You can be sure the probes brought some microorganisms to Mars...
And given microorganisms are quite more resilient, than, say, mammals, who knows. Those probes might begin the life on Mars, if there wasn't any.
If you follow how nature works, there's only one thing to know: life will push and proliferate in incredible ways, if given the chance. The probes could've been enough of a chance.
Notice that in the article if you have IE7 it'll stop the attack since the user will be notified the page executes an unknown ActiveX and ask for permission (in the yellow creeping bar) before doing anything.
Of course IE7 is only at 20% vs IE6 at more than 60%, but still, shows the browser going in the right direction.
This is on /. not because of that info... this is on /. because NYT is writing "MS products sucks ! don't use them.".
I realize that, but that's pretty sad right? Looks like we Slashdot submitters/editors/readers are just a bunch of low-life geeks who go to a news site just to get their daily dose of "haha Microsoft sucks!" finger pointing.
Last time I realized that I stopped reading Slashdot for 7 months. It's about to happen again.
There's such a thing as "too much of Slashdot" even for a hardcore geek I guess.
The article contains advice such as "use firewall", "use antivirus", "update your OS", "don't buy stuff from spam mails"...
Why is this on Slashdot? Is this the sort of information we need to be fed? What's next, an article describing in detail how to turn on our computers?
Larger, centralized electricity production is more efficient than having tons of little internal combustion engines running around. On top of that, it's much easier to control pollution at a power plant than it is on all those cars on the road.
You're wrong though. Yes, centrally *producing* the electricity may be easier to control, but then you'll have a massive problem on your hands trying to transport this electricity to the client, and you'll also have charge decay over time.
Even the best ever batteries have decaying charge over time, you have to agree that once you hermetically pack a liter of hydrogen it stays a liter of hydrogen even after 10 years. I wanna see a battery holding 100% of its charge for that long.
It's all about what the generators do. If they are designed to be ecological and use special filters and collect waste in special bags (for example) that can be passed for processing, then you'll have a lot more efficient infrastructure for transport.
FTFA:
IE 7 has kicked in at last on all MS Windows OS ... IE7 was supposed to comply more with the standards what in fact isn't true ... IE7 is a night mare ... standards for crossbrowsing ... many things does not function as expected and "not function as expected" isn't the right word for it ... I found that submiting through JavaScript has some pretty uncool things which I don't actually blame IE but some functions did not work when not passing all the parameters and so on ... And the MOST killer thing was the DISability of IE ... the whole sites data... I don't actually blame the programmers that they did it so but IE for not keeping with standards again ... and this with crush some of the small companies business
Jar Jar Binks, you're in big doo-doo this time. How many times have we told you: web development is not for Gungans!
Notice he had the task of making an IE-only site work in Firefox. You can imagine the kind of code he was working with, no wonder it was breaking in IE7.
And this is just brilliance:
And a final TIP from me! Try avoiding writing JavaScript without testing it 100% on all of the major used web browsers like FireFox, IE7, Opera and Safari!
As a professional web developer this is completely new to me. I mean, actually test in the browsers we deploy?! It's all Microsoft's fault, I tell you!
well, as I understand, the brilliance is that the malicious script, loaded into the page context by a conventional means of XSS or whatever, now could be able to reach beyond the sandbox it's supposed to be confined in. it does this by screwing up the prototypes. but, please don't kill me if I'm wrong
Well, nope. That's not the thing since when you can access a page's code you already are outside the sandbox. Prototypes change nothing.
Google, while great for English speakers, is quite a ways behind for other languages (not necessarily French, but when I use Google in Japanese or in Eastern European languages, for example, it's pretty crap).
Google has very good internationalization features and I'm also looking up information in Eastern European language (Bulgarian) with it.
You have to understand though: the results can only be as good and as much, as is the available content on the lookup topic. You realize the enormous amount of sites on the Internet are written in English, and a small fraction in all other languages.
