Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Re:Logitech C610 + ZoomText (Score 1) 63

Under Linux, I'm using a C615 with a Python OpenCV script to push it onto the screen.

The important point with using a webcam is that it needs to be able to focus at very short distances - the cheaper cams I've tried fail to produce sharp images when placed close enough to the book. Unfortunately this capability doesn't seem to get mentioned in the specs.

Does anyone know of cams with a good short-range focus other than Logitech C61x?

Comment Re:trust (Score 1) 83

Coming "from the world of browser toolbars" is somewhat of an understatement in this case.

We are talking about a founder of CDT (latterly Zango Canada), who paid affiliates to bulk-install spyware on unwitting Windows users' machines, using tactics up to and including browser security hole exploits. Hats don't come much blacker.

Comment Ancient news (Score 2) 68

Not sure why this is suddenly news, the Russian iframe traffic hubs have been running for over a decade now.

The destination URLs are typically clickfraud, exploits, and iframes to other traffic redirectors.

The domain registrar mentioned in the article (DirectI) is notorious for high levels of abuse from the Russian-language sploit/AWM community.

Comment Re:Now that other companies browser has a huge fla (Score 1) 83

Even without the security problem, I would disable XSS protection on my sites. If I've made a mistake and let an HTML-injection flaw in my app, chances are it'll still be vulnerable (since IE8's XSS protection is a pathetic string-hack on the HTML source which is insufficient to protect against anything but the most basic of attacks), so IE8 is offering only to obfuscate and not fix my problems.

Meanwhile if I allow XSS “protection”, I have a problem when someone legitimately uses a term in the query string that appears in the page and looks to IE like it might be dangerous. This is easy to do: just searching for ‘<style>’ will often break the CSS of the search results page.

Not only that, but I'm also open to deliberate sabotage when an attacker looks at my source, finds some script they don't like, and puts it in the query string so that IE8 doesn't execute it. Certainly this can be used to deliberately disable things like frame-buster scripts, to get around redress attack protections. It is presumably a form of this deliberate attack crafting that leads to whatever the undisclosed vulnerability is.

So no, I don't think Google are wrong. IE8's XSS protection is utterly, utterly bogus. It adds only more complication and more problems to webmasters' lot and no real effective security.

Comment Re:I like the Ras Al Gul approach (Score 2, Informative) 218

It will be nearly impossible to get delisted, too, and for good reason. For years the Russian malware gangs played silly buggers with changing names, corporations and hosting providers to pretend to be different unrelated entities whilst still engaging in the abuse.

So “but I bought this netblock from someone else, I'm not a hacker!” is, unfortunately, something we've already heard many times from the hackers.

Comment Re:Can't Pay Me (Score 5, Insightful) 405

The entire article is predicated on the idea that anti-virus software is effective at stopping malware.

But today, that simply isn't true. With the proliferation of web exploits and constantly-updated payloads, the traditional signature-based methods of detecting malware are almost totally useless. OK, they still pick up the odd old-school mail worm or whatever, but no-one's going to get infected by those these days; it's all about the web exploits.

(Even against the pen-drive infectors, which should be slower to mutate and easier to track, they're doing pathetically badly at the moment.)

Heuristics-based detections can pick up a few more trojans, but at the expense of user-befuddling and potentially dangerous false positives. Behaviour blocking is the only approach likely to be effective, but today's implementations are shonky and unreliable. This sort of stuff - full per-program-permissions - really needs to be provided at an OS level, not as a wobbly vendor layer on top.

Encouraging people to spend money on ineffective, performance-butchering anti-virus software is what we're doing too much of already, not something we need to be asking the Government to do more of. All it does is give users a false sense of security.

Slashdot Top Deals

Real Programmers think better when playing Adventure or Rogue.