Slashdot Mirror


User: Tony Hoyle

Tony Hoyle's activity in the archive.

Stories: 0 · Comments: 5,728

Comments · 5,728

  1. Re:Anyone knows if the 2.x tree is vulnerable too? on Vulnerability In Firefox Popup Blocker · Score: 5, Insightful

    Can anyone test?

    Nope, because no example exploit is given and the means of exploitation looks rather unlikely:

    "To create a popup warning, a script embedded on the page calls: window.open('file:///c:/windows/temp/xxxxxxx.htm', 'new2',''),

    with a name calculated by repeating a procedure implemented in SetUpTempFile() with a seed calculated by the server based on reported system time (p2.html?time)."

    1. It assumes that the temp file is c:/windows/temp. It isn't, unless you're running Windows 95, and only then if you've not changed it from default. That's the *system* default temp file. The *user* temp directory is inside local settings in the user specific area (much harder to find out remotely. Maybe not impossible, but you'd have to get lucky (it's not just the username as the directory name.. it has things like .000 after it)).
    2. Calculating the seed to that accuracy is damned hard.

  2. Re:Anyone knows if the 2.x tree is vulnerable too? on Vulnerability In Firefox Popup Blocker · Score: 2, Interesting

    Is anyone still running 1.5.0? I thought the auto upgrade had handled that months ago.

  3. Re:Isn't a task for Free Software Foundation? on Viacom Claims Copyright On Irrlicht Video · Score: 1

    Huh? What the fuck have the FSF got to do with this? You said yourself it's not GPL and definitely not copyright FSF.

  4. Re:The Tetris hack was a fake on Chip-and-Pin Vulnerable To Subtle Trickery · Score: 2, Insightful

    Of course if you do £20 - £2000 then you get noticed real quick.

    Do it at a petrol station or somewhere where the price varies a lot, add £1 onto the transaction (screening out the 'obvious' figures to avoid people who put exactly £20 of petrol in for example noticing the error), and have the 'real' transaction come from the 'real' retailer and you'd get away with it for quite a while.

    Petrol station employees are paid minimum wage and not security checked & have an incentive to get involved in this too.

    Don't stay in one place for too long, move around, and with a bit of luck and a following wind you'd be quite rich at the end of it.

  5. Re:Cut out the middle man on Chip-and-Pin Vulnerable To Subtle Trickery · Score: 1

    That's pretty much the only way it would work.

    Just have to work on the shops (mainly larger ones) that insist on taking the card off you and using their own proprietary chip/pin system. They'd probably do the same "oh, we don't use those things.. here type your pin into this keypad".

  6. Re:nothing new here on Chip-and-Pin Vulnerable To Subtle Trickery · Score: 1

    In the UK PC World still print your entire CC number *and* expiry date on receipts (or they did a couple of months ago... I complained... again... one day they'll listen).

    A bit of dumpster diving around one of them and you'd have a handful of legit card numbers to clone. All you're missing is the CVE.

    Now find online retailers that don't ask for the CVE (admittedly getting fewer... My ISP doesn't for example).

    Or just pay for car parks, which aren't chip/pin enabled and just take the magstripe and debit your card.

  7. Re:'Watchdog' tonight on Chip-and-Pin Vulnerable To Subtle Trickery · Score: 1

    Oh come on... there is no standard 'look' for these things - they come in all shapes and sizes, and many larger shops still take the card off you and swipe on their terminal (so you don't even *see* the chip/pin thing they just hand you a keypad which is connected to the till & may or may not be encrypted or recording your pin for later use).

    You really don't have to get hold of one of the legit boxes, just make something that looks passable and has an LCD display and card reader. That gets you the pin, assuming the data between the chip and the reader is encrypted. Getting the keys you'd need a proper box for.. this research proves these have weaknesses that allow you to get the data.

  8. Re:Ettiquette on 'Best' Fake Blog of 2006 Awarded · Score: 3, Funny

    Now he sells white boxes to freaks.

  9. Re:Apple is spreading FUD on Vista - iPod Killer? · Score: 2, Insightful

    RTM of Vista has been available to developers since November. Apple would only hurt themselves by saying this now, since they'd be saying they sat on their arses and refused to fix it for 2 months.

  10. Re:OT: Learning curve on Nvidia Faces Class Action Lawsuit Over Vista Drivers · Score: 1

    Program search isn't worth the tradeoff - having your hard drive on 100% all the time, and not allowing the CPU to idle. Personally as a laptop owner I want my battery to last more than an hour.

    Big problems with vista

    1. The program files menu doesn't cascade and can't be made to.. it's squashed into the left side of the screen.
    2. It also takes 2-3 seconds to respond to clicks.
    3. You can't change the default folder view from 'big huge-ass icons' to something sane. The button is there, albeit hidden ('make all folders look like this one') but it doesn't actually work.
    4. Battery usage - XP consistently got 3-3.5 hours. Vista with search service enabled - less than 1 hour. Vista with search service disabled - slightly under 2 hours.

    I haven't got used to the UI and I've been using it for a while.. it's awful. As soon as this project is over XP is back.

  11. Re:What Problems? on Nvidia Faces Class Action Lawsuit Over Vista Drivers · Score: 1

    64bit works too... ran it for over a month.

    Of course you'd be nuts to run 64bit vista at the moment... sure the graphics card work but good luck with anything else.

  12. Re: Shit, they stole that from Mac OS X, too on Nvidia Faces Class Action Lawsuit Over Vista Drivers · Score: 2, Informative

    eml from outlook is a binary format dumped from the MAPI data.. unless they've changed it with vista. It's not compliant with anything.

