Slashdot Mirror
Microsoft Advises to Type in URLs Rather than Click
spacehug writes "In a recent Microsoft Knowledge Base article, they provide 'Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks.' These steps include always using SSL/TLS, typing 'JScript commands' in the address bar, and typing in URLs instead of clicking links! I have a suggestion that's not in the Knowledge Base: don't use IE!"
i always knew that those hyperlinks were a bad security problem. Web designer should really avoid those propietary 'href'-tags for security reasons.
I have a suggestion that's not in the Knowledge Base: don't use IE!
Yeah, and I have a solution to prevent malicious programs like IE from running that's not in the Knowledge Base...
Install Linux.
I hear you can buy a copy of it for around $600 somewhere.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
This is a trust issue, not a technology issue.
I didn't really read the article, but I am pretty sure that one option slipped their mind, whomever wrote it.
:)
:)
use another browser...
There are plenty of options available on the market
If you don't like OSS, for religious, political, or other reasons, one can always Opeara.
Otherwise Mozilla, Firebird, Konqueror, and others come to mind
I say go one step further for ultimate security and telnet to port 80.
Why risk using the Web at all? Just e-mail the webmaster and ask him to fax the webpages to you!
These sigs are more interesting tha
Damn, if only you could have clicked the "reply" link instead of having to type the URL in in manually for security reasons, you could have gotten first post. Curse you, IE!
WARNING: If accidentally read, induce vomiting.
They turn off all the 'automate EVERYTHING' approaches microsoft seem to think are a good idea, then it will become safe again to actually click on the links?
Really. perhaps a few more people should install pegasus email under windows, and download mozilla firebird - the world would really be a slightly better place!
Or is that just too obvious?
PS: What on EARTH is up with IE's css support? is it intentionally designed to be completely broken?
Sigh.
In other news M$ advices all online banking users to walk in to their nearest bank office to secure their online banking...
Eight-hundred-thirty-three-thousand-seven-hundred- eighty-six Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks
The point is there's a bug in IE that even with JavaScript turned off people can give the impression that you're going to a different URL than you really are, the worst thing is it also affects the address bar. Be safe, don't use IE
Microsoft Advises to Type in URLs Rather than Click
So now MS is promoting a return to command line interfaces?
90% of my surfing is done with Firebird, either under Windows or Linux. It's fast (on a Pentium IV @ 2.0 GHz), complete and full-featured.
9% is done with Opera 7.23. Mostly at home, since it's still small and light enough for my poor little Pentium machine.
Less than 1% is done with IE, mostly with horribly broken site that only accept it, and I am actively searching for replacement
FWIW, I never use MS Outlook or Outlook Express either. Earlier this week, when MyDoom struck our email servers, a couple of coworkers were infected. I was not.
The moral of the story is that you can't trust Microsoft products.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Although this article on the insecurities of IE (or in a more general sense, Windows' URL handling) is fitting for ./, the advice to type URL
into the address bar may be one that we should all take to heart in the
future.
As pointed out here, the advent of multilingual (Unicode) domain names gives rise to a new possibility for attacks: the Homograph attack.
Example: one could replace the o's in http://www.microsoft.com with Greek omicrons, Cyrillic o's or characters from other charsets, as long as they are rendered by our browser as something resembling an "o". The users won't notice the difference, but they might be redirected to another site, even though they visually inspected the URL.
A more serious example: my bank, the Dutch Rabobank, features internet banking. It specifically displays a warning before logging in: Make sure that the address in the address bar starts with https://www.rabobank.nl/, then you are sure you're communicating with us. Now, with a homograph attack, even that might not be certain again: it looks the same, and users are reassured even though reassurance is not due! And it's not limited to using IE or Windows either.
A comment is in order here: we're not that far yet, as most clients require special (non-default) DNS clients to access Unicode domain names. But it might become a big problem in the future.
Are there any people from countries using non-latin domain names that might want to comment on this?
Support a Europe-related section on Slashdot!
But the bug in ie is that i can make any URL look like a 4 letter URL in your status bar.
Let's say M$ user types in URL but on that URL is redirection to faulty URL? The thing is, they can do nothing about it. And nowadays some regular URL has like 30+ characters with all those PHP-Nuke/Puke portal engines and horror CMS engines. SO, M$ crew, create a real browser and stop dragging us/them to a stone age...
