Slashdot Mirror


User: metalpet

metalpet's activity in the archive.

Stories: 0 · Comments: 120

Comments · 120

  1. Re:Not cross platform on Yahoo! Acquires Oddpost · · Score: 2, Informative

    Try it with Netscape 7.
    The MS Windows Media Player plugin demands ActiveX support to work correctly, so Netscape 7 has code especially written to support this particular ActiveX control.
    I'm not sure if it's possible to build Mozilla/Firefox with the same hack.

  2. Re:How soon they forget.... on Patents and the Penguin · · Score: 1

    I suspect CmdrTaco forgot to put his tags.
    Upon reading "Alexis de Tocqueville", most slashdot readers equipped with a working associative memory can't help but see the word "Microsoft" dancing in their head.

  3. old basics in french on Non-English Programming Languages? · · Score: 1

    I have a vague recollection of French versions of Basic (or was it Logo) when I was young (around 1985).
    Those were extremely annoying to code with, since you had to guess what could be the translation for "gosub" or "on error resume next" (or nag the owner/school for a Basic manual they usually didn't know existed).

    It's weird though. Nowadays, programmers compete for jobs on a global scale. It seems backward to start using localized programming languages usable only by a small fraction of the global workforce, unless the plan is to protect jobs through a language barrier.

  4. Re:Lessons of slashdot on Starting Your Own Community Driven Website? · · Score: 3, Interesting

    > Well, obviously allowing anonymous posting is not a good idea, as it significantly lowers your signal to noise ratio

    One could make an argument a site with <100 users doesn't have the same needs as a site with >100000 users has.
    The first thing to do with a community site is: "Put something out there".
    If you spend 12 months preparing this overly complex but oh so perfect site, you just lost 11 months of community-building time.

    Start simple, with whatever is good enough to get by, and make things better as you go.

  5. xeno = metal +1. freaky. [n/t] on SCO Identifies EV1Servers as Linux Licensee · · Score: 1

    cool. we're slashdot number neighbors, or something.

  6. totally off-topic, but on SCO Identifies EV1Servers as Linux Licensee · · Score: 1

    Are you related to Xenomorph by any chance?

    Just curious..

  7. Re:Article Slant on Identity Theft and Social Networks · · Score: 1
    Well, there's plenty of practical evidence MiTM attacks for ssh and ssl are real, no matter what books may say about it.
    I'm also fairly sure the recent %01 bug in IE could be used advantageously to cheaply pretend to be someone else's SSL server. The URL will look ok, the little lock will be closed, and no warning popup will show up. That's good enough for 99.9% of users.
    I remember a time when web spoofing was just a theoretical attack.

    Anyway, if you re-read brad's post, his home grown SSL replacement will be rolled out at the same time as a full SSL login system, with most likely the javascript version being the default.
    This will allow the SSL believers to feel comfortable, while keeping the overall system load at an acceptable level.

  8. Re:Article Slant on Identity Theft and Social Networks · · Score: 1

    Okie dokie. So I assume you agree a javascript challenge/response system is sufficient to protect against a passive man in the middle attack (aka sniffing). SSL is sufficient for this as well.
    Now, it is true such a system could be vulnerable to an active man in the middle attack, but the very same applies for SSL, as ettercap has shown.
    Active man in the middle attacks are darn hard to prevent, and SSL alone is not sufficient to do it.

  9. Re:Article Slant on Identity Theft and Social Networks · · Score: 2, Interesting
    You don't have to wait.
    This little site happens to implement exactly the kind of javascript digest challenge/response he's talking about.
    This sends a non-replayable authentication token over the wire from which the password cannot be derived.

    You can certainly "mutate" the script to send your password in the clear, but an even better attack would be to write your password in big letters on a web page, and post the URL here.
    I'm looking forward to hearing more of your brilliant scheme to let the world know your password in spite of this mechanism.
    However keep in mind this is really meant to protect legitimate users from attacks, not stupid people from themselves.

  10. Re:Article Slant on Identity Theft and Social Networks · · Score: 3, Informative

    yeah, journalists with an agenda are a bit evil, but it's not all bad:
    - LJ gains some exposure from this
    - real security folks reading over this most likely won't feel livejournal is that far behind. Half of the complaints in the articles are generic (phishing, impact of social networks on an account compromise), and the other half is mild (there might be XSS there, just like anywhere else), or unreasonable (what? you're sending session cookies over a non-SSL connection? how dare you!)

