Oh wow, code injection is fun. Especially in the Encyclopedia Britannica!

Look at this for a hyperlink URL: [link].

If you just look at the first part, you see http://www.britannica.com/. Great, fine, dandy, everybody feels safe following a link to the Encyclopedia Britannica site.

Uh-uh. Nope. It’s actually abusing the Britannica search page to inject JavaScript code into the search results page. The moment you land on the Britannica site, you’ll be whooshed off to some dodgy pharmaceuticals vendor!

I hadn’t seen this kind of shenanigans before. It reminds me of a few years ago, when two out of every three sites running SQL databases would succumb to ‘SQL injection’ attacks. Those were cooler, because they injected code into the server and could earn the attacker money, while the present method just annoys people.

But then think about a website like Lifehacker. When you post links in the comments section on one of their articles, the link is abbreviated to just the website name. So, the link above would be shortened to www.britannica.com. Most folks wouldn’t know they were visiting some dodgy third party site until it was already happening!

EDIT: This blog has ‘Snapshots’ enabled, so when you hover your mouse over a hyperlink, it gives an image preview of the site you will visit next. When you mouseover the magic link above, Snapshots still shows you Encyclopedia Britannica. Yet when a human actually clicks on it…

Compare this behaviour to what happens when you search on Wikipedia: [link]. Wikipedia just turns around and says, “ask a silly question, get a silly answer”. No redirection for you.

It just goes to show that the Encyclopedia Britannica is poor by comparison to Wikipedia.
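The mechanism above is a search page echoing its query back into the results HTML without escaping it. The following is an added example (not code from the original post, and not Britannica's or Wikipedia's code) that contrasts the two behaviours described: the "unsafe" renderer reproduces the injection, the "safe" one behaves like Wikipedia and shows the term as plain text. The URL, the `query` parameter name and the probe string are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the kind of link the post describes: the host looks
# harmless, and the markup rides in the query string (hypothetical parameter
# name "query"; the real site's parameter is not given on the page).
SAMPLE_URL = "http://www.example.com/search?query=%3Cscript%3Ealert(1)%3C/script%3E"


def search_term(url: str) -> str:
    """Pull the search term out of the URL's query string (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]


def display_label(url: str) -> str:
    """What a comment system that abbreviates links to the site name shows:
    only the hostname survives, so the query string is invisible to readers."""
    return urlsplit(url).hostname or ""


def render_results_unsafe(term: str) -> str:
    """Reflects the term into the page as raw HTML.
    The browser parses any tags in it as part of the page (the Britannica case)."""
    return f"<h1>Results for {term}</h1>"


def render_results_safe(term: str) -> str:
    """Escapes <, >, &, and quotes so the term is rendered as literal text
    and never interpreted as markup (the Wikipedia case)."""
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


def reflects_markup(render, term: str) -> bool:
    """Check: does a renderer leave the term's raw '<script' in the output?"""
    return "<script" in render(term).lower()


if __name__ == "__main__":
    term = search_term(SAMPLE_URL)
    print("label readers see:", display_label(SAMPLE_URL))
    print("unsafe reflects markup:", reflects_markup(render_results_unsafe, term))
    print("safe reflects markup:  ", reflects_markup(render_results_safe, term))
```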

I tried out Net-SNMP today. It’s a great set of command-line utilities for monitoring your SNMP devices.

In my case, I used it to monitor bandwidth usage on my Linksys AG241 broadband modem. If you like the command-line, as I do, then you’ll enjoy the no-nonsense, functional approach of Net-SNMP’s tools.

Plus there’s a handy wiki full of tutorials, how-tos and other information to get you up and running!

Start with snmpwalk, which lets you query a device for all the information it can give you. You can use that to find the names and numbers of network interfaces, for example.

Once you have the object identifiers (“OID” in SNMP-speak) for the data you want, use snmpget whenever you’d like to grab that info. Use snmpwalk and snmpget with grep, awk and perl to periodically poll the data you need, and:

  • record it in a database,
  • create a graph,
  • alert you when bad things happen (e.g. too much downloading in one day), or
  • anything else you could possibly want!

SNMP is great, and Net-SNMP is a great implementation.
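As an added example (not from the original post and not part of Net-SNMP), here is the "poll snmpget, compute usage, alert" loop from the list above, written in Python instead of grep/awk/perl. It parses the text that `snmpget -v 2c -c public <modem> IF-MIB::ifInOctets.2 IF-MIB::ifOutOctets.2` prints, and handles the one edge case that bites home-made bandwidth scripts: `Counter32` values wrap at 2^32. The two poll outputs, the interface index 2 and the 60-second interval are constructed sample data.

```python
import re

# Constructed samples of Net-SNMP snmpget output for two polls 60 s apart.
# IF-MIB::ifInOctets / ifOutOctets are the standard byte counters; the
# values are made up, and the first one is deliberately close to 2^32.
POLL_T0 = """IF-MIB::ifInOctets.2 = Counter32: 4294900000
IF-MIB::ifOutOctets.2 = Counter32: 12345"""
POLL_T1 = """IF-MIB::ifInOctets.2 = Counter32: 150000
IF-MIB::ifOutOctets.2 = Counter32: 22345"""

COUNTER32_MODULUS = 2 ** 32
LINE_RE = re.compile(r"^(\S+) = Counter32: (\d+)$")


def parse_counters(output: str) -> dict:
    """Map 'IF-MIB::ifInOctets.2' -> 4294900000 from snmpget's text output."""
    counters = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_delta(old: int, new: int) -> int:
    """Bytes moved between two readings. A Counter32 that rolled over looks
    'smaller', so take the difference modulo 2^32 instead of going negative."""
    return (new - old) % COUNTER32_MODULUS


def bytes_transferred(out_t0: str, out_t1: str) -> dict:
    """Per-OID byte deltas between two polls (OIDs present in both only)."""
    c0, c1 = parse_counters(out_t0), parse_counters(out_t1)
    return {oid: counter_delta(c0[oid], c1[oid]) for oid in c0 if oid in c1}


def rate_kbps(delta_bytes: int, seconds: float) -> float:
    """Average line rate in kilobits per second over the polling interval."""
    return delta_bytes * 8 / seconds / 1000


def over_quota(daily_deltas: list, quota_bytes: int) -> bool:
    """The 'too much downloading in one day' alert: sum of a day's deltas."""
    return sum(daily_deltas) > quota_bytes


if __name__ == "__main__":
    deltas = bytes_transferred(POLL_T0, POLL_T1)
    for oid, n in deltas.items():
        print(f"{oid}: {n} bytes, {rate_kbps(n, 60):.1f} kbit/s")
    print("over 100 KB quota:", over_quota(list(deltas.values()), 100_000))
```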

Tantalizing fact: -ize is the actual English way to spell!

Thunderbird connected to my Yahoo email account and, rather than just giving me the new messages, proceeded to download ALL 14591 OF THEM!

The problem is somewhere in Yahoo’s server. Again and again, I am faced with tens of thousands of “new” emails from 2002. It’s really irritating!

The solution, while really only a Band-aid, was to put all the old messages in a new “folder” on the Yahoo mail website. As a result, Yahoo won’t offer those messages for download through the POP3 facility. Yay!

Problem solved!

If you look at the Microsoft Windows XP Professional EULA (“End User Licence Agreement”), there’s a lot of text there. But how much is necessary?

I bought new hard drives, and installed Windows XP again. Ugh. They make it hard! I spent hours playing with nLite, trying to “slipstream” the right drivers for my mirrored disks (i.e. add the necessary files to the Windows CD and burn a new copy). Created two nice coasters. Well, they were fully functional Windows XP CDs, and they actually have my serial number embedded in them, which is not ideal I suppose, but most disappointingly they don’t have the drivers I needed.

Eventually, it worked. Getting the rest of my system set up now.

Some software makes it easy!

Maybe Blackle isn’t total garbage. According to Dan’s Data, there is as much as 10 watts of difference in power usage between an LCD screen showing all white and the same screen showing all black! However, you can save another 40 watts by turning down your brightness setting.

Now that’s an LCD screen. Think about how many more watts a CRT sucks down, and imagine the difference between black and white for one of those chunky chaps.

So what does that tell us, from a practical perspective? It means you should turn down the brightness on your computer screen!

And if you feel like saving five cents a year on electricity, make Blackle your home page.

Oh Lifehacker, sometimes you totally shit me, other times you rock my socks. In this case, you hit something better than the middle.

It’s so important to stay in touch with clients! I know from experience at my company that letting clients go for months without any interaction leads to nothing. And you want something from your clients, not nothing!

Why are iPhones locked? Joshua Gans knows why they shouldn’t be.

So why are they locked? What’s the real story?

AT&T is really a branch of the US National Security Agency. Gay people are generally more trendy than straights, and thus more likely to use an iPhone. The government there wants all iPhone calls to go through its systems, so that it can monitor and oppress communications by minority groups. It’s all about the Republican agenda.

You just wait until the Latino Phone comes out. It, too, will be locked to a military industrial complex-controlled corporation. It’s all about the Republican agenda.


Let me show you a Firefox extension to upload files, simply by dragging files from your computer and dropping them into a file upload form.