I used to type just "ma" to get mail.myemployersdomain.com, but it was bringing up Slashdot ("Slashdot: News for nerds, stuff that matters"). Eventually, after typing "mail" for long enough, mail.myemployersdomain.com is now the first thing that comes up when I just type "ma".
When you open up a comment in a new tab/window by clicking the subject, a script runs (presumably AJAX) when you go to close the tab. You can see the "loading" section below the "More|Prefs|Reply" section in the left panel open up, and there's a slight delay. It only seems to happen the first time you open the comment.
Why? I don't like it. It slows me down, and I don't think any script should be allowed to run after I hit X to close the tab.
"doesn't exclude dev packages in pursuit of user friendliness"
was a jab at Ubuntu. I don't know if the latest release is the same, but I remember being flabbergasted because I couldn't get anything to install from source. I think I had to manually get something from Synaptic (libc-dev, maybe gcc, I don't remember). Whatever it was should've been there by default.
Even if it did, it wouldn't really change anything, since it's not just 1 server doing it, it's everyone's PCs. They couldn't be expected to all communicate and coordinate how often they hit servers. If they're going to coordinate, it would make more sense to just share the info about which sites were malware and which weren't, which would actually be better than what they're doing now.
Safari does it too :)
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.18
Notice the "like Gecko", probably to impersonate Firefox.
I'm looking at log files of thousands of them, and I don't see the words "User-Agent". I think that's a mistake in the article. I only see:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;1813)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
The Mozilla part at the beginning is the standard IE user agent. IE has been falsifying its UA as Mozilla since the beginning, originally because Netscape was the top dog, and Microsoft wanted to make sure that it worked with sites that sniffed the UA and only worked with Netscape.
A couple months ago, a random article on my company's site got around 20 times the number of hits that the top story of the day should be getting. I checked the logs, and saw legit-looking IE user agents, but they didn't look normal. None of them had any cookies, and none of them were downloading the CSS or image files that they should have been. The IP addresses were from all around the world. WTF?
I found out that Google was doing one of its things where it changes the Google logo for some special occasion, and it links to a search. That article was on the first page of the results.
I did a search for the exact user agent and discovered it was AVG. When you go to a Google search, AVG downloads each result looking for malware. Hooray for falsified user agents.
Though, I suspect the reason they use a legit-looking IE user agent is because malware sites could sniff the AVG user agent and serve up an innocent page for them, and malware for everyone else.
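The tell the commenter describes (browser-looking user agents that never send a cookie and never fetch the page's CSS or images) can be turned into a simple log heuristic. The script below is an added example, not code from the commenter or from AVG; it parses constructed Apache-style log lines that assume an extra trailing %{Cookie}i field, groups requests by client IP, and reports clients whose "Mozilla/" user agent is not backed by any cookie or subresource fetch.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic) in Apache combined format with an
# extra trailing quoted %{Cookie}i field. The first two clients fetch only the HTML
# document with no cookie; the third behaves like a real browser session.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jun/2008:13:05:01 +0000] "GET /article/123 HTTP/1.1" 200 5120 "http://www.google.com/search?q=foo" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
198.51.100.7 - - [15/Jun/2008:13:05:02 +0000] "GET /article/123 HTTP/1.1" 200 5120 "http://www.google.com/search?q=foo" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "-"
192.0.2.44 - - [15/Jun/2008:13:05:03 +0000] "GET /article/123 HTTP/1.1" 200 5120 "http://www.google.com/search?q=foo" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "sessid=abc123"
192.0.2.44 - - [15/Jun/2008:13:05:03 +0000] "GET /css/site.css HTTP/1.1" 200 812 "http://example.com/article/123" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "sessid=abc123"
192.0.2.44 - - [15/Jun/2008:13:05:04 +0000] "GET /img/logo.png HTTP/1.1" 200 3200 "http://example.com/article/123" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "sessid=abc123"
"""

# One regex for the assumed log layout: ip ident user [ts] "req" status bytes "ref" "ua" "cookie"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Extensions a real browser fetches after the HTML document; extend to taste.
SUBRESOURCE_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".jpeg", ".ico")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_subresource(path):
    """True for stylesheet/script/image paths (query string ignored)."""
    return path.split("?", 1)[0].lower().endswith(SUBRESOURCE_EXT)


def claims_browser(ua):
    """Crude check: every mainstream browser UA (and the scanner in the comment) starts with Mozilla/."""
    return ua.startswith("Mozilla/")


def find_headless_clients(log_text, min_requests=1):
    """Map IP -> sorted UA strings for clients that claim to be a browser but never
    sent a cookie and never fetched a subresource: the signature of a page fetcher
    rather than a person reading the site."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    suspicious = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_requests:
            continue
        if not all(claims_browser(r["ua"]) for r in recs):
            continue
        sent_cookie = any(r["cookie"] not in ("", "-") for r in recs)
        fetched_sub = any(is_subresource(r["path"]) for r in recs)
        if not sent_cookie and not fetched_sub:
            suspicious[ip] = sorted({r["ua"] for r in recs})
    return suspicious


if __name__ == "__main__":
    for ip, uas in find_headless_clients(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(uas))
```

On real logs you would raise min_requests and add a time window, since a single first-hit request from a real user can legitimately carry no cookie; the point of the heuristic is the combination of signals across a burst, not any one request.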
Browser-based rich-text editing is a huge mess. Of the browsers that claim to support it, there are very few functions that work universally, and everything else has to be hacked together. One of the 4 major browsers, up until the latest version, couldn't even create hyperlinks!
We need a standard desperately, and we needed it years ago.
Another BIG annoyance: 4chan has a browse button. Upon hitting browse, you can select a lolcat image, and hit OK. This populates a filename field right next to browse.
Hadn't noticed this before, but you're right. And it's not just 4chan, it's all file inputs. You also can't type at all in the text box part of it, you have to browse for it.
There was a Firefox vulnerability a while ago where you could use JavaScript to change the focused element of the form while you were typing into a textbox and quickly change back, so that 1 character at a time was added to the file input. Eventually, if you typed all of the right characters in the right order, you could fill up the file input with a valid file path, and when you hit submit it would be uploaded. I wonder if this new behavior is in response to that.
Stop right there. You're taking it as a given you've already gotten into her computer. If you have, absolutely nothing on her computer is secure.
SSL is not a magic wand that can protect everything. It has one specific duty, and it does it very well. The fact that it doesn't work on a system that has been compromised is completely irrelevant. The same is true with every security mechanism. That does not mean you shouldn't use it.
Phishing and spoofing are the low-hanging fruit, and CAs and certs don't help you with this at all.
Of course they help, that's the purpose of CAs and certs. Assuming your machine, the web site, and the CA are not compromised, and your browser didn't tell you the cert was invalid, all you have to do is look at the domain name -- which is what I meant by paying attention. If it says paypal.com, then it's really paypal.com. It's unnecessary to validate it any further.
the user has to verify the cert's signature via an out of band channel
I.e., the CA, using its public key, which the browser already has. To falsify a certificate without the browser telling you, either the CA, the web site, or your machine would have to be compromised. If it's your machine, you couldn't trust your traffic even if you did validate the signature personally. If the web site: it's likely the attacker could get hold of any information you're trying to hide anyway. If the CA: you, along with millions of other people, are just plain screwed.
In other words, CA-signed certs aren't perfect, so we shouldn't even bother with them? Is that your argument? Ridiculous.
No security mechanism is perfect; that doesn't mean we shouldn't try. Should we stop using passwords just because they could be brute forced?
A valid CA-signed cert gives you reasonable assurance that the party you're communicating with is who they say they are. A self-signed certificate gives you none whatsoever, and provides no protection whatsoever from anyone able to modify your traffic, which is a large subset of the only group you were trying to protect yourself from in the first place: those able to sniff your traffic.
But they do not get valid certs for paypal.com. They can only get them for their own domain. And if someone is duped by a phishing site without the right domain, they'll be duped regardless of whether or not it uses SSL.
Just like any other security mechanism, a cert won't help you if you're not paying attention.
If I click a link to download something, well obviously I want to download it. Clicking a second time to confirm is an annoyance.
True, but that's not the only way to get it to download. As the proof of concept code showed, all you have to do is put it inside a hidden iframe. If I go directly to a URL ending in .dll, this might be excusable, but definitely not with an iframe.
I believe that's only true if you distribute the application. The GP was talking about just using it on a website, not necessarily distributing it. If you don't distribute it, you don't need to share the source.
And how would you distribute closed-source PHP code anyway?
But the folder modification dates for 3.0 are all today. Maybe RC3 and 3.0 are the same?
Not noticing the date of the .exe, I assumed it really was 3.0. After installing, the first page it took me to was an RC3 "congratulations" page, or something.
And that makes me wonder, is it just the "download day" that starts at 1pm, or are they actually releasing it at 1pm? The wording in the summary is vague.
I'd say it is a security flaw in Safari, but for different reasons. As the same blog explains, you could have Safari download an executable to the desktop that pretends to be e.g. Internet Explorer. If they normally launch IE from the desktop, they could click the fake IE next time, running arbitrary code.
Eventually that should change.
In fact, we arent even www.doxpara.com, we just hacked your name server. That's how we know.
It just occurred to me that you were talking about disallow. I was thinking of crawl-delay :)
Google's 2007 Summer of Code had a few projects with Wine, and one of them was to start working on DirectX 10. I have no idea how it went, though.
It's there. 1 download. Zoom in if you're having trouble mousing over it.
I've reached http://www.mozilla.com/en-US/firefox/ several times since 1pm, and it's still showing the download for Firefox 2, not 3.
You didn't know? Opera is adware. Fortunately, we have IE 5.0 and Netscape Navigator as alternatives.
WTF is Firefox?