Reply by Oliver Betz March 3, 2011
David Brown wrote:

[...]

>Windows readers that I know of. Something like Foxit reader is free,
>safe, and /much/ faster than Acrobat.

http://secunia.com/secunia_research/2011-14/

Even smaller, faster and less known is "Sumatra".

Oliver
--
Oliver Betz, Munich
despammed.com is broken, use Reply-To:
Reply by David Brown March 1, 2011
On 01/03/2011 15:09, Anders.Montonen@kapsi.spam.stop.fi.invalid wrote:
> David Brown<david.brown@removethis.hesbynett.no> wrote:
>> pdf's are perfectly safe as long as you use a safe pdf reader, and as
>> long as you disable javascript on the reader. Basically, avoid Acrobat
>> Reader. Any Linux reader (such as evince) is safe, as are all other
>> Windows readers that I know of. Something like Foxit reader is free,
>> safe, and /much/ faster than Acrobat.
>
> Other readers have had their share of vulnerabilities as well (eg. both
> Foxit and Adobe Reader used to silently run executables embedded in PDF
> files, no JavaScript or exploits needed. CVE-2010-1240). PDFs have also
> been used as attack vectors, for instance one iPhone jailbreak was
> accomplished by exploiting a FreeType2 bug via a font embedded in a PDF.
>
> Adobe Reader has by far the worst track record, but claiming you're safe
> just by switching to another reader is disingenuous.
>
Yes, fair enough - you are not entirely safe with other readers. But you are probably a couple of orders of magnitude safer using Foxit (for example) than Acrobat Reader. One order is because Foxit simply has fewer bugs - it's small, and the developers understand it, while Acrobat Reader has grown into incredible bloatware with far more scope for problems. You get another big step up because Acrobat Reader is the most commonly used pdf reader, and it is the one targeted by malware authors.
Reply by John Devereux March 1, 2011
Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> writes:

> On 2011-03-01, John Devereux <john@devereux.me.uk> wrote:
>> Paul <paul@pcserviceselectronics.co.uk> writes:
[...]
>>>
>>> A few years ago we had a debate about NXP doing something similar
>>
>
> I remember that very clearly. :-)
>
> At least they didn't mess things up as much as ST have done.
>
>><http://www.nxp.com> fails totally for me with flash + javascript
>> disabled. Just a permanent "loading page..." box.
>>
>> Enabling javascript does seem to let it work.
>>
>
> True, but I never use the main NXP website when I am looking for NXP
> documentation as I use Google to search websites (it's usually much
> quicker than a website's own search function) and Google always seems
> to point directly to the ics.nxp.com website.
>
>> I always use the "ICs" site <http://ics.nxp.com>, this does seem to work
>> well for me,
>>
>
> Agreed. I don't need to have Javascript enabled when browsing pages
> on this website which have been indexed by Google.
>
> For example, I have recently been downloading a range of documentation
> and example code associated with the LPC3131 and have had no problems
> with this.
>
>> I see there is a preview of a new "beta" NXP site - now why do I get
>> that sinking feeling.... ?
>>
>><http://beta.nxp.com/>
>>
>> (Actually it is at least browseable from my quick look)
>>
>
> It's annoying that you have to enable Javascript to browse that website,
> but with NoScript that's not really too much of a concern for me. My real
> objection is when you have to install plugins to browse a site.
>
> BTW, there's one feature on this new NXP website which I really like and
> that is the ability to download all related app notes/user manuals/etc for
> a specific part as a combined zip file in one operation.

That is a feature of the main nxp.com site too, but I don't think it is on the ICs one.

--
John Devereux
Reply by March 1, 2011
David Brown <david@westcontrol.removethisbit.com> wrote:

> Data formats in themselves are not the problem, but the programs that
> interpret that data can have security problems.

I recommend watching the "OMG WTF PDF" presentation from the recent 27C3 event. It shows that there really is no such thing as a "well-formed" PDF file.

<http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/27c3-4221-en-omg_wtf_pdf.mp4>

-a
Reply by Simon Clubley March 1, 2011
On 2011-02-25, Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
> On 2011-02-25, NeedCleverHandle <d_s_klein@yahoo.com> wrote:
>>
>> I didn't think it could be THAT bad. I was wrong.
>>
>> By the way, what browser should I use? It doesn't work with FireFox,
>> Chrome, or Internet Explorer.
>>
>
> You need Flash installed to use the ST website now which is something
> I refuse to install for just one website as I do not need it for the rest
> of my online activities.
>
> As well as the fact I've found Flash based websites to be bloated and slow,
> especially when you try browsing them from a mobile internet connection
> which I do a good portion of the time, I also refuse to open my machines
> to a major source of malware (given Flash's security history).
>

That reads as a contradiction. :-) It's using a mobile Internet connection for a good portion of the time I mean above; I've long given up on Flash based websites (I don't even need Flash for when I want a video from Youtube).

There appears to have been a major change behind the scenes with the new ST website and I wonder if someone realised they are getting massively whacked in the Google rankings.

When the new ST website was launched, all the links to the device specific pages were broken and you ended up with page not found errors. Now ST appears to have resurrected some device specific pages, but because of st.com's current poor Google ranking, you have to go looking for them.

For example (when using https://encrypted.google.com/ as the search URL), enter STR711FR2T6 and you will not find any reference to the st.com website on the few pages. However, if you enter "STR711FR2T6 site:st.com" into Google, one of the links is for http://www.st.com/internet/mcu/product/111089.jsp and if you click on "Design support", you get a nice list of related app notes and user guides.

This was not available immediately after the website launch because this is exactly what I tried to do (with this specific part number) to bypass the Flash based interface.

I have tried with a couple of the Cortex part numbers but I could not find them this way. I don't know if it's because similar pages do not exist on the ST website, or if it's because Google has not yet indexed them.

Simon.

PS: I use the https:// google link above because it bypasses all the dynamic search results page refreshing Google has started doing.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
Reply by Jon Kirwan March 1, 2011
On Tue, 01 Mar 2011 07:42:32 +0100, David Brown
<david.brown@removethis.hesbynett.no> wrote:

>On 28/02/11 23:51, Jon Kirwan wrote:
>> On Mon, 28 Feb 2011 14:33:44 -0800, Mark Borgerson
>> <mborgerson@comcast.net> wrote:
>>
>>> In article<d85cf734-cef1-4216-97ea-2e4caba1f752@
>>> 22g2000prx.googlegroups.com>, d_s_klein@yahoo.com says...
>>>>
>>>> On Feb 25, 12:37 pm, Simon Clubley<clubley@remove_me.eisner.decus.org-
>>>> Earth.UFP> wrote:
>>>>> On 2011-02-25, NeedCleverHandle<d_s_kl...@yahoo.com> wrote:
>>>>>
>>>>> As well as the fact I've found Flash based websites to be bloated and slow,
>>>>> especially when you try browsing them from a mobile internet connection
>>>>> which I do a good portion of the time, I also refuse to open my machines
>>>>> to a major source of malware (given Flash's security history).
>>>>>
>>>>
>>>> There are a number of viruses that are installed with flash scripts.
>>>> No sane person would ever require flash to view a web site.
>>>>
>>>> Gee, wouldn't you want your chip vendor to be sane?
>>>>
>>>> RK
>>> There are also viruses that are installed with PDF documents. Does that
>>> mean that we should avoid PDF files from chip vendors? ;-)
>>>
>>> The problem with flash on a web site has nothing to do with virus
>>> vulnerability. I'm convinced that almost any data format can
>>> be used to transmit a virus. The problem with flash is that it
>>> really isn't necessary to provide engineers with appropriate data.
>>>
>>>
>>> Mark Borgerson
>>
>> I can view PDF by transferring them to the Kindle and mitigate
>> the risk. Now that I mention it, I suppose I could view web
>> pages over a smart cell phone if it supports flash and
>> mitigate the risk there, too. So I suppose there are
>> options.
>>
>
>pdf's are perfectly safe as long as you use a safe pdf reader, and as
>long as you disable javascript on the reader. Basically, avoid Acrobat
>Reader. Any Linux reader (such as evince) is safe, as are all other
>Windows readers that I know of. Something like Foxit reader is free,
>safe, and /much/ faster than Acrobat.
I use Foxit, already. But I also use the Kindle reader a lot, as well. Very convenient and cheap.
>> But to be honest, I really would like to see web pages
>> designed to work well with Lynx. So that if I choose, I
>> could avoid flash and animations and silverlight and so on
>> and get by just fine in a dos box viewing the web.
>
>Support for Lynx is not going to happen. Next you'll be wanting
>datasheets in txt format, not pdf, and films optimised for viewing on a
>black and white TV. I agree entirely about avoiding flash, etc., -
>except for parts of the site where it is actually useful - but making
>pages Lynx-friendly is an unreasonable request.
Well, I remember well the time when all web pages were text. If that were the case, today, I could surf quite quickly given the changes in technology I now have access to -- fiber 80Mb link, 3GHz processors, and so on. I really wouldn't mind a subset world I could access stripped of the dross. The ALT attribute for images, for example, would be nice for them to use and not hard to apply.
>Flashblock will stop the flash and other nonsense, when they are not
>/required/ to view a page.
I block almost everything right now. Old habit. Harder to get by with that, these days, I admit.
>> I'm not happy being forced into using flash or silverlight to
>> access chip vendor content.
>
>I agree. It's okay to add flash to /enhance/ a site - there are things
>that cannot be done well with HTML (though HTML 5 gives more scope), and
>sometimes flash can be useful - but as an extra, not a requirement.
>
>Silverlight is an abomination and has no place on a website.

Silverlight is Microsoft's .NET 4.0/WPF-light. They will ram it down our throats over time.

In any case, I'd still like a text window on the internet. I have NOT enjoyed being dragged along unwillingly. If I want video to play or other animations and widgets active in my face, I'd like to make that choice explicitly. I'd like text access until I say otherwise. Yeah, I know. But still...

Jon
Reply by David Brown March 1, 2011
On 01/03/2011 03:01, NeedCleverHandle wrote:
> On Feb 28, 2:33 pm, Mark Borgerson<mborger...@comcast.net> wrote:
>> In article<d85cf734-cef1-4216-97ea-2e4caba1f752@
>> 22g2000prx.googlegroups.com>, d_s_kl...@yahoo.com says...
>>
>>
>>
>>> On Feb 25, 12:37 pm, Simon Clubley<clubley@remove_me.eisner.decus.org-
>>> Earth.UFP> wrote:
>>>> On 2011-02-25, NeedCleverHandle<d_s_kl...@yahoo.com> wrote:
>>
>>>> As well as the fact I've found Flash based websites to be bloated and slow,
>>>> especially when you try browsing them from a mobile internet connection
>>>> which I do a good portion of the time, I also refuse to open my machines
>>>> to a major source of malware (given Flash's security history).
>>
>>> There are a number of viruses that are installed with flash scripts.
>>> No sane person would ever require flash to view a web site.
>>
>>> Gee, wouldn't you want your chip vendor to be sane?
>>
>>> RK
>>
>> There are also viruses that are installed with PDF documents. Does that
>> mean that we should avoid PDF files from chip vendors? ;-)
>>
>> The problem with flash on a web site has nothing to do with virus
>> vulnerability. I'm convinced that almost any data format can
>> be used to transmit a virus. The problem with flash is that it
>> really isn't necessary to provide engineers with appropriate data.
>>

Data formats in themselves are not the problem, but the programs that interpret that data can have security problems. Typically you have specially malformed data files combined with bugs in the interpreting program to cause buffer overflows, stack faults, etc., which results in the system executing part of the "data" as code. Or you have a file format that supports some sort of scripting (say, javascript in pdf files) combined with bugs or sandboxing flaws in the interpreting program.

There are also a number of formats that are considered "data" formats, but actually can contain code. People thought of "doc" as a data format until the first MS Word viruses (but remember, the flaw was in MS Word - not the doc format). Microsoft is an expert at this - for example, their font file format is actually a DLL format, and therefore executable. I haven't heard of any font-file viruses, but the infrastructure for them has been supported by MS since Win3.1.
>> Mark Borgerson
>
> Through PDF? Really? Is there an example that will survive
> snopes.com? With PDF one can control the active content. Not so with
> flash.
>
There are many pdf viruses/trojans around. Yes, you can control the active content by turning off javascript and other active features - but only a tiny proportion of users do so. You can also use a better pdf reader - it is only Acrobat Reader that has so many security holes and vulnerabilities.
> But I think that we are in agreement that the use of flash on the ST
> web site is "wrong".
>
> RK
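The two attack shapes David describes above (a malformed file that trips a bug in the reader, or a format that legitimately carries script) and the features Anders raises earlier in the thread (embedded executables that some readers ran without any JavaScript) share one property: the file announces them in its own syntax before any reader has to parse it. The following is an added example written for this page, not code from anyone in the thread. It is a small Python triage scanner that looks for the PDF name tokens behind those features (JavaScript, actions that fire automatically on open, launching an external program, embedded files) and handles two things a plain text search misses: `#xx` hex escapes inside names (`/L#61unch` is `/Launch`) and content tucked inside FlateDecode streams. The name list, the verdict rules, the function names and the three sample files are assumptions made for the illustration; the samples are constructed here and are not real malware.

```python
"""Triage a PDF for active content before handing it to a full reader.

Added example (not code from the thread). The risky-name list and the
sample documents are assumptions for illustration, not an exhaustive
signature set.
"""
import re
import zlib
from collections import Counter

# Name tokens whose presence means the file can do more than draw pages.
RISKY_NAMES = frozenset({
    "/JavaScript", "/JS",      # script objects
    "/OpenAction", "/AA",      # actions that fire without a click
    "/Launch",                 # run an external program
    "/EmbeddedFile",           # file attachment
})

# A name token is "/" followed by regular characters: anything except PDF
# whitespace and delimiters. "#" stays allowed because of hex escapes.
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r /()<>\[\]{}%]*")
# Stream bodies; the lookbehind stops "endstream" being read as "stream".
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(token: bytes) -> str:
    """Resolve #xx escapes so b'/J#61vaScript' compares equal to '/JavaScript'."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), token)
    return decoded.decode("latin-1")


def _risky_names_in(buf: bytes) -> Counter:
    found = Counter()
    for m in _NAME_RE.finditer(buf):
        name = decode_name(m.group(0))
        if name in RISKY_NAMES:
            found[name] += 1
    return found


def scan_pdf(data: bytes) -> dict:
    """Return {risky name: count} over the raw bytes plus every stream that
    inflates with zlib (FlateDecode). Streams using other filters are left
    unexamined, so an empty result means "nothing found", not "nothing there".
    """
    found = _risky_names_in(data)
    for m in _STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the EOL that precedes "endstream"
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        found.update(_risky_names_in(inflated))
    return dict(found)


def verdict(counts: dict) -> str:
    """Classify: 'auto-run' when a trigger and a payload are both present,
    'suspicious' when only one side is, 'clean' when nothing was found."""
    triggers = {"/OpenAction", "/AA"} & set(counts)
    payloads = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile"} & set(counts)
    if triggers and payloads:
        return "auto-run"
    return "suspicious" if counts else "clean"


# --- constructed sample files (no xref table: readers tolerate that) -------

def _pdf(objects: bytes) -> bytes:
    return b"%PDF-1.4\n" + objects + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

BENIGN = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj"
)

# JavaScript wired to run as soon as the document opens.
AUTORUN_JS = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj"
)

# Launch action hidden twice over: hex-escaped name inside a Flate stream.
_HIDDEN = zlib.compress(b"<< /S /L#61unch /F (cmd.exe) >>")
HIDDEN_LAUNCH = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_HIDDEN)
    + _HIDDEN + b"\nendstream endobj"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("autorun-js", AUTORUN_JS),
                       ("hidden-launch", HIDDEN_LAUNCH)):
        counts = scan_pdf(doc)
        print(f"{label:14} {verdict(counts):11} {counts}")
```

Two design points worth noting. The scanner deliberately does not check that `%PDF` sits at offset 0 or that an xref table exists, because (as the 27C3 talk cited later in the thread shows) readers do not insist on either, so a scanner that did would be easier to evade than the reader it is protecting. And it is a triage tool, not a guarantee: it reports what it could see, and a file using filters other than FlateDecode, or an encrypted file, can still hide the same names from it; the safe default for anything it flags is the same one David gives, a reader with scripting and launch actions disabled.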
Reply by David Brown March 1, 2011
On 28/02/11 23:51, Jon Kirwan wrote:
> On Mon, 28 Feb 2011 14:33:44 -0800, Mark Borgerson
> <mborgerson@comcast.net> wrote:
>
>> In article<d85cf734-cef1-4216-97ea-2e4caba1f752@
>> 22g2000prx.googlegroups.com>, d_s_klein@yahoo.com says...
>>>
>>> On Feb 25, 12:37 pm, Simon Clubley<clubley@remove_me.eisner.decus.org-
>>> Earth.UFP> wrote:
>>>> On 2011-02-25, NeedCleverHandle<d_s_kl...@yahoo.com> wrote:
>>>>
>>>> As well as the fact I've found Flash based websites to be bloated and slow,
>>>> especially when you try browsing them from a mobile internet connection
>>>> which I do a good portion of the time, I also refuse to open my machines
>>>> to a major source of malware (given Flash's security history).
>>>>
>>>
>>> There are a number of viruses that are installed with flash scripts.
>>> No sane person would ever require flash to view a web site.
>>>
>>> Gee, wouldn't you want your chip vendor to be sane?
>>>
>>> RK
>> There are also viruses that are installed with PDF documents. Does that
>> mean that we should avoid PDF files from chip vendors? ;-)
>>
>> The problem with flash on a web site has nothing to do with virus
>> vulnerability. I'm convinced that almost any data format can
>> be used to transmit a virus. The problem with flash is that it
>> really isn't necessary to provide engineers with appropriate data.
>>
>>
>> Mark Borgerson
>
> I can view PDF by transferring them to the Kindle and mitigate
> the risk. Now that I mention it, I suppose I could view web
> pages over a smart cell phone if it supports flash and
> mitigate the risk there, too. So I suppose there are
> options.
>
pdf's are perfectly safe as long as you use a safe pdf reader, and as long as you disable javascript on the reader. Basically, avoid Acrobat Reader. Any Linux reader (such as evince) is safe, as are all other Windows readers that I know of. Something like Foxit reader is free, safe, and /much/ faster than Acrobat.
> But to be honest, I really would like to see web pages
> designed to work well with Lynx. So that if I choose, I
> could avoid flash and animations and silverlight and so on
> and get by just fine in a dos box viewing the web.
>

Support for Lynx is not going to happen. Next you'll be wanting datasheets in txt format, not pdf, and films optimised for viewing on a black and white TV. I agree entirely about avoiding flash, etc., - except for parts of the site where it is actually useful - but making pages Lynx-friendly is an unreasonable request.

Flashblock will stop the flash and other nonsense, when they are not /required/ to view a page.
> I'm not happy being forced into using flash or silverlight to
> access chip vendor content.
>

I agree. It's okay to add flash to /enhance/ a site - there are things that cannot be done well with HTML (though HTML 5 gives more scope), and sometimes flash can be useful - but as an extra, not a requirement.

Silverlight is an abomination and has no place on a website.
> Jon
Reply by Mark Borgerson February 28, 2011
In article <135c30ac-cbc6-4b27-91ae-c00840262314@o7g2000prn.googlegroups.com>, d_s_klein@yahoo.com says...
>
> On Feb 28, 2:33 pm, Mark Borgerson <mborger...@comcast.net> wrote:
> > In article <d85cf734-cef1-4216-97ea-2e4caba1f752@
> > 22g2000prx.googlegroups.com>, d_s_kl...@yahoo.com says...
> >
> >
> >
> > > On Feb 25, 12:37 pm, Simon Clubley <clubley@remove_me.eisner.decus.org-
> > > Earth.UFP> wrote:
> > > > On 2011-02-25, NeedCleverHandle <d_s_kl...@yahoo.com> wrote:
> >
> > > > As well as the fact I've found Flash based websites to be bloated and slow,
> > > > especially when you try browsing them from a mobile internet connection
> > > > which I do a good portion of the time, I also refuse to open my machines
> > > > to a major source of malware (given Flash's security history).
> >
> > > There are a number of viruses that are installed with flash scripts.
> > > No sane person would ever require flash to view a web site.
> >
> > > Gee, wouldn't you want your chip vendor to be sane?
> >
> > > RK
> >
> > There are also viruses that are installed with PDF documents. Does that
> > mean that we should avoid PDF files from chip vendors? ;-)
> >
> > The problem with flash on a web site has nothing to do with virus
> > vulnerability. I'm convinced that almost any data format can
> > be used to transmit a virus. The problem with flash is that it
> > really isn't necessary to provide engineers with appropriate data.
> >
> > Mark Borgerson
>
> Through PDF? Really? Is there an example that will survive
> snopes.com? With PDF one can control the active content. Not so with
> flash.

http://blogs.pcmag.com/securitywatch/2010/04/pdf_virus_demonstrated.php
http://news.cnet.com/2100-1001-271267.html
http://www.brighthub.com/computing/enterprise-security/articles/76970.aspx

>
> But I think that we are in agreement that the use of flash on the ST
> web site is "wrong".
>

True.

Mark Borgerson
Reply by NeedCleverHandle February 28, 2011
On Feb 28, 2:33 pm, Mark Borgerson <mborger...@comcast.net> wrote:
> In article <d85cf734-cef1-4216-97ea-2e4caba1f752@
> 22g2000prx.googlegroups.com>, d_s_kl...@yahoo.com says...
>
>
>
> > On Feb 25, 12:37 pm, Simon Clubley <clubley@remove_me.eisner.decus.org-
> > Earth.UFP> wrote:
> > > On 2011-02-25, NeedCleverHandle <d_s_kl...@yahoo.com> wrote:
>
> > > As well as the fact I've found Flash based websites to be bloated and slow,
> > > especially when you try browsing them from a mobile internet connection
> > > which I do a good portion of the time, I also refuse to open my machines
> > > to a major source of malware (given Flash's security history).
>
> > There are a number of viruses that are installed with flash scripts.
> > No sane person would ever require flash to view a web site.
>
> > Gee, wouldn't you want your chip vendor to be sane?
>
> > RK
>
> There are also viruses that are installed with PDF documents. Does that
> mean that we should avoid PDF files from chip vendors? ;-)
>
> The problem with flash on a web site has nothing to do with virus
> vulnerability. I'm convinced that almost any data format can
> be used to transmit a virus. The problem with flash is that it
> really isn't necessary to provide engineers with appropriate data.
>
> Mark Borgerson

Through PDF? Really? Is there an example that will survive snopes.com? With PDF one can control the active content. Not so with flash.

But I think that we are in agreement that the use of flash on the ST web site is "wrong".

RK