The governor of Utah signed a nonbinding resolution on Tuesday that calls on the US Congress to do something about the rising tide of Internet pornography, preferably using technology to stick it in a ghetto where those who don't want to see it don't have to do so. The resolution, which passed both houses of the Utah legislature, was backed by CP80 ("Clean port 80"), a group founded and headed by Ralph Yarro. CP80's plan to cleanse the Internet isn't the only controversy that Yarro's involved in, though; he also happens to chair the board of directors for SCO.

"I'm pretty sure if they took all the porn off the Internet there would only be one site left, and it would be called 'Bring Back the Porn!'" -- Scrubs.

"The Internet is not a force of nature—it's a man-made creation. It can be changed and evolved to better serve us all," said Yarro in a statement after the signing of the resolution. "There is no reason why we should tolerate an Internet that allows children to easily access pornography."

And let's just ban television, because there's no reason that we should tolerate a world where kids can turn on Cinamax at 10:30pm on a Saturday night and watch erotic trillers. Ahhh Skinamax... you gave me the porn before the Internet did...

CP80's solution would apply to the US only, of course, and their plan for dealing with international pornographers (who are unlikely to move to another port dictated by the US) is a simple but draconian one: consumers would ask ISPs to "simply block all IP addresses originating from a non-compliant country." Problem solved!

"So build a wall, behind it crawl, and hide until it's light" --Metallica

Utah wants Congress to make port 80 porn-free

The navcancl.htm local resource is used by the browser when for some reason a navigation to a specific page is canceled.
When a navigation is canceled the URL of the specific page is provided to the navcancl.htm local resource after the # sign. For example: res://ieframe.dll/navcancl.htm#http://www.site.com.

Microsoft Mistake #1: Using a nonstandard mechanism to pass parameters to a page.

The navcancl.htm page then generates a script in the "Refresh the page.” link in order to reload the provided site again when the user clicks on this link.
It is possible to inject a script in the provided link which will be executed when the user clicks on the “Refresh the page.” link.

Microsoft Mistake #2: Having a DOM-Based XSS Exploit standard in every version of IE7.

Luckily, Internet Explorer now runs most of its local resources (including navcancl.htm) in “Internet Zone”, so this vulnerability cannot be exploited to conduct a remote code execution.

Ok, well this is better... wait a second, did they just say "most" resources? Hmmmm

Unfortunately, there is also a design flaw in IE7. The browser automatically removes the URL path of the local resource and leaves only the provided URL. For example: when the user visits res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will show http://www.site.com in the address bar.

... ... are you kidding me?

Microsoft Mistake #3: Allowing the address bar to say its pointing at one URL when its really pointing at another

To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display a fake content of a trusted site (e.g. bank, paypal, MySpace).
When the victim will open the link that was sent by the attacker, a “Navigation Canceled” page will be displayed. The victim will think that there was an error in the site or some kind of a network error and will try to refresh the page. Once he will click on the “Refresh the page.” link, The attacker’s provided content (e.g. fake login page) will be displayed and the victim will think that he’s within the trusted site, because the address bar shows the trusted site’s URL.

Ok, seriously now. I've meet the security PM for IE7 and he is a cool guy and all, but I'm seriously wondering if IE team actually cares about security. Ignoring the implications of their mistakes, I simply fail to understand how things like mistake 1 or mistake 3 make it through a code review on a project that was "redesigned from the ground up with security in mind." You mean to tell me that you actually have code in your app that allows the URL in the address bar and the URL of the content you are displaying to become unlinked? Are you smoking crack?

Phishing using IE7 local resource vulnerability

Absolut Hacker + Red Bull

The $1 billion question prompted by Viacom Inc.'s suing Google Inc. yesterday is how a 1998 law that was supposed to retrofit copyright protection for the digital future applies in the YouTube age.

The DMCA also contained important so-called safe-harbor clauses, provisions designed to protect access providers, search engines, Web-hosting services and others from liability for copyright claims if they met several conditions.

But now some legal experts say there is little consensus or precedent on how that protection applies to video-sharing sites like YouTube. The safe-harbor dispute could hinge on several key issues, such as the extent to which YouTube has direct knowledge of copyright clips posted on its site without permission and whether it profits directly from them.

Some lawyers say court decisions may have broad ramifications. "The DMCA safe harbor covers a lot of businesses, and it's hard to see how you could go after YouTube without threatening all of the others," says Fred von Lohmann, senior attorney at the Electronic Frontier Foundation in San Francisco.

Viacom says it decided to file suit because its request last month that YouTube remove Viacom clips failed to keep them off the site. As recently as yesterday, one of the most viewed videos on YouTube was one from "The Colbert Report," owned by Viacom. The media company says it spends "tens of thousands of dollars" a month searching for its programming on YouTube so it can request its removal.

