Archive for May, 2008

Discovered the ultimate cure for the NIMBY syndrome!

Reported by Beppe Grillo (popular Italian blog), but ignored by mainstream television news as usual: with an urgent decree effective since May 1st 2008, the Italian Government allows toxic/nuclear waste storage sites, polluting power plants, incinerators and similar tourist attractions to be covered by State Secret.
Information about their existence, location and environmental impact can be declared "classified": anybody revealing them risks up to 5 years in prison.
Even the official Public Health agencies are banned from exercising their ordinary monitoring powers: in other words, ordinary people cannot actually measure, know or tell whether a certain place on the sun-blessed Italian seaside or countryside is being actively poisoned by a government-blessed shit factory.

In the embedded Youtube movie clip, former Minister of Culture and Tourism Francesco Rutelli (of the cabinet which wrote the aforementioned decree) invites you to visit the Best Country in the World®.
Where are you going to spend your summer vacations?
Any relocation hint for me and my family?

Paypal XSS

The Register columns are getting better and better at web-security-related content.
In one single article, Dan Goodin managed to:

  1. Report an XSS hole in PayPal's "safe" area (the wet dream of all XSS kiddies), enabling all sorts of profitable scams, from credential stealing to automated transactions riding the session of an authenticated user.
  2. Make a very valid point about extended validation SSL certificates being overrated, if not just an expensive joke, because the green bar is more than happy to "certify" XSS-compromised pages as legitimate (obviously): in other words, the perfect phish works even better if you've got a modern, secure browser supporting EV SSL :)
  3. Deride McAfee's Hacker Safe one more time for its ridiculous stance on XSS vulnerabilities -- OK, that's just beating a dead horse...

Just a little addition of mine: despite PayPal's "safe browser" nonsense, there is only one browser which can save you from XSS exploitation.

In other news, Redmond - The Independent Voice of the Microsoft IT Community, formerly known as the Microsoft Certified Professional Magazine, joined the party of ASP/MS SQL Server sites that were SQL-injected to serve JavaScript malware.
Considering the wide coverage this epidemic enjoyed in the past week, I wonder what a "Certified Professional" usually reads besides Microsoft EULAs...

Rhino VS Bean

Even if I'm the NoScript guy, I write a lot of JavaScript all day long. As you probably know, even the JavaScript Annihilator is mostly written in JavaScript. Like Crock, I love the language, despite its current browser-bound shortcomings.

So far, my favourite editor for JS coding has been jEdit with its JavaScript plugin, providing syntax highlighting (of course!), on-the-fly syntax checking via Rhino and optional code completion with configurable scopes, including Mozilla "chrome window" and XPCOM.

But today I've watched a presentation of the new NetBeans 6.1 JavaScript capabilities, and I'm impressed.
Dynamic type guessing, browser-specific contextual help and DOM-aware AJAX library support (John, guess which they show in their demo?) may be really worth the switch.

After hearing me cry for help, my friend Sirdarckcat went hunting and entrapped a poltergeist which haunts IE only.

Is this the one Manuel Caballero was talking about?
Or was that a different cross-browser evilness?

However, I ain't afraid of no ghosts :)

Casper on Paypal

I would be very interested in learning some technical details of Manuel Caballero's talk at BlueHat, titled A Resident in My Domain, but so far the news is very scarce, fragmented and contradictory.

Its abstract is intriguing:

A Resident in My Domain

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.

Then we've got two quite reticent posts by Nate McFeters, who was there but pretends he doesn't remember well enough and/or he can't disclose such an atomic bomb ;)

There's some discussion at TSSCI, but it adds more questions than answers: the article points out similarities with two distinct old and fixed bugs, the nastier one affecting IE and the other Firefox; some comments speculate about an IE7-only, possibly patched, vulnerability; but why so much secretiveness if it was already fixed?
Nate, on the other hand, wrote that this is "a horribly serious issue that affects all browsers and is currently not fixed on any of them".

Direct inquiries in the security circles I'm a member of did not bring anything less ectoplasmic to the table.

Therefore, all the juice we've got so far is a couple of photos, which support only the following statements:

  1. It is scary.
  2. It has something to do with JavaScript and IFrames.
  3. It definitely works in IE7.

If you can summon anything useful, you're very welcome!
