wot no linux?
I take it they learned their lesson from last year and neatly avoided the operating system that cannot be hacked. Cowards.
Posts by Danny
50 publicly visible posts • joined 26 May 2007
Hacking contest offers $10,000 for iPhone exploit
Woolies Pic'n'Mix bows out with eBay auction
Cross-site hacks and the art of self defence
Wednesday 3rd September 2008 00:43 GMT
csrf is suble
@Anomalous Cowherd
Nothing technical about it. It can be coded either way. The server has all the same information. With broadband, conventional page reloading is not the tedium it once was with dial-up. I'm in agreement about the slick interface for an app feel. There are some very good ones out there. For the discussion of the article, however, the former does not demand JS, the latter cannot function without it. And JS opens up the prospect of CSRF...
@James Butler
It has nothing to do with phishing nor input validation. It is impersonation and forged requests. My website can be perfect but can still be the target of attacks from another site with XSS holes. But (and it's a big but) the requests are from my customers. I cannot distinguish real requests from forged ones unless I make user access such a pain that nobody wants to visit. With CSRF you'll realise there is almost no easy defence against it /and/ keep all your users. Hence the doom and gloom of the article.
To recap, it happens like this. We have four agents in this scenario.
- Bob, at home, using his browser.
- SiteA, perfect, with no XSS holes or anything. Perhaps a bank.
- Sid the bad guy who want to rip off Bob's account at SiteA.
- SiteB that hosts the malware created by Sid. A forum or blog perhaps. Could be a site owned or 0wn3d by Sid and/or has exploitable XSS holes. The malware is a combination of html (iframes etc) and javascript as needed to execute the CSRF.
(1) Sid puts malware on SiteB.
(2) Bob visits SiteA and logs into his account. SiteA sends Bob a cookie (a random token or nonce) so that further requests from his browser do not require him to re-enter his password for every requested page (a convenience feature).
(3) While still browsing SiteA, Bob opens up a new tab and surfs into SiteB.
(4) His browser downloads a page from SiteB along with Sid's malware. Remember, the browser will not allow SiteB to access SiteA's cookies. Not now. Not ever (bugs in IE excepted). His browser displays the page. The html part of the malware open a 1x1 pixel iframe to http://SiteA/... Bob can't see it as it's so tiny and tucked away. The javascript part of the malware has access to the cookie for SiteA and any request from within the iframe to SiteA will include this cookie (same-domain rules). The malware builds a request and sends it to SiteA, say a form POST. (GET attacks that do damage should be a thing of the past now.)
(5) SiteA receives this request. It is coming from Bob's browser at his IP address along with the Bob's cookie for SiteA. The server checks the cookie and sees that it's a valid cookie for Bob's current session and executes the request. Fill in the blanks of what the request could be. SiteA logs the request, IP address etc.
(6) Much later Bob complains to SiteA that his bank account is now empty. SiteA examine the logs and sees that it was Bob who made the request and tells him tough bananas.
Hopefully it will be clear now why the various solutions in the article have been given. It's the result of using iframes, xhr and javascript to sidestep same-domain rules set up to protect cookies (themselves used to overcome the limitations of stateless pages).
While it is up to SiteA to do all they can to thwart this (they don't want customers being ripped off) you need to be aware of what might be going on while browsing. If you browse one site at a time, logout and delete cookies before going somewhere else then leaving JS on is just fine. If you like to have many tabs open (I do) then you need to make the necessary security adjustments. You could keep one browser strictly for online banking.
A long post but I hope it clears up why this is important. It's not that I hate JS (or Web 2.0), it's that it's too dangerous to just give it free reign for no really good reason.
Monday 1st September 2008 18:40 GMT
@jon
If that's how you ensure your own security, knock yourself out.
I notice that you've not addressed the charge that running untrusted code on your own machine is dangerous. Do you wonder why noscript is the most popular add-on for Firefox? Or why IE is now copying it?
As hinted by the article, CSRF is likely to be the next big thing and provides some solutions. And, much like disabling VBscript in Word for those that have discovered the joys of finding Trojans where they least expected them, disabling javascript is a solution to CSRF.
