Slashdot Mirror


User: cfalcon

cfalcon's activity in the archive.

Stories: 0 · Comments: 2,533

Comments · 2,533

  1. There's some BIG differences there. First, there's OS tools available that try to handle this case. Second, there's great workarounds for this insecure-but-fast disk habit, such as storing the data encrypted, or on an encrypted partition. Third, the time/tradeoff is much greater with disk cases- writing a block of RAM on SHUTDOWN ONLY is not nearly as great a burden as writing over an arbitrary file on the disk.

    I could see Google's position on this- it's not technically their fault- but they could at least try to blank the RAM that they allocate on exit.

  2. Patents cost money to file, and require a lot of effort to write. It's still a good idea, just an expensive one.

  3. Oh come on on How To Talk About Mental Illness Online? · · Score: 1

    Bruce's statement is factual (or if not, it certainly APPEARS factual), and is meant to be kind. Stop manufacturing offense.

  4. Re:Why cant the browser run as its own user id? on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    One thing I've always wondered about was the choice to run everything at ring 3 or ring 0. There's probably a reason I don't understand, but the original intention was a hierarchy. If user stuff was commonly at ring 2 or whatever, then you could have less trusted crap like network drama at ring 3. Maybe someone will post the reason, I dunno.

    The bigger thing is, the industry IS moving in this direction. SE Linux in particular offers a pretty good solution here.

    I think the core problem is often that there's just so goddamned many vectors available thanks to how overly robust and powerful the scripting is.

  5. Re:The solution is cookie editing on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    That's good to know, but not what I meant. No, the fix to the Forbes issue requires you to import the cookies with values as listed. The list in question is valid as JSON, but really anything that sets it would work. It's not about clearing cookies in this case, it's about setting them to specific values. In Chrome, "Edit This Cookie" does this just fine. Whenever people are like "how do I $THING", I normally try to answer for Firefox and Chrome if I can, and I couldn't get a cookie editor to work in Firefox.

    Offtopic also- how good at cleaning cookies is CCleaner? Like, does it get cookies from Chromium, Opera, Palemoon? Is there a list? I know it's a Windows only guy, but how well does it nuke cookies?

  6. Re:What isn't broken? on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    Without lava running along the floor, how does the home owner rapidly burn off unwanted feet? Or did you mean he has to carry a blowtorch with him any time he wants to melt his own feet?

  7. Re:Primed? Likely? on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 2

    It *might* be a hatchet job. But remember, malicious code is not written by script kiddies- it frequently tries to detect what it is running on, and ONLY sends the payload if it passes a whole bunch of checks. It wants to put off landing on the desk of a security researcher as long as possible. So someone being lucky enough to find the malware, but being unable to repro, is not exactly uncommon these days.

    Maybe we should stop downloading and running code when we want to read a news article?

  8. Re:Some things exaggerated on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    > This is an advertisement network issue.

    So they hired a hitman. Who cares who they contracted out their illegal deeds to?

  9. Re:The solution is cookie editing on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    Most adblock detection works by trying to download hostile content, and then checking to see if it downloaded. Then it stops the rest of the page from loading if you are running a properly secured system. In Forbes' case, the workaround is to save cookies that make Forbes think you are running a standard issue garbage install, and then it works normally.

    Hosts and the current generation of adblockers are BOTH vulnerable to this attack, because they check to see if the hostile payload is present. The cookies workaround SHOULD work with a hosts solution too... but long term, you will need an adblocker that pretends to (or actually DOES) grab the hostile payload, but never executes or renders it in any way. Essentially, the sandbox that the scripts are running in needs to become much tighter, such that there's a decoupling of what is DISPLAYED (what YOU need to see, which never ever includes an ad) and what the script THINKS is displayed (which is whatever payload it's trying to drop). The risk here is that *scripting always sucks*, so they will probably be able to still get a lot of drive by crap even through that.

  10. Re:What isn't broken? on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 4, Informative

    > Then what means of deploying an application across platforms isn't fundamentally broken?

    The part where you deploy an application. That part is broken.

    Did you follow the link to your spreadsheet? Or was it to a news article? There's an application you have for "display a news article". It's a browser running HTML with no scripting enabled. That displays text just fine- it's the only fucking purpose.

    The reason scripts are FUNDAMENTALLY broken is that they are code. The fact that they are code that is treated by browsers as if they are just part of the browsing experience is ludicrous. If you want to use like Google Docs, that's a pretty good time to need code, so if you click through some script-enable dialogs, or honestly even a UAC in Windows for that, that could be reasonable. If the majority of browsers in the world just download and execute code, you are asking for exactly the security shitstorm we constantly and ceaselessly see. Running javascript is AS RISKY as running raw opcodes, because at any given day since Javascript's release, there's been multiple exploits to turn the javascript straight into those opcodes. The fact that the world is full of fools who think you need a webapp to display a news story is hideous.

