Slashdot Mirror


Worm Exploit Distributed by Advertising Network

Zocalo writes "Given that a lot of Slashdot readers also check The Register, it's important to note that their Internet advertising provider, Falk AG, was compromised by the BOFRA exploit yesterday. The Falk AG service has been suspended by The Register and a statement from Falk AG is due on Monday. The upshot is that if you visited the Register yesterday morning and use IE as your browser, then you probably need to run a full virus scan with up to date data files. Of course, those of us running other browsers and something like AdBlock have nothing to worry about. Again." You're OK for now if you're running SP2. There's also a good security writeup about the problem.

42 of 478 comments

  1. Wow by metlin · · Score: 4, Insightful

    This is a really big problem. Okay, so it's Register and they realized this and stopped it. But we visit so many other websites - how are we to know which one of those ad providers are infected and which are not?

    Sheesh, where is accountability? Blame the sysadmins, blame the software, pity the customer. Lather, rinse, repeat.

    1. Re:Wow by skids · · Score: 5, Insightful

      "Blame the sysadmins, blame the software, pity the customer."

      You left someone out: web developers as a whole, who have insisted on more and more complicated HTML extensions instead of just working with the rather powerful stuff they had at their disposal in the first place. These are the folks that make the "core functionality set" of any competitive browser so large that the software to support it is incredibly complex. That guarantees us a steady flow of bugs and exploits.

    2. Re:Wow by Zaiff+Urgulbunger · · Score: 2, Insightful

      Hope so. Also, they should be able to give us figures (unless that's commercially sensitive info) regarding how many MSIE's there are in the logs for the period.

    3. Re:Wow by Xerp · · Score: 2, Insightful

      Indeed. I pity the home user who has no idea. Mom, pop, uncle, grandma and even lil sis.

      Sure, corporate users can have their IT guy stick in a Linux web-proxy server to help protect the useless Microsoft Windows system from yet another attack. They can rack it next to the Linux box used to filter the spam, the Linux box used to strip all the Microsoft Windows viruses out of e-mail and file shares, and the Linux based firewalls protecting the whole army of Microsoft Windows flawed desktops.

      It is likely that thousands of home users are now infected, and have no idea. Install SP2? They wouldn't even know what an "SP2" is. And yet still people use Microsoft Windows. Some people even think it is good! Time to wake up and smell the coffee people!

    4. Re:Wow by mrseth · · Score: 5, Insightful

      "Oh, and the same blocking could be done with a Windows web-proxy server. You don't need Linux, unless you aren't smart enough to figure out how to work Windows."

      I do believe you have this precisely backwards. By the way, please note that if people used Linux or OS-X, we would not *need* to block all this shit in the first place.

      "They don't need to. You click a button, and it keeps you up to date. Someone with automatic update wouldn't even need to know what SP2 is, but they would be up to date."

      Can you point me to the patch for Win2k then? Thanks.

      "And they wouldn't have to spend hours trying to figure out how to upgrade their OS like they do with Linux."

      Never heard of apt, yum, urpmi, or up2date? And as a bonus for Linux users, we do not have to reboot either, save for a kernel update.

      Windows is for those with more money than sense.

  2. Text-Ads by fembots · · Score: 5, Insightful

    Maybe site owners will start moving or demanding text-based ads (like Google's)?

    1. Re:Text-Ads by oexeo · · Score: 3, Insightful

      > Maybe site owners will start moving or demanding text-based ads (like Google's)?

      This won't make a big difference if Google (for instance) was compromised, a virus could replace the innocent text-ads (which are dynamically inserted client side via JavaScript in Google's case) with whatever malicious code it may desire.

  3. "You're OK for now if you're running SP2." by mirko · · Score: 3, Insightful

    How many IE users have switched to SP2, yet?

    --
    Trolling using another account since 2005.
  4. Interesting. by xanadu-xtroot.com · · Score: 4, Insightful

    > You're OK for now if you're running SP2.

    Ummm... My Win machine is running SP4. Oh, you mean XP SP2. Not on my machines, man... The highest I'll go on my personal machines is 2k.

    Aside, you left out another browser of very worthy note. Oh, well, make that two.