    Brad, I'd suggest you post a copy of your reply at this url:
    http://securityfocus.com/cgi-bin/sfonline/forms/comment_form.pl?section=news&id=7739
    SecurityFocus happens to have a fairly visible forum system, you might as well use it.

  11. Re:This is why it's a was of time to "Ask Slashdot on Can I Distribute This? · · Score: 1

    > these vendors are known litigious assholes!

    Hm, ok. None of these 3 companies are suing 12-year-olds yet AFAIK.

    Anyway, these are end-user client software those companies would most likely not mind being distributed, as long as you ask them first.
    I somehow don't see Macromedia saying "Well yeah we make that flash player for linux, but we don't want linux users having it pre-installed, that's a bit too easy."
    Same goes for the others.

  12. Re:because it's standard... on Microsoft FAT Licensing Plan - No Big Deal? · · Score: 1
    Nah not deficient.

    I'm just saying this is a line of business that's starting to flourish, that wouldn't even have a chance to exist if a more robust file system had been used in the first place.

  13. Re:Microsoft licensing program on Microsoft FAT Licensing Plan - No Big Deal? · · Score: 1
    > Quite possibly, and that's their right. Don't like it, come up with your own formats and protocols, in the same way that someone who doesn't like the GPL can "write their own damn code" (as I've often heard here).

    Well, try to put 2 and 2 together here.
    Microsoft has a de facto monopoly on the desktop.
    Now, we're seeing Microsoft deploying licenses for "potential patents" on several of their most used file formats and protocols.
    It doesn't take a huge stretch of imagination to see Microsoft extending their practice to every format and protocol that would be necessary to interoperate with their platform.
    This would result in Microsoft controlling quite tightly the ways in which "competitors" can try to "threaten" their monopoly.

    If this goes on unchecked, a few years from now, "alternative OSes" will have to exist in a vacuum, unable to implement any form of interoperability with Microsoft without paying the Tax.

    You may believe this is their right, but it seems to me there is more than their right at stake here.

  14. Re:they're not charging for FAT itself on Microsoft FAT Licensing Plan - No Big Deal? · · Score: 1
    Are you positively sure all they're licensing is the implementation?
    For other formats, MS license covers "possible patents" MS may have regarding the format.

    I'd be somehow surprised if MS didn't have a similar scheme for FAT. After all, it's not like it actually requires a patent to pull off.

  15. Re:because it's standard... on Microsoft FAT Licensing Plan - No Big Deal? · · Score: 1

    Yeah, using ext3 would put out of business all those "Flash card recovery" services, that typically don't deal with physical damage, but just with FAT corruption.
    That'd obviously be a bad thing for our recovering economy.

  16. Microsoft licensing program on Microsoft FAT Licensing Plan - No Big Deal? · · Score: 5, Informative

    I suspect Microsoft's current trend of licensing every protocol and file format they possibly can is not a small thing.
    IANAL, yet I have the sneaky feeling the terms of those licenses preclude GPL products from using protocols or file formats covered by them, *even those licensed for free*.

    As to whether or not those licenses are necessary is a great question. Do you really need a license to read an XML file? According to Microsoft, you "may", since "Microsoft may have patents and/or patent applications that are necessary for you to license in order to make, sell, or distribute software programs that read or write files that comply with the Microsoft specifications for the Office Schemas.".

    Worry.

  17. Re:Similar techniques are in use already on Javascrypt · · Score: 2, Informative
    Yeah, home pages are good. Someday I'll write one.

    In the meanwhile, my original page has been mirrored at this page by a kind soul.

    The pajhome source code is arguably prettier than mine, and should almost always be used, rather than mine.
    In my defense, mine was developed and works under Netscape 2.0, which probably makes it the first MD5 implementation in JavaScript ever.
    I have a nagging feeling pajhome's version requires at least NS3/IE3, although I haven't checked that.

    At the time, after I benchmarked it and realized how slow it was to run at the time, I had serious second thoughts about its usefulness (the 7 hashes test on the page above would take 10 to 15 seconds to run on some very reasonable desktop hardware).
    Things have gotten better, both on the CPU and the javascript speed front, and it does make a lot of sense now to use it for password submissions if you don't want to take the extra cost of SSL.

