Category Archives: security

LinkedIn (maybe) just leaked your password, won’t tell you; change it now

I’ve posted a few times over the years the … disappointing … state of LinkedIn’s engineering. But this takes the biscuit: it appears they were storing deliberately insecure passwords, and someone leaked the list:

(that page has links + info on how to check if your own password is in the mega list)

How bad is this?

  1. Many people have checked their personal, unique, passwords, that they claim to have only ever used on – and they’ve hit matches in the file.
  2. LinkedIn hasn’t told its users about the possible leak, more than 24 hours after it happened
  3. Many users re-use their passwords on other sites; any hackers could easily have stolen many accounts on other sites by now

How unlucky is LinkedIn?

This file is unsalted. That’s about as smart as locking your front door and then leaving the key under the mat – on the outside.

  1. Every tutorial, book, “newbie guide”, etc about using databases and writing login pages tells you never ever to do what was done here
  2. For any tech team, it is easy to check if this is what you’re doing, and tell your boss “uh, we need to fix that”
  3. It only takes a few *minutes* to prevent this problem, permanently. It’s not difficult

If LinkedIn were a small site, with a few hundred thousands users, I’d accuse them of laziness. But with 165million users, and a public company, you’d be looking at stunning incompetence by the tech wing of the company (the CIO and CTO never bothered to audit their own security?), or wilful negligence (no-one knew? really?).

Here’s hoping it’s a hoax…

Ruby on Rails dead. All sites p0wned. GitHub shoots the messenger?

Two things here: if you run any Rails site, check out the security hole ASAP if you haven’t already. You might be safe – but given that even GitHub wasn’t, I’d double check if I were you. (The Rails community seemingly isn’t patching it – and there’s nothing recent on the Security list. Which leaves me going: WTF? The evidence is right there on GitHub of how bad this is right now, in the wild).

Secondly … what just happened? Apart from doom and gloom and “the end of every unpatched Rails site on the planet”, there’s a fun story behind this one. As someone put it “it’s the whitest of white-hat attacks” (i.e. the “attacker”‘s motives appear extremely innocent – but foolish and naive)

It seems that GitHub got hit by the world’s nastiest security hole, in Rails – trivial to take advantage of, and utterly lethal. The hole appears to allow pretty much anyone, any time, to do anything, anywhere – while PRETENDING to be any other user of the system. So, for instance, in the attack itself, someone inserted arbitrary source code into a project they had no right to.

Hmm. That’s bad. It effectively destroys GitHub’s entire business (it’s already fixed, don’t worry)

But it gets worse … it’s a flaw in the RoR framework, not GitHub itself (although apparently GitHub’s authors were supposed to know about the flaw by reading the Rails docs, as far as I can tell from a quick glimpse at the background). Rails authors have (allegedly) known about it and underestimated how bad it is in the wild, and left Rails completely open with zero security by default.

So, allegedly, the same attack works for most of the web’s large Web 2.0 sites – any of them that run on Rails.


Who was the perpetrator of this attack? Ah, well…

made an impossible issue, a post that GitHub’s database believed was created 1,000 years in the future.

Classy. Dangerous (high risk of someone calling the police and the lawyers), but if people won’t believe you, and *close* your issues, claiming it’s not that important, what more amusing way to prove them wrong?

Whoops, shouldn’t have done that

I can’t state this strongly enough: never attack a live system. Just … don’t.

Any demonstration of a security flaw has to be done very carefully – people have been arrested for demonstrating a flaw allegedly *at the owner’s request*, because under some jurisdiction’s it’s technically a crime even if you’re given permission. In general, security researchers never show a flaw on a real system – they explain how to, and do it on a dummy system, so no-one can arrest them.

(why arrest the researcher? Usually seems to be no reason beyond ass-covering by executives and lawyers, and a petty vindictiveness)

Homakov appears to have been ignorant of this little maxim, hence I’m writing it here, let as many people as possible know: never attack a live system (unless you’re very sure the owners and the police won’t come after you)!

GitHub’s response

On the plus side, they fixed it within hours, on a weekend. And then proceeded to tell every single user what had happened. And did so in a clever way – they put a block on all GitHub accounts that practically forces you to read their “here’s what happened, but we’ve fixed it” message. They could have kept it quiet.

