Category Archives: Internet

Comment spammers try to get clever

On my personal blog, on a post about the Melbourne public transport smartcard Myki, this comment popped into the moderation queue:

I found another very uefsul behaviour this morning.I don’t touch off when I get home at night. While, this seems weird how do they know I got off in Zone 1 (for which I have a pass) and didn’t travel into Zone 2 (for which I should be charged Money)? But, the fare manual says that if you have a MyKi Pass and you touch on in a zone for which that pass is valid (Parliament in my case) then there is no default fair.So, every morning when I touch on, it tells me deducting fare for previous trip . Which is $0.00. Cool.This morning I forgot to touch on some power issues on our line, got to chatting with the Station Hosts, just forgot. When I got to Parliament, I fully expected the gates to deny me egress and I’d have to do the silly thing where you act exasperated and they just wave you through the end gate even though you’re holding nothing but a wallet in your hand (MyKi works while in the wallet).BUT, it let me through. Seems that it’s happy enough that I started a trip (at Parliament) last night, spent 16 hours travelling and ended my trip back where I started. So it let me out basically a touch off of the trip home last night.Bizarre. But uefsul.

At first glance, it looked on-topic. But I was suspicious because the user link was to facebook.com/profile.php?id=XYZ (I’ve removed the ID) — and it came in the middle of a bunch of other (less-relevant) comments linking to similar URLs.

Googling around for key words in the comment, I found that it’s a copy of a comment from a completely different blog, with various misspellings inserted, and paragraph breaks removed. The original:

I found another very useful behaviour this morning.

I don’t touch off when I get home at night. While, this seems weird – how do they know I got off in Zone 1 (for which I have a pass) and didn’t travel into Zone 2 (for which I should be charged Money)? But, the fare manual says that if you have a MyKi Pass and you touch on in a zone for which that pass is valid (Parliament in my case) then there is no default fair.

So, every morning when I touch on, it tells me “deducting fare for previous trip”. Which is $0.00. Cool.

This morning I forgot to touch on – some power issues on our line, got to chatting with the Station Hosts, just forgot. When I got to Parliament, I fully expected the gates to deny me egress and I’d have to do the silly thing where you act exasperated and they just wave you through the end gate even though you’re holding nothing but a wallet in your hand (MyKi works while in the wallet).

BUT, it let me through. Seems that it’s happy enough that I started a trip (at Parliament) last night, spent 16 hours travelling and ended my trip back where I started. So it let me out – basically a touch off of the trip home last night.

Bizarre. But useful.

It seems the spammers are trying to get a bit more clever at sneaking their comment posts past moderators.

I still don’t know why, given WordPress has used NoFollow on their comment links for about ten years now.

Stay paranoid, stay safe

Interesting read: How to Protect Yourself from NSA Attacks on 1024-bit DH

TL;DR: 1024 bit DH keys can be broken, so you should configure your browser not to support them in SSL/TLS.

(via Andrew)

Spam from Cotap

Subject line: “You’ve been added as a contact on Cotap”

Email text: “Cotap is a secure texting app for teams. View the [company name] directory. [link]

“Are you using WhatsApp, GroupMe, or iMessage to text your coworkers? See why Cotap is better for work.”

Yeah, no, this is spam, and it sounds like quite a few people are getting them.

Cotap was formed by former Yammer people… there’s speculation that when they left Yammer, they took a copy of the Yammer email list with them.

Beware of the @CoTap spam emails. Nobody invited you. Pretty shameful way to get people to use a product… #emailspam #spam

— Andrew Hammond (@andrhamm) April 10, 2015

@andrhamm Do you use Yammer as well? I wonder if there's a connection between using Yammer and getting spam from the ex-Yammer @cotap guys.

— Klaus Silberbauer (@silberbauer) April 15, 2015

…

@andrhamm Very interesting. The email-address used by Cotap was the one I used for Yammer. And its not registered anywhere else.

— Klaus Silberbauer (@silberbauer) April 15, 2015

In any case, don’t fall for their trap. Don’t do business with spammers.

In fact, why on earth would you trust your business messaging to spammers?

Unhelpful web help

Just… just… wrong. So wrong.

Firstly, note the error message “Enter a valid email addresss”. Where, pray tell, ought I do this? Why do I need to upload any attachment again? Why do I have to prove I’m a human time-after-time, when all I’m doing is wrestling with your completely broken attempt at a web form?

