Slashdot Mirror

← Back to Stories (view on slashdot.org)

CSS Is Now So Overpowered It Can Deanonymize Facebook Users (bleepingcomputer.com)

Posted by FirehoseFavorites on from the I'll-be-seeing-you dept.

An anonymous reader writes: Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook. Information leaked via this attack could aid some advertisers linking IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy. The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.

The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard. Security researchers have proven that by overlaying multiple layers of 1x1px-sized DIV layers on top of iframes, each layer with a different blend mode, they could determine what's displayed inside it and recover the data, to which parent websites cannot regularly access. This attack works in Chrome and Firefox, but has been fixed in recent versions.

92 comments

  1. umm no by Anonymous Coward · · Score: 1

    Umm Facebook is soo overpowered that they have soo much information COUPLED with poor coding that permits leaking this infomation...

    1. Re:umm no by multi+io · · Score: 0

      The information leak has nothing to do with Facebook specifically. It works by "scanning" the contents of an iframe, which you should work with any other website just as well.

    2. Re:umm no by Anonymous Coward · · Score: 0

      The information leak has nothing to do with Facebook specifically. It works by "scanning" the contents of an iframe, which you should work with any other website just as well.

      Wow, by complete and total coincidence, that's exactly what the fucking summary says!

  2. If it was already fixed... by Anonymous Coward · · Score: 1

    What's the big deal? CSS isn't the problem, browser's shoddy implementations is/was.

  3. Only last sentence is relevant by 93+Escort+Wagon · · Score: 4, Informative

    ”This attack works in Chrome and Firefox, but has been fixed in recent versions.”

    In other words, this is a clever exploit of a bug - not a fundamental issue with CSS. The rest is FUD.

    --
    #DeleteChrome
    1. Re:Only last sentence is relevant by Anonymous Coward · · Score: 1

      This is hardly the first time CSS has been used as an attack vector. You used to be able to tell the websites a visitor visited by listing a bunch of links, and then checking if they matched visited link CSS.

    2. Re:Only last sentence is relevant by Actually,+I+do+RTFA · · Score: 3, Informative

      No, this is an exploit of a fundamental issue with CSS. By breaking with the standards, Chrome and FireFox are avoiding the issue.

      It's similar to how no browser fully implements the JS spec. Because it has some (very edge case) stupid behavior. But that's okay, because the unimplemented parts will never come up anyhow.

      --
      Your ad here. Ask me how!
    3. Re:Only last sentence is relevant by Peter+P+Peters · · Score: 1

      ”This attack works in Chrome and Firefox, but has been fixed in recent versions.”

      In other words, this is a clever exploit of a bug - not a fundamental issue with CSS. The rest is FUD.

      'This attack works in Chrome and Firefox, but has been fixed in recent versions' really means 'this attack no longer works in Chrome or Firefox'. But to sell clicks you need to FUD it up as much as you can.

    4. Re:Only last sentence is relevant by HarrySquatter · · Score: 1

      So you think everyone is always running the latest versions of all software? Are you naive or just intentionally dense?

    5. Re:Only last sentence is relevant by Narcocide · · Score: 1

      That one might actually still work...

    6. Re:Only last sentence is relevant by Anonymous Coward · · Score: 0

      It's not FUD. This is not how FUD works. FUD is when you blow a non-issue out of proportion. This was a legitimate issue, as older browser versions remain vulnerable. Btw, this still works in the latest Firefox version.

    7. Re: Only last sentence is relevant by Anonymous Coward · · Score: 0

      Uh, no, it isn't. It's a timing attack. Timing attacks work when the code does not run in constant time. You make it run in constant time and the problem disappears. That's not a "fundamental issue". It's a bug.

    8. Re:Only last sentence is relevant by Anonymous Coward · · Score: 0

      So you think everyone is always running the latest versions of all software? Are you naive or just intentionally dense?

      Sure, but in that scenario there is an element of choice. A given person (or organization) gets to decide how much they care about security. That's fair enough. It works for me.

    9. Re: Only last sentence is relevant by Actually,+I+do+RTFA · · Score: 1

      On the contrary, timing attacks are a problem in the specification. "Do X as fast as possible" is the default. "Do X in constant time" is an exception. It's a fundamental flaw in the spec.

