Comment: Re:Only as secure as the gate-keeper. (Score 1) 280

by zaajats (#28886653) Attached to: Null Character Hack Allows SSL Spoofing

This isn't really a browser issue.

The browser is going "Show me that this cert is valid for paypal.com" and the CA is going "Here it is, for paypal.com", at least as far as the browser is concerned.
This is no more a flaw than if the CA just started letting anyone buy certs for paypal.com.

Having multiple CAs (and cheap CAs) is a good thing, but we're only ever as secure with SSL as the least secure CA.

As far as I understand, it's more like:

* Browser gets cert for Paypal.com\0.badguy.com from the server

* Browser reads domain from cert, but does so invalidly, and only gets Paypal.com

* etc
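The mismatch the comment above describes, shown as an added example that is not part of the original thread. A certificate's CN is an ASN.1 string, so it carries an explicit length and may contain a NUL byte; a checker that hands that buffer to a C string routine stops at the NUL and sees only the prefix. The function names, the "www." prefix on the comment's hostnames, and the sample CNs are assumptions constructed for this example; the hardened version simply honours the ASN.1 length and refuses any embedded NUL.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * A certificate subject CN is an ASN.1 string: length-prefixed, so it may
 * legally contain a NUL byte. Both functions below receive the CN the way a
 * parser would deliver it, as a pointer plus its ASN.1 length. Constructed
 * example; not code from the page or from any browser.
 */

/* Vulnerable check: hands the CN to a C string routine, so comparison stops
 * at the first NUL and "www.paypal.com\0.badguy.com" compares equal to
 * "www.paypal.com". The length is ignored, which is the bug. */
bool hostname_matches_naive(const unsigned char *cn, size_t cn_len,
                            const char *host)
{
    (void)cn_len;
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened check: honours the ASN.1 length and rejects any CN that contains
 * an embedded NUL, which can never be part of a DNS name. */
bool hostname_matches_safe(const unsigned char *cn, size_t cn_len,
                           const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    size_t host_len = strlen(host);
    if (cn_len != host_len)
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

/* Constructed CNs (assumption): the attacker controls badguy.com, so a CA
 * that validates ownership of the trailing domain would issue the first one. */
static const unsigned char EVIL_CN[] = "www.paypal.com\0.badguy.com";
static const unsigned char GOOD_CN[] = "www.paypal.com";
#define ASN1_LEN(lit) (sizeof(lit) - 1)   /* drop the C literal's own terminator */

int main(void)
{
    const char *host = "www.paypal.com";
    printf("naive, evil cert: %s\n",
           hostname_matches_naive(EVIL_CN, ASN1_LEN(EVIL_CN), host) ? "ACCEPTED" : "rejected");
    printf("safe,  evil cert: %s\n",
           hostname_matches_safe(EVIL_CN, ASN1_LEN(EVIL_CN), host) ? "ACCEPTED" : "rejected");
    printf("safe,  good cert: %s\n",
           hostname_matches_safe(GOOD_CN, ASN1_LEN(GOOD_CN), host) ? "accepted" : "REJECTED");
    return 0;
}
```

The point of the pair is that the fix is not in the CA at all: the same certificate is presented to both checkers, and only the one that treats the CN as a length-prefixed byte string rather than a C string rejects it.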

Security

New Click-Fraud Attack Is Stealthiest Yet 99

Posted by kdawson
from the penny-here-penny-there dept.
An anonymous reader sends news from The Washington Post's Security Fix blog of a new Trojan horse program that takes click fraud to the next level. The Trojan, dubbed FFsearcher by SecureWorks, was among the pieces of malware installed by sites hacked with the Nine-Ball mass compromise, which attacked some 40,000 Web sites this month. The Trojan takes advantage of Google's "AdSense for Search" API, which allows Web sites to embed Google search results alongside the usual Google AdSense ads. (SecureWorks' writeup indicates that Yahoo search is targeted too, but the researchers saw no evidence of the malware redirecting Yahoo searches.) While most search hijackers give themselves away on the victim's machine by redirecting the browser through some no-name search engine, FFsearcher "...converts every search a victim makes through Google.com, so that each query is invisibly redirected through the attackers' own Web sites, via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com (and with Google.com in the victim browser's address bar, not the address of the attacker controlled site). Adding to the stealth is the fact that search results themselves aren't altered by the attackers, who are merely going after the referral payments should victims click on any of the displayed ads. What's more, the attackers aren't diverting clicks or ad revenue away from advertisers or publishers, as in traditional click fraud: They are simply forcing Google to pay commissions that it wouldn't otherwise have to pay." If FFsearcher were the only piece of malware on the machine, it would have a better chance of staying under the radar.

Comment: Re:Well that's just fantastic (Score 2, Insightful) 150

by zaajats (#28386781) Attached to: iPhone 3.0 Update Delivers Prodigious Patch Batch

Now I'm looking at keeping my Sansa Fuze and Nokia E51. Apple can get fucked.

Your Fuze gets feature-rich updates often?

Point being — I find it somewhat strange that when Apple charges for an update, it's somehow worse than the competitors who don't offer any of the features, free or otherwise.

Comment: Re:Well that's just fantastic (Score 1) 150

by zaajats (#28380817) Attached to: iPhone 3.0 Update Delivers Prodigious Patch Batch

But when are they going to patch these security flaws on my 2.1 iPod? Paying for an update is ridiculous, especially when it fixes critical security flaws. I sure hope Apple does the right thing.

Sure, paying for a security update alone is a bit strange, but really — it's only $10 and gives you so much more. Besides, it's not like your iPod has been taken over by viruses due to the bugs.

Privacy

EU Data-Retention Laws Stricter Than Many People Realized 263

Posted by timothy
from the you-mean-like-a-12-month-year? dept.
An anonymous reader writes with a snippet from the Telegraph: "A European Union directive, which Britain was instrumental in devising, comes into force which will require all internet service providers to retain information on email traffic, visits to web sites and telephone calls made over the internet, for 12 months."

Comment: Re:I wonder what really got fixed... (Score 1) 129

by zaajats (#25778615) Attached to: Apple Quietly Releases Safari 3.2

The question is: why is Apple so quiet about rolling this update out and what it fixes, and since when does a minor Safari update require a reboot?!!

I'm not sure (lousy memory etc.), but I believe (some) previous Safari updates have required a reboot too. It might have something to do with the WebKit engine being used by apps other than Safari.

Microsoft

IE8 Breaking Microsoft's Web Standards Promise? 329

Posted by Soulskill
from the not-too-promising dept.
An anonymous reader points out a story in The Register by Opera Software CTO Hakon Lie which tells the story of how Microsoft's interoperability promise for IE8 seems to have been broken in less than six months. Quoting: "In March, Microsoft announced that their upcoming Internet Explorer 8 would: use its most standards compliant mode, IE8 Standards, as the default. Note the last word: default. Microsoft argued that, in light of their newly published interoperability principles, it was the right thing to do. This declaration heralded an about-face and was widely praised by the web standards community; people were stunned and delighted by Microsoft's promise. This week, the promise was broken."

It's funny.  Laugh.

Chinese Restaurant Suffers Large Translation Error 364

Posted by kdawson
from the invisible-and-insane dept.
linuxwrangler writes "Preparing for English-speaking visitors, a restaurant in China recently ran its name through an online translator, took the result, then purchased and mounted a large sign displaying the English version of their name: Translate Server Error." This one has been around for a couple of weeks but it's destined to become a classic.

Cellphones

FSF's "Defective By Design" Targets Apple Genius Bars 838

Posted by timothy
from the win-friends-and-influence-people dept.
mjasay writes "At OSCON this year, MySQL's Brian Aker made this bold statement: 'Microsoft is irrelevant ... We're more worried about Apple.' The Free Software Foundation appears to have caught the hint, and has turned its attention to all-things-Apple with a 'denial of service' attack on the Apple Genius Bars. The idea is to completely book all Genius Bars and then ask the 'geniuses,' over and over again, a few questions about Apple's proprietary ways (while, apparently, real customers with support issues are left to flounder). Lost in this anti-Apple fervor, however, is the Free Software Foundation's complete and conscious failure to protect the web. Richard Stallman has long felt that software that doesn't sit on his desktop doesn't affect his freedom, but isn't the opposite true? Why is the FSF focused on Apple when the bigger concern should be Google, Yahoo!, Amazon, and other web players, a point made by Tim O'Reilly recently at OSCON?" Defective by Design is just one of many FSF projects, remember; it hardly seems fair to say that the FSF has been ignoring the implications of software as a service.
