Irish iPhone users — you may find this useful. I’ve written a web scraper which takes a couple of the more useful pages on Met Eireann’s website — the regional forecast and the rainfall radar page — and reformats them in an iPhone-optimised style. Enjoy:

• iPhone-Optimised Weather Forecast for Ulster
• iPhone-Optimised Weather Forecast for Munster
• iPhone-Optimised Weather Forecast for Leinster
• iPhone-Optimised Weather Forecast for Connacht
• iPhone-Optimised Weather Forecast for Dublin

(updated: supports all the provincial forecasts now)

Tags: iphone, ireland, scraping, weather, web

Regarding Google Wave’s similarity to Lotus Notes, which is a meme I’ve heard from several angles — David Jones hits the nail on the head:

Well, I used Notes from 1994 to 1999. It did have a database backend for e-mail and a rich collaborative editing model. But it didn’t have realtime shared editing, or instant annotation.

And it was shit. No-one in their right minds would have wanted the future of the web to have been Notes. Even though, and I completely agree, it did things that the web is now only just getting round to.

+1 to that!

Tags: collaboration, google, history, lotus, notes, wave, web

A good post from Joshua Schachter about URL shortening services.

For what it’s worth, I ran into the unwanted-interstitial risk. At one stage, before I’d bothered registering jmason.org, sitescooper.taint.org or my other domains, I used a URL-shortening service to provide a memorable, short URL for an open-source application I wrote — http://zap.to/snarfnews/.

At some point a few years down the line, the forwarding process started accreting ads; eventually they became soft-porn in content, and I was forced to apologise to users for the forwarding I could no longer control!

By now, 10 years down the line, it seems to hijack the page entirely, returning a page in Cyrillic I can’t even read :( (apparently it’s a page of Flash games; thanks, Alexandr Ciornii, for the interpretation!)

Anyway, lesson learned.

Tags: redirects, sitescooper, url-shortening, urls, web

IBM Zone Trusted Information Channel (ZTIC) — ‘a banking server’s display on your keychain’.

IBM has introduced the Zone Trusted Information Channel (ZTIC), a hardware device that can counter [malware attacks on online banking] in an easy-to-use way. The ZTIC is a USB-attached device containing a display and minimal I/O capabilities that runs the full TLS/SSL protocol, thus entirely bypassing the PC’s software for all security functionality.

The ZTIC achieves this by registering itself as a USB Mass Storage Device (thus requiring no driver installation) and starting a “pass-through” proxy configured to connect with pre-configured (banking) Websites. After starting the ZTIC proxy, the user opens a Web browser to establish a connection with the bank’s Website via the ZTIC. From that moment on, all data transmitted between browser and server pass through the ZTIC; the SSL session is protected by keys maintained only on the ZTIC and, hence, is inaccessible to malware on the PC [...].

In addition, all critical transaction information, such as target account numbers, is automatically detected in the data stream between browser and ZTIC. This critical information is then displayed on the ZTIC for explicit user confirmation: Only after pressing the “OK” button does the TLS/SSL connection continue. If any malware on the PC has inserted incorrect transaction data into the browser, it can be easily detected by the user at this moment.

This seems like quite a nice implementation, I think.

However, key management will be problematic. Each server’s public key will need to be stored on the ZTIC, and not be writable/modifiable by the possibly-infected PC, otherwise the “bad guys” could simply insert a cert for a malware proxy server on the PC and perform a man-in-the-middle attack on the TLS session. But for that to be viable, the SSL certs need to change very infrequently, or some new secure procedure to update the certs from a “safe” machine needs to be put in place. Tricky….

Tags: banking, fraud, ibm, security, ssl, tls, web, ztic

• Hitwise and Compete: the user data ISPs do sell : it’s true, the “clickstream” companies are getting away with almost the same shit that Phorm, NebuAd et al are being pilloried for. use HTTPS where you can
  (tags: clickstream privacy nebuad phorm hitwise compete http security web)

• Hochbahn U4 : explore the innards of a gigantic tunnel-boring machine in plan projection, using an astonishingly good Flash visualization. brilliant, in a very German-engineering way
  (tags: german engineering projection plan technical-drawing flash visualization tunnel boring machines cool ui)

• Dr. Nicholas and Mr. Hyde : the insane bacchanalia of Broadcom CEO Henry Nicholas, who built a massive hookers-and-coke-filled dungeon under his Laguna Hills mansion, and spiked his customers with Es. great article from Vanity Fair (via My Pepys)
  (tags: dungeons broadcom omgwtfbbq bizarre laguna-beach orange-county bros ecstasy dot-com)

Tags: bizarre, boring, broadcom, bros, clickstream, compete, cool, dot-com, dungeons, ecstasy, engineering, flash, german, hitwise, http, laguna-beach, machines, nebuad, omgwtfbbq, orange-county, phorm, plan, privacy, projection, security, technical-drawing, tunnel, ui, visualization, web

• Symantec buys MessageLabs : hope this works out well for Matt and the guys
  (tags: messagelabs anti-spam consolidation buyouts mergers symantec)

• There is NOTHING “overplayed” about privacy concerns : great rant opposing Symantec CEO’s wittering about how online privacy is a lost cause
  (tags: privacy online internet web symantec rants)

• S3rsync : ‘Full Rsync layer to Amazon S3 storage’. preserves file perms, symlinks, partial files. commercial, charged at 5 cents per hour of rsync time used
  (tags: rsync s3 amazon aws storage backup sync)

