Comment Re:NEWS FLASH: Web sites need to screen uploads (Score 1) 355

The point wasn't that the seemingly innocuous domain could be attacked with this method. What I was trying to point out is that the seemingly innocuous web site could be used as a vector for an attack on the victim site.

As I explained, the difference between JavaScript and Flash is what they consider to be "its own domain". JavaScript considers its own domain to be the domain of the page it's running in. Flash considers its own domain to be the domain the flash object is served from. It doesn't seem like it should be a big difference, but it is. Let me flesh out my example a bit more.

Suppose you have an account on the victim site. Suppose you are also a semi-frequent visitor of the seemingly innocuous site that I host. If I want to steal your account on the victim site, and the victim site allows arbitrary file uploads, I can upload a Flash movie to the victim site. The next time you visit my site, I embed the movie, hosted on the victim site, somewhere in my site where you can't see it. Because Flash considers the victim site to be in its own domain, it is free to contact the victim site however it wants without checking the contents of the crossdomain.xml file. I have just been able to compromise your account without you noticing, and without convincing you to do anything you wouldn't normally do. Performing the same attack with JavaScript, without having to engineer you into visiting a page you don't normally visit on the victim site, would be a much more difficult proposition.

Comment Re:NEWS FLASH: Web sites need to screen uploads (Score 4, Informative) 355

You missed the point. Flash is not equally bad as JavaScript, it's far worse.

Suppose I'm an attacker, and I upload a malicious JavaScript file to www.victimsite.example. I then reference it in a site I control, www.seemingly-innocuous.example; the JavaScript file runs in the www.seemingly-innocuous.example domain sandbox. Even though the file was loaded from www.victimsite.example, it can't actually access anything on the victim's site. In order for that to happen I would have to also upload a malicious HTML document to www.victimsite.example, and convince unwary surfers to visit this new page.

Now I decide to switch to flash. I upload a malicious SWF to www.victimsite.example, and embed it into a page at www.seemingly-innocuous.example. Unlike the JavaScript example, my malicious SWF now runs in the www.victimsite.example domain security sandbox, and can make any requests it wants to the victimsite.example domain without the visitor to my seemingly innocuous domain being any the wiser.

It is a big deal, and it is nothing at all like JavaScript. But it's also not remotely new. I'm having a hard time finding anything in this article that hasn't been widely known for some time now. It even mentions attacks that have been going on for years.
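The two comments above describe why hosting attacker-supplied SWF (or HTML) on the victim origin is dangerous: the file inherits the victim site's sandbox. The server-side counterpart is an upload screener that judges a file by its bytes rather than by its file name or the client's Content-Type. The following is an added example written for this page, not code from the thread or from any site it discusses. It assumes an image-only upload feature; the SWF signatures (FWS, CWS, ZWS) and image magic numbers are real, the sample uploads are constructed for the demo, and the response headers are defence in depth rather than a substitute for serving user content from a separate origin.

```python
"""Content-based upload screener (added example, not from the Slashdot thread).

Flash Player places a SWF in the security sandbox of the origin that served it,
so an uploaded SWF that the victim site serves runs *as* the victim site and
crossdomain.xml is never consulted. The same is true of an uploaded HTML page
once a browser renders it from the victim origin. So: refuse active content by
inspecting bytes, and never trust the name or Content-Type the client sent.
"""
import re
from dataclasses import dataclass, field

# SWF header signatures: FWS = uncompressed, CWS = zlib (SWF 6+), ZWS = LZMA
# (SWF 13+). Byte 3 is the version, bytes 4..7 the uncompressed length.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}

# Allow list of passive types, each with its leading magic bytes.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Markers that turn an upload into a scriptable document if rendered inline.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<svg", b"<body")


def sniff_swf(data: bytes):
    """Return the SWF compression variant if `data` starts with a SWF header, else None."""
    if len(data) < 8:
        return None
    return SWF_SIGNATURES.get(data[:3])


def looks_like_markup(data: bytes) -> bool:
    """Case-insensitive scan of the first KB, ignoring a BOM and leading whitespace."""
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return any(marker in head for marker in HTML_MARKERS)


def safe_name(filename: str) -> str:
    """Drop any path component and anything outside a conservative character set."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "upload"


@dataclass
class Verdict:
    allowed: bool
    reason: str
    headers: dict = field(default_factory=dict)  # headers to use when serving an accepted file


def screen_upload(filename: str, declared_type: str, data: bytes) -> Verdict:
    """Decide whether an upload may be stored and served; reasons are for audit logs."""
    swf = sniff_swf(data)
    if swf is not None:
        return Verdict(False, f"rejected: SWF ({swf}) bytes in {filename!r} declared as {declared_type!r}")
    if looks_like_markup(data):
        return Verdict(False, f"rejected: HTML/SVG markup in {filename!r}")
    magics = IMAGE_MAGIC.get(declared_type)
    if magics is None:
        return Verdict(False, f"rejected: type {declared_type!r} is not on the allow list")
    if not any(data.startswith(m) for m in magics):
        return Verdict(False, f"rejected: bytes of {filename!r} do not match declared {declared_type!r}")
    # Accepted: force download and disable MIME sniffing when served from the main origin.
    return Verdict(True, "accepted: passive image content", {
        "Content-Type": declared_type,
        "Content-Disposition": f'attachment; filename="{safe_name(filename)}"',
        "X-Content-Type-Options": "nosniff",
    })


# Constructed sample uploads for the demo (not real files).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
SAMPLE_SWF_AS_JPEG = b"CWS\x0a" + (64).to_bytes(4, "little") + b"x\x9c" + b"\x00" * 40
SAMPLE_HTML = b"  <!DOCTYPE html><script>alert(document.domain)</script>"

if __name__ == "__main__":
    for name, ctype, blob in [("cat.jpg", "image/jpeg", SAMPLE_JPEG),
                              ("cat.jpg", "image/jpeg", SAMPLE_SWF_AS_JPEG),
                              ("note.txt", "text/plain", SAMPLE_HTML),
                              ("cat.png", "image/png", SAMPLE_JPEG)]:
        print(name, "->", screen_upload(name, ctype, blob).reason)
```

The SWF check comes first and is independent of the allow list because the renamed-SWF case ("cat.jpg" with CWS bytes) is exactly the attack the thread describes; the magic-number mismatch check catches the same trick for formats the screener does not recognise by signature.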

Comment Re:TrueCrypt (Score 2, Informative) 500

I wonder if it would be possible to store this hidden volume directly inside the free space of an NTFS volume instead of inside a TrueCrypt encrypted volume?

You can, I'm pretty sure, but then it's not truly hidden anymore - there's no obvious file hanging out, but anyone who did a forensic analysis of the drive would likely notice that instead of being full of unmapped fragments of old files, the unused space on your disk is full of random garbage. There is also a big catch - if you ever write to the NTFS volume while the hidden volume is not mounted, you will corrupt the hidden volume.
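The forensic tell the comment alludes to, as an added example that is not part of the original post: free space on a real NTFS volume is mostly zeros plus fragments of deleted files, whereas a hidden volume written into it is a long run of statistically random clusters. The scanner below computes per-cluster Shannon entropy and reports runs of high-entropy clusters. The "disk image" is constructed for the demo; on a real volume one would read the cluster allocation bitmap and feed only unallocated clusters to `high_entropy_runs`. The 4096-byte cluster size, the 7.8 bits/byte threshold and the minimum run length are assumptions chosen for the example.

```python
"""Entropy scan for random-looking runs in free space (added example)."""
import math
import random

BLOCK = 4096  # assumed cluster size; NTFS default on most volumes


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a perfectly uniform distribution."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_runs(image: bytes, block: int = BLOCK, threshold: float = 7.8, min_run: int = 4):
    """Return [(first_block, end_block_exclusive, mean_entropy)] for every run of at
    least `min_run` consecutive blocks whose entropy is >= threshold. A 4 KiB block of
    ciphertext or random padding scores about 7.95; text and zeros score far lower."""
    runs = []
    start, ents = None, []
    nblocks = len(image) // block
    for i in range(nblocks):
        e = shannon_entropy(image[i * block:(i + 1) * block])
        if e >= threshold:
            if start is None:
                start, ents = i, []
            ents.append(e)
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i, sum(ents) / len(ents)))
            start = None
    if start is not None and nblocks - start >= min_run:
        runs.append((start, nblocks, sum(ents) / len(ents)))
    return runs


def build_sample_image(seed: int = 1) -> bytes:
    """Constructed stand-in for a volume's free space: zeros, some deleted-file text,
    zeros, 16 clusters of random bytes (the hidden volume), zeros."""
    rng = random.Random(seed)
    zeros = bytes(BLOCK * 8)
    line = b"Dear Bob, the quarterly figures are attached. Regards, Alice\r\n"
    fragment = (line * 70)[:BLOCK] * 4
    hidden = bytes(rng.getrandbits(8) for _ in range(BLOCK * 16))
    return zeros + fragment + zeros + hidden + zeros


if __name__ == "__main__":
    for first, end, mean in high_entropy_runs(build_sample_image()):
        print(f"clusters {first}..{end - 1}: {end - first} random-looking clusters, mean entropy {mean:.3f}")
```

Compressed or encrypted files that were deleted (JPEGs, archives) also score near 8 bits/byte, which is why the scan reports runs rather than individual clusters: a contiguous stretch of high-entropy unallocated clusters that no deleted file's extents account for is what an examiner would want to explain.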

Comment Re:One place to hide is game files. (Score 2, Informative) 500

it would have to be something that is there by default, like having a separate partition or container file for each user with the encryption tied in to their user account, so that when logging in their login credentials are the encryption key and the volume is auto-mounted transparently

This sounds to me like the system that Mac OS X comes with, called FileVault. It asks whether you want to enable it when the account is created. If you say yes, it creates an encrypted file that gets mounted on top of your home directory automatically when you log in. It's installed by default with every new Mac. Not very good for deniability, though - it's pretty obvious if you are using it.

Comment Re:He forgot one (Score 1) 202

Not sure about the older mice, but it seems to me that every USB mouse made by Apple has been roughly equally bad for different reasons. Scratch that, the hockey puck was by far the worst. But the Apple Pro Mouse and Mighty Mouse still rank up there as the second and third worst mice I have ever used by a fair margin.

Comment Why do esd, arTs, pulse, etc. even still exist? (Score 1) 427

This is something that has been bothering me for a while now. It's been a couple of years since sound servers were in any way necessary. The sole purpose of ESD was to work around the fact that only one application could open /dev/dsp at a time. It was a horrible, nasty hack that was unfortunately necessary at one point in our history. Nobody really wanted it to be a long term solution, we just wanted something that would work until the people who wrote the sound drivers got their sh*t together.

Yet here we are, years later, and not only have we never tried to phase out these horrid abominations, we keep adding new and more complicated ones. I have no words for how absurd this is. Why is it that we can't just fix the issues in the drivers where they belong rather than piling heap after steaming heap on top of them? And even when they do actually fix the issues, nobody ever tries to dig us back out of the pile...

Comment Re:Gravel roads are cheap but need more maintenanc (Score 1) 717

My father is originally from rural Nebraska, and any time we visit that side of the family it's pretty much all gravel roads for miles in any direction. Even I, having learned to drive on the southern California freeways, never had a problem driving over 30MPH on the gravel roads there. That said, I do remember my dad complaining an awful lot about having to get the windshield fixed or replaced after visiting his family when I was younger.

Comment Re:Major side benefit (Score 1) 263

You're mixing two different animals with different problems, and no, I'm not talking about your unicorns and kittens.

Oil is almost universally used for transportation because it is portable, relatively energy dense, and easily refillable anywhere in the world. The fact that we already have a vast infrastructure in place to deal with it provides an additional barrier to entry for any new technology.

Oil is relatively non-existent in municipal energy production. The vast majority of our municipal power production comes from coal, followed I believe by nuclear. Each have their own problems, but geopolitical concerns about funding people we don't like - or who don't like us - are not among them.

All of the technologies that you mention in your post, as well as the kites in TFA, address the issue of municipal power generation. Changes in municipal power generation don't do anything to address our dependence on foreign oil, unless we can come up with a replacement for oil that is comparable to oil in portability, energy density, and ability to refuel on the go. Batteries are not there yet, and may never be. Plugin hybrids will help, but not solve, the problem. Hydrogen may be a viable solution someday but there are a large number of significant technical hurdles ahead of us on that road. Biofuels may be a solution, and unlike any of the others that I mentioned, have the bonus of not relying on municipal power generation. But biofuels will never be competitive as long as we insist on getting them from corn.

Comment Re:You never had to explain how to use a mouse (Score 1) 806

A single button was the right choice in 1984. Nothing stops you from connecting a multi-button mouse to your Mac, and all of the buttons and scroll wheel work swimmingly.

And 1984 was 25 years ago...

While it's true that connecting a multi-button mouse to a Mac just works, I don't really consider that to be a valid argument if you use a MacBook, which seem to me to be an order of magnitude more popular than their desktop systems. And Control+Click is not an acceptable replacement either.

I have a MacBook on loan from my work, but it is the only Mac of several computers that I use. While I've found myself using the MacBook more and more, I still do most of my work on Windows or Linux computers, either through VirtualBox, Remote Desktop, or SSH+X11 forwarding. In any of those cases I need a real second (and often third) mouse button, and I would rather not have to always carry an external mouse around with me. Control+Click doesn't work because 1) Control+Click actually means something different than right click in Linux and Windows, and 2) Control+Click doesn't allow me to emulate a middle mouse button by clicking both buttons.

Apple finally - albeit silently, and IMO poorly - admitted they were wrong about having two buttons with the Mighty Mouse. If they would ever extend that to their laptops, I might consider buying one for myself, although I still think the Pro models have an absurdly low screen resolution for such a high powered laptop.

Comment Re:And of course, no non-glossy displays (Score 1) 770

The glossy screen hasn't bothered me too much on the MacBook that I've been using for work recently, but the big thing keeping me from buying my own (aside from the current state of my bank account) is the lack of a decent resolution on anything smaller than the 17" model.

Well, that and the mouse, but Mighty Mouse aside, I can't imagine Apple ever sucking up their pride enough to actually change that.

Comment Re:iPhone fine print (Score 1) 770

Your two years doesn't even have to be all the way up to sign up for a new one. I don't know exactly what their cut off is, though. I've known people who got new phones and contracts with six months remaining on their previous contract. I've heard of people who have done it with a year still remaining on the previous contract with a little bit of negotiation.
