Google Blogoscoped

Forum

Netscape Hacked  (View post)

Elias KAI [PersonRank 10]

Wednesday, July 26, 2006
13 years ago4,552 views

What fighting online ?

/pd [PersonRank 10]

13 years ago #

Rsnake sez :"Apparently Netscape’s version of Digg was vulnerable to cross site scripting (or HTML injection anyway). The way I understand it, that widget was/is at least sometimes exposed to the main page. When it got higher in popularity it showed more often on the main page, and therefor got presented more often – thereby defacing it more often. It wasn’t persistant, but based on it’s virulance it became fairly well seen. "

as this has become full discolure mode.. heres the defacement methods


majorsecurity.de/advisory/nets ...



majorsecurity.de/advisory/nets ...



majorsecurity.de/advisory/nets ...


alek [PersonRank 10]

13 years ago #

DIGG hacked in the escalating battle (?)
   digg.com/tech_news/Bug_or_Cons ...

Note EVERYTHING is modded way, way down – any explanation for that?

NateDawg [PersonRank 10]

13 years ago #

I saw this about two weeks ago, but as I recalled it fell way short of a simple monster search.

Philipp Lenssen [PersonRank 10]

13 years ago #

> Note EVERYTHING is modded way, way down – any
> explanation for that?

Hah. This one is funny.

Sohil [PersonRank 10]

13 years ago #

[put at-character here] alek, Sweet.

Philipp Lenssen [PersonRank 10]

13 years ago #

By the way, I won't join the modding down 'cause we all know Digg sometimes deletes accounts for stuff like that...

Philipp Lenssen [PersonRank 10]

13 years ago #

On a related note, someone seems to have found a Digg API (in progress):
serverboy.net/wiki/Digg
[Via Waxy]

/pd [PersonRank 10]

13 years ago #

the theory is that slashdot users are POC'ing the comments flaws in digg....

not sure if there are comments voting flaws within digg...not my cuppa tea!!

NateDawg [PersonRank 10]

13 years ago #

woops, posted on the wrong post :D

/pd [PersonRank 10]

13 years ago #

oh nice.. catch Philipp.. just when the veto was on – who was first goin to produce the API!!

Philipp Lenssen [PersonRank 10]

13 years ago #

Another screenshot of the hack:
flickr.com/photo_zoom.gne?id=1 ...
[Via Valleywag]

Caleb E [PersonRank 10]

13 years ago #

I bet I know what happened with the digg thing. All these diggers are coming up with grandiose conspiracy/flaw theories. I think all that happened is that the first few comments were buried on the firefox thing so the next six or so people that came through thought that'd be funny and it just built off that. As for the actual article's comments, that was clearly a large number of diggers with a sense of irony. Remember, it only takes 6 people to bury a comment.

On a more fundamental level, digg suffers from groupthink: en.wikipedia.org/wiki/Groupthi ... . (this was mentioned in one of the buried comments). The problem is, you see a comment with +4. You can either agree with the majority and mod it up, disagree and mod it down, or do nothing. Modding it down isn't really going to do any good, so I think people who are obsessive about modding and such just mod up when they see something that is say greater than +2 or +3. I mean, even if you mod down a +2, you're essentially wasting your time because NOBODY knows that you don't approve of that comment. Then you have comments with like +154 at which point nothing anyone does matters. but these still grow. It's a flaw. The solution is a kharma system, but I think Digg has already implimented a simple one for submissions (prompting stuff like this: seomoz.org/blogdetail.php?ID=1 ...).

One thing is for sure: the comment system is messed up.

Andrew Hitchcock [PersonRank 10]

13 years ago #

People give slashdot a hard time for their moderation and meta-moderation system, but it seems to have most of the kinks worked out of it. Digg is still a newbie and now they are having to learn how to deal with crowds.

ShellehS [PersonRank 5]

13 years ago #

seem only my IE dont suport this, it pop up nothing.

Splasho [PersonRank 10]

13 years ago #

"I mean, even if you mod down a +2, you're essentially wasting your time because NOBODY knows that you don't approve of that comment."

