net stuff

I check in with Wikipedia every day, and try to be a good steward of the articles I’ve contributed to.

Wikipedia is a funny thing. It’s easy for two people of good intent to have very different ideas of what’s appropriate content, and to get into a fight over what belongs and what doesn’t. In situations like this, the “right” thing to do isn’t very clear-cut. In some situations though, there is a clear right and wrong. Commercial links and self-links are explicitly discouraged.

So it felt a little awkward for me today when I discovered someone I kinda-sorta know had inserted links to his own site in many articles. This is a little like cussing in church.

I reverted all his insertions.

I’ve seen a sudden upsurge in a particular kind of spam over the past day or so. All of them come with a (Windows) executable attachment.

Several of the messages read as follows:

From:     Admin@cia.gov
Subject:  Your IP was logged
Date:     21 November 2005 22:07:31 CST
To:       [my e-mail address]

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

Call me crazy, but it seems like a really, really bad idea to use the CIA—the same organization known to torture prisoners—as the Joe in your little joe-job phishing expedition.

later: Apparently I’m not the only one getting these.

I was trying out the new Yagoohoogle and of course, had to search on my name to do a double-barreled egosurf. The first result from Google not only pinpoints me (as opposed to the other Adam Rices out there), it cobbles together a one-line synopsis of who I am and what’s going on at my site.

Freelance Japanese-English translator living in Hyde Park. Includes a weblog, recipes, trip diaries, and rants.

This sentence doesn’t appear anywhere on my site. Fragments of it do. I tried typing in the names of some friends who also have websites and distinctive names, but didn’t come up with anything equivalent for them. I wonder where this came from. I know that Google News has some kind of magical news-story synopsizer–I wonder if they’re starting to apply that technology elsewhere. It’s obviously not perfect–although I do have a few recipes posted on this site, they’re hardly as prominent as other kinds of writing. And rants? Moi?

Later: I think I found the source of that bio. Dmoz. Should have guessed. Presumably written by a human, though it isn’t clear who the category editor is. Some other Google results for fellow bloggers seem to be culled from this listing, which could do with some editing. My name given as “Adam Rice,” David Nuñez’ as “Nuñez, David,” and many other people listed under the title of their blog, rather than their name (and no, I am not volunteering to edit this).

I’ve run across a new phishing exploit–new to me, anyhow. This one is especially pernicious because it actually uses a legitimate bank’s website against itself.

Take a good look at the following URL:

http://www.charterone.com/ legalcenter/do_not_solicit_confirm.asp? name=%3Ciframe+ style%3D%22top%3A120%3B+ left%3A0%3B+ position%3Aabsolute%3B%22+ FRAMEBORDER%3D%220%22+ BORDER%3D%220%22+ width%3D900+ height%3D650+ src%3D%22http%3A%2F%2Fwww.totallyfreebanking.biz%22%

I’ve broken it up and highlighted the salient portions in red. I’ll break down what is happening here. Apparently, Charter One uses (or used–see below) a frame-based interface where the contents of a frame could be specified through the URL. What the scammer has done is set up a mimic site (www.totallyfreebanking.biz) that looks like Charter One’s, and loads in a frame of Charter One’s, but isn’t a part of it, and send the phished data back to the scammer. So even a person who is generally aware of phishing scams might look at this URL and say “Oh, it really is from my bank, it has their URL, it must be OK.”

I visited the page in question, and Charter One seems to have defeated this already.

I don’t want this to be a “frames are bad” rant, because I do think frames have their uses. And in fact, using URLs to specify frame contents goes a long way towards addressing the problem of frame-addressability. But anyone who can’t afford to have an outside party insert content into a frame needs something more subtle–perhaps a javascript detector in the framing page to prevent outside pages appearing in a frame.

So everyone is talking about Google’s new “suggest a phrase” feature, which is almost psychic. But it’s also fun for language buffs–it gives you a cheap and easy way to see fixed phrases in action. Here’s an obvious example.

We’ve come so far, and yet, we have so much farther to go.

When I set up my first website, all my HTML coding was manual. Creating a new page meant opening up a copy of an empty web-page template I had created, writing the page, saving it, uploading it by FTP, editing my local copies of any other pages I wanted to link to it, saving them, and uploading them (and any graphics that might be involved). Using Japanese at all was fraught with peril, because there wasn’t a single browser that could handle the three prevailing encoding methods for Japanese (Shift-JIS, New JIS, EUC). There were some primitive web tools that allowed you to edit pages directly on the server via the web browser, but the browser provided a miserable interface, and I didn’t have the cash or the technical chops to install one of these.