You can see the same in Wikipedia where the non-English editions have worse and less content, and lots of common items missing from them. You want to suggest this is fixable not by more people improving on a category, but creating special EU Wikipedia... Well, sorry to burst your bubble about it.
Before you embarrass yourself any further, please do read the paper and try for yourself if a script can sniff the communication of a script from a different domain (which runs on the same page)
Stop for a second and think about what you just said: which runs on the same page.
You need to get it running on the same page. Now read the same paper you're pushing in my face and tell me what breakthrough way of attacking a foreign page do you see there related to JS prototypes WITHOUT having compromised the page in any other "classical" and well known way (split requests, XSS etc.).
Also, while you're whining about how foreign domain scripts can access your page, again, stop, and think a bit. How does this foreign domain script get included on the page? Most likely by a snippet like this one:
[script src="www.domain.com"][/script]
This according to you is Very Evil and should not be allowed. But the attacker already can write this snippet up there, so instead of including a foreign script, he could just insert it right there in the snippet:
[script]
EVIL CODE
EVIL CODE
[/script]
And then what good is that it can't run scripts from other domains?
I suggest you read through this several times before/if you reply.
This is about a script subverting scripts which are loaded from other hosts and are running in the same page sandbox.
Yup, but for this to happen you need to somehow make the page load your script. The methods described in the paper don't do this by some JS weakness. Instead request splitting, XSS and some other common and well known techniques were described.
Every time a page itself loads a script, it owns the whole page, not just the prototypes but absolutely everything in this page. So I miss the brilliance of this specific way of sniffing information out of a page via proto hacks.
There is one problem with this: Cross site checks don't apply.
You didn't test that and just assumed it's true I guess. But if they applied, and each page context runs in its own sandbox with its own version of String, Number, and so on, you'd sound pretty stupid right?
Try it yourself, the prototypes are NOT shared. They are not shared even among two page tabs on the same domain.
In fact not shared even among two instances of the SAME PAGE.
Embarrassing, I guess, for all modded 5+ claiming this on this article.
As far as whether prototype overloading is a fundamental flaw of javascript, from the security perspective the current implementation most certainly is. There is no mechanism to identify whether a fundamental library feature has been replaced, or whose implementation you're using.
Repeat after me: client-side, interpreted language.
You're loading SOURCE CODE on a machine you DO NOT CONTROL.
In other words, the fact you can "hijack" prototype methods is not a major discovery, since you can actually modify the actual *source code* itself, the classes instantiated can be replaced with other classes, variables can be read and written, instances can be destroyed and replaced.
This is what "scripting" is about. If you don't like it and you're juggling with sensitive info on the client side, there's only one option: not allow XSS by carefully validating scenarios where this may occur (such as displaying poorly sanitized customer data on public pages).
I guess some people still have some difficulty comprehending that anything in JS is subject to change on the client side.
...The issue has surfaced after the avatar Anshe Chung (real name Ailin Graef) was attacked by animated flying penises...
In hundred years from now as virtual reality will be everywhere and has become a core part of our lives.
I'm sure old folks will bring back aging memories from real life ... "when I was young, at least you couldn't be attacked by a flock of animated flying penises"...
The paper is quite insightful, and the author is almost blase about the whole thing. It's quite clear that he simply believes he's unearthed a new form of attack, and he's in fact quite correct.
Would you let me know what's new in XSS? All the paper describes are pedestrian ways to sniff info out of a site via existing XSS exploit.
The sniffing examples he shows are not an attack in any way. The XSS allowing him to run those examples are that attack. And XSS is by no means new, or "fundamental flaw" of JS.
When XSS can occur, it's an implementation flaw of the browser and/or site, and by no means "fundamental" as it's usually fixed in the next point release or site update.
Fundamental would mean it can't be fixed, and if your BS detectors aren't screaming by his paper, you're more gullible than you suspect.
You can detect it even from the summary: "a Web Worm that lives in the very fabric of Web 2.0 and could kill the Web as we know it."
