User talk:Anonymous31415927

jpegs

You have started to repeat posting this block of text in the discussion on matrix with two diagonals:

>>>I have been removing it for several reasons:

The civilized way of discusing is not to erase what others write, but to make factual arguments. It's nice you finally understand that.

Making factual arguments is certainly a better option than erasing non-factual arguments. But that does not excuse making non-factual arguments. --Rdm (talk) 08:01, 7 March 2022 (UTC)

I am against jpegs on RC website. Really. Not because they are technically dangerous in any way. But because - if they are on an external server - RC cannot be sure that they will not be replaced with one that will show content not accepted by RC.

Ok, that sounds like a valid concern. --Rdm (talk) 08:01, 7 March 2022 (UTC)

>>># The 2004 thing was not the only example of this buffer overflow problem -- it's something that keeps happening, so

Of course, mistakes, errors of various kinds, can be dangerous. Once upon a time (about 1/3 century ago) it was enough to write an e-mail subject string long enough to overflow the buffer and so on. Should we stop using e-mail for this reason?

Your reasoning is that of a driver who completely drunk got into a car with broken brakes, no airbags, no seat belts, and blames a tree by the road for the accident. Well, actually - if that tree wasn't there, it wouldn't be able to break down on that particular tree. Fact!

I think you exaggerate here. Worse, you confuse things I did not say with things I did say, while ignoring what it was that I was saying --Rdm (talk) 08:01, 7 March 2022 (UTC)

If the program is badly written, running on a crap system (without memory protection), the sandbox does not work and the buffer is overwritten by crafted jpeg ... then don't say jpeg is a devil's invention, but just patch the real holes in your system. The jpeg format as such has no scripts, it is not an executable format.

Of course, I did not say any such thing. But "jpeg is an executable format" was never the issue. Instead, the problem is that vulnerable jpeg decoders have been a recurring problem. And, despite this, you were saying that that problem had not been happening. --Rdm (talk) 08:01, 7 March 2022 (UTC)

>>># Suggesting that there's no historical validity to being cautious about image links is the wrong approach, and

A simple question that you probably don't know the answer to: how is a link to an image (jpeg) different from a link to anything else? By demonizing the harmfulness of jpegs, you don't notice the obvious.

Actually, I am quite aware of the harmfulness not only of other links, but of various non-url issues. But that does not mean it's valid to say that the jpeg buffer overflow problems never happened. --Rdm (talk) 08:01, 7 March 2022 (UTC)

>>># There are people who actively go out and try to deal with people taking advantage of buffer overflow problems, which means the problems tend to be relatively rare, so a lack of examples isn't particularly meaningful (especially when you ignore well documented examples of jpeg buffer over problems which are more recent than 2004),

There are all kinds of bad people in this world. However, spreading panic is unnecessary and will not lead to anything. Embedding malware into jpeg? For what? Since attacks can be done more simply and effectively in a thousand other ways?!

Sure, and I have been on the receiving end of some of that. But that doesn't make the jpeg related problems urban legend. --Rdm (talk) 08:01, 7 March 2022 (UTC)

>>># Minimizing external dependencies on a website is generally good practice anyways,

Yes, it is true. See above why I am against externally hosted jpegs.

>>>so being "too cautious" in this context seems like a maybe mediocre but not horrible and maybe even good idea. (Certainly a lot better than some of the other stunts people have been pulling, recently.)

>>>Now, ... it's undoubtedly true that some people somewhere discourage image links because they have been annoyed by porn. But that does not seem relevant here, since that's not the kind of image under discussion.

I have met many times people who said that "jpeg infected their system". 99% of the time it was actually an attack ... while (coincidence) they were viewing pictures that were completely harmless files. 1% are naïve who considered the virus that deleted their files (jpeg files were zero length after the attack) to be a virus that "sits in jpeg". Punny.

Most problems are, indeed, self inflicted. But, not all. And, I have also encountered plenty of people claiming that such things never happen (also, without any evidence). Anyways.. *you* were first suggesting that the jpeg buffer overflow problems had not happened. And then, when I pointed at some evidence to the contrary, you were suggesting that the jpeg buffer overflow problems had not happened since then. And then when I pointed at some evidence to the contrary you ignored that evidence and simply restated that they had not been happening. --Rdm (talk) 08:01, 7 March 2022 (UTC)

In order to infect a computer with jpeg, you need a lot of knowledge, skills and you can do it when the system is vulnerable (ie not updated since 2004).

*Somebody* needs to have knowledge and skills. But programs -- including programs which can trigger bugs in other programs -- can be used by someone other than the person who wrote them. And you know this. --Rdm (talk) 08:01, 7 March 2022 (UTC)

In order to put eg a photo [...] someone does not need any knowledge or special skills. It swallows any system, even with the latest patches.