- Forum
- Lounge
- Giving Answers
- Page 2
Giving Answers
Get an internet security AV, I've got McAfee (please don't kill me, I'm not the one that buys it) but it's great because it'll just put a little tick or cross next to every link
In my experience, AV software is just as bad as any virus.
Common sense is the best virus protection.
Common sense is the best virus protection.
Emails are just text. They can't have viruses. Attachments can... but if you run random attachments without knowing what they are then you fail the "common sense" thing I mentioned earlier.
You get viruses one of two ways:
1) You run an executable that's infected
2) You use software which has security holes which blindly (or unknowingly) runs executable code from an outside source.
Either way, it has to be an executable. You can't just get a virus without actually running something.
Keep your browser up to date, don't run random programs off the net, and you'll be fine.
You get viruses one of two ways:
1) You run an executable that's infected
2) You use software which has security holes which blindly (or unknowingly) runs executable code from an outside source.
Either way, it has to be an executable. You can't just get a virus without actually running something.
Keep your browser up to date, don't run random programs off the net, and you'll be fine.
Disch wrote:
It might be a little premature to be stating that outright as fact. It's 100% true for straight ESMTP so you're absolutely right about that. But every major Email client I've seen supports MIME by default, MIME supports HTML and HTML 5 supports XSS. Most of us have been around long enough to see the kind of damage that can be done with that stupid little feature.
| Either way, it has to be an executable. You can't just get a virus without actually running something. |
It might be a little premature to be stating that outright as fact. It's 100% true for straight ESMTP so you're absolutely right about that. But every major Email client I've seen supports MIME by default, MIME supports HTML and HTML 5 supports XSS. Most of us have been around long enough to see the kind of damage that can be done with that stupid little feature.
XSS is known method of breaching security.
I'm a little unsure what you mean by "HTML 5 supports XSS". You're making it sound like it's some kind of feature that's supported by the language.
And even with XSS injection.. could that do anything harmful on your system? I thought that was limited to things like information theft (which AV doesn't really prevent anyway ... or does it?).
I'm a little unsure what you mean by "HTML 5 supports XSS". You're making it sound like it's some kind of feature that's supported by the language.
And even with XSS injection.. could that do anything harmful on your system? I thought that was limited to things like information theft (which AV doesn't really prevent anyway ... or does it?).
Last edited on
I'm not that well versed in what is actually possible. It came up where I work when we started using browsers that actually support HTML 5 because we (the IT department) lost the battle to outright block Java Script on all of the browsers. So now we have to watch out for little things like this and disable them individually. Then we have to pretend to listen to the people complaining about the features we disabled because the pop-up that tells these people that the feature is disabled causes them to feel confused and angry. Then someone else comes in and yells at us to put it back. Then that same person comes in and yells at us when the person we re-enabled feature 'X' for gets infected.
EDIT: To address your concern about it being harmful; in it self it really isn't. The problem is that the XSS feature doesn't care what kind of document is being sent. So if the doc happens to be a script of some sort that can be interpreted and run inside one of those web browser plug-ins we all love so much then it could cause some damage. It's probably all just paranoia on my part, but that comes with the job.
EDIT: To address your concern about it being harmful; in it self it really isn't. The problem is that the XSS feature doesn't care what kind of document is being sent. So if the doc happens to be a script of some sort that can be interpreted and run inside one of those web browser plug-ins we all love so much then it could cause some damage. It's probably all just paranoia on my part, but that comes with the job.
Last edited on
My understanding is that client side scripting (eg: Javascript) is extremely limited in what it can do to the machine simply because it's such an obvious security risk.
So yeah... XSS can be used by a malicious site to inject and run code... but worst case scenario it's only going to be able to inject a client-side script, which isn't going to do any real damage to your machine. Maybe it can try to launch some other executable that can do real damage... but even then every single web app out there will prompt and warn the user before actually running the program.
But I'm not exactly an expert on any of this, so I welcome any corrections to my [mis]understanding.
What I can say from personal experience is that I've been running Windows with no AV for going on 12 years now and can't recall ever having any problems.
Conversely, when I use other people's machines which have AV, they often run like crap, are unresponsive, and/or semi-frequently hang.
My brother was even having performance problems with his computer one time and came to me for advice. The first thing I said was "get rid of your AV". He did and told me his comp immediately started running better.
EDIT:
In a professional environment, though... companies can't risk their IP on their employees having common sense... so in that context AV (and a myriad of other security tools) make sense.
But putting that crap on my personal box? Not on your life.
So yeah... XSS can be used by a malicious site to inject and run code... but worst case scenario it's only going to be able to inject a client-side script, which isn't going to do any real damage to your machine. Maybe it can try to launch some other executable that can do real damage... but even then every single web app out there will prompt and warn the user before actually running the program.
But I'm not exactly an expert on any of this, so I welcome any corrections to my [mis]understanding.
What I can say from personal experience is that I've been running Windows with no AV for going on 12 years now and can't recall ever having any problems.
Conversely, when I use other people's machines which have AV, they often run like crap, are unresponsive, and/or semi-frequently hang.
My brother was even having performance problems with his computer one time and came to me for advice. The first thing I said was "get rid of your AV". He did and told me his comp immediately started running better.
EDIT:
In a professional environment, though... companies can't risk their IP on their employees having common sense... so in that context AV (and a myriad of other security tools) make sense.
But putting that crap on my personal box? Not on your life.
