Domain: hackademix.net
Stories and comments across the archive that link to hackademix.net.
Comments · 107
-
Re:Adobe Reader - bloatware
-
Re:They got paid for this...
Yes, but at least the adblock author doesn't mess with other software on your computer like the Noscript guy.
http://adblockplus.org/blog/attention-noscript-users
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community
-
Re:And money changes hands...
I didn't lie, and he secretly disabled other software on users' computers.
You might want to bother checking some links before spouting off.
http://adblockplus.org/blog/attention-noscript-users
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
-
Re:Inevitable.
See my post above, I've used NoScript, I use NotScripts on Chrome now, and I don't miss any functionality.
While an average user might not miss any functionality with NotScripts the overwhelming truth is that there are limitations to what NotScripts can do with the limited Chrome API. Let me list some features I use daily:
- Clickjacking protection
- inline script blocking
- Script Surrogates
- XSS Filtering
- Application Boundary Enforcement
- HTTPS Enforcement
- Secure Cookie Enforcement
I could go on but let's discuss ABE for a moment. Singularly the most awesome part of NoScript. Let's say you allow Facebook.com scripts to run since you have a facebook account. Now let's say you allow slashdot.org scripts to run because you are a masochist. Facebook inclusions will run on slashdot.org because you trust both facebook and slashdot. But not with ABE:
# Facebook XSS
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION
I could still go on but you get the point, right?
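To make the rule above concrete, here is a small evaluator of the ABE keywords it uses (Site, Accept from, Deny INCLUSION). It is an added example, not NoScript's own code: it assumes ABE's first-matching-predicate-wins ordering with "accept" as the default when no rule matches, and the sample requests are constructed.

```python
"""Simplified evaluator for the ABE rule quoted in the comment (Application
Boundaries Enforcer, part of NoScript). Added illustration, not NoScript code:
it models only 'Site', 'Accept from' and 'Deny INCLUSION', host patterns with a
leading dot, and first-matching-predicate-wins with accept as the default."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ABE_RULE = """
# Facebook XSS
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION
"""


@dataclass
class Rule:
    sites: list                                  # destination host patterns
    predicates: list = field(default_factory=list)  # (verb, kind, origins)


def parse_abe(text):
    """Parse the ABE subset into Rule objects; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        verb = words[0].lower()
        if verb == "site":
            rules.append(Rule(sites=words[1:]))
        elif verb in ("accept", "deny"):
            if not rules:
                raise ValueError("predicate before any Site line")
            rest = words[1:]
            kind = "ALL"                         # applies to every request type
            if rest and rest[0].upper() in ("INCLUSION", "ALL"):
                kind = rest.pop(0).upper()       # INCLUSION = sub-resource loads only
            origins = ["ANY"]                    # no 'from' clause: any origin
            if rest and rest[0].lower() == "from":
                origins = rest[1:]
            rules[-1].predicates.append((verb, kind, origins))
        else:
            raise ValueError(f"unsupported ABE line: {raw!r}")
    return rules


def host_matches(host, pattern):
    """'.example.com' matches example.com and every subdomain of it."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def _host(url):
    return (urlsplit(url).hostname or "") if url else ""


def decide(rules, request_url, origin_url, inclusion):
    """Return 'ACCEPT' or 'DENY'. `inclusion` is True for sub-resource loads
    (script, frame, image, XHR) and False for top-level navigation."""
    dest, origin = _host(request_url), _host(origin_url)
    for rule in rules:
        if not any(host_matches(dest, p) for p in rule.sites):
            continue                             # rule is about other sites
        for verb, kind, origins in rule.predicates:
            if kind == "INCLUSION" and not inclusion:
                continue                         # navigation is not an inclusion
            if origins != ["ANY"] and not any(host_matches(origin, o) for o in origins):
                continue                         # 'from' list does not cover origin
            return verb.upper()                  # first matching predicate wins
    return "ACCEPT"                              # nothing matched: allowed


if __name__ == "__main__":
    r = parse_abe(ABE_RULE)
    # Facebook widget included by slashdot.org: blocked; same widget on facebook.com: allowed.
    print(decide(r, "https://www.facebook.com/plugins/like.php", "https://slashdot.org/", True))
    print(decide(r, "https://www.facebook.com/plugins/like.php", "https://www.facebook.com/", True))
```

Clicking a link from slashdot.org to facebook.com is a top-level navigation, so Deny INCLUSION does not apply to it and the request is accepted.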
-
Re:Easy opt-out
No it doesn't....
http://hackademix.net/2010/05/26/google-analytics-opt-out-snake-oil/
Noscript does. And I guess they have to emulate google features to do it cause of the state of the web.
I said that Adblock+ works perfectly well, I did not mention "Google Analytics Opt-out Browser Add-on" which you linked.
-
NoScript helps
That's why NoScript disables embedded fonts along with other possible attack vectors.
Even on GNU/Linux, font rendering is not to be assumed safe. In particular, freetype was never designed with the idea to parse fonts from various untrusted sources, so security in the font parser has always been secondary up until recently, so there might be many security holes in it lurking. It also had a vulnerability lately, of course it got quickly fixed.
http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/
-
Re:Wrong
Well you can presumably google the same as I do, I was as my choice of language indicates discussing something I don't have much specific knowledge of. But I will throw a few links out.
Here for example is a bug report related to the issue, opened January 2009, marked 'fixed' Feb 2010, but it was 'fixed' only after being interpreted extremely narrowly and there are plenty of comments left after that pointing out that it was not fixed at all.
Another link that's a bit dated, this was one of the ones I remember reading during the brief period of time I was trying to use Chrome, before I said screw this pos and went back to firefox. (A POS in its own right in other ways, granted, but it works.)
And here is another interesting bit of question and answer. I particularly love the answer by Eice: "The reason you don't feel safe without NoScript is because you're used to an insecure browser. Chrome features a multi-process architecture and a strong policy sandbox that resists malware beautifully without needing the user to whitelist all the sites they visit." - Um no. Not even in the ballpark with that. I am not 'afraid' of what is generally acknowledged as malware, it has nothing to do with that. It has to do with moronic webpages trying to take over my computer in what another idiot commenter called 'a normal browsing experience.' If a 'normal browsing experience' means letting the remote computer take control of my machine and hijacking my pipe to bombard me with sounds and flashing lights and videos and all this other garbage some idiot 'web designer' thinks is attractive, opening popups or worse yet redirecting me away from the page I am trying to read and insistently loading up one I don't want to see instead, and all the other typical ways of wasting my pipe, my processor, my memory, and most importantly my time and focus instead of just settling down and letting me see the content I came to their site to see, then I don't want it. Ever.
-
Sandboxie's NICE, this is better... apk
Simply because "I can't get burned IF I never go into the 'malware-in-general kitchen'" period (& yes, even sandboxing's been KNOWN to have been broken thru in the past by malwares (think chroot JAILS as an example thereof)):
So, what's better here (& even better if added in with sandboxie + other "layered-security"/"defense-in-depth" methods in my p.s.s. section below)? THIS IS:
My custom HOSTS file currently protects me vs. 1,571,476+++ (& growing every 15 minutes) KNOWN bad sites/servers/hosts-domains that are KNOWN to be either maliciously scripted, or serving up malware-in-general, plus spamming/phishing sources as well as botnet C&C servers.
HOW/WHY/WHEN/WHERE? Read on!
(Do use 0.0.0.0 on most OS, but Windows 2000/XP/Server 2003 can use a smaller one, in plain 0 as a blocking "IP Address" even (thus, smaller HOSTS files result, & their entries are parsed FASTER that way, line by line, w/ no "loopback operation" occurring @ all, due to "blackhole routing", & NO "ABE warning" problems, noted here -> http://hackademix.net/2009/07/01/abe-warnings-everywhere-omg/ either))
20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added "layered"/"defense-in-depth" security:
1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).
2.) Adblock blocks ads in only 1-2 browser family, but not all (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).
3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.
4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).
5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current)).
* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting IP address in your browser won't always work IS WHY. Some IP addresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!
6.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs. HOSTS file are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can.
7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).
8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:
GOOD INFORMATIO
-
U want more 4 UR "$"? U talk 2 me...
(In Mad Max voice from the film, "The Road Warrior") So, how can I show you THAT, and guarantee it on the web, also? Easy: It's called a custom HOSTS file (which will not only give you more of your monthly bandwidth back, but also speed online while surfing webpages, AND MORE SECURITY (if done right adding in known sources of infestation, & yes, sources for that exist online - I list some below)):
My custom HOSTS file currently protects me vs. 1,554,666++ (& growing every 15 minutes) KNOWN bad sites/servers/hosts-domains that are KNOWN to be either maliciously scripted, or serving up malware-in-general, plus spamming/phishing sources as well as botnet C&C servers.
How/Why? Simply by blocking out adbanners mainly (and using "hardcodes" to your fav. sites in the HOSTS file also).
Read on!
( & do use 0.0.0.0 on most OS, but Windows 2000/XP/Server 2003 can use a smaller one, in plain 0 as a blocking "IP Address" even (thus, smaller HOSTS files result, & their entries are parsed FASTER that way, line by line, w/ no "loopback operation" occurring @ all, due to "blackhole routing", & NO "ABE warning" problems, noted here -> http://hackademix.net/2009/07/01/abe-warnings-everywhere-omg/ either))!
20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added "layered"/"defense-in-depth" security:
1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).
2.) Adblock blocks ads in only 1-2 browser family, but not all (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).
3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.
4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).
5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current)). Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting IP address in your browser won't always work IS WHY. Some IP addresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work.
6.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs. HOSTS file are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can.
7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).
8.) AdBlock doesn't let you block out known bad sites or servers that are know
-
incomplete, thus misrepresentation
If you want people to be aware of Giorgio Maone's mentality and motivations, you should probably link them to his blog entry on the matter. He goes into great detail.
Here are some snippets:
I screwed up. Big time.
Please let me apologize first, then briefly explain what happened from a slightly different point of view than Wladimir Palant's, then apologize again.
... I began tracking EasyList changes and counterreacting. Of course Ares2 didn't stop, nor did I, so we engaged in an escalation through more than 30 EasyList updates (even 4-5 per day) specifically aimed at my sites
... If you've got some familiarity with Adblock Plus filters, you'll notice any standard web technology beyond basic HTML/CSS (scripting, frames, AJAX) was completely disabled.
They got to the point where users could no longer even see the regular links to install NoScript or FlashGot.
If you're describing his actions only as "[abusing his] position for monetary gain", you are spreading a simplistic understanding of the situation. That is virtually misinformation.
If anyone expects to have and share an opinion on this matter they really ought to read his blog post.
-
Re:Did they also get a grant...
As much as I loved NoScript, I uninstalled it the moment the story broke. But After reading Giorgio's apology I was totally convinced that he meant no harm and learned his lesson, so I reinstalled NoScript only a few days later.
-
Re:Why I don't use NoScript
Even though the author recognized his mistake, backed out the changes, and apologized profusely in a very public manner you still don't trust him? Harsh man, harsh.
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
I'd rather not blacklist somebody over a single incident. However, if you happen to know of other instances where he did something sketchy, please let us know.
-
Re:Reminds me. I owe that guy money.
Bah. Who cares if Maone designs his site so that his ads are shown through adblock? The purpose of adblock is not to block every ad everywhere anyway. Let him have his ad revenue, he certainly deserves it.
The adblock people acted very immaturely when they started the whole debacle and I lost all faith in them. That is why I now only use noscript (most annoying ads are flash or js anyway).
If you want the other side of the story, read http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
-
Re:Great idea but not likely to happen
Assuming you keep your plugins updated, you are already sending the X-Do-Not-Track header with all of your requests. Since NoScript 2.0.9.x, it can be configured with noscript.DoNotTrack.{enabled, exceptions, forced}, and the default is enabled.
The maintainer of NoScript says:
As stupid as it may sound (why would parties who are interested in tracking you comply?), a means to clearly express your will of not being tracked is going to be useful, especially when backed by law or industry self-regulation, as explained here. Therefore it seems in the interest of NoScript users and privacy-concerned netizens in general to participate in this effort.
I'm not sure that I agree with the rationale (legislation about HTTP headers? No thank you!), but at least there is one. He also responded to the Firefox proposal.
-
Re:of course
Since you obviously use FlashBlock (and I don’t), can you please tell me whether this still works?
-
Re:How is this different
Funny you should mention NoScript, since that's a plugin that's already been involved in its own scandal. Not as bad as stealing login information but still a breach of the users' trust.
-
Re:Ubuntu should stick with Firefox.
Chromium has limited support for addons. I installed Chromium, and went to look for my favorite addons. It was easy to find imitations, addons that borrowed the name of popular Firefox addons. However, going to DownloadThemAll's site brought me to: No Google Chrome support. The short article talks about Chrome's limitations. The gist of it can be shown in this quote: "While support for some types of extensions was added to Chrome just recently, the extension system in Chrome simply doesn’t cut it. It is only very limited in what you can do."
The end of the article links to Why Chrome has No NoScript. That short post goes on to link to forum posts and bug reports showing why basic addons can't work with Chrome.
-
Protection on other browsers
This post of NoScript's author Giorgio Maone dates back to one year ago and goes into the details of X-Frame-Options. His point seems to be that if you have JavaScript enabled, there are well-known ways to achieve the same result, unless you use IE (they can be circumvented). If you don't have JS enabled, NoScript on Firefox is already giving you the same degree of protection. Anyway (this is me) adding that level of protection by default on all browsers looks like a nice thing to have.
-
A little bit more information
Apparently Giorgio Maone (the guy who maintains NoScript) was one of the people who discovered this hole and told Microsoft about it many months ago. After the Register article, he gave away a few tidbits of information on how this works.
-
Re:Go NoScript!
Citation: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
And there was as much bitch-slapping as ever occurs when any OSS developer does something blindingly stupid. The Internet's huddled masses screamed incoherently at them for a few days, and they realized that they weren't going to get away with it. Many, myself included, vowed to never again let Giorgio Maone's code run on any machine under our control.
-
Re:Cheating on my first love - Firefox
He apologized
-
FlashBlock Can't Protect You
FlashBlock can be easily circumvented by any attacker.
The only reliable flash-blocking whitelist is NoScript.
-
Re:Noscript
The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.
He admitted his error and has stopped doing this. See this link. The very first line? "I screwed up. Big time."
Any fool can make a mistake. It takes some guts to admit it, correct it, and try to move on, especially in public like that. For that reason I do not count myself among the folks who still want to figuratively crucify him.
-
Re:No noscript
You gotta keep up, guy. Giorgio explains in detail.
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
-
Re:Did not work for me
And by "out of date" you mean "it happened two months ago"? http://adblockplus.org/blog/attention-noscript-users http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ Sorry. My forgiveness doesn't come that quickly.
-
Re:Did not work for me
Eh, noscript has become adware in the last year.
This is an out-dated claim: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ It pertains to an ugly episode for which the NoScript author is rightfully apologetic.
It's a curious phenomenon, how the mind closes once a certain type of conclusion has been reached. This is the phenomenon that led to the NoScript/AdBlock war, and it seems entirely unfruitful to emulate exactly the kind of thinking that caused the issue in the first place.
-
Re:big issue is NoScript
Basically from what I read easylist went above and beyond blocking ads on his website by actually changing the way html on his page was rendered in order to disable all forms of advertisement.
They disabled everything but css and html basically putting his pages back to the early 90s in terms of functionality.
The restrictions were so severe that it became actually impossible to download noscript if you were using easylist because it would remove the download links. This caused the author to have a HOLY CRAP THIS IS BROKEN response so over the course of one night he made a "fix" for it. Only after he had released the fix did he realize how much he had overstepped the bounds of decency.
He issued this apology.
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
-
Re:big issue is NoScript
On the surface it seems like NoScript had descended into the point of malware, but take a look into the history of why Giorgio did what he did and you will see that AdBlockPlus (Wladimir) and EasyList (Ares2) weren't entirely innocent in the matter (namely specifically blacklisting NoScript's domains). I notice that Giorgio was quick to apologise for his part, but Wladimir still refuses to apologise for his actions that certainly contributed.
Yes, there needs to be a more trustworthy NoScript, but at the same time there also needs to be a more trustworthy AdBlockPlus and more transparency over subscription filtersets like EasyList.
I, personally have taken AdBlockPlus off my system, not because of this debacle, but because one of the updates recently broke my browser. I have found Privoxy much better suited to my needs.
-
Re:Antivirus on Windows
That was changed, they no longer unblock and have posted a front page apology for the change in the first place. http://noscript.net/
Important update for Adblock Plus users: Version 1.9.2.6 automatically and permanently removes the controversial NoScript Development Support Filterset deployed with NoScript 1.9.2.4. I sincerely apologize to ABP users. Even though information about its presence and how to remove it in two clicks was given on the AMO install page, on this site's install page, on the release notes landing page and in the FAQ, not including a prompt asking for explicit permission beforehand from the start has been a very bad omission, and I want all the ABP users who felt betrayed to know how much I'm sorry for that. As a sign of good will and repent, current NoScript 1.9.2.6 completely removes the ABP filterset on startup with no questions asked. Thanks for your patience.
-- Giorgio
Update: More apologies and background facts on author's blog Hackademix.net.
-
Yes, NoScript
You're wrong, NoScript DOES give protection against this attack. The malicious code comes from mikeyylolz.uuuq.com, which is not in your NoScript whitelist even if you're using twitter.com with scripts allowed.
Please check http://hackademix.net/2009/04/13/mikeyys-stalkdaily-twitter-worm-vs-noscript/
-
Mitigation
-
Re:No plugins like Adblock and NoScript
IE is NOT the first browser to implement anti-clickjacking tech. Firefox + NoScript has had a non-obtrusive (read:it works with the "globally allow scripts [etc]" option enabled) clickjacking blocker known as ClearClick for quite a while now. It is inaccurate to compare vanilla Firefox with other browsers since Mozilla intended Fx to be used with addons. NoScript is a perfect example.
-
Re:The Best Defense is Offense
Problem is with no-script you still have to decide if you trust or not-trust the site and if that level of trust you have is worth what the site is offering.
That slightly over-simplifies the protection that NoScript offers. For example, even when you allow script to run NoScript still provides protection against certain types of XSS, you can use it to force cookies to be exchanged over https for certain domains, it can block some plug-in types (Java, Flash, Silverlight), it features click-jacking protection, and just a couple of days ago it even added protection against attacks on twitter.
So yes, you do have to make that trade-off, but even when you click "allow" you're potentially better off with NoScript installed than without it.
-
Don't rely on FlashBlock for security...
-
Re:Trust (not exactly)
-
Re:Has...
Please read.
-
No, you can't rely on FlashBlock
You should not depend on FlashBlock for security, because it can be easily circumvented. And, as reported in other comments, FlashBlock does not even work reliably against this very PoC.
-
Am I in a time warp?
This attack has been going on for months... http://hackademix.net/2008/04/26/mass-attack-faq/
-
SSL + SSP = Safer Web Apps
As I commented here, SSL and SSP are orthogonal technologies whose correct and joint adoption should be required for any website performing sensitive transactions: the former ensuring integrity and, to a certain extent, identity; the latter defining and guarding application boundaries.
Those websites should encourage their users to adopt an SSP compliant browser, and compliant browsers should educate users to prefer SSP compliant sites with visual clues, just like we're already doing with EV-SSL (and for better reasons in this case, maybe).
On my side, I'm considering to highlight valid SSL + restrictive SSP websites as more reliable candidates for NoScript whitelisting.
-
NoScript WILL Save You (most of the time)
SWF and other payload files cannot be uploaded and hosted on the compromised web server as easily as SQL-injecting a script fragment which downloads them from a 3rd party site in full control of the attacker. In this and all the recent mass-infection cases, the 3rd party hosts have been improbable Chinese domains likely registered ad hoc (such as wuqing17173.cn, woai117.cn or dota11.cn), and very unlikely to be in your NoScript whitelist, no matter how savage your browsing habits could be.
So in all "real world" scenarios seen so far, this one included, you are protected by NoScript in its default configuration, which blocks 3rd party embeddings even if you're visiting a trusted page.
Then if you want extra protection for the use cases you've listed (i.e. frequent usage of Flash-intensive community driven web sites), you can also configure NoScript to block ALL the embedded objects, with no regard for their origin: you will still be able to temporarily allow them selectively, by clicking on a visual placeholder.
-
Re:How does Apache avoid this?
That's close.
http://hackademix.net/2008/04/26/mass-attack-faq/#comment-7742 has a decent explanation of why this is primarily hitting IIS. SQL injection is common to many platforms, but Microsoft's database driver has some features that made it particularly easy to generalize the exploit. Specifically, prior knowledge of the table layout was apparently unnecessary to create the exploit, meaning that it was easy to hit a large number of websites in a short period of time.
-
Re:Microsoft's Official View of the Situation
As others have posted, it's pretty easy to prevent multiple instruction SQL injection. That's a function of the database driver, which Microsoft controls.
It's much harder to prevent injection of additional parameters e.g. typing ' or '1'='1 into the text box--that's something that will be language and developer dependent. From my very brief scan of the details of this vulnerability, it looks like it would have been prevented if Microsoft had disallowed multiple statements in the driver.
This page supports my interpretation. I note, specifically: Attackers carefully weighted the easiest spot, being a combination of
* ASP classic, due to the poor coding standards among the average VBScripters who hardly know about prepared statements (even though they are supported)
* ADO as the DB client layer, allowing stacked queries (multiple SQL statements together in a single string), which are not supported, for instance, by JDBC or by the mysql_query() PHP API
* Microsoft SQL Server, because its Transact SQL supports a rich feature set including loops, metadata enumeration and Dynamic SQL (crucial for generalization), and because it's the most common ASP database back-end with such high-end features.
Apparently, if stacked queries weren't allowed, this wouldn't be nearly so easy to exploit.
-
Re:How does Apache avoid this?
The exploit depends on a chunk of SQL that targets only Microsoft SQL Server. The slashdot "editors" think this is an IIS exploit because they don't know that IIS and MS SQL Server are two different products.
If someone wrote a generic script that targeted MySQL, I'm sure the idiots at Slashdot would post an article about a security hole in PHP.
-
Re:Microsoft's Official View of the Situation
Well, to quote from the Hackademix FAQ on this issue... "Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts. There's no Microsoft-specific vulnerability involved: SQL injections can happen (and do happen) on LAMP and other web application stacks as well. SQL injections, and therefore these infections, are caused by poor coding practices during web site development. Nonetheless, this mass automated epidemic is due to specific features of Microsoft databases, allowing the exploit code to be generic, rather than tailored for each single web site."
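The distinction the comments above draw (a driver that runs stacked statements versus one that refuses them, and prepared statements as the actual fix) can be shown with Python's sqlite3 module. This is an added example, not code from the page or from the Hackademix FAQ: executescript() stands in for an ADO-style driver, execute() for a single-statement driver like mysql_query() or JDBC, and the table and payload strings are constructed for the demonstration.

```python
"""Added example: why stacked queries made the mass injection generic, and why
restricting the driver is only a partial defence. Uses sqlite3 as a stand-in
for the drivers the comments discuss; table contents and payloads are made up."""
import sqlite3


def fresh_db():
    """Constructed sample table of web pages (a pair of rows is enough)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages(title, body) VALUES ('home', 'Welcome'), ('about', 'About us');
    """)
    return conn


def all_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]


def concat_query(title):
    # The poor coding practice the FAQ describes: user input spliced into SQL.
    return "SELECT body FROM pages WHERE title = '" + title + "'"


def lookup_stacked_driver(conn, title):
    """Driver that executes every statement in the string (the ADO case).
    An injected second statement runs with the application's privileges and
    can touch every row without knowing the schema in advance."""
    conn.executescript(concat_query(title))
    return all_bodies(conn)           # state of the table afterwards


def lookup_single_statement_driver(conn, title):
    """Driver that refuses more than one statement per call (the mysql_query()
    / JDBC case). The stacked payload is rejected, but an injection that stays
    inside the one SELECT still works."""
    try:
        return [row[0] for row in conn.execute(concat_query(title))]
    except (sqlite3.Warning, sqlite3.Error):   # multi-statement error, version dependent
        return "rejected"


def lookup_parameterised(conn, title):
    """Prepared statement with a bound parameter: input is data, never SQL."""
    rows = conn.execute("SELECT body FROM pages WHERE title = ?", (title,))
    return [row[0] for row in rows]


# Constructed payloads: one stacks an UPDATE that appends a marker to every
# row (the shape of the mass attack), the other is the ' or '1'='1 style
# boolean injection the comment mentions.
STACKED_PAYLOAD = "home'; UPDATE pages SET body = body || ' [injected]'; --"
BOOLEAN_PAYLOAD = "x' OR '1'='1"


def demo():
    out = {}
    conn = fresh_db()
    out["stacked_driver"] = lookup_stacked_driver(conn, STACKED_PAYLOAD)
    conn = fresh_db()
    out["single_stacked"] = lookup_single_statement_driver(conn, STACKED_PAYLOAD)
    out["single_boolean"] = lookup_single_statement_driver(conn, BOOLEAN_PAYLOAD)
    out["param_stacked"] = lookup_parameterised(conn, STACKED_PAYLOAD)
    out["param_boolean"] = lookup_parameterised(conn, BOOLEAN_PAYLOAD)
    out["after_single_and_param"] = all_bodies(conn)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The single-statement driver leaves the table intact but still returns every row for the boolean payload; only the parameterised query returns nothing for both.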
-
What exactly did this guy do?
I've been searching around, and can't seem to find any details on what exactly this guy did other than sue Wikipedia. The only thing that I've really been able to gather so far is that he's suing Wikipedia because they "reported a story about his wife being favored by the city administration in public contracts".
From the mangled google translation of TFA, it looks like he's upset because even though someone else has already been convicted in the "Florence Parking" scandal, his wife is still being implicated on the wikipedia article.
What is the "Florence Parking" scandal? Does anyone else know more details about this?
From TFA (Google Translated):
FLORENCE - The mayor of Florence, Leonardo Domenici, and the municipal assessor Graziano Cioni gave mandate to sue for defamation and slander the web encyclopedia Wikipedia.
The accused - The reason is explained in a note, it's because the "voice" of Leonardo Domenici site charge to the first citizen and his junta some measures and decisions, so it says, "have provoked criticism from citizenship "citing in particular" the trust of citizens in the parking company "Florence parking" for the cda are part of the wives of Domenici and Cioni.
The INVESTIGATION - In the note, please note that this "slander." Had already circulated in the past and that in 2004 the Public Prosecutor of the Republic of Florence had opened an investigation which led to a conviction in a trial. The voice but (when reporting this story) has not changed and is still in the form contested by Domenici. Hence the decision to proceed with the lawsuit.
-
Much More Informative Article Here
It explains how the exploit works, how developers would/should avoid it and how users could protect themselves: http://hackademix.net/2007/09/26/gmail_csrf/
-
Re:Yet another "we hate Gmail article"?
From a technical perspective, cross-site scripting (XSS) vulnerabilities aren't exactly a new thing. Nor are they isolated to Gmail.
From what I gather about this exploit (and contrary to what the CNET article has to say about it) this is actually a cross-site reference forgery (CSRF) attack rather than XSS. The attack takes advantage of the fact that a malicious Web site's clients may have persistent GMail cookies in their web browsers: The attacking site directs the victim's web browser, (possibly, but not necessarily) using JavaScript, to make a POST request to GMail which creates a mail filter to copy all messages to an email address under the attacker's control. No JavaScript needs to be injected into GMail itself, so I don't really think it counts as XSS; in fact, the attacker never sees the actual session cookie or recovers the account password. Still, this is a huge threat, especially considering that so many people have their (Facebook|MySpace|AIM|whatever) accounts set up to send their password to their GMail accounts in case the password is "forgotten".
If this is how the attack works, then Firefox's NoScript extension should protect you as long as you don't have the attacking web site whitelisted, even if the CSRF POST vector isn't JavaScript based.
You're absolutely correct in stating that this isn't strictly a GMail problem, but rather a fundamental problem with using the Web as an application platform. In fact, I'd argue that CSRF attacks are an even more deeply rooted and difficult to deal with problem than any type of XSS. My friends might think I'm outdated, but this is why I still use fetchmail and mutt to grab my GMail messages by POP, staying logged out of the GMail web site as much as possible.
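The attack the comment above describes (a cross-site POST that rides on the victim's persistent cookie to create a forwarding filter) and the server-side check that defeats it, as an added example that is not Gmail's code or the page's: the session store, the request objects and the server secret are constructed for the illustration.

```python
"""Added illustration of cookie-riding CSRF against a 'create mail filter'
endpoint, beside the hardened version. Nothing here is Gmail's code; the
server secret, sessions and requests are constructed placeholders."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SECRET_KEY = b"constructed-server-secret"     # placeholder, not a real key


@dataclass
class Request:
    cookies: dict
    form: dict
    origin: Optional[str] = None              # Origin header, if the browser sent one


@dataclass
class Account:
    filters: list = field(default_factory=list)  # forwarding addresses


SESSIONS = {"sess-victim": "victim@example.test"}   # cookie value -> user
ACCOUNTS = {"victim@example.test": Account()}


def csrf_token(session_id):
    """Per-session token derived from a server secret. The attacking page never
    sees the victim's cookie, so it cannot compute this value either."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_filter_vulnerable(req):
    """Cookie-only authorisation: any page that can make the victim's browser
    POST here changes the account, exactly the scenario the comment describes."""
    user = SESSIONS.get(req.cookies.get("sid"))
    if not user:
        return 401
    ACCOUNTS[user].filters.append(req.form["forward_to"])
    return 200


def create_filter_hardened(req, site_origin="https://mail.example.test"):
    """Cookie still identifies the user, but the state change also needs a
    token only same-origin pages can read, and the Origin header (when the
    browser supplies one) must be the site itself."""
    sid = req.cookies.get("sid")
    user = SESSIONS.get(sid)
    if not user:
        return 401
    if req.origin is not None and req.origin != site_origin:
        return 403
    supplied = req.form.get("csrf", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):
        return 403
    ACCOUNTS[user].filters.append(req.form["forward_to"])
    return 200


def forged_request():
    """What the attacking site causes the victim's browser to send: the cookie
    is attached automatically, the token is absent."""
    return Request(cookies={"sid": "sess-victim"},
                   form={"forward_to": "attacker@evil.test"},
                   origin="https://evil.test")


def legitimate_request():
    sid = "sess-victim"
    return Request(cookies={"sid": sid},
                   form={"forward_to": "me@other.test", "csrf": csrf_token(sid)},
                   origin="https://mail.example.test")


def demo():
    ACCOUNTS["victim@example.test"].filters.clear()
    return {
        "vulnerable_forged": create_filter_vulnerable(forged_request()),
        "hardened_forged": create_filter_hardened(forged_request()),
        "hardened_legit": create_filter_hardened(legitimate_request()),
        "filters": list(ACCOUNTS["victim@example.test"].filters),
    }


if __name__ == "__main__":
    print(demo())
```

A forged request from an older browser that sends no Origin header is still refused, because the token check does not depend on that header.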