Sinisa
http://support.microsoft.com/default.aspx?scid=kb; %5Bln%5D;833786
Need I say more?
I stole this Sig
I try to convince other people of this. Firebird conatains a popup blocker, supports tabbed browsing, is more secure, and has a gestures plugin.
The other people just don't. It's not like they don't know how. These are proper techies. they just make up daft excuses like not trustin free software.
Maybe trust is importatn. You can trust IE after all. You can trust it to be insecure.
But it still doesn't make sense. Some secure sites have a feature that requires a referrer link when you access different pages. If you type in a URL, there is no referrer link, and so in that case, you might not be able to access that site.
On the other hand, I use Opera, and I love it. While it has a little banner that display ads depending on what you're currently surfing (unless you pay 30 bucks for it), I find it in no way to be intrusive. Go try it out.
Here's an example
no, that link is not supposed to do it, the page will show you what it is.
It hasnt made it on slashdot yet, but netcraft is reporting that future versions of IE will no longer be supporting user information in HTTP or HTTPS URLs.
For more information, please see microsoft's advisory. Thats right, type in the URL yourself, it really is at microsoft.com. From now on, any HTTP or HTTPS URL that has an @ sign in it will report "Invalid syntax error".
After months and still no patch for this bug.. they just now announced THIS as their fix, but still no patches. You'd think they'd just prevent parts of their URL bar from disappearing instead of removing features..
Workarounds for this new behavior are listed as:
* Do not include user information in HTTP or HTTPS URLs.
* Instruct users not to include their user information when they type HTTP or HTTPS URLs.
How ingenious. I also find it interesting that they link to the standards they are now breaking under "references".
... and even though I dont use Windows this is a nice step towards better security.
My main issue is this, the knowledge base is huge - there are thousands of articles, therefore although the article is there how many *normal* people actually read it ? The people that need the information the most are those that are less computer literate and the same people that would rather be playing flash games than reading a document on a "geeky computer" website.
It is same with the "oh they should use another browser", at the end of the day they dont really care until they get bitten - and even then they will make the same mistakes again. I personally think that the software update mechanism (where the window pops up if there are updates) is great under OS X. You would have to be really retarded to ignore it.
Maybe Windows and Linux could do with something like this ? I know debian has it's security feed (which I use), but it'd be useful if it alerted me that there were updates. I also remember there being a update manager but maybe it shouldn't allow you to not install the security updates. (Please forgive my lack of knowledge of the recent windows situations WRT updates- I rarely use it so please dont flame back but I would be genuinely interested to know - for the sake of my parents computers)
Anyway, end of post.
chris at darkrock dot co dot uk
http colon slash slash www dot darkrock dot co dot uk
(1) Checkbox to disable "kiosk mode" from EVER happening! (2) Checkbox to disable pop-up windows (or prompt user per pop-up) as opposed to disabling Javascript altogether. (3) Outlook-specific settings for HTML preview so that most features can be turned off for e-mail preview; stop spam from essentially calling home via preview, or playing virus MP3, etc. For example, by default forbid all HTML-formatted e-mail from accessing the Internet and running scripts -- just totally passive HTML. The user, at his or her discretion, can right-click on the body of an e-mail to select further previewing rights for trusted mail. (4) Checkbox to reject URLs that use unicode characters -- just an option; (5) Checkbox to forbid wacky URLs with "obvious" redirection tricks; (6) Option to set the "maximum number of browser windows to open per second". One can set this to a rate slower than one's ALT-F4 pressing rate, to win the battle against run-away pop-ups.
Their reasoning? Security. Judging by the number of times in the past two months they've had overtime to do, and the amount of times they have to send out emails-which-get-deleted-without-further-reading on what not to do with a web browser, I suspect it's the security of their jobs they're trying to protect, but anyway...
So, instead, I sit and shake my head with wonder at all the people, particularly from the Management stream -- although I've seen for myself that engineers aren't immune -- who blindly click links without checking their content, who don't check for SSL, and so on and so forth. And, in two cases, get swindled out of cash because they believed an email supposedly from their bank...
ObRant: Why conceal this kind of knowledgebase article? Microsoft should have it in forty-foot-high letters of fire on their front page. No, more than that; it should be in every freaking news syndication everywhere for every single windows user to see and read, repeatedly, until they get the hint.
