Hacker suggests using the Opera browser
Published July 23rd, 2007 1:59 PM EDT By Daniel Goldman
One of the creators of the MPack infection kit, a tool that allows data thieves and bot masters to take control of victims’ systems and steal personal information, said in an interview with SecurityFocus that using the Opera browser will keep you safe from his hacker tools.
Snippet from the interview:
“Do you feel sorry for the people whose machines are infected by an attack?
Well, I feel that we are just a factory producing ammunition.
Anything else you’d like to add?
I would advise you to use the Opera browser with scripts and plug-ins disabled in order not to be caught by the MPack someday.”
Kudos to the Opera security team!
(Hat tip to Pablito)
using
Yeah, but how many Opera users routinely run with scripts and plugins disabled by default? :\
using
Yes I know that was a rhetorical question, but less than 1% since you ask :p
- ØØ -
using
Yes, that scripting proviso completely negated the recommendation. You might as well say “Use Opera! But not with a live Internet connection!” It would be about as useful.
using
If having scripting on in Opera leaves me at risk of being caught by MPack, I wouldn’t be giving many kudos to the security team, personally.
using
The most secure way would be surfing through a VM, but I think that’s a bit too paranoid
using
Taking the scripting aside, which no other browser is safe from, Opera is the only recommended browser with scripting disabled. That’s the point I’m making.
using
Just use Opera and Linux and no virus of any kind will ever hit you.
using
I love hackers. They just make Opera that much more appealing…
using
I agree, Alex, Opera+Linux is a deadly combination, but for those of us still needing Windows, at least part of the time…
I guess even with scripting and plugins enabled, Opera still remains the safest choice? I have yet to see Opera do worse than other browsers with unpatched security holes, according to the Stay Secure widget/Secunia…
using
I can’t believe that he is applauding hackers. Is getting attention for Opera that desperate?
using
This is one of those grey-area topics of whether it should be kept quiet. I’m still not sure what I think about the subject: whether I should applaud the interview or not.
using
What would be useful is for you to take the time to learn something about security; then you would probably understand what the recommendation actually means. He's saying this because:
1) Not everyone is using the latest version available (not vulnerable to known issues), which means there are versions of Opera vulnerable to script exploits. This problem disappears with JS disabled no matter what version is used.
2) Some vulnerabilities are not in Opera itself but in the plugins (Flash, QuickTime, etc.), so even if the user has the latest version of Opera installed he will still be vulnerable due to exploits in old plugin versions. This is why he recommends disabling plugins.
3) If there’s an exploit in the wild targeting Opera, disabling JS and plugins will protect you, whereas this is not true for other browsers: for example, Firefox needs extensions to provide this functionality and there are other ways to attack it aside from JS and plugins, mainly the extension mechanism, which makes it very hard for the user to protect himself from exploits in the wild.
Finally, I guess you will accept that he knows much more about security than you do and he recommends Opera and not other browsers for a reason, that should make you think.
Please, next time try not to speak about something you clearly don’t understand, thanks.
using
Looks like rseiler (and others) has been owned…
using
Maybe the hacker is saying what he is saying because Opera by default offers by far the quickest way possible to disable these features (JavaScript & plugins) without needing to go through a dialog to disable them. Plus site preferences allow turning off these features too. Whereas other browsers don’t offer that.
using
The big plus of the Opera browser is that it is safer than others even with JavaScript on.
But I agree that users that care about security should enable Flash only for sites that depend on this plug-in through per-site preferences in Opera.
using
Wow. What an endorsement.
Not getting into which browser is more secure (or how one would even measure that accurately), disabling scripting, however easy it is to accomplish, is simply not acceptable to the overwhelming majority of web users. Any advice about securing a browser that requires disabling scripting and plugins will not be acted upon by so many users as to be essentially useless. For those in the know enough to work around the problems caused by disabling scripting and plugins, the risk of attack is, for a wide variety of reasons mostly having to do with general web and security savvy, already pretty low.
- A
using
What you are saying is correct, and I agree. But the hacker in question mentioned Opera w/ JS disabled, not Firefox, IE, or Safari. I guess this was the whole point of the mention…
using
Bottom line if you are running Windows you are never going to be 100% safe from this. However, compared to IE and Firefox I do believe Opera is the safest browser out there.
using
Unfortunately, in today’s Web 2.0 era, disabling scripting will completely cut you off from the Internet (if you are relying on Web 2.0 for most of your online activity).
using
LOL @ Asa completely ignoring the point just because Firefox has not been mentioned. You can bet that if the guy had mentioned Firefox with the noscript extension enabled, this blog entry would be on Asa’s blog: “Firefox security is even praised by Hackers, we lead the way as always”. Hypocrisy all over the place, this guy is a joke.
using
I have been using Ubuntu and Opera and never had to bother about “online security”. (I am not using my computer to post this comment). For obvious reasons, it makes sense to shift to Linux and Opera (I know the hassles involved with the migration in Windows only world) but then this is a recommendation!
Asa sounds confused for obvious reasons. I hope he removes the wool from his eyes and works on a better alternative to Firefox. I am all for Open Source but would not settle in for something that is clearly a clone of Opera.
using
Mozilla admits Firefox is flawed just like IE:
http://www.computerworld.com.sg/ShowPage.aspx?pagetype=2&articleid=5857&pubid=3&tab=Home&issueid=115
That same day, Asa Dotzler, director of community development, contrasted what he said were the differences between Microsoft and Mozilla on the bug. “We think it’s Firefox’s job to ensure that users are protected from malicious websites when they’re surfing the web in Firefox. Apparently Microsoft doesn’t think the same for IE,” Dotzler said then.
In a public mea culpa, Mozilla Corp.’s chief security officer acknowledged today that Firefox includes the same flaw that the company called a “critical vulnerability” in Internet Explorer during a two-week ruckus over responsibility for a Windows zero-day bug.
How can you take these guys seriously when they refuse to acknowledge a serious security flaw, blame others, and after two weeks they are forced to finally recognize it because it is quite obvious that they screwed it up?
And this Asa Dotzler guy is giving lessons about security here after all this ****? This is like **** Cheney giving lessons about honesty…
using
Following the Cheney analogy…
IMPEACH ASA
Jokes aside, Asa needs an anti-troll treatment ASAP, the internet would be a better place if it happened but as they say: Asa, you need to recognize that you have a problem, that’s the first step. We’re all here to help, just ask.
using
@Asa:
“Disabling scripting, however easy it is to accomplish, is simply not acceptable to the overwhelming majority of web users.”
LOL, only because Firefox doesn’t have site-specific settings at default that doesn’t say it’s easy for Opera users to simply disable scripts and plug-ins per default and activate them where needed.
using
By default, IE and Firefox allow disabling JavaScript globally; however, Opera offers a multitude of ways to disable JavaScript: either globally, per site, or even a UserJS can block scripts.
using
Why not just use Linux, and 99.99% of the viruses won’t be able to infect you? Any modern Linux such as Debian is very similar to Windows XP/Vista.