Then they need to be completely liquidated to proportionaly recompense as much as possible for all 100,000. Then suits need to be filed against the board of directors to go after the rest.
In a follow-up to yesterday's story, Allen Zadr writes "Computer Business Online has an article up today entitled 'Judge astonished by SCO's lack of evidence against IBM'.
What part of "in a follow-up to yesterday's story" is escaping your comprehension skills?
/. does enough real dupes without people bitching at non-dupes.
One of the creators of SOAP is lecturing on security, that is quite a laugh. SOAP still stands as the poster child for the "design something first, try to hack on security after the fact" crowd.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Make sure you restart firefox and then check it (not just the setting, but the actual paypal spoof site), most people find it stops working after the restart.
That said, the r3 build might not have that problem, I am running the regular 1.0 release.
It stayed off in the about:config, but it is not actually off. Go to the paypal site and you will find that it happly spoofs again, so you are worse off, now you think you are protected but are actually not.
Unless it still works for you, in which case I would love to know what version you are running because it seems to be broken for most everyone else.
Upon restart about:config and set network.enableIDN remains set to false.
Yes, yes it does. HOWEVER IDNs are now enabled again even though the setting says it is false. Try hitting the paypal page again and you will see what I mean.
It works perfectly for me with Firefox 1.0 and fully patched WinXP -- I didn't even have to restart the browser or clear the cache or anything.
Uh huh. You weren't reading what I wrote. Restart your browser, THEN it stops working, even though the setting says it is still "false" in about:config.
Well, changing the actual setting via about:config works OK for me with Firefox 1.0 on both MS Windows XP and Fedora Core 3 (both fully patched). However, even with IDN supposedly disabled in Firefox clicking on the links still takes me to the spoofed version of Paypal on both links, and I'm not seeing any of the URL bar glitches either.
Not to be a dick, but if that is the case then changing the setting via about:config does NOT work OK. Did you restart your browser? you will see that the config change has no effect.
Uh huh, try restarting your browser and going back. With mine (Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0) I get the meeow paypal page even though about:config shows the setting is still set to false.
Frightening to see this kind of bug in Firefox, I hope it is fixed soon.
Anyone should know better than to base their trust on being on a particular, secure web page only on the address shown in the address bar!
Why should anyone know this? They see the correct address in the address bar, they see that the ssl lock worked and didn't kick back any cert errors, what more do you expect Joe Computer User to do? Hell half the time we would be thrilled if we knew they just did what I mentioned.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
It is true for me, this does not fix the problem at all. That is after clearing the cache, restarting, double checking the setting, and making sure I am not behind any kind of cache.
Look around in this story, it is not working for a lot of people.
If they don't "understand" something they shouldnt "use" it. would you give your 3 year old your net banking details to use them?? NO!
Wow, I can only assume you are a troll laughing about this, because if you are actually serious...damn
In case you are serious, I hope you built that computer you are working on, or at least can draw for me the complete schematics. If you don't understand how it works, you shouldn't be using it.
Oh, and can you describe in great detail the process of cellular respiration? If not, you should really drop dead right now. You should not be using those mitocondria unless you know what you are doing.
WFM. I am unable to visit those links after disabling IDN. This is because the browser is no longer translating the name to the Punycode format that the IDN DNS system requires, therefore the lookup fails.
Perhaps your cache setting is fucked.
I cleared the cache, reloaded the page, restarted again, checked the setting. Still not working.
Look around, I am not the only one noticing that this does not work. I wonder what specific versions it does work for.
I can tell you that this workaround does NOT work on Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
What version? I am running a clean (no extensions) FireFox 1.0 (Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0) on OS X 10.3.7 and I can report that it most certainly does NOT work. I click on the links and go right to the "meeow" page. Refreshing just pulls up the same page. Clearing the cache STILL pulls up the spoofed page.
I was fully prepared to test this myself, find out you were either full of it (or a troll), and let/. know you were wrong.
My plan was going perfectly, right up to the point where what you said turned out to be 100% correct:(
Shame on Firefox for taking a bad situation and making it worse. If about:config reports that a security related setting is X when in fact it is Y, this is worse than not providing a fix at all. A false sense of security (from a browser that is supposed be better) is worse than being aware of the security problems and reacting accordingly.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.
Yup, except that the clear workaround does not fix the problem at all. The setting stays set to false in about:config after retstarting the browser, but in reality it goes back to enabling IDNs, and the paypal spoof referenced in this story still works.
Shame on Firefox (my favorite browser) for taking a bad situation and making it worse by providing a false sense of security:(
To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.
That is a great suggestion, except for the part where it does not work.
Go ahead, make the change, then restart your browser. Now go look at about:config again. Yup, still set to false. Now go see if it the setting worked. It does not. So at least with Firefox 1.0 just took a bad situation and made it worse. Now people will think turning off this setting will actually accompolish something and protect them and it will not.
Slashdot Mirror
Then they need to be completely liquidated to proportionaly recompense as much as possible for all 100,000. Then suits need to be filed against the board of directors to go after the rest.
Finkployd
My bad, wrong windbag.
Thinking of Metcalf.
Finkployd
My bad, wrong windbag
Dvorak has pretty much not uttered anything remotely competent or accurate since inventing Ethernet. Why should this blather be any different? :)
Finkployd
I do not believe I have ever heard of anyone confusing Civil Air Patrol with the International Telecommunication Union before.
Finkployd
what apart from the big fat security warning in the hemdail docs concerning addressless tickets???
