What are you talking about? -Real- admins play nethack/rogue/crawl in a (20% transparent) shell, while complaining about their lusers.
Everything. I'll just throw a couple of links at you and then you can go be scared.
http://ha.ckers.org/weird/javascriptless-port-scanning.cgi, http://ha.ckers.org/weird/CSS-history.cgi.
I suggest that if you want to be up to date with the web app security world, you should keep reading blogs of security researchers, and perhaps security research-related fora (like sla.ckers.org).
As for your first question, I suggest you read the HTML 6 specs that have been presented. Also, remember that a browser is just a tool that parses text into pretty "websites". We simply don't need Flash and Silverlight if we have better options for, say, video client-side.
And, in its current form, Javascript should be switched off everywhere too. We _cannot have_ exploitable vulnerabilities in W3C recommended document formats like CSS, and widely used technologies like Javascript.
What we -should- do is focus on things that we can actually benefit from. Instead of mass-murder, why not fix the internet by fixing javascript (i.e. dis, fucking, allow, whitelist basis only), fixing flash (bye), fixing CSS (stop reading my history and stop scanning my ports!) and fixing HTML so we don't need to rely on stupid things (flash, silverlight, the thing Google made) to make browsing an enjoyable experience.
I can deliver you a browser that is virtually unexploitable. Firefox running with NoScript, Flash on a whitelist basis and a few other security-related add-ons - it will be -very- secure. Why not make these security (pre)cautions _mandatory_ in browsers that come with purchasable operating systems?
Honestly, just making javascript operate on a whitelist basis only would reduce online malware attacks by about 99.5%.
Print, actually. But, yeah, that's how I roll. I also use php-cli/php in a shell and tools like time and grep.
What's wrong with using vim/notepad++, links, and perhaps a self-refreshing firefox tab open on a second monitor/desktop?
I have developed and worked on many (PHP powered) websites in my life, and never felt the need for some big IDE. Although I do have to admit I did this as an amateur, not as an employed web dev.
Also, people mocking Notepad++, you are probably not aware of its (mostly plugin-based) features. It has plugins for ftp, svn and cvs, for example.
Like I said, never felt the need to use a big IDE, and I don't understand why others do.
Bit more info on the first five films, taken from: http://news.bbc.co.uk/2/hi/technology/8471635.stm
Summary: The first five films come from the Sundance Film Festival. The service will go live on 22 January, for US citizens only. The first five films available for rent are "The Cove," "Bass Ackwards," "One Too Many Mornings," "Homewrecker" and "Children of Invention."
Interesting excerpt from the BBC article: "Content providers will be able to set their own prices, with YouTube taking a cut of the revenue. All but one of the Sundance films is being offered for $3.99 (£2.50) each for users to watch over a 48-hour viewing period."
Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six; where did the Threatpost author get the number 12 from?:
Security Update 2010-001
*
CoreAudio
CVE-ID: CVE-2010-0036
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.
*
CUPS
CVE-ID: CVE-2009-3553
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: A remote attacker may cause an unexpected application termination of cupsd
Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.
*
Flash Player plug-in
CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Multiple vulnerabilities in Adobe Flash Player plug-in
Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html. Credit to an anonymous researcher and Damian Put working with TippingPoint's Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).
*
ImageIO
CVE-ID: CVE-2009-2285
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.
*
Image RAW
CVE-ID
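Counting what the quoted advisory actually contains is easier with a parser than by eye. The Python below is an added example, not code from the comment, from Apple or from Threatpost: it splits the entries quoted above into records and reports the number of components versus the number of distinct CVE identifiers, the two figures a "six versus twelve" style disagreement usually turns on, and which components affect a given OS version. The sample input is copied from the comment with each Description abridged to its first sentence; the truncated Image RAW entry is kept as quoted and surfaces as an entry with no CVE identifier.

```python
import re
from dataclasses import dataclass, field

# Sample input: the Security Update 2010-001 entries as quoted in the comment
# above, with the Description lines abridged to their first sentence. The
# trailing "Image RAW" entry is left truncated exactly as it appears there.
ADVISORY_TEXT = """\
Security Update 2010-001
*
CoreAudio
CVE-ID: CVE-2010-0036
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of mp4 audio files.
*
CUPS
CVE-ID: CVE-2009-3553
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: A remote attacker may cause an unexpected application termination of cupsd
Description: A use-after-free issue exists in cupsd.
*
Flash Player plug-in
CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
Impact: Multiple vulnerabilities in Adobe Flash Player plug-in
Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site.
*
ImageIO
CVE-ID: CVE-2009-2285
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer underflow exists in ImageIO's handling of TIFF images.
*
Image RAW
CVE-ID
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    component: str
    cves: list = field(default_factory=list)
    available_for: list = field(default_factory=list)
    impact: str = ""
    description: str = ""


def parse_advisory(text):
    """Split an Apple-style advisory into one Entry per '*'-delimited block."""
    entries = []
    current = None
    in_body = False  # lines before the first '*' are the title
    for raw in text.splitlines():
        line = raw.strip()
        if line == "*":
            in_body = True
            current = None  # the next non-empty line names a component
            continue
        if not line or not in_body:
            continue
        if current is None:
            current = Entry(component=line)
            entries.append(current)
            continue
        if line.startswith("CVE-ID"):
            # A bare "CVE-ID" with no identifiers (truncated entry) yields []
            current.cves = CVE_RE.findall(line)
        elif line.startswith("Available for:"):
            rest = line[len("Available for:"):]
            current.available_for = [v.strip() for v in rest.split(",") if v.strip()]
        elif line.startswith("Impact:"):
            current.impact = line[len("Impact:"):].strip()
        elif line.startswith("Description:"):
            current.description = line[len("Description:"):].strip()
    return entries


def summarize(entries):
    """Counts that explain 'how many' disagreements: components vs CVE IDs."""
    all_cves = [c for e in entries for c in e.cves]
    return {
        "components": len(entries),
        "cve_ids": len(set(all_cves)),
        "missing_cve_ids": [e.component for e in entries if not e.cves],
        "code_execution": [
            e.component for e in entries
            if "arbitrary code execution" in (e.impact + " " + e.description).lower()
        ],
    }


def affected_components(entries, platform):
    """Components whose 'Available for' list names the given platform exactly."""
    return [e.component for e in entries if platform in e.available_for]


if __name__ == "__main__":
    parsed = parse_advisory(ADVISORY_TEXT)
    print(summarize(parsed))
    print(affected_components(parsed, "Mac OS X v10.6.2"))
```

On the quoted text this reports five components and ten distinct CVE identifiers, with Image RAW flagged as lacking an identifier, so a count of entries and a count of CVEs give different answers before the truncated entry is even considered. Matching the platform string exactly keeps "Mac OS X v10.5.8" from also matching "Mac OS X Server v10.5.8".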
Cool, even more content restricted to geographical boundaries.
No, it doesn't sound like that at all:
"Mozilla Drumbeat is [..] using technology to help internet users [..] take control of their online lives."
Furthermore, directly below what you quoted you can read this:
"Open. Built on technologies that anyone can study, use or improve without asking permission.
Participatory, fueled by the ideas and energy of 100s of millions of people.
Decentralized in both architecture and control, ensuring continued choice and diversity.
Public much like a public square, with space not just for commerce but also for vibrant social and civic life."
Open, participatory, decentralized and public. Does that sound like someone wants to take control of your online life? Doesn't sound like that to me.
BBLean and Litestep (shell replacement software for Windows) both have themes available which emulate multiple desktops.
Sorry to reply to myself, but I just realized I totally skipped over the part where I tell you about the awesomeness that is Xinerama.
Don't think there is a GUI for it yet, though.
sudo vim /etc/X11/xorg.conf
Or, if you need a GUI, try xorgconf-gui: http://fosswire.com/post/2007/8/ubuntu-getting-xorgconf-gui/ (could be deprecated).
Drupal, drupal, drupal drupal. Drupal.
You can't just ignore the problems away. If you'd start reading various specs (esp. Javascript-related ones) you would realize that enforcing extra security is just common sense.
In addition to the add-ons listed above, may I recommend SafeCache and SafeHistory; you will most likely need Nightly Tester Tools (another add-on) to override compatibility (warning, etc.).
Everywhere. Here's an example: http://en.kioskea.net/faq/sujet-2154-apt-get-or-aptitude
Googling for "aptitude vs. apt-get" yields many results, too.
You should use aptitude instead of apt-get (handles dependencies better). And I hope you do realize that aptitude isn't just usable for Ubuntu users, but any system supporting APT (i.e. Debian-based).
Also also, ubuntuforums.org sucks. Really. It does.
TG Daily is a horrible, horrible news website with even more horrible, horrible "journalists". Please Slashdot, for the love of news, don't ever link to TG Daily again.
http://xkcd.com/137/
Fuck. That. Shit.
For interested readers; these were the same people who killed astalavista. (Logs of that attack can be found all over the internet if you google).
Installing the Winamp toolbar (comes with Shoutcast) does the same thing. Changes your search engine in Firefox, you actually have to go to about:config and manually replace a string to get your old default back for the URL-bar searches.
D-pad: SNES
Analog: Gamecube.
Why? Go play some SNES/Cube games. I'm not sure which guys in Nintendo are developing the controllers, but they used to do a very, very good job. Too bad they kind of screwed up the Classic Controller for the Wii. They should have gone with the SNES controller, without editing too much, just new start and select buttons.
Not sure if you're trolling or not, but you realize that when a site like RapidShare goes down, its users will just move to another hosting-service and "abuse" that one, right? It's not RapidShare's fault, they aren't uploading any material. They can't prevent any illegal material from being uploaded, so they really have no fault in this matter.
For every HTTP-based upload service you take down, you'll get ten in return. You can't prevent this from happening.
As far as I know, Natal is still vaporware with some sexy CGI and PR. The live demonstration seemed crude when compared to the promising, albeit slightly ambitious CGI-movies.
I realize that the technology to enable such a contraption as Natal is already available, but I doubt that Microsoft is ready to develop for such a system, and I also doubt that most of Xbox's fanbase is ready for this change in how people play games. Not sure if Microsoft should be betting all its money on Natal.
http://www.google.com/search?q=site%3Ahttp%3A%2F%2Fnightjack.wordpress.com
"In Cache" link works as usual. I think most/all data can be recovered this way.
I seriously hope that the graphics aren't there to make up for something bad (like storyline), because it looks absolutely -stunning-. This is, by far, the most beautiful game I've ever seen. Ever.