The Java Popup you Can't Stop

An anonymous reader writes "In his brand new hackademix.net blog, Giorgio Maone, known as the author of the NoScript security extension for Firefox, reveals how popup blockers can be easily circumvented using Java. Worse, popups opened this way are really evil, because they can be sized to cover the whole desktop (the wet dream of any phisher) and cannot be closed by user (the wet dream of any web advertiser). Impressive demos available, all cross-browser and cross-platform, in the best Java tradition: 'Write once, hack anywhere' "

So how about how to stop this?

[RaigetheFury]

I'd really like to see counter methods posted as (special) comments under articles like these. "Links to: How to prevent this". It would be really nice if we could use our mod points to "mark" a comment as a solution that an administrator could then move it to the top. Why the administrator involvement? Simple, to prevent the teams of people who go around and exploit this type of function on Yahoo. This would still allow Slashdot to work off the same random moderator point system it has while keeping some semblance of order. They could play around with how many mod points a comment needs before it can before an admin is notified.

Just a thought.

Remind me: Why do we have applets again?

[Toreo+asesino]

Seriously, name me one "house-hold" name website that uses Java applets anyway. Can't we just have it switched off by default? I like Java as a broad technology, but I'm finding applets increasingly irrelevant - interactive rich sites are being taken over by flash, ajax, and the probably-to-be-mainstream-soon Silverlight/Moonlight.

This isn't a flame....Java on the desktop is awesome and I love it.

*runs to the hills*

Re:Obvious solution?

[Ed+Avis]

The whole point of Java was that it was super-sandboxed when running applets and you could enable it for all sites. To prevent phishing, any windows created by a Java applet would have to show 'Warning: Applet window' and a big red border or something like that. I wonder what went wrong to allow this attack, and whether it has been in Java since the beginning (i.e. would work even with Netscape 2.0) or takes advantage of some recently added kewl feature that forgot to do sandboxing properly.

Re:Why?

[Anonymous+Brave+Guy]

The problem with ads is that, apparently, the annoying ones are exactly the ones that work. People like you and me hate them, but we're never going to buy their **** anyway. Those irritating jingles that get played endlessly on TV ads irritate the **** out of us, but they attract the attention (and memory) of those gullible enough to buy the goods.

I'm not sure how much this is really backed up by evidence and how much is just "accepted wisdom" in the marketing community, though. There was a particular local firm advertising on the biggest local radio station in these parts a few years ago. They basically took traditional melodies from things like popular nursery rhymes, and rewrote the lyrics to mention their company name repeatedly and the product they were pitching. After a while, they even ran an ad that had the lyrics "We know the songs get on your nerves", which I remember all too well, perhaps making the point for them. That was, however, the last ad they ever ran on that radio station as far as I can tell. I'm not sure what happened to the company...

To bring this back to the current context, though, the theory seems entirely reasonable. Most of us will never support spammers or get caught by phishing, but those stupid enough to reply to bank password checks or ads for legal software downloads are probably also the ones stupid enough to click on the slightly odd-looking dialog warning about a virus attempting to install itself through your web browser. Sadly, given the tiny running costs, it only take a very small proportion of people to be idiots for the spammers/adware merchants to make an awful lot of money.