Twitterank – celeb or peon? @t_rank

my Twitterank is 9999.99 http://twitterawesomeness.com/

Just a short post to remind users to be careful with their online credentials.

Twitterank appears to have grabbed the limelight (tonight, GMT) as one such web application that relies on folks wanting to be popular…or at least find out how popular (or not) they are in comparison to some metric that ranks them over other users.

However, it’s basically a user-name and password harvesting mechanism. I have a suspicion that it’s a social experiment and all those passwords that were collected will not be used for anything dodgy. Whatever the truth, in the wrong hands the possibilities are endless – here are a couple to worry you: @blowdart and @camurphy

camurphy: @blowdart @dacort – true evilness would be to post random tweets from random victims…did I just say that out loud?

blowdart: @CAMURPHY @dacort Stuff like “I’m wearing my sister’s panties”. DO IT!

If you have received a Twitterank, my advice to you is that you change your Twitter password immediately. Once you’ve done that, any other places that you use that same password for, change it there too.

A safe parody of the site can be found here, courtesy of @dacort.

There’s more here:
http://blogs.zdnet.com/collaboration/?p=163
http://mashable.com/2008/11/12/twitterrank/
http://www.louisgray.com/live/2008/11/twitterank-can-have-my-password-no.html
http://www.guardian.co.uk/technology/blog/2008/nov/13/twitter-password-security

If you must rank yourself, check out twitter.grader.com – it doesn’t need your password to give you some feel-good factor!

Oh, @t_rank, I’m still waiting for reply to this polite request!

Announce – DDD Scotland 2 – 2nd May 2009

What/When/Where:
Following the success of DDD Scotland in May 2008, I’m pleased to announce that DDD Scotland 2 will be held on the 2nd of May 2009 in Glasgow.

As usual, DDD Scotland will follow the same pattern as the highly successful DDD events held in Reading.

Barry Dorrans wins a prize for the most humorous announcement so far – check out his post over here! Barry’s use of McDDD, whilst possibly stereotypical, has made a few folks laugh over at Twitter! I’m not so sure about JockDDD, but I’m laughing anyway!


How to Talk to (Geek)Girls Online…Etiquette (link through)

Via Twitter (@UMLGuy), I found myself reading a blog post by Dana Coffey (@crazeegeekchick).

Now, even if I wasn’t married, I wouldn’t dream of doing any of the crazy things that Dana mentions in her blog entry. It’s just not the done thing.

Take Dana’s rule of all rules as an example:

It never ceases to amaze me that men online feel perfectly comfortable asking me about my sexual proclivities or describing their own – and they don’t even know the color of my eyes.

Come on, guys, whoever you are, wherever you are: please take heed of Dana’s advice…you’re letting the side of decency down.

Here’s the full blog post: How to Talk to (Geek)Girls Online– Social Networking Etiquette

Cleaning up after the WordPresz 2.6.4 incident

As many of you are probably aware, earlier this week I noticed that my trusty WordPress blog was duping me into downloading and installing an essential security upgrade to version 2.6.4. At the time, I was running version 2.5.1. You’re possibly wondering why I had not already upgraded to an authentic WordPress 2.6.x release…I am after all, supposed to be setting an example. Well, a number of factors delayed the upgrade – most notably lots of travel and a few time-consuming home-life issues meant the upgrade was put on the back burner. Via The Register, Sophos picked up on the hack, classifying it as Troj/WPHack-A. I managed to record a short video of the dashboard hack; notice that I’m at WordPress 2.6.3…

That being said, a small part of me always prefers to wait a while before upgrading, i.e. I don’t like to upgrade immediately. If memory serves me, I recall a WordPress upgrade that caused me a few minor problems because I upgraded the moment it came out – it was soon followed by a further release. Anyway, I’m digressing.

Since Monday, I have upgraded to WordPress 2.6.3, twice. Naturally I used the definitive link for getting my hands on the 2.6.3 zip file. On both occasions the WordPresz 2.6.4 upgrade advice was still appearing in my dashboard. I’ve also been liaising with the good folks over at WordPress and have followed as much of their advice as I can at this stage. Huge thanks to the WordPress chaps for picking up on this issue – whilst it hasn’t affected me, I’m sure some folks have accidentally installed the fake 2.6.4 release.

My second install of 2.6.3 saw me cleaning out the wp-admin and wp-includes folders and then FTPing a fresh 2.6.3 set of files. I then started poking around in the WordPress database – table wp_options caught my attention. Themes tend to leave a lot of fingerprints in wp_options, as do a number of plug-ins. I cleaned out around about 40% of the wp_options records that were related to themes I no longer have installed.

After further searching, I found the field dashboard_widget_options:

As you can see, the WordPresz 2.6.4 injection text, or at least part of it, is in there. In order to remove it from my dashboard, I simply removed the entire contents of the dashboard_widget_options field, i.e. its content is empty – I did not delete the entire record. WordPress was kind enough to recreate the contents of this record.

Further poking around in wp_options revealed an RSS record: rss_412e29f6467d015b137ccc293b42bdff. Its contents were familiar:

O:9:"MagpieRSS":17:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:1:{i:0;a:4:{s:5:"title";s:43:"High risk vulnerability for WordPress users";s:11:"description";s:132:"High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.";s:4:"link";s:21:"http://wordpresz.org/";s:7:"summary";s:132:"High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.";}}s:7:"channel";a:7:{s:5:"title";s:43:"High risk vulnerability for WordPress users";s:4:"link";s:21:"http://wordpresz.org/";s:11:"description";s:29:"Just another WordPress weblog";s:13:"lastbuilddate";s:31:"Thu, 30 Oct 2008 02:29:53 +0000";s:4:"docs";s:34:"http://backend.userland.com/rss092";s:8:"language";s:2:"en";s:7:"tagline";s:29:"Just another WordPress weblog";}s:9:"textinput";a:0:{}s:5:"image";a:0:{}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:4:"0.92";s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:13:"current_field";s:0:"";s:17:"current_namespace";b:0;s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}}

I elected to remove (delete) that record (rss_412e29f6467d015b137ccc293b42bdff and rss_412e29f6467d015b137ccc293b42bdff_ts – I would imagine your field names might look a little different to mine).
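To make the wp_options check above repeatable, here is an added Python example (my own, not code from this post or from WordPress): a small reader for PHP’s serialize() format, which is what the rss_ and dashboard_widget_options records are stored in, followed by a scan that flags any cached record whose links point somewhere other than wordpress.org. The sample rows are constructed for the example and modelled on the record shown above; the hash-named option name is the one from the post, the other option names and values are invented.

```python
import re
from urllib.parse import urlparse

# --- minimal reader for PHP serialize() output (types N, b, i, d, s, a, O) -----

def _parse(data: bytes, pos: int):
    """Parse one serialized value starting at data[pos]; return (value, next_pos)."""
    t = data[pos:pos + 1]
    if t == b"N":                                   # N;
        return None, pos + 2
    if t in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:0.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        val = raw == b"1" if t == b"b" else int(raw) if t == b"i" else float(raw)
        return val, end + 1
    if t == b"s":                                   # s:<byte length>:"...";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                           # skip :"
        val = data[start:start + length].decode("utf-8", "replace")
        return val, start + length + 2              # skip ";
    if t in (b"a", b"O"):                           # a:<n>:{...}  O:<len>:"Class":<n>:{...}
        colon = data.index(b":", pos + 2)
        out = {}
        if t == b"O":
            name_len = int(data[pos + 2:colon])
            out["__class__"] = data[colon + 2:colon + 2 + name_len].decode()
            pos = colon + 2 + name_len + 2          # skip ":
            colon = data.index(b":", pos)
            count = int(data[pos:colon])
        else:
            count = int(data[pos + 2:colon])
        pos = colon + 2                             # skip :{
        for _ in range(count):
            key, pos = _parse(data, pos)
            out[key], pos = _parse(data, pos)
        return out, pos + 1                         # skip }
    raise ValueError(f"unsupported type {t!r} at offset {pos}")


def php_unserialize(data: bytes):
    """Unserialize a complete PHP value; reject trailing bytes."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


# --- scan the unserialized value for links outside the expected hosts ------------

def find_links(value, path=""):
    """Yield (path, url) for every http(s) URL found in any string leaf."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from find_links(v, f"{path}/{k}")
    elif isinstance(value, str):
        for url in re.findall(r"https?://[^\s\"'<>]+", value):
            yield path, url


def flag_offsite_links(serialized: bytes, allowed_hosts=("wordpress.org",)):
    """Return [(path, url)] for links whose host is not an allowed host or a subdomain of one."""
    hits = []
    for path, url in find_links(php_unserialize(serialized)):
        host = urlparse(url).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
            hits.append((path, url))
    return hits


def audit_options(rows, allowed_hosts=("wordpress.org",)):
    """rows: {option_name: option_value bytes}. Returns {option_name: flagged links}."""
    findings = {}
    for name, value in rows.items():
        if value[:2] not in (b"O:", b"a:"):          # plain strings/ints are not serialized
            continue
        try:
            hits = flag_offsite_links(value, allowed_hosts)
        except (ValueError, IndexError):            # corrupt value: skip, do not crash the audit
            continue
        if hits:
            findings[name] = hits
    return findings


# --- constructed sample rows, modelled on the wp_options records in the post ------
FAKE_RSS = (
    b'O:9:"MagpieRSS":2:{s:5:"items";a:1:{i:0;a:2:{'
    b's:5:"title";s:43:"High risk vulnerability for WordPress users";'
    b's:4:"link";s:21:"http://wordpresz.org/";}}'
    b's:7:"channel";a:2:{'
    b's:5:"title";s:43:"High risk vulnerability for WordPress users";'
    b's:4:"link";s:21:"http://wordpresz.org/";}}'
)
GENUINE_RSS = (                                      # constructed benign feed cache
    b'O:9:"MagpieRSS":2:{s:5:"items";a:1:{i:0;a:2:{'
    b's:5:"title";s:21:"WordPress 2.6.3 fixes";'
    b's:4:"link";s:27:"https://wordpress.org/news/";}}'
    b's:7:"channel";a:2:{s:5:"title";s:9:"WordPress";'
    b's:4:"link";s:21:"http://wordpress.org/";}}'
)
SAMPLE_ROWS = {
    "rss_412e29f6467d015b137ccc293b42bdff": FAKE_RSS,          # option name from the post
    "rss_412e29f6467d015b137ccc293b42bdff_ts": b"1225333793",  # constructed timestamp row
    "rss_constructed_benign_example": GENUINE_RSS,
    "siteurl": b"http://example.com",                          # not serialized, skipped
}

if __name__ == "__main__":
    for name, hits in audit_options(SAMPLE_ROWS).items():
        print(name, hits)
```

Run it against a dump of `SELECT option_name, option_value FROM wp_options` and anything flagged is a candidate for the same treatment as above: empty the field or delete the record and let WordPress regenerate it. The reader deliberately refuses trailing bytes, because a value that does not unserialize cleanly is itself worth a look.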

My WordPress 2.6.3 install is now looking a little healthier. However there are still a number of unanswered questions. How did the 2.6.4 information make its way into the wp_options table? Was it a WordPress or a MySQL exploit or was it something else? Has my MySQL database password been compromised in some way? What about my FTP password? Was a malicious theme responsible for this compromise? I am very close to developing a theme myself, hopefully that learning curve will help me find answers to some of these questions. Who knows the answers to these questions? Hopefully over time the truth will out, I would certainly like to know.

Whatever the case, my blog hasn’t been visibly owned as yet…I suppose time will tell. In the meantime, password changes are aplenty!

Blogging frequency: affected by [business] travel

As some of you may know, I’ve been doing some stats recently – there must be something in the air!

Anyway, as part of another stats gathering exercise, I found myself looking at a list of blog entries that I had made over the past 12 months to October 2008. Looking at the list, it was obvious that there were a couple of significant dips and the odd peak. The dips were typically the result of [business] travel to London. The peaks were the result of a Microsoft product launch and the use of a single post to capture “my week” – largely to document the trials and tribulations of business travel, but occasionally to capture other more interesting events!

WordPresz 2.6.4 – fake?

When I logged into my admin account for my WordPress blog, I was surprised to find this waiting for me in the dashboard:

UPDATE 07/11/2008: Watch a short (less than 60 seconds) video demonstrating the dashboard hijack.

UPDATE 08/11/2008: Cleaning up after the WordPress 2.6.4 incident. Note that I did not install the fake 2.6.4, so it’s not a clean up for that scenario.

Wordpresz.org appears to be a spoof of wordpress.org. With the exception of the download link and one or two others (Facebook link, etc.) all the pages lead back to the front/home page.

I’ve just downloaded the wordpresz 2.6.4 offering to see what’s different. If I find anything, and if time permits, I’ll update this post.

22:26 UPDATE
Just looking at the respective home pages for WordPresz.org vs WordPress.org, a few differences jump out – check out items 1, 2 and 3 below.

Item 1 – the download size is too round and is incorrect, it should be about 1.4 MB in this case.

Item 2 – these are randomised over at WordPress.org, but are static at WordPresz.org.

Item 3 – The real WordPress.org has a “Showcase” link included.

Indeed, the source for both home pages reveals that WordPresz.org is simply an earlier snapshot of WordPress.org.

Looking at domain data for WordPresz.org, there are a few holes here. Google hasn’t indexed this site? What about the Alexa ranking?

Whereas, WordPress.org is pretty popular with Google and has an Alexa ranking.

23:59 UPDATE
Via Clayton, this may well be part of the problem. There’s further comment on the WordPress support forum too. I’ve since upgraded to 2.6.3 via the WordPress.org download.

The moral of this story: keep on top of WordPress updates and security fixes.


Images grabbed using TechSmith‘s SnagIt – an essential tool for developers and bloggers alike. With thanks to Betsy Weber


Open XML – Resources

This post serves as a placeholder for my Open XML links, resources, etc. I will update it from time to time.

History
04/11/2008 – I’ve updated the demo code to include the code used in my screencast demonstrating Word 2007 Content Controls.

03/11/2008 – I’ve updated the demo code to include examination of the customXML file that is populated by the content control example (ContentControl.docx). Demo 5 shows how we can inject our own XML into the content controls.

Demo 6 presents the few lines of code required to extract the XML (as populated by the content controls) into an XmlDocument. Once the customXML is in an XmlDocument we are free to access the nodes as required.

Thus we are now in a position where we can create a document with custom data present, pass it to a user, the user can amend the custom data, save the document and send it back to us. We can then extract that custom data for subsequent processing. I will prepare a short screencast to demonstrate this – watch this space.
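The round trip described in Demos 5 and 6 (inject our own XML into the customXml part, then pull it back out of the returned document) can be shown without the Open XML SDK, since a .docx is a zip package and the content-control data lives in customXml/item*.xml. This is an added Python example of mine, not the demo code from this post: it builds a minimal package-shaped zip in memory (a constructed stand-in, not a real Word file), replaces the customXml part, and extracts the fields again, treating the part as untrusted input by capping its size.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAX_PART_BYTES = 1_000_000   # constructed cap: data parts are small, refuse oversized ones


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-shaped zip in memory (placeholder parts, not a real Word file)."""
    custom_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<order xmlns="urn:example:order">'          # constructed namespace
        '<customer>A. Customer</customer><quantity>12</quantity>'
        '</order>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")          # placeholder
        z.writestr("word/document.xml", "<document/>")          # placeholder body
        z.writestr("customXml/item1.xml", custom_xml)           # the data part
        z.writestr("customXml/itemProps1.xml", "<datastoreItem/>")  # store properties, not data
    return buf.getvalue()


def extract_custom_xml(docx_bytes: bytes):
    """Return {part_name: {local_tag: text}} for every customXml/item*.xml data part."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if not (name.startswith("customXml/item") and name.endswith(".xml")):
                continue
            if "itemProps" in name:            # property parts describe the store, skip them
                continue
            if info.file_size > MAX_PART_BYTES:
                raise ValueError(f"{name} exceeds {MAX_PART_BYTES} bytes")
            root = ET.fromstring(z.read(name))
            fields = {}
            for el in root.iter():
                if el is root:
                    continue
                tag = el.tag.rsplit("}", 1)[-1]   # drop the namespace prefix
                fields[tag] = (el.text or "").strip()
            result[name] = fields
    return result


def replace_custom_xml(docx_bytes: bytes, part_name: str, new_xml: str) -> bytes:
    """Return a copy of the package with one customXml part replaced (Demo 5 style injection)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_xml.encode("utf-8") if info.filename == part_name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print(extract_custom_xml(doc))
    edited = replace_custom_xml(
        doc, "customXml/item1.xml",
        '<order xmlns="urn:example:order"><customer>B. Customer</customer><quantity>3</quantity></order>')
    print(extract_custom_xml(edited))
```

A real document returned by a user would be opened the same way; the only difference is that the part names and namespace come from the content controls you bound, and the size cap and namespace stripping are there precisely because the document has been outside your control in between.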

28/10/2008 – Posted pre-VBUG Newcastle inaugural delivery of An Introduction to Open XML. Download the slides and Visual Studio 2008 / Open XML SDK 2 CTP1 demo code. It’s likely that I will update this code to reflect further CTP releases.


Eric White’s blog entry about the first CTP of the Open XML SDK V2.

Microsoft’s primary Open XML portal, OpenXMLDeveloper.org.
Microsoft’s on-line forum for Open XML

OpenXML Code Snippets (for Visual Studio 2005) (Managing code snippets)

Blogs
Brian Jones
Mauricio Ordonez
Doug Mahugh
Kevin Boske
Erika Ehrli
Gray Knowlton’s OpenXML content

Product/Technology Blogs
XPS
Word
Excel

Videos
Open XML File Formats

Using Word 2007 Content Controls
Matthew Scott: Application Development using the Open XML File Formats
Matthew provides an excellent explanation of Word 2007’s content controls and customXML parts. Before OpenXML you probably found yourself using Word bookmarks to leave placeholders inside a Word document – content controls essentially replace those.

Andrew Coates has some excellent information about using Content Controls in conjunction with Matthew’s Word Content Control Toolkit (available on CodePlex).


The Fake Sarah Silverman Show @sarahsilverman @fake_sarah_silv @imKM

The Internet is awash with security issues, none more so than the social networking sites in which so many users place considerable amounts of trust and belief. Today, users can sign up on such sites as Facebook and Twitter (to name two that I use) without any form of secondary credential check, i.e. you can sign up and be whoever you want to be. Evidence of this kind of impersonation can be found in my earlier blog entry where I discussed the “celebrities” who appear to be on Facebook.

From social networking to micro-blogging, the impersonation continues. During October the Twitter community was delighted to see Stephen Fry appear in the “Twitterverse”. Our delight continued when Stephen chose to follow a vast horde of us. John Cleese enjoyed similar celebrity status. However, Stephen and John were accepted into the Twitterverse without a second thought regarding their authenticity. It didn’t take long to spot that Stephen and John were standing on the “I am who I say I am” side of the fence. Their writing style is most eloquent and is rather recognisable.

Enter Sarah Silverman…on Twitter:

I read the Twitter stream reasonably carefully, checking a few things along the way. The stream mentioned London as a destination – true – the real Sarah Silverman did a gig at the Hammersmith Apollo last Sunday. A few other things checked out. What caught my eye was the fact that she was riled by the fact that she had lost a follower…so I suggested a web-site that might help her in the future. At that point the fake @sarahsilverman started to follow me, I was 1 of 23 folks she was following. And I remained 1 of 24 folks she was following whilst her followers grew from a handful to over 600 – this is most odd and served as a clue to something fishy.

The clue trail…
There’s not much to report about the profile picture or the user-name. Over the course of the period 23/10/2008 to 26/10/2008, @sarahsilverman used at least two profile pictures – these were probably sourced from a variety of on-line photo repositories. If there were any clues to be found in the profile picture, I didn’t spot them.

Next up, the Biography and web-site details:

This is where it gets amusing. Silverman’s TwitterJacker made every effort to make the biography as real as possible. She (or he, more about why I say this shortly) even provided a link back to the real Sarah Silverman’s “Unofficial” web-site: http://sarahsilvermanonline.com/. Ironic, but still nothing hugely obvious there – anybody could obtain this information and set it up as it was here. However, even before I started following @sarahsilverman, I had my doubts about the authenticity of the textual content and writing style. I took the liberty of questioning the authenticity of celebrities in general. This prompted a rapid change in the biography text, previously it didn’t contain the text “and omfg i’m not going to say if i’m real or not”. OK, not really clues, however the use of “i’m” is a small clue. As is the use of “not” twice – the second “not” should really be replaced with “otherwise”.

I took the bait “Leaving for a bit. again! ~ as said ~ you should follow @imKM … see… isn’t that weird.” Prior to that bait finding its way on to the fake @sarahsilverman’s Twitter stream, a request for follow @imKM had arrived via a direct message: “…twitter friend ~ imKM?” What I found interesting about this approach was @imKM’s background image. I can’t be sure, but it does look like Sarah Silverman is in the background of this photograph:

I don’t know, perhaps @imKM happened to be using the cash point ahead of the real Sarah Silverman and decided to grab a photograph? Who knows for sure? Whatever the truth, when I mentioned this to the fake @sarahsilverman in a direct message, she responded “Yes, people say Photoshop but, he corrected me. It is actually faded with “LiveQuartz”. neat huh. say. are you not following my best… “

Connected to the background image challenge, during 25/10/2008, as the truth started to unfold, this tweet was a further clue to feathers being ruffled:

@imKM needs to stop using my photoshoped image. [http://www.youtube.com/videosbykm] he set it as his background.

Still at 24/10/2008, I had confirmed that both the fake @sarahsilverman and @imKM were using Apple Macs for their tweets. Both Twitter streams exhibited over-use of the tilde character “~”. Via a direct message, I challenged the fake @sarahsilverman about the use of the tilde – oddly I am unable to lay my hands on that direct message, I can’t see it in my sent items stream. However, the fake @sarahsilverman replied: “or a creative thing”. It’s a small thing to notice, however two people who instant message each other a lot will pick up on each other’s habits. Or, a single person using two Twitter accounts will make the mistake of following the same habits.

On Sunday 26/10/2008, it became evident through a self-confession that @sarahsilverman wasn’t the real Sarah Silverman. Prior to the self-confession, a few blogs picked up on it, here and here. The @sarahsilverman feed vanished and was replaced with @fake_sarah_silv. The first truthful post announced:

“My name is Sarah Ascher, friend of @imKM; not @imKM. I am sorry. This started as a joke, I guess people can’t take it.”

For a few minutes the @fake_sarah_silv continued to use the same Twitter background. This was probably an oversight as he or she was too busy undoing the web of deceit that had unfolded so rapidly:

Very soon after the confession tweet, @fake_sarah_silv finally changed the background image:

Of course, at the time of writing, it hasn’t been confirmed that Sarah Ascher even exists. As many Twitter users predicted, @fake_sarah_silv and @imKM could be the same person. Whatever the case, it was a shameful attempt to drive traffic to @imKM’s content. KM himself (we must assume that it is a he!) eventually wrote a lengthy piece attempting to distance himself from the whole quagmire. Amusingly, @imKM was rather quick to quash any thoughts that he had a crush on the real Sarah Silverman! I must admit, the crush thing was first on my thoughts once the @imKM follow request appeared – that and the fact it appeared to be Sarah Silverman in @imKM’s background image.

Anyway, not surprisingly, it seems @imKM was somewhat disturbed by some of the tweets he was receiving:

I hope your parents have a good lawyer little boy.

heaven forbid your take responsibility for your actions

I don’t imagine that this will go away in a hurry; there are probably a few more days of fall-out to be had whilst bloggers and Twitterers around the globe pick up on it. In the meantime, at 23:22 in the UK on 23/10/2008, @sarahsilverman is strangely still available. If the real Sarah Silverman reads this (hey, it’s possible surely?) perhaps it’s time you grabbed your presence on Twitter before somebody else does this all over again? Other micro-blogging sites are available.

Your take-away…
@imKM was attempting to drive web traffic to his blog and video site by relying on the hard work and goodwill of other folks. Whether you like the real Sarah Silverman or not, it had an effect: 600 followers for the fake @sarahsilverman within a short space of time. @imKM received a few extra followers, however now his reputation has taken a serious beating. Small mistakes, and failing to follow accepted Internet etiquette and Twitterquette, led to the downfall being as rapid as it was. If @imKM had been patient and exercised some care, he could have kept this charade running for weeks or months.

The moral of this blog post is still the same as it was when I wrote about impersonation last year. There are many places on the Internet where it is necessary to verify who you are and in some way prove that you are who you say you are (authenticity), however very few places actually implement such checks – even some of the big banks struggle to do this properly.

It’s difficult to offer any guaranteed advice that can help you spot fakes, hopefully this post provided a few things to look out for. In social networking and indeed, in micro-blogging situations, it’s always worth checking out the friends/followers of the person you are about to connect with. Take a look at the people that person connects with, do they look like the kind of people who would connect with each other?

Oh, 23:25 in the UK on 26/10/2008 and http://twitter.com/fake_sarah_silv does not exist!

Finally, it was lovely to write this blog post as if I was on first name terms with Stephen and John. I am, of course, not and I will convey my apologies to Mr Fry and Mr Cleese when I next meet them.



Craig Murphy: author, blogger, community evangelist, developer, speaker, runner