security breached by NaughtyRobot -Reply

Thomas Dowling tdowling at ohiolink.edu
Tue Mar 4 08:06:45 EST 1997


> I just completed a 4-day system administrator's course on Internet
> security issues. The bottom line is that there are many easy ways
> for hackers and/or crackers to compromise your system. One of the
> many lessons learned from the course is that you have to turn 
> off JAVA/JAVASCRIPT/COOKIE support on your browser. You should also be
> aware of which web sites you visit. An example of what can happen to
> your workstation is found at:
>   http://www.waste.org/crash
> Don't accept any cookies. I checked out the [CRASH BUTTON] on my test
> machine and yes, it crashed my workstation.
> 
> Slavko Manojlovich
> Memorial University Of Newfoundland

Yes, but...

The page you cite has actually been around for a couple of years; the
author states at the beginning that he hasn't worked on it since the
summer of 1995, and it makes no use at all of Java or JavaScript, and
doesn't write any cookies AFAICS.  Instead, it's a really big, ugly
HTML document with tons of tables, inline images, multiple nestings of
tags, deliberately screwed up tags, etc. designed to make your browser
thrash so badly that it crashes and/or brings down your system.  

By the way, although it did get Lynx 2.7 to dump core ("HTML: ******
Maximum nesting of 800 tags exceeded!"), Opera 2.12 running under
Windows 95 opened the crash document with no problems, twice.

None of this is to deny the known and as-yet unknown risks in running
Java, JavaScript, VBScript, ActiveX, et al., or in accepting Cookies,
or in installing plug-ins from the net, or in installing shrink-wrapped
software purchased direct from reputable companies.  But this document
has more to do with the design limitations of the software we use than
with gaping holes waiting to be exploited by nefarious crackers.

Thomas Dowling
Ohio Library and Information Network
tdowling at ohiolink.edu
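
An added illustration, not part of the original message: a parser-side guard that enforces a nesting limit like the one in the Lynx message quoted above and returns a clean error instead of thrashing on deliberately broken markup. The names DepthGuard and check_nesting and the sample inputs are constructed for this example; only the figure 800 comes from the post.

```python
from html.parser import HTMLParser

MAX_NESTING = 800  # limit quoted in the Lynx 2.7 message in the post
# Elements that never take a closing tag, so they add no nesting depth.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class NestingLimitExceeded(Exception):
    """Raised when a document opens more nested elements than allowed."""

class DepthGuard(HTMLParser):
    def __init__(self, limit=MAX_NESTING):
        super().__init__()
        self.limit = limit
        self.stack = []      # currently open tags; never grows past limit + 1
        self.max_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        self.stack.append(tag)
        self.max_depth = max(self.max_depth, len(self.stack))
        if len(self.stack) > self.limit:
            raise NestingLimitExceeded(f"more than {self.limit} nested tags")

    def handle_endtag(self, tag):
        # Deliberately broken markup: close back to the nearest matching
        # open tag and ignore end tags that match nothing.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

def check_nesting(html, limit=MAX_NESTING):
    """Return (ok, deepest nesting seen); parsing stops at limit + 1."""
    guard = DepthGuard(limit)
    try:
        guard.feed(html)
        guard.close()
    except NestingLimitExceeded:
        return False, guard.max_depth
    return True, guard.max_depth

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page discussed above.
    ordinary = "<html><body><table><tr><td><b>hi</b></td></tr></table></body></html>"
    broken = "<b><i>text</b></i></p>"
    deep = "<table><tr><td>" * 400   # 1200 unclosed tags
    for name, doc in [("ordinary", ordinary), ("broken", broken), ("deep", deep)]:
        print(name, check_nesting(doc))
```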

