> I just went there for the first time after
> installing Mozilla, and a CheapTickets.com
> ad popped up in my face.
Did you disable unrequested windows in the
Scripts & Windows preferences pane? By default,
popups are _not_ disabled. You have to set that
as a preference.
If you _did_ set the pref, and still got
popups that were not in response to a user
click event, but happened when a page was
loaded or unloaded, then you should check
your system for spyware. Certain file-sharing
software is known to come bundled with software
that runs in the background and does this.
window.open can be allowed or disallowed on a per-site basis using capability policies, but if you turn on dom.disable_open_during_load it will disable all popups from onLoad and onUnLoad events across all sites, even those where window.open is otherwise permitted. I think there is a bug filed at bugzilla.mozilla.org about this issue.
> However, I have to ask what kind of response
> we would see from ICANN... Are we looking at
> a complete backout of.za? Will this be an
> across-the-board version of the Usenet Death
> Penalty
Nothing quite so dramatic as that. If ICANN does
not approve of the change, the root nameservers
simply won't change the way they delegate the.za domain. Remember, in terms of toplevel
domains, if ICANN doesn't say that you are the
authority, your authority is meaningless. The
South African government can set up its new.za domain servers and declare them to be
authoritative, and set up as many committees
as it wants to manage them, but if the ICANN
nameservers delegate.za elsewhere, then every
name lookup in the world will look elsewhere
for.za domains. In particular, everyone will
continue to use the existing servers managed
by the current administrator, as long as ICANN
continues to delegate to them and they continue
to function.
Therein lies the problem...
The only serious danger to continued functioning
of the internet in South Africa (and this is a
very real possibility) would be if the government
legally forced the current.za administrator to
shut down the existing nameservers. In that case,
all name lookups in the.za domain would fail,
until he turned them back on or ICANN delegated
to a new administrator.
Probably the people who drafted the legislation
believe that they can force ICANN to delegate
to their new official servers, but ICANN says
they will not delegate to technically incompetent
administrators, and there is reason to believe
them.
Note that everything else internet-related
in South Africa would continue to work, except
for domain name lookups. Anything you can do
with just IP addresses would still work. Web
servers would still work, but could not be
accessed using domain names. (You could use
the IP numbers, if you know them.) In a pinch,
you could probably even still exchange email,
but it would be problematic for non-technical
users because there would be no way to determine
the correct mail server from a domain-based
email address. So you would have to know the
IP address of the mail server in question. Et
cetera.
Right, the _exploiter_ has to have something
listening for gopher connections, but the
_exploitee_ (i.e., the user being rooted)
only has to click on a link or visit a site
that happens to be malicious.
switch to Opera 6, Netscape 6, or Mozilla
Don't switch to Netscape 6. It's hopelessly
out of date. If you're going to switch to
Netscape, at least get Netscape 7.
Interesting point. Microsoft could probably
resolve this security issue just by removing
gopher support from IE (doubtless easier than
fixing the real problem), and almost nobody
would care. Anyone who still needs gopher
could be advised to go get a freely available
gopher client.
The existence of the exploit is announced.
Geeks complain loudly about the potential
problems it could cause. Microsoft says
they are working on the problem.
Some time later, someone familiar with the
details of the exploit tires of waiting for
Microsoft to develop a patch, and releases
a relatively harmless version of the exploit
that doesn't really do any serious harm, but
demonstrates the exploit. Microsoft says
they are working on the problem.
Microsoft releases a patch. Admins who
are on the ball (a relative few) install
it. Nobody else notices or cares, and
the majority of systems remain
vulnerable.
Months later, somebody releases a more
serious version of the exploit, that does
real dammage and self-propagates. Work
grids to a halt at millions of companies
worldwide.
The existence of the exploit in the first
place is troubling, but the *really serious*
problem is #3, where almost nobody installs
the patch until it is too late. Basically,
Microsoft may not care as much about security
as the security experts do, but the sad truth
is that many users and even sysadmins care
even less.
The user wouldn't even have to click on a link to a gopher site. If all that is necessary is to visit a (hostile) gopher site, then it would be enough to visit a site that contains javascript of dubious merit, which could foist gopher content on the user, possibly in a background window, resized to tiny and moved off the screen.
All that has to be done is convince the users to visit a site with javascript that does this. There are assorted ways to convince users to visit a site, but the most obvious is to offer porn.
When the patch comes out and the exploit is made public, it would be a public service for some major site (microsoft, cnn, or the ultimate would be yahoo) to use the exploit to install the patch on vulnerable systems. Only if the User-Agent seems to be an unpatched IE, of course. Probably nobody wants to use their bandwidth that way, though.
