Douglas A. Tutty wrote:
> This is a more general question to an issue that came up in another
> thread.
> Not to single out Iceweasel but, for example, IIUC, javascript and
> flashplayer end up running someone else's code on your computer as you.
> What are the security implications of this? What could a malicious
> flash or piece of javascript really do to your files in your home directory?
> What are the security implications of this if you are also a member of
> group wheel, adm, or staff?
> As for my home directory, of course it has security-sensitive info:
> health info, passwords, and other private documents.
> Should I have a separate user setup for just running a javascript- and
> flash-enabled web browser?
I would, but see below.
> I know that any software can have bugs, but I think that software that
> has to keep up with features to be useable (e.g. a browser) is more
> likely to be at risk of unknown exploits than more feature-stable
> net-apps such as mutt, exim, ftp, or rsync.
No doubt about that, though I don't think there's any way to quantify or
even guess the risk, other than by saying 'less is better'.
Unfortunately, cross-platform content also implies cross-platform
malware. We can't just rely on not being Windows users, and I suspect
that all 'technologies' are capable of much more harm than their
inventors intended. We now have PDF malware. The bad guys are just plain
more inventive.
I can do most of what I need with Iceweasel without flash and with
No-Script, and I'm not a member of any useful security groups. I read
secure logs with a sudo-ed mc in a terminal. I'd rate my paranoia as at
least 90% of the theoretical 'pull-all-the-plugs-out' maximum. But then
I've also run various versions of Windows for more than ten years,
mostly without AV, without ever picking up anything unwanted, so it does
help.
There's just no safe way of running other people's software on your
machine. Microsoft Update and apt-get are probably as close as you get,
and I wouldn't bet a large amount of money that either is 100% safe. One
day MU will get hacked, and the whole world will collapse.
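A concrete way to answer Douglas's question ("what could a malicious flash or
piece of javascript really do to your files?") is to check what the shell you
launch the browser from can already reach, because the browser inherits exactly
those credentials. The script below is an added example, not from either poster
and not from any Debian package: it tests a list of sensitive paths for
read/write access with the current uid and group set, and flags the groups
mentioned in the thread (adm, staff, wheel, plus sudo) that widen a browser's
reach beyond $HOME. The path list is an assumption; adjust it to your own
layout.

```shell
#!/bin/sh
# Added example: audit what a process running as the current user, with the
# current supplementary groups, could read or write. The shell's -r/-w tests
# evaluate against the same uid/gids a browser started from this shell would
# carry, so the report is literally "what JavaScript or Flash could touch".
set -u

# Assumed list of paths worth worrying about: the poster's private documents
# and credentials under $HOME, plus system paths that extra group membership
# typically opens up (Debian's adm reads /var/log, staff writes /usr/local).
sensitive_paths() {
    cat <<EOF
$HOME/.ssh/id_rsa
$HOME/.gnupg
$HOME/.mozilla
$HOME/.bash_history
$HOME/Documents
/var/log/auth.log
/var/log/syslog
/usr/local/bin
/etc/shadow
EOF
}

# Print one line per existing path: first column R or -, second W or -.
# Paths that do not exist on this machine are skipped rather than reported.
audit_access() {
    sensitive_paths | while IFS= read -r p; do
        [ -e "$p" ] || continue
        r=-; w=-
        [ -r "$p" ] && r=R
        [ -w "$p" ] && w=W
        printf '%s%s %s\n' "$r" "$w" "$p"
    done
}

# Given a space-separated group list (e.g. the output of `id -Gn`), print the
# groups the thread worries about, one per line: adm (log access on Debian),
# staff (/usr/local and /home), wheel and sudo (a path to root via su/sudo).
risky_groups() {
    for g in $1; do
        case "$g" in
            adm|staff|wheel|sudo) printf '%s\n' "$g" ;;
        esac
    done
}

# Run stand-alone: report for the invoking user.
printf 'Reachable as uid %s (a browser run from here gets the same):\n' "$(id -u)"
audit_access
printf 'Privilege-widening groups: %s\n' "$(risky_groups "$(id -Gn)" | tr '\n' ' ')"
```

Everything marked RW in the output is exactly what a hostile script in an
ordinary browser session could read or overwrite; nothing in the browser's
sandbox model of that era stops it, because it runs as you. The separate-user
idea in the thread works by making that list empty: a dedicated account with
its own $HOME, no membership in the groups flagged above, and the browser
launched into it (for example via sudo -u) so the only files it can reach are
its own.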