Slashdot Mirror


User: Switche

Switche's activity in the archive.

Stories: 0
Comments: 12

Comments · 12

  1. Re:Look for the "https:" on Drive-By Pharming In the Wild · · Score: 1

    Please prove me wrong on this one if you are able, but to all my knowledge, changing the address bar with JavaScript is impossible. JavaScript can read the URI, and can write a new URI via the "window.opener.parent.location" object, but cannot change the address bar without changing the URI (thus executing the new request). This would have to be accomplished via URL rewriting software or modules on the Web server, which the attacker has control over, but I'm not 100% sure (as in, I have not done so myself) if you can change the protocol using rewrites, though it's been suggested via documentation that you can. Even if you could, I don't see why any modern browser wouldn't still verify the existence/validity of an SSL Certificate, even with a rewritten URL. That's just faith-based, though :).

    I've worked with WebApp security for a few years now, and the worst I've seen JavaScript capable of in this time has been XSS, which is not exactly a vulnerability of JavaScript. I'd also love someone to provide some examples if JS is indeed so vulnerable.

    Regardless of the SSL Certificate issue you brought up, though an entirely valid point, I could think of many social engineering methods around the need to technically "break" SSL here. For example, they've already connected to my Web server via my localized DNS attack, and I simply need the "secure" login page to be hosted on a domain which I have authority over. As those of us who work with SSL know too well, you only need to own a domain name to register a certificate to it. If the attacker is concerned with people not accepting the site due to a bad certificate (which the majority of users still will not understand as a breach), they simply change the login page to a valid SSL domain, fooling the majority of the remaining users who simply look for validated SSL. Many banks do not use trademarked domain names for login pages, so I myself have a hard time verifying the validity of some SSL sites I end up on.

    I was shocked to hear this attack had never been witnessed "in the wild." Of course it has been theorized for a long time, but I gave our blackhat counterparts a little more credit than that.

  2. Re:Macs not sa(f)e anymore? on First Scareware For the Mac · · Score: 1

    I was aware that my analogy did not use ebola in realistic terms. I'm not a virologist or an epidemiologist. It's a bit of a sad shot to poke such holes in an analogy, but thanks for your words of wisdom, mighty syphilis man. If any such analogy were so flawless as you seem to suggest they all should be, we would indeed have computer-to-human virii. I'll assume such absurd statements were attempts at humor, though, as were mine.

    Let me stop using analogies so I can make this simple, direct, and boring. Diversity is not simply determined by OS. I agree, though, that it is a major factor in epidemics, since many epidemic-grade virii are highly tailored to automate the exploitation of a large base of the same OS. You make a good point by explaining that multi-OS networks are an example of diversity in this attack scenario, and I agree that statistically a network has been safer from the majority of epidemic attacks by running OS-diverse networks.

    Perhaps in this light, I invited such a response (i.e. "fucked up (my) analogy") by my use of epidemic imagery, which was not necessarily the attack methodology I was referring to. My intended focus was in the fact that uniformity exists in many networks on lower levels than just the OS, using the Intel CPU as the relevant example for our article, thus undermining the idea of security through diversity of the OS. My response was to those who at one time thought changing to Mac was a safe security option by default because of targeting trends, and now to those who suggest jumping to Ubuntu, etc., because somehow Macs have begun to be targeted. I'm not going to take any more time to try to explain why this is a problem, because you clearly have more of a clue than the schmuck who waves a Ubuntu banner every time a zero-day vulnerability is announced on a mainstream OS.

    To be honest, I'm not sure it was necessary to make a point of joining the fray on this one, considering how clear of a mistreatment of the problem changing one's OS is to those who care enough to know better, and how unimportant it is to those who don't. Of course, I suppose I did get a sexual offer out of it. Where should we meet?

  3. Re:Macs not sa(f)e anymore? on First Scareware For the Mac · · Score: 1

    A good point, Britz, but I'm not sure I agree entirely.

    "By the toll of a billion deaths man has bought his birthright of the earth, and it is his against all comers..." --H.G. Wells, War of the Worlds

    I'm sure there's consensus to the truth in this. That species which is attacked most by the most diversity of attackers will be naturally resilient to future attacks through its survivors. That's the point, and I have a slightly different one.

