Curiouser and Curiouser

I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Utah wants Congress to make port 80 porn-free
Topic: Technology 6:40 am EDT, Mar 16, 2007

The governor of Utah signed a nonbinding resolution on Tuesday that calls on the US Congress to do something about the rising tide of Internet pornography, preferably using technology to stick it in a ghetto where those who don't want to see it don't have to do so. The resolution, which passed both houses of the Utah legislature, was backed by CP80 ("Clean port 80"), a group founded and headed by Ralph Yarro. CP80's plan to cleanse the Internet isn't the only controversy that Yarro's involved in, though; he also happens to chair the board of directors for SCO.

"I'm pretty sure if they took all the porn off the Internet there would only be one site left, and it would be called 'Bring Back the Porn!'" -- Scrubs.

"The Internet is not a force of nature—it's a man-made creation. It can be changed and evolved to better serve us all," said Yarro in a statement after the signing of the resolution. "There is no reason why we should tolerate an Internet that allows children to easily access pornography."

And let's just ban television, because there's no reason that we should tolerate a world where kids can turn on Cinemax at 10:30pm on a Saturday night and watch erotic thrillers. Ahhh Skinamax... you gave me the porn before the Internet did...

CP80's solution would apply to the US only, of course, and their plan for dealing with international pornographers (who are unlikely to move to another port dictated by the US) is a simple but draconian one: consumers would ask ISPs to "simply block all IP addresses originating from a non-compliant country." Problem solved!

"So build a wall, behind it crawl, and hide until it's light" --Metallica



Microsoft on IE XSS Flaw
Topic: Miscellaneous 5:58 am EDT, Mar 16, 2007

And now, your moment of zen:

Microsoft researchers are currently investigating the issue but have seen no evidence that the alleged flaw is currently being used maliciously, the software giant said in a statement sent to SecurityFocus.

Translation: Honey Monkey hasn't seen this, so it must not be in use.

The company also spelled out its policy that flaws should be directly reported to the software maker.

Translation: Please, please, please, for the love of god, stop dropping 0day on blogs!



Phishing using IE7 local resource vulnerability
Topic: Technology 5:35 am EDT, Mar 16, 2007


The navcancl.htm local resource is used by the browser when for some reason a navigation to a specific page is canceled.
When a navigation is canceled the URL of the specific page is provided to the navcancl.htm local resource after the # sign. For example: res://ieframe.dll/navcancl.htm#http://www.site.com.

Microsoft Mistake #1: Using a nonstandard mechanism to pass parameters to a page.

The navcancl.htm page then generates a script in the “Refresh the page.” link in order to reload the provided site again when the user clicks on this link.
It is possible to inject a script in the provided link which will be executed when the user clicks on the “Refresh the page.” link.

Microsoft Mistake #2: Having a DOM-Based XSS Exploit standard in every version of IE7.

Luckily, Internet Explorer now runs most of its local resources (including navcancl.htm) in “Internet Zone”, so this vulnerability cannot be exploited to conduct a remote code execution.

Ok, well this is better... wait a second, did they just say "most" resources? Hmmmm

Unfortunately, there is also a design flaw in IE7. The browser automatically removes the URL path of the local resource and leaves only the provided URL. For example: when the user visits res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will show http://www.site.com in the address bar.

... ... are you kidding me?

Microsoft Mistake #3: Allowing the address bar to say it's pointing at one URL when it's really pointing at another

To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display a fake content of a trusted site (e.g. bank, paypal, MySpace).
When the victim will open the link that was sent by the attacker, a “Navigation Canceled” page will be displayed. The victim will think that there was an error in the site or some kind of a network error and will try to refresh the page. Once he will click on the “Refresh the page.” link, The attacker’s provided content (e.g. fake login page) will be displayed and the victim will think that he’s within the trusted site, because the address bar shows the trusted site’s URL.

Ok, seriously now. I've met the security PM for IE7 and he is a cool guy and all, but I'm seriously wondering if the IE team actually cares about security. Ignoring the implications of their mistakes, I simply fail to understand how things like mistake 1 or mistake 3 make it through a code review on a project that was "redesigned from the ground up with security in mind." You mean to tell me that you actually have code in your app that allows the URL in the address bar and the URL of the content you are displaying to become unlinked? Are you smoking crack?
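
The DOM-based XSS pattern behind mistake #2, as an added example that is not Microsoft's code and not part of the quoted advisory: a hypothetical error page that receives the canceled URL after the # sign builds its "Refresh the page." link first by string concatenation, then with the fragment parsed, restricted to http(s), and attribute-escaped. All function names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example. Hypothetical error page that is handed the canceled URL after
// the "#", e.g. res://ieframe.dll/navcancl.htm#http://www.site.com.
// None of these functions come from Internet Explorer.

// Pattern to avoid: the fragment is pasted into markup unchecked.
function buildRefreshLinkUnsafe(pageUrl) {
  const target = pageUrl.slice(pageUrl.indexOf('#') + 1);
  return '<a href="' + target + '">Refresh the page.</a>';
}

// Parse the fragment and accept only an absolute http(s) URL.
function extractTarget(pageUrl) {
  const i = pageUrl.indexOf('#');
  if (i < 0) return null;
  let url;
  try {
    url = new URL(pageUrl.slice(i + 1));
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null; // no user:pass@host look-alikes
  return url;
}

function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened builder: normalized URL, attribute-escaped, or no link at all.
function buildRefreshLink(pageUrl) {
  const url = extractTarget(pageUrl);
  if (!url) return '<span>Navigation to the webpage was canceled.</span>';
  return '<a href="' + escapeAttr(url.href) + '">Refresh the page.</a>';
}

// Constructed inputs: the page's own example, a script-scheme fragment,
// and an attribute breakout attempt.
const samples = [
  'res://ieframe.dll/navcancl.htm#http://www.site.com',
  'res://ieframe.dll/navcancl.htm#javascript:alert(1)',
  'res://ieframe.dll/navcancl.htm#http://www.site.com/" onclick="alert(1)',
];
for (const s of samples) console.log(buildRefreshLink(s));
```

This covers only the script injection; the address bar showing the fragment instead of the real location (mistake #3) is a browser-chrome behavior that page-level code cannot correct.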



The Path to Growth
Topic: Business 5:04 am EDT, Mar 16, 2007

Even the most successful business models erode over time.

The key to thriving under such tough conditions is adaptability. ... companies must continually update their business model ...

All of the possible methods of bringing customers value -- anything from more-efficient production lines to new products and services -- boil down to just three fundamental strategies:

* Industrial efficiency, which creates value by producing standardized offerings at low cost. Manufacturers and fast-food restaurants rely on this approach.

* Network services, which creates value by connecting clients to other people or other parts of the network. Telephone companies, delivery services and Internet middlemen such as eBay use this method.

* Knowledge intensive, which creates value by applying customized expertise to clients' problems. Law firms and medical practices are prime examples.

It's everything you need to know.

The article is also available here.

At both locations, there's a sidebar with pointers to further reading.



Counterterrorism Blog: Transcripts of Interviews of Khalid Sheikh Mohammed, Abu Faraj al-Libi, & Ramzi Binalshibh
Topic: Current Events 12:07 am EDT, Mar 15, 2007

Here are the transcripts of the interviews by the Defense Department of the three most senior Al Qaeda leaders in custody in the world, provided to us by Jean Charles Brisard. The Defense Department has posted more information at a special website.

Khalid Sheikh Mohammed: "I was responsible for the 9/11 operation from A to Z"

Abu Faraj al-Libi (who did not attend his session)

Ramzi Binalshibh (who refused to attend the session)

This is a pretty cool website. We haven't heard a lot recently about enemy combatant trials and these transcripts provide insight that they appear to be as dull as standard legal proceedings: Lots of red tape, sprinkled with bits of interestingness.



Absolut Hacker + Red Bull
Topic: Technology 10:06 pm EDT, Mar 14, 2007



Viacom vs Google, or: How the DMCA stopped being something only 1337 hackers and pinko lawyers cared about.
Topic: Technology 12:54 pm EDT, Mar 14, 2007

The $1 billion question prompted by Viacom Inc.'s suing Google Inc. yesterday is how a 1998 law that was supposed to retrofit copyright protection for the digital future applies in the YouTube age.

The DMCA also contained important so-called safe-harbor clauses, provisions designed to protect access providers, search engines, Web-hosting services and others from liability for copyright claims if they met several conditions.

But now some legal experts say there is little consensus or precedent on how that protection applies to video-sharing sites like YouTube. The safe-harbor dispute could hinge on several key issues, such as the extent to which YouTube has direct knowledge of copyright clips posted on its site without permission and whether it profits directly from them.

Some lawyers say court decisions may have broad ramifications. "The DMCA safe harbor covers a lot of businesses, and it's hard to see how you could go after YouTube without threatening all of the others," says Fred von Lohmann, senior attorney at the Electronic Frontier Foundation in San Francisco.

Viacom says it decided to file suit because its request last month that YouTube remove Viacom clips failed to keep them off the site. As recently as yesterday, one of the most viewed videos on YouTube was one from "The Colbert Report," owned by Viacom. The media company says it spends "tens of thousands of dollars" a month searching for its programming on YouTube so it can request its removal.

In its suit, Viacom alleges that the availability of copyright works on YouTube "is the cornerstone of [its] business plan."

"Time is up for YouTube," said Time Warner Inc. General Counsel Paul Cappuccio. "It's no longer permissible for them to have unauthorized copyrighted material on there."

Decius and I have talked about this before and he proposed some of the same points raised in this article.

How is YouTube any different than a Warez site that also has freeware programs? Perhaps a better comparison is Napster and YouTube. Napster was basically a warez site that received VC funding. How different is YouTube? One difference I can see in YouTube's favor is substantially less of its available content is copyrighted work.

This is going to be a very interesting case with immense implications in the "user generated content" world of Web 2.0



PEAR :: Manual :: Text_Highlighter
Topic: Miscellaneous 6:44 pm EDT, Mar 13, 2007

With Text_Highlighter it is possible to create syntax highlighted versions of different file formats.

Currently, the following formats are supported:

C++
CSS
DTD
HTML
Java
Javascript
MySQL
Perl
PHP
Python
Ruby
SQL
XML

PEAR might not be as complete of crazy stuff as CPAN, but it's got what I need!



Finger.cgi vulns... in 2007... [smacks forehead]
Topic: Technology 5:22 pm EDT, Mar 12, 2007

I just found a site, quite by random, that is vulnerable to remote command execution through a finger.cgi gateway. This site is a subdomain at a major engineering college in the US and no, I didn't find it with Google Hacking.

... ...

[SMACK]
It's #$&*ing 2007! Why the #$&* are you using CGI!?! Bad Monkey!


Does Google Index Dynamic JavaScript Content? No, of course not.
Topic: Technology 5:32 am EDT, Mar 12, 2007

Basically a guy set up a test page with certain unique words either hardcoded in HTML (as a control), written to the page using JavaScript's document.write() function, or written to a page using JavaScript in an externally referenced file. Here are his results:

I then searched for each of the six words at Google.

* The two HTML words both generated a search result that included the page.
* The two words inserted by a JavaScript in the page generated no search results.
* The two words inserted by a remotely sourced JavaScript generated no search results.

Which are utterly unsurprising if you think about it. Google's crawler doesn't implement a JavaScript interpreter. Plain and simple. Because it doesn't have to.

As someone whose career is researching, designing, and developing advanced web crawlers, I can tell you JavaScript parsing/interpretation is a giant pain in the ass and a big performance killer. Plus things like client side validation and image pre-loading (things that most crawlers don't care about) also get in the way and slow you down. From a sheer cost vs. gain, it currently makes no sense for Google to interpret or index JavaScript. Ajax apps only make crawling much harder.


