No, that is the whole point of this problem. I can give you a link that, if you click on it (or even just read a HTML mail message with an IMG SRC pointing to it) will send me your amazon cookies and all the information I need to access amazon as you. I tried this the other week. It works. This is why the issue is news. It is not a simple issue to understand the implications of.
If you don't have one click shopping enabled, then they would still need your password. Someone can probably modify the page you see to grab it if you follow a specially formatted link to amazon.
Sure, in this case they can only buy books for you and there is still the physical delivery aspect stopping a true theft. But this is the sort of thing that this hole exposes.
There are issues here that have not been widely known before. The issues that have been known for a long time are that if user A submits content for user B to view, it has to be properly encoded. This advisory shows that even if user A submits content that only user A views, it can still pose a security problem. Even worse, encoding things properly is a very difficult task, especially when alternate character sets are concerned.
Many many many sites are vulnerable to this. yahoo, ebay, various Microsoft sites, amazon, etc. The list goes on. Slashdot is vulnerable.
I like to think I know what I'm doing around the web, and I certainly had trouble figuring out all the ins and outs of how things have to be encoded in particular situations. I still don't think they are all figured out.
The real issues here are a lot more subtle than they may appear at first. While the basic components of the issue aren't anything new, and no one familiar with the technologies should be surprised to hear that this issue exists (even without being aware of the details beforehand), they have never been publicly put together in this manner.
Also note that this isn't just about script tags; you can insert other HTML that can be just as dangerous.
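The encoding rule these comments describe, output encoding of user-supplied text even when the only viewer is the user who supplied it, as an added example that is not part of the original comments. It is a small context-aware HTML encoder for a search page that echoes the query back; the page template, the `q` parameter and the sample inputs are constructed for illustration. Decoding with the declared charset happens before escaping, and text and attribute contexts get different escape tables, which are the two points the comments say are easy to get wrong.

```python
import html

# Escape tables per output context. An attribute value needs the quote
# characters escaped as well, or the value can close the attribute early.
_TEXT_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}
_ATTR_ESCAPES = {**_TEXT_ESCAPES, '"': "&quot;", "'": "&#x27;"}


def escape_html_text(s: str) -> str:
    """Encode a string for insertion between HTML tags (text node context)."""
    return "".join(_TEXT_ESCAPES.get(c, c) for c in s)


def escape_html_attr(s: str) -> str:
    """Encode a string for insertion inside a double- or single-quoted attribute."""
    return "".join(_ATTR_ESCAPES.get(c, c) for c in s)


def render_search_page(raw_query: bytes, charset: str = "utf-8") -> str:
    """Render the page a user sees after submitting a search (constructed template).

    The query is reflected back to the same user who sent it, yet it still has
    to be encoded: a specially formatted link can put arbitrary bytes here.
    Decode with the declared charset first, then escape per context. Escaping
    the raw bytes before decoding is fragile because multi-byte sequences in
    another charset may contain bytes that only look like ASCII metacharacters.
    """
    query = raw_query.decode(charset, errors="replace")
    return (
        "<p>Results for <b>{text}</b></p>\n"
        '<input type="text" name="q" value="{attr}">'
    ).format(text=escape_html_text(query), attr=escape_html_attr(query))


def matches_stdlib(s: str) -> bool:
    """Cross-check the hand-written tables against html.escape from the stdlib."""
    return (escape_html_text(s) == html.escape(s, quote=False)
            and escape_html_attr(s) == html.escape(s, quote=True))


if __name__ == "__main__":
    # Constructed sample: non-script markup shows that every '<' is neutralised,
    # not just <script>, which is the point made in the comments above.
    print(render_search_page(b'<img src="x"> & "quotes"'))
```

Because the encoder is keyed on output context rather than on a list of forbidden tags, any tag, not only `<script>`, ends up as inert text, and the stdlib cross-check guards against a typo in the tables.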
Do you really think that VA has offered all the stock they ever can? They still hold a lot of stock that is very useful for acquisitions, etc. in the future as long as the price remains high.
On the other hand, having cash around is great for those times when the stock is relatively undervalued.
If this trend continues, then there will be a day when people participating in such a program end up losing, at least over the short term, when the stock drops below offering price for a few months or longer. We will see how people's tunes change then. Unfortunately, some company may get a lot of undeserved bad publicity if this does happen to them.
I don't think that is likely to happen with LNUX. But treating it as a free money handout is bogus.
I fully support them raising the IPO price to something more reasonable. It is of significant benefit to VA Linux to do so and, in the long term, it is a good thing for investors because it gives the company more capital for growth. It is unfortunate that they had to do it at the last minute, but that isn't entirely their choice either. Pricing IPOs is a tricky game; too low and the company doesn't get the benefit they could have, too high and it could flop. Often the build up doesn't begin until after its first price range is filed. Now, it is unfortunate that it makes their 100 share directed share program far richer than it was initially. Perhaps they should have allowed people to buy fewer shares. I can't make a judgement on that since I don't know all the issues involved.
They are probably using f5's bigip load balancer, which runs on BSD/OS and makes www.marspolarlander.com show up as a BSD/OS box. The actual boxes serving the content would be something behind that.
Well, in this case the boxes behind it are netapp boxes ("netcache" is their product name) acting as accelerators. The idea here is that if most of their content is static (and it looks like it is), then the accelerators can serve the vast majority of the hits.
You don't need a whole lot of disk IO, and lots of architectures can easily run out of network bandwidth or memory before having any problems with bus bandwidth.
I would also like to add a thanks for their attention paid to the fact that people do exist outside the US. No, it is not available in all countries and some people will miss out because of that. However, they are not limiting this capriciously. There are a lot of regulations involved, some quite legitimate some well-intentioned but misplaced or outdated. They didn't make most of the rules, and if they don't follow them, they get in trouble.
See page 69 of the prospectus. It describes the conditions that apply to Canadian participation, which would seem to imply it is ok. It is always a fuzzy area of securities laws when a company in one country sells to individuals in another; it may be against regulations in the country they are being sold to, but why should that matter for the seller if they aren't in that country?
My conditions are a bit more complicated, since I am currently a Canadian resident but am also a US resident alien for tax purposes; when I asked them (just now by email; quick response), they said it should be no problem and to try sending the forms in. I would recommend trying it. Nothing to lose except the cost of a fax.