
Comment Re:this is not NEW (Score 1) 116

The concept of web-based DDoS is not new. Attacks based on refreshing images and scripts have been around for a good while. The use of HTML5 cross-origin requests to perform these attacks at much higher rates, combined with URL shortening obfuscation, is, afaik, a new concept. That is not to say that others hadn't thought of it, but I certainly haven't seen it implemented anywhere.

But yeah, if you did indeed have this idea 10 years ago, before HTML5 was even conceived, I commend you. That kind of foresight is rare.

Comment Re:The joy of being a programmer... (Score 5, Interesting) 116

Thank you for pointing out the extra http:/// issue, it's been fixed in the live version. Bug leftover from an earlier test version.

The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.

As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.

You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks

Submission + - The Evil URL Shortener

supernothing writes: DDoS attacks seem to be in vogue today, especially considering the skirmishes over Wikileaks in the past few weeks. The size of a DDoS attack, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they be willing or unwilling. A new approach has been emerging recently, however, which uses some simple Javascript to achieve similar ends. is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iframe, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large scale DDoS attacks, and affords willing participants plausible deniability in the assault. Full writeup here.

Submission + - Gmail XSS in Google Chrome

supernothing writes: I recently discovered an XSS vulnerability in Gmail, which could be triggered by a user simply viewing a malicious email with a specially named file attached. This bug was particularly interesting in that it only affected Google Chrome users of the service. Successful exploitation could run Javascript in the context of the logged in user, opening the door for all kinds of malicious activity. While it has now been patched by Google, it still provides an interesting look into the kinds of problems that still occasionally plague webmail interfaces.

Submission + - NEW Defcon Social Engineering CTF competition

An anonymous reader writes: In a twist to the popular "capture the flag" game played by hacking teams every year at Defcon, the hacker conference is hosting a contest that aims to test participants' social engineering skills — without anyone getting hurt.

Submission + - Quit Facebook Day 1

robbievienna writes: The movement to quit Facebook due to privacy concerns has just taken a new turn. Over 2^15 facebookers think so, and have pledged to cancel their accounts. Quitting Facebook isn't easy. Facebook is engaging, enjoyable and quite frankly, addictive. Quitting something like Facebook is like quitting smoking. It's hard to stay on the wagon long enough to actually change your habits. Having peer support helps, but the way to quit Facebook is not to start a group on Facebook about leaving Facebook.

Submission + - Facebook, I loved you. And you blew it.

cirictech writes: A Dear John letter to Facebook. The whys you should leave and not feel bad.
I can't do it anymore. I wish I could, but this just isn't working out, Facebook. The lies, the viruses, the two-timing with advertisers, I just can't handle it all. I don't have the time or the energy to deal with all of your deceptions and all of your constant attacks on my privacy. I need my personal space. I think I want to try other social networking sites, and I think it's best that I leave you alone with your soul mates: the advertisers, the identity thieves, the stalkers, and the spies. It will be better this way.

Sure, we had some great times in the beginning.

Submission + - Breaking Up With Facebook

supernothing writes: This is the last straw. Facebook has betrayed its users for the last time. Time and time again it has violated the trust its users have given it. This article summarizes why it is time to break up with Facebook, and forge a new, healthy relationship with a social networking site more deserving of our data.

Submission + - Google Releases a Tutorial for Hackers 1

Hugh Pickens writes: ""Learn how hackers find security vulnerabilities and exploit web applications!" as the San Francisco Chronicle reports that Google has released Jarlsberg, a "small, cheesy" web application specifically designed to be full of bugs and security flaws as a security tutorial for coders and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities. In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."

Submission + - How Assumptions Are Making Us All Insecure

Trailrunner7 writes: In the space of a given year, untold thousands of vulnerabilities are found in operating systems, applications and plug-ins. In many cases, the affected vendors fix the flaws, either with a patch, a workaround or some other mitigation. But there's also a huge population of security bugs that vendors never fix because they're deemed unexploitable, an assumption that may be turning into a serious mistake for software makers. Microsoft made such a call earlier this year, after researchers at Core Security informed the company that they had found a vulnerability in the Microsoft Virtual PC software. The flaw, which affected the virtual machine monitor (VMM) in Virtual PC, could enable an attacker to use applications running in user-space on a guest OS to access portions of the Virtual PC memory that should be inaccessible to those applications. This gives the attacker the ability to bypass anti-exploitation technologies in the underlying operating system and exploit flaws in the OS that otherwise would not be exploitable.

The difference in this case, experts say, is that the Virtual PC vulnerability is the symptom of a larger problem lurking beneath the surface: assuming that protections such as ASLR, DEP and SafeSEH will always be around to save us. "We're less worried about this particular vulnerability than we are about the now-exposed (incorrect) assumption that various security mechanisms will always be in place. It's obvious that a complete re-calibration of exploit potential for uncategorized bugs will become necessary if vulnerabilities like the one described here remain in our fielded systems. Not so good for Windows 7," Gary McGraw of Cigital said.


Submission + - Google Acquires BumpTop, a 3D Desktop Developer

WhiteDragon writes: "Google has acquired Bump Technologies Inc., better known as the creators of BumpTop--a freeware application that transforms one's generic, two-dimensional desktop into a walled, three-dimensional, navigable display. In addition, the software is fully compatible with multi-touch gesturing as well, provided one's hardware supports such technology."

Submission + - Why Chinese Hackers Aren't A Threat

supernothing writes: There's a lot of crazy talk going around about imminent cyber warfare with China, helped in no small part by the largely debunked claims of Richard Clarke. This article explores the true motivations behind the recent Chinese cyber attacks, and why we shouldn't act like the sky is falling.

To summarize for those who won't read anything unless it's in meme form:

"1.) China loans U.S. large sums of money.
2.) U.S. uses said money to create new intellectual property.
3.) China breaks into networks and takes said property, then also forces U.S. to pay back their debt with interest.
4.) ????
