Keylogger Found On Nearly 5,500 WordPress Sites (bleepingcomputer.com)
An anonymous reader writes: Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field. The script is included on both the sites' frontends and backends, meaning it can steal both admin account credentials and credit card data from WP sites running e-commerce stores. According to site source code search engine PublicWWW, there are 5,496 sites running this keylogger. The attacker has been active since April.
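The summary says the keylogger is pulled in by a script tag pointing at the cloudflare.solutions domain, injected into both the front end and the admin back end. A site operator's first check is therefore to look for that tag in theme and plugin files and in exported post content. The scanner below is an added example, not code from the article or from any project it mentions; the sample footer, the script path under /ajax/ and the file extensions scanned are constructed for illustration.

```python
"""Scan WordPress files (and SQL dumps of wp_posts/wp_options) for <script>
tags that load from the cloudflare.solutions domain named in the article.
Example code added for this thread, not from the article or any project."""
import os
import re
from urllib.parse import urlsplit

# Domain reported in the article as the loader of the keylogger script.
MALICIOUS_DOMAINS = {"cloudflare.solutions"}

# <script ... src=...> with a double-quoted, single-quoted or bare value.
# The lookbehind keeps attributes such as data-src from matching.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?(?<![-\w])src\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE | re.DOTALL,
)


def script_host(src):
    """Lower-cased host of a script src. Scheme-less '//host/path' URLs are
    treated as https; relative paths have no host and return None."""
    src = src.strip()
    if src.startswith("//"):
        src = "https:" + src
    host = urlsplit(src).hostname
    return host.lower() if host else None


def is_malicious_host(host):
    """True for the flagged domain itself or any subdomain of it."""
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def find_injected_scripts(text):
    """Return [(src, host), ...] for script tags loading from a flagged domain."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(text):
        src = next(g for g in m.groups() if g is not None)
        host = script_host(src)
        if is_malicious_host(host):
            hits.append((src, host))
    return hits


def scan_tree(root, exts=(".php", ".html", ".js", ".sql")):
    """Walk a WordPress install or dump directory; map file path -> hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_scripts(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: a theme footer with two legitimate tags and one injected
# loader. The /ajax/ path is a placeholder, not the real file name.
SAMPLE_FOOTER = """
<script src="https://cdn.example.net/jquery.min.js"></script>
<script type='text/javascript' src='//cloudflare.solutions/ajax/PLACEHOLDER.js'></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
"""

if __name__ == "__main__":
    for src, host in find_injected_scripts(SAMPLE_FOOTER):
        print("injected loader:", host, "<-", src)
```

Run `scan_tree("/path/to/wordpress")` against a copy of the site; a hit in a theme file or a SQL dump of wp_posts points at where the tag was planted, which is what has to be cleaned alongside rotating the admin credentials the article says were exposed.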
Noxious flatulent gas clouds are flammable and prone to flare up. Avoid that risk by banning cloudflare from your world.
Why people keep using Wordpress never ceases to amaze me.
They don't say if it's WordPress itself or in a popular plug-in.
#DeleteFacebook
It's well-known that Firefox 57 unnecessarily, but intentionally, broke most extensions for most users. It was released back in the middle of November, and many users upgraded to it without realizing how it would break their extensions. It doesn't help that they didn't have an easy way to downgrade to Firefox 56.
Some of the most popular extensions are those that help prevent JavaScript from being used maliciously, and these kinds of extensions were among the ones to suffer the worst breakage, due to being so intricately tied to the operation of the browser.
While there have been efforts to port some of these extensions to Firefox's new WebExtensions model, in some cases it has proven to be impossible to replicate the existing functionality because WebExtensions is so, for a lack of a better word, crippled.
So I'm now wondering how many Firefox users are now browsing without any kind of protection from malicious JavaScript code. I'm thinking it could be a far higher number than we might expect.
As an experienced Firefox user and a long time programmer, I found it awkward enough to find alternative extensions that would work with Firefox 57 and at least partially replicate the locked-down experience I easily got with Firefox 56 and earlier. I'm sure that less-experienced or less-knowledgeable users would find it far more difficult, and some of them probably wouldn't even realize that they have no real protection at all any longer.
Although I hope I'm wrong, I fear that Firefox 57 and its breaking of JavaScript-limiting extensions may have allowed attacks like these to become far easier and simpler to implement, and the breaking of extensions in Firefox 57 may have left a lot of unsuspecting people vulnerable to attacks they think they're protected from, not realizing that their protective browser extensions are no longer working.
My bassoon reed is NOT a phallus.
How long have you been an A.C. crapflooder?
See subject & https://publicwww.com/websites/%22cloudflare.solutions%2Fajax%22/ as they are infected w/ this script also BUT per the source article, blocking the C&C domain ought to be enough!
APK
P.S.=> Good luck (this part MAY take time as I do not see a straight easily downloadable list to import from that website - you must go thru all 275 pages afaik & then clean the entries from the stupid leading + trailing characters their tables show AFTER you copy them over (& since this is so NEW, I am not sure if the 10 sources in the security community I get data from for hosts have imported it yet themselves))...apk
Client-side Malbolge. Try writing a cryptominer with *that*!
My first program:
Hell Segmentation fault
About 25 years, but what does this have to do with...
Wait... you're trying to come on to me? Hey, I'm no guy for just one night! I at least want dinner first.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We need to switch to cryptographic authentication. FIDO U2F makes a lot of this moot.
With some software put in place at the CRAs, they could use FIDO devices to prevent opening new accounts. If you go into a bank with ID (Driver's ID, passport) and a FIDO device, the bank has done the best identification of you it can. Plug the key into a USB port in a computer, have the bank authorize trust establishment, and you generate 3 new key pairs--one for each CRA. The CRAs get the public key; the private key stays on your FIDO device. If it gets lost or stolen, call your bank, voice-verify, and they can cancel the trusts: your credit cards still work, but you can't open any new credit accounts until you physically enter a bank.
Credit cards? Your computer should have an EVM reader. Google accepts FIDO U2F authentication; Google Wallet (or Verified by Visa) could readily authenticate you before accepting a transaction, providing EVM--cryptographic credit card transacting.
Social Security? Walk into a DMV, Social Security building, or other Government building. They all federate trust. Generate a pile of new keys for all the Government service providers.
The weakest link is really any Internet provider to whom you authenticate, since you'll need a method of recovery. Anyone handling credit card transactions should use the CRAs as a secondary: if you can authorize a credit check, you're probably you.
You can lose personally identifiable information, but you can't lose authentication--not for any broad window, and not over the Internet.
Support my political activism on Patreon.
JavaScript is an old language, developed back when the web was a much safer place
...back before JavaScript?
The websites involved are irrelevant. The software they're running is irrelevant.
The real problem here is JavaScript, and more specifically, how JavaScript has pretty much no legitimate uses but a huge number of illegitimate, unwanted uses.
JavaScript adds nothing beneficial to the web. Some people will claim that JavaScript + AJAX can allow for a better user experience, but that's nonsense.
Just look at a site like Slashdot. The more that JavaScript has been used here, the worse the user experience has gotten! In the past it used to be easy to view all comments at -1. There were just a couple of dropdown menus for setting the threshold, and things just worked flawlessly. Now there's this goddamn JavaScript slider junk that often doesn't work, and even when it does work it's still several times slower than it was when using dropdown menus!
We shouldn't be distracted with irrelevant stuff like WordPress. We need to focus on the real problem: JavaScript.
The solution is clear: JavaScript needs to go.
Hah. Clickbait. If you want to know if you're on the list you need to sign up. And probably pay for the information.
This isn't really news. There are tens of thousands of hacked wordpress sites, and the fact people have been loading miners into javascript is ancient news
This is a simple push to advertise some shitty search engine
See subject & it's been out for 2 days now: Intel Management Engine pwned by buffer overflow http://www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/ UNPATCHABLE / UNFIXABLE!
Pertinent Excerpts/Quotes:
"Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough."
+
"Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707"
* I've got the way to "proof" you vs. it though & the "hidden switch" fix doesn't help vs. that either + NEITHER DO UPDATES/PATCHES (BUT my method does)...
APK
P.S.=> Odd /.'s "missed" posting about that imo... apk
Some of the most popular extensions are those that help prevent JavaScript from being used maliciously, and these kinds of extensions were among the ones to suffer the worst breakage, due to being so intricately tied to the operation of the browser.
Regarding ads:
uBlock Origin - was WebExtension compatible in advance, well before the release of FF57 (I use that one)
uBlock - was WebExtension compatible in advance, well before the release of FF57
AdBlock Plus - was WebExtension compatible in advance, well before the release of FF57
Regarding trackers:
FSF's Privacy Badger - was WebExtension compatible in advance, well before the release of FF57 (I use that one)
Regarding script blocking :
uMatrix - was WebExtension compatible in advance, well before the release of FF57
NoScript - well Giorgio Maone was a tiny bit in a hurry, but still managed to make it compatible within a couple of days after the release of FF57. Still kudos to him for having managed it. (I use that one)
etc.
Well what was your point?
Yup, maybe that weird specific not widely known extension that 3 other people beside you use, and whose authors have abandoned for the last 10 years, maybe that extension broke for you in FF57.
Meanwhile, all the major security extensions were transitioned more or less on time. Partly on the grounds of Mozilla crew members closely collaborating with extension authors, to make sure that their WebExtensions interface provides all the necessary API to make the functionality possible.
So I would suggest that you stop bitching about the change of API by spitting the same copy-pasta whining on each remotely relevant /. news story, and instead spend your time and effort switching to extensions with a tiny bit more active developers and a little bit more active community than whatever rare precious gem you were using up until now.
While there have been efforts to port some of these extensions to Firefox's new WebExtensions model, in some cases it has proven to be impossible to replicate the existing functionality because WebExtensions is so, for a lack of a better word, crippled.
Which is why Mozilla devs have actively reached out to authors of popular XUL extensions to see how they could make them still work once transitioning to the WebExtensions API.
All the major security extensions worth mentioning have more or less finished transitioning, despite some of them not working on the Google's Chrome spin of WebExtensions.
So I'm now wondering how many Firefox users are now browsing without any kind of protection from malicious JavaScript code. I'm thinking it could be a far higher number than we might expect
I'm thinking it's only the stupider ones among them like you, who can't even put some though into the selection of security tools they'll use.
Next time, pick an extension with an author that is still alive and a number of users which exceeds your direct family.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The minute I see a site is running Wordpress I am skeptical of putting information I care about into it. PHP has a bad philosophy leading to insecure code. Wordpress is one of the shining examples of poor code quality. Then combine it with a "marketplace" of plug-ins and you get exactly what you asked for: cookie cutter software of the lowest quality.
People eat at McDonalds knowing it's bad for you yet they do it anyway.
Random users :
"OOH MY GOD !!! NO !!!! ALL MY PRECIOUS PASSWORDS!!!!"
Users of password managers :
"Phew !... at least they didn't log these".
Users of NoScript (and other such popular script blocking extensions) :
"...yeah... whatever...."
---
Bonus:
Users of links/elinks/lynx, curl/wget and straight telnet :
"Bwaaah.... we're left out of the fun once again!..."
Being concerned with one's online security isn't 'bitching'. Being concerned when Mozilla breaks security extensions isn't 'bitching'. It's disturbing that you, and apparently Mozilla, take such a carefree attitude about the security of FF's users. All extensions that worked with FF 56 should have worked with FF 57. There's no excuse for them not to have worked.
See subject & I'll add to what he said or missed - Javascript's misused like mad, slows you, runs on your dime clientside taking up power/cpu/ram & other forms of I/O + it slows you way, Way, WAY down! CGI bins/WinCGI run server side (so did ISAPI/NSAPI iirc but were often leaky due to being written in C as well as buffer overflow vulnerable thus - that could be changed by writing them in C++ instead, easily) NOT using YOUR POWER BILL or cpu cycles/ram & other I/O either.
Nobody has to note that Javascript's also HUGELY MISUSED in malware & trackers etc. too!
APK
P.S.=> Javascript has 1 decent use (but could be easily replaced by server-side processing methods noted above) in accessing database material (e.g. bankaccount, shopping, online tests etc.) but again, could be replaced by what I noted above that was around BEFORE script in documents online (dumb, they didn't even learn from Office program macros on that note - you open the door, trash comes blowing in)... apk
See subject: CGI bins/WinCGI are earlier alternates that run SERVER-SIDE & can do the same (not on your dime in your power bill raised by it, or cpu/ram & other I/O used client-side) OR ISAPI/NSAPI (do you know what those are OR were?) serverside (on modern webserverware) - that's how noob!
Written by in-house devs a website SHOULD have (not XSS/CSS risks from 3rd parties) would avoid its misuse HUGELY!
PLUS Anything clientside running that users don't REALLY need slows 'em (I post on /. constantly minus javascript & do fine for example + a HELL OF A LOT FASTER!).
WTF?
CLIENTSIDE MEANS IT USES YOUR POWER & CPU/RAM + I/O & THAT IS A DOWNSIDE (for shit you do NOT need like tracking or infections) - this can be done SERVERSIDE INSTEAD, dumbass!
Yea - "javascript works well alright" - for tracking & infecting users!
OLDER SITES SUCK?
Do you know how OLD /.'s base codebase is? It's MOSTLY THE SAME as it always was - for such a 'sucky OLD site' YOU SEEM TO USE IT JUST FINE!
Eat your words...
Javascript's used because the ENTRY BARRIER is LOW for 'wannabe coders' (like YOU obviously) that can't handle C/C++ (real languages, not interpreted buggy garbage that causes more trouble than it's worth (javascript)).
APK
P.S.=> You're OBVIOUSLY a "webdouche" & a NOOB if you're not aware of those older technologies that do the job BETTER (since they're off client & serverside instead) minus all the downside bullshit of Javascript... apk
See subject & NEW APK Hosts File Engine 10++ 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads/script/malware rob speed/security/privacy/bandwidth.
Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster via local RAM!
* Via what u NATIVELY have in a FASTER kernelmode IP stack (does more w/ less).
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self check vs. infection of it built-in)
Hosts protect when addons can't (or as well):
NoScript tag parses. Hosts block script prior to it!
Bad sites (past ads)
Botnet C&Cs
DNS down/poisoned
Trackers (dns logs/ads/transparent ISP proxy)
Dns blocks
Spam/phish payload
Slowdown 2 ways: adblocks & hardcodes
Hosts = Ez edit.
AB+ 151mb https://www.google.com/search?q=Adblock+memory+consumption&btnG=Search&hl=en&gbv=1/
UBlock 64MB https://www.google.com/search?q=UBlock+memory+consumption&btnG=Search&hl=en&gbv=1/
Hosts~6mb
Addons = ClarityRay defeatable & crippled http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/
No 1 addon does as much.
Stacked addons slowup.
ADDONS = EXPLOITABLE https://news.slashdot.org/comments.pl?sid=11166303&cid=55266729/
APK
P.S.=> APK Hosts File Engine 10++ 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
See subject and the URL I posted above only the first 26 entries are visible - yes you must pay for an account to get the full list that is available in a download. I was made aware of this when my boyfriend whispered this fact into me ear while he was riding me.
APK
P.S.=> Don't expect me to take time to check out the sites/lists/apps that I recommend I am busy with my Bruno!! apk
See subject: 1st, you're a fool impersonating me & 2nd I noted ALL YOU NEED TO BLOCK really is cloudflare.solutions (yes, that's a valid gTLD @ the end) which is ALL THOSE SITES "hooked into" via the bogus keylogger script!
* I didn't like the "must join" bs to see the rest of those either but you don't NEED to & I said so, clearly (learn to read dumbshit).
YOU ARE CORRECT ON 1 THING You are a dumb fuck BUT YOU ARE NOT ME & I'm NOT that dumb (like you).
APK
P.S.=> When will FOOLS like you learn you're just too stupid to try "take me down"? Oh, I think most EVERYONE knows that & it is WHY you harass me nigh constantly or DOWNMOD BOMB my posts using UNIDENTIFIABLE anonymous posts (you're chickenshit losers)... apk
A future of shit of infection & tracking + slowness on YOUR powerbill & cpu/ram + I/O? Some "bright future"!
* The "new hotness" = OLD & BUSTED crap for noobz like you as coding in C/C++ or Delphi, extremely HIGH-PERFORMANCE real languages, not interpreted slow garbage is TOO MUCH for "your kind"...
Why's javascript REALLY used instead of CGI/WinCGI or ISAPI/NSAPI?
1st - it LOWERS THE BARRIER TO ENTRY so underpaid underskilled NOOBZ can do the job cheap (shittily but cheap)
2nd - To LET USERS PAY THE CHARGE OF RUNNING THE SHIT too clientside vs. serverside (where it SHOULD be with FAR LESS RISK TO USERS)!
APK
P.S.=> Get 1 thing straight - you & "your kind"? Too unskilled & you lack knowledge to "get the best of me" - ever! apk
See topic and be sure that I am the real Alexander Peter Kowalski and NOT you!!! - though you surely must wish you were as does everyone else - your lame attempt to impersonate me is obvious and ridiculous as are you!!!!!
APK
P.S.=> Bruno would never shag a little bitch like you! apk
Apparently you do wish you were me seeing as it's the 2nd time you've tried to impersonate me in the post I'm replying to now.
* You're actually RIGHT about that & PROVE it no less by PROJECTING it yourself as you try impersonate me, lol!
APK
P.S.=> You DO wish you were me - but you do a POOR JOB OF IT projecting what's in my subject line & instead you come off as a STRAIGHT-UP FOOL!... apk
See subject: It's not my fault you can't code real languages (vs. interpreted crap in javascript, root of all evil online) either!
* SEE SUBJECT LINE ABOVE AGAIN (lmao) & GROW A PAIR OF BALLS beneath that belt of YOURS & realize something:
Use of clientside javascript was all done to allow CHEAP LABOR with crap product 2 ways as I said:
1.) Javascript 'coders' (quoted because you're not) = cheap vs. C/C++ or Delphi coders to do NSAPI/ISAPI or WinCGI/CGI script (usually in PERL though).
2.) Doesn't raise serverside bills but instead PUTS THE COST + RISK ONTO THE USER to run javascript crap that INFECTS, TRACKS & SLOWS end users instead!
(Follow the money - it's the answer to 99/100 questions & usually RIGHT as rain (like me)).
APK
P.S.=> Lastly, it always amazes me how you goof trolls don't have ANY originality in your ribbing (means you lack creativity - hence WHY you had to 'code' (not) in interpreted crap) - it's always some TIRED & PLAYED OUT STALE 'meme' (what a wimp term that in quotes) in what YOU spewed - "your kind" = "Screamy MEEMIES", lol... apk
APK Hosts File Engine 9.0++ SR-2 actually works pretty well. Since I installed it I have yet to be infected by a virus. The only thing I find odd is that after installing it whenever I try to do a google search all of the results default to gay porn sites. Small price to pay to be safe I guess.
APK, keep up the good work ;)
See subject & you also missed a TON of functionality covered both here https://linux.slashdot.org/comments.pl?sid=11356847&cid=55558543/ & https://linux.slashdot.org/comments.pl?sid=11356847&cid=55558543/ - vs. my program literally being written by MYSELF by hand/from scratch equivalent to roughly 14 *NIX shellscript commands (which again, YOU DID NOT WRITE - you merely used others' work in script commands).
* There is a HUGE diff. between you & myself - I actually code, you don't!
(Don't feel too bad - You're the 5th fool who tried to emulate my GUI multithreaded multitasking work via shitty shellscripting that I had to CORRECT no less on what you missed (& you missed even MORE than what I listed too no less, lol)).
APK
P.S.=> Gimme a break "wannabes" - you're just plain "not up to spec", period... apk
See subject & learn to READ! Yes costs play a factor (money always does) & compiled code won't run on every system? BS with proof of that (from not only C/C++ but Delphi too (for all the majors))
"Read 'em & WEEP" + EAT YOUR WORDS https://www.embarcadero.com/products/delphi/
* Man you're SO full of shit & mistakes it's not funny above & WORSE about javascript infectors next!
FACT: Javascript usage = the harbinger of ALL DOOM online (tell me - how often is javascript misused & where do MOST threats come from/get delivered by (other than Flash), hmmm? Answer = javascript).
Costs matter for labor in ANY business & it's a FACT C/C++ or Delphi coders just plain COST MORE but do better work by FAR in performance alone!
Going to TRY tell me that running scripts clientside doesn't RAISE cpu/ram & OTHER I/O use too (& in doing so raising your powerbill also)?
You're a noob & it SHOWS - you don't even KNOW what NSAPI/ISAPI or WinCGI/CGIBins are for OR what they do!
(Anything they don't do I don't need (I rarely if ever allow script online as it infects, tracks, slows you & raises costs).
APK
P.S.=> You lose, get it (what do you THINK ISAPI/NSAPI were largely written in in the past? Answer = C/C++ or even Delphi if you wanted)...apk
Wrong. The ESR releases aren't perpetually supported, so eventually an upgrade will be required. The ESR releases after FF 57 will be just as broken as FF 57 is. The ESR releases are not a valid solution to this problem.
Thanks for the compliment (2nd time now in what I replied to here & https://developers.slashdot.org/comments.pl?sid=11453163&cid=55697385/ but you're trolling & lying!
OR you are "man in the middled" via a DNS redirect poisoning.
Why do I say that?
It's IMPOSSIBLE you used my program otherwise OR you didn't use it FULLY (providing hardcoded favs resolved locally @ TOP of hosts for most speed & security vs. dns fails/downed/poisoned for sites you use MOST).
Lastly: 9.0++ SR-2 is NOT a current model (& will miss a few new gTLDs - part of why I updated it & a performance boost too (theoretical 67% in 1 part, actual = ~ 40%))
APK
P.S.=> Check your router + IP stack DNS settings (if you are not f'ing around trolling) OR cut it out - I am helping others in this case (moreso in the gTLD post's "p.s." above )... apk
See subject: WinCGI/CGIBin & NSAPI/ISAPI dll/libs run serverside as I said - NOT IN BROWSER as you say (WinCGI/CGIBin = perl usually as I said or ISAPI/NSAPI libs/dlls via Delphi/C/C++) & jscript 'rules' due to it being FORCED since it costs them less in serverside power + labor costs period/fact!
Man - that PROVES you're a noob unaware of those things above & TRYING to twist what I said - I never said they run IN BROWSER (I said opposite & serverside).
(C/C++/Delphi coders cost more but produce faster better product USERS DON'T TAKE THE RISK ON CLIENTSIDE or RAISE THEIR POWER BILLS ON CLIENTSIDE!)
* That's the ONLY REAL REASON, period (money talks - they say "talk is cheap"? NOT when money does the talking!).
Face reality - javascript the "new hotness" BLOWS & causes all kind of shit online being misused as the harbinger of exploits & tracking!
Web jobs = noob jobs for chumps - I am LONG retired but I wouldn't take that low of pay (though it was often forced on me to do via .NET). Shit's chumpwork (SQLExecute type stuff to DB is hardest part, & that's EZ! Rest is text formatting & putting up pictures pretty much, lol!)
APK
P.S.=> I see you don't argue about CROSS-PLATFORM now regarding C/C++ or Delphi anymore as I proved QUITE otherwise (they do ALL of the majors) - you f'd up on that showing you are as I said - an ill-informed NOOB... apk
See subject: Via Opera 12.18 classic BySite preferences. I block script globally & IF I need it I make exception sites.
* Script = bullshit & I avoid it @ ALL costs (due to tracking, infecting & SLOWING users like me down blowing MY POWERBILL up w/ increased RAM/CPU & other I/O)!
Lastly: Addons & other means don't do a FRACTION of what hosts do https://yro.slashdot.org/comments.pl?sid=11452421&cid=55695771/
APK
P.S.=> You made me LAUGH here deluding yourself that YOU actually "wrote code" https://yro.slashdot.org/comments.pl?sid=11452421&cid=55697041/ & not only that but I HAD TO SHOW YOU WHAT YOUR grep commandline switch (that you didn't write grep for but I wrote ALL my code myself) didn't do by itself... apk
Being concerned when Mozilla breaks security extensions isn't 'bitching'.
Which security extensions got broken?
Most of the major ones got ported to WebExtension API well in advance.
The ones that were not ready on D-day, managed to get ready over the few days after the big switch.
Really in practice, I haven't seen anyone I know bitten by missing security extensions.
If you're complaining that your specific security extension got broken, it means:
- you're using a very rare one. At least it means the biggest part of firefox users (those who use the most common security extensions) aren't affected. Only the few eccentric people with unusual choices of extensions are affected and they are a much smaller fraction of the user base.
- you're using a very rare extension, which is used by an extremely small number of other users. That might be a little bit problematic regarding security because it means less opportunity to discover and fix bugs in the extension.
(Though some might argue that you could also be protected by the relative obscurity of your extension. There might be obvious ways to circumvent the security, but because there are only 5 users of this extension, nobody bothers to check).
- the author of the extension hasn't bothered to upgrade your extension for over a year. That by itself is a major security problem. It also means that, even if you keep the latest ESR version of Firefox instead of upgrading, your extension hasn't been fixed against any problem that might have been discovered over the past year.
It's disturbing that you, and apparently Mozilla, take such a carefree attitude about the security of FF's users.
Mozilla hasn't been taking a carefree attitude. They have been actively collaborating with the developers of extensions, including lots of security extensions, including the most popular extensions, just to make sure that WebExtension API provides everything needed to make the old XUL extensions portable to the new API.
I don't have a carefree attitude about security either.
That's why I have been following the evolution closely as soon as there was an announcement about future deprecation of XUL extensions (in fact even earlier: I've been following since the release of Electrolysis and other such stability/security features - because even back before the announcement of API deprecation, some of these extra features did rely on all installed extensions only using the WebExtension API).
I've been checking the development of the extensions I use, and observed that lots of them were available rather fast with the new API. Even more so among security extensions, they were probably the fastest to react and port their code (or in the case of NoScript's guy : start to collaborate with Mozilla to see how the API could be adapted to their need).
All extensions that worked with FF 56 should have worked with FF 57. There's no excuse for them not to have worked.
I think that "this extension was written 10 years ago and since then we're not even sure if the dev is still alive" might be a good excuse, especially for a security extension (you know, those things are supposed to be kept up to date and adapted as new security threats arrive).
I'm going to go ahead and stick my head in a bear trap, but why does Mozilla rely so much on outside programmers to make the thing even borderline secure? I understand the reasoning not to include ad blockers, but some of the other commonly used extensions should just be baked in. Or am I really just too paranoid?
In a way you are paranoid, in that unlike most of the typical users you value your security much more than ease of use.
Most users don't have any idea about security. On the other hand, most of the users want to just watch their Netflix movie, post their shit on Facebook, etc. They want all the typical online activity to work straight out of the box.
Sadly, the currently accepted standard behaviour of *ALL* browsers is to download and execute any bullshit linked in a web page, no questions asked
(though there are very tiny baby steps being made, like the "allow origin" HTTP(S) directive to restrict some APIs across different webservers).
That's how chromium works, that's how microsoft edge works.
Web designers thus design the pages you visit taking that into account (just look at all the external scripts downloaded by most of the webpages. Any random simple thing that you visit, like a webshop to order something online, downloads and executes javascript libraries from at least a dozen different 3rd parties, some of which are absolutely critical for even the basic functionality of the webshop to work. Not everything from a 3rd party is something nefarious like a tracker).
So if suddenly firefox were to by default block all non-whitelisted scripts, or block all scripts not originating from the same domain, most of the users would be seeing their usual web sites not working.
They will not be appreciating the sudden new added security to Firefox compared to everything else, they would be mostly noticing that most of "their web" is broken compared to any other browser.
You'd see backlash against non functioning stuff out-of-the-box.
You'd see users complaining that they need to whitelist and fine tune tons of stuff just to get facebook working.
You'd see less advanced users complaining that they don't even understand what a "whitelist" is, and why the hell do the netflix pages stay entirely black?
So that's the current situation: current normal usage patterns (leading to current design techniques) lead to a situation which makes any increase of security hard without fundamentally breaking the online experience.
So, therefore, good Javascript blockers currently need to be only offered as extensions for power users who know what they do, and are not afraid to do some tweaking to get the website to work back again.
Note: all the above only applies to the standard Firefox package as installed from the website.
Special packages targeting a specific user base differ:
the Firefox browser packaged as part of the Tor browser bundle has quite a few security extensions installed and enabled by default.
Dear "hosts" APK troll.
Nope, your hosts file doesn't work in the case of malicious javascript code.
You can't block just scripts, while still letting through the plain HTML webpages.
A "hosts" entry can only block access to a whole domain.
Also it depends on the "hosts" list containing the new threat (it's fundamentally a black-listing approach. If a threat isn't known, a hosts list cannot prevent it).
Systems like NoScript are White-Listing. They block by default unless told otherwise. I could never be affected by malicious javascript code running on "http://cloudflare.solutions/" even before I heard about it, because it's not among my whitelists.
Also your bullshit only runs on Windows, and there's no source available for review. Not interested.
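The post above argues that a hosts-file entry blocks a whole hostname (HTML and all) and only catches domains already on the list, whereas a NoScript-style allowlist blocks script from any origin not explicitly permitted. The model below is an added example, not code from either poster, from NoScript or from the hosts tool mentioned; the hosts snippet, allowlist and page requests are constructed. It also records a practical caveat: hosts matching is exact per hostname, so an entry for cloudflare.solutions does not cover a subdomain of it.

```python
"""Model the two blocking strategies argued over in this thread:
 - hosts file: a blacklist that sinkholes every request to a listed hostname
 - script allowlist: default-deny for script resources, everything else loads
Example code added for this thread; not from any poster's program."""
from urllib.parse import urlsplit

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed hosts-file snippet: the article's domain plus a made-up ad host.
HOSTS_FILE = """
# constructed sample
127.0.0.1 localhost
0.0.0.0 cloudflare.solutions
0.0.0.0 ads.tracker.test www.tracker.test
"""

# Constructed allowlist: origins the user has explicitly permitted to run script.
SCRIPT_ALLOWLIST = {"shop.example.test", "cdn.example.test"}


def parse_hosts(text):
    """Hostnames a hosts file maps to a sinkhole address. Comments and blank
    lines are skipped; one line may list several names. localhost is not a block."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINKHOLES:
            blocked.update(n.lower() for n in names)
    blocked.discard("localhost")
    return blocked


def hosts_allows(url, blocked):
    """Hosts lookup is by exact hostname: no wildcards, no parent-domain match,
    and no notion of resource type (an HTML page is blocked like a script)."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() not in blocked


def allowlist_allows(url, kind, allowlist):
    """Only script resources are gated; HTML, images, CSS load regardless.
    Unknown origins are denied even if no one has ever flagged them."""
    if kind != "script":
        return True
    host = urlsplit(url).hostname
    return host is not None and host.lower() in allowlist


def evaluate(requests, blocked, allowlist):
    """{url: (hosts_verdict, allowlist_verdict)} for a list of (url, kind)."""
    return {
        url: (hosts_allows(url, blocked), allowlist_allows(url, kind, allowlist))
        for url, kind in requests
    }


# Constructed page load: the shop's own page and script, the injected loader,
# a script from a domain no blacklist has seen yet, a subdomain of the listed
# domain, and a plain HTML page on the listed domain.
PAGE_REQUESTS = [
    ("https://shop.example.test/checkout", "html"),
    ("https://cdn.example.test/checkout.js", "script"),
    ("https://cloudflare.solutions/ajax/PLACEHOLDER.js", "script"),
    ("https://brand-new.test/loader.js", "script"),
    ("https://static.cloudflare.solutions/x.js", "script"),
    ("https://cloudflare.solutions/", "html"),
]

if __name__ == "__main__":
    verdicts = evaluate(PAGE_REQUESTS, parse_hosts(HOSTS_FILE), SCRIPT_ALLOWLIST)
    for url, (h, a) in verdicts.items():
        print(f"hosts={'allow' if h else 'block'} allowlist={'allow' if a else 'block'} {url}")
```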
Yes, hosts can & faster vs. 3rd party scripts by not parsing for script src tags as NoScript does blocking the script server source.
My program runs on Windows the most used OS on PC desktops & servers combined but the OUTPUT in hosts itself runs just about everywhere - so much for your bs!
APK
P.S.=> It's easy to determine those sources (NoScript's a great help to me on that account & WHY I use it - yes, I use it - albeit only to help populate hosts vs. what I said above (3rd party scripts XSS stuff)) - so again - so much for your bs...apk
Javascript's misused a lot - fact & that's my point. It's used to deliver up tracking & infectors often from ads even!
APK
P.S.=> Does it work for GOOD things too? Sure, but it runs up your/clientside powerbill even there along w/ CPU cycles, RAM & other forms of I/O doing so (for good OR bad) & COULD BE DONE SERVER-SIDE instead via NSAPI/ISAPI libs/dlls for example (instead of putting the powerbill burden & slowup on the clientside - that would be TRUE CLIENT-SERVER TOO - just ask a question, let server do the work & send back the answer (which of course then puts the burden on the server owner's end & NOW YOU SEE WHY Javascript clientside is done))... apk
See subject in case you hadn't noticed. I'm not being obnoxious. I'm defending myself. Thanks for the compliment on my work though.
* I just give it back like I get it - albeit I do it w/ facts (& imo, you're just another one of the fools giving me guff - but you ARE PROJECTING what you want to happen... trying to make me look bad!)
APK
P.S.=> Thanks for giving it away (I knew that's your game) - doesn't faze me 1 bit & I don't react the way you'd like (I just use facts & quoted /.ers liking my program vs.r bs instead, @ least 99% of the time it's what I do & it works)... apk