GMail security hole

Path to Marston

As people who read techie news pages like Engadget and Slashdot already know, a somewhat serious security flaw in GMail has recently been uncovered. Specifically, when you are logged into GMail in one browser window or tab, any other site you visit can grab your entire contact list. Whether that is a serious leak or not is a matter of perspective. Certainly, it exposes all of your friends to even more spam than they already receive.

Read the following carefully before you click anything. If you want to see the script that grabs contact lists at work, follow this link. Engadget says it’s “non-malicious,” but the risk is yours. The bug arises from the way in which GMail stores your contacts as a JavaScript file that can be requested by other websites. Google claims they have fixed the bug but, as the link above will prove, they have not.

Plausible attacks

A site that wanted to be really sneaky could exploit this information in many ways. At the very least, it could be used to very easily identify many of the people who are visiting. Knowing someone’s contact list might help in the launching of phishing attacks. It could, for example, make it easier to work out what company someone works for. You could then find out who does their information technology and send spoofed emails that seem to come from the IT department, asking for passwords or other sensitive information.

If it is a site that contains content that many people would not want others to know that they view, it could grab the email addresses for people with the same last name as you and threaten to send them information on your surfing history. A less complicated ploy would be to use emails that seem to come from people who you know to get through spam filters. Because of email spoofing, it is very easy to make messages seem to be coming from someone else.

Implications

As someone with 1037 MB of data in my main GMail account – including 14,410 emails and more than 1500 instant message conversations – I am naturally very concerned about GMail security. There is tons of stuff in there that I would be profoundly opposed to seeing on a public search engine, as has already happened in at least one case with private GMail data.

Contrary to their own assertions, Google had analysed and indexed all e-mails processed through their mail service. Due to a mistake made by an administrator, a database of the highly secret project was mirrored onto the external index servers, and as a result, the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour.

Source

Clearly, it would be preferable if GMail started using durable encryption on their archived messages. This would both protect the messages from hostile outsiders and keep Google from doing anything undesirable with them. Even a passphrase-based symmetric-key encryption system (perhaps based on AES) would be an improvement. I bet all the students at Arizona State University, which has turned to GMail to provide all its email services, would feel likewise, if they knew.

[Update: 8:30pm] This article by Brad Templeton, the Chairman of the Electronic Frontier Foundation, makes some good general points about GMail and privacy.

[Update: 11:00pm] According to Engadget, this hole has been fixed. It’s good that it was dealt with so quickly, but there are still reasons to be concerned about GMail security in general.

[Update: 2 January 2007] The mainstream media has caught up with the story. CBC News: Teen exposes Google security flaw.

[Update: 18 July 2008] GMail just added a very useful ‘Activity on this account’ feature. It tells you (a) whether any other computers are logged into the account and (b) when and where the last five logins took place from. This is excellent.

A variety of spices in life

Deities and guns, Pitt Rivers Museum

Two things that I did not know previously about spices, but learned while eating white peppercorns purchased at the Spice Bazaar in Istanbul, during a break from reading this evening:

The difference between black and white peppercorns is somewhat similar to the differing means by which white and red wine are produced. Black peppercorns are the dried fruit of Piper nigrum, a flowering vine. The colour is the product of browning enzymes released from the fruit’s flesh through the application of heat, after picking and before drying. The important odour-contributing chemicals present in black pepper are part of a class of molecules called terpenes. White peppercorns, by contrast, are the product of fruit whose flesh has been soaked off, decomposed, or otherwise removed – leaving only the seed to be dried.

This strikes me as somewhat similar to how red wine is produced from juice that includes skins, seeds, and stems – whereas white wine has such elements filtered out. The chemical result of their inclusion (called maceration) produces the tannins that give flavour to red wine. Those who are restricted to the appreciation of the cheaper examples of both varieties might find it useful to know that red wines contain more congeners than whites, and thus are more likely to leave you feeling rotten the next day (though the relevance of these molecules to the situation seems to be disputed; some argue that hypoglycemia, dehydration, and vitamin B12 deficiency are more to blame). Red wines also include tyramine, an additional metabolic toxin absent in whites.

One molecule mentioned frequently on this blog is capsaicin: the hydrophobic, colourless, odourless compound that makes chili peppers spicy. It does this by virtue of stimulating vanilloid receptors of subtype 1, normally sensitive to heat and abrasion. I thought that normal table pepper relied upon the same substance, but it actually depends on a molecule called piperine, potentially notable for the fact that it interferes with biochemical pathways relevant to drug metabolism.

The X-Files in retrospect

Unproductive pre-Christmas days are reminding me of evenings long forgotten. Specifically, those taken up in watching The X-Files and being terrified about all the pseudo-scientific content therein. These days, I am more appreciative about the opportunities the series provided to the emerging film and television industry in Vancouver, as several of my friends could describe on the basis of their personal experience.