Today, we’ve got content-management systems and blogs that handle most of these tasks. Modern browsers have tolerable editing interfaces and are vastly smarter about international characters (and in any case, we’ve got Unicode). Right now I’m typing this in a small program that runs on my computer and talks to my blog’s software to upload my posts.

But some people want more. They want an editing tool that gives them smooth control over HTML and CSS, and somehow gets out of their way to make this all transparent. Something like Microsoft Word for the web. Well, that’s a poor analogy, because Word is terribly intrusive. Like how it goes and creates bulleted lists for you when maybe you don’t want one (unless you go to considerable trouble to get Word to cut it out). Interestingly this kind of thing is considered a useful feature in blogging tools, which may say something about the state of editing tools, or the difficulty of writing HTML. I’m not sure.

Back in the bad old days of personal computing, word-processing for paper output was about as bad as writing HTML is today: you had to type tags or special codes to make text bold, italicized, or centered. With the exception of some hardcore XyWrite enthusiasts, WYSIWYG was acclaimed a great leap forward for word-processors.

So great has been WYSIWYG’s hold on our imagination that it is promoted as a worthy format for web-writing tools. It ain’t. Although my handy-dandy blogging tool will do a tolerable job of wrapping <p> tags around my paragraphs, it can’t do much more than that, so there’s clearly room for improvement. But how do you deal with hyperlinks wizzywiggily? Or the clever abbreviation above, that shows its full expansion when you hover over it (in a decent browser)? There’s no way. HTML is not presentational, it’s structural. You need a way to show the structure of the document as you write. For presentation, we’ve got CSS, which determines the presentation of content for different media: screen, paper, even speech-synthesis. In the land of print, you might have a rule that document titles are always 24-point bold and centered. In the land of HTML, all you know is that a chunk of text tagged as <h1> is at the top of the document hierarchy (and there’s room for dispute on that). That same chunk of text could have completely different forms of presentation because HTML is not tied to any form of output; it contains different forms of meta-data that will often be presented identically (but might be useful to search engines), and contains some that simply isn’t meant to be viewed by humans.

So we’ve got to deal with HTML, content, and CSS. I can imagine a writing program that lays things out like this:

Perhaps there would be popup menus in the Tag and CSS columns, or perhaps some intelligent prediction that writers can override (when we get intelligent prediction in the Content column, watch out).

Of course, even this is still too simplistic. In terms of HTML handling, this model is OK for block elements, but does nothing for inline elements. Dealing with nested elements could be tricky. For CSS, it gets very hairy. CSS is complicated: styles can reside in the tag, in the head of the document, and in other documents, all pulled together in different ways. Styles may apply to a tag universally or contextually. So this putative tool would need to analyze the document structure to determine which contextual CSS rules to show. And if the author serves pages dynamically , or uses dynamic includes to assemble a page from multiple fragments (as I do), it will need to take that into account.

I don’t see an easy way out. A program that is easy to use and allows fine-grained control and generates smart, well-formed HTML and CSS will be a serious challenge for interface designers and coders.

This, I think, is a new one.

I have received a piece of spam (sent via an insecure host in Ukraine) that appears to be an innocuous request by one blogger to exchange links with other blogs. The problem is that the sender is nobody I’ve ever heard of, and the blogs aren’t particularly on the same subject as stuff I write about (if anyone figures out what subject I’m writing about, please let me know).

The blogs in question appear to be legit blogspot-hosted blogs–and they have on-topic content–except that the sidebars are obvious link-farms, as is the website associated with the sender’s e-mail domain.

So what we have here is an attempt to get people to act as part of an unpaid link-farm. More polite than comment-spamming, I guess.

CSS is endless fun for the geek–it can be perverted in so many amusing ways. Take table layout, for example.

Back in the old days (you know, like 1998), HTML authors used table tags to lay out web pages. Gradually, a certain sub-community of web developers came to criticize this: HTML is meant to describe the page’s structure, not appearance, and tables were being used to lay out text matter, not tabular matter. “Save tables for, you know, spreadsheets.” they said. “Look, we’ve got this lovely thing called CSS that provides all kinds of layout flexibility.”

Many old-school web developers have been uncomfortable with this. Table tagging is familiar and predictable; CSS uses a completely different model for laying out the page. Or does it?

The fact is that CSS provides a complete set of tools for styling tables. It even lets you use tabular display tricks for text matter. So you can have your nice, semantically correct HTML, and in the CSS twist it to be displayed exactly as if you had marked it up with table tags.

Tim Bray comes up with a plan for spam that is similar to my previous idea–paying to send e-mail–but doesn’t require any architectural changes to the Internet.

