GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. MostlyHarmless (mostlyharmless@thecanadian.social)'s status on Tuesday, 19-Nov-2024 09:16:38 JST

    Rick Astley has done a better job of preventing people from clicking random links than any corporate cyber-security training.

    In conversation about 8 months ago from thecanadian.social permalink
    • mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: and Another Linux Walt Alt like this.
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 19-Nov-2024 17:22:40 JST
      in reply to

      @MostlyHarmless The only legitimate corporate anti-phishing training is sending rickrolls. No tracking who clicked, no rewards or punishments except the glory of hearing Rick Astley.

      In conversation about 8 months ago permalink
      Haelwenn /элвэн/ :triskell: likes this.
    • SuperDicq (superdicq@minidisc.tokyo)'s status on Tuesday, 19-Nov-2024 20:22:46 JST
      in reply to

      @MostlyHarmless@thecanadian.social
      Work computer gets infected with malware
      Oh well who cares whatever bro
      I get rickrolled
      FUCK NEVER AGAIN

      In conversation about 8 months ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Wednesday, 20-Nov-2024 19:07:32 JST
      in reply to
      @MostlyHarmless Clicking random links won't hurt you if you don't have a browser misconfigured to execute whatever proprietary malware a remote server throws at it.
      In conversation about 8 months ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 21-Nov-2024 16:14:56 JST
      in reply to
      • LisPi
      @lispi314 @MostlyHarmless Sure, but I believe such bugs are almost all of the time only exploitable when JavaScript is leveraged to fetch/load the HTML or CSS in succession to carry out the exploit.

      Do you have any examples of past HTML exploits?

      I suspect a pure HTML/CSS exploit would require loading like a 100MiB HTML file, which takes like 10 minutes to load over Tor (I'm going to cancel the loading instead of waiting 10 minutes).
      In conversation about 8 months ago permalink
    • LisPi (lispi314@udongein.xyz)'s status on Thursday, 21-Nov-2024 16:14:57 JST
      in reply to
      • 翠星石
      @Suiseiseki @MostlyHarmless There are the odd exploitable bugs in HTML/CSS parsing and rendering & such, from time to time, unfortunately.

      So while not executing arbitrary JavaScript code is a good step, it only removes most of the common attack surface, not all of it.
      In conversation about 8 months ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 21-Nov-2024 16:24:10 JST
      in reply to
      • LisPi
      • the_daikon_warfare
      @sicp @MostlyHarmless @lispi314 You can only really achieve XSS via JavaScript, unless you can convince the user to click several links in a specific order.
      In conversation about 8 months ago permalink
    • the_daikon_warfare (sicp@freesoftwareextremist.com)'s status on Thursday, 21-Nov-2024 16:24:11 JST
      in reply to
      • 翠星石
      • LisPi
      @Suiseiseki @lispi314 @MostlyHarmless A lot of the old school XSS exploits target server-side scripts in stuff like PHP or Perl, but the payload would still have to be client-side somehow in order to do much.
      In conversation about 8 months ago permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 21-Nov-2024 19:22:18 JST
      in reply to
      • LisPi
      @lispi314 @MostlyHarmless
      >CVEs for transport, image renderers & such are present for 2014, 2015 and 2016 that could've been turned into code execution (or demonstrably were).

      Tor Browser is pretty good, as it can disable dangerous formats to render, for example SVG.

      The image renderers Firefox uses have improved and have undergone fuzz testing I believe.

      I wonder if there's an option to disable image rendering...
      In conversation about 8 months ago permalink
    • LisPi (lispi314@udongein.xyz)'s status on Thursday, 21-Nov-2024 19:22:19 JST
      in reply to
      • 翠星石
      @Suiseiseki @MostlyHarmless It's been a few years since the last (known) instances in Firefox not dependent on JavaScript, but CVEs for transport, image renderers & such are present for 2014, 2015 and 2016 that could've been turned into code execution (or demonstrably were).

      It's way more common with JavaScript and it's the majority of what is being found now. Though whether that's because people stopped looking elsewhere or the codebases truly improved, I couldn't say.
      In conversation about 8 months ago permalink

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.