Slashdot Mirror


User: flanker

flanker's activity in the archive.

Stories: 0
Comments: 103

Comments · 103

  1. wait... on British Scientists Reverse Casimir Effect · · Score: 3, Insightful

    Isn't it "repel" rather than "repeal"?

  2. Re:XSS basics on Cross-Site Scripting Worm Floods MySpace · · Score: 1

    Referencing your wikipedia link, I describe the Type 2 XSS vulnerability, which is what was used in this case.

    When you say "script injection" are you talking about "SQL injection"? This is where you manipulate data submitted to a database-backed web site to place a SQL statement termination character in the data (knowing that it is going to be put into a SQL INSERT statement). Then you append malicious SQL code which will be executed by the RDBMS of the web-site.

    I'm not really sure how your example would work. If you embed the PayPal in an IFRAME on a page hosted on your site, clicks on the PayPal site will be routed to the PayPal server, not yours.

  3. XSS basics on Cross-Site Scripting Worm Floods MySpace · · Score: 4, Informative

    Cross-site scripting is a family of vulnerabilities that share these attributes: a) a web-site that takes and displays text (e.g. Slashdot allows you to post comments) and b) a web browser that processes javascript in webpages.

    The exploit involves placing javascript code into your posting on a website, such that when other people visit the website their browsers download your comment with the embedded javascript, which is then processed. The javascript, because it is being processed on your machine as part of the rendering of the page, can be used to exploit all sorts of vulnerabilities within browsers. When you have browsers tightly coupled with operating systems, this can open up some rather scary scenarios.

    In this case, the guy just used the vulnerability to make some relatively benign changes, but he could have just as easily exploited some of the many problems with IE to be more malicious.
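
The stored (Type 2) XSS pattern described in the comment above, as an added example that is not part of the original thread: a comment-rendering function that concatenates user text straight into markup, beside a hardened version that escapes it, plus a crude check a defender can run over rendered output. The function names and the sample comment body are constructed for this illustration; it runs under Node without a DOM.

```javascript
// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape one untrusted string so the browser treats it as text, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the comment body is spliced into the page as-is, so any
// <script> element it carries is parsed and executed by every visitor's
// browser, exactly the scenario the comment above describes.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is escaped before it enters the markup.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude review/detection heuristic (constructed, not a full HTML parser):
// does rendered markup still contain a raw <script ...> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample of a hostile comment body.
const SAMPLE_BODY = 'nice post <script>document.title="owned"</script>';

const unsafeHtml = renderCommentUnsafe('flanker', SAMPLE_BODY);
const safeHtml = renderCommentSafe('flanker', SAMPLE_BODY);
console.log(containsScriptTag(unsafeHtml)); // true
console.log(containsScriptTag(safeHtml));   // false
```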

  4. What it's useful for in large enterprises on Do You Code Sign? · · Score: 1

    When you are developing applications and are compiling against packaged components that maybe you didn't write, it's critical to be able to say "I am building this application against this component/library - when it gets out in the production world, don't link/load any version of the library that isn't digitally signed with the private key that matches this public key". That is what code signing is good for. Not some farcical "proof of correctness" aquatic ceremony. :)

  5. LDAP != Identity Management on How Linux Beats Windows in ID Management Ease · · Score: 5, Interesting

    The author obviously has never dealt with any real IdM issues at a large company. With mergers and divestitures constantly happening, you end up with a patchwork of HR systems, facilities management systems, access request systems, application data stores and authentication systems. Saying "use OpenLDAP for IdM" is like saying "this paper airplane flies well - if you throw it hard enough, you can get it to the moon."

    This is not to say it couldn't be part of the solution, but the end state is going to have a bunch of different components.

    And MS's out-of-the-box tools (e.g. AD Users & Computers) are deeply pathetic for anything other than casual directory browsing. Third party tools are needed for the variety of different tasks involved in managing an AD-based NOS.

    That being said, some of the cool new work being done with Samba taken with a Kerberos KDC for authorization and OpenLDAP for authentication could be a good place to start in building out an IdM system. Unfortunately, you would really need to be starting from scratch to have this be feasible....

  6. "Drenched" on NASA Mars Press Briefing & "Significant Findings" · · Score: 2, Informative

    They just announced the surface where Opportunity is was "drenched" with water for an extended period of time.

  7. Re:IBM (or other)? on Constructing a Corporate Open Source Policy? · · Score: 1

    We are a Fortune 200 company and have IGS as our Strategic Operations Outsourcing Partner. As far as I know, they have never mentioned Linux to us. The theory one of their engineers gave to me is that MS products are very expensive to support, and bringing in a stable OS into our environment would cut into the tens of millions of dollars we lob over the fence to them.

  8. Why the IE logo? on Microsoft Advises to Type in URLs Rather than Click · · Score: 1

    What happened to the borg-gates icon? Are we going soft on the auld enemy?

  9. why another domain on Active Directory - Organizational Units or Discrete Domains? · · Score: 1

    This may have been stated other places, but in general, I start with two domains, an "empty" root and a child that contains everything. I only add domains if there is a good reason to do so. Wanting to have a domain is not a good reason. Some good reasons are:

    - Need to have different password policies (these are only configurable at the domain level).

    - Replication issues that cannot be handled through the site topology.

    You don't really talk about what is being put in this OU, is it your users' accounts, their workstations' accounts, security or distribution groups, your servers, or what? The OU model needs to be driven by your administrative model. Does your IT area handle all user provisioning? Email account creation (I assume you are an Exchange 2000 shop)? As someone else said, it may not even make sense for you to keep all of the possible AD objects within your OU, some may make more sense to turn over to the larger group for centralized management.

    Good question and a very valid concern though!

  10. Send Chimpy to the Hauge on Strike on Iraq · · Score: 1

    As an American, I would like to apologize to the rest of the world for this atrocity being instigated by the far right of our political spectrum. We promise not to elect them in 2004 either.

  11. Re-exposing vulnerability on Another Critical Microsoft Hole · · Score: 2

    There is really no need to have Microsoft be a trusted publisher of ActiveX controls. The "complete fix" for this problem, removing Microsoft from the trusted publisher list, is a standard part of securing IE.

  12. recommendation on Blogger Hacked · · Score: 5, Informative

    Disable or reset the password of the account used to FTP your blog to your web server ASAP.

  13. Interesting on Red Hat Linux 7.3 Released · · Score: 1

    Not to be a Red Hat basher (I run various flavors of RH on all my machines) but do they usually not mention the GPL-required downloadability in their press releases?

  14. Can't escape Verisign on Verisign Sending Deceptive Domain Renewal Mail? · · Score: 1

    I had the worst time trying to transfer a couple of domains away from Verisign. After a couple of weeks of trying, I panicked because the domain names expired and just re-upped with Verisign.

  15. Re:Dystopic -- nice word on Chained Melodies · · Score: 1

    Heh heh. Good one!

  16. Dystopic -- nice word on Chained Melodies · · Score: 1

    dystopia Pronunciation Key (ds-tp-) n.
    1. An imaginary place or state in which the condition of life is extremely bad, as from deprivation, oppression, or terror.
    2. A work describing such a place or state: "dystopias such as Brave New World" (Times Literary Supplement).

  17. Ex-graduates? on Alan Cox Interview · · Score: 3, Funny

    Both Alan and Dick are ex-graduates of the Department of Computer Science, University of Wales Swansea

    How does one become an ex-graduate?

  18. Active Directory on LDAP Tools - Where are they? · · Score: 3, Interesting

    M$ is betting quite a bit on LDAP with AD, touting it as the number one reason for enterprises to move off of NT to 2000 server platforms. Unfortunately, upgrading is such a complicated operation that very few larger organizations are moving to it as fast as M$ would like. They have integrated all sorts of things into the standard directory service and it can be very confusing trying to figure out exactly what it is.

    FWIW, Novell's NDS has been the only enterprise-class directory service since the mid-90's and AD is a play into this arena.

    Of course, this is all moot since this is Slashdot and of course you aren't interested in technology from the Dark Empire (tm).

  19. HIPAA, et. al. on Network Webcurity Wishlist? · · Score: 1

    From the point of view of IT in a Fortune 500 insurance company, some of the really interesting security legislation coming down the pike that's got everyone scratching their heads around here deals with privacy. I have only a cursory understanding of the various legislation but my understanding is that if a company allows "personally identifiable information" to be viewed by an unauthorized party, they are liable for fines of up to $US250K.

    I personally think this is a very important effort, though it brings lots of juicy scenarios to mind where holes in software are exploited to generate fines and many suits are filed against the software vendor.

    Whenever I get dragged into a meeting where people are going on about this stuff I can't help but think that it would be cool if the person who was able to access the "personally identifiable information" got to keep the $250K!

  20. Re:It doesn't matter on More Details of MS/DOJ Deal · · Score: 2

    I suppose I should clarify my comment a bit. I've been working quite a bit with C# and .NET in an early adopter program. The technology is actually not all that bad. In fact, for Microsoft it's quite good. My "disaster" comment was in reference to problems for large enterprises that have bet the bank on Microsoft (and who provide a large share of Microsoft revenues):
    • They have huge numbers of low-end IT workers who can barely struggle through VB and COM. The stricter OO nature and class structure of .NET is going to drop 80% of these clowns in their tracks.
    • Apparently Microsoft already has its next TWO iterations of Windows in development. The amount of money and resources that goes into rolling out new operating systems in a multinational corporate environment is a once-a-decade nightmare. There is a great deal of headshaking going on with an eye on ROI at the moment.
    • Microsoft has developed a reputation for foisting Beta products on customers and providing for-pay upgrades that fix glaring problems. I'm not aware of "TONS" of early adopters (Microsoft is paying our company to do a .NET pilot), but my experience here is that the upper IT management is shutting out .NET usage, .NET training and even .NET discussion.

    Without the technology turnover Microsoft's revenue streams begin to dry up. Their support and consulting services are based on the assumption that they can continue to coax the corporate customer down the garden path -- and the customer is getting reluctant (here anyway).

  21. It doesn't matter on More Details of MS/DOJ Deal · · Score: 2, Insightful

    Microsoft is in the process of slowly imploding. Its .NET stuff is a disaster. Managers are wondering why all the infrastructure developed around COM/MTS have to be thrown out (or kept on life support with interop) and why all the training money spent on VB/COM is now wasted. Corporate America is also questioning more than ever the ever-increasing licensing burden being imposed. Microsoft is so laden with fat there is no way they will be able to survive the economic downturn in its current state.

  22. Re:Backward compability. on Gnome 2.0 Alpha 1 Released · · Score: 1

    Doesn't deprecated mean "there's a better way to do this now -- don't use this any longer." With the understanding that it might be removed or gutted in the future?

  23. Re:Pretty decent on Star Trek: Enterprise Reactions? · · Score: 1

    I thought it was generally OK too, though I don't watch much TV. Voyager is a show that I didn't like much the first season or so but it became the one show on TV these days that I felt comfortable watching with my young (9 year old now) son. Some of the plots were a bit cheesy, but hey, it's TV! I hope this show provides a similar generation-spanning opportunity in the future.

  24. de-splitting the infinitive on Star Trek: Enterprise Reactions? · · Score: 1

    I think the most important development was the 30 years-in-coming grammatical retraction in Scott Dracula's dad's speech:

    "...to go boldly..."

  25. de-splitting the infinitive on Star Trek: Enterprise Premieres Tonight · · Score: 1

    Did anyone notice Scott Dracula's dad's speech had "...to go boldly..."

    :)