Gah. I hate to keep posting things repeatedly but my thinking is fragmented today :)
I don't think it's similar to a FORM at all, you can get the user to access other sites that they wouldn't normally access and get a parseable response from that site (as I mentioned above). I plan on testing this out some more with a friend of mine to see if I can grab their modem's information remotely.
If you're using AJAX in a legitimate fashion (e.g., requesting information from the original server) then yeah, it is as simple as a FORM request (maybe some session verification with PHP) but this manner I just outlined completely defeats that.
Hah, well after posting this I decided to check out exactly how feasible it is. FF (2.0) w/Firebug will tell me that Firefox denied access to the call. I assume it sees any calls that start out with http:/// that don't match the server and automatically denies them.
IE 6.0 on the other hand merely says "This page is accessing information that is not under its control" and gives you a Yes/No choice.
Well, think of this. It wouldn't be all that hard to set up some JavaScript, use AJAX and have it call to http://192.168.1.1/ and try a random smattering of common admin logins to modems (I know my DSL modem @ home supports it) and then report back to the server the IP address of the user. You could easily get their PPPoE login right there provided some other details. At the very least you could take down their modem.
Sure this is kinda out there and the simple response is to change your modem's password or turn off web administration on it but then again a quick wireless scan around my apartment reveals at least two people with open systems.
Not everyone is an IT tech and there will always be a market for the exploitation of insecurities just as there will always be insecurities. It's merely a matter of being preemptive, recognizing potential risks and doing what you can to both (a) lower risk to an acceptable level and (b) maintain usability depending on how important access to similar sites is for you/company.
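The denial reported for Firefox in the comments above, and the case of a public page requesting http://192.168.1.1/, modeled as a request classifier a browser extension or filtering proxy could apply. This is an added example, not code from the original posts and not any browser's actual implementation; the function names and sample URLs are hypothetical.

```javascript
// Simplified model (added example): classify a script-initiated request
// by comparing the page's origin with the target's origin and address range.
// Function names are hypothetical; this is not a browser's real code.

// Default ports, so "http://a/" and "http://a:80/" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) triple.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// True for IPv4 literals in loopback, RFC 1918 or link-local ranges.
function isPrivateIPv4(hostname) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  if (m.slice(1).some((octet) => Number(octet) > 255)) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Decide what to do with a request made by script running on pageUrl.
function classifyRequest(pageUrl, targetUrl) {
  let target;
  try {
    target = new URL(targetUrl, pageUrl); // resolves relative URLs too
  } catch {
    return "deny: unparseable URL";
  }
  if (!(target.protocol in DEFAULT_PORTS)) return "deny: non-HTTP scheme";
  if (isSameOrigin(pageUrl, target.href)) return "allow: same origin";
  const pageHost = new URL(pageUrl).hostname;
  if (isPrivateIPv4(target.hostname) && !isPrivateIPv4(pageHost)) {
    return "deny: public page to private address";
  }
  return "deny: cross-origin";
}
```

The separate "public page to private address" verdict is worth logging on its own, since a legitimate site rarely has a reason to address a visitor's LAN gateway.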
You've got to learn to use quotes more accurately. If by "the people" you mean anyone willing to go far enough, pay enough, and be unconstitutional enough to do what it takes to ensure a political position; then yes, "the people", is correct.
I've always wondered this and I'm not sure entirely how it would work but if a household has a wireless connection set up and they maintain standard security (WEP, MAC filtering) and such, which are clearly shown to be vulnerable to attacks/intrusion, how can a court prove without doubt that it was in fact that person who was involved in piracy?
Furthermore, would it be their fault? They implemented the security they could yet there are still ways around it. If it still holds up for the RIAA side, couldn't they just blindly point fingers at people (not that they already don't) and win?
miss. Thanks for playing, come back soon.