  11. Re:The solution is cookie editing on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    By the way, if anyone wants to throw in a link to a working cookie editor in Firefox that would be pretty sweet. "Edit Cookies" looks abandoned and useless, and "Cookie Manager+" (I merged the names in my OP) seems hard to use- it's supposed to be like, hamburger -> wrench -> Manage Cookies, but it's not there for me.

  12. No, it's a shell game. They'll never get caught.

    See, Forbes says "Oh, we send all the advertisements to these third party networks, of which ONE was bad. We're following best practices, can't sue us!"
    Then you find the network that served the shit ads, and they have some excuse about a contractor. "We're following best practices, can't sue us!"
    The contractor has an excuse, if you can even find him, if he's even a person instead of some bot-generated identity. Can't sue what doesn't legally exist!

    This is why ads (and really scripts) are such a bad idea. Forbes is a huge company, and they can turn your machine into a Russian kiddy porn server, and face no legal repercussions. Without the force of the law to fall on them, they'll simply do whatever they can get away with- which is everything.

  13. Re:Which exploit? on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    The exploit is social engineering. First they shame you into turning off your adblocker ("You're STILL using an adblocker, please enjoy our ad-light experience!"), and then, once you are fooled, they shove the malware in.

    As to which exact drive by download exploit the malware used- who cares? They will never be fixed, scripts are fundamentally broken.

  14. Re:Hosts files do a better job for less on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 2

    For Forbes you'll need a cookie editor. I tested it with uBlock origin, but I suspect it will work fine with hosts solutions, including APK's. The two weaknesses of APK's host engines are: a hosts solution currently has reasonably easy workarounds if an advertiser wants to fight (and they do- advertisers are just like spammers, and they deleted usenet and almost ruined email), and I'm pretty sure the Host Engine is not multiplatform.

    I could be wrong about the second one, and the first one isn't *really* a weakness compared to today's reasonably simple adblockers. Other complaints, such as search depth being a problem, are somewhat valid, but are also subject to being fixed at the OS level.

    Anyway, if someone using the host engine wants to test the cookie fix (I found it on https://www.reddit.com/r/Adblo... and put the cookie values later in this thread), that would probably be useful for the other users of that.

  15. Re:Your content is not worth it. on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    Closing the site is fine, but it would be better to simply read their content. The technical workarounds should get easier as sites fight this losing battle- they'll invest more and more into garbage that can be fixed easily on clientside.

    But just leaving the shitsites alone is also fine.

  16. Re:Try uBlock on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 5, Insightful

    > People who scream that they should be able to use ad blockers because they don't want to see ads sound like self-entitled jerks.

    I don't give a fuck what name you call me, I'm not watching your fucking ads. Go to hell.

  17. The solution is cookie editing on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 1

    Reddit has a solution that is reasonably easy to google:
    https://www.reddit.com/r/Adblo...

    These instructions are for Chrome. The only thing you need (besides an adblocker!) is a cookie editor that can import JSON. For Chrome, EditThisCookie works.

    Here's the cookies:

    [ { "domain": ".forbes.com", "hostOnly": false, "httpOnly": false, "name": "dailyWelcomeCookie", "path": "/", "secure": false, "session": false, "storeId": "0", "value": "true", "id": 3 }, { "domain": ".forbes.com", "hostOnly": false, "httpOnly": false, "name": "welcomeAd", "path": "/", "secure": false, "session": true, "storeId": "0", "value": "true", "id": 9 } ]

    I tested this with Chrome and uBlock Origin. I'm willing to bet it works with adblock (based on the URL) and likely hosts based solutions as well.
    For Firefox, you just need to be able to edit the cookies with either the above string or a similar one. I couldn't (in about 2 minutes) find the interface for Edit Cookies+, but if you can find it, it should work.

    When Forbes dicks around with their shit again in a month, to reduce functionality further, rest assured that there will be this as a solution, or a tamper/grease/violent monkey script, or whatever. They'll never win. But they will gladly load up the machines of any less technical users with malware, just as often as they can, given that the law seems to allow it. Somehow.

  18. Stop linking to Forbes on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 5, Interesting

    I went ahead and went to the Forbes site (which it says I'm "still" using an adblocker, in the same sense that I'm "still" a carbon based life form), and then I went and grabbed one of the scripts that they serve on the main page in lieu of fucking content.

    Here's a link: I originally put a TINY amount of it here, but it was SO shitty that even after cutting it down it would just ruin you.
    view-source:http://i.forbesimg.com/welcomead/scripts/12662fd2.vendor.js

    Just go read that script. It might make you cry.

    blah blah blah just megabytes of this shitscript to push through an article that maxes out at a kilobyte. It's fucking ludicrous.