I remember evenings after the point where my paternal grandfather replaced our television with one three times the size, in order to watch the World Cup – an event that had less than zero significance for me at the time and has not much more now – when I would watch new episodes of the X-Files and be unusually unable to sleep before the school days subsequent.

It is interesting how The X-Files was concerned to the point of paranoia about the dangers of government secrecy, whereas television today has largely embraced the mindset of the ‘War on Terror.’ 24 is an example that is shamefully compelling.

World’s best geeky songs

Now that I am using a text editor that colour codes things based on which programming language you are using, I feel free to unleash a bit of geekishness upon you all.

In that spirit, what verse from a song can compete with the following? (Naturally, it is sung to the tune of “I am the Very Model of a Modern Major General.”)

There’s antimony, arsenic, aluminum, selenium,
And hydrogen and oxygen and nitrogen and rhenium
And nickel, neodymium, neptunium, germanium,
And iron, americium, ruthenium, uranium,
Europium, zirconium, lutetium, vanadium
And lanthanum and osmium and astatine and radium
And gold, protactinium and indium and gallium
And iodine and thorium and thulium and thallium.

That is from Tom Lehrer’s “Element Song” which, unfortunately, is no longer up to date. Readers who prefer their science delivered in musical format should also try to find copies of the following:

“Photosynthesis” by Moxy Fruvous

I will be the first to admit that this is not the most musical song in the world (though it is a far cry better than the Monty Python “Oliver Cromwell” song). That said, it will probably teach you something about the most essential chemical process for the maintenance of life as we know it on earth. Not something you can say about Bach or Britney Spears.

“The Galaxy Song” by Monty Python

Can’t remember the rate at which the outer spiral arm of the Milky Way which contains our sun rotates around the galactic core? This song is for you. A shame that none of the measurements given are in metric.

“The Transcendental Deduction” by Paul L. Fine

Not scientific, per se, but decidedly educational. How can anyone deny the merit of a song that fits in the lyric: “Now, reason gives us concepts which are true but tautological; sensation gives us images whose content is phenomenal?”

“Doppler Shifting” by The Chromatics, from the album Astro Cappella

Unambiguously, the finest a cappella song about the Doppler Shift, this song will increase your understanding of highway speed traps, the nature of the universe, and much else besides.

Can you name a geekier song? If so, please leave a comment. Even better, send me a copy.

Home is where you edit your text

Prompted by numerous expressions of love and appreciation, I have decided to give the 30 day trial of TextMate a try, to see if it can turn my text editing world on its head and make me wonder how I ever got by without it.

So far, it reminds me of my experience with Emacs: “Well, this certainly seems powerful, but how do I save a file? No, really. I guess I will just boot back into Windows.”

Any true believers who want to show me why TextMate is worth the bother (as compared to TextEdit and WriteRoom, which I now use) are very much encouraged to do so. In particular, a straightforward page full of “look at the amazing things you can do with TextMate, and here’s how” stories would be ideal.

[Update: 21 January 2007] My TextMate trial expired today. While I liked the program quite a bit – it’s a big step up from TextEdit – I am not willing to pay forty Euros for it, given that I don’t use the coding features.

[Update: 24 October 2007] I finally caved and bought TextMate. I realized that it would have been worth the price just to have it between when I first pondered getting it and now. Being able to circumvent the (often slow and clumsy) WordPress web interface is worth it, in and of itself.

[Update: 1 November 2007] Integration between Fetch and TextMate is absurdly useful. It lets you edit HTML, PHP, htaccess, and all sorts of other files without needing to manually download and re-upload them through FTP.

[Update: 26 March 2011] It seems I decided back in November 2010 that TextMate is an ‘Essential’ Mac app, by means of an experimental process. So much has changed since we met!

[Update: 3 February 2013] TextMate remains one of my key tools: a program I use many times every single day, and my favourite place to enter text for all purposes from blog posts to academic essays to random personal notes to self. It is well worth the asking price.

[Update: 29 October 2014] TextMate is still my main text editor, and a program I use dozens of times per day. I use it a lot for typesetting LaTeX now.

Back in the UK

Istanbul cats

Back in the comparative warmth of Oxford, I am enjoying how it feels to be on a computer with a properly calibrated screen and a keyboard familiar enough to require no peeking. It is gratifying to see how much better my photos look when properly displayed.

Since this is my father’s last night in England, I am not going to spend the three hours or so that it will take to sort through my photos from Turkey, just now. You can expect my previous entries to start getting illustrated as of tomorrow, as well as additional batches on Facebook and Photo.net.