      Ultimately, specifications need to anticipate attacks and include mitigations.

      --
      Your ad here. Ask me how!
    10. Re:Only last sentence is relevant by Anonymous Coward · · Score: 0

      That's why people who know run Edge.

    11. Re:Only last sentence is relevant by Anonymous Coward · · Score: 0

      "This attack works in older, obsolete versions of X and Y" is just as true and considerably less clickbaity. But I guess you were to dense to get that.

    12. Re: Only last sentence is relevant by Anonymous Coward · · Score: 0

      Caring about security != Always deploying newest version.

    13. Re:Only last sentence is relevant by Peter+P+Peters · · Score: 1

      So you think everyone is always running the latest versions of all software? Are you naive or just intentionally dense?

      Cool story...

  4. Lazy Coding not CSS by Anonymous Coward · · Score: 0

    CSS can't magically make AJAX calls to a service API and rewrite the service code to return private information. The devs are probably re-using an API call that returns a ton of data just to pick out 1 or 2 fields to display.

    If you send it to the client, it's no longer a secret. One of the mobile carriers would send back this huge JSON object containing everything about you on a simple account details page (name, address, etc). The object contained a ton of "private" information like your credit rating, SSN, type of customer, and even the "comments" field used by Customer Service.

    1. Re: Lazy Coding not CSS by Anonymous Coward · · Score: 1

      Congratulations on having no grasp at all of the security implications in the premise of this article.

  5. uMatrix by Anonymous Coward · · Score: 0, Informative

    Get it now. Block all CSS across the board.

    1. Re:uMatrix by grub · · Score: 3, Informative

      I use uMatrix and the "CSS Exfil Protection" add-on for Firefox. There are some sites I use that need CSS to be even remotely useable. Check it out, it has a test page.

      --
      Trolling is a art,
  6. Iframes should just be banned. by Anonymous Coward · · Score: 0

    I have never seen an implementation of iframes that didn't cause problems or just plain suck. Browsers should just stop supporting them.

    1. Re:Iframes should just be banned. by jellomizer · · Score: 1

      At least apply the same rules that most browsers to in AJAX calls prevent calling a site that is on a different server. Yes it sucks for developers but if you make the serverside passthru you now have some control of the security.

      Unfortunately good security doesn’t mean the easiest way to code it

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Iframes should just be banned. by Narcocide · · Score: 1

      Interestingly enough, the W3C did try to remove iframes and frames both from the spec. Pressure from advertisers over this and some other sanity-induced changes caused the industry to split with the W3C though and make their own "HTML5" standard, which the W3C then only later ratified in order to remain relevant.

    3. Re: Iframes should just be banned. by reanjr · · Score: 1

      Lots of web apps nowadays don't even pass through anything but a static server. Requring third party APIs to pass through a server in many cases undermines the way the web is designed to work.

    4. Re: Iframes should just be banned. by jellomizer · · Score: 1

      The web was designed to be a choose your own adventure book.

      Then people wanted better formatting options, and then they want to fill out information with forms, then these forms would like to have a client side to validate data. Then we wanted more advanced formatting options, and be able to change the HTML without refreshing a page.

      The Web is now an Application Platform. Because of this, it needs security restrictions to make it work as such.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  7. CSS so overpowerd it changes headline color by Anonymous Coward · · Score: 1

    and if I don't use Facebook?

    oh it's fixed too?

    clickbait!

  8. The problem here isn't with CSS3 by mykepredko · · Score: 0, Troll

    The headline should read Facebook security is so underpowered that CSS can deanonymize users.

    Another day, another reason to stay away from Facebook.

    --
    Mimetics Inc. Twitter
    1. Re:The problem here isn't with CSS3 by Anonymous Coward · · Score: 1

      The headline should read Facebook security is so underpowered that CSS can deanonymize users.

      I'm no fan of Facebook, but that's definitely not what the headline should read.

      The attack works by using the blend effects to read the pixels rendered within an iframe. It's not reading the DOM of the iframe at all.

      Are you suggesting that Facebook and other websites should have come up with a way to make it impossible to read the pixels on a webpage? .... ohhhhh, you're a DRM developer, aren'tcha? :)

    2. Re:The problem here isn't with CSS3 by Anonymous Coward · · Score: 0

      I'm no fan of Facebook, but that's definitely not what the headline should read.