    And that's without all the ads (which are meant to own your head, and of course maliciously own your computer, and DO YOU THINK THEY ARE LIABLE FOR SERVING ADS THAT TURN YOUR MACHINE INTO A RUSSIAN SERVER?)

    Stop. Linking. Forbes.

    It's a pile of shit website. If you must, EACH link should go through archive/is or some other service to neuter the malware and bullshit. Stop enabling these fucks. If you need to serve megabytes of malware and bullshit just to put text on the screen, drink bleach kthx

  19. Hahahahahaha on Forbes Asks Readers To Disable Adblock, Serves Up Malvertising (engadget.com) · · Score: 3, Interesting

    Now stop linking to Forbes, slashdot. Archive.is if you need to. That website has been a steaming pile of shit since they started demanding what you think and see, of course they think nothing of demanding what your computer processes and does. They are tyrants, STOP LINKING FORBES

  20. Re:Mental retardation on Hellfire Missile Mistakenly Shipped To Cuba · · Score: 1

    > How the USPS manages to route a piece of mail addressed to Japan to Iran, is just as mysterious.

    They probably stuffed it into the sack for "stuff destined for countries ending in -an", and then it got jostled later....

  21. Re:In other words... on Hellfire Missile Mistakenly Shipped To Cuba · · Score: 2

    That's way too fucking paranoid.

    Let's pretend that Obama somehow, for some reason, wanted to get a missile to Cuba. Would this be a smart way to do it? One where it's on record and looks ridiculous? Especially the conspiracy-theory version of Obama you are implying exists- that guy would have all manner of crazy ways to do things.

    It's just like... man, can't you be real? You know it's not on purpose, and you know it's not some crazy plot. Can't you stick to calling out politicians for the shit they actually do, instead of making up batshit insane nonsense?

  22. Re:Qt is a mistake on KDE Plasma 5.5 Has Matured Past the Point of Plasma 4 (phoronix.com) · · Score: 1

    > What I would give for a light modest (but capable) C++ widget set built only on OpenGLES. Linux UI development is so horribly confused.

    The sad part is, if a magic fairy stumbled upon your request and PWOOFed exactly that into existence, it would only add to the confusion.

    Would it support Vulkan?

    Also are you sure it isn't somewhere in this massive list of things?
    https://en.wikipedia.org/wiki/...

    The huge amount of things available is in many ways a strength, but in many ways obnoxious.

  23. All ads are bad. These ads are worse. But all ads are bad.

  24. Re:Console games on Pirates Finding It Harder To Crack New PC Games (engadget.com) · · Score: 1

    Well, YOU are missing a few things.

    First, some games require online drama. When older, these games are in some cases entirely unplayable, and in other cases are missing whole game modes. Obviously you're smart enough to dodge those games, but the point is, you HAVE to dodge those games. If you want online multiplayer (which an 11 year old and a 49 year old probably don't), you're going to need to go much more modern, because it's based in large part on the actions of other people. I'll bet you that in 6 years, your son will either not care about games or care enough to want to play a modern thing.

    Second, even absent that entirely, if your son makes friends with people who game, or simply wants to talk about current games with those people (IRL I'm assuming) he won't really be able to. He may or may not care, but even if he doesn't, recognize that many would. When I was a kid, no one would talk about the Atari 2600- it was too old, even though it had a huge library of games, many of which were fun.

    Third, new games really do offer new experiences. Maybe not as many as they used to, but to someone who plays a lot of games, they'll want the latest and greatest even absent social reasons or multiplayer reasons.

    Fourth and finally- note that many games companies are looking for ways to "obsolete" their older games. Microsoft almost shipped the Xbone in a way that they could remotely cancel all the games at a later time (the system would need to check in, etc- picture if Atari had had that requirement!). They failed, but the presence of used games, and the fact that game companies are trying constantly to target them (for instance, many games ship with "downloadable content included", which, when resold, is not accessible to the next guy in line). This isn't going to be a problem for you or your son, but it's likely going to be an issue for someone in 10 years.

    The big thing you are correct about, however, is this: The number of games is large and increasing, and the older games are still very fun. They will probably always be fun. Pacman and Mario I are still fun. Someone in a hundred years won't be having the conversation in the same way we are now, and somewhere between now and then gaming will have to shift. I can't really predict how, simply that it must in some way.

  25. Re:If they use that nuke Pyongyang will be gone in on South Korea To Restart Propaganda Loudspeakers Along Border · · Score: 1

    > Nobody is going to bomb the hell out of a city full of civilians.

    No, none of the sane nations are going to start a war with such an action. China would never do something like that. America, Russia, etc. No way. But if the Kims nuked Seoul? The response might well be nuclear, and if it wasn't, it would be a three sided superpower pincer.