KDE Dot News: Growing Pains

As the Dot has been getting more and more successful, and more and more popular, we've been attracting script kiddies and trolls like flies. As Dre previously reported: "On March 13, 2001, at 1:33 am EST, someone using the anonymizer.com service succeeded in putting malicious Javascript code into one of the posts. While the code was relatively harmless -- it changed all links on the page to point to a shockingly disgusting porno site -- we feel this security lapse requires us to disable all posting until the problem in the Squishdot code is solved." This news has been out for a while in all the wrong places (1, 2) and is attracting attention. Read on to see what we're doing about it.

Unfortunately for the kiddies and trolls, we care deeply about our site, and we're taking many measures to ensure that it remains a valuable resource to the KDE community. As of now, things should be mostly back to normal. We've long reenabled posting and we've fixed the Squishdot Name/Email/Title security hole that the kids were exploiting -- Dre reports that there was failed attack attempt no less recently than this morning. On top of this, we're working on some much more strict HTML restrictions and we're also implementing Dot banishments by IP/domain/other for severe cases.

We will eventually have a proper policy in place for dealing with trolls and script kiddies, whether by article marking or deletion, IP banning, or other means. We try to be fair. For example, it's fair to talk about what's wrong with KDE, or what other environments have that KDE does not, as long as there is no obvious abuse. However, what we will not have here is Slashdot-type leniency, for the simple reason that we are not actually Slashdot.

Have any suggestions? Feel free to vent them. If you want to test out potential hacks on an article, please test them in this temporary forum. I'd like to add that we hope to keep the Administrivia to a minimum in the future. You can certainly look forward to much more interesting KDE news and developments on the Dot! Look for some upcoming news on KuickShow...

Dot Categories: 

Comments

by Sheldon Lee Wen (not verified)

Thank you. I appreciate you taking a strong stand on this kind of abuse. I can't tell you how angry I was last time I was reading the posts on slashdot. I had my 4 year old and 2 year old son's sitting with me and unfortunately I was browsing in windows at the time. Up popped a homosexual porno site, which was very explicit. I was not a happy camper. In fact, if I could have gotten my hands on the person who did that they'd have been beaten black and blue.

by raindog (not verified)

FYI, the goatse.cx thing isn't a "homosexual porno site", but rather created by whomever for use exactly as it has been here - to troll. I seriously doubt its author was even gay, as most of us find that image as irritating as you do, not only because it's not nice to look at but because it sparks anti-gay sentiment. (My personal thought is always "Will someone PLEASE light a match already.")

At any rate, I consider this another reason Konqueror should include an easily accessible menu item, preferably with hot key, for enabling/disabling Javascript like Galeon has. I prefer to surf most sites without Javascript turned on just to avoid this sort of crap, but need to turn it on for things like web banking and buy.com.

I'd like to see iframes easily disabled as well, but I've resigned myself to having to write patches for that. Mozilla's "block images from these domains" feature would be nice to copy also, not just for this but to control banner ads as well. Disclaimer: I have downloaded KDE 2.1 but haven't had time to install it yet, so maybe some of this stuff is already in there ;)

by Jonathan Brugge (not verified)

It's already possible to turn on/off javascript, java and cookies for specific sites. I agree a hotkey would be a good thing too, but only in addition. To turn off javascript, go to the konqueror-options, choose "Konqueror-browser" => JavaScript. Unset the option "Enable JavaScript globally" to disable JavaScript. In your situation, it might be a good idea to set some domains that may use it, like .buy.com. You can do the same for Java and cookies (in fact, even more for cookies).

Jonathan Brugge

by raindog (not verified)

I know, that's what I do now. I just don't understand why it's buried on the last page of a dialog under two levels of menus, which takes me 10-15 seconds to remember, find and set rather than a fraction of a second.

It's not just Konqueror, though. Netscape and IE do it too. I always assumed it was their inherent ties to commercial interests (who most often abuse javascript, cookies, etc) that led them to make it complicated to disable.

