Slashdot Mirror
Google Goofs On Firefox's Anti-Phishing List
Stephen writes "While phishing is a problem, giving one company the power to block any site that it wishes at the browser level never seemed like a good idea. Today Google blocked a host of legitimate web sites by listing mine.nu. mine.nu is available as a dynamic dns domain and anybody can claim a sub domain. All sub-domains are blocked regardless of whether phishing actually occurs on the sub-domain or not. Several Linux enthusiast sites are caught up in the net including Hostfile Ad Blocking and Berry Linux Bootable CD."
While phishing is a problem, giving one company the power to block any site that it wishes at the browser level never seemed like a good idea
Actually, giving a single company this kind of authority is usually not a bad idea. Spamhaus and email, for example.
The issue is about trust. Even with this goofup, I trust google ( although their response to this could change that ). Hell, I trust MS here too, to a limited extent.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
"...giving one company the power to block any site that it wishes at the browser level never seemed like a good idea."
How exactly would assigning maintenance of anti-phishing lists to different organizations avoid a problem like this?
Isn't the implication that Google is intentionally blocking these innocuous subdomains (which share the same domain as phishing sites) just a tad disingenuous?
Let's presume that I used my domain to provide subdomains for free. Lets also presume that I or one of my free subdomains did some phishing. It's not out of the ordinary for a network administrator to ban an entire domain to help secure his network. Do you know how much work it would be to go through a site with tons of subdomains to cherry pick which ones are malicious and which ones are not? What if the admin can't even get a list of the subdomains? What if the site has 10k subdomains? It's easier (and usually safer) to "deny all, allow some" than to spend your entire day finding every malicious website and blocking it by hand.
Then, someone can come along who is a user of the network with the blacklist and complain to the network administrator. The administrator can fix the problem by unbanning a specific subdomain if they choose to.
Isn't this just general network administration? I see it as a non story.
Granted, I can see there are opportunities for abuse here, but if the owners of dynamic dns domains don't properly police their "customers" and spammers and/or other malicious websites start using it, then Google has every right to blacklist the entire domain. Of course, it's arguable exactly how much can be done to prevent it, but if you're really concerned about not getting your site blocked, go ahead and blow the $7 a year on your own domain, or use a smaller ddns service that can actually pay attention to the nature of the hosts it's serving.
As far as having any one third party responsible for maintaining a blacklist, exactly how else do you intend to do it? You can always create your own blacklist, but that would first require you to "enjoy" the sites you would prefer get blocked automatically. You'll just have to trust someone to make that reasonable decision for you. Sure, there will be some mistakes, but that's the price you pay for protection.
-Restil
Play with my webcams and lights here
If people thing this is a useful service, split it off, or ask someone like Spamhaus to do it,and add it some more checks and balances.
Better yet, release the code to the web service, and allow any sysadmin to host the server side portion themselves, of course with the ability to update from a central list, and accept 0% - 100% of a given list as they see fit.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Great, if the blocked site makes use of frames, you just can't bypass the warning. And there's no way to permanently unblock a site...
<sarcasm>I feel safer already</sarcasm>
Yeah. While I reflexively rankle at the idea of blocking a whole swathe of domains like that, it's unfortunately clear that services like dyndns and mine.nu are going to be overrun with phishers and scammers because they're just as convenient to them as they are to non-malicious Internet users.
In my mind giving this power to Google is the most objectionable thing related to the company. I know somebody who has had his legitimate business ruined because Google mistakenly added his site to this list. Why? Because it was hosted on the same physical server as a truly objectionable web site.
People need to stop childishly sneering at Windows users and take their focus away from Microsoft. The terrible Goliath is clearly Google now. Even when it's not being evil it causes trouble just by being *clumsy*.
This is the first time we've heard about Google (or any others) making a bad block. As long as Google fixes this expediently, I'd say that it's an acceptable margin of error and the amount of phishing sites blocked is by far worth it. Now, if wikileaks suddenly gets blocked for 'phishing', something is definitely awry.
The summary reads as though it was google's fault that the entire domain was blacklisted, while it's more of a mozilla issue. Mozilla releases this list of "Attack Sites" and Google Search automatically blocks them. Even if I get to the site without google, FF3 still lists it as dangerous, and warns me.