• why you shouldn’t believe companies when they play down data leaks : in 2006, T-Mobile lost data on 17m customers, but noted that they could find no evidence of misuse or compromise, so made no public announcement — until last weekend, when _Der Spiegel_ discovered this data for sale online. so much for keeping it quiet. another argument for compulsory breach disclosure
  (tags: der-spiegel t-mobile deutsche-telekom privacy security breaches breach-disclosure via:pogowasright germany leaks)

• macvim – Google Code : ‘a port of the text editor Vim to Mac OS X that is meant to look better and integrate more seamlessly with the Mac than the older Carbon port of Vim’ (thanks MinHee Hong!)
  (tags: vim macos mac editors porting tools applications)

Tags: amazon, anti-spam, applications, aws, backup, breach-disclosure, breaches, buyouts, consolidation, der-spiegel, deutsche-telekom, editors, germany, internet, leaks, mac, macos, mergers, messagelabs, online, porting, privacy, rants, rsync, s3, security, storage, symantec, sync, t-mobile, tools, via:pogowasright, vim, web

• Dabble DB : looks like a web-based version of good old Filemaker
  (tags: dabble-db databases web db spreadsheets analytics groupware)

• retrocomputing hackers reminisce about the 1541 diskette drive : skip to the comment thread, it’s fantastic. I used to know lots of this stuff (via Donncha)
  (tags: via:donncha commodore-64 hacks 1541 disks copy-protection drm hardware hacking history retro c64)

• MPLC racketeering Irish playschools : the ‘Motion Picture Licensing Company’ sent a letter to 2,500 Irish playschools, demanding a fee of EUR3 per child to cover license fees for the kids watching DVDs. However, it seems they themselves hadn’t registered as required by law, so were acting illegally in issuing demands… oh the irony
  (tags: mplc racketeering law ireland dvds movies mpaa licensing copyright legal children kindergarten playschools)

• Komplett’s new Dublin pick-up point is open : routing around the Irish couriers and An Post’s brokenness by allowing customers to pick up their items directly. a shame this is necessary
  (tags: an-post delivery couriers dublin ireland komplett components pc hardware)

Tags: 1541, an-post, analytics, c64, children, commodore-64, components, copy-protection, copyright, couriers, dabble-db, databases, db, delivery, disks, drm, dublin, dvds, groupware, hacking, hacks, hardware, history, ireland, kindergarten, komplett, law, legal, licensing, movies, mpaa, mplc, pc, playschools, racketeering, retro, spreadsheets, via:donncha, web

• Tech Bubble 1.0 Stars: Where Are They Now? : wow, who the hell are these people? totally forgotten
  (tags: web1.0 interwebs via:nishad trivia history)

• YA Mac apps list : bookmarking for more crufting of the OSX laptop
  (tags: macos mac applications todo)

• Franklin Street Statement on Freedom and Network Services : a definition of a “Free Service”, an open-source form of SaaS. uses the Affero GPL
  (tags: saas cloud-computing software open-source gnu gpl affero web floss fsf freedom free-software)

• The Risk of ePassports and RFID – THC Blog : hacker group THC release an RFID-passport cloning/modification tool, noting that e-Passports are fundamentally insecure due to their trust of self-signed certificates. Also raises the Smart-IED attack danger: ‘A Smart-IED waits until a specific person passes by before detonating or let’s say until there are more than 10 americans in the room.’
  (tags: via:schneier security terrorism risks rfid e-passports certificates pki)

Tags: affero, applications, certificates, cloud-computing, e-passports, floss, free-software, freedom, fsf, gnu, gpl, history, interwebs, mac, macos, open-source, pki, rfid, risks, saas, security, software, terrorism, todo, trivia, via:nishad, via:schneier, web, web1.0

• Cisco home page FAIL : for 2 hours, all instances of the letter “t” in the cisco.com home page’s HTML were missing, resulting in a broken page and lots of “Abou Cisco” and “Regiser” links
  (tags: cisco fail funny inept web html regexps oops)

Tags: cisco, fail, funny, html, inept, oops, regexps, web

• A unique place for creating and preserving knowledge : swan song for Iona Technologies. as an ex-Ionian, all I can say is +1; great place to work in the ’90s
  (tags: iona dublin ireland software business 1990s)

• Deletionpedia : ‘an archive of about 63,556 pages which have been deleted from the English-language Wikipedia.’
  (tags: wp:vfd deletion wikipedia archives web)

• Michelle Malkin » The story behind the Palin e-mail hacking : Yahoo!’s password recovery feature is pretty trivial to defeat: ’seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)’
  (tags: yahoo passwords security web sarah-palin 4chan)

Tags: 1990s, 4chan, archives, business, deletion, dublin, iona, ireland, passwords, sarah-palin, security, software, web, wikipedia, wp:vfd, yahoo

Looks like I’ve been longlisted for Best Technology Site in the Irish Web Awards 2008, twice, both for taint.org and twit.ie. Cheers to whoever nominated me — I’m honoured!

