Stupid ebay/amazon question

puissante puissante at lrc.puissante.com
Fri Jun 30 15:48:01 EDT 2006 

Christopher Schmidt wrote:
> On Thu, Jun 29, 2006 at 11:51:06AM -0400, Fred wrote:
...
>> Even though I'm sure the vulnerability I've heard about long ago has long 
>> since been taken care of, there is never the time to rest and be naive. Some 
>> new codec, Flash module, or anything may have some exploitable vulnerability 
>> in it. And usually you only discover this after the fact, after your system 
>> has been infected.
> 
> And all of this is completely unrelated to the discussion at hand, which
> is a question of whether there is code inside of eBay's HTML,
> Javascript, etc. which external users placing content on eBay's servers
> can exploit to get access to your personal information as known by eBay.

Whoops! The dangers of jumping in on a conversation mid stream without 
reading all the prior posts!

Yes, guilty as charged.

> The fact that persons can steal your data via browser exploits is unrelated 
> to eBay, and the discussion at hand.

But is it not related? Especially if such exploits can be posted to 
Ebay's site? An image with a buffer-overrun exploit can be posted 
anywhere, including Ebay.

Or maybe I'm misunderstanding something...

...
> Don't spread too much anti-IE FUD -- they're not the only people to be
> affected by this kind of crap. 90,000 LiveJournal users had their
> cookies stolen by an external agent at one point due to a choice Firefox
> has made to allow CSS to execute script in the current page context.
> (LiveJournal quickly moved to a different system for URLs, which
> contained the problem, and created and released a CSS Tokenizer which
> removes unsafe content.) 
> 
> Firefox has suffered similar image processing issues to IE with JPG
> processing around-a-bouts the time 1.0 came out. 

Yes, but those are due to bugs and flaws in the software, not the basic 
mechanism like Active-X is. It's like leaving your front door open with 
a sign that says "come in and rob me", rather than the thief having to 
pick your locks to break in.

...
> Firefox, on the other hand, released a security release of their browser
> mere hours after the vulnerability in question was made public
> knowledge. Of course, many users are still running vulnerable versions
> because users never upgrade, but that's no less true of Windows and
> other proprietary software that is patched.
> 
> All it really boils down to is that your computer is only really safe
> it's locked in a safe, disconnected from the internet... and preferably,
> turned off.

All things involves trade offs, of course. And there are some 
"commonsense" (to us, at least) practices that will avoid 99% of the 
problem. That last 1% will require the most effort, but the costs may or 
may not be justified.

-Fred

More information about the gnhlug-discuss mailing list