On 2020-08-28, Mayayana wrote:
> "gareth evans" wrote
>
>| Is it true that the RPi4 is susceptible to these
>| security attacks but that no previous versions are?
>
> Simple rule: If you allow javascript or other executable
> code online, you're a sitting duck. If you also store private
> data on your computer, use credit cards online, bank
> online, etc, you're a sitting duck with something to lose.
>
> That might seem extreme or paranoid, but it's just the
> facts. People want to believe computers can be made
> safe. Executable code cannot be made safe. And these
> days we're going in the opposite direction, toward the
> cloud model of computing based on corporate systems,
> where the network is considered safe while your family
> or housemates or co-workers are considered to be risks.
>
> When you combine the corporate security model with
> SOHO usage you get crazy risk.

There is a solution that significantly decreases risk when
allowing JavaScript in a web browser:

Run the browser from a different (browser-only) user account
that has very strictly controlled access to files owned by
your normal account.

It takes a little bit of scripting to make it work. For one
thing, you need to give the browser-only account XAUTHORITY in
order to be able to display the browser.

If you use any applications (like a GUI email client/MUA) you'll
need to do something if you want cross-application links to
continue to work, but I don't do that, so I don't know solutions.

Also, you will need to set permissions on your directories and
files to block the browser-only account access to your
files--except maybe one or only a few directories that can act as
couriers between the accounts.

For extra points, I have read Usenet posts from someone who has a
separate browser account for each of his bank(s) and for each
other sensitive website.

--
Robert Riches
spamtrap42@jacob21819.net
(Yes, that is one of my email addresses.)
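
The setup described in the reply above, sketched as a shell script. This is an added example, not part of the original post or the poster's own scripts; the account name "browser", the "courier" directory name, the sudo configuration and the function names are assumptions.

```sh
#!/bin/sh
# Added example. Assumptions (not from the post): the browser-only account
# is called "browser", the courier directory is ~/courier, and sudo is
# configured to let you run commands as that account.

# Top-level entries of home $1 that "other" users, and therefore the
# browser-only account, can read, write or traverse. The courier directory
# $2 is skipped, as are symlinks (their targets' own modes decide access).
exposed_entries() {
    find "$1" -mindepth 1 -maxdepth 1 ! -name "$2" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | LC_ALL=C sort
}

# Block the browser-only account from everything in home $1 except the
# courier directory $2.
lock_down() {
    mkdir -p "$1/$2"
    # Home stays traversable but not listable, so the courier is reachable.
    chmod 711 "$1"
    # Clearing "other" on the top level is enough: nothing deeper can be
    # reached without search permission on its parent directory.
    find "$1" -mindepth 1 -maxdepth 1 ! -name "$2" ! -type l \
        -exec chmod o-rwx {} +
    # Sticky and world-writable, like /tmp. On a host with other local
    # users, a dedicated group or an ACL is the tighter choice.
    chmod 1777 "$1/$2"
}

# Copy the X11 cookie for the current display to account $1, then run the
# remaining arguments (the browser command) as that account.
run_browser() {
    acct=$1; shift
    xauth extract - "$DISPLAY" |
        sudo -u "$acct" -H sh -c 'unset XAUTHORITY; xauth merge -'
    sudo -u "$acct" -H env DISPLAY="$DISPLAY" \
        sh -c 'unset XAUTHORITY; exec "$@"' sh "$@"
}

# Typical use (not run here):
#   lock_down "$HOME" courier && exposed_entries "$HOME" courier
#   run_browser browser firefox
```

After lock_down, an empty result from exposed_entries means nothing at the top level of the home directory is open to the browser-only account apart from the courier.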