* Posts by Webfreelancer

5 publicly visible posts • joined 30 Mar 2015

UK contractors planning 'mass exodus' ahead of IR35 tax clampdown – survey

Webfreelancer

Here speaks a man with no business knowledge. The point of a limited company is to limit your risk.

It's not about the tax.

As a self-employed individual, they can come after your house, your family, your assets. A limited company is a legal entity in its own right, a firewall between you and 'shit happens'.

Webfreelancer

Reality starts to bite for banks. A contractor role previously @ 600pd outside IR35 is now 710 inside.

How long before other banks cave and the hiring frenzy begins, because projects have been on hold for 2 quarters now?

Adobe Flash fix FAIL exposes world's most popular sites

Webfreelancer

Re: Not just the seedy side of the web...

This is a really old bug, if you read the security bulletin from Adobe issued at the time.

'SWF files that were created without using Flex (such as files created in Adobe Flash Professional) are not vulnerable. '

'Most applications built with Flex 4.x that were compiled in the default way (specifically, using RSL linkage) aren't vulnerable. However, there are rare cases in which they are vulnerable.'

'Applications built using any release of Flex before 3.0 are not vulnerable.'

Most Flex developers who knew their stuff would compile to use RSLs, since it gives very small apps calling a cached set of linked libraries. The slides shown exploit a feature of the player using flash vars in the page to do a redirect; this is no different from using JavaScript and CORS to do a cross-origin call. For every Flash exploit I can think of 3 ways to do a similar thing in JavaScript. The answer? Browse with scripts turned off? Oh wait, my new shiny HTML 5 app won't work with JavaScript turned off, bummer!

No Flash developer who understands security uses Flash vars if he can avoid it. A correctly formatted cross-scripting policy file should also solve cross-scripting stuff (that has been around in Flash since Flash Player 7 as a security device): the player will not load content from another domain unless it is specifically given permission via the Cross Domain Policy XML file on the server.

Webfreelancer

Is the cure worse than the bug?

Has it occurred to anyone that this might be an exploit?

The authors of this so-called 'bug' expect sysadmins to download and run a jar.

If you go to the Git repo, you can't see what's in the source; it's in a zip.

Neat way to get an exploit onto a load of servers if you ask me !!

"Just because I am paranoid, does not mean that they aren't out to get me!!"

Webfreelancer

Any real Flex developer would have strangled this bug at birth

Any Flex developer who knew his stuff would never use the methods outlined in the slides.

This was a known issue amongst Rich Internet Application developers at the time. All HTML and Flash code should be treated as insecure code.

The solution: a Java jar to scan your network. Seriously, in the bank I worked at the sysop would be fired on the spot.

Would you really want as a sysop to run a jar inside your network?

Correctly designed applications built in Flex would never have been vulnerable to this.

What's with Flash haters? For years it was a form of p*&*s envy: the Flash dudes could do cool stuff, whilst HTML programming made you want to gouge your eyes out with a spoon.

In its time Flash was an incredible tool for pushing the envelope in a way JavaScript could not.

That is starting to change, but the browser as a platform, Web 3.0 if you like, is still quite a fragmented patchwork of technologies. This creates challenges for building large HTML applications: what do you do if one of your large corporates is still using IE 6?

When Flash dies, as it will, the browser as a platform will become a major point of hacking attacks. This creates a maintenance headache for companies creating web apps: every time the evergreen browser updates, will you need to retest your app?

Now we have new sets of tools in JavaScript. What is interesting is that it is still the mindset and knowledge of the developer that sets excellent work apart from crap. I currently see some real crap built in JavaScript, committing far worse sins than Flash ever did, but I am not screaming for canvas and JavaScript to be banned.

Criminals will build malicious sites and will find ways to attack your JavaScript; in fact it is far easier to do than it ever was in Flash. Why? All your code is downloaded to the client and can be read or reversed. If you think minification or uglify gives you security, you are delusional. Accept that client-side code and the web are intrinsically insecure, and that is your starting point for security.