Re: [Bug 19998] The non-appearance of Polygon graphics in LC

Re: [Bug 19998] The non-appearance of Polygon graphics in LC

Richard Gaskin via use-livecode
Well, aren't I glad I don't run an American business. 8-)

I just run an EFL school that is not dependent on computers connected to
the interweb, and do funny things with Sanskrit.

Richmond.

On 12/7/2018 3:54 am, Richard Gaskin via use-livecode wrote:

> Bob Sneidar wrote:
>
> > On Jul 11, 2018, at 13:43 , Richard Gaskin wrote:
> >> When a computer's OS no longer receives critical patches for known
> >> exploits, it's no longer safe to use.
> >
> > I think it depends on what you use it for.
>
> True. If you unplug the power and use it as a doorstop, it's
> completely safe. Anything else involves varying degrees of risk. :)
>
> Running outdated software is one of the leading reasons 80% of
> American businesses have experienced at least one form of hack or
> another.
>
>
> > I have yet to see a MacOS "exploit" that didn't require the end user
> > do something they ought not to do, and/or authenticate an action they
> > didn't initiate. And by exploit, I mean access the OS via network
> > protocol and bypass protections in place to prevent it without user
> > action or intervention.
>
> That's true of most OSes.  But look deeper.  They're rarer, but they
> exist.
>
> And even those that require user action, those actions may seem
> innocuous to many users who do not understand the implications, or can
> use exploits in other software to gain elevated privileges which can
> then be used with exploits requiring admin.
>
> The deeper you look, the murkier things get.
>
> Sometimes even authentication itself becomes vulnerable:
>
>    Passwords are stored in the Mac's Keychain, which typically
>    requires a master login password to access the vault.
>
>    But Wardle has shown that the vulnerability allows an attacker
>    to grab and steal every password in plain-text using an unsigned
>    app downloaded from the internet, without needing that password.
> <https://www.zdnet.com/article/apple-macos-high-sierra-password-vulnerable-to-password-stealing-hack/>
>
>
> And we can't forget everyone's favorite, the Meltdown flaw in Intel
> chips like those in systems that run macOS 10.7:
> <https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/>
>
>
> A partial list of vulnerabilities specific to macOS 10.7.5 is here:
> <https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/version_id-143035/Apple-Mac-Os-X-10.7.5.html>
>
>
> That list contains only OS vulnerabilities; other searches can turn up
> additional vulnerabilities against the versions of Safari, Apache,
> rsync, and other programs included in the system which have their own
> lengthy lists of known vulnerabilities.  Combining vulnerabilities
> multiplies threats.
>
> Consider which of the 900+ CVEs against Safari may be used in
> combination with other exploits:
> <https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-2935/Apple-Safari.html>
>
>
>
> Ultimately, security is a matter of subjective sense of comfort. The
> sort of person who goes into the shopping mall with their keys left in
> their car will probably feel right at home running an OS where the
> only system patches are being delivered by organized crime rings and
> hostile nation state actors.
>
> After all, not every car with the keys left in it gets stolen, so why
> not? ;)
>

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: [Bug 19998] The non-appearance of Polygon graphics in LC

Richard Gaskin via use-livecode
In reply to this post by Richard Gaskin via use-livecode
Each of these Mac OS exploits require that the end user install something on their computer, or allow it. As far as the doorstop comparison, well that comment is a bit of a red herring now, isn't it? Brand new computers with current AV definitions and a completely updated OS involve "some degree of risk".

My point is that if you use a computer in such a way that it performs its job as it always has, an internal SQL server with no exposure to the internet for example, then all other things being equal, it's not obsolete by a certain definition.

I guess I am saying that what different people mean by obsolete varies depending on the application. A developer who wants to continue using a workstation that no longer runs the current version of LC, but that developer wants the new features of said current version, could be said to be running an obsolete OS. If he doesn't need those new features, the device can be said to be viable.

Bob S

> On Jul 11, 2018, at 17:54 , Richard Gaskin via use-livecode <[hidden email]> wrote:
>
>   But Wardle has shown that the vulnerability allows an attacker
>   to grab and steal every password in plain-text using an unsigned
>   app downloaded from the internet, without needing that password.



