Category Archives: Gimpy internet nonsense


Spot the difference competition

Pictured:
1) Vivian James, an embarrassing stereotype of outdated social attitudes and behaviours;
2) Vivian James, an Australian writer.

If you’ve no idea what I’m talking about, then you’ve probably missed #gamergate, the latest example of socially inadequate men attempting to drive women out of ‘their’ space of video gaming.

Here is an excellent short version and here is an excellent extremely long version.

Twitter won’t kill the general feed, cos that’d kill Twitter

Long-time Twitter users, myself included, value it mostly for the general feed (everyone you follow, live and in chronological order) and the ability to replicate the general feed model for specific lists you’ve made of people you follow and for specific search terms and hashtags.

They need the cash to settle this guy’s image rights suit

At the same time, Twitter is a confusing experience for novices and newbies – and to keep the venture capital taps flowing, the service needs to demonstrate growth.

So this week Twitter-the-company has talked about taking something that resembles its existing “discover” feed, which shows some highlights from the last couple of days of a user’s interactions, their friends’ interactions, and paid-for commercial content, and steering new users towards this ahead of the general feed.

This has caused a bunch of people who mostly should know better to lose their shit (sample lazily pulled from the article above):

There is a tiny flaw in their reasoning: it is bollocks.

Why? Well, you need to remember that Twitter’s value – to users and advertisers alike – is completely different from Facebook’s.

Facebook collects detailed demographic information and combines that with your interactions with the site to create a scarily tailored advertising profile. That’s what it’s for. At work this week, I bought a Facebook advert to reach people in Perth, WA who are interested in space exploration. This would have been simply impossible before Facebook existed.

It’s difficult to manage a wide group of stakeholders

Twitter doesn’t. It provides a direct, unmediated platform for anonymous people, pseudonymous people, named people, famous people, and brands, to all interact on the same level. It doesn’t collate demographic information; the demographic profile data it shows to advertisers is based on surveys of people and the networks they use, not on the information they provide to the site.

But the demographic profile it has is extremely valuable: Twitter’s users are older and richer than the users of any network other than LinkedIn. They are also stroppy as hell, as the storm over this issue (not to mention every other issue that there is in the world) has confirmed.

Twitter-the-company has a balancing act to run, trying to bring in new users so it doesn’t get Kiss of Death growth headlines that deter people from putting up money, but at the same time making damn sure it doesn’t alienate its existing users to any degree beyond that which is necessary to sell advertising, because that would also deter people from putting up money.

The way it deals with this balancing act will, absolutely and definitively, not be by turning into a version of Facebook with the targeting data that makes Facebook into Facebook removed.

So stop worrying. It’s not going to happen.

Spiritus in coelum

Ad me quiescam et requiescent cum moriar
Qui optimus in locum ire
Mori cum cubabo
Spiritus in coelum ascendere ad
Spiritus in coelum ascendere ad
Ibi ego ire cum moriar
Ad me quiescam et requiescent cum moriar
Qui optimus in locum ire

Scio te oportet praeparare
Obtinuit amicus Iesu
Ut scias, cum morieris
Ille agnus commendo
Quod spiritus hominis in caelo
Agnus commendo
Quod spiritus hominis in caelo
Illic es amet ire cum morieris
Et cum te ad mori
Qui optimus es agnus dei ire ad locum

Numquam ego peccator peccare
Jesus amicum habeo
Cum moriar, ut scias
Cum me ille agnus
Et spiritus in caelo
In caelo, cum spiritus me O
Ibi ego ire cum moriar
Ad me quiescam et requiescent cum moriar
Et ascende ad locum qui est optimus
Et ascende ad locum qui est optimus

(Nordmannis Lignum Viride fit a Medicus et Medici)

CBA’s Netbank platform was never vulnerable to Heartbleed

The suggestion has been doing the rounds, at least at the more paranoid/self-fancying end of the technology spectrum, that the Commonwealth Bank of Australia (CBA)’s Netbank online banking platform might have been vulnerable to the Heartbleed vulnerability.

TL/DR: it wasn’t.

Heartbleed only hit sites that use certain versions of the OpenSSL secure toolkit, with its Heartbeat function enabled. Netbank runs on SAP for Banking, implemented by Accenture. SAP for Banking is not affected by Heartbleed, which you’d expect given that it runs on Microsoft IIS (“Microsoft” and “open” go together like anchovies and custard). This isn’t a great surprise: no major western-world banks’ online banking platforms were ever vulnerable, because of the massively proprietary, as well as security-crazy, way in which online banking software is developed.

So why all the derp? Well, CBA’s non-transactional Commbank.com.au website does use OpenSSL, was apparently vulnerable to Heartbleed, and was apparently patched after the Heartbleed news broke. You don’t use your Netbank credentials to log into Commbank, it isn’t linked to your secure data, and it uses a different security certificate from Netbank.

