hackademix.net (http://hackademix.net): Giorgio Maone's answers to the Web, the Universe, and Everything. Feed built Wed, 16 Oct 2013 15:50:48 +0000 by WordPress 2.2.3 (http://wordpress.org/?v=2.2.3), language: en.

NoScript and FlashGot Unsigned
http://hackademix.net/2013/07/20/noscript-and-flashgot-unsigned/
Sat, 20 Jul 2013 18:36:29 +0000, by Giorgio

Notice to mariners: starting with NoScript version 2.6.6.9 (at the moment still a release candidate) and the next version of FlashGot (most likely 1.5.5.6), the packages (XPIs) of my Firefox add-ons won’t be signed anymore.

Almost no other Firefox extension gets signed these days (NoScript and FlashGot had been among the earliest and the few signed ones for a long time), and since AMO is the only authorized repository you can install add-ons from by default, there’s little or no point in keeping the relatively expensive and clunky signature machinery in place.

You’ve probably noticed that AMO lags quite a lot behind the stable versions. That’s because its editorial staff manually checks every line of code published as “stable” for security issues and known performance problems. Therefore, if you’d like to always run the latest and safest (a good idea for a security tool like NoScript), you may want to switch to the fast lane, i.e. the automatically up-to-date beta channel, by installing 2.6.6.9rc1 now.

NoScript’s “Security and Privacy Info” Feature
http://hackademix.net/2013/04/06/noscripts-security-and-privacy-info-feature/
Sat, 06 Apr 2013 19:59:20 +0000, by Giorgio

NoScript: Site Security and Privacy Info

Maybe you haven’t noticed yet (and I admit it’s not an exceedingly discoverable thing), but for a long time now NoScript has offered a “Security and Privacy Info” page.

This feature is meant to help you assess the trustworthiness of any web site shown in your NoScript menu.

You can access this service by middle-clicking or shift-clicking the relevant menu item.

Furthermore, power users can customize it by changing the value of their noscript.siteInfoProvider about:config preference to any URL template of their choice.

YAM (Yet Another Maone)
http://hackademix.net/2013/04/03/yam-yet-another-maone/
Wed, 03 Apr 2013 20:53:13 +0000, by Giorgio

Alberto Giuseppe Maone

I announce to you a great joy:
We have a Baby Boy;
The most eminent and most reverend Lord,
Lord Alberto Maone,
Who has taken the name Einstein.

Timestamp: 201304030735UTC.

Previous releases:

So Unicredit, Doesn’t My Visa Make Me Human Enough?!
http://hackademix.net/2012/11/05/so-unicredit-doesnt-my-visa-make-me-human-enough/
Sun, 04 Nov 2012 22:43:32 +0000, by Giorgio

No kidding, this is what I was shown this afternoon by Unicredit’s payment processor when I tried to make a payment with my own credit card (which, incidentally, is itself fed by a Unicredit bank account) on behalf of my sister:

Unicredit's captcha to demonstrate you're human before paying with your credit card

Of course, there’s always a lot to learn from a big fat financial institution about information security…

NSA++: NoScript is Back on your Android Smartphones
http://hackademix.net/2012/11/04/nsa-noscript-is-back-on-your-android-smarphones/
Sat, 03 Nov 2012 23:32:46 +0000, by Giorgio

NSA++, NoScript on Android

NSA++ (NoScript Anywhere Plus Plus, or NoScript 3.5 alpha for Android Native) has been in the works for a while now, and it’s finally ready for prime time, thanks also to the continuous help of the NLNet Foundation.

Even though it’s not yet as complete as its obsolete, Electrolysis-orphaned predecessor (NSA, designed for the now discontinued XUL Fennec, AKA Firefox 4 Mobile), NSA++ already provides the best security you can get in any mobile browser: besides its trademark flexible script-blocking facility, it features the first ever and still strongest XSS filter available, plus partial but functional ports of the unique ClearClick anti-clickjacking technology and of ABE’s firewall/LAN CSRF protection.

You can read more or try it with a recent Firefox Nightly (mobile or desktop, too!) on the NSA project page.

WYSIWYP (Re: Printing a Web Page)
http://hackademix.net/2012/06/19/wysiwyp-re-printing-a-web-page/
Mon, 18 Jun 2012 23:03:21 +0000, by Giorgio

Answering yesterday’s <Glazblog/> post: here’s your WYSIWYP (What You See Is What You Print) bookmarklet, to be dragged onto your bookmarks bar and used as an alternate Print button, which strips away all the printer-specific styles and restores them after printing.

