Microsoft Advises to Type in URLs Rather than Click
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
I always knew that those hyperlinks were a bad security problem. Web designers should really avoid those proprietary 'href'-tags for security reasons.
Let's implement features and advise against using them! Pure marketing genius! It's like buying a ferrari but not driving it! Well... it's IE so maybe a bicycle.
Like that you'll at least always see where the link is going before you go there.
"Little does he know, but there is no 'I' in 'Idiot'!"
I have a suggestion that's not in the Knowledge Base: don't use IE!
Yeah, and I have a solution to prevent malicious programs like IE from running that's not in the Knowledge Base...
Install Linux.
I hear you can buy a copy of it for around $600 somewhere.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Oops!
Isn't Konqueror affected by this as well?
I don't click to a 4 letter URL if I can't even see the full address in the status bar. Damn affiliates too.
1888 Franklin St.
This is a trust issue, not a technology issue.
I didn't really read the article, but I am pretty sure that one option slipped their mind, whoever wrote it.
:)
:)
use another browser...
There are plenty of options available on the market
If you don't like OSS, for religious, political, or other reasons, one can always Opera.
Otherwise Mozilla, Firebird, Konqueror, and others come to mind
I say go one step further for ultimate security and telnet to port 80.
Why risk using the Web at all? Just e-mail the webmaster and ask him to fax the webpages to you!
These sigs are more interesting tha
Damn, if only you could have clicked the "reply" link instead of having to type the URL in manually for security reasons, you could have gotten first post. Curse you, IE!
WARNING: If accidentally read, induce vomiting.
They turn off all the 'automate EVERYTHING' approaches microsoft seem to think are a good idea, then it will become safe again to actually click on the links?
Really. perhaps a few more people should install pegasus email under windows, and download mozilla firebird - the world would really be a slightly better place!
Or is that just too obvious?
PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?
Sigh.
In other news M$ advises all online banking users to walk in to their nearest bank office to secure their online banking...
"okay, instead of patching our crap that you paid for, just don't use these features. That's right, they're bugs, not features! But we won't patch them for numerous unspecified reasons."
"By the way, you knew it wouldn't be anywhere near secure when you bought it. Remember lovebug? eh? Oh, we're better than linux/bsd/unix/sunos/macos for numerous unspecified reasons."
--an open letter from MS (well, at least they could have the courtesy to tell us directly they're ridiculous)
*sigh* we're all screwed.
Eight-hundred-thirty-three-thousand-seven-hundred-eighty-six Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks
Microsoft Advises to Type in URLs Rather than Click
So now MS is promoting a return to command line interfaces?
With these recommendations Linux jumps lightyears ahead in usability ;)
I am pretty sure my grandma would rather click the link in Firebird, than type it herself.
I think the javascript option is also out of the question for her...
Nice workarounds...
90% of my surfing is done with Firebird, either under Windows or Linux. It's fast (on a Pentium IV @ 2.0 GHz), complete and full-featured.
9% is done with Opera 7.23. Mostly at home, since it's still small and light enough for my poor little Pentium machine.
Less than 1% is done with IE, mostly with horribly broken sites that only accept it, and I am actively searching for a replacement.
FWIW, I never use MS Outlook or Outlook Express either. Earlier this week, when MyDoom struck our email servers, a couple of coworkers were infected. I was not.
The moral of the story is that you can't trust Microsoft products.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for ./, the advice to type URLs into the address bar may be one that we should all take to heart in the future.
As pointed out here, the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.
Example: one could replace the o's in http://www.microsoft.com with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.
A more serious example: my bank, the Dutch Rabobank, features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.
A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.
Are there any people from countries using non-latin domain names that might want to comment on this?
Support a Europe-related section on Slashdot!
I mean, sure, Slashdot readers probably can, but most of us are already using a non-vulnerable browser on a non-vulnerable platform anyway. Joe Sixpack is going to have no fucking clue how to tell if a URL is spoofed or not, nor is he necessarily going to type the URL either.
This is obviously a case of Microsoft being caught red-handed with their pants down around their ankles and trying to cover themselves with Saran Wrap. A pretty transparent cover-up...
The views expressed herein are not necessarily those of anyone, including the poster.
Let's say M$ user types in URL but on that URL is redirection to faulty URL? The thing is, they can do nothing about it. And nowadays some regular URL has like 30+ characters with all those PHP-Nuke/Puke portal engines and horror CMS engines. SO, M$ crew, create a real browser and stop dragging us/them to a stone age...
Sinisa
http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786
Need I say more?
I stole this Sig
I try to convince other people of this. Firebird contains a popup blocker, supports tabbed browsing, is more secure, and has a gestures plugin.
The other people just don't. It's not like they don't know how. These are proper techies. They just make up daft excuses like not trusting free software.
Maybe trust is important. You can trust IE after all. You can trust it to be insecure.
http://slashdot.org/comments.pl?sid=94638&cid=8116264
/. :p
damn
Dear Mr Krosoft :
What if the URL is checking for a proper referral when accessing it?
Why also be shy and just typing an URL when you could perform a complete HTTP/1 session using a (... sorry : THE MS) terminal application ?
Trolling using another account since 2005.
Microsoft advises that it is best to type in your OS, rather than just purchase one off the shelf.
DROS - Open-Source Robot Software
They used to have a 'Comment on this Article' feature which I was about to fill with an angry rant, but they appear to have pulled the feature....
Not only should they fix this immediately, but they have a responsibility to the community that they force their browser on to at least provide them with a browser that is not open to such a simple hack
The only counter argument I can think of for hiding the user/pass syntax before the @ in the first place is to "stop the password being in cleartext on the screen when viewing" and I think we can all see through the pointlessness of that argument.
O Firebird, Firebird, wherefore art thou Firebird?
(Who can) deny thy greatness and refuse thy name;
Or, if they wilt not, be sworn to hell,
As soon there'll no longer be an Internet...
With apologies to the great bard.
Conversion Rate Optimisation French / English consultant
It hasn't made it on Slashdot yet, but Netcraft is reporting that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.
For more information, please see Microsoft's advisory. That's right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".
After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..
Workarounds for this new behavior are listed as:
* Do not include user information in HTTP or HTTPS URLs.
* Instruct users not to include their user information when they type HTTP or HTTPS URLs.
How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
... and even though I don't use Windows this is a nice step towards better security.
My main issue is this, the knowledge base is huge - there are thousands of articles, therefore although the article is there how many *normal* people actually read it ? The people that need the information the most are those that are less computer literate and the same people that would rather be playing flash games than reading a document on a "geeky computer" website.
It is the same with the "oh they should use another browser", at the end of the day they don't really care until they get bitten - and even then they will make the same mistakes again. I personally think that the software update mechanism (where the window pops up if there are updates) is great under OS X. You would have to be really retarded to ignore it.
Maybe Windows and Linux could do with something like this? I know Debian has its security feed (which I use), but it'd be useful if it alerted me that there were updates. I also remember there being an update manager but maybe it shouldn't allow you to not install the security updates. (Please forgive my lack of knowledge of the recent Windows situations WRT updates - I rarely use it so please don't flame back but I would be genuinely interested to know - for the sake of my parents' computers)
Anyway, end of post.
chris at darkrock dot co dot uk
http colon slash slash www dot darkrock dot co dot uk
(1) Checkbox to disable "kiosk mode" from EVER happening! (2) Checkbox to disable pop-up windows (or prompt user per pop-up) as opposed to disabling Javascript altogether. (3) Outlook-specific settings for HTML preview so that most features can be turned off for e-mail preview; stop spam from essentially calling home via preview, or playing virus MP3, etc. For example, by default forbid all HTML-formatted e-mail from accessing the Internet and running scripts -- just totally passive HTML. The user, at his or her discretion, can right-click on the body of an e-mail to select further previewing rights for trusted mail. (4) Checkbox to reject URLs that use unicode characters -- just an option; (5) Checkbox to forbid wacky URLs with "obvious" redirection tricks; (6) Option to set the "maximum number of browser windows to open per second". One can set this to a rate slower than one's ALT-F4 pressing rate, to win the battle against run-away pop-ups.
all righty, foolish microsoft idiots, learn to tyep some google group urls
http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=alt.comp.hardware.overclocking.amd&safe=off&selm=bvckv9%24qpsad%241%40ID-222886.news.uni-berlin.de
or even better type your own knowledgebase urls for sure
http://support.microsoft.com/search/default.aspx?InCC_hdn=true&Catalog=LCID%3D1033%26CDID%3DEN-US-KB%26PRODLISTSRC%3DON&withinResults=&QuerySource=gASr_Query&Product=msall&Queryc=833786&Query=833786&KeywordType=ALL&maxResults=25&Titles=articleid&numDays=&InCC=on
jeeebuz, Microsoft! -> get fucking lost !!!
Install Linux
I hear you can buy a copy of it for around $600
I have a copy and I will let you pirate it off me for only $10 s&h.
Don't tell anyone. It'll be "our little secret".
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Their reasoning? Security. Judging by the number of times in the past two months they've had overtime to do, and the amount of times they have to send out emails-which-get-deleted-without-further-reading on what not to do with a web browser, I suspect it's the security of their jobs they're trying to protect, but anyway...
So, instead, I sit and shake my head with wonder at all the people, particularly from the Management stream -- although I've seen for myself that engineers aren't immune -- who blindly click links without checking their content, who don't check for SSL, and so on and so forth. And, in two cases, get swindled out of cash because they believed an email supposedly from their bank...
ObRant: Why conceal this kind of knowledgebase article? Microsoft should have it in forty-foot-high letters of fire on their front page. No, more than that; it should be in every freaking news syndication everywhere for every single windows user to see and read, repeatedly, until they get the hint.
Then, and only then, can we honestly say that those who still don't do the "right" thing deserve it.
So, here we go:
www.hotmale.com
---
I'm a dyslexic agnostic with insomnia; I lay awake at night wondering if there really is a dog.
Please correct me if I got my facts wrong.
And to think, that enough people got MikeRoweSoft.com confused with microsoft.com to warrant a security bulletin.
"Protect yourself from email worms by walking to the post office!"
"Protect yourself from p2p worms by buying your music on 8-track tape!"
"Protect yourself from joe-jobs by not using your hotmail address!"
"Protect yourself from internet credit card theft by using dollar bills exclusively!"
"Protect yourself from e-banking snoopers by keeping your savings under the mattress!"
"Protect yourself from spam by disconnecting the internet!"
"For Christ's sake, protect yourself from illegal operations by turning off your computer NOW!"
(Oops, this one's not new.)
This is...
O
U
T
R
A
G
E
O
U
S
!
To have meaningful URLs is something useful, a good goal, especially when you can't simply click for one reason or another (i.e. a printed URL or a medium that doesn't enable that). But recommending not to use the basis of the web in a web browser is a clear signal that something is wrong... either the web, or that web browser.
Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information.
SSL/TLS is typically used to help protect your information as it travels across the Internet by encrypting it. However, it also serves to prove that you are sending data to the correct server. By checking the name on the digital certificate user for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. To do this, verify that the lock icon appears in the lower right corner of the Internet Explorer window.
What a fucking joke, does Microsoft actually expect that people who think they can "install the internet" are going to be able to do this? The fact that they think posting security advisories on not clicking "untrusted links" (!) and telling people to manually examine security certificates on their own, instead of just fixing their god-damned software ASAP makes me think they either:
a) they don't have a clue about the "usability" they profess to be so innovative in, or
b) they don't give a shit about their users
I have a suggestion that's not in the Knowledge Base: don't use IE!
That wouldn't really help anything. Crackers will always exploit weaknesses in the programs that are used the most. If Mozilla were to be the most popular browser then it would have the most exploits.
How on EARTH did someone write this KB article without cracking up. Are they for real or what?
I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right minds would ACTUALLY follow the steps here. "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...
Yeah, right. I can't get over this article - it's nearly like a spoof or something.
I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.
-- *~()____) This message will self-destruct in 5 seconds...
In light of this and other issues caused by Microsoft products, the current MyDoom chaos and similar incarnation for instance, is it time legal action should be taken against Microsoft for negligence? Would anyone have a legal leg to stand on if they went up against the might of the army of MS lawyers?
I don't need a compass to tell me which way the wind shines.
And how do they get Mr. Sixpack to stop clicking on links and type in the URL, if they can't even get him to stop clicking on suspicious email attachments?
Because we all know that the Sixpack family is concerned with security and keep their anti-virus up-to-date, read the latest virus announcements and of course they keep track of Microsoft's security advisories..... Or perhaps NOT.
Telling the average user to type in URLs doesn't fix anything. Microsoft trained their users to not care, why do they think they can change that overnight?
Can I have my karma now?
So maybe in future we'll see MD5 checksums or fingerprints (or something other, still strong but more easily "visually comparable") presented in the page along with the link and also the UA (user agent a.k.a. browser) will display somewhere the checksum of the link the mouse hovers upon.
Note: Anybody is free to use this idea as long as he does not patent it and then abuse this patent for extorting money from others who actually do something (other than employing just some lawyer and maybe also a secretary and accountant).
Note: I do not claim I'm the first one to have such an idea, but in case I am, then see the previous note.
And final note: Do not be very serious. We should have also some fun while we're alive. :)
hany
I just got the latest issue of a computer magazine I subscribe to, and they had a picture of Microsoft showing a slide explaining how their future security strategy will work and (of course) the positive effects that will come from it. In the center of the slide, there was a quote very similar to this one:
"Make efforts to cause public disclosures about security flaws look bad".
I wonder what they're thinking? So they'll get time to peacefully work on solutions while virus writers spread their work of art?
Beware: In C++, your friends can see your privates!
I think this is because of patent issues. Did you know that BT has a patent on hyperlinks?
Please correct me if I got my facts wrong.
msie.microsoft.com
PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?
IMO yes, it is broken intentionally, but I did not see the source code nor question the programmers of that software so ... as already written: IMO [In My Opinion].
hany
microsoft has the morality and obligation of a drunk driver...
They crash into everything, ruin tons of people's businesses and lives.
I dream of a day, a day when the planet will live without terror and fear of the Microsoft OS.
-p
Why do I have a chill running down my spine about a new patent concerning "Zero click navigating"
-ph
Do you have any suggestion how to deal with web-forms? Especially those using POST method?
Sincerely yours ...
I'm laughing so hard I can't type. Hang on... OK. This MS article is so wrong I don't even know where to begin... How about here:
The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
Is MS going to issue a patch to disable hyperlinks then? If you can't click hyperlinks, doesn't IE cease to meet the definition of a browser? Look at the bright side, finally Netscape has closure.
Now, from the "but it's so easy to use" department:
Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate user for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site.
Huh? Does anyone expect Joe Luser to understand that? Checking the certificate against the stated URL and the IP address supplied by a DNS lookup of that URL seems rather straightforward. Someday, someone ought to invent a machine to do things like that. We could call it a computer. A computer might also be able to display the actual site name and nothing else, rather than allowing it to be spoofed in any way, eliminating the need for such manual babysitting.
From the "but it's so easy to use" department, take two:
In the Address bar, type the following command, and then press ENTER:
javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");
I see. We just proved this week that a huge segment of the Windows user base still hasn't learned about attachments. But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer. There must be some incredible acid floating around Redmond. A complete break from reality, this is.
Because then some bugger would just get you with a few "interesting" terminal escapes, just like the old days.
...
OK, so it's not exactly _likely_
1. Type in www.mozilla.org.
2. Sell your microsoft shares.
3. Profit
They don't usually know what a browser is, let alone that there is more than one browser out there, and when they read stories about viruses and how clicking on things can make your computer infected, they see microsoft as a victim.
As far as they know, Microsoft is the company that makes the things on their computer, and they know that MS is a really clever company that makes really good programs and that if they find anything wrong with those programs, they don't think that Microsoft should have fixed it, or designed it differently like we do, no, they just think that they shouldn't be doing whatever it was they wanted to do that way.
Honestly, I know so many people that don't know the difference between Windows and Office - they think that all computers come with the thing for writing letters and the thing for making spreadsheets and the thing for sending email and the thing for the internet, and any time a new virus comes out, they talk about how horrible those virus writers are. I read a letter to PC World magazine just a few months ago where someone was praising Microsoft for all the hard work they're doing to defeat the virus writers!
So asking for these sorts of people to 'use a different browser'.... you may as well tell them to please speak in a different language when they come back from lunch because there's a problem with English. Most people wouldn't know where to begin.
But the poor fool only has the four letters 'f', 'p', 'w' and 'o' on his keyboard, you insensitive clod!
Just imagine going to:
https://ϲоmmоnwealthbank.com.au/
(may not display properly - whatever, you get the picture)
and getting a perfectly valid ssl session. With entirely the wrong people - but the user would only notice if they looked at the cert.
Of course, you'd have to find a cert registrar dumb or unethical enough to give you a cert for the domain, but with people like Verisign around that can't be hard.
Wanha!
w...w.... w....wanha!!
... This article in the "Knowledge Base".
The same MS advisory page recommends (way down at the bottom for those that don't bother to RTFA):
...
Read E-mail Messages in Plain Text.
By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:
* %00
* %01
* @
Gee, ya think that HTML email is a bad idea..? I wonder how many people even realize that this "IE advisory" applies to Outlook and their email as well?
Nice way to bury that one, guys..
>Maybe the vast majority of them don't have the time and inclination to throw away all their programs and spend months learning to use lame F/OSS stuff that offers half the functionality, and only twice the inconvenience.
????????
So what did swearing off Microsoft entail?
We looked at all the alternatives. We looked at Apple, but that's owned in part by Microsoft. (Editor's note: Microsoft invested $150 million in Apple in 1997.) We just looked around. We looked at Sun's Sun Ray systems. We looked at a lot of things. And it just came back to Linux, and Red Hat in particular, was a good solution.
I know I saved $80,000 right away by going to open source, and each time something like (Windows) XP comes along, I save even more money because I don't have to buy new equipment to run the software.
One of the analysts said it costs $1,250 per person to change over to open source. It wasn't anywhere near that for us.
The other thing is that if you look at productivity. If you put a bunch of stuff on people's desktops they don't need to do their job, chances are they're going to use it. I don't have that problem. If all you need is word processing, that's all you're going to have on your desktop, a word processor. It's not going to have Paint or PowerPoint. I tell you what, our hits to eBay went down greatly when not everybody had a Web browser. For somebody whose job is filling out forms all day, invoicing and exporting, why do they need a Web browser? The idea that if you have 2,000 terminals they all have to have a Web browser, that's crazy. It just creates distractions.
>Here's a novel idea for you: when recommending a solution, how about thinking about what the victim _needs_, rather than just thinking about your religious duty to convert everyone to Linux?
For those of us atheists using linux, how does this fit in?
>This "thinking" stuff is hard.
You're right, it is. I mean, when you do it, you realize that you're wrong, don't you?
Or are you having trouble typing that link into your address bar?
Or perhaps you don't believe successful businessmen when they give you advice?
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Yes, it's been said before, but it needs saying again.
Yes, anything windows does, Linux *can* do. But some of those things don't work nearly as well, and require a lot more effort.
Yes, the underlying structure of Linux is far superior to windows, but the user interface still needs much, much work.
Yes, Linux (or some OSS OS) will eventually replace windows altogether, but not for a while yet.
In the meantime, let's not be sophomoric about our OS preferences, yes?
NOTICE: This notice will appear at the bottom of all my slashdot posts.
Here's a lesson for Microsoft IE (and others?) in the future: Be consistent and follow the rules, they're there for a reason. Don't assume that the user wants something, do as you're told and keep it simple.
Try using a '\' in a url, and IE will automagically assume that you mean a '/' - making broken links generally put out by their broken tools work in their broken browser.
Well, I guess that is some kind of consistency, eh?
I'm not a great lover of Microsoft products, except for their mouse, but the idea of not using IE probably won't do much in regard to web site spoofs like this. Unless you have some specifics where the exploit will only affect a MSIE product then you probably need a retraction for your own credibility.
These typically show up as something where the href tag is entirely evil, but the anchor tags are wrapped around a statement like http://www.yourbank.com. My experience has been that these are seen in email spam, but I've never seen this on a web page. I found a very well done one for paypal last week. It was pretty impressive because most of the links on the web mail form were legitimate.
Of course, if everything only sent ASCII email we wouldn't have this problem would we?
The latest version of the actual standards-track URI spec is RFC 2396 (1998-08).
An informational RFC on the meaning of the terms URL and URN in comparison to URI is RFC 3305 (2003-09)
BTW, The old informational RFC on URI's on the WWW is RFC 1630 (1994-06)
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
installed Mozilla firebird just now and writing this comment using it.
Wow man !!! what a fast browser.
To think of all these useless minutes i wasted waiting for IE to load...
Maybe i should bill microsoft for the unearned hours.
-------- Cluster bombing from B-52s is very, very accurate -- the bombs always hit the ground.
There is nothing about Moz Firebird that's going to make this less of an issue. The fact is that the typical user is going to see http://www.amazon.com@/fakepath/usualAmazoncrap:russianmafia.ru and think it's an Amazon URL.
Quick check: how many of you bought something online and actually checked the lock icon? While shopping during Christmas? When you were under pressure to get something done?
This is a human interface architecture issue, plain and simple. It has nothing to do with IE, nothing to do with SSL or any TLAs and everything to do with the fact that URLs and the web were not designed with security and human interface in mind.
To fix this, we need to transition to a standard way of verifying security. A quick fix to this problem would be to redesign the address bar to actually show the protocol and the host, something along the lines of:
[protocol: http, insecure] [host: www.russianmfia.ru] [user:www.amazon.com] [path:...]
A larger fix would be to transition to a set of protocols and interface standards that establish how a user chooses privacy and security options.
How can they recompile WineX? It's provided in binary form, and a fairly useless source version with the good bits stripped out...
I agree with not making any sudden changes, but I don't agree that installing software (and getting it working) on modern distros is that hard. Commercial Linux games tend to use the Loki installer which is just as simple (IMO) as - say - InstallShield on Windows.
That, and your parent poster was obviously making a joke... One which has been done many times before, but a joke nevertheless.
[IHBT, IHL, IWTTHAND?]
Hi,
You might really be interested in the "View in IE" extension for Firebird.
For sites where designers don't know a thing about standards (i.e. a page designed for IE), right-click -> "view this page in IE" and you're done.
Microsoft has entered into a contract for an undisclosed amount with Mavis Beacon Co. Also, the next version of its popular web browser will be called Internet Couch-Potato
Desi Noise, Live!
Possible fixes:
1. Display something for EVERY byte in the URL! (this is Microsoft's main problem). The only character that could plausibly display as a blank area is the byte with the value 32, and even that could show an underscore or something. If "%0102" is in the url, show the characters '%', '0', etc. And obviously the text "%00" in the url should not cause the rest to disappear. In case you think only Microsoft is stupid, Unix software often displays '\n' characters as breaks making multiple lines, in Mac's Safari this makes those spoof URL's display almost as badly as IE.
2. Display all non-ascii characters in a different color. Please ignore the probably loud Politically Correct crowd that will say you are demonstrating anglo-centric bias, those same people kept UTF-8 from being adopted for over 12 years (since it is obviously a bias to have westerners have the shorter characters) and actually hurt i18n far more than the most ignorant midwestern Cobol programmer did.
3. Display as much of the URL that corresponds to a site you have visited before in a different color. Ie similar to showing a visited link a different color in the page, show the preview of the URL with the hostname and leading directory levels colored that match some URL you visited before. Then, assuming you visited your bank once, the fake bank address will be noticeable by not being colored.
So what's next then? ....Write your emails in outlook, then print them and mail them in an envelope, all the benefits of outlook with the added security of Physical Delivery (tm)*(new improved feature, Microsoft patent pending).
When you release a list like this, you're really already in trouble.. All of those things on that list should be done by default.. At the very least MS should offer a patch on windows update that sets these things by default on.. You wouldn't buy a car and expect to get the brakes fixed weeks after driving it.. MS should fix the brakes by default, and if the user wants their brakes like they originally were, they can set them like that later.. Overall, MS should have just included a standard security level option during install from the start that lets users pick how secure they want their machine by default.. but overall, I guess I can't be too whiney about it, because lindows doesn't have strong security either.. I just wish that all os's designed for standard users would have firewalls installed by default with a drop all from net policy, because that would single handedly have stopped many worms, and obviously the quicker the problem is attacked, the more secure the internet is, because then we don't need to worry about flaws found 5 years later for instance as much
Just check my site at http://kobylkin.com and follow any link. You will see your address bar staying the same, does not matter what site you have landed on.
The JavaScript check from M$ page does not work either.
...a stunned silence fell upon the hall.
i made a similar post to the parent, in a different place in this discussion, which got modded up. so this one should disappear. sorry for saying almost the same thing twice :/ (/me slaps self)
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
the second link is surely unintentionally pointing to sco's website, let their accesslogs be filled with the wording ;-)
Talking about Bill Gates losing stuff. Has anyone seen recent pictures of him -- he looks really worn and aged, and IMO like he is losing it.
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
Citigroup sometimes sucks.
you just are more comfortable with the evil that you know.
IE is the worst browser in the history of information age. Mozilla and Firebird is the best browser.
Windoze is the worst written OS in the world.
Goatse trolls on Slashdot taught me not to click hyperlinks LONG before they became a security issue!
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
So, any guesses as to why MS is issuing this KB -- which doesn't fit the motto of "enhancing the web-browsing experience" or whatever marketing crap they had -- instead of working on a patch? Maybe the problem is so integrated in Windows that they have no idea how to fix it, short of releasing a new compile of all their .exe's? It's basically a string handling problem, isn't it.
In a Nelson voice, "Haha!" (fingers pointed at dweeby Bill Gates). Thanks for supplying another argument for switching browsers.
What time is it/will be over there? Check with my iPhone app!
On a number of pages opera is less than compliant with the standards (or at least renders differently to both mozilla firebird and IE).
Also some javascript menus don't work properly (e.g. the neverwinter nights pages) that work fine on other browsers.
It looks like the only browser immune to this is Opera.
"Though little-used, the tricky URL form is a recognised Internet standard as documented in various RFC documents. For this reason the developers of other browsers, like Mozilla, don't feel they can simply get rid of it. Instead, the Mozilla developers and a horde of kibitzers have spent almost a year and 156 comments discussing what can be done. Right now that effort has got precisely nowhere and Mozilla users are almost as vulnerable as Internet Exploder users to being hoaxed in this way."
I stole this sig.
The second I saw the headline I realized it was one of those Microsoft-bashing days... but wait... just yesterday there was a big discussion about how the CLI is way better than any GUI... so... Microsoft's idea is just a logical conclusion of someone there reading Slashdot =) Just my 2C
http://www.automatiq.se
i'm a braindead single mom with 4.9 kids and i'm told by microsoft to instead of clicking on icons to write by hand urls...
does this actually accomplish anything?
if i get a url like http://www.cnn.com@www.schnits.org/?comments=foo3 or whatever...and this is copy/pasted through manually copying each character with myself... isn't the conclusion of this story the same as if i were to have just clicked on it? microsoft's advice accomplishes absolutely nothing!
and anyway...99% of the time i'm perfectly content with elinks.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
So they're not going to fix the spoofed URL bug then? Well, I guess a KB page is cheaper than paying developers to figure it out!
When I am king, you will be first against the wall.
Oh give me a break. A "trust issue" in the security world means determining the extension of capacities and freedoms based upon predominately social concerns. I can allow a group password to my database, but who should be permitted into the group, etc.
Assuming that a link will take you to where it advertises is a basic expectation on the Web, not an extension of trust. IE apparently is unable to meet that expectation. To treat this as a trust issue is akin to blaming the patient for the doctor's mistake.
I thot OSS and linux zealots liked typing everything in command line style
While I don't keep my computer on for days, I "hibernate" instead of "shutting down", something that essentially dumps my RAM to permanent storage and recovers the whole thing when I boot back up. I've done that for three-four months before noticeable performance effects.
But then again, I run Firebird and Thunderbird and SIM (the best icq/msn oss clone out there) and generally software I trust to work okay. Microsoft is just not good at the web browser/email client game, and perhaps they should just let those go, and partner with someone who can actually write those things and make them good.
IE and Outlook Express have done more damage to Windows' reputation than any of its own bugs.
Really, there's been only one serious XP bug so far. When you compare it to dozens of nightmare linux stories of frying standard hardware. No one being held responsible for those because it's "free software, use it at your own risk", et cetera.
I fail to see how that's zealotry. If you don't like the problems that you get using Windows, don't use Windows. Very simple. Linux is a really good alternative to using Windows. The various BSDs are good too. And maybe, just maybe, what your customer actually needs *is* Linux! I converted one of my customer's mail servers from a horrible shitty Windows 98 running a very expensive proprietary client to Exim and Courier POP/IMAP running on Debian. It went from struggling with 50 mailboxes to handling around 7,500 over 300 domains, with no additional hardware. To be entirely fair, the machine was fairly powerful but misconfigured before.
Yeppie! Rejoice folk, the day's not far when M$ advocates plain-text email and withdraws HTML from Outlook.
i recently switched to mozilla 1.6, beats the crap outta IE. i also have a FB install in, been having a few issues with flash and java, so i use zilla. MS should go to hell for knowing about vulnerabilities for weeks without a fix.
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
great!!! now i can throw away that stupid ass point and click device.
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
On Win2k, FreeBSD, and Linux I very much prefer to use Opera. I frequently have to use Mozilla on the BSD and Linux boxes because some web pages don't like to play with Opera. I sometimes have to use Firebird or even MSIE because some web pages don't like to play with Opera, Firebird, Mozilla, or even Netscape 7. On Solaris I use Mozilla and have to go to the Win2k box for some sites. The lack of installer included with Firebird is sort of a nice thing as I don't really like most installers.
Has anybody got any ideas about how to work Slashdot without using any links or buttons etc.
I think not.
http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786
(The url of the "advise" in question)
Make my day
Hiaaaar!
Regards,
Martin.
Microsoft Corporation today advised users to upgrade their current Internet Explorer web browsers to Carrier Pigeon 1.0. This newly released software package transfers HTML documents safely and securely over the friendly skies.
NOTE: Microsoft is not responsible for packet loss during hunting season, unless it's wabbit season but definitely not duck season!
I know I should probably read the advisory, but I use mozilla. So how would it help?
~~ Behold the flying cow with a rail gun! ~~
I've had no troubles with mailto: using FB 0.6 (such a slacker, I keep meaning to install 0.7). Perhaps this is due to the mail client? I can't see that making any sense, but stranger things have happened. I use Thunderbird. I would say bigger issues are problems with plug-ins, especially Macromedia stuff, and (as you mentioned) the password manager.
The lack of an installer is what prevents it from becoming truly mainstream.
Where we go "cool, nice features" they... don't.
The other thing is, they always, with unwavering precision and frightening speed, manage to find the pages that it doesn't render properly.
gah, normal people.
the other thing is, that MS have succeeded frighteningly well in making their applications and icons synonymous with the tasks they perform in the minds of so many people. it's been said before, but that blue 'e' sort of IS the internet to so many people, like that 'w' IS the word processor. gah again. sorry for the lack of capital letters in this post.
lol
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
It's the right moment to quit using IE. Your computer will be happy :-)
Need I say more, 7.5 Beta is super. Fast as hell, responsive GUI, fast rendering engine (not supports as much as gecko, but good enough). Screw that xul rubbish, too damn slow.
Yes, from the old times (it appears that it hasn't been developed for a few years now). I remember browsing the web with Arachne just before I switched to Linux. I liked the "want some coffee?" messages that would appear in the status bar while rendering.
Come to think of it, I wonder if the graphical console browsers (links2, w3m) have been ported to DOS. A quick search on Google seems to indicate otherwise.
I don't know why DOS fascinates me so. It may be because it fits entirely inside the cache of my CPU...
Please correct me if I got my facts wrong.
Also, if you have any reason to suspect the authenticity of a site, leave it by closing the browser window immediately.
.... ahhheee CTRL-ALT-DEL..... *pant* ..... holding in the power switch now.........*blink*..... man that was too close, I almost got slashdotted....
ahhheee.... CLICK CLICK CLICK CLICK They are going to get me... ALT-F4 ALT-F4
Securityfocus.com ran a story on this.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
browsers should have an option to leave "Referer" flags empty in the HTTP protocol. this would obviously cause some errors when browsing pages that only allow links to themselves, so it would probably have to be something that could easily, and quickly, be switched On/Off if you're getting undesirable behavior.
There's a host of dependencies - and I've had a lot of Opera crashes until I started using statically linked Opera - thus avoiding the *nix take on dll hell...
you guys can all laugh, perhaps if i weren't knee deep in exams i might too. when i read this i only think that it is very very very sad. this is a new low, even for them. who would put up with this? i sincerely hope i never have to use windows again.
tell granny to type this in her address bar:
javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");
very sad.
Yes, those nasty links that take you to different places on the internet. Just stay at MSN.com or microsoft.com and you'll be safe. No need to go anywhere else or use a different browser or operating system...Only Microsoft links are safe...
What da fvck am I suppose to use? bug infested mozilla, or no more developed Konqueror?
The Department of Transportation has issued an advisory stating that automobiles are too dangerous and that everyone should just walk wherever they're going. Planning a trip around the world? Get a new pair of GOOD shoes and some swimming trunks.
I like the (ht/f)tp://user:password@domain if I'm on a computer with only IE. I'll be completely screwed otherwise. Sure "ftp" is on all windows machines, but then we're assuming I have access to "run" or at least a prompt, but that's not always the case. (Libraries, school computers).
The nice part about it is that it's very fast to log in to any FTP with drag and drop uploading and downloading. It exists on every Windows PC already. It can connect to any port # with the same syntax anywhere (as opposed to prompt based ftpers).
I should point out that the only place this is useful is when accessing an FTP or HTTP site which has anonymous access (doesn't prompt for user/password) but you want to log in with an account.
I think Microsoft's plan to disable username:password in URLs is good.
:-)
Tim Berners-Lee helped write RFC 1738 in December 1994. Being able to put username and password in a URL was great in 1994 but it's not for today's world. If we could nip back and tell Tim, "that's a tiny bit exploitable, you know", he would have said "Oh yes, well spotted!" The whole RFC was written with security in mind. Username and password in the URL is optional anyway; all Microsoft is doing is making it very optional.
Just check my site at http://kobylkin.com and follow any link. You will see your address bar staying the same, does not matter what site you have landed on.
I just did, Firebird 0.71 on XP.
Every URL clearly shows the correct site it's going to in the statusbar when I mouseover.
Yeah you faked it by putting your entire site in a whole-page frameset, but that's cheating - as opposed to showing a major security flaw and violation of the standards (which in this instance Microsoft is clearly admitting but flat out failing to fix).
Visit CryptoGnome in his home.
Microsoft, always on the technology vanguard.
Now I know why I use a MAC and Safari.
In an ideal, standardized world where W3C-specs were followed, and no-one sought to conquer the entire web through non-standard HTML-extensions and market-dominance...
In such a pretty and ideal place, you wouldn't have to develop different sites for different browsers. You are making yourself the extra work, by supporting non-standards. No sympathy for you, my friend. No sympathy for the devil, indeed.
As a slashdotter I thought you knew that IE is more or less a Win32-only product. And there's a hell lot more to the internet than Win32.
Anyone excusing their IE-support with sheer marketdominance has obviously rid themselves of all the principles the net was founded on. But I guess that is ok, since most IE-users wouldn't know.
Not Buzzword 2.0 compliant. Please speak english.
Heard a rumor that with the newest windows operating systems coming out, they will not feature internet explorer, unless they provide installation for netscape and other browsers. Was just wondering if this is true?
The story originally appeared on a recent Slashdot discussion.
Flamebait!
As a career developer, and computer hobbyist going back to around 1982 I can assure you, I'm no newbie to PC's. For those of you interested, here's why I and many other people use IE.
Plugins; they install seamlessly, and it supports everything out there. No visiting multiple sites to get one plugin to work.
Are popups an issue? No, the free Google Toolbar eliminates those, and offers other positives as well.
Is security an issue? Not really. I've been on the net a LONG time, and have yet to visit a site that's caught me off guard due to an IE exploit.
What about tabbed browsing? Sure, it's nice. I get that via www.myie2.com. It's a wrapper around IE so that I get the benefits of the IE engine, with popup and content filtering tabbed browsing, and many other nice enhancements. It's also free, check it out.
A lot of these same things transfer to the discussion between using Windows and Linux. Can I do MOST of what I want in Linux? Sure. Linux is EXTREMELY versatile and powerful. Can I do them as easily? Nope. If I screw up in Windows, it's either easy to fix immediately afterwards, or after a quick visit to Safe Mode. In Linux, things are MUCH more involved, and often times to get something to work I'm required to edit text files all over the place.
Gaming is where Linux loses me for sure. I like to play First Person Shooters, and although there are a few out that support Linux, a lot don't. I just purchased a new Sound Blaster Audigy 2 ZS. Not only do the games and software it shipped with not work in Linux, but if I boot into PC Linux 2K4 (LiveCD) I get a loud buzzing sound. Hmmm, I don't get that in Windows with or without installing drivers. Beginning to see my point?
Security holes or not, people will use what's easy, convenient, and full featured if they can find one item that matches each of those pieces of criteria.
I apologize for running on.
My Tech Posts on Twitter
Before sending it to some friends, I've opened the page in Mozilla, just to make sure it's really on Microsoft's server, and not just a joke making use of this vulnerability in IE.
This just in... Due to a few security issues found in MS's text editor, Word, Microsoft has urged Word users to manually write their documents by hand with paper and pencil just to be safe.
http://preferential.mozdev.org/
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Typing leads to typos. I think Microsoft is simply trying to send some business Verisign's way.
When all you have is an axe, everything looks like a grindstone.
I thought amazon had patented:
"the process for manually entering, via human interface device (keyboard, mouse, voice recognition, etc) a URL into a web browser, so as to increase security."
Didn't they? And as such, wouldn't that mean we'd have to pay royalties each time? That would suck.
MYIE2 installs a front end for the IE engine that does all of this. It also allows tabbed browsing. It is definitely worth a look.
Note: If the status bar is not enabled, the lock will not appear.
Whoever wrote this KB article needs to send it to their neighbors in WinXP product development. The status bar is disabled by default in Windows Explorer in XP.
Also, Windows still has "hide known file extensions" option checked by default. So something like annavirus.jpg.vbs looks like a .jpg file to the average Windows home user.
WGET RULE
I know this is offtopic flamebait, but hell it's so likely to be true...
I believe Microsoft intentionally has a slightly broken CSS, so that everything that looks good in IE will look crappy in any standard-compliant browser.
C'mon, it's not that crazy! We all know which mother has the marketshare's here.
It's not like most people even know there are standards anyway. "People" use FrontPage, or even worse, Word to make webpages these days, remember?
So yes, I believe IE's CSS-support (or the CSS-support in any Microsoft product) to be intentionally broken. To gain marketshare. And that's paranoid me.
Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages look like shit in IE. And, no I don't bother to make IE-CSS.
Not Buzzword 2.0 compliant. Please speak english.
Bug# anyone?
If the blasted browser wasn't built into the OS.
The number one problem I've had in converting people to Firebird/Opera (I don't care which personally, just get OFF IE) has been:
But it starts up so much slower than IE
No matter how much I try to explain it to people they just don't get it. It's the old "security v/s convenience" problem we've always faced.
If IE wasn't so tightly wound up in Windows it wouldn't have that advantage. Of course we all realize M$ isn't going to undo it and until a viable alternative is available on the desktop for the "unwashed masses" this kind of thing will keep coming back over and over unfortunately.
Rightclick-ThisFrame-ShowOnlyThisFrame.
If all of us who are sick of using Microsoft at work would simply send an email to the person in charge of making decisions about the installed software asking for their opinion and for advice as to what action should be taken, this would go a long way toward getting them to consider adopting an alternative.
No-one needs to write anti-Microsoft FUD, Microsoft will write it for you!
Read, L
To ask the user not to click on bad URL's is to admit:
1) we (Microsoft) know what a bad url is
2) we (Microsoft) assume that you may know what a bad url is
3) but for the life of us, we (Microsoft) just can't tell IE what a bad URL is
4) we (Microsoft) give up trying to teach IE what a bad URL is
5) hence we (Microsoft) ask you to please take care and avoid bad URL links
Hallowed are the Ori
The bug is not allowing URLs style:
http://fake.host.as.username@the.real.evi
This is perfectly legal and most people will spot it! (well, at least I do.)
The bug is:
http://fake.host.as.username[somespecialchar
where the special character prevents IE from displaying anything after it.
This is NOT the case in other browsers, this is a serious vulnerability (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
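The address-bar layout proposed earlier in the thread ([protocol] [host] [user] [path]) and the "display something for EVERY byte" suggestion can be sketched together. This is an added example, not code from any poster or from Microsoft; the function names and the example.* URLs are constructed for illustration.

```javascript
// Added example. Function names and sample URLs are constructed, not from the thread.

// Show every character: control and non-ASCII code points become escapes,
// so nothing in a URL can render as blank space or cut the display short.
function visible(text) {
  let out = "";
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp < 0x20 || cp === 0x7f) out += "\\x" + cp.toString(16).padStart(2, "0");
    else if (cp > 0x7e) out += "\\u{" + cp.toString(16) + "}";
    else out += ch;
  }
  return out;
}

// Split scheme://authority/rest by hand so that odd bytes are kept, not
// rejected or normalised. The authority ends at the first '/', '?' or '#'
// (browsers also end it at '\' for http and https, so that is included).
function splitUrl(raw) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([^\/\\?#]*)(.*)$/s.exec(raw);
  if (m === null) return null;
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf("@");          // everything before the last '@' is user-info
  const userinfo = at === -1 ? "" : authority.slice(0, at);
  const host = authority.slice(at + 1).replace(/:\d*$/, "").toLowerCase();
  return { scheme: scheme.toLowerCase(), userinfo, host, rest };
}

// Raw control characters, or percent-encoded ones such as %00 and %01.
const CONTROL = /[\x00-\x1f\x7f]|%(?:[01][0-9a-f]|7f)/i;

// Build the address-bar text and a list of reasons to distrust the URL.
function addressBar(raw) {
  const u = splitUrl(raw);
  if (u === null) {
    return { host: null, display: `[unparsed: ${visible(raw)}]`, warnings: ["not an absolute URL"] };
  }
  const warnings = [];
  if (u.userinfo !== "") warnings.push("text before '@' is login data, not the site");
  if (u.host === "") warnings.push("empty host");
  if (CONTROL.test(u.userinfo + "@" + u.host)) warnings.push("control character in authority");
  if (/[^\x00-\x7f]/.test(u.host)) warnings.push("non-ASCII character in host");

  const parts = [
    `[protocol: ${u.scheme}, ${u.scheme === "https" ? "tls" : "insecure"}]`,
    `[host: ${visible(u.host)}]`,
  ];
  if (u.userinfo !== "") parts.push(`[user: ${visible(u.userinfo)}]`);
  parts.push(`[path: ${visible(u.rest || "/")}]`);
  return { host: u.host, display: parts.join(" "), warnings };
}

// Constructed sample inputs (reserved example domains only).
const SAMPLES = [
  "https://www.shop.example/cart?id=1",
  "http://www.shop.example@other.example/login",
  "http://www.shop.example%01@other.example/login",
  "http://www.shop.example\x01@other.example/",
];
for (const s of SAMPLES) {
  const r = addressBar(s);
  console.log(r.display);
  for (const w of r.warnings) console.log("  warning: " + w);
}
```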
Geez, why didn't my better summary make it in? Because I forgot to add a "Microsoft products suck" line and left that for the reader to assume from the clear evidence of MS posting "Don't click on hyperlinks"?
User: *click*
Clippy: It seems that you've just clicked a HYPERLINK! Hyperlinks can be harmful to your computer, it is recommended that you enter the hyperlink to the URL bar instead of clicking it directly. Would you like me to enter the link for you?
User: *reads* blah blah blah blah blah enter the link for me? wow great!
*click* YES!
... rather than patching IE to address this issue they are telling people to manually enter URLs with all the concomitant lossage of session state and such? And they think this is a realistic solution? Ugh. Or did I miss a patch along the lines?
And without being a Microsoft apologist, don't forget that other browsers, including the Sainted Mozilla, were susceptible to varying degrees to the same bug. The difference is that these were patched.
Oh, and the obligatory smartass comment about not using IE: I use Safari on Mac OS X, Konqueror on Linux, and Firebird everywhere else.
If you look at the source, you will see this line, which detects Opera:
HM_Opera = (navigator.userAgent.indexOf("Opera")!=-1);
If you change it to
HM_Opera = (navigator.userAgent.indexOf("BLAHBLAH")!=-1);
it works because it doesn't detect Opera!
So the site is blocking Opera on purpose!
Perhaps same reason than why mozilla do not do that filtering?
there is this status bar that they want to hide.
...
in every win xp i use, i always have to specify i want the status bar.
also longhorn screenshots show that status bar is hated by microsoft look designers.
the average user should be then informed about:
- "right-click" on the link
- select "copy link address"
- paste in address bar
-
- profit
i think it is not easy to explain.
let the status bar survive!
greetings,
ppp
p.s. i vote for firebird. best on linux and win. but camino on osx.
I wish IE would hurry up and die already, IE's death is way overdue, Microsoft should just consider IE obsolete and include a mirror of Mozilla browser suite & Phoenix & Firebird alternatives...
Or perhaps you don't believe successful businessmen when they give you advice?
Of course not. If you want his advice on running a business, there is a big chance that he will lead you astray, so that you do not become competition.
His advice on technical stuff will suck too, because having a good product has nothing to do with having a good business (ie. they are orthogonal to each other).
Thanks for your info about the frame.
For me Mozilla still shows the same URL when I click away my page.
Mozilla 1.4
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624
Although I agree that it is not the trick that was described above, the JavaScript test still shows the wrong URL, in IE as well as in Mozilla.
...a stunned silence fell upon the hall.
I know this really isn't a popular opinion around here, but still, it needs to be said.
While it's true Windows isn't really the state of the art platform when it comes to security, it beats Linux when it comes to a few key issues. Like hardware support.
Yes. I know. Hardware support in Linux isn't that bad, but still you encounter hardware you simply cannot get working under Linux. This isn't exactly a flaw in Linux, but for all hardware that is developed, you can swear the vendor will release Windows-drivers that makes hardware support a non-issue.
And as far as voting with your wallet goes, you really never can tell it's an issue before you try it. This goes for my MP3-player (Creative). I couldn't get it working under any Linux or *BSD platform.
Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecessary services (Universal PnP, Remote assistance, remote registry and so on...), and using non-Microsoft products. Like Mozilla or Opera for web-browsing.
As much as we all love to hate Windows, it can be configured to operate decently. But in the name of "user-friendliness" it is configured to be insecure by default.
And there goes my karma.
Not Buzzword 2.0 compliant. Please speak english.
So don't hand out homographically similar domain names. You're not going to be allowed to keep domains like those anyway due to trademark issues, so they might as well make sure nobody can even get them.
"It's spelled Raymond Luxury Yacht, but it's pronounced Throat Warbler Mangrove."
- Oblig. Python Reference
-kgj
One time, I was talking to my brother-in-law, a preacher, about my home-office (I'm a software engineer).
I told him my goal was for my home computers to become totally free of Microsoft software.
He blinked at me and asked, "You can do that?"
I responded, "Well, you can, but you don't want to get caught, you could get into BIG TROUBLE!"
He has since become more educated on computers (after several rounds with some nasty viruses), and is developing an anti-Microsoft sentiment, too!
dochood
Maybe you missed that little button on Firebird titled "Plug-in FAQ"? I was having a couple of issues with one or two plug-ins and after reading this and following a couple of steps - no problems! Here is the link to the plug-in FAQ. Plus they list all the OSX known problems so they ARE working on solving them. If there is something missing from their list, bugtraq it to them.
Dream as if you'll live forever.
Live as if you'll die tomorrow.
~Anonymous~
"If I read that whole article my head will explode. Could we just fix the fucking problems please? I have enough to remember already."
:)
Dear toilet user!
That is the stupidest comment I have ever read in Slashdot regarding don't use IE cause clicking on a link to a fake site would be an IE issue. I am surprised that Slashdot would allow a stupid display of a pure lack of knowledge to display on their site. Take some schooling and get a grip.
In order to reduce emissions, they advise that everyone push their cars to work.
www.facebook.com/DareDefendOurRights
www.fairtax.org
I own the patent on typing URLs rather than clicking. It's patent number #1010101010, titled, "reading and writing". It covers all aspects of merging the abilities of sight, in order to read, cognitive thought, and the interfacing of the brain with any appendage to create an image representing any means of communication. All those using such methods know who you are and should send me all of your money immediately. Yes, this includes you McBride!!!
oh my, they really are nuts. They can't even write such an article correctly: not only links handling is bogus, but also form posts - you can have this %01 thing in a <form action=...>.
They fail to inform users that they shouldn't push buttons.
Please upgrade your gullibility filter to version 2.1.
When I am king, you will be first against the wall.
The article says "do not click any links you do not trust", basically a link to www.fbi.gov on a website you do not trust you type in. Nowhere does it say that you shouldn't click any links.
For an example of this spoofing bug in action, wired put together a lovely example at http://zcat.wired.net.nz/upgrade
This sig is a figment of your imagination.
While risking a lampooning from the Slashdot crowd - I use both IE and Outlook - though I have to admit that as a result of this story I've been tempted to try Firebird again. To be honest, it has improved greatly and I'm now giving it another shot.
Outlook is less easy to replace... I've a target platform of XP, and need to interact with an exchange server. While I hate the clunky configuration, gaping security flaws and slow bloated memory-hogging Outlook, I have to admit that I find Word a very effective productivity tool when writing prose - even though it is a sledgehammer to crack a nut. I only want to send ASCII mail, but I want real-time spelling and grammar checking. When will open source catch up on this front?
Paste this in the address bar instead:
javascript:alert("Are you freaking kidding me, this is what you call a security workaround!\n Oh well, here is the real address: " + location.protocol + "//" + location.hostname + "/");
Pat Buchanan, is that you?
If you can dig out a copy of IE (or if you want to prove your mozilla browser doesn't put you at risk), you can test your browser for the vulnerability.
Hop on over to Jilly's Drive in for pee-in-your-pants wisdom from Microsoft's knowledgebase.
In almost all cases, if the link text in a page was not link text (i.e.: if all the href attributes were removed) it would have the same meaning.
I've seen your "almost all" shrink. Some blog authors write in a style reminiscent of Wikipedia, Everything 2, and the like, whose pages gain some of their meaning from what their words link to. For example, "dumb MF" means one thing, but "dumb MF" means another thing, namely "dumb MF, one example of which is President Bush".
So, this wonderful advice covers favorites how? I suppose they will issue a warning to click on properties of your bookmarks instead of just clicking them, right?
By the time they get done issuing workarounds, they will have lost the benefit of the wonderful GUI that they put so much stock in.
AB HOC POSSUM VIDERE DOMUM TUUM
If your roommate is that unwilling to change browsers when other people suggest, perhaps he'd be willing to upgrade when "Microsoft" tells him to.
I've sent that page to a few people now, and the responses are pretty amusing. It redirects IE users to a spoofed MS Update page for Internet Explorer that offers Mozilla for download as the "update" for IE.
Turn off and lock in vault.
-- $G
And the documentation on the attack specifically states that the problem is not related to IE. Way to show an utter lack of knowledge, moron.
As a slashdotter I thought you knew that IE is more or less a Win32-only product.
Apart from the existence of IE-for-Mac, which is a completely separate product with a completely separate codebase, a "Win32-only product" has about 90 percent of your eyeballs.
And there's a hell lot more to the internet than Win32.
Some companies don't feel it profitable to cater to this "hell lot more," which usually amounts to 10 percent or less. Not that I develop IE-only sites or anything; I just find it useful to play devil's advocate in discussions.
Just got this a few minutes ago, it is at least the third one this week.m e%3Dhh:sinUS%01%01%01%01%01%01%01%01%01%01%01%01%0 1%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01% 01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01 %01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%0 1%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01% 01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01 %01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%0 1%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01% 01%01%01%01%01%01%01%01%01%01@visuals.ws/login.htm l
Warning: Ebay login spoof link:
http://signin.ebay.comeBayISAPI.dllSignInssPageNa
which is obviously just http://visuals.ws/login.html
Let's see how good their server is...
Does this apply for forms as well? How could you type in the information and submit it otherwise?
Just download the patch from http://security.openwares.org/
Description:
A vulnerability has been identified in Internet Explorer, which can be exploited by malicious people to display a fake URL in the address and status bars.
The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in an URL.
Successful exploitation allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page.
This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the two bars.
Example displaying only "http://www.trusted_site.com" in the two bars when the real domain is "malicious_site.com":
http://www.trusted_site.com%01%00@malicious_site.com/malicious.html
The vulnerability has been confirmed in version 6.0, and version 5.x is also affected according to Microsoft's knowledge base article.
Solution:
Click on the following link to download and install the IE URL Spoofing Vulnerability Patch.
Download now [http://security.openwares.org/]
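A way to check links for the pattern the description above names, as an added example that is not part of the original post or of any vendor's code: it reports the host a URL really connects to (the part after the last "@") and flags percent-encoded control bytes or a hostname-shaped string in the userinfo part. The function names and the sample message are constructed for illustration; the domains are the post's own placeholders.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# A userinfo string shaped like a DNS name (at least one dot) is a decoy candidate.
HOSTLIKE = re.compile(r"^[a-z0-9_-]+(?:\.[a-z0-9_-]+)+$", re.IGNORECASE)
# Simple link extractor for plain-text mail bodies (assumption: links are
# delimited by whitespace, quotes or angle brackets).
URL_IN_TEXT = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def inspect_url(url):
    """Describe where a URL really points and whether its userinfo part
    (everything before the last '@' in the authority) looks like a disguise."""
    parts = urlsplit(url)
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    result = {
        "real_host": parts.hostname,   # host after the last '@', lowercased
        "decoy": None,                 # hostname-like text shown before the '@'
        "control_bytes": 0,            # decoded bytes < 0x20 or 0x7f in userinfo
        "findings": [],
    }
    if not at:
        return result                  # no userinfo, nothing to disguise

    raw = unquote_to_bytes(userinfo)   # "%01%00" -> b"\x01\x00"
    control = [b for b in raw if b < 0x20 or b == 0x7F]
    result["control_bytes"] = len(control)
    if control:
        result["findings"].append("control-bytes-in-userinfo")

    # Text up to the first control byte is what a display that truncates at
    # control characters would leave visible; drop any ":password" part.
    visible = re.split(rb"[\x00-\x1f\x7f]", raw, maxsplit=1)[0]
    name = visible.decode("ascii", errors="replace").split(":", 1)[0]
    if HOSTLIKE.match(name):
        result["decoy"] = name.lower()
        result["findings"].append("userinfo-looks-like-host")
    return result


def scan_message(text):
    """Return (url, report) pairs for every link in text with a finding."""
    flagged = []
    for url in URL_IN_TEXT.findall(text):
        report = inspect_url(url)
        if report["findings"]:
            flagged.append((url, report))
    return flagged


# Constructed sample message; none of these lines come from a real mail.
SAMPLE_MESSAGE = "\n".join([
    "Your account needs verification:",
    "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html",
    "http://signin.trusted_site.com" + "%01" * 40 + "@malicious_site.com/login.html",
    "https://www.trusted_site.com/help?contact=a@b",
    "http://alice:secret@files.trusted_site.com/pub",
])

if __name__ == "__main__":
    for url, report in scan_message(SAMPLE_MESSAGE):
        print("SUSPICIOUS: shows %s, connects to %s (%d control bytes)" % (
            report["decoy"], report["real_host"], report["control_bytes"]))
```

The "@" inside a query string and ordinary user:password credentials are deliberately not flagged, so the check can run over mail or proxy logs without drowning in false positives.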
What's up with this post? Every time I click on the link with the replies to the parent post, my VirusScan picks up:
5 F1449EEd01\5F1449EED01 Exploit-URLSpoof.gen
1/30/2004 9:30:00 AM Moved (Clean failed because the file isn't cleanable) PPP\jon C:\Documents and Settings\jon\Application Data\Mozilla\Profiles\default\8wlhftnq.slt\Cache\
What's up with this??
IE has support for a large deal of things I wish were standard.
But IE has a lot of things in it that I wish it didn't have (screwed up box model, improper handling of padding, stupid colored scrollbars, et al.). And, quite frankly, I'm glad they aren't standard.
However, too many internet bodies can't make decisions and standards are simply corrupted leaving Microsoft to run around generating their own pseudo standards.
You know, if only there was some kind of standards body to make standards and such for the web. *cough*W3C*cough*
But you can't be serious about that last statement. There ARE standards. MS just refuses to abide by them. It is to the Internet's detriment and only they stand to gain from it.
As far as web development goes and building high quality, web-based applications (trust me, the backend to all sites I work on are served by one of the last servers VA's sold) IE simply offers more flexibility, creative applications, and...well, a larger userbase.
Really? IE offers what flexibility? What can you do with IE that you can't do with Mozilla, Opera, Netscape, or Firebird? I can't think of a thing. Sure, you might not be able to use some kind of proprietary IE plugin. But there are other, better, and more universal ways of accomplishing anything that a proprietary plugin can do.
I suffer wasting time making sure the stripped down version of these sites work in Mozilla.
No my friend. You suffer because you write poorly coded, non-standards compliant web pages. Once again, W3C. Check out the XHTML 1.0, CSS 2, DOM, and other standards.
As Jeffrey Zeldman and others have pointed out, coding to standards and then tweaking for IE is *much* easier than the other way around. If you code to IE first and then try to back port compatibility, you end up with a hacked together mess that conforms to no real standards at all. In fact, many Web Design/CSS gurus prefer to preview their pages in Mozilla/Firebird/Netscape/Opera first to ensure that their pages will look right in a standards compliant browser. Only after they do this do they tweak their CSS to make it look right in IE (which has many woeful CSS issues).
Aaron Giuoco
that a multiple charset is being used in the address. The user could click the button and a window could open diagramming the nature of each character in the address. It could be a feature similar to the one used in mozilla-firebird for blocking pop-ups.
Anyway, a "homograph attack" seems fairly easy to prevent. I am sure Mozilla will soon incorporate such a feature.
However, IE has a different problem. It appears the fundamental system used to develop IE is not dynamic and reactive enough to protect users from Internet based attacks. This will simply never change as long as the same development system is used. I am not saying that Open Source is the ONLY solution. However, it appears that it is a far better system than the one IE uses.
Sdelat' Ameriku velikoy Snova!
Microsoft tells users they should write their own programs to avoid viruses.
More brilliant point of wisdom to come
While you're verifying all that stuff, remember, there was another security problem and the solution (from MS) was to remove MS from the trusted list. So make sure THEY didn't sign a cert :-)
On Monday this week, because of this very reason, I loaded up Mozilla 1.6 and hid all my IE shortcuts. I tried Mozilla way back when and didn't like it. Man, what a change. How the hell did I live without tabbed browsing before now? Holy shite muslim this browser is a bit beyond decent. I could just go on and on about the feature list those boys have added but DAYUM. Nicely done.
:)
Have you driven a Mozilla lately
There is nothing inherently safe about liberty. That's why so many people died protecting it.
Get another job, you obviously don't know what you are on about.
because everyone is going to want to use a wide variety of character sets. A smash unicode check box would make a good deal of sense for much of asia, and probably all of north america sans quebec (who are just fucked up anyway.)
Add in an automatic dialog box that says, "You've decided Unicode is ass! Resolve anyway? Ok Cancel [] Don't ask this again." Almost everyone who's not a goofy european is golden.
Look, English won. You can fight it, but really, if you're not Asian, you've all but lost the war, what's the point of prolonging the inevitable.
Please stop using Internet Explorer.
There will be some times when you will *need* to use it,
but these times will be far and few, especially as more
people start to understand the problems associated with it.
Internet Explorer:
[*??] Popups:
The new version of IE has a popup blocker. Currently
this functionality is in beta testing, and no one
really knows when this will be released to the
general public.
On the other hand, the two alternative graphical web
browsers whose use I advocate have had Ad Blocking
since time immemorial. The reason?
Microsoft actually benefits from the user's web experience
being ruined. Advertising is a big business. And as is
very easy to discern, most users have no idea that you
can remove popups. Even those on 486's with modems,
where a single popup can slow your entire computer down,
and several could possibly cause a crash.
[*] Page resizing:
Are you tired of going to a web site and not being able to
read the tiny text? Or maybe it was too big? Unfortunately,
most users never take one glance at the options that are
available to them, and I take the responsibility for this,
but you *can* increase and decrease the font size when
browsing with IE.
The catch? You can only go from Smallest, to Largest, giving
you six sizes to choose from. The catch? A number of web
sites use fixed fonts for their web page, due to the various
complexities of designing a document that is intended to be
viewed on a variety of mediums, differing browser versions and
screen resolutions. This affects IE very negatively, because you
then have absolutely no ability to resize the page.
*You have a choice* but you must know that it is available.
Mozilla:
[***] Popups: Upon the receipt of the first popup, you will be
prompted to enable or disable popups. You can also
specify which web sites will be allowed to open
popups -- *some* sites require this, such as banking
sites, web mail accounts, etc.
[**] Page resizing: By pressing and holding control and either plus or
minus, you can change the text size from infinitesimally
tiny to a character per page, _excluding_ images.
Opera:
[***] Popups: Simply pressing F-12 brings up the quick preferences menu,
where you are able, among a large number of other important
settings, enable or disable popup rejection, choose to have
popups open in the background, or only have popups which you
specifically choose to open.
[***] Page resizing: By pressing either 9, 0, or minus and plus, you can
resize the *entire* web page, including images.
This concludes the short graphical web browser comparison.
I say graphical web browser, because for some tasks graphics
are not needed. Google searching, for instance consists of
reading a bunch of lines of, where color and format play a large
part in helping recognize the differences between results.
If you're interested in facts I'll tell you what they are and I'll give you sources - Chomsky on The Big Idea
Opensoft (http://security.openwares.org/) has a patch for this "bug". You can even test the exploit on their site.
Try to follow these guidelines and go shopping on Amazon.com for instance. "Right.. I'd better type in the address.. it might be malicious. Let's see now.. Oh, here we go! www.amazon.com/exec/obidos/tg/sim-explorer/explore-items/-/0764109669/0/101/1/book%5Fdisplay%5Fon%5Fwebsite/purchase/102-6784885-6759312
Good thing I didn't click that link!"
THIS IS THE INTERNET. PLEASE PICK UP YOUR SERIOUS BUSINESS SUIT AT THE FRONT COUNTER.
Wrong. The bug does exist in other browsers, specifically Mozilla. Try it for yourself
then running a W3C CSS and HTML validator and having everything check out 100 percent....why does the site now look so shitty?
Um. Maybe you haven't noticed, but MS in general and IE in particular have a long history of
<South Park Voice>"I am above the law!"</South Park Voice>
kinds of behavior. Need I remind everyone of the Opera "bug" in displaying the MSN homepage that was "fixed" by causing Opera to self-identify as IE? I mean, I'm in full support of you and people like you designing things to be 100% W3C-compliant, but anyone who really expects that 100% W3C site to also be 100% IE-compliant, well...this reminds me of a (supposedly Indian) proverb I once heard. "Women want hot ice". It doesn't say great things about the gender, but my point here is that you've got your W3C (ice) on one hand, and it's supposed to work with IE (hot). Answer? No.
Ladies and gentlemen, this is Chewbacca...
"Linux doesn't exist. Everyone knows Linux is an unlicensed version of Unix"- Kieren O'Shaughnessy
1 - Patent "URL typing instead of a mouse click on hyperlink" as an apparatus for web browsing bla bla.......
2 - Sue Microsoft
3 - Profit!!!
Hmmmm... I've had the toughest time with the following hardware on Windows:
* Several NIC cards (had to buy new ones just to get the driver off the floppy disk in the boxes)
* RocketRAID (horrific story, actually)
* SCSI cards (best high-speed scanner interface, but very tough to get working)
* Sound cards (yes, even certain sound cards)
* Some video cards (but rarely)
All of the above just worked with Linux. Why did I even try Linux? Best hardware diagnostic tool ever invented:
* Load Knoppix
* Reboot
* See if hardware works... It does?
* Conclude it's Windows -- not a hardware problem
* Keep digging for a Windows solution (e.g. download drivers)
Often I have to download drivers using my laptop (which runs Linux) because a hardware upgrade has rendered the client's PC inoperable until I do so.
The truth is, Windows generally supports newer hardware better, as long as you have access to the drivers. Linux generally supports established hardware better than Windows, right out of the box -- YMMV.
Also (speaking of YMMV), MP3s just work on Linux, for me. You need to get a distro! (Try Xandros, Mandrake, SuSE or Lindows.)
As far as security goes... Yes, you can make Windows secure, but you have to:
* Spend much more time at it
* Know more about absolutely non-standard processes (e.g. kerberos & active directory vs LDAP)
* Live with inflexible admin tools (e.g. silly-poor routing capability; horrible CLI support)
* Stuck in front of a GUI (mouse clicks take time!!!)
* When it doesn't work there is no answering "Why?" -- much of the time
For every reason to use Windows there's a reason to use Linux. Can't we all just get along?
Besides the /. crowd?
People who should read are not going to and will go on clicking clickmeiamavirus.exe for 100th fucking time? Remember, mydoom requires user intervention to launch.
I just received an email the other day, which was worded something like:
Look very closely at that content, and you'll see the subtle exploit in it.
How can John Q. Public or your grandmother be sure of this, without actually viewing and auditing the source of the webpage/email they're receiving? This assumes that some mail readers can actually allow you to view the raw source of the email, to see if it contains any malicious flaws like this.
If you visit e-qo1d.com in a browser, you'll see the exact exploit it uses. Not to worry, it is relatively safe (unless you are a customer of e-gold.com, and purchase gold online).
This is one example of how these companies are misusing this type of exploit to liquidate people's bank accounts. Nice.
today i converted one more user from ie to firebird! and this funny thing with ie urls just makes it a lot easier! ie is dead meat! :-)
Yep, I've always designed web pages to look good in the current browsers, that W3C stuff is for the birds. Usually I design in gecko based browser, then try it out in IE once I'm done. Usually I try not to go too overboard on CSS, which usually isn't a problem since I code the web pages in vim. :)
I can see Microsoft telling British Telecom:
"We're not paying you any license fees, we'll just have our users MANUALLY TYPE THE URLS"
I like microcars
But then I thought of a third possibility: even though this class of exploits may be fixable in future versions of IE, there are plenty of people who are running older versions of Windows with older versions of IE. Even if Microsoft's commitment to secure computing is genuine, there may simply not be enough manpower to go back and fix every version of IE for any new security fix that comes along.
I see two classes of people benefitting from this KB article: those who are still running ancient versions of Windows on their old PC's, and those in a corporate environment where the IT department locks down their PC's to use only older, tested versions of Windows (and IE). In either case, even if Microsoft were to provide patches for every version of IE, the chance that the patch would actually be applied is slim.
Of course, the probability of these users actually encountering this KB article in the course of their daily websurfing is also slim, but we'll let that slide for the moment...
You make a number of good points, especially about the defaults being more of a problem than the underlying architecture.
However, I'd say the days of saying "Windows has better hardware support bar none" have passed, as long as you're using a fairly recent version of the OS. Linux vs. Windows on hardware support requires you look at what category of hardware you're talking about.
Hardware that requires a closed interface a la Winmodems is still the domain of Windows. I love my Net MD Minidisc player, but there's no functional software for writing to Minidisc under Linux without real time recording over an audio cable.
Windows 2000, 2003 server and XP have dropped support for a lot of legacy hardware. Linux wins this one hands down. If it's older it's more likely to run under Linux than Windows.
Uncommon Hardware, such as a poorly selling Intel webcam I once owned, tends to limp along under Windows and be ignored under Linux. Of course, most of this hardware is uncommon because it sucks, so this is not an issue.
Standards compliant hardware, such as a good RAID card tend to work just as well under either OS, although Windows is far more likely to flake out on you if the hardware came out after the Service Pack running on your computer.
Linux tends to be better at getting network cards up and running out of the box. Same with non RAID IDE controller cards.
These days, USB drives tend to work better under Linux, although mounting and unmounting them can still be a pain.
Overall it's a give and take between the two. Under both systems, it's a pain to get hardware working if it doesn't work out of the box or after a quick driver download. The main difference is Linux requires command line work and compiling for the troublesome hardware, while Windows requires numerous installs and uninstalls of the driver and the hardware.
Linux is less prone to the "Have to uninstall things in just the right order" syndrome Windows is so prone to.
Graphics cards are a different issue. If the manufacturer is good about driver updates and features, they're on par, or Linux is better, but if the manufacturer is bad on updates, dominance is either firmly in the hands of Windows, or it waffles between the two through successive driver updates.
"Live Free or Die." Don't like it? Then keep out of the USA
Ya know, it just hit me.
Everyone here bashes MS for not making super secure software...essentially they are blaming MS that people go out and create these worms and viruses and malicious scripts and what not.
Doesn't anyone understand that even though a flaw exists, it is still WRONG and in most cases ILLEGAL to exploit it?
It is like saying that rape victims are to blame that they got raped because they didn't take the necessary precautions to protect themselves. It is a harsh analogy, but it is one and the same.
Given enough time / knowledge anyone can hack into any system. The difference is, it is a little easier to exploit Windows and its applications because it is so bloated and huge. That thrown together with everyone who would like to see MS fail, and you get all the previously mentioned viruses and malicious attacks.
Just because MS is a huge profitable heavy handed company, doesn't make any of this right. It is wrong. You think these attacks hurt MS? Pfft! They hurt the innocent businesses (both large and small) that use MS software for whatever reason (the main one being that MS is used everywhere so it is a common platform that everyone can use and understand and communicate with). That is a similar argument that is used in the world today. "Of course the was targeted for attacks...no one likes them because of . blah blah blah." Maybe that is true, but it changes nothing. It diminishes your point.
So go ahead and have your laugh:
"Oh boy! Another worm, another security hole exploited. When will MS learn to make super tight software? Idiots. Look at all those stupid businesses using MS products. One day they'll figure out MS sucks and switch to linux or mac or open source...heh heh heh."
Personally I'll be saddened as a bunch of businesses lose gobs of money as they lose clients, thus hurting the economy.
By creating all this shit you may think you are taking on a just cause, but all you're really doing is hurting innocent victims and committing illegal, wrong acts. Grow up.
Mod me down, I don't care.
-Mark
Dovie'andi se tovya sagain.
What happened to the borg-gates icon? Are we going soft on the auld enemy?
Left shift 1 for e-mail...
I've been using Opera for a long time on both win and lin, and don't recall it crashing on Linux any more than on Windows; which isn't much really, maybe once every few months, and usually due to other crap I've got running at the same time (though that really shouldn't matter).
Opera is the Cat's Pajamas. They should offer Slashdotters a discount on the ad-free version.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Send him URLs only using www.hugeurl.com. That should keep him too busy to complain.
Funny stuff.
http://www.hugeurl.com/?Y2Q4OTZjYjRhMjlkZjY5ODBkY
You want a sig? I can get you a sig... Hell, I can get you a sig by 3 o'clock this afternoon... with nail polish.
Microsoft: Fix your fscking browser!
If your roommate is that unwilling to change browsers when other people suggest, perhaps he'd be willing to upgrade when "Microsoft" tells him to.
Just one question... how does it change the location in the address bar from (http://zcat.wired.net.nz/upgrade/) to (http://msie.microsoft.com)? Yes, I'm using IE.
You want a sig? I can get you a sig... Hell, I can get you a sig by 3 o'clock this afternoon... with nail polish.
You can even test your browser: http://security.openwares.org. How come these people can fix it but M$ can't?
Remember, their solution for ActiveX controls was that you should know whether or not to trust the sender of the control.
For real? Nahh... I mean, seriously?
Does this company actually think everyone has to go back to 1992 because they can't get security right?
My hands cramped up about halfway through typing http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786 . :)
We've discovered a security problem where computers that receive tcp/ip packets are vulnerable to various attacks.
To protect yourself from these attacks, please type each tcp/ip packet by hand into your editor, print them out and mail them to their destination. When the reply arrives, please type them in by hand to ensure no malicious trojans sneak their way into your tcp/ip stack.
But the "reply" button is not a link! The fact that it simply passes form data to a URL is not known to an IE user -- it's just a magic button that does stuff! "Click here!"
What IS the best way to go w.r.t. browsers on Linux if you want to watch movie previews from, say, i-film or apple? I'm trying to talk a zealot in the lab away from using M$, but he always gets back at me with "ease of use", etc.-blah-blah-blah. Safari on OS X seems to do everything right...
Does Firebird support browser toolbars like Yahoo Companion and eBay?
I use a half-dozen different systems and I like the flexibility of being able to access my bookmarks from any of them. It's nice to be able to bookmark a site on one system, and have access to it from anywhere else.
I'm not locked in to Yahoo Companion... any browser toolbar that does the same thing and is supported by Firebird is acceptable. As for the ebay toolbar, I guess I could do without it. ;)
Let me guess, there's a buffer overflow issue in the way Internet Explorer renders clicks that allows malicious users to take control of my computer. Yipee!
People discover the meaning of life between getting piss drunk and the following hangover.
One valid XHTML+CSS site I built crashed the machine when viewed on MSIE6.0 on Windows 2000 Professional.
microsoft bashing is for cowards.
It didn't work. (Well, it did in the status bar, but that's easily spoofed in the first place!)
Making me a little annoyed, close the tab, examine the link closely for a typo, retype it correctly if I am *really* interested and putting a small flag next to the sender name in my mental danger/clueless list. No virus, no popups, no hidden tricks. Mozilla rules. :)
No, it is you who are wrong: the bug has been fixed in Mozilla (I tested). Is the latest version of IE still vulnerable?
Quite simply, people should not be using URLs to authenticate a site. I created a Mozilla bug 184881 to try and address this, by making the SSL certificate more obvious. Bug 228524 is one person's attempt at this, effectively removing the URL bar and replacing it with fields identifying the hostname and SSL/TLS identity.
Obviously people who wrote this article advising to type in urls have NO IDEA how bad things are right now. I had a job in phone support for an ISP recently, and it's impossible to get the average user to type a url in the address bar, because most don't even HAVE an address bar anymore!
Typical conversation:
me: "Ok, now go to the address bar and type the following..."
customer: "Go to the what?"
me: "Ok, do you have a web browser open? It's the program you use to view websites."
customer: "I thought I had you guys."
me: "Yes, now click on whatever you use to view our homepage."
customer: "But I just told you I don't have that anymore all I have is this incredifind.com thing."
me: "That's ok, I'll fix that in a minute, just click on it and open it up."
customer: "Ok, I have the incredifind open. Now how do I get to my internet?"
me: "Ok, do you have an address bar at the top?"
customer: "Wait, there's popups in the way now, let me close them."
(wait 4 minutes to close popups that spawn other popups)
customer: "Ok I can see, you said address? I don't see that."
me: "Well we want to type in a web page, so do you see a long white bar at the top?"
customer: "Yeah I have 4, let me just type it in this super search one..."
me: "Umm ok let's not..."
customer: "Ok I'm at ultimatelinks.com, what do I click on now?"
me: "Ok let's forget about that for a minute, what do the white bars at the top say next to them"
customer: "Umm.. searchnow, supersearch, fastsearch, quickfind..."
me: "Do any of them say address next to them?"
customer: "No."
me: "Ok do you have the word address anywhere in the gray area up at the top?"
customer: "I have file... edit.."(wait 3 minutes to read entire list)
Now, either the address bar is there and collapsed, and I spend 5 minutes trying to instruct them how to use the mouse to drag it open, or it's not and I try to go through the view menu and turn it on, and spend 5 minutes trying to figure out which options are removed from their menus by spyware hijacks.
me: "Ok fine, hit ctrl+o, does a little window pop up?"
customer: "Yes, you want me to type it in there?"
me: "Yes do that."
customer: "Ok, I'm there but there's a big popup and I can't close it because it has no X."
me: "Ok can you drag it out of the way?"
customer: "How do I do that?"
me: "Ok try just hitting control and the F4 key at the top of your keyboard, does it go away?"
customer: "Yeah. That's neat, I'll write that down. Wait, another popup came up..."
I'm not kidding, this is in no way an exaggeration or parody. While this is not a real conversation in itself, all these things have occurred in similar conversations I had on the phone during support calls. And they seriously expect these people to type in URLs? How about making the browser so malicious programs can't remove or replace the address bar first?
Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!
The fact that Moz does the right thing without putting up an "alert" window is a bug? That's a bit of a stretch, if I'm understanding it right.
The issue with IE isn't that it takes you to the "secret" URL, it's that it allows the true location of the "secret" URL to NOT be displayed because of a formatting error, so what you see in your URL bar may NOT be the URL of the site you're at (it's pushed "down" a line with an %01 character or something).
Safari takes you to the URL just fine, and also shows it to you. This is correct behavior, and it's what I'd expect. I assume Moz does the same, but I haven't used it in a while.
-- http://frobnosticate.com
For a real solution from spoof hell, google proxomitron spoof and read about community written filters using a little known web filter utility called Proxomitron to block annoying popups and ads. And now, thanks to a strong user community, fix spoofing problems. This little gem intercepts http traffic coming into your browser (http proxy) and changes it on the fly before passing it on. The filters are written using regular expressions. And it's even free.
To get up and running, download the utility, get JD's filter set and use the spoof filters found from googling. Don't be scared off by its god-awful colors, they can be changed.
Happy spoof blocking...
Secondly, you can get 90% of the effect in any JavaScript-enabled web browser by using a mouseover in the status bar. That's not as bad as spoofing in the URL bar, as IE does, but it would likely fool far more geeks than would care to believe it.
You see, humans have lazy eyes and creative brains. The eye can only focus on a small area (which is why eye tracking allows psychologists to tell what word someone is reading) and yet we think we can see everything all at once. Peripheral vision is very good at detecting motion, which compensates quite well in the natural world. However, when a GUI element changes in a predictable way (e.g. the URL changing in the URL bar), our brains tend to be lazy at fact-checking and just fill in the blanks. Thus, even geeks like myself who use the URL bar extensively won't look when we think we know what's there.
There was an interesting usability study once regarding how often people use the status bar in Office-type programs. During the test, at random intervals, a message showed up in the status bar which said something like "There is a $20 bill on the bottom of your chair. If you see this message, you can take the bill." Not a single one of the test subjects took the money.
--
Friendster has a new direction.
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them."
OK, great - but how do I tell the malicious hyperlinks from the benign ones?
The best part is when you read all the way down to the javascript section. Then copy and paste the second javascript example into the addressbar. Informing you that, yes in fact, this url may be spoofed. :-)
I'm using the version of Mozilla that came STOCK with Red Hat 8.0 (that is, it's an older version). When I hover over the wacky link, I see "http://www.microsoft.com#" (where the '#' is actually a little box outline).
However, when I click the link, what displays in the address bar is "http://www.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/".
So the hacker can spoof the status bar. Big fucking deal -- he can do that already with JavaScript. And even if you DO click the link, all you have to do is glance at the address bar to see you've been fooled.
In other words, there's a bug somewhat like the IE bug in my version of Mozilla, but it isn't the same bug, it has different symptoms, and it seems much less dangerous -- a funny little box appears when you hover over the link, this is clue 1, and the address bar shows exactly where you've really gone to, this is clue 2.
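The link form described in the comment above puts a trusted-looking name in the URL's userinfo part, before the `@`, so the real host is whatever follows. As an added example (not code from the thread; the sample URLs other than the secunia.com test link are constructed), this Node.js function flags such targets using the standard WHATWG `URL` parser:

```javascript
// Added example: flag link targets that hide the real host behind a
// userinfo component ("name@realhost"), optionally padded with encoded
// control characters such as %01 or %00.

const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i; // "www.example.com" shape
const CONTROL = /[\u0000-\u001f\u007f]/;          // C0 controls and DEL

// Percent-decode without throwing on malformed escapes such as a lone "%".
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Returns { href, host, findings } where host is the name the browser
// will actually connect to and findings lists what looks deceptive.
function auditHref(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { href, host: null, findings: ["unparseable"] };
  }
  const findings = [];
  // Only http(s) links carry a host the user is expected to recognise.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { href, host: url.hostname, findings };
  }
  const userinfo = url.password
    ? `${url.username}:${url.password}`
    : url.username;
  if (userinfo) {
    findings.push("userinfo-present");
    const decoded = safeDecode(userinfo);
    if (CONTROL.test(decoded)) {
      findings.push("control-char-in-userinfo");
    }
    // What a display that stops at the first control character would show.
    const shown = decoded.split(CONTROL)[0].split(":")[0];
    if (HOSTLIKE.test(shown) && shown.toLowerCase() !== url.hostname) {
      findings.push("userinfo-imitates-host");
    }
  }
  return { href, host: url.hostname, findings };
}

// Keep only the links that produced at least one finding.
function auditLinks(hrefs) {
  return hrefs.map(auditHref).filter((r) => r.findings.length > 0);
}

// Sample input. The first URL is the test link quoted in the thread;
// the rest are constructed for illustration.
const SAMPLE = [
  "http://www.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/",
  "https://www.example.com@198.51.100.7/login",
  "http://user:secret@intranet.example/",
  "https://slashdot.org/",
  "javascript:void(0)",
];

for (const r of auditLinks(SAMPLE)) {
  console.log(`${r.host}  <-  ${r.href}  [${r.findings.join(", ")}]`);
}
```

A mail gateway or filtering proxy can apply the same check to every `href` it rewrites and show the reported `host` next to the link text.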
In addition to everything you read here, I like Opera because you can customize the ini files. I have my right click context menu able to handle or access a vast majority of my surfing tasks. Mix that with the mouse gestures (which seem more responsive and native than in Moz), and I can browse very quickly. I not only have bookmarks accessible from the right click, but frequent bookmarks (like Slashdot) at the root level for super quick access. Also.. Sessions are nice.. you can load a session up that launches all your favorite URLs at once.. It's like a "load all these bookmarks" feature.. but it also changes your browser as well.(full screen, side panel, etc) Oh.. also, the "notes" feature is really handy once you learn how to use it (think notepad running on the side of the browser and integrated with it). You can copy a piece of code you read on a dev forum into a note and when you click on the note, it will take you back to the URL where you copied it from. You can also double click notes to paste the contents into forms. Handy for things like postal tracking numbers and things like that. All that.. and more! Call now, supplies are limited.
http://images.google.com/imgres?imgurl=internet.ls-la.net/pictures/images/Computer/Microsoft-XP-sucks.jpg&imgrefurl=http://internet.ls-la.net/pictures/Microsoft-XP-sucks.html&hl=en&h=480&w=640&start=6&prev=/images%3Fq%3Dmicrosoft%2Bsucks%26svnum%3D10%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DN
a href="http://www.yahoo.com" onclick="this.href='http://google.com';"
Pointing out the impracticalities of something they tout as a solution for a vulnerability in their software is hardly MS bashing.
When a passenger of the foot, hooves in sight, tootel the horn trumpet melodiously
For ways to bash Microsoft today I see. Might as well head over the Knowledge Base and collect every possible Windows problem. It'll give you fodder for years to come. Seriously, I can't believe this merits a story.
"I have a suggestion that's not in the Knowledge Base: don't use IE!"
If you're the type of person who mistypes www.paypl.com (www.paypal.com) and ends up going to a scam site, using Konqueror, Opera, Safari, whatever isn't going to help you not get scammed.
That's why it's important for those who make those types of mistakes to pay attention to the URL, and not what the page looks like. And if you're complaining about not having popup blocking, well, most AV (Norton, McAfee) programs now include popup blocking. And if the person doesn't have an AV then they're probably the person who also doesn't pay attention to their URLs and is also the person who needs to learn about these things.
I know you want to be "1337" and all but pick a better example or reason to flame a product that's obviously more used than your favorite browser.
Ave Molech Setting
How about a KB article on why using Window$ itself is a security vulnerability?
$DEITY bless $NATION
Let's simplify all this and go back to character-mode and toss our mouse. That'll fix it all. When was the last time a VT-100 got a virus?
Table-ized A.I.
Graphics cards are a different issue.
Linux driver support for graphic cards is an interesting case. There are cards for which XFree86 support has been abandoned. The S3-Trio64 cards are an example of this. When it gets mentioned people who 'take sides' give the same answer ("get a new graphic card!") that we used to hear exclusively from Windows advocates.
Same as it ever was.
---
When I post a /. message in Mozilla, it often shows a mostly empty screen. Posting works fine in IE. Thus, sometimes one has to use IE.
I was amazed the first time I saw applications opening straight from the browser the first time I saw it ... for like 5 minutes, then I started thinking how easy it was to write a flawed ppe (pcboard anyone remember?) to run format c: /u /s /autotest ...
... ....
... Might be off topic ... I am just continuing my ranting I started in my mother-in-law's kitchen yesterday when I started cursing at idiots flooding my mailbox with worms :)
I'm still amazed by seeing how many people did not learn that lesson when their computer got infected via M$ Outlook or M$ IE running crap upon opening a mail or document.
Sure today sometimes I curse when I receive an attachment on a remote machine into my pine mailer, and I curse when ssh is laggy on my overpriced underdelivered cable-net, and sure I received 341 mails from idiots still using infected crap machines...
But sure I was the only one doing my work quickly and going home early while my colleagues were reinstalling their m$ machines because they opened the wrong mail, or clicked the wrong link...
I do not even wanna start saying, use a decent system, with simple tools running in USER mode (!=root)
Why? because no one listens! They are amazed when I say that it's free (as beer and as a bird), and that Mozilla/galeon takes 1 day to get used to.. and that openoffice works so much the same, that my wife did not even notice when I replaced m$office to openoffice on her laptop
Ahm sorry
Remember when MSN was broken for other browsers (namely Opera)? They supplied different browsers with stylesheets that made the browser appear to display webpages incorrectly.
I always thought that was fishy.
It is quite easy to maintain because it's web-based. My bookmarks in Yahoo Companion are locally cached, but the master list is maintained on Yahoo servers.
javascript:open( "http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.6/mozilla-win32-1.6-installer.exe" )
Seems to me that all the little "tricks" to safe browsing come over time. I watch so many people browse through sites and click on crap that I would simply never click on.
The biggest mistake I see people make is not having the status bar visible. Enable it folks! It serves as a good quick check on the url you are about to be forwarded to.
Don't commies and socialists also use mind-numbing chants? Just goes to show that open sores is really socialism in sheep's clothing.
Boycott Microsoft!
Okay, so I'm joe-blow-home-user and I want to read a Microsoft KB article... So, instead of clicking the link, I MANUALLY type out:
h-t-t-p-:-/-/-s-u-p-p-o-r-t-.-m-i-c-r-o-s-o-f-t-.-c-o-m-/-d-e-f-a-u-l-t-.-a-s-p-x-?-s-c-i-d-=-k-b-;-%-5-B-l-n-%-5-D-;-8-3-3-7-8-6
Yeah... that's going to fly.
Any solution that relies upon millions of people changing their behavior is dead on arrival.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
...when they are MicroSerfs holed up on their cubicles coding all the time. I think it's similar to what happens to politicians and civil servants. They lose touch with reality and "normal" people and forget that very few people are keen (or even have the knowledge) to tap out arcane commands and know when to be suspicious about certain situations on the computer. Linux developers have been clueless in this area for a long time--although they are improving where Microsoft has gotten stagnant.
I figured it was best not just to laugh at or complain about the issue--it would be more effective to send my suggestion to MS in response to the KB article. Maybe there's a slim chance they'll take a page from the open-source community and actually LISTEN to constructive suggestions. I like the idea of a pop-up alert, so maybe someone could send MS the suggestion. This is what I submitted:
While I appreciate Microsoft's attempts at keeping its users informed about good security practises, I'm not convinced that the suggestions in Knowledge Base Article 833786 are very effective security measures as they are much too impractical and inconvenient for the end user to carry out. Most users are much too accustomed to clicking on links and would quickly tire of typing URLs and lengthy scripting code in the address toolbar. Should these particular bugs in IE be difficult or impossible to fix, might it not be possible to create a "security toolbar" to show more clearly the SSL/TLS encryption and security status, as well as provide URL verification buttons that automate the process outlined in the article? You could develop that in hours and have it distributed via Windows Update in days...
...one wouldn't be using IE anymore ?
I guess MS would be slightly pissed if this happened, wouldn't they ?
-- stating the obvious since 1972 --
I have no problem with the security measure of typing the URL (although a text cut & paste is faster and gets around the security flaw just as well). (And it's *really* fast in X-windows - one drag to do the select, and one click to do the paste.) What I have a problem with is that nobody in the Windows camp will remember that back when Microsoft first started doing this stuff we unix-heads *said* it was a bad security idea and that there's no point since cutting & pasting is so trivially easy anyway. Nope. It was "That's lame!", and "get with the times!", and "but just clicking is easier!".
Now they won't remember that there were wiser heads, and that they were right.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
sudo standards
WTF is "sudo"? Something that Phil Collins uses to determine whether or not something is good/bad?
It's pseudo! READ A BOOK!
In Mozilla 1.1 it only spoofs the status bar - URL shows up complete and nonsensical in the location bar. So if there was a patch to fix this, it happened a long, long time ago.
Yes, 1.1. On an ancient clone, no less. A Mac clone.
Thankfully Google grabbed a copy...
Cached copy of standard breaking bug fix
Hey, that's great. What if you're the type of person that clicks links? Did you know that those links could be spoofed? Did you know that is only with IE? Did you know that is what this article is about, not mistyping them? The idea of this was to show that in IE, there is no easy way to be completely safe with web sites, because of all their exploits, and instead of completely fixing them, they just tell you "Type in the URL instead of clicking links, it'll be safer with our shitty browser!" and you are telling people not to switch why?
That's scary.
I've found that a linux boot floppy is a great windows diagnostic JUST for the purpose of identifying the hardware in the machine. Windows is often very obstinate about not even telling you the little bit it *can* discover about hardware if that hardware has no driver or the driver is broken. That's really, really annoying. If a card is plugged into a PCI slot, for example, you don't need to know how to drive the card to just display its ID string it gives you when you scan the bus. And that little piece of information can be invaluable in diagnosing a problem with someone else's computer you didn't build yourself.
So I like to boot a linux CD just to see the hardware identification strings scrolling by. Even if Linux has no driver for the card, it will usually at least tell you its make and model.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Do the slashdot editors use MSIE? Or are they just not reading the articles... or what?
There is no such Microsoft KB article. Try it. Find an MSIE browser and enter the URL from the article and you get the spoofed site exploiting the MSIE exploit that MS refuses to fix. Then try it in Mozilla. Mozilla tries to load the actual KB article on the actual Microsoft site and gets an "article not found" whereas Microsoft goes to the subverted URL and displays the fake KB article.
Is everyone stupid or just lazy?
Microsoft just pulled the KB article.
Following the link you get "The Knowledge Base (KB) Article You Requested Is Currently Not Available."
Non illegemati carborundum est!
Fact:
Link spoofing is possible with every browser.
Fact:
No browser is "completely" safe.
Fact:
People should be cautious with what they do online. Including paying attention to links they click or type in.
Ave Molech Setting
You know, if it's possible to Googlebomb Sco with litigious bastards and Bush with miserable failure, I wonder if we can Google bomb "Internet Explorer Bug" with "Install Mozilla"?
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
Money. Or rather, saving it. XHTML+CSS designed websites are faster, and smaller (often in terms of many kilobytes). When you're dealing with a site that gets the volume of traffic that a site like this one gets (quoted at ~20 pages served per SECOND), the bandwidth savings are huge.
While we're on the topic of /. and web standards... Rob and co. really should look into updating. Check out A List Apart for a detailed analysis on how they could feasibly go about doing this.
But Maaa! Everyone else has a
Or something to that effect. If enough websites did this, people might get a clue.
You can still run the old 3.x XFree86 if you have an older card that's not supported by 4.x, but that won't remain a viable option forever as Gnome and KDE continue to evolve. Eventually, you'll have to have 4.x XFree86 to run most Linux GUI programs. I'm sure this is already the case in many projects.
Many distros let you pick which version of XFree86 you install.
"Live Free or Die." Don't like it? Then keep out of the USA
http://slashdot.org/
I think I'll read this article about microsoft wanting me to type in the url to avoid spoofed websites and malicious hyperlinks
http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;833786
I think I'll read what the slashdotters are saying
http://slashdot.org/article.pl?sid=04/01/30/0428242&mode=thread&tid=113&tid=126&tid=133&tid=172&tid=186&tid=95
I think I'll, oh f*%k it
Jeezuz man, where's your brain? If you say stuff like that, they'll be forced to make the ads bigger and more intrusive!
Attention Opera Software:
Please ignore EvanED's comment. He's been taking a lot of pain killers lately (his mouth is sore from always putting his foot in it) and is suffering from dementia. The truth is, we all love the ads and frequently buy items that are advertised in Opera's ad window. Why right now, I'm off to get that college degree that's being advertised as I type.
Jesus God, this is stupid.
Has anyone received any of those "www.e-qo1d.com" fraud emails?
Try clicking the link. It does the standard URL spoofing.
If you select the address and retype it (so long as you don't type a "/" at the end), you will remain at the scammer's website.
So really, when they say "don't click; type the link" they mean:
1) Click the link, so you can find out what the URL is.
2) Open a whole new IE window and retype the link. The IE window you have already opened is poisoned.
There are no trails. There are no trees out here.
It looks like the whole MS Knowledgebase system is down...
I wrote and have bookmarked this one-liner (works in IE and Mozilla):
javascript:for(i=0;i<=(document.links.length-1);i++)document.links[i].href="view-source:"+document.links[i].href;alert("Done");
Live wrong, impostor.
Has the article been pulled? It's hard to wade through the /. bullshit, but I'm sure the suggestion was a temporary workaround until they release the patch announced here. Note to editors. Why didn't this story get posted, but some lameass MS knowledge base link did. Your bias is completely transparent.
Maybe Microsoft hasn't seen the hellishly-long URL that shows up in my address bar when I log into their hotmail service.
796F75617265616E65726400
Anyone else notice that the knowledge base is down now? Not just this KB, but apparently all of them. Any idea what's going on?
Hey guys!!
I want to build a webpage that lists all sites that uses the URL spoofing thing (in funny way, in a wicked way, etc), just like the one Duckman5 posted here.
So if you know of any, please mail it to me to: aristidesp hat intercable hdot net hdot ve
Replace hat with @, and hdot with ".". Leave your name and say if you want me to tell you on when it's online.
Think of it as a survey.
See you then!!!
I swear I'm going to register one of these days.
This, they're right, this is the second best toolbar after google. Available for IE and moz, but not opera. :(
"Sic Semper Tyrannosaurus Rex."
It was "tub girl" for me... Haven't trusted a hyperlink in the comments section since. My eyes still need scrubbing after all this time. I'm afraid my mind is scarred irreparably.
Fun with Inkwell | www.coo
The biggest problem with browsers and other web-technologies is that they give more control to designers and webmasters, not to the users. Java, ActiveX, Flash, Javascript, CSS, etc. all allow designers and webmasters to determine more precisely what should happen on the user's end. Completely wrong and unacceptable, yet this is exactly what is happening.
It is entirely possible to design a page that would open in an IE window without toolbars, scrollbars and statusbar. Then it is entirely possible to add interactive graphical elements to the sides that would behave exactly like real IE interface elements, only they would be fake. This is wrong. The standards should give limited control to providers of information, while browsers give ultimate control to the users. It is completely wrong that standards allow javascript to intercept mouseclicks and block rightclick menu. It doesn't affect me because I use Opera, which doesn't give a shit about that, but when I click the wheel (button 3), I see that stupid message window that informs me I shouldn't right click on that site. This isn't more than an annoyance, since scrolling still works and rightclicking is not affected at all, but this should never happen in the first place.
Unicode addresses are wrong as well. They are an annoyance to the users. Have you ever seen a user (a visitor, the one who browses the web) request ability to use Unicode in URLs? I've never heard about that. It's some webmasters, who decided they want this stupid-stupid-stupid trick to work (and greedy registrars and their marketdroids) and broke a perfectly good addressing mechanism (I am Russian, but I never ever wanted Cyrillic URLs, even though now they are apparently supported).
Future Wiki -- If you don't think about the future, you cannot have one.
>Considering IE is here to stay
Imagine if Microsoft had that defeatist attitude when they wrote IE to replace the browser everyone was using and knew well - Netscape.
Here's the deal,
Since as we all know that everyone but us is dumb, I propose that The Government create a 'Computer User' licence, handle it much the same way as a driver's licence.
No computer use prior to turning 16
Apply for a 'learners permit' and hold it for at least 6 months. There is a touch screen test to make sure you have rudimentary understanding of a Computer.
After 6 months you can take a test with an instructor watching you going through most routine computer uses (email, browsing) scoring demerits on everything done wrong. (opening attachments from unknown sources) If you pass, you get a 'New Computer User' licence. You have to use the computer for 1 full year, without incident, and then you can get your full on 'Computer User' licence.
May vary by State/Province.
That's it, easy as pi.
type code instead of clicking the pretty buttons in Visual Studio .NET to write programs.
I mod down pyramid schemes in sigs.
According to the specification, the namespace is still http://www.w3.org/1999/xhtml.
Karma: It's all a bunch of tree-huggin' hippy crap!
I have the same problem with some people at work. The trick is that firebird really does look enough like MSIE to be considered by many windows lamerz to be an upgraded version.
So, all you really have to do is install firebird, then right click on the shortcut, change icon, and point it to the MSIE icon iexplore.exe
So far most of the people at work that would otherwise have bitched about using something "strange and different" haven't clued in... but they are happy that "this new MS upgrade seems good, why would I need anything else"
Don't discount that KB article. I've used site whitelisting (Trusted Sites) since IE4 and website designers are designing for it.
When a site puts all of its servers in the same second-level or third-level domain name (microsoft.com or lpl.mb.ca for instance) you can add the entire domain to Trusted Sites, and get all of that site's functionality without exposing your browser to abuse by scripts on other sites, ie: banner advertisers.
Microsoft forgot to mention that wildcards work in Trusted Sites too. If you turn off "Require HTTPS" you can add "*.microsoft.com" without a specific protocol (like http:// etc).
The only multi-domain example I can think of is Hotmail, and that requires the following entries in Trusted Sites:
*.hotmail.com or *.hotmail.(your ccTLD if valid)
*.passport.com
*.passport.net
When combined with MSN Messenger you need to add:
*.msn.com
That might sound scary, but really, it's not going to break your browser or submit control to The Bill Net.
What equivalent functionality exists for Netscape 7, Opera, etc?
Use Evolution instead of Outlook? Bewa
Should they sue MS for telling people not to use hyperlinks I wonder?
*sigh*
-JB
"I love deadlines. I love the "whooshing" sound they make as they pass by." - Douglas Adams.
Fact:
Link spoofing is possible with every browser.
Prove it.
I'm running Network Associates VirusScan (provided free by the University here), and when I click on the link, it gets "intercepted" by VirusScan. It tells me that this site is a "trojan" which is attempting to fool me!
It still shows the false page, but at least I was warned that what I am looking at is false.
So, even if Microsoft isn't fixing the problem, it appears that some people like Network Associates are attempting to do their part.
Great fun for the 30 minutes I spent on Windows this week.
I won't vouch for mac Opera, but on windows it outperforms both ie (what doesn't?) and Mozilla. And while Firebird starts a bit faster (since I usually have 20+ tabs open in Opera which take time to load) its browsing speed and page retrieval is horribly lacking. And on Linux it dominates the much wider field just as easily.
So yeah, get a real computer.
You're talking about a person who mistypes paypal and then expect them to use IE and type in horrendously long URLs?
"In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.'"
f t.com/windows/default.mspx*** **o m/games/default.aspx** .down?)
"However, a malicious user could create a link to a deceptive (spoofed) Web site that displays the address, or URL, to a legitimate Web site in the Status bar, Address bar, and Title bar. This article describes steps that you can take to help mitigate this issue and to help you to identify a deceptive (spoofed) Web site or URL..."
Deceptive?
Spoofed?
Let me name a few,...
http://www.microsoft.com/**
http://www.microso
http://www.sco.com/
http://www.msn.com/**
http://www.microsoft.c
http://slashdot.org/* ( can see my karma go down )
http://www.intel.com/ ( down... down.. down
http://www.linux.org/* ( yep its gone, no one will read this comment )
*I am joking. DUH!
** This is deceptive
***This company will be gone in five years. I CAN GUARANTEE IT!
-"nobody could possibly confuse a large shapeless object stuffed with impact-deadening material with a pillow."
Game Maker Community
>If you want his advice on running a business, there is a big chance that he will lead you astray, so that you do not become competition.
As a business owner myself (why, oh why, do I have to say that over and over?) I can tell you for certain I would have no qualms advising others on how to correctly run a business as long as they are in a different field.
In other words, if you were to ask Ernie how to run your Income Tax Service (for example) better, assuming he thinks similar to me, he would certainly give you good advice, or at least advice that would be relevant to his business.
If you were competition, I wouldn't lie. I'd simply tell you "Sorry, I can't discuss such things." No big deal. No need to anger the competition by lying; that gets you absolutely nowhere (In fact, it can turn a fair competitor into an angry competitor.)
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha Ha Hah Hah Ha !!!!!!!!!! Oooooooh my! That was a good one! I haven't read something this funny in a while. This is Slashdot and not theOnion, right?
...should be 'Insightful', i think.
Where we go "cool, nice features" they... don't.
i see that all the time. if something pops up, like a message saying, "The page you are about to view is encrypted...," or the one that warns you when you submit text, it could be sniffed, people automatically think it's an error or a problem. i guess it's conditioning--any time they browse with IE, warning messages can't be good...
bottom line: most users are reluctant to leave what they know, even if it means a better overall experience.
I saw it on Slashdot, it must be true!
Create a .txt file that contains a JS function of choice inside of either a script tag or in a body tag. Opening that file in IE will result in the JS firing as though it were a fully-formatted HTML doc. I'm having a hard time deciding if that's a bug or a feature
Ermmm... Actually, IE has a bug that lets you not be able to even see that the link is being spoofed, the others, if you read the whole URL, let you at least see that.
That's scary.
We used to have a comment on computer system or application designs that relied totally on the stupidity of users for security: "Stupidity does NOT equal Security!".