(Topic ID: 145690)


By maxwell

4 years ago

Topic Stats

  • 307 posts
  • 71 Pinsiders participating
  • Latest reply 4 years ago by Wolfmarsh
  • Topic is favorited by 8 Pinsiders


Topic Gallery

There have been 23 images uploaded to this topic. (View topic image gallery).


You're currently viewing posts by Pinsider pinchroma.
Click here to go back to viewing the entire thread.

#10 4 years ago
Quoted from vid1900:

As far as I can tell, Java is only used to install malware on computers .

This is ridiculous advise that no one should follow. Every single trading institution, bank, and most governmental municipalities use Java applets on their pages as do tons of cots software. What you need to be cognizant of is WHAT site you are on and whether or not the Java app is properly signed by which company and if the signing matches the company domain.

Sticking your head in the sand isn't a valid method of security. At all.

You might as well go remove:

Adobe reader,
Chrome plugin execution,
Firefox plugin execution,
Etc. as they all have identical if not more attack vectors.

Java at least provides not one, not two, but 3 confirmation requests before running an application and denies by default if the app isn't at least running a valid SSL certificate.

If you don't know what you are running, Java or not isn't going to fix that.

#13 4 years ago
Quoted from vid1900:

Even your other favorite security risk, Adobe Flash, will soon be no longer.
People are generally not computer experts and will make mistakes like typing in the wrong url.
Normal people: Make sure you kill off Java- Virtual Virus Machine. (if some porno website says you need the Java plug-in, go to xhamster.com instead.....)

Completely incorrect. Please don't speak authoritatively. "Normal" people can read. You aren't giving people enough credit. Java isn't the largest purveyor of viruses. Far far far from it.

Also since Windows 7 and the proper implementation of UAC (which I'm sure you disabled too) aside from the massive amounts of warnings and big red X's you get from an unsigned app and the fact it won't even execute on an improper url, UAC prevents browser based file execution unless you explicitly allow it with yet another massive prompt. So basically what you are telling people is don't cross the street at all in lieu of just watching for the "don't walk" sign.

Living in a bubble isn't a valid mechanism for security especially since the number of vectors for entry ahead of Java are in the hundreds. The amount of sites that use Java validly are in the hundreds of thousands whereas the number using it maliciously is probably 1% of that. Maybe you just browse some sketchy material?

If you are apt to take Vids advice I recommend you go back to using a piece of slate, hammer, and chisel because that's the only way you will be able to communicate without fear .

#65 4 years ago

So many clueless people its shocking. Java is just one of MANY MANY vessels and not even a predominant one for the proliferation of malware.

Using java requires MULTIPLE affirmative user interactions to be able to do ANYTHING. More so than any other mechanism.

I guess the old adage is correct. You can make something idiot proof (multiple alerts), and god will go and invent a better idiot.

Tremendous HUGE RED X's that say "DO NOT PROCEED" and people still click proceed and you guys somehow think that's java's fault? Comical at best. Sad is more like it.

P.S. as much as google is trying to crush npapi which is probably a good thing, their approach is horrible and has caused monumental institutional outages. Just about EVERY browser integration uses it. For example, those of you that use Citrix to connect to work. No NPAPI, no Citrix. Citrix has to rewrite their plugin for a new architecture specifically to work in Chrome now that npapi is disabled.

#67 4 years ago
Quoted from ForceFlow:

You don't always get alerts and warnings. The reason why Java is such a high security risk is that it can easily be exploited and that there are new zero-day exploits always being discovered and used for months (or years) before they are eventually patched.

Actually you do. CVE-2015-2590. The user is still prompted to accept the runtime and thus provide permission for the exploit to execute. The absolute first component in the javasec library is the infallible call for approval to run any app that hasn't explicitly be put on the "safe" list by the user. Items can only be put on the safe list by MANUALLY putting it there typing the URL by hand, it can't be put there by an accidental click.

One other thing to note is CVE-2015-2590 is the first zero day vulnerability found in java in 3 years prior to its discovery. Ask your favorite browser how many they have had in that same timeframe?


ZOMG Android users, stop using your phones.

The old saying that eternal vigilance is the price of liberty should be copied to the internet world to say:

Eternal vigilance is the price of technology. If you can't trust your own eyes not to do what you are being told not to do then there is no hope for you anyway.

#69 4 years ago
Quoted from vid1900:

You keep looking more and more foolish the harder you try to defend your reckless position.
Do you think that Maxwell clicked to give his permission 3 times to install that virus? Really???
In your mind, it's always best to blame the victim than to accept that Java installed a virus on this poor man's computer.
You are a sad man.
Chrome got rid of of Java 6 months ago.
No giant outcry.
The web did not break.
Everyone still did their banking, Black Friday sales, watched lol cat videos.
Yep 41% of web surfers are no longer using Java and most did not even know it.
Again, check here and make sure that you DO NOT have Java installed:

Head in the fucking sand approach. Smart. You might as well shut your machine down and vtoc your drives as your approach is to simply remove 1% of the attack vectors against the user and some how lull them into a false sense of security.