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
  5. I don't get it... by sH4RD · · Score: 2, Insightful

    What's with all this "Microsoft should patch this", "Microsoft should patch that". I am NOT a pro Microsoft person, but they made SP2 for a reason. If SP2 fixes it, why in the hell should they go back and patch an older version? If you don't like SP2 that's your problem, but if you want to actually get the latest updates, use it. Don't complain if sticking with SP1 (or no SP) is going to stop you from getting any security fixes.

    --
    WASTE - The Secure P2P
    1. Re:I don't get it... by Anonymous Coward · · Score: 1, Insightful

      Of course you don't get it. You're an end user.

      At the office here, we can't run XP because all the applications are *NOT* supported under XP. In addition, Microsoft is still selling and licensing 2000.

      If your logic were true then why are there still patches for the linux 2.4 kernel tree, and applications that run on 2.4 of linux?? Many of the BSD's still support older versions going *way* back. Apple still supports older Macs that can't upgrade to OS-X. Many other application vendors still support older versions of their applications.

      Not *everyone* can run the "latest" code!!!!

  6. Re:AdBlock is unethical by flossie · · Score: 5, Insightful

    > Even if AdBlock were responsible for preventing a user from getting a virus this time, that's hardly enough to make up for the theft of services and fraud that people who use it commit every day.

    Utter drivel. I suppose you think that it is "theft" to change the channel on the TV when adverts come on, as well. Is it also "theft" to turn the page of a magazine without looking at the adverts on it? As far as I am concerned, advertising is a form of pollution. It reduces the visual beauty of the environment and I don't want to see it.

  7. Re:AdBlock is unethical by Famatra · · Score: 5, Insightful

    "Extensions and programs like AdBlock are tantamount to theft; you are acquiring the content but not "paying" for it by loading the advertisements."

    Um, it is clearly *your* problem if your website's cash flow relies on wasting my bandwidth with advertisements.

    Your supposed 'right' to profit does not extend to the point where I have to bend my life around your profit model. Thanks.

  8. Re:No one is safe... by arminw · · Score: 5, Insightful

    > ... but if you are on the net, you aren't safe...

    Unless you are a Mac user that is. Every time there is anything in the news or /. about another piece of malware, there is always the refrain: "Does not affect Mac users". Unless you are running some proprietary vertical app, why still suffer Windows? What computing JOB can be done in Windows that can't be done as well or better by a Mac or Linux?

    --
    All theory is gray
  9. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  10. Re:So what's new here? by Anonymous Coward · · Score: 1, Insightful

    If there's a point, I don't see it.

    Why bother googlebombing a phrase that nobody in their right mind would want to search for? Sure, I don't particularly like Microsoft either but this "project" seems like one big self-righteous circlejerk to me.

  11. Re:AdBlock is unethical by hyfe · · Score: 3, Insightful

    > Even if AdBlock were responsible for preventing a user from getting a virus this time, that's hardly enough to make up for the theft of services and fraud that people who use it commit every day.

    You're a troll, but I'm biting even so.

    We are under no obligation to play by whatever crooked-up business model a company cooks up. Unless I sign/click an agreement to view the ads, they don't have a legal leg, nor a moral one for that matter, to stand on.

    They offer a web-page because they have something to say. I select how to view it. What more is there to it?

    I guess you're ok with printer cartridge prices too? After all, it's 'their business model' and not following it would be 'theft of service and fraud'?

    --
    "How about taking the safety labels off everything, and let the stupidity-problem solve itself?"
  12. Re:Hosts File by petecarlson · · Score: 4, Insightful

    Hmm, Seeing as we can have "laws" which make it illegal to fast forward through a commercial on your device, it seems it would be a trivial matter to make it illegal for you to do this on your DNS server or with your hosts file...

  13. Re:AdBlock is unethical by Maul · · Score: 2, Insightful

    I'll reiterate what I've said before regarding skipping advertisements.

    For decades, advertisers have seemingly understood that what they do is a gamble. There is absolutely no guarantee that the advertisement will be viewed, paid attention to, or even work well to sell a product. Just because this model has worked in the past does not guarantee it will continue to work for all time.

    If companies involved can no longer take the risk that people may not see advertisements, then they should reconsider their business models.

    --

    "You spoony bard!" -Tellah

  14. Re:LOL by eugene+ts+wong · · Score: 2, Insightful

    Hmm, has anyone thought of blaming the web site and its advertisers? Going to a site should be like going to a restaurant. Sure, IE is also to blame, but it's not as if the web site and advertisers have no responsibility to keep things clean and secure.