Have they noticed that no-one is submitting help requests via this form, what with its refusal to accept said requests?

Dear Flickr: stop sucking balls.

Where did I take that photo?

I couldn’t find anyone extracting out the geolocation geotagging EXIF data from their photographs so they could pull it up on something like Google Maps. There are stand-alone programs with embedded maps, but the bits and bobs lying around on the average system ought to be enough to just generate a URL to a mapping website. The following bash script echoes the URL that geolocates your JPEG. Because my camera doesn’t emit it, I couldn’t be bothered dealing with the seconds part of a location, but I did detect that you don’t have a camera the same as mine. Drop a line if you’ve used this and fixed it.

#!/bin/bash
# emit a hyperlink to google maps for the location of a photograph
declare Seconds=""
Seconds=`exif -m --ifd=GPS --tag=0x02 $1 | grep -oP "[\d|\d\.]+$"`
if (( $Seconds=='0' ))
then
  Seconds=`exif -m --ifd=GPS --tag=0x04 $1 | grep -oP "[\d|\d\.]+$"`
fi
if (( $Seconds!='0' ))
then
  echo
  echo "Script does not support seconds being specified"
  exit
fi
echo -n "https://maps.google.com.au/?q="
declare NorthSouth=`exif -m --ifd=GPS --tag=0x01 $1`
if [ "$NorthSouth" == "S" ] 
then
  echo -n "-"
fi
echo -n `exif -m --ifd=GPS --tag=0x02 $1 | grep -oP "^[\d|\d\.]+"`
echo -n "%20"
echo -n `exif -m --ifd=GPS --tag=0x02 $1 | grep -oP "(?<= )[\d|\d\.]+,"`
declare EastWest=`exif -m --ifd=GPS --tag=0x03 $1`
if [ "$EastWest" == "W" ]
then
  echo -n "-"
fi
echo -n `exif -m --ifd=GPS --tag=0x04 $1 | grep -oP "^[\d|\d\.]+"`
echo -n "%20"
echo -n `exif -m --ifd=GPS --tag=0x04 $1 | grep -oP "(?<= )[\d|\d\.]+(?=,)"`
echo

Gmail: wrong messages ended up in deleted/spam folders

Anybody else get this warning?

This article has some more detail — it appears to have only affected GMail mobile/iPad apps.

I’ve checked — nothing seems to have accidentally fallen into the Bin/Trash or Spam folders.

Just goes to show, even GMail/Google ain’t perfect.

Can’t copy address bar from Google Chrome

I’ve had periodic problems with Google Chrome on Windows (Version 32.0.1700.102 m, but this has also happened occasionally in the past); sometimes it will refuse to copy the address bar.

Instead of copying, it will clear the clipboard.

Copying from other places, such as a web page (content or using Right-click / Copy Link Address) works fine.

Not sure if it’s an environmental issue — only seems to happen on my work machine; I haven’t seen the same at home.

Very odd.

Blogging it here because I can’t see any mentions of it online (which might be because it’s just me). Will post back if I find the solution.

Again I seem to be having trouble copying web addresses from @GoogleChrome's address bar. Version 32.0.1700.102 m. Anyone else? #geek

— Daniel Bowen (@danielbowen) January 30, 2014

Update 2014-01-31: I uninstalled and reinstalled Chrome… it seems to work again, for now.

Update 2014-02-05: The problem seems to have come back. Very odd.

Update 2014-02-20: Some old posts on a related problem seemed to suggest it might be a Chrome Extension causing issues, so I removed all of mine. The problem seems to still be intermittently occurring.

Postscript: As per the comments, if you have Remote Desktop running, try shutting it down.

ANZ: The rodeo clowns of online security

For years now I’ve been… less than impressed with the ANZ bank’s concept of how a secure banking website should work. Finally they’ve taken steps to harden their site. They’ve introduced “secret questions”, like “who was your best friend in high school”, “what’s your partner’s nickname” and “what’s your nickname for your youngest child”. At last, my money is now safe from thieves who will never guess that my my partner’s nickname is Cathy, my best friend in High School was Robert, and my youngest’s nickname is Marky. Oh, darn! I accidentally disclosed the answers to those secret questions! It’s as if that information would be widely available to any thief who took the time to look me up on Facebook (don’t bother, I’m not on Facebook).

Because in providing answers to these questions the security on my account was going up, not down, I couldn’t possibly be allowed to opt-out, with dire warnings about being liable for losses if someone found out the answers. To these most basic of questions.

