Microsoft's attack on humanity

2010-01-16 15:01:50

You may have read recently how Google's China division was attacked by Chinese nationalists to locate political dissidents, spurring Google to refuse to keep censoring their search results in China.

This is an interesting topic in itself, but I want to talk about the security exploit used: the 0-day exploit, "Aurora," used against Microsoft Internet Explorer that caused this whole fiasco.

Yet again IE screws up big time. Why Google employees were using IE is beyond me, but it highlights just another disaster caused by the buggy IE.
...

Spam Study

2009-12-03 02:12:21

Last year, I started a study. I wanted to observe comment spammers in their natural environment, see how they function, how they move, and every other bit of data I could possibly find.

So, I set up a spam trap: a fake comment form rigged to collect data. Here are the results.

1) These bots found my comment form via a robots.txt Disallow statement, or via a rel="nofollow" link, meaning they intentionally look for things that web developers don't want scanned.

2) Only one out of the nearly 2,000 spammers had JavaScript enabled.

...

An open letter to banking institutions

2009-11-27 19:11:05

Dear assorted banking institutions, specifically those with online banking.

Please stop putting absurd restrictions on password length or permitted characters.

Recently, I changed banks; from whom to whom will remain private, but suffice it to say that I have now experienced three separate banking websites.

In each case, the password length was restricted to fewer than 10 characters, and only alphanumeric characters were permitted; in other words, a-z, A-Z, and 0-9.

In one particularly bad case, the password was limited to 7 alp
...

Automatic Digg Hack

2009-09-18 17:09:07

From the same guy who brought you the AutoStumbler, I bring you the AutoDigger!

I reported the issue, and it has been corrected, meaning I get to publish!

The exploit works on the same principle as before: a common XSS keyhole located in the search engine allows for automatic submission of the "Digg It" action.

Granted, the code I made for this exploit was much nicer than before: based on AJAX as opposed to iframes, and it used referrer spoofing in the AJAX headers.

The exploit works like th
...

Stopping comment and contact form spam

2009-09-15 11:09:55

There are few things more irritating than comment or contact form spam.

The general sense in the web development community is to add a CAPTCHA. This is great for things like a registration form or anything requiring security, but for something as simple as spam in your comments and contact forms, there has to be a better way.

I did an experiment: I set up an unprotected contact form on a hidden part of humanbagel.com and linked to it via the robots.txt. I then logged all the dynamics of over 1,000 spambots over six months.
...
