Does mega.co.nz require Javascript to download stuff?
That’s not gonna fly. Javascript is the prime vehicle for distributing malware, and Kim Schmitz has never cared much about legality so I’m not going to hand him the key to my front door.
@toolforger said: Does mega.co.nz require Javascript to download stuff? That's not gonna fly. Javascript is the prime vehicle for distributing malware, and Kim Schmitz has never cared much about legality so I'm not going to hand him the key to my front door.
Lol
- No known JS malware out there
- JS is the backbone of Web 2.0 and 3.0
Sorry if we're sounding awkward
@m41q I downloaded it from mega and uploaded it to my website - hope you don’t mind.
http://www.zero-separation.com/temp/MonkeyBlaster%20-%20source.zip
- Right now, Mega is just another random site that I’d have to be watchful for malware reports. That list is already too long.
- Yeah I know, adding features first and watching zero-day exploits pop up all over the place is THE safest way to design a software infrastructure. I can’t imagine how anybody could be so paranoid as to not want to jump the JS bandwagon :roll: .
@zarch thanks, got the sources.
On a tangent, the first installment of my version of the tutorial is done.
I think I’ll start posting text & code tonight, in a separate thread as requested by @erlend_sh.
@toolforger said: 1) Right now, Mega is just another random site that I'd have to be watchful for malware reports. That list is already too long. 2) Yeah I know, adding features first and watching zero-day exploits pop up all over the place is THE safest way to design a software infrastructure. I can't imagine how anybody could be so paranoid as to not want to jump the JS bandwagon :roll: .
I hope you don’t give your browser root access anyway ^^ You should just get off the internet if you are that afraid. According to newest sources not even HTTPS or any of the big encryption standards is safe. Turning off JS is just silly, what can your browser process access (and JS do) that would make it a “front door”?
(Subthread got moved, moving answer over, please delete this post because I can’t)
@normen said: I hope you don't give your browser root access anyway ^^ [...] According to newest sources not even HTTPS or any of the big encryption standards is safe. Turning off JS is just silly, what can your browser process access (and JS do) that would make it a "front door"?
http://xkcd.com/1200/ is making this point much better than I could.
@normen said: You should just get off the internet if you are that afraid.
Unwanted, not helpful, unconstructive advice.
@normen said: According to newest sources not even HTTPS or any of the big encryption standards is safe.
So since burglars have crowbars, you shouldn’t lock your front door when you leave the house?
@toolforger said: http://xkcd.com/1200/ is making this point much better than I could. Unwanted, not helpful, unconstructive advice.
So since burglars have crowbars, you shouldn’t lock your front door when you leave the house?
So since people could steal your tires, you demount them before going on a road trip? As your wallet could be stolen you go get it from home every time you need it at the checkout? And the point I made was not to let your browser have root access. The xkcd comic is about root (in that case direct) access. I am dead serious about not going to the web with a computer if you have actual sensitive data on it.
sensitive data? it's like that folder full of pron??
@eraslt said: sensitive data? it's like that folder full of pron?? :D
xD That’s “sensual data” or “insensitive data” ^^
It’s not about sensitive data, it’s about the amount of work to get the machine back to its normal, uninfected state.
JS is the primary vehicle for drive-by malware, so I’m avoiding it, so I have to reinstall less often.
One thing to consider:
Even if only 5% of sites carry malware, there will be one attempt for every 20 sites visited.
That’s not to say that all attempts will succeed - realistically, most will fail if you keep your browser reasonably up-to-date.
Still. Antivirus software etc. will leave 10-20% of malware undetected in typical test scenarios. That means you get a successful break-in every 5-10 visited malware-carrying sites. You do the math.
You’ll probably find that 5% of infected websites is too pessimistic
… but I have had my share of virus infections around my buddies, and I’m keeping too much important stuff on my machine. Nothing sensitive that must not leak, but lots of stuff that would take time to restore; it would take me a day to get back to working conditions, and weeks of tweaking until everything is back to normal. I don’t want that, simple as that.
@toolforger said: It's not about sensitive data, it's about the amount of work to get the machine back to its normal, uninfected state. JS is the primary vehicle for drive-by malware, so I'm avoiding it, so I have to reinstall less often. One thing to consider:
Even if only 5% of sites carry malware, there will be one attempt for every 20 sites visited.
