If the Linux CVE-2010-3081: 64bit Linux Kernel Root Exploit didn’t get you, then this little birdy might. It seems the implementation of the AES encryption that protects the integrity of the session cookies in ASP.NET has a weakness which could enable an attacker to hijack sessions – Which bank? The idea behind using AES is to ensure that the encrypted data hasn’t been tampered with (and hence is decryptable), but unfortunately the flawed way AES is used, and in particular how errors are handled, gives an attacker some much needed clues to pursue.
In this case, ASP.NET’s implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified. If the ciphertext has been changed, the vulnerable application will generate an error, which gives an attacker some information about how the application’s decryption process works. More errors means more data. Observe enough of those errors and the attacker can narrow the number of bytes he needs to guess to find the encryption key down to something that is actually feasible.
“It’s worth noting that the attack is 100 [per cent] reliable, [that is], one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”
We started with the existing Jake2 Java port of the Quake II engine, then used the Google Web Toolkit (along with WebGL, WebSockets, and a lot of refactoring) to cross-compile it into JavaScript. You can see the results in the video above — we were honestly a bit surprised when we saw it pushing over 30 frames per second on our laptops (your mileage may vary)!
At the moment you have to build from source and mess about a bit, but fear not: I followed the guide on OSNews by Kroc on our MacBook Pro and it worked quite well. I have yet to try it on Linux.
Well, Google has finally released Chrome 4.0 and with it extension support, amongst many other features, which finally brings some much needed juice to the browser. I’ve been running Firefox and Chrome simultaneously (Chrome for Gmail & Google Apps, Firefox for daily browsing) but I have a feeling I may change to using Chrome full time now.
Some cool extensions to try (most are from Firefox)
Xmarks Bookmarks Sync – I’ve been using FoxXmarks to sync my bookmarks for a while now, so it’s only natural I install this for Chrome. You can also stick with the standard bookmark sync via Google, which you’ll need a Google account for.
Chromed. There’s lots more if you’re into Facebook, Twitter and all the other fancy things these days, even one for uTorrent! Download the latest build and give things a go!
PS. You don’t need to restart Chrome to install extensions either!
Had a nasty issue with jQuery + JSON + IE just now – still at work because of it!
This bit of code works perfectly fine in Firefox and Chrome:
function onUnitsModified() {
    // Ask the MVC action for the current unit count and act on the result
    $.getJSON("<%=Url.Action("GetTotalUnitCount", "ProjectReaper")%>", null, function(result) {
        if (result > 0) {
            // Do stuffs here
        }
    });
    return true;
}
But in IE we’ve come to realise that only the first hit is successful; subsequent JSON requests are not hitting the ASP.NET MVC action at all (I set a breakpoint), because IE serves the cached response. You could append a timestamp to the URL to get rid of this annoying caching bug, but alternatively you can use the ajaxSetup options to disable caching:
function onUnitsModified() {
    // cache: false makes jQuery append a unique _=timestamp parameter to each GET
    $.ajaxSetup({ cache: false });
    $.getJSON("<%=Url.Action("GetTotalUnitCount", "ProjectReaper")%>", null, function(result) {
        if (result > 0) {
            // Do stuffs here
        }
    });
    return true;
}
Darnit! Hope someone else doesn’t waste their time trying to fix this now.
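What the cache: false setting does under the hood, as an added example (not code from the post or from jQuery): a unique _=timestamp query parameter is added to each GET so IE never sees the same URL twice. The helper below is a hypothetical stand-alone version of that step for hand-rolled requests; it handles URLs that already carry a query string, an existing _ parameter, or a fragment, and takes the clock as a parameter so it can be checked deterministically.

```javascript
// Added example, not from the original post: a stand-alone cache-buster in the
// style of jQuery's cache:false. Uses the WHATWG URL class built into Node and browsers.
function cacheBust(url, now = Date.now()) {
  // A placeholder base lets relative paths such as "/ProjectReaper/GetTotalUnitCount" parse;
  // it is stripped again below unless the input was already absolute.
  const isAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(url);
  const u = new URL(url, 'http://placeholder.invalid');
  // set() replaces an existing _ parameter in place rather than appending a second one
  u.searchParams.set('_', String(now));
  return isAbsolute ? u.href : u.pathname + u.search + u.hash;
}

// Issue a JSON GET that IE cannot satisfy from its cache. fetchImpl is injectable so the
// function can be exercised without a network; it defaults to the global fetch.
async function getJSONNoCache(url, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(cacheBust(url), {
    headers: { 'Cache-Control': 'no-cache' }, // belt and braces alongside the unique URL
  });
  if (!response.ok) throw new Error('request failed: ' + response.status);
  return response.json();
}
```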
- Revamped user interface
- Boosted speed from the new Opera Presto 2.2 engine, giving it a 40% increase from the previous version when running web applications (such as Gmail)
- Opera Mail has seen various improvements
- Opera Turbo, designed to increase browsing speed for those on slower Internet connections
- An inline spell checker, to help catch mistakes when typing in entry forms
- Thumbnail tabs which are resizable
- Speed Dial has been given personalization features
Download a copy or read up on the new features in this release – the site’s being hammered right now by the looks of it. I still remember starting out with Opera 5 back in 2001; a close friend designated Opera as his ‘porn browser’, purely because of the tabbing and speed (not to mention lightweightness) of the browser.
The moment we’ve all been waiting for: Mozilla has released the final version of Firefox 3.5 (which was originally slated to be 3.1). The highlights include the new Gecko 1.9.1 rendering engine and (from their release notes):
Available in more than 70 languages. (Get your local version!)
Improvements to the Gecko layout engine, including speculative parsing for faster content rendering.
Support for new web technologies such as: downloadable fonts, CSS media queries, new transformations and properties, JavaScript query selectors, HTML5 local storage and offline application storage, <canvas> text, ICC profiles, and SVG transforms.
A few weeks ago saw the launch of Wolfram Research’s Alpha, a natural language search engine which could do some funky things. Now Microsoft have stepped up from their previous attempts – Ms Dewey (Janina Gavankar, who’s quite a hottie! reminds me of Tiffany) – and we have the final release of Bing (codenamed Kumo), which is going to be a behemoth search engine.
In either case, it’s an interesting take on the ‘aging’ way we search for what we want and seems to build on the concepts that came with Wolfram Alpha. It still shows as coming soon for me, so we’ll have to see when it actually comes out.
Stephen Wolfram of Mathematica fame (and pure genius) has launched Wolfram Alpha. It’s a ‘computational knowledge engine’ and quite a cool tool too! Taking on the big giants Google, Yahoo, Live etc., this bit of kit allows you to search using natural language.
Let me demonstrate: suppose you want to know who the prime minister of Bulgaria is. It will not only give you the answer but also some background information on the person.
Not only can you ask formal questions, but you can even give it some mathematical problems to solve.
Got told by a co-worker about this today: a news site that searches, scrapes and analyses news items for you. wotnews.com.au even has a Google Alerts style notification system to get told when interesting news items trickle through. What’s really impressive about this little beauty is that it’s written by a very small team and is packed with functionality.
Say we want to know more about the Sun being acquired by Oracle item from yesterday: query it. You’ll get a bunch of highlights for the month regarding the two keywords, and the latest articles aggregated over the internet. It even has Twitter integration to find out the latest goss.
While it seems to be still in its infancy, this web-application (and the AI behind it) will surely improve over time bringing some very interesting utilities for gathering news. Who needs Digg.com now apart from the memes and references to PedoBear?
The web framework behind it, I was told, is Django (which I’ve toyed around with) and the front-end makes heavy use of CSS Sprites, as seen in this graphic.
Learn about CSS Sprites
You can learn more about CSS Sprites via these links:
This is my personal blog; the opinions expressed here represent my own thoughts and not those of my past or current employers, my mother, father, sister, non-existent brother, our dog Neo, puppies I've trained, neighbours or countrymen and women. If anything, they serve as a memory of my ideas, thinking and musings at a point in time.
I may inadvertently link to or quote content that is useless, rude, pointless, idiotic, inappropriate, wtf or hilariously-not-funny. I do not condone, endorse or take responsibility for such content.
All content is Copyright (c) Thushan Fernando unless otherwise stated.
Disclaimer is tiny just to make it look fancy spansy.