
Comment: Re:haven't we learned from the last 25 exploits? (Score 1) 67

by Arker (#47420705) Attached to: 'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials
"An HTML-only web is great for relatively static content, but not so great for anything much beyond that."

This sounds like nonsense to me, but I will give you the benefit of the doubt and ask you for *concrete* examples of what you are talking about. I have yet to be cited a single good example here - very often what is being done would work just fine in HTML, with less overhead, but the 'designers' just do not understand HTML, or have any desire to learn it, so they do things this way instead.

Certainly javascript can produce a slicker appearance and make certain things a bit smoother - but to do so it sacrifices device-independence and browser agnosticism - critical advantages that underlie the success of the web and whose loss can only undermine it.

Now if you build a proper web page, and then *enhance* it with javascript sanely, preserving graceful fallbacks, that would be fine. You can have your slick interface without sacrificing the web. And I can choose to avoid your slick interface so as not to sacrifice my security.

The 'designers' that can't be bothered to do that, and the suits that keep them employed, are the reason we can't have nice things. In this case, javascript.

"Is it so difficult to grok why you might want content to change on the client?"

Not difficult to understand why it was desired.

The point is it's harmful and been proven harmful, and far too harmful for the small advantages it brings to outweigh that.

Comment: Re:haven't we learned from the last 25 exploits? (Score 1) 67

by Arker (#47414205) Attached to: 'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials
"If you want the web to be useful, you should be pushing for only the most minimal use of Javascript."

When this crap first started getting pushed, a lot of us saw the potential problems coming and objected. We were assured it was only to be used to 'spice up' webpages, not to replace them.

Such assurances are obviously shit. If it's allowed to use it, then the lowest common denominator of self-proclaimed 'designers' can, will, and must overuse it. This overuse expands steadily and predictably until and unless there is effective pushback. Today we have reached the point where the typical corporate 'website' (and I use scare quotes because these things are NOT websites, at all) consists of hundreds of executable files, fetched from dozens of different servers, all of which the browser is expected to suck in and execute without so much as giving you a warning.

And contrary to the hilarious suggestion I see at the top of many many webpages today ("Enable Javascript for a better user experience") this does not bring with it any substantial improvements for the user. Quite the contrary, it results in a worse immediate experience (no, I didn't want a dozen popups, autoplaying video presentations, and a huge advertisement that floats over the text so I cannot see it!) and also in the longer term (like a week later when you discover that some random ad server sent your browser a rootkit and it happily executed it, oops!)

But the point is history has proven this is a bad code drives out good situation. If it's allowed, it will take over, just like a weed.

Turn off javascript. See the web as it really is. And support the web that still exists, before it's too late.

Comment: Re:say wha? (Score 4, Insightful) 67

by Arker (#47412415) Attached to: 'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials
"English translation: as usual, Flash is useless except as a vector for malware, viruses, trojans and keyloggers. Remove Flash from your system."

That's actually not quite true. Flash is a great way to develop simple games quickly and cheaply.

The problem isn't Flash itself (which is on the whole a fine product, used correctly) but the idea of using Flash as a substitute for a webpage, the installation of it as a browser plugin, and the auto-execution of it by the browser. None of that should be tolerated.

It's still possible to get a standalone flash interpreter and only feed it local, vetted files, which is really fine (or as close to fine as lots of other things you do every day, at least.) But Adobe seems to be trying their best to discourage that and force everyone to use it as an auto-enabled browser component instead. The one way to use the program that causes major problems is also the one way they want you to use it.

Everyone who has been infected as a result of this should really get together and sue these arseholes, because money is the only language they understand.

Comment: Re:haven't we learned from the last 25 exploits? (Score 4, Insightful) 67

by Arker (#47412367) Attached to: 'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials
Excellent advice.

Expect to be flamed into oblivion by all the 'web devs' that can't be bothered to learn how HTML works and rely on this crap instead, though.

The web - the real web, the HTML web, appears to be shrinking at the moment. New content is often hidden behind some kind of opaque app crap for no apparent reason and with no actual webpage for fallback (thanks google!) and old content occasionally gets removed as well. Each time this happens, it makes it even harder and less likely to revive the healthy web we once built with such love and care.