      I agree with the AC above, and disagree with the (+4, at the time of this writing) modded grandparent post.

      Facebook was an example, but the attack would work against other sites as well. Nothing about it is Facebook specific.

      (Facebook sucks: don't use it - but that's not the trouble here).

    3. Re:The problem here isn't with CSS3 by Anonymous Coward · · Score: 0

      The headline should read Facebook security is so underpowered that CSS can deanonymize users.

      How on earth did that nonsense get modded to +5?

      This technique has nothing to do with Facebook itself! Shit, it says right in th summary, and I quote: "The leak isn't specific to Facebook".

      Please stop spreading misinformation... and whoever modded it to +5, please stop modding misinformation up.

    4. Re:The problem here isn't with CSS3 by Anonymous Coward · · Score: 0

      It has nothing to do with site security, and everything to do with how browsers render CSS... if you bothered reading the article instead of reaching for your facebook-hate toolbox, you might not look like a complete fucking moron.

  9. We need to freeze the Web Specifications. by xack · · Score: 1

    No more adding features to HTML5/CSS/JS. They are only being used for things like tracking, spying, malware and crypto mining.

    1. Re:We need to freeze the Web Specifications. by Actually,+I+do+RTFA · · Score: 2

      No more adding features to HTML5/CSS[3]> /JS

      You mean, let's go back to HTML4/CSS2/[No JS, because why]. If people want GoogleDocs let it be a fucking native plugin.

      --
      Your ad here. Ask me how!
    2. Re:We need to freeze the Web Specifications. by Anonymous Coward · · Score: 0

      Or ditch them entirely?
      CSS and JS are pretty much just patches added on top of HTML because HTML isn't a suitable document format to describe web pages the way page creators want them to be.

      If the document format was better suited for what it is used for then it wouldn't be necessary to expose so much to the JS engine either.

      Also, embedding a scripted programming language in a different document format is an abomination.
      JS should be the outer layer and generate/modify the document in those cases JS is needed.

    3. Re:We need to freeze the Web Specifications. by K.+S.+Kyosuke · · Score: 1

      Also, embedding a scripted programming language in a different document format is an abomination.

      I agree, it should have been Lisp all the way down.

      --
      Ezekiel 23:20
    4. Re:We need to freeze the Web Specifications. by Sarten-X · · Score: 1

      If people want GoogleDocs let it be a fucking native plugin.

      Oh yes... because having Flash everywhere worked so well for us all.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:We need to freeze the Web Specifications. by Sarten-X · · Score: 1

      CSS and JS are pretty much just patches added on top of HTML because HTML isn't a suitable document format to describe web pages the way page creators want them to be.

      HTML, CSS, and JS all do completely different things, if used correctly.

      HTML should describe the content of the page. It should be the words spoken by a screen reader, or the information a search engine should index. In essence, it is just the meaningful information, in its most-native structure, and nothing more.

      CSS is the presentation of that information. There should be CSS definitions for how that screen reader should pronounce particular words or emphasize particular phrases. There should be CSS definitions for how the page appears at all different display sizes, or if it's being printed to a static medium, or even being sent to Braille output hardware.

      Scripts should describe the page's behavior. Beyond the built-in behaviors of the browser (which IMHO should themselves be defined in built-in scripts, just like the browsers have built-in default CSS), scripts are responsible for building interaction between elements of the page and back-end server.

      If the document format was better suited for what it is used for...

      ...then accessibility and dynamic presentation would be horribly broken, as it was back in the bad old days before CSS.

      JS should be the outer layer and generate/modify the document in those cases JS is needed.

      ...which means that everything that wants to access the informational content of a web page would need an embedded script engine, and enough watchdogs and security to mitigate the risks inherent in executing remotely-generated code on your system. This is a huge problem for browsers already, but making a script be a mandatory layer would mean using the Web is far more expensive for caching proxies and embedded devices.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    6. Re:We need to freeze the Web Specifications. by Actually,+I+do+RTFA · · Score: 1

      because having Flash everywhere worked so well for us all.

      Yes it fucking did. Flash/HTML4/CSS2 was strictly superior tech stack to HTML5/CSS3/JS. It handled cross-domain security better. It handled browser isolation better. It was a better programming language. It had fewer super-tracking features.

