OkcTalk hacked?

[Pete]

We should be good to go now.

So sorry for the problems but we spent a lot of time and money to get things cleaned and fixed and hopefully that's the end of it.

Thanks for your patience!

[Bailey80]

So glad you're back. I need my OkcTalk fix!

[HangryHippo]

Agreed! Thanks for the work, Pete!

[venture]

Thanks Pete, we all appreciate it.

[OUman]

Yep, definitely appreciate the time and money (and effort) being put into the site, thank you Pete.

[RadicalModerate]

My long, long overdue check to Pete will be in the mail on Monday.
(please note that i didn't say is IN the mail . . . =)
I support NPR and PBS and this is far more entertaining and enlightening.
(plus i finally have the IRS and OTC dogs at bay . . . =)

Seriously (not including the fact that the check WILL be in mail) . . .
Did all of the recent site disruption have anything to do with the recently headlined Java7 et.al. flaw (that actually started to be headlined last summer and maybe before that?)

Just curious . . . Plus I can't seem to find the "Java"off button on the new laptop and the trusty ol' Windows 2000 tower is running Java 1.(something)

[Snowman]

Did all of the recent site disruption have anything to do with the recently headlined Java7 et.al. flaw (that actually started to be headlined last summer and maybe before that?)

Just curious . . . Plus I can't seem to find the "Java"off button on the new laptop and the trusty ol' Windows 2000 tower is running Java 1.(something)

In any case I would recommend turning off the Java browser plugin, it has been one of the worst security issues for users for a couple years and currently gives people little benefits. It was never as popular as the Java environments that allows standard applications to run on any operating system and it is rare to see it used on any modern website. Googleing: disable java plugin <broser> (version if IE), should get you get you instructions for it.

[JohnH_in_OKC]

Everyone needs to IMMEDIATEDELY disable Java until its vulnerabilities are fixed or, most likely, say goodbye forever to an outdated, hackable Internet tool.

Yesterday, PC Magazine website published the following article: How to Disable Java How to Disable Java | PCMag.com

Also, the Naked Security website wrote last August 30th: How to turn off Java on your browser - and why you should do it now How to turn off Java on your browser ? and why you should do it now | Naked Security

[Doug Loudenback]

In my tests with Firefox, Chrome and IE Explorer, everything seems to be working OK.

[Doug Loudenback]

I should also have said that I took seriously JohnH_in_OKC's post, and I've read the same elsewhere. A downside to disabling Java is that I notice that posts are not available for editing, else I would have put this follow-up message in the above post but as edited. After Java releases a version that takes care of the security flaw, I'm sure that I'll enable Java again.

[JohnH_in_OKC]

I should also have said that I took seriously JohnH_in_OKC's post, and I've read the same elsewhere. A downside to disabling Java is that I notice that posts are not available for editing, else I would have put this follow-up message in the above post but as edited. After Java releases a version that takes care of the security flaw, I'm sure that I'll enable Java again.

Thanks Doug. I wondered why I wasn't able to edit my posts. That's why the links on my comment #61 on this thread had double links. I suppose I will enable Java again since I like being able to edit my posts to OKCTalk. According to CNET, two hours ago Oracle (around 6:30 pm Sunday 1-13-12) Oracle released an emergency fix. Tonight I'll be updating Java & reactivating it on my browsers. Oracle releases software update to fix Java vulnerability | Security & Privacy - CNET News

Pete - you may want to ask the software company on which you base OKCTalk to see if they can reprogram it in HTML5 without Java. Although it is unwise to think that anything is not hack proof.

[Snowman]

Thanks Doug. I wondered why I wasn't able to edit my posts. That's why the links on my comment #61 on this thread had double links. I suppose I will enable Java again since I like being able to edit my posts to OKCTalk. According to CNET, two hours ago Oracle (around 6:30 pm Sunday 1-13-12) Oracle released an emergency fix. Tonight I'll be updating Java & reactivating it on my browsers. Oracle releases software update to fix Java vulnerability | Security & Privacy - CNET News

Pete - you may want to ask the software company on which you base OKCTalk to see if they can reprogram it in HTML5 without Java. Although it is unwise to think that anything is not hack proof.

I can edit posts without java's plugin on, not being able to edit posts seemed like it was one of the issues when the site was hacked that would not be restored till after the site was loaded from backups and your browser would clear the cashe.

[catch22]

OKCtalk does not use Java. There is a difference between Java and JavaScript. You turned JavaScript off (which is virtually harmless).

Java is an application (a program) while JavaScript is simply script that runs on a page to allow things to be interactive and not static. There is no harm in running JavaScript, every single website uses it and it would make the viewing experience very bland if this forum did not use it.

[Snowman]

Pete - you may want to ask the software company on which you base OKCTalk to see if they can reprogram it in HTML5 without Java. Although it is unwise to think that anything is not hack proof.

Out of curiosity I checked, vBulletin's server side code is written in a language called PHP and their is no java plug-ins running on the client side for at least the common pages.