Sure, we could outlaw cookies (another solution), but then we have the session id problem. Embedded tokens only leads to either session fixation or a broken back button (the most used button on a browser) and does not fully fix the CSRF vulnerability. SSL ids for session ids is a good solution but has it's own penalties. It's a tricksy problem and the devil is in the detail.
It is an imperfect universe filled with Windows and bad people who just won't play cricket. This isn't helped by client-side scripting languages with too much power and users who opt for convenience over security. I know, guns don't kill people but until there is sandboxing or virtual browsers or whatever it is a solution that works 100%.
Monday 1st September 2008 14:25 GMT
@Anomalous Cowherd
Go and read the forums at the hacker sites and consider whether one should be doing everyday browsing with JS enabled?
Yes, it annoys me that in 2008 some sites resort to "enable JS or fuck off" for stuff that doesn't even need to be. JS links anyone? JS breaks the Web for the blind, disabled or anyone using a stylus. You know, that accessibility thing. Web 2.0 be damned. Does El Reg demand its users be JS-enabled? Even Gmail has a non-Web-2.0 interface that works really well.
JS is necessary for media type stuff hence my keeping Mozilla JS+Flash enabled to visit utoob. Actually, the new look Beeb site is a good example of providing accessibility and (semi-nagging) relevant alternatives to embedded Flash. The JS provides additional functionality not critical functionality. Web 2.0 stuff is pretty groovy and the slick interface seductive but there is nothing JS can do that cannot be done by a scripting server (I do it everyday).
JS has been given too much power and now it's being abused by those who want to steal your money. It's your choice: keep your accounts secure or create another million zombies.
Monday 1st September 2008 08:51 GMT 
xhr
Everything can be faked. See http://en.wikipedia.org/wiki/XHR
Headers, GET, POST, refer[r]ers, fetch, response - javascript and XHR can do pretty much everything. As the article says the request comes from *your* browser, at your IP addr and using your (re)login credentials stored in permanent cookies. Add a 1x1 pixel iframe and the hosting site (hosting the attack code - the one you are visiting) can do pretty much anything it wants. The target website cannot know if this is a genuine request from you or a forgery. Hence the problem. Hurrah for Web 2.0
When browsing:
(1) Disable JS, Flash and other random downloaded code exectutors to mitigate the XHR problem.
(2) Log out when done and delete cookies - tell the browser to only use session cookies (Mozilla allows this).
(3) Only keep one browsing window open when visiting important sites to limit cookie exposure (and delete them when done)
(4) As suggested, use multiple browsers. I use Konqueror (no JS, no plugins, cookies) and Mozilla (JS, Flash, session cookies only) this way.
For web dev:
(1) Don't use JS and recommend user's disable JS (a long shot but hey it's you that's being ripped off.)
(2) Add the following iframe breakout script to every page
<script type="text/javascript">if (top!=self) top.location.replace(location.href);</script>
If anyone tries to put your site in an (invisible or otherwise) iframe it will become pretty obvious to the user who will then (hopefully) contact the hosting site to say that something is horribly wrong and the webmaster can go and fix the XSS to whatever they are hosting.
location.href could be replaced with a redirect to some other site (so as not use your cookies) or to a page on your site that deletes your cookies on the browser to make them safe.
(3) Reconfirm credentials often. Keeping the sessions short to mitigate time at risk. And ask for passwords to authorise actions on really sensitive pages.
(4) As already suggested, random tokens to return to the site as GET or POST parameters will stop the less sophisticated attacks that do not scan for tokens. An advanced JS script with XHR can load a page, scan for the token value, insert it, post it back @Nick Clarke: a neat idea but a preprogrammed script could search for the JS rather than hidden input tags. It would need to be a big XSS hole but it's possible.
Russell Crowe to play Bill Hicks?
Thales wins first UK ID card contract
Sunday 3rd August 2008 19:24 GMT
ID Cards are not about security
As we all know ID cards have nothing to do with security. The security experts all say its about control. And a big fat gravy train for Herr Brown and chums.