Tags: irish-web-awards, iwa2008, meta, sites, twit.ie, web

• non-PC devices increasing browser share : .5 – 1.5% of visitors to Warner music sites are now coming from games consoles and smartphones. bad news for Flash sites (via Torrez)
  (tags: flash web browsers via:torrez warner-music os)

• full(4): always full device : ‘Writes to the /dev/full device will fail with an ENOSPC error. This can be used to test how a program handles disk-full errors.’ – that’s nifty. I can’t believe I’m still finding useful new UNIX features after 18 years
  (tags: devices unix linux testing disks errors edge-cases enospc manual-pages)

Tags: browsers, devices, disks, edge-cases, enospc, errors, flash, linux, manual-pages, os, testing, unix, via:torrez, warner-music, web

• The Evolution of Pre-Launch Gmail In Screenshots : fascinating! They really did a good job improving the UI, early revs were quite uninspiring
  (tags: gmail google history email web ui)

• SealSkinz : waterproof socks and gloves — come recommended by Dublin’s cycle-couriers to avoid wet feet in all this bloody rain. lots and lots of good testimonials
  (tags: dryness feet comfort clothing rain weather cycling outdoors socks gloves)

Tags: clothing, comfort, cycling, dryness, email, feet, gloves, gmail, google, history, outdoors, rain, socks, ui, weather, web

Malwebolence – The World of Web Trolling holy crap, those /b/tards are fucked up

Tags: /b/, 4chan, culture, griefers, nyt, trolls, web

ZSFA — I Want The Mutt Of Feed Readers Zed recommends Newsbeuter. must take a look

We Want A Dead Simple Web Tablet For $200. Help Us Build It. having worked on a project to do just this, believe me, this is doomed. DOOMED

Science Clouds ‘compute cycles in the cloud for scientific communities .. allows you to provision customized compute nodes .. that you have full control over using a leasing model based on the Amazon’s EC2 service.’ Wonder if they’d like to give SA some time ;)

Tags: appliances, apps, atom, cloud-computing, ec2, feeds, grids, hardware, linux, news, newsbeuter, oh-dear, open-source, rss, scaling, science, software, spamassassin, tablets, techcrunch, virtualization, web, zed-shaw

O2 Leaking Customer Photos (updated) the JBoss/Tomcat install leaks the “secret” URLs through it’s default status page. this is the 3rd helping of FAIL for O2’s web team; 2 previous occasions in the last year exposed customer data through “secret” URL manipulation

Avant Window Navigator “a ‘dock-like’ (cough) navigator bar for the Linux desktop” (via Danny, again!)

trickle ‘user-space bandwidth shaper’, ie. like nice(1) for network bandwidth (via Danny)

RFC 5218 – What Makes For a Successful Protocol? ‘Based on case studies, this document identifies some of the factors influencing success and failure of protocol designs.’ (via spicylinks)

Tags: bandwidth, collaboration, cool, dock, fail, gnome, http, jboss, kde, linux, mms, mod_jk, net, networking, nice, o2, protocols, rfcs, security, software, standards, tcp, tomcat, traffic-shaping, ui, urls, via:danny, via:spicylinks, web

Twitter has this nasty habit — if you come across a tweet in your feed reader containing a URL, and you want to follow that link, you can’t, because Twitter doesn’t auto-link URLs in its RSS feeds. Instead, you have to click on the feed item, itself, wait for that to open in the browser, then click on the link in the new browser tab. That link will, in turn, open in another new tab.

Here’s a quick-hack Greasemonkey user script to inhibit this second new-tab:

twitter_no_popups.user.js

Tags: greasemonkey, hacks, software, twitter, userscript, web

Joey Hess suggests that current discussions about the superfluity of DVCS systems have a parallel in how the internet protocol world, circa 1993, played out:

I’m reminded of 1993. Using the internet at that time involved using a mishmash of stuff — Telnet, FTP, Gopher, strange things called Archie and Veronica. Or maybe this CERN “web” thing that Tim Berners-Lee had just invented a few years before, but that mostly was useful to particle physicists.

Then in 1994 a few more people put up web sites, then more and more, and suddenly there was an inflection point. Suddenly we were all browsing the web and all that other stuff seemed much more specialised and marginalised.

I would disagree, a little. Back in the early ’90’s, I was a sysadmin playing around with internet- and intranet-facing TCP/IP services (although in those days, the term “intranet” hadn’t been coined yet), so I gained a fair bit of experience at the coal-face in this regard. The mish-mash of protocols – telnet, gopher, Archie, WAIS, FTP, NNTP, and so on — all had their own worlds and their own views of the ‘net. What changed this in 1993 was not so much the arrival of HTTP, but TimBL’s other creation: the URL.

The URL allowed all those balkanized protocols to be supported by one WWW client, and allowed a HTML document to “link” to any other protocol –

The WWW browsers can access many existing data systems via existing protocols (FTP, NNTP) or via HTTP and a gateway. In this way, the critical mass of data is quickly exceeded, and the increasing use of the system by readers and information suppliers encourage each other.

This was a great “embrace and extend” manoeuvre by TimBL, in my opinion — by embracing the existing base of TCP/IP protocols, the WWW client became the ideal user interface to all of them. Once NCSA Mosaic came along, there really was no alternative to rival the Web’s ease of use. This was the case even if you didn’t have a HTTP server of your own; you could still access HTML documents and remote URLs.

In essence, HTML and the URL were the trojan horse, paving the way for HTTP (as HTML’s native distribution protocol) to succeed. It wasn’t the web sites that helped the WWW “win”, but embrace-and-extend via the URL.

For what it’s worth, I think there is an interesting parallel in today’s DCVS world: git-svn.

Tags: dvcs, git, history, html, http, internet, protocols, web, www

Back in 2006, I wrote a script I called “goog-love.pl”; it used Google’s now-dead SOAP search API (thanks, Nelson!) to figure out which Google queries your web site was “winning” on. Unfortunately, Google shut down new signups for the SOAP interface later that year.