Tried on Firefox only, it’s likely buggy as hell: the W3C FAQ page comes out fine and dandy, complete with its logo and all, but the ERCIM page looks remarkably ugly. Anyway, I’m confident my audience can amend it and give back :)

AntiGareth V2 (Sniper Edition With Scanner)
http://hackademix.net/2012/06/08/antigareth-v2-sniper-edition-with-scanner/
Thu, 07 Jun 2012 23:34:25 +0000, by Giorgio

As promised, I refined the AntiGareth bookmarklet I introduced yesterday by making it aim precisely at those Unicode code points (mostly combining characters) which this canvas-based scanner finds to bleed vertically.

Warning: I’m hosting the scanner on evil.hackademix.net because it amounts to a quite effective DoS attack against your CPU, especially on Firefox (which, on the other hand, finds many more “overbleeders” than Chrome): you’ll probably want to click the “STOP” button after \u20d2. Could anybody explain the awful speed difference, by the way?

However, I’m sure the script can be improved, both accuracy-wise and performance-wise, hence patches and forks are welcome. Enjoy :)

AntiGareth (Deunicodeized Twitter Bookmarklet)
http://hackademix.net/2012/06/06/antigareth-deunicodeized-twitter-bookmarlet/
Wed, 06 Jun 2012 11:34:38 +0000, by Giorgio

Annoyed to death by Unicode dickery like this?
Just drag AntiGareth onto your bookmarks bar and click it whenever nasty characters try to spoil your day :P

Note: I do know this bookmarklet currently replaces too much (everything higher than \u0100), and is therefore suitable only if your stream is entirely US English. I’ve got an idea for an automated HTML5-based method to detect misrendered code points and deliver selective killing, so stay tuned.

Update: version 2, which replaces “overbleeding” characters only, can be found here, together with the scanner I created to find them.

All Speech is Free Speech
http://hackademix.net/2012/03/08/all-speech-is-free-speech/
Wed, 07 Mar 2012 22:16:59 +0000, by Giorgio

Looks like the following quote is acceptable content under the current Mozilla Planet policy, and a rather pertinent answer to this now extremely popular post:

“The irony of religion is that because of its power to divert man to destructive courses, the world could actually come to an end. The plain fact is, religion must die for mankind to live. The hour is getting very late to be able to indulge in having key decisions made by religious people. By irrationalists, by those who would steer the ship of state not by a compass, but by the equivalent of reading the entrails of a chicken. George Bush prayed a lot about Iraq, but he didn’t learn a lot about it. Faith means making a virtue out of not thinking. It’s nothing to brag about. And those who preach faith, and enable and elevate it are intellectual slaveholders, keeping mankind in a bondage to fantasy and nonsense that has spawned and justified so much lunacy and destruction. Religion is dangerous because it allows human beings who don’t have all the answers to think that they do. Most people would think it’s wonderful when someone says, “I’m willing, Lord! I’ll do whatever you want me to do!” Except that since there are no gods actually talking to us, that void is filled in by people with their own corruptions and limitations and agendas. And anyone who tells you they know, they just know what happens when you die, I promise you, you don’t. How can I be so sure? Because I don’t know, and you do not possess mental powers that I do not. The only appropriate attitude for man to have about the big questions is not the arrogant certitude that is the hallmark of religion, but doubt. Doubt is humble, and that’s what man needs to be, considering that human history is just a litany of getting shit dead wrong. This is why rational people, anti-religionists, must end their timidity and come out of the closet and assert themselves. And those who consider themselves only moderately religious really need to look in the mirror and realize that the solace and comfort that religion brings you actually comes at a terrible price.
If you belonged to a political party or a social club that was tied to as much bigotry, misogyny, homophobia, violence, and sheer ignorance as religion is, you’d resign in protest. To do otherwise is to be an enabler, a mafia wife, for the true devils of extremism that draw their legitimacy from the billions of their fellow travelers. If the world does come to an end here, or wherever, or if it limps into the future, decimated by the effects of religion-inspired nuclear terrorism, let’s remember what the real problem was: that we learned how to precipitate mass death before we got past the neurological disorder of wishing for it. That’s it. Grow up or die.”
― Bill Maher, Religulous

Sandboxes are Overrated (Told You 4 Years Ago)
http://hackademix.net/2012/02/16/sandboxes-are-overrated-told-you-4-years-ago/
Thu, 16 Feb 2012 20:42:27 +0000, by Giorgio

Universal XSS 0day in Adobe Flash controlled users’ Web accounts:

As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

I was already preaching this four years ago: the more our assets move “into the cloud”, the less traditional security measures, meant to protect just your local system, suffice.

The battlefield is the web now, and there’s no coming back…