Last edited on
So 2 ways to look at it... Actual harm to your system can only be done by client side executable, and data theft can be done by anything XD
Speaking about the common sense thing, a lot of people may leave there social media / email accounts signed in on there home PC but I cant see how any huge damage can be caused by this... Okay maybe the email one fair enough because emails are usually the way to reset your passwords after an attack/memory lapse.
If you're stupid enough though to ask your browser to save your bank email and password or something else along those lines then sooner or later you may be shouting at your browser manufacturer for your mistakes. A little common sense can go a long way if used wisely.
The idea about the internet AV is that it (tries to) recognise sites that want to download exe's (or other executable extensions) to your system that could be harmful, or sites that have tracing scripts, cookie sniffing, etc. It's not much but it helps in a world like this.
Speaking about the common sense thing, a lot of people may leave there social media / email accounts signed in on there home PC but I cant see how any huge damage can be caused by this... Okay maybe the email one fair enough because emails are usually the way to reset your passwords after an attack/memory lapse.
If you're stupid enough though to ask your browser to save your bank email and password or something else along those lines then sooner or later you may be shouting at your browser manufacturer for your mistakes. A little common sense can go a long way if used wisely.
The idea about the internet AV is that it (tries to) recognise sites that want to download exe's (or other executable extensions) to your system that could be harmful, or sites that have tracing scripts, cookie sniffing, etc. It's not much but it helps in a world like this.
| So 2 ways to look at it... Actual harm to your system can only be done by client side executable, and data theft can be done by anything XD |
Said that in about 1000 words less than me :)
Javascript can get a pop-up box open for if you want to download that virus, but that's about as far as it can go. You would need to break the browser to get rid of that box.
Javascript can be used to store cookie information though, and that can open up all sorts of issues for identity ( not just the user either, consider if that user is allowed POST/DELETE requests... )
SatsumaBenji said:
So does Google as well as any decent up to date browser (including IE). I side with Disch on this one, I haven't had an AV program on my home PC for years. The amount of overhead and outright downtime it adds to the system is not worth it blocking a few tracking cookies.
| The idea about the internet AV is that it (tries to) recognise sites that want to download exe's (or other executable extensions) to your system that could be harmful, or sites that have tracing scripts, cookie sniffing, etc. |
So does Google as well as any decent up to date browser (including IE). I side with Disch on this one, I haven't had an AV program on my home PC for years. The amount of overhead and outright downtime it adds to the system is not worth it blocking a few tracking cookies.
Fair enough, the only reason I actually keep an AV is because I get a lot of cracked software (please don't kill me) and free unlicensed software which has a lot of potential of being bad for the system because these are executables.
PS. I like how you had to include IE in brackets since nobody considers it a decent browser :D
PS. I like how you had to include IE in brackets since nobody considers it a decent browser :D
| the prince wrote: |
|---|
| @Duoas, Well I personally prefer it when people just explain simply because I commonly get provided virus-infested links. |
From whom? High-post count users on this site? Wikipedia?
If you can't sift the wheat from the chaff when you get answers to your posts, how do you expect to reason about your program's logic?
"I reject your answer because your answer does not come the way I want it (and probably has viruses)."
I use Microsoft Security Essentials and am much happier with it than I ever was with other AVs. I don't do risky stuff anyway, and it has never had a noticeable impact on my (relatively low) system speed, even when I'm playing a video.
closed account (30X1hbRD)
@Duoas, I'm not saying I'd reject the link, I'm simply stating that I personally prefer an explanation over a link. I've had some bad experiences with certain links that I'd researched and had been called safe but turned out to not be.
| prefer an explanation over a link. |
Links typically contain the explanation.
I've posted links before and people have responded asking questions (as though they clearly had not read the page I linked). So I responded by copy/pasting text from the link into a reply and then they seemed to understand.
closed account (G30GNwbp)
| the prince wrote: |
|---|
| I've had some bad experiences with certain links |
You are going to have to get over this ridiculous fear of the net, or you are never going to learn to program. The worst thing that can happen is you might need to reformat, and if you back-up your data it is not that bad.
I have gotten information from a site, misread that information, and destroyed my system. Best thing that ever happen to me.
Last edited on
closed account (30X1hbRD)
@rtd2645, I know, I've had to wipe my computer once also, but thankfully I had lots of back-ups saved so it wasn't too big a deal. I don't have a "ridiculous fear of the net" I just am cautious of certain things. Like I said, I do use the links when provided, I just check to see if the site is safe first.
About posting links, we must keep in mind that sites live and die. And if that linked-to site dies, the link becomes useless.
I don't have such fears for Wikipedia, for example, although an exercise of caution is in order (considering how much they beg for donations nowadays).
Besides, the poster came here for an explanation first, redirection second.
I don't have such fears for Wikipedia, for example, although an exercise of caution is in order (considering how much they beg for donations nowadays).
Besides, the poster came here for an explanation first, redirection second.
| sites live and die |
| exercise of caution is in order (considering how much they beg for donations nowadays). |
*cough*cplusplus.com*cough*
| Besides, the poster came here for an explanation first, redirection second. |
Unfortunately, it is bunkus. User came for an answer to a question.
| Disch wrote: |
|---|
| Links typically contain the explanation. I've posted links before and people have responded asking questions (as though they clearly had not read the page I linked). So I responded by copy/pasting text from the link into a reply and then they seemed to understand. |
I'm not so nice. If OP can't be bothered to click and read a link, why should I take my time to copy/paste link's info for him?
| I'm not so nice. If OP can't be bothered to click and read a link, why should I take my time to copy/paste link's info for him? |
Because he's a beginner and you are not, and this way you can put emphasis on the information he needs. And better, there would be less redirection.