Re: Dealing with ActiveX, other potentially dangerous embeds?
From: mto (nobody_at_dontsendmeanyspam.thanks)
Date: Fri, 29 Aug 2003 21:36:26 -0400
"Marty Ross" <email@example.com> wrote in message
> Of those security-minded folks out there that *DO* choose to use MS/IE,
> do you deal with ActiveX or other potentially dangerous embeds in internet
The general consensus seems to be the same as dealing with ports - if you
don't need it right this minute, shut it off.
As far as using ActiveX I allow just one X-control - the one that has to be
active to use Windows Update. And even then, ActiveX is turned off unless I
am actively updating Windows.
>Does anybody really "trust" the authenticode system?
In a pig's eye. You might recall the incident a couple of years back when
someone managed to make off with a couple of secure server certificates
claiming to be Microsoft - but they weren't.
> Does "certification" really deliver on it's promise (e.g., I don't know
> a GREAT majority of these companies that have supposedly "promised this
> content is safe", <SNIP>
Safe for whom? Safe how? - as in safe it won't break your machine or safe
it won't violate your privacy/use your phone/etc.?
> For that matter -- do y'all place any more trust in Java (or other)
> embedded in web pages?
Of the bunch of them, I trust Java more than any other. (I am a web
the most dangerous. Recently I've even seen malware distributed using an
image tag :(
Innocent till proven guilty may be the rule in court - but not when it comes
to my machine. Trust NOTHING implicitly.
> It seems to me it's plain out mutually exclusive -- **EITHER** I:
> (1) allow myself to trust the universe (or spend a time investigating who
> think I'm talking to for each individual web transaction), accept the real
> risks involved, and enjoy the fruits of sophisticated
> objects (such as streaming media, other interactivity, etc.)
Too many nasties out there to trust - kind of like going to downtown Dodge
on Saturday night without your six-shooter. Investigating websites? You
will never get anything done - and God himself can't guarantee you that who
they say they are is real.
> (2) restict myself totally from all "active" content -- especially the
> potentially more dangerous variety (such as ActiveX), yet remain a
> with respect to participating in much of the neat stuff that's out there,
> much of it served up using these potentially dangerous technologies
Nope, you don't have to withdraw completely - just be selective. Keep your
security settings as high as possible and turn off absolutely everything
unless you need it. (Zone Alarm Pro helps there because you can allow
cookies/scripts/java on a site-by-site basis). When you come across
something you want turn only what you need back on just long enough to
indulge. Get AdAware and Spybot Search & Destroy and use them. Make sure
that you have NO trusted sites.
Alternatively buy a Mac. If I didn't have to replace thousands of dollars
in programming to do so, you can bet your last dime I wouldn't be running