      I will give you that Flash pushed people towards XML and JS pushed people towards JSON.

      --
      Your ad here. Ask me how!
    7. Re:We need to freeze the Web Specifications. by Anonymous Coward · · Score: 0

      It used to be that way. You could freeze the entire state of the machine and modify the Lisp code at any level, then resume. Since then computing is just getting worse and worse. I don't understand how companies can continually ruin their products. See Reddit's new design as an example.

      If I won a lottery, I'd try to bring back Lisp Machines. I'd fail, but at least I'd try to advance the industry.

    8. Re:We need to freeze the Web Specifications. by tlhIngan · · Score: 2

      Yes it fucking did. Flash/HTML4/CSS2 was strictly superior tech stack to HTML5/CSS3/JS. It handled cross-domain security better. It handled browser isolation better. It was a better programming language. It had fewer super-tracking features.

      It may be technically better, but the implementation was clearly worse.

      Because there were constant security issues, basically weekly. Update, update and update, and Adobe was completely inept at it, because even "installing fresh" still installed old vulnerable versions. Eventually, they gave up simply due to cost reasons.

      And super tracking used flash extensively - the "super cookie" exploit where a website could set an non-removable cookie used flash. You could delete every cookie on your system but miss one and they would re-appear. And the way to manage Flash cookies was extremely lame. There was no need to do super tracking because flash ensured your cookies stayed with you. Or better yet, even violating the cookie policies of the browser.

      I'd say things are better off now, simply because we're not relying on a single company to update their plugin. Heck, Adobe was genuinely slow enough that 0-days will be up, forcing the security release, and timelines were often at least a week away. for a fix. (And remember, Adobe has no incentive to fix Flash player issues, since it was something it had to give away).

    9. Re:We need to freeze the Web Specifications. by Anonymous Coward · · Score: 0

      If I won a lottery, I'd try to bring back Lisp Machines.

      You'd be better off just spending the money on hookers and blow.

    10. Re:We need to freeze the Web Specifications. by Actually,+I+do+RTFA · · Score: 1

      Adobe has no incentive to fix Flash player issues, since it was something it had to give away

      Flash Player was given away. Flash (the developer software) was highly profitable software. Econ 102 says you give away things that make more people buy your highly profitable goods.

      d say things are better off now, simply because we're not relying on a single company to update their plugin.

      Adobe opened up Flash Player precisely because they didn't make money off it/didn't want to maintain it. IIRC, there was even a GNU implementation. I know Mozilla had an inhouse one. Yeah, it had issues, but I'm not so sure that it was that much worse than the general tech of the day. Fortunately, all software seems to be more secure now. (Even Windows!)

      And super tracking used flash extensively

      The supercookie used everything, pretty much by definition.

      I grant that Flash ignored the cookie policy of the browser. But it had things like "don't allow cookies from third party domains" before it was a glimmer in the browser's eye (do all browsers even have that yet?) I found their settings easier (among other things, turning off all cookies broke practically no sites.) But you are right that even superior settings, if different from what people expect, can be pretty bad.

      --
      Your ad here. Ask me how!
    11. Re:We need to freeze the Web Specifications. by Anonymous Coward · · Score: 0

      It really did; Despite all the problems with Flash, I assert it is superior to what we have now.

      Why?

      Because you could TURN IT OFF!!!

      This has been the biggest problem with moving everything to HTML5+CSS+JS - You can't fucking turn it off so any website can essentially do what it likes.
      You can turn off javascript on some browsers but it is awkward unless you use an browser extension, and even those bring problems. (I just discovered noscript, even disabled but still installed, has been responsible for most of the site-rendering issues I've been having!)

      This is partly why I still use Opera 12 as my main browser - PLEASE OPERA!! DUMP CHROMPERA AND GO BACK TO YOUR OWN ENGINE! I WILL HAPPILY PAY AS I DID WHEN YOU STARTED!!!

    12. Re: We need to freeze the Web Specifications. by Anonymous Coward · · Score: 0

      Yea if he buys hookers and blow at least he will have something to show for it....herpes.

  10. Crying wolf by Anonymous Coward · · Score: 1

    This attack works in Chrome and Firefox, but has been fixed in recent versions.

