gcmartin wrote: But, if you are suggesting that this exploit is being used against some of us in LH64, I disagree. (As someone who has been in OS development and systems operations for the past 40 years!)
Were you attacked by this vulnerability? I hope it is not something to just raise a fear-level.
Sorry, as having been involved with DB, system, application and site security over the past years and the teams I have worked with in planning and deployment, I find the concerns raised here about JAVA and FLASH as ill placed.
This distro has NOT reported data loss or users being attacked because JAVA (for OFFICE) or FLASH (for browsers) have been exploited to the detriment of community use.
Unless you are showing that it has, we should continue to support and push forward LH64 functionality versus raising fears to limit its flexibility. Limiting flexibility does NOT promote user acceptability for 64bit systems with all of the RAM that accompanies these PCs.
But, should you or anyone want to share how to limit it after you begin its use, I would welcome and applaud the info.
Here to help
It seems that the basis of your argument is that, since we are unaware of anyone using LHP getting attacked by this vulnerability (in Java), we should not worry about it or be proactive.
A) We have no way of knowing if someone HAS been hit by this exploit or not, because not everyone who has downloaded or used LHP is on this forum and actively reporting all their issues.
B) Even if we knew as an empirical fact that not a single user of LHP was hit by this exploit, it shouldn't matter. Just because something has not happened yet does not mean that it won't.
Pretty much every security expert on the planet has said that certain programs which are known to be buggy should only be used when needed. This is, in fact, common sense. The same reason we don't have Apache software running on our home computers. Yeah, it could give us some benefits for sharing files on our own local network, but the problems it introduces FAR outweigh the benefits.
Yes, Java can do some pretty cool stuff. But what benefit is a Java music player? Is it better playing media files over a program coded in C or C++?
If we have a choice between two programs for playing music, one Java and one C++ based, it makes more security sense to use the one that's not based on a horribly exploitable code platform. Unless the Java based one offers some amazing feature that users simply can't live without... the cost/benefit analysis would tip in the favor of the non-Java based program.
This isn't about raising fear level. It's about educating people as to the potential risks involved in certain software packages. Fear mongering would be saying "NEVER USE JAVA OR YOUR COMPUTER WILL BE HACKED AND YOUR BANK ACCOUNT DRAINED!"
I don't think anyone who is speaking out about Java being used is going to that extreme. We are simply saying (in my mind at least), know the risks you have, and use Java only when it's needed. Java does not need to be running or active on my machine when I'm sleeping or out at the store shopping. For anyone to say, Java is great to use, use it all the time, and don't worry about the vast multitude of exploits for it, is doing nothing but promoting ignorance of the risk involved in using Java.
Ignorance is NOT bliss. To argue that, since we don't know absolutely that there is a problem, we should act as if there isn't one, is silly. I'm not in any way advocating that we shouldn't use Java at all. On the contrary, I have it on my system. But I install/uninstall it as I need it for certain programs. There is no benefit for me having it active when I'm not using it. All Java does when not being used is introduce another attack vector into my system.
That's why I keep Java and Flash as SFS files. I can load them when I need them, and unload them the rest of the time. A simple shell script could be written to load the SFS and activate the program I need, and then at program shutdown unload the SFS from memory. I haven't done so because I don't consider it a hassle to mount/unmount the SFS if/when I need it.
Jasper wrote: Hi,
My personal concern relates to malware set to "explode" at a future date e.g. 1st January 2013 when all my current backups would be likely to be corrupted and full recovery might be difficult or impossible. Is there any protection for Puppy users?
Secondly, Windows users frequently use an active anti-virus-malware protection program whereas Puppy users rarely have active guards. Can any active av program provide protection against, for example, some java exploits?
My regards
To start off I'll quote the mantra "Backup often, backup early"
Second, you should have your backups stored on removable media somewhere other than attached to your computer.
Malware that is set to "explode" can only work if it's lying in memory waiting to initiate. If/when it does, it can only affect any storage device attached to your computer. A backup hard drive in your drawer won't be touched. So... if you do get popped, you can reload and go.
One reason I use frugal installs is so I can back up my system (my safe file) as often as I want. If one gets corrupted, all I need to do is reinstall my system and copy the backed-up safe file to my computer and I'm back in business.
As for A/V malware protection for Linux, there are some. I personally use ESET Nod32 for Linux. But.... it's not free. Ironic you asked this, because I was working on packaging up an AV program for LHP this weekend and coming week. I was going to package up ClamAV. I prefer Nod32 because of its heuristics that actively scan memory. I find that it's far superior to other AV products at detecting unknown viruses.
That being said though, AV products can't guarantee protection against application exploits. It may be able to detect some through scanning programs in memory and what changes they are attempting to make, but it can't promise much. Once an exploit is known, usually AV companies do add those definitions into their products.
Jasper wrote: Hi again,
With my 1024 pixel width, the display of text on page 16 of this thread is far wider than that.
With Opera I have it set to word wrap, but if anyone could explain how to achieve word wrap in SeaMonkey, Firefox and/or any other browser that might be a help to some of us.
My regards
I don't know much about that... but this might be what you're looking for:
https://addons.mozilla.org/en-US/firefo ... word-wrap/
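
The load-on-demand idea described earlier in this post (keep Java or Flash in an SFS file, load it for one program, unload it when the program exits) can be sketched as a small wrapper. This is an added example, not part of the original post: it assumes a plain read-only squashfs loop mount run as root rather than the distro's own SFS loader, and the paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): run one program from an SFS
# image that stays mounted only while that program is running.
# Assumptions: a plain read-only squashfs loop mount, run as root; the
# paths in the usage line are hypothetical.

# The mount commands can be overridden, e.g. for a dry run.
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}

# run_from_sfs IMAGE MOUNTPOINT COMMAND [ARGS...]
# Returns COMMAND's exit status; 2 = bad arguments, 3 = mount failed,
# 4 = image could not be unmounted afterwards.
run_from_sfs() {
    sfs=$1; mnt=$2
    [ -f "$sfs" ] || { echo "no such SFS image: $sfs" >&2; return 2; }
    [ $# -ge 3 ] || { echo "no command given" >&2; return 2; }
    shift 2

    mkdir -p "$mnt" || return 3
    # ro: the image cannot be modified; nosuid,nodev: nothing inside it
    # gains privileges or device access just by being mounted.
    $MOUNT -t squashfs -o loop,ro,nosuid,nodev "$sfs" "$mnt" || return 3

    # Keep this shell alive on Ctrl-C / TERM so the unmount below still runs.
    trap ':' INT TERM
    # Subshell: the extended PATH disappears together with the program.
    ( PATH="$mnt/bin:$mnt/usr/bin:$PATH"; export PATH; "$@" )
    rc=$?
    trap - INT TERM

    $UMOUNT "$mnt" || { echo "warning: $mnt is still mounted" >&2; return 4; }
    return "$rc"
}

# Usage (hypothetical paths):
#   run_from_sfs /mnt/home/java.sfs /mnt/java_sfs java -jar app.jar
```

A return value of 4 means the runtime is still reachable on the system and the mount point should be checked by hand.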