And naturally the people that are making a profit on this crap will just keep right on cranking it out as long as that is true.

The real victims here are future generations, who should inherit that world-wide web, but are set to inherit something entirely different - and inferior in every way (when judged from the user's perspective - from the perspective of big Advertising of course the story will be different, but we built this web for humans, not for marketing.)

Comment: Re:I doubt the dna stuff will come true (Score 1) 341

by Arker (#47410185) Attached to: Here Comes the Panopticon: Insurance Companies
"The real problem we are having is not the loss of privacy per se, it's the abuse of private information. Most people are fine letting Onstar know their current location. We are not fine with Onstar telling anyone that information - not the police, not our wife, not our boss."

It sounds more like the real problem is that people are so stupid they do not realize that you cannot have your cake and eat it too. If Onstar has the information, others will be able to obtain it, whether by hook or crook.

If you want your privacy you must defend it consistently, not only when it is convenient and inexpensive to do so.

Comment: Re:Christmas is coming early this year (Score 1) 657

by Reziac (#47408499) Attached to: TSA Prohibits Taking Discharged Electronic Devices Onto Planes

That's an interesting insight. I suppose the logic is that you don't want to plug it into the wall to prove it's a working device, because OMG that might utilize the higher current to set off a bomb. (I see no reason why internal batteries couldn't do the same job, with a lot more control at that, but, TSA logic.)

I wonder how they'd respond to my laptop, which is old enough that the battery is entirely dead, and it's not worth spending $150 to replace a battery in a laptop now worth about $50. It works fine when plugged into the wall, and not at all otherwise. (When I do drag it around, I also take an extension cord.)

Comment: Re:How do you defeat dogs? (Score 1) 415

by Reziac (#47408227) Attached to: Police Using Dogs To Sniff Out Computer Memory

And it would only take once for a bright dog to connect "scent of activated charcoal" with "target". They DO make that sort of association.

As to the various things hunters attempt to disguise their scent, I'm too lazy to look for it right now but I recall seeing a study on the effectiveness of scent-disguising potions and amulets, and the conclusion was that they accomplish about the same as any magical potion or amulet.

See also above where I talk about distinguishing one scent from many, as dogs do all the time anyway.

Comment: Re:How do you defeat dogs? (Score 1) 415

by Reziac (#47408155) Attached to: Police Using Dogs To Sniff Out Computer Memory

The fallacy is that the smell of dirty diapers will overwhelm and disguise the scent of the target. The truth is that dogs with good noses (which not all have) are quite capable of sorting out different scents from a multitude (in fact they do this every time they follow ANY scent, since almost everything in the world HAS a scent), and merely covering up the target scent is usually insufficient. Also, they can detect a mere handful of molecules, what any object might naturally ablate. Furthermore, experienced dogs learn that if you lose one scent, you follow an associated scent, in this case the foot track or bodyscent track of the person who hid the bagged target.

I used to live where some prior resident had thrown beer cans around the front yard, but across the years two feet of dirt had blown in over 'em (very fine dirt, very densely packed). I was mystified by the deep narrow holes my dogs were digging, til I realised the goal was an aluminum can, two feet down, which the dogs evidently scented and targeted. (Dogs tend to home in on galvanic reactions and electronics in general, even without training. This is why keyfobs are a fave chewtarget.)

[Pro dog trainer here]

Comment: Re:Amazoing (Score 1) 415

by Reziac (#47408015) Attached to: Police Using Dogs To Sniff Out Computer Memory

And even if dogs could make explicit statements, dogs are like children in that they want to please -- and that includes telling you what you want to hear. If there's more reward for telling you "drugs and disks in that box" than for finding nothing, you betcha the dog will alert, every single time. Dogs can and do "lie".

[I am a pro dog trainer. That detection dogs commonly produce bogus results a la "Clever Hans" is pretty obvious to me... but evidently not to the people training detection dogs. But it does explain why perhaps the most sought-after detection training prospect is the retriever fieldtrial washout, who has already been extensively taught to take direction.]
