Archive for February, 2007

Reason #32768 why Myspace sucks: Paranoid session validation gone wild!

Ok, so I figured out (one of the reasons) for my long-held assertion that “MySpace.com doesn’t work in any browser”. Short story: On first visit, the site records your browser version and other information. If any of this information changes while you’re surfing, they kick your ass out! Naturally, due to some fun toys on my browser, this info changes constantly ;-)

(Read on for a long and entertaining MySpace rant…)

For the last seven years or so, I’ve run a sweet Internet crapfilter program known as The Proxomitron. This is a powerful pattern-matching engine that intercepts and rewrites HTML before it gets to the browser, allowing such things as:

  • Stop windows that pop-up, pop-under, or pop-over
  • Stop those un-closable endless banner chains
  • Stop pop-up JavaScript message boxes
  • Remove web-branding and other scripts tacked on by “free” web providers.
  • Convert most ads and banner pictures into simple text links
  • Freeze all animated gifs
  • Strip out background MIDI songs (or stop them playing automatically)
  • Disguise your browser’s identity and version from JavaScripts
  • (and much, much more!…)

I was enjoiying the Web without blinking things, popups, float-over ads and unkillable Flash animations long before browsers added their own pop-up blockers… I was also fed up with sites pulling this “this site requires Nutscrape v4.1 or higher!!” crap, so I added a filter rule that always reported my browser version as “Mozilla/8.0” (a very capable, futuristic browser, especially 7 years ago ;) . And as long as I was faking my browser version, I also had it add on a random quote to the version info with each request. This way, when vain webmasters generated statistics for their web sites (how many hits per day, what browsers, OSes, etc.), all the quotes* would show up in it. E.g.:

Mozilla/8.0 (compatible; MatrixViewer 1.0; There is no spoon.)
Mozilla/8.0 (compatible; Oh, and the next .com I catch referring to a personal website as ‘Content’ gets a boot up their ass.)
Mozilla/8.0 (Aww fuck. Now they want my license and registration.)
Mozilla/8.0 (compatible; but we can fix that… ; The BASTARD GEOCITIES SYSADMIN FROM HELL LIVES!!)
Mozilla/8.0 (compatible; If you’re searching for the meaning of life; this isn’t where to find it.)
Mozilla/8.0 (compatible; Quit looking here and get back to spanking your monkey.)
Mozilla/8.0 (compatible; Woo-hoo, I’m in a famous site’s Web log. HI MOM!)

Now all Web sites just magically worked (no matter what old-ass browser I was running on my old-ass computer back then), and I kind of forgot about it.

Fast-forward to the not as distant past, and I come across a couple sites that act just plain broken, notably MySpace. I had some friends on it begging and hounding me to create an account, so I did… and I tried to like it, I really did. And I tried to use it, I really did. But not only was the site guilty of breaking every rule in the HTML book and being impossible to navigate, but I’d log in, click on a link, and…

“Sorry… You Must Be Logged-In To Do That!”

So, grumble, re-log-in, click a link…

“You Must Be Logged-In To Do That!”

Okay, this site’s fuckin’ broken. Maybe it works in IE. Load up Microsoft Idiot Exploiter, login, click a link…

“You Must Be Logged-In To Do That!”

A few iterations of this and I wrote this site off as unusably defective. “Meh, maybe I’ll try back in a year or so and see if you’ve got it fixed.” I might have been tempted to email them to report this defectitude, but never did, most likely because I had to be Logged In To Do That.

Recently, someone linked me to a video hosted on Myspcae. Page loaded, video started playing, and after about the first three frames I got auto-redirected to a page to the effect of “An unknown error occurred.” Ah yeah, I remember those. Reload, and same thing. Now, the page had already downloaded completely, rendered, loaded the flash video player, and started playing. At that point, there’s no possible error that can occur – everything that needs to happen in the HTTP stream has already happened. It would be like getting up in the morning, doing your morning routine, driving to work, sitting down at your desk and then being told apologetically that your car didn’t start. This “error” can only mean that some scripted monkey-business is afoot.

So, why would a noisy, flashing ad-laden site like Myspace try to intentionally kick me out after the fact? A handful of commercial sites, paranoid that somehow, somewhere, a user is not making them money, try to detect these “sour users” according to some conditions, redirecting viewers to an error page if they detect one. Not accepting our cookies? Bamf, go away. Blocking ads? Yerrouttahere. No JavaScript? Piss off, mac.

As a quick experiment, I disabled the Proxomitron and tried again. No error redirect; everything worked fine. Re-enable, error message. Further investigation reveals that the difference was not even in the ads that were blocked, but the random quote in the User-Agent field. It turns out that the site, in some paranoid effort to catch (unspecified riff-raff), saves your browser version and similar info, checking it on every subsequent request to kick you out if it changes!