If I do end up trying to write a patch, I'll probably also try to allow hotkey disabling of certain specific Javascript methods, like window.open (to disable just popups) or right-click onclicks (to avoid those "You aren't allowed to view the source!" messages which are completely meaningless when you use Konqi anyway.) This is assuming I get over my OOPophobia and can even figure out where all that functionality is.

Rob

by ben (not verified)

I think there is a plugin made for konqueror that allows you to quickly en-/disable javascript, graphics and other things via toolbar. You should take a look at the dot, it was on here somewhen.

by Evan "JabberWok... (not verified)

I own a company that does commercial sites that manage user content... I've seen TIFFs dumped into textboxes, gotten SQL commands thrown into my URLs, and even had someone try and upload a file that I believe was /dev/random!

I wanted to try to execute some SQL commands in the forum, but it occured to me that you might be running the test forum on the same database the rest of the dot is running. Also, some of the things that I thought of might bring down the dot, and I do NOT want that...

People -- keep in mind that the point is to kill the test forum, NOT the server!!!

(and give us back HTML encoding!!! It *can* be done safely!!!)
--
Evan

by Navindra Umanee (not verified)

Hmmm, yeah. That was certainly not meant to be an invitation to disaster, but more to check that we had closed the javascript security holes.

We're working on bringing HTML back.

Thanks for your input!

Cheers,
Navin.

by Evan "JabberWok... (not verified)

>> but more to check that we had closed the javascript security holes. We're working on bringing HTML back.

Kinda hard to check for javascript holes if HTML posting is disallowed. For starters I'd limit the tags, and strip out all style="" and on.*="" strings. Remember the classic

dosomethingbad trick... it shows up as a paragraph tag or a script tag to different browsers.

--
Evan

by Navindra Umanee (not verified)

The interesting thing is that the Javascript hack did NOT take advantage of our HTML encoding feature, but lack of checks on the Name/Email/Title fields. They have been doing it on Gnotices as well, and that site does not support HTML encoding for articles.

-N.

by reihal (not verified)

No need to hurry. plain text is good enough!

by Evan "JabberWok... (not verified)

plain text is good enough!

Yes, but it makes links kinda hard to make, as well as limiting the ability to clearly delineate quotes versus replies.

--
Evan

by reihal (not verified)

"Yes, but it makes links kinda hard to make, as well as limiting the ability to clearly delineate quotes versus replies."

I don't agree, just copy and paste. Plain Text rules!

by greg l (not verified)

i agree, copy paste is what i usually do anyway!!
greg

by not me (not verified)

HTML encoding is not entirely disabled, actually. Using the preview button allows you to select HTML encoding again.

Just thought I'd warn you guys, although it doesn't seem like HTML encoded posts are really a problem (yet).

by Navindra Umanee (not verified)

Thank you! I *was* trying to track that down. I knew I had missed it. It'll be fixed immediately.

-N.

by not me (not verified)

Wow, that was fast!

The first time I did that, I thought it was just a problem with IE or something. Was it my previous HTML post that was causing you to try and track down how HTML posts were still getting through? I'm sorry! At that time, I didn't know you had disabled HTML on purpose.

by Navindra Umanee (not verified)

Yeah, I had noticed a post or two with HTML enabled. I had actually enabled it for a couple of comments myself (to fix the formatting) but I couldn't find out how it had happened with the other posts. It could have either been the other editors or a flaw somewhere. I found no evidence in the logs that another editor had done it, so I pretty much guessed there was a loophole somewhere.

:)

Cheers,
Navin.

by Otter (not verified)

The best thing you can do is to yank offending posts as quickly as possible. (Probably the ones responding to them as well.) If the trolls never get to make any permanent mark they'll get bored and go away. That's why Slashdot is full of trolls and Kuro5hin has none.

