Great Circle Associates Firewalls
(January 1997)
 


Subject: Re: blocking javascript
From: Steve Gallipeau <Steve @ hon . com>
Organization: SDG Consulting
Date: Sun, 19 Jan 1997 14:37:51 -0500
To: Adam Shostack <adam @ homeport . org>
Cc: firewalls @ GreatCircle . COM, mccurley @ cs . sandia . gov
References: <199701191522 . KAA13629 @ homeport . org>
Reply-to: Steve @ hon . com

Adam,

Your entire argument is based upon assumption and contradiction.

Adam Shostack wrote:
> 
> "I would advise all to stay away from this site."
> 
>         You're advocating not knowing how broken your web browser/mail
> reader is.  I consider that sticking your head in the sand.  Digicrime
> *clearly* is intended to point out problems with web browsers; why
> else would they say 'Don't click here' all over the place?
> 
I accessed the 'digicrime' site using Netscape 3.0 running on NT 4.0. 
That was the _first_ time my 'broken' browser has crashed.  I didn't
have the time or opportunity to click 'all over the place'..my browser
crashed after my email address was pulled and email sent.  Also, I have
never had difficulties with the Netscape email function and have used it
as my prime source of email for the past 1 1/5 years.  So then, were you
saying that the intention was to show how 'broken' some browsers _may_
be or that they are 'susceptible' to prying code?  All assumptions
aside.
 
> Adam
> 
> Steve wrote:
> | Adam Shostack wrote:
> | >
> | >         Steve, you seem to be advocating sticking your head in the
> | > sand.  Kevin (and his unindicted co-conspirators) have shown that
> | > there are real problems.

Problems with the way browsers are configured or their lack of
protection from errant code or intentional criminal activity?  Which is
it?  This is your argument Adam so you need to explain what point you
are trying to make here.

> If those problems bypass your firewall to screw with your browser,
> your firewall may need updating.

Who are you addressing here?  I don't recall mentioning a firewall so
you must be expressing your general personal opinion?  You also need to
be a little more specific in regards to what exactly you mean by 'those
problems'.

> If Kevin can crash your browser, it's probably through a memory fault,
> which may be exploitable to get access to your machine, which helpfully
> tells the remote site which platform you're using with a Browser:
> message header.

Which is it?  A 'broken' browser or memory fault?  At this point, your
argument is both contradictory and assumptive.  BTW, info on browser
and platform is freely available to any webmaster by just checking the
access logs which every http daemon maintains.  You obviously don't have
much experience in this regard and should not be coming to any
conclusions on Kevin's intentions.  

> I advise everyone to turn off your security settings, go to
> digicrime, and see how well your firewall is protecting you.

Again, which is it?  Leave one's firewall running to see 'if it needs
updating'?  Or turn it off and watch one's 'broken' browser crash?  Or
did you mean something different by 'security settings'..?  The above
statement appears to be a challenge of sorts..are you speaking for
the author here?  Or is this more of your advice?
> | >
> | > Adam
> | >
> Steve's original message, re-inserted.
> 
> |>>Ok..nice trick pal.  I would advise all to stay away from this site. I'm sure that it was intended to be very informative but upon entering this site, my email address was extracted and then Netscape 3.0 (which I am using) was hosed!  By hosed I mean None other than the dreaded APPLICATION ERROR which hoses all Netscape open windows including mail, news and the Browser.  Of course if you don't mind your browser being hosed, go ahead and check it out by all means.
> |
You seem to have completely misunderstood my post (above) and what I was
saying.  Let me put it bluntly..the demonstration as intended either had
script errors or was intended to crash one's browser.  Then again, there
could have been other purposes intended here..note the author has not
yet spoken up though he has been included in this thread..  My intention
was to set off a little alarm that the site may be more than it seemed
or needed a little work.
Just out of curiosity Adam, do you have _any_ experience with websites
or firewalls?  Any type of position in the computer industry?

> | Adam,
> |
> | Advocate sticking my head in the sand..You lost me on that one.  So you think that the intention of the site was to crash someone's application or system?  Why don't we all wait till we hear from the author before  coming to conclusions on what or why.
> |
Which word didn't you understand?  I think I clearly stated that we
should not assume anything at this point.  Not unless you feel confident
in speaking for the website author.  Speaking of the author, I'd be
curious why he uses an email in NM but his website is registered in NL.
> 
> --
> "It is seldom that liberty of any kind is lost all at once."
>                                                        -Hume

Steve

