"If it ain't broke don't fix it" is the typical line item that covers "keep systems up to date" in city government, next to the standard budget allocation, "$0".
> Employees received emails from the city's information technology department instructing them to unplug their computers if they noticed anything suspicious.
Ouch, that sort of communication policy seems ripe for phishing attacks.. "If you see anything suspicious, please report them here https://.."
Different from what? Do you mean it's not necessarily a URL? Or do you mean clicking on it could take you somewhere other than where you would go if you chose "copy url" and manually pasted it into the address bar? (And if the latter, is that true even on a forum like this that makes you post comments as plain text?)
Javascript or no, the href attribute of an <a> tag does not have to be a URL in order for it to be clickable. (Whether or not it will do anything useful is another matter.)
> Or do you mean clicking on it could take you somewhere other than where you would go if you chose "copy url" and manually pasted it into the address bar?
This is possible with Javascript - capture the click event before the browser's <a> tag handling and load any page you want.
> is that true [possible] even on a forum like this that makes you post comments as plain text?
No. /u/mynewtb was talking about clickable hyperlinks where clicking on them takes you to a different place than the tag's href. On sites like HN, where all comments are plain text, there are no hyperlinks in comments. On sites like Reddit, you can use Markdown to add clickable hyperlinks to your comments, but you can't add <script> tags in order to manipulate what clicking the pyperlink does.
In either case, an attacker would have to do XSS in order to change where you go when you click a link.
This attack / trick is entirely feasible within first-party content or third-party content that is allowed to use external Javascript or inline <script> tags (for example, HTML email).
> Based on the screenshot, one security expert WXIA showed it to said that it resembled the message from a variant of Samsam, a family of ransomware that struck a number of hospitals two years ago.
Could this be one of those that exploited a Java de-serialization vulnerability in Java-based application servers a couple of ago as the excerpt says?
Java is an absolute buggy bag full of vulnerabilities, can't believe people/organizations still run this shit.
Sigh - its extremely naive to call "java" the issue. Every language, framework, OS, kernel (and frankly, even hardware) have their vulnerabilities. These types of comments sort of grind my gears.
At which point do we simply say “systems susceptible to most types of malware are unsuitable for critical work”?