Suspicious Icons on Desktop

 
 
DRosen
05-01-2006

Sebastian Gottschalk wrote:

> >>> BTW, who would be so stupid and save any cookie permanently?
> >> Perhaps you should read about the purpose of cookies and you
> >> will find an answer to that question.

> >
> > What do you imagine you can accomplish with a permanent cookie that
> > can't be accomplished in a more secure way with only a little more work,
> > by only allowing cookies to exist temporarily?

>
> The purpose of permanent cookies is to _intentionally_ store
> credentials. There's absolutely no need to permanently store any random
> cookie.


There's no valid reason for permanently storing credentials, in fact by
doing so those credentials are invalidated. The whole idea behind
supplying credentials is to verify your identity, and by having them
stored so that they can be used by anyone that validation no longer
exists.

> >> can't install a simple program

>
> I could, but as the program demands file access beyond reasonability, I
> won't do so. A wonderful 'security program' that needs to break security
> to start operating...


This would not be a cookie problem, but a browser or some problem with
other software. You'd first have to install the program, which isn't
difficult at all. But getting it to run is another story. Not possible
unless you've compromised something else and managed to take over the
flow of instruction execution and pointed it to the "cookie" you
installed. The exact same thing could be done with a "graphic" file
that's really a renamed executable, or any other file you could get
placed on the machine in a cache or temp directory.

 
Sebastian Gottschalk
05-01-2006
DRosen wrote:

> There's no valid reason for permanently storing credentials, in fact by
> doing so those credentials are invalidated. The whole idea behind
> supplying credentials is to verify your identity, and by having them
> stored so that they can be used by anyone that validation no longer
> exists.


The cookies are stored in the local user's account profile, so no one
else (except for the admin if the machine isn't yours, but then you're
****ed anyway) can use them.

>>>> can't install a simple program

>> I could, but as the program demands file access beyond reasonability, I
>> won't do so. A wonderful 'security program' that needs to break security
>> to start operating...

>
> This would not be a cookie problem, but a browser or some problem with
> other software.


This was about intentionally installing a pseudo-legitimate "spyware
scanner" for auditing the user's account. As the user has full read
access to all relevant data, there'd be no need for this program to
demand any additional privileges - but even the installer does! This is
a LUA problem, a big disgrace for a so-called security software.
 
Jim Watt
05-01-2006
On Mon, 01 May 2006 17:37:12 +0200, Sebastian Gottschalk
<(E-Mail Removed)> wrote:

>The purpose of permanent cookies is to _intentionally_ store
>credentials. There's absolutely no need to permanently store any random
>cookie.


Nonsense.

A cookie is a means of providing state to a web server which is
essentially a stateless environment. That's what it does. They are
either valid for a session, for a time or permanent.

>>> can't install a simple program

>
>I could, but as the program demands file access beyond reasonability,


Absolute nonsense.

>I won't do so.


Your choice, it's a good program. If you have any complaints take it
up with the authors. I just use it - regularly and successfully.

>A wonderful 'security program' that needs to break security to start operating...


So you say.

>> or write coherent English.

>
>English is not my native language.


That's pretty clear. And computers are not your subject either.

But when you can't answer questions properly don't post misleading
rubbish that confuses those who ask for help.
--
Jim Watt
http://www.gibnet.com
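
The three lifetimes named in the post above (session, for a time, permanent) correspond to the Expires and Max-Age attributes of a Set-Cookie header. The following Python is an added example, not part of any post in this thread; the one-year cutoff for "permanent", the function names and the sample headers are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption of this example: a cookie that outlives one year is called
# "permanent". Cookies have no real never-expires setting, only far-off dates.
PERMANENT_AFTER = timedelta(days=365)
MAX_AGE_CAP = 10**9  # seconds (~31 years); keeps the date arithmetic in range


def cookie_lifetime(set_cookie, now):
    """Return (name, kind) for one Set-Cookie header value.

    kind is 'session', 'timed', 'permanent' or 'expired'.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    expires_at = None
    if "max-age" in attrs:
        # Max-Age takes precedence over Expires when both are sent (RFC 6265).
        try:
            seconds = int(attrs["max-age"])
            seconds = max(-MAX_AGE_CAP, min(seconds, MAX_AGE_CAP))
            expires_at = now + timedelta(seconds=seconds)
        except ValueError:
            pass  # unparsable Max-Age is ignored; fall back to Expires
    if expires_at is None and "expires" in attrs:
        try:
            expires_at = parsedate_to_datetime(attrs["expires"])
            if expires_at.tzinfo is None:
                expires_at = expires_at.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            expires_at = None  # unparsable date is ignored as well

    if expires_at is None:
        return name, "session"      # dropped when the browser closes
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return name, "expired"      # how a server deletes a cookie
    if remaining > PERMANENT_AFTER:
        return name, "permanent"
    return name, "timed"


def survives_browser_close(headers, now):
    """Names of cookies that stay on disk after the session ends."""
    kept = []
    for header in headers:
        name, kind = cookie_lifetime(header, now)
        if kind in ("timed", "permanent"):
            kept.append(name)
    return kept


# Constructed sample headers, evaluated as of the thread's date.
NOW = datetime(2006, 5, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sid=abc123; Path=/",
    "prefs=lang-en; Max-Age=2592000; Path=/",
    "login=alice-token; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Path=/",
    "old=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "both=1; Max-Age=60; Expires=Fri, 01 Jan 2038 00:00:00 GMT",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(cookie_lifetime(h, NOW))
    print(survives_browser_close(SAMPLE_HEADERS, NOW))
```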
 
DRosen
05-01-2006

Jim Watt wrote:
> On Mon, 01 May 2006 17:37:12 +0200, Sebastian Gottschalk
> <(E-Mail Removed)> wrote:
>
> >The purpose of permanent cookies is to _intentionally_ store
> >credentials. There's absolutely no need to permanently store any random
> >cookie.

>
> Nonsense.
>
> A cookie is a means of providing state to a web server which is
> essentially a stateless environment. That's what it does. They are
> either valid for a session, for a time or permanent.


This is made up rubbish. Cookies and statefulness are about as related
as a stop light is related to the whole of traffic law. Sure that
traffic light is a subset (and stateful), but there's a whole world of
ideas and possibilities that "stateful" doesn't cover.

Cookies CAN provide state, but they can also hold working snippets of
code, raw data that's entirely stateless, and just about anything a web
browser can know about you or calculate from that information.

Also, cookies don't necessarily have to live for an entire session
either.

RE: Jim's statement concerning cookies and installing programs:
> >>> can't install a simple program

> >
> >I could, but as the program demands file access beyond reasonability,

>
> Absolute nonsense.


It's entirely possible to store working code in a cookie as data. You
can even read that code back and execute it, or retransmit that code to
the browser and have it executed on the user end assuming the user
allows it.

Executing it outside those guidelines would be another matter.

 
Sebastian Gottschalk
05-01-2006
DRosen wrote:

> Cookies CAN provide state, but they can also hold working snippets of
> code, raw data that's entirely stateless, and just about anything a web
> browser can know about you or calculate from that information.


All right, but the main purpose is to provide a state beyond session and
domain. And the few useless applications from the view of a user are
login states and sometimes configuration data. Anything else can and
should be done without cookies, f.e. per-session-tracking using a
session-id in the URL.

> RE: Jim's statement concerning cookies and installing programs:
>>>>> can't install a simple program
>>> I could, but as the program demands file access beyond reasonability,

>> Absolute nonsense.

>
> It's entirely possible to store working code in a cookie as data.


This part of the discussion is not related to cookies. It's related to a
certain stupid spyware scanner that has a LUA problem.
 
Jim Watt
05-01-2006
On 1 May 2006 11:34:44 -0700, "DRosen" <(E-Mail Removed)> wrote:

>
>Jim Watt wrote:
>> On Mon, 01 May 2006 17:37:12 +0200, Sebastian Gottschalk
>> <(E-Mail Removed)> wrote:
>>
>> >The purpose of permanent cookies is to _intentionally_ store
>> >credentials. There's absolutely no need to permanently store any random
>> >cookie.

>>
>> Nonsense.
>>
>> A cookie is a means of providing state to a web server which is
>> essentially a stateless environment. That's what it does. They are
>> either valid for a session, for a time or permanent.

>
>This is made up rubbish.


No, you just don't understand.

Buy the book 'Cookies' by Simon St Laurent and you might

ISBN 0-07-050498-9

http://www.amazon.com/gp/product/0070504989

available for only $2.24 although it cost me $34.95

Introduction:

The Importance of Maintaining State

Cookies address a major deficiency in the structure of the World
Wide Web.

When the Web first arrived, it seemed like a glorious new way to
communicate. Hypertext Markup Language (HTML) was simple, clean,
and easy to learn.

Setting up a Web server was a minor challenge for a UNIX system
administrator, but creating sites was easy. Hyperlinks gave
developers a new way to connect and organize information cleanly,
without layered menuing systems or difficult lookups.

Documents could cross international boundaries with ease, without
the need for onerous password systems, expensive application
programs, and impossible file directory structures. It was all
amazingly easy, deliberately simplified to the point that the
average high school student could create an extensive site in a
weekend.

>Cookies and statefulness are about as related
>as a stop light is related to the whole of traffic law. Sure that
>traffic light is a subset (and stateful), but there's a whole world of
>ideas and possibilities that "stateful" doesn't cover.
>
>Cookies CAN provide state, but they can also hold working snippets of
>code, raw data that's entirely stateless, and just about anything a web
>browser can know about you or calculate from that information.
>
>Also, cookies don't necessarily have to live for an entire session
>either.
>
>RE: Jim's statement concerning cookies and installing programs:
>> >>> can't install a simple program
>> >
>> >I could, but as the program demands file access beyond reasonability,

>>
>> Absolute nonsense.

>
>It's entirely possible to store working code in a cookie as data. You
>can even read that code back and execute it, or retransmit that code to
>the browser and have it executed on the user end assuming the user
>allows it.
>
>Executing it outside those guidelines would be another matter.


--
Jim Watt
http://www.gibnet.com
 
Jim Watt
05-01-2006
On Mon, 01 May 2006 22:33:41 +0200, Sebastian Gottschalk
<(E-Mail Removed)> wrote:

>This part of the discussion is not related to cookies. It's related to a
>certain stupid spyware scanner that has a LUA problem.


I suggest you communicate your thoughts with PCtools so they can help
make their products idiot proof.

For the rest of us it works fine, comes with regular updates and
gets rid of Spyaxe, which is why I bought it.
--
Jim Watt
http://www.gibnet.com
 
Borked Pseudo Mailed
05-01-2006
Jim Watt wrote:

> On Mon, 01 May 2006 14:29:51 +0200, Sebastian Gottschalk
> <(E-Mail Removed)> wrote:
>
> <garble snipped>
>
>>BTW, who would be so stupid and save any cookie permanently?

>
> Perhaps you should read about the purpose of cookies and you will find
> an answer to that question.


Perhaps YOU should back up your own blathering for a change. Why don't
you start with "Amazon" and see just how fast you get shot to hell.

<LAUGHING>

Come on Jimmykins, tell the class all about how it's so much BETTER to have
permanent cookies laying around when you can accomplish the same thing by
allowing them temporarily then deleting them. Oh wait..... that means you
have to ***gasp!*** type in things like your user names and stuff, huh?

Go ahead and be a lazy sot. See if anyone but the bad guys really cares.

>
>>>> A good commercial product to do this is Spyware Doctor

>>
>>Hm... this **** doesn't even install. And if beaten to work it only
>>produces a big load of false alarm and technical nonsense.

>
> Ah a 'security expert' who does not understand cookies can't install a
> simple program, or write coherent English.


Who in the HELL said anything about cookies "installing" anything you
illiterate halfwit?

Gottschalk might be a loud mouthed prat who's completely full of ****
about 2/3 of the time, but even though English is obviously a second
language for him he can follow a simple conversation better than you.

Not to mention he has the courage to defend his idiocy rather than
tucking tail and running like a coward when he's smacked in the head with
common sense. Isn't that right Mr "I got a phishing email so the only
POSSIBLE answer is Amazon is OWNED!"?

What a friggin moron......

 
zadoc
05-02-2006
On Mon, 01 May 2006 10:14:44 +0200, Jim Watt <(E-Mail Removed)_way>
wrote in <(E-Mail Removed)> :

|>On Mon, 01 May 2006 01:40:24 +0200, Sebastian Gottschalk
|><(E-Mail Removed)> wrote:
|>
|>>Sam wrote:
|>>[compromised system, some pseudo-security software]
|>>
|>>1. Where's the problem? The system was compromised, so it should be
|>>flattened and rebuilt.
|>
|>Nonsense
|>
|>>2. There is no such thing like "tracking cookies" with proper configuration.
|>
|>More nonsense
|>
|>Follow the advice of David Lipman he has a clue.
|>
|>Her computer has acquired some software that pretends to be
|>anti-spyware / a registry 'cleaner' - get rid of it.
|>
|>A good commercial product to do this is Spyware Doctor from
|>
|>http://www.pctools.com/

I have heard some good reports on this product.

On the other hand, I see some difficulties with it, some of which
I would rate as severe difficulties.

Firstly, and most obviously, the "trialware" program claims to
spot many potential difficulties, yet requires "registration" to
download the program and clear those problems.

This is highly, even terminally, illogical, of course! How can
I, in Australia, order the program on the net when one of the
unidentified problem infections might be a keylogger?

Which means that if I download the program and pay for it with
credit card one of the potential problem programs can
automatically steal all of these details?

.....And, of course, identity theft is one of the rapidly
increasing problems on the net.

So the first problem, for me, is how do I know which of the
"problem programs" listed might be a keylogger.


Secondly, although they do list an Australian representative
there is no phone number contact, so cannot order or pay for
"Spyware Doctor" over the phone without making an international
call to the USA.

Thirdly, once call up info on the product, there doesn't seem to
be any way to close down the contact to their website.

Why should this be the case?

Fourthly, although their "network administrator" [---or team---]
invites questions on the product, they apparently require name,
email address, and country.

Were I to purchase their product, which does look pretty good on
reports I have heard, I would obviously have to provide actual
name, address, account name, credit card number, expiry date,
etc.

.....But, again logically, if their sample product indicates four
infections, there is no way I am going to provide the above over
the net even on a supposedly "secure" connection, as a keylogger
can provide all of this info _en clair_ [in clear] no matter how
good my security or their security.

Just as clearly as if some stranger were looking over my shoulder
if slowly entered the data.

Fifthly, they don't say what the difference is between the
supposedly "full featured" program and the "lite version".

[Is "lite" supposed to mean "light"? Perhaps have been away from
the US too long. ]

Sixthly, although an Australian dealer is listed, there is no
phone number listed. [Or even a fax or email address, both of
which would be pretty useless for reasons listed above.]

Seventhly, even if decide to take the risks and download the
"full featured" version of the program, will obviously have to
provide actual name, email address, credit card number, expiry
date, and so on.

However, why should I have to provide any other personal details
if can find some local retail outlet? Nearest one who _might_
stock it is around 60 miles up the track.

Seldom deal with them these days, as even when get over there
they apparently not satisfied with my international credit card
details.

Name, card number, expiry date, signature. Which all my credit
cards have.

No address, no phone number, no personal details, no photo, and
so on.

Now if that isn't good enough for them, and it is with most other
retailers, personally or online, why should I bother to deal with
them at all?

For anything??? If they don't trust me, why should I trust
them???

Same seems to apply to "Spyware Doctor". I don't know what info
they will demand if I order their product, but I don't consider
it any of their damned business to ask for other information.

However, have written an even longer post to their "network
administrator" and/or "sales team".

If anyone on this group is interested, they should feel free to
post messages on the group and we can all discuss such security
risks as companies demanding names and addresses before the
product is even purchased.

All replies to group, please, at least initially.








 
zadoc
05-02-2006
On Mon, 01 May 2006 23:58:57 +0200, Jim Watt <(E-Mail Removed)_way>
wrote in <(E-Mail Removed)> :

|>On 1 May 2006 11:34:44 -0700, "DRosen" <(E-Mail Removed)> wrote:
|>
|>>
|>>Jim Watt wrote:
|>>> On Mon, 01 May 2006 17:37:12 +0200, Sebastian Gottschalk
|>>> <(E-Mail Removed)> wrote:
|>>>
|>>> >The purpose of permanent cookies is to _intentionally_ store
|>>> >credentials. There's absolutely no need to permanently store any random
|>>> >cookie.
|>>>
|>>> Nonsense.
|>>>
|>>> A cookie is a means of providing state to a web server which is
|>>> essentially a stateless environment. That's what it does. They are
|>>> either valid for a session, for a time or permanent.
|>>
|>>This is made up rubbish.
|>
|>No, you just don't understand.
|>
|>Buy the book 'Cookies' by Simon St Laurent and you might
|>
|>ISBN 0-07-050498-9
|>
|>http://www.amazon.com/gp/product/0070504989
|>
|>available for only $2.24 although it cost me $34.95
|>
|>Introduction:
|>
|>The Importance of Maintaining State
|>
|>Cookies address a major deficiency in the structure of the World
|>Wide Web.
|>
|>When the Web first arrived, it seemed like a glorious new way to
|>communicate. Hypertext Markup Language (HTML) was simple, clean,
|>and easy to learn.
|>
|>Setting up a Web server was a minor challenge for a UNIX system
|>administrator, but creating sites was easy. Hyperlinks gave
|>developers a new way to connect and organize information cleanly,
|>without layered menuing systems or difficult lookups.
|>
|>Documents could cross international boundaries with ease, without
|>the need for onerous password systems, expensive application
|>programs, and impossible file directory structures. It was all
|>amazingly easy, deliberately simplified to the point that the
|>average high school student could create an extensive site in a
|>weekend.
|>
|>>
|>>Cookies and statefulness are about as related
|>>as a stop light is related to the whole of traffic law. Sure that
|>>traffic light is a subset (and stateful), but there's a whole world of
|>>ideas and possibilities that "stateful" doesn't cover.
|>>
|>>Cookies CAN provide state, but they can also hold working snippets of
|>>code, raw data that's entirely stateless, and just about anything a web
|>>browser can know about you or calculate from that information.

Well, Jim, anyone who is concerned in any way with "security"
issues, is likely to be concerned about "cookies".

Sorry, but, that is just the way it is.

When the Pentium chips 3 & 4 came out it was eventually revealed
that the chips themselves contained a unique and transmissible
security code.

I can see the need for this in some ways, if the supplier of my
current system explains it.

However, just as no one bothered to explain the need [or even
desirability!!] of "cookies", suppliers were very quiet about the
"need" for a unique identifier on a Pentium Chip.

Already had one of my systems ordered when a newspaper article
alerted me to the risk and assured me that Dell had "turned off"
the option on the current issue of their systems.

Personally, was highly upset that they hadn't even mentioned the
point in their advertising.

Called the company, insisted to speak to a senior engineer,
raised hell about unauthorized identification of any poster to a
newsgroup, told him that unless he could assure me that the
option was indeed "off" in all programs then they could cancel
the order and would get another system from another supplier.

From my point of view, the objection is _NOT_ that an individual
computer or individual user can be identified.

That is almost as obvious as balls on a kangaroo.

How long do you think that ISPs maintain records for law
enforcement applications?

My guess would be around seven years.

Do I care? Nope, am not breaking any laws.

What I _DO_ care about is "data mining". What I buy, what books
I read, what programs or electronic bits I order, or anything
that indicates anything about my wife and I. It is simply none
of their damned business.

Especially when just inquiring about their product, as in the
case of

Even something so harmless as ordering tomato juice by the
case....which we don't, incidentally.

When I am interested in a program, I may seek more info on it,
but it irritates the hell out of me if when I ask a question they
demand my actual name and email address, let alone further info
such as postal address, phone number, and so on.

Hell, when I left the US, it was possible to meet someone without
providing a multitude of personal details.

Meeting fellow Americans for the past few years seems to involve
such intimate details as "What do you do for a living?" "How
much money do you make?" "Married or single?" If married, names
and ages of kids. Names and ages of kids' pets. What brand of
dog, cat, bird food [etc] they eat.... and so on.

What I find interesting is that only seem to get such questions
from Americans or Germans.

In Australia, people are only interested in your personality,
basically. Not, as in England, which school you attended. Not,
as in the USA how much money you make.

If computer suppliers, program suppliers, etc. had been more "up
front" about the supposed reason for "cookies" or "unique chip
ID" then perhaps some of us wouldn't have minded.

A few years ago, if you, or another visitor, were a personal
guest in my home, or even a visitor, and I was on the phone, you
might have asked that I toss you my wallet so you could see the
latest picture of my [non-existent] cocker spaniel pup.

Or wanted to go out to buy some cigarettes and wanted my keys to
the door, or even a small loan to buy the cigs.

Ten or twenty years ago, maybe. Not today.

Could trust retailers 20 years ago too, but not today.

Things clearer now?

Cheers,







|>>
|>>Also, cookies don't necessarily have to live for an entire session
|>>either.
|>>
|>>RE: Jim's statement concerning cookies and installing programs:
|>>> >>> can't install a simple program
|>>> >
|>>> >I could, but as the program demands file access beyond reasonability,
|>>>
|>>> Absolute nonsense.
|>>
|>>It's entirely possible to store working code in a cookie as data. You
|>>can even read that code back and execute it, or retransmit that code to
|>>the browser and have it executed on the user end assuming the user
|>>allows it.
|>>
|>>Executing it outside those guidelines would be another matter.
 