In its suit, Viacom alleges that the availability of copyright works on YouTube "is the cornerstone of [its] business plan."

"Time is up for YouTube," said Time Warner Inc. General Counsel Paul Cappuccio. "It's no longer permissible for them to have unauthorized copyrighted material on there."

Decius and I have talked about this before and he proposed some of the same points raised in this article.

How is YouTube any different than a Warez site that also has freeware programs? Perhaps a better comparison is Napster and YouTube. Napster was basically a warez site that received VC funding. How different is YouTube? One difference I can see in YouTube's favor is substantially less of its available content are copyrighted works.

This is going to be a very interesting case with immense implications in the "user generated content" world of Web 2.0

Viacom vs Google, or: How the DMCA stopped being something only 1337 hackers and pinko lawyers cared about.

I just found a site, quite by random, that is vulnerable to remote command execution through a finger.cgi gateway. This site is subdomain at a major engineering college in the US and no, I didn't find it with Google Hacking.

... ...

[SMACK]
Its #$&*ing 2007! Why the #$&* are you using CGI!?! Bad Monkey!

Basically a guy set up a test page with certain unique words either hardcoded in HTML (as a control) written to the page using JavaScript's document.write() function, and written to a page using JavaScript in a externally referenced file. Here are hist results:

I then searched for each of the six words at Google.

* The two HTML words both generated a search result that included the page.
* The two words inserted by a JavaScript in the page generated no search results.
* The two words inserted by a remotely sourced JavaScript generated no search results.

Which are utterly unsurprising if you think about it. Google's crawler doesn't implement a JavaScript interpreter. Plain and simple. Because it doesn't have to.

As someone whose career is researching, designing, and developing advanced web crawlers, I can tell you JavaScript parsing/interpretation is a giant pain in the ass and a big performance killer. Plus things like client side validation and image pre-loading (things that most crawlers don't care about) also gets in the way and slows you down. From a shear cost vs. gain, it currently makes no sense for Google to interpret or index JavaScript. Ajax apps only makes crawling much harder.

Does Google Index Dynamic JavaScript Content? No, of course not.

Holy moly that is a close up zoom of a camel (see my screenshot above) – and it works for other place on Google Maps too!

Yes, it turns out that you can zoom in much more deeply onto Google Maps by doing this:

* Select a location and switch to satellite view
* Zoom in as far as you can, and click “link to this page” at the top right
* Now replace the “z” parameter in the URL with a higher value, e.g. 20, 22, or 23, and wait. Some locations will now show more detailed imagery

Super-Close Google Maps Zooms hack

This is, quite possibly, the coolest, round-about compliment I have ever, ever received.

Mark Frauenfelder (whose name apparently means "fields of women" in German) appeared on the Colbert Report, talking about Make Magazine. I wrote for Make and my article on reading magstripe cards appeared in the first issue. From the episode:

Mark Frauenfelder: Things like an electric card reader, so you can swipe your credit card or driver's license and swipe them through and see on the computer all the information thats stored on them.

Stephen Colbert: So, so, so, so this is a magazine for people are like in real life, like Matthew Broderick from Wargames.

[begins singing We are the Champions...]

I was (indirectly) on the Colbert Report!

Paste this into your IE address bar:

javascript:for(x in document.write)f(x)

This can also be placed inside a block and nail anyone who comes to a website.

Update: Null pointer dereferences can't really be 0wnabl3. Oh well.

Crashing IE with 39 bytes

The simple example I use in this article is an Intranet application that looks up employees in a SQL database based on parameters provided by the user. The example allows the user to enter any combination of Last Name and/or First Name . The application then queries the SQL database using an ASP page and shows the user the entries in the database that matched the query without performing a hard refresh.

This is an article written in 2000 by a co-worker of mine at SPI which discusses using the XmlHttpRequest object (then known as XMLDOM) to do "Ajax" operations.

Dennis loves to tell me how he has been doing it all these years, and in fact, he has. But I like to pull out a slide from one of my presentations:

* Why didn’t this happen in 2000?
* Many reasons
  * Lack of standards compliant browsers
    * JavaScript implementations all different
    * DOM manipulation/Eventing all different
  * CSS support lacking
  * Lower connection speeds
  * Lower processing power

The long and short of it: Screw the Microsoft IE team and Netscape Navigator team from the 1990s. Their petty bullshit set web application development back 4 years. We could have had this stuff in 2000 if they had stopped slitting each other's throats and actually worked with the W3C. I find endless amusement in the fact that the IE 7 exists because of some hippie programmers.

Solving the Hard Refresh Problem Using XML and ASP