Then, and only then, can we honestly say that those who still don't do the "right" thing deserve it.
And to think, that enough people got MikeRoweSoft.com confused with microsoft.com to warrant a security bulletin.
"Protect yourself from email worms by walking to the post office!"
"Protect yourself from p2p worms by buying your music on 8-track tape!"
"Protect yourself from joe-jobs by not using your hotmail address!"
"Protect yourself from internet credit card theft by using dollar bills exclusively!"
"Protect yourself from e-banking snoopers by keeping your savings under the mattress!"
"Protect yourself from spam by disconnecting the internet!"
"For Christ's sake, protect yourself from illegal operations by turning off your computer NOW!
(Oops, this one's not new.)
This is...
O
U
T
R
A
G
E
O
U
S
!
How on EARTH did someone write this KB article without cracking up. Are they for real or what?
I mean, either you continue as usual and get screwed should you hit a malicious link, or use a different browser. Who in their right minds would ACTUALLY follow the steps here. "Hmmm, this link looks suspicious... I'd better manually enter the address". Or copy a piece of JScript code for a more verbose description of the link...
Yeah, right. I can't get over this article - it's nearly like a spoof or something.
I've never had problems with Mozilla Firebird - ever. And it's not even v1.0 yet! I've been using it since November last, every day nearly, at work and home.
-- *~()____) This message will self-destruct in 5 seconds...
Can I have my karma now?
While it is true the IE is the holiest browser currently available, it also has an immense amount of incorrectly implemented features. Maybe I should start over...
IE has support for a large deal of things I wish were standard. However, too many internet bodies can't make decisions and standards are simply corrupted leaving Microsoft to run around generating their own sudo standards. As far as web development goes and building high quality, web-based applications (trust me, the backend to all sites I work on are served by one the last servers VA's sold) IE simply offers more flexability, creative applications, and...well, a larger userbase. While the application is inheriently flawed, the theory and principals are good and would only furthur extend the realm of creative outlets if there was one standard.
I don't suffer because I use IE or develop sites that don't run in Opera. I suffer wasting time making sure the stripped down version of these sites work in Mozilla.
Time is money; I don't have either.
Why do I have a chill running down my spine about a new patent concerning "Zero click navigating"
-ph
Do you have any suggestion how to deal with web-forms? Especially those using POST method?
Sincerelly yours ...
I'm laughing so hard I can't type. Hang on... OK. This MS article is so wrong I don't even know where to begin... How about here:
The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself.
Is MS going to issue a patch to disable hyperlinks then? If you can't click hyperlinks, doesn't IE cease to meet the definition of a browser? Look at the bright side, finally Netscape has closure.
Now, from the "but it's so easy to use" department:
Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate user for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site.
Huh? Does anyone expect Joe Luser to understand that? Checking the certificate against the stated URL and the IP address supplied by a DNS lookup of that URL seems rather straightforward. Someday, someone ought to invent a machine to do things like that. We could call it a computer. A computer might also be able to display the actual site name an nothing else, rather than allowing it to be spoofed in any way, eliminating the need for such manual babysitting.
From the "but it's so easy to use" department, take two:
In the Address bar, type the following command, and then press ENTER:
javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");
I see. We just proved this week that a huge segment of the Windows user base still hasn't learned about attachments. But grandma, who wants to look at the pictures of her grandchildren, is expected to be a Java programmer. There must be some incredible acid floating around Redmond. A complete break from reality, this is.
They don't usually know what a browser is, let alone that there is more than one browser out there, and when they read stories about viruses and how clicking on things can make your computer infected, they see microsoft as a victim.
As far as they are know, Microsoft is the company that makes the things on their computer, and they know that MS is a really clever company that makes really good programs and that if they find anything wrong with those programs, they don't think that microsoft should have fixed it, or designed it differently like we do, no, they just think that they shouldn't be doing whatever it was they wanted to do that way.
Honestly, I know so many people that don't know the difference between Windows and Office - they think that all computers come with the thing for writing letters and the thing for making spreadsheets and the thing for sending email and the thing for the internet, and any time a new virus comes out, they talk about how horrible those virus writers. I read a letter to pc world magazine just a few months ago where someone was praising microsoft for all the hard work they're doing to defeat the virus writers!
