[Tfug] Fwd: Re: [Bulk] Re: Thumb drive sizes

Bexley Hall bexley401 at yahoo.com
Mon Dec 3 23:29:34 MST 2012


Hi Kramer,

On 12/3/2012 8:04 PM, Kramer Lee wrote:
> I should add that I downloaded nothing from that site (by clicking on
> anything, I knew it was wrong as it loaded, but just going to the site
> was enough).  And I was looking for an ECS motherboard BIOS update
> using a Dell computer and it was the Dell that was reflashed.

If you have java/script enabled, simply going to the page causes
the script on that page (or referenced by that page) to run.

Or, the site exploited a vulnerability in your browser/OS/configuration
that allowed it to inject code for your browser (or, OS) to execute
on its behalf.  The code could have been targeted to your browser,
your OS or your hardware platform.  The code could even have engaged
in a *dialog* with the server:  "This appears to be a Dell computer;
(by examining "well-known" files, etc.) Please send me any malware
that is suitable for exploitation, here..."

[These are "drive-by" attacks.]

"Bugs"/exploits happen because the developer (or tester) had a
limited imagination (and/or a poor skillset!).  The easiest
way to *break* (hack, compromise, etc.) a piece of software
(or, even a generic "device" -- electronic or otherwise) is to
ask yourself, "What does this thing NOT expect me to do?" -- then
*do* it!  :>  If it is designed well, it will just complain
(or, inconvenience you in some way -- like log you out, etc.).

[We had a computer system at school that was created/written
by the "professor" for this particular class in which he
*used* the system.  "Not ready for prime time"  <grin>  A
favorite pastime was to crash the system late at night (when
there was no "help" available) the evening before homework
was due -- i.e., so you are targeting The Procrastinators.
Volumes were labeled as "small integers":  "0", "1", etc.
"Gee, I wonder what happens if I list the VTOC of '2'?"  Then,
tear off the paper trail (so folks in the room can't easily
figure out *who* caused the problem) and walk away casually.
Listen to hear the DECwriters gradually stop printing as
their individual buffers empty.  Followed by the wails of
those folks who hadn't finished their work yet!  :-/ ]

Conversely, the best way to design robust/reliable devices is
to "assume nothing" and "verify everything"!  *EVERYTHING*!!

This even applies to simple human interactions:
    "Do you have change for a $20?"
Then, hand them a $10 and *hope* they give you change for a 20!
Worst case, you get change for your $10 and are no worse off...
(I've known people who were scammed by a variation of this)

--don
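[Editor's added example, not part of don's post or Kramer's.  The VTOC
story and the "assume nothing, verify everything" advice come down to the
same engineering point: the code trusts that whatever it is handed is one
of the small integers it expects.  The stand-in below is constructed for
this example (a two-entry volume table, a made-up set of "curious user"
inputs, hypothetical function names); it shows a lookup written the way
the story's system evidently was, next to one that validates at the
boundary, and a probe that asks both "what happens if I do the thing you
did NOT expect?".  Note that the naive version does not just crash on
"2": it silently accepts "-1" and hands back the *last* volume, because
Python's int() and negative list indexing are more permissive than the
author of the lookup imagined.]

```python
import re

# Constructed stand-in for the volume table in the story above: two mounted
# volumes labelled "0" and "1"; nothing else exists.
VTOC = [
    {"label": "0", "files": ["HOMEWORK.TXT", "NOTES.TXT"]},
    {"label": "1", "files": ["SCRATCH.TMP"]},
]


class InvalidVolume(ValueError):
    """Raised at the boundary when a volume specifier is not acceptable."""


def list_vtoc_naive(spec):
    """The version that 'expects a small integer'.

    Whatever int() accepts is trusted and used directly as a list index, so:
      * "-1" wraps around to the LAST volume instead of failing,
      * " 1", "+1", "-0" are silently accepted as if the user typed "1"/"0",
      * "2", "1_0" (int() reads it as 10) or garbage blow up deep inside
        the lookup instead of being refused at the edge.
    """
    return list(VTOC[int(spec)]["files"])


# Exactly what a label is allowed to look like: one or two ASCII digits.
# ([0-9] is deliberate: \d would also admit non-ASCII digits such as U+0663.)
VOLUME_SPEC = re.compile(r"[0-9]{1,2}")


def list_vtoc_checked(spec):
    """'Assume nothing, verify everything': accept only what was documented."""
    if not isinstance(spec, str) or VOLUME_SPEC.fullmatch(spec) is None:
        raise InvalidVolume("volume label must be 1-2 ASCII digits: %r" % (spec,))
    n = int(spec)
    if n >= len(VTOC):
        raise InvalidVolume("no such volume: %r" % (spec,))
    return list(VTOC[n]["files"])


# Things a curious user might type at the prompt; constructed for this example.
UNEXPECTED = ["0", "1", "2", "-1", "-0", "+1", " 1", "1_0", "", "1e0", "\u0663"]


def probe(handler, inputs=UNEXPECTED):
    """Feed each input to a handler and record how it fares:
    'accepted', 'rejected' (a deliberate InvalidVolume), or 'crash:<Exception>'
    for anything the handler did not plan for."""
    outcome = {}
    for s in inputs:
        try:
            handler(s)
            outcome[s] = "accepted"
        except InvalidVolume:
            outcome[s] = "rejected"
        except Exception as exc:  # anything else is an unhandled failure
            outcome[s] = "crash:" + type(exc).__name__
    return outcome


if __name__ == "__main__":
    for name, handler in (("naive", list_vtoc_naive), ("checked", list_vtoc_checked)):
        print(name)
        for spec, result in probe(handler).items():
            print("  %-8r -> %s" % (spec, result))
```

Running it prints the two columns side by side: the naive lookup accepts
"-1", "-0", "+1" and " 1" (the first of those returning the wrong volume
entirely) and crashes on "2", "1_0", "", "1e0" and the non-ASCII digit;
the checked lookup accepts exactly "0" and "1" and refuses everything else
with a complaint, which is the "just complain" behaviour don describes.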


