Dealing with ActiveX, other potentially dangerous embeds?

 
 
Marty Ross
      08-29-2003
Of those security-minded folks out there that *DO* choose to use MS/IE, how
do you deal with ActiveX or other potentially dangerous embeds in internet
media?

Realizing that each time I choose to allow an ActiveX object to run, I'm
giving it complete control to do whatever it wants to my entire system, I've
recently become paranoid: how come there haven't been MAJOR viruses released
via active X objects? Does anybody really "trust" the authenticode system?
Does "certification" really deliver on its promise (e.g., I don't know who
a GREAT majority of these companies that have supposedly "promised this
content is safe", so I feel it effectively doesn't make a difference whether
objects are certificated or not -- "I push the buttons and I takes my
chances!").

For that matter -- do y'all place any more trust in Java (or other) objects
embedded in web pages?

It seems to me it's plain out mutually exclusive -- **EITHER** I:

(1) allow myself to trust the universe (or spend a time investigating who I
think I'm talking to for each individual web transaction), accept the real
risks involved, and enjoy the fruits of sophisticated ActiveX/Java/whatever
objects (such as streaming media, other interactivity, etc.)

(2) restrict myself totally from all "active" content -- especially the
potentially more dangerous variety (such as ActiveX), yet remain a "hermit"
with respect to participating in much of the neat stuff that's out there,
much of it served up using these potentially dangerous technologies

Does anyone share my view on "the state of the art" with regard to security
from viruses and/or hijacking while using the internet, or is there some
middle ground where I can be safe *and* enjoy the latest-and-greatest at the
same time?

What sorts of disciplines do y'all follow to honor your own personal
appetite/comfort level?

- Security Newbie



 
mto
      08-30-2003

"Marty Ross" <> wrote in message
news:ScO3b.21743$ et...
> Of those security-minded folks out there that *DO* choose to use MS/IE, how
> do you deal with ActiveX or other potentially dangerous embeds in internet
> media?


The general consensus seems to be the same as dealing with ports - if you
don't need it right this minute, shut it off.

As far as using ActiveX I allow just one X-control - the one that has to be
active to use Windows Update. And even then, ActiveX is turned off unless I
am actively updating Windows.

> Does anybody really "trust" the authenticode system?


In a pig's eye. You might recall the incident a couple of years back when
someone managed to make off with a couple of secure server certificates
claiming to be Microsoft - but they weren't.

> Does "certification" really deliver on its promise (e.g., I don't know who
> a GREAT majority of these companies that have supposedly "promised this
> content is safe", <SNIP>


Safe for whom? Safe how? - as in safe it won't break your machine or safe
it won't violate your privacy/use your phone/etc.?

> For that matter -- do y'all place any more trust in Java (or other) objects
> embedded in web pages?


Of the bunch of them, I trust Java more than any other. (I am a web
developer BTW.) Note, however, that JavaScript in my opinion can be one of
the most dangerous. Recently I've even seen malware distributed using an
image tag.

Innocent till proven guilty may be the rule in court - but not when it comes
to my machine. Trust NOTHING implicitly.

> It seems to me it's plain out mutually exclusive -- **EITHER** I:
>
> (1) allow myself to trust the universe (or spend a time investigating who I
> think I'm talking to for each individual web transaction), accept the real
> risks involved, and enjoy the fruits of sophisticated ActiveX/Java/whatever
> objects (such as streaming media, other interactivity, etc.)


Too many nasties out there to trust - kind of like going to downtown Dodge
on Saturday night without your six-shooter. Investigating websites? You
will never get anything done - and God himself can't guarantee you that who
they say they are is real.

> (2) restrict myself totally from all "active" content -- especially the
> potentially more dangerous variety (such as ActiveX), yet remain a "hermit"
> with respect to participating in much of the neat stuff that's out there,
> much of it served up using these potentially dangerous technologies


Nope, you don't have to withdraw completely - just be selective. Keep your
security settings as high as possible and turn off absolutely everything
unless you need it. (Zone Alarm Pro helps there because you can allow
cookies/scripts/java on a site-by-site basis). When you come across
something you want, turn only what you need back on just long enough to
indulge. Get AdAware and Spybot Search & Destroy and use them. Make sure
that you have NO trusted sites.

Alternatively buy a Mac. If I didn't have to replace thousands of dollars
in programming to do so, you can bet your last dime I wouldn't be running
Windows anything.


 
John Veldhuis
      09-08-2003
Marty Ross wrote:
> Of those security-minded folks out there that *DO* choose to use MS/IE, how
> do you deal with ActiveX or other potentially dangerous embeds in internet
> media?


ActiveX is filtered out at the firewall proxy. Because of that I can't
activate MS Reader on my PocketPC, so be it. I have Acrobat Reader on it.

If I had it my way, JavaScript would all be filtered out as well.

Greetings
John

 
mto
      09-08-2003

"John Veldhuis" <> wrote in message
news:bjhk7a$j290m$...
> Marty Ross wrote:
> > Of those security-minded folks out there that *DO* choose to use MS/IE, how
> > do you deal with ActiveX or other potentially dangerous embeds in internet
> > media?
>
> ActiveX is filtered out at the firewall proxy. Because of that I can't
> activate MS Reader on my PocketPC, so be it. I have Acrobat Reader on it.
>
> If I had it my way, JavaScript would all be filtered out as well.


Easy enough. Turn off scripting under Tools/Options. Or install Zone Alarm
PRO which will disrupt it on its way in the door from the source. Or both.


 