Fake parking tickets target Hybrid car owners.

dkit, do you even know what a troll is?

An Internet troll, or simply troll in [ame="http://en.wikipedia.org/wiki/Internet_slang"]Internet slang[/ame], is someone who posts controversial, inflammatory, irrelevant or off-topic messages in an online community, such as an
[ame="http://en.wikipedia.org/wiki/Internet_forum"]online discussion forum[/ame] or [ame="http://en.wikipedia.org/wiki/Chat_room"]chat room[/ame], with the intention of provoking other users into an emotional response.

I didn't see anyone do this but unfortunately someone got emotional.

Calling Prius drivers tree hugging, green skinned, vegetarian, tofu eating, hippies on a Hummer forum is not trollish where it might be to this mob of tree hugging green skinned vegetarian tofu eating hippies on PriusChat.

 

No, dkit was absolutely right, and I apologize. But in my defense, I had no idea that he was the official PriusChat Posting Cop, but I've learned my lesson and will be sure to check with him first before posting anything to make sure the content is appropriate or not.

 

This scam was discussed this week on Buzz Out Loud. Someone pointed out on yesterday's episode that some legit government websites DO require you to download a particular version of JavaScript (or was it Java?) if you don't already have it, so there could be precedent for requiring a download of some kind before being able to view government content.

That said, it's clear that it would be ridiculous for a parking enforcement agency to operate this way. So a bit of healthy skepticism is appropriate always, and (as you say) call the agency if you have questions...

 

Yet another reason to turn all the scripting OFF in your browser,
whatever browser you prefer to run. And to give the legit websites
that say you "must enable it" an EARFUL about security/privacy and
make them stop assuming anything about a particular visitor's
configuration or capabilities and just fix their script-driven
trash so it actually works for everyone.
.
It wouldn't be hard to figure out who owns/hosts the trojan site
and have the providers take it down, unless it's offshore in which
case the relevant government is likely also in on the deal. In many
cases you can't touch the perpetrators, so be proactive and PROTECT
YOURSELF up front.
.
As far as fake tickets, there's a reference about halfway through
this pictorial to the guy who made up the original "SUVs are a pox
upon the landscape" type tickets. Didn't go to a trojan website,
it just went to his where a lot of his other art and activism is
detailed. Someone clearly took off from that idea.
.
_H*

 

Script makes no difference to this exploit; the page directed the user to download and install a program called PictureSearchToolbar.exe. Straightforward social engineering attack. Most viruses and trojans are spread in this fashion - a dangerous, information-gathering or annoying program is delivered purporting to be something else. There's absolutely nothing that an OS vendor can do about this - ultimately an OS needs the capability to install new device drivers, delete files, change configuration settings. You don't need these capabilities all the time, though, which is why it's better to run software as a standard user than as an administrator.

In itself, script can't do anything to your system, unless there's actually a vulnerability in the script engine. However, script can control plugins on the page, if they're marked 'Safe for Scripting' (in IE). Too many components are marked 'safe for scripting' even though no checks were ever done on this, and they were never intended for use on the web. As a result, Microsoft have to periodically provide updated blacklists of controls that IE isn't allowed to load, as they have known issues that weren't anticipated. Internet Explorer 7 blocks plug-ins that haven't run in the browser before, requiring an additional few clicks to run something new, although new add-ons downloaded through IE are automatically approved.

Firefox and Opera are less vulnerable to this problem as they have different plugin models; IE's model is used system-wide so in theory any component registered with the system could be loaded, although there are a couple of checks to ensure that the component is registered as Safe for Initialization, if the web page is trying to pass parameters to it, or as Safe for Scripting if script is trying to control it. Still, there's nothing stopping attackers targetting Firefox with binary add-ons (.xpi), they just don't bother when nearly two-thirds of people still use IE.

If you plan to continue using IE I would strongly recommend getting IE7. It does require at least Windows XP Service Pack 2, but anyone running XP should already have that. If you have an older version of Windows, Microsoft isn't producing updates any more. (Windows 2000 still gets security updates, but only up to July next year.)

Whatever browser you use, and whatever OS: keep it up to date. We developers do make programming mistakes, including many that aren't obvious at first or even tenth glance. Some of our mistakes are benign; some allow attackers the chance to run whatever code they like. In addition, keep any add-ons that you run up-to-date, especially widely-deployed components like Flash Player, QuickTime, RealPlayer, Java.

 

What Mike said, PLUS: Get Avira. Between it and Firefox running Noscript, you'll be about as safe as you can be without actually getting a Mac.