    Diversity is important, but we're not talking about diversity within a species when we compare Ubuntu, Windows, Mac, etc., we're talking about a different species altogether, and the newcomer may as soon be a Debian as a Mac.

    The key, however, is in the fact that they often belong to the same genus, phylum, what-have-you (this is only an analogy of course). After all, an Intel chip, under any other OS, is still an Intel chip, and a buffer overflow vulnerability will smell as sour; in a kernel, in an OS, in a plug'n'play driver, ready to exploit your specific CPU, just as my pet ebola is patiently waiting on that taco. Ebola doesn't ask you what clothes you're wearing before it wants to eat your organs. If you eat it, it is hilariously good at what it does. It's just a matter of time before I find out what you like to eat.

    Now, again, I agree that diversity is important, and I submit that diversity in computers is far more vast and complex than simply saying Mac, Ubuntu, Windows are species in a genus, and I can make ebola tacos, but all of these OS's can be far less diverse on fundamental levels. Let's say I plop ebola on a big mac, a taco, and a garden burger on one plate, make 6 million of these plates, and hand them out. If I know 90% of everyone who gets a plate will eat one of those meals, I'm the freaking iron terrorist chef.

  4. Re:Macs not sa(f)e anymore? on First Scareware For the Mac · · Score: 1

    I agree with the popularity factor, and I happen to also think that Mac OS will not withstand the security demands as the competing, current, time-tested, and server-grade OS's that have been targets for as long as I've been able to grep. I hope I'm wrong; it'd be nice to have Mac live up to its self-hype. However, this is a moot point to make without a lengthy, dead-horse argument that will only fuel the flamewars. I say this only to make clear that this is not my point. I'm here to point out that the Ubuntu user, in all his leety indi-ness, has just as much to worry about as the Maccy did so many years ago; when he was dancing around singing "Under Pressure" in front of a bright green background, as the newest Zero-day vulnerability exploits ravaged his friend's XP home edition box. Abandoning ship or gloating is the boob's argument. You can island hop all you want, but the waters are still rising. As a Windows user who has stuck it through all the way to Vista, lost and won many a battle with a straight face, and learned so much more throughout on how to protect myself in my environment of choice, I say bring it on. If you so can't stand being exploited as to learn from it, get off the Internet.

  5. Re:misleading title on PCWorld Says Firefox is Strong, Vista is Weak · · Score: 1

    I completely agree, garatheus. I'm getting more and more fed up with Slashdot being filled with these flame-wars, and the posters egging it on with these ridiculous titles. As a user-based community, we need to regulate ourselves better by learning to question our posters. Who can conclude "Vista sucks" after reading stats about IE and Firefox? Sure, it's a possible reason, but here's a better title: "50% of IE6 Users Switching to Firefox." We need to stop making these issues something they're not before presenting the case and evidence. It's perpetuating bad (and by that I mean uninformed) press, and the ignorance cloud that is increasingly surrounding Slashdot. We're all a lot smarter than this.

  6. Title stated as question attempt to mask trolling? on More Mac Vulnerabilities Than Windows In 2007? · · Score: 1

    I hope everyone took the time to read the article, and to find other articles on the same data, or the data itself. Unfortunately, once again, I find myself having difficulty seeing past a slashdotter's inability to simply report information without introducing controversy on his own terms or relaying the bias of a bad journalist.

    The only content of this post that wasn't quoted was in the form of the question "Is this report card's implication accurate, or is this a symptom of one company turning a blind eye [1]while the other concentrates on timely bugfixes," which is actually not a question.

    One side of this supposed question, "Is this report card's implication accurate," suggests the data is flawed. OK, we can consider that a good, yet obvious question, but I hope they back it up (they did not). The other side begins by accusing "one company" of "turning a blind eye (to problems)." This side of the question has already validated the first part of this supposed question, because this claim, if true, would invalidate any study that relies on a company such as this to report security flaws without silently fixing them. I wonder which company they mean? The second part of the "question" continues, glorifying the "timely bugfixes" of the "other" company. Which company is which, here, slashdotter? You might as well come out and clearly accuse who you accuse so we can see how biased and unfounded those claims are without backup, no matter what name you put on these companies. Adding question marks at the end of a sentence doesn't always make it a question, but does sometimes help in evoking a lean in support toward a statement hidden inside a valid question, as the slashdotter did here. Also, notice the "[1]" citation's placement (on the "timely bugfixes" company's side). Citations/footnotes (unfortunately) add an immediate, and in this case, false sense of validity to information they're placed on. A reader could be misled to believe what the slashdotter wrote as a statement of fact if they did not notice this was simply linking to the article they read, in which case it belongs at the beginning of this "question." However, the entire statement portion of the question, including claims toward both of these ambiguous companies, is subjective, coming completely from the mind of the slashdotter, with no support to them, so validates no usage of any citation at all.

