Slashdot Mirror


User: MobyDisk

MobyDisk's activity in the archive.

Stories
0
Comments
5,998

Comments · 5,998

  1. Re:How does injecting a cookie expose data? on Modern Browsers Are Undefended Against Cookie-based MITM Attacks Over HTTPS · · Score: 1

    What do you mean they don't allow subdomains?

    Those domains don't sell subdomains to 3rd parties. I can't go buy an evilhacker.Amazon.com, and evilhacker.gmail.com.

    The point of the attack is to MITM non-HTTPS sessions with a subdomain to manipulate future HTTPS sessions.

    AHhhhhhhhhhhh!!!!!!!! (I didn't read the PDF - just the linked article.) Now that you say this the article makes much more sense. They MITM the HTTP session, set a cookie, that cookie is read by the HTTPS session. The cookie spec was supposed to take that into account since it has flags for secure and not secure. Sounds like the browsers aren't really abiding by that, probably since it used to be more common to mix HTTP and HTTPS.

  2. Re:Cookie self declares path on Modern Browsers Are Undefended Against Cookie-based MITM Attacks Over HTTPS · · Score: 1

    It's not THAT bad. You can only do this if the sites are in the same domain. So foo.example.com and bar.example.com can get/set cookies for example.com. So foo.example.com can "hijack" bar.example.com.

  3. Re:How does injecting a cookie expose data? on Modern Browsers Are Undefended Against Cookie-based MITM Attacks Over HTTPS · · Score: 1

    Thanks for the write-up. It clarifies it a lot. But there is something unfair about these examples. You show how this attack could be used against JD.com, amazon.com, or gmail.com -- but only if those sites allowed subdomains. But since they don't offer subdomains, it seems inappropriate to use them even as hypothetical examples. The GitHub example is a good one.

    The second means of injecting cookies seems to go without saying. If someone can MITM, then you are screwed. They don't need this attack.
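An added Python model of the cookie scoping rules this thread argues about (my illustration, not code from the thread or from the paper it discusses): it follows plain RFC 6265, under which the Secure attribute restricts only where a cookie is sent and not who may set it, and adds the later __Host- prefix rule as the mitigation. Hostnames, cookie names and values are constructed, and cookie paths are left out of the model.

```python
# Added model of RFC 6265 cookie scoping (pre-6265bis behaviour); not from the thread.
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # scope domain, or the setting host when no Domain attribute
    host_only: bool  # True when the Set-Cookie carried no Domain attribute
    secure: bool     # Secure attribute: only affects *sending*, not setting

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def set_cookie(jar, host, scheme, name, value, domain=None, secure=False):
    """Store a Set-Cookie as a browser following plain RFC 6265 would; False = rejected."""
    if domain is not None and not domain_matches(host, domain):
        return False  # a host may only scope cookies to itself or a parent domain
    if name.startswith("__Host-") and (scheme != "https" or not secure or domain):
        return False  # __Host- (RFC 6265bis): https-only, Secure, no Domain (and Path=/)
    scope = domain or host
    # Same name and same scope replaces the old cookie, even when set over plain http.
    jar[:] = [c for c in jar if not (c.name == name and c.domain == scope)]
    jar.append(Cookie(name, value, scope, domain is None, secure))
    return True

def cookies_for(jar, host, scheme):
    """Name -> value of the cookies attached to a request for scheme://host/."""
    sent = {}
    for c in jar:
        in_scope = host == c.domain if c.host_only else domain_matches(host, c.domain)
        if in_scope and (scheme == "https" or not c.secure):
            sent[c.name] = c.value
    return sent

def demo():
    jar = []  # constructed scenario with made-up hosts and values
    # Parent-domain scoping: foo.example.com's cookie is visible to bar.example.com.
    set_cookie(jar, "foo.example.com", "https", "theme", "from-foo", domain="example.com")
    bar_sees = cookies_for(jar, "bar.example.com", "https")
    # Secure is not integrity: a plain-http response for www.example.com (which a
    # network attacker could forge) replaces the Secure cookie the https site set.
    set_cookie(jar, "www.example.com", "https", "sid", "legit", secure=True)
    set_cookie(jar, "www.example.com", "http", "sid", "injected")
    https_sees = cookies_for(jar, "www.example.com", "https")
    # __Host- prefix: the same http response cannot set a prefixed cookie at all.
    set_cookie(jar, "www.example.com", "https", "__Host-sid", "legit", secure=True)
    rejected = not set_cookie(jar, "www.example.com", "http", "__Host-sid", "injected")
    return bar_sees, https_sees, rejected, cookies_for(jar, "www.example.com", "https")
```

Browsers that implement the RFC 6265bis "secure cookies from insecure origins" rule now reject the overwrite in the second step of demo(); the prefix check shows the stronger guarantee that does not depend on that.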

  4. Re:Slightly more technical on The New Technique That Finds All Known Human Viruses In Your Blood · · Score: 1

    To set the record straight, I skimmed the article and missed the "no false positives" claim. Doh! But I am skeptical of that claim. The article says:

    And since the technique offers up the full genomes of whatever virus it detects, it shouldn't throw up any false positives

    That's like me saying "because I showed my work, my answer cannot be wrong." Just because it gives the sequence of what it thinks it found, doesn't mean that it was actually present, and that the sequence is correct. I've worked on PCR systems, but never sequencing systems. Are they really 100% perfect? If so, then... wow... that's amazing.

  5. Re:Slightly more technical on The New Technique That Finds All Known Human Viruses In Your Blood · · Score: 2

    Suppose the false positive rate is 2%. The article says it detects 700 viruses. 2% of 700 viruses is 14 viruses. 14 tests could require 14 samples: so 5 blood draws + 6 urine samples + 3 stool samples. Ugh! (And no - you can't usually run 2 arbitrary tests from one sample.) So to make this work, the doctors would have to look through the results to see which viruses match the symptoms, so they only run the specific tests for those. That is probably what happened in this example. They probably saw a dozen viruses, and said "Hey, this one might actually fit."

    Of course, this example makes one wonder why they didn't consider dengue in the first place. Perhaps it just goes to show that the test is still useful since it compensates for human fallibility.

  6. Re:Engineers were just as guilty on VW Fiasco Puts Ethics In Engineering Under the Spotlight, CEO Steps Down · · Score: 2

    Can you afford to walk away from your job right this minute?

    That's a terrible excuse for committing fraud. Especially for a software engineer who is in a high-demand field and is making enough money that they should not be living paycheck to paycheck.

    We cannot allow a financial incentive for fraud: If crime pays, we are screwed. We should make sure that the engineers who did this are penalized sufficiently that it would have been better for them to be fired than to commit fraud. To do otherwise actually incentivizes the crime. We would not want one engineer saying to another "Remember that viral code you refused to write? So while you got fired, I wrote it and now the CEO and our boss got canned! Ha ha! Now I get a promotion and you are on the street for your morals!"

  7. Re:I said "No, I won't put that code in." on VW Fiasco Puts Ethics In Engineering Under the Spotlight, CEO Steps Down · · Score: 1

    Yes!

    This is why it is very important to punish the engineers who stayed on and didn't get fired. Their punishment must be more severe than merely being fired, otherwise we create incentive to perform the crime. If the punishment for saying "no" is being fired, but the punishment for saying "yes" is continued employment, that's not good.

    I do wonder if this really happened though. Did anyone try to quit over this?

  8. Government search engines on France Tells Google To Remove "Right To Be Forgotten" Search Results Worldwide · · Score: 1

    We need to step back and observe that search engines have become so important that governments want to control them. This is fascinating, and also frightening. Perhaps the EU needs to create its own search engine, and simply outlaw all other search engines. They can call it "Ministry of Truth." Or perhaps the EU needs to set up a "Great Firewall" like what China has. Each country could have its own set of rules: So no Nazi results on the German proxy, no California wines on the French one, and the whole EU can share a "right to be forgotten" blacklist too.

    This approach of suing each search engine that doesn't comply with the blacklist is not a really great solution. If the EU citizens really support this, they need to find another way.

  9. Re:Why the 4th amendment no longer works on What Congress' New Email-privacy Bill Means For Your Inbox · · Score: 1

    You don't have to use Google or Facebook.

    Yes, and think bigger!

    To effectively regain my 4th amendment rights as they were when the constitution was written, I would need to avoid the power company, credit card companies, banks, credit monitoring services, Amazon, eBay, hospitals, grocery stores, phone companies, and ISPs. They all could share my information with the government, without a warrant, and without notifying me. We have some specific laws in place for medical records and banking records - but those are the exception, not the rule.

    This is all possible because the default legal position is that any data they have on you is theirs to disseminate, not yours. You can't avoid this unless you go Amish.

  10. Re:Why the 4th amendment no longer works on What Congress' New Email-privacy Bill Means For Your Inbox · · Score: 1

    The Post Office (1) delivers mail...So using the Post Office as an analogy...

    It wasn't an analogy. It was a literal statement of fact.

  11. The good parts of the DMCA aren't working on YouTube 'Dancing Baby' Copyright Ruling Sets Pre-Trial Fair Use Guideline · · Score: 2

    Is this a DMCA case or not?

    The DMCA requires that the copyright holder sign an affidavit indicating that they own the content. Does it also require them to state that it violates fair use? But if YouTube provides a "back door" where certain "privileged" copyright holders can take down videos without having to file actual DMCA requests, then the protections the law provides are moot. It is yet another case where 3rd parties are interfering with our property rights.

  12. Why the 4th amendment no longer works on What Congress' New Email-privacy Bill Means For Your Inbox · · Score: 5, Insightful

    Law-enforcement agencies don't need to get a warrant to force a company like Google or Facebook to turn over those communications. Agencies just need to assert in writing that they need the communication to further an active investigation.

    If that is the case, it is because Google and Facebook *choose* to turn over those communications. Back when the constitution was written, it was assumed that the accused would refuse to provide information without a warrant. But today, most of our information is held by 3rd-parties who have no reason to withhold our information. So the 4th amendment doesn't work any more.

    The ultimate fault here is that when Google holds my email, it should be *my* email, not theirs, so they should not have the legal power to give it out without my consent. That is how the post office worked. They are actually not allowed to intercept mail without a warrant: it isn't theirs to give out. We lost that protection. Same with your gas-and-electric bill, your credit card records, and your passwords (don't forget that one if you use a password manager!). Those things are not yours, so the constitutional protections don't apply.

  13. Re:One hopes on Spy Industry Leaders Befuddled Over 'Deep Cynicism' of American Public · · Score: 1

    I think that they are caught up in their own bullshit that they have forgotten how "the man in the street" thinks.

    While I agree, could you be caught up in Slashdot culture so much that you have forgotten how "the man on the street" thinks?

    I think you will find that the average "man on the street" supports surveillance. It is a vocal minority who does not. But we, Slashdot posters, are that vocal minority. Most people do not understand the constitution, or the founding fathers' intentions, or the dangers of unchecked surveillance. Most of them have not read 1984 and don't care.

    It is important that we not forget that, if this was put to a pure vote, we would lose. Congress does not seem to be able to stop them. The checks and balances of the court system are the only thing preventing a total surveillance state. (Well, more likely, we are in a surveillance state already, but the courts are what keeps them from publicly admitting much of what they do.)

  14. Re:Well, yea... on US-Appointed Egg Lobby Paid Food Blogs and Targeted Chef To Crush Vegan Startup · · Score: 1

    The AC is wrong. This does have to do with the US government, per the reply by AthanasiusKircher (1333179).

    But this is not a tax, it is merely money that a company or individual is compelled by the government to pay. Big difference.

    Based on the recent SCOTUS ruling on the ACA, it seems that these kinds of mandatory fees may indeed be considered taxes. See http://obamacarefacts.com/supr... under "Supreme Court Ruling: A Tax not a Mandate"

  15. Re:Well, yea... on US-Appointed Egg Lobby Paid Food Blogs and Targeted Chef To Crush Vegan Startup · · Score: 1

    Awesomest reply I've had on Slashdot in years. Thank you.

  16. Re:Fraud Opposed to the Ideals of Nerddom on US-Appointed Egg Lobby Paid Food Blogs and Targeted Chef To Crush Vegan Startup · · Score: 1

    And it is now standard advertising practice. :-( Commercials are ineffective. Bloggers are. The FTC has stated that bloggers must disclose such things because it is a form of advertising.

  17. Re:Well, yea... on US-Appointed Egg Lobby Paid Food Blogs and Targeted Chef To Crush Vegan Startup · · Score: 1

    That's even worse.

    Who makes this mandatory? I can understand making it mandatory to join an oversight board or reporting data to the FDA. But I hope the government isn't requiring companies to join advocacy groups. That's a small step away from mandatory lobbying.

  18. Re:Hate in 3, 2, 1... on Node.js v4.0.0 Released · · Score: 5, Insightful

    I think it is JavaScript hate, not Node hate.

  19. Re:Einstein's whisky on Whisky Aged On NASA's International Space Station Tastes "Different" · · Score: 1

    Is there any easy way to see the entire posting tree for a thread? Right now, it shows me my post, and all the parents and children of it. But if I expand your post, I don't see other replies. The two ways I know to find those replies are either go back to the original story and find this thread, or to click on your name and find your post. At that point it shows me the replies to your post. Surely there is a better way.

  20. Re:What case is compelling Apple to do this? on Apple To FBI: Encryption Rules Out Handing Over iMessage Data In Real Time · · Score: 1

    I am dumb. I even quoted TFA. Somehow I missed it. Thank you! (sheepishly hides)

  21. What case is compelling Apple to do this? on Apple To FBI: Encryption Rules Out Handing Over iMessage Data In Real Time · · Score: 1

    According to the article:

    Despite a court order instructing the company to hand over text conversations between iMessage accounts to the FBI,

    How was the court order to do this obtained? Is the FBI investigating someone? Is there some other case in progress?

  22. Re:Bug still in Web interface? on Vulnerabilities In WhatsApp Web Affect Millions of Users Globally · · Score: 2

    The confusion here stems from the fact that someone named a piece of application software with the words "web" and "app" in it. That's almost as bad as naming a web site with "slash" and "dot" in the name just to confuse people.

    When this card is opened from within the app...

    There's an app. It's vulnerable.

    Speaking more generally: this is the problem with operating systems allowing applications to register custom URLs. Someone can click on a link, but the link doesn't open in a web browser, it launches a local application and passes that data to the application. So it allows local vulnerabilities to become remote vulnerabilities.

  23. Re:Einstein's whisky on Whisky Aged On NASA's International Space Station Tastes "Different" · · Score: 1

    No, GrantRobertson was right. You accounted for gravitational time dilation but forgot relative velocity time dilation. The one on the ground aged longer because the ISS is moving so quickly.

    A discussion of the two, and which one outweighs the other:
    http://ideonexus.com/2009/02/1...

    Other links:
    https://www.quora.com/Why-is-t...
    http://www.wired.com/2014/11/t...

  24. SPF -vs- percentages on Miami Installs Free Public Sunscreen Dispensers In Fight Against Cancer · · Score: 1

    SPF 15 filters out about 93 percent of UV-B rays, SPF 30 filters out 97 percent, SPF 50 filters out 98 percent, and SPF 100 might get you to 99.

    Sounds like we need a new labeling system. Perhaps they should say "XX% percent protection for Y hours."

  25. Batman analogy? on Miami Installs Free Public Sunscreen Dispensers In Fight Against Cancer · · Score: 1

    We put on the "more powerful" sunscreens and then suddenly think we're Batman or some other superhero who can stay out in the sun indefinitely.

    Wait... since when is Batman analogous to someone who stays out in the sun all day? I am pretty sure Batman is the "dark knight" who mostly goes out after dark. That was the most confusing example anyone could possibly have come up with.