I was just looking through Google’s Webmaster Tools page for taint.org, when I came across the Statistics / Top search queries page:

This is exactly what goog-love.pl produced. hooray!

Tags: google, keywords, meta, search, searching, web

Latest Google curiosity… I hadn’t spotted this before: it appears Google is now including ‘Code Snippet’ results in the results for its normal search. For example, a search for XSLoader gives this result:

The results highlighted on the page are for a local variable in a Java module, rather than the much more common XSLoader perl module. I guess ‘Code Snippet’ search is case-sensitive.

Tags: google, search, web, xsloader

jwz has, incredibly, resurrected home.mcom.com, the WWW site of the Mosaic Communications Corporation, as it was circa Oct 1994.

Edmund Roche-Kelly was kind enough to get in touch and note this link – http://home.mcom.com/home/whatsnew/whats_new_0993.html:

September 3, 1993

IONA Technologies (whose product, Orbix, is the first full and complete implementation of the Object Management Group’s Common Object Request Broker Architecture, or CORBA) is now running a Web server.

An online pamphlet on the Church of the SubGenius is now available.

Guess who was responsible for those two ;)

I was, indeed, running the IONA web server — it was set up in June 1993, and ran Plexus, a HTTP server written in Perl. IONA’s server was somewhere around public web server number 70, world-wide.

The SubGenius pamphlet is still intact, btw, although at a more modern, “hyplan”-less URL these days. It’ll be 15 years old in 6 months… how time flies!

Tags: archaeology, history, mosaic, nutscrape, web, www

The New York Times yesterday had a great article about modern news consumption:

According to interviews and recent surveys, younger voters tend to be not just consumers of news and current events but conduits as well — sending out e-mailed links and videos to friends and their social networks. And in turn, they rely on friends and online connections for news to come to them. In essence, they are replacing the professional filter — reading The Washington Post, clicking on CNN.com — with a social one.

“There are lots of times where I’ll read an interesting story online and send the URL to 10 friends,” said Lauren Wolfe, 25, the president of College Democrats of America. “I’d rather read an e-mail from a friend with an attached story than search through a newspaper to find the story.”

[Jane Buckingham, the founder of the Intelligence Group, a market research company] recalled conducting a focus group where one of her subjects, a college student, said, “If the news is that important, it will find me.”

In other words, as Techdirt put it, this generation of news readers now focuses on sharing the news, rather than just consuming it — and if you want to share a news story, there’s no point passing on a subscription-only URL that your friends and contacts cannot read.

What newspapers need to do to remain relevant for this generation of news consumers is not to hide their content behind paywalls and registration-required screens. The Guardian got their heads around this a few years back, and have come along in leaps and bounds since then. I wonder if the Irish Times is listening?

Tags: grauniad, ireland, irish-times, news, newspapers, openness, registration, subscription, web

A couple of weeks ago, WebSense posted this article with details of a spammer’s attack on Google’s CAPTCHA puzzle, using web services running on two centralized servers:

[...] It is observed that two separate hosts active on same domain are contacted during the entire process. These two hosts work collaboratively during the CAPTCHA break process. [...]

Why [use 2 hosts]? Because of variations included in the Google CAPTCHA image, chances are that host 1 may fail breaking the code. Hence, the spammers have a backup or second CAPTCHA-learning host 2 that tries to learn and break the CAPTCHA code. However, it is possible that spammers also use these two hosts to check the efficiency and accuracy of both hosts involved in breaking one CAPTCHA code at a time, with the ultimate goal of having a successful CAPTCHA breaking process.

To be specific, host 1 has a similar concept that was used to attack Live mail CAPTCHA. This involved extracting an image from a victim’s machine in the form of a bitmap file, bearing BM.. file headers and breaking the code. Host 2 uses an entirely different concept wherein the CAPTCHA image is broken into segments and then sent as a portable image / graphic file bearing PV..X file headers as requests. [...]

While it doesn’t say as such, some have read the post to mean that Google’s CAPTCHA has been solved algorithmically. I’m pretty sure this isn’t the case. Here’s why.

Firstly, the FAQ text that appears on “host 1″ (thanks Alex for the improved translation!):

FAQ

If you cannot recognize the image or if it doesn’t load (a black or empty image gets displayed), just press Enter.

Whatever happens, do not enter random characters!!!

If there is a delay in loading images, exit from your account, refresh the page, and log in again.

The system was tested in the following browsers: Internet Explorer Mozilla Firefox

Before each payment, recognized images are checked by the admin. We pay only for correctly recognized images!!!

Payment is made once per 24 hours. The minimum payment amount is $3. To request payment, send your request to the admin by ICQ. If the admin is free, your request will be processed within 10-15 minutes, and if he is busy, it will be processed as soon as possible.

If you have any problems (questions), ICQ the admin.

That reads to me a lot like instructions to human “CAPTCHA farmers”, working as a distributed team via a web interface.

Secondly, take a look at the timestamps in this packet trace:

The interesting point is that there’s a 40-second gap between the invocation on “Captcha breaking host 1″ and the invocation on “Captcha breaking host 2″. There is then a short gap of 5 seconds before the invocations occur on the Gmail websites.

Here’s my theory: “host 1″ is a web service gateway, proxying for a farm of human CAPTCHA solvers. “host 2″, however, is an algorithm-driven server, with no humans involved. A human may take 40 seconds to solve a CAPTCHA, but pure code should be a lot speedier.

