Comments for Keyboard Cowboy

Comment on Speaking at The Next HOPE by url

url — Sat, 17 Jul 2010 15:02:51 +0000

Wasn’t able to catch the speech, but looking forward to it.

219

Also, congrats

Comment on Speaking at The Next HOPE by DJ

DJ — Fri, 16 Jul 2010 20:22:12 +0000

Good luck! Hope it all goes well – and have fun too!

Comment on Hootsuite and their Ill-regard for their URL Shortener Service by Luke

Luke — Mon, 14 Jun 2010 18:38:36 +0000

Hootsuite can’t “keep further track of browsing activities”… Same Origin Policy, yo. Try navigating around in the ht.ly iframe and then document.getElementById(‘hootFrame’).src at the console. You will get the src attribute set for the iframe at load time. You can’t get href, location, etc. for the iframe because the content is in another domain.

I was able to create several ht.ly URLs without a Hootsuite or Twitter account, but HTTPS URLs or those pointing to a domain-level index were rendered as simple redirects. A couple of Youtube videos and a Wikipedia article were rendered in the ht.ly iframe with the social bar.

I agree that in principle using an iframe for this purpose (including added-value content like an ad or a social media bar) is a bad idea. Showing the URL in the title is inadequate (Chrome users won’t even see this if they are busy browsers).

The more I think about it the less I like the idea of these short URL services cloaking URLs like this. If I’m not mistaken the browser security model permits a document in an iframe to modify the location property of the parent viewport (this is the Ajax iframe XSS technique in reverse); from keyboardcowboy.ca you could set the parent fragment identifier to #https://www.facebook.com/. In my mind the less-observant user who would be confused by this type of phishing attack could be further reeled in this way.

Seems to me the social sharing functionality of the ht.ly bar is better implemented with a browser add-on, bookmarklet, or AddThis-type widget. Oh well.

Comment on Great Clips violates your privacy! by fuego

fuego — Sun, 23 May 2010 20:18:15 +0000

I think that his is just one more way for decent people to be tracked and watched. It should matter to you not at all whether I have an address as long as I am paying with accepted legal tender. You don’t need to know what I like, where I live… just give me a damn haircut and piss off. Pardon if I’m being rude.

Comment on Who’s letting me become ssladmin? by Jonas

Jonas — Mon, 19 Apr 2010 09:31:17 +0000

Bobby: There is the equivalent of a CA in DNSSEC but their role is vastly different. Your registrar is for obvious reasons much better suited to know if you own your domain or not. DNSSEC and SSL are interrelated in that you can store your latter certificates in the former. It’s not widely implemented (today’s understatement) but it is a simple retrofit that fixes the practical problems with SSL certs (and gets rid of today’s CAs as a bonus).

Comment on Who’s letting me become ssladmin? by Phailsauce

Phailsauce — Mon, 19 Apr 2010 08:29:08 +0000

DNSsec doesn’t provide link-level encryption so still allows for man-in-the-middle attacks. A transparant proxy will easily replace the lack of spoofability. Then there’s the enumeration information leak.

And then there is the problem of who owns the root key. Currently that will be the Team America World Police, excuse me, USA government. You may not care, but the other 95% of the world does. Though Americans not caring about that is curious because you appear to prefer to trust unaccountable private enterprises over that very same government. Maybe now that they’ve shown themselves to like being unaccountable themselves (warrantless this, warrantless that) you’ve started to trust them?

The message here is that too many techies wilfully ignore the political mess they’re making. And it’s going to bite us all in the behind. So please be a bit more considerate before you open your yap. Can’t expect that from Danny boy, unfortunately.

Comment on Who’s letting me become ssladmin? by Eric

Eric — Mon, 19 Apr 2010 00:31:36 +0000

@Moxy: good point.

Once upon a time, all SSL CA’s did all elaborate validation of documentation. I remember having to fax in a document with driver’s licenses on company letterhead, etc. Maybe not bulletproof, but humans actually used to read these things for every request.

Making someone pay extra to opt in to more validation doesn’t solve the problem at all. The base standard has to be raised, but there doesn’t seem to be any incentive for CA’s to do the extra work. They’re not generally impacted in the case of succesful fraud, I don’t think I’ve seen any browsers pulling CA root certs because of lax practices, so they’re going to compete for the best profit margin for the lowest reasonable price, which means more automation and less validation. (and thus a weaker overall PKI for everyone)

Comment on Who’s letting me become ssladmin? by Moxy

Moxy — Sun, 18 Apr 2010 20:43:55 +0000

I liked this vulnerability better two years ago when mike Zusman used it to get a cert for live.com. Verisign is right though, this is prevented by ev-ssl in the same way that ferraris prevent the existence of hyundais. Which is to say, it provides a wildly expensive alternative no one uses. How could any user have been spared this attack by the availability of EV? what user sees a normal cert and decides “this free webmail didn’t pay enough for their cert, I’m leaving!”. No one. Corporate verisign shills, thanks for reading.

Comment on Sony giveth and taketh with the Playstation 3 by ScepticalBob

ScepticalBob — Sun, 18 Apr 2010 20:07:28 +0000

Lets all buy a gun and storm Sony headquarters……….demand they stay the f*ck out of our systems!

Comment on Sony giveth and taketh with the Playstation 3 by Llanowyn

Llanowyn — Sun, 18 Apr 2010 19:52:00 +0000

Awesome, I like your take on this.