JRE older installs - Windows - now online - no need for Oracle account

Hi :slight_smile:
No, that is the point I am disagreeing with. If Gnu&Linux, Bsd and other
Unix-based OSes were equally vulnerable then we would see a lot more servers
being compromised. Affecting several thousand servers would have a vastly
higher impact than affecting that many desktops wouldn't it? So, why bother
with desktops if servers are just as vulnerable? For the same effort more data
could be collected and more disruption could be caused by aiming at servers. So
why bother with creating malware for desktops at all? Why not just target
servers?

Compare with other sorts of crime. Imagine no corporate crime, no fraud, no
scams just about 50%-20% of everyone getting mugged for loose change on the way
home a couple of times a year. It's low hanging fruit but just not worth the
investment of time and effort so people go for bigger targets to get more cash.
Why doesn't this happen with malware? Why not several thousand servers instead
of just desktops?
Regards from
Tom :slight_smile:

Good point. It is the pompous A$$ types, ten feet tall and bulletproof,
that annoy me.

Criminals do attack servers. Regularly. And for as long as the internet has been the vehicle for attacks. Some of the successful attacks do get reported. The vulnerability is often a configuration and system-management one, not a defect in operational software.

Do you recall Google reporting a major penetration that had evidently gone on for some time? Do you recall reports of user information, identity, and password information having been stolen from a variety of significant systems?

The kinds of server-based compromises tend to be different.

Apparently the most profitable attack on clients these days is for co-opting the clients into zombie armies that can be used in coordinated attacks on vulnerable systems as well as unwitting hosts for phishing attacks and distribution of spam. Because thousands of clients are brought under control in this manner, their botnet services are then hired out to criminals. That is how scale matters at the client level.

- Dennis

Hi :slight_smile:
Different OSes have different strengths. I would say that Windows' greatest
strength is that it "just works" and gives users freedom from choices such as
which DE they use, which file-browser and so on. It is possible for true
Windows-geeks to change some of those things with some difficulty. It's not the
most stable and secure platform but so what? You can buy anti-virus and add
security and take precautions that mostly work quite well and you can always
take it back to a shop if something really bad happens. Plus when you buy a
machine from a shop it's already installed so you don't have to worry about
geeky stuff. There are a lot of good reasons to use Windows.

Regards from
Tom :slight_smile:

What 'bothers' me about this is the smug that do not accept that this is
a real threat to us all. Which was my point. No one is 'bullet proof'.

...

Not even kernel.org:

<http://arstechnica.com/open-source/news/2011/09/linux-kernel-archives-host-compromised-by-attacker.ars>
<http://kernel.org/>

So I reckon the best option is to be vigilant in whatever
system/application you use.

We now return you to your friendly LibreOffice user channel... :slight_smile:

<snip>

I saw that. Did you see just how long it took to find the attack?

I am smart. I am bulletproof. I am Superman. No longer works today.
Anyone that thinks differently?

...

Yes, of course I did. But also note that it appears that entry may have
been made by a compromised user credential & that were/are being taken.

Imagine how long it would take to find an outdated JRE attack when using
insecure versions of Java? Which is of course the issue in this thread.

Anyway I'm out of this thread as I think that sufficient
warnings/discussion regarding using old versions of JRE have been made.
My recommendation, given the above & all the other warnings by other
contributors in this thread, is to use the latest security patched
versions of whatever application/OS is in use.

IMO anyone that uses software that has known security vulnerabilities
does so at their own risk. If Base users are experiencing speed issues
due to Java versions, file a bug (both on LO bugzilla and with Oracle) -
that is the *only* way that I know of resolving the issue. Hosting old
insecure versions of code isn't (IMO) the answer, and continued
promotion for using such on this list is (again IMO) simply
irresponsible and wrong.

I totally agree with you. The explicit recommendation to install old Java on
Windows machines is careless.

The performance problem affects the combination of database engines written
in Java (HSQLDB and H2) together with Linux and OOo/LibO Base.
My databases are unusable under Linux with a recent Java version, even when
the HSQLDB backend runs on a Windows machine with a recent Java.
Unusable means minutes of waiting instead of seconds.

Under Windows I see no such problem.

My Linux system has a recent Java version installed. I only point the office
suite to a separate JVM I extracted manually from the packages. No system
wide configuration file nor environment variable points to the old Java
version.
I feel safe with this setup. Admittedly I am no expert in computer security.

________________________________
From: David H. Lipman <DLipman@Verizon.Net>
To: users@global.libreoffice.org
Sent: Fri, 2 September, 2011 18:48:47
Subject: [libreoffice-users] Re: JRE older installs - Windows - now online - no need for Oracle account

<snip />

Luckily Ubuntu is not targeted to the degree that MS Windows is and thus you
have a lesser degree of exploitation.

Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk http://www.pctipp.ch/downloads/dl/35905.asp

Hi :slight_smile:
Hmm, not quite the case. Servers would make a far better target than desktops
if the aim of malware is to cause disruption or grab data. Pranks and accidents
are sooo last decade.

However, we still hardly ever hear about servers suffering. If it happens at
all it often gets reported in the mainstream news because it's so rare. So, why
is it so common-place to hear of desktops getting infected instead of servers?

Interestingly it's the market where MS is dominant that has the most trouble
with malware. Most big servers run Gnu&Linux, Bsd or some other Unix-based
platform precisely because stability and security are more important.

http://librenix.com/?inode=21

Even if we just look at desktops we would expect a platform such as Mac at an
estimated 20% of the market taking 20% of the malware. Yet we have heard of
less than a handful. Again it's so rare that it reaches the mainstream press.

People that want to sound knowledgeable about malware and sound serious about it
use Windows. There is a lot to know! It's good to show-off about how much you
know but always the intel these people have is old because they are always
trying to catch-up with the ingenuity of malware creators. People who are just
serious about stability and security and want to stay ahead of the game tend to
use Gnu&Linux (or Bsd, or even Mac).

You wrote "Servers would make a far better target than desktops..."

Not true. Desktops are targeted as profit centers. Through keyloggers, data stealers,
backdoors, etc, desktops (personal computers) are targeted for profits. That is the goal
of today's preponderance of malware.

MACDefender is one sample. The motive of the infection is monetary and PII gain.

sent: Saturday, September 03, 2011 3:15 PM

arrived: Sunday, September 04, 2011 07:21 AM