    So then it _can't_ be used to deanonymize Facebook users.

    Why is this a problem then?

    1. Re:Crying wolf by HarrySquatter · · Score: 2

      Because lots of people run old versions of software?

    2. Re:Crying wolf by Anonymous Coward · · Score: 0

      Because lots of people run old versions of software?

      Lots of people drive drunk too, it doesn't mean we should just accept that.

    3. Re: Crying wolf by Anonymous Coward · · Score: 0

      Worst analogy ever.

  11. uh no? by pezpunk · · Score: 1

    this is moronic. if Facebook is leaking private data to the client browser, this is NOT a CSS problem. what an insipid and misleading headline.

    --
    i could live a little longer in this prison
    1. Re:uh no? by Hognoxious · · Score: 1

      if Facebook is leaking private data to the client browser

      Would it make a difference? They're leaking it everywhere else.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re: uh no? by oobayly · · Score: 1

      That's only true if you were to lazy to read how the attack actually works.

  12. Facebook security? by Anonymous Coward · · Score: 0

    That made me laugh.

  13. Joke on them by Anonymous Coward · · Score: 0

    Even if it was still working, it,s not like I ever gave facebook a single real information. They don't have my real name, picture, phone number, real email, etc...

    1. Re: Joke on them by Anonymous Coward · · Score: 0

      I promise you they have all that, and much more. The best part (for them) is the fact that they never needed any overt consent or direct interaction with you to obtain all that data. Cheers, bud. -PCP

  14. it also breaks by Anonymous Coward · · Score: 0

    /. green, too. css needs a nerf, too op.

    captcha: styling

  15. Good thing I clear my data by quonset · · Score: 1

    And don't use Facebook.

    Every day I clear my data. Everything is wiped clean and I start fresh. Yes, advertisers could deduce about me with each daily trek through the Net wilderness, but I also have uMatrix which blocks other forms of advertising and intrusive behavior so they have to work for it.

    Regardless, since I don't see whatever it is they're peddling, it's no big deal. It costs them money so I'm happy.

  16. Blue? by fisted · · Score: 1

    So why is this story blue?

    --
    CLI paste? paste.pr0.tips!
    1. Re:Blue? by hcs_$reboot · · Score: 1

      CSS powerfulness.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Blue? by mentil · · Score: 1

      Probably related to it being posted by 'FirehoseFavorites' which I presume is a bot that autoposts highly-rated Firehose entries if the editors don't post (or queue) anything for long enough. Although this was followed by 2 queued stories so who knows.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    3. Re:Blue? by 93+Escort+Wagon · · Score: 1

      “Firehose Favorites” are blue. This is only the second or third one I’ve seen since Whipslash talked about it quite a while ago.

      --
      #DeleteChrome
    4. Re:Blue? by fisted · · Score: 1

      S-so CSS can be used to color elements of a web page? I never knew.

      --
      CLI paste? paste.pr0.tips!
    5. Re:Blue? by whipslash · · Score: 1

      Yes just live testing a feature that 93 Escort Wagon remembers from a while back. Autoposting extremely popular firehose items to the front page. Won't happen unless it's extremely popular.

    6. Re: Blue? by Anonymous Coward · · Score: 0

      Firing the editors soon I see. Good move, they fucking suck anyway. Just employ a bunch of AI and I guarantee your ad impressions will rise. Chase the money you greedy fucks.

  17. Facebook is the root of all evil. by shm · · Score: 1

    Just delete your account already and flush its cookies.

    I know it doesn't really delete any as Zuck is confirmed liar, but at least don't give him any excuse to have your data.

    Hopefully the EU GDRP is the first step to wipe this obscenity off the face of the earth.

  18. The problem here is JS, not CSS by Anonymous Coward · · Score: 0

    It sounds like this is yet another case of JavaScript having access to a side-channel that should never have been possible - in this case, being able to determine how long it takes the browser to render the page.

    Of course, there's also the eternal problem of permitting pages to embed access-controlled content from other domains in the first place (rather than, e.g., tying all cookies to the URL bar domain.)

    CSS is indeed overly complicated, and that's a problem too, but let's put the blame where it belongs.

    1. Re: The problem here is JS, not CSS by Anonymous Coward · · Score: 0

      Website needs to be using react.
      Open a website that uses a controlled component framework such as React. https://instagram.com.