That’s not to say that all attempts will succeed - realistically, most will fail if you keep your browser reasonably up-to-date.
Still. Antivirus software etc. will leave 10-20% of malware undetected in typical test scenarios. That means you get a successful break-in every 5-10 visited malware-carrying sites. You do the math. You’ll probably find that 5% of infected websites is too pessimistic
… but I have had my share of virus infections around my buddies, and I’m keeping too much important stuff on my machine. Nothing sensitive that must not leak, but lots of stuff that would take time to restore; it would take me a day to get back to working conditions, and weeks of tweaking until everything is back to normal. I don’t want that, simple as that.
The Carl Sagan style math here just supports the superstitious undertone that makes me chuckle about disabling JS in the first place. The number one way of infections is… (drumroll) … USB sticks! Also please give at least one example where a JS exploit can gain system access rights beyond that of the browser - if the user doesn’t carelessly execute some executable himself. You seem to ship around that question all the time.
Yeah, “superstitious”… I guess this thread has come to an end.
The most safe way is to use an unusual operating system, if you run a unix for example around 99.9% of all malware is out of the race as the delivered code is win only. Then use a non default browser and give it no read write access aside from the tmp/cache download folders and you are quite safe already.
And I must agree with normen, if it must be safe, disconnect the computer from any network.
@toolforger said: Yeah, "superstitious"... I guess this thread has come to an end.
Still no answer, I guess it's just that your arguments have come to an end. So you turn “superstitious undertone” into an accusation that you are superstitious and gtfo xD
I just want an example where turning off JS avoids malware.
@Empire Phoenix said: http://www.scip.ch/?labs.20091027 (German)
Yeah exactly, doesn’t get beyond the browser.
Yup, but as with any virtual machine the js one can have security fails as well. If you have properly set up your browser it can still steal session keys and cookies and if the browser is shit the saved passwords.
But at the other side a tinfoil hat looks so untrendy.
Sensitive data: (adj+noun) (pronounce: Sen-sa-tiv day-ta)
Definition:
Data that cries like a whiny bitch.
@normen said: Still no answer, I guess it's just that your arguments have come to an end.
Arguments or no, allegations will not get an answer, no.
Doubly so if “no arguments” is yet another allegation and simply untrue.
@Empire Phoenix said: The most safe way is to use an unusual operating system, if you run a unix for example around 99.9% of all malware is out of the race as the delivered code is win only. Then use a non default browser and give it no read write access aside from the tmp/cache download folders and you are quite safe already. And I must agree with normen, if it must be safe, disconnect the computer from any network.
As I said, I’m not after NSA-safe computing, that would require an airgapped computer and is obviously useless for what we’re doing here.
Putting up absolutes is just a sign of not being interested in real-world arguments, which are often about trade-offs, and this is a case that’s mostly about trade-offs:
- Comfort loss by avoiding JS
- How important is your data to yourself
- How important is your data to others
- How important is the loss of a few days of free time for reinstalling
- How important is confidence in your data (since you usually don’t know to what point in time to roll back)
Different people are going to have different answers to that, all right; the only wrong answer to the situation would be “my answer is right for everyone”.
Just so that you sceptics know my personal perspective:
For me, since I’m a “road warrior”, all my professional data is on a single laptop.
There is some mildly relevant customer on it, so some extra care is warranted.
I’m using Linux, so I’m somewhat less vulnerable than most, but today, malware authors target the browser and install plugins, and there, I’m as vulnerable as any Firefox user, so I can’t assume I’m exotic enough to be untargeted.
I have a versioned backup, so nothing REALLY bad can happen, but it would still be more trouble to reinstall the OS and restore my user data, particularly since I wouldn’t know whether the backup is clean or not. Others might have less data to restore and check for integrity - the results of five years of work and use would be hard enough to check, but I have thirty years on this machine; I have data that’s two migrations old that I never got around to reintegrating. I once lost a decade of mail archives - not because of malware but because I couldn’t migrate the mailbox formats, but every reinstall is yet another opportunity to misplace, misformat or otherwise lose data. Data loss is rare, it’s been happening to me once in about ten reinstalls… and from that perspective, every reinstall is one too many.