  18. Re:ATA response on Oops, Dave Barry Does It Again · · Score: 1

    Not if they're smart.
    People that are motivated enough to saturate their phone lines are extremely unlikely to ever buy anything from telemarketers.
    People can get pissed off, but businesses usually still just care about their bottom line.

  19. Re:There.com on Game Makers Aren't Chasing Women · · Score: 1

    To be honest, it's a lot better than I make it sound. Well kinda. It's not supposed to be a game as much as it's supposed to be a place to hang out and unwind. I guess that's a reasonable alternative to the self-inflicted servitude of many MMORPGs.

    I got really addicted for a month. Then I got really bored of it. But then again, I'm not a chick, and I don't like to hang out.
    Only reason I'd go back at this point would be to reverse engineer their protocol, just because it looks pretty complex.
    I think they're still in beta so you can simply go there and apply for an account.

  20. There.com on Game Makers Aren't Chasing Women · · Score: 2, Interesting

    Not sure if that qualifies but the virtual world "There" is entirely tailored to attract women.
    A few things they do off the top of my head:
    - no killing, no blood. ever.
    - lots of overly cute things (pets, environment)
    - shopping. lots of shopping.
    - lots of pretty clothes.
    - very easy to find people to chat with

    It's clearly not as "goal-driven" as most traditional games, and that might also be part of its women appeal.

  21. Re:So, it's search engines, now, is it? on Yahoo Buys Overture for $1.63 Billion · · Score: 1

    > Ok, but I'm still waiting on push technology, portals and b2whatever to revolutionize my web 'experience'(*).

    There are at least 3 major portals out there. One of them is mentioned in this story. Guess which.

    Push technology may not have happened in a purely web-based context, but ask yourself what all those Instant Messaging programs are really about.

    Marketing hype, despite popular belief, is sometimes based on an actual idea.

  22. Re:Why an Explorer? on University of Wisconsin Wins FutureTruck Competition · · Score: 1

    > all they are doing is transferring the danger from themselves to someone who actually picked a vehicle of the size that they needed.

    My theory is that SUV buyers are well aware of that fact, and that it is in fact one of the strong selling points for such vehicles.

    If somebody comes up with a car that *guarantees* you and your family will never be hurt, but happens to randomly kill a stranger about once a month, it will instantly replace SUVs.

    And Darwin tells us those people are what's going to be left after they're done crashing into the last of us.

    Guess I better buy an SUV to survive and prove Darwin wrong...

  23. Re:I wrote a simple RTS engine in Java... on Sun Pushes Java For Games Market · · Score: 1
    > Apples + Oranges

    Well, not really. Frag Island didn't use "Java 3D" or any other fancy API that didn't exist 5 years ago.
    It was doing all its rendering in software, and was drawing a plain bitmap on a plain AWT canvas, probably using a method very similar to yours (ImageProducer etc..).

    The (now rather dead and smelly) site for the applet is at: http://hem.passagen.se/carebear/fraggame.htm

    Unfortunately it doesn't load as it seems to be missing some data files, but the code is there for the grabbing and the jading.

  24. Re:I wrote a simple RTS engine in Java... on Sun Pushes Java For Games Market · · Score: 2, Interesting

    Obligatory counter-example:
    Frag Island, a very impressive quake-like FPS, written in late 1997 (so quake-like that they ripped off a bunch of quake graphics and let you play in multiplayer in an authentic quake map with an authentic rocket launcher. ID lawyers didn't like, although Carmack was reportedly impressed.)
    You would get more than usable framerates on 320x200. Keep in mind that was on way old 1.1 JIT runtimes. Things have gotten better.

    On a sad note, it seems the page/applet is still dead. I wish they'd have done something with their fast java 3d engine coded over AWT, which looked like nothing short of a small miracle.

  25. Re:NO WAY on Shadowbane Hacking Redux - Guild Bannings · · Score: 1

    Trust me, anyone that finds another way to teleport himself or anyone else at will in a world, will NOT need any encouragement to use it.
    The second way you could mean it is that other people are going to be looking for similar flaws because of it. Again, I'm certain that's happening now, not because of the aftermath, but because they realize if the coders let one slip through, there are probably others waiting to be found.
    The players got a taste of blood, and they're going to spend a lot of time trying to get more.

    Making it all fit into the in-game world is just a way to make some good lemonade with the whole thing.