I know what you're saying but that's not really accurate. The point is that by modding down you cancel out the person who modded up, that means the person after you will be equally likely to mod down as up.

Reto Meier [PersonRank 10]

13 years ago #

The problem with this system is that it's very time sensitive. The first bunch of voters have the most control over the eventual rating. The result is that the dozen or so obsessives modding every post / comment have the power to (unduly?) influence everyone who comes next.

People are less likely to bother modding down something that's already +5, they'll tend to either vote it up or leave it. The iniital modders can quickly burry things they disagree with and upvote others beyond most people's 'why bother?' threshold. End result is a squewed view based largely on the opinion of the first responders.

Ludwik Trammer [PersonRank 10]

13 years ago #

Netscape.com not only showed alerts, but redirected to digg.com.

Digg comment by by eplawless:
-----
*sigh*
It's not like I did anything illegal. I just submitted a story. It's not my fault that there is a cross site scripting vulnerability; my story should never have been able to go through. I even sent them five messages about it over the past week, which they ignored, and posted a couple news items about it, which they deleted, before I decided to submit the cuteness story. A friend provided the text for the alerts. I apologize that this has gotten out of hand, but they have had ample warning. I mean, AMPLE warning: packetstormsecurity.org/0606-e ...
-----

And here is Netscape.com html source from netscape.com (via munkt0n):

[... cut... Philipp's forum doesn't allow me to send source code ...]

As you see they didn't filter HTML, so hackers could even still people cookies...

Ludwik Trammer [PersonRank 10]

13 years ago #

Here is the source from hacked netscape: digg.com/tech_news/Netscape_co ...

/pd [PersonRank 10]

13 years ago #

yeah but dont you find it strange that the seed story never made it to the front pages of Dig .. even though it got over 1000 diggs within 1 hr and approx 6000 diggs within 24 hrs...

So within the digg system istories are being manually supressed ??

Philipp Lenssen [PersonRank 10]

13 years ago #

Caleb
> One thing is for sure: the comment
> system is messed up.

Agreed. Especially how you see replies to buried comments, totally out of context, but they still show up. Maybe they should just allow one to "digg" a comment (to plus it), so that superb information gets a different highlight color. Then, you can scroll down the comments page and see what's very interesting to read.

I won't even suggest it to them as they're mostly unresponsive to feedback. :)

An interesting example of groupthink is the Tchernobyl accident in 1986. There were *a lot* of warning signs that were being ignored because the group was thinking
- they're all experts anyway (delusion)
- nothing ever happened, so most security measures tend to be ignored
- when person A thinks it's OK, then it must be OK, 'cause person A is well-respected

Basically, groups that don't encourage you to question conclusions made by those higher up in the rankings come to failed conclusion. Also, groups that "play too well" together, that are too similar to each other, tend to suffer stronger from groupthink and come to bad conclusions (like the internet bubble around the turn of the century... most everyone was repeating the gospel!).

Another example of groupthink leading to desaster is the Columbia explosion in 2003. There were clear warning signs (during take off, parts were crashing into the wing, which would lead to the explosion when the shuttle would reenter atmosphere) but alerts brought up from lower ranks were ignored. Quote Wikipedia:
"While the shuttle was still in orbit, some engineers suspected damage to the thermal protection, but NASA managers limited the investigation, feeling that nothing could be done even if damage was found."
en.wikipedia.org/wiki/Space_Sh ...

Apparently the organizational structure of the NASA was changed after that incident.

/pd [PersonRank 10]

13 years ago #

=="Maybe they should just allow one to "digg" a comment (to plus it), so that superb information gets a different highlight color."

They should just have a vote button 1-5 and user votes on a comment using that method.. Once voted on, the system can aggreated the number of votes and place the number of star's for that comment..

just like the google star/vot system

/pd [PersonRank 10]

13 years ago #

still not fixed!!!

This thread is locked as it's old... but you can create a new thread in the forum. 

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!