ScreamingMonkey is a project that aimed at providing IE with a JS runtime able to run EcmaScript 4 programs.
Since ES4 is apparently dead, I'm not sure where that leaves ScreamingMonkey.
The canvas stuff is a different project that follows the same general approach, but on a different browser component.
Every Myspace user that logs in to Myspace sends their username and password in the clear.
It's been that way from the beginning, and the shiny new redesign didn't help.
Ironically, the URL it gets sent to is:
http://secure.myspace.com/index.cfm?fuseaction=login.process
Hey, there's a "secure" in the hostname, it must be okay!
So... When Myspace becomes an OpenID provider, will the OpenID authentication page be over plain HTTP too?
It's okay, it's not like most Myspace users log in to check their profile on every public computer they see.
> Would it be fair to say (...)
No.
Maybe if it came to a state where one specific benchmark was so prominent every browser was being judged by it, there might be a temptation for browsers with an inferiority complex to compensate by making the benchmarks lie, but we're not in that situation.
ah yes.
Today's missing word is "<canvas/>"
I blame technology.
The use of Flash is optional.
You can write an Apollo app entirely in HTML/js/css.
The HTML renderer is WebKit.
I wonder if it supports the tag.
Now *that* would show Flash.
> Where's the OpenBSD version? Where's the DragonFlyBSD version?
Hiding somewhere inside your linux compatibility layer?
The real question is, where's the amigaOS version?
Darn Adobe for not caring about the coolest OS out there!
When you have a cost center, you try to optimize it away: minimize costs, so that it impacts the bottom line as little as possible.
Typically no revenue gets recognized by an IT department. They "just" keep things working, not entirely unlike the way janitors keep the floor clear.
I suspect it's that very logic that makes execs think it's a good idea to outsource IT, in the same way many already outsource janitorial services.
On the other hand, software developers are usually part of a business unit, that recognizes some kind of revenue. Things are a lot smoother when execs can see on a dashboard that you appear to be generating more revenue than you cost to them.
That said, if you really enjoy doing IT stuff as opposed to development stuff.. well, it takes all kinds.
It's not just elementary school teachers.
Browsers are in on the conspiracy.
As proof, paste either of the following lines in your browser location line. Any browser, they're all in on it:
javascript:alert(1/0==Infinity)
javascript:alert(-1/0==-Infinity)
It's a sad world where computers are programmed to lie to us.
metalpet:
>It wouldn't be fair to convict them for more than we have evidence for, but it certainly makes sense to keep tabs on them once they get out.
voice_of_all_reason:
> So you admit that by the nature of this arrangement is it pretty much unprovable, but we should go "charging mah lazer" regardless as if it were absolutely true?
Would you like to rephrase your question?
Nothing in my post(s) can be construed as being in favor of tracking people that are presumed innocent.
It should however be obvious that I am strongly in favor of tracking known convicted sexual predators.
> Obviously the justice system failed in placing a non-rehabilitated criminal back on the street
That's a tough one.
When is a sexual predator that describes the motive for his crimes as "animal urges he just couldn't control" considered rehabilitated?
Would you advise giving convicted molesters a choice between a life sentence or mandatory castration (chemical or bricks)? That's another doozy for civil rights right there.
> And do you realize how incredibly rare a serial molester is?
You're apparently lucky enough to have been spared having to know much about child molesters.
After they transgress once, realize how easy it is, and see that nobody is coming after them for it, they all too often continue, either with the same victim, or with new ones.
That's the nagging question with every convicted molester: How many other kids did he hurt before he got caught on this one?
It wouldn't be fair to convict them for more than we have evidence for, but it certainly makes sense to keep tabs on them once they get out.
Err.. Why is a 2-line blob describing how "Megan's law" came to be modded as flamebait?
Impulsive modders out there, re-read the summary carefully: Megan's law is unrelated to this "precrime registry" concept, except for the part they both deal with sex offenders.
Apparently, this "precrime" idea was put forward by some shrewd local bishops as an alternative to extending the statute of limitations in order to convict some priests. With this alternative, the priests don't get convicted, but end up in an "almost sex offender registry" of some sort. At least until some supreme court smacks down the concept.
I'm guessing this is a half-hearted attempt by the local govt at bringing some closure in some blatant sexual abuse cases that are otherwise too old to be successfully prosecuted.
If I had to guess, I'd say the PPC effort was well underway before Apple announced it was switching to x86 CPUs.
ARM cpus tend to be found in phones and pdas, and Adobe has great hopes to get FlashLite on every phone someday.
With all that said, I'll be pretty surprised if the next flash player (10?) doesn't have x86-64 support, unless Vista is able to run in 64bit mode while using 32bit software.
The flash 9 JIT can already emit code for PPC and ARM.
Apparently those have more potential flash users than x86-64 right now.
There's also the possibility that the singularity just doesn't happen. It goes like this:
1. Puny humans create conscient intelligence much smarter than themselves.
2. Smarter intelligence considers creating another even smarter intelligence.
3. Smarter intelligence foresees grave consequences should that ever happen, and decides to go fishing instead.
See how that works?
All in all, it's a big jump to assume a greater intelligence will have exactly the same impulses we do.
You may be surprised to learn Flash has some built-in accessibility features.
http://livedocs.macromedia.com/flash/mx2004/main_7_2/00001182.html
I know it's popular to hate on flash, a bit like it was popular to hate on javascript a few years back, and let's face it, there are enough bad uses of the technology that it's easy for people that don't understand it to throw a blanket statement and say "All flash is bad, kthx."
Hopefully, as better built flash-using sites become more prevalent, and as people learn more about flash itself, things will improve, just like they did with javascript^WAJAX.
alright, so taking over the mines into one's own army of hopping kamikaze robots might be a stretch.
However, the fact that it's running a little embedded computer and doing radio is enough to come up with various scenarios:
- If you know what to listen for, you can actually hear the mines telling you where they are. Yes, the datastream is wrapped in mad crypto, but the underlying signal can probably still be triangulated the old-fashioned way.
- If you know what frequency ranges to disrupt, you can prevent mines from talking to each other, eliminating their ability to hop around to cover holes in the grid (I suppose they could start hopping around like headless chickens, though.)
- If you had some kind of hardware lying around that's able to generate an EMP, you could possibly fry a chip or two inside the mine, stopping them from hopping at least. That one is a bit less likely, as mad .mil scientists have probably already designed electronic thingies that can withstand EMP blasts.
Somehow I am reminded of a recent issue of AppleGeek Lite.
I had to read the first posts to remember when I had seen that name before.
Then it all came back to me: Last week, as I wasted a few hours cleaning up a relative's computer, and was getting amazed at the seemingly endless list of malware that can fit on one single computer.
At least, they didn't have a hidden service that refused to die and kept rewriting the same registry key every 2 seconds to guarantee it'd run next time the box reboots. (if you ever bump into that, setting a draconian ACL on the parent registry key can help.)
Exactly what version of MSIE would reject "Microsoft.XMLHTTP"?
Would those versions have any hope of understanding any of the "MSXML2.*" names?
I keep seeing the same voodoo everywhere ajax is found, and conscientious voodoo priests like the author of the code in parent post make a point to list not 2, but 5 possible names.
In my testing, it seems every version of MS' XMLHttpRequest object is linked to the "Microsoft.XMLHTTP" name, so there's no reason to ever want something more complicated than this:
if( typeof window.XMLHttpRequest == "undefined" ) {
  // Older IE: fall back to the ActiveX object under its original ProgID.
  window.XMLHttpRequest = function() {
    try {
      return new ActiveXObject( "Microsoft.XMLHTTP" );
    } catch( e ) {}
    // ActiveX unavailable (disabled or missing): behave like a browser without XHR.
    return undefined;
  };
}
It's not like anyone uses any new functionality that wasn't present in the older versions.
Ah yes, me versus a giant money-grubbing corporation. An epic fight, where two men enter, one man leaves. That'd show them.
Seriously though, the only reason I find security bugs in stuff is because I use that stuff in the first place. I use it because I like it, so I don't have any particular ill-will toward them.
I've been around enough coders to know how easy it is to screw up, particularly when you don't really understand all the security implications of what you're doing.
and I'm a terrible poker player.
As I've detailed on the child of your older sibling post, I don't intend to post it publicly.
I consider those particular bugs are mere symptoms of a flawed underlying design decision.
My hope is that they adjust their design, not quickly cover their collective behinds.
It's a long shot, I know.
Having been on both sides, as a security bug reporter, and as a web company employee having had to figure out how to handle those exact kinds of reports, I try to be reasonable on both sides.
I agree there are situations where public disclosure of an unpatched vulnerability is the right thing to do.
In the LJ case, the underlying problem, in my opinion, is that their HTML parser attempts to filter bad things using a blacklist approach, rather than a whitelist.
If I go public and effectively force them to scramble and fix those particular bugs quickly, I can guarantee the fix will end up being a few more blacklisted patterns. This in turn guarantees the exact same situation will happen over and over again.
So I'm holding out, in hope they will use that time to rewrite proper HTML filters.
Another way to look at it is, if I had gone public with my bugs 2 years ago, they'd have been fixed quickly, and the recent bantown crap would have happened in exactly the same way, causing just as much damage.
Both strategies appear to be equally ineffectual here, with the difference that my approach still gives me some theoretical leverage I'm using to try and gently prod the LJ team toward fixing this the right way.
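An added example, not the post author's code and not LiveJournal's HTML filter, of the whitelist approach the post argues for: the input is re-emitted from scratch, any tag or attribute not on the allow list is dropped rather than pattern-matched away, and an href survives only when its scheme is on a short allow list. The tag, attribute and scheme lists are assumptions chosen for illustration; the sample inputs are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow lists (assumptions for this example): anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # the tag *and* its text are dropped


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input, emitting only allow-listed markup and escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded, then re-escaped
        self.out = []         # output fragments
        self.open_tags = []   # emitted tags not yet closed
        self.skipping = False

    def _kept_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick, style, ... without naming them
            value = value or ""
            if name == "href":
                # Browsers ignore whitespace/control chars in the scheme,
                # so remove them before looking at it ("java\nscript:").
                value = re.sub(r"[\x00-\x20]+", "", value)
                if urlsplit(value).scheme.lower() not in ALLOWED_URL_SCHEMES:
                    continue  # drops javascript:, data:, vbscript:, ...
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still kept
        attr_text = "".join(
            ' %s="%s"' % (n, escape(v, quote=True)) for n, v in self._kept_attrs(tag, attrs)
        )
        self.out.append("<%s%s>" % (tag, attr_text))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_CONTENT_TAGS:
                self.skipping = False
            return
        if tag in self.open_tags:
            # Close anything left open after it so the output stays well formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # parser's no-op defaults, so they are dropped as well.

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    """Return an allow-list filtered version of untrusted HTML."""
    s = AllowListSanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed samples: a harmless tag with a stray handler, and a script block.
    print(sanitize('<b onclick="x()">hi</b>'))
    print(sanitize('<script>alert(1)</script>ok'))
```

Because the filter never looks for "bad" patterns, a new variant of an old trick is not a new case to patch: anything the allow list does not describe simply never reaches the output.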
Although LJ is currently holding the record in the "most ignored security bugs I reported" category (clocking at 25 months; previous holder was MS, and that was only 2 months), my usual disclosure policy is to not publicize details of a bug once it has been acknowledged until after it gets fixed.
XSS on LJ seems minor enough not to warrant an exception.
...about the 16 other XSS attacks.
I've reported an XSS flaw exploitable over IE to LJ over 2 years ago, and the flaw is still exploitable to this day.
(Yes, the email report was read by the right folks over at LJ.)
I'm slightly overdue to send them my yearly reminder, I think. (I should probably set up a cron job for that.)