Lose when you’re better

Microsoft was always used to winning with inferior products. Windows was inferior to the Mac OS for many years and yet it dominated the market. Internet Explorer, the infamous browser, was the best browser for a few seconds in history, when it triumphed over Netscape while both were at version 4. We still feel the stagnation it has created since then, being the most inferior browser ever since.

Lately Microsoft started to create better products, and yet instead of winning they fail. Silverlight is better than Flash & Flex and yet it lost to it, not being able to gain any significant market share (Flash is better than HTML5 but lost to it as well, but that’s a different story).

What worries me a bit now is that the truly impressive Windows 7 mobile won’t be able to gain any significant market share. I’m not yet saying that it’s better than iOS (iPhone) and/or Android, but it is an impressive OS that didn’t just copy the concepts of the other two. It’ll be interesting to see what will come out of it.


Adobe Flash – Brave Fold

In poker, a brave fold would be a case where you have a strong hand and you are already committed to the pot (you’ve already put in some substantial amount of money); even so, you sense that your opponent might have a stronger hand and you fold – losing your strong hand and the pot. Staying in the game would have required you to endanger even more money, maybe too much.

Adobe was in a similar situation: it has a very strong hand – Adobe Flash – and has already committed a lot of money to this loss leader. But staying in the game would have required them to put even more money/resources into it. They would have to be fully committed, they would have to be “all-in”, borrowing from poker again. They could have ended up winning the hand, but if they lose they can be out of the game completely.

We should have all known that iOS will never run Flash. It’s almost like Steve Jobs’ last words were “exterminate the Flash” – similar to the hate Genghis Khan had for the Tatars when he ordered “the extermination of the Tata Mongols”.

In retrospect, it seems like wasting all those resources on porting Flash to mobile was good only for Adobe and us in the Flash crowd to be able to give Steve and the other mongers the finger, telling them – see, Flash runs well on mobile! It was supposed to be obvious that Flash will never reach similar ubiquity on mobile as on the desktop. Then again, everything is easier in retrospect.

There are many reasons why Flash succeeded where 1,000 other plugins failed. And it’s also amazing how a relatively small corporation like Adobe managed to stay in front of much bigger competitors, Microsoft with its buckets of money and Sun with its Java Java Proxy Proxy, to name only two.

I’m just sick of laymen who are quoting laymen who are quoting a reporter who quotes another reporter who quotes “someone who knows” who quotes another one who “really knows” – it’s like that game, what’s its name?! The other day I heard from someone who should have known better that “lack of multithreading killed Flash” – you’ve probably heard that BS before, yep, it’s total BS. Add that to the many other misconceptions people have regarding this issue and it piles up into a big pile of sh<bip>it. I wonder how many of these laymen know the hassle of cross-browser HTML development?!

So, congrats on the brave fold, Adobe; with the right hand I salute you. With the other hand I give you the finger – f*ck you, big proprietary beast, how dare you stab so many people in the back.

Webcam ClickJacking Revived

Two weeks ago this guy managed to revive my 3-year-old Webcam ClickJacking POC and also managed to revive some of the buzz surrounding it.

The revived attack is exactly the same as my 2008 POC; it even uses lots of my code. The difference is that instead of using the settings manager HTML page as the source of the iframe, it now uses the settings manager SWF directly. Actually, this was the first thing I tried after Adobe frame-busted the settings manager pages. It didn’t work well in my Windows browsers so I ditched it. One of the first comments on my Webcam Clickjacking post created the same thing and gave a link to it (it now links to an ad). So obviously everyone knew it or at least thought about it – everyone except Adobe.

The Flash Player provides great power on the web; it’s still the only practical means to interact with the user’s webcam and microphone. You know the cliché, with great power comes great responsibility. Adobe needs to be vigilant when it comes to her users’ security and privacy, and her users are practically everyone.

Obviously, every new version of the Flash Player should go through vigorous security testing. It also needs to be done with every new browser and OS version. That’s a huge matrix but it needs to be done. For example, browsers change the way they embed plugins, which can easily lead to flaws even if the Flash Player stays the same.

Back then Adobe knew about the ClickJacking beforehand coz they were informed by RSnake and Jeremiah Grossman. They didn’t know specifically about my POC and the way it exploits the settings manager, but anyhow they should have at least frame-busted every related page. It’s insane that in all of these 3 years no one bothered to at least Flash-bust the settings manager SWF and prevent the resurrection of my POC.

BTW, good job Feross Aboukhadijeh, my name is Guy Aharonovsky – whois is easy…
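The gap described above (the HTML page was frame-busted, the SWF served from the same place was not) is the kind of thing a per-resource audit catches. The sketch below is an added example, not code from the original POC or from Adobe; it checks the X-Frame-Options and CSP frame-ancestors response headers rather than script-based frame busting, and every path and header value in it is constructed.

```javascript
'use strict';
// Added example; every path and header value in SAMPLE is constructed.

// Return the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// True when an arbitrary third-party page could load this response in a frame.
function crossOriginFramable(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Browsers that support frame-ancestors use it in preference to X-Frame-Options.
  const sources = frameAncestors(h['content-security-policy']);
  if (sources !== null) {
    // An empty list behaves like 'none'; '*' or a bare scheme admits any origin.
    return sources.some((s) => s === '*' || s === 'http:' || s === 'https:');
  }
  // Only DENY and SAMEORIGIN are honoured; the obsolete ALLOW-FROM is ignored
  // by current browsers, so it counts as no protection.
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  return xfo !== 'deny' && xfo !== 'sameorigin';
}

// List every resource in the set that is left framable.
function auditFraming(responses) {
  return responses.filter((r) => crossOriginFramable(r.headers)).map((r) => r.path);
}

const SAMPLE = [
  { path: '/settings/manager.html', headers: { 'X-Frame-Options': 'DENY' } },
  { path: '/settings/manager.swf', headers: { 'Content-Type': 'application/x-shockwave-flash' } },
  { path: '/settings/help.html', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" } },
  { path: '/settings/legacy.html', headers: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' } },
];
console.log(auditFraming(SAMPLE));
```

The point of running it over every response, not just the HTML pages, is that a directly served plugin file is a framable document too.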

Windows is still too easy to kill

Windows 7 that is, got no reason to believe it’ll change in Windows 8.

Yesterday I accidentally/stupidly right-clicked on Computer and then went to –> Manage –> Storage –> Disk Management –> right-clicked on my external HD and selected “Mark Partition as Active”. Realizing this is not what I was looking for, I wanted to undo it but couldn’t find where. I then had to go, and left my laptop running. When I came back I saw my computer had crashed; it might be because WinDirStat was running in the background, but that’s irrelevant.
Anyhow, I started my computer and got this message:

BOOTMGR is missing
Press Ctrl+Alt+Del to restart.

Restarting won’t help, obviously. Googling this issue gives you tons of info that basically tells you the same two things – use the Windows installation CD, and if you don’t have it, like with many OEM machines, or you left it in the office, you can download this Windows recovery CD from this obscure website and that will cost you 10 USD.

I think it’s very bad, to say the least, that any common user can get himself into such trouble without the ability to easily revert it. Even though I knew it was probably caused by marking the external HD as active, I can’t say I wasn’t slightly stressed – no boot record can easily mean HD failure.

This is how to fix it without the Windows installation disc and without buying the recovery disc:

1. Go and download Hiren’s boot CD. This handy collection of software used to include pirated apps, but I believe that it is now legit (since version 10.1, current is 14.1) and only includes freeware and shareware.

2. (Optional step) boot into tiny-XP to see your HDs and files are intact – hopefully. (I wonder how they include this XP legally?)

3. There are many boot (MBR) fixing tools in Hiren’s boot CD; I used the freeware MBRWizard.
The command line I used was MBRWizard \disk=1 \part=1 \inactive. This set my external HD as inactive.
It’s easy: once you run MBRWizard you get help on how to use it.

That’s it.

Come on Microsoft, you ask the user all kinds of redundant questions like “do you want to see the files of your C drive” but then let him completely kill the functionality of his machine without the ability to easily revert it. ??!