devitry.com

Tech in the country. Programming & Technology innovations.

Friday, February 24, 2006

Flash XSS security hole lets MySpace hackers run free.

Flash allows free execution of JavaScript. (details here) MySpace allows users to embed Flash objects into their profile. While MySpace does some checking on embedded Flash, services like SpySpace and clones actively get around that. SpySpace uses JavaScript to determine the identity of the MySpace user, then reports to the profile owner who is viewing their page. SpySpace uses a number of techniques to hide their motives. First, their SWF is compressed, so you can't see the functions by parsing it. Second, they change the extension on it (using HTTP headers to report that it's Flash).
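Both hiding tricks can be undone on the filtering side by looking at the bytes instead of the file name. The following is an added example, not code from this post or from MySpace: it recognises a SWF by its `FWS`/`CWS` signature, inflates the zlib-compressed body, and only then searches for script URLs. The function names, the marker list and the size cap are assumptions chosen for illustration, and the sample input is constructed.

```python
import struct
import zlib

MAX_INFLATED = 16 * 1024 * 1024     # cap on inflated size (decompression-bomb guard)
SCRIPT_MARKERS = (b"javascript:",)  # heuristic; strings built at runtime will not match


def inspect_upload(data: bytes, filename: str) -> dict:
    """Classify an embedded object by its content, not its name or Content-Type."""
    sig = data[:3]
    if len(data) < 8 or sig not in (b"FWS", b"CWS"):
        return {"is_swf": False}
    report = {
        "is_swf": True,
        "compressed": sig == b"CWS",  # CWS = body after byte 8 is zlib-compressed
        "version": data[3],
        "declared_len": struct.unpack("<I", data[4:8])[0],  # uncompressed length
        "disguised": not filename.lower().endswith(".swf"),
        "script_markers": [],
    }
    body = data[8:]
    if report["compressed"]:
        try:
            # max_length bounds the output no matter what the header declares
            body = zlib.decompressobj().decompress(body, MAX_INFLATED)
        except zlib.error:
            report["error"] = "corrupt zlib stream"
            return report
    lowered = body.lower()
    report["script_markers"] = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    return report


def make_sample(compress: bool) -> bytes:
    """Constructed test input: SWF-style header plus a body holding one URL string."""
    body = b"\x00" * 16 + b"javascript:void(0)\x00"
    header = (b"CWS" if compress else b"FWS") + bytes([8])
    header += struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


if __name__ == "__main__":
    print(inspect_upload(make_sample(True), "banner.jpg"))
    print(inspect_upload(make_sample(False), "movie.swf"))
```

A filter that checks only the extension, or scans the compressed bytes as-is, misses the first sample; this one flags it as a disguised, compressed SWF carrying a `javascript:` URL.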

To me, this is a problem with Flash, which should not be allowed to script. In the meantime, don't use MySpace for anything private, because almost anyone you view can have access to your account.

Thursday, February 09, 2006

Mark this date: February 17, 2009

The end of an era is soon upon us. TV as we know it will be turned off on February 17, 2009, according to a new law signed by Bush. All broadcasters in the US must switch to 100% digital TV by that date. Old TVs that only pick up analog transmissions will no longer be able to find a station. Here is the story and here is the FAQ. If you want to still use your old TV, you'll have to buy a converter. This is certainly a win for Big Media and Big Electronics Manufacturers. The little guy will have to foot the bill on their conversion. Why can't they just let the market decide how fast to switch to DTV?