You won't get anywhere with just smoke detectors (although it wouldn't surprise me if that is indeed being monitored, too).
What you need is beryllium and a high-energy alpha emitter. That guy used radium which he found by pure luck. Both of those will most likely set off some serious warnings if you try to obtain them these days.
Actually, if there was anything he "mostly" made it from, it was beryllium and radium. I'm not sure about the beryllium, but radium is certainly not easy to get, unless you get lucky like he did.
I'm getting very tired of hearing about groups not just going after responsible parties, but anybody connected, even in secondary ways, to the activities.
The company distributing the advertisements are only connected to them in "secondary ways" now?
This is old news. Please give more credit to your fellow slashdotter; they're not as stupid as you seem to believe.
My apologies, but when you say "scripts" when you mean "applications", it's easy to make quick assumptions. That said, I still don't quite see what you're getting at here:
"Do I know what protocol that is? No? Then don't let it run applications." That isn't at all the same thing as removing protocol handlers entirely. Protocol handlers can explicitly name applications and then IE knows what they are; this requires user interaction, which you know if you've ever installed Yahoo Messenger.
By "I", do you mean the user? And do you mean that the browser should ask you if you want to launch an external application?
That helps against automatic attacks, but it does not seem to protect against attacks of the variety "Click this button to open our cool app in Firefox!" / click / "Do you want to open Firefox?"
The problem is that you can inject commands to launch arbitary apps in the Firefox command line, not that you can launch Firefox.
Oh, how great for you. We're all very happy to know that.
If you use a torrent you necessarily have to expose your IP, and thus your ISP, and thus the police can demand the name of the owner of that IP at that time me from the ISP. Using a proxy or a public WiFi point, say, might make that harder to determine, but at least you'd expect the cops to try. Anyone stupid enough to put illegal images on a public torent site is not likely to be terribly competent in covering their tracks.
Of course, you still can't tell who uploaded it. And just downloading child porn is not illegal in Sweden. And most of those IPs will still not be in Sweden.
So you just made that up.
Actually, I mis-remembered, I confused that arrest and the mentioned FBI investigation of another photographer mentioned later.
Warning: Depending on where you are, it might be illegal for you to visit that page.
And I'm pretty sure the police also think that; otherwise they'd be all over the uploaders
And how, pray tell, would they be "all over" people who are outside the country, and whose only personal data they have is their nickname on Pirate Bay?
Sleazy, but obviously legal, as they were hosted in the USA and the FBI would send a tank through their door if they weren't.
I guess you didn't read it, then, as it explained that the FBI did, in fact, arrest a whole bunch of them.
You use George Bush logic: Bin Laden sent Saudi terrorists to attack the USA. Therefore the USA must attack Saddam, because we can't catch bin Laden and I hate him anyway. There is no connection between the acts you decry and the people you are actually attacking.
Please don't insult my intelligence with that kind of strawman.
Your original statement was that their only defense is that they don't censor their users. You have not provided any support for this, and as far as I can tell you just refuted it.
I don't think you're understanding the problem. It has nothing to do with "running scripts". And your solution is basically to remove external URL handlers completely. Now, it might be argued that that would be safest, but it certainly does not make for a very useful system.
The actual problem is that the Firefox main executable has command-line options which have an unintended side effect of being able to run external programs. And Firefox installs an unsafe command-line-based URL handler which allows web pages to pass arbitary options to the Firefox executable.
If it doesn't turn someone on, it's not porn. Though the converse doesn't apply.
Did you actually read the article? It turns lots of people on. Which still isn't the point of the argument.
And "it's a fact" is it? Or just what you imagine.
Did you actually read the article?
And how does campaigning against a Swedish torrent site help them in the slightest?
It would certainly help that site if it cleaned up its act in relation to child porn, because as it is that is a huge weapon for its opponents to use against it. I like The Pirate Bay, and I don't want to see them get dragged down for this. And the only way that will happen is if they take responsibility, which they won't do if they just keep making excuses for child porn.