If anyone should receive blame (which IMO they shouldn't), it's Mozilla and their blacklist.
01110000 01010111 01101110 00110011 01100100
I dunno how much good it could do, but I suppose people could do the "Report Incorrect Forgery Alert" thing. I'd think it really would be better if they individually added the malicious subdomains individually, rather than blocking the entire domain, which (I'd guess) contains legitimate, or at least non-harmful, sites as a majority.
(Oh, and btw, here's Google's Safe Browsing report for mine.nu.)
Any maintained blacklist of any reasonable size is going to end up with false positives. It's one of those things you just have to accept. People notice and report it, the entry gets removed, and we move on.
1- Firefox automatically downloads a list of 32-bit hashes of "dangerous" addresses
2- when the user browses on a site matching one of these hashes, Firefox sends a request to Google for a 256-bit version of the same hash
3- does the site match the 256-bit hash? If yes, warn user; if not, continue silently.
Convinced? Well, here's how it really works:
1- <insert name here> tells Google to monitor www.terrorist.com
2- Google adds the 32-bit hash of www.terrorist.com to the list
3- when the browser sends a request for the 256-bit hash of www.terrorist.com, Google replies with a hash that does not match www.terrorist.com
4- the user notices nothing strange and continues browsing
5- Google sends <insert name here> a list of all the people browsing on www.terrorist.com, identified through cookies (including their GMail password).
Please forget the usual "??? - Profit!" jokes, and go warn the Firefox developers.
My first program:
Hell Segmentation fault
We need to educate users to check the URL before entering anything. Any time you rely on a technological solution to a social problem you end up with woes.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
Note that the anti-phishing feature makes Firefox slow over time.
This is history repeating itself. At first, blacklists seem like a good idea, they gain a following and become more influential. With rising influence they draw the attention of their enemies. The black lists either become overloaded with evasive maneuvers or accept increasing amounts of collateral damage, either as a form of kin liability or simply as a time-saving broad brush. It's not a simple mistake which can be avoided with better care. It's inevitability. All blacklists do it. Blacklists are an inherently bad idea.
Putting anti-phishing filters into browsers just shifts the responsibility of good security practices from the user to some blacklisting company. What incentive is there to be weary about suspicious sites if you can count on the almighty Google to hold your hand while you browse the Web? This makes about as much sense as someone installing parental controls in their machine and declaring that their Internet connection is now "kid-friendly."
I've never had these filters turned on, and I've never exposed my financial data to others by accident. Usually this has something to do with me hovering the mouse over links and checking the URL in the status bar.
If you're serious about blocking phishing sites, you have to accept some collateral damage. Blocking by URL stopped working last year; most attacks have unique URLs now. Many have unique subdomains. So you have to block at the second-level domain level to be effective.
We publish a list of major domains being exploited by phishing scams. Today, there are 46 domains listed. eBay, for example, is on the list, because eBay has an open redirector exploit. Click on that URL. It says "ebay.com", right? It looks like eBay, right? It's not.
On the other hand, "tinyurl.com", which used to be popular with phishers, has been able to get off the blacklist by cracking down on misuse of their service. It's possible to do redirection competently.
When we started our list last year, it had about 175 exploited domains. After some serious nagging and an article in The Register, we're down to 46. And only 11 have been on the list for more than three months; the others come and go as exploits are reported and holes plugged. So this is a problem that can be solved.
I'm glad to see Google taking a hard line on this. It's necessary that sites that do redirection feel the pain when they accept redirects to hostile sites. Google can apply much more pain that we can. Few sites will want to be on Google's blacklist for long.
This is something that strikes me as the first time Firefox really pushed something out by default that shouldn't be. Just for one example, people who are on LTSP networks, say, 200 users, will ALL download anti-phishing, anti-malware blacklists from Google, each in their own home directory. There's no way that I know of, anyway, to share this data - SQLite seems to make it impossible. That's the first mistake in creating a compatible, light web browser.
The second mistake is enabling website blocking based on 3rd party blacklists by default. This is basically Microsoft UI thinking - "You *need* this because you don't know any better." Screw that. I mean, make it a checkbox on setup - "Use Google-provided anti-malware blacklists" Simple as that. I spent weeks trying to find out why, after just a few Firefox instances were launched on an LTSP server, none more would load - part of this was because every user logging in was trying to download the anti-malware stuff from Google, saturating the line, and preventing Firefox from loading for the first time.