So asking for these sorts of people to 'use a different browser'.... you may as well tell them to please speak in a different language when they come back from lunch because there's a problem with English. Most people wouldn't know where to begin.
Just imagine going to:
a u/
https://ϲоmmоnwealthbank.com.
(may not display properly - whatever, you get the picture)
and getting a perfectly valid ssl session. With entirely the wrong people - but the user would only notice if they looked at the cert.
Of course, you'd have to find a cert registrar dumb or unethical enough to give you a cert for the domain, but with people like Verisign around that can't be hard.
The same MS advisory page recommends (way down at the bottom for those that don't bother to RTFA):
...
Read E-mail Messages in Plain Text.
By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:
* %00
* %01
* @
Gee, ya think that HTML email is a bad idea..? I wonder how many people even realize that this "IE advisory" applies to Outlook and their email as well?
Nice way to bury that one, guys..
Possible fixes:
1. Display something for EVERY byte in the URL! (this is Microsoft's main problem). The only character that could plausably display as a blank area is the byte with the value 32, and even that could show an underscore or something. If "%0102" is in the url, show the characters '%', "0', etc. And obviously the text "%00" in the url should not cause the rest to disappear. In case you think only Microsoft is stupid, Unix software often displays '\n' characters as breaks making multiple lines, in Mac's Safari this makes those spoof URL's display almost as badly as IE.
2. Display all non-ascii characters in a different color. Please ignore the probably loud Politically Correct crowd that will say you are demonstrating anglo-centric bias, those same people kept UTF-8 from being adopted for over 12 years (since it is obviously a bias to have westerners have the shorter characters) and actually hurt i18n far more than the most ignorant midwestern Cobol programmer did.
3. Display as much of the URL that corresponds to a site you have visited before in a different color. Ie similar to showing a visited link a different color in the page, show the preview of the URL with the hostname and leading directory levels colored that match some URL you visited before. Then, assumming you visited your bank once, the fake bank address will be noticable by not being colored.
So what's next then? ....Write your emails in outlook, then print them and mail them in an envelope, all the benefits of outlook with the added security of Physical Delivery (tm)*(new improved feature, Microsoft patent pending).
You missed the point.
http://www.amazon.com%01@malicious-site.com
will show as http://www.amazon.com%01@malicious-site.com in Mozilla, Firebird, Opera, etc.
In IE, it will show as http://www.amazon.com
That is the flaw. It has everything to do with IE.
http://www.microsoft.com%01@example.com
/. already filters this attack.
Visit that link in IE and see where it takes you. You might be surprised. I'd have just linked it, but
My other post
Goatse trolls on Slashdot taught me not to click hyperlinks LONG before they became a security issue!
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
It looks like the only browser immune to this is Opera.
"Though little-used, the tricky URL form is a recognised Internet standard as documented in various RFC documents. For this reason the developers of other browsers, like Mozilla, don't feel they can simply get rid of it. Instead, the Mozilla developers and a horde of kibitzers have spent almost a year and 156 comments discussing what can be done. Right now that effort has got precisely nowhere and Mozilla users are almost as vulnerable as Internet Exploder users to being hoaxed in this way."
I stole this sig.
i'm a braindead single mom with 4.9 kids and i'm told by microsoft to instead of clicking on icons to write by hand urls...
does this actually acomplish anything?
if i get a url like http://www.cnn.com@www.schnits.org/?comments=foo3 or whatever...and this is copy/pasted through manually copying each character with myself... isn't the conclusion of this story the same as if i were to have just clicked on it? microsoft's advice accomplishes absoluteley nothing!
and anyway...99% of the time i'm perfectly content with elinks.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
So they're not going to fix the spoofed URL bug then? Well, I guess a KB page is cheaper than paying developers to figure it out!
When I am king, you will be first against the wall.
Anyone that's trying to exploit the address bar bug, will undoubtedly also include some javascript to set the status bar to say the name of the site they're spoofing as well. They're hardly likely to do one and not the other. Only the example exploits tend not to modify the status bar.
Microsoft Coperation today advised users to upgrade their current Internet Explorer web browsers to Carrier Pigeon 1.0. This newly released software package transferes HTML documents safely and securly over the friendly skies.