PS. Both my iPod Shuffle and my USB flash drive picked up a few viruses over the course of visiting hostel and internet cafe computers. Thankfully, they are all viruses that only affect Windows machines. Travelers with laptops (or computers running Windows back home) beware. I do feel bad about spreading viruses between all those machines; no wonder they were so slow.

Irksome spammers

My spam problems have become very acute, with five or so spam comments appearing on commonly visited posts each day. In response, I have kicked up the sensitivity of Spam Karma 2 by a couple of notches. My apologies if this makes it more difficult to leave legitimate comments.

Judging by some of the search strings that are leading people to the site, I think blogs that use Spam Karma 2 are being specifically targeted. I may need to adopt a new system once I get back to Oxford on the 16th or 17th.

[Update: 29 December 2006] I am having two spam problems now. One is annoying and one is just odd. The first is that some spam comments are getting through Spam Karma 2, even with the Akismet plugin. They have karma values of over 1000, which I think must be the result of a clever hack. I changed the page footer with the number of spams caught, to make it less obvious that I am running SK2. The odd thing is that the number of spams caught figure just doesn’t go up anymore. I have no idea why, or how to fix it.

[Update: 31 December 2006] For no comprehensible reason, the spams caught count has started rising again: jumping immediately by forty points. The best thing to do seems to leave it alone.

[Update: 2 January 2007] For some reason, today involved a veritable cascade of comment spam. At midnight yesterday, my filters had caught 870 spam comments. 24 hours later, they have caught 1065. That is 22% of all the comments received thus far, all on a single day. I am impressed that my new combination filtering system (details top secret) managed to catch every single one, without catching any real comments by mistake.

[Update: 21 January 2007] Because of aggressive spammers, I had to disable the ability of people in general to register accounts with the WordPress installation for a sibilant intake of breath. People who want one should ask me by email, and I will set one up on their behalf.

[Update: 15 April 2007] I am surprised to see that I thought five spam comments a day was a large number, back in January. Now, I get more like 50. Thankfully, I have some better protections in place. As such, I am allowing user registration again. We will see how it goes.

Photo backup

I’ve copied the 160 or so digital photos that I have taken so far onto this internet cafe computer. Due to a less-than-zippy internet connection, it would take about ten hours to transmit the 155 megabyte file. As such, I have squirreled it away in a system folder, to return to when I can come back with my USB memory stick. The only alternative would be sacrificing all the music on my iPod Shuffle, which would hardly be wise with another noisy fourteen hour bus ride in a few days’ time. Simon & Garfunkel, along with my noise isolating Etymotic ER6i headphones, are the only reason I got any sleep last night.

The reason for burying the folder with my images is mostly an observation that dozens of people have left similar little caches of Turkish holiday snaps in more conventional places. There is some voyeuristic pleasure to be gleaned from skimming over them. They range from shots so professional that I am tempted to steal them to those that would prompt me to offer the photographer a few basic lessons.

With the sun down, it is now well and truly too cold to type in this unheated and open-doored cafe. Adieu until tomorrow.

Data protection

After another serious failure of a computer used by a friend or family member, I feel obliged to remind people that Oxford provides excellent free comprehensive data backups. If you are basing your entire M.Phil or D.Phil project on files in a (theft-vulnerable and breakable) laptop, this is something you really must do.

I already wrote about it here.

As a special bonus – prompted by passing the 40,000 visitor mark on the blog – I will personally configure the Oxford backup system for the first graduate student friend of mine who leaves a comment requesting it. Call that a special bonus for people who are reading the blog in syndication.

[Update: 22 January 2007] Bad news for people with Intel-based Macs: the TSM backup client for Mac OS does not yet support them. Supposedly, a new one is being released in February. Until then, keep making backups to external hard disks or optical discs.

New interface for comedic news

Comedy Central has rolled out a new interface for showing Daily Show and Colbert Report clips. The player seems to be rather more stable than the previous version, with no errors discernible in Firefox 2.0 and Mac OS X. The videos themselves are a bit bigger and seem to load faster. Perhaps the biggest improvement is that clip videos now play in sequence, in the order in which the bits were included in the actual episode.

The two biggest new problems are that the window in which the videos now play is very large and cluttered, and that video advertisements are now shown before the first clip you watch and sometimes in between them. For me, this is an acceptable price to pay for an improved viewing experience. It was very annoying to have to go through them one by one before, especially given how about one in three would encounter an error that prevented it from loading.

It would be better to just have it all on YouTube, but I can understand that Comedy Central needs to extract advertising dollars from us web-viewers. Of course, I won’t be de-activating my AdBlock extension or the Filterset G updater for it anytime soon. After a few weeks of using it, the web seems truly garish when viewed in a normal web browser. You need never be troubled by annoying banners again. Flashblock is also a godsend, since almost all the flash on the web is either advertising or potentially malicious.