I hope the Firefox devs will take all scenarios into account when making changes. It seems lame that every user needs all of the stuff in places.sqlite. And even if you argue with that, at the LEAST make it cross-DB compatible, so you can put everyone's in a nice big central MySQL database.
It is pitch black. You are likely to be eaten by a grue.
My position is that dynamic DNS services have nothing to do with phishing and scamming. Since either way, the URL is phony, there's not much practical difference between running a fake hotmail site at http://h0tm4il.mine.ru/ rather than at http://24.64.197.48./ There aren't many people out there who would be fooled by one but not the other.
DRM: Terminator crops for your mind!
Never ascribe to malice what can be equally ascribed to incompetence.
The corollary of this is, of course, that you should still be wary of single points of failure, even if you do not believe they will fail you on purpose.
Please correct me if I got my facts wrong.
But what about legit sites? I don't mean these dynamic that could be nice one day and nasty the next either. I have noticed for the past week and a half or so Firefox has been screaming Freeware World Team is a malicious malware site. I have been using FWT for nearly a decade to find little niche freeware to fill jobs me or my customers needed done and never had so much as a piece of spyware. So maybe we should have more than one group comparing their notes to make up our anti phishing/anti malware lists? Because it seems like a false positive could really hurt a business,and could possibly even be used by a rival to cause real damage when their competitor is in bad shape. But as always this is my 02c,YMMV
ACs don't waste your time replying, your posts are never seen by me.
Except that none of us use IE, so they could very well block the same domains in IE7's phishing filter and we'd never know it.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I don't know anything about the FWT site; it may be fine. However, do remember that just because a site is trustworthy over time doesn't mean it is trustworthy today , on this visit.
I just had that driven home for me the other day. In my off time, I am a youth soccer coach. The website for our league has been fine for several years. Last week I visited it and got the malware warning from FireFox. I checked with the webmaster and sure enough, they had gotten hit with a SQL injection attack and had indeed gotten malware of some sort hosted on the site.
So, FWT may be a false positive - but it is at leat possible that they also got successfully attacked.
We really don't have a good system to evaluate trust on the fly due to the dynamic nature of internet content. A page that was fine 20 minutes ago may attack you now.
That's why huge numbers of people have and are dumping it for Chrome.
Firefox is an gigantic mess of a codebase that is years overdue for having a complete rewrite from scratch. Or even better just dump the shitpile that is the Firefox source and fork off a version of Chrome.
LOL: Dear asshole wishful thinking is not a good replacement for reality.
Nice trolling here. The "anti phishing" option in IE7 slows down your surfing considerably, which is why most of our users (freemail service) disable it so they don't have to wait 10-40 sek. to log out of the webmailer (IE7 does not complete the logout until the URL has been "confirmed" being "good", which sadly takes "ages" even via DSL, let alone dialup...). MS keeps its own blacklist and it is naturally just a matter of time until they have bad entries there, too. Apart from that, who'd really trust MS to tell their browser what's good and what's bad?
anything within shacknet.nu subdomain - also provided for free by dyndns.com - got blacklisted as well.
Shit happens. Yes, it sucks, but it happens. Now, should we try to blow up the googleplex? No. Google are not blocking based on a secret agenda here, and you can bypass it or turn off the feature. OK, it'd be nice if you could choose who provides the service, but overall, it's not that big a deal.
-- Lattyware (www.lattyware.co.uk)
I believe that Spamhaus does not block anything. It reports opinions based on users' experiences and leaves it to individuals to make their own judgements and act accordingly
Whats about blocking Google, with their search users can be found malicious websites
It's just not going to happen. We like to think that "everyone" is capable of understanding what is going on when they browse the web, but that's wishful thinking.
It will be a LONG time until you can ever hope that the general public is as smart as the malicious few out there. Until then technology solutions will continue to be needed, desired and our best bet in combating this. Hell, they always will.
Except that none of us use IE, so they could very well block the same domains in IE7's phishing filter and we'd never know it.
While you may not use IE, some of us do. Just use the right tool for the right job.
Case and point: My online college coursework sometimes disappears if submitted using FF3. Using IE8 beta does not (and it worked fine under IE7 as well).
