Slashdot Mirror


User: Torodung

Torodung's activity in the archive.

Stories: 0
Comments: 1,096

Comments · 1,096

  1. TrendMicro Housecall? on The Java Popup you Can't Stop · Score: 1

    TrendMicro Housecall sends over a signed applet. Of course, because it is signed, that prompts a dialogue as to whether you trust TrendMicro or not as a distributor and want to add it to your trusted certs list. It's strange that unsigned applets just get to launch without asking, and there seems to be no way to prevent them from doing so.

    Any Java VM needs a similar warning for unsigned applets. Perhaps a whitelist feature, with all other sites' applets either rejected, or subject to a user confirmation, as a per user setting.

    No ideas about the Javascript version of the exploit though. Yikes!

    --
    Toro

  2. Re:It's up to you, unless I don't agree on Patent Lawsuits Galore · Score: 2, Informative

    The idea behind a jury trial is that you are tried by a jury of your peers. The problem with the current implementation of the system is that you are actually tried by a load of random, often uninformed, people. In cases hinged on domain-specific information, there should be an understanding that your peers must be people who understand the subject matter.

    That's an interesting thought, but the Bill of Rights only mentions a "jury of the State and district wherein the crime shall have been committed." "Peers" is the traditional paraphrase of that, but it really only refers to people who are geographically near you. The Constitution says nothing of "competent jurors," or "equals," which is what you seem to wish (me too!).

    The basic (and antiquated) concept is that you should be judged by people who know you, which is about the exact opposite of what modern voir dire jury selections produce. A "jury of peers," as I read the intent, is pretty much dead law. You now get a bunch of folks from your rough geographic area (if no venue games are being played!), which meets the letter, but not the intent, IMHO.

    I think expert juries make a lot of sense too, especially in civil cases, and especially ones that would have power to instruct the judge when the judge was not himself a competent expert, but that would require new law. It might require a new system altogether, in fact.

    --
    Toro
  3. Poorly reasoned article contradicts its own quotes on Microsoft Fracturing the Open-Source Community · Score: 5, Insightful

    The first sentence of the article:

    Microsoft has succeeded in fracturing the Linux and open-source community with the patent indemnity agreements it has entered into with several prominent vendors, Ubuntu leader and Canonical CEO Mark Shuttleworth told eWEEK.

    Followed by Shuttleworth later directly quoted (in the same article!) as saying:

    "I think it's obvious at this stage that really what Microsoft is doing is trying to unsettle the marketplace. It isn't working and has not had the slightest impact on those companies that refuse to be drawn into that line of discussion with Microsoft."

    Equals near to direct contradiction, folks.

    How eWeek's Peter Galli managed to divine that "Microsoft has succeeded in fracturing the Linux... community" from Shuttleworth's clear refutation that "Microsoft is trying to unsettle the marketplace. It isn't working..." is beyond me.

    This dubious claim of Galli's is one of the clearest cases of "white is black" reporting I've seen in a while. Shuttleworth clearly, from his own statements, does not agree with the concept that the community is "fractured." At best, he believes that a few insignificant vendors have been "drawn into [negotiations with MS and] have paid a significant price."

    I would say, from his clear, concise statements, that he sees the whole, sordid event as "extortion," and a crucible that has purified the community, rather than "fractured."

    Read Shuttleworth's statements (in TFA) and see if you don't agree that Peter Galli is either a) a poor reporter who made a gross mischaracterization or b) has a strong agenda and preconceptions and can't even tell white from black in his zeal to follow them.

    --
    Toro
  4. Watch out! (Use another tool for a dual-boot) on Tales of Conversion - Using Ubuntu at Work · Score: 1

    Don't use Ubuntu's installer tools to partition a dual-boot.

    When I installed 6.06 (Dapper), they were destructive. It miswrote the partition header and wiped out a 60GB Windows data partition (by somehow overlaying the swap partition over my extended partition on the drive). It took a session of "Super F-disk" on a floppy to repair the damage. It happened multiple times, so it was no fluke.

    Edgy and Feisty may have fixed this problem.

    What worked, however, was just grabbing my copy of Partition Magic and having it put down an ext3 and swap partition. I told Ubuntu to set its mount points to the already present partitions. Worked like a charm. I now dual boot Ubuntu.