Which is all rather wonderful and reassuring.

On the minus side, IMHO they rather misrepresented what actually happened, portraying it more as a malicious attack, and something they fixed, rather than what it was – the overspill from an argument between developers on some software that GitHub uses.

And they initially reported they’d “suspended” the user’s account. Normally I’d support this action – generally it’s a bad idea to let it be known you’ll accept attacks and not fight back. But in this case it appears that GitHub didn’t read the f***ing manual, and the maintainers apparently (based on reading their tickets on the GitHub DB) refused to accept it was a serious problem – and apparently didn’t care that one of their own high-profile clients was wide open and insecure. The attack wasn’t even against GitHub per se – it was against the Rails team who weren’t acting. IF it had e.g. been a defacement of GitHub’s main site, that would have been different, both in impact and in intent. Instead, the attack appears to be a genuinely dumb act by someone being naive.

Seems that GitHub agreed – although their reporting is a bit weak, it happened days ago, but they never thought to edit any of their material and back-link it.

“Now that we’ve had a chance to review his activity, and have determined that no malicious intent was present, @homakov’s account has been reinstated.

…and it’s pleasing to see that their reaction included a small mea culpa for being unclear in what they expect (although anyone dealing with security ought to be aware of this stuff as “standard practice”, sometimes it’s not security experts who find the holes):

“We haven’t been as clear as we should have been on how to responsibly disclose security problems, and for that I’m sorry. To prevent future confusion about security-related account suspension, and to make explicit our stance on responsible disclosure, we have added a section entitled Responsible Disclosure of Security Vulnerabilities to our Security policy.”

Rails’s response

I’d expect: shame, weeping, and BEGGING the web world to forgive their foolishness. I’m not sure, but it’s going to be interesting to watch. As of right now, the demo’s of the flaw are still live. I particularly like one commenter’s:

drogus closed the issue 5 days ago

kennyj commented

5 days ago

“I’m closing it (again).
@drogus was close it, but it still open.
github bug?”


kennyj closed the issue 5 days ago

“github bug?” LOL, no – massive security flaw :).

Scamming under the name “Liverpool Embassy”?

UPDATE: I’ve had a followup email from them that suggests it’s legit, and we were just mis-targetted (I’d guess they’re using a call-list they got from somewhere that’s not great on its filtering).

Strange email exchange this morning:

Subject: contact [sic – no capitalization, no sentence]

Could you kindly supply me with your Business address and telephone number for the purpose of our database please?

Kind Regards,


Elisa Sullivan
Liverpool Embassy
2nd Floor
New Broad Street House
35 New Broad Street

What? Why? Who are you? Why do you want our phone number?

And, most bizarrely, why are you asking for info that’s – by law – published for free on the Companies House website?

I smell something fishy(ing attempt)…

I sent a couple of followup emails: “what database?”, we’ve never heard of you, what’s this for?, etc.

Responses were all dodging the question, and then she gave up with:

Ok thanks for your help Adam , sorry for any inconvenience caused.

So, yeah. Probably a scam. If you get an emails from “”, I suggest you trash them.

(and if they’re a bona fide outfit, then … wow. They really don’t use email much, do they?)

ModSecurity updated anti-spam marketer rule

After a little tweaking, my rule is growing, and proving extremely effective:

# bad websites: domains which regularly or overwhelmingly feature spam
SecRule REQUEST_HEADERS:REFERER “http://[^/]*(yijiezi|yourhcg|lukejaten|squidoo|answerbag|jvlai|chaohuis|cledit|bait|lukejaten)” “t:lowercase,deny,nolog,status:500”

# porn and gambling: they make much cash out of random visitors
SecRule REQUEST_HEADERS:REFERER “http://[^/]*(holdem|poker|casino|porn|girlz|pussy|penis|babe|exposed|sex)” “t:lowercase,deny,nolog,status:500”

# fake / illegal designer clothing and luxury goods
SecRule REQUEST_HEADERS:REFERER “http://[^/]*(shop|store|cheap|gossip|handbag|money|deluxe|sunglass|chanel|replica|buy|sale|furniture)” “t:lowercase,deny,nolog,status:500”

