Saturday, August 13. 2005
About a year ago, when gas prices in Canada started to rise rapidly, my friend and I were trying to guess when they would exceed the $1 per liter mark. After some discussion we mostly agreed it would not happen till 2006 at the earliest. Alas, our predictions were proven false: as the picture below shows, today, August 13, 2005, the $1 mark has been surpassed.
Given that $1 for a liter is a psychological marker for many people, it would be interesting to see what impact it will have on the quantity and type of cars seen on the road. Perhaps it will finally reduce the need for city dwellers to purchase giant fuel-guzzling SUVs and similar vehicles, but only time will tell.
One thing's certain, however: fuelling up your car will be much more of a hit on your wallet. Just a month ago I could relatively easily fuel up for a mere “0.80” cents a liter. A 20% increase in such a short time is highly noticeable and most unwelcome.
**NOTE**
For those of you who don't use the metric system or don't know the latest conversion from US to funny money (Canadian dollars), here are some stats.
1 liter = 0.264172051 gallon
1 USD = 1.1971 CAN
Monday, July 11. 2005
Spent the entire Sunday at the Molson Indy in Toronto; here is the photographic evidence.
For the most part it was a rather enjoyable show. The main regret is the fact that this year another layer of netting was put up, keeping regular folk like me even further from the track; a closer look costs $160+ a pop. Interestingly enough, the best spot to see the most difficult part of the track is from a non-paying zone on a little hill. Some of the latter photos were taken from there.
Friday, June 3. 2005
A few days ago a friend of mine sent me a URL to an online store with a product he found interesting. When I went to the site, aside from the aforementioned product I saw a nice "Hacker Safe" logo bearing the current date, which was supposed to assure me as a consumer that this site is "safe". Clicking on this logo took me to the page of a security company specializing in "helping sites protect you (the customer) from identity theft and credit card fraud". Sounds good; I feel much safer already.
Curious about the truth of the site's hacker-safe claims, I decided to do a very basic test for Cross Site Scripting (XSS) by putting a small HTML string in place of one of the parameter values in the GET query. Imagine my surprise when, rather than rejecting the clearly bogus value (a number was expected, but a non-numeric string was supplied), the site displayed my input, and the HTML tags within it, verbatim. This little oversight would allow anyone to inject arbitrary content to be displayed as part of the store’s front end and, if it contained HTML/JavaScript, have it parsed and executed. For example, it would be trivial for someone to inject some JavaScript capable of stealing the current user's session and use it for their own gain. Identity theft, here we come…
Once the initial novelty of finding a trivially exploitable XSS bug in a fairly large online retailer wore off, I decided to send them an e-mail detailing the problem and its possible consequences in the hope they would fix it. Two days later, which goes to show just how much they care about security, I received a response, which goes like this:
Thanks for your e-mail.
Although what you've sent us is certainly interesting, it would definitely not qualify as a hacker attack.
Apparently in today's security world session theft via XSS only qualifies as interesting; I suppose only a full-blown trojan or a virus would constitute a hacker attack. Deciding that perhaps the brush-off was just that and the problem had been fixed, I went to the site and entered the same XSS string as before. Lo and behold, the bug is still there; even a day later, 4 business days since the initial report, the XSS is as exploitable as ever. It would seem that adding a simple input validation check is beyond the capability of the store's web development department, nor are "trivial" things like XSS detected by a supposedly reputable "anti-hacker" firm.
Which leads me to the question: do people really care about security, or are they simply interested in a token logo which is somehow supposed to make their customers safe and give them somebody to blame when things go wrong? With this attitude in place, is it at all surprising that every week there is yet another report about a large compromise in one company or another…
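To make the oversight concrete, here is an added example (not the store's code, and not from the original post) of a hypothetical product-lookup handler in both forms: the one described above, which echoes a parameter that should have been a number straight back into the page, and a hardened one that rejects anything non-numeric and HTML-escapes whatever it does display. The catalogue, the handler names and the probe string are all constructed for the example.

```python
import html
import re
from typing import Tuple

# Constructed stand-in for the store's product database (assumption).
PRODUCTS = {42: "Widget", 7: "Gadget"}


def render_product_vulnerable(params: dict) -> Tuple[int, str]:
    """The defect from the post: the 'id' value is reflected verbatim into HTML."""
    pid = params.get("id", "")
    name = PRODUCTS.get(int(pid)) if pid.isdigit() else None
    if name is None:
        # The bogus value lands in the page unescaped: reflected XSS.
        return 200, f"<p>Sorry, product {pid} was not found.</p>"
    return 200, f"<h1>{name}</h1>"


def render_product_hardened(params: dict) -> Tuple[int, str]:
    """Validate on input (a number was expected) and escape on output regardless."""
    pid = params.get("id", "")
    if not re.fullmatch(r"[0-9]{1,9}", pid):
        # Reject the clearly bogus value instead of echoing it back.
        return 400, "<p>Invalid product id.</p>"
    name = PRODUCTS.get(int(pid))
    if name is None:
        # Output encoding as defence in depth, even though pid is now digits only.
        return 404, f"<p>Sorry, product {html.escape(pid)} was not found.</p>"
    return 200, f"<h1>{html.escape(name)}</h1>"


def reflects_markup(render, probe: str = "<b>probe</b>") -> bool:
    """The basic check from the post: submit a harmless tag where a number is
    expected and see whether it comes back unescaped."""
    _, body = render({"id": probe})
    return probe in body


if __name__ == "__main__":
    for handler in (render_product_vulnerable, render_product_hardened):
        print(handler.__name__, "reflects markup:", reflects_markup(handler))
```

The hardened version does two independent things: it refuses input that does not match the expected shape, and it still escapes on output, so a later change that widens what `id` may contain does not silently reopen the hole.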
Thursday, May 26. 2005
A few days ago I read an interesting entry on Chris Shiflett's blog about Google Web Accelerator (GWA) and how it affects PHP applications. The purpose of the GWA is to speed up web page loading and thus improve the user experience. This is done through a series of techniques involving different caching mechanisms, periodic downloading of copies of frequently accessed pages, and prefetching.
Prefetching works on the premise that when you load a web page you will not view just that page, but also click on a few links from it. So, rather than waiting for you to click those links, the browser prefetches the content of the linked pages in the background while you are reading the current page. By the time you decide to click on the next link, its content is already sitting in the browser's cache and can be loaded instantly. Pretty neat trick, right?
While it is a neat trick, it does present several serious problems that affect both webmasters and the users themselves. Let's start with the webmasters, since after all that's a bit closer to heart.
Continue reading "Google Web Accelerator and the dangers of prefetching"
Tuesday, May 17. 2005
Finally got off my ass and installed phpMyGallery, so my amazing photography can be shared with the world.
The first "victim" is the PHP|Tropics conference.
Wednesday, April 6. 2005
This weekend I was returning from the Montreal PHP conference, which as usual was a great deal of fun. In fact I was having so much fun that I made it back to my hotel room at about 5:30am, approximately 2 1/2 hours before my scheduled departure for the train station; needless to say I had very little sleep.
The adventure began right at checkout, which took about an hour since the hotel had conveniently lost the payment confirmation from the conference organizers. Consequently a great deal of time was spent searching through computer and paper records, eventually leading to an early phone call to Damien Seguy (conference organizer). By the time the problem was resolved it was about 9:00am, leaving me with just shy of 40 minutes to get to the train station and board my train.
Continue reading "Fun Trip"
Friday, December 17. 2004
A rather educational article came to my attention today, reflecting the thoughts of some US citizens about Canada, aired on public television by what one may consider to be major news outlets.
While I can only hope this is the opinion of a small minority, even that is a little alarming.
Monday, November 15. 2004
It would seem that good things come in twos; this was proven yet again by the postman, who delivered my two latest toys. These are the IDE to USB 2.0 adapter and my USB 2.0 laptop hard-drive case.
These Hong Kong arrivals allow me to safely transport my 80 gig laptop drive, which has been "creatively" dubbed the "Movie Drive". I am especially happy about this case as it does not require any external power, instead leeching the needed power from my USB port, which makes it that much more practical to use when I am on the road.
The IDE to USB adapter is a welcome arrival as well, as it will finally let me make use of (I don't know what for yet, but that does not matter) the various IDE drives I have lying around the house/office.
Monday, November 8. 2004
It seems like winter in Canada is going for an early start: this morning, while enjoying my mandatory cup of coffee, I was witness to the 1st Canadian snowfall of the year (in the Toronto area). It lasted only a few minutes and within a few moments all evidence of the event had melted, but nonetheless it was yet another reminder that the days of good weather are numbered.
Friday, November 5. 2004
Yesterday I upgraded the wireless card in my laptop from the basic Intel Centrino Wireless, capable of B/G, to an Atheros 5004 based card. While I had seen this card work on a friend's laptop, I was nonetheless seriously impressed by its performance. First of all, Atheros implements something called Super A/G, which allows the card to reach 108mbit speeds on the A or G protocols. This allows the card to use more than one channel when communicating with the router, effectively doubling the “pipe” capacity. Additionally, the card also pumps out more power than Centrino Wireless: for B/G its maximum transmit power is 100mW (that's milli, not mega), which you can reduce via the driver when battery life needs to be preserved. The card also has something called eXtended Range (XR) technology that supposedly makes the card more sensitive. Normally I would be skeptical of techno-babble of this nature, but I can now pick up and use my neighbor's open MSN wireless access point, which is at least 60 meters away. With Centrino I couldn't even see it, other than an occasional blip on Network Stumbler.
As for the transfer speed, which is what I was seeking to improve with this upgrade, I went from 1.7-2.0 megs/sec on Centrino to 4.2-5 megs/sec on Atheros. As you can imagine I am quite happy with this $60 (USD) upgrade and would recommend this card to anyone looking to improve the performance of their wireless.
Even on a regular G network where the router does not support Super G, this card averages 500-700 kb/sec faster transfer rates than a regular Centrino.
As far as drivers go, they are a bit hard to find, but they are available and the card is supported on both Linux and FreeBSD; unlike the Centrino driver, which is a wrapper around an Intel binary, the Atheros driver actually comes with source code.
You can get the drivers here: http://www.phoenixnetworks.net/atheros.php
Wednesday, November 3. 2004
After a long break from this blog due to an overwhelming number of projects and "real life stuff", I've been neglecting this little corner of the net. In my long absence spammers have discovered this site and on a daily basis have been spamming the comment system with ads.
This is hopefully now a thing of the past thanks to the upgrade of Serendipity, which now uses Turing tests to prevent automated tools from posting messages. The older spam has been manually removed.
Now that my schedule is more or less back to normal, I expect to be able to rant more often, something I am sure those of you who read this blog can wait for, hehehe.
Tuesday, July 13. 2004
It appears that exploitation of the public's paranoia is not unique to us North Americans; it's something our trans-Atlantic friends in the UK have adopted as well. According to a recent article I read on the BBC, the Federation Against Copyright Theft (FACT) in the UK is launching a new anti-piracy campaign under the slogan that movie piracy supports terrorists. They claim that illegal movie copies are being distributed by the IRA and Afghan Sikhs to sponsor their insurgency activities. They even made a nice poster.
It would appear they hope that by capitalizing on the public's somewhat irrational fear of bad men hiding behind every corner they will accomplish what all other methods have failed to so far. Good luck to them...
Friday, July 2. 2004
It would seem that some good does after all come from the rampant paranoia in the United States. The recently created Department of Homeland Security, through its mouthpiece, CERT, has recently recommended that people consider alternate browsers to IE. It seems someone in the US government has finally realized that the whole IE infrastructure is flawed and that the frequently rushed fixes from Microsoft are nothing more than a band-aid solution for a dam that's about to burst (some may argue it has already burst).
This is the first time a US government agency went out and publicly recommended an alternative to a Microsoft product (to the best of my knowledge); could it be that MS slush funds are not getting to the right hands, or perhaps not enough of them?
Ultimately, this is a good thing in just about all respects. First of all, it'll hopefully convince people to switch to Mozilla, Opera, etc., which offer greater standards compliance, security and other neat features like tabs and popup blockers. There is also a slim chance that this move will force Microsoft to restart IE development (preferably from scratch), which would not only resolve the security issues but also bring IE's standards compliance up to par. However, given Microsoft's past history that seems unlikely; the likely recourse is more band-aid solutions, FUD and silly suggestions such as "don't click hyperlinks". That's fine too, since it'll lead to further user frustration, eventually forcing them to switch to a different browser. Perhaps once they come face to face with Microsoft's unwillingness to properly address the problem, they'll realize that this is a company with whom they'd rather not deal, and that may spill into decisions affecting usage of other MS products.
Monday, June 21. 2004
Today I discovered that Gmail (Google's e-mail service, for those living under a rock) had decided to increase its user base by allowing secondary members (those referred by existing members) to invite up to 3 of their friends to Gmail. The popularity of the service still seems high despite the privacy issues some people choose to be panicky about, as my 3 invites were gone in a matter of minutes. Google was clearly not ready for the influx of new users, though, since all of the people to whom I sent invites reported seeing an error message saying that the service is temporarily unavailable. This was further confirmed by a few other people who got invites from others.
This however is not really the most interesting thing. What is quite interesting is that 2 premier free (and paid?) e-mail providers, Yahoo and Hotmail (MS), have blocked Gmail invites. At first I was a little sceptical of this, despite the long thread on the topic on Slashdot; however, when I sent one of my friends a Gmail invite to a Hotmail account, even after a few hours he didn't have anything, while a regular e-mail arrived almost instantly. It seems like a pretty stupid decision on behalf of Y! and Hotmail, since not only does it generate bad publicity for them but it also gives Gmail free publicity and credibility (since apparently the big guys are afraid of it). You really gotta wonder what's going through the minds of the marketing drones at Y! and Hotmail who made this decision.
Monday, May 31. 2004
In recent days I've noticed some very strange referral URLs in my top referrals link list. A few sites that definitely have no links to me somehow appear to have sent me a noticeable number of users. How is this possible, you ask? Well, it seems someone has figured out that blogging software does not perform any validation on referrals (such as checking whether the link is present on the sending site), and with trivial scripts generates fake hits that quite easily get said site to appear on the top referrals list. Blocking such things is quite difficult since the scammers fake genuine browser signatures and in some cases even set up dummy pages that have the link back to the original site. Moreover, at least one of those scammers seems to be using anonymous proxies to prevent IP filtering. Quite frankly, outside of manual referral validation or a referral whitelist I see no foolproof way to prevent this from happening. Since I don't have the time or interest to invest in manual validation or the creation of whitelists, I am going to turn off "Top Referrals"; perhaps someone with more free time than I will implement a whitelist for this purpose.
As for the reason why people are doing this: well, beyond getting perhaps a click or two from curious visitors to my site, it helps their rankings on search engines (Google) that determine search result position based on the number of links to a site. Given that those same search engines can be used to find sites displaying such link lists, it becomes trivial to design a simple script (heh, could be a PHP script) to get a list of victims and send them a bunch of referrals. Given the growing popularity of blogs it seems to be a foolproof way to get lots of attention. Moreover, it does not appear to violate any laws, so for now it seems like spammers/scammers have found a safe haven.
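As an added example (not the blog software's code, and not from the original post), here is what the two countermeasures named above look like in Python: a referrer whitelist, and a check that the referring page actually contains a link back before a hit is counted. The hostnames, the whitelist, the stand-in "web" and the sample referrer values are all constructed; a real deployment would replace `fake_fetch` with an HTTP fetch and cache its verdicts.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_HOST = "blog.example"          # assumed hostname of this blog
WHITELIST = {"planet.example"}      # referring sites trusted by hand (assumption)


class _LinkCollector(HTMLParser):
    """Collect every href found in <a> tags of a fetched referring page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def page_links_to(html_text, host):
    """True if the page carries at least one anchor pointing at `host`."""
    parser = _LinkCollector()
    parser.feed(html_text)
    return any(urlparse(h).hostname == host for h in parser.hrefs)


def referrer_allowed(referrer, fetch, our_host=OUR_HOST, whitelist=WHITELIST):
    """Whitelist first; otherwise require the referring page to really link here."""
    parts = urlparse(referrer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.hostname == our_host:
        return False                 # internal navigation is not a referral
    if parts.hostname in whitelist:
        return True
    page = fetch(referrer)           # None when the page cannot be retrieved
    return page is not None and page_links_to(page, our_host)


# Constructed stand-in for the remote web so the example runs offline.
FAKE_WEB = {
    "http://planet.example/feed": "<a href='http://blog.example/'>blog</a>",
    "http://friend.example/links": '<p><a href="http://blog.example/archives/1">post</a></p>',
    "http://spammer.example/": "<p>nothing links back from here</p>",
}


def fake_fetch(url):
    return FAKE_WEB.get(url)


# Constructed Referer values as they would appear in the access log.
SAMPLE_HITS = [
    "http://friend.example/links",
    "http://spammer.example/",
    "http://spammer.example/",
    "http://spammer.example/",
    "http://spammer.example/not-even-there",
    "http://blog.example/archives/2",
    "http://planet.example/feed",
]


def top_referrers(hits, fetch=fake_fetch):
    """Count only referrers that pass validation, most frequent first."""
    counts = Counter(h for h in hits if referrer_allowed(h, fetch))
    return counts.most_common()


if __name__ == "__main__":
    for url, n in top_referrers(SAMPLE_HITS):
        print(n, url)
```

The link-back check removes the cheapest form of the abuse (the spammer in the sample sends three hits and gets zero credit), but as the post notes it is not foolproof: a scammer who sets up a dummy page with the link on it passes the check, which is why the whitelist stays as the stronger control and the fetched verdicts should be cached so that fake hits cannot turn the validator itself into extra traffic.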