flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

Goto page Previous  1, 2, 3 ... 9, 10, 11
Author
Thread Post new topic Reply to topic
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
Furs wrote:
Do you really audit addons when you install them?
I audited them by use. That is, I have a temporary browser which I proxy and run the new add-on for a while to monitor the outgoing data stream and watch for anything new and/or unusual. After a few days, if I was satisfied, then I would install the same code into my awesome FF3.6.28. Then I never update them. And whenever I've checked back later there has not been any new "Feature" that I have wanted so I wasn't missing anything by keeping the old code.

I don't have many add-ons so it is not a greatly onerous task actually.
Post 10 Feb 2018, 14:08
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/
Quote:
If you want to load a crypto miner on 1,000+ websites you don't attack 1,000+ websites, you attack the 1 website that they all load content from. In this case it turned out that Text Help, an assistive technology provider, had been compromised and one of their hosted script files changed.
"Things could have been much worse," Cluley said in a blog post. "Imagine if the plug-in had been tampered with to steal login passwords rather than steal CPU resources from visiting computers."
Post 12 Feb 2018, 13:40
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
The following site is a total disgrace:

http://www.wherestheflux.com/single-post/2018/03/19/tldr-DIPPING

It is run by Wix. And all of the Wix based sites have the same <body> content:
Code:
<body>
        <div id="SITE_CONTAINER"></div>

    
    
    
    
    
    
    

    </body>    
Yes, that is an empty body, not a misquote. Sad
Post 20 Mar 2018, 09:14
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 1201
I've seen a lot of stupid sites like that, where nothing shows up without turning on JavaScript. Retarded.
Post 20 Mar 2018, 13:35
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
What website are you really on? Edge zero-day leaves users with no clue
Quote:
Beautifully simple’ flaw allows attackers to impersonate trusted sites.
I bet you can guess the problem here. JS. Without JS there is no problem.
Post 04 May 2018, 02:02
View user's profile Send private message Visit poster's website Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1244
Location: Icarian Sea
Oh what a fuss, i think i am gonna begin Javascript lessons Razz
Post 04 May 2018, 09:31
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
https://arstechnica.com/information-technology/2018/05/attackers-can-send-sounds-to-ddos-video-recorders-and-pcs/
Quote:
The technique was also able to disrupt HDDs in desktop and laptop computers running both Windows and Linux. In some cases, it even required a reboot before the PCs worked properly. The technique took as little as 45 seconds to cause a Dell XPS 15 9550 laptop to become temporarily unresponsive when it was exposed to a “self-stimulation attack”—meaning when the laptop played malicious audio over its built-in speaker. When the sound played for two minutes or more, the computer had to be rebooted for the drive to work properly again.
The article appears to miss the point about the potential "audience" of the attack. Sites running JS can play audio without prompting from the user. So just play some ultrasonic "music" that the human users can't hear and make their systems crash.
Post 01 Jun 2018, 16:43
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 1201
More fuel for me in my quest of making stubborn people use headphones, thanks.
Post 01 Jun 2018, 19:10
View user's profile Send private message Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 7394
Location: ˛                              ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣ Posts: 6699
crazy shit,
the fragile computers and mobile phones,
i demand a new processor from scratch, Laughing

does shrinking things into nano size somehow expose them to more variables?
Post 01 Jun 2018, 22:35
View user's profile Send private message Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 1201
sleepsleep wrote:
crazy shit,
the fragile computers and mobile phones,
i demand a new processor from scratch, Laughing
Processor? This is about hard drives and their sensitivity to sounds.

sleepsleep wrote:
does shrinking things into nano size somehow expose them to more variables?
What's easier to break or smash: a real car or a toy car?
Post 02 Jun 2018, 11:19
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
sleepsleep wrote:
does shrinking things into nano size somehow expose them to more variables?
I'm not sure about the actual physical shrinking aspect, but certainly the ability to make things more complex will open up more opportunities to have flaws.
Post 02 Jun 2018, 17:48
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
https://www.bleepingcomputer.com/news/security/css-is-so-overpowered-it-can-deanonymize-facebook-users/
Quote:
In research published today, Ruslan Habalov, a security engineer at Google in Switzerland, together with security researcher Dario Weißer, have revealed how an attacker could abuse CSS3 mix-blend-mode to leak information from other sites.

The technique relies on luring users to a malicious site where the attacker embeds iframes to other sites. In their example, the two embedded iframes for one of Facebook's social widgets, but other sites are also susceptible to this issue.

The attack consists of overlaying a huge stack of DIV layers with different blend modes on top of the iframe. These layers are all 1x1 pixel-sized, meaning they cover just one pixel of the iframe.

Habalov and Weißer say that depending on the time needed to render the entire stack of DIVs, an attacker can determine the color of that pixel shown on the user's screen.

The researchers say that by gradually moving this DIV "scan" stack across the iframe, "it is possible to determine the iframe’s content."

Normally, an attacker wouldn't be able to access the data of these iframes due to anti-clickjacking and other security measures implemented in browsers and in the remote sites that allow their content to be embedded via iframes.
Naturally it is all run by JS code. Such a pity that without JS running the attack fails. Wink
Post 03 Jun 2018, 13:34
View user's profile Send private message Visit poster's website Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 301
Location: Belarus
I like it how researchers these days tend to do some stupid stuff like relying on time measurement, heat output and moon phases to determine in a very cool way that target user has set Google as his/her default search engine.

They’d better do something useful.
Post 03 Jun 2018, 21:20
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
DimonSoft wrote:
I like it how researchers these days tend to do some stupid stuff like relying on time measurement, heat output and moon phases to determine in a very cool way that target user has set Google as his/her default search engine.

They’d better do something useful.
And probably all of those attack methods would be stopped by simply having no JS running.
Post 04 Jun 2018, 14:35
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 7394
Location: ˛                              ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣ Posts: 6699
maybe time for a new standard that allow basic layout functionality and simple scripting support, why is more and more feature is good? it should be kiss and follow unix philosophy?

Do One Thing and Do It Well
Post 04 Jun 2018, 17:49
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
sleepsleep wrote:
... and simple scripting support,
Noooooo. This part is where it all goes wrong.
Post 04 Jun 2018, 23:47
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 7394
Location: ˛                              ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣ Posts: 6699
revolution wrote:
sleepsleep wrote:
... and simple scripting support,
Noooooo. This part is where it all goes wrong.


Laughing
then what is your replacement to those useful simple scripting features,
Post 05 Jun 2018, 21:00
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
Why do you want to replace them? Just kill them. They are dangerous. They are not needed.
Post 06 Jun 2018, 01:25
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 7394
Location: ˛                              ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣ Posts: 6699
just limit their power, contained them, it is possible, imo,
Post 06 Jun 2018, 17:42
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15904
Location: SDSS J140821.67+025733.2
sleepsleep wrote:
just limit their power, contained them, it is possible, imo,
Yes, I agree. It is easy to limit the power. We just need to prevent it from running, then we have limited it to having no power. Problem solved. Very Happy
Post 07 Jun 2018, 09:20
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3 ... 9, 10, 11

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Copyright © 1999-2018, Tomasz Grysztar.

Powered by rwasa.