Re: [NF] Clarification on web security

Author: Joe Yoder

Posted: 2014-07-30 at 13:59:41

I should have been more specific about my question. I am not challenging

the assumption that one needs to eliminate XP. My client is a small

non-profit who relies on donated machines when they are available. The

plan at this point is to use Terminal Services Sessions with Wyse thin

clients and do all processing on the server. This allows me to maintain

one OS and permits swapping Wyse terminals between users at will. The

point at which this scheme breaks down is when a vendor insists that they

will only accept connections from a browser runnng on Windows 7 or Windows

8. It is my impression that Windows 7 is a subset of Server 2008 and

Windows 8 is a subset of Server 2012. I suspect that web programmers need

to keep this in mind when they write code to accept or reject a connection

based on browser and OS combination.

What I set out to do was find who or what controls what browser and

operating system configurations are accepted for connection by the GFS.com

site. The GFS technical people seem to have an inflated understanding of

the role of the SSL certificate. Ultimately I need to help them correct

that understanding. I suspect that inspection of their site code by

someone who knows web programming would reveal what their criteria is. I

have done very little with web programming. Can someone point me to a good

starting point for this issue?

Thanks,

Joe

On Wed, Jul 30, 2014 at 12:23 PM, Ken Dibble <krdibble@stny.rr.com> wrote:

>

> This is happening today, every day. Even if you refuse to believe it.

>>

>

> All of which is equally applicable to every other Windows OS, and is a

> greater threat because there are more of them in use today, in toto, than

> there are of XP. People don't patch Vista or Win 7 or Win 8 either. They

> don't patch IE on those OSes, and idiots keep writing new web-based

> software that won't work on more secure browsers. They don't keep their

> anti-malware software up to date on those new OSes either. Nothing has

> magically changed about this going from Win XP to a newer OS.

>

> MS OS security is not "improving" as a whole; they just continue to fix

> what they can identify as broken as a result of demo or real attacks. Every

> day somebody figures out a new way to attack a new OS, and then that has to

> be fixed. The newer the OS, the more people are trying to attack it.

> Relatively fewer people are figuring out new attacks for old OSes. How many

> people do you think are working on new ways to attack Windows 2000 today?

> How many people will be working on new ways to attack Windows XP in 2

> years, as compared to today?

>

> Anything can be hacked; any security can be broken (just ask the NSA);

> nothing is safe. That is true today, and it will be true five, ten, and

> twenty years from now, for Windows and any other OS. The fact that some OS

> designs are harder to crack than others is irrelevant. If the motivation to

> crack it is high enough, it will be cracked. There is no magic design "fix"

> that entirely removes the danger. It can't be done.

>

> Today the bad guys aren't script kiddies goofing around to impress their

> friends. They are organized criminals, rogue governments, and terrorist

> organizations. They are principally looking to steal money, and

> secondarily, to develop options to damage or destroy critical IT

> infrastructure. Malware development costs them money, and they play the

> percentages. If a "hack" doesn't offer those opportunities in a big way,

> they don't spend time on it.

>

> Older OSes are safer from current malware development than newer OSes,

> because the motivation to break newer OSes is much greater, because it is

> more remunerative in those two ways, than the motivation to attack older

> OSes. This isn't rocket science; it's common sense.

>

> And the extent to which people do not keep their OS, browser, and

> anti-malware software up to date does not vary between OSes. So this source

> of problems is constant; it is not greater for XP than for 8.1. And there

> is more Vista, 7, and 8.1 combined running today than XP. Again, common

> sense.

>

> Last time we had this discussion, I cited overwhelming evidence from the

> web that Android phones are the biggest target for current malware. I don't

> remember what the percentage was then, but as of January of this year, it

> was 99%:

>

> http://www.v3.co.uk/v3-uk/news/2323418/android-and-java-

> top-security-targets-for-malware-and-hacks

>

> Java applications are also strong targets according to this article, but

> that's not OS-dependent.

>

>

> Ken Dibble

> www.stic-cil.org

>

[excessive quoting removed by server]

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox

OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/CABQeDnWnh7c6Ty6wpBJ0Uz3vKveE7RuWXfTe-zjKzR=kaqmJGA@mail.gmail.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2014 Joe Yoder