Yet another case and point: Flash videos under Ubuntu 8.04 with FF3 crash the browser every 4th video. FF3 under windows works without a hitch.
Well, there's a pair of boobies poking out at you on the mine.ru page.
Get your own free personal location tracker
Google search, email. advertising, mapping, etc., etc., and now self appointed non-reviewed internet police department.
Uhm, that's a bad scene folks.
Safe Browsing
Diagnostic page for mine.nu/
What is the current listing status for mine.nu/?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 4329 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 09/21/2008, and suspicious content was never found on this site within the past 90 days.
Malicious software includes 7523 scripting exploit(s), 2911 trojan(s). Successful infection resulted in an average of 0 new processes on the target machine.
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, mine.nu/ appeared to function as an intermediary for the infection of 183 site(s) including culportal.info, mipt.ru, baikal-discovery.ru.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 932 domain(s), including bernard-becker.com, mipt.ru, dhammasara.com.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:
* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
The summary is terrible. It doesn't provide any information whatsoever, and makes a lot of claims that I'm apparently to take at face value. There's not even an article. Okay, that's not exactly new for Slashdot posts. Whatever. It took me several re-reads to figure out what the hell they were even talking about -- what the fuck does Slashdot have to do with Google? After sifting through the comments, I'm _guessing_ it has something to do with the new anti-phishing protections in Firefox 3 (and maybe they exist in Firefox 2 as well; I can't be bothered to check). But where the fuck does Google come in? No one even bothers to tell you, and apparently it's expected to be common knowledge (no one else has even asked).
I have seen those stupid Google warning pages that I get when I try to visit a page it has "blocked" for "my safety," which is completely and utterly fucking ridiculous. If I didn't want to click on a god damn motherfucking page, I wouldn't click on it. That's one of the reasons I'm about to stop using Google. I don't need a fucking search engine to hold my hand. That's also the reason I've turned off anti-phishing in Firefox whenever I've seen the option, because I'm not a complete fucking idiot. So I'm going to make a WILD conclusion that Google is sharing this list with Firefox. One post suggested that a hash of an IP address and/or hostname was sent to Google to check against their list. If that's the case, then that's even more ridiculous than I had ever suspected.
Both Firefox and Google can fuck off. They're both shit by now anyway.
Although a great idea, it won't work. Even when you speak to each person individualy, they will not understand the danger unless they are either technicaly savy enough or if they have been abused in some way because of it. And even then they will most likely not care. They clicked on 10.000.000 links so the next one won't be so bad and they have a virus program, so they MUST be safe, right?
It is as if you try to explain to RMS that personal presentation is importand for many people.
Don't fight for your country, if your country does not fight for you.
Maybe, but I'm still against the false sense of security these "anti-phishing" tools provide. And although I see it may be a necessary evil, it bugs me how many legitimate sites are going to be burned by this.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
"There's no way that I know of, anyway, to share this data - SQLite seems to make it impossible."
Well, I doubt it's SQLite that makes it impossible, it's more that you don't want ordinary users writing to a single shared blacklist. Because if a user can download and write good data to it, they can write bad data to it.
Suddenly all it takes is for one user to click on the dancing bunnies, and they're running a daemon without knowing it that writes bad data to the blacklist, monitors the list for changes, and rewrites it if any of the other users change it back to what it "should" be. That fucks things up for *everyone*, which kind of defeats the whole idea of having separate user accounts that protect everyone from each other.
"The second mistake is enabling website blocking based on 3rd party blacklists by default."
If you don't do that then non-geeks - the people who need this most - will never find it to switch it on. If you're a geek and you don't like it and are smart enough to spot phishing attempts yourself (and good luck with that by the way; I've seen reports of many trials here on /. where even seasoned network admins don't get a 100% success rate at spotting them) then you're probably smart enough to find the checkbox to disable it.
"And even if you argue with that, at the LEAST make it cross-DB compatible, so you can put everyone's in a nice big central MySQL database."
Bleargh! You want a DB-abstraction layer so that ... everyone can write to the same DB? That will add bloat and do nothing to fix the problem.
If you make the database writable only by root/Administrator and have a separate daemon/service that runs as that user to update, with all users having read-only access, that would solve your problem. But then someone else would complain that this service was running and creating network traffic uselessly when no-one was actually running firefox, or even logged in.