# celebrity gossip and trying to make money out of children, I guess
SecRule REQUEST_HEADERS:REFERER “http://[^/]*(miley|bieber|pokemon)” “t:lowercase,deny,nolog,status:500”

# side-effects of Republican America?
SecRule REQUEST_HEADERS:REFERER “http://[^/]*(health|dental|pills|treatment|seller)” “t:lowercase,deny,nolog,status:500”

# side-effects of weakly-regulated investment markets?
SecRule REQUEST_HEADERS:REFERER “http://[^/]*(forex|realty|invest|loans)” “t:lowercase,deny,nolog,status:500”

# the people that created this problem
SecRule REQUEST_HEADERS:REFERER “http://[^/]*(seo)” “t:lowercase,deny,nolog,status:500”

# webhosting and bodybuilding: apparently, these industries are as commoditized as porn and gambling – LOL
SecRule REQUEST_HEADERS:REFERER “http://[^/]*(download|hosting|videos|bodybuilding|bodybuild)” “t:lowercase,deny,nolog,status:500”

Incidentally, I looked into using wordlists for this, but they don’t work. The most effective anti-spam is to look at the domain-names – these sites are trying to get good rankings for their domains, not for specific pages. Apart from the spam-friendly sites, where it’s a combination of both.

So .. sadly … we need the regexp so that we can target the domain-name specifically. If ModSecurity were better (documented) I’m sure it could easily do that. I’m suspicious it *does* do that, but with their shotgun approach to documentation, it could take days or weeks to discover it if so :).

Safe login on OS X: using an SSH key from a USB key/thumbdrive

I like computer security to be EASY and SECURE.

I hate passwords, and I use them rarely if at all. Instead, I use digital keys as much as possible (i.e. something based on a physical key stored on a removable USB drive that I take with me wherever I go). Like using a physical key, it’s much easier.

Sadly, OS X has a version of SSH that tries to be “too clever” while actually being “annoyingly unhelpful”. If you attempt to use a key from a removable drive, you get this error message:

Permissions 0777 for ‘login-key-for-tmachine.ssh’ are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: (key-name)
Permission denied (publickey).

(emphasis mine).

While it’s delightfully verbose, and tells you exactly what’s happened, it’s also a bit misleading. It says “WARNING” when it actually means “ERROR”, since the ssh system at this point deliberately stops itself. But, more importantly, it’s an error that you cannot evade under OS X. With OS X, all removable media has “Permissions 0777”.

Fortunately, there’s a workaround. Using this good but not-quite-detailed-enough article, I got most of the way there.

I had two problems, things that article omits.

Firstly, you are no longer “allowed” to edit /etc/fstab on OS X. Don’t try it. Instead, there’s a new command-line editor called “vifs” (hmm. vi-for-fstab, perhaps? :)) which works fine.

Secondly, the USB Drive I’m using has a space in the Label name. /etc/fstab uses spaces as a reserved character (I knew this), but … what do you write instead? (I didn’t know this).

I tried (and failed with):

  1. “My Drive”
  2. My\ Drive
  3. My Drive

…and with some creative googling, eventually found an example fstab with spaces in a label name. Aha!

  1. My\040Drive

i.e. replace spaces with “\040” (I’m guessing because it’s so low-level they’ve decided to “assume” unicode in all escape sequences)

…and now it all works as intended. Yay.

Identity theft, exploitation, and Gravatar

There’s a growing problem right now with Facebook Connect: it can silently log you in to websites that you *don’t want* to share your private data with. I saw a funny example last month where a porn website had integrated Facebook Connect … so when you visit the site, one miss-click and you’ll broadcast to all your work colleagues your embarassing love of HardCoreGrannies.

But there’s another example right now that may be worse, and is definitely food for thought. Facebook doesn’t broadcast your data – not to protect your privacy, but to prevent competitors getting access to data they are currently making money out of themselves. By contrast, there’s Gravatar: these guys take your private data and give it away to everyone – and they refuse to stop doing it (I’ve asked, directly, and they refused. They had no reason to refuse – they knew my identity, they knew my request was valid, and I believe under UK / Europe law it would be *illegal* for them to refuse. But … they’re American, and I guess all they care about is money).