  15. Re:RSS Readers too by ocelotbob · · Score: 2, Insightful

    My browser has a built-in RSS reader. Why doesn't yours?

    --

    Marxism is the opiate of dumbasses

  16. Re:AdBlock is unethical by PalmerEldritch42 · · Score: 4, Insightful

    No, No, and No. I fail to see your argument. It is not unethical to block or otherwise not look at ads on a free site. The site is free. There is no EULA stating that in order to view the free content, my eyeballs have to focus on an ad. The ads do pay, and quite possibly, without that income, the site might go down. That is the problem of the admins. Here on Slashdot, we hear quite a lot of noise about how failing business models need to be updated. If a site can not sustain itself from ad revenue, then perhaps it needs a different model.

    There was never any agreement between me and the website admins that I had a limited license to view the content predicated by my looking at ads. Websites that are on the internet are free to the consumer, unless explicitly stated otherwise.

    --
    Ceci n'est pas une sig.

    :wq!

  17. Re:Something said on http://www.theregister.co.uk/ by Anonymous Coward · · Score: 1, Insightful

    > One of the SP2 versions trashed my computer

    Same here. On our new Dells, every one of them lost their activation. We had to reinstall from scratch to get them working again since MS wouldn't give us new activation keys when we called. Dell claimed it was MS's responsibility and MS claimed it was Dell's. We got stuck in the middle. We also have to do the same whenever some user accidentally turns-on automatic updates. I think we've spent more money trying to get XP to work than we paid for the damn things.

  18. Re:AdBlock is unethical by Realistic_Dragon · · Score: 4, Insightful

    I still see the ads on penny arcade because they are small enough it's not worth my effort to block them, and occasionally something interesting comes up.

    I see no ads here because they are huge flash obscenities for Microsoft FUD campaigns.

    You want clickthroughs? Rethink your ad placement policies. (If I could select as a pref nothing but text ads for Linux/Unix/Hardware with _informational_ content - I might well see ads on Slashdot. And you might get paid more than the 0 you get for me at present.)

    The thing that pisses me off most of course is that the ultra lightweight version still has the heavy and bloated flash/animated adverts :\

    --
    Beep beep.
  19. Re:LOL by AvantLegion · · Score: 2, Insightful

    >> Do you think that Firefox has never had security issues?

    Oh boy, the old "You can't criticize IE's thousands of holes, because your browser has had almost ten!" argument.

  20. Your argument is invalid... by Phil+John · · Score: 2, Insightful

    ...Mozilla need not support firefox 0.9.3 for two very good reasons. First, it is a pre-release piece of software (or preview if you prefer), second the cost of "entry" to obtain Firefox 1.0 is merely a 4-7 MB download.

    If Microsoft say they will support older operating systems (i.e. Windows 2000) then they need to support it 100% (not 90%, for the extra 10% upgrade to XP that they are now). Lots of people paid good money for Windows 2000 and were led to expect full support, including security updates, for a substantial period. This period has not passed and as such Microsoft is reneging on their side of things.

    --
    I am NaN
  21. Re:No one is safe... by Anonymous Coward · · Score: 1, Insightful

    > Because responsive, fast web applications that reduce server trips is a bad thing, obviously...

    They are when they don't work and expose the user to an entire class of exploit. Most javascript is redundant anyway; onload events attached to webforms is lazy server side coding, users are quite capable of viewing images without requiring a popup and using client side script to validate form input without bothering to validate it on the server should be enough to render the dev unemployable for life!

    With the possible exception of webmail (better served with a browser extension IMHO) show me one decent web app that couldn't provide full functionality to users using noscript tags and plain html/css.

  22. Re:Run your windows updates! by reverius · · Score: 1, Insightful

    > you try finding every hole in millions of lines of code

    That would be a hell of a lot easier to do if I had access to the code.
    Lots of people do it constantly!

  23. Re:Falkag.net still used by The Register by MattInFinland · · Score: 3, Insightful

    Yes it's a lie. They haven't suspended the service. When I first contacted the Falk AG support team in Germany they were clueless. It took them several hours before I received a response after I'd sent them an e-mail documenting the attack and where the exploit was on their site. I forwarded the same e-mail to several people at The Register too. Later today the article appeared on their site. I don't think The Register had any idea what was going on until much later. The original infection was in http://f.as-eu.falkag.net/server/asldata.js?rdm=01 684246 which was ad based just below the banner. What's there now is I think just data mining.