NOTE: Microsoft is not responsible for packet loss during hunting season, unless it's wabbit season but definatly not duck season!
I know I should probebly read the advisory, but I use mozilla. So how would it help?
~~ Behold the flying cow with a rail gun! ~~
Where we go "cool, nice features" they... don't.
The other thing is, they always, with unwavering precision and frightening speed, manage to find the pages that it doesn't render properly.
gah, normal people.
the other thing is, that MS have succeeding frighteningly well in making their applications and icons synonymous with the tasks they perform in the minds of so many people. it's been said before, but that blue 'e' sort of IS the internet to so many people, like that 'w' IS the word processor. gah again. sorry for the lack of capital letters in this post.
lolThis is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
Also, if you have any reason to suspect the authenticity of a site, leave it by closing the browser window immediately.
.... ahhheee CTRL-ALT-DEL..... *pant* ..... holding in the power switch now.........*blink*..... man that was too close, I almost got slashdotted....
ahhheee.... CLICK CLICK CLICK CLICK They are going to get me... ALT-F4 ALT-F4
There is nothing about Moz Firebird that's going to make this less of an issue. The fact is that the typical user is going to see http://www.amazon.com@/fakepath/usualAmazoncrap:ru ssianmafia.ru and think it's an Amazon URL.
Ah! The joyous sound of yet another microsoft apologist.
If the user is dumb as a brick and cannot see something funky with the URL - that's the users problem.
If Microsoft SCREWS the URL so royally that it looks perfectly normal that's Microsoft being the mass producer of crap software and failing to patch it.
How are either of those examples of bad software in Firebird?
Visit CryptoGnome in his home.
Just check my site at http://kobylkin.com and follow any link. You will see your address bar staying the same, does not matter what site you have landed on.
I just did, Firebird 0.71 on XP.
Every URL clearly shows the correct site it's going to in the statusbar when I mouseover.
Yeah you faked it by putting your entire site in a whole-page frameset, but that's cheating - as opposed to showing a major security flaw and violation of the standards (which in this instance Microsoft is clearly admitting but flat out failing to fix).
Visit CryptoGnome in his home.
In an ideal, standardized world where W3C-specs were followed, and no-one sought to conquer the entire web trough non-standard HTML-extensions and market-dominance...
In such a pretty and ideal place, you wouldn't have to develop different sites for different browsers. You are making yourself the extra work, by supporting none-standards. No sympathy for you, my friend. No sympathy for the devil, indeed.
As a slashdotter I thought you knew that IE is more or less a Win32-only product. And there's a hell lot more to the internet than Win32.
Anyone excusing their IE-support with sheer marketdominance has obviously ridden themselves of all the principles the net was founded on. But I guess that is ok, since most IE-users wouldn't know.
Not Buzzword 2.0 compliant. Please speak english.
MYIE2 installs a front end for the IE engine that does all of this. It also allows tabbed browsing. It is definitely worth a look.
Note: If the status bar is not enabled, the lock will not appear.
.jpg file to the average Windows home user.
Whoever wrote this KB article needs to send it to their neighbors in WinXP product development. The status bar is disabled by default in Windows Explorer in XP.
Also, Windows still has "hide known file extensions" option checked by default. So something like annavirus.jpg.vbs looks like a
I know this is offtopic flamebait, but hell it's so likely to be true...
I believe Microsoft intentionally has a slightly broken CSS, so that everything that looks good in IE will look crappy in any standard-compliant browser.
C'mon, it's not that crazy! We all know which mother has the marketshare's here.
It's not like most people even know there are standard's anyway. "People" use FrontPage, or even worse, Word to make webpages these days, remember?
So yes, I believe IEs CSS-support (or the CSS-support in any Microsoft product) to be intentionally broken. To gain marketshare. And that's paranoid me.
Btw, my W3C-validated, visually confirmed (opera, mozilla) good webpages look like shit in IE. And, no I don't bother to make IE-CSS.
Not Buzzword 2.0 compliant. Please speak english.
To ask the user not to click on bad URL's is to admit:
1) we (Microsoft) know what a bad url is
2) we (Microsoft) assume that you may know what a bad url is
3) but for the life of us, we (Microsoft) just can't tell IE what a bad URL is
4) we (Microsoft) give up trying to teach IE what a bad URL is
5) hence we (Microsoft) ask you to please take care and avoid bad URL links
Hallowed are the Ori
The bug is not allowing URLs style:
http://fake.host.as.username@the.real.evi
This is perfectly legal and most people will spot it! (well, at least I do.)
