Slashdot Mirror

← Back to Domains

Domain: hackademix.net

Stories and comments across the archive that link to hackademix.net.

Comments · 107

  1. Re:Who'd have thought it? by shellbeach · · Score: 1 · on The Java Popup you Can't Stop

    Note that the link for the Javascript launched method is broken. You have to add the l to html. Here's a direct link. Remember, alt tab to close. Huh, doesn't work for me under linux - the page just opens in a firefox tab, which is easy to close.

    If this only causes problems with Windows users, that suits me just fine! :)
  2. What a waste of my time by Anonymous Coward · · Score: 0 · on The Java Popup you Can't Stop

    first I visited the link from /. - http://hackademix.net/2007/08/07/java-evil-popups - all I got was a background image, pie - quick look @ s/c got me this - http://evil.hackademix.net/fullscreen/applet.html

    So I go there (and I do have Java installed), I get prompted that the site wants to install an ActiveX component, fine I says. Then IE says no, because it's not signed. Byes, I says.

    Incidently, I lowered the sec perms of IE and got it to work, and sure it's an annoyance, that you kill your IE task to close it, but it's nothing more than an annoyance - which is the point of the popups I guess.

    Interesting to see where this leads though.

  3. What a waste of my time by Anonymous Coward · · Score: 0 · on The Java Popup you Can't Stop

    first I visited the link from /. - http://hackademix.net/2007/08/07/java-evil-popups - all I got was a background image, pie - quick look @ s/c got me this - http://evil.hackademix.net/fullscreen/applet.html

    So I go there (and I do have Java installed), I get prompted that the site wants to install an ActiveX component, fine I says. Then IE says no, because it's not signed. Byes, I says.

    Incidently, I lowered the sec perms of IE and got it to work, and sure it's an annoyance, that you kill your IE task to close it, but it's nothing more than an annoyance - which is the point of the popups I guess.

    Interesting to see where this leads though.

  4. Re:Who'd have thought it? by BobPaul · · Score: 2, Informative · on The Java Popup you Can't Stop

    AFAIK, both of these require JAVA in order to work. One of the demos is launched by a JAVA applet and the other is launched by a JAVASCRIPT function of some sort, but I believe the full screen window that appears is JAVA regardless of which you use. I come to that conclusion because on WinXP, (where the Javascript launched one works) the Java icon appears as the icon when I Alt+Tab and because both of these use LiveConnect, according to the Maone's website, which is a technology that allows interoperability between Java and Javascript.

    Also, on the "Applet" page, it says "Works in any Java-enabled browser" whereas the "Javascript" page states it works only if both "Java and JavaScript are enabled"

    Note that the link for the Javascript launched method is broken. You have to add the l to html. Here's a direct link. Remember, alt tab to close.

  5. JVM sandbox permissions by Anonymous Coward · · Score: 0 · on The Java Popup you Can't Stop

    Does anyone know more details about why the usual JVM sandboxing doesn't work for this FullScreen program, or the LiveConnect JavaScript snippet?

    The JVM enforces permissions specifically related to creating top-level GUI windows (http://java.sun.com/javase/6/docs/api/java/awt/AW TPermission.html):

    setWindowAlwaysOnTop Setting always-on-top property of the window: Window.setAlwaysOnTop(boolean) The malicious window might make itself look and behave like a real full desktop, so that information entered by the unsuspecting user is captured and subsequently misused

    showWindowWithoutWarningBanner Display of a window without also displaying a banner warning that the window was created by an applet Without this warning, an applet may pop up windows without the user knowing that they belong to an applet. Since users may make security-sensitive decisions based on whether or not the window belongs to an applet (entering a username and password into a dialog box, for example), disabling this warning banner may allow applets to trick the user into entering such information.

    These two seem to relate to the FullScreen demo, particularly setWindowAlwaysOnTop, since the FullScreen Java program calls w.setAlwaysOnTop(true).

    I'd expect the security policy for a JVM running in a browser to only grant these permissions to Java code if the browser user agrees to allow them. And since the FullScreen program from http://evil.hackademix.net/fullscreen/classes/Full Screen.class or the LiveConnect JavaScript snippet are unsigned, I wouldn't expect the JVM to even give the user the option, unless the user explicitly configured their browser to allow permissions to unsigned code.

    Is the JVM granting these permissions to the FullScreen code? Or is FullScreen somehow doing what it's doing despite not having the permissions?

    If the JVM is granting the permissions, why?

    If FullScreen doesn't have the permissions, how is it able to do what it does?

  6. Re:Adblock works, too by Fweeky · · Score: 1 · on The Java Popup you Can't Stop
    Won't stop the LiveConnect version (careful!), which calls Java methods directly from JavaScript in both Opera and Firefox:

    var w = new java.awt.Window(new java.awt.Frame());
    w.setBackground(java.awt.Color .black);
    w.setLayout(new java.awt.BorderLayout());
    w.setLocation(0, 0);
    d = java.awt.Toolkit.getDefaultToolkit().getScreenSize ();
    d.height += 80;
    w.setSize(d);
    w.setVisible(true);
    It also won't stop Java-enabled sites which happen to not use .jar or .class in their package URLs.

    I just disabled Java globally; I can still turn it on for trusted sites.
  7. Adblock works, too by gpinzone · · Score: 2, Informative · on The Java Popup you Can't Stop

    Putting http://evil.hackademix.net/fullscreen/FullScreen.c lass in AdBlock Plus' kill list worked like a charm. Make a generic kill for *.class and *.jar and then whitelist the sites that need java.