So, for instance, I just had one of my online identities ruined by Gravatar. A website that I rarely use recently “upgraded” and implemented the gravatar system – and immediately took a private account and publically broadcast that I was the owner. They didn’t ask me, they just went ahead and did it. Like many web developers, I’m sure they had no idea what they were doing – few seem to be aware of the scam that underlies Gravatar.

Fortunately, I’m not going to lose something massively important, like my job / marriage / life (c.f. the news stories when Google Wave launched), but the website owners had no way of knowing that. They’ve just unleashed this upon their hundreds of thousands of users; what are the chances that one of them will be affected?

(incidentally, if you’re a website owner, I strongly recommend you think twice before adding Gravatar (or any of the clones) to your own site. I don’t know if anyone’s been sued for it yet, but I’m sure it’ll happen eventually)

There are two halves to the problem. Gravatar is fundamentally a violation of privacy: they take your data and give it to *everyone* without you knowing. So what? That’s the whole point of the service! Yes, the Gravatar author is a little incompetent (c.f. OpenID for how he *should* have implemented it), but otherwise there’s no problem, is there? In theory … if you voluntarily sign-up for it, it’s all OK. Isn’t it?

Well … maybe not. They won’t let you (the user / owner) control that flow of data. What happens if you change your mind – can you delete their data? Nope. Why? I’m not sure, but I would guess: If you did that, you’d undermine their ability to make $$$ out of you. You can (theoretically) set your pictures back to empty. But …

…But there’s a second half to this. I believe most people are on Gravatar because WordPress “gave” the user’s private data to Gravatar. That’s a nasty mess right there; what does WordPress’s privacy policy say? Again, when they acquired Gravatar, they apparently didn’t ask their users what they wanted, they just forced this privacy violation on them. Back then, it didn’t have much effect (Gravatar itself was relatively unknown / little used), but as Gravatar gets used more widely, the problem becomes more acute.

And here’s the rub: Gravatar’s staff refuse to adhere to privacy requests because (precising / summarising): “you have to use your account”. What if you don’t have one? “you must have had one in the past and we won’t help you. Go away, and stop bothering us”.

Meanwhile, WordPress refuses to send password details to anyone, ever. A wise security decision in some ways (e.g. many people use the same password on multiple sites. Doh!). Your only choice is to delete the password and recreate it.

Is that a problem? Sadly, yes. Because (due to some very short-sighted / stupid marketing decisions by the WP folks) there are lots of admin systems – e.g. anti-spam – that are run off people’s WordPress accounts. So far as I can tell, no reason exists for this *except* to harvest email addresses and try and lure people onto paid plans. Further, WordPress uses an archaic password-based system (instead of e.g. Yahoo’s permission-based API – which, again, is how WP should have implemented this) – so if you change your password, all those websites will break.


These services are a nice idea in theory, but when you get terrible implementations like Gravatar, combined with lazy / stupid staff, the user does pretty badly. They get screwed, they get patronised (just look at the FAQ; they’ve cleaned it up in the last 12 months, it’s no longer so actively offensive as it used to be, but it’s still pretty bad), and many times they don’t even know about it until the violation is widespread.

And, ultimately, any website that uses this system is in danger of losing badly if it goes to a court-case. I’m not a lawyer, but when there are industry standards for user-controlled privacy (OpenID), and specific laws demanding that Gravatar honour the requests it currently refuses (UK Data Protection Act, for instance), I suspect a court is unlikely to look favourably on a website claiming innocence. Ignorance isn’t generally a valid legal defence.

But how much damage do these systems do to themselves? If Automattic were a little less greedy, or a little less selfish, would a lot more people embrace the idea of sharing their identity openly? Will OpenID provide a gravatar-replacement that doesn’t shaft the user, and will that take off much bigger than the original?

Personally, I look at recent events like Google Wave, and Blizzard’s “forum identity = credit-card name” – and the s***storm of angry users in both cases – and I suspect these privacy issues are much more damaging than corporates expect. Which is good news: the world appears to be slowly waking-up to the abuses inflicted upon them in the digital world, and the importance of keeping certain things (passwords, email addresses – and now, finally: identity) sacrosanct. And that is definitely a good thing…

HOWTO: Prevent SEO scam Referrer traffic … AND … Install Mod-Security on Debian

UPDATE: there were several bugs in my original version – by Debian standards, ModSecurity is damn hard to configure correctly, mainly because the Debian packager has left out so much that’s essential! This version is fully tested and working…

Mod Security is an awesome, open-source product for Apache that will protect your webserver against attackers, using a custom rules-language that lets you easily filter for any kind of website attack. Even better, it comes with a pre-built (and regularly updated) set of “official” default rules for cutting out the majority of common internet attacks.

