da2ce7 (OP)
Legendary
Offline
Activity: 1222
Merit: 1016
Live and Let Live
February 02, 2013, 12:15:41 AM

One off NP-Hard.

mjc
February 02, 2013, 02:07:00 AM

Even the latest version of Java is vulnerable. It seems every time they fix it, another group breaks it. These are just the vulnerabilities which research groups are informing the public about. Now that it has been broken so many times it is better to just stay away. This coming from a long-time Java developer. I'm more fearful of the vulnerabilities that have not been announced.

Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
February 02, 2013, 02:24:06 AM

If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."

mjc
February 02, 2013, 02:41:53 AM

> If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."

In short, yes. www.us-cert.gov/cas/techalerts/TA13-032A.html (posted 4 hours ago). These warnings have been coming out for the past few months. Attackers have found vulnerabilities that, when exploited, will allow an attacker to remotely execute code on your computer. Every time Oracle fixes one, more critical vulnerabilities are found and reported. Possible attacks are endless, but loading of trojans, keyloggers, and scanners for wallet.dat files are just a few of the threats you are faced with. Use at your own risk.

debianlinux
February 02, 2013, 02:52:21 AM

> If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."

Java != Javascript

theymos
Administrator
Legendary
Offline
Activity: 5194
Merit: 12977
February 02, 2013, 02:52:32 AM

Oracle should scrap the Java browser plugin. It's rarely used nowadays anyway.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
February 02, 2013, 03:02:14 AM

> If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."
> Java != Javascript

So does this mean that Bitaddress.org, based on Javascript, is still secure?

debianlinux
February 02, 2013, 03:10:49 AM

> If I get rid of Java, doesn't that prevent me from viewing aspects of sites that require Java? I've seen many a time phrases like, "you need an earlier version of Java to..."
> Java != Javascript
> So does this mean that Bitaddress.org, based on Javascript, is still secure?

I am not one to claim anything to be secure. I can say that vulnerabilities that exist in one platform do not inherently exist in the other, as the two technologies are entirely different. Java is a programming language whereas Javascript is a client-side scripting language, and the only commonality they share is in name. In fact, Javascript was named such precisely to ride on the popularity of Java.

CIYAM
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 02, 2013, 03:19:00 AM

The actual ISO name is ECMAScript ( http://en.wikipedia.org/wiki/ECMAScript ) and, as stated by others, apart from using the name Java as part of its more commonly known name (a decision likely made by Netscape to try and "cash in" on the success of Sun's Java by renaming what was originally called LiveScript to JavaScript), the two languages have technically nothing more in common than they do with C or C++ (i.e. just some syntactic similarities).

cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
February 02, 2013, 03:25:44 AM

Let me ask this another way.
Does Javascript have any vulnerabilities that we know of that could put bitaddress.org at risk?

CIYAM
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 02, 2013, 03:55:28 AM

> Let me ask this another way.

Allow me to answer this in another way. If you are wanting to use either bitaddress.org or brainwallet.org (or anything else similar) then the approach that I would recommend is:
1) Buy an old laptop that has no WiFi (or *remove* the WiFi card).
2) Plug up the ethernet and modem (depending on how old) sockets so it can't "accidentally" get connected.
3) Use a bootable USB OS that has your preferred .js scripts and .html pages *pre-installed* ( http://susestudio.com/a/kp8B3G/ciyam-safe if interested).
4) Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).

Scrat Acorns
February 02, 2013, 10:33:43 AM

> Let me ask this another way.
> Does Javascript have any vulnerabilities that we know of that could put bitaddress.org at risk?

Javascript's security has nothing to do with bitaddress.org's security. If you are concerned about the latter, you should download the entire page (it's a single html file), verify it with the author's GPG key and always run it locally. As for Javascript's security, you have to understand that there are many implementations; basically each browser has its own engine, so a possible attack will have to target a specific browser. There have not been any Javascript 0-days that I'm aware of lately, simply because most engines take security seriously and implement sandboxing correctly. Java is just a bloated language that didn't evolve to support the browser client model and is maintained by a company that doesn't really give a damn about open source software. You should not be running Java in the browser. If you do, only enable it for websites you trust.

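The "verify it with the author's GPG key" step above has a pitfall worth showing in code: `gpg --verify` exits 0 for a valid signature from any key in your keyring, so a script that checks only the exit code accepts a page signed by anyone whose key you ever imported. The example below is added here and is not from the post or from bitaddress.org's own tooling; it parses gpg's machine-readable `--status-fd` output and accepts the file only when the VALIDSIG line carries the fingerprint you expect. The file names and the fingerprint are placeholders (assumptions), and the real fingerprint has to come from a channel independent of the download.

```python
import re
import subprocess

# Hypothetical values: substitute the real file names and the author's key
# fingerprint, obtained out of band (placeholder below is not a real key).
PAGE_FILE = "bitaddress.org.html"
SIG_FILE = "bitaddress.org.html.sig"
EXPECTED_FPR = "0000000000000000000000000000000000000000"

# gpg --status-fd emits "[GNUPG:] VALIDSIG <40-hex fingerprint> <date> ..."
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")


def signer_fingerprints(status_output: str) -> list:
    """Collect every fingerprint gpg reports as VALIDSIG in its status output."""
    found = []
    for line in status_output.splitlines():
        m = VALIDSIG_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def signature_ok(status_output: str, expected_fpr: str) -> bool:
    """True only if a valid signature was made by the expected key.

    A zero exit status from gpg says 'some trusted-enough key signed this';
    it does not say which one, so the fingerprint is compared explicitly.
    Spaces in the expected fingerprint (the usual display form) are ignored.
    """
    want = expected_fpr.replace(" ", "").upper()
    return any(fpr == want for fpr in signer_fingerprints(status_output))


def verify_local_copy(page=PAGE_FILE, sig=SIG_FILE, expected_fpr=EXPECTED_FPR) -> bool:
    """Run gpg on the downloaded page and its detached signature (requires gpg)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, page],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and signature_ok(proc.stdout, expected_fpr)


# Constructed sample of gpg status output (not captured from a real run).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Author <author@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2013-02-02 1359770000 0 4 0 1 10 00 " + "A" * 40 + "\n"
)

if __name__ == "__main__":
    print("signers:", signer_fingerprints(SAMPLE_STATUS))
    print("matches expected key:", signature_ok(SAMPLE_STATUS, "A" * 40))
```

Only `verify_local_copy` touches the system; the parsing functions run on captured status text, which is how the behaviour can be checked without gpg installed.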
jerfelix
February 02, 2013, 02:05:34 PM

> Let me ask this another way.
> Allow me to answer this in another way. If you are wanting to use either bitaddress.org or brainwallet.org (or anything else similar) then the approach that I would recommend is:
> 1) Buy an old laptop that has no WiFi (or *remove* the WiFi card).
> 2) Plug up the ethernet and modem (depending on how old) sockets so it can't "accidentally" get connected.
> 3) Use a bootable USB OS that has your preferred .js scripts and .html pages *pre-installed* ( http://susestudio.com/a/kp8B3G/ciyam-safe if interested).
> 4) Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).

I'll add that this is a tremendous amount of paranoia and hassle for the casual user. There are often tradeoffs between security and usability, and also between security and cost. Your answer is akin to "To absolutely protect your belongings, you should purchase an underground bomb shelter with state-of-the-art security systems and an impenetrable vault that requires a 200-digit pass code to enter it." ...Oh, you were only trying to make sure your old futon didn't get stolen from your college dorm room? Well then just lock your door, idiot! Security should scale up with the assets you are trying to protect. Reasonable steps to take when creating a paper wallet (for someone with a small amount of assets) are to use a system with virus protection installed, open bitaddress.org in a "private browsing" window, print your paper wallet, and close the browser immediately afterward.

CIYAM
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 02, 2013, 02:24:52 PM

> Your answer is akin to "To absolutely protect your belongings, you should purchase an underground bomb shelter with state-of-the-art security systems and an impenetrable vault that requires a 200-digit pass code to enter it."

Sure - and agreed - but understand that the post I replied to was already OT, as the OP was about Java (not JavaScript).

debianlinux
February 02, 2013, 03:14:09 PM

> Let me ask this another way.
> Does Javascript have any vulnerabilities that we know of that could put bitaddress.org at risk?

To underscore the answers above, any code can have vulnerabilities that have nothing to do with the selected language but everything to do with the actual coding. That is, the most "secure" language (whatever that means) can be used to code the most insecure website in the world.

mjc
February 02, 2013, 08:47:07 PM

> Let me ask this another way.
> Does Javascript have any vulnerabilities that we know of that could put bitaddress.org at risk?
> To underscore the answers above, any code can have vulnerabilities that have nothing to do with the selected language but everything to do with the actual coding. That is, the most "secure" language (whatever that means) can be used to code the most insecure website in the world.

But when it is a vulnerability in the language (or more specifically the JVM) then your code doesn't matter. The issues with Java are a result of the underlying Java JDK. In most cases, when running the malicious code it breaks out of the sandbox and executes arbitrary code of the attacker's desire. These attacks are very specific to Java and do not affect JavaScript in a browser. Turn off your Java plugin. This means that applets on sites will no longer work. It also means that a malicious applet embedded in a page, just waiting for your browser to stop by, will not affect your browser. There are a fair share of JavaScript vulnerabilities, but that's not the focus of this thread. Right now Java has some critical vulnerabilities and they are being exploited in the wild.

You may think you are only protecting your college sofa, but if you leave that door unlocked and then someone sneaks a camera into the room and your girl comes over, what happens on that sofa just got important. My point is that one should consider the most important thing that could be done and protect that. If you are storing a wallet.dat and only have a few coins, no problem, right? Well, if I were an attacker I would write an app that tracked all the addresses I had private keys for and, as the addresses accumulate funds, wait until it hit a threshold, then clean them out. That might not be for a year or so. So do you need a bunker and vaults? No. But should you turn off the Java plugin while it is extremely vulnerable and being exploited? YES.

kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
February 02, 2013, 08:53:57 PM

Here in Denmark, the authorities decided a few years ago that Java should be used in the login to our online banking. Yay! I'm forced to have that shit installed if I want access to my money online.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell

Gabi
Legendary
Offline
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
February 02, 2013, 11:06:35 PM

As other people said, Java and Javascript are TOTALLY DIFFERENT.

Insu Dra
February 02, 2013, 11:14:47 PM

> Here in Denmark, the authorities decided a few years ago that Java should be used in the login to our online banking. Yay! I'm forced to have that shit installed if I want access to my money online.

You must burn candles for the VM gods.

"drugs, guns, and gambling for anyone and everyone!"

tvbcof
Legendary
Offline
Activity: 4592
Merit: 1276
February 03, 2013, 04:01:17 AM

> ... Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk). ...

"0% risk". Hmmmm.

sig spam anywhere and self-moderated threads on the pol&soc board are for losers.

CIYAM
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 03, 2013, 04:10:38 AM

> "0% risk". Hmmmm.

You see a risk with using QR codes for comms? (I see risk when you use USB like Armory does.)

justusranvier
Legendary
Offline
Activity: 1400
Merit: 1009
February 03, 2013, 04:18:36 AM

Unless the programs that read the QR codes are provably free from any flaws that could allow a specially-crafted image to trigger an exploit, you can't call the risk 0%.

CIYAM
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 03, 2013, 04:21:27 AM

This is getting rather OT, but what kind of exploit can you possibly have when we are talking about signing a tx offline (either it is going to be signed or it isn't)?

justusranvier
Legendary
Offline
Activity: 1400
Merit: 1009
February 03, 2013, 04:34:02 AM

> This is getting rather OT, but what kind of exploit can you possibly have when we are talking about signing a tx offline (either it is going to be signed or it isn't)?

The reason you're signing a transaction offline is because you assume it's possible for an attacker to compromise your online computer. In that case you have to assume the attacker can alter the QR code that's being delivered to the offline computer, which means there's a non-zero possibility the attacker can compromise your offline computer as well. Image processing libraries, like any other kind of software that processes arbitrary input, can fail in ways that allow arbitrary code execution. A few years ago it was possible to take over Windows computers if you could convince the user to load a web site containing a malicious JPEG image. There are ways to reduce this risk by code audits, fuzz testing, and other techniques, but those don't completely eliminate the risk.

Driice
February 03, 2013, 04:43:46 AM

Just uninstalled Java. Thanks for the heads-up.

CIYAM
Legendary
Offline
Activity: 1890
Merit: 1078
Ian Knowles - CIYAM Lead Developer
February 03, 2013, 04:49:50 AM

> The reason you're signing a transaction offline is because you assume it's possible for an attacker to compromise your online computer. In that case you have to assume the attacker can alter the QR code that's being delivered to the offline computer, which means there's a non-zero possibility the attacker can compromise your offline computer as well.

Understand that you can do a "decoderawtransaction" on the "offline computer" before you bother to sign it and create the final QR code (and understand that the particular QR code being used is only big enough to hold a couple of hundred bytes). So unless we are talking about your *offline* computer being compromised, then we are not seriously talking about a possible "attack vector", are we (and okay, I am happy to change 0% to let's say 0.00001%)?

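Two points from the exchange above come together in one piece of code: justusranvier's observation that anything which parses arbitrary input from the online side (the QR image, and then whatever the decoded bytes are fed into) can fail dangerously, and CIYAM's answer that the offline machine can decode the raw transaction and show what it is about to sign, within a payload of only a couple of hundred bytes. The following is an added example, not CIYAM's tooling and not bitcoind's `decoderawtransaction`: a strict decoder for the legacy (non-SegWit) raw transaction format in which every read is bounds-checked, the payload is capped at an assumed QR budget (the 300-byte limit is a placeholder), truncated or trailing data is refused, and the result is rendered as lines a person can compare against what they meant to send. The sample transaction is constructed with placeholder hashes.

```python
import struct

# Assumed capacity of the QR code used for the transfer; the post only says
# "a couple of hundred bytes", so this bound is a placeholder.
MAX_QR_PAYLOAD_BYTES = 300


class Reader:
    """Cursor over an untrusted byte string; every read is bounds-checked."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError(f"truncated payload: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def u64(self) -> int:
        return struct.unpack("<Q", self.take(8))[0]

    def varint(self) -> int:
        """Bitcoin CompactSize integer: 1, 3, 5 or 9 bytes, little-endian."""
        first = self.take(1)[0]
        if first < 0xFD:
            return first
        if first == 0xFD:
            return struct.unpack("<H", self.take(2))[0]
        if first == 0xFE:
            return self.u32()
        return self.u64()

    def done(self) -> bool:
        return self.pos == len(self.data)


def parse_raw_tx(hex_payload: str) -> dict:
    """Decode a legacy raw transaction, refusing oversize, truncated or
    trailing-garbage payloads instead of guessing at them."""
    try:
        raw = bytes.fromhex(hex_payload)
    except ValueError as exc:
        raise ValueError("payload is not valid hex") from exc
    if len(raw) > MAX_QR_PAYLOAD_BYTES:
        raise ValueError(f"payload of {len(raw)} bytes exceeds QR budget")
    r = Reader(raw)
    tx = {"version": r.u32(), "inputs": [], "outputs": []}
    n_in = r.varint()
    if n_in == 0 or n_in > len(raw):
        raise ValueError("implausible input count")
    for _ in range(n_in):
        prev_txid = r.take(32)[::-1].hex()  # txids are displayed byte-reversed
        vout = r.u32()
        script_sig = r.take(r.varint())
        sequence = r.u32()
        tx["inputs"].append({"prev_txid": prev_txid, "vout": vout,
                             "script_sig": script_sig.hex(), "sequence": sequence})
    n_out = r.varint()
    if n_out == 0 or n_out > len(raw):
        raise ValueError("implausible output count")
    for _ in range(n_out):
        value = r.u64()
        script_pubkey = r.take(r.varint())
        tx["outputs"].append({"value_sat": value, "script_pubkey": script_pubkey.hex()})
    tx["locktime"] = r.u32()
    if not r.done():
        raise ValueError(f"{len(raw) - r.pos} trailing bytes after locktime")
    return tx


def describe(tx: dict) -> list:
    """Lines to eyeball on the offline machine before anything is signed."""
    lines = [f"version {tx['version']}, locktime {tx['locktime']}"]
    for i, inp in enumerate(tx["inputs"]):
        lines.append(f"input {i}: spends {inp['prev_txid']}:{inp['vout']}")
    for i, out in enumerate(tx["outputs"]):
        lines.append(f"output {i}: {out['value_sat']} sat to script {out['script_pubkey']}")
    return lines


def rejects(hex_payload: str) -> bool:
    """True if the decoder refuses the payload (exercises the checks above)."""
    try:
        parse_raw_tx(hex_payload)
    except ValueError:
        return True
    return False


# Constructed sample: one unsigned input, two P2PKH outputs. The txid and the
# key hashes are placeholder bytes, not real identifiers.
SAMPLE_TX_HEX = (
    "01000000"                                # version 1
    + "01"                                    # one input
    + "aa" * 32                               # previous txid (placeholder)
    + "00000000"                              # previous output index 0
    + "00"                                    # empty scriptSig (not yet signed)
    + "ffffffff"                              # sequence
    + "02"                                    # two outputs
    + "50c3000000000000"                      # 50000 sat, little-endian
    + "19" + "76a914" + "11" * 20 + "88ac"    # 25-byte P2PKH script
    + "1027000000000000"                      # 10000 sat
    + "19" + "76a914" + "22" * 20 + "88ac"
    + "00000000"                              # locktime 0
)

if __name__ == "__main__":
    for line in describe(parse_raw_tx(SAMPLE_TX_HEX)):
        print(line)
```

The design point is that the decoder never trusts a length field it reads: counts and script lengths are only ever used through `Reader.take`, which fails closed, so a payload tampered with on the online side produces a refusal rather than an out-of-bounds read or a silently mis-parsed output list.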
tvbcof
Legendary
Offline
Activity: 4592
Merit: 1276
February 03, 2013, 09:13:20 AM

> "0% risk". Hmmmm.
> You see a risk with using QR codes for comms? (I see risk when you use USB like Armory does.)

Mostly it's just that the term 'zero risk' tends to set off alarm bells in my mind. Generally speaking, TEMPEST and Cold Disk are two risks that I see as non-zero. Particularly if someone knows you have potentially hundreds of thousands of USD worth of BTC (or anything else) kicking around. I'd be inclined to at least encrypt the HDD by way of making security suggestions.

sig spam anywhere and self-moderated threads on the pol&soc board are for losers.

phelix
Legendary
Offline
Activity: 1708
Merit: 1020
February 03, 2013, 09:52:58 AM

What about deactivating Java in the browser? Should that not be enough? I highly recommend NoScript.

grantbdev
February 03, 2013, 05:36:07 PM

How at risk am I with OpenJDK installed for development (no web plug-in) on GNU/Linux?

Don't use BIPS!