    Point is, setting up a dual-boot of anything is an advanced activity, no matter how basic or "user-friendly" the distro is. You tackled an advanced problem, and there is nothing any distro installer can do to make such a matter easy, or even safe.

    --
    Toro

  5. "To explain this fuller..." on Procedural Programming- The Secret Behind Spore · Score: 1

    This article is awful. Reading it modded my brain down.

    Thanks a bunch, editors. ;^)

    --
    Toro

  6. Re:Is it just me on Diebold Voting Machines Vulnerable to Virus Attack · Score: 3, Insightful

    This is true.

    However, I think self-redacting/auto-revising article text is a bad idea. Have you ever lurked on (for example) the Associated Press feed and watched an article headline slowly morph from "Bush puts off decision" to "Bush faces tough decision" and finally end up as "Bush makes decision" while the text, in which he clearly puts off the decision, stays static? I have. Or worse yet, both the headline and the body texts change according to an agenda.

    There is pressure being brought on news agencies to make those changes, which are becoming commonplace. This is the danger of Internet publication in the information age. It becomes unreliable. It's too easy to change it.

    So I prefer a news feed to retain previous revisions so I can get a good idea of the reliability of the news source. If there's an update, I expect it to be published as a separate note, not superseding the article text in place. I expect the act of publication to have permanent consequences, not be an act that you can wash away with something more responsible at a later date.

    My expectation, of course, is not realistic. It is born of growing up with a print media. The only logical expectation is that Internet publication will be abused, and that "print media" is now less reliable, because it is no longer in print. I only ask that you understand the consequences of your demand that Slashdot "clean up" their articles. Your desire for "clean" can rapidly turn into an engine for censorship and yellow journalism.

    I can assure you of one thing: that CowboyNeal's article will fall off the bottom of the page soon enough, and you can then feel at ease.

    --
    Toro

  7. Re:Is it just me on Diebold Voting Machines Vulnerable to Virus Attack · Score: 2, Interesting

    No. It's not just you. It's not actually a dupe, but it's a new angle on the same article. Part of the problem of continually producing articles as the news develops, is having to produce dupe articles to add new important details to a previous article.

    I would assume that these viral vulnerabilities are the contents of...

    Additional reports [which] will be made available as the Secretary of State determines that they do not inadvertently disclose security-sensitive information.

    ...as mentioned in the previous article about California auditing the machines.

    --
    Toro
  8. Technology is individualized and isolating on 'Til Tech Do Us Part · Score: 1

    Since the Sony Walkman, and the promise of isolating yourself from the world within your own soundtrack, your own world of sound, technology has been specialized to deal in providing individual tastes and "needs" with increasingly specialized services.

    Every time I see someone walking down the street with an earbud cell phone in, talking to himself and ignoring the world at large, even cars in the street sometimes, I wonder if all of this "connectivity" isn't, in fact, isolating us from each other more than we realize.

    It's no surprise that this lifestyle choice might be fundamentally in conflict with the lifestyle choice of marriage, which is interpersonal at its basis. I think the article is the tip of the iceberg of the larger issue of technology being isolating, and it may be a bigger problem than most of us realize.

    --
    Toro

  9. ...in Australia on Lawyer Thinks Microsoft Can Evade GPL 3 · Score: 1

    I find it hard to believe that this "leading lawyer" from Australia is competent to make proclamations about any important jurisdictions, such as any state of the United States (especially Louisiana, yikes), where most of these companies headquarter and do business. The U.S. lawyers are wisely keeping their mouths shut pending actual litigation that would provide a real case to evaluate, I should think. They have reputations to worry about, after all.

    Besides, I thought the GPLv3 already exempted the MS-Novell deal as "grandfathered?" If so, this isn't even a legal opinion, it's a summary of exemptions written into the GPLv3. TFA seems primarily concerned with a deal that the FSF has already said is "off limits."

    This article is a waste of time and bandwidth.

    --
    Toro

  10. Copyright all your data now. on Merely Cloaking Data May Be Incriminating? · Score: 2, Interesting

    intentional data cloaking provides incriminating evidence, even if the perpetrator is successful in cloaking the data itself.