But, pretty shocking … I tried 10 different tutorials / HOWTO’s for this, and each one was wrong. Out of the 10, 6 of them lead to fundamentally insecure / misconfigured systems.

Mostly it’s the vendor’s fault for providing huge long-winded webpages in place of basic install instructions. Partly, it’s the Debian packager’s fault for both mis-packaging, and also “forgetting” to document what they’d done (e.g most of the README’s are empty. Grr!). Whatever. Here’s my HOWTO for doing it correctly, and picking up the excellent default security rules, that *should* work with most installs of Debian.
Continue reading

FlickrEdit – looks like a virus?

IMHO, Flickr/Yahoo has one of the best user-authentication systems I’ve ever seen. I’m sure it’s no accident that Twitter (eventually) moved to a system that is extremely similar.

(NB: I don’t know if flickr copied if from someone else, but they were the first I remember seeing like this, many years ago)

You want sensitivity in your security? Yeah!

It’s so sensitive that it’s currently blocking FlickrEdit’s (bad, broken, buggy) implementation. Not just with an error; not even with a warning … but with giant red letters, a yellow background, and a warning icon:

I was pretty annoyed that the app was seemingly so poorly written it wasn’t doing the desktop-based auth that it should be – and that it popped-open a web browser and “told” me to login (Flickr’s auth-system is slightly more seamless than that, and a much better user-experience).

But I was very impressed that Flickr noticed it too, and decided to warn me that this might be a scam of some kind…

Leaving just one question…

…is this open-source project buggy, or has someone hacked the source and put in a virus? Hmm…

Well. I’ve contacted the project owners, and informed them. Interesting to see what they say.

In the meantime, I have so much faith in Flickr’s authentication system (e.g. I know that it doesn’t share passwords) that I’m happy to go ahead and use the application. There are very few systems where I’d do this, but flickr’s (approach) is one of them.

OS X: You don’t have permission to read your own files

Removing words isn’t always the best route to UX design. Here’s an example (that just bit me) of Apple’s obsession with “remove words, look pretty” making their systems/applications unusable:

“Copying 3,000 files…”
“STOP! One or more of these files you don’t have permission to read. Stop, Retry, Continue?”

Which one, Apple? (it turns out that there were precisely 2 files affected, out of the 3,000+ – although Apple wouldn’t share this info, I had to calculate it after the fact)

Oh, I see. You won’t tell me. I’m supposed to go and do “cmd-i” on every single file, until I find the one where OS X has incorrectly set the file permissions. (NB: selecting everything and trying to do a mass permission set … doesn’t change anything).

The cheap alternative design, as used by normal developers, would have been to give the names of the files. Apple won’t do that – maybe because it would clutter their “pretty” user-interface?

What caused this?

Severe bugs in OS X’s handling of “downloading files from the internet” and/or “receiving files via email”.

In a move reminiscent of the worst days of Microsoft, Apple assumes that you only have one computer, and that the internet doesn’t exist. If you transfer a file from one computer to another – even just download it from a website – then Apple will try and enforce the file permissions from the original computer.

Just to be clear, there is NO security benefit to this: the moment you sent the file over the internet, all security permissions were effectively faked/deleted/nullified anyway.

In this case, simply because the file was authored on a different OS X computer, Apple took away all permissions, marking the file “Top Secret” (only visible to one user on my computer – can’t even copy it over the network). Stupid.

I almost paid for Civilization 5, but Steam prevents me

Today, I *almost* bought Civilization 5. The temptation was strong…

…but they still won’t allow me to buy it. You go into a shop, and spend money, and they tell you you’re a pirate, that you’re a thief, and that unless you create a Steam account and connect the internet to your PC, you “won’t be allowed” to play the game you’ve just paid for.

Over Xmas, I think I’ll pirate it instead. Since they won’t let me buy it legitimately.

