SoylentNews is people
SoylentNews
from the running-windows—I-mean-javascript—I-mean-malware dept.
From The Daily Swig:
A serious vulnerability in the latest version of Microsoft Edge [a Windows web browser ed] enables attackers to spoof URLs with just five lines of code. The flaw, discovered by Argentine researcher Manuel Caballero, can make a malicious website appear to be legitimate through the use of the Stop() command, which interrupts the page loading process. With the target URL still appearing in the address bar, the document.write() JavaScript command can then be used to overwrite the contents of the page.
[...] With this bug, probably the only truly safe way reach any website using Edge is to open a new tab and type the URL by hand, or access it through your bookmarks.
This vulnerability appeared in a recent "security" update from Microsoft; users of Edge might want to investigate what version they are using.
(Score: 4, Informative) by bob_super on Thursday May 03 2018, @10:40PM (10 children)
> What Website Are You Really on?
Silly question:
On SN, I can say I'm on SN.
Since I browse with Noscript, I'm usually on whatever the address bar says.
Most people and websites ? They're not "on" any website, but merely occupying a virtual space bounded by the 30+ VMs serving them scripts which display pixels and track activity.
Modern websites are not a "site". Using the standard house analogy, their foundation is a heterogeneous cluster of blocks from different multiverses, the walls are paper-thin and badly decorated, like a museum with too few art pieces and not enough explanation, and the roof is incomplete, but there's 20 cameras following you everywhere you look, though none intended to notice if you take half of the valuables into your pocket.
(Score: 5, Informative) by Fluffeh on Thursday May 03 2018, @11:24PM (7 children)
Lets not nit-pick.
When I am logging into my bank's internet banking, I am on "my bank's website". I don't care whether it comes from a single server, a small army of my bank's servers or randomly generated packets from pigeons indigenous to my part of the world. What I do care about is that when I am entering my details, they are going to my bank - not to some other site.
This Edge flaw is dangerous as it is indeed easy enough to write malicious code that can capture usernames and passwords easily and do so without the user being aware that they were even lifted.
1. User is on malicious site. Starts typing in their banking URL and thinks they are going to the banking site.
2. Site captures the request, stops legitimate bank site, creates a render of the login screen.
3. User enters username and password.
4. Generic "Your details are incorrect, please check for typos etc" message is displayed and user is redirected to legitimate banking site login.
5 User successfully log into their banking site, thinking they must have typo'ed their username and thinks nothing of it again.
Their actual username and password were however captured neatly and cleanly in step 4 - to be used as needed or sold on some shady marketplace.
(Score: 4, Insightful) by bob_super on Friday May 04 2018, @01:14AM (6 children)
Why not nit-pick ?
The responsibility of delivering clean code without nasty tag-alongs should be legally enforced on the website you visit.
Right now, people just grab executable code left and right to build their site, security is a friggin nightmare, and the place you thought you visited is never responsible when bad things happen.
Real-world commercial insurance covers your ass when some third-party screws up while you are in a store (the store is responsible when the A/C conduit crushes you, then sues the contractor who installed it). Online ? You're on my site, but yeah, not really, you see, because it's not my fault that someone injected malware in the ad trackers, and I can't do anything about it, you see...
(Score: 0) by Anonymous Coward on Friday May 04 2018, @01:28AM (1 child)
(Score: 3, Insightful) by requerdanos on Friday May 04 2018, @02:30AM
Yeah, that's what this story is about. Nit-picking over whether you are "on a website" or "looking at data loaded from somewhere linked by a script loaded from the website."
Given that many websites aren't "sites" so much as agglomeration of scripts from dozens of servers each with its own tracking and misfeatures, this is a very, very fine distinction indeed.
(Score: 1, Troll) by realDonaldTrump on Friday May 04 2018, @04:31AM (2 children)
We have to see Bill Gates and a lot of different people that really understand what's happening. We have to talk to them about, maybe in certain areas, closing that Internet up in some ways. Somebody will say, "oh, freedom of speech, freedom of speech." These are foolish people!!