'A National ID Card Wouldn't Make Us Safer'
http://www.schneier.com/essay-034.html
'Ex-MI5 Chief Calls ID Cards "Useless"'
http://www.schneier.com/blog/archives/2005/11/exmi5_chief_cal.html
and many others...
Rogue SF sysadmin coughs up passwords
Instant trojan to worm toolkit sighted
Wednesday 18th June 2008 14:11 GMT
hurrah! bsod decends on windows
Nasty. Being boiled is too good for them. More cruft for s'kiddies to abuse Windows lusers. Article is thin on how the worm propagates. I'm guessing that a firewall will keep the bugger out and that it's intended as an email attachment that will run an internal (Windows) intranet ragged.
And how does a UFD infect your machine? Does Windows really autorun from UFDs? Or is this U3 or whatever nonsense? Will Microsoft never learn. Doesn't affect Linux of course.
Anyway, as ever the cure is get a real OS and install Linux.
Creative settles MP3 player capacity clash
Friday 2nd May 2008 14:57 GMT
10^9 vs 2^30
This is a long standing bugbear. It's been long established, rightly or wrongly, that fs storage is measured using M=10^6 and G=10^9 whereas RAM has always been K=2^10 and M=2^20 and G=2^30 (more due to their intrinsic design requirements). I guess it's debatable which one applies to flash memory. Clearly the marketroids are going to go for the one that makes it look bigger. Traditionally communications and bitrates have always been powers of 10.
We have long had the prefix K=1024 so as not to confuse it with the SI unit of k=1000. But after that all bets are off. The other prefixes, whether "G" or "giga" are strictly SI units. So Creative are correct about using powers of 10 to describe gigabytes. Some smart folk came up with Ki/Mi/Gi (kibi/mibi/gibi and so on) for the powers of two. While they are a bit ugly, perhaps it's time to start using them. Linux already uses them for its utilities. Maybe The Reg can champion their use?!
So, I have a 4Gb UFD that is 4043Mb or 3948Mib.
30 years of Spam - and we ain't finished yet
Friday 2nd May 2008 09:13 GMT
UCE vs spam?
I always thought the first spam (vs UCE) appeared on Usenet (early '90s?) where two US lawyers cross-posted advert-laden messages across thousands of groups. Cross-posting on its own is a capital offence on Usenet but advertising as well! Regardless of the flame war they created, the two mother lovers were proud of their stunt.
My point is at the time there was differentiation between UCE (what is now email spam) and Usenet spam. I don't really see the need myself but some pedants at the time were quite adamant about insisting on the correct terminology...
Oh yeah, clicking on and/or buying from a spammed link should be punishable by public boilng.
Whitehats tackle The Great Botnet Dilemma
Wednesday 30th April 2008 03:50 GMT 
Drama Queen
Dilemma? Just fix it already, duh. I don't believe the airheads still using Windoze and allowing their machines to become zombies would even notice. And if it did go tits up how would they know it was the fix and not the zombie code? A fresh reinstall might well do their machine a world of good and rid it of any other parasites they are doubtless hosting.
Better still, install a keylogger, grab the lusers credit card number and order them a copy of F-Secure et al. D'ya think they'd get the message? Hell, why not just install Ubuntu and have done with it.
If TP leaves the network be, then the spammers will see these reports (if they haven't already) and reconfigure Kraken. TP will be back to where they started and the rest of us will continue to drown in invitations to buy dodgy rolexes and fake v1Agrrr.
Arthur C. Clarke dead at 90
Google fitted with (temporary) Digg implant
Friday 30th November 2007 10:03 GMT
An interesting idea
So many times when searching all I get is a blizzard of directory sites. Usually when looking for odd behaviour of product X and all that shows up is sites informing you of sites flogging product X. Excluding these sites from the search would be brilliant.
I guess they don't want to affect the global status of links thus the need to be logged in. Google won't spy on us surely? Nah. If we have to log in then maybe be able to create preset search parameters to make similar searches a breeze. (If Google are reading this!)
