Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Pixel Perfect Timing Attacks (Score 1) 41

Easily one of the best technical talks I have ever seen; how timing attacks can be used to break the same origin policy and read the contents of a frame. This talk included demo's of an attacker site loading up a target site in a frame and reading the contents to grab the CSRF token. It was awesome.

Comment Giant virtual bar (Score 3, Interesting) 630

In my experience, the most popular dating sites (listed as type 1 in the article, like OKCupid and Match) are like giant bars. The women are hounded from all directions by men, and the men seem to have to fight to distinguish themselves. Every good friend I know that is female and on one of these sites is constantly bombarded and things quickly devolve into shallow initial impressions. I'm willing to bet most relationships started at bars are often shaky when things get real as well.

Bethesda Criticized Over Buggy Releases 397

SSDNINJA writes "This editorial discusses the habit of Bethesda Softworks to release broken and buggy games with plans to just fix the problems later. Following a trend of similar issues coming up in their games, the author begs gamers to stop supporting buggy games and to spread the idea that games should be finished and quality controlled before release – not weeks after."
The Internet

The Puzzle of Japanese Web Design 242

I'm Not There (1956) writes "Jeffrey Zeldman brings up the interesting issue of the paradox between Japan's strong cultural preference for simplicity in design, contrasted with the complexity of Japanese websites. The post invites you to study several sites, each more crowded than the last. 'It is odd that in Japan, land of world-leading minimalism in the traditional arts and design, Web users and skilled Web design practitioners believe more is more.'"

Comment A bit misleading ... (Score 5, Informative) 71

I see this and think the word "Hacked" gets thrown around a bit too easily. This is an example of non-persistent (also referred to as reflected) cross site scripting. This means that in order to take advantage of it, they have to convince a target to visit their specially crafted link. To me, "Hacked" sort of implies "They got in!" or "Data was breached!" or other such bad things and that simply isn't the case here.

So what does this type of XSS do? Mostly embarass people because defacement examples are posted to "look what I can do" forums (which is basically what happened). Think about the attack vector here, they have to get a victim to visit their specific url that includes their attack. How is that done? Malicious email, posting the link to some website or forum and hoping they find it and visit, embedding the link in other sites that have been hacked or something like a banner ad, or whatever. All of these involve the target going out of their way to visit this maliciously crafted url. When you consider that they could still do all these things without XSS and simply host malicious code themselves, all this reflected XSS is doing is making it a bit harder for an end user to spot that this is something non-standard and dangerous.

Think of it this way, "With reflected XSS, I can send them a link, and if they visit it, I can do bad things to their computer!" but then again, you can do that without XSS too, it just isn't quite as effective. How many users are taking the time to carefully look at a link before clicking on it, checking to make sure it contains the domain name they expect and not just an IP address, or a domain name that is similar, but not quite right, etc. A user who is doing this sort of thing will more likely fall victim to this XSS attack, but most users, who don't scrutinize things at that level, were just as susceptible to a classic phishing/malicious linking attack anyways.

Comment Re:Major Plotholes ... Spoiler Alert (Score 1) 967

Your second plothole isn't a plothole at all. Joker was taunting them, "I was here, clearly I couldn't have done this" while making it plain that he was responsible/involved. His "What time is it?" comment is followed by something about depending on the time they would be in one place or several. It's a very clear threat that they are in danger and time is sensitive. I think you are reading more into that scene then is actually there.

Slashdot Top Deals

Stinginess with privileges is kindness in disguise. -- Guide to VAX/VMS Security, Sep. 1984