So to settle all this craziness about disclosing Firefox 0day, I decided to call Six Apart's press office, as Mischa Spiegelmock claimed he works there.
A gal named Jane Anderson, who has a killer accent BTW, talked with me and here's what I found out.
-Mischa does work for Six Apart
-Mischa didn't tell them he was doing this
-The company has contacted Mozilla, but Six Apart has nothing to do with getting the issue (issues?) resolved
-Any future information regarding this flaw (flaws?) will not be released/discussed by Six Apart
-Six Apart believes in responsible disclosure
-It is the understanding of Six Apart that the presentation was supposed to be funny, but people didn't seem to take it that way. How exactly stack overflows in FF's JavaScript interpreter are funny was never really explained to me
-Jane has been *very* busy for the last day or so and this is causing them some major issues
I thanked Jane for talking so frankly with me but truth be told, they need to fire this guy. Immediately.
Short and sweet: I can find out what you have been searching Google for from JavaScript. I can put this JavaScript on any site either because I own it (How much do you trust memestreamas.net?) or because I have an XSS vuln that lets me inject JavaScript in the site.
Think the AOL leakage... only for everyone on the internet.
Some fun use cases:
-HMO’s website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers.
-Advertising networks could gather information about which topics someone is interested in based on their search history and use that to enhance their customer databases.
-Government websites could see if a visitor has been searching for bomb-making instructions.
I ran across a mix tape I made in the Summer of 1997 between my Sophomore and Junior years in high school.
Side 1
Session, The Offspring
Clones, Smashing Pumpkins
I Want to Conquer the World, Bad Religion
Don't Stay Home, 311
Sunday Morning, No Doubt
Torn Apart, Stabbing Westward
Paranoid Android, Radiohead
Ain't My Bitch (Live), Metallica
Breathe, Prodigy
Battle of Britain, David Bowie
Intermission, The Offspring
Side 2
Flat Earth Society, Bad Religion
Jenny Says, Cowboy Mouth
Tainted Love, Shades Apart
Throw-away Culture, Trinket
All I Want, The Offspring
The Becoming, Nine Inch Nails
Basket Case, Green Day
Under the Bridge, Red Hot Chili Peppers
Zero, Smashing Pumpkins
Lucy Can't Dance, David Bowie
London Calling, The Clash
Monkey Wrench, Foo Fighters
Ta Ta, The Offspring
A guy from Thailand was in my microeconomics class this morning and told me the real story behind all this coup stuff. Apparently, the PM was a satellite communications mogul who bought them from the gov't and didn't pay any taxes on them. He's the 4th richest person in Thailand, and his approval rating in the city is only about 20%. In the country it's much higher; however, that's more than likely because he bribes the peasants to vote for him. His main goal in life? To be the 1st richest person in Thailand.
I doubted my classmate until he concluded that his mom lives over there and says there hasn't been an ounce of rioting. Of course there's no rioting when it's what the people want.
Fuck our call to "return to democracy"...these guys seem to be making their own stew just fine.
A very good interview with Gen John Abizaid on tonight's NewsHour with Jim Lehrer. Gen Abizaid is the commander of the Central Command, which includes all U.S. forces in Iraq and Afghanistan.
The General talked a lot of why he feels the situation in Iraq is improving. And by, "situation in Iraq" he really means "in the areas where we've applied military forces. The overall numbers show a slight decrease [in violence]; I wouldn't say [the decrease in violence is] substantial."
... well, that sure is good to know. He did discuss trying to turn over more and more responsibility to the Iraqis, though he ducked a question about how many resources the US is spending on training new Iraqi soldiers to kill the new insurgents as opposed to cutting out the middle man and doing that ourselves.
There was one thing that certainly shocked me, especially since such a high ranking general made such a point of calling our attention to it.
And then the final thing I'd say is it's hugely important for us to keep in mind that the flow of oil and the flow of natural resources through the Straits of Hormuz, the Bab-el-Mandeb, and the Suez Canal have got to continue. And that falls to the United States Armed Forces, which is why we currently have about 215,000 Americans serving in my region.
I'm not such a crazy lefty that I don't realize that oil is a strategic resource and we want to protect our resources (especially when "our" resources are inside other countries' borders), but when the General in charge of all military operations in the Middle East says that safeguarding the flow of oil is "why" we have almost a 1/4 million troops there, that is a little shocking.
Oracle: Oracle encourages independent security researchers to follow a 'responsible disclosure' policy. Researchers notify vendors about a vulnerability and do not publicly disclose information regarding the vulnerability until we have released a patch for it.
... which is all well and good until you realize that Oracle is horrible about patching security issues, regularly taking not weeks, not months, but years to release a patch. If Oracle thinks security researchers are going to wait years, they are mistaken. At that point, it's irresponsible not to release a public notice.