December 2003 Archives

I'm getting fed up with the programming community's refusal to think like the enemy. Many web applications which have something to do with email (most of them) utilize techniques to obfuscate email addresses. Geeks also do it when they post to public forums thinking that it will protect them from spam. This whole canon of obfuscation is a total joke. Let me give you some examples of what people are doing and why it's dangerous. I say dangerous because a false sense of security is far worse than no security at all.

Movable Type

Movable Type utilizes a technology called spam_protect. It turns user@example.com into user@example.com. Those funny looking strings where the @ sign and . used to be are html encoded versions of the @ and . signs. The idea that this would prove to be anything more than a hiccup for a spammer is ludicrous. I'll just give you an example rule that a spam harvesting robot could use. If you find the string ".com" or ".org" or ".net" in a web page, search backward for the first space and capture that as an email address. Then either interpret the address through an html interpreter or simply do a search and replace for the two strings to turn them into @'s and .'s. I could write this in one line of code, and I can't program worth shit, definitely not well enough to write an efficient spam harvester.

php.net and every geek out there

So you've probably seen this clever technique where the @ sign is replaced with the word at and the . is replaced with the word dot. You'll find this on comments all over slashdot. This way the spam harvester can't merely look for an @ sing or a .com. I'm sorry, but this is never going to work. How often in normal text do you see any of these words being used. Dot, Com, Org, Net. Ok, net is probably common, but "dot". Looking for ".com" and looking for " dot com" seem about the same to me. Again, a harvester would bypass this trick with a single line of code.

Mailman and many other programs

The reason that this has come to my attention is two fold. One, I recently disabled the display of "obfuscated email addresses" through movable type, since a child could write around the obfuscation. I've just installed mailman for our mailing lists (a great program mind you), and it uses just as lame a system. This time it's combining the at for @ and dot for . with a mailto: tag with the full email address. This approach is the worst of all of them. When a human visits a page with email addresses they display as user at example dot com, but when a harvester views them (at an html level, not a viewable level) it has the full email address, user@example.com, right there with a mailto: tag in case it wasn't obvious enough that it was an email address.

I don't have a killer app solution here, but we need to get rid of this placebo shit and accept that we don't have an answer and that we're vulnerable. With the placebo it will just take that much longer for a real solution to be found and implemented.

So I've gotten the pubnight mailing list going. What does this mean you may ask. Well it means a few things.

1. Now its feasible for anyone to propose a plan for pubnight. I've wanted from the beginning for this not to be "my thing" but everyone's. And now that's a reality. Now anyone can send out a pubnight email by just sending it to pubnight at cementhorizon and everyone will get it. That cementhorizon is cementhorizon.com.
2. I won't have to worry about who I'm forgetting to email and who I'm emailing that's wishing I'd stop bugging them about this stupid pub night thing. Everyone can on their own opt in or out over the web. You can send a link to the pubnight webpage, so that others can get in on the fun. Now pub night will be like Dr. Emma Russell wanted cold fusion to be in the movie The Saint.
3. I won't feel guilty about sending out the invite hours before hand since anyone can send one out now. First one out wins.

Head on over to The Pubnight Mailing List page and sign up if you aren't already.

I took some pictures during the blackout in San Francisco the other day. Some 8 second and 30 second exposures in the dark. They came out neat.

Oh, and if I hear one more newscaster pronounce the "Robles" in Paso Robles like the word nobles, I'm gonna lose it.

So Jack just called me from ebay in San Jose. They just had a strong earthquake (6.5). Centered in San Simeon, it didn't even reach San Francisco. This is a weird world we live in that people can live and work so far apart that earthquakes don't affect both places.

