Slashdot Mirror


Cross-Site-TRACE

quackking writes "Uh-oh! Looks bad for RFC 2068! Kudos to WhiteHat out of Santa Clara, CA for this one. ALL current web servers comply with this RFC, which means they ALL are vulnerable to this newly named attack - XST - cross-site-trace. When misused, TRACE, part of the HTTP protocol, allows an unauthorized script to be passed to a Web server for execution even if the server is secured against running such scripts. Even devices like web-managed routers are open to this."
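As an added illustration of the exchange behind the summary above (not code from the submission, from WhiteHat, or from any browser or server): the point of cross-site tracing is that a TRACE request is echoed back in the response body, headers included, so script running in the browser can read Cookie and Authorization values it could never read directly. The server function below follows the TRACE semantics of RFC 2068/2616; the hardened version refuses the method. Host, path, cookie and credentials are constructed sample values.

```javascript
// Added example (not code from the Slashdot submission or from WhiteHat):
// a model of the HTTP TRACE echo that cross-site tracing abuses, beside
// a server that refuses TRACE. All values below are constructed samples.
const CRLF = '\r\n';

// What a browser ends up sending when page script issues a TRACE to the
// site it is on: the browser attaches the site's cookies and any cached
// HTTP auth credentials on its own. (Cookie and credentials are samples.)
function buildTraceRequest(host, path, cookie, user, pass) {
  const basic = Buffer.from(`${user}:${pass}`).toString('base64');
  return [
    `TRACE ${path} HTTP/1.1`,
    `Host: ${host}`,
    `Cookie: ${cookie}`,
    `Authorization: Basic ${basic}`,
    '', '',
  ].join(CRLF);
}

// TRACE as RFC 2068/2616 specify it: the server reflects the request
// message it received as the response body, Content-Type message/http.
// Headers the script could never read directly are now in a body it can.
function traceEnabledServer(rawRequest) {
  return [
    'HTTP/1.1 200 OK',
    'Content-Type: message/http',
    `Content-Length: ${Buffer.byteLength(rawRequest)}`,
    '',
    rawRequest,
  ].join(CRLF);
}

// The fix: do not implement TRACE at all (Apache: TraceEnable off).
function traceDisabledServer(rawRequest) {
  const method = rawRequest.slice(0, rawRequest.indexOf(' '));
  if (method === 'TRACE') {
    return ['HTTP/1.1 405 Method Not Allowed', 'Allow: GET, HEAD, POST',
            'Content-Length: 0', '', ''].join(CRLF);
  }
  return ['HTTP/1.1 200 OK', 'Content-Length: 2', '', 'ok'].join(CRLF);
}

// Attacker side: parse the TRACE response and lift the echoed headers
// out of its body. Returns {} when the server did not echo anything.
function extractEchoedHeaders(rawResponse, wanted) {
  const firstLineEnd = rawResponse.indexOf(CRLF);
  const headerEnd = rawResponse.indexOf(CRLF + CRLF);
  if (firstLineEnd < 0 || headerEnd < 0) return {};
  if (!rawResponse.slice(0, firstLineEnd).startsWith('HTTP/1.1 200')) return {};
  const body = rawResponse.slice(headerEnd + CRLF.length * 2);
  const found = {};
  for (const line of body.split(CRLF)) {
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    const name = line.slice(0, colon).trim().toLowerCase();
    if (wanted.includes(name)) found[name] = line.slice(colon + 1).trim();
  }
  return found;
}

// Run the whole exchange against a given server implementation.
function runXst(server) {
  const request = buildTraceRequest('www.example.test', '/', 'session=abc123', 'alice', 'hunter2');
  return extractEchoedHeaders(server(request), ['cookie', 'authorization']);
}

console.log('TRACE enabled :', runXst(traceEnabledServer));
console.log('TRACE disabled:', runXst(traceDisabledServer));
```

Against a real server the check is `curl -i -X TRACE http://host/`: a 200 with `Content-Type: message/http` that echoes your request headers means TRACE is on; on Apache the directive `TraceEnable off` turns it off, and other servers have an equivalent. Two caveats: the server-side fix is the only reliable one, and the browser half of the attack depends on page script being allowed to send a TRACE at all, which the browser scripting APIs of the time permitted and which XMLHttpRequest and fetch now forbid.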

14 of 299 comments

  1. Re:He gets the word around.. by Machine9 · · Score: 2, Interesting
    I suppose that if your server can take it, there's no better publicity than a /. post huh?

    sure beats tel-sell...

  2. Most science fiction by Amsterdam+Vallon · · Score: 4, Interesting

    Seems to use neither science nor fiction.

    I find that most stories I peruse contain such far-out "scientific principles" that the events that occur could never happen anywhere on this planet.

    Then again, some parts (even in Doctorow's 0wnz0red series) are simply stolen facts from things that have already happened and been talked about in the news.

    I find it ironic that the best new science fiction works are not science and barely contain any fiction.

    --

    Reply or e-mail; don't vaguely moderate. Ex-O'Reilly/MIT employee, now a full-time Google employee.
    1. Re:Most science fiction by metlin · · Score: 2, Interesting

      I had commented on exactly this in the previous mention of the 0wnz0red series here.

      Of late, good science fiction has become so very rare; more of it is Sci-fi and SF stuff (as some poster corrected me).

      I shall refrain from ranting, but if 0wnz0red is the best of modern science fiction that we can get today, it's sad. Incidentally, I remember that Doctorow had mentioned it as just fiction, not science-fiction.

      *sigh* Hope springs eternal.

  3. why would i buy? by bje2 · · Score: 4, Interesting

    first off, i remember when slashdot posted his short story "0wnz0red", and i really enjoyed reading it...

    secondly, not that i'm saying i'm cheap or anything, but why would i go buy the book, when i just downloaded the pdf for free?

    --

    "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
    1. Re:why would i buy? by Anonymous Coward · · Score: 1, Interesting

      in any case, as for taking it on holiday, or somewhere else with you...well, it's a "printable pdf", they even advertise it as that on the download page...i can print and take it with me anywhere i want...

      That is true, but there is a certain something to be said for buying a bound book instead of making your printer grind out 67 loose pages.

    2. Re:why would i buy? by fucksl4shd0t · · Score: 3, Interesting

      No, actually I was trolling. :)

      I don't know anything about Cory, I just felt that his example was a tad contrived. One thing that has been demonstrated time and time again, especially with people that work in entertainment, is that success corrupts. A band (or an author) that starts out with high ideals frequently drops them later on when they're looking a huge chunk of cash in the face. When a band (or an author) is able to resist the cash and keeps their ideals, it is the EXCEPTION and NOT the rule.

      I don't know enough about Cory to even be able to take a guess that I would feel good about taking, but I remain cynical. I'm also cynical that both RedHat and Mandrake will continue to offer free download versions of their OSs. I'm a cynic. :)

      --
      Like what I said? You might like my music
    3. Re:why would i buy? by Robotech_Master · · Score: 3, Interesting
      You might want to say, "Hey, man, right on, kudos!" and support him with some money. (Heck, you don't even have to buy the book to do that; you could probably paypal him a few bucks and say it's pay-back in lieu of buying the book.) Or you might simply like the book enough that you want to have a professional-looking dead-tree version to stick on your shelf, or to lend to someone who doesn't like reading electronically and wouldn't understand being handed a bound printout.

      You probably find it hard to conceive of paying for something you could get for free, but not everybody does...not by a long-shot. In fact, as I mentioned in this comment, doing something quite similar has worked wonders for Baen. Blockquoth Jim Baen:
      Baen has experienced a mysterious 50% increase in gross dollar sales in the previous year. Also, our "sellthrough" (percentage of books placed in the market that sell to end-point customers) has improved from the rather startling 63% to the truly stunning 74%. I'm tentatively blaming this on my wacko e-net proclivities. (Insert a Crazy Eddie ad pastiche here)
      People who prefer print books but wouldn't otherwise look at Baen's titles in the store are taking free ganders (or even buying the e-versions first!), reading for long enough that they like it, and going out to place an order. Judging from what he says on the linked page and in the introduction to the free e-version of his book, Doctorow seems to be hoping that much the same thing will happen to him...and who's to say that it won't?
      --
      Editor Emeritus and Senior Writer, TeleRead.org
  4. BoingBoing is amazing by TerryAtWork · · Score: 5, Interesting

    When this was a physical magazine, it was one of the most fun, intelligent and readable cyber magazines ever. I bought my copies at the short lived Binary Cafe in Toronto (three computers on dialup to the net...) - and now I can't find them.

    Kind of like Mondo 2000, Wired and National Lampoon (jeez - anyone here remember when those were good?) all rolled into one. Now it's a web site and a HECK of a mail list.

    Highly recommended and I'm looking forward to DLing the book. (As soon as the /. effect ends.)

    --
    It's Christmas everyday with BitTorrent.
  5. Site holding up well by karrde · · Score: 2, Interesting

    Surprisingly, while the click to page view is a little slow, the site is holding well under the strain. And my d/l of the book screamed. Someone was ready :)

    Started reading the prologue on the screen, but just decided to print it out. Starting out as a neat story. Although the continued lack of specifics might drive me nuts.

  6. Interesting possibilities... by Schnapple · · Score: 4, Interesting
    I see lots of interesting possibilities if this "thing" catches on.

    It would appear that the publishing industry and the recording industry are similar in that they are difficult to get into and tend to "stiff" new artists/authors. Of course the recording industry is difficult to get into because they're looking for the next 18-24 year old Britney Spears clone and the publishing industry is difficult to get into unless your work has something that will sell (for sci-fi your works these days either have to be attached to a franchise or be militaristic in nature).

    The main difference between this author and, say, Bruce Eckel, as far as I can see, is that they also publish their works through major book publishers. There's lots of websites wherein you can download the entire CD of a small artist, usually the ones who press their own albums on CD-R. But as soon as these guys sign to a major record label, this practice goes away. How it is that TOR is allowing Doctorow to do this is beyond me. No way would they let Robert Jordan release Wheel of Time 10 this way.

    But something occurred to me - this is a book that's like 136 pages (though Amazon says the hardcover is 208). And it's being published in hardcover for $22.95. That's more than most DVD's or CD's. You can usually pick it up for less than that, but doesn't that seem a little pricey to anyone else? I know that hardcover first issue books are steep, like $29.95 for Wheel of Time 10, but that's a 700 page book whose target audience is rabid about it. Shouldn't a 136 page hardcover book be a little cheaper?

    Even better question - how come no one complains about this? People complain about the price of a lot of things - CD's, DVD's, Movies, etc. but they never complain about the price of books. Of course you can download your music if you really want to, you can wait for the movie to hit DVD, you can download the DivX of the movie/DVD if you can find it, and the DVD is loaded down with extras so you don't feel gypped. Could uneasy accessibility to books in digital form be the reason no one complains about their prices?

    And what will this do to the mix? Will authors release their material this way in the future in the hopes that being noticed will land them a book deal so they can sell copies to all of those who want a keepsake of something they read for free? Will this guy sell a ton of copies of this book because he was on a Slashdot story? Will this work on a fiction document (Eckel's works are programming books)?

    Can the recording industry learn a thing or two from the publishing industry? Or is it the other way around? And whose cause does it help if the Slashdot community buys a ton of this book?

  7. Re:relation? by lecca · · Score: 4, Interesting

    Check out http://average.matrix.net/Daily/markR.html if you want to really see whats going on in detail.

    --
    "In a time of universal deceit, telling the truth becomes a revolutionary act" - George Orwell
  8. Re:relation? by rchatterjee · · Score: 3, Interesting

    Don't know if this is the reason for the internet slowdown right now but it seems likely; since about a few hours ago I've been getting tons of incoming traffic on port 1434 which I believe is the port that MS SQL listens on. So it's probably another exploit on MS server software.

  9. Opera affected? by (rypto* · · Score: 1, Interesting

    From the article: users of both Internet Explorer and Netscape are equally at risk to the same vectors of attack.
    Will it affect the Opera browser?

    --
    #3 pencils and quadrille pads.
  10. Re:Turn Javascript, activex, java off by djmurdoch · · Score: 2, Interesting

    Sure you stop being able to view many sites, but most of those sites that lock you out when you don't have this stuff on are full of junk anyway.

    For the last couple of weeks, IE has been popping up warnings that my security settings may not allow Slashdot to display properly, because I don't have ActiveX scripting enabled. I do allow Slashdot to use Javascript, but don't allow everything it wants to do.

    The stupid warnings are really irritating, but the only things I'm losing are the banner ads at the top of the page. I think the offending code is this:

    // builds the PointRoll ad-server URL (the random tail defeats caching)
    var prs="ads.PointRoll.com/PRServe/?ad=424m2002121917423&pub=osdn&num="+prInst+"&size=728_90&code=no&redir="+pr_redir+"&defredir="+pr_redir_def+"&r="+Math.random();

    // injects a third-party script tag; "<scr"+"ipt" is split so the HTML parser doesn't see a closing </script> inside this script block
    document.write("<scr"+"ipt language='JavaScript' src='http://"+prs+"'></scr"+"ipt>");


    Any suggestions on how to get rid of this irritant?