      So it's not just CSS

  19. FYI by Anonymous Coward · · Score: 0

    3PRB can block CSS images.

  20. Password keylogger via CSS by Dynedain · · Score: 1

    You think this is bad, try a password keylogger implemented purely as CSS (no javascript):

    https://css-tricks.com/css-key...

    The real vulnerability in both this and the article example is allowing 3rd party code injection. If you can't trust the source of the code, the language being used doesn't really matter. There will be ways to abuse it.

    --
    I'm out of my mind right now, but feel free to leave a message.....
  21. I'm feeling blue! by Anonymous Coward · · Score: 0

    So very, very blue!

  22. What about non-Chrome/Firefox? by Titanek · · Score: 1

    Are browsers like Opera and Edge still vulnerable then? I can't seem to find anything on that.

  23. Attacks like these aren't new by Qbertino · · Score: 1

    Rendering blur effects on fonts and measuring the time to render to guess letters, checking for expected remote case to expose surfing history ... The stuff web hackers can do is pretty amazing. If you're in web development and are looking for a reason to switch to sheep farming just visit a web hacker conference. You'll come home crying.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Attacks like these aren't new by Anonymous Coward · · Score: 0

      Capitalise "German", mutterficker!

  24. I read the article, and this hack shouldn't.... by Anonymous Coward · · Score: 0

    be a problem if you are using privacy plugins that already block single pixel tracking bugs. The attack ALSO REQUIRES, you guessed it, Javascript. So, it's not a pure CSS attack. See https://github.com/evonide/mis.... These blokes didn't test against a rig with any privacy plugins.

    Here's the real question: they're running a timing attack on how long it takes to render a pixel outside the parent element they're providing the style for. They specifically attack an iframe from Facebonk that shouldn't be able to receive styling from their CSS script unless they load at the same priority as Facebonk itself. So, this is a driveby attack that requires the FBonk to maintain your logged in state based on cookies. Otherwise, their little iframe to facebook isn't going to display any information.

    So, they can't really hack FB, but it's an interesting attack. Surely a bug.

    And one more thing.... this is a timing attack, right? Why are the browsers giving out time accurate to the millisecond? This sort of thing makes timing attacks possible? What possible purpose could there be in handing it out such accurate time to Javascript? Can't we just go with 0.01 (0.0254 metric) seconds resolution?

  25. I stop CSS tracking etc. via hosts... apk by Anonymous Coward · · Score: 0

    CSS tracking's nullified via APK Hosts File Engine 2.0++ for Linux. It protects you vs. tracking/ads/malware & speeds you up 2 ways (ad & script blocking) & DNS requestlog tracking via locally resolved favorites (avoids dns security issues too & dns down).

    Vs. Script it's faster (kernelmode vs. usermode + starting 1st) than NoScript.

    * Linux version's 10x FASTER vs. my Windows model (done in Delphi XE2-4 32/64-bit) via FreePascal + Lazarus 1.8.2 - speed gain's better underlying architecture (non-visible stringlists ONLY, Windows one did a mix of 'em + visible grids (had messagepass overhead I underestimated)).

    APK

    P.S.=> It's SO fast/accurate I'd race ugly inferior shellscripts (others' code merely USED in script) OR native tty term exes for same purpose (w/ same dataset) & I'd win - my reverse DNS resolution alone = 10x faster (IF scripts even do it, most don't) as ping in Windows/Linux are (& I "do the impossible" PING on Linux MINUS Root)... apk

    1. Re: I stop CSS tracking etc. via hosts... apk by Anonymous Coward · · Score: 0

      What? Lol.

  26. Sigh by Anonymous Coward · · Score: 0

    Millennial alert. It's just a tool, all tools can be utilized To wreak havoc, it doesn't imply inherent 'power'. That's your generation's biggest problem in life: your parents never taught you what real empowerment even looks like. Worse, they taught you to respect its opposite (that would be 'victimhood' for the less savvy members of the class). Give us a break. This isn't the worst aspect of Facebook or other social media, not by a long shot. It seems to me that no matter how old millennials get, everything they observe and share is essentially at root a cry for yet another safe space. Grow the fuck up.