(for the record, *if* I pirate it, I will also go into a shop and buy the useless £50 box of plastic and DVD. I’ll do the morally right thing, despite their attempts to stop me)

For the apologists

I’ve often spoken in public about anti-piracy measures for games. My conclusion was to include online-only content that you needed to be authenticated for.

This is a single-player, offline game. There is literally no reason to make it “Steam required” – every offline player will get no benefit, and will be better off pirating it. This is (yet again) mindless stupidity from a games company (probably the publisher).

UK bank that *doesn’t* have stupid online verification?

On many sites, I can’t pay for things online any more, as Halifax/VISA has decided to make it even harder than ever. It used to be I could generate a new one-time password every time I bought something – now they require me to phone an expensive pay-by-the-second 0800 phone number every time I want to buy stuff.

Any suggestions for a UK bank that *doesn’t* force you to type in a stupid, COMPLETELY INSECURE password every time you want to buy something online?

(this is the VISA “we want all our customers to lose all their money” system, introduced a couple of years ago. So far as I can tell, the only purpose of the system is to make it easier for VISA to refuse to pay out fraud claims when it’s their fault. It has zero consumer benefit)

Obviously, none of the UK banks are smart enough to advertise this as a feature on their websites, so googling hasn’t helped me much :(.

Making MediaWiki secure (and fixing some config annoyances)

(this assumes you are running Debian on your server; if not, I suggest you switch)

Mediawiki. One of the world’s less secure wikis? Probably. I use and install it a lot, and it’s usually “the compromise wiki”: it’s weak at a lot of things, but it’s the “least worst overall” a lot of the time. Here’s my current standard fixes and tweaks.

Continue reading

A Spam a day keeps the madness at bay…

Every now and then I scan through my auto-spam folder and see what’s in there. Sometimes the subject lines are hilarious. Other times they teach you about new kinds of phishing attack that are being attempted.

Mostly, they just say depressing things about what it is to be a human in the 21st century.

All the following were yanked from spams I received in the last few weeks (I just did a subject line sort for what was left since the last mass-deletion). I have to say … the depressing, “makes you want to kill yourself if this is the kind of email you receive and respond to” ones have mostly disappeared, which is good. But the ones about MEGADICK that used to make me LOL have sadly faded away :(.

Lost in translation? (aka “WTF?”)

Be a bedroom business master!
Make your hose’s radius great
Fertilize your male tree
From now you don’t need a crane to lift your instrument up!
Come now, pay less!

Sounds painful…

Your manhood will come back to you like a boomerang
Load into her like a geyser!
With a bigger tool you can break not only hearts but splits
Hammer your pile in her
Pills of lion stamina
Make her your rod’s slave
Best doping for night monster
Replace your pant snake with python!

Someone call the cops?

Your drawbolt will go deeper in
Pound her, more and more
Make your love gun active and effective!
Good shells for your love gun
Find how to drill her better

There goes my self esteem

Your instrument is so tiny she barely finds it in bed?
You have no stamina any more to satisfy your loved one
Greatness is measured by the size of your manhood
This watch will add some elegance to your taste
Losing your popularity as a man?
Get a diploma for your career!
Masters degree with no efforts
Show your girlfriend that there can still be a lot of flame in your bed
Feeling unneeded in bed?
What does a frog want with you?
With a monster device you will feel like a man
From now you will be able to satisfy every size – queen!

Telling it like it is, man

Man empties gun at car, victim survives
Why lie? I need money
Bacterial infections are stopped by Amoxicillin

“Optimism” (aka “O, RLY?”)

We cure anything from headache to cancer
Worldwide delivery instantly to your home
Go here for guaranteed boner
If you can’t beat CEOs … join them


Free money
Wanna beer?
Sexually aroused
I can help you
We go to cinema tonight

… and threats

Fucking fill this form
I wanna worry you
Universal decision for men who want to stay men
We will not let your manhood die … call us
You are disqualified!
Get a degree
Suck it
List of conditions
Get your nice hair returned to you
Your friend in trouble
Click or cats gonna die

The men from UNCLE

Erase message after reading
We’ve found your car
Don’t settle for less than 15x power!
Respond, please
Medications that you need

Bad day

We canceled the exam
We canceled the conferences
Forgot keys, forgot phone

Story time

What’s this?
Shocking! Rihanna was cursed
A giant outside
Sitting by the well playing

To Much Information

That shit made my day
Celebrate independence day with a hard boner

PHP: Anti-spam CAPTCHA using photos

I’m just finishing up a quick PHP project at the moment, which allows anyone to register an account – so as the final step before launching it, I needed to add some form of CAPTCHA system. I tried a couple of 3rd party ones and source code ones and none quite worked for me. This post gives full source for a simple user-friendly photo-based CAPTCHA in PHP. Use at your own risk – but it’s short and easy to integrate.

