Archive for the Rant Category

Some ISPs have taken to altering web pages in transit… this means that what you see in your browser may NOT be what was actually sent from the server.

In other words, you are seeing what your ISP WANTS you to see rather than what the creator of the web page you’re viewing wants you to see. Right now, this foolishness is limited to inserting ads, but who knows where this slippery slope might lead. That’s not censorship, but it is some serious BS.

Don’t get me wrong… I don’t have a problem with advertising. But I DO have a problem with what essentially is a man in the middle attack perpetrated by ISPs.

So how can you tell if YOU should be in the market for a new ISP?

Easy. The University of Washington is doing some research into the matter, and they have a tool that will test your ISP’s level of asshattery. Just visit the page and look at the results.


The Problem:
At my day job, we use Microsoft Visio 2002 for… whatever the hell people use Visio for. A client emails a Visio file to me, but when I try to open it, instead of a nice pretty diagram, I get this:





Upgrade information? No thanks. I don’t want to upgrade, I want to view the friggin document! My next logical step is to go to Microsoft.com and download the latest Visio viewer. That happens to be the Visio 2007 viewer. I install it, but I am STILL presented with error/upgrade bullsh-t messages when I try to view my document. When I try to open the file with my web browser (more on that at the bottom of the post), I get “Page Cannot Be Displayed”.

WTF?

The Cause:

Microsoft. Nuff said.

Oh, you want more? Okay: If you have Visio 2002 installed, then the Visio 2007 Viewer just doesn’t f’ing work. How ’bout that?

The Solution:
UNINSTALL the Visio 2007 viewer. (I would suggest uninstalling ALL your Microsoft apps, but somebody might get mad at me. Even though it would save you headaches in the long run). Okay, now that the 2007 viewer is out of there… install the Visio 2003 viewer. Huh?

You mean, you have to install the Visio 2003 Viewer so you can view a Visio 2007 file on a computer with Visio 2002?

That… Does Not… Make… Sense…

This is Microsoft; it’s not supposed to make sense. Just do it.

NOW you can view your document.

I should point out that the Visio viewer is implemented as an ActiveX component, which means it uses Internet Explorer to display the content. In my case, I had to drag my Visio file onto an IE window to get it to work. Double-clicking on the file in Outlook still tries to open the file in Visio 2002, which produces the upgrade message. So now you have to open your Visio 2007 files with IE… with the Visio 2003 viewer installed.

There IS no logic left in the world, because this crap has just neutralized all of it. As long as Microsoft is in business, I will never run out of content for this site.


I was building a GUI in Java and discovered, to my annoyance, that the getText() method for the JPasswordField component has been deprecated. (It’s probably been deprecated for a WHILE and I just never cared before). So I use the getPassword() method instead.

Only getPassword() returns an array of characters (a char[]) instead of a String, which the rest of my code expects. I had a brain-fart and couldn’t remember how to turn one into the other. It happens. Rather than hunt through the API for which method turns a char[] into a String, I just Googled it. I found a nice discussion where experienced programmers jumped all over some guy for asking them how to turn a char[] into a String. He asked them instead of just reading the API docs for himself. Their response, predictably, was along the lines of “Read the API and stop asking stupid questions.”

I ALSO found that you could just do a String s = new String(char[]), but that’s not what this post is about. Why am I bothering to post this, then?

Two reasons:

  1. Berating someone for wasting your time with a simple question on the internet is…wasting your time. This guy asked a question in a public forum. If you think it’s a stupid question, all you have to do is NOT FRIGGING ANSWER IT. Making the effort to berate someone does indeed waste time and bandwidth… but YOU are the one doing it. Not them. These people were wasting their own time and blaming this guy for it.
  2. If it’s easier for people to find answers to simple API questions on Google than it is for them to simply look in the documentation, maybe… just maybe… the problem is the documentation, not the people.

End of rant.


Some people just don’t get it.

By “It”, I mean the difference between warning people about the dangers of playing with sharp sticks and leaving a crate of authentic Zulu spears on your front porch.

What the hell am I talking about?

This blog’s inaugural entry contains detailed instructions… including source code… on how to conduct a Cross-Site Scripting attack.

Yes, information wants to be free.
Yes, the people need to know.
Yes, (insert other vomit-inducing cliché here)… but COME ON!

It amazes me how many bloggers and so-called “security experts” go around handing out loaded guns in the interest of promoting gun safety.

Source Code?
SOURCE CODE!?!

No one needs the source code of an XSS attack in order to protect themselves from an XSS attack. Ditto for any other scripting or software-based attack. So what, exactly, is the point of posting code+instructions and saying, in no uncertain terms, “Here, go play with these hand grenades, and if you blow something up real good, send me a picture!”

Are you trying to educate the programmers about the holes in their code? Code is their life and livelihood… DESCRIBE the problem and they can write their own code without your help. Are you trying to prove that it can be done? Then DO it… post a screenshot of it being done instead of instructions/code on how to do it. Are you trying to entice a new generation of script-kiddies to perform attacks on the unsuspecting web-public by giving them live ammo to play with? Hmm…

I’m not one of those people who thinks information I don’t like should be hidden or restricted. But I don’t think information of this type should be actively disseminated, either. Should the information be available? Yeah… maybe… that’s debatable. Personally, I’m leaning toward “yes”. Somewhere. But being “out there somewhere” is a lot different than me painting it on a billboard in my front yard. Unless, of course, I have some ulterior motive (like: “I hate the MPAA so I’m going to post the AACS key” or “I hate Yahoo so I’m going to show the world how to screw them.”). If that’s the case, then I won’t do it under the guise of being concerned about security. If security awareness IS my main objective, then the last thing I’m going to do is hand out source code for exploits. That’s sort of like having sex to support virginity.

BY THE WAY:
For real information about XSS attacks that (last time I checked) didn’t contain actual source code, try:
http://en.wikipedia.org/wiki/Xss
http://www.cgisecurity.com/articles/xss-faq.shtml
