# slef-reflections on Bad Technology
* Bad Solutions
* Billing
* Crackers
* [Plumbing](environment#plumbing) moved to environment page
* Scammers
* [Spam](spam) moved to its own page
* Spam Bloggers (Sploggers)
* Stupidity
* [Google](../2006/google)
* Links
* * *
## Stupidity
This is a section for all the 'surely no-one ever thought it was a feature'
pieces of bad technology.
### MSN Santa Sex Scandal
##### Posted by mjr 2008-01-03 (permalink)
I missed this one when it happened earlier last month, but I'm still putting
it on my 2007 page of Bad Technology. Thanks to a colleague for pointing it
out.
Apparently MSN's Santa-bot made inappropriate comments to children and was
exposed in [Microsoft's sex-obsessed RoboSanta spouts filth at children | The
Register](http://www.theregister.co.uk/2007/12/03/santa_filth_outrage/)
After that, it was almost inevitable that it would be taken off-line, even if
just for a short while, so I think the next headline could have been
predicted:- [Microsoft kills Santa Claus | The
Register](http://www.theregister.co.uk/2007/12/04/microsoft_kills_santa/)
What surprised me was the ham-fisted PR attempt described in [Microsoft
accuses kids of bullying Santa into sex chat | The
Register](http://www.theregister.co.uk/2007/12/06/microsoft_santa_lies/)
If it was a mistake, then admit it. How did it happen? Unruly programmers
wanting [easter eggs](http://foldoc.org/?easter+eggs) at Christmas, or did
someone make the Santa-bot by modifying a porno-bot, or was it a learning bot
finally corrupted by all the abuse it was sent - like Arnold on UEA/tsw's
#pubfood IRC?? Truly bizarre.
### PHP's Standard Sub-standard Approach to SQL
##### Posted by mjr 2007-11-30 (permalink)
I'm just fixing another customer web site where the reported bug was something
like
> "when I put a customer password that includes an apostrophe into the web
form, the site returns an error message"
and in the PHP source code I found something roughly similar to
> "insert into customers values ($id,'$username','$password')"
(no, I didn't write the site - I'm doing ad-hoc support on it).
Now, I realise that there are times when you want to send particular SQL
instructions to the database and I know there are 1001 modules for tying
databases to variables, but it is still a problem that PHP's basic standard
approach to SQL is to shove strings around and even today, with the dangers
well-known, many PHP coders will interpolate unsafe user-submitted variables
into them. It's enough to make a [meltdown
imminent.](http://blogs.awesomeplay.com/elanthis/index.php/archives/2007/11/29/432/)
Surely no-one ever thought it was a feature?
[Pierre](http://blog.thepimp.net) wrote:
> "Every language did it like that and many still do. However, if you use
pgsql (or some other), you can take a look at the prepare methods. Or if you
use php5, pdo supports prepared statement or the notions of query arguments.
>
> The short version is, that's not really a PHP way of doing things. Every
language in the world has a way to pass raw queries to DB layer (raw queries
== string) and we can't fix brains =)"
So why does it happen so often in PHP? Partly because PHP doesn't have easy
mysql prepare()s before version 5, MySQL is most PHPers' first database and
when they change database, they take their old bad habits with them.
Yes, it's ultimately a programmer brain problem, but it's a problem that PHP
helped to encourage.
By the way, the original developer was given access again and tried to fix it
by liberal sprinkling of addslashes() without telling anyone, which would have
caused double-escaping of some characters if we hadn't spotted it when merging
his change. Thank $DEITY for revision control.
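As an added example (not code from the post or from the customer's site), here is the interpolated query the post describes beside the PDO prepared statement that Pierre's comment points at. It assumes the pdo_sqlite extension and a `customers` table with the three columns implied by the quoted line; the database is an in-memory SQLite one so the script runs stand-alone.

```php
<?php
// Added example, not code from the original post or the customer's site.
// Puts the interpolated query the post found beside a PDO prepared statement.
// Assumes pdo_sqlite; the "customers" table and its three columns are taken
// from the post's one-line quote.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');

// The pattern found in the site: user-submitted values shoved into the SQL text.
// Returns the database error message (what the customer saw) or null on success.
function insertInterpolated(PDO $db, int $id, string $username, string $password): ?string
{
    $sql = "insert into customers values ($id,'$username','$password')";
    try {
        $db->exec($sql);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// The fix: a prepared statement. The SQL text goes to the database with
// placeholders and the values travel separately, so they are never parsed as
// SQL and an apostrophe is just data. No addslashes(), so no double-escaping.
function insertPrepared(PDO $db, int $id, string $username, string $password): void
{
    $stmt = $db->prepare('insert into customers (id, username, password) values (?, ?, ?)');
    $stmt->execute([$id, $username, $password]);
}

// Read back what was stored, also via a prepared statement.
function storedPassword(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('select password from customers where id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['password'];
}

// Constructed input: the exact case in the bug report, a password with an apostrophe.
$password = "it's-a-secret";

$error = insertInterpolated($db, 1, 'alice', $password);
echo 'interpolated: ', $error ?? 'inserted', PHP_EOL;

insertPrepared($db, 2, 'alice', $password);
echo 'prepared:     stored ', var_export(storedPassword($db, 2), true), PHP_EOL;
```

Run with `php`, the interpolated insert fails on the apostrophe (the error the customer reported) while the prepared one stores the value intact. Because the values never become part of the SQL text, there is nothing for addslashes() to do and no way for the double-escaping mentioned above to creep in.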
### Email Newsletter Links
2007-08-09 (Permalink): Automatically-generated links in email newsletters are
usually ugly because they contain tracking data, to measure response to each
individual copy of the newsletter.
If your links are ugly, I think it is stupid not to override them when you
launch a link-shortening service.
The FON MOVIMIENTO Newsletter: August 2007 contained:
> "With FON GET SIMPLE you can convert all of those long, impossible-to-remember URLs into short, easy-to-remember URLs that make your Internet travels simple. https://fon-en.custhelp.com/rd?1=AvcE~wolDv8SWivzGhIe~yL~Jvkq~_3~&2=118 "
Oops.
### Online Banking Authentication
I'm registered with three online banking systems. (Actually, I'm probably on
more, but I only use three.) Two of them use similar authentication systems.
The third one uses some similar details but adds a random alphanumeric user ID
and a load of restrictions on passwords **and so, I just locked myself out
again** which has annoyed me somewhat, as well as blocking my access to some
of my money.
First of all, adding restrictions to passwords is stupid. It makes them easier
to guess by eliminating whole regions of the solution space. If I can send the
damn thing to the webserver, that should be all that matters. It also makes me
more likely to either store the crippled password or details of the crippling
somewhere. And it makes me more likely to lose access, like I just did yet
again.
How many more of the [Security Myths and
Passwords](http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/) do they
need to follow? Just put the login in a GUI transmitted unencrypted and they'd
have a full house, I think.
Secondly, why the devil aren't our banks using things like certificates or
multi-site identity services yet? Our national government moves with the
efficiency of treacle in snow when it comes to web services, yet it has been
using both in [its government gateway](http://www.gateway.gov.uk/) for years.
It's not perfect, but they're working. Meanwhile, we're still waiting for
everyone to get on [the list of banks that work with
GNU/Linux](http://mjr.towers.org.uk/blog/2007/banking) and I've yet to find a
PGP- or S/MIME-ready bank. (Update 2007-09-27: [I had a PGP-signed email from
Nationwide](http://mjr.towers.org.uk/blog/2007/business#bankgpggood) )
Online banking authentication - stupid bad technology.
[Stephen Touset](http://devel.touset.org/blog/) commented:
> "The worst offender in my experience is the "Verified by VISA" program.
>
> They restrict you to a subset of characters (alphanumeric, if I recall
correctly) and even restrict the _maximum_ length!
>
> You know what the worst part of it is, though? If they were using a widely-
published, widely-analyzed, and widely-reviewed secure hash standard like
SHA-1, Whirlpool, or any number of alternatives, these restrictions wouldn't
be in place.
>
> This tells me that they're likely _not_ using a well-reviewed standard, and
instead have probably come up with their own bastardized password
"encryption"."
I'm a bit worried by this, but I'm moving my customers to Verified by VISA and
Mastercard 3DSecure because of the carrot-and-stick used by the payment
gateways. Am I sleepwalking off the cliff here?
[Wouter's Eclectic Blog writes "My bank [Fortis] actually thought about this
stuff before implementing it."](http://www.grep.be/blog/2007/06/15/)
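As an added illustration of Stephen's point (not code from the post or from any bank), here is a hash-based password store in PHP: nothing about the input is filtered, so there is no reason for character-set rules. It assumes PHP 5.5 or later for password_hash() and password_verify(), which are used instead of the bare SHA-1 the comment mentions because they add a per-password salt and a slow work factor.

```php
<?php
// Added example, not from the original post or any bank's code. Shows that a
// hash-based store gives no reason for character-set rules: whatever the
// input, the stored value is a fixed-format hash.
// Caveat: PASSWORD_DEFAULT is bcrypt, which uses only the first 72 bytes of
// the input, so this store refuses longer passwords explicitly instead of
// silently truncating them (argon2, where compiled in, has no such limit).

const BCRYPT_MAX_BYTES = 72;

// Create the stored form of a password. Nothing is filtered or rewritten.
function storePassword(string $password): string
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException('password longer than bcrypt can hash');
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Check a login attempt against the stored hash.
function checkPassword(string $attempt, string $storedHash): bool
{
    return password_verify($attempt, $storedHash);
}

// Constructed sample passwords: spaces, punctuation, an apostrophe, non-ASCII.
$samples = [
    'correct horse battery staple',
    "it's got an apostrophe, <angle brackets> & an ampersand",
    'пароль with non-ASCII characters ✓',
];

foreach ($samples as $password) {
    $hash = storePassword($password);
    printf("%d-byte input -> %d-byte hash; correct: %s; altered: %s\n",
        strlen($password), strlen($hash),
        checkPassword($password, $hash) ? 'accepted' : 'REJECTED',
        checkPassword($password . '!', $hash) ? 'ACCEPTED' : 'rejected');
}
```

The one limit left is the hash algorithm's own 72-byte input, which is a property of bcrypt rather than a policy choice, and it is an upper bound on bytes, not a rule about which characters are allowed.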
### CGI Scripts and Line Endings
Bad Tech: DOS using different line end character sequences.
Problem: CGI scripts uploaded with the MS Windows version of
[FileZilla](http://filezilla.sf.net/) over SFTP don't work until converted.
Either there's some FileZilla settings wrong by default, or it just doesn't
work.
Solution: Evilly, I made a perl^M symlink to stop having to convert users'
files. Surely there's a better way I'm not seeing?
Brett Parker suggested [educating all users about line-endings](http://www.sommitrealweird.co.uk/blog/2007/03/03#200703030952-cgiscriptsbadlineendings) - sadly, I think there are more users than I have time to educate (even with a web page that makes the basic point, I think there will still be lots of questions) and also, I think stuff on the Windows side should handle their bad decision - they came along last, didn't they?
[Jon Atkinson](http://jonatkinson.co.uk/) commented:
> "WinSCP deals with line endings properly, and is free software. It also has
a NC-style interface, which I prefer to the Filezilla interface.
[http://www.winscp.net/"](http://www.winscp.net/)
Thanks. I'll suggest that some users try WinSCP instead of Filezilla.
Ben Hutchings commented:
> "Version 4 of SFTP introduced the SSH_FXF_TEXT open flag, but OpenSSH is
still stuck at version 3."
Why no version 4 in OpenSSH yet, then?
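An added example, not from the post or from FileZilla or OpenSSH: a PHP check a server admin could run over uploaded CGI scripts to spot a CR-terminated `#!` line and strip the CRs, instead of the perl^M symlink. It assumes the scripts are named `*.cgi` and writable by whoever runs it; the demonstration directory and file are constructed inline.

```php
<?php
// Added example, not from the original post. With "#!/usr/bin/perl\r\n" the
// kernel takes "/usr/bin/perl\r" as the interpreter path, finds no such file,
// and the script never runs; that is why a perl^M symlink papers over it.

// True when the file starts with a "#!" line that is terminated by CR LF.
function hasCrlfShebang(string $contents): bool
{
    $lineEnd = strpos($contents, "\n");
    $firstLine = $lineEnd === false ? $contents : substr($contents, 0, $lineEnd);
    return substr($firstLine, 0, 2) === '#!' && substr($firstLine, -1) === "\r";
}

// Convert CR LF to LF throughout; a lone CR not followed by LF is left alone.
function toUnixLineEndings(string $contents): string
{
    return str_replace("\r\n", "\n", $contents);
}

// Walk a directory of *.cgi scripts (assumed naming) and report each one with a
// DOS-ended shebang; with $write = true, rewrite it in place as well.
function fixCgiDirectory(string $dir, bool $write = false): array
{
    $affected = [];
    foreach (glob(rtrim($dir, '/') . '/*.cgi') as $path) {
        $contents = file_get_contents($path);
        if (!hasCrlfShebang($contents)) {
            continue;
        }
        if ($write) {
            file_put_contents($path, toUnixLineEndings($contents));
        }
        $affected[] = $path;
    }
    return $affected;
}

// Constructed demonstration: a temporary directory holding one DOS-ended script.
$dir = sys_get_temp_dir() . '/cgi-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/hello.cgi", "#!/usr/bin/perl\r\nprint \"hi\";\r\n");

echo 'needs fixing: ', implode(', ', fixCgiDirectory($dir)), PHP_EOL;
fixCgiDirectory($dir, true);
echo 'still CRLF after fix: ', var_export(hasCrlfShebang(file_get_contents("$dir/hello.cgi")), true), PHP_EOL;

unlink("$dir/hello.cgi");
rmdir($dir);
```

Running it without `$write` first gives a dry-run list, which is the sensible default on a shared host where the files belong to other users.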
### HD-DVD
David Berry wrote:
> "Spread this number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. [...]
>
> It's the HD-DVD Processing Key for most movies released so far. I was not
aware that a string of numbers and letters was copyrightable."
[Source post,](http://lists.okfn.org/mailman/listinfo/fc-uk-discuss) [more
explanation [etbe]](http://etbe.coker.com.au/2007/05/04/dmca-etc/) and
[Original](http://rudd-o.com/archives/2007/04/30/spread-this-number/).
### Government and Free Software
Apparently, yet another NHS IT project has tanked. Steve Purkiss wrote in:
> "I've just written an article on the latest debacle in our Government's long
line of software failures, and how a switch to Open Source would provide a far
better solution all round.
>
> I would be extremely grateful if you could help by digging it:
>
> Thanks!"
* * *
## Spam Bloggers (Sploggers)
### What are you doing with pingback splogs?
##### Posted by mjr 2007-11-15
Is anyone else getting pingbacks from sites consisting entirely of formulaic
posts like
> "/foo/ /posted-phrase/ today on /title/ - here's a /summary-phrase/ :
/quote/"
? I've been rejecting that style of comments because I think sooner or later
those sites will be identified as sploggers (spam bloggers) and get penalised
in site ranking systems. Another alternative is that once they build enough
links, they'll start linking to their paymasters or replace the site with less
mundane content.
It's a tough call - I've only been seeing such sites for about a month and I
usually like the idea of turning spammers to our own ends and these do
increase a site's comment count and relevant link network - but I'm a bit
worried how these will turn out.
Have you seen this style of comments? What are you doing with them?
[Josef Assad](http://www.DonAssad.com) commented:
> "When I had trackbacks, I was moderating them. For comments, a simple math
captcha is doing the trick.
>
> This is drupal."
Yeah, but what trick is it doing? I just tried leaving a comment on [the qmail
PD story:](http://sancairodicopenhagen.com/joe/qmail_public_domain)
> "The original thread is on the web with replies at
>
> Maybe the much-satirised default error/warning replies will get replaced at
last!"
but it replied
> "* Invalid CAPTCHA token. * The answer you entered for the CAPTCHA was not
correct."
I have a degree in maths. I'm pretty sure I added 4+1 correctly.
Maybe that CAPTCHA is testing **something** but it's sure as hell not testing
for spammers. See my previous message on this topic:
[Russell Coker](http://etbe.coker.com.au/) commented:
> "Most of those summary splogs don't correctly attribute the author. When
they mis-attribute my work to someone else I file a DMCA take-down request
with their ISP."
[Shane](http://www.hackosis.com) commented:
> "I have been getting track backs from one particular site.
>
> I was accepting them at first, but then after concluding that the site was
automating the content, now I am just deleting them. Although it is kind of
strange..."
[Vid](http://www.svaksha.com) asks:
> "What do you do with Incoming links like these:- loanbankcredit.org/category
/credit-card-application/167/credit-card-fraud-in-the-making/ and
>
> I moderate the comments, but incoming links ...??!"
I think there's not much you can do about toxic links, other than refuse to
reciprocate and hope that search engines and social bookmark sites will get
clue about them.
* See Also: [spam: nixforce.com](spam#sploggers)
* * *
## Bad Solutions
### Get Safe Online and security through obscurity
##### Posted by mjr 2007-11-12
This is mainly a comment on [the BBC report of the Get Safe Online
campaign](http://news.bbc.co.uk/1/hi/technology/7090096.stm) - the campaign
seems to have some good advice, such as securing wireless networks (WPA at
least now!), and their website is more useful than other gov.uk ones I've
seen, but some comments in the report just seem strange, like "a date of birth
and address details were enough for someone to set up a credit card in another
name" - if that false credit card would affect us, then we need to fix the
credit card issuers, not stop posting details online!
Trying to hide details is well-known as security by obscurity and it's not
much security at all. I'm disappointed if that's a major focus of Get Safe
Online's message. What about trust and encryption advice?
Also, many people don't have a choice whether our details are posted online.
They are already posted by government agencies like [Companies
House](http://www.companies-house.gov.uk/) and then that information is bought
and republished by private companies. So, we're not adding much to the risk by
using social networking.
Finally, it's rather amazing that some Secured Web Browsers can't access much
of the content on www.getsafeonline.org because of their careless use of Flash
and client-side scripting on their site. Are they safe themselves?
Get Safe Online will be travelling around the country offering advice on how
to stay safe and secure when using the internet. [They're in Bristol
tomorrow](http://www.getsafeonline.org/nqcontent.cfm?a_id=1463) - if I don't
feel [nearly as bad as this](http://kernelslacker.livejournal.com/97543.html)
any more, maybe I'll go visit them and see if the reports are accurate.
### BBC iPlayer - thanks to the unique way it's funded, by selling landmark buildings
##### Posted by mjr 2007-10-24
I read [Interview with Mark Taylor, Pres. of UK Open Source Consortium, by
Sean Daly on
Groklaw](http://www.groklaw.net/article.php?story=20071021231933899) and
lurking near the end are these points:-
> "[The Times] said that there were £130 million pounds spent to develop the
Windows-only iPlayer over the past four years.
>
> [...] I was reading in the Financial Times a couple of days ago that they're
selling one of their prime locations in central London, one of the sort of
landmark BBC sites, and the estimation of its value is between £100 and £200
million. Now, the iPlayer has cost them one of their landmark head offices."
This sort of linking equivalent values puts the extortionate costs of
[DRM/TPM](http://drm.info/) and hidden taxpayer-funding like the BBC, or [our
Police being used as Big Music's private
army](http://news.bbc.co.uk/1/hi/england/tees/7057812.stm) into stark context.
The BBC's use of DRM/TPM has [cost the nation one of our national heritage
buildings.](http://news.bbc.co.uk/1/hi/entertainment/7050440.stm) What will
DRM/TPM cost your country before you act against it?
### Stuffing Standards Bodies and Network-unlocking iPhones
2007-09-04 (Permalink): Here are link-summaries of two interesting topics
which have developed while I was away: the OOXML vote-buying scandal and the
iPhone unlocking:-
[Microsoft accused of rigging OOXML votes - ZDNet
UK](http://news.zdnet.co.uk/software/0,1000000121,39288959,00.htm)
A good summary of the start of this problem, in a complaint from FSFE. Fairly full description of the Swedish incident and suggestion that it's happening elsewhere. One Paid Partnership Programme One Vote, anyone?
[SIS declared its own vote
invalid](http://www.groklaw.net/article.php?story=20070830155109351)
The Swedish standards body will not vote, due to a technical failure in the Microsoft-stuffed ballot.
[New Zealand OOXML rejection 'not final' - ZDNet
UK](http://news.zdnet.co.uk/software/0,1000000121,39289033,00.htm)
It looks like opponents of OOXML are negotiating surrender. Worrying.
[ NJ 17 year old Kid creates hack for the Apple iphone opens carrier network
access beyond AT&T | open4.org - create. share.
earn.](http://www.open4.org/blog/wisdomviewstrategies/nj-17-year-old-kid-
creates-hack-apple-iphone-opens-carrier-network-access-)
It cracks me up that the iPhone was cracked, even if it did take him over 500 hours. I read it first on open4, which does the right thing and links both of George Hotz's sites.
[BBC NEWS | Technology | Teenage hacker unlocks the
iPhone](http://news.bbc.co.uk/1/hi/technology/6963696.stm)
Slightly more information, but fewer links, from the BBC. They don't even seem to link the blog which is cited as a source. Very strange approach to the web from the BBC.
[ VOIP IP Telephony: iPhone hacker saga continues! Hotz gets $30000 for the
phone](http://snapvoip.blogspot.com/2007/08/iphone-hacker-saga-continues-hotz-
gets.html)
Then the iPhone was traded for a car...
[Code to unlock iPhone
cracked](http://www.cnn.com/2007/TECH/09/01/apple.iphone/index.html)
Finally, this morning, I saw CNN report that a software-only crack is available. Network-locked phones are so 1990s anyway.
### One-eyed iPlayer
2007-07-06: So iPlayer, the BBC's on-demand 7-days TV download service,
launched as Microsoft-only, despite the feedback to the trial service. They
come along to events like
[hackday](http://backstage.bbc.co.uk/news/archives/2007/06/hackday_london.html)
pretending to be our friends, but they're really not. It's more BBC Backdoor
than BBC Backstage.
My [IMDB-listed](http://www.imdb.com/name/nm1279160/) friend Martyn Drake
[estimates the cost of using iPlayer](http://www.drake.org.uk/2007/06/the-
cost-of-usi.html) as at least £215 for GNU/Linux users and you can't do it
with free software. It seems to be even more expensive for a Mac.
> "The BBC should remain impartial, but they're currently having hot patootie
with Bill Gate and his chums in Redmond. They continue to use OUR license fee
regardless of our objections to their dimwitted decision to use DRM, and now
say they'll review the situation in six months.
>
> Thanks, BBC. Thanks a lot. Can I get some of my license fee back to afford
these additional costs, please?"
No wonder [the Open Source Consortium says they'll complain to the European
Commission](http://news.bbc.co.uk/1/hi/technology/6236612.stm) - it's blatant
bundled sales. TV has got away with worse in the past (for example,
Channel4-satellite requires you to buy Sky), but the BBC's TV-tax-funded
services had been getting progressively freer. This latest reversal of that
makes me wonder whether Freesat will be fully-viewable with free software.
Also, they're up against another big problem: given a choice between the
expensive and inconvenient legal iPlayer and the free and easy illegal
torrents (which I'm told have US imported shows earlier), which will users
choose? Surely not even the BBC's advertising power will overcome iPlayer's
200 quid bundled sale and auto-delete?
Let them know it won't: [petition the Prime Minister to open
iPlayer.](http://petitions.pm.gov.uk/iplayer/) The BBC is a Royal Charter
Corporation and should act in the public interest.
### Ban the Net
It's the [Fourth Safer Internet
Day](http://europa.eu.int/information_society/activities/sip/news_events/events/si_day/index_en.htm)
which is fine in itself, but it also seems to be an excuse for politicians and
journalists to say stupid things about the internet.
Example 1: [Interior Minister John Reid suggests making sex offenders register
all email addresses and internet
nicknames](http://www.24dash.com/news/57/16142/index.htm) - seems fine at
first reading, but then you realise that anyone can have an infinite number of
email addresses and nicknames and wonder how the hell the police will cope
with a denial-of-service attack that enumerates each address and nickname in
turn. a@mydomain, b@mydomain, ... z@mydomain, aa@mydomain, ab@... you get the
idea?
Example 2: [BBC Five Live asks 'Should websites that promote anorexia be shut
down?'](http://www.bbc.co.uk/dna/mbfivelive/F2148564?thread=3863692) which was
also subject of [an ITV news programme called 'thinternet' yesterday
evening](http://www.itv.com/news/tonight_b3fe3bfd5c07d0b6a2b7da3a376c7578.html)
- There are practical problems shutting down any web site (the internet views
censorship as damage and routes around it) and if it's not on the web, it will
be passed from person to person. It's shameful that [Eating Disorders
Awareness
Week](http://www.b-eat.co.uk/NewsEventsPressMedia/EatingDisordersAwarenessWeek)
is getting hijacked by this futility.
Can someone get these people to realise that banning and controlling things on
the internet is about as easy as controlling radio waves? The radio laws are
mostly unenforced against small offenders because they are mostly
unenforceable without a huge police force. The solutions will come from
addressing the problems (sex offences, eating disorders) not the symptoms
(email addresses, web sites).
* * *
## Scammers
### Data Protection Racketeers Jailed
[PDF press
release](http://www.ico.gov.uk/upload/documents/pressreleases/2007/yorkshire_bogus_agencies_june_07.pdf)
saying
> "The Information Commissioner's Office is again reminding businesses across
the UK not to be misled by bogus agencies that send notices demanding money to
register under the Data Protection Act 1998 (DPA). The warning comes after
Leeds Crown Court sentenced three men to prison on Friday 8 June for their
involvement in fake data protection agencies."
They earned £62,575 before they were closed (that's a lot of £135-a-time
victims) and got up to two and a half years in jail (tip to
[PL&B](http://www.privacylaws.com/) for emailing me).
I feel this type of scam only works so well because most of the official
advice is vague and unhelpful, while [the most useful notification
page](http://www.ico.gov.uk/what_we_cover/data_protection/notification/do_i_need_to_notify.aspx)
is three-clicks deep in a section that few businessmen would choose unless
they already knew about it.
* * *
## Billing
### edf energy and npower
There's a stupid system in England for utilities billing. In theory, you have
the freedom to choose who supplies your electricity and gas. There are supply
networks, maintained here by [Wales and West
Utilities](http://www.wwutilities.co.uk/) and [Western Power
Distribution](http://www.westernpower.co.uk/default.asp?categoryID=30) which
are the same for all suppliers, but your supplier has to put the amount that
you use into their network. [More info at Energy
Watch](http://www.energywatch.org.uk/help_and_advice/index.asp)
In practice, when you move home, you have no freedom to choose. You can't even
keep your existing supplier. The supplier of the previous occupier writes to
you and tells you that you are on a "deemed contract" which is a funny sort of
contract which they reckon is valid even though you have no choice in the
matter.
Even if you tell the suppliers of your choice on the day you move (as if you
didn't have enough to do), you're screwed. There are long notice periods, even
for deemed contracts. With gas, you're doubly screwed, as they can make daily
standing charges even if you use no gas. [Nasty deemed contract supplier
npower](http://www.npower.com/) refused to negotiate and then billed for
nearly 50 quid, thanks to their standing charge.
You might avoid paying the home's previous electricity supplier by giving them
a zero reading. As long as they're not silly about it, they shouldn't send a
bill. There doesn't seem to be a daily charge for electricity.
[Silly edf energy](http://www.edfenergy.co.uk/) sent a 16p bill. 16 pence.
0.16 pounds. The printing and posting probably cost them another 16p. I paid
it at a post office counter, which I'm told pays the post office 12p. It just
cost edf about 28p to receive 16p. Why the devil didn't their billing system
write it off?
I suggest that customers of 'no-negotiation npower' or silly money-wasting edf
energy should look for a new supplier. Probably not British Gas: [Martyn
Drake](http://www.drake.org.uk/) has some British Gas horror stories, but he
recently reset his web site (google!). I'm sure another BG rant will be along
shortly, though. One of my uncles has had trouble with them too, but I don't
think he's on the web yet.
[Chris Cunningham](http://blondechris.com) commented:
> "Errr, standing charges on gas are pretty rare now. British Gas abolished
them years ago, for instance. Standing charges for electricity are generally a
good idea if you use any reasonable amount of electricity though.
>
> The single best piece of advice I can hand out for saving money on utilities
is to take meter readings every month. Not only does this make it _much_
easier to negotiate re-estimation of poorly-calculated start/end reads, it
also gives you an immediate idea of how much you're using.
>
> I'm rather surprised that you didn't take the opportunity to rail against
the evils of privatisation which led to this situation. Deregulated utilities
are a bit of a nightmare in the UK, speaking from experience working for one."
Standing charges may be pretty rare, but they are still allowed and npower put
them on so-called deemed contracts. I can see why that makes sense to a
company like npower. It seems a good way to make sure you can bill a customer
who hates you.
Reading your own meter is a good idea. Doesn't really help if you've only just
moved in, though. npower still argue that the absurdly low meter reading
they're using for your start value (which would mean a bigger bill) was the
final reading given by the previous occupier.
I can't really comment on the evils of privatisation: I never interacted with
the public utilities. Interestingly, the "deemed contract" problem seems to
come from the regulations. Gas Act 1995 Schedule 2B section 8 creates the
deemed contracts and doesn't explicitly handle the situation where someone
moving in has an existing gas contract and doesn't want the deemed contract at
all.
This seems a misregulation bug as much as a deregulation one.
* * *
### Links
* 2007-02-02:
["Guidelines for the Secure Operation of the Internet"
(RFC1281)](http://tools.ietf.org/rfc/rfc1281.txt)
Read it and weep.
[ Techblogging: DoSing
spammers](http://blog.drinsama.de/erich/en/linux/2007011401-dosing-spammers)
I've done this in the past, by having a CGI rabbit-hole in a semi-hidden link near the start of the page which just generated 1000s of invalid email addresses. For bonus points, use addresses with MX servers which will never be online again, or maybe with a MX that tarpits and rejects all mail eventually. Get enough points and the spammer will either stop scanning your site or waste a lot of time on you.
[ Google scanned by spammers
[Techblogging]](http://blog.drinsama.de/erich/en/2006121102-spammers-listen-
for-your-blog-pings)
I don't use pingomatic, but a few of my pages are ranked high enough to attract spammers every time I update them. I think blog spammers probably are using subscription tools to find the most active/most syndicated sites to spam. Can we redesign the tools to defeat them?
[BBC News | Technology | UK Edition: Ads help Google profits
triple](http://news.bbc.co.uk/go/rss/-/1/hi/business/6319031.stm)
But hey, why should Google care about spammers when their externalisation to date is making Google rich?
[ Techblogging: Web 2.0 security issues
incoming](http://blog.drinsama.de/erich/en/2007010401-web20-security-issues-
incoming)
I dislike Web 2.0 so far because it is often inaccessible - this suggests it's often insecure too.
[Software Patents Petition](http://www.davidpashley.com/blog/2007/01/03#swpat-
petition)
Need more brains... come on, sign the petition, even if it has a bit of hyperbole/invective and a typo or two. Last I heard, it's behind adopting Spandau Ballet's Gold as national anthem, for crying out loud!
[The Irascible Professor-commentary of the day 06-07-06. Calculator
dependence.](http://irascibleprofessor.com/comments-06-07-06.htm)
Parents, don't let your children grow up to be calculator junkies!
[ Zugschlusbeobachtungen: Which kind of software
suspend?](http://blog.zugschlus.de/archives/400-Which-kind-of-software-
suspend.html)
I think I heard Matthew Garrett give an interview somewhere (LUG Radio?) which summarised the suspend situation as something like "it works well except when it doesn't." My computer usually software-suspends, but sometimes it crashes and sometimes is often enough to deter me from suspending it often. I really ought to debug it, but it's not a priority yet.
[ 'Cheap and tacky' wedding email that went global - 19 Nov 2006 -
National](http://www.nzherald.co.nz/section/1/story.cfm?c_id=1&objectid=10411458)
"The marquee company's CEO, Klaus Jorgensen, said he had sacked the employee responsible - who turned out to be his wife"
[NoDaddy.Com - Exposing the Many Reasons Not to Trust GoDaddy with Your Domain
Names](http://nodaddy.com/)
"They didn't give me a chance to dispute or resolve the problem -- just a voicemail saying my domain was “scheduled for suspension”, followed up by a Domain Suspension Notice exactly 52 seconds later. Note that neither of these included a phone number for the abuse department or a reason for the shutdown."
[The 'Ow' starts now / freedom bits / greve / Fellows / The Fellowship -
Fellowship of
FSFE](http://www.fsfe.org/fellows/greve/freedom_bits/the_ow_starts_now)
FSFE's Georg Greve won't be upgrading to Vista, which I saw called "Windows Fista" on the BBC's site - disgruntled journo, over-aggressive MS PR or typo?
[ BBC NEWS | Have Your Say | Will you be getting Microsoft
Vista?](http://newsforums.bbc.co.uk/nol/thread.jspa?threadID=5388&&&&edition=1&ttl=20070130142550)
Nearly 2000 comments, most "No" AFAIS
[Microsoft files for patent on "modular operating
system"](http://arstechnica.com/news.ars/post/20070129-8728.html)
Microsoft patents Linux?
[Hacking gadflies: Marechal, "A dystopian
future"](http://www.cs.grinnell.edu/~stone/weblog/reading/00991.xhtml)
Another comment on the MS patent.
[BBC NEWS | Technology | Triple threat targets Word
users](http://news.bbc.co.uk/1/hi/technology/6196213.stm)
While I'm boggling at Microsoft, I hope all their customers saw this little Christmas present from 20 December.
[BBC News | Technology | UK Edition: Sony CD compensation
agreed](http://news.bbc.co.uk/go/rss/-/1/hi/technology/6314443.stm)
No Christmas for Sony, remember? They pay out a year or so late.
[ BBC Trust - On-demand Services'
consultation](http://www.bbc.co.uk/bbctrust/consult/open-
consultations/ondemand_services.html)
A remarkable consultation that includes a question "How important is it that the proposed seven-day catch-up service over the internet is available to consumers who are not using Microsoft software?", but the questionnaire doesn't work in all browsers. Do you think this biases the responses? Yes, yes or yes?
[ Digg - Pressure the BBC to embrace open standards, not just Microsoft
technology!](http://digg.com/tech_news/Pressure_the_BBC_to_embrace_open_standards_not_just_Microsoft_technology)
Digg is the new slashdot. Just add hot grits.
[BBC News | Technology | UK Edition: Vista has speech recognition
hole](http://news.bbc.co.uk/go/rss/-/1/hi/technology/6320865.stm)
"for the flaw to be exploited the speech recognition feature would need to be activated and configured and both microphone and speakers would have to be switched on." Well, my speakers are embedded in the screen, my microphone doesn't have an on/off switch and I leave it switched on in the mixer so that I can answer the softphone quickly... I doubt I'm the only one who doesn't switch the mic off after every use. Are Microsoft living in the real world any more?
* 2007-03-02:
[NTL blocking web
sites?](http://www.andrewsavory.com/blog/archives/001271.html)
Is ntl blocking access to thepiratebay or was ntl's Norwich cache broken? (Is this ntl Virgin Media now?)
[BBC NEWS | World | Europe | Gorbachev wades into piracy
row](http://news.bbc.co.uk/1/hi/world/europe/6332441.stm)
How not to make friends and influence people, the Microsoft way. With the result that:
[BBC NEWS | World | Europe | Piracy case collapses in
Russia](http://news.bbc.co.uk/1/hi/world/europe/6364953.stm)
Well, that was always going to happen!
[ Microsoft standards bid faces failure -
Computeract!ve](http://www.computeractive.co.uk/personal-computer-
world/news/2174199/microsoft-standards-bid-faces)
and while I'm grumbling about Microsoft (which I don't do very often, but I may have a pop at Vista in a week or so), here's Open XML failing to get fast-tracked.
[Denmark mandates open standards by
2008](http://permalink.gmane.org/gmane.org.fsf.europe.discussion/1486)
...but they've still got friends in Denmark's standards body.
[Random thought: Roomba
scare](http://liw.iki.fi/liw/log/2007-02.html#20070205b)
Self-improvement for Vacuum Cleaners! Now that would be bad tech.
[This is a multi-part message in MIME
format.](http://www.davidpashley.com/blog/2007/02/06#mime-format)
I always sign up for plain text if it's available. HTML-only is a big discouragement. HTML with a useless plain text part like that is nearly always deleted unread. Protx, this means you!
[ VOIP IP Telephony: Skype dumps you BIOS info and sends
home!](http://snapvoip.blogspot.com/2007/02/skype-dumps-you-bios-info-and-
sends.html)
Yet another way that Skype is evil. See also:
[pagetable.com » Skype Reads Your BIOS and Motherboard Serial
Number](http://www.pagetable.com/?p=27)
Internet phones have a lot to answer for, including my imminent router upgrade:
[Bagel Belly Blog: Future
proof](http://www.andrewsavory.com/blog/archives/001278.html)
The browser-awkwardness of the current router's web interface is another reason [I'm looking at OpenWRT-like replacements](http://mjr.towers.org.uk/blog/2007/software#openwrt).
[FastMail.FM weblog: More greylisting details](http://blog.fastmail.fm/?p=566)
Greylisting seems good, but xbl is a terrible blacklist. I don't know how it works and it has often listed new ISP mail relays (which were not open relays or exploited). Avoid xbl.
[ debian.org and SPAM -
MadBlog](http://blog.madism.org/index.php/2006/03/25/79-debianorg-and-spam)
Using RBLs to trigger greylisting seems like a good idea to me.
[Sue them all.](http://www.pumuki.org/?p=44)
Finally, this would be funny if it wasn't so silly. Advertisers: be careful of your music placements or you might start a bomb scare. Although, musical bombs? Wouldn't that be a bit of a Hollywood film stunt?
* * *
## Crackers
I'm installing [Paul Martin's iptables ssh-rate-
limiter](news:slrneuaj0e.jfn.pm@thinkpad.nowster.org.uk) on the public
machines that I run, to reduce the amount of logfile rubbish that ssh-scanning
crackers produce. I've also added an iptables-restore line to the pre-up of
the relevant sections of /etc/network/interfaces.
So far, there doesn't seem to be any disadvantage to doing this. Is there one?
If not, why doesn't everyone do this?
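As an added example (not code from the page, and not the rule set from the news posting it links), here is a rate limiter in the same spirit using iptables' `recent` match, written in iptables-restore form, together with the `pre-up` hook for /etc/network/interfaces. The chain name SSH_LIMIT, the thresholds, the rule-file path and the 192.0.2.0/24 management range are this example's own assumptions.

```shell
#!/bin/sh
# Added example: generate an iptables-restore file that rate-limits new
# SSH connections per source address, plus the pre-up hook to load it.
# Chain name, thresholds and file path are assumptions of this example;
# 192.0.2.0/24 is a documentation range standing in for a real
# management network.

# ssh_limit_rules PORT HITS SECONDS [ALLOW_CIDR]
# Prints rules in iptables-restore format. A source address that opens
# HITS or more new connections to PORT within SECONDS is dropped; an
# optional ALLOW_CIDR is exempted so you cannot lock yourself out.
ssh_limit_rules() {
    port=$1; hits=$2; seconds=$3; allow=$4
    printf '%s\n' '*filter'
    printf '%s\n' ':SSH_LIMIT - [0:0]'
    # Only new connections (SYNs) are counted; established sessions are
    # untouched. In a full ruleset this jump must precede the usual
    # ACCEPT for the ssh port.
    printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j SSH_LIMIT"
    if [ -n "$allow" ]; then
        printf '%s\n' "-A SSH_LIMIT -s $allow -j RETURN"
    fi
    # --set records this attempt first, so it is included in the count;
    # --update then drops once the window holds HITS attempts, and also
    # refreshes the timestamp, so a host that keeps retrying stays
    # blocked until it has been quiet for SECONDS.
    printf '%s\n' "-A SSH_LIMIT -m recent --set --name SSH"
    printf '%s\n' "-A SSH_LIMIT -m recent --update --seconds $seconds --hitcount $hits --name SSH -j DROP"
    # Under the limit: back to INPUT, where the normal ssh ACCEPT lives.
    printf '%s\n' "-A SSH_LIMIT -j RETURN"
    printf '%s\n' 'COMMIT'
}

# interfaces_stanza IFACE RULEFILE
# Prints the /etc/network/interfaces lines that load RULEFILE before
# IFACE comes up, so the limiter exists before sshd is reachable.
interfaces_stanza() {
    printf '%s\n' "auto $1" "iface $1 inet dhcp" \
        "    pre-up iptables-restore < $2"
}

# When run directly: show the rule file and the stanza to add.
ssh_limit_rules 22 4 60 192.0.2.0/24
interfaces_stanza eth0 /etc/iptables.rules
```

Redirect the first call into /etc/iptables.rules (or whatever path the stanza names) and test it with `iptables-restore --test` before wiring it into `pre-up`. On the disadvantage question: the counter is per source address, so a legitimate user running a loop of scp commands, or making four quick reconnects after a typo, looks exactly like a scanner, and because `--update` refreshes the timestamp every retry extends the block; the exempt range is the usual mitigation. It also does nothing against distributed scanning where each source stays under the threshold, so it cuts log noise rather than replacing key-only authentication.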
### Evil Mambots and a com_extcalendar exploit
A couple of hours of today (early May) went on dealing with the effects of a
big spam attack on a managed server. One user had installed the Joomla ExtCal
component on their web site, while another reported that email was running
slowly.
The attacker was exploiting com_extcalendar/admin_events.php to send spam, and
trying to send 9000 emails meant they hit the maximum permitted sending rate
quite quickly. As soon as I spotted it, I shut down outgoing mail, killed the
sending process, disabled the exploited site and component, cleaned the spam
from the queue and restarted mail.
I'm searching the rest of the server for any other com_extcalendar
installations and then I should contact the other exploited servers I've seen
during this attack. It looks like there's an entire class of evil "Mambots"
out there, using exploitable Mambo and Joomla sites to crawl in search of
others.
I don't think the exploited site's owner will be billed for the clean-up,
because I can't find a security advisory for this. Neither [the mambo
site](http://www.mamboserver.com/) (whose site search doesn't work for me) nor
[the joomla site](http://www.joomla.org/) seems clear about security alerts. I
didn't find a third-party advisory that was clearly about this (but there were
a few maybe-relevant ones). [The homepage at
Mambo](http://mamboxchange.com/projects/extcalendar/) last released in 2005
and doesn't mention this in its release notes, while [the homepage listed by
Joomla](http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1069/Itemid,35/)
404s (and I don't enjoy using the Joomla site because, [as it
says,](http://help.joomla.org/content/view/805/60/)
> "we are aware, and regret, that our website does not comply with many
WCAG/508 requirements"
).
If you are using com_extcalendar on your site, check whether it's safe, or
replace it with a better calendar.
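For the search described above, here is an added example (not the page's own commands) of two checks for a shared server: finding every com_extcalendar installation under a document root, and counting which client addresses have been hitting admin_events.php in the web logs. It assumes the stock Joomla layout DOCROOT/components/com_extcalendar/ and Apache combined log format (client address in field 1, request path in field 7); the log lines in it are constructed for the example, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the page): two quick checks for a shared server
# after the com_extcalendar spam run. Assumes the stock Joomla layout
# DOCROOT/components/com_extcalendar/ and Apache combined log format.
# The sample log lines are constructed for this example.

# find_extcalendar ROOT  -> one com_extcalendar directory per line
find_extcalendar() {
    find "$1" -type d -name com_extcalendar 2>/dev/null
}

# admin_events_hits LOGFILE -> "COUNT CLIENT" lines, busiest client first,
# for every request that touched admin_events.php, whatever the method or
# query string. Repeated requests to a calendar admin script from an
# address you do not recognise are the web-side trace of the spam run.
admin_events_hits() {
    awk '$7 ~ /\/com_extcalendar\/admin_events\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# write_sample_log FILE -> constructed combined-format lines for testing
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.7 - - [02/May/2007:10:15:01 +0100] "POST /components/com_extcalendar/admin_events.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.7 - - [02/May/2007:10:15:02 +0100] "POST /components/com_extcalendar/admin_events.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.9 - - [02/May/2007:10:16:40 +0100] "GET /index.php?option=com_extcalendar HTTP/1.1" 200 8112 "-" "Mozilla/5.0"
203.0.113.5 - - [02/May/2007:10:17:05 +0100] "GET /components/com_extcalendar/admin_events.php?x=1 HTTP/1.0" 200 312 "-" "libwww-perl/5.805"
EOF
}

# Demonstration on a throwaway tree when run directly.
demo=$(mktemp -d)
mkdir -p "$demo/site1/components/com_extcalendar" "$demo/site2/components/com_content"
write_sample_log "$demo/access.log"
find_extcalendar "$demo"
admin_events_hits "$demo/access.log"
rm -rf "$demo"
```

On a real server run `find_extcalendar /var/www` (or wherever the vhosts live) and point `admin_events_hits` at each site's access log; the ordinary front-page request for the calendar (`index.php?option=com_extcalendar`) is deliberately not counted, so only direct hits on the admin script show up.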
* * *
* * *
## Spam
Items that used to be here, including:-
* [Digital Parts](spam#digitalpartsspam)
* [futuregate aka Mindcom Internet Limited](spam#jonospam)
* [Jigsaw Insurance Marketing](spam#spamjigsaw)
* [nixforce.com](spam#sploggers)
* [Sun via Kingpin](spam#sunkingpinspam)
* [Total Language Solutions Limited](spam#tlsspam)
* [What does akst spam mean?](spam#akstspam)
are now listed on [their own page](spam).
This is copyright 2007 MJ Ray. See fuller notice on [front page](/).