Baxil [bakh-HEEL'], n.
Below are the 3 most recent journal entries recorded in the "Baxil" journal:
06:06 pm
WARNING: Google has broken Javascript spam munging

Cruising through my mailbox just now, I happened to glance at a piece of spam before deleting it, and did a double-take:
![[Headers for spam to the address kawaii@tomorrowlands.org]](http://www.tomorrowlands.org/images/kawaii_spam.png)
The reason I was startled is that the kawaii address (for feedback from my "Chibi Jesus" page) is one that I exempted from spam filtering about a year back. I chose an unused address at my domain, did not use it for any purpose or attach it to any outbound mail, and published it nowhere except for a single web page, where it was protected from spam filtering by the Javascript munging recommended by Project Honey Pot.
Here, as of a month ago when it wasn't being spammed, was the only reference (WARNING: HIDEOUS MIDI MUSIC) to that address on the Web:
```html
<SCRIPT LANGUAGE="JavaScript">
// thx to http://www.blazonry.com/javascript/js_hiding.php
// The address is never present as one string in the page source;
// it is only assembled when the script runs.
var rhs = "tomorrowlands";
var tld = "org";
var lhs = "kawaii";
function print_mail_to_link() {
  document.write("<a href=\"mailto");
  document.write(":" + lhs + "@" + rhs + "." + tld + "\">");
  document.write(lhs + "@" + rhs + "." + tld + "<\/a>");
}
</SCRIPT>
<b><script language="JavaScript" type="text/javascript">print_mail_to_link()</script></b>
<noscript> <i>(An e-mail link here has been hidden in Javascript. If you have Javascript turned off, please use the contact form linked at the bottom of the page.)</i> </noscript>
```
Should be pretty freakin' bulletproof, right? After all, as Project Honey Pot noted with no apparent sense of irony, "It should be noted that both of these techniques are likely to remain sound for some time to come. Harvesters that interpret the Javascript on every page they encounter would face a substantial risk of getting stuck in infinite loops or crashing due to malformed Javascript. ... This is likely beyond the current computing power of a legitimate company like Google."
The problem is that, if a legitimate company like Google does apply the computing power to it, the spammers don't have to expend the effort: they merely have to crawl the Google results.
And, alarmingly, this seems to be what has started to happen.
At first I thought that the address had been either guessed or else reposted somewhere, and I ran a Google search for kawaii@tomorrowlands.org in order to explore this. The only result to pop up was my own page, and the text summary of the page read:

The source code of the Google results page shows the address bare: "<em>kawaii@tomorrowlands.org</em>"
The source code of the Google-cached page is identical to mine (i.e. no raw address; the Javascript is preserved); the cache was taken May 12, 2009. It appears that the caching itself doesn't break the munging. There must be something about the excerpting process that does the trick.
At first I couldn't believe my eyes. Was this coincidence? I went through my recently deleted e-mail and rechecked all of the spam headers.
I have a similar whitelisted-and-munged address I use only for WikkaWiki announcements, that has only been posted on my own wiki, protected similarly. It has also started receiving spam, and investigation turned up the same results. At this point the evidence is pretty damning.
The first spam I still have for kawaii was on June 8; it's likely that Google's behavior change dates from before then, and the spammers are only now beginning to take advantage of this new potential. The spam started slowly and is now up to several messages per day -- word is probably spreading amongst the bad guys.
So.
Webmasters: Time to re-spamproof your site. A damn useful tool has just dropped out of the toolbox.
PLEASE NOTE: I have disabled the e-mail address referred to by this post. To contact me regarding this post, please write to [the first three letters of this journal name] [the dash symbol, '-'] [mail] [at-sign] tomorrowlands [dot.] org, or leave a comment below.
UPDATE: Two pieces of additional information I'd like to pull out from comments:
1. Even though the sample search I provided was for the compromised e-mail address, the spammer does NOT need to previously know your e-mail address in order to Google it. They just have to search for things shaped like e-mail addresses and skim the cream of the results. [*]
2. There is anecdotal evidence that pages which pull their decode function from a separate .js file have not been broken. (Yet.)
UPDATE 2: Welcome to /. readers! More discussion in the Slashdot thread.
Current Location: ~spiral
Current Music: Jim's Big Ego, "WTFMFWTFAYT?"
Tags: geekery, my brain now hurts, privacy, technology