It would be useful to be able to tag or categorise sites and be able to include or exclude them when doing searches. Or be able to specify the type of site one is looking for. User tags might be more useful (and avoid sites keyword spamming) with some kind of evolution of the fittest process so that weak tags (left by some ranter) are eventually culled and the strongest appear first. Hey, sounds like a patent idea (TM).
Dell moves 40,000 Ubuntu PCs
Microsoft offers $300m for web-washing ad campaign
Thursday 29th November 2007 19:30 GMT
why?
Windows Live - Why?
Windows Live - Don't even think of visiting using Linux
Windows Live - When we suck, you suck too.
Windows Live - The world is not enough.
Windows Live - Assimilate and extend.
Windows Live - We are not a commodity.
Windows Live - Better dead than Windows.
Windows Live - You'll wish you were dead.
Windows Live - You'll wish M$ was dead.
Windows Live - Spam, not content.
Windows Live - Only one ActiveX plugin away...
Windows Live - Where clear thinkers dare to tread.
Windows Live - A World of Pain.
Windows Live - Abandon all hope.
Turkey probes The God Delusion for 'insulting religion'
Thursday 29th November 2007 17:33 GMT
outdated business model
Religion is nothing more than an outdated business model and, much like other businesses we've seen, its CEOs are clinging on to old ideas and suing all and sundry around them to have their way.
In its time it was the law when there wasn't law. It was about controlling the plebs. A commentary on how to behave in social situations and the like. Not eating swine is handy health advice in hot climes before the invention of the refrigerator. Now we have 'fridges it's redundant advice. Now we have our modern-day laws. Now we have science and understand there is no god or gods. Only atoms and the universe.
Science has demonstrated time and time again the fallacies in the various Good Books. Earth-centric universe anyone? Earth created 6kya? Total lack of mention of dinosaurs? How about the various "acts of god" demonstrating there is nobody out there or He is indifferent to human suffering. And while religious intolerance has caused more killing than anything else in human history I think the psychopaths in society will just find some other reason to kill each other.
I've read most of his books I can see Dawkins is an astonishingly clear thinker. People are opening their eyes and seeing that the indoctrination they were subjected to as kids is just nonsense.
Religion is dying concept. Get over it.
Tories: Europeans could get access to UK ID database
Man sentenced to 20 years in murder of online rival
Thursday 29th November 2007 10:15 GMT
tragedy
It's ironic that the two who thought they had a hot young date turn out to be both middle aged. The sadness is the guy then couldn't see the funny side and have a laugh over it and maybe make a good online friendship and instead became obsessed to the point of killing.
The BBC Worldservice podcast go into some detail about the incident. Get 'em while they're hot (only kept up for 7 days.) Look for chatroom murder 22 Nov 2007:
http://www.bbc.co.uk/radio/podcasts/docarchive/
There must be some moral point to this story that presently escapes me...
El Reg fires up online standards converter
Datapocalypse Now
Will Darling's data giveaway kill off ID cards?
Wednesday 21st November 2007 14:09 GMT
biometics
Some people will never learn. Using biometrics for identification is a fatally flawed concept. A compromised password or bank account details is hassle but they can be replaced at the drop of a hat and normal life resumes. If the biometric hashes for your id are stolen what do you do? Get a new id? New fingerprints? Iris? Humm. Thought so. And it only has to be compromised once by some minimum-wage flunky...
This compromise demonstrates that no government department is fit to hold this data regardless of how much they promise to look after it.
Go and read Bruce Schneier's books (and others) for the grisly details.
I can only think that some chums of the current and previous Junta are setting up a big fat IT gravy train and they've seduced enough ministers into the ridiculous notion that it will somehow make the world a safe and happy place.
Remembering the Commodore PET 2001
Saturday 10th November 2007 03:49 GMT
FAB
I remember some of the older geezers (the real UNIX grey beards) reminiscing over the PET when the Amiga was still king. They had fond memories. I was a bit too young at the time and was still drooling over Princess Leia (or was it R2D2) at the time. I love the Deep Thought photo.
A built-in cassette deck? How modern. Clearly Commodore didn't want any of this mucking around with cassette leads like we had to with the Speccy. It wasn't until the CPC when Sir Alan slapped a deck onto the side of his carbuncle.