First up, let's get one thing straight. Heimdal is a throughly shitty impletmentation of Kerberos.
something to the effect "don't use addressless tickets because it opens you to the same weakness as using kerberos4"
Total BS, another reason to avoid Heimdal (they seem to not understand a lot about Kerberos).
Finkployd
When was the last time you used it? '96? The convention regarding Kerberos has been to use addressless tickets for a long time now.
In a follow-up to yesterday's story, Allen Zadr writes "Computer Business Online has an article up today entitled 'Judge astonished by SCO's lack of evidence against IBM'.
/. does enough real dupes without people bitching at non-dupes.
What part of "in a follow-up to yesterday's story" is escaping your comprehension skills?
Finkployd
One of the creators of SOAP is lecturing on security, that is quite a laugh. SOAP still stands as the poster child for the "design something first, try to hack on security after the fact" crowd.
Finkployd
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Make sure you restart firefox and then check it (not just the setting, but the actual paypal spoof site), most people find it stops working after the restart.
That said, the r3 build might not have that problem, I am running the regular 1.0 release.
Finkployd
It stayed off in the about:config, but it is not actually off. Go to the paypal site and you will find that it happly spoofs again, so you are worse off, now you think you are protected but are actually not.
Unless it still works for you, in which case I would love to know what version you are running because it seems to be broken for most everyone else.
Did you restart the browser? That is when the workaround fails.
Finkployd
Upon restart about:config and set network.enableIDN remains set to false.
Yes, yes it does. HOWEVER IDNs are now enabled again even though the setting says it is false. Try hitting the paypal page again and you will see what I mean.
Finkployd
It works perfectly for me with Firefox 1.0 and fully patched WinXP -- I didn't even have to restart the browser or clear the cache or anything.
Uh huh. You weren't reading what I wrote. Restart your browser, THEN it stops working, even though the setting says it is still "false" in about:config.
Finkployd
Well, changing the actual setting via about:config works OK for me with Firefox 1.0 on both MS Windows XP and Fedora Core 3 (both fully patched). However, even with IDN supposedly disabled in Firefox clicking on the links still takes me to the spoofed version of Paypal on both links, and I'm not seeing any of the URL bar glitches either.
Not to be a dick, but if that is the case then changing the setting via about:config does NOT work OK. Did you restart your browser? you will see that the config change has no effect.
Finkployd
Try restarting your browser then checking it out, you will find it to in fact be true.
Finkployd
Uh huh, try restarting your browser and going back. With mine (Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0) I get the meeow paypal page even though about:config shows the setting is still set to false.
Frightening to see this kind of bug in Firefox, I hope it is fixed soon.
Finkployd
Anyone should know better than to base their trust on being on a particular, secure web page only on the address shown in the address bar!
Why should anyone know this? They see the correct address in the address bar, they see that the ssl lock worked and didn't kick back any cert errors, what more do you expect Joe Computer User to do? Hell half the time we would be thrilled if we knew they just did what I mentioned.
Finkployd
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
It is true for me, this does not fix the problem at all. That is after clearing the cache, restarting, double checking the setting, and making sure I am not behind any kind of cache.
Look around in this story, it is not working for a lot of people.
Finkployd
If they don't "understand" something they shouldnt "use" it. would you give your 3 year old your net banking details to use them?? NO!
Wow, I can only assume you are a troll laughing about this, because if you are actually serious...damn
In case you are serious, I hope you built that computer you are working on, or at least can draw for me the complete schematics. If you don't understand how it works, you shouldn't be using it.
Oh, and can you describe in great detail the process of cellular respiration? If not, you should really drop dead right now. You should not be using those mitocondria unless you know what you are doing.
Finkployd
WFM. I am unable to visit those links after disabling IDN. This is because the browser is no longer translating the name to the Punycode format that the IDN DNS system requires, therefore the lookup fails.
Perhaps your cache setting is fucked.
I cleared the cache, reloaded the page, restarted again, checked the setting. Still not working.
Look around, I am not the only one noticing that this does not work. I wonder what specific versions it does work for.
I can tell you that this workaround does NOT work on Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
(FireFox 1.0 / OS X 10.3.7)
Finkployd
What version? I am running a clean (no extensions) FireFox 1.0 (Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0) on OS X 10.3.7 and I can report that it most certainly does NOT work. I click on the links and go right to the "meeow" page. Refreshing just pulls up the same page. Clearing the cache STILL pulls up the spoofed page.
Finkployd
I was fully prepared to test this myself, find out you were either full of it (or a troll), and let /. know you were wrong.
:(
My plan was going perfectly, right up to the point where what you said turned out to be 100% correct
Shame on Firefox for taking a bad situation and making it worse. If about:config reports that a security related setting is X when in fact it is Y, this is worse than not providing a fix at all. A false sense of security (from a browser that is supposed be better) is worse than being aware of the security problems and reacting accordingly.
Finkployd
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.
:(
Yup, except that the clear workaround does not fix the problem at all. The setting stays set to false in about:config after retstarting the browser, but in reality it goes back to enabling IDNs, and the paypal spoof referenced in this story still works.
Shame on Firefox (my favorite browser) for taking a bad situation and making it worse by providing a false sense of security
Finkployd
To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.
That is a great suggestion, except for the part where it does not work.
Go ahead, make the change, then restart your browser. Now go look at about:config again. Yup, still set to false. Now go see if it the setting worked. It does not. So at least with Firefox 1.0 just took a bad situation and made it worse. Now people will think turning off this setting will actually accompolish something and protect them and it will not.
Finkployd