Bitcoin Forum
Author Topic: Very Important Security Update for Java  (Read 3942 times)
tvbcof
February 03, 2013, 04:01:17 AM
 #21

> ...
> Use QR codes to move data between your *offline* and *online* computers (100% *air-gapped* and 0% risk).
> ...

"0% risk".  Hmmmm.


CIYAM
February 03, 2013, 04:10:38 AM
 #22

> "0% risk".  Hmmmm.

You see a risk with using QR codes for comms?
(I see risk when you use USB like Armory does)

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
justusranvier
February 03, 2013, 04:18:36 AM
 #23

Unless the programs that read the QR codes are provably free from any flaws that could allow a specially-crafted image to trigger an exploit, you can't call the risk 0%.
CIYAM
February 03, 2013, 04:21:27 AM
 #24

This is getting rather OT, but what kind of exploit can you possibly have when we are talking about signing a tx offline (either it is going to be signed or it isn't)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
justusranvier
February 03, 2013, 04:34:02 AM
 #25

> This is getting rather OT, but what kind of exploit can you possibly have when we are talking about signing a tx offline (either it is going to be signed or it isn't)?

The reason you're signing a transaction offline is because you assume it's possible for an attacker to compromise your online computer. In that case you have to assume the attacker can alter the QR code that's being delivered to the offline computer, which means there's a non-zero possibility the attacker can compromise your offline computer as well.

Image processing libraries, like any other kind of software that processes arbitrary input, can fail in ways that allow arbitrary code execution. A few years ago it was possible to take over Windows computers if you could convince the user to load a web site containing a malicious JPEG image.

There are ways to reduce this risk through code audits, fuzz testing, and other techniques, but those don't completely eliminate the risk.
Driice
February 03, 2013, 04:43:46 AM
 #26

Just uninstalled Java. Thanks for the heads-up.
CIYAM
February 03, 2013, 04:49:50 AM
 #27

> The reason you're signing a transaction offline is because you assume it's possible for an attacker to compromise your online computer. In that case you have to assume the attacker can alter the QR code that's being delivered to the offline computer, which means there's a non-zero possibility the attacker can compromise your offline computer as well.

Understand that you can do a "decoderawtransaction" on the "offline computer" before you bother to sign it and create the final QR code (and understand that the particular QR code being used is only big enough to hold a couple of hundred bytes).

So unless we are talking about your *offline* computer being compromised then we are not seriously talking about a possible "attack vector" are we (and okay I am happy to change 0% to let's say 0.00001%)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
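The two points raised above, that any software decoding untrusted input can fail and that the offline side should decode and inspect the transaction before it signs, as an added example that is not code from this thread or from any project mentioned in it: a bounds-checked parser for a legacy raw Bitcoin transaction received over the QR path, followed by a spending-policy check the offline signer runs before signing. The sample transaction, the payload size limit (`MAX_PAYLOAD_BYTES`) and the allowed-destination policy are constructed for this example.

```python
# Added example (not code from the thread): strict parsing of a legacy raw
# transaction delivered over an untrusted channel such as a scanned QR code,
# plus the checks an offline signer should pass before signing.
from dataclasses import dataclass

MAX_PAYLOAD_BYTES = 4096  # constructed limit: far above what the QR path should carry


class TxFormatError(ValueError):
    """Raised when the payload is not a well-formed transaction."""


class Reader:
    """Cursor over the raw bytes; every read is length-checked before slicing."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self, n: int) -> bytes:
        if n < 0 or n > self.remaining():
            raise TxFormatError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return int.from_bytes(self.take(4), "little")

    def u64(self) -> int:
        return int.from_bytes(self.take(8), "little")

    def count(self) -> int:
        # Bitcoin varint; a count larger than the bytes left is hostile or
        # corrupt, so reject it before it drives a long loop.
        first = self.take(1)[0]
        n = first if first < 0xfd else int.from_bytes(
            self.take({0xfd: 2, 0xfe: 4, 0xff: 8}[first]), "little")
        if n > self.remaining():
            raise TxFormatError(f"count {n} exceeds {self.remaining()} remaining bytes")
        return n


@dataclass
class TxIn:
    txid: str
    vout: int
    script_sig: str
    sequence: int


@dataclass
class TxOut:
    value: int          # satoshis
    script_pubkey: str  # hex
    kind: str           # "p2pkh" or "unknown"
    pubkey_hash: str    # hex of the 20-byte hash for p2pkh, else ""


@dataclass
class Tx:
    version: int
    vin: list
    vout: list
    locktime: int


def classify_script(script: bytes):
    # Standard pay-to-pubkey-hash: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return "p2pkh", script[3:23].hex()
    return "unknown", ""


def decode_raw_tx(hex_payload: str) -> Tx:
    """Same idea as decoderawtransaction: parse strictly, refuse anything malformed,
    and refuse trailing bytes so nothing hides after the structure we inspected."""
    if len(hex_payload) > 2 * MAX_PAYLOAD_BYTES:
        raise TxFormatError("payload larger than the QR channel should ever deliver")
    try:
        raw = bytes.fromhex(hex_payload)
    except ValueError as exc:
        raise TxFormatError("payload is not hex") from exc
    r = Reader(raw)
    version = r.u32()
    vin = []
    for _ in range(r.count()):
        txid = r.take(32)[::-1].hex()  # txids are displayed byte-reversed
        vout_index = r.u32()
        script_sig = r.take(r.count()).hex()
        vin.append(TxIn(txid, vout_index, script_sig, r.u32()))
    vout = []
    for _ in range(r.count()):
        value = r.u64()
        script = r.take(r.count())
        kind, pkh = classify_script(script)
        vout.append(TxOut(value, script.hex(), kind, pkh))
    locktime = r.u32()
    if r.remaining():
        raise TxFormatError(f"{r.remaining()} unexpected trailing bytes")
    if not vin or not vout:
        raise TxFormatError("transaction needs at least one input and one output")
    return Tx(version, vin, vout, locktime)


def spend_policy_violations(tx: Tx, allowed_pubkey_hashes, max_total_sats: int) -> list:
    """Reasons the offline signer should refuse; sign only when this list is empty."""
    problems = []
    total = sum(o.value for o in tx.vout)
    if total > max_total_sats:
        problems.append(f"total output {total} sat exceeds limit {max_total_sats}")
    for i, o in enumerate(tx.vout):
        if o.kind != "p2pkh":
            problems.append(f"output {i}: non-standard script {o.script_pubkey}")
        elif o.pubkey_hash not in allowed_pubkey_hashes:
            problems.append(f"output {i}: pays unknown destination {o.pubkey_hash}")
    return problems


# Constructed sample: one unsigned input, one 1 BTC p2pkh output (85 bytes).
SAMPLE_TX_HEX = (
    "01000000" + "01" + "11" * 32 + "00000000" + "00" + "ffffffff"
    + "01" + "00e1f50500000000" + "19" + "76a914" + "22" * 20 + "88ac"
    + "00000000"
)

if __name__ == "__main__":
    tx = decode_raw_tx(SAMPLE_TX_HEX)
    print(tx)
    print(spend_policy_violations(tx, {"22" * 20}, 2 * 10**8))
```

The parser never trusts a length or count it read from the payload: each is checked against the bytes still available, and leftover bytes after the locktime are an error rather than ignored. The policy check is the part that turns "decode before you sign" into a decision, refusing outputs to destinations the user has not already confirmed and totals above a per-transaction ceiling.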
tvbcof
February 03, 2013, 09:13:20 AM
 #28

> "0% risk".  Hmmmm.
>
> You see a risk with using QR codes for comms?
> (I see risk when you use USB like Armory does)

Mostly it's just that the term 'zero risk' tends to set off alarm bells in my mind.  Generally speaking, TEMPEST and Cold Disk are two risks that I see as non-zero.  Particularly if someone knows you have potentially hundreds of thousands of USD worth of BTC (or anything else) kicking around.  I'd be inclined to at least encrypt the HDD by way of making security suggestions.


phelix
February 03, 2013, 09:52:58 AM
 #29

> http://www.esecurityplanet.com/patches/oracle-responds-to-java-security-flaws-with-50-fixes.html
>
> If you are on Windows, go to Programs and Features, uninstall all "Java".
>
> If you still need Java you can get the latest version from here:
> http://www.oracle.com/technetwork/java/javase/downloads/index.html

What about deactivating Java in the browser? Should that not be enough?

I highly recommend noscript.


blockchained.com ■ bitcointalk top posts
grantbdev
February 03, 2013, 05:36:07 PM
 #30

How at risk am I with OpenJDKs installed for development (no web plug-in) on GNU/Linux?

Don't use BIPS!