    I used to get the occasional misconfigured exchange server send me it instead of the message and I'd have to reply 'what is this binary junk?' to get them to fix it.

  13. Re:Linux support on Nvidia Faces Class Action Lawsuit Over Vista Drivers · Score: 1

    I had this with an SB Live (External).

    Box came with dodgy driver CD.. went to Creative site - they only had an upgrade.. and that required the driver CD.

    Asked for full version from creative, and they refused point blank (basically accused me of being a pirate.. FFS who would want to 'pirate' a driver without the card?)

    Later I installed Linux. Fully working from install.. no hassles. For about 3 months I had no sound in Windows and fully working sound in Linux.

    OTOH I never bought or considered buying a creative product again (it became moot once motherboards started to have decent audio chips on them anyway).

  14. Re:ch-ch-ch-chaaaanges... on Nvidia Faces Class Action Lawsuit Over Vista Drivers · Score: 1

    I have a 7300 GS which was purchased in november. It should work with vista.

    Dude, 7300 has been supported 100% since the earliest driver betas. I should know I've been running it.

  15. Re:ch-ch-ch-chaaaanges... on Nvidia Faces Class Action Lawsuit Over Vista Drivers · Score: 1

    Plus they work. The 32bit drivers are rock solid (the latest ones fixed a small problem I was having with the resolution coming out of standby). The 64bit drivers I never had an issue with (seemed better than the 32bit even a month or so ago, so unless they've got a lot worse then there's little to worry about).

    Sure, they aren't *fast* (well, the latest 32bit is but the others were about 25%-50% slower than XP drivers) but I'm sure the nvidia license doesn't make any speed guarantees so no legal avenues there either.

  16. Re:Just use the 'nv' driver on Nvidia Faces Class Action Lawsuit Over Vista Drivers · Score: 1


    By default the 64 bit version wants this but it is easily turned off if you like.


    Not a great idea. If you turn it off it disables the protected path so you can't view DRM material in full res.

  17. Re:Vista on Nvidia Faces Class Action Lawsuit Over Vista Drivers · Score: 1

    I have Vista and know that you don't need a reboot to install new video drivers.

    If you *really* had vista you'd know that of course you do. Installing drivers requires a reboot (in the case of the realtek sound drivers, 2 reboots).

  18. Re:Poor Article on Novell May be Banned from Distributing Linux · Score: 2, Interesting

    In the absence of any specific statement from those authors they implicitly accepted the license in effect at the time - the one on the whole package which is v2 only. Saying anything different without having a *good* lawyer on retainer is not wise.

    They can't legally change that without contacting every contributing author and getting permission to change to v3... and I can bet that more than a few would refuse (not least Linus). I'm sure my meagre contributions don't exist any more (long time ago) but I personally would refuse if asked.

    Anyway 'bits' or even 'most' of the kernel is still pretty much nonfunctional - you'd have to fork it to rewrite the v2 bits (all the bits that linus wrote, which is a substantial amount of the core..)

  19. Re:What a stupid idea on Novell May be Banned from Distributing Linux · Score: 1

    If Novell fork v2 it'll cause a massive split. Novell are big enough and have enough developers to make it stick.. so you'll end up with 2xgcc, 2xsed, 2xgrep, etc. etc.

    It's inevitable that forks will happen - a lot of people don't like the way gplv3 is headed - but a major player doing it is a big issue.

  20. Re:This is retarded on Novell May be Banned from Distributing Linux · Score: 1

    No it won't.

    Kill SuSE and you've killed the most popular business oriented linux distribution in Europe.

    You think that businesses will go back to Linux after that fiasco? Nope. Hell, I'd think twice myself! I can't afford to fight legal battles. It used to be that you comply with the license then you're OK. Now if you comply with the license and the FSF take a dislike to your distribution - or worse, you - you're stuffed.

    So you get either one of two outcomes:

    1. Migration to BSD (OpenSolaris is GPL so not an option due to the same risk).
    2. Windows.

    It's not hard to guess where most will go.

  21. Re:Poor Article on Novell May be Banned from Distributing Linux · Score: 1

    The Linux kernel doesn't have the 'or above' clause (neither do a lot of opensource projects, incidentally).

    So OpenSolaris can't use any of it.

  22. Re:Dumb Move on Novell May be Banned from Distributing Linux · Score: 2, Insightful

    Novell will just stop using GPL products and do something else. Closely followed by just about every other business, under fear of litigation from the FSF.

    It could well be the turning point where linux itself gets killed. Which is what MS wanted all along, really. Way to play into their hands, stallman.

  23. Re:Bad for Viacom on Viacom Demands YouTube Remove Videos · Score: 1

    regardless if you discovered Colbert on YouTube, you would have discovered him sooner or later.

    That's odd logic. I've never heard of the guy, until I read the name about 3 or 4 posts ago. If he hadn't been on youtube he wouldn't have been mentioned on this article so I would have continued never to have heard of him.

    The idea that I would have 'discovered' him (if he's any good) inevitably simply doesn't make any sense. I'll probably go my whole life never having heard of many people.. some of whom I'd probably quite like if I met them.

  24. Re:You don't. on Viacom Demands YouTube Remove Videos · Score: 1

    The fault does not lie with Google. They are doing nothing more than providing a service where people can upload video.

    I recall Napster tried that defence. Didn't work very well.

  25. Re:Well Duh!! on IEEE Seeks For Ethernet To 'Go Green' · Score: 1

    Even better.. round up the spammers and use them as fuel for the power plants.

    Doubly green energy - less spam... more efficient networks, and an infinite fuel supply (we'll never run out of spammers).