If the girls are exploited, WHY DOESN'T ANYONE DO SOMETHING ABOUT THAT?
People are. Did you actually read the article?
If you delete the photos, the acts are undone?
Do you think those girls enjoy having those pictures circulated across the net, once they've realized what they are for?
That's about as relevant as saying that it's not Firefox that's parsing them, it's the CPU.
Fact is, they made a choice to go with the MS parser, which is not appropriate for this task. It's a subtle bug, but it's a bug nonetheless, and it's up to them to fix it. Furthermore, even if they do use the MS parser, they could still avoid this bug - the actual problem is that they are expecting the quotes they put into the registry string to protect them from spaces. This is not the case. They should be expecting the argument to come in across several different argv[] entries.
It would certainly be less of a hassle if the string was escaped in some standardized way, but those are not the rules of the game. It isn't, and you compensate for that in other ways, or you do not use the command line at all, which is definitely the safest option.
It's the bloatware developers who think it's a feature, and you who thinks it's a bug. I'll bow out.
I do not. I think it's a bug to use the main Firefox executable as the target for the URL handler, given that its command-line parsing is not safe to be used as such.
Whether or not it does is largely irrelevant, as IE and Safari both simply call into the OS APIs for URL handlers, which behave in a certain fashion by design. The developers of Firefox failed to take that behaviour into account.
The fact that that behaviour is somewhat unhelpful is no excuse for not accommodating for it.
Perhaps you are forgetting that we are not worrying about how turned-on anybody gets here? It's still about the fact that young girls are being deceived into posing for pedophiles.
Read that again. He's showing that command line processing of the pipe character does not take place, because it shows up verbatim in the arguments of the process launched. If the shell was processing the pipes, the command line would stop just before the pipe, and there would be a second process with the rest in it.
He then proceeds to find a real exploit by using unintended consequences of normal Firefox options, specifically, the -chrome option. So, once again, the bug is that the -chrome option of firefox allows you to execute commands, combined with the fact that you can inject a -chrome option into the command line parser.
Firefox does not chose how to parse the command line, that happens before main() is ever called. Firefox _does_ get argc and argv. So yet again, it's not Firefox's fault.
Yes, it does. It choses to accept what gcc's startup code feeds it. That's a choice. It could, and would have to, implement its own argument parsing to work properly as an URL handler.
More sanely, it should use an external executable as the URL handler, or even better, use DDE and not the command line.
PS:
If that's the case, then windows is broken beyond repair.
Not really any more broken than Unix. Unix enforces some minimal command line parsing, but not enough for programs to be in any way consistent, while it does too much processing to implement certain other kinds of argument parsing, such as AmigaOS-style ReadArgs().
There is no requirement to use the main executable as the URL handler. Proper design would use an auxillary executable as the URL handler, or would use DDE instead, or would have a special-case command-line parser when called with some kind of "-urlHandler" option that would disable quoting and spaces after that point.
The fact that Firefox *must* interpret the string as being composed of several different parameters by following those old DOS conventions is because IE _created a sting which must be interpreted that way_.
It did no such thing, and there is no requirement to follow any old DOS conventions. It created a string as dictated by the registry entry and the API design. Firefox did not understand how the API works, and misinterpreted the resulting string.
If IE wants to pass spaces, quotes, piping, redirection, etc. in the command line
Piping and redirection are handled by the shell, and totally irrelevant to this argument. If Firefox is unable to handle spaces and quotes in the URL, it should be using DDE, which does not have these problems. They chose to use the command line, but they disregarded the fact that the options are by OS design NOT escaped in any way.
Perhaps the amount of activity has some small relevance, hmm?
Yes, we get the point. You are just not funny.
You won't get anywhere with just smoke detectors (although it wouldn't surprise me if that is indeed being monitored, too).
What you need is beryllium and a high-energy alpha emitter. That guy used radium which he found by pure luck. Both of those will most likely set off some serious warnings if you try to obtain them these days.
Actually, if there was anything he "mostly" made it from, it was beryllium and radium. I'm not sure about the beryllium, but radium is certainly not easy to get, unless you get lucky like he did.