The bug is:
http://fake.host.as.username[somespecialchar
where the special character prevents IE from displaying anything after it.
This is NOT the case in other browsers, this is a serious vulnerablity (because no matter how hard you look at the URL bar in IE, you won't see the URL is fake) and this is THE way crackers and spammers exploit the bug!
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Perhaps same reason than why mozilla do not do that filtering?
there is this status bar that they want to hide.
...
in every win xp i use, i always have to specify i want the status bar.
also longhorn screenshots show that status bar is hated by microsoft look designers.
the average user should be then informed about:
- "right-click" on the link
- select "copy link address"
- paste in address bar
-
- profit
i think it is not easy to explain.
let the status bar survive!
greetings,
ppp
p.s. i vote for firebird. best on linux and win. but camino on osx.
I know this really isn't a popular opinion around here, but still, it needs to be said.
While it's true Windows isn't really the state of the art platform when it comes to security, it beat's Linux when it comes to a few key issues. Like hardware support.
Yes. I know. Hardware support in Linux isn't that bad, but still you encounter hardware you simply cannot get working under Linux. This isn't exactly a flaw in Linux, but for all hardware that is developed, you can swear the vendor will release Windows-drivers that makes hardware support a non-issue.
And as far as voting with your wallet goes, you really never can tell it's an issue before you try it. This goes for my MP3-player (Creative). I couldn't get it working under any Linux or *BSD platform.
Back to the issue. Running Windows securely really only requires you to configure the system properly. Like disabling all unnecassery services (Universal PnP, Remote assistance, remote registry and so on...), and using none-Microsoft products. Like Mozilla or Opera for web-browsing.
As much as we all love to hate Windows, it can be configured to operate decently. But in the name of "user-friendlyness" it configured to be insecure by default.
And there goes my karma.
Not Buzzword 2.0 compliant. Please speak english.
While risking a lampooning from the Slashdot crowd - I use both IE and Outlook - though I have to admit that as a result of this story I've been tempted to try Firebird again. To be honest, it has improved greatly and I'm now giving it another shot.
Outlook is less easy to replace... I've a target platform of XP, and need to interact with an exchange server. While I hate the clunky configuration, gaping security flaws and slow bloated memory-hogging Outlook, I have to admit that I find Word a very effective productivity tool when writing prose - even though it is a sledgehammer to crack a nut. I only want to send ASCII mail, but I want real-time spelling and grammar checking. When will open source catch up on this front?
In almost all cases, if the link text in a page was not link text (i.e.: if all the href attributes were removed) it would have the same meaning.
I've seen your "almost all" shrink. Some blog authors write in a style reminiscent of Wikipedia, Everything 2, and the like, whose pages gain some of their meaning from what their words link to. For example, "dumb MF" means one thing, but "dumb MF" means another thing, namely "dumb MF, one example of which is President Bush".
If you're roommate is that unwilling to change browsers when other people suggest, perhaps he's be willing to upgrade when "Microsoft" tells him to.
I've sent that page to a few people now, and the responses are pretty amusing. It redirects IE users to a spoofed MS Update page for Internet Explorer that offers Mozilla for download as the "update" for IE.
I just received an email the other day, which was worded something like:
Look very closely at that content, and you'll see the subtle exploit in it.
How can John Q. Public or your grandmother be sure of this, without actually viewing and auditing the source of the webpage/email they're receiving? This assumes that some mail readers can actually allow you to view the raw source of the email, to see if it contains any maliscious flaws like this.
If you visit e-qo1d.com in a browser, you'll see the exact exploit it uses. Not to worry, it is relatively safe (unless you are a customer of e-gold.com, and purchase gold online).
This is one example of how these companies are misusing this type of exploit to liquidate people's bank accounts. Nice.
I can see Microsoft telling British Telecom:
"We're not paying you any license fees, we'll just have our users MANUALLY TYPE THE URLS"
I like microcars
But then I thought of a third possibility: even though this class of exploits may be fixable in future versions of IE, there are plenty of people who are running older versions of Windows with older versions of IE. Even if Microsoft's commitment to secure computing is genuine, there may simply not be enough manpower to go back and fix every version of IE for any new security fix that comes along.