For a home user, what they've got makes sense. If you're running a reasonable-sized network, or have something like LTSP, you should be able to set up Squid proxy (or similar) so that only one user causes the list to be fetched from the network and everyone else loads your cached copy.
Make it do the right thing for n00bs out of the box. Experts can configure it differently for themselves because, well, they're experts.
Why doesn't the gene pool have a life guard?
Which is why I use Noscript and have begun giving it to my customers and teaching them how to use it. JavaScript has become simply too dangerous,much like ActiveX was during its heyday. I have found that most sites work just fine without JScripting,in fact they usually load quicker.
So does anyone know how to turn the stupid malware alert in Firefox off? With Noscript I don't really need it,and I'm certainly not going to any website by email links. but FWT has the best freeware search engine I have ever seen,and use the site several times a day to find freeware to do a niche job,and it is really irritating to have to click on the website two or three times just to get the thing to go away. So is there anyway to turn it off,or at least tell it to quit bothering me about FWT? Because it is beginning to bug me enough that I have been using Kmeleon with Noscript,but I really miss my other extensions. And as always this is my 02c,YMMV
ACs don't waste your time replying, your posts are never seen by me.
oh yes, ddns providers usually check what people do with each registered domain because they don't have anything better to do.. and for your super-practical solution "pay for your domain, pay for your ssl cert, pay for..." i know a much better bush-stile-solution: unplug your fucking internet connection to stay secure and leave us alone. it is NOT normal to ban thousends of domains because someone has used the service for pishing
A page that was fine 20 minutes ago may attack you now.
You're saying websites are like women?!?
Preferences->Security
"Tell me if the site I'm visiting is a suspect attack site"
"Tell me if the site I'm visiting is a suspect forgery"
First of all, let me point out that I started PhishTank.com, which is a free + community-managed version of what Google's anti-phishing service does. Our service is in use by OpenDNS, Yahoo Mail, Kaspersky and countless other large and small companies (and researchers, too), so my thoughts are both highly informed, but also biased.
The main issue comes down to control. When something is blocked incorrectly, as it inevitably will, do you have the ability to by pass it easily? If you are the webmaster, do you have a clear path to get it resolved in a timely manner?
The mechanism Googlefox uses to automagically enable and block malicious sites is very very aggressive and it's not very clear how users can disable the feature. Additionally, the "let me through to the site" often doesn't work, and it requires you to re-validate on every pageload. It's a user experience nightmare, effectively removing control from the user.
As a publisher, it's not clear how to get yourself unblocked or how to escalate your concern. You can fill out a form with Google, but there is zero transparency into that process.
At PhishTank, we allow all users, and site owners, to flag what they believe is a mistake. It almost never is a mistake, more often they've simply corrected the issue. We make it easy for publishers and users to see the history of data in our system.
At the end of the day, you need to have an open system that is transparent and reliable. A security system that is inside a blackbox is no kind of security system at all.
-davidu
# Hack the planet, it's important.
This time google was fast.
I don't think it's a very bright idea to visit a reported attack site regardless of what browser and security addons you have. I'd leave it on and not use FWT until the alert goes away (presumably it's because it was hacked or has an evil third-party advertisement).
Basically any site that includes a forum can get blocked if someone in the forum links to something considered malware. I actually have no idea how places like Slashdot haven't gotten blocked for that (maybe they special-case high-profile sites?), but a bunch of smaller sites with forums like ratebeer and Gamasutra have gotten blocked repeatedly.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
The biggest problem for me isn't the default blocking and a need for me to manually verify if I do indeed want to visit the site after seeing the warning. It's that I can't then tell it to go away. Even if I click "ignore", it'll then load the site, but it'll pop up the red block screen every single time I click on another link to another part of the site. It also throws away POST data when doing this, so I can't use search features on sites. There's no way to add an exception, like "foo.com really is OK, I mean it, now shut the fuck up about it forever".
The only way to get that functionality is to turn the "anti-phishing protection" off entirely, so that's what I did of necessity, since it's not usable otherwise.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Maybe not h0tm4il, but what about hotmailsecure.mine.ru, or www.hotmail.mine.ru? Not everyone knows that Russia is a key area for phishing, and almost nobody technical would get the link between .ru and Russia anyway. Most people wouldn't be able to tell you how a URL is formed (the combination of little and big endian can be very confusing), and even if you get the basic concepts, there are other techniques that can be used to obfuscate the URL.
