't know what became of it.

Otherwise, VMWare Unity FTW. (At the expense of having to piss about with another OS, so it's absolutely not for the unskilled. I note that VMWare themselves package a noddy VM that just runs a browser, but it's an aged version of FF.)

Date: 2010-01-25 12:27 pm (UTC)
From: [identity profile] aoakley.livejournal.com
I'm actually going to install a saved-state VM on my dad's Windows PC to do exactly that. Debian + Openbox + Firefox, link the cookies path to somewhere that doesn't get wiped so he doesn't moan too much.

Hopefully that will save me from having to have The Conversation about not browsing for free porn. Especially since his excuse that "one of my students must have sent me an infected file" will expire in September when he becomes fully retired from his professorship.

Date: 2010-01-25 12:29 pm (UTC)
From: [identity profile] aoakley.livejournal.com
By the way, I use VirtualBox since that allows me to "float" virtual application windows (eg. Firefox) outside the VM display, so that the virtual applications look integrated with the host desktop. Our paid-for VMWare at work doesn't allow this without an extra expensive add-on. Do the freebie versions of VMWare allow window detach/float?

Date: 2010-01-25 12:37 pm (UTC)
From: [identity profile] hirez.livejournal.com
Yes. They call it 'unity'. It's rather nice on VMWare Fusion (I have OS X on one screen and a XP VM on the other, for instance) and comes for free in the latest VMWare player.

Dunno how/if it works with a KDE- or console-based distro.

Date: 2010-01-26 01:47 am (UTC)
From: [identity profile] badnewswade.livejournal.com
Oooh - what do you recommend for a Firefox JavaScript debugger?

Date: 2010-01-26 08:16 am (UTC)
From: [identity profile] hirez.livejournal.com
The chaps at work all use firebug, so I installed that.

Date: 2010-01-26 02:19 pm (UTC)
From: [identity profile] badnewswade.livejournal.com
Cool! Ta...
