
Have you learned nothing from the NSA?
You need the haystack to find the needle.
If the Target hack – along with all its predecessors – taught us anything, it's that the database isn't the vulnerability. It's the data that's the problem. If you're collecting data, you're a target. That means you have to ask yourself, “do I need this?” Yet in spite of frequent demonstrations that a determined attacker will …
NSA know where some needles are, and the potential victims whose names are on them, but cannot notify the persons whose names are on , because to do so would alert the outside world that the NSA have been conducting illegal surveillance. (e.g. Boston Marathon bombings)
The needle is only there when they observe it consciously, before that, the needles' waveform is spread out over all possible haystacks.
Sorry, couldn't resist. Mine is the one with the original manuscript "Towards a Quantum Mechanical Interpretation of Homeopathy" in the pocket
My thought exactly. If it's a desktop application, there's nothing especially strange about it being able to access all of your files, given that desktop OSes simply don't have the same permission model that mobiles have. Chances are that Chrome just shows that warning on any .exe you download - I don't even see how it could possibly know what permissions the program requires. On Windows, pretty much the only choice is whether to require administrator or not, but even that is not something that can be easily learned without trying to run the app.
Running a browser in a slim VM might be the safest general approach.
Under Linux there is also the option of having AppArmor sandbox the browser and limit reading and writing, though that profile (e.g. firefox) is off by default on Ubuntu. I don't know why that is, probably so users don't see Firefox, etc., crash and burn without warning when they try to save or upload from anywhere other than the Downloads directory.
As a SQL Server admin I'm tired of seeing third-party applications that ask for an 'sa' level login, but when pushed they can't honestly definitely say exactly WHY. Or the Windows service account that needs to be a local admin, with the same justification: "we always configure it that way".
Lazy and/or time constrained developers!
Ugh... We had one software vendor tell us to disable DEP both on client machines AND a server to solve an issue with their software crashing in certain cases. I told them I wasn't turning off a security feature that had (at the time) been around for over 7 years.
Although it was actually pleasing to hear them suggest something other than "reinstall the software", which was their usual fix.
Obviously, the patriarchy has fiendishly discovered that the hoi polloi can never unite to demand international brotherhood and justice if they are kept busy looking for the sixth screw that the instructions say are needed to complete assembly!
"Honey!? Did you see another packet of hardware when we unpacked the bookcase?"
"Moreover, the warning wasn't raised by the kitchen planning tool. The Register only spotted it because Chrome raised the dialog. No such warning appeared when we accessed the same site on Firefox, for example."
The warning is raised because it is trying to install a Chrome Extension. All Chrome Extensions must declare the permissions they wish to use (or optionally use). Lazy developers request them all because they can't be bothered to look at the docs and see which ones are required by the API they are using.
If it tries to install a Firefox Add-on, it will ask if you want to install it. Firefox does not have a permission model for Add-ons. Firefox Add-ons are run as trusted code. It's all JavaScript so if you're a developer you can always download the XPI, unzip it, and see what it does. I know that's not much help to those who are not Firefox Add-on developers. The downside to Chrome is they can put all of their extension code into NaCl so you can't tell what they are doing with the permissions they've requested (well, you could find a disassembler and work it out).
Neither browser by design allows JavaScript from a website to access anything on your computer (there are flaws that do though). In either case you will be warned before you install an Extension/Add-on.
For the record, I am an Add-on/Extension developer and I don't find the entire model of these extensions to be entirely satisfactory. I wish all of the browsers had much better/finer access control, but there will also always be bugs that allow the permissions to fail. If you can't live with the state of things, don't install extensions or get a VBox/VMWare image that you can browse with and always roll back to the last good snapshot.
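The declared-permissions model described in the comments above can be checked mechanically before installing an extension. The following is an added example, not part of any comment in this thread and not code from Chrome or any extension: it audits a `manifest.json` for match-everything host patterns and sensitive API permissions. The sample manifest, the function names and the choice of which permissions count as "sensitive" are assumptions made for illustration.

```javascript
// Constructed sample manifest (not taken from any real extension).
const SAMPLE_MANIFEST = {
  name: "Kitchen Planner Helper (constructed sample)",
  manifest_version: 2,
  permissions: ["tabs", "storage", "<all_urls>", "cookies", "https://planner.example/*"],
  optional_permissions: ["history"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }]
};

// Host match patterns that cover every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Assumed review list: API permissions that expose browsing data or wide control.
const SENSITIVE_APIS = new Set(["tabs", "history", "cookies", "webRequest",
  "downloads", "management", "debugger", "nativeMessaging", "clipboardRead"]);

function classify(entry) {
  if (BROAD_HOSTS.has(entry)) return "broad-host";
  if (SENSITIVE_APIS.has(entry)) return "sensitive-api";
  return null; // narrow host pattern or low-risk API
}

// Walk every manifest key that can grant access and collect findings.
function auditManifest(manifest) {
  const findings = [];
  const scan = (list, where) => {
    for (const entry of list || []) {
      if (typeof entry !== "string") continue; // skip malformed entries
      const kind = classify(entry);
      if (kind) findings.push({ where, entry, kind });
    }
  };
  scan(manifest.permissions, "permissions");
  scan(manifest.optional_permissions, "optional_permissions");
  scan(manifest.host_permissions, "host_permissions"); // Manifest V3 key
  (manifest.content_scripts || []).forEach((cs, i) =>
    scan(cs.matches, `content_scripts[${i}].matches`));
  return findings;
}

function summarize(findings) {
  return {
    broadHost: findings.filter(f => f.kind === "broad-host").length,
    sensitiveApi: findings.filter(f => f.kind === "sensitive-api").length
  };
}

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.kind.padEnd(13)} ${f.where}: ${f.entry}`);
}
```

Content-script match patterns are scanned as well because a script injected into every page can read those pages even when the `permissions` list itself looks short.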
"It's probable that the developer created the app with the widest possible permissions so it worked easily in the lab, and never went back and changed them to something appropriate for the Internet: I accept that."
lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy lazy !!!!!!
and dangerous
and amateur
The amount of software I've had to carefully recreate the conditions of the developer's bedroom in order to get it to work! Usually bought by govt depts, schools or colleges
also software designed for businesses that seems oblivious to the idea of a "roaming profile", or that the user may not have admin rights
I'm afraid I've known enough people in the industry to treat seriously the idea that this could be a malicious slurp. "Sure," some greasy manager says, "let's try to grab as much as we can. When we've built a good customer base we'll leverage that and sell out."
It's not evil -- it's just a complete lack of respect and a willingness to throw everybody else under the bus because it's about getting on, innit?
"If the Target hack – along with all its predecessors – taught us anything, it's that the database isn't the vulnerability. It's the data that's the problem"
No, the lesson is don't connect your POS terminals to the Internet and don't run your POS infrastructure without a full irrevocable auditing system in place.
The internet is no place for critical infrastructure
"The debate topic I propose here can therefore be restated as calling out, “Hypocrisy!” on the claim that the Internet is a critical infrastructure either directly or by transitive closure with the applications that run on or over it"
My router has several domain and port blocks, my Firefox is heavily secured using several plugins, and I use the SRWare Iron build of Chrome. I tend to run intrusive stuff on a separate browser, even a browser in a Virtual Box OS VM, to stop leakage.
Don't trust anyone fully until they prove they can be trusted, and never keep personal details where they can be hoovered up!