Interesting to note that they’re running both systems in parallel, on the same data. By doing this, the attackers can

1. collect training data for a machine-learning algorithm (this is implied by the ‘do not enter random characters!’ warning from the FAQ — they don’t want useless training data)

2. collect test cases for test-driven development of improvements to the algorithm

3. measure success/failure rates of their algorithms, “live”, as the attack progresses

Worth noting this, too:

Observation*: On average, only 1 in every 5 CAPTCHA breaking requests are successfully including both algorithms used by the bot, approximating a success rate of 20%. The second algorithm (segmentation) has very poor performance that sometimes totally fails and returns garbage or incorrect answers.

So their algorithm is unreliable, and hasn’t yet caught up with the human farmers. Good news for Google — and for the CAPTCHA farmers of Romania ;)

Update: here’s the NYTimes’ take, with broadly agreeing comments from Brad Taylor of Google. (The Register coverage is off-base, however.)

Tags: captchas, farming, gmail, google, security, web, websense

The “cool hack to solve a maze using Photoshop” post got, in turn, posted to reddit, Make.zine, then Digg, then Waxy’s links, fazed.net, then Boing Boing, then StumbleUpon. Pretty popular!

If you’re interested, here’s my referrer graphs. Basically, Digg wins, in terms of quantity at least if not quality, with a massive 40,000 visits — there’s a real long tail in hits there…

Tags: digg, dugg, graphs, hits, meta, referers, web

Here’s a new trick used by the web spammers — attachments on a Moin Moin wiki. The taint.org/wk RecentChanges list illustrates it well:

2007-05-07  set bookmark
[UPDATED]       UserPreferences         04:17   Info    ?StepStep [1-21]

  #01 Upload of attachment 'big-cocks.html'.
  #02 Upload of attachment 'big-cock.html'.
  #03 Upload of attachment 'big-boobs.html'.
  #04 Upload of attachment 'big-ass.html'.
  #05 Upload of attachment 'bdsm.html'.
  #06 Upload of attachment 'bbw.html'.
  #07 Upload of attachment 'bang-bros.html'.
  #08 Upload of attachment 'bangbros.html'.
  #09 Upload of attachment 'baby.html'.
  #10 Upload of attachment 'asian-porn.html'.
  #11 Upload of attachment 'asian-girls.html'.
  #12 Upload of attachment 'anime-porn.html'.
  #13 Upload of attachment 'anime-girls.html'.
  #14 Upload of attachment 'angelina-jolie.html '.
  #15 Upload of attachment 'amature.html'.
  #16 Upload of attachment 'amatuer.html'.
  #17 Upload of attachment 'adult-videos.html'.
  #18 Upload of attachment 'adult-stories.html' .
  #19 Upload of attachment 'adult-games.html'.
  #20 Upload of attachment '69.html'.
  #21 Upload of attachment '3d.html'.

Great. Lots of spam. This first started appearing on Feb 27 2007, in a multi-upload attack on a single page (”FindPage”), from IP address 212.26.129.162; then reoccurred on Apr 27 and May 7 from the (insecure open proxy) proxy.drevlanka.ru.

Annoyingly my “subscribe to wiki changes” patch doesn’t catch this – these aren’t gatewayed through as “changes” via mail for review. I need to fix that in my copious free time. :(

Also, the RecentChanges RSS feed doesn’t list them, although the HTML form does.

So unfortunately, the only way I can see to block this is either to review by visiting the RecentChanges page in a web browser regularly (how retro!), and delete them retrospectively, or simply to turn off attachments entirely – which is what I’ve done, by editing “wikiconfig.py” and adding:

    actions_excluded = ['AttachFile']

It looks like quite a few other wikis around the web are running into the issue too :(

Tags: anti-spam, attachments, moin, moin-moin, spam, web, wiki

A useful Moin Moin anti-spam tip, via Upayavira at the ASF: adding ACLs to pages so that only certain users can edit them. This is an easy way to interfere with the wiki spammers who get past the existing (quite good) Moin Moin anti-spam subsystems. They tend to aim for the common Wiki pages, such as WikiSandBox, RecentChanges, and FrontPage, so if you make those pages uneditable, that’ll cause them more trouble — and hopefully cause them to move on to easier targets, instead of defacing your wiki. Here’s how to do it (at least for Moin Moin >= 1.5.1).

Open a shell on the machine where the Moin Moin software is installed. Edit your “wikiconfig.py” file (in my case this is at /home/moinmoin/moin-1.5.1/share/moin/jmwiki/wikiconfig.py), and change the “acl_rights_before” line to read:

    acl_rights_before = u"JustinMason:read,write,delete,revert,admin"

Replace “JustinMason” with your wiki login name, of course.

Create an administrative group of trusted users. Do this by creating a page called “AdminGroup” containing

acl All:read

These are the members of this group, who can edit certain restricted pages: * JustinMason

Now, for the sensitive pages (like FrontPage etc.), edit each one and add an access-control list line at the top of each page containing:

acl AdminGroup:read,write All:read

That’s it. Users who are not in the AdminGroup will no longer be able to edit those pages. That should help… at least for a while ;)

Update: you should also use this in wikiconfig.py:

    acl_rights_default = u'Known:read,write,revert All:read'

This blocks non-logged-in users from writing to pages.

Tags: anti-spam, moin, moin-moin, web, web-spam, wiki, wiki-spam

Apparently, Wikipedia has (possibly temporarily) decided to re-add the rel=”nofollow” attribute to outbound links from their encyclopedia pages.

There’s been a lot of heat and light generated about this, most missing one thing: there’s no reason why Google needs to pay attention.