  24. Re:AdBlock is unethical by darnok · · Score: 2, Insightful

    > Do you have any suggestions of alternative profit
    > models for web sites?

    Paid subscription?

    Seriously, thanks to the Internet I've now exceeded the number of advertisements I'm prepared to view in my lifetime. I now block them on *any* site that I'm likely to visit more than once or twice. Advertisements stopped having any positive effect on me many years ago, and some are now so obtrusive (i.e. personally offensive) that I not only block them - I actively avoid buying those products.

    Be honest - how many times have you seen an ad for e.g. some new model car, and decided "You know, I was just in the market for a car today. Good thing this ad appeared as now I know what to buy and where to go to buy one. And, what the hell, I'm not gonna buy the family wagon we really need; I'm gonna buy one of these fancy BMW sports cars because of the cool lifestyle aspects shown in the ad"? If what they're really trying to do with that ad is not sell me a car, but give me "brand awareness", then thanks - I'm aware of the brand, but I also feel free to remove it from my vision wherever and whenever it appears.

    In my mind, and I suspect many others, Web advertising is now useless. The only Web ads I now notice are those that are too obnoxious to ignore, and I specifically block those out using AdBlock. I use Gmail constantly, but don't remember a single ad I've ever seen on Gmail; I know they're in the right-hand column, but my brain just doesn't parse them.

  25. Sorry but ... by Evil+Pete · · Score: 4, Insightful

    ... who in the IT industry is dumb enough to surf using IE? Not being nasty but really we of all people should know better. Others yeah I can sympathise but Register readers?

    --
    Bitter and proud of it.
    1. Re:Sorry but ... by Bert64 · · Score: 2, Insightful

      Then it's not your fault that your work computer gets infected with a worm, and perhaps if that happens often enough your employer will start to see IE as a liability and give you something else (that happened where I work)

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Sorry but ... by TLSPRWR · · Score: 2, Insightful

      > Then it's not your fault that your work computer gets infected with a worm, and perhaps if that happens often enough your employer will start to see ie as a liability and give you something else

      Or they could just ban all browsing privileges at work and eliminate the security problem and the 'surfing instead of working' problem..

  26. Re:AdBlock is unethical by @madeus · · Score: 2, Insightful

    > If there were a beggar on your way to work, and you went out of your way to avoid him, it would be fine. If there were a beggar on your way to work, and you surrounded him with some walls so no one would see him, that would be unethical.
    >
    > Same thing goes here.

    Ah, the Chewbacca defense.

    That premise only even begins to make sense if people were preventing OTHER people from seeing the paid-for advertising. Let's look at it in more detail though...

    If you saw a beggar on the way to work the ethical thing to do would be to report him to the authorities - begging is illegal in most modern westernised nations after all, and with good cause.

    Very often it's done on private property (shop doorways, underground stations), often very assertively/aggressively causing harm to local business and increasing fear of crime (and increase in actual crime) in the area. It does very real damage to communities and the issues of drunkenness, instances of public disorder and the proliferation of hard drugs that go along with it to name but a few. It's such a problem in London that many local councils have put up paid advertisements trying to get it into people's heads NOT to give to street beggars.

    I could say "It's unethical to set kittens on fire and kick them around, same applies here." that would make about as much sense. Setting fire to kittens is something I'd consider unethical, and just like your analogy it doesn't in any way relate to the ethics of blocking adverts however.

  27. Re:LOL by Anonymous Coward · · Score: 1, Insightful

    Windows 2000 is still meant to be supported, so there SHOULD be an update for IE6 in Win2k, but there's not. You're the one that makes no sense.

  28. Re:AdBlock is unethical by obeythefist · · Score: 2, Insightful

    Here's two slightly more appropriate viewpoints.

    This is a free market economy. If advertising in exchange for "free" services isn't becoming viable as a business model.. don't do it! The internet will survive without doubleclick.com and the countless "free" webmail vendors. If you gave away cars to people with "adverts" on the bonnets, and you went flat broke after giving away two cars with cola ads on them, don't complain. Don't complain if people paint over the ads, either. You gave away the cars. What did you expect? It's like people who build their houses in flood plains who whine when the flood comes and takes away their houses. There's no guarantee that if you provide a service for "free" on the expectation that people will in turn do you a favour, they will.