    That sounds very much like the DMCA prohibition against DRM circumvention methods, with one very important difference: your data is yours, and what you do with it is your business. In the DMCA, circumvention utilities are suspect because they can only be used to take the locks off someone else's data. In this case, Mr. Gill is arguing that you aren't allowed to circumvent his software, and doing so is suspect, if not criminal.

    I wonder if he realizes that if a person has data to which he holds copyright on his hard disks, and then hides it, Gill's recovery software is then in violation of the DMCA anti-circumvention clause? His software is DMCA Grade-A illegal if anyone stores anything, no matter how trivial, that is his own copyright, is legal, and is deliberately hidden from this program.

    Anyone with a legal background want to send this guy a "cease and desist" letter? }:^>

    --
    Toro
    (c) 2007 *all rights reserved*
  11. Re:The Matter of Privacy on Merely Cloaking Data May Be Incriminating? · Score: 2, Informative

    There is no promise of Privacy in the Constitution

    Incorrect. There is no explicit promise of privacy.

    However, if you take the ninth amendment, and salt with a liberal (pun intended) helping of Supreme Court rulings, starting with Griswold v. Connecticut in 1965, you'll find that it is pretty much established law forty-two years later. It is a 9th amendment unenumerated right, but supposedly also supported by the "Due Process" section of the 14th amendment. I don't really understand how Justice Harlan's "substantive due process" rationale actually works, but it has been relied upon in decades of precedent and ruling after ruling, most notably Roe v. Wade, so it's basically legal fact at this point.

    The scope is selective, however. Largely, privacy rights fall under the categories of "what you do in your bedroom," "what medical treatment you choose," and "what you do with your money." That's certainly enough of a basis to hold off a police state, however, and can always be amended to add new protected subject matter and activity without writing a new Bill of Rights. It's only going to expand at this point.

    So, good news, you have a "right to privacy." It's established law and it's considered to be guaranteed by the 9th and 14th amendments. For instance, privacy law is the foundation of the various medical privacy acts. Someone just has to wake up the folks in Washington who don't understand that "common law" is, in fact, actual law.

    The real problem, as you so aptly illustrated, is that we are voluntarily surrendering it with our own technology choices. Your "Brave New World" future portrait hits the nail on the head. The true blow to privacy is when we agree to use and implement such technologies, or allow them, through apathy and complacency, to become the only way to conduct our lives.

    --
    Toro
  12. Re:You Don't Even Have to Actually Cloak Any Data. on Merely Cloaking Data May Be Incriminating? · Score: 1

    So, according to the morons on that court, even if you haven't actually encrypted any data, the fact that you had the tools to encrypt data was enough to judge criminal intent, sort of like possession of burglary tools.

    Which is really odd, because Windows XP Professional has an "encrypt contents to secure data" check box that you can tick off on the "Advanced Attributes" dialogue of any folder. It's built into the OS.

    Did anyone point that out to the court?

    --
    Toro
  13. Re:A simple solution... WAKE UP! on Firefox and IE Still Not Getting Along · Score: 1

    Fine, you think I'm hallucinating? Here's what Daniel Veditz has to say on Bugzilla:

    On Windows XP some urls for "web" protocols that contain %00 launch the wrong
    handler and appear to be able to launch local programs, with limited argument
    passing. It is not yet clear that this can be used to compromise a machine but
    we can always fear the worst.

    The same behavior is observed using "Run" from the Windows Start menu for the
    affected protocols (http, https, ftp, gopher, telnet, mailto, news, snews,
    nttp, possibly others?). (emph. added)

    The reason I call FUD is not because the remote launching of executables is false or benign, it's because the reasoning pegging it as a Firefox flaw is spurious and because, IMHO, the severity of this exploit is badly hyped. Mozilla's folks say system compromise potential is unclear. "Fearing the worst" is what security professionals do, but dire speculations are hardly reality.

    Stop and think. If you can produce this effect from the Windows command line with Firefox closed, the problem is clearly not with a program that is not executing. It's in the way Windows Vista technologies (a.k.a.: the IE7 suite) handle URI calls containing %00 in the argument.