Google, or any other search engine, can treat links in the Wikipedia pages any way they like — including ignoring ‘nofollow’, applying extra anti-spam heuristics of their own, or even trusting the links more highly.

‘Nofollow’ has had pretty much no effect on web-spam, and now is generally festooned all over weblog posts across the internet, both spammed and non-spammed posts, at that. It’d be interesting to see if it’s yet flipped to mean a higher correlation with nonspam than spam content…

Update: It appears Wikipedia used ‘nofollow’ before, so this is not exactly new, either.

Tags: anti-spam, google, nofollow, spam, web, wikipedia

new-referrer-rss.pl – generate RSS feed of new referrer URLs from access_log

SYNOPSIS

new-referrers-rss nameofsite [source ...] > new-referrers.xml

DESCRIPTION

Given the name of a web site, and a selection of Apache combined log format ‘access_log’ files containing referrer URL data, this will generate an RSS feed containing the latest referrers.

The script should be run periodically with ‘fresh’ access_log data, from cron.

Tags: access_log, apache, referrers, scripts, software, web

peoplefeeds is cool.

I’ve been looking for something to can aggregate my Flickr, Wordpress blog, and del.icio.us feeds into one venue where I can look up items by tag, in a single page-load.

Suprglu was my leading contender, although they weren’t there yet since they didn’t seem to support importing my blog posts with tags preserved — pretty much everything wound up tagged as “uncategorized“. disappointing. :( so I was waiting for them to fix that.

This post by Richard MacManus pointed at another couple of options; 43Things and Peoplefeeds. I hadn’t actually noticed that 43Things was doing this kind of aggregation too; unfortunately as far as I can see, they doesn’t support tag preservation and browsing, so there goes my desired feature. shame.

However, Peoplefeeds was right on target, offering a ‘Unified Tagspace’ and a ‘Search All-Personal-Content’ mechanism. It works nicely, too. Here’s my personal aggregator, combining my Flickr feed, my weblog feed, and my del.icio.us feed into one — and with a unified tag-space; here’s my ‘hiking’ tag, hitting all 3 feeds. Perfect.

One other use for this — I’ve forgotten why I was looking for one of these, but I know I did want one ;) — it can be used to make a “private planet“. If you have 3 or 4 feeds that you need to combine into one, this provides a very easy way to do that; just set up a userid at Peoplefeeds for that purpose.

Tags: aggregation, feeds, peoplefeeds, rss, tags, web

So I’ve been using this for a few days now — and I’m loving it. A calendaring system that deals coherently with the web:

• good RSS integration
• publishing calendars, easily, via HTTP
• subscribing to third-party calendars via HTTP
• a URL API, allowing third-party sites and user scripts to add events to your calendar

I keep finding little things that make perfect sense, and just feel more logical than what I’ve used elsewhere. This rocks!

One thing still needs work, though: the links to Mapping fail spectacularly, for non-US addresses at least. But that’s pretty minor.

By the way, I have a feeling that Mac.com had parts of this, but really, you had to drink a lot of Apple kool-aid to use that, and I just didn’t go for that. Sorry Jobs fans.

Do you know what would be cool now? If Upcoming.org published venue/location-specific iCal feeds. Oh look, they do! Awesome…

Tags: calendar, gcal, google, hcalendar, http, ical, rss, upcoming, web

Planet Antispam now has a better URL — http://planet.spam.abuse.net/ . Much better!

Tags: aggregation, antispam, community, planet, planet-antispam, rss, web

This post on the Wikipedia/Seigenthaler spat at Corante.com contains this excellent comment from Wikipedia’s Jimmy Wales:

Imagine that we are designing a restaurant. This restuarant will serve steak. Because we are going to be serving steak, we will have steak knives for the customers. Because the customers will have steak knives, they might stab each other. Therefore, we conclude, we need to put each table into separate metal cages, to prevent the possibility of people stabbing each other.

What would such an approach do to our civil society? What does it do to human kindness, benevolence, and a positive sense of community?

When we reject this design for restaurants, and then when, inevitably, someone does get stabbed in a restaurant (it does happen), do we write long editorials to the papers complaining that “The steakhouse is inviting it by not only allowing irresponsible vandals to stab anyone they please, but by also providing the weapons”?

No, instead we acknowledge that the verb “to allow” does not apply in such a situation. A restaurant is not allowing something just because they haven”t taken measures to forcibly prevent it a priori. It is surely against the rules of the restaurant, and of course against the laws of society. Just. Like. Libel. If someone starts doing bad things in a restuarant, they are forcibly kicked out and, if it”s particularly bad, the law can be called. Just. Like. Wikipedia. I do not accept the spin that Wikipedia “allows anyone to write anything” just because we do not metaphysically prevent it by putting authors in cages.

Tags: social-software, steak-knives, web, wiki, wikipedia, workflow

Windows Live Local, with its isometric, Sim City, “bird’s eye” view, is quite nice.

However, what gets me is — do MS do this deliberately? I’m referring, of course, to the way it’s broken on Firefox 1.5, requiring you to drag twice to get it scrolling around the viewport, and the jumpy, clunky UI on that browser.

Pretty lame — and lazy, too. By now, it’s essential for a new fancy website to work under Firefox; even if only 20% of your users will be using it, a good proportion of those are the bleeding-edge, ‘taste-maker’ types who’ll be blogging about it, writing reviews for newspapers and news sites, and generally generating buzz for you, and thereby attracting the other 80%.