    But you seem to say there is!

    > Extensions and programs like AdBlock are tantamount to theft

    Theft is a very strong word. The basis you ply is, to say the least, a poor understanding of the legal state of the world (despite efforts by the US congress to change it). Theft is a crime, crimes are enforced by laws. Let's look at the law. You assert there exists a "contract" between the client and the server. The client, under your contract, views the adverts and views the meaningful content. Adblocking is therefore a circumvention of this contract. Sounds reasonable. But consider this. Nowhere does the website state that viewing of advertisements is mandatory in exchange for content. The advertisements are imbedded within the content, and there is no way for me to avoid them, even if the content should be offensive to me in some way (and really, you can be offended by anything these days, personally, I'm offended by ads). So I'm getting my content, and I'm getting these ads. But I haven't agreed, signed, clicked, on anything that states I explicitly need to see these ads. I haven't agreed to any contract. If you don't agree to a contract, then there is no contract. But you've already "given" the content away. It's on a public web server. So I'm free to view what is visible on that basis, in the same way that if I left a newspaper on my front lawn you could read it. I can also choose which parts of the freely visible information I want to see - because again, there's no contract, and copyright is not an issue because I'm not altering or republishing this information, just reading it, and only the non-advertising parts of it.

    If you find adblocking annoys you - don't run a website with an unworkable revenue methodology. The free market economy is unforgiving, even less so when you give things away with no conditions attached.

    --
    I am government man, come from the government. The government has sent me. -- G.I.R.
  29. Re:LOL by roca · · Score: 4, Insightful

    Put it this way: Firefox offers pre-WinXP users a *free* path to being secure. Microsoft forces them to spend a significant amount of money.

  30. Re:LOL by toddestan · · Score: 4, Insightful

    > No, the latest version for EVERYONE is IE6 SP2. If they're still using an older OS, that's tough shit for them. You can't say "Well the latest version of Windows is XP, but some people decided not to upgrade so the latest version for them is 2000." It just makes no sense.

    Yet another disadvantage of tying the web browser to the OS. At least the latest versions of Opera and Firefox run on Windows 95 just fine.

    Besides, I don't think IE6SP2 runs on Windows 2003 Server. What do you have to say to users of that OS?

  31. Re:LOL by Biomechanical · · Score: 2, Insightful

    I think we're forgetting the rather nice paper that was linked from Slashdot some weeks ago that stated quite clearly*,

    It's not just the number of security exploits an O.S. or application has which makes it a bad or good choice, but the level of access allowed by the exploit and whether or not the exploit is accessible remotely or locally.

    Context is just as important as content.

    * Could someone reply and link that article please? I forget what it was called and I'd like a copy, thanks.

    --
    His name is Robert Paulsen...
  32. Disgusting by WgT2 · · Score: 1, Insightful

    I find it somewhat disgusting that there has yet to be one person to post that it might be their own fault for putting themselves in danger of this exploit, when, if they are registered with Slashdot, should be aware of the dangers of using IE in the first place.

    Please, stop blaming others when you have at least a choice of 4 other browsers available to you without the same level of security issues as IE:

    • firefox
    • mozilla
    • opera
    • (netscape)

    Who cares what everyone else should be doing when YOU YOURSELF are not willing to do everything YOU can to avoid these dangers?

  33. Re:LOL by johnashby · · Score: 3, Insightful

    > Besides, I don't think IE6SP2 runs on Windows 2003 Server. What do you have to say to users of that OS?

    Perhaps I would say stop surfing the net from the server, O Master of Secure Computing.

  34. Re:LOL by SillyNickName4me · · Score: 2, Insightful

    > No, the latest version for EVERYONE is IE6 SP2. If they're still using an older OS, that's tough shit for them.

    Except for those that need Windows 2000 for other software they NEED for running their business, and those that need software that is incompatible with SP2 and and..

    > You can't say "Well the latest version of Windows is XP, but some people decided not to upgrade so the latest version for them is 2000." It just makes no sense.

    Microsoft supports Windows 2000, people pay for that support, why the fuck should they have to pay yet again to get an incompatible OS?

    You are not making a well thought out argument there, not to say you are being stupid.