Officially, your browser version or similar information (IP, etc.) should rarely change during a session. Maybe Firefox installed an automatic update while you were browsing, etc., but that doesn’t happen often, right? Not quite… there are several legitimate reasons why this info could change frequently, and why it’s Bad Practice to try and validate sessions on it. Not just wiseasses like me having fun – anonymizers will constantly fake which browser gets reported (oh, you don’t want anonymous users?), various proxy servers will load-balance requests out from different IPs, and various toolbars and other junk users install (knowingly or not) will insert their own crap in these fields, sometimes on a per-request basis. Finally, users may use tools like User-Agent Switcher to fake MSIE because your site, or another just like it, really is broken.

Using the User-Agent field as part of session validation in this manner will do absolutely nothing** to impede actual riff-raff (spammers, etc.). They’ll just pick the most generic browser name and version, and then NOT CHANGE IT, just like a normal user. Spammers try as hard as possible to disguise themselves as normal user traffic, not do things to intentionally stick out like a sore thumb. Yet, I still see shite like this on production web sites. I’ve found that the Simple Machines Forum software also does this by default. Taken from the source code (/sources/security.php):

// Verify that they aren't changing user agents on us - that could be bad.
if (... $_SESSION['USER_AGENT'] != $_SERVER['HTTP_USER_AGENT'] ...)
$error = 'smf305';

is the cause of mysterious “Session verification failed!” errors for logged-in users who have something diddling their User-Agent string. (A hidden setting called ‘disableCheckUA’, accessible only by hand-editing the SMF database, disables this misfeature.)

Thus ends another long and winding ex-web-developer rant. Tune in next week for “Thou Shalt Not Advertise On 404 Pages, Fucking Eyeball Theives”.

* and my personal favorite (used only briefly), for having fun with overly vain webmasters looking at their site statistics:

Mozilla/8.0 (compatible; <script>alert(“You are the 10064th victim of the Browser String Virus! \n\n Now, to tackle that darned hard drive…”);</script>) . Most stats packages of the time didn’t expect these fields to contain stuff like HTML and Javascript, and so didn’t filter it.

** Technically, if the site has uncorrected, wide-open security holes and can’t find them, re-validating the IP address / User-Agent / etc. on every hit is a stopgap measure that can catch most session-hijacking attempts (at the expense of also locking out many legitimate users, of course). If a user’s authenticated session ID is stored in a cookie, and a vulnerability allows a malicious user to remotely steal the authenticated user’s cookie (e.g. via cross-site scripting exploit), the malicious user could spoof the logged-in user by presenting the hijacked cookie (until the authenticated user logs out or session expires). But if you check the UAgent too, the spoofer also has to know the user’s exact browser version. (Of course, if the spoofer can steal cookies via XSS, he already has this information, so it’s down to checking the IP address.) So, validating sessions on UAgent and IP can mask some gaping security holes and let you get rid of most of your bathwater… just depends how many expendable babies you have.

TranceVibe Take Two: So, what are they doing that I’m not doing?

After getting busy with all kinds of other stuff for…heh, a year…, I started thinking back on the Drmn’ TranceVibe project. My grandmaster plan was to “mass” (qty: 20 or so) produce them and see if they’d sell. Anyway, since the original design, a few small cost and manufacturability enhancements have been made: smaller SMD oscillator clocked down to 4MHz (cheaper, sucks less current, and most importantly doesn’t poke through the board where the PIC goes), programming jig (eliminates program connector with same pokeybit problem*), smaller (less flash memory) PIC (I’m still only using a fraction of it), so now the whole thing could theoretically be reflow soldered. The board is still original, since I got a batch of about 30 of them and haven’t really used any. They still need to be cut by hand.

Sort of by chance, I also stumbled on OpenDildonics, which has a photo of the original ASCII vibe’s innards. Holy overdesign Batman! I don’t know whether to laugh, cry, or buy one off Ebay so I can figure out just what the hell it’s doing. Unless it serves double duty as a trance vibrator and some bizarre harmonic mind-control device, there are far too many parts on this board.

Actually, it looks like they’re putting out the 1-byte “how much vibration” level, converting it to an analog value and driving the motor linearly. I can’t think of why they’d take this approach over a simple PWM controller (which is what the Drmn’ Trance Vibe does) except to avoid the recurring voltage kickback as the motor power is switched on and off, but this can easily be snubbed with a fast diode (indeed, most FETs, including the ones used on the DTV, have a built-in body diode). Maybe microcontroller technology hadn’t advanced to that point by then where they could just run a PWM loop and handle the USB port at the same time.

* note to self: beer and CAD do not mix.