    It isn't a Firefox exploit, it's a hole in the OS. All Firefox did was pass the argument to the OS according to spec.

    Worse yet, if IE 7 itself doesn't produce the same problem, and I'll assume it doesn't as the article doesn't mention a problem with IE, it seems likely it's because Microsoft knew about the %00 "feature" and hard coded around the exploit. In that case, whether they failed to mention the problem to other developers out of arrogance, insular culture, or outright malice is anyone's guess.

    Why they left this "feature" in their operating system in the first place is beyond me.

    So Firefox shouldn't even be mentioned. That's the FUD. This should be labeled a Windows OS (or IE7) security issue and patched no later than next super Tuesday.

    The only reason Firefox is mentioned at all is because Microsoft is gunning for them, possibly by leaving time-bombs in their own operating system.

    --
    Toro
  14. Please God, Please God, Please on Leonard Nimoy to Play Spock in Next Star Trek Movie · Score: 1

    Someone say OMG! ponies! This is better than any "April Fools" joke I've ever seen on this site, and so frankly terrifying as a real story. Seriously, is the new ship in this movie going to be the NCC-0401?

    Jeepers.

    --
    Toro

  15. Anyone want to bet even money... on Wikipedia Infiltrated by Intelligence Agents? · Score: 2, Funny

    ...that "MI-5 persecution" guy, a celebrated Usenet-spamming lunatic, is the anonymous user who submitted this article?

    --
    Toro

  16. Re:A simple solution... WAKE UP! on Firefox and IE Still Not Getting Along · Score: 1

    Good point. Maybe it's high time browsers did that. Is there a Firefox extension that will show you the href argument in a tooltip? I don't code, but I would love to have that.

    --
    Toro

  17. Re:A simple solution... WAKE UP! on Firefox and IE Still Not Getting Along · Score: 1

    To make matters worse, when you combine something like this with Cross Site Scripting or Cross Site Request Forgery you can force another domain to send the payload for you... I've been in the security realm for some time now.

    Well then, it seems to me that that would be your PROOF OF CONCEPT, and you should have the resources and the ability to produce one. Right now, all you've proven is that you can launch a standard program (calc.exe), on a standard path, with a malformed URI that would produce immediate and visible results that would alert the user to a problem.

    When you can launch arbitrary code silently, without any user interaction save browsing the page, THEN you have a PROOF OF CONCEPT.

    Right now, you have unhelpful FUD (because you failed to define which URIs you deem "unnecessary") but have found an annoying flaw in Windows Mail that Microsoft should fix.

    Thank you for revealing this problem with the way Microsoft Vista technologies handle URIs.

    --
    Toro
  18. Lynx is still secure! *whew* on Firefox and IE Still Not Getting Along · Score: 1

    As a follow up, I actually tried to make Lynx pass the puked URI to Windows and it wouldn't do it. It has its own handlers. Security through "stone knives and bearskins" still works. ;^)

    --
    Toro

  19. A simple solution... WAKE UP! on Firefox and IE Still Not Getting Along · Score: 2, Insightful

    Here's a solution. Look at your status bar. If you see some wacko, malformed mailto: address appear when you hover over the link, don't click on it. The damned thing is longer than my arm! If it doesn't say joeuser@domain.foo, don't click. That simple.

    I know no one here is dumb enough to click like a hamster hitting the feeder bar for pellets, so that's basically for rhetorical effect. But I want to know why these Heise security "gurus" are hyping Firefox "flaws" that are barely exploitable (the other day it was about a web domain being able to "steal" passwords for its own domain), and not nearly capable of causing the kind of damage they claim. Where do they get off attributing a Windows Mail exploit to Firefox, and how on earth would a conscious user fall for this? The exploit or the FUD?

    A remote gateway? Baloney. You have to *click* on the mailto: (nntp:, etc.) to get it to even work. And even then, there'd have to be malicious code on your system in the first place to run. Calculator isn't a payload, folks. You need to have a trojan on board, in a default location, and then you need to click on another trojan (the malformed link). If the user is that stupid, they're already botnetted from double-clicking on "b00b13z.avi.wsf". It's FUD, FUD and more FUD.

    A machine is only as secure as its user is wise.

