Not all websites are fooled by this. For instance, Expedia refuses to allow disguised Opera users.
That's probably because the Opera user agent string is the MSIE string and then "Opera", so a normal check will find that the browser is MSIE, but looking specifically for Opera will show that it is in fact Opera. Opera may have an option to set the user agent string exactly, but if not you can always use a proxy server like Privoxy or Proxomitron to do it for you.
I believe that *nix systems have been using salts for a long time, and the most recent version of the NT password hash uses a salt, too. I'm not sure exactly how it is implemented (look at wikipedia, everything2, or the source code for that), but I think every password has a different salt which is stored along with the hash. This makes cracking a set of password hashes more difficult.
If we're looking at an md5 problem though, having a salt or not may not add much protection. I guess if they're finding any string that hashes to that md5 hash, then they would have to keep trying until they got a string with the salt in the right place, which would take a lot longer than without a salt.
This is a cleaner way than JavaScript to enforce data verification client side, so it doesn't have to touch the server. With HTML forms and JavaScript, you can simply disable JavaScript to get rid of the data validation. A programmer that wasn't already checking the data server-side has written bad code either way. XForms just makes the client-side interface easier to create.
I've never used ICQ, but for quick history you can use the "History" plug-in which comes with Gaim. Every time you open a conversation window, it displays the log of your previous conversation with that person on top (it makes all the text black and puts a to separate it from your current conversation).
I remember that past AIM viruses often worked by infecting through a browser exploit and changing the infected user's profile or away message to be a link to the browser exploit (sometimes just the link, sometimes with something like "visit this cool link"). Although this is an AIM exploit and not a browser exploit, the same strategy could be used.
This reminds me of this recent poll. Was this some sort of trick to get Slashdotters to admit they were doing something wrong? Did /. record the IPs of everyone who said they didn't save all their e-mails and delay this story until after that poll was off the main page?
How is this different from the FireFox vulnerability? You can target uncustomized versions of either much easier than customized versions. On my computer, the fake browser window looks awful because I've customized the tool bar (moved bookmarks next to menu bar and small icons) and I have the disable Javascript hiding stuff enabled (mentioned in multiple other messages). A toolbar picture in IE would look equally awful on any customized IE interface.
This is not the point. We are talking about normal users with default settings. This type of exploit will work on either browser for them. I agree with the other posters that (1) remote pages should not have XUL access (which may make this easier on FireFox, but not any less convincing), and (2) the disable javascript hide preferences should default to enabled so doing a similar attack with images would not work on FireFox.
I do not own a Windows CE machine, but Palm OS has a special reset mode where no OS add-ons are loaded in order to allow the user to troubleshoot problems with them (hold the up button while pushing the reset pin). In this mode it would be possible to delete any virus that has been installed and then reset regularly. I assume Windows CE has a similar option.
Yes, in AIM you can set it so only people on your buddy list can IM or so only people on your whitelist can IM you (I think that means up to 400 whitelisted between the two, but I've never used either feature).
At least when their consoles come out, Nintendo, Sony, and Microsoft all lose money on each console sale. This is a standard business practice in the video games industry. I do not know how much they currently lose or gain on each sale. The companies probably don't want their consoles being seen as old and therefore bad or some other marketing nonsense. Maybe console sales look good for 3rd parties deciding which platforms to develop for.
Am I the only one whose first thought on seeing the topic was, "If they're testing the asteroid defense, wouldn't that require an asteroid coming toward Earth?"
They support multiple archive formats, although bzip2 and rar are strangely missing from the list:
Can I send or receive an executable file?
As a security measure to prevent potential viruses, Gmail does not allow you to receive executable files (such as files ending in .exe) that could contain damaging executable code.
Gmail does not accept these types of files, even if they are sent in a zipped (.zip, .tar, .tgz, .taz, .z, .gz [emphasis added]) format. If someone tries to send this type of message to your Gmail account, the message will be bounced back to the sender.
I assume they use file or something similar to identify executables and archives. I fail to see how that is any worse than Yahoo identifying file type and scanning for viruses.
It's pretty well hidden in Windows XP. You have to use the group policies manager to disable it. Go to start --> run --> "gpedit.msc" (thanks to the other replier, I forget what it was called) --> Local Computer Policy --> Administrative Templates --> System (click it) --> on the right pane find "Turn off Autoplay" in the list --> right-click --> properties --> select the "enable" radio button.
Note that you can hold down shift while putting in a CD to disable autoplay for just that time.
Meanwhile: If the private space race stalls after the X prize is won, look for a Y prize. B-)
So, you're saying the A-W prizes didn't help much? Hopefully the X-prize will help, otherwise we'll have to move on to multi-letter prize names pretty soon!
Surely you're joking! Using a Mac OS 9 computer with FoolProof it took about 20 minutes for me (a Windows user) to figure out how to disable it. It's quite simple: hold down space at boot up. It shows the list of extensions, all you have to do is uncheck FoolProof. I'm sure OS X's built-in security as a multi-user operating system is better.
If you really wanted to use an older version of Mac OS, At Ease, which my elementary school used (uses?), is far harder to crack. It replaces Finder and gives access to an admin-determined application list and home directory. It disables the extensions screen, so it can't be broken in the same way. By now it's probably rather out-of-date though.
Which is great until you want to have a GUI. Although it's being worked on, GNU Classpath doesn't really support Swing. Of course, it sounds like mostly Java is used for non-graphical programs anyway, but not always. Open-sourcing Java would mean that it could be included by distros and used for desktop apps.
But... no... this makes no sense!
He... he... used the word "malapropism" outside of English class... it can't be!
BitTorrent.
Yes, I know. That's called "Get file" on the Windows version. "Send file" is the normal file transfer (sender initiates connection) feature.
I assume you mean the "get file" feature. It has been in WinAIM for several years (it was in 4.x), although I've never seen anyone actually use it.
Oh, ok, I didn't know remote sites were supposed to be able to access XUL.
Yes, I remember hearing about XAML.
Huh? I thought FF X was for PS2.
I don't know about other browsers, but on Windows I'm sure that both Opera and FireFox have options for making all cookies session cookies.
What would be the point? You think politicians read their regular mail any more often than they read their e-mail?
Strange, my SanDisk memory stick has been working quite well. How is that exclusive?