Even if JS suddenly stopped working outright today, web wouldn't change a whole lot, from what we know it.
Apparently the guy just comes from compiled languages like C++ where you can't modify a class once it's defined, and he decided to spread some FUD to express his disgust with dynamic languages.
I guess he was disappointed he can't safely store his server root passwords in his JS files.
so I'd think that you'd be philosophically against the government stepping in to prevent what companies do with their own infrastructure.
It's not their own infrastructure. The internet "pipes" are laid on public property and have natural monopoly of service.
The free market requires multiple competing solutions. With gigantic telecoms, and no competing choices, apparently the government steps in.
God I wish I had mod points for that one! Bumblebee is NOT a Camaro!
VW refused a license. I suppose they should've gone for VW anyway and then spent a few years in jail. That's the most logical option.
Some of the bizarre setups I've witnessed on previous and current work locations:
* Intranet Application server also running a TV tuner for the workers to enjoy their favorite TV shows without a hassle.
* The server room is actually the living apartment of the boss. He has a cat. The cat is occasionally found napping on top of the servers, despite attempts to keep it outside that specific room inside the apartment.
* A guy running a bunch of servers decided that using electric socket splitters is too messy, so he instead cut a bunch of PC power cable and soldered them directly to the bare wires in the wall.
* Mission critical databases backed up daily to a collection of attached USB (mp3 player) flash sticks.
Those coolers will be used in the upcoming Neuronet Ethernet cards to be released later this year. Stay tuned.
I heard they wander around the Solar system wrecking anything they see.
I hope this helped.
I'm not sure it helped, but at least you're nominated for Cynical Poster of the Month award. I hope you attend the show to take the prize, but as always, the competition for that spot on Slashdot is really tough.
They can't be all that sophisticated if they restrict the videos on their website to the .wmv format as they have.
Yeah, yeah, I know ... blah blah blah blah blah .... Not to mention (albeit I disagree) ... blah blah blah blah blah...
You'd think Bezos would be more considerate to the non-Windows folks.
Let me translate your post for the rest of us simpler folks:
"I chose Linux so I can rant left and right about people not supporting my distro"
Either use Linux and shut up (I mean, you KNEW people will prefer to target the overwhelmingly dominant desktop OS versus your flavor of Linux right?), or switch to Windows, OR find a way to play WMV. Ranting doesn't help.
It's powered by H2O2.
I trust them to know their job more than a random Slashdot poster (me) does, but it looks like they are running out of fuel pretty fast in that way. The tests work well, I wonder though if they can get it actually in orbit.
If it was me, I'd try a different idea. Like.. make the longest rope in the world, then send astronauts to mount it on the moon, and make them pull the capsules from Earth into orbit.
I'm sure it'll work fine.
Come on you guys, no Neuronet? The soon-to-be replacement of teh Internets, the powerful and mysterious thick pipes that will allow full immersive virtual reality in exchange for your domain registrations and membership fees?
I feel disenfranchised.
I'm not saying what he did was morally right, but it's darn close to acceptable in my book. I'm frankly uncertain of what I'd do in that situation. I keep an off site mp3 version of all of my legitimately purchased music, so I'm less exposed in the case of a natural disaster.
You know, I see people cursing music DRM, swearing left and right about RIAA tactics, now I'm reading also about having offsite backups of your music. I mean WTF you guys?!
It's MUSIC. Have you ever considered you can actually just understand for the huge hassle all of this has become, and just not buy music at all?
DRM is bad, CD-s have to be ripped and can be damaged, legal unencumbered downloads nowhere in sight. Well, and? I mean, is music so crucial to your quality of life that your life is worth wasting in arguments for or against music downloads, when they are moral, when they are not and when we have obscure edge cases that are neither.
It's so all redundant, pointless and ridiculous. Listen to radio, or whistle or hum or whatever or loop some white noise if you need something playing in the background. There's far more worthy things to discuss and spend time on.