I see two classes of people benefitting from this KB article: those who are still running ancient versions of Windows on their old PC's, and those in a corporate environment where the IT department locks down their PC's to use only older, tested versions of Windows (and IE). In either case, even if Microsoft were to provide patches for every version of IE, the chance that the patch would actually be applied is slim.
Of course, the probability of these users actually encountering this KB article in the course of their daily websurfing is also slim, but we'll let that slide for the moment...
If you're roommate is that unwilling to change browsers when other people suggest, perhaps he's be willing to upgrade when "Microsoft" tells him to.
Just one question... how does it change the location in the address bar from (http://zcat.wired.net.nz/upgrade/) to (http://msie.microsoft.com)? Yes, I'm using IE.
You want a sig? I can get you a sig... Hell, I can get you a sig by 3 o'clock this afternoon... with nail polish.
My hands cramped up about halfway through typing http://support.microsoft.com/default.aspx?scid=kb; %5Bln%5D;833786 . :)
We've discovered a security problem where computers that receive tcp/ip packets are vulernable to various attacks.
To protect yourself from these attacks, plese type each tcp/ip packet by hand into your editor, print them out and mail them to their destination. When the reply arrives, please type them in by hand to ensure no malicious trojans sneak their way into your tcp/ip stack.
Obviously people who wrote this article advising to type in urls have NO IDEA how bad things are right now. I had a job in phone support for an ISP recently, and it's impossible to get the average user to type a url in the adress bar, because most don't even HAVE an adress bar anymore!
Typical conversation:
me: "Ok, now go to the adress bar and type the following..."
customer: "Go to the what?"
me: "Ok, do you have a web browser open? It's the program you use to view websites."
customer: "I thought I had you guys."
me: "Yes, now click on whatever you use to view our homepage."
customer: "But I just told you I don't have that anymore all I have is this incredifind.com thing."
me: "That's ok, I'll fix that in a minute, just click on it and open it up."
customer: "Ok, I have the incredifind open. Now how do I get to my internet?"
me: "Ok, do have an adress bar at the top?"
customer: "Wait, there's popups in the way now, let me close them."
(wait 4 minutes to close popups that spawn other popups)
customer: "Ok I can see, you said adress? I don't see that."
me: "Well we want to type in a web page, so do you see a long white bar at the top?"
customer: "Yeah I have 4, let me just type it in this super search one..."
me: "Umm ok let's not..."
customer: "Ok I'm at ultimatelinks.com, what do I click on now?"
me: "Ok let's forget about that for a minute, what do the white bars at the top say next to them"
customer: "Umm.. searchnow, supersearch, fastsearch, quickfind..."
me: "Do any of them say adress next to them?"
customer: "No."
me: "Ok do you have the word adress anywhere in the gray area up at the top?"
customer: "I have file... edit.."(wait 3 minutes to read entire list)
Now, either the adress bar is there and collapsed, and I spend 5 minutes trying to instruct them how to use the mouse to drag it open, or it's not and I try to go through the view menu and turn it on, and spend 5 minutes trying to figure out which options are removed from their menus by spyware hijacks.
me: "Ok fine, hit ctrl+o, does a little window pop up?"
customer: "Yes, you want me to type it in there?"
me: "Yes do that."
customer: "Ok, I'm there but there's a big popup and I can't close it because it has no X."
me: "Ok can you drag it out of the way?"
customer: "How do I do that?"
me: "Ok try just hitting control and the F4 key at the top of your keyboard, does it go away?"
customer: "Yeah. That's neat, I'll write that down. Wait, another popup came up..."
I'm not kidding, this is in no way an exaggeration or parody. While this is not a real conversation in itself, all these things have occured in similar conversations I had on the phone during support calls. And they seriously expect these people to type in URLs? How about making the browser so malicioius programs can't remove or replace the adress bar first?
Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!
Secondly, you can get 90% of the effect in any JavaScript-enabled web browser by using a mouseover in the status bar. That's not as bad as spoofing in the URL bar, as IE does, but it would likely fool far more geeks than would care to believe it.
