Slashdot Mirror


User: jonadab

jonadab's activity in the archive.

Stories
0
Comments
5,933
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,933

  1. Re: pop-ups on First Reviews of Mozilla 1.0 Roll In · · Score: 1

    > I just went there for the first time after > installing Mozilla, and a CheapTickets.com > ad popped up in my face. Did you disable unrequested windows in the Scripts & Windows preferences pane? By default, popups are _not_ disabled. You have to set that as a preference. If you _did_ set the pref, and still got popups that were not in response to a user click event, but happened when a page was loaded or unloaded, then you should check your system for spyware. Certain file-sharing software is known to come bundled with software that runs in the background and does this.

  2. Re:hahaha on First Reviews of Mozilla 1.0 Roll In · · Score: 1

    window.open can be allowed or disallowed on a
    per-site basis using capability policies, but
    if you turn on dom.disable_open_during_load it
    will disable all popups from onLoad and
    onUnLoad events across all sites, even those
    where window.open is otherwise permitted. I think
    there is a bug filed at bugzilla.mozilla.org
    about this issue.

  3. Re:the large issue... on South African Internet Blackout? · · Score: 2, Informative
    > However, I have to ask what kind of response > we would see from ICANN... Are we looking at > a complete backout of .za? Will this be an > across-the-board version of the Usenet Death > Penalty

    Nothing quite so dramatic as that. If ICANN does not approve of the change, the root nameservers simply won't change the way they delegate the .za domain. Remember, in terms of toplevel domains, if ICANN doesn't say that you are the authority, your authority is meaningless. The South African government can set up its new .za domain servers and declare them to be authoritative, and set up as many committees as it wants to manage them, but if the ICANN nameservers delegate .za elsewhere, then every name lookup in the world will look elsewhere for .za domains. In particular, everyone will continue to use the existing servers managed by the current administrator, as long as ICANN continues to delegate to them and they continue to function.

    Therein lies the problem...

    The only serious danger to continued functioning of the internet in South Africa (and this is a very real possibility) would be if the government legally forced the current .za administrator to shut down the existing nameservers. In that case, all name lookups in the .za domain would fail, until he turned them back on or ICANN delegated to a new administrator.

    Probably the people who drafted the legislation believe that they can force ICANN to delegate to their new official servers, but ICANN says they will not delegate to technically incompetent administrators, and there is reason to believe them.

    Note that everything else internet-related in South Africa would continue to work, except for domain name lookups. Anything you can do with just IP addresses would still work. Web servers would still work, but could not be accessed using domain names. (You could use the IP numbers, if you know them.) In a pinch, you could probably even still exchange email, but it would be problematic for non-technical users because there would be no way to determine the correct mail server from a domain-based email address. So you would have to know the IP address of the mail server in question. Et cetera.

  4. Re:Wow... on Latest IE Hole Lets Gopher Root You · · Score: 1

    Right, the _exploiter_ has to have something listening for gopher connections, but the _exploitee_ (i.e., the user being rooted) only has to click on a link or visit a site that happens to be malicious.

  5. Re:All three gopher links left.. on Latest IE Hole Lets Gopher Root You · · Score: 1

    switch to Opera 6, Netscape 6, or Mozilla Don't switch to Netscape 6. It's hopelessly out of date. If you're going to switch to Netscape, at least get Netscape 7.

  6. Re:All three gopher links left.. on Latest IE Hole Lets Gopher Root You · · Score: 1

    Interesting point. Microsoft could probably resolve this security issue just by removing gopher support from IE (doubtless easier than fixing the real problem), and almost nobody would care. Anyone who still needs gopher could be advised to go get a freely available gopher client.

    They won't do that, though.

  7. Re:My thoughts: on Latest IE Hole Lets Gopher Root You · · Score: 2
    How about this pattern:
    1. The existence of the exploit is announced. Geeks complain loudly about the potential problems it could cause. Microsoft says they are working on the problem.
    2. Some time later, someone familiar with the details of the exploit tires of waiting for Microsoft to develop a patch, and releases a relatively harmless version of the exploit that doesn't really do any serious harm, but demonstrates the exploit. Microsoft says they are working on the problem.
    3. Microsoft releases a patch. Admins who are on the ball (a relative few) install it. Nobody else notices or cares, and the majority of systems remain vulnerable.
    4. Months later, somebody releases a more serious version of the exploit, that does real dammage and self-propagates. Work grids to a halt at millions of companies worldwide.
    The existence of the exploit in the first place is troubling, but the *really serious* problem is #3, where almost nobody installs the patch until it is too late. Basically, Microsoft may not care as much about security as the security experts do, but the sad truth is that many users and even sysadmins care even less.
  8. Re:My thoughts: on Latest IE Hole Lets Gopher Root You · · Score: 1

    The user wouldn't even have to click on a link
    to a gopher site. If all that is necessary is
    to visit a (hostile) gopher site, then it would
    be enough to visit a site that contains
    javascript of dubious merit, which could foist
    gopher content on the user, possibly in a
    background window, resized to tiny and moved
    off the screen.

    All that has to be done is convince the users
    to visit a site with javascript that does this.
    There are assorted ways to convince users to
    visit a site, but the most obvious is to offer
    porn.

    When the patch comes out and the exploit is
    made public, it would be a public service for
    some major site (microsoft, cnn, or the ultimate
    would be yahoo) to use the exploit to install
    the patch on vulnerable systems. Only if the
    User-Agent seems to be an unpatched IE, of
    course. Probably nobody wants to use their
    bandwidth that way, though.