I’m told it works great in IE, but there’s no way I’m starting Windows and opening up that app. If I want to be infected by 700 different malwares within seconds, I’ll ask. ;)

On top of that, coverage seems spotty — Ireland is AWOL, of course.

As a result, my one line summary would have to be: idea = cool, dataset = probably cool, execution = half-assed and crappy. I’m looking forward to Google doing a much better job with their implementation of the Sim City viewpoint.

Tags: google, mapping, microsoft, panopticon, simcity, web

I’ve been playing a bit of Urban Dead recently. Urban Dead is a very low-key, web-based MMORPG — you play a 3-minute turn once every 24 hours. It needs some rebalancing and some new features, especially given the organised nature of some of the bigger marauding zombie hordes, but I’m still finding it fun.

To scratch a couple of itches, I’ve written a Greasemonkey user script for UD called the Urban Dead HUD. It adds several nifty features to the user interface:

• keyboard accelerator access keys for the action buttons, and your inventory — very handy when you’re attacking an enemy repeatedly;
• an on-page long-distance map of the surrounding squares;
• a distance tracker, which tracks the distances to “important” locations for you

There’s screenshots on the download page, so you can see what I’m talking about.

Greasemonkey is a fantastic tool, as is Mark Pilgrim’s Dive Into Greasemonkey, which has repeatedly turned out to be an excellent, well-written reference while hacking this. Thanks guys!

Tags: games, greasemonkey, javascript, mmorpg, ui, urban-dead, web

Web: a while back, I posted some musings about a web service to help authenticate users as members of a private group, similarly to how TypeKey authenticates users in general.

Well, Flickr have just posted this draft authentication API which does this very nicely — it now allows third-party web apps to authenticate against Flickr, TypeKey-style, and perform a limited subset of actions on the user’s behalf.

This means that using Flickr as a group authentication web service is now doable, as far as I can see…

Tags: api, authenticate, authentication, draft, flickr, general, group, service, typekey, web

Web: i caught sight of (8 June 2005, Interconnected), on the geographical insularity of the dot-com boom. A good read:

The huge influx of cash at the turn of the millennium led to the whole Web being built in the image of the Bay area. The website patterns that started there and – just by coincidence – happened to scale to other environments, those were the ones that survived.

Lots to think about. He’s spot on, of course — many of the web’s big commercial success stories are almost shamelessly US-oriented, and if they work outside that, it’s purely by accident.

I’d love to see more web businesses that work well for other parts of the world, but that’ll take money — and from what I saw in Dublin, the money either (a) just isn’t there, or (b) frequently goes to the companies that talk the talk, but then piddle it away on ludicrous ‘e-business architectures’ and get nothing useful out the other end.

On both counts, Silicon Valley has an ace up its sleeve. The VCs are smart and well-funded, and the developers have experience, and know which tools are right for the job.

I’d be curious to hear how other high-tech hotspots in the US (Boston, for example) find this.

Tags: boom, influx, insularity, interconnected, june, money, read, sight, talk, web

Web: I link-blogged this, but it’s generated some email already, so it deserves a proper posting.

One thing you quickly learn about IBM where software patents are concerned, is that if IBM Research is making noise about a new software technique, they’ve probably patented it already. A few years ago, IBM was keen on HTTP transcoding — rewriting web content in a proxy, to be more suitable for display and access from less-capable devices, like PDAs and mobile phones.

So I probably should not have been surprised today when I came across USPTO patent 6,886,013, which is an IBM patent on a ‘HTTP caching proxy to filter and control display of data in a web browser’. It was applied for on Sep 11 1997, and finally granted on Apr 26 of this year.

The first claim covers:

1. A method of controlling presentation on a client of a Web document formatted according to a markup language and supported on a server, the client including a browser and connectable to the server via a computer network, the method comprising the steps of:

   as the Web document is received on the client, parsing the Web document to identify formatting information;

   altering the formatting information to modify at least one display characteristic of the Web document; and

   passing the Web document to the browser for display.

Notice that there’s actually no mention of a HTTP proxy there — in other words, an in-browser rewriting element, such as Greasemonkey or Trixie may be covered by that claim. However, the claim does indicate that the document is passed from the ‘client’ to the ‘browser’, so perhaps having the ‘client’ inside the ‘browser’ evades that.

It appears this really wasn’t original research even when the patent was applied for — there’s probable prior art, even if the patent itself doesn’t cite it. For example, WWW4 in 1995 included Application-Specific Proxy Servers as HTTP Stream Transducers, which discusses ‘transduction’ of the HTTP traffic and gives an example of ‘A “rewriting” OreO (transducer element) that encapsulates each anchor inside the Netscape Blink extension, making anchors easier to spot on monochrome displays’. On top of that, Craig Hughes notes that his ’senior project at Stanford in 1992 was an implementation of a content-modifying HTTP proxy. It re-worked HTML in http streams to add some markup to enable full navigability through touch screen or voice control, for screen-only kiosks.’

Add this to the ever-growing list of over-broad software patents.

Tags: browser, claim, client, display, document, http, ibm, patent, proxy, web

Malware: spotted on NANOG — Six PCs caused BigPond problems:

Disconnecting six compromised personal computers on Tuesday evening eased the difficulties caused by bogus requests which clogged BigPond’s domain name servers (DNS), slowing customer e-mail and Web site access, Telstra said.

A Telstra spokesperson said the carrier had narrowed the list of malware that could have infected the computers to three, adding the problem could have been caused by a combination of those viruses or Trojans. He declined to name the suspects.

He said the PCs generated 95 percent of the bogus requests which caused the problems that evening.