NB: this was more a quick-and-dirty practice exercise than a serious attempt at a CAPTCHA. I don’t believe in CAPTCHAs, generally – but if you ARE going to use them, it’s best to have a lot of them in the wild, so it’s harder for crackers to do “crack once, spam everywhere”. See the section at the bottom for links to suggestions for other people’s CAPTCHAs that I reckon would be better for production use if you can get them to work :).
Continue reading

Dear weer001 @…

Please stop spamming the blog, not for me, but for yourself. There are multiple layers of spam filter (you may have noticed that none of your fake posts has got through so far), so I have the luxury of having the few “uncertain” hits emailed to me, because there’s so few. If that changes, I’ll just add another filter. I wouldn’t normally call one person out, but … your comments keep getting sent to me for moderation, and it appears you are actually *writing them by hand*.
Continue reading

EA DRM redux

(in case you hadn’t been following, this year EA has been putting some particularly nasty DRM on their most-hyped games such as Spore and the Crysis expansion; but unlike previous years, there’s been public outrage)

A couple of things of note here:

EA thinks it can get away with what many consider lieing and cheating – and then having the CEO publically insult the customers

  • Lies: they claim it’s all about piracy (the evidence suggests strongly that it’s about preventing 2nd hand sales while shoring up the artificially high prices that EA’s products retail for)
  • Cheating: EA’s PR people claim you can always get around their dodgy restrictive-use business practice by calling a phone line, that they own and operate (there’s no reason they need to keep that phone line open, and there’s no guarantees that they will honour the customer request)
  • Insulting: the new CEO, who came in on grandiose claims of reforming the company after the scandal of EA-spouse which revealed some very nasty internal practices of the company (apparently institutionalized abuse of its own staff), spoke to one of the largest trade-press websites and told them the people complaining were probably just pirates or stupid (*) (again, this is clearly not the case)

(*) “half of them were pirates, and the other half were people caught up in something that they didn’t understand” – see halfway down the article.

Apparently, little or no lessons were learnt with the public outcry over Spore

…in that the damage seems to be happening all over again with Crysis: Warhead, the same identical problems (c.f. the massive negative and ratings). I would have thought that a publisher the size and power of EA would have managed to prevent “another Spore” – if they had wanted to.

Maybe the fallout isn’t so bad this time? There aren’t quite so many negative reviews this time around, but then Crysis:Warhead wasn’t so big a game as Spore, either in marketing or in predicted sales figures.

Amazon changes it’s mind about its policy on user-reviews more often than a Politician trying to appease the electorate

They’re there! Amazon is full of negative User-Reviews!

They’re gone! They’ve all been deleted!

They’re back again! They’ve been reinstated!

(this happened with Spore. Fair enough. They weren’t sure what to do).

But … reading the comments and off-site commentary apparently it just happened all over again with Crysis: Warhead. Huh? Why? What’s going on over at Amazon HQ?

(I’m getting visions of engineers in a central control room fighting over the keyboard of a machine running an SQL database client, alternately deleting and reinstating the comments, while a prematurely-aged sysadmin huddles in the corner weeping to himself)

The customers are refusing to be tricked into damning themselves; what appear to be EA’s shills are being spotted and beaten at their own game

Witness this fascinating comment on review page for Crysis: Warhead:

C. Chapman says:
[Customers don’t think this post adds to the discussion. Show post anyway.]
I’m so glad to see Amazon has taken steps to filter out all of the useless nonsense being said by the DRM protestors.

Brian W. says:
Hey dude, Amazon just reposted all of the bad reviews and this game is down to the 1.5 stars it had a few days ago.

J. Schwarz says:
Don’t even bother responding to this troll Chapman, he is obviously a company man who is afraid that EA may go out of business. In fact he truly has something to worry about b/c the only other job he could get was shoveling the bs and for that he had to pass an IQ test which he failed.