> I just went there for the first time after > installing Mozilla, and a CheapTickets.com > ad popped up in my face. Did you disable unrequested windows in the Scripts & Windows preferences pane? By default, popups are _not_ disabled. You have to set that as a preference. If you _did_ set the pref, and still got popups that were not in response to a user click event, but happened when a page was loaded or unloaded, then you should check your system for spyware. Certain file-sharing software is known to come bundled with software that runs in the background and does this.
window.open can be allowed or disallowed on a
per-site basis using capability policies, but
if you turn on dom.disable_open_during_load it
will disable all popups from onLoad and
onUnLoad events across all sites, even those
where window.open is otherwise permitted. I think
there is a bug filed at bugzilla.mozilla.org
about this issue.
Nothing quite so dramatic as that. If ICANN does not approve of the change, the root nameservers simply won't change the way they delegate the .za domain. Remember, in terms of toplevel
domains, if ICANN doesn't say that you are the
authority, your authority is meaningless. The
South African government can set up its new .za domain servers and declare them to be
authoritative, and set up as many committees
as it wants to manage them, but if the ICANN
nameservers delegate .za elsewhere, then every
name lookup in the world will look elsewhere
for .za domains. In particular, everyone will
continue to use the existing servers managed
by the current administrator, as long as ICANN
continues to delegate to them and they continue
to function.
Therein lies the problem...
The only serious danger to continued functioning of the internet in South Africa (and this is a very real possibility) would be if the government legally forced the current .za administrator to
shut down the existing nameservers. In that case,
all name lookups in the .za domain would fail,
until he turned them back on or ICANN delegated
to a new administrator.
Probably the people who drafted the legislation believe that they can force ICANN to delegate to their new official servers, but ICANN says they will not delegate to technically incompetent administrators, and there is reason to believe them.
Note that everything else internet-related in South Africa would continue to work, except for domain name lookups. Anything you can do with just IP addresses would still work. Web servers would still work, but could not be accessed using domain names. (You could use the IP numbers, if you know them.) In a pinch, you could probably even still exchange email, but it would be problematic for non-technical users because there would be no way to determine the correct mail server from a domain-based email address. So you would have to know the IP address of the mail server in question. Et cetera.
Right, the _exploiter_ has to have something listening for gopher connections, but the _exploitee_ (i.e., the user being rooted) only has to click on a link or visit a site that happens to be malicious.
switch to Opera 6, Netscape 6, or Mozilla Don't switch to Netscape 6. It's hopelessly out of date. If you're going to switch to Netscape, at least get Netscape 7.
Interesting point. Microsoft could probably resolve this security issue just by removing gopher support from IE (doubtless easier than fixing the real problem), and almost nobody would care. Anyone who still needs gopher could be advised to go get a freely available gopher client.
They won't do that, though.
- The existence of the exploit is announced.
Geeks complain loudly about the potential
problems it could cause. Microsoft says
they are working on the problem.
- Some time later, someone familiar with the
details of the exploit tires of waiting for
Microsoft to develop a patch, and releases
a relatively harmless version of the exploit
that doesn't really do any serious harm, but
demonstrates the exploit. Microsoft says
they are working on the problem.
- Microsoft releases a patch. Admins who
are on the ball (a relative few) install
it. Nobody else notices or cares, and
the majority of systems remain
vulnerable.
- Months later, somebody releases a more
serious version of the exploit, that does
real dammage and self-propagates. Work
grids to a halt at millions of companies
worldwide.
The existence of the exploit in the first place is troubling, but the *really serious* problem is #3, where almost nobody installs the patch until it is too late. Basically, Microsoft may not care as much about security as the security experts do, but the sad truth is that many users and even sysadmins care even less.The user wouldn't even have to click on a link
to a gopher site. If all that is necessary is
to visit a (hostile) gopher site, then it would
be enough to visit a site that contains
javascript of dubious merit, which could foist
gopher content on the user, possibly in a
background window, resized to tiny and moved
off the screen.
All that has to be done is convince the users
to visit a site with javascript that does this.
There are assorted ways to convince users to
visit a site, but the most obvious is to offer
porn.
When the patch comes out and the exploit is
made public, it would be a public service for
some major site (microsoft, cnn, or the ultimate
would be yahoo) to use the exploit to install
the patch on vulnerable systems. Only if the
User-Agent seems to be an unpatched IE, of
course. Probably nobody wants to use their
bandwidth that way, though.