Re: [OT] was, Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
Marko Vojinovic wrote:
> So my advice to you is to just drop the subject. If you don't trust
> javascript yourself, you are welcome to disable it or use no-script.
> But please don't try to convince the whole world that there is a
> major security hole in it, because there isn't, and people will
> start labelling you as a troll if you continue to pursue this beyond
> its realistic relevance.

I think that dropping this is the best advice. Further posts in this thread should be held for moderation (and likely will not be sent on to the list quickly, if at all).

Hopefully folks can find a better way to spend the weekend. :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Never take life seriously. Nobody gets out alive anyway.

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
JD writes:

> At the very least, javascript should be blocked just because
> it is invasive!

And you were told, several times, how to block javascript.

Have you already blocked Javascript from being executed in your browser, as I and others have told you to do?

Re: Fedora Security and the Uverse 3800HGV-B router
On Sat, 2011-07-02 at 16:45 -0700, JD wrote:
> On 07/02/2011 01:07 PM, Craig White wrote:
> > On Fri, 2011-07-01 at 21:14 -0700, JD wrote:
> >
> >> You are right.
> >> It turns out it does it via the intruder which the whole
> >> world was deceived by Sun that it only plays in a sandbox
> >> and has no access to anything outside that sandbox: Javascript.
> >
> > what does javascript have to do with Sun? It is not java. It doesn't
> > share anything at all with java except the name which was an unfortunate
> > choice.
> >
> >> So I used noscript to disable scripts from 192.168.1.254
> >> and access to my drive went away.
> >>
> >> When will the linux community wake up and shout out loud:
> >> Kill JavaScript from all browsers and all network servers
> >> and network clients.
> >
> > turn off javascript and the Internet is almost unusable. I think you
> > were close when you realized that your 'router' is likely an attack
> > vector because many of the retail/home intended routers are known to
> > have been compromised.
> >
> >> It is THE trojan horse hiding in plain sight and can access
> >> EVERYTHING on your system that YOU have access to and
> >> send it back to whatever destination the javascript was
> >> written to send it to.
> >>
> >> Common people! JAVASCRIPT being executed by your
> >> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
> >
> > http://en.wikipedia.org/wiki/Javascript
> >
> >Sandbox implementation errors
> >
> >Web browsers are capable of running JavaScript outside
> >of the sandbox, with the privileges necessary to, for
> >example, create or delete files. Of course, such privileges
> >aren't meant to be granted to code from the web.
> >
> > What you have demonstrated is one of the many reasons not to run GUI as
> > root but you only saw the files/folders that you could see with a tool
> > like nautilus or dolphin with exactly the same privileges so I guess I
> > can't understand your hysterics.
> >
> > If noscript gives you peace of mind, then use it.
> >
> > Craig
> >
>
> Why do you resort to name calling?
> It is not hysterics.
> A javascript sent by web site can, if written
> to do so, open your files and upload them to
> some remote site; and you call this hysterics?
> Something is wrong with your thinking to resort
> to name calling.
> I think user's awareness, that javascripts are indeed
> invasive and a great threat to privacy, needs to be
> raised. Most users are unaware of this threat.

I'm probably wasting my time here but nowhere did I resort to anything even remotely close to name calling. I wonder if you confused my one entry into this thread with others or simply have a comprehension problem.

The post I responded to...

> It is THE trojan horse hiding in plain sight and can access
> EVERYTHING on your system that YOU have access to and
> send it back to whatever destination the javascript was
> written to send it to.
>
> Common people! JAVASCRIPT being executed by your
> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!

if that isn't hysterics, then I don't know what is. The sky is not falling.

Craig

Re: [OT] was, Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On Sunday 03 July 2011 06:40:21 JD wrote:
> Well, javascript is known to be "craftable" to do evil.
> I am sure you have already seen the links I sent.

You know, I can provide you with a whole bunch of links on the net about people being abducted by aliens and experimented on. Does that mean that I should take alien abductions as a fact of life? Or does it mean that a bunch of links from the net does not make a good argument in a discussion?

Links on the Internet are usually provided for *reference* purposes of their contents --- they should be opened, examined, and their content judged critically, before proceeding in any (serious) discussion. Sheer existence and number of links itself proves nothing, and does not serve any good to a discussion. Just do a google-search on "proof of Riemann hypothesis" --- there are millions of links it provides, but not a single one of them contains the actual proof of the famous Riemann's problem.

Several people have opened the links you provided, and figured that they refer to eight-year-old comments about javascript bugs from 1997 or so. Due to their age, these problems (and consequently the links themselves) are dismissed from the discussion as invalid --- because those problems are non-existent today.

So my advice to you is to just drop the subject. If you don't trust javascript yourself, you are welcome to disable it or use no-script. But please don't try to convince the whole world that there is a major security hole in it, because there isn't, and people will start labelling you as a troll if you continue to pursue this beyond its realistic relevance.

HTH. ;-)

Best, :-)
Marko

Re: Fedora Security and the Uverse 3800HGV-B router
On 07/03/2011 01:45 AM, JD wrote:
> On 07/02/2011 01:07 PM, Craig White wrote:
>> On Fri, 2011-07-01 at 21:14 -0700, JD wrote:
>>
>>> You are right.
>>> It turns out it does it via the intruder which the whole
>>> world was deceived by Sun that it only plays in a sandbox
>>> and has no access to anything outside that sandbox: Javascript.
>>
>> what does javascript have to do with Sun? It is not java. It doesn't
>> share anything at all with java except the name which was an unfortunate
>> choice.
>>
>>> So I used noscript to disable scripts from 192.168.1.254
>>> and access to my drive went away.
>>>
>>> When will the linux community wake up and shout out loud:
>>> Kill JavaScript from all browsers and all network servers
>>> and network clients.
>>
>> turn off javascript and the Internet is almost unusable. I think you
>> were close when you realized that your 'router' is likely an attack
>> vector because many of the retail/home intended routers are known to
>> have been compromised.
>>
>>> It is THE trojan horse hiding in plain sight and can access
>>> EVERYTHING on your system that YOU have access to and
>>> send it back to whatever destination the javascript was
>>> written to send it to.
>>>
>>> Common people! JAVASCRIPT being executed by your
>>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
>>
>> http://en.wikipedia.org/wiki/Javascript
>>
>>Sandbox implementation errors
>>
>>Web browsers are capable of running JavaScript outside
>>of the sandbox, with the privileges necessary to, for
>>example, create or delete files. Of course, such privileges
>>aren't meant to be granted to code from the web.
>>
>> What you have demonstrated is one of the many reasons not to run GUI as
>> root but you only saw the files/folders that you could see with a tool
>> like nautilus or dolphin with exactly the same privileges so I guess I
>> can't understand your hysterics.
>>
>> If noscript gives you peace of mind, then use it.
>>
>> Craig
>>
>>
> Why do you resort to name calling?
> It is not hysterics.
> A javascript sent by web site can, if written
> to do so, open your files and upload them to
> some remote site; and you call this hysterics?
> Something is wrong with your thinking to resort
> to name calling.
> I think user's awareness, that javascripts are indeed
> invasive and a great threat to privacy, needs to be
> raised. Most users are unaware of this threat.
>

JD, if this was so blatantly easy, don't you think more people would be doing it? Even more so, don't you think implementers (say, Mozilla) would (and do) work around it?

Re: Fedora Security and the Uverse 3800HGV-B router
On 02/07/11 05:14, JD wrote:
> You are right.
> It turns out it does it via the intruder which the whole
> world was deceived by Sun

Javascript, Sun?

> that it only plays in a sandbox
> and has no access to anything outside that sandbox: Javascript.

I have js enabled on all web boxes, no leaks here.

-- 
Regards,

Frank Murphy
UTF_8 Encoded
Friend of fedoraproject.org

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 05:32, JD wrote:
> At the very least, javascript should be blocked just because
> it is invasive!

your problem is that everybody can see how you started this discussion which showed that you are a technical noob and so you can not be qualified for rants like "When will the linux community wake up and shout out loud: Kill JavaScript from all browsers and all network servers and network clients."

so why do you not shut up and realize that the whole world is laughing at you more and more after each posting in this thread?

so decide FOR YOU THAT YOU will not use JS and leave the world in peace

---- Original Message ----
Subject: Fedora Security and the Uverse 3800HGV-B router
Date: Fri, 01 Jul 2011 20:45:53 -0700
From: JD
Reply-To: Community support for Fedora users
To: Community support for Fedora users

I am writing this message with the hope that someone on this list has this uverse router.

When I use Firefox to browse to this router (192.168.1.254), it displays the "Home" machines connected to the network. For each machine it displays: a tv icon, its name, and a link named "Access FIles" and another link named "Device Details".

If I click on any machine's "Access FIles" link, it displays my Fedora's / directory completely.

I have no ftp daemon running. I have no apache running. In fact I do not have ANY internet server running.

So how in blazes is the router able to display my entire system's files?

If I aim my browser at my own IP address, I get

    Unable to connect
    Firefox can't establish a connection to the server at 192.168.1.201.

So how is the router doing it? This is a very disconcerting security hole and I have not been able to nail it down to any daemon running on my Fedora.

Thanks for your insights.

JD

Re: [OT] was, Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 10:13 PM, Joe Zeff wrote:
> On 07/02/2011 09:40 PM, JD wrote:
>> Actually, no.
>> I mean drugs that will kill you even when you take them
>> as Rx'ed!
>> I am sure you have heard the TV/Radio ads for some drugs??
>> Many state that death is a possible side effect
> Not to pick a nit, but if you take a drug, such as penicillin, and don't
> know you're allergic to it, the results can go from hives through
> anaphylactic shock all the way to death, no matter how "safe" the drug's
> supposed to be. Why do they sell drugs like that? Well, there are lots
> of reasons, none of them evil. Generally speaking, the chance of a fatal
> effect is low, and the probability of benefit is so high that it's been
> decided that the minor risk is worth it for enough people. It's a
> judgement call based on the fact that if you reject any treatment where
> death is possible you reject just about all of medicine.

Well, javascript is known to be "craftable" to do evil. I am sure you have already seen the links I sent.

But at least in the case of the patient taking penicillin, it is taken knowingly and with some information of its contents, as per his physician, and with exact dosage and frequency of ingestion...etc.

In the case of javascript malware, the user does not even know that javascript came in and made his day!

[OT] was, Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 09:40 PM, JD wrote:
> Actually, no.
> I mean drugs that will kill you even when you take them
> as Rx'ed!
> I am sure you have heard the TV/Radio ads for some drugs??
> Many state that death is a possible side effect

Not to pick a nit, but if you take a drug, such as penicillin, and don't know you're allergic to it, the results can go from hives through anaphylactic shock all the way to death, no matter how "safe" the drug's supposed to be. Why do they sell drugs like that? Well, there are lots of reasons, none of them evil. Generally speaking, the chance of a fatal effect is low, and the probability of benefit is so high that it's been decided that the minor risk is worth it for enough people. It's a judgement call based on the fact that if you reject any treatment where death is possible you reject just about all of medicine.

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 09:21 PM, Ed Greshko wrote:
> On 07/03/2011 11:59 AM, JD wrote:
>> Taking this offline -
>> with noscript, all are blocked by default - no whitelist.
>> I temporarily unblock specific sites that I do business with.
> OK.
>
> But just a request, from me at least. Could you make a note somewhere
> for yourself that you've disabled javascript on your browser and
> thunderbird? Then, if you have problems with either of those in the
> future could you make sure you enable it to test?
>
> There have been many cases on this list where folks have made a
> configuration change of one sort or another and then forgot they did
> it. I've seen people spend quite a bit of time trying to help them
> debug only to find out later the root cause was a forgotten change and
> an unintended consequence.
>
> Thanks
>

Good point. I will keep that memo on the desktop :)

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 09:12 PM, Joe Zeff wrote:
> On 07/02/2011 08:32 PM, JD wrote:
>> It is all based on vested interests who stand to profit from something
>> that is pushed and marketed as safe. Like so many drug companies
>> that pushed and still push drugs with deadly side effects.
> You mean like insulin? It can be deadly, you know, if you take too
> large a dose, but I'd be in big trouble if I stopped taking it or ran
> out. Or penicillin? I don't know about you, but it could easily be
> deadly to me!

Actually, no.
I mean drugs that will kill you even when you take them as Rx'ed!
I am sure you have heard the TV/Radio ads for some drugs??
Many state that death is a possible side effect.

> Tell me, do you have any evidence at all other than a web page that
> hasn't been updated in eight years? Seriously, you need to realize that
> argument by repeated assertion isn't going to get you anywhere on this
> list because there are too many people on this list who not only know
> better, they're ready, willing and able to point out every single little
> inaccuracy in your claims. I'm not going to insult you or make rude
> suggestions about a tinfoil hat, but I must admit that you are beginning
> to sound a tad paranoid.

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/03/2011 11:59 AM, JD wrote:
> Taking this offline -
> with noscript, all are blocked by default - no whitelist.
> I temporarily unblock specific sites that I do business with.

OK.

But just a request, from me at least. Could you make a note somewhere for yourself that you've disabled javascript on your browser and thunderbird? Then, if you have problems with either of those in the future could you make sure you enable it to test?

There have been many cases on this list where folks have made a configuration change of one sort or another and then forgot they did it. I've seen people spend quite a bit of time trying to help them debug only to find out later the root cause was a forgotten change and an unintended consequence.

Thanks

-- 
Even if you do learn to speak correct English, whom are you going to speak it to? -- Clarence Darrow

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 08:32 PM, JD wrote:
> It is all based on vested interests who stand to profit from something
> that is pushed and marketed as safe. Like so many drug companies
> that pushed and still push drugs with deadly side effects.

You mean like insulin? It can be deadly, you know, if you take too large a dose, but I'd be in big trouble if I stopped taking it or ran out. Or penicillin? I don't know about you, but it could easily be deadly to me!

Tell me, do you have any evidence at all other than a web page that hasn't been updated in eight years? Seriously, you need to realize that argument by repeated assertion isn't going to get you anywhere on this list because there are too many people on this list who not only know better, they're ready, willing and able to point out every single little inaccuracy in your claims. I'm not going to insult you or make rude suggestions about a tinfoil hat, but I must admit that you are beginning to sound a tad paranoid.

Re: Fedora Security and the Uverse 3800HGV-B router
On Sunday 03 July 2011 00:39:28 JD wrote:
> On 07/02/2011 10:39 AM, Marko Vojinovic wrote:
> > On Saturday 02 July 2011 15:50:18 JD wrote:
> >> If a javascript can browse all accessible files, what's there
> >> to prevent someone from writing a javascript to spawn
> >> a process to upload your files?
> >
> > Permissions system? While the contents of / directory can be listed by
> > just about any user on the system, it's a completely different story for
> > writing to it. Also, can you browse through home directories of other
> > users from the router? I doubt.
>
> Good question.
> The dirs whose owners set to 0700 perms,
> I cannot browse.
> As I said, the script allows access to files that
> the current user, accessing the web, has access to.
> So, one's own personal files are at risk, and files of
> other users which have permissive perms are at
> risk.
> As far as writing, the script is running with the user
> credentials. Why would it not be able to write to or
> delete the user's own files or other users' files which
> have permissive perms settings?

Umm, no. The javascript itself cannot access your files at all. It can just point your local web browser to show you your local files. It's the browser that is displaying your files, not javascript. Deleting and uploading are out of the question.

To prove this, hook up two machines into your router, and try to look at the filesystem of machine A by accessing the router from the browser on machine B. Does it fail? Sure it does, the browser on machine B cannot see the filesystem of machine A, regardless of any router or javascript in between. Try it and see for yourself.

You are making fuss over a non-issue.

> > Go create a new dummy user on your machine, create somefile.txt in his
> > home directory, log in as yourself and try to view the file using the
> > router. If you succeed, the permissions on your system are compromised.
> > If you don't, then you are fussing over that router more than it's
> > worth. In both cases I doubt that javascript has much to do with it.
>
> As stated above, if the perms are set to... say 0700 on the
> user's home dir, then no I cannot browse it by the browser.
>
> And this is NOT the issue I was raising, so you diverge quite a bit.
>
> It is the fact that as javascript sent by web site can indeed
> open my files and can upload them to a remote site.

But that's not the case. Javascript did nothing of the sort. It is a simple html instruction, like this:

    Click here to see your local files

This can be implemented on any website whatsoever, and of course there is no way any information about your local filesystem can be pulled back to the server providing the link. The link just redirects your browser from that random website to your "filesystem-website", which is actually the virtual website created by your *local* browser to display your *local* files. Javascript is not involved at all here.

The fact that the router's website fails to work when you use noscript on it is a question of the design of the router, but I can bet that it does not access your files in any way.

Open the browser, point it to the router website, choose "view -> page source" from the menu (I'm talking Firefox here) and post the html source of what it gives you. I could bet that you can find a href anchor there just like the one that I wrote above (or something similar/equivalent).

There is nothing more to it, really. And there certainly is no reason to panic over security. If this was a real hole, it would be obvious to people years ago, and certainly fixed by now... There are quite a number of people out there that are way more paranoid than you or me. They would raise the alarm long ago if it were something real. ;-)

HTH, :-)
Marko

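The check Marko suggests in the message above (view the page source and look for a link that points at the local filesystem) can be scripted. This is an added example, not part of the original thread and not the router's code; the sample HTML, `SAMPLE_PAGE` and the function names are constructed for illustration, and it runs under Node.js with no dependencies.

```javascript
// Constructed sample page source; it is NOT the router's real HTML.
const SAMPLE_PAGE = `
<html><body>
  <h1>Home network devices</h1>
  <a href="/details?ip=192.168.1.201">Device Details</a>
  <a href="file:///">Access Files</a>
  <a href='FILE://localhost/home/'>Shared folder</a>
  <a href="http://192.168.1.254/help.html">Help</a>
  <script>
    function openFiles() { document.location = "file:///"; }
    function openHelp()  { window.location.href = "/help.html"; }
  </script>
</body></html>`;

// Minimal entity decoding for attribute values.
function decodeEntities(s) {
  return s.replace(/&amp;/g, '&').replace(/&quot;/g, '"').replace(/&#0*39;/g, "'");
}

// Resolve a raw link the way a browser would, relative to the page URL.
// Returns null for values that cannot be parsed as a URL.
function resolve(raw, pageUrl) {
  try {
    return new URL(decodeEntities(raw.trim()), pageUrl);
  } catch (e) {
    return null;
  }
}

// Collect every anchor href and every string literal assigned to
// document.location / window.location(.href) in inline script.
function extractTargets(html) {
  const targets = [];
  const anchorRe = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const navRe = /\b(?:document|window)\.location(?:\.href)?\s*=\s*(["'])(.*?)\1/g;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    targets.push({ kind: 'anchor', raw: m[1] ?? m[2] ?? m[3] });
  }
  while ((m = navRe.exec(html)) !== null) {
    targets.push({ kind: 'script-navigation', raw: m[2] });
  }
  return targets;
}

// Report only the references whose scheme is file:, i.e. the ones the
// viewing browser resolves against its own disk rather than the network.
function findLocalFileReferences(html, pageUrl) {
  const findings = [];
  for (const t of extractTargets(html)) {
    const url = resolve(t.raw, pageUrl);
    if (url === null || url.protocol !== 'file:') continue;
    findings.push({
      kind: t.kind,
      raw: t.raw,
      normalized: url.href,            // FILE://localhost/home/ becomes file:///home/
      localPath: url.pathname,
      namesRemoteHost: url.host !== '' // empty host: no other machine is named
    });
  }
  return findings;
}

// Scan the constructed sample as if it had been served from the router address.
const findings = findLocalFileReferences(SAMPLE_PAGE, 'http://192.168.1.254/');
for (const f of findings) {
  console.log(`${f.kind}: ${f.raw} -> ${f.normalized} (local path ${f.localPath})`);
}
```

To use it on a real page, replace `SAMPLE_PAGE` with the text saved from "view -> page source". It only inspects static source, so links built at run time by script will not appear in the findings.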
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 08:51 PM, Dave Stevens wrote:
> so.have you blocked it?
>
> d
>

Taking this offline -
with noscript, all are blocked by default - no whitelist.
I temporarily unblock specific sites that I do business with.

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/03/2011 11:32 AM, JD wrote:
> At the very least, javascript should be blocked just because
> it is invasive!

That is the conclusion you've reached for yourself based on your knowledge of the subject matter. So, by all means, disable javascript in your browser.

Also, you'll need to do it in thunderbird as well. Which I notice you are using. I could not find a check-box for that. So, you'll have to go to Preferences-->Advanced-->General and select "Config Editor". Filter on "javascript" and change the boolean value of javascript.enabled to "false".

There are certainly vulnerabilities in any code. Certainly there are implementation bugs. But that isn't limited to javascript. You may want to spend some time at http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

One which may be of particular interest is CVE-2011-2373. The description is

    Use-after-free vulnerability in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14, when JavaScript is disabled, allows remote attackers to execute arbitrary code via a crafted XUL document.

So, be advised that there may be other vulnerabilities when javascript is *disabled*. Maybe it is best to stop using computers altogether. :-) :-)

-- 
Even if you do learn to speak correct English, whom are you going to speak it to? -- Clarence Darrow

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
Quoting JD:

> On 07/02/2011 06:40 PM, Joe Zeff wrote:
>> On 07/02/2011 05:48 PM, JD wrote:
>>> I do understand why you are so shrill in defending
>>> javascript, and resorting to cussing and name calling.
>>> Apparently it is your bread and butter :)
>> JD, if one or two people here were insisting that you're wrong, and that
>> javascript can't do what you say it's doing, I'd be encouraging you to
>> continue as you are. As it is, every single person responding to you is
>> insisting that you're wrong and that javascript can't do what you claim.
>> I have to say that at this point the odds are that you are, alas,
>> wrong. You probably don't agree with me, but the evidence seems to be
>> against you. Not only that, you've been asked, more than once, to back
>> up your opinion with facts and have failed to do so. At this point, it
>> might be best if you accept that you misunderstood what was happening
>> and simply consider this discussion to be a learning experience.
> Well Joe, people in general will always believe in the faith
> that modern priests of the professions preach, whether or
> not the people know or understand the details of that faith
> or not.
>
> As I just responded, that at the very least, pushing on the
> user code to be executed by the user's machine, without
> the user's knowledge that it is being done, and without the
> user's knowledge of what is being done, is the very definition
> of invasion of privacy, if not the definition of security threat.
> As I said, the "troubling history" of javascript security holes
> should be enough to lead security and privacy minded people
> to reject the assertion that it is safe.
> How could anyone judge an intruder into the house as safe
> and friendly just on the insistence of the priests of the javascript
> say it is so?
>
> Were not nuclear power plants pushed on us as perfectly safe?
> Yet, their promoters insist that they are and that any examples
> of disasters of nuclear power plants are only bugs to be worked
> out.
> And how many times did windows have to be so easily attacked
> by the simplest of means, yet MS kept insisting that overall, it
> was a safe operating environment?
>
> It is all based on vested interests who stand to profit from something
> that is pushed and marketed as safe. Like so many drug companies
> that pushed and still push drugs with deadly side effects.
>
> At the very least, javascript should be blocked just because
> it is invasive!

so.have you blocked it?

d

>
> Cheers,
>
> JD

-- 
"It is no measure of health to be well adjusted to a profoundly sick society."
Krishnamurti

Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 06:40 PM, Joe Zeff wrote:
> On 07/02/2011 05:48 PM, JD wrote:
>> I do understand why you are so shrill in defending
>> javascript, and resorting to cussing and name calling.
>> Apparently it is your bread and butter :)
> JD, if one or two people here were insisting that you're wrong, and that
> javascript can't do what you say it's doing, I'd be encouraging you to
> continue as you are. As it is, every single person responding to you is
> insisting that you're wrong and that javascript can't do what you claim.
> I have to say that at this point the odds are that you are, alas,
> wrong. You probably don't agree with me, but the evidence seems to be
> against you. Not only that, you've been asked, more than once, to back
> up your opinion with facts and have failed to do so. At this point, it
> might be best if you accept that you misunderstood what was happening
> and simply consider this discussion to be a learning experience.

Well Joe, people in general will always believe in the faith that modern priests of the professions preach, whether or not the people know or understand the details of that faith or not.

As I just responded, that at the very least, pushing on the user code to be executed by the user's machine, without the user's knowledge that it is being done, and without the user's knowledge of what is being done, is the very definition of invasion of privacy, if not the definition of security threat. As I said, the "troubling history" of javascript security holes should be enough to lead security and privacy minded people to reject the assertion that it is safe. How could anyone judge an intruder into the house as safe and friendly just on the insistence of the priests of the javascript say it is so?

Were not nuclear power plants pushed on us as perfectly safe? Yet, their promoters insist that they are and that any examples of disasters of nuclear power plants are only bugs to be worked out. And how many times did windows have to be so easily attacked by the simplest of means, yet MS kept insisting that overall, it was a safe operating environment?

It is all based on vested interests who stand to profit from something that is pushed and marketed as safe. Like so many drug companies that pushed and still push drugs with deadly side effects.

At the very least, javascript should be blocked just because it is invasive!

Cheers,

JD

Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 08:07 PM, JD wrote:
> Just as the article mentions.
> That "troubling history" of security holes in javascript
> is in and of itself a much stronger conviction of wrongdoing
> than I have provided. Calling it "bugs" is laughable at best.

The page itself says that it was created on 2003/02/23. Can you cite anything more recent?
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 06:35 PM, Reindl Harald wrote:
>
> On 03.07.2011 03:31, JD wrote:
>
>>> so what will you tell us?
>>> that you are a noob and picking some documents you do not understand?
>>> everybody here has realized this long ago!
>>>
>> And you ignore:
>> "...JavaScript has a more troubling history of security holes"
>> http://www.w3.org/Security/Faq/wwwsf2.html
> i ignore nothing
>
> i understand the difference of faulty implementations / bugs and your
> dumb implication "javascript can access my local drive" because you seen
> a file:// url from your routers interface without realize that javascript
> is not involved there and does only the document.location-call
>
> security problems in implementations has NOTHING to do with
> your braindead rant by starting this thread!
>

Just the contrary. Security is my main concern.

Just as the article mentions. That "troubling history" of security holes in javascript is in and of itself a much stronger conviction of wrongdoing than I have provided. Calling it "bugs" is laughable at best.

On just the face of it - browsing to a web site, resulting in code getting pushed to user's machine, executed on user's machine is insecurity itself, no matter how hard the promoters scream and shout that it is safe.
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/03/2011 09:48 AM, Sam Varshavchik wrote:
> JD writes:
>
>> I sent a reply to Ed. Read that one.
>
> I've read what you wrote. Now, why don't you just solve your problem
> turn off Javascript in Firefox, and move on with your life.
>
>

I still wonder how he has convinced himself that somehow he has managed to uncover some great evil by accident when accessing his router. And everybody else in their entire world has either been turning a blind eye or are somehow dismissing it since they make money off of writing javascript and if the truth were known they would be out of jobs.

If javascript is as evil as he seems to be finding...then he needs to do much more than turning it off in Firefox. There are many applications and such which embed javascript. So, you could be running bits and pieces of javascript. I may be mistaken, doing this from hazy memory, I think even Thunderbird uses javascript. Indeed if you check /usr/lib/thunderbird-3.1 you'd find it comes with its own copy of libmozjs.so. Who knows what it could be doing with that? :-) :-)

--
Even if you do learn to speak correct English, whom are you going to speak it to? -- Clarence Darrow
Re: Fedora Security and the Uverse 3800HGV-B router
On 7/2/2011 7:28 PM, Tom H wrote:
> On Sat, Jul 2, 2011 at 10:18 PM, Mark C. Allman wrote:
>> I read a few of the e-mails in this thread and that's all I needed to
>> see. I think it's time for the list moderator to step in and call it a
>> draw.
> A draw?!
>
> If you ignore the harsh language, the OP's saying "the earth is flat"
> no matter how many arguments are put to him/her that it's spherical
> and that he's not thinking straight.

At this point, the offensive language dwarfs the earth being flat ..
Re: Fedora Security and the Uverse 3800HGV-B router
On Sat, Jul 2, 2011 at 10:18 PM, Mark C. Allman wrote:
>
> I read a few of the e-mails in this thread and that's all I needed to
> see. I think it's time for the list moderator to step in and call it a
> draw.

A draw?!

If you ignore the harsh language, the OP's saying "the earth is flat" no matter how many arguments are put to him/her that it's spherical and that he's not thinking straight.
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 06:53 PM, Reindl Harald wrote:
> sorry, but i can not resist answer this way to people
> who are showing over hours that they are dumb noobs and
> believing they have understand the whole world and
> all others out there are failing

Can you at least resist the temptation to do it in public? If you have to get offensive, do it off-list.
Re: Fedora Security and the Uverse 3800HGV-B router
I read a few of the e-mails in this thread and that's all I needed to see. I think it's time for the list moderator to step in and call it a draw.

--
Mark C. Allman, PMP, CSM
Allman Professional Consulting, Inc.
First Vice-President, Ocean State PMI
www.allmanpc.com, 617-947-4263

On Sat, 2011-07-02 at 19:00 -0700, Paul Allen Newell wrote:
> On 7/2/2011 6:44 PM, Chris wrote:
> > Keep the language clean. I hope the moderator is watching
> It is time to ask, not hope, that moderator is watching ... this is one
> of the uglier dialogues I've seen
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/03/2011 09:35 AM, Reindl Harald wrote:
>
> On 03.07.2011 03:31, JD wrote:
>
>>> so what will you tell us?
>>> that you are a noob and picking some documents you do not understand?
>>> everybody here has realized this long ago!
>>>
>> And you ignore:
>> "...JavaScript has a more troubling history of security holes"
>> http://www.w3.org/Security/Faq/wwwsf2.html
> i ignore nothing
>
> i understand the difference of faulty implementations / bugs and your
> dumb implication "javascript can access my local drive" because you seen
> a file:// url from your routers interface without realize that javascript
> is not involved there and does only the document.location-call
>
> security problems in implementations has NOTHING to do with
> your braindead rant by starting this thread!
>

Not to mention that the documents provided are from 2003 and talking about "history". And that history dates to 1997. What is "Netscape"?

--
Even if you do learn to speak correct English, whom are you going to speak it to? -- Clarence Darrow
Re: Fedora Security and the Uverse 3800HGV-B router
On 7/2/2011 6:44 PM, Chris wrote:
> Keep the language clean. I hope the moderator is watching

It is time to ask, not hope, that moderator is watching ... this is one of the uglier dialogues I've seen
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 03:51, JD wrote:
> On 07/02/2011 06:26 PM, Reindl Harald wrote:
>>
>> On 03.07.2011 03:23, JD wrote:
>>
>>> You missed the import of what I was saying...
>>> that a javascript pushed by a website,
>>> forced on my browser to execute on my machine
>>> is in and of itself a violation of privacy and security.
>>> Furthermore, it would be incredibly shortsighted
>>> (stating it mildly) to write off such practice as safe
>>> by any measure.
>>> I sent a reply to Ed. Read that one
>> jesus christ open a fucking image if it is manipulated and
>> your jpeg-library has a security bug is the same problem
>>
>> what has this to do with your fucking homerouter and that your browser
>> did you show file:/// and your breath stucked?
>>
> The more you respond like this
> the more you make yourself a candidate
> for Prozac or the asylum for the terminally
> rabid animals.

sorry, but i can not resist answer this way to people
who are showing over hours that they are dumb noobs and
believing they have understand the whole world and
all others out there are failing
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 06:26 PM, Reindl Harald wrote:
>
> On 03.07.2011 03:23, JD wrote:
>
>> You missed the import of what I was saying...
>> that a javascript pushed by a website,
>> forced on my browser to execute on my machine
>> is in and of itself a violation of privacy and security.
>> Furthermore, it would be incredibly shortsighted
>> (stating it mildly) to write off such practice as safe
>> by any measure.
>> I sent a reply to Ed. Read that one
> jesus christ open a fucking image if it is manipulated and
> your jpeg-library has a security bug is the same problem
>
> what has this to do with your fucking homerouter and that your browser
> did you show file:/// and your breath stucked?
>

The more you respond like this
the more you make yourself a candidate
for Prozac or the asylum for the terminally
rabid animals.
Re: Fedora Security and the Uverse 3800HGV-B router
JD writes:

> You missed the import of what I was saying...
> that a javascript pushed by a website,
> forced on my browser to execute on my machine
> is in and of itself a violation of privacy and security.

Ok, understood. In Firefox, there's a setting to disable Javascript. Switch it off. Problem solved. No web site will be able to execute Javascript on your browser.

That's what Javascript is: a script originating from a remote web site, that your browser executes. If you believe that it's a problem you can switch it off very easily.

> Furthermore, it would be incredibly shortsighted
> (stating it mildly) to write off such practice as safe
> by any measure.

That's a matter of opinion. You're entitled to it. However, if others disagree with you, and they have no issues with running Javascript code from remote web sites, they're just as entitled to their opinion as you are.

And the nice thing about Firefox, and most other browsers, is that everyone is satisfied. Those that do not wish to run Javascript from remote web sites, they can do it very easily. Those that do not see a problem with it, will keep Javascript enabled.

> I sent a reply to Ed. Read that one.

I've read what you wrote. Now, why don't you just solve your problem turn off Javascript in Firefox, and move on with your life.
Re: Fedora Security and the Uverse 3800HGV-B router
i hope too and that he kicks off this stupid troll!

On 03.07.2011 03:44, Chris wrote:
> Keep the language clean. I hope the moderator is watching
> - Original Message -
> From: "Reindl Harald"
> To: users@lists.fedoraproject.org
> Sent: Saturday, July 2, 2011 9:26:56 PM
> Subject: Re: Fedora Security and the Uverse 3800HGV-B router
>
>
>
> On 03.07.2011 03:23, JD wrote:
>
>> You missed the import of what I was saying...
>> that a javascript pushed by a website,
>> forced on my browser to execute on my machine
>> is in and of itself a violation of privacy and security.
>> Furthermore, it would be incredibly shortsighted
>> (stating it mildly) to write off such practice as safe
>> by any measure.
>> I sent a reply to Ed. Read that one
>
> jesus christ open a fucking image if it is manipulated and
> your jpeg-library has a security bug is the same problem
>
> what has this to do with your fucking homerouter and that your browser
> did you show file:/// and your breath stucked?
>
>

--
With best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/
http://www.thelounge.net/signature.asc.what.htm
Re: Fedora Security and the Uverse 3800HGV-B router
Keep the language clean. I hope the moderator is watching

- Original Message -
From: "Reindl Harald"
To: users@lists.fedoraproject.org
Sent: Saturday, July 2, 2011 9:26:56 PM
Subject: Re: Fedora Security and the Uverse 3800HGV-B router

On 03.07.2011 03:23, JD wrote:
> You missed the import of what I was saying...
> that a javascript pushed by a website,
> forced on my browser to execute on my machine
> is in and of itself a violation of privacy and security.
> Furthermore, it would be incredibly shortsighted
> (stating it mildly) to write off such practice as safe
> by any measure.
> I sent a reply to Ed. Read that one

jesus christ open a fucking image if it is manipulated and
your jpeg-library has a security bug is the same problem

what has this to do with your fucking homerouter and that your browser
did you show file:/// and your breath stucked?
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 05:48 PM, JD wrote:
> I do understand why you are so shrill in defending
> javascript, and resorting to cussing and name calling.
> Apparently it is your bread and butter :)

JD, if one or two people here were insisting that you're wrong, and that javascript can't do what you say it's doing, I'd be encouraging you to continue as you are. As it is, every single person responding to you is insisting that you're wrong and that javascript can't do what you claim.

I have to say that at this point the odds are that you are, alas, wrong. You probably don't agree with me, but the evidence seems to be against you. Not only that, you've been asked, more than once, to back up your opinion with facts and have failed to do so. At this point, it might be best if you accept that you misunderstood what was happening and simply consider this discussion to be a learning experience.
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 03:31, JD wrote:
>> so what will you tell us?
>> that you are a noob and picking some documents you do not understand?
>> everybody here has realized this long ago!
>>
> And you ignore:
> "...JavaScript has a more troubling history of security holes"
> http://www.w3.org/Security/Faq/wwwsf2.html

i ignore nothing

i understand the difference of faulty implementations / bugs and your
dumb implication "javascript can access my local drive" because you seen
a file:// url from your routers interface without realize that javascript
is not involved there and does only the document.location-call

security problems in implementations has NOTHING to do with
your braindead rant by starting this thread!
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 06:25 PM, Reindl Harald wrote:
>
> On 03.07.2011 03:18, JD wrote:
>
>> Quote:
>> /" ...Javascript/ is a client language, but you /can/ combine it whit a
>> server language to /delete files/. in PHP you /can/ use unlink()
>> function to /delete file/. *...*"
>> http://digitarald.de/forums/topic.php?id=110
> and this is the best example why you should be quiet!
>
> in PHP you can delete files FROM THE SERVER
>
> but javascript does run in the client and so it can do this only
> if somebody puts a script on the server which allows delete files
> and does not sanitize parameters - but for what would i need
> javascript in this case? to navigate to the url? to delete files
> from the server has NOTHING to do with javascript
>
> so what will you tell us?
> that you are a noob and picking some documents you do not understand?
> everybody here has realized this long ago!
>

And you ignore:
"...JavaScript has a more troubling history of security holes"
http://www.w3.org/Security/Faq/wwwsf2.html
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 03:23, JD wrote:
> You missed the import of what I was saying...
> that a javascript pushed by a website,
> forced on my browser to execute on my machine
> is in and of itself a violation of privacy and security.
> Furthermore, it would be incredibly shortsighted
> (stating it mildly) to write off such practice as safe
> by any measure.
> I sent a reply to Ed. Read that one

jesus christ open a fucking image if it is manipulated and
your jpeg-library has a security bug is the same problem

what has this to do with your fucking homerouter and that your browser
did you show file:/// and your breath stucked?
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 03:18, JD wrote:
> Quote:
> /" ...Javascript/ is a client language, but you /can/ combine it whit a
> server language to /delete files/. in PHP you /can/ use unlink()
> function to /delete file/. *...*"
> http://digitarald.de/forums/topic.php?id=110

and this is the best example why you should be quiet!

in PHP you can delete files FROM THE SERVER

but javascript does run in the client and so it can do this only
if somebody puts a script on the server which allows delete files
and does not sanitize parameters - but for what would i need
javascript in this case? to navigate to the url? to delete files
from the server has NOTHING to do with javascript

so what will you tell us?
that you are a noob and picking some documents you do not understand?
everybody here has realized this long ago!
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 05:42 PM, Sam Varshavchik wrote:
> JD writes:
>
>> On 07/02/2011 02:42 PM, Sam Sharpe wrote:
>> > On 2 July 2011 22:20, JD wrote:
>> >> On my machine, when I disable javascript, it is unable to display my files.
>> >> I understand that the browser is supposed to be able to display your files
>> >> with the file:/// URL.
>> >> I just was not expecting my router to issue a javascript
>> >> to access my files. And my concern is that any web site can issue a
>> >> javascript to access personal files; and most people are unaware of this,
>> >> because they are not techies, and do not understand what javascripts
>> >> are capable of doing.
>> > I don't think you understand. Your browser can access your local
>> > files. It is doing so via a file:/// URL. This is not a problem with
>> > javascript, this is a feature of your browser. To check this, please
>> > type in "file:///" into your browsers address bar manually and you
>> > will see that there is no difference in the behaviour. I repeat, this
>> > is not a javascript problem and you are getting hysterical over
>> > nothing.
>> >
>> > It is not a security risk because it is showing you the files you have
>> > access to on your machine. Javascript has absolutely nothing to do
>> > with it apart from sending *you* to the URL.
>> >
>> When I disabled javascript, the link in the
>> router's page could no longer open
>> file:///
>
> What you're missing is that a remote server's ability to instruct your
> web browser to open the contents of file:/// URL is limited to
> precisely that: your web browser opening and displaying the contents
> of file:///. The remote server's javascript has no means of accessing
> the contents of file:///. Once your web browser opens file:///, the
> previous page from the remote server is closed, together with all the
> javascript that was in it.
>
> If file:/// gets opened in a separate window or a tab, as can be done,
> the javascript running from another window or tab still has no means
> of accessing the contents of another scope, as well. Javascript can
> only access resources that originate from the same scope.
>
> This is a well-understood security model. There have been isolated
> instances in the past, where flaws were discovered in some individual
> browser's security model that allowed some mechanism for running
> Javascript to access content from another scope; occasionally a common
> flaw was found that was shared by several browsers.
>
> Barring your wonderrouter leveraging some hereto unknown security
> exploit, all that your wonderrouter is doing is the equivalent of the
> HTML that reads
>
> Y0U h4ve b33n p0wned
>
> …yawn…
>

You missed the import of what I was saying...
that a javascript pushed by a website,
forced on my browser to execute on my machine
is in and of itself a violation of privacy and security.
Furthermore, it would be incredibly shortsighted
(stating it mildly) to write off such practice as safe
by any measure.
I sent a reply to Ed. Read that one.
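The model Sam Varshavchik describes in the message quoted above (a page can send the browser to file:///, but its script is gone once the browser gets there, and a script in another tab cannot read a different scope) can be sketched as follows. This is an added example, not part of the thread: the `Tab` class, `routerScenario` and the listing string are constructed for illustration, and `file:` URLs are assumed to have opaque origins that never match anything.

```javascript
// Default ports, so http://host and http://host:80 compare as one origin.
const DEFAULT_PORTS = new Map([['http:', '80'], ['https:', '443']]);

// Origin tuple (scheme, host, port) of a URL, or null for an opaque origin.
// Assumption of this model: file: (and anything else that is not http/https)
// is opaque, which is the conservative choice.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!DEFAULT_PORTS.has(u.protocol)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS.get(u.protocol),
  };
}

// Two URLs share a scope only if all three tuple members match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false; // opaque never matches
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Minimal stand-in for a browser tab: one document and, optionally, its script.
class Tab {
  constructor() {
    this.url = 'about:blank';
    this.content = '';
    this.script = null;
  }

  // Loading a document replaces the previous one, including its script.
  load(url, content, script = null) {
    this.url = url;
    this.content = content;
    this.script = script;
  }

  // What this tab's script gets when it tries to read another tab's document.
  readDocumentOf(other) {
    if (this.script === null) throw new Error('no script running in this tab');
    if (!sameOrigin(this.url, other.url)) {
      throw new Error(`SecurityError: ${this.url} may not read ${other.url}`);
    }
    return other.content;
  }
}

function routerScenario() {
  const ROUTER = 'http://192.168.1.254/';
  const LISTING = 'Index of file:/// (constructed listing)';

  // Case 1: the router page sets document.location to file:///.
  // The browser renders the listing; the router page and its script are replaced.
  const nav = new Tab();
  nav.load(ROUTER, '<router status page>', 'router.js');
  nav.load('file:///', LISTING);
  const scriptSurvivesNavigation = nav.script !== null;

  // Case 2: file:/// is open in a second tab while the router script still runs.
  const routerTab = new Tab();
  routerTab.load(ROUTER, '<router status page>', 'router.js');
  const fileTab = new Tab();
  fileTab.load('file:///', LISTING);
  let crossTabRead;
  try {
    routerTab.readDocumentOf(fileTab);
    crossTabRead = 'allowed';
  } catch (e) {
    crossTabRead = 'blocked';
  }

  // Case 3: another page served by the router itself is the same scope.
  const settingsTab = new Tab();
  settingsTab.load('http://192.168.1.254:80/settings', '<settings page>');
  let sameOriginRead;
  try {
    routerTab.readDocumentOf(settingsTab);
    sameOriginRead = 'allowed';
  } catch (e) {
    sameOriginRead = 'blocked';
  }

  return { scriptSurvivesNavigation, crossTabRead, sameOriginRead };
}
```
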
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 05:34 PM, Ed Greshko wrote:
> On 07/03/2011 07:45 AM, JD wrote:
>> Why do you resort to name calling?
>> It is not hysterics.
>> A javascript sent by web site can, if written
>> to do so, open your files and upload them to
>> some remote site; and you call this hysterics?
>> Something is wrong with your thinking to resort
>> to name calling.
>> I think user's awareness, that javascripts are indeed
>> invasive and a great threat to privacy, needs to be
>> raised. Most users are unaware of this threat.
>>
> Let's put it a different way then.
>
> Turn off javascript in your Browser for a day and see how your Internet
> experience is affected. Then consider for a moment your statement that
> "javascripts are indeed invasive and a great threat to privacy, needs to
> be raised. Most users are unaware of this threat" in relationship to how
> long javascript has been in use and how widely it is used as well as
> your current level of familiarity with javascript.
>
> If javascript is as great a threat as you seem to think, then wouldn't
> you think there would be a concerted effort to fix the problem? Don't
> you think that by now people with much more experience would be raising
> the alarms?
>
> FWIW, I've found that one of the biggest mistakes I've made in the past
> is to come to conclusions based on observations when I was ignorant of
> the underlying theory/principles/subject.
>
> If you are interested in learning more, maybe you should start by
> picking up a copy of http://oreilly.com/catalog/9780596000486

Thanx Ed. I may not be a javascript expert.
But here is a tiny tip of the problem:

An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications
http://cseweb.ucsd.edu/~lerner/papers/ccs10-jsc.pdf

JavaScript Scope and IntenseDebate's Privacy Problems
http://www.mavitunasecurity.com/blog/javascript-scope-and-intensedebates-privacy-problems/

"...JavaScript has a more troubling history of security holes"
http://www.w3.org/Security/Faq/wwwsf2.html

Quote:
/" ...Javascript/ is a client language, but you /can/ combine it whit a
server language to /delete files/. in PHP you /can/ use unlink()
function to /delete file/. *...*"
http://digitarald.de/forums/topic.php?id=110
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 02:48, JD wrote:
> I do understand why you are so shrill in defending
> javascript, and resorting to cussing and name calling.
> Apparently it is your bread and butter :)

no because the world where i develop is living on the serverside

there is nothing to defend against learning resistant idiots which
are not understand that javascript is downloaded by the browser and
have no direct connection to the server, running in context of a website
no access to file://, no capabilities to read/modify/delete local files
and no capability to upload local files without users interaction

you have seen a folder-listing in your browser, did not know that file://
exists (even if you use it the whole day), became panic because you have
seen something you do not understand and you are not man enough / too
stupid to say "i was wrong"

so please leave us fuck in peace and buy yourself an aluminium hat
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 05:24 PM, Reindl Harald wrote:
>
> On 03.07.2011 02:17, JD wrote:
>> When I knowingly and deliberately browse my files,
>> cannot be deemed to be the same as a javascript
>> that some web site sends to my computer to be executed
>> by the browser to snoop on my files.
> why do you not stop talking about things you do not understand
> show me the javascript to access any local file or shut up
>> Javascripts sent by web sites are a threat to privacy
>> and even security
> if the browser has bugs yes
> but not by design
>
>> Have you used spawn used in javascript?
>> In fact you can spawn multiple threads from a javascript.
> you can not start executables outside javascript
> and javascript has by design no capabilities to send
> local files to web without user interaction
>
>> And just who/what would prevent a javascript
>> from examining your cookies? Your browser? :)
> yes the browser or who is executing javascript?
> you can not access cookies of foreign domains
> so what the fuck is your problem?
>
>> You seem to be a professional ostrich
> i am professional web developer and you are a noob ranting about
> things you basically not understand
>
>> Bury your head in the sand if you wish
>> and say you see no threat in javascripts
>> pushed by websites.
> if the browser has no bugs there is no one
> and that the browser can have bugs is no argument because with
> this arguments you must not start any software
>
>> If your myopia were reality, why would
>> people start to take a much harder look at
>> javascripts, and try find ways to foil them?
> it is a difference that people always try find bugs and use them against
> users and you foolish rant like "stop integrate javascript in webbrowsers"
>

I do understand why you are so shrill in defending
javascript, and resorting to cussing and name calling.
Apparently it is your bread and butter :)
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 02:42, Sam Varshavchik wrote:
> What you're missing is that a remote server's ability to instruct your web
> browser to open the contents of file:/// URL is limited to precisely that:
> your web browser opening and displaying the contents of file:///. The remote
> server's javascript has no means of accessing the contents of file:///. Once
> your web browser opens file:///, the previous page from the remote server is
> closed, together with all the javascript that was in it.
>
> If file:/// gets opened in a separate window or a tab, as can be done, the
> javascript running from another window or tab still has no means of accessing
> the contents of another scope, as well. Javascript can only access resources
> that originate from the same scope.
>
> This is a well-understood security model. There have been isolated instances
> in the past, where flaws were discovered in some individual browser's security
> model that allowed some mechanism for running Javascript to access content from
> another scope; occasionally a common flaw was found that was shared by several
> browsers.
>
> Barring your wonderrouter leveraging some hereto unknown security exploit,
> all that your wonderrouter is doing is the equivalent of the HTML that reads
>
> Y0U h4ve b33n p0wned

my conclusion is that JD is one of two types of people:

* troll starting useless flamewar
* learning resistant idiot without any technical understanding

in the worst case both of it
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 02:36, JD wrote:
> On 07/02/2011 04:46 PM, Reindl Harald wrote:
>> On 03.07.2011 01:39, JD wrote:
>>> As far as writing, the script is running with the user
>>> credentials. Why would it not be able to write to or
>>> delete the user's own files or other users' files which
>>> have permissive perms settings?
>> BECAUSE JAVASCRIPT CAN NOT DO THIS
>>
> Gee - what a great cause for comfort

foolish troll

> it can open and read the files

can it?
show me the function to load a local file directly in javascript

> but cannot delete them

show me the function or shut up

> I think where there is a will, there is a javascript way
> to delete even - but that is the least of the problem.
> It is the fact that javascripts can and do access your
> files.

it does not
foolish idiot you are

what you see with the file://-protocol is not really javascript
javascript embedded in a web site can not access file://

>>> It is the fact that as javascript sent by web site can indeed
>>> open my files and can upload them to a remote site
>> IT CAN NOT BECAUSE YOU CAN NOT AUTOMATED SELECT AND SUBMIT UPLOAD-FILES VIA
>> JAVASCRIPT
> Where there is a will, there is a javascript way to do so.
>
> I would never put such blind trust as you have done,
> in javascript, which more and more people (not very
> many yet) are banning altogether.

child i do not blindly trust in anything but what you do here is flaming without any technical knowledge and try to suggest javascript has builtin access to your filesystem which is simply not true - and that all because you have seen the first time in your poor life a file://-url and not understand anything behind?
Re: Fedora Security and the Uverse 3800HGV-B router
JD writes:

On 07/02/2011 02:42 PM, Sam Sharpe wrote:
> On 2 July 2011 22:20, JD wrote:
>> On my machine, when I disable javascript, it is unable to display my files.
>> I understand that the browser is supposed to be able to display your files
>> with the file:/// URL.
>> I just was not expecting my router to issue a javascript
>> to access my files. And my concern is that any web site can issue a
>> javascript to access personal files; and most people are unaware of this,
>> because they are not techies, and do not understand what javascripts
>> are capable of doing.
> I don't think you understand. Your browser can access your local
> files. It is doing so via a file:/// URL. This is not a problem with
> javascript, this is a feature of your browser. To check this, please
> type in "file:///" into your browsers address bar manually and you
> will see that there is no difference in the behaviour. I repeat, this
> is not a javascript problem and you are getting hysterical over
> nothing.
>
> It is not a security risk because it is showing you the files you have
> access to on your machine. Javascript has absolutely nothing to do
> with it apart from sending *you* to the URL.
>

When I disabled javascript, the link in the router's page could no longer open file:///

What you're missing is that a remote server's ability to instruct your web browser to open the contents of file:/// URL is limited to precisely that: your web browser opening and displaying the contents of file:///. The remote server's javascript has no means of accessing the contents of file:///. Once your web browser opens file:///, the previous page from the remote server is closed, together with all the javascript that was in it.

If file:/// gets opened in a separate window or a tab, as can be done, the javascript running from another window or tab still has no means of accessing the contents of another scope, as well. Javascript can only access resources that originate from the same scope.

This is a well-understood security model. There have been isolated instances in the past, where flaws were discovered in some individual browser's security model that allowed some mechanism for running Javascript to access content from another scope; occasionally a common flaw was found that was shared by several browsers.

Barring your wonderrouter leveraging some hereto unknown security exploit, all that your wonderrouter is doing is the equivalent of the HTML that reads

Y0U h4ve b33n p0wned

…yawn…
Re: Fedora Security and the Uverse 3800HGV-B router
On Sat, Jul 2, 2011 at 7:45 PM, JD wrote:
>
> A javascript sent by web site can, if written
> to do so, open your files and upload them to
> some remote site; and you call this hysterics?
> Something is wrong with your thinking to resort
> to name calling.
> I think user's awareness, that javascripts are indeed
> invasive and a great threat to privacy, needs to be
> raised. Most users are unaware of this threat.

Have you googled to see whether it's possible to use javascript as you claim it's being used?!

As has been suggested previously, the link on your router's linking to display your local files through "file:///..." and there's nothing nefarious or magical about that. Nothing's being uploaded, downloaded, modified, deleted, etc; you're just browsing your local filesystem through Firefox/Chromium/Epiphany/Konqueror/...
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 04:48 PM, Reindl Harald wrote:
>
> On 03.07.2011 01:45, JD wrote:
>
>> A javascript sent by web site can, if written
>> to do so, open your files and upload them to
>> some remote site; and you call this hysterics?
> yes because you have no plan about what you are speaking
> and what javascript is allowed and not
>
> learn basics and do not speak about things you
> do not understand in a way somebody could
> believe you have any plan
>

Plan? Why do I need a plan?

When I see someone defend something that more and more people are deciding to ban, it raises red flags - like what is YOUR vested interest in defending the idea that javascripts executed by your browser on behalf of some web site is a safe practice?
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 04:46 PM, Reindl Harald wrote:
> On 03.07.2011 01:39, JD wrote:
>> As far as writing, the script is running with the user
>> credentials. Why would it not be able to write to or
>> delete the user's own files or other users' files which
>> have permissive perms settings?
> BECAUSE JAVASCRIPT CAN NOT DO THIS
>

Gee - what a great cause for comfort - it can open and read the files, but cannot delete them. I think where there is a will, there is a javascript way to delete even - but that is the least of the problem. It is the fact that javascripts can and do access your files.

>> It is the fact that as javascript sent by web site can indeed
>> open my files and can upload them to a remote site
> IT CAN NOT BECAUSE YOU CAN NOT AUTOMATED SELECT AND SUBMIT UPLOAD-FILES VIA
> JAVASCRIPT

Where there is a will, there is a javascript way to do so.

I would never put such blind trust as you have done, in javascript, which more and more people (not very many yet) are banning altogether.
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/03/2011 07:45 AM, JD wrote:
> Why do you resort to name calling?
> It is not hysterics.
> A javascript sent by web site can, if written
> to do so, open your files and upload them to
> some remote site; and you call this hysterics?
> Something is wrong with your thinking to resort
> to name calling.
> I think user's awareness, that javascripts are indeed
> invasive and a great threat to privacy, needs to be
> raised. Most users are unaware of this threat.
>

Let's put it a different way then.

Turn off javascript in your Browser for a day and see how your Internet experience is affected.

Then consider for a moment your statement that "javascripts are indeed invasive and a great threat to privacy, needs to be raised. Most users are unaware of this threat" in relationship to how long javascript has been in use and how widely it is used as well as your current level of familiarity with javascript.

If javascript is as great a threat as you seem to think, then wouldn't you think there would be a concerted effort to fix the problem? Don't you think that by now people with much more experience would be raising the alarms?

FWIW, I've found that one of the biggest mistakes I've made in the past is to come to conclusions based on observations when I was ignorant of the underlying theory/principles/subject.

If you are interested in learning more, maybe you should start by picking up a copy of http://oreilly.com/catalog/9780596000486

--
Even if you do learn to speak correct English, whom are you going to speak it to?
-- Clarence Darrow
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 02:23, JD wrote:
> When I disabled javascript, the link in the
> router's page could no longer open
> file:///

oh what a wonder

> I am not saying that THAT script in itself is a terrible
> threat. There are far more sophisticated javascripts
> than just displaying your files in the browser

yesus christ where is the problem that your browser can access your files?

as long there are no capabilities that javascript from a website can access local files, upload them without user-restrictions or access cookies of foreign domains where is your fucking problem?
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 02:17, JD wrote:
> When I knowingly and deliberately browse my files,
> cannot be deemed to be the same as a javascript
> that some web site sends to my computer to be executed
> by the browser to snoop on my files.

why do you not stop talking about things you do not understand
show me the javascript to access any local file or shut up

> Javascripts sent by web sites are a threat to privacy
> and even security

if the browser has bugs yes
but not by design

> Have you used spawn used in javascript?
> In fact you can spawn multiple threads from a javascript.

you can not start executables outside javascript and javascript has by design no capabilities to send local files to web without user interaction

> And just who/what would prevent a javascript
> from examining your cookies? Your browser? :)

yes the browser or who is executing javascript?
you can not access cookies of foreign domains so what the fuck is your problem?

> You seem to be a professional ostrich

i am professional web developer and you are a noob ranting about things you basically not understand

> Bury your head in the sand if you wish
> and say you see no threat in javascripts
> pushed by websites.

if the browser has no bugs there is no one and that the browser can have bugs is no argument because with this arguments you must not start any software

> If your myopia were reality, why would
> people start to take a much harder look at
> javascripts, and try find ways to foil them?

it is a difference that people always try find bugs and use them against users and you foolish rant like "stop integrate javascript in webbrowsers"
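The scope rule Sam Varshavchik describes and the cookie restriction in the message above can be modelled in a few lines. This is an added example, not code from the thread or from any browser; it assumes the current browser rule that file: URLs have an opaque origin, and the cookie jar and the example.com / example.net names are constructed sample data.

```javascript
// Added example: a simplified model of the browser rules discussed in this
// thread. It is not browser source code; names and sample data are constructed.

// Schemes that have a (scheme, host, port) origin, with their default ports.
const TUPLE_SCHEMES = new Map([['http:', '80'], ['https:', '443']]);

// Origin of a URL as a tuple, or null for an opaque origin.
// Assumption: file: (like data:) is treated as opaque, as current browsers do.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!TUPLE_SCHEMES.has(u.protocol)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname,
    // URL drops a default port, so fill it back in before comparing.
    port: u.port || TUPLE_SCHEMES.get(u.protocol),
  };
}

// A script may read another document only when both origins are tuples and
// all three parts match. An opaque origin matches nothing, not even itself.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// RFC 6265 domain-match: the exact host, or a subdomain of the cookie's domain.
// Suffix matching is never applied to IP-address hosts.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');
  return !isIp && h.endsWith('.' + d);
}

// Names of the cookies that document.cookie would expose to a script on pageUrl.
function cookiesVisibleTo(pageUrl, jar) {
  const u = new URL(pageUrl);
  return jar
    .filter((c) => domainMatch(u.hostname, c.domain))
    .filter((c) => !c.httpOnly)
    .filter((c) => !c.secure || u.protocol === 'https:')
    .map((c) => c.name);
}

// Constructed sample data: the router address is the one named in the thread,
// everything else is made up for the example.
const ROUTER_PAGE = 'http://192.168.1.254/';
const SAMPLE_JAR = [
  { name: 'router_session', domain: '192.168.1.254', httpOnly: false, secure: false },
  { name: 'prefs', domain: 'example.com', httpOnly: false, secure: false },
  { name: 'sid', domain: 'example.com', httpOnly: true, secure: true },
  { name: 'bank_token', domain: 'bank.example.net', httpOnly: false, secure: true },
];

// What a script served by the router page can read in this model.
function report() {
  const targets = [
    'file:///',
    'http://192.168.1.254:80/status',
    'https://192.168.1.254/',
    'http://www.example.com/',
  ];
  return {
    readable: targets.filter((t) => sameOrigin(ROUTER_PAGE, t)),
    cookies: cookiesVisibleTo(ROUTER_PAGE, SAMPLE_JAR),
  };
}

console.log(report());
```

The router page can send the browser to file:///, but in this model its script can read only documents and cookies from its own origin.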
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 02:42 PM, Sam Sharpe wrote:
> On 2 July 2011 22:20, JD wrote:
>> On my machine, when I disable javascript, it is unable to display my files.
>> I understand that the browser is supposed to be able to display your files
>> with the file:/// URL.
>> I just was not expecting my router to issue a javascript
>> to access my files. And my concern is that any web site can issue a
>> javascript to access personal files; and most people are unaware of this,
>> because they are not techies, and do not understand what javascripts
>> are capable of doing.
> I don't think you understand. Your browser can access your local
> files. It is doing so via a file:/// URL. This is not a problem with
> javascript, this is a feature of your browser. To check this, please
> type in "file:///" into your browsers address bar manually and you
> will see that there is no difference in the behaviour. I repeat, this
> is not a javascript problem and you are getting hysterical over
> nothing.
>
> It is not a security risk because it is showing you the files you have
> access to on your machine. Javascript has absolutely nothing to do
> with it apart from sending *you* to the URL.
>

When I disabled javascript, the link in the router's page could no longer open file:///

I am not saying that THAT script in itself is a terrible threat. There are far more sophisticated javascripts than just displaying your files in the browser.
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 01:18 PM, Reindl Harald wrote:
>
> On 02.07.2011 16:50, JD wrote:
>> On 07/02/2011 01:32 AM, Reindl Harald wrote:
>>> On 02.07.2011 06:14, JD wrote:
>>>
>>>> When will the linux community wake up and shout out loud:
>>>> Kill JavaScript from all browsers and all network servers
>>>> and network clients
>>> never because the community is not dumb
>>> why do we not forbid knives since people are killed with them?
>> Not the same issue
> sure, because knives can hurt people
>
> LOCAL file browsing can not or will you forbid any fileupload per webform
> because you also not understand why it is not a security problem that
> you can browse local files here?

Big difference. When I knowingly and deliberately browse my files, cannot be deemed to be the same as a javascript that some web site sends to my computer to be executed by the browser to snoop on my files.

>> Most people are not even aware that their personal
>> files are being uploaded
> there will be nothing uploaded and you should stop to cry
> things like "When will the linux community wake up" until
> you have ANY BASICAL knowledge about what you are speaking

That is your opinion. Javascripts sent by web sites are a threat to privacy and even security.

>> If a javascript can browse all accessible files, what's there
>> to prevent someone from writing a javascript to spawn
>> a process to upload your files?
> damned you can not spawn a process with javascript and
> you CAN NOT silently upload files with JS, so please
> get some basics or shut up instead making some noobs crazy
> which maybe believe your stuff
>

Have you used spawn used in javascript? In fact you can spawn multiple threads from a javascript.

>> A simpler example, how do you think a javascript can
>> tell that you have been to some particular site?
>> It uploads your cookies.
> it can not access cookies from foreign domains damned
> learn basics or shut up!

And just who/what would prevent a javascript from examining your cookies? Your browser? :)

>> I would have hoped that the FOSS communities would have
>> raised a big public fuss (pun unintentional) over websites
>> sending javascripts at peoples' computers and compromising
>> their files
> the problem is that the FOSS community has basic knowledges
> and you have not - so you make other people which have
> also now technical knowledge crazy with your braindead rant

You seem to be a professional ostrich. Bury your head in the sand if you wish and say you see no threat in javascripts pushed by websites. If your myopia were reality, why would people start to take a much harder look at javascripts, and try find ways to foil them?
Re: Fedora Security and the Uverse 3800HGV-B router
dear JD - please stop this idiotic thread

javascript has no capability to write or delete local files
javascript has no capability to upload files without user-interaction
javascript has no capability to read local files directly

so what is your problem?
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 01:45, JD wrote:
> A javascript sent by web site can, if written
> to do so, open your files and upload them to
> some remote site; and you call this hysterics?

yes because you have no plan about what you are speaking and what javascript is allowed and not

learn basics and do not speak about things you do not understand in a way somebody could believe you have any plan
Re: Fedora Security and the Uverse 3800HGV-B router
On 03.07.2011 01:39, JD wrote:
> As far as writing, the script is running with the user
> credentials. Why would it not be able to write to or
> delete the user's own files or other users' files which
> have permissive perms settings?

BECAUSE JAVASCRIPT CAN NOT DO THIS

> It is the fact that as javascript sent by web site can indeed
> open my files and can upload them to a remote site

IT CAN NOT BECAUSE YOU CAN NOT AUTOMATED SELECT AND SUBMIT UPLOAD-FILES VIA JAVASCRIPT
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 01:07 PM, Craig White wrote:
> On Fri, 2011-07-01 at 21:14 -0700, JD wrote:
>
>> You are right.
>> It turns out it does it via the intruder which the whole
>> world was deceived by Sun that it only plays in a sandbox
>> and has no access to anything outside that sandbox: Javascript.
> 
> what does javascript have to do with Sun? It is not java. It doesn't
> share anything at all with java except the name which was an unfortunate
> choice.
>
>> So I used noscript to disable scripts from 192.168.1.254
>> and access to my drive went away.
>>
>> When will the linux community wake up and shout out loud:
>> Kill JavaScript from all browsers and all network servers
>> and network clients.
> 
> turn off javascript and the Internet is almost unusable. I think you
> were close when you realized that your 'router' is likely an attack
> vector because many of the retail/home intended routers are known to
> have been compromised.
>
>> It is THE trojan horse hiding in plain sight and can access
>> EVERYTHING on your system that YOU have access to and
>> send it back to whatever destination the javascript was
>> written to send it to.
>>
>> Common people! JAVASCRIPT being executed by your
>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
> 
> http://en.wikipedia.org/wiki/Javascript
>
>   Sandbox implementation errors
>
>   Web browsers are capable of running JavaScript outside
>   of the sandbox, with the privileges necessary to, for
>   example, create or delete files. Of course, such privileges
>   aren't meant to be granted to code from the web.
>
> What you have demonstrated is one of the many reasons not to run GUI as
> root but you only saw the files/folders that you could see with a tool
> like nautilus or dolphin with exactly the same privileges so I guess I
> can't understand your hysterics.
>
> If noscript gives you peace of mind, then use it.
>
> Craig
>
>

Why do you resort to name calling? It is not hysterics. A javascript sent by web site can, if written to do so, open your files and upload them to some remote site; and you call this hysterics? Something is wrong with your thinking to resort to name calling. I think user's awareness, that javascripts are indeed invasive and a great threat to privacy, needs to be raised. Most users are unaware of this threat.
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 10:39 AM, Marko Vojinovic wrote:
> On Saturday 02 July 2011 15:50:18 JD wrote:
>> On 07/02/2011 01:32 AM, Reindl Harald wrote:
>>> On 02.07.2011 06:14, JD wrote:
>>>> It is THE trojan horse hiding in plain sight and can access
>>>> EVERYTHING on your system that YOU have access to and
>>>> send it back to whatever destination the javascript was
>>>> written to send it to.
>>> if you would have a little background you would know that
>>> as example you can not select and upload files as example
>> If a javascript can browse all accessible files, what's there
>> to prevent someone from writing a javascript to spawn
>> a process to upload your files?
> Permissions system? While the contents of / directory can be listed by just
> about any user on the system, it's a completely different story for writing to
> it. Also, can you browse through home directories of other users from the
> router? I doubt.
>

Good question. The dirs whose owners set to 0700 perms, I cannot browse. As I said, the script allows access to files that the current user, accessing the web, has access to. So, one's own personal files are at risk, and files of other users which have permissive perms are at risk.

As far as writing, the script is running with the user credentials. Why would it not be able to write to or delete the user's own files or other users' files which have permissive perms settings?

>> A simpler example, how do you think a javascript can
>> tell that you have been to some particular site?
>> It uploads your cookies.
>>
>>>> Common people! JAVASCRIPT being executed by your
>>>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
>>> so stop whining and install "noscript" and click not on every link
>>> wanting remove javascript from the browsers is polemic and childish
>> Yes, I do have noscript.
>> And in addition, Firefox gives us the option
>> to disable javascript under the tab
>> Edit->Preferences->Content
>> However, hundreds of millions of people are
>> oblivious to this threat.
> While I don't particularly like javascript myself, I disagree that it is a
> serious security threat. At least on Linux (Windows is a completely different
> story).

Actually, I found windows unprivileged users are unable to browse other user's directories in C:\documents and settings\UserX for example. I am not sure how a windows user can set the perms of his files dirs to make them visible to others without deliberately setting those files and dirs to be SHARED. On linux, a user exposes his files and dirs by the perms settings.

>> If it is not made a public issue, people will not
>> become aware of it and continue to be invaded
>> and their personal files be compromised.
>> And I was not expecting the router to send
>> such javascript at me, so I had allowed scripts for it.
>> What a surprise that was!
> When you see a person disappear from a magician's box and reappears on the
> other side of the stage, are you equally surprised that the magician has
> supernatural powers that nobody bothers to investigate?
>
> Or is it just a simple con?
>
> Go create a new dummy user on your machine, create somefile.txt in his home
> directory, log in as yourself and try to view the file using the router. If you
> succeed, the permissions on your system are compromised. If you don't, then
> you are fussing over that router more than it's worth. In both cases I doubt
> that javascript has much to do with it.

As stated above, if the perms are set to... say 0700 on the user's home dir, then no I cannot browse it by the browser. And this is NOT the issue I was raising, so you diverge quite a bit. It is the fact that as javascript sent by web site can indeed open my files and can upload them to a remote site.
Re: Fedora Security and the Uverse 3800HGV-B router
On 2 July 2011 22:20, JD wrote:
> On my machine, when I disable javascript, it is unable to display my files.
> I understand that the browser is supposed to be able to display your files
> with the file:/// URL.
> I just was not expecting my router to issue a javascript
> to access my files. And my concern is that any web site can issue a
> javascript to access personal files; and most people are unaware of this,
> because they are not techies, and do not understand what javascripts
> are capable of doing.

I don't think you understand. Your browser can access your local files. It is doing so via a file:/// URL. This is not a problem with javascript, this is a feature of your browser. To check this, please type in "file:///" into your browsers address bar manually and you will see that there is no difference in the behaviour. I repeat, this is not a javascript problem and you are getting hysterical over nothing.

It is not a security risk because it is showing you the files you have access to on your machine. Javascript has absolutely nothing to do with it apart from sending *you* to the URL.

--
Sam
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 11:27 PM, Reindl Harald wrote:
>
> On 02.07.2011 23:16, Christopher Svanefalk wrote:
>
>> Reindl - just a friendly tip: going civil goes a long way.
>>
>> Cheers,
>>
>> Chris
> sorry, but reading so much bulls**it from OP hurts me
>

Yea man I'm not trying to be a wiseguy, I'm just saying. I simply think you should maybe try to follow Marko's example and try to be a bit gentle when telling the OP he is wrong (because you obviously know what you are talking about). I guess both you and me have been noobs at some point at some place, and at least to me I always responded much more positively to (and learnt more from!) someone telling me in a gentle tone where I was wrong, rather than someone bashing my face in (not saying you are) with it. Anger breeds anger, and eventually what could have been an instructive thread turns into a flamewar :p

Cheers,

Chris
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 02.07.2011 23:16, Christopher Svanefalk wrote:
> Reindl - just a friendly tip: going civil goes a long way.
>
> Cheers,
>
> Chris

sorry, but reading so much bulls**it from OP hurts me
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 10:21 AM, Marko Vojinovic wrote:
> On Saturday 02 July 2011 17:10:33 JD wrote:
>> On 07/02/2011 08:12 AM, Brendan Jones wrote:
>>> On 07/02/2011 01:45 PM, JD wrote:
>>>> So how is the router doing it?
>>>> This is a very disconcerting security hole and I have not
>>>> been able to nail it down to any daemon running on my Fedora.
>>> Isn't the page just redirecting to file:/// ?
>>>
>>> You can do the same by typing that into the address bar your browser.
>>> If your local ip is (which is the same as file:/// ) you will be
>>> able to traverse your root, but no other IP can.
>> I tried it. The browser cannot browse to my ip address
>> for the simple reason I do not have apache httpd running.
>> Read my subsequent posts on this.
> You do not need an apache server to see your own files from the browser. I just
> typed
>
>   file://127.0.0.1/
>
> into firefox and the files in the root directory appeared no problem. A web
> browser is supposed to be able to access your files, in the same way you are
> able to do it from the shell prompt.
>
> Can your router display the files of some other computer connected to it? Or
> did you try that just with the one you were sitting at?
>
> Have you tried browsing through some user's home directory (other than your
> own)? Could you read any of those files?
>
> I don't think there is any security hole there, it's just your own browser
> playing tricks on you. Care to provide the html source code for the router's
> page that has a link to view the files? The source should tell us how it's
> being done.
>
> HTH, :-)
> Marko
>

The router does not display any files when I try it on other computers. They are windows computers (win7 and winxp) - not sure why it does not display windows' c:\ contents.

On my machine, when I disable javascript, it is unable to display my files. I understand that the browser is supposed to be able to display your files with the file:/// URL. I just was not expecting my router to issue a javascript to access my files. And my concern is that any web site can issue a javascript to access personal files; and most people are unaware of this, because they are not techies, and do not understand what javascripts are capable of doing.
Re: DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 10:18 PM, Reindl Harald wrote:
>
> On 02.07.2011 16:50, JD wrote:
>> On 07/02/2011 01:32 AM, Reindl Harald wrote:
>>> On 02.07.2011 06:14, JD wrote:
>>>
>>>> When will the linux community wake up and shout out loud:
>>>> Kill JavaScript from all browsers and all network servers
>>>> and network clients
>>> never because the community is not dumb
>>> why do we not forbid knives since people are killed with them?
>> Not the same issue
> sure, because knives can hurt people
>
> LOCAL file browsing can not or will you forbid any fileupload per webform
> because you also not understand why it is not a security problem that
> you can browse local files here?
>
>> Most people are not even aware that their personal
>> files are being uploaded
> there will be nothing uploaded and you should stop to cry
> things like "When will the linux community wake up" until
> you have ANY BASICAL knowledge about what you are speaking
>
>> If a javascript can browse all accessible files, what's there
>> to prevent someone from writing a javascript to spawn
>> a process to upload your files?
> damned you can not spawn a process with javascript and
> you CAN NOT silently upload files with JS, so please
> get some basics or shut up instead making some noobs crazy
> which maybe believe your stuff
>
>
>> A simpler example, how do you think a javascript can
>> tell that you have been to some particular site?
>> It uploads your cookies.
> it can not access cookies from foreign domains damned
> learn basics or shut up!
>
>> I would have hoped that the FOSS communities would have
>> raised a big public fuss (pun unintentional) over websites
>> sending javascripts at peoples' computers and compromising
>> their files
> the problem is that the FOSS community has basic knowledges
> and you have not - so you make other people which have
> also now technical knowledge crazy with your braindead rant
>

Reindl - just a friendly tip: going civil goes a long way.

Cheers,

Chris
DAMNED Re: Fedora Security and the Uverse 3800HGV-B router
On 02.07.2011 16:50, JD wrote:
> On 07/02/2011 01:32 AM, Reindl Harald wrote:
>> On 02.07.2011 06:14, JD wrote:
>>
>>> When will the linux community wake up and shout out loud:
>>> Kill JavaScript from all browsers and all network servers
>>> and network clients
>> never because the community is not dumb
>> why do we not forbid knives since people are killed with them?
> Not the same issue

sure, because knives can hurt people

LOCAL file browsing can not or will you forbid any fileupload per webform
because you also not understand why it is not a security problem that
you can browse local files here?

> Most people are not even aware that their personal
> files are being uploaded

there will be nothing uploaded and you should stop to cry
things like "When will the linux community wake up" until
you have ANY BASICAL knowledge about what you are speaking

> If a javascript can browse all accessible files, what's there
> to prevent someone from writing a javascript to spawn
> a process to upload your files?

damned you can not spawn a process with javascript and
you CAN NOT silently upload files with JS, so please
get some basics or shut up instead making some noobs crazy
which maybe believe your stuff

> A simpler example, how do you think a javascript can
> tell that you have been to some particular site?
> It uploads your cookies.

it can not access cookies from foreign domains damned
learn basics or shut up!

> I would have hoped that the FOSS communities would have
> raised a big public fuss (pun unintentional) over websites
> sending javascripts at peoples' computers and compromising
> their files

the problem is that the FOSS community has basic knowledges
and you have not - so you make other people which have
also now technical knowledge crazy with your braindead rant
Re: Fedora Security and the Uverse 3800HGV-B router
On Fri, 2011-07-01 at 21:14 -0700, JD wrote:
> You are right.
> It turns out it does it via the intruder which the whole
> world was deceived by Sun that it only plays in a sandbox
> and has no access to anything outside that sandbox: Javascript.

what does javascript have to do with Sun? It is not java. It doesn't share anything at all with java except the name which was an unfortunate choice.

>
> So I used noscript to disable scripts from 192.168.1.254
> and access to my drive went away.
>
> When will the linux community wake up and shout out loud:
> Kill JavaScript from all browsers and all network servers
> and network clients.

turn off javascript and the Internet is almost unusable. I think you were close when you realized that your 'router' is likely an attack vector because many of the retail/home intended routers are known to have been compromised.

> It is THE trojan horse hiding in plain sight and can access
> EVERYTHING on your system that YOU have access to and
> send it back to whatever destination the javascript was
> written to send it to.
>
> Common people! JAVASCRIPT being executed by your
> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!

http://en.wikipedia.org/wiki/Javascript

    Sandbox implementation errors

    Web browsers are capable of running JavaScript outside
    of the sandbox, with the privileges necessary to, for
    example, create or delete files. Of course, such privileges
    aren't meant to be granted to code from the web.

What you have demonstrated is one of the many reasons not to run GUI as root but you only saw the files/folders that you could see with a tool like nautilus or dolphin with exactly the same privileges so I guess I can't understand your hysterics.

If noscript gives you peace of mind, then use it.

Craig
Re: Fedora Security and the Uverse 3800HGV-B router
On Saturday 02 July 2011 15:50:18 JD wrote:
> On 07/02/2011 01:32 AM, Reindl Harald wrote:
> > On 02.07.2011 06:14, JD wrote:
> >> It is THE trojan horse hiding in plain sight and can access
> >> EVERYTHING on your system that YOU have access to and
> >> send it back to whatever destination the javascript was
> >> written to send it to.
> >
> > if you would have a little background you would know that
> > as example you can not select and upload files as example
>
> If a javascript can browse all accessible files, what's there
> to prevent someone from writing a javascript to spawn
> a process to upload your files?

Permissions system? While the contents of / directory can be listed by just about any user on the system, it's a completely different story for writing to it. Also, can you browse through home directories of other users from the router? I doubt.

> A simpler example, how do you think a javascript can
> tell that you have been to some particular site?
> It uploads your cookies.
>
> >> Common people! JAVASCRIPT being executed by your
> >> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
> >
> > so stop whining and install "noscript" and click not on every link
> > wanting remove javascript from the browsers is polemic and childish
>
> Yes, I do have noscript.
> And in addition, Firefox gives us the option
> to disable javascript under the tab
> Edit->Preferences->Content
> However, hundreds of millions of people are
> oblivious to this threat.

While I don't particularly like javascript myself, I disagree that it is a serious security threat. At least on Linux (Windows is a completely different story).

> If it is not made a public issue, people will not
> become aware of it and continue to be invaded
> and their personal files be compromised.
> And I was not expecting the router to send
> such javascript at me, so I had allowed scripts for it.
> What a surprise that was!

When you see a person disappear from a magician's box and reappear on the other side of the stage, are you equally surprised that the magician has supernatural powers that nobody bothers to investigate? Or is it just a simple con?

Go create a new dummy user on your machine, create somefile.txt in his home directory, log in as yourself and try to view the file using the router. If you succeed, the permissions on your system are compromised. If you don't, then you are fussing over that router more than it's worth. In both cases I doubt that javascript has much to do with it.

HTH, :-)
Marko
Re: Fedora Security and the Uverse 3800HGV-B router
On Saturday 02 July 2011 17:10:33 JD wrote:
> On 07/02/2011 08:12 AM, Brendan Jones wrote:
> > On 07/02/2011 01:45 PM, JD wrote:
> >> So how is the router doing it?
> >> This is a very disconcerting security hole and I have not been
> >> able to nail it down to any daemon running on my Fedora.
> >
> > Isn't the page just redirecting to file:/// ?
> >
> > You can do the same by typing that into the address bar of your browser.
> > If your local ip is (which is the same as file:/// ) you will be
> > able to traverse your root, but no other IP can.
>
> I tried it. The browser cannot browse to my ip address
> for the simple reason I do not have apache httpd running.
> Read my subsequent posts on this.

You do not need an apache server to see your own files from the browser. I just typed file://127.0.0.1/ into firefox and the files in the root directory appeared no problem. A web browser is supposed to be able to access your files, in the same way you are able to do it from the shell prompt.

Can your router display the files of some other computer connected to it? Or did you try that just with the one you were sitting at? Have you tried browsing through some user's home directory (other than your own)? Could you read any of those files?

I don't think there is any security hole there, it's just your own browser playing tricks on you. Care to provide the html source code for the router's page that has a link to view the files? The source should tell us how it's being done.

HTH, :-)
Marko
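The source inspection Marko asks for above, as an added example that is not part of the thread and not the router's own code: a JavaScript (Node) function that lists every quoted `file:` URL in saved page source, what it is assigned to, and whether its host is empty or loopback. The sample markup, the function name and the field names are constructed for illustration.

```javascript
// Constructed sample page source; it is NOT the 3800HGV-B's real markup.
const SAMPLE_PAGE = [
  '<html><body>',
  '<a href="/details.html">Device Details</a>',
  '<a href="file://192.168.1.201/">Access Files</a>',
  '<a href="#" onclick="window.location=\'file:///\';return false">Access Files</a>',
  '<script>',
  'function openFiles(host) { document.location.href = "FILE://" + host + "/"; }',
  '</script>',
  '<a href="http://192.168.1.254/help#file://x">Help</a>',
  '</body></html>',
].join('\n');

// Hosts that, in a file: URL, plainly mean "the machine running the browser".
// How a browser treats any other host in a file: URL is browser-specific.
const LOOPBACK_OR_EMPTY = new Set(['', 'localhost', '127.0.0.1']);

// Find every quoted string that starts with the file: scheme, whether it is
// an attribute value, an inline event handler or a script string literal.
function findFileSchemeReferences(source) {
  const findings = [];
  const quoted = /(["'])\s*(file:[^"']*)\1/gi;
  let m;
  while ((m = quoted.exec(source)) !== null) {
    const before = source.slice(0, m.index);
    const after = source.slice(quoted.lastIndex);
    // Name on the left of "=" (href, window.location, ...), if there is one.
    const lhs = /([\w.]+)\s*=\s*$/.exec(before);
    // A literal followed by "+" is only a prefix; the host is added at run time.
    const dynamic = /^\s*\+/.test(after);
    let host = null;
    if (!dynamic) {
      try {
        host = new URL(m[2]).hostname;
      } catch (e) {
        host = null; // not a parseable URL on its own
      }
    }
    findings.push({
      line: before.split('\n').length,
      value: m[2],
      assignedTo: lhs ? lhs[1] : null,
      dynamic,
      host,
      hostIsLoopbackOrEmpty: host === null ? null : LOOPBACK_OR_EMPTY.has(host),
    });
  }
  return findings;
}

// Print a short report when run directly with Node.
for (const f of findFileSchemeReferences(SAMPLE_PAGE)) {
  const where = f.dynamic ? 'host built at run time' : `host "${f.host}"`;
  console.log(`line ${f.line}: ${f.assignedTo} -> ${f.value} (${where})`);
}
```

A page that only mentions `file://` inside an `http:` URL fragment, like the Help link in the sample, is not reported, because the quoted value does not start with the `file:` scheme.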
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 08:12 AM, Brendan Jones wrote:
> On 07/02/2011 01:45 PM, JD wrote:
>> So how is the router doing it?
>> This is a very disconcerting security hole and I have not been
>> able to nail it down to any daemon running on my Fedora.
>>
> Isn't the page just redirecting to file:/// ?
>
> You can do the same by typing that into the address bar of your browser.
> If your local ip is (which is the same as file:/// ) you will be
> able to traverse your root, but no other IP can.

I tried it. The browser cannot browse to my ip address for the simple reason I do not have apache httpd running. Read my subsequent posts on this.
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 01:45 PM, JD wrote:
> So how is the router doing it?
> This is a very disconcerting security hole and I have not been
> able to nail it down to any daemon running on my Fedora.
>

Isn't the page just redirecting to file:/// ?

You can do the same by typing that into the address bar of your browser. If your local ip is (which is the same as file:/// ) you will be able to traverse your root, but no other IP can.
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 05:16 AM, James McKenzie wrote:
> On 7/1/11 9:14 PM, JD wrote:
>> Common people! JAVASCRIPT being executed by your
>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
>>
> You do have the option of turning it off, you know. That is one thing
> every security expert knows about and disables in a major way.
>
> James
>
>

Yes, I just replied to Reindl Harald my reasons for making this a public issue. It is, IMHO, a big travesty that it has not made it into the public awareness sphere. You have heard the MSMs sometimes mention newsclips about computer files theft (recently, by China), and yet the MSMs have never mentioned the biggest facilitator of such theft: javascript.

Unfortunately, many if not most websites will not work if javascript is disabled. Try google maps, for example, after you uncheck, in Firefox, Edit->Preferences->Content->Enable Javascript. If you then browse to maps.google.com, you will get a blank map screen.

Cheers,
JD
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/02/2011 01:32 AM, Reindl Harald wrote:
> On 02.07.2011 06:14, JD wrote:
>
>> When will the linux community wake up and shout out loud:
>> Kill JavaScript from all browsers and all network servers
>> and network clients
> never because the community is not dumb
> why do we not forbid knives since people are killed with them?

Not the same issue. Most people are not even aware that their personal files are being uploaded.

>> It is THE trojan horse hiding in plain sight and can access
>> EVERYTHING on your system that YOU have access to and
>> send it back to whatever destination the javascript was
>> written to send it to.
> if you would have a little background you would know that
> as example you can not select and upload files as example

If a javascript can browse all accessible files, what's there to prevent someone from writing a javascript to spawn a process to upload your files?

A simpler example, how do you think a javascript can tell that you have been to some particular site? It uploads your cookies.

>> Common people! JAVASCRIPT being executed by your
>> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
> so stop whining and install "noscript" and click not on every link
> wanting remove javascript from the browsers is polemic and childish
>

Yes, I do have noscript. And in addition, Firefox gives us the option to disable javascript under the tab Edit->Preferences->Content

However, hundreds of millions of people are oblivious to this threat. If it is not made a public issue, people will not become aware of it and continue to be invaded and their personal files be compromised. And I was not expecting the router to send such javascript at me, so I had allowed scripts for it. What a surprise that was!

I would have hoped that the FOSS communities would have raised a big public fuss (pun unintentional) over websites sending javascripts at peoples' computers and compromising their files.
Re: Fedora Security and the Uverse 3800HGV-B router
On 7/1/11 9:14 PM, JD wrote:
>
> Common people! JAVASCRIPT being executed by your
> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
>

You do have the option of turning it off, you know. That is one thing every security expert knows about and disables in a major way.

James
Re: Fedora Security and the Uverse 3800HGV-B router
On 02.07.2011 06:14, JD wrote:
> When will the linux community wake up and shout out loud:
> Kill JavaScript from all browsers and all network servers
> and network clients

never because the community is not dumb
why do we not forbid knives since people are killed with them?

> It is THE trojan horse hiding in plain sight and can access
> EVERYTHING on your system that YOU have access to and
> send it back to whatever destination the javascript was
> written to send it to.

if you would have a little background you would know that
as example you can not select and upload files as example

> Common people! JAVASCRIPT being executed by your
> browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!

so stop whining and install "noscript" and click not on every link
wanting remove javascript from the browsers is polemic and childish
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/01/2011 08:57 PM, john wendel wrote:
> On 07/01/2011 08:45 PM, JD wrote:
>> I am writing this message with the hope that someone on this
>> list has this uverse router.
>> When I use Firefox to browse to this router (192.168.1.254),
>> it displays the "Home" machines connected to the network.
>> For each machine it displays:
>> a tv icon, its name, and a link named "Access FIles"
>> and another link named "Device Details".
>>
>> If I click on any machine's "Access FIles" link, it
>> displays my Fedora's / directory completely.
>>
>> I have no ftp daemon running.
>> I have no apache running.
>> In fact I do not have ANY internet server running.
>>
>> So how in blazes is the router able to display my
>> entire system's files?
>>
>> If I aim my browser at my own IP address,
>> I get
>> Unable to connect
>> Firefox can't establish a connection to the server at 192.168.1.201.
>>
>> So how is the router doing it?
>> This is a very disconcerting security hole and I have not been
>> able to nail it down to any daemon running on my Fedora.
>>
>> Thanks for your insights.
>>
>> JD
> Your router isn't displaying the files, your browser is, so it doesn't
> need a network connection. Though I must admit, I don't know how it's
> done. Maybe you should examine the html source.
>
> John

You are right. It turns out it does it via the intruder which the whole world was deceived by Sun that it only plays in a sandbox and has no access to anything outside that sandbox: Javascript.

So I used noscript to disable scripts from 192.168.1.254 and access to my drive went away.

When will the linux community wake up and shout out loud: Kill JavaScript from all browsers and all network servers and network clients.

It is THE trojan horse hiding in plain sight and can access EVERYTHING on your system that YOU have access to and send it back to whatever destination the javascript was written to send it to.

Common people! JAVASCRIPT being executed by your browser on your system is a HUGE WIDE OPEN SECURITY HOLE!!!
Re: Fedora Security and the Uverse 3800HGV-B router
On 07/01/2011 08:45 PM, JD wrote:
> I am writing this message with the hope that someone on this
> list has this uverse router.
> When I use Firefox to browse to this router (192.168.1.254),
> it displays the "Home" machines connected to the network.
> For each machine it displays:
> a tv icon, its name, and a link named "Access FIles"
> and another link named "Device Details".
>
> If I click on any machine's "Access FIles" link, it
> displays my Fedora's / directory completely.
>
> I have no ftp daemon running.
> I have no apache running.
> In fact I do not have ANY internet server running.
>
> So how in blazes is the router able to display my
> entire system's files?
>
> If I aim my browser at my own IP address,
> I get
> Unable to connect
> Firefox can't establish a connection to the server at 192.168.1.201.
>
> So how is the router doing it?
> This is a very disconcerting security hole and I have not been
> able to nail it down to any daemon running on my Fedora.
>
> Thanks for your insights.
>
> JD

Your router isn't displaying the files, your browser is, so it doesn't need a network connection. Though I must admit, I don't know how it's done. Maybe you should examine the html source.

John
Fedora Security and the Uverse 3800HGV-B router
I am writing this message with the hope that someone on this list has this uverse router.

When I use Firefox to browse to this router (192.168.1.254), it displays the "Home" machines connected to the network. For each machine it displays: a tv icon, its name, and a link named "Access FIles" and another link named "Device Details".

If I click on any machine's "Access FIles" link, it displays my Fedora's / directory completely.

I have no ftp daemon running.
I have no apache running.
In fact I do not have ANY internet server running.

So how in blazes is the router able to display my entire system's files?

If I aim my browser at my own IP address, I get

Unable to connect
Firefox can't establish a connection to the server at 192.168.1.201.

So how is the router doing it? This is a very disconcerting security hole and I have not been able to nail it down to any daemon running on my Fedora.

Thanks for your insights.

JD