I still have a Tatung Einstein and several Speccys and ZX81s around somewhere. The Amigas are still a joy to use. Doing stuff the upstarts of today can only dream about. Linux is the closest I'll ever get to the robustness and flexibility of the Amiga...
When I were a lad we used to 'ave to squeeze subroutine in't 100 bytes, graphics, sound an all, using hand crafted assembler, an't use ROM image for random numbers. And still have bytes left. Try you try telling that to the kids of today... and they won't belief you.
15 years ago: the first mass-produced GSM phone
Saturday 10th November 2007 03:49 GMT
Rabbit?
The rabbit commercials. That takes me back. I remember some spotty oik (was he from Grange Hill?) that said you can make calls whereever you see the 'rabbit' (sounds trippy now I say it).
My first 'phone was the Motorola v3688. I seem to remember it was call the v.small and the ads had a tiny baby tortoise crawling on it or something. Still pretty small but not as slim as todays models.
Sun: MoD has Bond/Potter/Klingon cloaking device
Wednesday 31st October 2007 13:43 GMT
Octoskin
This mucking around with cameras, projectors, metamaterials and other advanced technology is altogether unnecessary. All one would need is a large octopus skin (or several sewn together) within which to enclose the tank and an octobrain as the central cloaking control mechanism. How hard can it be?
Red Hat, Novell sued for patent infringment
Friday 12th October 2007 20:10 GMT 
The War for Freedom. Part 2.
< Hey, is this Jobs Satan or Ballmer Satan?
To quote Kosh, "It begins."
Follow the money and you will likely find MS funding this. The close examination of Linux regarding patents and the like during the SCO fiasco will soon put these lusers to bed and hopefully, like SCO, permanently.
MS just don't like to share. The only way they are able to keep customers is to handcuff them to the radiator at gunpoint. It's sad that the only way to run a business is by threats and not the merit of your products.
Another quote (from memory) that springs to mind is from Princess Leia Organa, "The more you tighten your grip the more star systems slip will through your fingers."
Suicide website creator arrested for murder
Fairly realistic flying car offered for 2009 delivery
Thursday 11th October 2007 09:45 GMT
Darwin Awards
At least bad drivers will be quickly and efficiently culled from the herd.
It sounds like a fab idea. Likely huge repercussions for society. Think of the mayhem as the paparazzi chase celebs around the sky. Weekend in Paris? Customs? Pah! Mobile phones won't work properly though (maybe a good thing). How will the speed Taliban persecute the motorists now? No more getting stuck on a windy road behind some dodery airhead towing a caravan...
Only Sky can save digital TV
Wednesday 10th October 2007 14:12 GMT
Sky-loving Shill Alert!
Who's been suckling on Murdoch's oily teat then? Normally I'm not one to attack a person for their misguided views but such a brazen and offensive DTT hit piece could not go unremarked.
Analogue vs digital? Do you think anyone other than us geeks know or care about the underlying technology? Your fixating on the tech. To non-geeks it's just a TV channel. Nothing else.
Sky subscribers are a sad bunch of sheep. they get shafted paying an outrageous subscription for trash channels and are still inflicted with adverts! Rupert Murdoch is laughing in your faces.
Handing the TV monopoly to megalomanic Murdoch? I guess you get your OS from Microsoft too? If we allow such a monopoly all we will end up with is shit on every channel targeted at the lowest common denominator (see Sky).
I take it you must be a marketeers dreamboy. You eat at McDs, holiday at Disneyland, watch Sky and buy your jewellery from QVC (I'd say watch The Peter Serafinowicz Show but we know how much you hate the BBC).
I'd happily pay the TV licence just to fund the BBC and Channel 4. They are the only ones with (mostly) excellent and interesting programming. And I'll never give RM even a single penny. Ever.
Spammers turn YouTube into spam relay channel
Saturday 6th October 2007 03:12 GMT 
crucifiction
Crucifiction's too good for these wankers polluting our lovely 'net. I can think of a better lingering death involving knitting needles and a hair drier. As for the tossers that actually respond to this shite...