I guess the world should be glad your not an enterprise technologist and especially not one in security.

And yes with 99% of viruses that get installed on user machines they had to take action for it to actually land there. There are very few exploits that RCE occurs just by the visitation of a site and with no additional user action.

Think i'm making that number up? Go visit the qualys site or any other AMAV lab. Users cause their own fate. So in this case it really is a blame the victim. You are taught at every job that uses a computer, don't open or click on anything you aren't 100% sure about.

Sorry but your excuse of lack of common sense is the only foolish and wreckless thing here.

And chrome did NOT remove java btw. They disabled npapi which disabled about 80% of browser plugins and shit did break. TONS of shit.

#73 4 years ago
Quoted from ForceFlow:

Sheesh...why are you so against and getting so riled up about a simple security precaution?

Because it's better to educate than to hide. Far better. Remove something that provides valuable warnings to a user it doesn't prep them for the million other items that will ask them to "allow / run" that will actually cause problems.

You can't disable any/all of that so instead of it being a teaching experience and a good one because it provides 3 (possibly 4) different toll gates you just remove/obfuscate it so the next threat that can't be disabled just pops up in their face.

#80 4 years ago
Quoted from Wolfmarsh:

I invite everyone to read the Microsoft report where they present facts showing that Java was the main vehicle for malware attacks in Q3 2010.
Kaspersky Labs stated 2012 was "the year of Java vulnerabilities". In 2012 Java surpassed even Flash as the most used vehicle to carry out attacks.
Read those, and decide for yourself.

Articles from 5 and 3 years ago which are no longer relevant since the implementation of the jsl library. Can't anyone find anything current? NOPE.

#85 4 years ago
Quoted from SirScott:

Remember this gem from last year:

And now we get this nugget in this thread:

Then in the same previously-mentioned thread we have this one:

Now you are spouting off about why disabling Java is a bad idea?
Methinks that arguing is more your MO instead of actually providing any sort of solid security advice.

Did you actually read what you quoted? I said the same exact thing three times. Maybe the wording was too technical?

#102 4 years ago
Quoted from Aurich:

You mean like the 0-day exploit from July of this year that I posted above that you're conveniently not addressing?
Are you just being stubborn because it's your nature? Or is there something else going on here? I hope JJP's online strategy isn't centered around using a browser-based Java applet or something.

You mean the zero day exploit that is only exploitable if you ACTUALLY accepted the 3 prompts telling you NOT TO accept an unsigned, app from an unknown developer on a site with an invalid certificate?

Yeah that ZERO DAY exploit.

Did you know Aurich that you had to accept the execution of that zero day exploit 3 different (4 if the source is non ssl) times to actually get it to run?


You're absolutely correct. They don't actually understand the technology. But they can google with the best of them

We call people who have no real world experience and rely on search results but can't decipher the underlying problem as "Cloudies".

People who's head is in the clouds with no real world experience. And you're right. I shouldn't care because I don't have to support the outcome of these infections

#115 4 years ago
Quoted from SirScott:

Cue the personal attack on Aurich in 5...4...3...2...

You mean the one where he called me a "needling dick?" That personal attack? Nope. Won't stoop that low. However let's see if anything comes of it. Let's see if the golden boy gets a slap.

#148 4 years ago
Quoted from Astropin:

BTW (since I didn't see it posted) does everyone know how to get rid of those virus warning screens that highjack your browser?
On a Windows computer just open up your task manager and shut down your active browser.....done & done. No phone calls to make and no viruses installed.
On a MAC....I have no idea.....never owned one

Drop to a terminal:


for a in ps -ef |grep -i "safari" |awk 'print $2' ; do kill -9 ${a} ; done

Kills all processes with safari in the name. Replace with chrome or Firefox

#155 4 years ago
Quoted from Astropin:

I hope you're joking.

You're right. I borked the awk print on my phone.

The proper syntax is:

for a in ps -ef |grep -i chrome |awk ' { print $2 }' ; do kill -9 ${a} ; done

Someone asked how to force kill things on a mac. Sometimes the old "Force Quit" from the menu bar does nothing. This is much more effective

*EDIT* Ahh hell nevermind. Pinside formatting is removing some of syntax formatting.

#202 4 years ago
Quoted from JoeJet:

Thats actually Vid's understanding of what Java looks like.


#238 4 years ago

Considering i'm predominantly Linux and MacOS, Windows 10 is much better than 8.x. Not quite as user friendly as 7 but as stable with some elements being much quicker.