You see, humans have lazy eyes and creative brains. The eye can only focus on a small area (which is why eye tracking allows psychologists to tell what word someone is reading) and yet we think we can see everything all at once. Peripheral vision is very good at detecting motion, which compensates quite well in the natural world. However, when a GUI element changes in a predictable way (e.g. the URL changing in the URL bar), our brains tend to be lazy at fact-checking and just fill in the blanks. Thus, even geeks like myself who use the URL bar extensively won't look when we think we know what's there.
There was an interesting usability study once regarding how often people use the status bar in Office-type programs. During the test, at random intervals, a message showed up in the status bar which said something like "There is a $20 bill on the bottom of your chair. If you see this message, you can take the bill." Not a single one of the test subjects took the money.
--
Friendster has a new direction.
"The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them."
OK, great - but how do I tell the malicious hyperlinks from the benign ones?
http://images.google.com/imgres?imgurl=internet.ls -la.net/pictures/images/Computer/Microsoft-XP-suck s.jpg&imgrefurl=http://internet.ls-la.net/pictures /Microsoft-XP-sucks.html&hl=en&h=480&w=640&start=6 &prev=/images%3Fq%3Dmicrosoft%2Bsucks%26svnum%3D10 %26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa% 3DN
photosMy Photostream
"I have a suggestion that's not in the Knowledge Base: don't use IE!"
If your the type of person who misstypes www.paypl.com(www.paypal.com) and end up going to a scam site, using Konqueror, Opera, Safari, whatever isn't going to help you not get scammed.
Thats why it's important for those who make those types of mistakes to pay attention to the url, and not what the page looks like. And if your complaining about not having popup blocking well, most AV (Norton, McAffee) programs now include popupblocking. And if the person doesn't have a AV then they probably the person who also doesn't pay attention to their url's and is also the person who needs to learn about these things.
I know you want to be "1337" and all but pick a better example or reason to flame a product thats obviously more used than your favorite browser.
Ave Molech Setting
Any solution that relies upon millions of people changing their behavior is dead on arrival.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
Money. Or rather, saving it. XHTML+CSS designed websites are faster, and smaller (often in terms of many kilobytes). When you're dealing with a site that gets the volume of traffic that a site like this one gets (quoted at ~20 pages served per SECOND), the bandwidth savings are huge.
While we're on the topic of /. and web standards... Rob and co. really should look into updating. Check out A List Apart for a detailed analysis on how they could feasibly to go about doing this.
But Maaa! Everyone else has a
Jesus God, this is stupid.
Has anyone received any of those "www.e-qo1d.com" fraud emails?
Try clicking the link. It does the standard URL spoofing.
If you select the address and retype it (so long as you don't type a "/" at the end), you will remain at the scammer's website.
So really, when they say "don't click; type the link" they mean:
1) Click the link, so you can find out what the URL is.
2) Open a whole new IE window and retype the link. The IE window you have already opened is poisoned.
There are no trails. There are no trees out here.
The biggest problem with browsers and other web-technologies is that they give more control to designers and webmasters, not to the users. Java, ActiveX, Flash, Javascript, CSS, etc. all allow designers and webmasters to determine more precisely what should happen on the user's end. Completely wrong and inacceptable, yet this is exactly what is happening.
It is entirely possible to design a page that would open in an IE window without toolbars, scrollbars and statusbar. Then it is entirely possible to add interactive graphical elements to the sides that would behave exactly like real IE interface elements, only they would be fake. This is wrong. The standards should give limited control to providers of information, while browsers give ultimate control to the users. It is completely wrong that standards allow javascript to intercept mouseclicks and block rightclick menu. It doesn't affect me because I use Opera, which doesn't give a shit about that, but when I click the wheel (button 3), I see that stupid message window that informs me I shouldn't right click on that site. This isn't more than an annoyance, since scrolling still works and rightclicking is not affected at all, but this should never happen in the first place.
Unicode addresses are wrong as well. They are an annoyance to the users. Have you ever seen a user (a visitor, the one who browses the web) request ability to use Unicode in URLs? I've never heard about that. It's some webmasters, who decided they want this stupid-stupid-stupid trick to work (and greedy registrars and their marketdroids) and broke a perfectly good addressing mechanism (I am Russian, but I never ever wanted Cyrillic URLs, even though now they are apparently supported).
Future Wiki -- If you don't think about the future, you cannot have one.