Oh, don'tcha just love visiting The Reg after a night at the pub. Hey, what are these icon thingies?
DRM on steroids controls backfires on Blu-ray
Saturday 6th October 2007 00:07 GMT
gun>foot
<sigh> yet another case of self-inflicted foot in mouth disease. Anyone who wants to rip the movie will have done so. Punishing the users who are *actually paying money for the stuff* will end up with them return the crap for a refund.
To Sony: remember this at your peril. Destroying customer's expectations will be rewarded by them being scared away from making furthur purchases. And in this market there is competition. Remember the Memory Stick incompatibility fiasco? I do.
Sony Walkman NWD-B105 2GB MP3 player
Tuesday 2nd October 2007 19:57 GMT
compatibility
Reading some of the above comments regarding software bundled with the player and re-reading the article I popped over to the Sony site and downloaded the manual.
Well, according to the manual it really does appear to do what it says on the tin: it mounts as a USB Mass Storage Device on your favourite OS. There is software bundled with the player called "AutoTransfer", and, as the article points out, it appears to essentially sync a designated music folder on your PC with the player. I assume the software is Windows only. The manual implies you can delete this software and accompanying PDF user manual and get a bit more space on the device.
Though ominously on the last page the manual then says that the only supported OSs are 2k, XP and Vista and if you want anything else you can go fuck yourself (or words to that effect.)
I'll contact Sony to confirm if it really is a USB Mass Storage Device, that they made a mistake and it will in actual fact support Linux...
Tuesday 2nd October 2007 13:49 GMT
What's happened to Sony?
Wow. Sony have finally realised the pretty gadgets laughingly called mp3 players (actually atrac players) are utterly pointless for anyone using Linux. Or OSX. Or no longer trusts Sony's software offerings. Looks like a groovy device. I might have to get one as a reward to Sony for finally seeing the light! Probably the F model with FM radio.
What with the RDR-HXDx70 series of recorders, it appears that Sony are waking up to producing stuff people want. Hurrah!
(Long time Sony fan but not tempted by their handiwork for many years. Poor design, poor build. That, and, along with everyone else on the planet, the unforgivable bandwagon jumping of lets not give anyone any choice even if they already have stuff in black, and love black, and hate anything not black, and go and paint everything that's lovely and wonderful that vile and hideous colour, that custard of Satan's loins, the wretched pustule encrusted silver. Grrr.)
Brute force attack yields keys to Google's kingdom
Tuesday 2nd October 2007 10:20 GMT
John C. Dvorak and crankygeeks.com
"John C. Dvorak talked about this in his column weeks ago.
http://www.pcmag.com/article2/0,1895,2188281,00.asp"
OT but, there's a link from the pcmag site to JCD's crankygeeks.com where he has a video magazine thingy. Watching the latest episode now (#83) and noticed there's some guy on the show called Drew Cullen from The Reg...
Microsoft punts web-based apps to the masses
Monday 1st October 2007 12:10 GMT
Why?
Amazing. Let's see if I've understood this.
(A) Use Google or OpenOffice giving unrestricted access to your files using standard open file formats.
or (B) Use a service that requires MS Office or restricts access to your files and uses non-standard closed proprietary file formats.
Humm, difficult choice.
So, what's the first rule of Reg Club?
Friday 28th September 2007 15:26 GMT
rules...
@Sam
>>"(5) You must point out spelling, grammer, calculator gaffes and other faux pas. Try not be overly smug."
>"...It's "GRAMMAR", you peasant!"
Oh, the irony.
(10) Do not ever forget this: your computer hates you. Features such as, say, the spell checker, will bite you back at a moment precisely calculated to be the most inconvenient and embarrassing.
(11) You must blame the computer for suboptimal processing of data in the vain hope of diverting attention away from one's failings.
Friday 28th September 2007 12:41 GMT
rules...
(1) You must not talk about Reg Club
(2) You must not talk about Reg Club
(3) You must not, under any circumstances, ask what the IT angle is.