As with a lot of these exploits, this javascript trick is pretty clever and requires more brains and knowledge than does a lot of programming. It's a shame the kiddies don't apply themselves to coding. They'd get more satisfaction out of it and get something they could put on their resumes. ("Devised and implemented a way to obfustcate goatse.cx URL's in web forum posts" doesn't look nearly as good to employers.)

by Justin (not verified)

Yep. Nuke 'em good! I believe the only reason Slashdot uses a moderation system is because it became too difficult to keep up with all of the trolls, simply because of the sheer number of posts.

The Dot receives a managable number of posts, so goatsex trolls will stand out like a sore thumb. It's plain obvious that these posts are not only offensive, but insanly off-topic. It's unfortunate that we now have to deal with these types of posts, but I guess it's a sign that this forum has "made it in life."

Let's keep this place clean so we can focus on KDE.

-Justin

by Francisco Leon (not verified)

I say we take down that goatse.cx webpage
instead. I bet some good ol' naggin' from
some organizations can make congress or some
authority kill that webpage

by flikx (not verified)

Get rid of goatse.cx .. muwahahah. Are you fucken stupid or something??? Sure let's ban every web page that is slightly offensive. "That'll lern 'em!" .. don't get me wrong, that goatse.cx man is the most vile and disgusting picture I can think of; but that is still no excuse.

Crawl back into your hole you fuckwit. Why don't we get rid of the whole internet, it does nothing but ruin families and help child pornographers trade their wares.

ASS.

-- You run shitty code on your site, then expect every little faggot to come crawling out of the sewer to piss on it. I have no pity for what transpired here. --

by KDE User (not verified)

Unfortunately, you start out correct but then you mix issues. Freedom on the web has nothing to do with abusing another's website. Your right to goatse does not mean you have the right to abuse dot.kde.org.

by The goatse.cx man (not verified)

My website has fostered a global community that promotes clean air for the environment and healthy food for our children.

by KDE User (not verified)

There is no brilliance here. Being a script kiddie means copying the exploits or observations of others, without any brainpower whatsoever.

by ac (not verified)

whoever made that up sucks

by kdeFan (not verified)

I'm glad you guys are keeping this place clean and useful (very). Thanks for all your work! I was wondering how banishment would work with so many people having dynamic IPs? Maybe a registration system is required? It would mean you need a new email address every time you registered, which would be a pain for the casual abuser.

by robert (not verified)

Anyone can force a new DHCP lease by just changing the date, and I think that there aren't many kids with static IPs.

by ajuin (not verified)

well, and don't forget us students behind a big masquerading box, if one of us misbehaves, we are all punished with the ip system.

by Toastie (not verified)

If you try to block out JavaScript, also remember to filter out this syntax:

by Adam Rice (not verified)

This will not work. Netscape, in their infinite wisdom, have introduced numerous ways to incorporate Javascript into a page, many of them undocumented (some of them unintended). Plus there are attacks that don't even require Javascript--cross site scripting attacks and redirect attacks come to mind. Hotmail have been trying to use a blacklist approach against HTML for years and they still haven't got all the holes closed up.

The *only* way to safely filter HTML is with a whitelist. Disallow everything, and then allow well-known tags with well-known parameters matching carefully designed regular expressions. Be especially careful about HREFs and %xx encodings.

If you won't take my word for it, read the numerous and exhaustive Bugtraq threads on this very topic.

by John Allsup (not verified)

What you want to do is simply to have a
'paranoid' filter for the posts.
Basically, you pick out all tags, delete
all tags that don't occur in an 'allowed'
list. Then for each tag that is allowed,
pick out the options (using a per-tag
allowed list), throw away the rest.
In the case of links, you also filter
the 'ref=' etc. bits to use a protocol
from an allowed list (i.e. http:// ftp://
https:// and possibly a few others).