The ‘problems’ in question are described here :

One forum participant (on Aussie forum Whirlpool), who claimed to be a BigPond customer, said on Monday: ‘I’m in Canberra and it’s been almost unusable all afternoon. I’m snowed under at the moment and it is really driving me crazy. Three out of four links fail to load first time and sometimes take eight or nine tries before it does.’

Another said: ‘I am having problems loading Web pages, I get the 404 error. I have to retry five to 10 times to get some places.’

Petri Helenius, in a post to NANOG, notes:

Consumer ISP’s who don’t proactively take care of security/abuse usually end up with harvesting-bots which consume significant amount of DNS resources, typically doing anything from a few dozen to a thousand queries a second. A few hundred of these will seriously hamper an usually provisioned recursive server.

Interesting. It’s been a long time since I’ve relied on an ISP’s recursive DNS servers; in my recent experience (Comcast, Cox.net) they’ve always been overloaded, and take aaaages to give me answers. Maybe this is why.

It makes sense; most Windows machines will indeed use the ISP’s NSes, because that’s what DHCP tells you to do; and setting up a BIND or djbdns instance locally to query the roots directly is still a UNIX-only trick, as far as I know.

The upshot?

• 1. Yet another good reason why ISPs should proactively disconnect infected customers, as they deny service to other users of the ISP.
• 2. A good demonstration of yet another way the techie community’s experience of web surfing and internet use differs from that of the unwashed masses in the hinternet — that ’shanty-town of pop-ups and porn adware’, as Danny O’Brien puts it.
• 3. Sometime soon, if it hasn’t happened already, someone’s going to bundle up an ‘Internet Accelerator’ lump of shareware that sets up a local recursive NS on Windows which queries the roots, and it’ll become the latest popular Windows download. Then the load on the root servers will really start rising.

(PS: top tip — ever wanted a publically-queriable recursive nameserver, or a good IP address for pinging, that’s easy to remember? 4.2.2.1 is what you’re after.)

Tags: bigpond, customer, dns, evening, forum, isp, malware, nanog, telstra, time, web

Web: I’ve been doing a little thinking about group-based networking and services.

Here’s the situation. Let’s say you have a small group of people, and want to offer some kind of online service to them (like a private chat area, mailing list, etc. etc.) That’s all well and good, but maintainance of ‘who’s in the group’ is hard. You need:

• the ability to let other ‘admins’ add/remove people
• a nice UI for doing so
• a nice UI for people to request to sign up
• possibly, multiple groups
• privacy for group members
• possibly, some public groups
• decent authentication, username/password
• the usual stuff that goes with that — ‘I’ve forgotten my password, please email it to my listed address’
• did I mention a nice UI?

The traditional approach is to code all that up myself, in my copious free time presumably. Urgh, talk about wheel reinvention on a massive scale.

I’d prefer to use something like TypeKey, a web service that exposes an API I can use to offload all this hard work to. Initially, I was in the ‘ugh, Typekey 0wnz my auth data’ camp, but I’ve eventually realised that (a) they’re not quite as evil as MS, (b) they’re not quite as stupid as MS (deleting Passport accounts if you don’t log in to Hotmail, which is only one of the supposedly many services, including third party services? hello?!), and (c) it’s actually really convenient having a single-sign-on for weblog commenting after all.

Having said all that — TypeKey’s out. Unfortunately, it only does authentication, without dealing with group maintainance.

However, social networking services are all about groups and group maintainance.

Running through the options — LinkedIn, Friendster and Orkut are all grabby and gropy and ‘my data! mine!’, so they’re out immediately.

The next step was to take a look at Tribe.net, which seems kind of nice and had a good rep for open APIs — but as far as I can see, all they’ve got really in that department is FOAF output, and a simple server-side-include thing called TribeCast. I could list all the group members in a FOAF file, but without authentication, that’s pretty useless since anyone could claim to be one of the FOAFs.

That leaves Flickr, which has a great set of APIs. Using that is looking quite promising. If you’re curious, I’ve gone into detail on this at the taint.org wiki.

Tags: authentication, group, kind, maintainance, networking, password, service, situation, thinking, typekey, web

Web: Now this is very cool stuff: ‘Greasemonkey is a Firefox extension which lets you to add bits of DHTML (”user scripts”) to any webpage to change it’s behavior.’

In other words, you can rewrite any page viewed in Firefox, as it transits between the server and your client’s display; a form of transcoding.

Traditionally, transcoding is performed using a HTTP proxy which applies the transformation, or a specialised HTTP user agent which transcodes and outputs a whole new set of documents with the results.

That was all a little hacky for full-scale integration into your web browser, though, so Greasemonkey is a big improvement for that use-case.

Some good links:

• The Greasemonkey homepage
• The Greasemonkey script repository (wiki)
• Mailing list archives for greasemonkey users

And some demos:

• a good demo of using it to fix a Bloglines bug, by Michael Moncur
• an MSDN bug-fixing script
• a Boing Boing ad-blocking script
• truly awesome: persistent searches (think vFolders) in GMail!

Remember, these are single, sub-100-line JS scripts, running entirely locally in the user’s web browser. The last one gives you an idea of what coolness is possible…

My contribution: an ad-removal script for Metafilter. It took some 30 seconds of hacking to produce this — soooo easy. It’s a whole new world of site customisation and hackable filtering. You thought AdBlock was good, this is ever niftier ;)

Tags: boing, browser, extension, firefox, greasemonkey, http, script, stuff, user, web