Re: [Bug 19998] The non-appearance of Polygon graphics in LC

Richard Gaskin via use-livecode
In reply to this post by Richard Gaskin via use-livecode
From the keychain exploit article:

"MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents."

I think that saying this makes the mac inherently insecure is like clicking the link in the email and then complaining that Windows allowed your computer to be hacked.

Bob S

> On Jul 11, 2018, at 17:54 , Richard Gaskin via use-livecode <[hidden email]> wrote:
>
>   But Wardle has shown that the vulnerability allows an attacker
>   to grab and steal every password in plain-text using an unsigned
>   app downloaded from the internet, without needing that password.



Re: OS EOL (was: [Bug 19998] The non-appearance of Polygon graphics in LC)

Richard Gaskin via use-livecode
In reply to this post by Richard Gaskin via use-livecode
Bob Sneidar wrote:

 > Each of these Mac OS exploits require that the end user install
 > something on their computer, or allow it. As far as the doorstop
 > comparison, well that comment is a bit of a red herring now, isn't it?
 > Brand new computers with current AV definitions and a completely
 > updated OS involve "some degree of risk".
 >
 > My point is that if you use a computer in such a way that it performs
 > its job as it always has, an internal SQL server with no exposure to
 > the internet for example, then all other things being equal, it's not
 > obsolete by a certain definition.

How often do computer vendors advertise their network-capable products
as not being fit for use on networks?

I suppose we could slice and dice to come up with all sorts of
definitions.  Here's where I'm coming from:

Somehow this conversation became mistaken for one of brand advocacy.  I
mentioned macOS 10.7.5 only because that's the version Richmond isn't
allowed to upgrade beyond. Those who've been on this list a while have
seen me use the phrase "not safe to use" for any brand of OS that has
reached end-of-life (EOL).

If this has to be about one brand, I think there's an argument to be
made that Apple does a better job in some (but not all) areas of
security.  But they're not a magic pony.  There is no magic pony.  Even
the best software is just imperfect humans making imperfect systems
riddled with flaws waiting to be found by someone with an IQ north of
160 who devotes their life to finding such things.  And they do, new
ones every week.

If the phrases "safe to use" and its corollary "not safe to use" are
uncomfortable, I got nothing for that.  I come across them frequently in
discussions of OS EOL.  Given how many exploits are made possible by
unpatched systems, the more I read on the subject the more I come across
those phrases.

In this context, "obsolete" refers to a product comprised of hardware
and software where the software half of it has reached what the vendor
has determined is "end of life".

True, it's possible to extend the useful life of a computer by limiting
oneself to a much narrower range of tasks than the product was
originally designed for.

Another option is to replace the EOL'd software half of the product with
something that's kept current. Given the cost, ease of updating, and
well-published EOL dates for most distros, Linux makes a logical choice
for that, since it supports a much broader range of hardware than any
other OS.  But even that isn't brand advocacy (if it were I'd be
suggesting that everyone replace their OS before the vendor EOLs it
<g>), but merely pragmatism for those cases where the vendor provides no
upgrade path for the now-EOL'd OS.

But neither of those options, viable as they may be for some users, is
part of the product offering as sold.  Once the software half of a
product no longer has an option to remain current with critical patches,
the product as originally offered is no longer fit to serve the role it
was designed for.  One word commonly used to describe a product beyond
end-of-life is "obsolete".

Knowingly running unpatched systems is kind of a problem.  I don't feel
at all uncomfortable encouraging folks to aim a bit higher than an Oingo
Boingo security policy:

https://www.youtube.com/watch?v=qpjHW4mr6qo

;)

--
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  [hidden email]                http://www.FourthWorld.com


Re: OS EOL (was: [Bug 19998] The non-appearance of Polygon graphics in LC)

Richard Gaskin via use-livecode

An older system offline could be useful for many things. People have
used old computers even to get paralyzed people back in the game with
speech. It could also run special projects, education or a kiosk. Be
careful though.

A new system fully patched still could be risky online if people always
trust the status quo and what's popular, without thinking it through.

Some things (like security patches) are popular for very good reasons.
But other things not so much. The powers that be can only protect you to
an extent - and sometimes we need protection from the powers that be. To
survive and thrive, we need independent thinking too.

Best wishes,

Curry Kenworthy

Custom Software Development
LiveCode Training and Consulting
http://livecodeconsulting.com/