My_beloved__do_you_know.doc.prn.ps.prn.ps.pdf

My dearest MS Word,

Thank you again for a wonderful day. You know I've always loved your little quirks, like having to

ADelete all but the first character of a paragraph I’m replacing, then when I’m finished go back and delete the first character, because as punishment for deviating from this sequence you will change the entire paragraph to an arbitrarily-selected combination of size and font, which is 1) not the style I have currently selected, 2) not any of the registered styles, 3) not the Word default. Also, being careful to resist the temptation to press delete at the end of the paragraph where I just know all these stray spaces are hiding, because doing so will fuck up either this or the next paragraph’s formatting in weird ways and for reasons unknown to mortal men. You’re a harsh Mistress, Madame Winword. Thank you, may I have another?

But today, when I was trying to put together a short whitepaper for a project at work, you reminded me throughout our time together of how much I still mean to you after all these years. Typing over that bi-column text of someone else’s whitepaper from another project from two years ago (I’ll figure out how to do that myself someday, honest… I’m still working on my six-year Doctor of Using Microsoft Office’s Advanced Formatting degree), carefully preserving the paragraphs and their headings as described {Insert->Cross-Reference->Numbered Item->include-above-below} above), deftly making my incision into the paragraph with my cursor, replacing one character after another with ninja-like surgical precision. Carefully restoring the formatting when you decided to munge it anyway, clicking away those lovely little windows asking if I’d prefer the default action of destructively overwriting the style currently selected in the drop-down menu with the bizarre combination of three different fonts and justifications you’ve chosen for the currently selected sentence, rather than the option of forcing said sentence’s formatting back to said currently-selected style in said drop-down menu. Fond memories of sanitizing tri-format text by cutting it, pasting it into Notepad, then copying it back to Winword as glorious plain old ASCII text.

I remember the text was long enough to just barely spill onto the last page, resulting in maybe four lines of text on the left followed by three lines on the right, looking like total ass. Even Jeff, when I asked him to run eDocPrinterMaDealy on it to generate the .pdf, commented on how much it looked like ass: “Dude, this little thing spilling over onto the last page looks like total ass.” So I cut, scrimped, optimized until the paper ended on the last line of the third page. It was a work of art. So, back to Jeff’s machine to run the eDocDealy magic. It grinds for a moment and spits out a beautiful .pdf, except for a big blank fourth-page-from-out-of-nowhere containing a company header, a footer, and NO TEXT (since the text ends on page three). Smack myself on the forehead, jump to the last visible character of the Word doc and hammer on the delete key until all the invisible tabs-spaces-linebreaks-control-characters at the end are gone, page 4 disappears and the last paragraph drops two points of font size and becomes left-justified, then “undo” once because I’ve clearly forgotten Rule #1 above*, and been reprimanded for it. Page 4 still gone. Save. Page 4 still gone. Print to the eDocPrinterDealy again. WTF? Blank Page 4, pop! Back with a vengeance.

So now it was a logic puzzle, and being engineers, we would rise to the challenge. Jeff and I spent probably a good twenty minutes printing the document to various real and virtual printers, experimentally determining which ones would cause the blank page to come back when printed to. HP 8150, no. HP color laser, yes. HP 9000 PS, no. eDocPrinter, most definitely yes. The act of printing should not change the file! Now, maybe there are some fiddly differences between printers that would cause text to reflow slightly differently on the pages they print, but those differences should not cause modifications to crawl back down the printer cable and be back-ported into my friggin’ document, which then asks me if I would like to save my “changes”.

Enable display of hidden control characters, none to be found. Continuing the experiment, maybe if I delete more text, it’ll stop happening. One line. Two lines. After deleting about six lines from the last (righthand) column, an orphan first-line-of-paragraph from the left column jumps to the beginning of the righthand column as part of some automagic orphan-control voodoo (nevermind that this misfeature is not actually enabled), and now no Page Four is generated, no matter which printer is printed to. But fuck you Word, no way am I shortening six more lines out of my paper to make you happy. I decided maybe if I printed to a known-good “No Page 4” printer but captured the output to a PostScript file on disk, and run GNU pdfwrite on the file, it would work.

So, Winword, it seemed your submissive microserf was getting all high and mighty, and you had no choice but to accept. But as a last act of defiance, you pre-filled the PostScript file output dialog with *.prn, even though it was a PostScript file (*.ps). “.prn” in a filename makes me cringe, because this has been a reserved console keyword since about DOS 1.0, and in the DOS/Win9x days filenames containing these (CON/PRN/etc.) were a recipe for hard-crashing-freezing-locking-up-hung-wedged disaster. (Ah, the glory days of embedding “file://CON/CON” links into web pages to insta-bluescreen any unpatched Win9x machine that tried to view it…) So I changed it to blabla.ps, and hit save. Out comes blabla.ps.prn to my desktop, four pages long.