  27. Impossible by Anonymous Coward · · Score: 0

    >> CSS ... Can Deanonymize Facebook Users
    That's impossible.
    Facebook users are not anonymous to begin with.

  28. fear the clock by epine · · Score: 2

    I've commented to a mathematical friend more than once that computer science is mathematics, plus the assumption that time exists. (This also explains why I'm LISP-boner impotent. LISP is computer science, ++delay, minus the assumption that time exists; the user sees time, while the programmer doesn't—what's not to like?—but I still don't get the happy hardness.)

    Moral of the story: fear the clock.

    Do not fear napkin Turing-complete, CSS Turing-complete, nor LISP Turing-complete. (Turing-complete happens by accident at least once out of every nine innings of billiard-table HO-gauge NAND-gate pick-up-sticks.)

    Perhaps what we need is a degraded system timer.

    Ideally, the local mean would wander somewhat slowly on a fractalish time scale, only minimally convex around the extremes so as to stay within a +/- 30 second deviance specification for 99.8% of all samples. Ideally, the estimate of the mean would converge considerably more slowly than sqrt(N). But I don't know my thick-tailed distributions well enough to say what that would look like as an actual thing. You also don't want the difference between step changes to be small, on average; and you don't want the locations of the step changes to occur on precise, minute boundaries, either (duh!) In fact, I think sloppy-clock would return an ascending integer sequence, but the wall-time duration of each distinct integer interval (of minute-ish duration) would be unpredictable, as described.

    My math is feeble enough that I can't even prove that my sloppy-clock as roughly stipulated even exists in practice, but let's assume it does.

    Then you need to implement a security ring where the best clock available is sloppy-clock—and stuff all foreign scripts in there. Yes, plugging time leaks from the outside world in a sophisticated API is hard. True mathematicians need not apply (i.e. LISP won't help you in this endeavour, not even a little bit).

    By avoiding capacitors (condensors) von Neumann's IAS computer could be frozen and single-stepped, or run at any frequency you desired, until the internal bit signals themselves became unstable. (Some of these early designs were actually asynchronous and self-timed.) Effectively uncoupled from the real world, such a machine has no ability to introspect the duration of its own operations—unless you screw up, and give it an actual wall clock or cycle-clock or global operation-count API (the second case is only possible with synchronous designs).

    Uncoupled computing (Internet 404) is not popular under the modern CSS paradigm, so you do probably have to at least make a concession for sloppy-clock (which dingbat users can upgrade to precise-clock if it bothers them that their ESPN scoreboard page refreshes aren't entirely concurrent with the real world; it would also suck for implementing chess clocks; but not, strangely, for anticipating when a soccer game will officially end).

    Anyways, this whole proposal is a massive research project.

    I'm merely pointing out that computer science is merely mathematics—right up until time begins.

    Von Neumann's early IAS computer didn't even have (internal) time. (That's because they had more than enough problems to deal with, already, without scoring an own goal.) Interestingly, Turing specified hardware random number generation from the get go, on purely formal reasoning about the space of available computation. Turns out, precisely measurable operational elapsed-time is ultimately more insidious (under promiscuous interconnection) than nondeterminacy. (A promiscuous web page being any web page bearing more than one cookie, or related code artifact.)

    Maybe time does not fly like an arrow as described in its early scouting reports—but it certainly does leak (across code-execution trust domains) like a bat out of hell.

    1. Re:fear the clock by epine · · Score: 1

      My "own goal" comment was actually a bit of a joke (ha! made you think) because elsewhere I state that time oracles were far less of a hazard back in the day of Internet 404.

      But you could already have your programming team for the hydrogen bomb's neutron Monte Carlo simulation partitioning into less classified programmers who write the I/O portion (generally punched cards on stdin and stdout, in some cases every card representing a separate neutron) from the highly classified mathematicians coding the actual neutron model.

      So imagine you've got Klaus Fuchs on your I/O team, and he wants to write I/O code to leak secrets about the neutron algorithm, which he stegs into some output stream he's actually allowed to see (this is probably a severe security oversight, already, but oh well).

      If his I/O code has some access to a precision wall clock, which he can read as many times as he wants each time his I/O code runs, who knows what details might leak about the simulation algorithm itself, based on electrical artifacts it leaves behind. (I believe row hammer was already very much a thing concerning the Williams tube storage array.)