So I've gotten briefly famous in the last few weeks for a program that I wrote. It's been inspiring to say the least. I wrote about mt-blacklist a few weeks ago. It's a very useful tool but was missing one piece so I decided to write a helper program to go with it. A few hours later I had mt-blacklist-autoupdate written and out on the net. I then installed it on cementhorizon, it worked great and I forgot about it. Since then people have been downloading it and using it. Here's some of the response (I'm glowing) :

• I’m running Gene’s PHP updater, and it appears to work perfectly.... Jay and Gene: thanks!
• Gene’s little program works a treat. I didn’t know anything about .php or what a crontab was - but I do now! Thanks Jay and Gene.
• It’s similar in it’s operation with Gene Wood’s updater... I’m indebted to Gene’s pioneering work and his Snoopy bugfix (which frustrated me for an hour until I took a closer look at his README file)

At this point another guy, Cheah Chu Yeow, wrote another updater partially based on my code. His program, MT-Blacklist Update uses lots of mine and looks to be pretty cool.

Anyhow, I'm just so proud to have my skills recognized and praised, not something that happens much in my life.

So I went to see Pinback last night at the Starry Plough with Allen and Sean. I started chatting with a guy from Texas who was there to see the opener, Aspects of Physics. I hadn't heard of them and didn't bother to ask what they were all about. They came on stage and had a number of laptops set up which I thought was odd. Pinback is a indy rock band + piano. AOP started out their set and it was undeniably IDM electonica ( Autechre, Aphex Twin, etc. ). It was fantastic, somewhere in between Boards of Canada and Autechre. Half music, half noise. A lot like Mark Gage. They plaid ( bad pun ) a short set and then Pinback came up. They played a good set as well, and I enjoyed them but I was too busy glowing from AOP. A great night all around.

Dear Whoever nocked over my bike this morning,

Firstly, I'd like to say, fuck you. It was so nice this morning to be awoken to the news that my motorcycle was laying on its side in the street. I would like to thank you for making the start of my day, just that much brighter. I'd also like to thank you specifically for neglecting to leave a note, even merely an apology after smashing my bike into the ground. I've spent the morning imagining how wonderful it would be to go up to your car and beat one side in with a sledge hammer. I'm so glad to be a motorcycle owner in San Francisco. This will now be the second time this year that one of my progressive thoughtful brethren in this wonderful city, has seen fit to cause just over 3200$ in damage to my only vehicle. Fortunately the first time my insurance covered the damage, but in doing so devalued the bike such that there would be no point to carry comprehensive insurance anymore. I'm really glad that I had my bike working for a solid 3 weeks before you came by and totally fucked it up. You're a coward, your blatant violation of the social contract that we all live under is appalling, and the fact the you most likely live no more than two blocks from me since who else would park in a residential area at night, makes me want to puke. I hope your parents and spouse die today in some karmic tsunami, and that your car gets stolen and driven off a cliff. Fuck you, you pathetic piece of shit.

Yours,
Gene Wood

I'm continually blown away by the fact that there are certain areas of my life in which I don't adapt. Time passes and I'm the same. The instance of this which brings it to mind is my good friend Jason. Jason is probably the kindest person I know, if it makes sense to use that word these days. He's great, and he probably has better interpersonal communication skills than anyone else I can think of. If I had to choose someone out of my peers to mediate Pakistan India peace accords, it'd be Jason.

Jason also swears a lot. Jason cusses like a sailor. Not your average sailor, but in a way that only Jason can. It seems to be part of a UPS lexicon, but I'm not sure. Classic examples are "Holy fuck on a shit strobe!", "Just last night I was at Erica's new "BLOOD OF THE DEEPEST RED" apartment and the fuckers upstairs were vacuuming at 10:30 at night, then again half an hour later.", "48 per fucking cent gay! ", " Erica! Congratufuckinlations!", "Holy Jesus! Those CNN reports are fake?".

Now the reason I bring this up is because every single time I read "Holy fuck on a shit strobe" it's like touching my tongue to the end of 9 volt battery. Not a big deal, but a shock none the less.

I don't understand it, I swear as much as the next guy. So I guess my finding is the following : props to Jason for bringing back the original kick that cussing had and we have now eradicated by overuse. Huzzah!