Re: [Ql-Users] Email attachments

2017-01-15 Thread pjwitte

On 15/01/2017 11:04, Derek Stewart wrote:


> If the operating system is in ROM, I do not think this is going to
> work, also there is no or very limited Internet access for the QL
> systems and I do not think hackers will see QDOS/SMSQ/E as a viable
> target.

May I add this quote to my collection of Famous Last Words, Derek? ;)

Slowly but surely even the "QL" is becoming more connected, and who 
knows what new possibilities might emerge? Networked games over the 
Internet, email, maybe even a browser (using SBASIC as a client-side 
scripting language),.. Then there are all those new digital refugees - 
particularly the "retro-brigade" - swamping our cosy little Forum 
with ideas from the previous millennium, and others too, with 
subversive new ideas like moving pictures, and wotnext.. Terrorists 
could so easily slip through Commisario Vanpeebles' net, masquerading 
as innocent tinkerers! ;)


We live in dangerous times. A little paranoia goes a long way. In my 
estimate of the original question (could some kind of destructive/spy 
code enter the QL world from outside?): Yes, it is theoretically 
possible, and becomes ever more so, but at present it is _highly 
unlikely_. Should ever any such attack occur it would most likely come 
from within the QL community, and that would leave a limited number of 
suspects (one of whom, by his own admission, has terrorist tendencies! 
;) However IMHO, anyone considering developing tools or applications 
for the QL environment that use the Internet, should give some thought 
to possible dangers and risks.


Per
___
QL-Users Mailing List


Re: [Ql-Users] Email attachments

2017-01-15 Thread Derek Stewart


On 15/01/17 09:23, Graeme Gregory wrote:



> On Sun, 15 Jan 2017, at 05:47 AM, Daniele Terdina wrote:
> > > Not sure how you come to that conclusion, I used to work on Java and it
> > > goes through a stringent security process.
> >
> > AFAIK Flash used to be the most vulnerable software (when also taking
> > user base into account), but since it lost favor Java has been the top or
> > one of the top for a long time.
> > See for example:
> > http://www.csoonline.com/article/2875535/application-security/java-is-the-biggest-vulnerability-for-us-computers.html
> >
> > Java is the biggest vulnerability for US computers | CSO
> > ...
> > www.csoonline.com
> > Java is the biggest vulnerability for US computers Oracle's Java poses
> > the single biggest security risk to US desktops, says a new report
>
> If you actually read the article, that's because of the huge attack
> surface of old unpatched Java installations in the world. It is after all
> written by a company selling their auto patching software. That's like
> saying QDOS is really awful because of a bug you found in the AH ROM
> that was subsequently fixed.
>
> If you notice the JAVA NPAPI plugin is pretty much dead now, modern
> browsers won't even allow you to load it.
>
> Unfortunately the one thing we have never managed to work out a fix for
> in the industry is the wetware that exists between the chair and the
> keyboard :-(
>
> But the biggest threat at the end of 2016 was most certainly IoT
> devices, at least two massive botnets were formed from them and those
> bloody things never get patched.
>
> Graeme


Hi,

How does the QDOS operating system get a Java Plugin? The only 
Java-based system is SMSQmulator, which we have been is secure enough.


If the operating system is in ROM, I do not think this is going to work, 
also there is no or very limited Internet access for the QL systems and 
I do not think hackers will see QDOS/SMSQ/E as a viable target.


Regards,

Derek


Re: [Ql-Users] Email attachments

2017-01-15 Thread Graeme Gregory


On Sun, 15 Jan 2017, at 05:47 AM, Daniele Terdina wrote:
> > Not sure how you come to that conclusion, I used to work on Java and it
> > goes through a stringent security process.
> 
> AFAIK Flash used to be the most vulnerable software (when also taking
> user base into account), but since it lost favor Java has been the top or
> one of the top for a long time.
> See for example:
> http://www.csoonline.com/article/2875535/application-security/java-is-the-biggest-vulnerability-for-us-computers.html
> 
> Java is the biggest vulnerability for US computers | CSO
> ...
> www.csoonline.com
> Java is the biggest vulnerability for US computers Oracle's Java poses
> the single biggest security risk to US desktops, says a new report
> 

If you actually read the article, that's because of the huge attack
surface of old unpatched Java installations in the world. It is after all
written by a company selling their auto patching software. That's like
saying QDOS is really awful because of a bug you found in the AH ROM
that was subsequently fixed.

If you notice the JAVA NPAPI plugin is pretty much dead now, modern
browsers won't even allow you to load it.

Unfortunately the one thing we have never managed to work out a fix for
in the industry is the wetware that exists between the chair and the
keyboard :-(

But the biggest threat at the end of 2016 was most certainly IoT
devices, at least two massive botnets were formed from them and those
bloody things never get patched.

Graeme