Comments on: Mikeyy’s StalkDaily Twitter Worm vs NoScript

By: Twitter Trackbacks for hackademix.net » Mikeyy's StalkDaily Twitter Worm vs NoScript [hackademix.net] on Topsy.com

Sat, 29 Aug 2009 23:16:24 +0000

[…] hackademix.net » Mikeyy’s StalkDaily Twitter Worm vs NoScript hackademix.net/2009/04/13/mikeyys-stalkdaily-twitter-worm-vs-noscript – view page – cached Giorgio Maone’s answers to the Web, the Universe, and Everything * Home * Why * Me, ma1 — From the page […]

By: Jake Kasprzak Online › The Twitter XSS Worm and Lessons That Can Be Learned From It

Mon, 27 Apr 2009 23:52:15 +0000

[…] here, is a modified yet non-obfuscated version of the source code used by the original worm. As Giorgio Maone said, it appeared as if those trying to correct this issue were trying to defend again…. A few days after this was mentioned, Lynne Pope mentioned that with variations of the worm […]

By: Tom T.

Tom T. — Tue, 14 Apr 2009 21:43:18 +0000

#9 Giorgio says:
April 14th, 2009 at 12:18 pm

@Tom T.:
I believe there’s a little misunderstanding here. What therube means, I guess, is that most NoScript users keep the default (medium lockdown) configuration, i.e. they’ve got “Base 2nd level Domains” checked in the Appearance options…

#12:
However most tech savvy users do understand this issue and switch “Full domains” or “Full address” view (I use the former, and I guess therube does as well)

Yes, my misunderstanding. I assumed therube was referring to the General tab, "Temp Allow … by default" (Full, Base 2nd, etc.), rather than the Appearance tab. FWIW, I do have "Full address" view selected there. Thanks for clearing up my misunderstanding.

By: Giorgio

Giorgio — Tue, 14 Apr 2009 18:41:59 +0000

@duryodhan:
for the sake of usability. NoScript is aimed to the average user, despite some dissenting voices, and you need to draw the line somewhere: on some sites the number of menu items is already overwhelming by default, and the choice can be hard and time consuming.

However most tech savvy users do understand this issue and switch “Full domains” or “Full address” view (I use the former, and I guess therube does as well).

By: duryodhan

duryodhan — Tue, 14 Apr 2009 18:28:01 +0000

Hmm .. he does raise a good point though… is there any way to host a js on Google.com / Yahoo.com etc. subdomain?

Any particular use cases why "Base 2nd level domains" is the default?

By: Web worm infetta Twitter: di cosa si tratta? - Appunti Digitali

Web worm infetta Twitter: di cosa si tratta? - Appunti Digitali — Tue, 14 Apr 2009 11:00:43 +0000

[…] le raccomandazioni sono sempre le stesse: tenere sempre la guardia alta e usare plugins come NoScript. Gli sviluppatori web, dal canto loro, dovrebbero seguire con cura le linee guida indicate da OWASP […]

By: Giorgio

Giorgio — Tue, 14 Apr 2009 10:18:25 +0000

@Tom T.: I believe there's a little misunderstanding here. What therube means, I guess, is that most NoScript users keep the default (medium lockdown) configuration, i.e. they've got "Base 2^nd level Domains" checked in the Appearance options. This doesn't mean they've got anything allowed by default, this just means that when they popup NoScript's menu they can see 2^nd level domains (like uuuq.com) rather than full domains (mikeyy.uuuq.com. However it's just as unlikely that any NoScript user has uuuq.com in his/her (permanent) whitelist.

By: Zero Day mobile edition

Zero Day mobile edition — Tue, 14 Apr 2009 09:19:27 +0000

[…] campaigns. With the proof of concept code for both of the worms now publicly available, and with NoScript’s creator Giorgio Maone logical conclusion that Twitter may have in fact not taken care of the XSS flaw as the second variant launched by a […]

By: Tom T.

Tom T. — Tue, 14 Apr 2009 04:11:56 +0000

therube wrote:

"Going on the assumption that the majority of NoScript users have (the default) ‘Base 2nd level Domains’ enabled,"

Ever since the decision to default to full lockdown of ClearClick protection (trusted and un-), I had assumed that full lockdown was the default on all. We are telling people, "Everything is blacklisted by default". I’ve always run that way.
http://img21.imageshack.us/img21/884/nslockdown.png
If *any* levels of domains are allowed by default, perhaps that decision should be reconsidered, or we should warn people and amend the FAQ, Beginner’s Guide, etc. accordingly.

By: GµårÐïåñ

GµårÐïåñ — Mon, 13 Apr 2009 20:47:20 +0000

Well as I always say, stop chasing fads, use common sense, and try to take a pessimistic approach to the web and protect yourself proactively. Always knew NoScript rocks, now the proof is in the pudding :)