Except the attack fails if the image is modified in any way, fails if the server does minimal validation, *and* it only works in IE because that ignores mime types from the server.
I doubt there's an attack surface worth the effort. You can bet facebook does checks.
No, it would just take Facebook doing better validation, and any other site that allowed this to happen.
I have my doubts it would even work in the real world, otherwise Facebook need a kick up the arse as they should have seen it coming.
The opposite is true - for this to work the extension must be wrong and the server must not use any fingerprinting to validate the file (just looking for GIF89a at the start is normally enough).
Ignoring the extension is precisely what should be done.. the server is accepting a .jar just by renaming it as a .gif therefore the server is broken.
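The check the comment above describes, as an added example that is not part of the thread: the upload is judged by its content alone, the filename extension is never consulted. The constructed sample inputs (a minimal 1x1 GIF, a ZIP-style archive header presented as an image, and a GIF with bytes appended after its trailer) are made up here; the function and constant names are the example's own. Beyond the comment's "look for GIF89a at the start", the code also walks the GIF block structure to its trailer so that anything appended after the image is rejected too.

```python
from typing import Optional, Tuple

# Constructed sample inputs for the example (not real uploads).
MINIMAL_GIF = (
    b"GIF89a"                          # signature + version
    b"\x01\x00\x01\x00\x80\x00\x00"    # 1x1 logical screen, global colour table present (2 entries)
    b"\xff\xff\xff\x00\x00\x00"        # global colour table: white, black
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local colour table
    b"\x02\x02D\x01\x00"               # LZW min code size 2, one 2-byte sub-block, terminator
    b";"                               # trailer
)
RENAMED_ARCHIVE = b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF"

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def _skip_sub_blocks(data: bytes, pos: int) -> Optional[int]:
    """Advance over a chain of length-prefixed sub-blocks ending with a 0 byte."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None


def gif_payload_end(data: bytes) -> Optional[int]:
    """Walk the GIF block structure without decoding pixels.

    Returns the offset just past the 0x3B trailer, or None if the data is not
    a structurally well-formed GIF.
    """
    if data[:6] not in GIF_MAGICS or len(data) < 13:
        return None
    pos = 13                                   # header (6) + logical screen descriptor (7)
    packed = data[10]
    if packed & 0x80:                          # global colour table flag
        pos += 3 * (2 << (packed & 0x07))      # 3 bytes per entry, 2^(N+1) entries
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer: image ends here
            return pos
        if block == 0x2C:                      # image descriptor: 9 bytes + optional local table
            if pos + 9 > len(data):
                return None
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:
                pos += 3 * (2 << (local_packed & 0x07))
            pos += 1                           # LZW minimum code size byte
        elif block == 0x21:                    # extension: label byte, then sub-blocks
            pos += 1
        else:
            return None
        pos = _skip_sub_blocks(data, pos)
        if pos is None:
            return None
    return None                                # ran out of data before a trailer


def validate_gif_upload(data: bytes) -> Tuple[bool, str]:
    """Accept only content that is a complete GIF with nothing appended.

    The caller's filename/extension is deliberately not an input: it is
    attacker-controlled and says nothing about what the bytes are.
    """
    end = gif_payload_end(data)
    if end is None:
        if data.startswith(ZIP_LOCAL_HEADER):
            return False, "archive content presented as an image"
        return False, "not a well-formed GIF"
    if end != len(data):
        return False, f"{len(data) - end} trailing bytes after GIF trailer"
    return True, "ok"


if __name__ == "__main__":
    for label, sample in [("minimal gif", MINIMAL_GIF),
                          ("renamed archive", RENAMED_ARCHIVE),
                          ("gif + appended data", MINIMAL_GIF + b"\x00" * 40)]:
        print(label, "->", validate_gif_upload(sample))
```

A real upload pipeline would normally go one step further and re-encode the image with an image library, which strips anything the structural walk might miss; the check here is the cheap first gate that a server should apply before trusting the declared type.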
You can buy plenty of brand new motherboards today that lack a TPM.. and personally I wouldn't buy one that did have it.
I've seen a fully charged phone go from full to halfway unexpectedly for no good reason. Of course it was a crappy phone.
Calling the iphone crappy is fighting talk around these parts...
Interesting.. so they've only shut it down in the US? Explains why it's working fine here (in fact their page still lists half a million daily active users).
The ESXi footprint is only 32MB. It can just be an extra chip on the motherboard.
Xen doesn't have virtualised DMA so it's all software copy via qemu.. that means that ethernet and hard disk both bottleneck making the performance very substandard.. about 1% of VMware on the same hardware.
You can buy commercial drivers for it that speed up the hard disk somewhat (nowhere near VMware speed though) but there seems to be nothing that stops the ethernet throughput sucking the big one.
We have a total mishmash of pure theory and applied (like software design and databases) and end up producing a lot of very muddled code monkeys.
CS hasn't changed then. When I did it (1991) they made us learn Ada, 68k machine code, Pascal, Statistics and Double Entry Bookkeeping - that was supposed to make us into 'Software Engineers'.
When I'm looking to recruit I actually prefer people who've worked their way up than those with CS degrees for this very reason.
If they thought it was a beta they'd have written off any glitches and slowness as the kind of stuff you get in betas (especially in debug builds).
Then there's the whole psychological thing.. you've been invited by MS to see their 'new' OS. Of course you're going to say it's nice.. because (a) that's what you're expected to say, and (b) you want to be invited back to see more cool stuff.
The better question is why is Windows Server 2008 way better as a client OS than Vista.. given that they use the same kernel.
It's like they put two teams on it.. one loaded the OS with crapware until it collapsed, and one produced a usable system. The usable one got released as 'Server'.
I had crazy problems like: The OS writing app configuration information to 'Virtual Store' and reading from the original file locations. Let's see a non-techie figure that one out.
I ended up with a batch file that synced between the two.
It's got the same problem in the registry too.. that's a bitch to track down when something breaks.
The real WTF moment for me was when I found out that you can't make an elevated shortcut out of cmd.exe.. they've specifically blocked it to be damned annoying (and of course once in cmd.exe it's impossible to elevate a command because that only works from the desktop). You have to copy cmd.exe to cmd1.exe then create an elevated shortcut out of that.
Dual core 64 bit processor with 4GB RAM. Ran it for 9 months as I had to port some software over to it. I'll never, ever, install that POS on any piece of hardware I own again. Just not ready for prime time - as buggy as hell, even lost files on me on some occasions.. especially copying, which had clearly never been tested. UAC was nuts, often asking me for permission for the same file 3-4 times in succession... I could go on.
It's the "makes newer hardware painfully slow" that people can't deal with.
Oh and the "drains laptop batteries like hell" problem - due to crapola services thrashing the hard disk 24/7.
BS it's 4 years old. The chip wasn't even released until 3 years ago and unless you paid top dollar for it it'll be probably at least a year newer than that.
It's also a pretty decent processor compared to what a lot of people are running.
It does tend to fall apart over time.. the dev one I worked with for 9 months was so insane at the end it refused point blank even to tell me if the network cable was plugged in, telling me I had no permission to do so.
They were caught doing it in court, so yes they would go to that trouble in a heartbeat.
I'm wondering if it was a 2008 server in a client build with some of the bling switched on... with 90% of the CPU sucking services disabled it ends up a reasonable OS.
The other way to stack the deck is to run it with at least 4GB of memory and a blazing fast processor. Hand picked hardware with the best drivers goes without saying.
We've had freedom of speech since 1689.
The problem is so many of our own population spout rubbish about 'unwritten constitutions' and 'no right to free speech' because they don't care to know the laws of their own country.
You in the US have a huge advantage.. you *know* your constitution. Half our population don't even realize we've got one - so the government can continue to take the piss out of it without any serious opposition.
On the US side the owners tried to file for chapter 7 then use that to close down the operation without being liable for the debts (we have no chapter 11 here). I'm not sure exactly *how* they've managed to do that.. it's an odd point of law if it's possible. Someone complained to the judge and the chapter 7 was blocked..
Maybe someone familiar with US law can make more sense of what they're doing than I can:
http://www.ministryoftruth.me.uk/2008/07/24/spck-owner-seeks-to-bankrupt-uk-charity-in-us-court
A civil action is enforced by the courts, and ultimately by a judge. The government doesn't have any say in it apart from drafting the law in the first place... in fact a court can enforce an action *against* the government and there are many cases where this has happened.
The same is true in the UK - the 1689 Bill of Rights (on which our historic right of free speech is based) states:
"That it is the right of the subjects to petition the king, and all commitments and prosecutions for such petitioning are illegal"
(I really like the nice short wording of that..)
It was further clarified by the Human Rights Act in 1998 to read:
"Everyone has the right of freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers."
In both versions it's clear that freedom of speech concerns our interactions with the ruling authority.. initially the king and later whoever happened to be in charge at the time.
So the retarded practice of patenting '[obvious action] ON THE INTERNET' will still continue. No change there then.
Software is a mixture of maths, art, sweat and donuts.
You can also add coffee/beer flavouring depending on your tastes.
Try reading the Godwin's Law FAQ.
The point of Godwin's Law is that once a thread degenerates into comparisons with Hitler that thread is effectively over, and can be killfiled by the participants without risk of losing any useful information.
This leads to the tradition that mention of Nazis in a thread by a participant automatically makes them lose the argument (http://www.jargon.net/jargonfile/g/GodwinsLaw.html)
..and they both log into myspace. What username do they get?
At the moment most sites seem to use the entire http string. That's absolutely ridiculous - I want the account in my name not some random gibberish - and one of the reasons why I never use the openid account that I have.
Google Blogger just uses the last part, with a hyperlink to the openid account itself. This means that in the example above the two users appear to be identical and you could easily trash someone's reputation that way.
It's just created another problem that needs solving.. by having separate accounts on each site so you don't get duplication - thus we're back to square one.