
Submission + - Silk Road 2.0 Seized By FBI, Alleged Founder Arrested In San Francisco

blottsie writes: The FBI has arrested the online persona "Defcon," identified as Blake Benthall, a 26-year-old in San Francisco, who the agency claims ran the massive online black market Silk Road 2.0. Benthall's FBI arrest comes a year after that of Ross Ulbricht, also from San Francisco, who's the alleged mastermind of the original Silk Road and still awaiting trial.

The largest of those reported down is Silk Road 2.0. But a host of smaller markets also seized by law enforcement include Appaca, BlueSky, Cloud9, Hydra, Onionshop, Pandora, and TheHub.

Submission + - Can anything escape a black hole? (nature.com)

Annanag writes: *Nothing* escapes a black hole, right? Except 40 years ago Stephen Hawking threw a spanner in the works by suggesting that, courtesy of quantum mechanics, some light particles can actually break free of a black hole's massive pull. Then you have the tantalising question of whether information can also escape, encoded in that so-called 'Hawking radiation'. The only problem being that no one has ever been able to detect Hawking radiation being emitted from a black hole. BUT a physicist has now come closer than ever before to creating an imitation of a black hole event horizon in the lab, opening up a potential avenue for investigating Hawking radiation and exploring how quantum mechanics and general relativity might be brought together.

Submission + - PETA is not happy that Google used a camel to get a desert "StreetView" (kitsapsun.com)

flopwich writes: So Google used a camel-mounted camera to get a "street view" of a stretch of desert in the United Arab Emirates. PETA's director is all sniffy about it, saying they should have used jeeps. Oblivious to PETA's opinion, the camel in the video, munching food as it carries the camera, really doesn't look like it minds all that much.

Comment CISO of Yahoo says "not Shellshock" (Score 1) 69

Alex Stamos, the CISO of Yahoo, posted an in-response bulletin on Hacker News to clear up the rumor that this breach was caused by Shellshock.

Straight to the point, he states that it was not Shellshock that the system was vulnerable to but a separate command-injection vulnerability in their log parsing scripts. Though... Shellshock itself is a command-injection / parsing vulnerability so I'm sure many will skip over the technicalities and consider them one and the same.

At first I was surprised that he came forward and gave explicit details that, well, can now be targeted against. On the other hand, I think it's pretty cool of them to be so open (either that, or they really didn't want to be the "large company" that was affected by Shellshock =P).

Submission + - "Rosetta Flash" attack leverages JSONP callbacks to steal cookies! (arstechnica.com)

newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today dubbed the "Rosetta Flash" attack.

JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the "Rosetta Stone" attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the site being targeted, bypassing all Same-Origin policies in place.

Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack; however, several were patched prior to the public release and Tumblr patched within hours of the release.
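An added example in JavaScript (not from the submission or from any of the sites it names) of the server-side mitigation the post implies: a JSONP responder that restricts the callback name and pins the first bytes of the response with a `/**/` prefix, the fix several affected sites shipped. The function names and the constructed callback strings are my own; the point the code makes is that name validation alone does not help, because a crafted SWF can be entirely alphanumeric and so looks like a legal identifier.

```javascript
// Added example, not code from the Slashdot post or any site it names.
// A Rosetta Flash style payload needs the response body to BEGIN with a SWF
// signature ("FWS", "CWS" or "ZWS") built only from characters the JSONP
// endpoint reflects verbatim into the callback name.

// Identifier-like callback names only (dotted names allowed for namespaces).
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Heuristic bound: real callback names are short, a whole SWF is not.
const MAX_CALLBACK_LENGTH = 64;

function isSafeCallbackName(name) {
  return typeof name === 'string'
    && name.length <= MAX_CALLBACK_LENGTH
    && CALLBACK_RE.test(name);
}

// Build the JSONP body. Returns null for an unacceptable callback so the
// caller can answer 400 instead of reflecting attacker-chosen bytes.
function buildJsonpBody(callbackName, data) {
  if (!isSafeCallbackName(callbackName)) return null;
  // The leading comment fixes the first bytes of the response, so the body
  // can never start with a Flash signature no matter what the name contains.
  return '/**/' + callbackName + '(' + JSON.stringify(data) + ');';
}

// Headers that belong with the body: nosniff stops content-type guessing,
// and a script content type is not a Flash type.
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Detection helper for tests and log review: does a body look like a SWF?
function startsWithSwfSignature(body) {
  return /^(FWS|CWS|ZWS)/.test(body);
}

// Constructed stand-in for a crafted callback: it passes the identifier
// check (all alphanumeric, starts with "CWS"), which is exactly why the
// prefix is the mitigation that matters.
const CRAFTED_CALLBACK = 'CWSabcdefg0123';
```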

Comment Comments based on experience? (Score 0) 516

When Microsoft first announced Windows 8, the bashing began (as usual and expected). "Metro's bad", "no Start Menu", yada yada.

Now, fast forward to today - Windows 8.1 and still no Start Menu. Is it really that bad? How many users that are commenting here, complaining about it, have actually tried it? Does it truly hinder your ability to use the computer?

I, for one, have not tried Windows 8. Not because I don't like the idea of it but because I'm still on Windows 7 and have no need to actually upgrade yet. However, I have *seen* both PCs and laptops with Windows 8 (neither with touch screen) and it actually looked pretty good. Both switched from the Metro-giant-buttons screen over to the desktop and it looked like a normal computer with a normal version of Windows on it, nothing crazy.

The primary reason I'm not going to issue a complaint about the "no Start Menu" isn't because I haven't actually tried Windows 8 and dislike it, it's because as an actual "power user" of Windows, I don't use the Start Menu that much. WinKey+R to run whatever I need, main apps pinned to the taskbar, "My Computer" / "Documents" icons available on the desktop - everything one double-click away. My linux boxes are quite similar (except the WinKey+R, of course =P).

Are there any users out there that actually had their "experience" ruined because they didn't have a Start Menu and, if so, why / how?

Comment Not too convincing... (Score 4, Insightful) 60

The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to its own eBay page so +1 for that.

The one hint it does include is a picture and in the picture you can see that the JavaScript is being inserted into the title of the listing (not sure if that's the actual vulnerability or not though). However, as a security researcher, showing a PoC against a large company requires more than a simple alert(1) and instead should use something such as alert(document.domain). The reason for document.domain is because it will show what hostname the JavaScript is executing under - which means everything when it comes to security.

If this is really an XSS hole and eBay comes back with "it's not that bad", there's a good chance that the JavaScript is executing in an iframe on a separate domain which means attackers would not have important access such as a user's cookies / etc. Instead, they'll only be able to execute arbitrary JavaScript (which is bad, but nothing worse than setting up a bad domain and using SEO tricks to drive traffic to it).

Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?
