Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Comment Re:javascript? (Score 3, Interesting) 238

I think you are thinking PostScript. PDF requires that all computations resolve to a well defined value based on information contained within the document (i.e. not turning complete). So then of course Adobe had to add a turing complete language back in.

I don't know if any implementations are stupid enough to implement this(at least without some very careful sanitizing); but(in addition to ramming in javascript and the ability to embed basically anything at all, thanks for nothing 'rich media annotations'), they even added: Launch Actions!

" Launch Actions
A launch action launches an application or opens or prints a document. Table 203 shows the action dictionary
entries specific to this type of action.
The optional Win, Mac, and Unix entries allow the action dictionary to include platform-specific parameters for
launching the designated application. If no such entry is present for the given platform, the F entry shall be
used instead. Table 203 shows the platform-specific launch parameters for the Windows platform. Parameters
for the Mac OS and UNIX platforms are not yet defined at the time of publication."

Your Standards Compliant Solution for executing arbitrary binaries with arbitrary parameters. No need for messy, version-sensitive, exploit code! Combine with javacript and web-interaction support to build documents that search the target's hard drive for interesting things upon being opened... Or(miracle of miracles!) build a PDF that runs the adobe update utility when you open it, you're sure to find something new every time!

Comment Re:Print to PDF (Score 3, Interesting) 238

Out of curiosity, were you dealing with enough fancy-forms-and-interactive-nonsense type PDFs that the 'just brutally rasterize it and let them eat .jpeg!' option wasn't an option, or were the attackers good enough that you didn't have a PDF renderer you could trust for the rasterizing duties?

Comment Re:Foxit Reader? (Score 5, Insightful) 238

That isn't really 'sanitizing', though: It's certainly good that you practice safe text on your computer; but if you are the mailserver guy, and may or may not have as much control as you'd like over the users and their filthy, weatherbug-encrusted, systems, you want to modify the file such that it no longer contains a potential payload, not merely use a reader that doesn't execute payloads.

Comment Re:Hmm (Score 3, Insightful) 175

Problem: Poor people can't afford power.
Solution: Supply just about the most expensive form of power available... for free.

Problem: The infrastructure build-out needed to produce cheap coal-fired electricity is never going to be justified by poor people as customers,and we can't afford it as a social or populist program.

Solution: As with so many things, the marginal value of going from 'nothing' to 'something' is a whole hell of a lot higher than the marginal value of going from 'something' to 'lots of something', so we can gain many of the benefits at a fraction of the cost by choosing a system that costs a lot per kilowatt-hour; but comparatively little in capital costs, and fuck-all in ongoing maintenance.

I realize that all the best insights fit on bumper stickers; but it is occasionally possible that ideas occupying several whole sentences are actually just elitist plots against honest common sense, rather than elitist communist plots against honest common sense and economic logic.

It's pretty mind blowing.

Comment Re:hmm.. (Score 1) 243

Of course the citizens are left to fend for themselves but the prisoners are evacuated in air conditioned buses.

California probably isn't the state to play that particular card in: their prison standards are so... exemplary... that they've been judged a violation of 8th-amendment prohibitions on cruel and unusual punishment. The not-notoriously-soft-on-crime feds have had them under oversight for a bit over 15 years trying to get the reckless negligence and massive overcrowding down to constitutionally-viable levels...

(Plus, of course, incarcerating somebody makes them your responsibility to a degree that you'd be accused of extreme nanny-stating for adopting with respect to free citizens. How popular would having the feds herd the locals out to protect them from the fungal menace be?)

Comment Re:Ah, no... (Score 1) 274

He didn't go to jail because somebody gives a damn about the class president, he went to jail because he compromized hundreds of access credentials and used them to gain unauthorized access to systems(and, unless the school's IT office is fairly conservative, the odds are increasingly good that you can hardly touch their system without crossing state lines).

His pitiful attempts at hiding probably didn't endear him to anybody, either.

Comment Re:Just Glass has this problem? (Score 2) 81

Architecturally, anything that scans QR codes(or accepts any other sort of input that isn't trivially human-verifiable beforehand, mag-stripes, NFC, 2d barcodes, whatever).

In terms of UI/UX constraints, I assume that 'glass' is atypically vulnerable because it has severely limited space(in terms of both screen resolution and user input options) for showing the user the details of what, exactly, a given QR code is going to do and asking them whether they want to do it, which creates an incentive to just do it automatically.

Any computer can be made to do dumb things based on valid-but-malicious input automatically; but some computers are more equal than others when it comes to being able to inform the user(though user density creates a fundamental upper limit here).

Comment Ah, all better! (Score 1) 95

Given that, at present, 'via the legal process' seems to consist of a variety of procedures that make getting a search warrant rubber-stamped by a handpicked sycophant look positively robust, I'm not sure how reassured I'd be even by 100% ironclad evidence that all data were divulged in accordance with 'legal process'.

Even aside from the high-volume shenanigans on the NSA side, whose legal justifications themselves are rather secretive, the good old 'National Security Letter' is a 'legal' process that essentially boils down to 'Somebody at a three letter agency asserts that the information demanded is in some way related to an investigation with national security implications. Pinkie Swear!'. No judicial involvement, no need to present any evidence for that assertion, a downright farcically bad record on recordkeeping(the FBI won't even tell congress how often they use the things), and a gag order that makes the operation essentially silent.

Sure, maybe Microsoft are better people if they are always complying under penalty of law, rather than as enthusiastic little quislings voluntarily cozying up to the spooks; but from the perspective of a potential customer, rather than an observing ethicist, what difference does it make?

Comment Re:Do Not Track... (Score 2) 162

it says a lot for the people that bought into the DNT, they'll buy into just about anything. Uncheck your third party cookies in your browser and that should take care of them tracking you to other sites. I have a multi purpose firewall that kept finding tracking cookies until I cut out third party cookies now it doesn't find any.

Your measures are... outmoded.

Sure, cookies make things markedly easier(since data persistence is what they do, in a sort of feeble, hacky way); but there are so many more bits of information available if you want to fingerprint a user. Even better, the ones that squirm the hardest against the easy methods tend to end up with the most unusual configurations.

Slashdot Top Deals

Weekend, where are you?