This is not really an Open Source diary, but rather a response to the script attack that several diarists have been having trouble with. So no conversion/evangelism/etc. on Linux/Open Source, just a bit of advice on how to stay safe using the Firefox browser. If you want to chip in with info on IE (I don't Windows that well these days), Safari, Camino, then you are more than welcome to do so in the comments.
The first thing you want to do is download Firefox from this site, and once it is installed go to the section marked Preferences on the menu bar (in OS X) under the word Firefox. Windows users please chip in where this is located.
Once you have opened the preferences, check the box 'warn me when sites try to install add-ons' on the tab marked 'security'; you can also take the extra precaution of getting add-ons only from the Firefox website, either by going there directly or by clicking Add-ons under Tools, which takes you to the same site.
Alternatively, you can go directly to the site noscript.net and install the NoScript add-on for Firefox. This will require you to log out of Dkos and restart Firefox.
Once you have done this and are back on the site (or before you log in, just to be extra safe), go back to the preferences, and under the tab marked 'privacy' uncheck the boxes 'remember what sites I have visited for (X) days', 'remember what I enter in forms and search bar', and 'remember what I've downloaded'. Uncheck them all.
Still in the same section, you'll see a box marked 'accept cookies', which is generally OK to keep checked, and a drop down menu that lists how long to keep them; the default is 'until they expire', which you should change to 'until I close Firefox'.
Below this is a box marked 'always clear my private data when I close Firefox', which you want to check; then hit the box to the right of it marked 'settings' (which brings up another window), in which you should check all the data (passwords, cookies, history, etc.) to be cleared each and every time you quit Firefox.
Still in preferences, click the tab marked 'security' and uncheck the box marked 'remember passwords for sites'; yeah, it's a bit of a hassle to enter your username and password each and every time you log in to Dkos, but this is just to be extra safe, right?
Now you can log back into Dkos, but oops, you first need to adjust the add-on NoScript; in the status bar at the bottom of your browser window, you can adjust it by clicking Options, which will let you choose which sites you allow to load data/scripts/etc.; I choose to allow Dkos and blogads, though if you want to allow only Dkos, then that is okey-dokey, too.
You are now script safe, and can log back into Dkos. If you need me to add a bit on how to make Firefox for Linux safe, or Konqueror for Linux, then I will append; let me know in comments. If I have overlooked anything, please let me know, and I will edit.
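The steps above are all checkboxes in the Preferences window, but each one is backed by a named preference in about:config, and a profile's prefs.js records the current values. The script below is an added example, not code from the diary or from Mozilla: it lists the preference names behind the diary's checkboxes, audits a prefs.js text against them, and emits the user.js lines that would apply them. The preference names are assumptions drawn from the Firefox 2/3 about:config of the diary's era; later releases renamed some of them (privacy.item.* became privacy.clearOnShutdown.*, and browser.history_expire_days was dropped), so check about:config on your own version before relying on a name.

```javascript
// Added example, not code from the diary. Maps the diary's Preferences
// checkboxes to about:config names (assumed from Firefox 2/3), audits an
// existing prefs.js against them, and renders a user.js that applies them.

const HARDENING = [
  // [preference name, hardened value, the diary checkbox it corresponds to]
  ["xpinstall.whitelist.required", true, "warn me when sites try to install add-ons"],
  ["browser.history_expire_days", 0, "remember visited pages for 0 days"],
  ["browser.formfill.enable", false, "do not remember form and search bar entries"],
  ["browser.download.manager.retention", 0, "do not remember downloads"],
  ["network.cookie.lifetimePolicy", 2, "keep cookies only until I close Firefox"],
  ["privacy.sanitize.sanitizeOnShutdown", true, "always clear my private data when I close Firefox"],
  ["privacy.item.history", true, "clear browsing history on close"],
  ["privacy.item.formdata", true, "clear saved form and search history on close"],
  ["privacy.item.downloads", true, "clear download history on close"],
  ["privacy.item.cookies", true, "clear cookies on close"],
  ["privacy.item.cache", true, "clear cache on close"],
  ["privacy.item.passwords", true, "clear saved passwords on close"],
  ["signon.rememberSignons", false, "do not remember passwords for sites"],
];

// Parses the user_pref("name", value); lines of a prefs.js or user.js file.
// Values are booleans, integers or double-quoted strings; comments and blank
// lines are ignored. A trailing comment after the semicolon is tolerated.
function parsePrefs(text) {
  const prefs = {};
  const line = /^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);/gm;
  let m;
  while ((m = line.exec(text)) !== null) {
    const [, name, raw] = m;
    if (raw === "true") prefs[name] = true;
    else if (raw === "false") prefs[name] = false;
    else if (raw.startsWith('"')) prefs[name] = JSON.parse(raw);
    else prefs[name] = parseInt(raw, 10);
  }
  return prefs;
}

// Lists every hardening pref that the given prefs.js text does not already
// set to the hardened value. An absent pref counts as not hardened, because
// Firefox then falls back to its built-in default.
function audit(prefsText) {
  const current = parsePrefs(prefsText);
  return HARDENING
    .filter(([name, want]) => current[name] !== want)
    .map(([name, want, why]) => ({ pref: name, current: current[name], wanted: want, why }));
}

// Renders the hardening table as user.js lines. user.js is read on every
// start-up and overrides prefs.js, so the settings survive being toggled
// back in the Preferences window.
function renderUserJs() {
  return HARDENING
    .map(([name, value, why]) => `user_pref("${name}", ${JSON.stringify(value)}); // ${why}`)
    .join("\n") + "\n";
}

// Constructed sample prefs.js: the add-on warning and form memory are already
// set the safe way, but passwords are remembered and cookies never expire.
const SAMPLE_PREFS_JS = `# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.dailykos.com/");
user_pref("xpinstall.whitelist.required", true);
user_pref("browser.formfill.enable", false);
user_pref("signon.rememberSignons", true);
user_pref("network.cookie.lifetimePolicy", 0);
user_pref("privacy.sanitize.sanitizeOnShutdown", false);
`;

for (const f of audit(SAMPLE_PREFS_JS)) {
  console.log(`${f.pref}: is ${f.current}, want ${f.wanted} (${f.why})`);
}
console.log("\nuser.js to apply:\n" + renderUserJs());
```

To use it against a real profile, read the profile's prefs.js into `audit()` while Firefox is closed (it rewrites prefs.js on exit), and save `renderUserJs()` output as user.js in the same profile folder. Because user.js wins over prefs.js at every start, the audit of the rendered file comes back empty and stays that way.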
Update: In Windows/Firefox, the relevant security section is found under 'Options' (thanks GooseRock!).
The following all relates to Internet Explorer 6/7.
New: From the commenter/diarist 'I'
Internet Explorer 7. (3+ / 0-)
Recommended by:
Miss Blue, fareast, Dreaming of Better Days
Hit the Alt key on your keyboard. (For some reason, Microsoft decided to hide the menu bar by default in IE7. Hitting Alt makes it reappear.)
Click Tools, then Internet Options.
Click the Security tab.
Click the Custom Level button.
In the Security Settings window, scroll down to the section with the header Scripting.
For each option under here, select Prompt. Click OK, then click OK again. After doing this, you will be prompted to allow scripts on a case-by-case basis, similar to how NoScript does it.
Newer: From Hunter's diary, commenter/diarist Heartland Liberal
How to secure IE6 and IE7 (2+ / 0-)
Recommended by:
Spathiphyllum, fareast
If you are using the Microsoft browser, you CAN make it more secure with effort. It is sometimes a little trouble when you want to trust a new site, but a little trouble is worth more to me than a trojaned, rooted, or otherwise hacked computer.
Under Tools->Internet Options go to the Security tab.
Select the public Internet zone, the globe icon in the left hand side of the window showing the different zones.
You can do one of two things.
1. Pick the 'High' predefined security level
or
2. Click on custom, and walk through and basically disable everything under ActiveX controls and active scripting (javascript) especially. I won't go into every option here, but I disable just about everything except file downloads, but definitely disable everything that has to do with controls, scripting, putting stuff on the desktop, etc.
Now go to your Trusted sites zone by selecting that icon in the sites categories window on the security tab.
Click the 'Sites' button below and to the right of the sites icons window.
UNCHECK the "Require server verification (https)." You want to do this because you want to start adding to this list all the sites you CHOOSE to trust, whether they are https:// secured or not, and that is going to be the majority.
To trust a whole site, e.g. dailykos, just enter the root two portions of the domain, e.g.:
dailykos.com
and add to the list. When you exit then return you will see that this has been saved as:
*.dailykos.com
meaning any additional third level name attached as part of that root domain will be trusted, as well as all dailykos.com pages.
Within the trusted sites security settings you should go through and tweak what you want to allow. This is where you can allow ActiveX controls and active script (javascript) and other features which allow execution of components on your machine.
Note that since the malware link in this incident was at a site that would NOT be in your trusted sites zone, execution of the exploit would have been prevented. The script should not have been executed, as you were trusting dailykos.com, not the site you were referred to.
Now this means some sites may come up blank the first time you visit them. Embedded sites, e.g. where video is embedded and hosted on other than already trusted sites, will not work until you trust the other sites.
I have even had to view source to figure out all the redirections to make things work. With Microsoft live.com and hotmail and other sites, this is a royal pain in the rear.
But it does make for a safer browsing experience. In essence, you choose which sites are allowed certain actions, and you run a safer PC.
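The point of the comment above is the zone decision: once the Internet zone has scripting disabled and only the sites you chose sit in the Trusted zone, a page served from any other host cannot run script, which is why the redirect in this incident would have landed in the locked-down zone. The model below is an added example, not code from the diary or from the commenter, and not Microsoft's own logic: it shows how a trusted-sites entry of the form `*.dailykos.com` matches hosts (the domain itself and its subdomains, but not lookalikes), which zone a URL therefore falls into, and whether active scripting runs there under the hardened policy. The registry path and the 1200/1400 setting ids are assumptions taken from the documented per-user ZoneMap layout, not from the diary.

```javascript
// Added example, not from the diary or the comment. Models IE's trusted-sites
// zone decision after the comment's hardening. Registry details are assumed
// from the documented ZoneMap layout, not quoted from the diary.

const ZONE = { TRUSTED: 2, INTERNET: 3 }; // the numbers IE uses for these zones

// "Active scripting" (setting 1400) and "Run ActiveX controls and plug-ins"
// (setting 1200) are the two settings the comment singles out. Values:
// 0 = enable, 1 = prompt, 3 = disable. After the comment's setup:
const ZONE_POLICY = {
  [ZONE.INTERNET]: { 1400: 3, 1200: 3 }, // everything unknown: scripting off
  [ZONE.TRUSTED]: { 1400: 0, 1200: 0 },  // sites you chose: scripting on
};

// An entry "dailykos.com" is stored as "*.dailykos.com": it covers the domain
// itself and every subdomain, but not "notdailykos.com" or
// "dailykos.com.example", which merely contain the string.
function hostInTrustedDomain(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\*\./, "");
  return h === d || h.endsWith("." + d);
}

// Zone a URL falls into given the user's trusted-sites list.
function zoneFor(url, trustedDomains) {
  const host = new URL(url).hostname;
  return trustedDomains.some((d) => hostInTrustedDomain(host, d)) ? ZONE.TRUSTED : ZONE.INTERNET;
}

// Would active scripting run for this URL under the hardened policy?
function scriptingAllowed(url, trustedDomains) {
  return ZONE_POLICY[zoneFor(url, trustedDomains)][1400] === 0;
}

// Where IE records a trusted-sites domain for the current user (assumed
// layout). A REG_DWORD named "*" covers any scheme, which is what unchecking
// "Require server verification (https:)" permits; a value named "https"
// would limit the entry to https:// pages only.
function trustedSiteRegistryEntry(domain) {
  return {
    key: `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\${domain}`,
    valueName: "*",
    type: "REG_DWORD",
    data: ZONE.TRUSTED,
  };
}

// Constructed sample: the trusted list from the comment, pages on the trusted
// site, a stand-in third-party host of the kind that served the script, and
// two lookalike hosts.
const TRUSTED = ["dailykos.com"];
const SAMPLE_URLS = [
  "http://www.dailykos.com/comments/",
  "http://dailykos.com/",
  "http://adserver.example/script.js",
  "http://dailykos.com.example/",
  "http://notdailykos.com/",
];

for (const u of SAMPLE_URLS) {
  const zone = zoneFor(u, TRUSTED) === ZONE.TRUSTED ? "Trusted" : "Internet";
  console.log(`${u} -> ${zone} zone, scripting ${scriptingAllowed(u, TRUSTED) ? "on" : "off"}`);
}
console.log(trustedSiteRegistryEntry("dailykos.com"));
```

The lookalike cases are the ones worth keeping in mind when you trust a domain: a trusted-sites entry is a domain-suffix match on the host, so a hostile host that merely contains the trusted name stays in the Internet zone, and so does any redirect target that is not under a domain you added.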
Newerer: From commenter/diarist IndySteve (also from Hunter's diary)
On Internet Explorer 7.0, make sure you have... (4+ / 0-)
Recommended by:
fareast
medium high security settings at least. Go to tools, internet options and choose security tab. Then set it for medium high. This will disable scripts and/or call for prompting which allows you to deny. I hope this will prevent the problem, but I'm not absolutely sure. DKOS should check out what works on all browsers and post.
Newererest: From one of those who spearheaded the attack on this nasty script, YetiMonk, comes this bit of advice:
hover (1+ / 0-)
Recommended by:
Temmoku
your cursor over the link without clicking and it should tell you the web address in the status area at the very bottom of your browser window.
Update: The forensic diary by rerutled. Thanks rerutled!
Where it all started: Diary by JR. Thanks JR!
Hunter's seminal response. Thanks Hunter!
And ZOMG! The Rec List! Thanks so much!
Cheers!