Most other banks have implemented two-factor authentication. Even G-mail has two-factor authentication. But not the ANZ, they’ve stepped things up a notch. They’ve eschewed two-factor, and gone for “You’ll never guess the name of my pet, which I post on Facebook all day long”.

So I took my standard defensive action: attack surface reduction and target-value minimisation. To reduce the attack surface, for each answer I mashed the keyboard – so thieves, remember my first Primary School was in the suburb of pwofkmvosffslkdflsifcmmsmclsefscdsfpsdfpefsdflsd, or something. To minimise the value of the target, I swept all the funds out of the account. What’s wrong the the technique of establishing identity by the production and examination of 100 points of identifying documents? Why do I need to have a favourite colour?

Cathy worked for the ANZ until recently, and the day she received her final paypacket she shut the account. Hated their account with a passion, but the ANZ is incapable of paying their employees through anything other than an ANZ account. Because, you know, banking is hard.

Allow more JavaScript, maintain privacy

I’ve long regarded JavaScript in the browser to be one of the biggest security holes in web-browsing, and at the same time the Internet works less and less well without it. In 2008 Joel Spolsky made the observation that for some people the Internet is just broken:

Spolsky:   Does anybody really turn off JavaScript nowadays, and like successfully surf the Internets?

Atwood:   Yeah, I was going through my blog…

Spolsky:   It seems like half of all sites would be broken.

Which is not wrong. Things have changed in the last five years, and now the Internet is even more broken if you’re not willing to do whatever random things the site you’re looking at tells you to, and whatever other random sites that site links off to tell you to, plus whatever their JavaScript in turn tells you to. This bugs me because it marginalizes the vulnerable (the visually impaired, specifically), and is also a gaping security hole. And the performance drain!

Normally I rock with JavaScript disabling tools and part of my tin-foil-hat approach to the Internet, but I’m now seeing that the Internet is increasingly dependent on fat clients. I’ve seen blogging sites that come up empty, because they can’t lay out their content without client-side scripting and refuse to fall back gracefully.

So, I need finer granularity of control. Part one is RequestPolicy for FireFox, similar to which (but not as fine-grained) is Cross-Domain Request Filter for Chrome.

The extensive tracking performed by Google, Facebook, Twitter et al gives me the willys. These particular organisations can be blocked by ShareMeNot, but the galling thing is that the ShareMeNot download page demands JavaScript to display a screenshot and a clickable graphical button – which could easily been implemented as an image with a href. What the hell is wrong with kids these days?

Anyway, here’s the base configuration for my browsers these days:

FireFox	Chrome	Reason
HTTPSEverywhere	HTTPSEverywhere	Avoid inadvertent privacy leakage
Self Destructing Cookies	“Third party cookies and site data” is blocked via the browser’s Settings, manual approval of individual third party cookies.	Avoid tracking; StackOverflow (for example) completely breaks without cookies
RequestPolicy	Cross-Domain Request Filter for Chrome	Browser security and performance, avoid tracking
NoScript	NotScripts	Browser security and performance, avoid tracking
AdBlock Edge	Adblock Plus	Ad blocking
DoNotTrackMe	DoNotTrackMe	Avoid tracking – use social media when you want, not all the time
Firegloves (no longer available), could replace with Blender or Blend In		I’ve have had layout issues when using Firegloves and couldn’t turn it off site-by-site

Tell us what you think!

Tell us what you think! DoNotReply@example.com

It doesn’t really work like that.

A week to go for Google Reader – and… why is Feedly taking liberties with Chrome?

G Reader shuts down in a week.

I’ve been trying Feedly, but and have been trying to love it, but it’s annoying in a couple of significant ways.

Firstly, after clicking on a feed, I want to use the cursor down or Page Down key to move through the items in that feed. Unlike G Reader, Feedly doesn’t put the focus in the right place. Drives me up the wall.

Secondly, it’s embedding itself in multiple places in Chrome. First it put an icon of itself in the bottom-right of every browser tab (which even shows up in print outs, would you believe?)… and just in the last few days it’s started creating its own tab, which doesn’t even have a close icon on it. Is this conceited or what?

Frankly this does not bode well for my future with Feedly, if they’re going to take liberties like this.

Perhaps it’s time to look at alternatives — even if they don’t have accompanying smartphone/iPad apps.

Anybody tried The Old Reader?

Any other good ones which are as close to Google Reader as possible?