[SoonerDave]

I'll offer a little more exposition on this, if anyone's interested. If not, just move to your next favorite post

Java and JavaScript are often confused due their unfortunately similar name.

The Java system is an entire "runtime" environment that was part of a notion from about ten years ago that embraced the concept of "write once, run anywhere" software. Some folks run Windows, some run Macs, some run (fill in the blank), meaning that the runtime and hardware environments of each system were unique. If someone wrote Really Cool Software 1.0, they had to write a separate version for each environment they wanted to support. The somewhat Plutonian "ideal plane" concept of Java was/is to create a "runtime engine" or "virtual machine" for those various environments that could translate a single set of instructions written in the same language - Java - on anyone's hardware. Write it, "compile" it into Java code, and distribute it to anyone and run it. That held out the tantalizing notion that if I wrote Really Cool Software in Java, any machine for which a Java "virtual machine" existed could run it.

Reality and idealism don't always mesh well, and such was the case with Java. Hardware differences became more real than many expected, and while successful, Java found more of a home on server-side software (less dependent on complex GUI interfaces and such) rather than user desktops. That's obviously not to say it isn't popular on desktops; it obviously is, but not quite to the extent most Java advocates of that era probably had hoped and envisioned. As Internet use blew up, and Java supported the notion of "applets" (mini-applications), a natural fit emerged that allowed java to be leveraged in that nascent Internet world, provided the Browser created a mechanism to access Java - hence the "plug ins" we see everyone talking about.

JavaSCRIPT, on the other hand (and as was noted by catch22), is a much more scope-limited tool, but is responsible for making web applications much more like "conventional" desktop applications, with a rich user interface experience. Where Java programs are "compiled," and run in a Java Virtual Machine, JavaScript programs are really just scripts that are never compiled, and run within the browser's host "script engine." It doesn't touch Java.

Early HTML-based web apps were crude and clumsy for the user. As HTML evolved, the ability to modify and manage the presentation to the user evolved as well, and "Javascript" was born. All "Javascript" is a scripting engine that, in a somewhat simplified description, allows the browser to interact with the page and customize things like colors, fonts, test values, formats and such. JavaScript is sometimes embedded in HTML script, but more contemporary sites roll it into a set of standard script files that are just pulled down from a server somewhere. Scripting languages live in a very specifically defined "sandbox" of rules that prohibit certain inherently dangerous actions with a user's environment outside the browser, such as launching executables. It certainly isn't to suggest JavaScript is foolproof or malevolence-proof, but the kinds of exploits possible in JavaScript are inherently different from those in Java.

JavaScript has become a vital component of probably 99.99% of contemporary websites. Java was never intended as a browser extension, but evolution of the 'Net rolled it into that position, so here we are. Some games do, in fact, depend on Java rolled into the browser, and I suspect at some point those authors are going to have to contemplate their future. HTML5 is emerging rapidly, and its feature set is targeting precisely the kinds of things that tools like Flash and Java have provided over the last several years, making them less vital and, therefore, less relevant. This kind of stigma on Java may well be the beginning of the end of it on desktops - particularly corporate desktops - where security folks have ever-decreasing tolerance these days for new kinds of insecure software. Juggling the problems Windows has presented over the years has been hassle enough....but that's a post for a different day.

The other tech folks on this thread will obviously recognize where I've simplified and condensed some notions (and even at that there's probably more techspeak in here than I intended) so I hope you'll forgive any such liberties, but I hoped in my own way to convey the difference between the two technologies that often confuses folks in the non-tech world...

Bottom line? On the "abundance of caution" side, its a good idea to disable Java now, and deal with the sites that require it on a case-by-case basis. Some places do, in fact, require it. The majority - but not all - of those sites are going to be game-oriented, so the choice may boil down to how important SuperGame23 is to you. My guess is that this issue will force the hand of those with sufficient resources to retarget their apps away from it, but that won't happen overnight.

Edit: One more bit of info on this - the more I read about this problem, the more I find that it is tied to the mechanism that allows Java applets to run within a browser. It's based on what techies call a "privilege escalation" attack, where Evil Code runs where it was never expected or intended to run, and it focuses (ironically enough) on the security mechanism intended to PREVENT those kinds of things. And that's why there's so much specific media attention (rightfully so) on disabling Java in browsers. This kind of attack would not affect installed Java-based applications (apps that have no interest, tie to, or need for an Internet browser), because they'd never touch that Browser/Applet security mechanism.

[HangryHippo]

Is anyone still receiving the following notice when they try to visit www.okctalk.com?



The other issues I was having appear to have been resolved, but I still get this page when I visit this website in Google Chrome. Anyone know why?

[RadicalModerate]

OKC Talk seems to be running perfectly on this ancient--and relatively slow--computer (Windows 2000 Professional/IE6/Free Avast version). No more Malware popups at every click or anything like that.

I did notice one thing: I poked around on the Control Panel, located the Java (turned out to be Version 6) icon, opened it, poked around on various tabs until I came to something indicating being able to shut off Java on IE and/or Mozilla, and deselected IE. I guess this disabled Java. As far as I can tell, the only thing not showing up on this site, that was accessable before, is that Census Dot Map on one of the threads.

