Stretch-to-fit Textareas - Now A Firefox Extension

Since it’s been turning out to be really quite useful, here’s a Firefox extension version of the Stretch-to-fit Textareas Greasemonkey user-script I wrote a few weeks back. In other words, Greasemonkey not required!


Searching GMail with a Firefox Smart Keyword

Here’s a Firefox Smart Keyword to search your GMail:

https://mail.google.com/mail/?search=query&view=tl&q=%s

Usage example, assuming you use ‘mail’ as the keyword: (CTRL-L) mail whatever


‘Bugzilla See Earlier Comments’ User Script

Here’s a new Greasemonkey user script which fixes a minor annoyance in the Bugzilla user interface. When viewing the ‘Create a New Attachment’ page, this will transclude the previous comments onto the bottom of that page, for reference while editing: bz_see_earlier_comments.user.js

Thanks to Jesse Ruderman for the nifty AJAXish iframe-transclusion trick it uses.


TaintBochs, and oil

Security: A very interesting security paper — Understanding Data Lifetime via Whole System Simulation. It combines virtual machines with data-flow tracking (a la perl’s ‘taint’ mechanism, after which this site is named ;)

By modifying the Bochs VM to support tracking ‘tainted’ data, they found several cases in popular apps (Mozilla, emacs, and MSIE) where passwords entered from the keyboard are retained in memory, and thereby wind up on disk due to swapping.

This has been a known issue for a long time — see the source for passwd.c from the ‘shadow’ package — but aside from security-naive developers, several other factors have made it more complex recently:

  • recent too-smart compilers will optimise away memset() buffer-zeroing unless you’re careful (oops!)
  • Input buffers and event queues are a problem; password data from the keyboard will often persist in the kernel, window system, and application event queue buffers.
  • Abstractions cause many needless copies of tainted strings. Mozilla’s abstraction layers even include a string-copy to the heap to perform a string comparison operation, ouch ;)

In general, they suggest more use of buffer zeroing, even for low-level buffers that might not seem to require it (such as the X server’s event queue, and the kernel input buffers).
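
The memset() problem from the list above, next to one way of keeping the zeroing in place. This is an added example, not code from the paper or from passwd.c; the function names and the constructed secret are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed secret, for illustration only. */
static const char EXPECTED[] = "constructed-secret";

/* Weak form: pw is never read after the memset(), so the call is a dead
 * store and an optimising compiler may delete it, leaving the password
 * bytes on the stack. */
int check_password_weak(const char *input)
{
    char pw[64];
    int ok;

    strncpy(pw, input, sizeof pw - 1);
    pw[sizeof pw - 1] = '\0';
    ok = (strcmp(pw, EXPECTED) == 0);
    memset(pw, 0, sizeof pw);          /* may be optimised away */
    return ok;
}

/* Hardened form: stores made through a volatile-qualified pointer are
 * treated as observable, so the compiler emits every one of them.
 * Where available, explicit_bzero() (glibc, BSDs), memset_s() (C11
 * Annex K) or SecureZeroMemory() (Windows) do the same job. */
void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;

    while (len--)
        *p++ = 0;
}

int check_password_hardened(const char *input)
{
    char pw[64];
    int ok;

    strncpy(pw, input, sizeof pw - 1);
    pw[sizeof pw - 1] = '\0';
    ok = (strcmp(pw, EXPECTED) == 0);
    secure_zero(pw, sizeof pw);        /* survives optimisation */
    return ok;
}
```

This only clears the application's own copy; the kernel, window-system and event-queue copies listed above need the same treatment in their own code.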

BTW, a similar system they didn’t mention is the Sidewinder firewall appliance, which uses what they call ‘Type Enforcement’ – effectively, tainting the data based on which network interface it arrived on.

Overall, a very nifty paper. I wonder if Tal Garfinkel is related to Simson? ;)

Oil: a MeFi gem: expert opinion on depletion of the oil reserves. ‘Simmons, Campbell, even the Iranian Bakhtiari agreed that the real situation of Saudi reserves is very bad. … Not a rosy picture, even for optimists.’

Patents: Transcript of the rms talk from a couple of weeks ago.


Firebird now Firefox

Web: Donncha notes that Mozilla Firebird has been renamed ‘Firefox’. Retro cruddy 80’s Cold War movie reference? check!

I like it. In fact, I’m looking forward to Linux kernel 2.6.2 ‘Red Dawn’.

BTW, my current favourite Firebird^H^H^H^Hfox extension: Session Saver. Load and save the current list of open tabs, and have them automatically saved when you quit the browser. Given that I often have a few tabs on stuff I’m researching, leaving them until I’m a bit less busy (which can take days!), this fits perfectly with my modus operandi.

Funny: This is GREAT!

And if that’s too much product placement for you, there’s Students for an Orwellian Society: ‘Because 2004 is 20 years too late.’


IBM attempting to patent the ‘wallet’

Patents: New Scientist reports that IBM have applied for a patent on “an electronic password ‘wallet’ that securely stores all your passwords, with overall access via a single password. The wallet pops up on screen whenever you are asked for a password. You enter the master password and the wallet then answers the online request by pasting in the appropriate password for that site.”

This should be familiar to anyone who’s used Mozilla’s Form Manager feature, which fits the patent claims perfectly. That page notes that the Mozilla feature was created in 1999, just under 3 years before the patent application. Let’s hope the USPTO remember to do a Google search this time!


Top Firebird tip

Mozilla Firebird has this feature that obviously seemed like a good idea, but unfortunately isn’t really — automatic image resizing.

Well, while surfing about looking at the next-gen Bluecurve screenshots, I came across a screenshot with a link to linuxart.com, which had a top tip:

  • type ‘about:config’
  • scroll down to browser.automatic_image_resize, double click, change to ‘false’

Hey presto!


open proxy referrer spam again

Googlebot using open proxies? Somehow, I doubt it. An interesting snippet from the access logs again. (Some details rewritten to avoid boosting PageRank.)

220.73.165.14 - - [25/Jul/2003:04:42:14 +0100] "GET /someurl/foo HTTP/1.0" 2147483647 0 "http://www dot gay-sex-men dot net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
220.73.165.14 - - [25/Jul/2003:09:04:17 +0100] "GET /someurl/foo HTTP/1.0" 2147483647 0 "http://www dot gay-sex-men dot net/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
220.73.165.14 - - [25/Jul/2003:09:15:28 +0100] "GET /someurl/foo HTTP/1.0" 2147483647 0 "http://www dot baitbus dot ws/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
220.73.165.14 - - [25/Jul/2003:09:18:11 +0100] "GET /robots.txt HTTP/1.0" 200 130 "-" "GoogleBot"
220.73.165.14 - - [25/Jul/2003:09:27:57 +0100] "GET /someurl/foo HTTP/1.0" 2147483647 0 "http://www dot blowjobs-cumshots dot net/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
220.73.165.14 - - [25/Jul/2003:13:18:04 +0100] "GET /someurl/foo HTTP/1.0" 2147483647 0 "http://www dot hot-legs dot info/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"


Referrer Spam Gets Smarter

So, it seems the referrer-log spamming is getting worse. The earlier attempts all used a limited set of IPs; probably the real source machines.

However, the latest crop are now relaying through open proxies. Out of a sample size of 10 random IPs, every one was a proxy listed in the OPM blacklist.

The URLs being spamvertised are all pr0n; lots of .ws and .biz hits with pretty colourful names. Take a look here, under any of the top 5 hits. They’re outnumbering the legit hits by about 20 to 1.

BTW, it’s now pretty clear the practice of referrer-spamming is intended to gain Googlejuice; plenty of other sites have noticed it too. It’s worth noting that in my case, it won’t work — my log pages are all off-limits to the Googlebot for quite a while, but the referrer spammers haven’t figured this out yet…

Some notes:

  • the spamvertized URLs include perlcoders.com, openproxies.com, cgifactory.net, so steer clear of those sites.
  • the User-Agents are randomised, similar to spamware’s randomised X-Mailer headers. Some samples include:
    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MSN 6.1; MSNbMSFT; MSNmen-ca; MSNc00; v5m)
    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SC/5.10/1.14/Telenor; .NET CLR 1.1.4322)
    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    • Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Wanadoo 5.6)

    My guess is they just took a large list of legit user agents, and used that.

  • I’ve now left them a few little surprises ;)
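
One way to spot randomised User-Agents in an access log is to count the distinct agent strings each client IP presents, the pattern visible in the single-IP excerpt in the open-proxy post above. This is an added example, not the author's tooling; the sample lines, addresses, table sizes and function names are constructed.

```c
#include <stdio.h>
#include <string.h>
#define MAX_IPS 16  /* small fixed tables: enough for the sample below */
#define MAX_UAS 4   /* distinct agents remembered per IP (count saturates here) */
struct client { char ip[64]; char ua[MAX_UAS][128]; int n_ua; };

/* Constructed sample, Apache combined log format, documentation addresses. */
static const char *const SAMPLE[] = {
    "203.0.113.7 - - [25/Jul/2003:04:42:14 +0100] \"GET /a HTTP/1.0\" 404 0 \"http://spam-one.example/\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\"",
    "203.0.113.7 - - [25/Jul/2003:09:04:17 +0100] \"GET /a HTTP/1.0\" 404 0 \"http://spam-two.example/\" \"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)\"",
    "203.0.113.7 - - [25/Jul/2003:09:18:11 +0100] \"GET /robots.txt HTTP/1.0\" 200 130 \"-\" \"GoogleBot\"",
    "198.51.100.9 - - [25/Jul/2003:10:00:00 +0100] \"GET /a HTTP/1.0\" 200 512 \"-\" \"Mozilla/5.0 (X11; Linux i686)\"",
    "198.51.100.9 - - [25/Jul/2003:10:00:05 +0100] \"GET /b HTTP/1.0\" 200 900 \"http://blog.example/\" \"Mozilla/5.0 (X11; Linux i686)\"",
    "truncated line",
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Pull the client IP and User-Agent out of one line; returns 0 if malformed. */
static int parse_line(const char *line, char *ip, char *ua)
{
    return sscanf(line, "%63s %*s %*s [%*[^]]] \"%*[^\"]\" %*s %*s \"%*[^\"]\" \"%127[^\"]", ip, ua) == 2;
}

/* Number of client IPs that sent at least min_ua distinct User-Agents. */
int count_ua_rotators(const char *const *lines, size_t n, int min_ua)
{
    struct client tab[MAX_IPS];
    char ip[64], ua[128];
    int n_ip = 0, flagged = 0, j;
    for (size_t i = 0; i < n; i++) {
        struct client *c = NULL;
        int seen = 0;
        if (!parse_line(lines[i], ip, ua)) continue;  /* skip unparseable lines */
        for (j = 0; j < n_ip; j++)
            if (strcmp(tab[j].ip, ip) == 0) c = &tab[j];
        if (!c) {
            if (n_ip == MAX_IPS) continue;            /* table full */
            c = &tab[n_ip++];
            strcpy(c->ip, ip); c->n_ua = 0;
        }
        for (j = 0; j < c->n_ua; j++)
            if (strcmp(c->ua[j], ua) == 0) seen = 1;
        if (!seen && c->n_ua < MAX_UAS)
            strcpy(c->ua[c->n_ua++], ua);
    }
    for (j = 0; j < n_ip; j++)
        if (tab[j].n_ua >= min_ua) flagged++;
    return flagged;
}
```

With the constructed sample, only 203.0.113.7 is flagged at a threshold of two: it presents two browser strings and a self-declared GoogleBot from one address.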


XULChannels.com

This is very cool. It’s a fully browser-based RSS aggregator, no installation required; it just runs in your Mozilla or Firebird browser window. Nifty.

Found via a referrer link on Jeremy’s blog — there are no secrets where public referrer data is involved ;)


weird referrers

308 referrer hits from www.xxxstoryarchive.com, 282 from amateur-porn.us, 282 from nude-lesbians.us, etc. Somehow I doubt it. All the hits are 404s, looking for e.g.

nn.nn.nn.nn - - [12/Jan/2003:18:52:13 +0000] GET /pics54754-96 HTTP/1.1 404 284 http://www.celebrity-nude-pics.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

Hits from hosts at AT&T WorldNet Services and an SBC PPPoX pool. They’re all MSIE 6 on Windows, and it’s been going on for a month or so.

Theory: sounds like MSIE’s download-to-‘view’-offline functionality has bugs; when it hits a 404, maybe it requeues that request but then sends it to entirely the wrong IP.

Alternative theory: it’s a pathetically underpowered DDoS. ouch!

Anyone else seen this?


Blizzard’s blog

Mozilla fans (and people who want to see how anti-aliasing is doing getting into Mozilla HEAD) may find Chris Blizzard’s blog worth tracking.
