Author: mmrmnhrm | Number: of 189640
Subject: Re: Yet another Java flaw Date: 10/3/2012 4:19 PM
I guess that's a part I don't understand. I can see how running some program on your own computer (whether it's Office or a game or Java) can create a threat to your computer. But how does running a program on a server cause a threat to you when browsing the web?

Initially, it doesn't cause a threat. Let's say the server is running what's called a LAMP stack (short for Linux-Apache-MySQL-PHP), and the admins haven't been very diligent with security patches. On day zero, everything is all fine and dandy, the world is pure and clean, and everything is great. Then on day one, Bad People come and exploit a month-old vulnerability in PHP, where it passes invalid arguments to MySQL that cause a buffer overflow and remote code execution bug in Apache, the end result of which is gaining root (superuser) rights to the Linux host. When you're "root" you can do *anything* and the machine will follow you right off the volcano's edge and into the bubbling pool of magma below if you so order it.

So these Bad People decide that rather than just throw a bunch of graffiti on the websites (which, while great for grabbing attention, is counter-productive to their goal of creating a botnet BECAUSE it gets attention), they write a tiny little snippet of JavaScript which embeds itself into the body of every HTML file served, and does nothing more than say "Powered by LAMP." Because JS is such an integral part of the web these days, and since every browser has support for it built-in, even the site admins don't think anything is amiss... it's just there, silently advertising to the Bad People that whatever backdoor they installed is still there. Now a month or two goes by, and the bad guys move to phase two: taking advantage of their mark's laziness and complacency to begin installing viruses/trojans/whatnot on their visitors' machines. What had been a server-side vulnerability just became the end-user's nightmare.

SJK: Yes, incompatibilities existed, and I'm sure you're very proud of being an old graybeard, but I'm not going to get into a forest-for-the-trees argument with you. Nor am I going to get into arguments about interpreters versus virtual machines versus sandboxes versus your need to swoop in here and puff yourself up. Go troll RMS, he likes that sort of thing.