WolfPup says:
I’m not sure which is more sad. Is Chapman an actual person, who honestly holds such crazy beliefs? Or is Chapman a corporate troll, who thinks that insulting non-crazy people will somehow make their activation DRM acceptable?

Either possibility is frightening.

Paul Tinsley says:
I think Chapman is employed to post. He does use a classic strategy that involves discrediting the thread by making the discussion descend to a personal level. He also attempts to alienate the protest away from the topic by declaring them to either be criminals or a small sector of the community that isn’t even a targeted customer. It’s textbook “digital” insurgency or deep strike, just choose your analogy and most will fit.

WolfPup says:
Interesting. I guess I just thought someone working for a corporation would be more professional about it or something, but…yeah…I probably didn’t think that through very well. They’re not above using any types of tactics.

I guess he’s still a corporate shill even if he’s not paid, but I’m leaning heavily towards him being paid after reading your post.

Paul Tinsley says:
Think of Chapman as a sort of “troubleshooter”. He’s not the sort to polish the company front line, he’s the clandestine stealth agent, sent forth to discredit the argument, to make people think they we can’t hold a solid debate without being personal and also to convince casual readers that our complaint is irrelevant. If Chapman was just another gamer like you or I, he wouldn’t waste so much time trying to make us all “look like idiots” as he might put it.

WolfPup says:
Yeah, you’re probably right. Unfortunately I have a pretty low opinion of how stupid and/or evil people can be, at this point in my life so I don’t really doubt there could be someone out there that clueless about these (or any other host of) issues :-(

Paul Tinsley says:
Well, I will be called delusional and paranoid for stating my opinion. Neither are true, as anybody who thinks that limited activations is better than no activations isn’t thinking like a consumer, they are working to a different agenda.

It doesn’t so much matter whether the OP was a shill or not, it’s the reaction that interests me.

I remember a time (“in the olden days, when I were a lad”) when the audience who A) cared and B) understood the issues were generally teenagers and a very narrow band (niche within a niche) of hardcore gamers with little experience of expressing themselves or dealing with sly cunning bastards. Those people would easily get sucked into tit-for-tat rants and regularly derailed (and sidelined) in such conversations. It was almost too easy. I was once one of them :).

Nowadays, I believe there are three differences.

Firstly, the audience who cares is much more mass-market (mostly IMHO thanks to the arrival of Playstation in 1995, and Sony’s successful marketing of it to young-professionals instead of just children), skews somewhat older (although still noticeably heavily biased towards young and male for many of the PC games, action PC games in particular), and is generally more experienced with the gamut of humanity and the tactics they employ.

Secondly, and this one surprised me, the subset who grok the issues seems to have massively expanded over the past 10 years. If you read through the negative comments, the arguments against DRM are often cogent, direct, and well-informed. Views that were once only understood and appreciated by readers of TheRegister seem to be (finally!) making their way into the mindsets of the public at large. I am beginning to think that we may yet manage to rescue ourselves and our futures (and those of our children) from the idiots who seek to make Copyright last 100 years, put a 10-year minimum jailterm on anyone who copies a *digital file*, and want to force everyone to carry compulsory, biometric, ID cards.

Finally, the audience of hardcore gamers themselves seems to be a lot more skilful at manipulation, especially the “people hacking”/social engineering skills. They are much harder to deceive, and much harder to defeat, compared to the days of Usenet (and here I’m very happy to accept I may just be deceiving myself with my own sentimental memories). If that’s the case, I believe it’s a direct result of the increased prevalence of online communities, especially out-of-game communities, and to a lesser extent in-game communities: these things have made people better at dealing with other people, in ways both good and bad.

RSA Conference 2008 (London)

I’m there now, drop me a line (see About page for email) if you’re around.

I’ve just given a quick presentation introducing the ENISA’s (European Network and Information Security Agency) whitepaper on “Security and Privacy in MMO’s and VW’s”. It’s free, and it’s fairly simple (aimed at everyone from consumers to governments), worth a read if you’re interested but relatively new to this stuff. Contributors include people from Sulake (Habbo Hotel), CCP (EVE Online), NCsoft, and people like Richard Bartle and Ren Reynolds.