10:18 am

The death of privacy

As a follow-up to my post on the death of personal privacy earlier this year ... I finally found it again. The link I mentioned in a footnote. The really brilliant essay that summed it all up.
Quoting myself from three years ago, when I had the foresight to link it, albeit from a friends-locked post:
Danny O'Brien wrote a brilliant blog entry about this effect, which I stumbled across [in June 2004]. In brief, he points out that we have three different "registers" (types) of conversation: public, private, and secret, and we communicate in different ways in all of them. In particular, we guard ourselves strongly when "on the record" (in public) in ways that we don't when we're addressing friends or associates. "Private" conversation is not intended to be hidden, but we assume a context that random listeners might not have, and it's aimed only at the audience being specifically addressed.
"Ah," you might say, "so the private register is like an LJ friends list." But the insidious thing is you would be wrong. A friends-list post is secret. It is restricted to only the desired audience, as opposed to "private" conversation, which is at worst hidden by obscurity. The public register is a loudspeaker and a soapbox; secret is a closed-door meeting; private is dinner chat at a restaurant. The loss of privacy doesn't mean the loss of the secret register (though that register is certainly shrinking, and that's frustrating too). The loss of privacy means the loss of the private register. The notion of being consistently either on the record or totally hidden.
Before the age of the Internet, the vast majority of our lives was on the private register. This is still the case to a large extent. As technology continues to improve, it won't be.
Humanity can live without a private register, but I (still) think our lives will be the poorer for it.
The piece's author, by the way, replied to my e-mail last night*; he says "If you liked it, I did a more wandering talk about the same topic you can download here."
(I also mentioned to him that, given four years of hindsight, I'm really not convinced that the shine has worn off of distant mockery for the masses. "No, me neither," he responded. "And my day job [at the EFF] continues to teach me that the interactions between privacy and free speech aren't done with yet." True dat.)
-- * Given that the entire purpose of this post is to lament the ever-widening reach of the public sphere, I really had to think about whether to post excerpts from a (secret-register) e-mail conversation. Yes, massive irony. But on balance I believe no harm is being done here; there's nothing actually secret in the two lines I quoted. The link can be found via a Google search already and Danny's bio is listed on the EFF staff page.
Current Location: ~/brainstorm
Current Music: Hazel Blue, "Bottle In Hand"
Tags: privacy, technology

06:26 pm

meanwhile

One of the most observant things I ever said was something I first pointed out four years ago: "There is no international crisis so major that it can't be interrupted by a small, stupid crisis close to home."
I wouldn't be surprised if a decent chunk of my friends list is devoting mindspace to Strikethrough 2007 right now (short summary: yes, LJ is actually deleting accounts based solely on their user interests; but before panicking, please click through the link and get all the facts).
Dealing with that is not a bad thing. It does hit close to home. It's something worth taking action on. I spent an hour or two reading up on it, and have taken a few protest actions myself.
But don't forget what's going on in the rest of the world.
And please take a moment of silence with me to mourn the age of personal privacy. It was a good age. We'll miss it.
This development by itself -- Google is apparently driving vans down the street, running cameras and getting still photos of individual buildings for Google Maps -- isn't going to singlehandedly destroy anything. But it is another line being crossed, another step down the slippery slope.
By itself it might mean little. But we're also in an age of YouTube'd cameraphone videos, overnight internet celebrities, personal blogs with global reach, archive.org, dirt-digging via search engine, ubiquitous surveillance, and terrorist watch lists.
I don't know who, for example, this guy is. But his face is already being passed around the internet (as for why, see the background of the photo. Worksafe but suggestive). Someone probably will ID him. And when he does, the odds are good that there will be bad consequences.
What stops that from happening to the rest of us? As of now, only sheer weight of humanity's numbers. There is nothing stopping random and equally embarrassing photos of me, or you, from being spread around the planet at the speed of light; all we can rely on is the fact that with so many targets out there, the odds of instant notoriety are about the same as that of winning the lottery.
Numbers will be a good defense for a while, but as the sheer amount of data and the computing power available to sift through it increases (never mind the development of increasingly sophisticated AI), even that cover will get stripped back. Fifteen to twenty years from now (assuming of course no energy crash, world war, imperial collapse, complete financial meltdown or technological singularity), I suspect we'll be at the point where basically everything we ever say, except in the most secret and encrypted spaces, will be available for endless scrutiny.*
-- * As opposed to now, where we can choose to put the things we say on the public record (such as here, in a public blog), but that's not the default choice for all of our communication. I read a great essay some years back -- and my google-fu is failing me at the moment -- about how the Internet was drawing a bright dividing line between hidden communication and exposed communication. It argued we're losing the ability to speak in "semi-public" space -- where we can speak up to those who want to hear without the rest of the world beating down the door to listen in. I need to find that essay again.
Current Location: ~calorg
Current Mood: somber
Current Music: "Itsoweezee (Radiohead 'I Will' Remix)," DJ Panzah Zandahz
Tags: privacy, technology