Additionally, it is, in certain respects, a retarded piece of journalism.
No, it's an example to those "complete and utter idiots" out there that write off XSS attacks as meaningless.
The XSS mentioned requires the use of phishing techniques
Sure, this one does, but many don't even require that. Many take input directly from the URL so you don't have to use a third site. The passed info in the URL can be obfuscated, too, so it's not obvious that some JavaScript is being passed. Don't say this is a retarded article just because of the method this specific attack requires.
Secondly is the ability to transfer a session.
Wait, you're saying this is a worthless article because of how the author decided to propagate the hijacked session? The article would have been better if the guy used GET, or what?
Thirdly, is simple abuse of a poorly designed web application
Duh, no shit. That's what all XSS attacks are. Who's writing the article here? In fact, the rest of your reply falls into the "no shit" category, too. You're just repeating what everyone says when vulnerabilities like this are announced. At least the article writer went through the effort of going into all of the details of a specific attack so that those who are clueless (99% by your calculations) can see exactly why this is an issue.
That's not validating anything. That's taking the shotgun approach by running everything through a specific function. You're now screwed when you need the plain text version of what the user supplied because it's gone. If you use a user variable in a query without quotes (since you're expecting an integer), the query is still open to SQL injection.
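As an added illustration of the point about unquoted integers (example code, not from the comment or the article it replies to): running every input through addslashes() is escaping, not validation, and an unquoted integer placeholder takes the escaped string exactly as received. The in-memory table and the two inputs are constructed for the demo, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the comment or the article it replies to): running every
// input through addslashes() is escaping, not validation. For an unquoted integer
// placeholder the escaped string is dropped into the query exactly as received.
// The in-memory table and the two inputs below are constructed for this demo;
// it assumes the pdo_sqlite extension is available.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (42, 'carol')");

// Constructed inputs: a legitimate id, and a value that is not an integer at all.
$inputs = ['42', '42 OR 1=1'];

foreach ($inputs as $raw) {
    // Shotgun approach: addslashes() only touches quotes, backslashes and NUL.
    // Neither input contains any of those, so both come back unchanged, and the
    // second one rewrites the WHERE clause instead of selecting a single row.
    $escaped = addslashes($raw);
    $rows = $db->query("SELECT name FROM users WHERE id = $escaped")
               ->fetchAll(PDO::FETCH_COLUMN);
    printf("addslashes() query for %-12s matched %d row(s)\n", var_export($raw, true), count($rows));

    // Validation: insist the value really is an integer before it goes anywhere near SQL.
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        printf("validation rejected %s\n", var_export($raw, true));
        continue;
    }

    // Then bind it as a typed parameter instead of interpolating it into the query string.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    printf("prepared query for %d matched %s\n", $id, implode(', ', $stmt->fetchAll(PDO::FETCH_COLUMN)));
}
```

Run it with `php` from the command line. The validated path never sees the second input at all, which is the difference between checking what the user supplied and blindly transforming it; the prepared statement then keeps the value out of the query text entirely.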
Wouldn't it work the other way around? I still flag crap like this as spam, so it seems like it'd train my spam filter to have more false positives, no?
If you want to really go to extremes, you might even be able to find a way to send information *in* to the keyboard by carefully delaying network packets
Since when do network packets get sent to the keyboard??
strip_tags() is one of the most worthless functions PHP offers. First, it gets rid of evil, nasty, harmful code such as or . Why do you have to jack up the text that the user wrote when there's no need? There are much better functions or methods to escape and not parse JavaScript or HTML, such as htmlentities() or htmlspecialchars() for two.
The second issue is with the "allowed tags" attribute of strip_tags. You may think to yourself that allowing <b>, <i>, <strong> tags, etc. is pretty harmless. Except that there's still no checking on the attributes of those tags. I can include a <b onmouseover="whatever_javascript();">mouse over me!</b> and strip_tags will happily allow that through and you think you're safe by only allowing a couple of harmless tags.
This whole article is just another example of blaming the technology instead of the shitty programmers who implement it.
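An added example (not from the comment or the article it discusses) showing both problems side by side: strip_tags() mangles ordinary text that merely contains '<' and '>', and its allow-list keeps every attribute on the tags it lets through, while htmlspecialchars() leaves the text intact and neutralises the markup. Both inputs are constructed.

```php
<?php
// Added example (not from the comment or the article it replies to). Both inputs
// are constructed: one is ordinary text that happens to contain '<' and '>',
// the other is the attribute-carrying <b> tag the comment describes.

$userText   = 'I think x<y && y>z, so press <enter>';
$allowedTag = '<b onmouseover="whatever_javascript();">mouse over me!</b>';

// 1. strip_tags() treats anything between '<' and '>' as a tag and deletes it,
//    so plain text that merely resembles markup is mangled.
echo strip_tags($userText), "\n";

// 2. With an allow-list, the entire <b ...> element survives, attributes included.
//    The event handler is still live once this string is echoed into a page.
echo strip_tags($allowedTag, '<b><i><strong>'), "\n";

// Escaping instead of stripping leaves the user's text intact and makes a browser
// render the markup as literal characters rather than interpret it.
echo htmlspecialchars($userText, ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars($allowedTag, ENT_QUOTES, 'UTF-8'), "\n";
```

If some inline formatting genuinely has to be preserved, strip_tags() on its own is not enough: the attributes on the retained tags still have to go, and that needs an HTML-aware sanitizer (HTML Purifier is the usual PHP choice) rather than a regex over the output, because quoted attribute values can contain '>' and defeat a naive pattern.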
There is no room for that in the cell phone market, which is oversaturated with low-margin Asian manufacturers/vendors whose phones are often given away for free.
How is this any different than the computer market? It too is saturated with cheap, low margin PCs and some are even tied to certain services. Yet people still continue to pay the "apple premium" for the pretty boxes and interfaces.
Isn't it the same with the MP3 market, too? There are tons of cheap MP3 players out there, yet people want the iPods regardless of the price.
Look at the RAZR phones. They aren't cheap and everyone seems to have one. That fact alone may mean the market is ready for another "premium" phone. RAZRs used to be status symbols (hello, iPod), but now everyone seems to have one.
I don't really follow Mac rumors at all, but if they've done their homework, maybe this really is the time to get into the market.
Most people look at price and buy what they can afford.
I'm an admitted geek, but after price, "style" is the next deciding factor for me. My last computer was a Shuttle because of the form factor. My next computer will be a Mac Mini size, although probably windows based since they seem to finally be coming out now. Not sure if you relate "form factor" with style, design and "pretty", but I do.
Plus there's the fact that pretty much any computer made over the past few years is good enough for most people. Most of us don't need the Pentium 6 12Ghz chip to check email, watch porn and program PHP, do we?;)
That's what we used to be taught too, but times have changed. With modern medicine, using a tourniquet doesn't mean you're going to lose the limb. We're authorized to even loosen tourniquets on the way to the hospital, so long as the clots hold. I hear what you're saying and a few months ago would have said the same thing, but the training I've received recently says otherwise.:)
I think the average time for Soldiers to be evac'd to a hospital is 45 minutes. The leading cause of death is blood loss, too. Do the math. Applying a tourniquet doesn't mean you're going to lose the limb automatically, so long as you get to medical care fast enough, which Soldiers are.
What's not explained, though, is how you get rid of these clots afterwards...
---John Holmes...
Re:Aren't we forgetting something.... on Talking iPods · Score: 1
I'm pretty sure they are since most people use an FM transmitter, tape adapter, input jack, CD changer port, etc. to plug the iPod into the radio.
1. Register_globals are not evil. It just made it easier for idiot programmers to write insecure code. Those idiots can write the same insecure code when register_globals is disabled. You can write secure scripts independent of the register_globals setting by initializing your variables and sanitizing user input.
4. True on the first part, but you can (and should!) use magic_quotes_runtime(0) within your script to disable runtime magic quotes regardless of the setting.
Certainly have good points with the rest of the comments, though.
I use runas to open up Explorer/IExplore and then go to the Control Panel to run the Windows Update. Or just go to the website in IE opened with Runas. I use automatic download and install, so I haven't done this in a while, but I seem to remember it working. Does that not work now?
---John Holmes...
Re:Nintendo's Wii akin to Chevrolet's Nova? on Both Sides of Wii · Score: 1
I certainly plan to buy one of those Nintendo weenies.
You mean Nintendo Wiinies?
---John Holmes...
Re:Mr. Thurrott forgives Microsoft on How Vista Disappoints · Score: 2, Informative
What programs do this, because I've never seen this to be true? I use runas to open up command line prompts and Explorer so I can start programs as an administrator. When installation programs started with runas finish, the program they start up is still running as the admin user. I don't even log in as admin anymore and use runas shortcuts for everything that requires an admin's touch. This is all on XP, btw.
* Really Slick Screensavers - Yeah, screen savers are kind of corny, but if you never shut off your computer like I do, this site has some really, really nice looking screen savers.
* Scite - Text editor, easy to use on Windows or Linux and a full featured executable weighs in at 430K, so it's too easy to carry on a thumb drive.
* TheOpenCD.org - Has some other programs listed that are free and may be worth checking out.
I didn't really do that much...
---John Holmes...
see my other reply... "plain old text" means something different to me than it does to slashcode, I guess...
think...
Or maybe that's just what Google wants you to thing...
This is one case where having a boring name would help.
Or a name that'll get them in trouble if they click on any of the results... ;)
---John Holmes...
The original reply to yours was simply a quote from the article. How is that obnoxious? You actually replied out of line first by asking if the user was melting down. Your post was confusing, at best.
I really hope you're not a teacher...
---John Holmes...
pfft... I'd rather have the $300 grand in the bank, still have the attention and let whoever call me a whiner.
---John Holmes...
I DO NOT want to know what #4 is in this case... doesn't sound worth it. ;)
---John Holmes...
Make it two beers then, bitch.