Poisoned Google Image Searches Becoming a Problem
Orome1 writes "If you are a regular user of Google's image search, you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but they still have trouble when it comes to cleaning up its image search results."
web 101: don't run unknown javascripts (Score:4, Insightful)
From TFA: "it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware."
By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default, without having the first clue what it might be doing. There can't be much debate that it's a stupid course of action, given how many people's machines are jacked by exactly that attack vector (albeit possibly using another as well).
Yeah, yeah, I know, you need javascript for your bank. That's great: whitelist your damn bank. But run only javascripts on your *whitelist*, not anything any random yahoo from a site you've never heard of before wants you to run. Would you treat your physical possessions that way? Would you let a drug gang in Eastern Europe borrow your car with your permission? If not, why would you allow them to use your computer?
I swear that the reason I haven't had a malware in my entire PC using history, and others seem to have them on a weekly or monthly basis, is because I don't completely shut off my brain once the words "... on the computer" appear in a sentence.
Use an alternative search. (Score:4, Insightful)
At this point, I feel SEO poisoning is so bad on Google that I find myself using other search engines more since they don't seem to be as big of a target.
Altavista, Ask and Bing have just been giving me more relevant search results lately. Google seems to like to show more SEO sites, forum reposters that just repost the same forum entries over and over and "Meta Search" sites such as software informer and alibaba.
Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.
Re:web 101: don't run unknown javascripts (Score:5, Insightful)
By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default...
This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...
The *average non-techie web surfer* is simply NOT going to turn off JS.
Will not happen... So, it's not realistic or productive to waste time discussing such an option.
Sad, but true.
Re:web 101: don't run unknown javascripts (Score:5, Insightful)
It's 2011, there should not be anything a Javascript can do that is harmful to your computer.
a couple add ons that help (Score:5, Insightful)
If you haven't tried these, do it and be amazed at how many sites load without stylesheets, pictures etc. It's amazing how badly shit is implemented - zero thought about graceful degradation.
no script [noscript.net]
requestpolicy [requestpolicy.com]
Re:web 101: don't run unknown javascripts (Score:5, Insightful)
I tried running with Javascript disabled. Five years ago you could get away with it. Now so many sites, especially with jQuery being so pervasive, simply don't work with JS disabled or you get an ugly broken thing.
I hear the claim, "Well you can run it on trusted sites". What has the site done to earn my trust? Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked? Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.
Re:web 101: don't run unknown javascripts (Score:4, Insightful)
Re:a couple add ons that help (Score:4, Insightful)
Re:web 101: don't run unknown javascripts (Score:5, Insightful)
They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.
You might think, but there is a lot to suggest that what you suppose is not the case.
The fact is, the average non-techie user values "interactive" over "secure". Those in the business of servicing PCs on the consumer level will tell you this.
Re:Mac is vulnerable too (Score:5, Insightful)
It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provided her admin credentials, in order to have installed/run something.
Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.
And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window. I'm not accusing you of being a liar, but my wife uses her Mac to access our bank accounts and such. I have no choice but to nuke the site from orbit (reinstall OS X). I'd like to trust that because someone on the Internet said I'm safe and not to worry about it, that I can just plain not worry about it, but I just can't take that risk.
At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard. It'll take me days to fully reload and reconfigure her machine.
Thanks, Apple...
Re:web 101: don't run unknown javascripts (Score:4, Insightful)
Why sad? The ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.
It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.
Re:web 101: don't run unknown javascripts (Score:4, Insightful)
I find it hard to understand why this whole article is a problem...
Re:web 101: don't run unknown javascripts (Score:2, Insightful)
The trouble is that you likely get a substantially degraded experience on some sites.
Ironically I consider all that AJAX-javascript-navigation stuff complete and utter bullshit. That right there degrades experience, not the other way around.
Before Javascript you could navigate sites in a "standardised" way, i.e. open links in tabs, use back and forward buttons and so on. All sites worked the same. Javascript broke that. Now sites have to reimplement this functionality in their own unusual way; most just don't do it. So navigation gets a lot harder WITH your fancy javascript.
I get it, as a developer you love fancy new technology. However as a visitor/customer it's a usability nightmare.
Re:web 101: don't run unknown javascripts (Score:4, Insightful)
Because browsers allow 3rd party Javascript to run as if it were 1st party. This makes advertisers happy.
I've been complaining about this for years, but so long as the new economy demands that browsers be supported through sponsorships and ads, security just won't become a priority.
Hell, reading a PDF can infect your PC with a virus? I've got a great idea... let's build a PDF reader right into the web browser, and for bonus points, you can't disable it. It's okay, we built a sandbox for it, and made JavaScript twice as fast for good measure. Oh, but we still won't include support for [insert FOSS codec of choice here] because it will make the browser too bloated.