
Amazon Books: $5.00 off when you spend $20.00 or more

1 Comment

Thumb Score: +67
Amazon.com is offering an extra $5 Off $20+ or More on Select Books (Shipped & Sold by Amazon) w/ promo code PRIMEBOOKS18 (apply at checkout). Shipping is free with Prime or if you spend $25 or more. Thanks anupk4659

Note, must purchase books over $20 or more. Offer only applies to products sold by Amazon and not sold by third party sellers.
Lythimus
6 days ago
Amazon often increases the prices of books before these types of sales. I just checked a POD book and I would be saving $1 from what I consider the regular price.

Dell C1760nw Single-Function Wireless Color Laser Printer $50 + Free Shipping

1 Comment

Thumb Score: +65
Quill.com has Dell C1760nw Single-Function Wireless Color Laser Printer on sale for $49.99. Shipping is free. Thanks Gorman01

Deal Editor's Notes & Price Research: For in-depth reviews of the Dell C1760nw Wireless Color Laser Printer, head over to PC Mag & PC World ~RevOne
Lythimus
7 days ago
Ha, I was just trying to sell a used one of these for $40. I'm surprised anyone was interested. I just gave it to my family.

Saturday Morning Breakfast Cereal - Noun

1 Comment and 8 Shares



Hovertext:
Fifty years after 'verb' becomes a verb, someone will create 'deverb' which means the same thing as 'verb.'


Lythimus
16 days ago
I thought all nouns were inverbbable. I verb nouns all the time.
jlvanderzwan
16 days ago
Can one noun verbs too?
lograh
16 days ago
Some verbs are trivially nounable, even the dictionaries have them nouned. Ex: I had a good run yesterday. I suspect it is more limited by one’s imagination and creativity. Unrelated: real shame NewsBlur still doesn’t support reply trees. :(
jlvanderzwan
16 days ago
Ah, yes. Good example. Also, agreed on the unrelated part
fancycwabs
16 days ago
I believe Calvin said it best when he said "Verbing weirds language."
jlvanderzwan
14 days ago
Unrelated: real shame NewsBlur still doesn't support likin replies :(

CSS Is So Overpowered It Can Deanonymize Facebook Users

1 Comment

CSS mix-blend-mode attack

Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and whether they liked a particular web page on Facebook.

Information leaked via this attack could help some advertisers link IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy.

The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.

Vulnerability resides in browsers, not websites

The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added to the CSS3 web standard in 2016.

The mix-blend-mode feature allows web developers to stack web components on top of each other and add effects that control the way they interact.

As the feature's name hints, these effects are inspired by the blend modes found in photo editing software like Photoshop, Gimp, Paint.net, and others. Example blend modes are Overlay, Darken, Lighten, Color Dodge, Multiply, Inverse, and others.

The CSS3 mix-blend-mode feature supports 16 blend modes and is fully supported in Chrome (since v49) and Firefox (since v59), and partially supported in Safari (since v11 on macOS and v10.3 on iOS).

Researchers use a DIV stack to reconstruct iframe content

In research published today, Ruslan Habalov, a security engineer at Google in Switzerland, together with security researcher Dario Weißer, has revealed how an attacker could abuse CSS3 mix-blend-mode to leak information from other sites.

The technique relies on luring users to a malicious site where the attacker embeds iframes to other sites. In his example, Habalov embedded iframes for one of Facebook's social widgets, but other sites are also susceptible to this issue.

The attack consists of overlaying a huge stack of DIV layers with different blend modes on top of the iframe. These layers are all 1x1 pixel-sized, meaning they cover just one pixel of the iframe.

Habalov says that depending on the time needed to render the entire stack of DIVs, an attacker can determine the color of that pixel shown on the user's screen.

The researcher says that by gradually moving this DIV "scan" stack across the iframe, "it is possible to determine the iframe’s content."

Normally, an attacker wouldn't be able to access the data of these iframes due to anti-clickjacking and other security measures implemented in browsers and in the remote sites that allow their content to be embedded via iframes.

Two very impressive demos are available

In two demos Habalov published online (here and here), he was able to retrieve a user's Facebook name, a low-res version of his avatar, and the sites he liked.

The actual attack takes about 20 seconds to leak the username, 500 milliseconds to check the status of any liked/not-liked page, and around 20 minutes to retrieve a Facebook user's avatar.

The attack is easy to disguise because the iframe can easily be moved offscreen, or hidden under another element (see demo gif below, hiding the attack under a cat photo). Furthermore, keeping a user on a site for minutes is also possible by keeping him busy with an online test or a longer article.

CSS attack on Facebook

Fixes available for Chrome and Firefox

Habalov reported the bug to Google and Mozilla engineers, who fixed the issue in Chrome 63 and Firefox 60.

"The bug was addressed by vectorizing the blend mode computations," Habalov said. Safari's implementation of CSS3 mix-blend-mode was not affected as the blend mode operations were already vectorized.

Besides Habalov, another researcher named Max May independently discovered and reported this issue to Google in March 2017.
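
The article notes that the leak affects any site that allows its content to be embedded in iframes. As an added example (not from the article or the researchers), this JavaScript sketch reads a response's `X-Frame-Options` and CSP `frame-ancestors` headers and decides whether a given page could frame it. The function names, origins and header values are constructed, and origins are assumed to use default ports.

```javascript
// Added example: can `embedderOrigin` render a response from `pageOrigin` in an iframe?
// Assumptions: `headers` has lower-case names, one CSP header, default ports only.

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Match one source expression: *, 'self', a scheme ("https:"), an origin,
// or a wildcard host ("https://*.partner.example").
function sourceMatches(src, pageOrigin, embedderOrigin) {
  if (src === "*") return true;
  if (src === "'self'") return pageOrigin === embedderOrigin;
  const embedder = new URL(embedderOrigin);
  if (src.endsWith(":")) return src === embedder.protocol;
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)$/.exec(src);
  if (!m || m[1] + ":" !== embedder.protocol) return false;
  return m[2] ? embedder.hostname.endsWith("." + m[3]) : embedder.hostname === m[3];
}

function isFramableBy(headers, pageOrigin, embedderOrigin) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    // An empty list or 'none' matches nothing, so framing is refused.
    return sources.some((s) => sourceMatches(s, pageOrigin, embedderOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return pageOrigin === embedderOrigin;
  // No header, or the obsolete ALLOW-FROM form that current browsers ignore.
  return true;
}
```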


Lythimus
51 days ago
It didn't seem to work in Brave, but it's just based on the Chromium engine, so I'm not sure why it would fail unless my settings somehow prevent the loading of the iframe?

GDPR

4 Comments and 16 Shares
By clicking anywhere, scrolling, or closing this notification, you agree to be legally bound by the witch Sycorax within a cloven pine.
Lythimus
57 days ago
another God Damn Privacy Report.
3 public comments
satadru
56 days ago
Also, for GDPR purposes, I live in France now.
New York, NY
alt_text_at_your_service
57 days ago
By clicking anywhere, scrolling, or closing this notification, you agree to be legally bound by the witch Sycorax within a cloven pine.
zippy72
51 days ago
But Sycorax Rock!
alt_text_bot
57 days ago
By clicking anywhere, scrolling, or closing this notification, you agree to be legally bound by the witch Sycorax within a cloven pine.

Saturday Morning Breakfast Cereal - Extinction

1 Comment and 6 Shares



Hovertext:
One good way to use semicolons is to not.

Lythimus
141 days ago
I try to only use semicolons when it's my inclination to have a run on sentence to complete a thought. Even though they look formal, they're good for making print read like spoken language. But I'm no expert.

Tell me, what's the male's opinion on overuse of emdashes, or putting spaces around emdashes, or using a single, spaced, endash as an emdash?