BTW: I attempted to disable Java on my nearly new laptop (Windows 7/IE8?/Free Avast version) but couldn't even find the program anywhere on it. When I did a search for "Java" all it came back with was how to install the program if you wanted it. Is it possible that Java was never installed on it when the unit was set up?

[SoonerDave]

OKC Talk seems to be running perfectly on this ancient--and relatively slow--computer (Windows 2000 Professional/IE6/Free Avast version). No more Malware popups at every click or anything like that.

I did notice one thing: I poked around on the Control Panel, located the Java (turned out to be Version 6) icon, opened it, poked around on various tabs until I came to something indicating being able to shut off Java on IE and/or Mozilla, and deselected IE. I guess this disabled Java. As far as I can tell, the only thing not showing up on this site, that was accessable before, is that Census Dot Map on one of the threads.

BTW: I attempted to disable Java on my nearly new laptop (Windows 7/IE8?/Free Avast version) but couldn't even find the program anywhere on it. When I did a search for "Java" all it came back with was how to install the program if you wanted it. Is it possible that Java was never installed on it when the unit was set up?

Very possible. There's not nearly as much financial incentive for manufacturers to include Java among the bloatware they insist on blasting most retail PC's these days. Some do, some don't, and if you're not seeing a way to enable/disable it, chances are it really isn't there. And the fact that you've had the machine running happily (presumably) for some time and not had any problems tells you just how prevalent Java isn't in reality - at least on the desktop.

[OklahomaNick]

Pete:

I am still getting the same warning from Google Chrome, stating Danger: Malware Ahead.

Only now it is saying OKCTalk contains malware from the website: www.mindyourowngodd***business.net

Just a heads up..

[SoonerDave]

Pete:

I am still getting the same warning from Google Chrome, stating Danger: Malware Ahead.

Only now it is saying OKCTalk contains malware from the website: www.mindyourowngodd***business.net

Just a heads up..

Nick,

That's really not indicative of any current "infection" on OKCTalk. Lemme try to 'splain why....

Chrome tries to be a bit proactive about its malware filtering. Google's servers go out and routinely "test" websites for suspicious activity/payloads/behavior, and builds a "suspect site database" (for lack of a better term) if it thinks something malevolent is being hosted there. Then, when someone tells Chrome to navigate to a site, it runs the URL through that database, and if it finds a "hit", Google will tell Chrome, and Chrome will give you that warning. The warnings I've gotten talk about OKCTalk's having shown up so many times in 90 days. That just means it may take some time for OKCTalk to "clear" Google's test process and work out of its database. You can bypass that warning with a couple of button clicks.

Hope that makes sense.

[HangryHippo]

Is anyone still receiving the following notice when they try to visit www.okctalk.com?



The other issues I was having appear to have been resolved, but I still get this page when I visit this website in Google Chrome. Anyone know why?

SoonerDave, are you getting as well? Do you know what it is or why it's showing up?

[OklahomaNick]

Nick,

That's really not indicative of any current "infection" on OKCTalk. Lemme try to 'splain why....

Chrome tries to be a bit proactive about its malware filtering. Google's servers go out and routinely "test" websites for suspicious activity/payloads/behavior, and builds a "suspect site database" (for lack of a better term) if it thinks something malevolent is being hosted there. Then, when someone tells Chrome to navigate to a site, it runs the URL through that database, and if it finds a "hit", Google will tell Chrome, and Chrome will give you that warning. The warnings I've gotten talk about OKCTalk's having shown up so many times in 90 days. That just means it may take some time for OKCTalk to "clear" Google's test process and work out of its database. You can bypass that warning with a couple of button clicks.

Hope that makes sense.

Thanks for the info. Obviously I bypassed it. I was just letting Pete know that I was still getting those messages.

[SoonerDave]

SoonerDave, are you getting as well? Do you know what it is or why it's showing up?

Only, for me, I"m about 90% sure its because of an old/cached link to the site. During the earlier updates to the site (not the recent one), the ./forums path redirected to a valid page, but it doesn't anymore, so if you have a bookmark/favorite to the site that references it, you now get the "invalid forum" message. There are other possible explanations, so that's why I'm not 100%, but I'm reasonably sure (from the outside looking in) that it isn't related to any malware-related problem here. I've just been too lazy to kill and recreate the bookmark

[Pete]

If you are getting the invalid forum message, please copy and past the URL from your browser.

I suspect it's a cache thing but want to make sure.

[SoonerDave]

If you are getting the invalid forum message, please copy and past the URL from your browser.

I suspect it's a cache thing but want to make sure.

Well, Pete, I dropped and recreated the bookmark, but darned if its not still coming up. So I opened up a fresh browser window, hand-typed the URL, and got it again, so I can tell you that I get the "Invalid forum" from a bookmark that takes me to:

http://okctalk.com/

If I prefix the okctalk.com with "www.", it routes correctly. Hope that helps!

-SoonerDave