This allows you to pick out only the essential options for tags, and what you want to do is to reconstruct the message from the original by only taking text and allowed tags+etc.

by Kill the Trolls... (not verified)

The same happened to Gnotices a while ago.
May the trolls get blasted by Lina Inverse!

by Robbin Bonthond (not verified)

just wondering, are you putting your fixes back in the original squishdot ?
(this also applies to the threading enhancement add to the dot)

by kidcat (not verified)

Good Q.
And allso, please post the final "product" (allow/deny scripts/cfg-files) to the relevant sites when you guys are done filtering/baning/castrating all the possibleties that the kiddies have to make my one-and-only newspage crash! It's not because I'm interested in what will accually get done.... it's more all the soothing lime-lite that would shine on KDE and it's community ;)
(did i just say the same as robin?)

BTW!... If you are going to remove the linx... please remove "(Check those URLs! Don't forget the http://!)", etc from the posting form ;D

by Troels (not verified)

As a start you could hurry to ban anonymizer.com and any other known service like it. People do have a freedom of speech, but if they have to hide their identity that badly then im sure the rest of us are better off not listening to them.

by Gene Scott (not verified)

Ban anonimity? Are you sure you're a Linux user? :>

by David Johnson (not verified)

You missed the point. Users of anonymizing services would be banned from *here*, not everywhere. Big difference.

by migis (not verified)

see my other posting

by migis (not verified)

Banishing people who are unwilling to write without anonymizer is the first step to kill these things.

This should be unnecessary to say, but i got the impression it was not.

OFF TOPIC:

I am really afraid that all the differences (paths, libs, packages) between debian, red hat, mandrake, suse will lead to no good.
Comercial companies have to spend a great efford to customize their software for different distributions. May be the costs for this are to high to engage in linux software development.
( i read a posting from a free contractor relating this subject and framemaker for linux at www.deja.com/usenet at the tex or framemaker section)

OFF TOPIC the second:
What do you think about freeBSD ?
I heard it is *better* than linux, but I was unable to install it without a handbook - so i have no personal experience.
If so would it be bette to spend all the effort to develop freeBSD rather than linux ?
Or has this to do with gpl or lgpl ?

No trolling - just curious about opinions.

by robert (not verified)

BSD uses a liscence that says you can take the source and do anything you want with, windows NT/2000 uses a bunch of BSD code. The advantage of BSD is that is tends to run better under extremely heavy loads and is a tad more tested than linux, the problem with BSD is that it can be somewhat difficult to install drivers/install the OS compared to linux. Also because linux has more hype there's better hardware support for it for closed spec hardware. BSD tends to use open standards(as published by a standard organization), therefore BSD is a UNIX not a UNIX clone(this is probably one of linux's greatest weakness's, and one of it's strengths as well). Another advantage with BSD is that the 1st offtopic comment dosen't apply to BSD(much). Many benchmarks say that BSD performs better than linux, but alot say the reverse. It realy comes down to the liscences, would you care if someone used the code you wrote and did not contribute back?

by migis (not verified)

No i would probably not. But on the other hand the discussion about the integration of real player into KDE and the search for an BSD like license
(Peter Godmann: ". If anyone knows of a
BSD or equivalent -licensed implementation of a motif/kde/gnome drag &
drop library, I would love to hear about it.")
shows the demand for such a thing.

I mean one way is to say the Developers are willing to keep everything open and free for linux - which is a good thing in my opinion. But on the other hand someone can say: " let us try to make Linux a wide spread system with tons of software - most of them open source and free."

For this purpose BSD-license gives company the opportunity to contribute to linux and to make a profit by selling software.

I am really interessted in this license-things and i would be glad to read about discussions between open source devellopers (BSD and LINUX).

These question plus the question about different packageformats (openpackage.org) and about differents paths (redhat vs suse for example) are IMHO main topics for the future devolpment for linux.

cu
migis

by Navindra Umanee (not verified)
by waht (not verified)

it's up to 1.5 now, it's great.