His idea can be taken a step further: once you’ve established friendly communications with someone, you could set up your mail filters to accept unpaid e-mail from that person.

Got my first piece of ICQ spam this morning. Sheesh.

Chip has been doing a good job of beating the drum on Verisign’s offensive “typojacking” (great word) of all unassigned domain names on the Internet. Meaning, for example, if you accidentally type “corssroads.net” into your browser, you are taken to a Verisign page that tell you “perhaps you meant one of these pages.” Prima facie, that actually sounds helpful, but there are serious problems with it. The architecture of the Internet depends on the ability to check whether a domain name is valid or not. This trick stymies that ability. It’s also sleazy, because Verisign can monetize your typos: rather than pointing you to the most likely correct spelling, they can suggest you visit sponsoring sites that seem like likely hits.

And finally, simply by visiting Verisign’s website, you are agreeing to their terms of service. There may have been a tattered fig leaf of respectability for that stunt when you had to intentionally go to their site, but that fig leaf is completely gone now. One harassment tactic that geeks could take would be to write them, saying “I came to your site completely by accident, and I do not agree to your terms of service. Please make it so that I can no longer accidentally violate your TOS.”

In fact, now that I think about it, I wonder if we can write up a sort of “reverse-TOS”–that is, we could file a TOS (hidden in a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard) reading something like “responding to any HTTP GET or POST requests originating from my computer constitutes acceptance of these terms of service,” which might include terms like free ice cream delivered daily for the next year.

I haven’t been monitoring the amount of spam that gets nailed by spamassassin (it’s a lot), but in the past two weeks, 114 pieces of spam have slipped past it. Of those, I find it amusing that 10 are offering anti-spam software.

Friendsurfer. How many of these things are there–excluding the numerous parody sites?

This one caught my eye because it shows a fire-twirler in its banner graphic. Friendster has been notably popular among my fire-freak friends–I wonder if there’s any connection.

Paul Graham suggests that when your spam filter identifies a message as probable spam that it automatically ping any URLs mentioned in the message–perhaps repeatedly–to drive up the spammer’s web-hosting bandwidth costs. If lots of people do it, spam suddenly gets much more expensive to send. I like this–it fights fire with fire.

I posted a lazyweb request concerning the creation of foaf files a couple days ago. One of the guys who appears to be the prime movers in the world of foaf, Jim Ley, whipped together a little converter that takes tabbed data and spits out the “knows” portion of a foaf file. You’ll probably want to use the foafamatic to create a shell foaf file with your own data and maybe one friend , then export your contact data from whatever dark cave you store it in into tabular form and run it through Jim’s widget, and finally merge the two. A little clunky, yes, but a big improvement over what we had before.

Once your done, check out your handiwork in the foaf explorer.

Making good FOAF files is a pain. There’s the foaf-a-matic web page, that lets you type stuff in and formats it for you, but who wants to re-type all that data? There’s a Java-based successor, but that’s overkill, and still doesn’t have any way to import data, as far as I can tell.

Thanks to Address Book Exporter, it’s easy for me to extract data from my address book in a tabular form. I suspect that most people interested in using FOAF probably already have their data typed in somewhere, and would be able to extract it in this form if needed. From there, it would be pretty easy to use GREP to mark up the file into a usable FOAF file, except for the sha1 e-mail address encoding (which is not required, but is the responsible thing to do). And not everyone would be comfortable writing a GREP pattern, for that matter.

What we need is a little web utility that ingests tab-delimited text files and spits out FOAF files. I know it can be done–it’s just out of my reach.

I recently discovered that some spam was being sent with my address as the return address–the bounces were coming to me.

Other than pissing me off, I wasn’t sure what those smegma-sucking spamming scumbags hoped to accomplish by doing this. Now I have an idea: it may be to undermine challenge-response spam-blocking systems.

These challenge-response systems are a klunky way of dealing with spam: if Alice sends Bob an e-mail, and she’s not on Bob’s whitelist, the system sends Alice an automated response asking her to visit a web page and prove that she’s a real human being worthy of Bob’s valuable attention. This usually involves looking at a graphic showing distorted text, and typing the text into a box.

Even if this all works according to plan (and there are plenty of reasons why it might not), it’s very annoying. But as soon as spammers start sending out e-mail purporting to come from real people, it really goes to hell:

• If I am already whitelisted with a C/R service, the spam gets a free pass.
• If I am not already whitelisted with a C/R service, the challenge comes to me. Maybe I’ll respond correctly, in which case the spam gets a free pass
• Or maybe I won’t respond, or (acting mischievously or perversely) respond incorrectly, in which case the spam is blocked, but so is any e-mail I might want to send to any person using that system in the future.