    Plus, you have to be running IE7, which most Firefox users aren't, unless you got sucker punched into loading Vista.

    And Heise spins this as somehow being Mozilla's problem? You could create the same situation with Lynx for crying out loud! All it takes is a malformed mailto: link. The command line will do it! That means you'd better watch out for malicious BATCH files, folks, because that's all it'll take.

    No one on Slashdot is stupid enough to fall for that right? At least batch files are still "open source."

    And since it doesn't happen with IE6, or if you have any sensible mail programs installed, clearly IE7's suite, Windows Mail in particular, has a flaw. A big juicy exploitable flaw. Else, Lynx has its first 0-day exploit.

    And you bet it'll slip past the UAC, if that's not a clear warning shot to you Vista boosters. Thank you Mozilla for having the sense to fix this problem even though it isn't your problem. You are proving that FOSS is the easiest code base to secure.

    Boy, this kind of shoddy, FUD-laden, biased coverage really makes me mad. This has nothing to do with Firefox and everything to do with Microsoft not understanding its own code base and OS security structures.

    --
    Toro

  20. Re:Does it taste like chicken? on Matching Cancers With the Best Chemical Treatments · Score: 1

    Oh man, Joe Jackson would have a field day with that...

    --
    Toro

  21. Re:A better story: Fructose and Fibre on Study Proves Having Fat Friends Makes You Fat · Score: 1

    A little note on this post:

    Corn syrup is glucose, not fructose.

    High fructose corn syrup is an enzymatically produced sweetener that raises the fructose level in corn syrup so it can be used as a cheap substitute for refined sugar.

    The stuff we use in products nowadays was invented in a lab in Japan in the 1970's and is produced in chemical plants. Corn syrup is not naturally a high-fructose product.

    --
    Toro

  22. The New Zork Times on Dearly Departed — Companies and Products That Didn't Make It · Score: 1

    A great link contained within the article is the one to the New Zork Times.

    the New Zork Times (later renamed The Status Line after The New York Times got cranky).

    You can find links to issues here: http://www.csd.uwo.ca/Infocom/Articles/NZT/index.html

    It's on page 13 (!!) so I thought I'd just call it out.

    --
    Toro
  23. Re:It's shocking... on Xbox Division Posts Loss of $1.9 Billion · Score: 1

    ...but not surprising.

    Try product abandonment. I bought an "Actimates" D.W. doll for my daughter in '99 ($60), with the computer hook-up ($30), and when it flopped, Microsoft never did another Arthur Actimates title again. They just quit with the original product line.

    We got one math and one reading title and that was it. The sales pitch promised many such titles. It was like buying a game console, and the company stops producing games after the initial lineup.

    They completely abandoned the line.

    They didn't write Sidewinder customization software for XP either. My $120 force feedback 1 joystick just collects dust. My Gamepad has no macro capability like in Win98.

    As a result, I no longer trust MS hardware products. They don't understand the durable goods market at all. The only thing they've done right is mice.

    For me, XBox360 is just another unsurprising nail in the coffin that is MS hardware.

    The "Surface" will be a disaster too, just wait.

    --
    Toro

  24. Re:And now for something... on Xbox Division Posts Loss of $1.9 Billion · Score: 1

    my bet is that the 360 MUST turn a profit by the end of its lifespan, or Microsoft will back out of the console market.

    One can only hope. Then they can return their focus to developing OS software that works. ;^)

    I agree. If they are in this same trouble after Christmas, the entire XBox venture (both 1 & 2) is a disaster. Right now, however, it just may be the result of people waiting for the other 3rd gen consoles to come out.

    The console market is funny that way. Time will tell.

    One thing is for sure, the 360 is a flop in Japan. That's not good news for MS. They are going to have to relocate or duplicate the heart of the console market (Japan) to succeed.

    Disclosure: I have a Gamecube and will be buying a Wii, and will never get an Xbox. I'm in the Nintendojo as a gamer.

    --
    Toro
  25. Re:Casinos win these battles all the time on Slot Machine with Bad Software Sends Players To Jail · Score: 1

    Being banned from a casino (which is private property) isn't quite the same as being jailed for fraud. Indiana is talking about filing criminal charges here.

    --
    Toro