I'm getting very tired of hearing about groups not just going after responsible parties, but anybody connected, even in secondary ways, to the activities.
The company distributing the advertisements are only connected to them in "secondary ways" now?
They would pull out of the market that is making them all their money? Yeah, I can see that happening.
This is old news. Please give more credit to your fellow slashdotter; they're not as stupid as you seem to believe.
My apologies, but when you say "scripts" when you mean "applications", it's easy to make quick assumptions. That said, I still don't quite see what you're getting at here:
"Do I know what protocol that is? No? Then don't let it run applications." That isn't at all the same thing as removing protocol handlers entirely. Protocol handlers can explicitly name applications and then IE knows what they are; this requires user interaction, which you know if you've ever installed Yahoo Messenger.
By "I", do you mean the user? And do you mean that the browser should ask you if you want to launch an external application?
That helps against automatic attacks, but it does not seem to protect against attacks of the variety "Click this button to open our cool app in Firefox!" / click / "Do you want to open Firefox?"
The problem is that you can inject commands to launch arbitary apps in the Firefox command line, not that you can launch Firefox.
But I'm afraid they don't outrage me.
Oh, how great for you. We're all very happy to know that.
If you use a torrent you necessarily have to expose your IP, and thus your ISP, and thus the police can demand the name of the owner of that IP at that time me from the ISP. Using a proxy or a public WiFi point, say, might make that harder to determine, but at least you'd expect the cops to try. Anyone stupid enough to put illegal images on a public torent site is not likely to be terribly competent in covering their tracks.
Of course, you still can't tell who uploaded it. And just downloading child porn is not illegal in Sweden. And most of those IPs will still not be in Sweden.
So you just made that up.
Actually, I mis-remembered, I confused that arrest and the mentioned FBI investigation of another photographer mentioned later.
Look, you keep stating that there is, or was, "child porn" on TPB. That is not a fact.
+ av+barnporren+pa+Pirate+Bay/
Here are some examples: http://www.xingfu.se/blogge/posts/07/07/08/Analys
Warning: Depending on where you are, it might be illegal for you to visit that page.
And I'm pretty sure the police also think that; otherwise they'd be all over the uploaders
And how, pray tell, would they be "all over" people who are outside the country, and whose only personal data they have is their nickname on Pirate Bay?
Sleazy, but obviously legal, as they were hosted in the USA and the FBI would send a tank through their door if they weren't.
I guess you didn't read it, then, as it explained that the FBI did, in fact, arrest a whole bunch of them.
You use George Bush logic: Bin Laden sent Saudi terrorists to attack the USA. Therefore the USA must attack Saddam, because we can't catch bin Laden and I hate him anyway. There is no connection between the acts you decry and the people you are actually attacking.
Please don't insult my intelligence with that kind of strawman.
Your original statement was that their only defense is that they don't censor their users. You have not provided any support for this, and as far as I can tell you just refuted it.
Here:
firefox-urlhandler.exe %s
I don't think you're understanding the problem. It has nothing to do with "running scripts". And your solution is basically to remove external URL handlers completely. Now, it might be argued that that would be safest, but it certainly does not make for a very useful system.
The actual problem is that the Firefox main executable has command-line options which have an unintended side effect of being able to run external programs. And Firefox installs an unsafe command-line-based URL handler which allows web pages to pass arbitary options to the Firefox executable.
And who "builds" the command line? The OS which just runs sprintf(template,url), or the application which supplies the template?
I'd say it's the responsibility of the application to supply a safe template to the OS.
If it doesn't turn someone on, it's not porn. Though the converse doesn't apply.
Did you actually read the article? It turns lots of people on. Which still isn't the point of the argument.
And "it's a fact" is it? Or just what you imagine.
Did you actually read the article?
And how does campaigning against a Swedish torrent site help them in the slightest?
It would certainly help that site if it cleaned up its act in relation to child porn, because as it is that is a huge weapon for its opponents to use against it. I like The Pirate Bay, and I don't want to see them get dragged down for this. And the only way that will happen is if they take responsibility, which they won't do if they just keep making excuses for child porn.
