In fact disabling eXeem's spyware is a breach of contract. From the EULA:
6.5 In exchange for downloading the Software at no cost, you expressly agree that you accept the Embedded Third Party Software and that so long as you have not entirely deleted the Software from your computer you will not take any action, including downloading other software which modifies, is intended to modify or permits others to modify registry or other settings on your computer to, disable, remove, block, prevent the functioning of, or otherwise interfere with any of the Embedded Third Party Software.
I'm not saying that this should surprise anyone. Kazaa is well known for its spyware and eXeem is positioning itself as a Kazaa replacement. For most users the free (as in no money) access to large amounts of copyrighted content is ample compensation for having their machine rooted by a company which wants to make money off their personal info. The hidden cost of being 0wned by cydoor is much less than the obvious cost of actually buying the CDs or DVDs that you want to enjoy.
One attack of non-SSL communication would be to target software downloads. When you see an exe, msi, zip come through in the clear, simply add your virus to it. Unless the user double-checks the md5 hash, the user will probably never know what hit him.
You are right about me needing to get my learn on, but what you say is contrary to what I thought I knew. The SSL cert is based on the domain name, right? The IP shouldn't matter because without physical possession of the CA issued certificate you can't pretend to be that domain. And the user doesn't need to always check that the server's cert matches the domain name because the browser will do that.
Once your box is rooted the CA trust could be messed with, but rooted is rooted. Game over. Same for if the server gets cracked.
The weakest link I see is the user. How many people would just ignore the browser's warning about an invalid SSL cert? Probably many.
ActiveX shows Microsoft's commitment to the developer experience. Just think how hard it would be to write a webpage which makes firefox or any other browser format the user's harddrive.
In fact, it doesn't even have to be an IE user. Firefox also allows embedding of media player 9. Media player will then use IE to display the "license acquisition url", which then allows the infection.
[sarcasm] OMG, we've just found a security bug in Firefox! [/sarcasm]
If the user was already using IE to view your web page, there is no need to use media player. Just put your exploit directly in your page.
I don't see how Microsoft could do anything differently. They support playback of DRM files and non-DRM files. They support creation of DRM files and non-DRM files. It is up to the content producer how or if DRM is used. Sure, microsoft could have refused to create a DRM system to begin with, but it can't force other companies to release non-DRM content.
Two things: SP2 supports NX only where available. Not many people have hardware that supports it.
Secondly, dlls are not loaded into "The Heap". In fact, the entire dll is not even executable. The PE header of a dll or exe specifies which segments are executable and which are not.
www.prcview.com has a program which will show you the layout permissions for a process's memory.
You are certainly correct that no one thing will solve all security problems. But everything else in your post is plain wrong.
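An added example, not part of the original comment: the per-section read/write/execute flags described above are stored in the section table that follows the PE headers, and this Python sketch reads them. The sample image is a constructed, header-only byte string and the function names are hypothetical.

```python
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_permissions(image: bytes):
    """Return [(name, 'rwx'-style string)] for each section in a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the 4-byte signature.
    _machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, pe_off + 4)
    table = pe_off + 4 + 20 + opt_size  # section table follows optional header
    if table + 40 * nsect > len(image):
        raise ValueError("truncated section table")
    result = []
    for i in range(nsect):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, entry + 36)
        perms = "".join(ch if flags & bit else "-" for ch, bit in (
            ("r", IMAGE_SCN_MEM_READ), ("w", IMAGE_SCN_MEM_WRITE),
            ("x", IMAGE_SCN_MEM_EXECUTE)))
        result.append((name, perms))
    return result


def build_sample_image() -> bytes:
    """Constructed header-only PE: just enough bytes for the parser above."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0, 0x2102)
    def sect(name, flags):
        return name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", flags)
    return (dos + b"PE\0\0" + coff
            + sect(b".text", 0x60000020)    # code, execute + read
            + sect(b".data", 0xC0000040)    # initialized data, read + write
            + sect(b".rsrc", 0x40000040))   # initialized data, read only


if __name__ == "__main__":
    for name, perms in section_permissions(build_sample_image()):
        print(f"{name:8} {perms}")
```

A section that comes back as both writable and executable ("rwx") is the case worth flagging when reviewing a binary.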
If somebody can intercept the request to google.com and return their own data, they could have injected whatever javascript they want right from the beginning.
I don't know how happy google is about this, but there is already a FF extension to put suggest in the toolbar. Great plugin and also amazing how fast somebody implemented it!
"runas explorer.exe no work" - try runas iexplore.exe instead (with explorer you must disable the single process mode)
"runas control.exe no work" - Either use the IE trick above, or even better, hold down the shift key while right-clicking the control panel item. Click runas. (possibly not available on all XP versions)
Also note that regedit does the single process thing too. So if you runas regedit, make sure it isn't already running.
No sudo... but runas comes pretty close to satisfying the same need.
Re:Hard to not see this as for google, not for us (on Google Suggest)
Is autocomplete useful? I think so. This gives you a pre-populated autocomplete list. That sounds pretty useful to me, but I'd have to use it for a few days to really decide.
Sometimes I actually rely on the built-in autocomplete to save information for me that I might want later but don't want to bookmark yet.
To really be useful though, I would need it in the firefox toolbar. I never go to the google homepage anymore.
That may just be a (fixable?) bug in the implementation of the exploit. Try this: Middle click to open Citibank, click the alert (not vulnerable yet). Go back and left click to open another Citibank. Then switch tabs to the alert popup. The alert page now refreshes with the secunia payload.
Personally, I wouldn't mind it if firefox completely removed the ability for separate pages to script each other. This would break a bunch of sites. But I hate pop-ups anyway.
Also their advice is sound: "Do not browse untrusted sites while browsing trusted sites". Or put another way: restart your browser before and after going to a bank's website.
I would also guess blue counties might have higher net usage. But simply because it may be easier to get broadband in california than in wyoming.
There is plenty of GOP favored opinion on the net, so I don't think it would bring down the republicans. But just maybe the diversity of opinion could break us out of the 2 party system.
ps. isn't it amusing that reds always complain about the elitist liberal media, while the blues claim the media is corporate controlled 'old monopolies'. Somebody must be lying.
Very true, besides spaces ARE allowed in urls. He could have named his file "10 Most Persistent Bugs.html" and the browser and webserver would seamlessly use URL encoding to figure it out. In fact, he apparently already knows this, as evidenced by his "%20 Off" joke.
The abc news story had some of that stuff.
>1.) Where exactly in the moon is the Helium-3 located?
In the surface rock, it is deposited by the solar wind. Got to heat the rock up to 800 celsius to extract it. Takes 200 MILLION tons of rock to get 1 ton of h3. But only 25 tons might last the US for a year.
> Could the helium-3 be used to power small reactors on the moon
I hope so, considering how much rock they have to cook!
whoops, there goes my "excellent" karma.
Yeah, I'd love to see how it does on the reading comprehension section of the SATs.
And given enough trust in the technology high speed lane merging would be very handy.
Or you could play on stereotypes. Let's see what happens when hollywood tries to ban TheBible or PrayerInSchools.
And for that reason I think the name "Google suggest" is misleading. "Google autocomplete" is more accurate.
Typing "cstruct" gives one suggestion. Now type "c$%#$%#$%#^struct". It gives the same single suggestion.
I'm not sure exactly which characters it ignores, because it does recognize ".net"
Any more questions?
Anybody want to help me shutdown hotmail for a couple days?
In Korea, worrying about interplanetary bacterial contamination is only for old people.
No problem. I'll just do that while ScanDisk is fixing my MP3 player.