[ui] fix UI font for XP users
* DIE, XP, DIE!!!!
* Closes #820
pbatard committed Aug 29, 2016
1 parent 5d3be6c commit cc758f5
Showing 2 changed files with 6 additions and 6 deletions.
10 changes: 5 additions & 5 deletions src/rufus.rc
Expand Up @@ -33,7 +33,7 @@ LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
IDD_DIALOG DIALOGEX 12, 12, 242, 376
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_ACCEPTFILES
CAPTION "Rufus 2.11.989"
CAPTION "Rufus 2.11.990"
FONT 8, "Segoe UI Symbol", 400, 0, 0x0
BEGIN
LTEXT "Device",IDS_DEVICE_TXT,9,6,200,8
Expand Down Expand Up @@ -320,8 +320,8 @@ END
//

VS_VERSION_INFO VERSIONINFO
FILEVERSION 2,11,989,0
PRODUCTVERSION 2,11,989,0
FILEVERSION 2,11,990,0
PRODUCTVERSION 2,11,990,0
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
Expand All @@ -338,13 +338,13 @@ BEGIN
BEGIN
VALUE "CompanyName", "Akeo Consulting (http://akeo.ie)"
VALUE "FileDescription", "Rufus"
VALUE "FileVersion", "2.11.989"
VALUE "FileVersion", "2.11.990"
VALUE "InternalName", "Rufus"
VALUE "LegalCopyright", "� 2011-2016 Pete Batard (GPL v3)"
VALUE "LegalTrademarks", "http://www.gnu.org/copyleft/gpl.html"
VALUE "OriginalFilename", "rufus.exe"
VALUE "ProductName", "Rufus"
VALUE "ProductVersion", "2.11.989"
VALUE "ProductVersion", "2.11.990"
END
END
BLOCK "VarFileInfo"
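Review bot: the FileVersion and ProductVersion strings in this block are edited by hand for every release, as are the numeric FILEVERSION/PRODUCTVERSION fields and the CAPTION earlier in the same file, so the five copies of 2.11.990 can silently drift apart; deriving all of them from a single version define (numeric form for the VERSIONINFO fields, a stringified form for the VALUE entries) would make the bump a one-line change and let the resource compiler catch a mismatch.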
2 changes: 1 addition & 1 deletion src/stdlg.c
Expand Up @@ -1693,7 +1693,7 @@ LPCDLGTEMPLATE GetDialogTemplate(int Dialog_ID)
// We can't simply zero the characters we don't want, as the size of the font
// string determines the next item lookup. So we must memmove the remaining of
// our buffer. Oh, and those items are DWORD aligned.
if (IsFontAvailable("Segoe UI")) {
if ((nWindowsVersion > WINDOWS_XP) && IsFontAvailable("Segoe UI")) {
// 'Segoe UI Symbol' -> 'Segoe UI'
wBuf[8] = 0;
} else {
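Review bot: the added `(nWindowsVersion > WINDOWS_XP)` guard is undocumented; the comment block above covers only the memmove and DWORD-alignment handling, and nothing says why the 'Segoe UI Symbol' -> 'Segoe UI' substitution has to be skipped on XP even when IsFontAvailable("Segoe UI") reports the font as present. A one-line comment pointing at #820 would keep a later reader from treating the version check as redundant and removing it.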

18 comments on commit cc758f5

@NSbuilder (Contributor) commented on cc758f5 Aug 29, 2016

Maybe you can make a version that works on XP and then drop the support for it.

@pbatard (Owner, Author) commented on cc758f5

Which is pretty much what I'm trying to do right now.

@mirh commented on cc758f5 Oct 3, 2016

Oh, you guys are too harsh :p

@pbatard (Owner, Author) commented on cc758f5 Oct 3, 2016

<sigh> I wish people who are still hell bent on using XP on machines, that they are going to connect to the internet, realized HOW MUCH they are likely to be putting both themselves and other users at risk.

It is exceedingly likely that any XP machine that connects to the internet can be easily infected with drive-by exploits (such as ones coming from a malicious ad banner), due to hackers having had ample time to study critical flaws, that apply to ALL versions of Windows, and that have only been fixed in the more recent versions. It doesn't matter if your browser is the latest version of Firefox or Chrome, when these browsers still directly rely on many Windows kernel libraries that may be very easy to breach.

So, I'm sorry to say but thinking that continuing to use XP, in a connected manner, more than 2 years after it has been officially retired is both foolish and a sign that someone doesn't have the slightest concern for others (who may get infected due to XP based botnets being readily available on the internet).

So please grow some consideration for others, and stop pretending that using XP is okay.

@mirh commented on cc758f5 Oct 3, 2016

Not that I had expected to go OT on the comments of a commit.. But 2 years since April 2014 and counting.
Back then with the P4 and the Radeon 7500LE it was the only usable OS, but I can't complain even with my C2D now.

And I find it quite hard for random hackers to exploit my kernel simply by browsing wikipedia or working on my Access docs. Indeed, there's no weird network or cpu activity, and even Avira never reported anything (fantastic what proper behaviours can do).
...
Said this anyway, this should have no connection with whether a program can or should support it.
If somehow something breaks, you aren't even expected to fix it (I mean, if it isn't so incredibly trivial like this). But really, I can't understand this "fuck it even if somebody finds the time to fix it" attitude.

@pbatard (Owner, Author) commented on cc758f5 Oct 3, 2016

> this should have no connection with whether a program can or should support it

It should, when people very foolishly persist on putting both themselves and others at risk by placing their fingers in their ears and pretending that "proper behaviour" is enough to ward off critical kernel and DLL vulnerabilities. It's just like drink driving, really - yes, the chances are you'll be able to get home safe tonight, even if you've drunk too much, but, through the irresponsible behaviour of thinking you can just drink and drive, you have greatly increased the likelihood that something really bad is going to happen to you or, worse, somebody else. Thus, just like friends don't let other friends drive drunk (which may very well piss them off but is for their own good), friends don't let other friends use XP, in a connected fashion, more than 2 years after it has ceased to receive critical updates. This is the precise reason why you will find many vehement voices that tell you to stop using XP. Using an OS where critical flaws haven't been patched for years IS just that risky.

Also, unless you are a security specialist, analysing every single network frame that goes in and out of your connected XP machine, there is no way you can claim that your machine isn't infected. Apart from ransomware, the purpose of most malware these days is to not do anything that may bring suspicion to users, whilst at the same time leaving the door open for the malicious people or malicious activities. There exist way too many zero days to believe that an up to date antivirus, running on an unpatched machine with an OS that wasn't really designed with security in mind, is enough to protect it.

@mirh commented on cc758f5 Oct 3, 2016

> It should

Security risks have nothing to do with feasibility of support. Or with whatever effort you need to accomplish it.

> when people very foolishly persist on putting both themselves and others at risk by placing their fingers in their ears and pretending that "proper behaviour" is enough to ward off critical kernel and DLL vulnerabilities.

You have to reach these components beforehand. There is where the proper behavior thing matters so much.

> It's just like drink driving, really - yes, the chances are you'll be able to get home safe tonight, even if you've drunk too much, but, through the irresponsible behaviour of thinking you can just drink and drive, you have greatly increased the likelihood that something really bad is going to happen to you or, worse, somebody else.

Tbh I don't understand why you talk about likelihood, then fail to assess such increment (because I mean drinking too much is quite of a random statement)

> Also, unless you are a security specialist, analysing every single network frame that goes in and out of your connected XP machine, there is no way you can claim that your machine isn't infected.

I'm not claiming that. Simply, it works as expected.

> There exist way too many zero days to believe that an up to date antivirus, running on an unpatched machine with an OS that wasn't really designed with security in mind, is enough to protect it.

Yes, but for god's sake, it's like you were suggesting malware could leech the kernel remotely, as if that was exposed on the net.

@pbatard (Owner, Author) commented on cc758f5 Oct 3, 2016

> Security risks have nothing to do with feasibility of support.

It does when I see it as my duty, as an experienced software developer producing an application that may be used by people running XP, to tell these users that they should stop using an insecure OS, that puts both themselves and others at risk. I get that, as an XP user, you may not like that message (you're really not the first one there and I do get a lot of flak from consistently berating XP users), but just like I wouldn't keep silent if I saw that you had a few too many drinks and were planning to drive, I'm not gonna keep silent when someone is trying to defend their use of a connected XP machine as something benign. There is NOTHING benign about it when you are putting people at risk, and you will definitely find me repeating the same message over and over as long as I am under the impression that you still don't understand the risks you are facing from using XP in a connected fashion.

> Simply, it works as expected.

I'm sorry, but, again, short of being a security expert, you cannot claim that. All you can claim is that you think that your computer works as expected, which may be very different from the actual state of things, especially as the goal of most malware is to make users think that their computer does work as expected, even after it has been infected. If your computer is part of a botnet (which is a very common use of infected machines these days), you won't be able to notice it unless you carefully monitor the network, as it only needs to send a few packets to the unfortunate target of the DDoS attack every few seconds, or more, to still be effective. During that time, you may be surfing Wikipedia or altering your Access DB, and won't notice a thing. There won't even be a spike of activity on your CPU.

So, really, it's the same as claiming that you think you're not drunk enough to drive, when you haven't taken a breathalyser test to prove it. Maybe you are right, but if the only evidence you can provide is your own judgement, it is tenuous at best, especially as, just like it is common knowledge that alcohol impairs the ability to drive, it is also common knowledge that unpatched kernels and libraries impair the ability of an OS to be secure, and therefore, if your judgement is wrong, the consequences could be disastrous.

> Yes, but for god's sake, it's like you were suggesting malware could leech the kernel remotely, as if that was exposed on the net.

Yes, that's precisely what I am suggesting.

This is called a drive-by infection (and I believe there's a competition every year where people try to break into up-to-date versions of modern OSes and browsers to see if they can manage a drive by infection... usually with a worrying level of success). If you have a solid zero day (e.g. a Javascript browser exploit), and combine it with an unpatched OS, it may only take someone surfing a web site that displays an ad that you control (or even a server that you managed to compromise), to infect that person's computer. This becomes all the more easier if the browser uses plugins that rely on out of date or unpatched libraries to display content (since plugins rarely do the data processing all by themselves, but do use multiple OS libraries), and you know how some of the libraries being used have critical vulnerabilities, due to having studied the patches pushed by the OS manufacturer in the more recent versions of their OS.

Logically then, the longer an OS remains unpatched, the easier it becomes to perform such an attack. Thus, the chances of being able to ward off attacks such as these are not really on the XP user's side as time goes by, which is precisely why people should really look into migrating to a more modern OS, which doesn't have to be Windows — if all you need is Access and Wikipedia, any modern Linux distro with OpenOffice should actually be a very decent replacement for XP...

@mirh commented on cc758f5 Oct 3, 2016

> It does when I see it as my duty, as an experienced software developer producing an application that may be used by people running XP

Aside of dumb liberalist arguments about this not being "your business"... It's not like there couldn't be people still using it offline and all (for as much they may be few, but that's the point if any)

> (you're really not the first one there and I do get a lot of flak from consistently berating XP users)

I dunno about your past experience, but I hope you are getting the message I'm not advocating about you nursing the OS forever. Just don't.. I guess recommend people to go fuck themselves?

> I'm sorry, but, again, short of being a security expert, you cannot claim that.

We can enter into the philosophical realm then, and I might say the same applies to you too.
Then you would reply that "probabilities" are way lower, and then I'd suggest you to check back what statistics say.

> So, really, it's the same as claiming that you think you're not drunk enough to drive

Seriously, I dunno where you live, but here nobody is that dumb not to know it in the first place.
Lying to oneself then is another matter.

> This is called a drive-by infection

Drive-by download perhaps?

> If you have a solid zero day (e.g. a Javascript browser exploit), and combine it with an unpatched OS, it may only take someone surfing a web site that displays an ad that you control (or even a server that you managed to compromise), to infect that person's computer.

Yes, but you see, aside of me not using that computer to surf warez (which is just to say bad ad networks aren't REAAAALY that common), that's not the FUBAR-level kind of craziness I was talking about in my "remotely leech kernel" hypothesis.

> which doesn't have to be Windows — if all you need is Access and Wikipedia, any modern Linux distro with OpenOffice, should actually be a very decent replacement for XP...

I'm glad for your help.. But no, really, even Access 97 seems to offer more features than the latest libreoffice.
And unfortunately wine is still not on par (for as much patches to fix all the few remaining bugs aren't really any special and could be pushed at any moment afaik).

But besides, with a Radeon 7500LE that's really the most that could offer an acceptable experience.
I have a shiny new geforce 7300GS now, but still I'd like you to see my points.

@pbatard (Owner, Author) commented on cc758f5 Oct 3, 2016

> It's not like there couldn't be people still using it offline

Which I addressed every step of the way by making sure to always mention "connected" in the posts above. I have no issue with offline use of XP, and thought I made that fairly explicit.

> Just don't.. I guess recommend people to go fuck themselves?

I'm curious how you interpret this as my message when:

  1. I did fix the very XP specific bug we are commenting on, even as I didn't think I had to. Isn't that the exact opposite of telling XP users to go fuck themselves? Somehow I get the impression that you just read the commit message (and subsequent comments), and just jumped on the outrage bandwagon ("How dare they tell me that I shouldn't be using XP?") while completely missing the full picture. The bug was not dismissed, but fixed, and the comments simply reflect the annoyance at trying to make an effort to still try to help people like you, who should have migrated away from XP a long time ago.
  2. I am merely advocating for people to stop using XP, as it is an unsafe OS to use and there exist alternatives, including free ones.
  3. Microsoft dropped support for XP more than 2 years ago, which means that you can hardly expect Windows developers not to follow suit too.

> Then you would reply that "probabilities" are way lower, and then I'd suggest you to check back what statistics say.

If you want to deny the common sense that, no matter how careful you think you are, an OS where critical vulnerabilities remain unpatched is by definition an unsafe OS, and therefore that the probability of getting infected is quite significant compared to a modern supported OS, fine by me. But I don't think you'll find many people swayed by trying to use a pseudo philosophical argument in an attempt to dismiss that your impression of your OS being in a "working state" might very well be just an impression and hardly reflect the actual state of things. And precisely because of unpatched critical flaws, my saying that your OS may very well be compromised without your knowledge does have a lot more weight than you saying that if that was the case, you would immediately notice it, as was your argument. But you can still try deluding yourself into thinking that you are as safe in the long run when using XP, as you would using a more modern OS, despite logic being squarely against you.

So, again, all I have been saying is that by using XP in a connected fashion, you are putting yourself and others at risk, regardless of whether you (want to) believe that you are actually safe. The safety of an unpatched OS is less than the safety of a patched OS, and in a connected world, it does have negative consequences, period.

> here nobody is that dumb not to know it in the first place.

Which is precisely the kind of stupidity I am trying to make you realize using XP in a connected fashion equates to in 2016. If you are smart enough to realize that drinking and driving is bad, you should be smart enough to realize that using an unpatched OS to surf the internet is bad, no matter how safe your other behaviours are - it's like trying to take the road with tyres that you know are worn out - it doesn't matter how good of a driver you think you are when you are putting both yourself and others at risk by trying to dismiss a dangerous behaviour as something that should be acceptable.

> Drive-by download perhaps?

Nope, drive-by infection, without download, which can come from javascript running on malicious ads for instance. No need to click or download anything, or even browse a disreputable site, if they subscribe to an ad network that doesn't vet ads carefully enough. I even went to the trouble of explaining what I had in mind. Javascript can be very efficient as an attack vector, but there are others too.

@mirh commented on cc758f5 Oct 4, 2016

> I did fix the very XP specific bug we are commenting on, even as I didn't think I had to. Isn't that the exact opposite of telling XP users to go fuck themselves?

I wasn't talking about your behavior, but your thinking. I totally appreciate your work (for as much I'm not even using XP at this point)
I can hardly expect Windows developers to follow microsoft in dropping it then, but

> an OS where critical vulnerabilities remain unpatched is by definition an unsafe OS, and therefore that the probability of getting infected is quite significant compared to a modern supported OS, fine by me.

I'm not denying that. I'm not saying it's not "unsafer".
I'm saying it isn't so much not still to make sense someway.

But of course if we fail to quantify the unsafeness (and see if we are past the "decency bar" or not), we are going nowhere.

> But I don't think you'll find many people swayed by trying to use a pseudo philosophical argument in an attempt to dismiss that your impression of your OS being in a "working state" might very well be just an impression and hardly reflect the actual state of things.

It's statistics. Bayesian specifically. No sorcery.

> So, again, all I have been saying is that by using XP in a connected fashion, you are putting yourself and other at risks, regardless of whether you (want to) believe that you are actually safe.

Risks, sure. But I hope you know the difference between that word and raw danger (and then we are back into what I said above)

> If you are smart enough to realize that drinking and driving is bad, you should be smart enough to realize that using an unpatched OS to surf the internet is bad

Driving and surfing the net are two completely unrelated situations.
If a point is a "driver being smart", that has nothing to do with whatever alcohol does to your brain in the first place.

> Nope, drive-by infection, without download, which can come from javascript running on malicious ads for instance.

Oh, I got it. Yes, I saw in the past some cases of stupid ads opening hijacking the page..
Still, probabilities to hit these, multiplied for chances of zero-days browser bugs are quite slim for a normal user if you ask me.

@pbatard (Owner, Author) commented on cc758f5 Oct 4, 2016

> But of course if we fail to quantify the unsafeness (and see if we are past the "decency bar" or not), we are going nowhere.

The unsafeness quantification pretty much boils down to this: after 2 years of non support from Microsoft it is exceedingly likely that there exist major exploitable critical vulnerabilities in Windows XP that can be exploited through simple drive by due to browsers having to rely on unpatched system libraries. As a software developer with more than 30 years experience, this conclusion is exceedingly obvious, at least to me, especially considering that one of the things Microsoft did no more than a few weeks after XP support ended was patch a very critical flaw, even though they weren't supposed to, because they realized they had just uncovered yet another in the long series of critical issues, and used the fact that they still hadn't dismantled their ability to deliver such patches (infrastructure + people) to still provide a patch for it as a last gesture of good will.

But hey, feel free to believe that that last crit vuln was just a poorly timed coincidence and that nothing of the same magnitude has happened to be uncovered by malware people in the 2 and a half years ever since...

However, if you combine the simple facts that:

  1. Drive by exploits do exist (and to this day browsers still have to find new ways of trying to contain them)
  2. Malware authors can and do learn about critical vulnerabilities of older OSes by looking at patches that are issued for similar more recent OSes
  3. There's only so much that security solution and modern browsers can achieve when the underlying security framework is structurally unsound and unmaintained

Then there is more than enough circumstantial evidence to logically conclude that you, and everybody else who keeps using XP in a connected fashion, is taking a very bad gamble.

> Driving and surfing the net are two completely unrelated situations.
> If a point is a "driver being smart", that has nothing to do with whatever alcohol does to your brain in the first place.

The point is not drivers being smart. The point is best practices, which dictate that you don't drink and drive, or drive with worn out tyres, or surf the net with an unpatched OS, as any person who decides that one of these best practices shouldn't apply to them is equally idiotic.

Or do you really believe that security experts are going to side with you and say "Well, the best practice of surfing the internet with software, including the OS, that is fully up to date in terms of security patches, is quite overrated, really, and people should be just fine surfing the net using an OS that hasn't seen security fixes in years..."

There's no such thing as cherry picking only the best practices you like, by trying to pull out a low probability out of your ass ("Still, probabilities to hit these, multiplied for chances of zero-days browser bugs are quite slim for a normal user if you ask me."), when it comes to security.

@mirh commented on cc758f5 Oct 4, 2016

> The unsafeness quantification pretty much boils down to this: after 2 years of non support from Microsoft it is exceedingly likely that there exist major exploitable critical vulnerabilities in Windows XP that can be exploited through simple drive by due to browsers having to rely on unpatched system libraries.

We already agreed kernel suck yesterday.
You continuously overfly this mythical "drive by infection" merits.

> was patch a very critical flaw

In Internet Explorer?

> The point is best practices, which dictate that you don't drink and drive

If you really want to stress this metaphor so much, we could say then you have this driver that (for whatever reason) still remain capable of discernment and with only reflexes in the shit.
And the (online, yes) use cases I'm telling you are like driving at 10 km/h.

> Or do you really believe that security experts are going to side with you and say

You are talking about a use-case I have never considered as sane.

> There's no such thing as cherry picking only the best practices you like, by trying to pull out a low probability out of your ass

Still have to hear your probabilities over drive by infections.

@pbatard (Owner, Author) commented on cc758f5 Oct 4, 2016

> You continuously overfly this mythical "drive by infection" merits.

Which is still a more reasonable view than saying that, something which has been demonstrated to be used as an attack vector in the wild, somehow just cannot apply to you.

We can go at this all day, but in the end your argument boils down to "I don't believe there exists a drive by exploit out there that can apply to me and my 2 year+ unpatched version of Windows XP, because, by my own estimate, I'm simply too careful".

Sorry to have to burst your bubble again, but no matter how much you'd like to pretend otherwise, the odds are squarely against you.

> In Internet Explorer?

In one of the many systems and subsystems that constitute XP. IE is the one that I used for an example illustrating just how fast after EOL Microsoft found a critical issue that they figured was just too serious not to patch, in the attempt to make you understand that, if Microsoft decided to create an out of band patch for just this one, even though officially support had ended, one can only guess how many critical vulnerabilities have been discovered since then, in IE, kernel, DLLs or other components.

I kind of suspected that you'd latch on the fact that this was IE and would either miss the point, or pretend it shouldn't apply, so no real surprise there...

> And the (online, yes) use cases I'm telling you are like driving at 10 km/h.

Unless you are a security specialist, you're ill placed to be the judge of what your online behaviour amounts to in terms of safety. Your statement is simply "Trust me, I'm making sure I connect my XP machine in a safe way", which is hardly something one will be willing to take at face value unless you are called Bruce Schneier. Moreover, and this is what most people who are hell bent on saying that connected XP usage is their entitlement, you should also understand that, even if your behaviour was safe, by promoting the idea that people should be able to connect an XP machine to the internet more than 2 years after it has been retired, if they feel like they are taking enough precautions, you are actually encouraging reckless behaviour, which is precisely why I have an issue with people like you.
By publicly trying to advertise that it's your God given right to keep using XP in a connected manner, because "you somehow happen to know what security practices are actually relevant, and using a system with unpatched vulnerabilities, in the connected manner you are using it, isn't one of them", you are encouraging more damage. As a side note, it also never ceases to amaze me how every single person I have ever tried to discourage from using XP in a connected manner since it was officially retired (and, because Rufus runs on XP, there have been quite a few) just happens to be, according to them, one of the most security conscious people you may find, and therefore immune to any of the dangerous online behaviour that may affect other XP users... Or, in other words, "driving at 10km/h".

> You are talking about a use-case I have never considered as sane.

Drive by infections are insane, and/or you're not using any of the plugins that may be installed by default in your browser to view content, unless you have thoroughly vetted it first. Gotcha. Yup, extraordinary how the very people who insist on using an obsolete OS in a connected manner conveniently turn out to be some of the most security conscious in the world. It's so counter intuitive I would never have guessed, hadn't so many of the people concerned insisted that this is actually the case...

As far as I'm concerned, I'll keep pondering about the Pwn2Own competition of 2014, the year XP was retired, where, for instance, "Google's Chrome Web browser was successfully exploited by with a use-after-free memory flaw that enabled a sandbox bypass.", which is something that I'd venture to say might well have been triggered through a mere Javascript exploit or something similar. Sadly it doesn't say, and of course you're going to argue that it's just impossible that Javascript in Chrome, or whatever browser you are currently using, could be subject to a similar flaw, since JS drive by exploits, or browser exploits that are tied to relying on unpatched libraries, are simply too insane to even consider as a remote possibility. I guess I'll also just keep insanely hoping that, if the browser I use is ever breached, at least the rest of my up to date OS will hold the fort.

@mirh commented on cc758f5 Oct 4, 2016

> Which is still a more reasonable view than saying that, something which has been demonstrated to be used as an attack vector in the wild, somehow just cannot apply to you.

I'm telling you it's quite improbable. It's enormously different.

> by promoting the idea that anybody should be able to connect an XP machine to the internet more than 2 years after it has been retired, if they feel like they are taking enough precautions

Except most people aren't me, and wouldn't be able to keep a Pentium 4 usable today?

> (and, because Rufus runs on XP there have been quite a few)

To be honest, I see 0 reasons for

> just happens to be, according to them, one of the most security conscious person you may find

I wonder who's the moron with no particular "situation" that still use it.

and therefore, immune to any of the dangerous online behaviour that may affect other XP users... Or, in other words, "driving at 10km/h".

Oh, btw.. When you crash with your car, you can hardly not notice it.
On the other hand, here we have almost arrived at talking about Stuxnet-class malware.

Drive by infections are insane, and/or you're not using any of the plugins that may be installed by default in your browser to view content, unless you have thoroughly vetted it first.

Last time I checked, "security experts" were working for big companies that haven't really all that time to waste.

Sadly it doesn't say, and of course you're going to argue that, it's just impossible that Javascript in Chrome, or whatever browser you are currently using, could be subject to a similar flaw, since JS drive by exploits, or browser exploits that are tied to relying on unpatched libraries, are simply too insane to even consider as a remote possibility.

Assuming we aren't still over your carelessness for statistics, for as much as I never said it, I guess that.. Yes, under a certain 0.0..% threshold you can't round probabilities.
But again, I feel like you'll never assess how likely it is for a reputable site to end up with a shitty ad network?
Or, in turn, the chances for even a shitty ad network to get pwned?
And last, for whoever violates it to inject malware rather than their own bad ads?

And.. I mean, let's consider that zero-days are too precious to be wasted on such a lame operation.
Oh, and that this is probably going to hit every browser user, regardless of the OS.
Triggering in turn plenty of AV software and thus the aforementioned gurus.

When I see your rough estimates I'll be happy.

@pbatard pbatard commented on cc758f5 Oct 4, 2016

I'm telling you it's quite improbable. It's enormously different.

No, you're telling what you would conveniently like things to be, whereas we have evidence that drive by exploits exist and are not in the realm of improbability. The yearly Pwn2Own competition demonstrates that.

Curious how your reply makes no mention of the Pwn2Own example I linked to. Security teams demonstrating year over year that, with a little research, drive by exploits are exploitable are hardly something to dismiss as "quite improbable". But sure, it's convenient for your narrative to pretend otherwise, or ask me to come up with hundreds of examples of those, which, obviously, I'm not gonna be wasting time on, especially as it should be obvious that the person needing to demonstrate that their usage is not introducing security liability, as you are trying (and failing) to argue, is you.

Except most of people aren't me, and wouldn't be able to maintain a Pentium 4 usable today?

Thank you for proving my point that somehow you're better than the rest, therefore bad things can't happen to you, even when you are advocating that blatant security risks can just be dismissed.

Yes, under a certain 0.0..% threshold you can't round probabilities.

The yearly Pwn2Own competition begs to differ with your readout of probabilities.

Oh, and that these is probably going to hit every browser-user, regardless of the OS.

Once again, missing the point.

  1. When the browser fails, you do want a second line of defence, which XP is unlikely to provide
  2. It's easier to compromise a browser on an OS where libraries and kernel haven't been patched, and you have been able to identify critical vulnerabilities, because the browser does very much interact with these elements to perform its job, even if you try to add sandboxes all over the place.

I feel like you'll never assess how likely is for a reputable site to end up with a shitty ad network?

Unfortunately for you I can. I'm using adsense, which is supposed to be a reputable ad network, yet I am having trouble filtering out the fake download buttons due to google being more interested in generating revenue than weeding out dodgy ads (#789). Considering that they let through fake download buttons, which are easy to filter, one has to wonder what a creative person might be able to get away with in a banner...

Cue in your retort on how my site is not reputable (whereas we're discussing what every person using adsense will be facing) or how my example only applies to download buttons, and you're just too smart to ever click on them even by mistake, or ever engage in any kind of risky behaviour without being able to prevent it.

@mirh mirh commented on cc758f5 Oct 5, 2016

No, you're telling what you would conveniently like things to be, whereas we have evidence that drive by exploits exist and are not in the realm of improbability. The yearly Pwn2Own competition demonstrates that.

They are a demonstration of possibility, not probability.

Curious how your reply makes no mention of the Pwn2Own example I linked to.

Cause correct facts don't need any further comment?

Thank you for proving my point that somehow you're better than the rest, therefore bad things can't happen to you, even when you are advocating that blatant security risks can just be dismissed.

If I said you are better than the average would it be false?

  1. When the browser fails, you do want a second line of defence, which XP is unlikely to provide

We are indeed talking about chances for browser to fail, so don't move the goalpost.

  2. It's easier to compromise a browser on an OS where libraries and kernel haven't been patched, and you have been able to identify critical vulnerabilities, because the browser does very much interact with these elements to perform its job, even if you try to add sandboxes all over the place.

I guess it's true, but tbh if I managed to hijack an ad network.. I surely wouldn't waste that opportunity to target some tens of XP users.

Unfortunately for you I can. I'm using adsense, which is supposed to be a reputable ad network, yet I am having trouble filtering out the fake download buttons due to google being more interested in generating revenue than weeding out dodgy ads (#789).

Are you seriously comparing a png image to malicious js code?

Considering that they let through fake download buttons, which are easy to filter, one has to wonder what a creative person might be able to get away with in a banner...

I see they have some of the best AI algorithms in the world.. Still, it's not really that they are at fault for not using that.

and you're just too smart to ever click on them even by mistake, or ever engage in any kind of risky behaviour without being able to prevent it.

Could you explain how we passed from talking about javascript to social engineering?


So, since I'm fucking cut off from commenting I'll edit here the reply for below:

They are a demonstration of risk, which is exactly what you deliberately choose to ignore.

They are a demonstration of danger (=possibility), not risk (=probabilities).

You do realize that it's very hard to listen to someone who uses tautology to prove their point ("I am correct because I am correct"), whereas I seem to be the only one so far who has pointed to verifiable examples to back up my points.

What are you talking about?
I was referring to Pwn2Own, with its facts that are true and all.

I'll also cut short to the rest of your pseudo-philosophical drivel, which is equally short on hard evidence or your additional "points" that are just plain wrong

It's not goddamn philosophy.

(just so you know, ads can and do run Javascript to provide interactive content, including those fake download ones — those are rarely "just" png, and especially the download ones you saw in the screenshot weren't, as they used JS to respond to mouseover and alternate between multiple images).

How about javascript code is indeed pretty easy to automatically scrutinize?
But that there's no straightforward way for a normal program to discern between perfume ads and a "DOWNLOAD HERE" ones?

So, since this has been going on long enough, allow me to cut this short, by once again, using our good old car analogy: You are still doing nothing but encouraging reckless behaviour by trying to advocate that, under certain circumstances, it is okay to take an unmaintained car, with worn out tyres, onto a busy public road. [...]

Man?
I try to keep points clear. I still have to understand if our problem is about your recognizance of statistics or some possible dumbness of mine in knowing how a button works..
But how in the hell can you think that analogy [full of conditions you say] is simple?

@pbatard pbatard commented on cc758f5 Oct 5, 2016

They are a demonstration of possibility, not probability.

Wrong again. They are a demonstration of risk, which is exactly what you deliberately choose to ignore.

Cause correct facts don't need any further comment?

You do realize that it's very hard to listen to someone who uses tautology to prove their point ("I am correct because I am correct"), whereas I seem to be the only one so far who has pointed to verifiable examples to back up my points.

I'll also cut short to the rest of your pseudo-philosophical drivel, which is equally short on hard evidence or your additional "points" that are just plain wrong (just so you know, ads can and do run Javascript to provide interactive content, including those fake download ones — those are rarely "just" png, and especially the download ones you saw in the screenshot weren't, as they used JS to respond to mouseover and alternate between multiple images).

So, since this has been going on long enough, allow me to cut this short, by once again, using our good old car analogy:

You are still doing nothing but encouraging reckless behaviour by trying to advocate that, under certain circumstances, it is okay to take an unmaintained car, with worn out tyres, onto a busy public road.

Well, let me say this again, it doesn't matter if you're Ayrton Senna ("nobody else drives XP on a P4 like I do"), using a car made entirely of air-bags ("I have the latest antivirus and an up to date browser"), going 10 km/h, and driving up to Fort Knox, you will ALWAYS be driving it under a road network and weather conditions that are beyond your control.

If there happens to be a sudden downpour (and, I have tried to point out to you that, as much as you would like it to be otherwise, those are non-theoretical things) or the surface conditions change for any reason (there is a wide range of possibilities for your car traction to be diminished - I only pointed out one of many) then even if you are the best driver in the world going 10 km/h, there's a high risk that, with worn out tyres, you will be unable to maintain enough control so as not to swerve outside of your lane into oncoming traffic, which is something that is not an issue if using a properly maintained car. Therefore, as I have now repeated countless times, it doesn't matter how safe you think (or rather, seeing the arguments you use, want to believe) your behaviour is, because, since you are driving your car under conditions that are beyond your control, you are not only putting yourself at risk, but, more crucially, others, especially on the busy and inherently hostile road network that is the internet.

Furthermore, the best you have been able to put forward to try to dismiss the idea (still haven't seen many hard facts from you) has been something like:
"Your argument is non-receivable, because you don't have statistics to indicate how well Ayrton Senna would do if confronted with a sudden downpour, when doing 10 km/h in a car made entirely out of air-bags". Obviously, if this is your sole idea of how you can declare your behaviour as "safe enough", I think it's clear to say that, just like this theoretical Ayrton Senna, we're not going to get anywhere fast.

So allow me to spare you, and everyone else, any more wasted time. Considering that you persist in claiming that engaging in reckless security behaviour, such as using 2-year old obsolete and unpatched OS in a connected manner, is okay under some circumstances, I'm just going to ask you to take these irrational claims elsewhere (by all means, please try security-centered forums — I'm sure they'd like to have some fun), and will be preventing you from making any further posts on this issue tracker from now on.