If the girls are exploited, WHY DOESN'T ANYONE DO SOMETHING ABOUT THAT?
People are. Did you actually read the article?
If you delete the photos, the acts are undone?
Do you think those girls enjoy having those pictures circulated across the net, once they've realized what they are for?
"No,"
Yes.
You did not actually support your earlier statement. My refutation still stands as stated.
That's about as relevant as saying that it's not Firefox that's parsing them, it's the CPU.
Fact is, they made a choice to go with the MS parser, which is not appropriate for this task. It's a subtle bug, but it's a bug nonetheless, and it's up to them to fix it. Furthermore, even if they do use the MS parser, they could still avoid this bug - the actual problem is that they are expecting the quotes they put into the registry string to protect them from spaces. This is not the case. They should be expecting the argument to come in across several different argv[] entries.
It would certainly be less of a hassle if the string was escaped in some standardized way, but those are not the rules of the game. It isn't, and you compensate for that in other ways, or you do not use the command line at all, which is definitely the safest option.
To add to the list of problems: Comparisons work differently for signed and unsigned types.
It's the bloatware developers who think it's a feature, and you who thinks it's a bug. I'll bow out.
I do not. I think it's a bug to use the main Firefox executable as the target for the URL handler, given that its command-line parsing is not safe to be used as such.
Whether or not it does is largely irrelevant, as IE and Safari both simply call into the OS APIs for URL handlers, which behave in a certain fashion by design. The developers of Firefox failed to take that behaviour into account.
The fact that that behaviour is somewhat unhelpful is no excuse for not accommodating for it.
Perhaps you are forgetting that we are not worrying about how turned-on anybody gets here? It's still about the fact that young girls are being deceived into posing for pedophiles.
Read that again. He's showing that command line processing of the pipe character does not take place, because it shows up verbatim in the arguments of the process launched. If the shell was processing the pipes, the command line would stop just before the pipe, and there would be a second process with the rest in it.
He then proceeds to find a real exploit by using unintended consequences of normal Firefox options, specifically, the -chrome option. So, once again, the bug is that the -chrome option of firefox allows you to execute commands, combined with the fact that you can inject a -chrome option into the command line parser.
Firefox does not chose how to parse the command line, that happens before main() is ever called. Firefox _does_ get argc and argv. So yet again, it's not Firefox's fault.
Yes, it does. It choses to accept what gcc's startup code feeds it. That's a choice. It could, and would have to, implement its own argument parsing to work properly as an URL handler.
More sanely, it should use an external executable as the URL handler, or even better, use DDE and not the command line.
PS:
If that's the case, then windows is broken beyond repair.
Not really any more broken than Unix. Unix enforces some minimal command line parsing, but not enough for programs to be in any way consistent, while it does too much processing to implement certain other kinds of argument parsing, such as AmigaOS-style ReadArgs().
Read a little closer:
Microsoft C startup code uses the following rules when interpreting arguments given on the operating system command line:
This is what their particular startup code does. It's just one particular implementation, not any kind of standard.
There is no requirement to use the main executable as the URL handler. Proper design would use an auxillary executable as the URL handler, or would use DDE instead, or would have a special-case command-line parser when called with some kind of "-urlHandler" option that would disable quoting and spaces after that point.
The fact that Firefox *must* interpret the string as being composed of several different parameters by following those old DOS conventions is because IE _created a sting which must be interpreted that way_.
It did no such thing, and there is no requirement to follow any old DOS conventions. It created a string as dictated by the registry entry and the API design. Firefox did not understand how the API works, and misinterpreted the resulting string.
If IE wants to pass spaces, quotes, piping, redirection, etc. in the command line
Piping and redirection are handled by the shell, and totally irrelevant to this argument. If Firefox is unable to handle spaces and quotes in the URL, it should be using DDE, which does not have these problems. They chose to use the command line, but they disregarded the fact that the options are by OS design NOT escaped in any way.