03-15-2008, 08:54 PM
Sebastian G.
Re: WARNING: Roy Schestowitz is spreading virusses on his website,don't go there!!!!!!!!

Hadron wrote:


>> You're twisting correlation and causality. Only machines using
>> *Internet Explorer* got infected, and since Internet Explorer is
>
> On Windows.

That's not the reason why IE is so trivial to compromise. Running IE on
Linux using Wine, or even running the native IE port on Mac OS X results in
the very same vulnerability.

>>> He was told ages ago about this and did NOTHING about it.
>>
>> Not just that it's not him at all, why exactly should he do anything
>> about it? He's not harming any serious visitor, and is getting access
>> to machines for free, and can't be held responsible (since the users
>> intentionally offered him full access to their machines).
>
> LOL: Now I see you're only trying to make Roy look worse!

No, rather not. See: I have been running a website discussing IE
exploitation. It was encoded in XHTML 1.0 Strict and the server was
correctly serving it as application/xhtml+xml. Now the funny/stupid thing is
that IE doesn't know this MIME type by default (and Microsoft doesn't intend
to simply add it via an update), so IE users get a download dialog instead
of the website.

Someone has been asking me how people should learn about the dangers of IE
when they can't access the website with IE... my response was that they
should simply use a real web browser instead of abusing IE as such, and I
don't intend to break a 100% conformant website just because they don't know
how to tell a web browser from an ActiveX Rich Platform Client.

Some other users have been reporting to me that my website contains some
malware. I told them that this is obviously not the case (the exploits are
intentional, for educational purposes), and if their virus scanners are scanning
the websites they're surfing too, then they have at least a serious
configuration problem and a waste of resources for absolutely no increase of
security (think about script obfuscation or HTTPS).

If someone decides to gain access to every user's system who connects to his
site by simply stepping through the front door by using well documented
functionality, then he may do so. After all, if the users' software
technically doesn't express their intentions, it's their problem.