I do not recognize any proof or intention to proof that information is harmful (to child).
Never, mind, people just use their power. Do you?
URL has been "confirmed" being "good", which sadly takes "ages" even via DSL, let alone dialup
Really, the server processes the confirmation request and sends back that byte of information over your connection slower if you are using dialup?
Wow, you are super smart, can I be your friend?
Geesh...
MS keeps its own blacklist
MS's blacklist is a community created and supported blacklist, not just a service or a list that one company can go 'bang' and kill a domain. Even MS isn't stupid enough to give themselves that kind of power. (Apparently Google is that stupid *cough*)
You also seem to not understand how IE works with MS anti-phising, if you think it slows down the browser, as the content is downloaded while the URL is being checked, so it doesn't slow down page loads like OTHER browsers or anti-phising technoloogies do.
Maybe research the Anti-Phishing technology MS uses next time and not make up crap on the fly.
LOL: Dear asshole wishful thinking is not a good replacement for reality.
I assume this is something you have experienced to the point of becoming an expert?
OSS will kill Microsoft, the Desktop computer is a thing of the past, Firefox is more secure than IE7, OS X is more secure than Vista, Linux will replace Windows on the Desktop (insert year here).
Sadly even as many times as this crap is repeated on SlashDot and other publications, it still isn't true, and looks like it won't be true for a long time if ever based on the current trend.
Microsoft is stronger and richer than ever, hows that for reality?
same domains in IE7's phishing filter
But here is a part of the point being made. MS's Anti-Phishing doesn't block complete domains in one whack.
URL based checking vs domain based seems a bit 'brighter' to me, and apparently with this example in the news, it is.
*snip* ...and rewrites it if any of the other users change it back to what it "should" be. That fucks things up for *everyone*, which kind of defeats the whole idea of having separate user accounts that protect everyone from each other.
I think you're misunderstanding the usage of FF's anti-phishing blacklists. Think of it as anti-virus definitions. You only need ONE copy. See http://www.mozilla.com/en-US/firefox/phishing-protection/ for more information. Downloading individual blacklists per-user would be like downloading anti-virus definitions per-user. Completely redundant.
You also seemed to miss my point regarding places.sqlite - it stores user history, bookmarks, and other things. Think of what you could do with multi-user access to this information (provided the DB tables are secured properly) - shared history, shared bookmarks...Mmmm...that's music to any administrator's ears that wants to share information, in say, a school. Shared bookmarks for each class. Shared history so someone can just say "go to my history" for a website. How cool would that be?
It is pitch black. You are likely to be eaten by a grue.
"Think of it as anti-virus definitions. You only need ONE copy."
Yes, but how is that one copy updated? If it's not by a central daemon/service that runs even if no-one is logged in, then it has to be run by a user while they're running Firefox. If that is the case, that user needs write access to the shared database in order to write the updated definition. In which case, if you have a malicious user (or code running as a malicious user, thanks to a dancing bunnies error) who can write to the database, they can erase or alter the contents of the blacklist for everyone on the system.
"You also seemed to miss my point regarding places.sqlite"
Oh yeah, I did miss that bit. It is a pretty interesting idea, and could have the potential to be awesome.
But you still don't need a MySQL server to do it. SQLite (at least according to the docs I've read) can support a single writer/multiple readers of the same DB. So even with SQLite, if each users' places.sqlite is writable by them but readable by everyone, then you should still be able to tell someone to see your bookmarks, and have Firefox automatically look in "/home/[user]/.mozilla/firefox/[salt].default/places.sqlite" (or the Windows equivalent) to find it.
You can use all the standard file permissions that you'd need to use anyway to share other data between members of the same project/class/etc...
Why doesn't the gene pool have a life guard?
Actually, only the torso on which said boobies are attached. The rest of the body is not visible so we don't really know whether she's human or some alien race we haven't met before.
8 of 13 people found this answer helpful. Did you?
Install proxy.
Block: sb.google.com
Problem solved. :-)
Maybe a solution to the line overload would be using a caching Web Proxy in the middle, if not directly in the L
My 2c
... yeah right
Hot Russian space-babe?
Get your own free personal location tracker