Once you realize that microsoft renamed everything like "Computer" to "This PC" it becomes easy to find items. Just search out their new names. Otherwise most everything is in the same spot.

#250 4 years ago
Quoted from CaptainNeo:

wait what? you went with an apple product and say your a cheap bastard? That can't even be said in the same sentence. Apple ass rapes you hardcore on prices for all their crap.

That couldn't be further from the truth. Like anything you get what you pay for. I replace a PC based laptop every 24-30 months for either shitting the bed or some other reason. So I've spent over a 5 year span 4-5 grand or almost 1k a year to own them.

My MacBook pros go strong for 5-6 years and cost 2500 to buy thus costing me $500 a year.

Better engineered. Better designed. Better standardized ecosystem. There just isn't any downside to them.

#267 4 years ago
Quoted from CaptainNeo:

thats bullshit to a tee. I don't know what PC products you are buying but I have around 15 computers in this house that get used. and most of them are anywhere from 10-6 years old. I've never had a PC take a shit, except from the laptop I plugged into the TV and a non grounded outlet and fried the motherboard.

HP, Dell, Lenovo. All crap. And I'm talking about laptops not desktops you build. Anything I've built lasts as long as I want it to.

If your newest machine is 6 years old and you stated you are running XP then that confirms what we all already knew. You are one cheap f... XP is no longer supported or patched by Microsoft. Not a good idea to still be running it. But I guess if your machines are a decade + old you need it.

#294 4 years ago
Quoted from Spyderturbo007:

Right.....because Apple manufacturers their own components.
They all buy the same stuff from the same manufacturers, shove it in a different box and throw a different operating system on it.

Wow.. NO. The difference is the design. NONE of their shit is COTS packaged products. None of it. Every single piece/board/etc is designed by them. Of course manufacturing is outsourced. Everyone outsources the manu. But they DON'T outsource the design like other vendors.

Go buy any random motherboard and slap it into a macbook. See how far you get

#297 4 years ago
Quoted from vicjw66:

You must be fun at parties. Have you ever been wrong before n your life, let alone admitted that other point of views might have some merit?

1). I'm a hoot. 2). I'm correct. Apple doesn't use COTS anything like every other vendor. They want things to be seamless and the only way to get that is to design it yourself.

#302 4 years ago
Quoted from beelzeboob:

I've heard Alex is actually a lot of fun at parties. Although I wouldn't know personally, because every time he catches wind that I'm about to show up, he leaves.

LOL. Your timing sucks. I'm ALWAYS at the parties or events. You just show up fashionably late.

#304 4 years ago
Quoted from girloveswaffles:

Or as I call it, the non-pro MacPro (and I have a REAL MacPro in a metal tower). The new Macpro is the bastard grandson of the Cube.

It's awful. I get ivy wanted it to be slick looking and it is but it's usefulness and expandability just isn't there. You can't rely on all external devices.

Promoted items from the Pinside Marketplace
From: $ 9.99
Matt's Basement Arcade
$ 219.99
$ 9.95
Playfield - Toys/Add-ons
€ 3.95
Flipper Parts
$ 6,995.00
Pinball Machine
Gulf Coast Pinball, LLC
From: $ 9.99
Matt's Basement Arcade
$ 159.99
Cabinet - Armor And Blades
Great American Pinball
From: $ 1.00
$ 79.99
Cabinet - Armor And Blades
PinGraffix Pinside Shop
From: $ 9.99
Matt's Basement Arcade
$ 219.99
Lighting - Led
$ 44.00
Cabinet - Other
Pinball Forever
$ 79.99
Cabinet - Armor And Blades
PinGraffix Pinside Shop
$ 24.99
Lighting - Led
Lee's Parts
$ 5,599.00
Pinball Machine
Classic Game Rooms
From: $ 5,799.00
Pinball Machine
Flip N Out Pinball
$ 5,799.00
Pinball Machine
Classic Game Rooms
From: $ 42.00
Cabinet - Shooter Rods
ModFather Pinball Mods
$ 38.75
Playfield - Toys/Add-ons
The MOD Couple
From: $ 18.00
Apparel - Men
Pinside Shop
From: $ 9.00
$ 45.00
Playfield - Toys/Add-ons
$ 55.00
Lighting - Interactive
Rock Custom Pinball
From: $ 11.95
Playfield - Toys/Add-ons

You're currently viewing posts by Pinsider pinchroma.
Click here to go back to viewing the entire thread.

Hey there! Got a moment?

Great to see you're enjoying Pinside! Did you know Pinside is able to run thanks to donations from our visitors? Please donate to Pinside, support the site and get anext to your username to show for it! Donate to Pinside