Slashdot Mirror


Not Just Equifax. Rival Site Transunion Served Malware Too -- and 1,000 More Sites (arstechnica.com)

An anonymous reader quotes Ars Technica: Equifax isn't the only credit-reporting behemoth with a website redirecting visitors to fake Adobe Flash updates. A security researcher from AV provider Malwarebytes said transunioncentroamerica.com, a TransUnion site serving people in Central America, [was] also sending visitors to the fraudulent updates and other types of malicious pages... Malwarebytes security researcher Jerome Segura says he was able to repeatedly reproduce a similar chain of fraudulent redirects when he pointed his browser to the transunioncentroamerica.com site. On some occasions, the final link in the chain would push a fake Flash update. In other cases, it delivered an exploit kit that tried to infect computers with unpatched browsers or browser plugins... "This is not something users want to have," Segura told Ars...

Equifax on Thursday was quick to say that its systems were never compromised in the attacks. TransUnion said much the same thing. This is an important distinction in some respects because it means that the redirections weren't the result of attackers having access to restricted parts of either company's networks. At the same time, the incidents show that visitors to both sites remain much more vulnerable to malicious content than they should be.

Both sites hosted fireclick.js, an old script from a small web analytics company which pulls pages from sites like Akamai, SiteStats.info, and Ostats.net. "It appears that attackers have compromised the third-party library," writes BankInfoSecurity, adding that Malwarebytes estimates over a 1,000 more sites are using the same library.
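An added example, not part of the Slashdot summary or the Ars Technica article: a Python audit of a page's static script tags, prompted by the fireclick.js incident described above. It flags third-party scripts loaded without Subresource Integrity (SRI) or over plain HTTP and drafts a CSP script-src allowlist. The page URL, vendor hosts, script body and HTML are constructed sample values; note that a loader hosted on the site itself, such as /js/fireclick.js here, passes the static check.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384) for a reviewed script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def verify_sri(integrity: str, body: bytes) -> bool:
    """True if one of the tokens in an integrity attribute matches body."""
    return sri_hash(body) in integrity.split()


class ScriptInventory(HTMLParser):
    """Collect every external <script src=...> referenced by a page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if not attr.get("src"):
            return  # inline script: no external file to pin
        url = urljoin(self.page_url, attr["src"])  # resolves /path and //host
        parts = urlsplit(url)
        self.scripts.append({
            "url": url,
            "third_party": parts.hostname != self.page_host,
            "plain_http": parts.scheme == "http",
            "integrity": attr.get("integrity") or "",
        })


def audit(page_url: str, html: str):
    """Return (inventory, findings) for the static script tags in html."""
    inv = ScriptInventory(page_url)
    inv.feed(html)
    findings = []
    for s in inv.scripts:
        if s["plain_http"]:
            findings.append((s["url"], "loaded over plain HTTP"))
        if s["third_party"] and not s["integrity"]:
            findings.append((s["url"], "third-party script without SRI"))
    return inv.scripts, findings


def csp_script_src(scripts) -> str:
    """Draft a script-src allowlist from the HTTPS third-party origins found.

    Without 'unsafe-inline', this policy also blocks inline scripts.
    """
    origins = sorted({
        "https://" + urlsplit(s["url"]).hostname
        for s in scripts
        if s["third_party"] and not s["plain_http"]
    })
    return " ".join(["script-src", "'self'", *origins])


# Constructed sample input (not taken from either affected site).
PAGE_URL = "https://www.site.example/"
REVIEWED_COPY = b"/* constructed stand-in for a reviewed vendor script */"
SAMPLE_HTML = f"""
<html><head>
<script src="/js/fireclick.js"></script>
<script src="//stats.vendor.example/collect.js"></script>
<script src="http://cdn.vendor.example/lib.js"></script>
<script src="https://cdn.vendor.example/pinned.js"
        integrity="{sri_hash(REVIEWED_COPY)}" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    scripts, findings = audit(PAGE_URL, SAMPLE_HTML)
    for url, issue in findings:
        print(f"{issue}: {url}")
    print("Content-Security-Policy:", csp_script_src(scripts))
    pinned = scripts[-1]["integrity"]
    print("reviewed copy matches:", verify_sri(pinned, REVIEWED_COPY))
    print("modified copy matches:", verify_sri(pinned, REVIEWED_COPY + b"x"))
```

script-src only limits where scripts may be loaded from; a script that is allowed to run can still navigate the page, so serving a reviewed, pinned copy remains the stronger control.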

68 comments

  1. That's it. by jargonburn · · Score: 2

    Kill it! Kill it with fire!
    Seriously.

    1. Re:That's it. by Aighearach · · Score: 2

      "Whatever the problem, solve it with fire! ;)" -- Magical Kyoko

  2. Have incompetent security, get hacked by gweihir · · Score: 3, Insightful

    Nothing surprising here. And unless these people get limited in their greed and stupidity by really unpleasant and, most important, personal consequences for the CEO when that happens, nothing will change. No, I am not talking about firing them. I am talking about them paying for the damage and, depending how extreme their failure, prison time.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Have incompetent security, get hacked by Anonymous Coward · · Score: 0

      You're completely nuts. It's not unusual for a 3rd party analytics site or ad network to get compromised and start serving up malware directly, or redirect to a malware site. Just fucking google it there's plenty of examples. It's just unfortunate timing for Equifax to be hit with this now after the major breach they had earlier. As the TFS stated, "a 1000" more sites using that same analytic company's js script would be also redirecting users to malware sites. Are you going to imprison the owners of those sites too?

    2. Re:Have incompetent security, get hacked by Anonymous Coward · · Score: 1

      Yes, it's true, there's no penalty for incompetence, and until people start going to prison for their incompetence, nothing is going to change. But you're missing the bigger problem here, one that is running rampant across the Internet. I predicted this a long time ago.

      The Internet is now filled with thousands of middlemen. Ad networks, ad brokers, analytics companies, etc....... and websites are blindly pulling in JavaScript from all these middlemen. All someone has to do is compromise one of these middlemen and they can inflict a lot of damage.

      We've already seen this with ads on high profile "respectable" websites delivering malware. This is just another variation of that same problem. You don't have to hack Equifax or any other website. If you can compromise one of the middlemen it opens up hundreds or even thousands of websites to your malware all at once.

      And it's all because of the insane stupidity of websites blindly pulling in third party Javascript from companies with questionable integrity and even more questionable security.

    3. Re:Have incompetent security, get hacked by CaptainDork · · Score: 1

      This.

      NOTHING will change until litigation kicks in.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Have incompetent security, get hacked by Anonymous Coward · · Score: 0, Offtopic

      You mean until the Republicans get ousted from non-power.

    5. Re:Have incompetent security, get hacked by Billly+Gates · · Score: 2

      This.

      NOTHING will change until litigation kicks in.

      HA! Good luck buddy. I read Trans-Union makes $233 million a year from these adnetworks. You think they will sit and take this or fight out tooth and nail!

      We have a political party who feels any regulation === communism and we will turn into Venezuela if we secure people quite literally! Diane Feinstein who is the leader of the other party is based in Silicon Valley.

      You think Silicon Valley who makes up her district which makes money off these slimy ad networks and supplies her with voters and millions of campaign contributions is going to put an end to this? Hell no!

      I would not be surprised if the new tax bill includes sections to PREVENT litigation in order to help secure the job creators and Miss Feinstein will side with the Republicans on this based on her district and money from the .COMs she has received who do not want to be sued.

      The corruption is so bad it stinks and everyone who is doing the ill deeds are selfish to the nth degree and only care about their own interests.

    6. Re: Have incompetent security, get hacked by Monster_user · · Score: 1

      Unfortunate timing?

      Hopefully it is fortunate timing. This malvertising is a matter which needs attention, and companies with information that has been considered sensitive, like Trans Union and Equifax, should not be vulnerable to malvertising. Especially if they are so lucrative.

      They're not Google, they don't make money from advertising to visitors to their site, right? How many people used their site and clicked on their ads before this incident? This shouldn't have been a problem to begin with. This isn't Facebook or MSN.com, this vulnerability shouldn't have existed to begin with.

    7. Re: Have incompetent security, get hacked by Anonymous Coward · · Score: 1

      They can't get prison time because any of their assets becomes evidence since you have to have a trial first. The 1% use credit too, if you catch my meaning. So, they'll just scapegoat until people stop caring instead.

    8. Re:Have incompetent security, get hacked by CaptainDork · · Score: 2

      Your remarks address issues other than legal.

      "Those who don't learn from history are bound to repeat it. Those who do learn are bound to predict it." ~ © 2017 CaptainDork

      For a template of what's to come, look at fire codes.

      We did not have those until a critical number of people died.

      We are on a similar trajectory for data security.

      "Enough is enough and more than enough is too late." ~ © 2017 CaptainDork

      When "All your base are belong to us," litigation will kick in.

      So it is written, so let it be done.

      --
      It little behooves the best of us to comment on the rest of us.
    9. Re:Have incompetent security, get hacked by Khyber · · Score: 1

      "personal consequences for the CEO "

      Fuck that, personal consequences for all of the shareholders. This is THEIR property. If their property causes damage to other people, they're on the fucking hook.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    10. Re: Have incompetent security, get hacked by Brockmire · · Score: 1

      Quoting yourself is the first listing in "how to detect a douche"

    11. Re:Have incompetent security, get hacked by gweihir · · Score: 1

      They chose to embed 3rd party analytics, which then turned out to be insecure. This is either entirely their fault, or they must have a contract in place that applies the consequences I described to the CEO of the company that supplied the analytics. Seriously, people that mess up must feel consequences.

      As long as it is not gross negligence, I have no problem with the CEO actually getting insurance for this, but the damage must be paid for in full and at a realistic rate.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:Have incompetent security, get hacked by gweihir · · Score: 1

      I believe I do see the bigger problem. If you pull in stuff from middlemen, then it is _your_ responsibility to make sure it is safe. I fully agree on your last sentence.

      Of course, this is within reason. A food-store, for example, does not need to test anything it sells for poison. They can reasonably expect the food they get delivered from suppliers is clean, unless they get notified otherwise. The same is currently not true for anything you pull into your site from a 3rd party.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Have incompetent security, get hacked by gweihir · · Score: 2

      Indeed. People do stupid things until something really important breaks. Then some measures are put in place, these days usually via liability. Then more important things break. Then some better measures are put in place. Repeat until breaking of important things gets rare enough that people forget (Tchernobyl...Fuckushima: 25 years).

      Those who do learn are a small minority and usually ignored, see also the story of Kassandra. All others usually need several catastrophes to get a glimmer of insight that things maybe should be done differently.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Have incompetent security, get hacked by gweihir · · Score: 1

      Might also work for publicly traded companies. Not all are.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re: Have incompetent security, get hacked by CaptainDork · · Score: 1

      Quoting yourself is the first listing in "how to detect a douche"

      Wrong.

      1. He Has “Lines”

      --
      It little behooves the best of us to comment on the rest of us.
  3. Stop blaming incompetent security pros by Anonymous Coward · · Score: 0

    When security pros recommend something management often turns it down because it's expensive or complex. It's the management that assesses and manages risk. The info sec engineers advise and implement.

  4. It's not Equifix or TransUnion by Billly+Gates · · Score: 5, Informative

    Each site freaking horrible 20+ ad networks, brokers, analytics, and marketing networks middleman who are the ones being compromised. It is the fireclick.js which directs data from somewhere that uses data from somewhere which then piggybacks from somewhere else until BAM the malware JS gets executed and the pop up appears.

    This system is totally unacceptable and retarded! All it takes if you use 20 different ad networks with ad brokers getting things from the highest bidder is JUST ONE compromised or malicious player and the trust is done.

    Looking at the rest of the site (I am not a web architect but others reading this post who are please reply) show some red flags. Curl shows it uses IIS 7.5 which went EOL in 2015! No COR headers so cross domain shit can be run from anywhere from the network of players, and no forcing HTTPS to prevent snooping in a man in the middle attack.

    This is why we run adblockers. And website owners have the gullibility to call us thieves for doing so. I mean even the bad SSL certificates have trusts in a chain. There is no trust when anyone can insert themselves in without encryption.

    We need a better solution from the IEEE or W3C or something to address the problem.

    1. Re:It's not Equifix or TransUnion by Anonymous Coward · · Score: 0

      We need a better solution from the IEEE or W3C or something to address the problem.

      People got mad when they standardized DRM, now you want them to standardize pervasive incompetence and tracking and analyzing your every move?

    2. Re:It's not Equifix or TransUnion by Scutter · · Score: 5, Insightful

      If it's your website, you are responsible for the ad content you serve on it. This ridiculous "pass the buck" ecosystem that we've allowed to be created is the problem. End users who get infected by a bad site are told "Oh, gee, well I guess you should just use an antivirus. Also, pretty please turn off your ad blocker so we can make a little money to keep the site running for you?". The end user has no way of knowing who the ad network is, nor do they have any way to hold that network responsible.

      No, this is ABSOLUTELY Equifax and Transunion's fault. THEY are serving bad ads on their site. THEY are the ones who contracted with companies with terrible security. THEY are the ones inserting that bad security into their web site. THEY are responsible for any breaches as a result of that negligence. It's time to stop allowing these sites to keep getting away with this behavior over and over.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    3. Re:It's not Equifix or TransUnion by Billly+Gates · · Score: 2

      If it's your website, you are responsible for the ad content you serve on it. This ridiculous "pass the buck" ecosystem that we've allowed to be created is the problem. End users who get infected by a bad site are told "Oh, gee, well I guess you should just use an antivirus. Also, pretty please turn off your ad blocker so we can make a little money to keep the site running for you?". The end user has no way of knowing who the ad network is, nor do they have any way to hold that network responsible.

      No, this is ABSOLUTELY Equifax and Transunion's fault. THEY are serving bad ads on their site. THEY are the ones who contracted with companies with terrible security. THEY are the ones inserting that bad security into their web site. THEY are responsible for any breaches as a result of that negligence. It's time to stop allowing these sites to keep getting away with this behavior over and over.

      They are a for profit company. A comment in the parent URL mentioned they make $233,000,000 a year in ads. That is a lot of cash. They can't just say no. The shareholders have a right to demand a return and not make their website for free as it costs money to produce and Trans-Union has a fiduciary responsibility.

      Who they outsource with has no control who they outsource with and they bid with another sourcer and so on. It's impossible to keep track and secure.

    4. Re: It's not Equifix or TransUnion by Anonymous Coward · · Score: 0

      I mean I hate the credit tracking companies too, but ultimately the responsibility of this lies with the makers of fireclick.

    5. Re:It's not Equifix or TransUnion by Scutter · · Score: 1

      Are you actually saying that it's not their fault because A) the ads make them money, and B) the contracts are too hard to understand? Is that really what you are claiming? Because that is laughable at best and moronically idiotic at worst.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    6. Re:It's not Equifix or TransUnion by Billly+Gates · · Score: 1

      Are you actually saying that it's not their fault because A) the ads make them money, and B) the contracts are too hard to understand? Is that really what you are claiming? Because that is laughable at best and moronically idiotic at worst.

      No. What I am saying basically is the CEO can't turn off the adnetworks as he would be fired immediately. What we have in my other post is a broken system that even if you sign such a contract with an ad network it is still out of their control as they outsource to someone and so forth. I am sure they have clauses in these to prevent them from being sued due to incompetence down the chain.

      We need to verify the identity similar to how DNS is being used to prevent spam/phishing in Email with DKIM keys in the DNS records. Even then all someone has to do is hack one of the *trusted* partners or channels to infect the whole chain.

      I would be in favor of the government forcing insurance on websites for liability. This would force auditors to put in security but it won't happen as the US government is way too far to the right now to believe in regulation not to mention Silicon Valley is in the district of the top Democrat Miss Feinstein who also don't want to be sued or pay for insurance and will fight tooth and nail via campaign contributions.

      We need a solution to keep the ads in (as sorry but you will never see anyone say no to money), but verify content has not been altered via a man in the middle and to verify the identity of each player and a trust needs to be setup similar how we use certificates for websites today. Just a few ideas.

    7. Re: It's not Equifix or TransUnion by Monster_user · · Score: 2

      No. The solution is that there should be such backlash and such bad press from advertising on sites for high profit companies centered around highly sensitive information, like Equifax and Transunion, or sites which contain HIPAA protected information, etc., that risking malvertising should result in the immediate firing of a CEO, CIO and CTO.

      They should not be forgiven for this. Forgiving them only encourages negligence in the name of profit. What benefit is it to the consumer to have their data and personal computer put at unnecessary risk? What benefit is there to the economy to increase the amount of micromanagement required of every citizen?

    8. Re:It's not Equifix or TransUnion by Anonymous Coward · · Score: 0

      None of which absolves them of responsibility.

      They could tell the shareholders "we can't serve ads on our website because the ad-serving ecosystem is insecure." Until the shareholders vote to force the issue, the argument "well the shareholders will demand it" is completely bogus.

      They profit from it, they must take ownership of it. Same goes for the rest of the industry.

    9. Re: It's not Equifix or TransUnion by Billly+Gates · · Score: 1

      No. The solution is that there should be such backlash and such bad press from advertising on sites for high profit companies centered around highly sensitive information, like Equifax and Transunion, or sites which contain HIPAA protected information, etc., that risking malvertising should result in the immediate firing of a CEO, CIO and CTO.

      They should not be forgiven for this. Forgiving them only encourages negligence in the name of profit. What benefit is it to the consumer to have their data and personal computer put at unnecessary risk? What benefit is there to the economy to increase the amount of micromanagement required of every citizen?

      You can't change human nature my friend. Money talks shit walks is an old 1980s saying that rings so true. Greed wins every time throughout history and is part of our human psyche. Even if you make a new HIPAA act you still have the problem of the rest of the web including the 1,000 other sites.

      Website owners have a right to want to be paid and not host things for free. The solution should be a safe way to do this and an organization like we do with SSL certificates monitor it. I still will use an ad blocker, but am not opposed for ethical safe ads to help out sites like slashdot.org who I want to help. I can't because before I used Adblock my AV scanner caught a malvertisement with a banking trojan here on www.slashdot.org in 2011!

      I am not opposed to more regulation. I think using old browsers, unpatched WWW software, and not using standard good security practices should be a hefty penalty with HIPAA or PCI (credit cards). But that is not going to happen with the Trump Whitehouse and Republicans owning both houses.

    10. Re:It's not Equifix or TransUnion by Anonymous Coward · · Score: 0

      None of which absolves them of responsibility.

      They could tell the shareholders "we can't serve ads on our website because the ad-serving ecosystem is insecure." Until the shareholders vote to force the issue, the argument "well the shareholders will demand it" is completely bogus.

      They profit from it, they must take ownership of it. Same goes for the rest of the industry.

      What?! You just cost us $233 million! You're FIRED!@

    11. Re:It's not Equifix or TransUnion by Anonymous Coward · · Score: 0

      Looking at the rest of the site (I am not a web architect but others reading this post who are please reply) show some red flags. Curl shows it uses IIS 7.5 which went EOL in 2015!

      Not sure what you're talking about - IIS 7.5 is win2008R2, and Microsoft will be releasing patches for that for many years to come:

      https://blogs.technet.microsof...

      win2008R2 is out of "mainstream" support, but is in "extended" support.

      Not that Equifax & Transunion don't have lots of other flaws...

    12. Re:It's not Equifix or TransUnion by Aighearach · · Score: 1

      If it's your website, you are responsible for the ad content you serve on it.

      Instant google monopoly. Who else can you trust to serve ads?

    13. Re:It's not Equifix or TransUnion by Billly+Gates · · Score: 3, Informative

      Looking at the rest of the site (I am not a web architect but others reading this post who are please reply) show some red flags. Curl shows it uses IIS 7.5 which went EOL in 2015!

      Not sure what you're talking about - IIS 7.5 is win2008R2, and Microsoft will be releasing patches for that for many years to come:

      https://blogs.technet.microsof...

      win2008R2 is out of "mainstream" support, but is in "extended" support.

      Not that Equifax & Transunion don't have lots of other flaws...

      Server 2008 R2 is, but IIS 7.5 is not.

    14. Re: It's not Equifix or TransUnion by Anonymous Coward · · Score: 0

      Website owners have a right to want to be paid and not host things for free.

      They certainly have the "right to want". I sometimes dream too. And when I tell some random stranger about it (s)he mostly will look at me as if I'm mad, and either walks away or ignores me. Which is exactly what I normally do with those "I want" website owners.

      And on the off chance that you meant that someone may lawfully expect to be paid for the goods and/or services he delivers, they can. But those expectations come, by law, with duties. Like making clear up front that there is payment involved, what the prices are and how (currency wise) they expected to be paid.

      I do occasionally encounter the (crudely said) "pay or take a hike" website, after which I mentally thank them for giving me the choice (how low has that branch come that I feel I have to be thankful for having been given that choice!?), and hike. No problem.

      However, most sites (which often do not even have anything to sell and are best comparable to art galleries or musea) act very welcoming with their barn doors as wide open as they will permit -- up until the moment you dare to step over the threshold, after which they somehow think they have the right to gauge their <s>visitors</s> victims any way they want (in that regard they act like pickpockets. You never know what hit you until it's way too late to do anything against it)

      So, nowadays I enter every website fully buttoned up, not allowing those entitled entrepreneurs to "have their way" with me.

      tl;dr:
      No, someone putting a website up has no right to demand that others will carry the burden of his choice(s) ?

      If you think so, you've read this post and I now "have the right to want" to be paid by you for my time (time is money). So, when can I expect to get access to your bank account so I can take whatever I think is due to me ?

      Huh ? You won't ? And you're such a proponent of it when it's for the benefit of those poor "website owners". <sarcasm>I don't get it ... </sarcasm>

      Captcha: levies. I get the feeling that some AI is picking them ...

    15. Re:It's not Equifix or TransUnion by Anonymous Coward · · Score: 0

      Server 2008 R2 is, but IIS 7.5 is not.

      Got a reference for that?

      Everything I've read from Microsoft is that parts of windows (like IIS) have the same support policy as the rest of windows.

      For example, here is a fix for IIS running on win2008, released in 2016: https://technet.microsoft.com/...

      And win2008R2 came out after win2008...

    16. Re: It's not Equifix or TransUnion by Anonymous Coward · · Score: 0

      The real question is this: Why the fuck are credit reporting companies (who shouldn't even fucking be connected to the internet in the first place) serving ads at all? Do they not make enough fucking money already?

    17. Re: It's not Equifix or TransUnion by Brockmire · · Score: 1

      Were you born yesterday?

  5. Is that why these executives are paid so much? by Anonymous Coward · · Score: 0

    Because of the awesome responsibilities that only a handful of people can handle? Is that why they never take responsibility when the shit hits the fan? Instead they fire all the employees and get huge bonuses?

    Why do we accept this situation?

  6. I'm actually surprised! by Anonymous Coward · · Score: 0

    I've dealt with all three major credit reporting agencies, and Transunion seemed to be the most technically savvy. The Equifax website, in contrast, has been so broken that I've never been able to request my Equifax credit report electronically--I always need to send a paper request. Experian has always seemed to be a little more technically competent than Equifax, but not as competent as Transunion.

  7. Flash by Anonymous Coward · · Score: 0

    Do people still use this? I haven't had it installed in years. I don't use a browser that has it and sites load just fine.

    Anyway, thanks again useless credit rating agencies. You're doing your job about as well as the ratings agencies did for the subprime crisis.

  8. Third-party javascript includes are EVIL by Anonymous Coward · · Score: 1

    You should never do that on your website.

    By using third-party javascript, you are giving control of your users' web browsing to that third party.

    If any of those third parties are compromised, your users suffer.

    Not to mention it's slow and annoying for all those scripts to run.

    1. Re: Third-party javascript includes are EVIL by Anonymous Coward · · Score: 0

      We need to get rid of JavaScript. We need to use a more secure language in our web sites: Rust. Web browsers should only support running Rust scripts, and only Rust scripts from the same origin as the web page that refers to them. That would avoid a lot of these problems.

    2. Re: Third-party javascript includes are EVIL by Billly+Gates · · Score: 1, Troll

      We need to get rid of JavaScript. We need to use a more secure language in our web sites: Rust. Web browsers should only support running Rust scripts, and only Rust scripts from the same origin as the web page that refers to them. That would avoid a lot of these problems.

      Rust can just as easily display a page asking to install something. A language by default is designed to execute code.

  9. Re:It's not Equifix or TransUnion - YES IT IS by Fly+Swatter · · Score: 3, Insightful

    Companies whose job is to secure the data of an entire nation should have an extreme case of NIH Syndrome. Sadly now it's all copy-paste third party junk that no one can really trust.

  10. Agree. by Anonymous Coward · · Score: 0

    The moral judgment being passed upon users of ad-blocking software is totally unjustified. THE ADS SPREAD MALWARE! That is the bottom line. That alone justifies ad-blocking software.

    When the web sites give you those prompts saying "please disable your ad blocker, we work hard to give you content and need the money" just remember that they are saying "we can't secure our systems, please make your system vulnerable to malware so we can make money!"

    Just say "no."

    1. Re:Agree. by Anonymous Coward · · Score: 0

      web sites give you those prompts saying "please disable your ad blocker, we work hard to give you content and need the money"

      and yet it's amazing how many of those sites will let you waltz right in, ad blocker shields at maximum, as soon as you alter your user agent string to say "I'm the Google Bot Bitch!". If there's one thing that greedy websites cannot ignore, it's the Google bot and the magic page ranking algorithm because they wouldn't dare throw up the "please disable your adblocker" roadblock if it possibly meant that the Google bot wouldn't be able to index their pages. Just tell them that you're the Google bot and they'll be giving you a BJ just as fast as you can unzip your fly.

  11. Easy to stop using hosts file (just like coinhive) by Anonymous Coward · · Score: 1

    Put these in hosts as blocked:

    * To block coinhive https://news.slashdot.org/comments.pl?sid=11233583&cid=55368753/

    APK

    P.S.=> Enjoy (list is from malwarebytes source articles)

  12. You leak my data when I don't have a relationship? by Snotnose · · Score: 1

    Fuck you. You get sued out of existence. Your CXX suite gets sued out of existence (that is, everything you have. Houses, 401ks, whatever). Your board of directors gets sued out of existence.

    Let's be honest. These hacks happen because Those In Charge can't be bothered with security. So, if their lack of attention can throw the rest of my life into the shitter, then their lives also go into the shitter.

  13. Re:You leak my data when I don't have a relationshi by CaptainDork · · Score: 2

    Sorry to inform, but size matters.

    You lose the bankroll battle.

    --
    It little behooves the best of us to comment on the rest of us.
  14. no scripts by Anonymous Coward · · Score: 0

    Scripts are completely unnecessary. The web worked perfectly fine back before all these bells and whistles were added. Things loaded fast, they didn't need so much bandwidth, and things were much more stable - I still have sites where I see the unresponsive script error.

    Some sites have so much crap that they are just unusable. The web is becoming this big fat slow thing that I find myself spending less and less time on.

    1. Re:no scripts by Anonymous Coward · · Score: 0

      Scripts are completely unnecessary. The web worked perfectly fine back before all these bells and whistles were added.

      The real transition was around 2009. That was when the World Wide Web Consortium abandoned the idea of a webpage as a static document, and embraced the idea of a webpage as an interactive application. See

      https://www.cnet.com/news/an-epitaph-for-the-web-standard-xhtml-2/

    2. Re:no scripts by Anonymous Coward · · Score: 0

      Server side includes, cgi-bin/wincgi + isapi did the job server-side in the past better too minus javascript crap. Now most all ads are 3rd party from advertisers as they don't trust webmasters on click/view counts.

    3. Re:no scripts by Billly+Gates · · Score: 1

      Scripts are completely unnecessary. The web worked perfectly fine back before all these bells and whistles were added. Things loaded fast, they didn't need so much bandwidth, and things were much more stable - I still have sites where I see the unresponsive script error.

      Some sites have so much crap that they are just unusable. The web is becoming this big fat slow thing that I find myself spending less and less time on.

      ... yeah as you type this comment with a reply button using logic run in JavaScript. :-)

      That is unrealistic. Slashdot as an example can't sort through thousands of comments, let you post, filter by score, etc without Javascript. People keep saying this over and over again but I do not want a 1996 Mindspring page with sparkly jpegs in the background with just colored text.

      The web is a platform and has been since the late 1990s when Javascript took off. It will not be usable without and not to mention how can you tell a CEO he has to say no to $100,000,000 a year from the ad networks on a site that costs money to produce?? It ain't gonna happen even if the CEO is not a moron who understands a little about security. You can't say no to money when you are a publicly traded company.

    4. Re:no scripts by Anonymous Coward · · Score: 0

      The web is a platform and has been since the late 1990s when Javascript took off. It will not be usable without

      It's perfectly usable without in almost all cases. I use no-script and adblock to cut out every script except the ones that are absolutely needed, which seem to be less than 10% of them these days. What does all of the rest of that script do besides eat my bandwidth? I don't know and I don't care since it obviously isn't needed from my point of view. So you can take your "web platform" and shove it and I will keep blocking your scripts m'kay?

    5. Re:no scripts by Anonymous Coward · · Score: 0

      Slashdot as an example can't sort through thousands of comments, let you post, filter by score, etc without Javascript.

      Bull, and shows to me you have very little understanding of what JS does.

      And don't tell me you actually think that your browser will first download all those "thousands of comments" to enable client-side JS to work (sorting, filtering, etc) on them.

      And on the off(?) chance you are referring to server-side JS, how is that of any consequence to the visitor? Way to confuse the issue there mate. :-(

      And by the way: My browser has JS disabled and I can view this website just fine. Replying to post seems to be no problem either (you are reading this one, aren't you? :-) ).

      And funny: Back in those 1990s you spoke of everyone who just downloaded-and-executed a random program from the web was deemed an idiot. Nowadays you are regarded as a freak if you do not allow your machine to download-and-execute random scripts that come from god-knows-where. Go figure. :-(

      It will not be usable without

      Again, bull. JS is most often the proverbial flag on a shitbarge, trying to make a(ny) website look like it's "with the times". In most cases JS doesn't do anything which either PHP cannot do on its own, or needs to be duplicated in PHP itself (which can cause another problem, the double lock-out).

      Nope, you sound like one of those groupies, who have no clue what their idol is doing and definitely do not care. :-(

      But I give you one thing: Nowadays there are more-and-more (company (CEOs ?)) websites which purposely refuse to work if JS is not enabled.

  15. When will these IDIOTS learn by chromaexcursion · · Score: 4, Insightful

    If you need to have a secure site you can't use cross links.
    Anything financial needs to have a secure site.
    These "business" decisions are penny wise, pound foolish.
    How many more CEOs have to resign in disgrace for the idiots to catch on?

    1. Re:When will these IDIOTS learn by bill_mcgonigle · · Score: 1

      Golden Parachutes and old-boy networks ensure that occasional resignations are irrelevant.

      Get credit on a blockchain if you want to get on with things - otherwise these people will just take a stock beating and get propped up with government bailouts (courtesy of the very people they have harmed). The whole thing is a systematic abusive relationship.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:When will these IDIOTS learn by Bryansix · · Score: 1

      Have you seen Mr. Robot where the banks control the blockchains?

    3. Re:When will these IDIOTS learn by Mitreya · · Score: 1

      How many more CEOs have to resign in disgrace for the idiots to catch on?

      At least one -- but that CEO has to not get a large bonus + severance package on the way out.
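
Added example, not part of any comment in this thread: a defender-side inventory of the cross-origin script includes on a page (the "cross links" the comment above objects to), flagging those the browser cannot verify because they carry no Subresource Integrity hash. The markup, hostnames and function names are constructed for this example.

```javascript
// Added example: list cross-origin <script> includes and flag the ones
// without a Subresource Integrity (SRI) hash or loaded over plain HTTP.
const PAGE_ORIGIN = "https://www.example.com"; // hypothetical first-party origin

// Constructed sample markup; all hostnames are placeholders.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://analytics.example.net/tracker.js"></script>
<script src="//cdn.example.org/lib.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
<SCRIPT SRC='http://stats.example.net/old.js'></SCRIPT>
`;

// Read one attribute from a start tag: name="v", name='v' or name=v.
function attr(tag, name) {
  const re = new RegExp(
    `\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditScripts(html, pageOrigin) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (!src) continue;                      // inline script, nothing fetched
    const url = new URL(src, pageOrigin);    // resolves relative and // URLs
    if (url.origin === pageOrigin) continue; // first-party include
    findings.push({
      host: url.host,
      url: url.href,
      hasIntegrity: attr(tag, "integrity") !== null,
      insecureTransport: url.protocol === "http:",
    });
  }
  return findings;
}

// Hosts whose code runs in the page with no integrity pin at all.
function unverifiedHosts(findings) {
  return findings.filter((f) => !f.hasIntegrity).map((f) => f.host);
}

console.log(auditScripts(SAMPLE_HTML, PAGE_ORIGIN));
```

An integrity hash pins only the file named in the tag; anything that script fetches at runtime is outside it, which is what a Content-Security-Policy `script-src` allowlist is for.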

  16. Re:It's not Equifix or TransUnion - YES IT IS by Anonymous Coward · · Score: 0

    Don't worry, I'm sure they could hire a competent Node.js developer to build them a new secure system.

  17. NoScript by Anonymous Coward · · Score: 0

    And this is why I use NoScript.

    Unfortunately, it often takes me multiple iterations until I figure out what the bare minimum is necessary to temporarily whitelist for any particular site to work.

  18. why do they have ads at all? by Anonymous Coward · · Score: 0

    they literally have control over most (credit-dependent) American and every entity needing to do business with them, by the short and curlies, .. so are they so greedy for money that they need another $.02 from selling ads?

    they failed at their cost/benefit analysis by not properly evaluating security costs .. but considering their chief security officer .. no surprise there

  19. It's going to get worse by Anonymous Coward · · Score: 0

    As some underdeveloped countries struggle for jobs. People take up whatever they can to make money. Sadly the increase in personal information sitting on servers that are not being properly secured is creating a little kid in a candy store sort of atmosphere.

  20. Risk/Responsibility mitigation by Anonymous Coward · · Score: 0

    It almost seems like an intentional business strategy to outsource everything that could potentially break. If (more like when) the stuff does break, the buck can get passed to the third party that was compromised, keeping the mother-business free of blame and responsibility.

    If you want something done right, do it yourself. If you can't do it yourself, you probably shouldn't be holding the reins.

  21. Re:It's not Equifix or TransUnion - YES IT IS by Anonymous Coward · · Score: 0

    You're advocating for security by obscurity.

  22. Re:It's not Equifix or TransUnion - YES IT IS by Fly+Swatter · · Score: 1

    Share the code, share the bugs, and share the attack vectors.

    In a roundabout way, I guess you are right. However in a world where there is a new exploit in a random third party package every day, it's not looking too bad these days. Weren't both of their failures through known third party exploits?

  23. Re: Easy to stop using hosts file (just like coinh by Brockmire · · Score: 1

    Your subject says it's easy to stop using hosts file, and then you instruct them to use the hosts file. Make up your fucking mind!

  24. "Quagmire" you have no common-sense... apk by Anonymous Coward · · Score: 0

    See subject: Why would I post C&C servers to block coinhive using hosts if I was out to block using hosts itself? Learn to read & use common-sense imbecile!

    APK

    P.S.=> Seriously - is THAT the "best ya got", quagmire? Go back to the MUD behind your FAKE NAME for your FAKE LIFE (your name IS mud)... apk