Comments on: Malware 2.0 is Now!

By: » You Suck at Web Security riahmat1c

» You Suck at Web Security riahmat1c — Mon, 04 Feb 2008 21:45:16 +0000

[…] The only reason I stumbled into actual web security consciousness was because of some catchy headline in the search results fro a totally unrelated query. Gareth’s post about JavaScript hacking immediately appealed to the coder in me. The strange looking mangling of the language was oddly appealing. “How the heck does that still run!”, I thought. It was only after exploring the blog a bit more and the others it linked to did the situation begin to sink in. This was a whole other face of web applications I had never known about. It’s shocking that such a fundamental part had totally escaped me for so long (perhaps some people are just lazy, but I plead ignorance). “if today’s malware mostly runs on Windows because it’s the commonest executable platform, tomorrow’s will likely run on the Web, for the very same reason. Because, like it or not, Web is already a huge executable platform, and we should start thinking at it this way, from a security perspective.” Giorgio Maone […]

By: silveralfa

silveralfa — Mon, 04 Feb 2008 17:46:30 +0000

I can only think of 2 good reasons to go around without your e-armor. 1) To phish for hackers and such, using a program that records attacks, but is not preventing them, on a dedicated “screwing around” kind of PC which is expendable. And then…what could you do with tracing their sources? You might also like to watch the programs compete to do the most damage. 2) To test the effectiveness of anti-whatever programs, having created a truly infested machine for them to play on. I think I know why Java is “Java” script … not only do the coders stay up all night with lots of java, but it “brews” trouble, and causes us to need lots of java whilst fixing the problems!

By: Giorgio

Giorgio — Mon, 21 Jan 2008 03:07:29 +0000

@Steve Miller:
Thank you for reporting the excessive width of the main page: it was caused by my “Merry XSSMas” post, whose final greeting was a long cryptic URL which couldn’t be wrapped. Now it’s fixed :)

Regarding my captcha (which is the famous ReCaptcha service), it has a scriptless fallback, which does work: in facts, I’m currently using it to submit this comment.
Some reasons why it may fail:

You’ve got IFRAMEs disabled (not your case, as you could see the captcha)
You’ve got cookies disabled (you need to accept cookies from recaptcha.net, which are used to maintain current captcha state)
You didn’t copy the whole code (admittedly, the textarea size sucks, hiding half of the validation string)

I wish I could find the time to set up a self-hosted scriptless captcha, but until then I guess I must live with this one…

By: Steve Miller

Steve Miller — Mon, 21 Jan 2008 00:46:04 +0000

Great site, but why is the first page wider than my screen, therefore forcing me to horizontally scroll for reading all? (looking at the comments scales it, making it more user friendly.)

BTW: The Captcha test failed with my freshly installed NoScript. It told me “You’re a human! Please enter the following code in to the text box below:”; there was a window with a random looking string; submit consequently failed.

Obviously being able to post a comment needs JavaScript; I would have expected that a (rightfully) advocate of having them turned off would not use them :-) (No offense! Only an observation; I am sure you have good reasons for using them)

By: Onyx

Onyx — Sun, 13 Jan 2008 20:38:16 +0000

No I don’t believe in browsing the web without noscript on 24/7 blocking all content by default.

By: zomo

zomo — Sun, 13 Jan 2008 08:36:24 +0000

No doubt, Web is already the main target now.Everything we did with our desktops , we do it now over the web including commonalities like spreadsheets etc.