      Really, the pernicious time problem stems from any partition of the trust domain roped into the same computational task (or shared processing environment).

  29. Blue headline? by Anonymous Coward · · Score: 0

    In my browser the headline is blue. What does that imply?

    1. Re:Blue headline? by whipslash · · Score: 1

      This story was autoposted from the Firehose without editor input due to reaching an extreme threshold of upvotes. New feature we are testing

  30. This is not an attack... by Evergreener · · Score: 1

    THIS IS FACEBOOK!!!

  31. I ported something from Win32/64 to Linux by Anonymous Coward · · Score: 0

    See subject: It's MUCH faster + more efficient now on Linux (rethought part of it). 1st link sheds more light on it https://www.google.com/search?client=ubuntu&channel=fs&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&ie=utf-8&oe=utf-8/ & it gives users of it greater speed/security/reliability, natively, minus "Bolt-on-'MoAr'" ILLOGIC-logic + less complexity (& bugs/security issues) + faster using what you already have in a 45++ yr. PROVEN subsystem in the IP stack itself...

    * Soon to be ported to FreeBSD/PC-BSD (trueOS) & Mac OS X too!

    (FACT: No SINGLE "so-called 'competitor'" of it does as much for much less natively - period)

    APK

    P.S.=> If that's not enough? Ask any questions you like, I'll do my best to answer... apk

    1. Re:I ported something from Win32/64 to Linux by Anonymous Coward · · Score: 0

      Spread some more of your BS lies there APK we will call you out like always.
      I bet you will get angry and make some of your antisemitic posts or decide to threaten physical violence.
      Too bad everyone knows you are just a weak little keyboard warrior who will stalk and harass people in real life.
      Here is a question for you, have you actually been taking your medication as directed or are you ignoring your doctors orders again?

  32. Words matter. by TheRealHocusLocus · · Score: 1

    [TFA] security researcher has abused them

    Hey wait. This is a tech site.
    How about leveraged them, or even used them?

    Imagine non-tech readers. It's a gimmick to trigger one of those "there oughta be a law" responses. THIS is how we get laws against the sale and possession of radio scanners that can tune in unprotected police communications. And instead of forcing police to upgrade their equipment, they get a bonus opportunity during traffic stops to pretend that their K9s 'signalled' the presence of an illegal scanner. Which in turn, encourages farmers to grow smaller potatoes.

    --
    <blink>down the rabbit hole</blink>
  33. Like film? An analogy... apk by Anonymous Coward · · Score: 0

    "The language of the mystic arts is as old as civilization (truthtables behind boolean logic are, foundation of these machines). Sorcerors of antiquity called the use of this language spells but if that offends your modern sensibilities, you can call it a program: We draw energy (information) from other parts of the multiverse to make shields (no weapons> to make MAGIC...

    * FROM Dr. Strange ala https://www.youtube.com/watch?v=PN6JFVQfwp8/

    APK

    P.S.=> In a very REAL sense, that's what I'm up to & I couldn't put it ANY BETTER than that... apk

    1. Re:Like film? An analogy... apk by Anonymous Coward · · Score: 0

      APK is still living in a world of fantasy.

  34. It's no lie I built a good program & you can't by Anonymous Coward · · Score: 0

    See subject & You're nothing but a jealous do-nothing "ne'er-do-well" that WISHES he was me. You can't justify stalking me & IF I ever found out who you are + WHERE you are? I'd pound the fucking SHIT out of you, you disgusting waste of life PUSSY projecting your own faults onto me & failing as always (it's all you've ever done - fail).

    * ... & you KNOW it + show it...

    APK

    P.S.=> Why won't you tell me your name, address, and phone number so I can verify WHO you are & come pay you a visit in person, pussy? We all KNOW why (you are a pussy)... apk

  35. Better than a "ne'er-do-well" like you by Anonymous Coward · · Score: 0

    See subject: You're just a lazy psychotic do-nothing "ne'er-do-well" loser that stalks me on /. via your unidentifiable anonymous posts - big accomplishment on your part (lmao - not).

    * You're a sick in the head little pussy bitch - no questions asked.

    APK

    P.S.=> Why not meet me face to face & we can settle this by my smashing your teeth out of your jaw - ok? apk