(Score: 1, Interesting) by Anonymous Coward on Friday May 04 2018, @08:05AM (1 child)
I don't think even Bill Gates knows what is happening anymore. Actually, I don't think *anyone* does.
Its become that big elephant that a lot of blind people are trying to describe... and all this "intellectual property" law regarding obfuscation and ignorance of how things work isn't helping one iota. Ignorance of how biology works does not help one iota for having a populace resilient to spreading of diseases.... nor does all this ignorance of how our technology works make our computational infrastructure resilient to outside attack from those who do not obey our "ignorance mandates by Congress".
But yet I realize how important our ignorance is for someone who wants to force-feed us ads, knowing we can't do anything about it.
And its also very important to have an ignorant populace if you want to hack into our power grids, elections, traffic control, commerce, banking, whatever.
To keep our population dumbed down requires a concerted effort by those empowered to craft law to keep knowledge away from the populace, so that those not under forced obeyance of that law can have the upper hand. Yes. Passed by the Congress of the United States of America.
Its gonna be interesting if they keep poking at China, and China decides to stand up, then we find a lot of our technology suddenly stops working - and no one knows why - as mandated by LAW passed by our own Congress.
Its simply not apparent to me that our Congress has much concern for the technical literacy of its populace, and wants us to know just enough to know how to buy stuff and listen to ads, while very few people, many outside the jurisdiction of our Congress, know the inner details of how the stuff works.
I see the Linux die-hards here being the last vestige of "do-er ship" outside of giant multinational corporations that hold no allegiance ( other than whoreship to the US Dollar - as long as the bankers are backing it ) to the United States.
(Score: 2) by realDonaldTrump on Friday May 04 2018, @06:17PM
The security aspect of cyber is very, very tough. And maybe it's hardly doable.
(Score: 2) by All Your Lawn Are Belong To Us on Friday May 04 2018, @01:44PM
I think you're right, bob_super It opens up a disconnect just a little for whom you consider "responsible" when you go to a website and are served something you didn't want (like malware, malvertising, whatever.) Who is repsonsible? When third-party ad services do it, the URL owner will happily point the finger.
To me, "what website am I on," is tantamount to saying, "Whom can I take action against, legal or otherwise, for what is being displayed to me?" And it wouldn't surprise me when there are cases when that is not the registrant of the address showing in my bar. It would be nice if there was a common-sense layer that let the address bar be solely responsible, but I fear that way lies SOSTA etc.
This sig for rent.
(Score: 2) by stormwyrm on Friday May 04 2018, @01:24AM (1 child)
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Friday May 04 2018, @08:22AM
That bit about not being able to trust the address bar was the first thing that sullied my acceptance of JavaScript.
I took a class in JavaScript at the local Community College, and when I learned the mischief I could do with it, I failed to see why ANY "Reputable" business would have it on their site. I saw it as the language of tinkerers, pranksters, and thieves. In all my naivety I never thought that ANY reputable business would have anything to do with it. To me it was like a child care business hiring known sex molesters ( well, because they showed an "interest" in the kids and worked for cheap. )
Yet, on the web, the "child care" businesses got Congress to approve "hold harmless" for them, and hired these molesters right and left, hence we have all this malware spreading via hostile "ads"- as sending your customer content by an "ad" is still seen as a businesslike and hold-harmless thing - and they know our Congress is too weak-willed to tell the business community things like "You straighten up your act, or all that legislation you has us pass about criminalizing reverse-engineering content is OUT THE DOOR! Those people are only trying to protect themselves from the crap you are sending them!". Even though Congressmen love to bandy the term "Elect ME and I will FIGHT for you!" before an election, I don't see too many putting up much of a fight for anything once they are in office. The Congressional hand extends, and if there is money in it when it retracts, it will sign a "law" into effect. And we are all expected to obey it, even though its a one sided law, deliberately crafted to give one side artificial enforced monopoly.
One guy ( I believe on this site ) made an insightful observation... something down the line of " In its magnaminous equality, the LAW equally forbids both rich and poor from sleeping under bridges."