This company has obviously put $$$ into developing this laptop. With their huge R&D budget, you'd think that they would have been able to spring for a graphic artist to get a nicer logo than "AtomChip" in a 24pt Arial font.
I had a friend who worked for a gov't agency. We went on vacation for about 2 weeks once and every morning at 9am he would send an e-mail from his cell phone, wait a few minutes for a confirmation and then continue his day. After a few days of this I asked him what the hell was going on. He informed me that if he didn't log-in to his computer daily by noon, it would auto-wipe a few gigs of encrypted data and inform his supervisors that he was either dead or captured.
Now I'm not sure if it was his paranoia or if he really was doing something -that- important (he would never say anything about it), but I've taken up the same idea, although to a lesser extent. If I don't check my e-mail at least once every two weeks, I have some scripts set up that will e-mail someone my passwords, delete some info off my computer and encrypt a lot of data with a 512bit key so that I -can- get the data back if I happen to not be dead :-)
They've had this in Virginia at least for quite a while. Travel down King Street near Alexandria and there's a set of stop lights near a school that will turn red instantly if you're going past 25mph. Not only that but if they "catch" you, they stay red significantly longer than their normal timing.
Memories are tied to time in some way or another...
In high school, I got a concussion on a mountain biking trail in the Rockies...
Afterwards I couldn't (and still can't) remember anything that had happened for about a week previous to the accident, but everything before that is fine.
Currently, I'm using two different filters. Each one filters well around 99.9%+ of all spam if properly configured. It's cut the spam that gets through on my server from around 5,000/day to an avg. of 2/day with each user on the server seeing maybe 1 spam per month.
The problem with using the filter described is that a good portion of spammers DO send from legitimate e-mail addresses...just usually not their own. Sometimes it's even being sent from the person receiving it (by simply faking the from: tag)
I currently get around 5,000+ spams/day sent to one of our servers (50 users). After fiddling with text filters that parse things like "FREE DVDS" from the subject and mark them as spam, I ended up with around 1,000/day getting through and roughly 2 false positives/week.
Seeing how this failed miserably, I now use two different methods of spam prevention. It's cut spam down to roughly 2 per day (which means each user might see 1 spam/month avg.) with 0 false positives over the first 30 days of testing.
Put simply, if every mail server in the world were to switch to using decent filters, it would make spam all but irrelevant and thus we wouldn't all be sitting here reading about it.
I fail to see why this is even considered an issue. You can EASILY spoof any website with server-side code and the "attack" is cross-browser.
The security bulletin talks about how using a specifically formed URL, you can download content from a remote site. I do the same thing all the time with a simple bridge in php:
httpbridge.php:
---------------
<?php
// Echo back whatever the url parameter points at
readfile($_GET['url']);
?>
so if you want to get content from google in javascript:
var A=null;
try{A=new ActiveXObject('Msxml2.XMLHTTP');}catch(e){try{A=new ActiveXObject('Microsoft.XMLHTTP');}catch(oc){A=null;}}
if (!A && typeof XMLHttpRequest!='undefined'){A=new XMLHttpRequest();}
// Synchronous GET through the bridge
A.open('GET', 'http://www.yoursite.com/httpbridge.php?url=http://www.google.com', false);
A.send();
document.write(A.responseText);
And now you can do any of the listed attacks in any browser. This is nothing new, lots of people already do it for useful reasons. The most recent use I've found is to pull geocodes.
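An added example, not part of the original post: `readfile($_GET['url'])` as posted will read any URL or local path it is handed, so this is the same bridge restricted to an exact-match host allowlist. The allowlisted host and the names `ALLOWED_HOSTS`, `bridge_target` and `bridge_fetch` are assumptions made for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example: httpbridge.php limited to an exact-match allowlist.
// ALLOWED_HOSTS, bridge_target() and bridge_fetch() are illustrative names.
const ALLOWED_HOSTS = ['www.google.com'];

// Return the URL if the bridge may fetch it, otherwise null.
function bridge_target(string $raw): ?string
{
    $p = parse_url($raw);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                 // local paths such as /etc/passwd, garbage
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                 // file://, php://, ftp:// and friends
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                 // http://www.google.com@other.example/
    }
    if (!in_array(strtolower($p['host']), ALLOWED_HOSTS, true)) {
        return null;                 // exact match only, no suffix matching
    }
    return $raw;
}

function bridge_fetch(string $url)
{
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0,      // a redirect could leave the allowlist
        'timeout'         => 5,
    ]]);
    return @file_get_contents($url, false, $ctx);
}

if (PHP_SAPI !== 'cli') {
    $raw = $_GET['url'] ?? '';
    $url = is_string($raw) ? bridge_target($raw) : null;
    if ($url === null) { http_response_code(400); exit("refused\n"); }
    $body = bridge_fetch($url);
    if ($body === false) { http_response_code(502); exit("upstream error\n"); }
    // text/plain keeps fetched markup from rendering under the bridge's origin
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
} else {
    // Constructed inputs for a command-line check: only the first is accepted.
    foreach (['http://www.google.com/', '/etc/passwd', 'file:///etc/passwd',
              'http://www.google.com@other.example/', 'http://127.0.0.1/'] as $u) {
        printf("%-40s %s\n", $u, bridge_target($u) === null ? 'refused' : 'ok');
    }
}
```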