Happy 4th-chan of July (or: Stay Away from You Tube)

Update 16:00 Sun 04 Jul 2010: You Tube is reporting that they fixed this bug and cleansed the comments. I, however, am perfectly content to give it another day before trying them again. Back to the original post…

I have commented out the links to You Tube in yesterday's Swedish Chef “Popcorn” post. There's a cross-site scripting (XSS) vulnerability in You Tube's comments (and maybe in video titles, too). Taking advantage of this vulnerability is as easy as copy and paste, and last night, someone told 4chan about it.

They are now doing their best to destroy You Tube, because destroying things is what they do. The damage is mostly limited to scrolling marquees saying “4CHAN ROXORZ” and “LOLOOLOLOL” popups, but a few of them are trying to harvest browser cookies and login sessions.
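As an added illustration (not code from the original post, and not code from the site it discusses), here is the rendering mistake behind a stored XSS in a comment field, beside the escaped form a defender would ship; the comment text is constructed, and the function names are my own.

```javascript
// Added example: rendering an untrusted comment safely. Not code from the
// original post; the comment text below is constructed to resemble the
// marquee and popup payloads the post describes.
const CONSTRUCTED_COMMENT =
  '<marquee>4CHAN ROXORZ</marquee><script>alert("LOLOOLOLOL")</script>';

// Vulnerable pattern: untrusted text concatenated straight into markup.
// Anything the commenter typed is parsed by the browser as HTML.
function renderCommentUnsafe(author, text) {
  return '<li class="comment"><b>' + author + '</b>: ' + text + '</li>';
}

// Hardened pattern: every character that can open or close a tag, an
// attribute value, or an entity is replaced by its HTML entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCommentSafe(author, text) {
  return '<li class="comment"><b>' + escapeHtml(author) + '</b>: ' +
    escapeHtml(text) + '</li>';
}

// Detection aid: true if the rendered fragment carries any tag other than
// the fixed wrapper tags the template itself emits.
function containsForeignTags(html) {
  const allowed = new Set(['li', '/li', 'b', '/b']);
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1).toLowerCase()));
}
```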

Since You Tube is useless without JavaScript, I'm removing the links until the Google / You Tube guys get this cleaned up. You should probably consider You Tube a no-go zone for the rest of the day.

I feel sorry for the sysadmins and web coders who will lose their holiday weekend dealing with this bullshit.

NoScript — Live It, Love It

If you use Firefox, you should consider using NoScript. It prevents scripts (and some other sneaky attacks) from running unless you've specifically allowed their site to run scripts. This lets you run JavaScript on, say, Live Journal without allowing any other sites. This isn't perfect, but it's a huge improvement for most people.

Even better, with two clicks you can grant temporary permission to sites that don't know how to write a form or image gallery properly. And you don't have to remember which sites you allowed; just hit “Revoke Temporary Permissions” and they're all banned again.

(Unfortunately, it does not allow specific scripts to run, so you can't enable just the bit that plays You Tube videos without also allowing the rest of You Tube… including the infected comments.)

I often hesitate to recommend NoScript, because it requires a little understanding of how the Web works. NoScript will show you how many incompetent web designers are out there. You can spot them because videos, images, and even plain old links, which have worked since the Web was invented, don't work on their sites… without JavaScript. It's infuriating, but at least it's safer.

If you're going to risk using the Web, you must control JavaScript. It's more dangerous than ever, but it's also required for some important tasks. (Google Maps, for instance, is hard to use without it, and some other Google apps won't work at all. Ditto any mis-programmed but useful site like Deviant Art, whatever bank you use, and of course You Tube.) So you can't afford to turn it off entirely, but you can't risk turning it on indiscriminately, either.

Until the W3C and the browser vendors agree on a way to restrict JavaScript execution, NoScript will have to do.

(Also: AdBlock Plus, FlashBlock.)

Vandals Are the Same Everywhere

If you saw any of the G20 riots recently, you surely noticed that the hooligans who started wrecking the town weren't actually protesting anything. There was no message. If they hadn't been burning cars at the G20 summit, they'd have been burning storefronts after a Lakers game, or trees in a state forest. Maybe a synagogue. They don't have a cause, they have a cover story — one that allows them to burn shit.

Not too long ago, 4chan wanted us to believe they were a bunch of heroes because they were picking on Scientologists instead of furries. No, this wasn't just the usual bullying; this time 4chan had a higher purpose. “Anonymous” was going to make the world a better place, and we'd all see we were wrong for doubting them. It was only coincidence that Tom Cruise had recently embarrassed his Scientology masters, making Scientology look weak in front of a group that preys on the weak.

But that was like, whoa, a year ago or something, and Scientology is kinda boring now. Making a difference turned out to be too much like work.

Today a new weakness appeared, this time in You Tube, and within hours 4chan was attacking them with the same joy and intensity as their crusades against Scientology, furries, and that kid who lost his iPod. Like the G20 riots, it's hard to imagine a less ambiguous way of showing they don't care what their target is, so long as they have one.

4chan is the Internet equivalent of the black-clad morons heaving bricks into a coffee shop. If this were a hurricane, they'd be looting department stores.

