• (disco)

    Yay! Badged unlist before in 4!

  • (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    Badged unlist before in 4!

    :no_entry_sign: :badger:

    :-P

  • (disco) in reply to Tsaukpaetra

    @boomzilla, @PJH, @abarker, @Yamikuronue, @aliceif


    The ERV is cute.

  • (disco)

    My first time posting before unlist!

  • (disco)

    Seems their obfunscation worked, the cutesy in this script is over 9000!

  • (disco)

    Just, wow...

  • (disco)

    I don't know whether to be appalled, impressed, or some wretched conglomeration of the two.

  • (disco)

    so...... no one is going to tell them that eventually an XMLHttpRequest is going to have to be constructed to get the video and that needs the unobfuscated URL?

    or that any decent browser's development tools are going to track URLs and their requests allowing you to find the direct link to the resource you want.....?

  • (disco) in reply to accalia
    accalia:
    so...... no one is going to tell them that eventually an XMLHttpRequest is going to have to be constructed to get the video and that needs the unobfuscated URL?

    Why would you want to tell them anything? Why ruin all the fun?

  • (disco)

    (╯°□°)╯︵ ┻━┻

  • (disco)

    Some people have too much time on their hands.

  • (disco)

    Is that JavaScript code, or a badly-formatted list of text emoji?

  • (disco)

    Didn't someone post that, or something similar to that, in the article comments for the previous JS abomination?

  • (disco) in reply to accalia
    accalia:
    or that any decent browser's development tools are going to track URLs and their requests allowing you to find the direct link to the resource you want.....?

    QFT. Another pointless exercise in "security."

  • (disco) in reply to RaceProUK

    Is that JavaScript code, or a badly-formatted list of text emoji?

    Yes.

  • (disco) in reply to Onyx
    Onyx:
    Didn't someone post that, or something similar to that, in the article comments for the previous JS abomination?

    RTFA

  • (disco) in reply to caerphoto
    Is that JavaScript code, or a badly-formatted list of text emoji?

    Yes.

    APL?

  • (disco) in reply to Onyx

    Here you go:

    https://what.thedailywtf.com/t/bidding-on-security/54755/24?u=ixvedeusi

    The code in TFA is quite a bit longer but has the same beginning and end, so I'd suppose it's been generated with the same "tool" linked in that post.

  • (disco) in reply to RaceProUK
    RaceProUK:
    Is that JavaScript code, or a badly-formatted list of text emoji?

    You're looking at the new format of my posts!

  • (disco) in reply to aliceif

    There was no link, I didn't remember the name, and searching is work I didn't have to do since now someone else did :trolleybus:

  • (disco)

    My frist reaction on seeing this was "Interesting I didn't know there was an APL browser plugin"

  • (disco) in reply to kt_
    accalia:
    or that any decent browser's development tools are going to track URLs and their requests allowing you to find the direct link to the resource you want.....?

    Front-End developers' lack of knowledge about the wider world of computers & networking should never surprise. I mean, we have people who have made careers out of doing everything on port 80. And I mean everything.

  • (disco) in reply to NTW
    NTW:
    I mean, we have people who have made careers out of doing everything on port 80. And I mean everything.

    .... how would someone excrete through port 80..... wait, no. i decided i'd rather not know the answer to that one.

  • (disco) in reply to accalia
    accalia:
    how would someone excrete through port 80

    Isn't that typically handled as a `POST` or a `PUT`? I sure as Brighton wouldn't want to `GET` :mask:

  • (disco) in reply to accalia
    accalia:
    how would someone excrete through port 80

    Well, first, you need a WSDL file.

    I'm imagining some attributes relating to the Bristol Stool Scale.

  • (disco)

    We have a responsibility to our submitters, to protect their identity and anonymize the details of their stories.

    It doesn't work. I am sure you have posted a few from my project and I have a fairly good idea who submitted it :D.

  • (disco) in reply to RFoxmich

    Yeah, same for me

  • (disco) in reply to accalia
    accalia:
    how would someone excrete through port 80

    I've seen lots of excrement passing through port 80...

  • (disco)

    One can decode it with:

    http://cat-in-136.github.io/2010/12/aadecode-decode-encoded-as-aaencode.html

  • (disco) in reply to NTW

    https://ooze.ninja/javascript/poisonjs/ also works.

    FWIW, deobfuscated with the "secret" string: window.vr='https://openload.co/stream/0A7tR46pxvA~1457207699~83.248.0.0~icQhbWiO?mime=true';window.vt='video/mp4';

  • (disco) in reply to isthisunique
    isthisunique:
    > We have a responsibility to our submitters, to protect their identity and anonymize the details of their stories.

    It doesn't work. I am sure you have posted a few from my project and I have a fairly good idea who submitted it :D.

    I think it's mainly about googleability by people not familiar with this site.

  • (disco) in reply to RaceProUK
    RaceProUK:
    Isn't that typically handled as a POST or a PUT?

    Makes me wish for a DEPOSIT verb…

  • (disco) in reply to dkf

    Then scammers would also ask for WITHDRAW and then where would it end?

  • (disco)

    Apparently they have never heard of this thing called Wireshark. If someone wants the video bad enough, you can't prevent them from getting it. As Raymond Chen once said (paraphrasing) "they could use the camera on a cell phone" - in this case to record from the screen.

  • (disco) in reply to BrianB_NY

    Back in the day I "downloaded" many a video by using opera:cache in my browser. It was actually pretty easy to find any cached file and copy it wherever you wanted.

  • (disco)

    I have written APL code more cryptic than this. But usually more compact. This looks like it could be Facebook written in APL.

  • (disco) in reply to BrianB_NY
    BrianB_NY:
    As Raymond Chen once said (paraphrasing) "they could use the camera on a cell phone" - in this case to record from the screen.

    Not if we mandate that every camera in the world be able to recognize the special "copyrighted content" watermarks embedded in every video and refuse to film.

    See, all you computer people refusing to see the easy solution.

  • (disco)

    Yikes.

    And here I thought that that JsF* thing was merely a (bad) joke cooked up on a Friday afternoon after sharing a crate of beer with some fellow nerds.....

    That someone would actually use it for something in production is beyond me!

  • (disco) in reply to BrianB_NY
    BrianB_NY:
    Apparently they have never heard of ~~this thing called Wireshark.~~ anything below Layer 7 in the OSI model

    :wink:

  • (disco) in reply to NTW

    It's even more basic than that: if you want someone to run a program or view some content on their machine, you have to give them the data and whatever keys are necessary to unlock the data. You can't hide anything from the machine running it/showing it, or it won't be able to run/show it.

    Since you don't control the machine, you can't control that they don't access the de-obfuscated/un-encrypted/unlocked content. You can add hoops to jump through, but ultimately it only takes one person bothering to crack your protection for everyone to have access.
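
The point made in the post above, as an added example that is not part of the original thread: a client that must fetch a resource has to hand the clear URL to its transport, so any observer at that boundary (the role the browser's network panel plays) sees it no matter how the script text was encoded. The XOR "obfuscator", the function names and the URL are constructed for illustration; the practical consequence for a defender is that access control has to be enforced on the server, not in shipped script.

```javascript
// Added illustration; all names and the sample URL are constructed.
const KEY = 0x5a;

// Publisher side: hide a URL by XOR-ing each byte and hex-encoding it.
function obfuscate(url) {
  return Array.from(Buffer.from(url, 'utf8'),
    b => (b ^ KEY).toString(16).padStart(2, '0')).join('');
}

// Player side: this code is shipped to the client, so it necessarily
// carries the inverse transform and the key.
function makePlayer(blob, transport) {
  return function play() {
    const bytes = blob.match(/../g).map(h => parseInt(h, 16) ^ KEY);
    const url = Buffer.from(bytes).toString('utf8');
    return transport(url); // the request can only be made with the clear URL
  };
}

// Observer: stands in for the network panel or a proxy on the user's machine.
// It never looks at the obfuscated script, only at what reaches the transport.
function observe(transport, seen) {
  return url => { seen.push(url); return transport(url); };
}

function demo() {
  const secret = 'https://media.example.test/stream/abc123?mime=true'; // constructed
  const blob = obfuscate(secret);
  const seen = [];
  const fakeTransport = url => ({ status: 200, requested: url }); // no real network
  const play = makePlayer(blob, observe(fakeTransport, seen));
  const response = play();
  return {
    hiddenInSource: !blob.includes('example'), // script text does not show the URL
    seen,                                      // but the transport boundary does
    leaked: seen[0] === secret,
    status: response.status,
  };
}

console.log(demo());
```
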

  • (disco)

    Well, I can pretty much guarantee that Randall used something rather less insane and rather more secure to obscure the location of all the 1190 image files. (If you have to ask, you're not an OTTer)

  • (disco)

    MOTHER OF GOD! [image]

  • (disco) in reply to BrianB_NY
    BrianB_NY:
    Apparently they have never heard of this thing called Wireshark. If someone wants the video bad enough, you can't prevent them from getting it.

    Unless they're using SSL/TLS, then you'll have to resort to man-in-the-middle.

  • (disco) in reply to accalia
    accalia:
    no one is going to tell them that eventually an XMLHttpRequest is going to have to be constructed to get the video and that needs the unobfuscated URL?

    They'll just cause the server to scrape the video and stream it down to the browser.

  • (disco) in reply to anonymous234
    anonymous234:
    Not if we mandate that every camera in the world be able to recognize the special "copyrighted content" watermarks embedded in every video and refuse to film.

    Then people can start wearing clothes that will cause them to be invisible on security camera footage. (c.f. Ghost In The Shell) Let the fun begin.

  • (disco) in reply to David_C
    David_C:
    Then people can start wearing clothes that will cause them to be invisible on security camera footage.

    Then people will make security cameras exempt from the “must not record” rules.

    Then people will use security cameras to record copyrighted content.

    :popcorn:

  • (disco) in reply to dkf
    dkf:
    David_C:
    Then people can start wearing clothes that will cause them to be invisible on security camera footage.

    Then ~~people~~ NSA will make security cameras exempt from the “must not record” rules.

    Then people will use security cameras to record copyrighted content.

    :popcorn:

    Actually, they'll require a backdoor in the watermark. Wouldn't want the hackers to have to work too hard.

  • (disco)

    Am I the only one so immature that I saw Remy's "feelings on this" down the bottom as a pair of bewbs? I would want to feel some of those too, if I had to work with that.

Leave a comment on “JavaScript Obfuscation”
