(01-21-2018, 05:52 PM)hmelton Wrote: From most home computers' point of view the Web Browser is the other major user of your computer and you absolutely must keep the web browser fully patched, but even a fully patched Browser also allows unknown untrustworthy "browser programs" to run, for example Flash and Java to name only two of a large number.
All these "browser programs" thanks to these two CPU vulnerabilities have the potential to bypass security and read areas where passwords and other sensitive data is stored.
So I'd recommend finding a web browser that has a Patch for the CPU flaw or failing that find a web browser that is fully patched for other flaws and turn off the browser's capability to download and run most other programs from the internet.
For a home computer with a patched OS layer and a Patched Browser layer it should make it nearly impossible for a program operating in the browser's layer or above to use the CPU flaw even when the BIOS is unpatched.
I'd personally be very careful what I let my Web Browser execute, even after getting a computer without these two CPU flaws.
Really you should have already had your web browser's security levels set very high, limiting what can be executed.
I've been running ad blocking and script blocking for YEARS at this point. It makes the internet a much more pleasant place. Except for those sites that practically try to make you let everything run before they'll show you anything, but those are generally not worth sticking around for. I started running ad blockers when the only issue with online advertising was the insistence that it had to be so in your face that you were distracted from the "real" content... not to mention the constant arms race to force open another window and hide it under in order to obscure where you picked up that insane refuses-to-stay-closed advertisement that forces you to completely force-quit the browser to kill it. It's only in the past five to seven years that it's become increasingly used as an infection vector, which has ensured I've dug in my heels in terms of continuing to use it; the advertising market has pretty much shown they don't give a nit about the security, hence they're no longer allowed on my computer.
(01-21-2018, 05:52 PM)hmelton Wrote: I know there has been a large number of advertisement-driven websites adding scripts that punish users that stop the loading of all the advertisement programs, but I personally think that websites that do that should be a red flag telling you to stop visiting that site.
If I can't see anything without killing my ad blocker, either by whitelisting their site, or disabling it entirely (I've seen both demands), I try not to return. Especially places like Forbes that have HAD malware served via their advertisements, and hence showing they're NOT LISTENING. And I'm doubly annoyed when that's the ONLY option presented; I'm a little happier when they present the added option of buying a subscription, which means they're at least doing the thinking of WHY people are running ad blockers, and presenting the other option for those who refuse to whitelist.
(01-21-2018, 05:52 PM)hmelton Wrote: It has been demonstrated many times that advertisements, especially advertisements that use a lot of computing resources are a big vulnerability and it is wise to stay away from sites that demand a large amount of computing resources for advertisement.
Most security writers won't mention this, because it hits a little too close to home and their paychecks.
I've kind of gotten to the point that I don't really think it's a good idea to see advertising as a way to make money. Would the internet become a much smaller place without it? Sure, it would. I'm not sure that's a bad thing given the costs of the requirements of the advertising market.
(01-21-2018, 05:52 PM)hmelton Wrote: The recent round of Bitcoin miners using web site advertisement to load a resource hogging Bitcoin mining program and steal computing resources from hundreds of thousands of web browsers is a good example.
For most people the Bitcoin miner advertisement was an aggravation because it caused a medium to large slowdown in their computers that "run" the advertisement that persisted until the browser had shut down or in the case of Chrome until the computer was rebooted.
Cryptocurrency mining is a little better than advertising, but I'd still prefer the option to opt in or buy a subscription anyway. I'd prefer not to run other code on my computer like that, or at least if my computer is being used for mining, and I want it to be my own private mine, thanks.
(01-21-2018, 05:52 PM)hmelton Wrote: I'm fairly paranoid so this "mining" slowdown really bothers me because I can't help but worry that all those Bitcoin mining programs running in the browser and slowing your computer to a crawl as they "dig" for the few remaining Bitcoins were actually digging for my credit card numbers and bank account info as it passed along my computer's passwords and encryption keys.
That's the other reason I don't want them to run cryptominers. Who knows what else is running alongside it.
"You know how parents tell you everything's going to be fine, but you know they're lying to make you feel better? Everything's going to be fine." - The Doctor