But Ghostscript let me select a page range to convert to PDF, so I could get rid of your nuisance blank header page from my final document. Nyaaarrr. Just goes to show, hon, that after all of our time together, we still get along as well as the day we met.

*tear* I love you, Mistress Winword. <3

-Tim

*Error! Reference source not found.

Only in New England…

me: “What idiot puts a PetCo and a PetSmart right next to each other?”
JR: “Maybe they’re across the street from each other.”
me: “Touche.”

(The directions to get to a particular restaurant on it include a “drive past the restaurant, go three miles, pull a U-turn and backtrack three miles” step because there is no way to get from one side of the street to the other, except at excessively rare and unwieldly intervals.)

Identification and Significance

Okay folks, so that day is coming up next week. Normally, I’d assault your eyes with one of my customary valentine’s day rants (or miscellaneous cheese), but instead…

This next week I am accepting applications* for a coffee date. For those who do not like coffee… too damn bad! I like coffee. Er, I mean, it just wasn’t meant to be. The successful applicant will experience a complete failure good-faith effort on my part at being romantic, and possibly flowers**. Oh yeah, and won’t spend the evening alone. That’s worth something, right? ;-)

*applicants should be free of crazy and/or stupid. Please note that applicants previously rejected are not eligible to re-apply. Women only, please.

** or a living plant which has the capability of producing nice flowers — not the cut kind. I still don’t believe expressing affection by killing something beautiful is the right message to send.

It’s Comcrapstic!

Yesterday I was going over to GJM’s house to play with some DS networking stuff, so I said “Let me just email you the latest libraries and stuff and I’ll come over.” As I sat waiting, and waiting for only a few megs’ worth of files to send, I realized it would have actually been faster to burn them onto a CD and walk over.

Our Comcast “high-speed internet” has gotten slower and slower as I’ve lived here, but they’re the only cable provider that can (for whatever regional-political-good-ole-boy reasons) serve Medford and we’re too far away from the phone central office for DSL. (So no, we can’t just hop onto the neighbors’ unsecured APs for better service because they’re stuck with Comcast too…)

In the year 64AH…

If I were president, I’d add a regular expression filter to the mass media that replaced every occurence of “In a post-9/11 world…” with “In a post-Hitler world…” as a simple demonstration of ridiculosity.

Example:

In this post-9/11 world…

becomes:

In a post-Hitler world, should we allow just any idiot with a radical idea to speak freely?

The Electric Slide: Considered Harmful

So, today I make myself some lunch after some mildly off-pissing car stuff, and figure I’ll read some Slashdot while I eat. Anyway, just idly following links, next thing you know I’m buried deep in PDFs of legal filings. Lawyers nuking security sites by going after their domain registrars with DMCA threats (they can’t lawyer them off their ISPs, because the sites haven’t done anything illegal, and ISPs kind of enjoy their common-carrier status); the registrar GoDaddy bowing to all sorts of other ‘requests’. Miscellaneous DMCA abuses. SLAPP attempts by media giants. The National Pork Board attacking a breastfeeding activist (seriously, wtf?).

Oh, and slightly off on a tangent, our marketing geniuses mentioned earlier are expected to each get five years in the slammer, equivalent to committing a 2nd degree sexual assault while selling old ladies fake prescription medications*. For sticking rude cartoon figures to a bridge. Yyyyyeah.

Now, the alleged creator of that old line dance, The Electric Slide, is nuking videos from peoples’ weddings, school dances, and other materials showing people performing the dance, off of Youtube and other places using DMCA (copyright) complaints. Highlighted in the CNN article is a takedown notice received by qdot (who I’m vaguely familiar with as a result of the TranceVibe project), for a videoblog he posted from a dance at a furry convention in San Jose**… I saw the video. In the grainy darkness you can vaguely make out that people in animal costumes are dancing, and with a bit of imagination you can see a few steps of Electric Slide in there, barely. Electric Slide Guy is also going after someone who danced a variant of it on stilts on The Today Show (and presumably, the Today Show itself), The Ellen DeGeneres Show, an associate professor of exercise science, and “several Hollywood companies” for featuring the dance somewhere.

So, let that be a lesson to “y’all”. Line dancing may be bad for your health. (Specifically, it could rip you a new one.)

* at least according to the only crime/time curve I could conveniently find, published by the Minnesota Sentencing Guidelines Commission. If sexual assault isn’t your game, you could commit an armed robbery followed by a nonresidential burglary. Yikes, this thing reads like a menu. puts away sentencing sheet and stops contemplating a life of criminal mayhem

** are ALL 2007 geek/scifi/anime/fringe/etc. cons going to have James Bond-themed logos? (guessing it’s the 2007 |grep 007 thing)