Posted to alt.home.repair
Don Y[_3_]
Check your Windows 10 block settings

On 10/18/2015 4:13 PM, Mayayana wrote:
| I pay $1/month for a paper statement. I doubt
|
| You're lucky. I've closed accounts when each notified me that
| they wanted $8.95/month to mail me a single sheet of paper
| with 1, 2 or, at most, *3* transactions on it! Note that
| one of the banks was 1500 miles from here -- so it's not
| a "local phenomenon".

TD Bank. And they're open on Sundays, too.
I'm not sure I even want to know why you have
numerous bank accounts on the other side
of the country.


I have lived in many places. It is usually more convenient to
leave an existing account someplace open until I can get a
new account somewhere_else established. And, when they WERE
mailing paper statements, there was virtually no cost to me to
KEEP those accounts open (most of my accounts have had strict
check-writing constraints -- like 3 per month). So, an extra
account would let me handle extra transactions, etc.

I know I had to maintain an account in CT for the tax man
(consultants' time has sales tax applied so they want someplace
to find you to *get* that tax!)

| Do you own any securities? Do any "trading"?

No. I'm not a gambler. Frankly I think straight gambling
on the stock market should be illegal, with something
like a 90 day minimum period that stocks would have
to be held and no option for buying options, which
are merely bets. Then people would be investing in
companies rather than just a big, glorified gambling hall.


+42

I can't see how anyone would consider the "1 year" time limit
to qualify for LONG term gains to really be indicative of
"an investment" (vs. a gamble).

| You sound like you know what you're doing, so I
| wouldn't be inclined to tell you that you should change,
| but my way also works. Nearly all possible online attacks
| require javascript.
|
| If you look at the history of vulnerabilities, you'd realize that's
| not the case. Buffer overflow exploits are still common -- despite
| EVERYONE knowing about this sort of potential problem (yet
| continuing to write NEW code that has the same flaws).

Buffer overflows require executable code.


Yes -- the code in your browser or "helper applications" that it
invokes.

The point is
to go back to what the Web was meant to be: A resource
that can be accessed. Not remote software.


The exploits I mentioned previously don't require any
"remote software" to be executed from the 'net. *But*,
as each of these non-ASCII-text files requires something
to *interpret* their contents (as a photograph, audio
clip, video clip, etc.) then those non-ASCII-text files
are, essentially, *programs*! They control the behavior
of their respective "decoders" when you apply those decoders
to those files.

Bugs in those decoders can thus be exploited to compromise
the machine on which the decoders are executing. This is
because Windows (and virtually all other desktop OS's)
applies the full capabilities of the invoking user to
any program (e.g., the decoder) running on his/her behalf!
There is no way to limit what a particular program can/can't
do -- other than HOPING the program itself "behaves well".

A "capability-based" OS doesn't have this inherent limitation.
E.g., I can let *you* write a hostile program and install
it on my system. But, no matter how hard your program tries,
it won't be able to do anything that I haven't explicitly
allowed it to do. No need for you to be scribbling in the
Registry -- or even *looking* at it; no need for you to be
pushing packets out a network connection; no need for
you to be installing any files; etc. -- all you need to be
able to do is EXACTLY what *I* think you should be able to
do (show me the contents of this JPG in a graphic form, etc.)

However you look at it, nearly all risks online require script.
It's true that there has been at least one issue with JPGs.
That was actually a vulnerability in gdiplus.dll, the
Windows extended graphics library. There was also once
an issue with EMF files. It's not impossible to face a
vulnerability with script disabled, but it's *very* unlikely.
With script enabled, on the other hand, you're a sitting
duck.


If I email you a picture BigBoobs.jpg and you open it, then
I've enticed you to expose your JPEG decoder to whatever
contents that file may contain. Likewise if you visit a
web page with a JPEG. If I email you a receipt for a purchase
as a PDF, then the act of opening it means your "PDF decoder"
has now been tricked into "interpreting" the information
embedded in that file (just like a computer interprets a
computer program).

PDF exploits, as well as Flash, are also script issues.
The MP4 bug you link to is a Flash problem. Likewise,
the MP3 bug you linked to is with script in iTunes. What
you're talking about is all executable code. The point is
to get executable code out of the browser. Don't use


The browser *is* executable code! The OS is executable code.
The JPG decoder is executable code. The PDF reader is executable
code. Anything that *does* anything does it by executing code!

Adobe crap at all. Don't enable script. Don't install Java.
Don't run videos and music in browser plugins like Flash.
Don't enable script in your PDF viewer.
(For me this is easy. I don't like things moving on webpages
while I'm trying to read. If I want to see a video I'll
download it, so I can save a copy, and play it in VLC. If


http://www.zdnet.com/article/vlc-vulnerabilities-exposed/
"Vulnerabilities have been discovered in some versions of the
popular VLC media player which may allow a cyberattacker to
corrupt memory and potentially execute arbitrary code."
http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=VLC_vulnerabilities.html


Note that it doesn't matter if you run VLC from your browser or
download the file and run VLC separately.
"Vulnerabilities in VLC allow for remote code execution or
denial of service. VLC also has a remote code execution
vulnerability in the web interface."

It's like the admonition from my youth regarding unwanted
pregnancies: the only SURE contraceptive is ABSTINENCE!
I.e., the only sure way to avoid these vulnerabilities is
to NOT import anything that you didn't create yourself.

"The only winning move is not to play"
-WOPR
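
Added example, not part of the original post: a C sketch of the point above that a data file steers its decoder, showing a decoder that trusts a length field in the file beside a hardened form that checks it. The record format, function names and sample bytes are constructed for illustration and do not come from any real decoder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 16
/* Constructed toy format: tag 'C', 2-byte big-endian length, payload. */

/* Flawed decoder: the length written in the file decides how much is copied. */
int decode_comment_unsafe(const uint8_t *file, size_t file_len, char *out)
{
    (void)file_len;                       /* never consulted: that is the bug */
    size_t len = ((size_t)file[1] << 8) | file[2];
    memcpy(out, file + 3, len);           /* up to 65535 bytes into 16 */
    out[len] = '\0';
    return (int)len;
}

/* Hardened decoder: every field is checked against the file and the buffer. */
int decode_comment_checked(const uint8_t *file, size_t file_len, char *out)
{
    if (file_len < 3 || file[0] != 'C')
        return -1;                        /* not a comment record */
    size_t len = ((size_t)file[1] << 8) | file[2];
    if (len > file_len - 3)
        return -2;                        /* claims more bytes than the file holds */
    if (len >= COMMENT_MAX)
        return -3;                        /* would not fit with the terminator */
    memcpy(out, file + 3, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample files. */
const uint8_t SAMPLE_OK[]  = { 'C', 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const uint8_t SAMPLE_LIE[] = { 'C', 0xFF, 0xFF, 'x' };      /* length > file */
const uint8_t SAMPLE_BIG[3 + 64] = { 'C', 0x00, 0x40 };     /* length > buffer */
char g_out[COMMENT_MAX];

int main(void)
{
    printf("ok:  %d\n", decode_comment_checked(SAMPLE_OK, sizeof SAMPLE_OK, g_out));
    printf("lie: %d\n", decode_comment_checked(SAMPLE_LIE, sizeof SAMPLE_LIE, g_out));
    printf("big: %d\n", decode_comment_checked(SAMPLE_BIG, sizeof SAMPLE_BIG, g_out));
    return 0;
}
```

Only the checked decoder is ever called here; the unsafe form is shown for comparison and would write past the 16-byte buffer on the second and third samples.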