    The slashdotter goes on to quote the author's statements against Windows Vista. The author failed to provide any details of Mac OS vulnerabilities, instead showcasing Apple's generosity in paying hackers to "hack" a Macbook, then give them a bunch of money and a free Macbook (thanks Apple! *ding!*). Herein lies both the author's and the slashdotter's bias. I can't fault the slashdotter for reporting what they read, and not being objective about it, but this is clearly flame fodder to post like they have.

    This slashdotter seems to have already made up his mind, but I hope you would read the article, and try to gather some more information from other sources. Citing some more sources that analyze the same data, or back up the seemingly biased statements made in the post, would have been helpful.

  7. And...? on Can String Theory Accommodate Inflation? · · Score: 1

    I wonder if string theory can explain why people feel the need to share any interesting or debatable fact they come across with slashdot, even if the information is multiple years old...

  8. Correlation/Causation? Objective Readers? on US Gasoline Prices Spur Telework · · Score: 1

    Holy crap, guys, my age has increased with the price of gasoline too! This study suggests the price of gasoline can affect time itself! Trust me, I'm an expert on my own age! ALERT THE INTERNET!1one!1!

  9. Do Something on Net Radio Appeal On Royalties Rejected · · Score: 1

    I realize I'm reposting information already provided, but with all the "op-ed" posts, I want to make sure that people are aware of possible solutions, since the majority of us agree on the topic, rather than only discussion.

    Write your state reps:

    http://capwiz.com/saveinternetradio/issues/alert/?alertid=9631541

    Find more info:

    www.savethestreams.org

    Thanks

  10. Re:There is always one. on ICANN May Act Against RegisterFly · · Score: 1

    Tucows sucks? I'm curious to know why you think so. I would've pointed you to them if you hadn't said that.

  11. Re:I'm one of Wikipedia's big MS article writers on Microsoft PR Paying to "Correct" Wikipedia · · Score: 1

    Daltorak, thank you for finally pointing out that this is Wikipedia's issue, and for suggesting that Wikipedia is well equipped with objective opinions (as yourself) so that one way or another, Wikipedia and its advocates will keep this under control.

    You, and all your posts, supportive of Microsoft or not, prove that some people still care about the facts, even in a flame war older than most people on this thread are acting.

    I do not pretend to understand Microsoft's "ethics" as others do, because nothing has happened yet. Time will tell, and so will the Wiki logs.

    I hope those who use this as an Appleseed spitting arena are better informed than they sound, and check back on this when the facts are in.

    Frankly, I see far more crap by juvenile pro-Apple zealots lol.

  12. Somewhere, a witch is burning. on Data Theft Notifications - How Soon is Too Soon? · · Score: 1

    The fact that I get spam mentioning penis enlargement does not mean that Shoprite must have lost my value club card data to Sum Yung Gai who now knows I buy "modest" size Trojans. I hope the correlation is clear.

    Similarly, an "ongoing investigation" with "outside agencies" can mean they've got a private security firm analyzing their systems; which is normal, and nothing to be worried about if they even said as much. Companies are always vague about things like this, but they're not necessarily the evil empire.

    Don't get me wrong; spam can come from some pretty shady activity. What you, and everyone else, are saying is not impossible, but your example shows a lack of understanding, and does not prove or even suggest any correlation to this trading company aside from both parties having something to do with stocks.

    Hell I get stock spam. Everyone does. You don't need to sign up for stuff these days to get spam. That much has been said already. If you don't want spam, talk to your email provider. They're probably already blocking a few hundred spam messages a day. And who knows where those come from? *creepy music*