(4) The Reg is mother, The Reg is father, The Reg is your friend. Trust The Reg.
(5) You must point out spelling, grammer, calculator gaffes and other faux pas. Try not be overly smug.
(6) You must refer to anatomical features by anything other than established jargon or slang.
(7) You must not expect sympathy when, as a Windows/Explorer/Word/Excel luser, you get a virus/Trojan/worm/lose all your data/computer explodes.
(8) You are positively encouraged to indulge in bigging up Linux but please keep it brief. You're preaching to the choir.
(9) Sarcasm must not be delimited by <sarcasm> tags lest we be deprived of the frantic replies of the humour challenged among us.
Unholy trinity of flaws put Google users at risk
Tuesday 25th September 2007 02:56 GMT
just say no to js
XSS and Javascript: Or why you shouldn't just let arbitrary code run on your machine.
Just switch it off and let sites that demand javascript be enabled know why you aren't shopping there anymore. Ditto Flash. Or if that's a hassle, have a separate browser for these sites and set it to delete all cookies on exit, and only visit one site at a time. I keep Mozilla for this purpose. Konqueror with js off and no plugins for general browsing.
Of course, XSS, can be prevented if the sites in question are ruthless with input filtering and html quoting. If. Having some js to do frame breakout will make iframe injection attacks pretty obvious. Ahh, frames. Don't you wish you could go back in time and give that smartarse at Netscape a good kicking. It would have been nice for a site to inform the browser than js should be disabled for this page regardless of any other setting or outer frames. But it's way too late for that.
CSRF is a trickier beast. It's your site (which naturally is perfect) being attacked by a badguy or compromised site. As the request comes from a legitimate user of your site, or technically from their browser, discriminating a genuine request from a bad one is a knotty problem. A solution being to ask for their password to confirm serious actions.
Or, ironically, have some js detection code to say "This site best viewed with JS off."
The joys of unintended consequences...
Microsoft dispels rumors of stealth Windows updates
Be kind to your stomach: eat chilies
Boffins develop Terminator-vision goggles
Thursday 13th September 2007 17:13 GMT
trippy
Hey, they're pretty cool if a little geeky. Would be a talking point at a party and depending on the type of party you could get twice the trip. And if they come with headphones, Terminator sound effects, real time object identification system and list of handy responses for when one's grey stuff is off playing with the pixies...
SanDisk goes launch-crazy
Microsoft vs. Google – the open source shame
Tuesday 21st August 2007 14:56 GMT
@ashley: typo
"...Google could care less about that though..." should be "couldn't care less" - it doesn't make sense otherwise, unless Google do want to release their code?
Google wanting to keep their own code as a trade secret is completely understandable. So long as it is in-house I don't see why there should be a problem. I guess they figure that such things like the search and ranking algorithms are part of what makes Google different from other search engines. I wouldn't be expected to release the code for my website just because I'm using a LAMP setup?
Of course, nobody's forced to use Google, Gmail etc, unlike, say, wanting to play the latest game, which pretty much demands Windows. (Though I do have Quake III for Linux.)
As for moving from Google webmail to Yahoo webmail (which I think is what you're suggesting) why would one want this? Sign up for both (they're free). Tell people one or the other depending on whichever has your favour that month. If it's not being tied to a single ISP that you're after get your own domain and redirect email to whomever you like.
DARPA seeks 'Deep Green' battle computer
Enron emails inspire GCHQ spooks
Strange spoofing technique evades anti-phishing filters
Saturday 26th May 2007 10:08 GMT
Use Knoppix
As well as the usual stuff of not using IE nor Windows, if you need access to your online bank the simple solution is to boot from Knoppix. It being a live-CD that doesn't touch the hard disk you can use it with confidence even if you are uncertain about what may be lurking within your OS.
Connection to Ethernet modems is easy-peasy with DHCP - no configuration required. Your milage might vary with a USB modem (throw it away and get a real modem). Even though I'm a happy Debian user I still use this technique to access my bank, just to be sure. Rebooting the machine is a hassle but it is *your* money that's at stake.
http://www.knoppix.net/
Biting the hand that feeds IT