This created some scope for confusion – and the scope was fully brought to reality by the combination of utterly stupid PR people, and self-satisfied circle-jerking techies happy to spread unjustified fear among CBA customers.

CBA published a blog post that completely failed to explain the difference between the two platforms, and then responded to comments asking for clarification with a meaningless copy-paste of the original post. Rather than doing the basic research that went into my post here, a whole bunch of tech folk who should know better then went crazy with the “WE DON’T KNOW IF OUR NETBANK PASSWORDS ARE SAFE OR NOT, WOES!!!!!!” line.

Stop it. Your Netbank passwords are safe. Someone in CBA’s PR department needs a long walk off a short pier, is all.

(thanks very much to Johnny and Chris for pointing me towards technical details here. Any screw-ups in this post, of course, are solely my fault.)

Content filtering is stupid, but you are stupider

There’s been masses and masses of fuss over the last couple of days about the implementation of opt-out content filtering for porn in the UK.

As everyone sensible argued in great detail at the time the PM promised it following a Massive Stupid Media Panic, content filtering is pointless: it’s easy to bypass, provides a false sense of security, leads to false positives so that sex education sites get blocked, and puts the infrastructure in place for a more Daily Mail-friendly government to run wider censorship modes.

However, and unfortunately, most of the last couple of days’ Twitter chat about content filtering has involved gibbering idiots who know fuck all about fuck all talking embarrassing nonsense.

O2, one of the UK’s larger ISPs, has thoughtfully provided a tool so you can see how your website is categorised.

Here’s this website:

Like all websites, it’s allowed on the opt-in “open access” feed (where you tick the “I am a dirty whoremonger” box). Like nearly all websites, it’s allowed on the default “default safety” feed (if you leave the “I am a dirty whoremonger” box unchecked). And, like nearly all websites, it is blocked under O2’s opt-in-only under-12 filtering scheme, whose aim is to create a walled garden of whitelisted CBeebies-ish tiny-friendly sites which won’t produce unfortunate results when your kitten-loving sproglet searches for “i love little pussy”.

Because people are monumentally stupid, and crowds even more so, the fact that almost all websites show up as blocked under the under-12 filtering scheme has led to claims that they are blocked under the default filters. Which they aren’t. Almost every tweet today about a website being blocked has been a fuckwit claiming that a website is blocked under the default filter, when it’s actually blocked only on the whitelisted kiddy-friendly filter.

This is not to say that the default filter isn’t problematic. It is problematic. Because it focuses on sex, it is inevitably going to fail hardest at the areas of sex where young people (especially LGBTQ young people) most need information and resources. But if you’re wanking on about how your blog or Wikipedia or the Guardian or basically anything non-sexual has been blocked, then you are a fucking idiot and you are not helping and you should shut up.

Pharma hackers gonna pharma hack, 2013 edition

I was Googling for an old Banditry post yesterday, as part of a discussion about that new ‘people lie about their drinking’ study. Eventually I found it, only to discover that I’d linked to a (London) Times article, and that therefore the paywall had ruined the whole thing (curiously, even though the Times now shows unregistered users the headline, lede and first sentence for new articles, it completely screws up on old ones). So I more or less gave up on the post [*].

While Googling, I was rather surprised to discover the amount of content that I’d apparently written about the availability, acquisition and applications of various medicinal substances (link will hopefully die in a few weeks as Google updates itself). I briefly considered the possibility that in a fit of poverty and/or drunkenness I’d decided to set up my own online pharmacy, then remembered that I’m based in the country with some of the tightest controls on prescription drugs in the world so that would be rather silly. Rather, I’d been hacked.

I’ve been blogging for more than a decade now, so this isn’t the first pharmaceutical spam I’ve experienced: but it is the most insidious.

Creepy crawling

The hacked pages are tainted only to Google’s crawler – if you or I or anyone in the world who isn’t Google’s crawler click through to them, then they appear as originally intended, both in the browser and in the source code. So the spam-merchant gets to benefit from my PageRank without doing suspicious things to my traffic stats or making suspicious links appear on my actual site, which has been the giveaway for previous hacks. They also, cleverly, didn’t go for an out-and-out hack of all pages, so if you google for “johnband.org” or search the site for a specific term that isn’t drug-related, then you’ll get the correct result, with no indication that some of the pages (mostly tag pages, category pages, and monthly archives) exist to Google only as pharmaceutical billboards.

Conveniently, Google has a funky-cool Fetch As Google tool, described here by their engineer Matt Cutts, which allows you to see exactly what the Googlebot sees when it crawls any page on your site. Sticking the affected pages into the tool confirmed that Google was still seeing them as pharmaceutically compromised. And that they’d been this way since last July-August.

So, I junked my evening plans and settled in for a night of Fun With WordPress, PHP, MySQL, Unix Permissions And Google. Which is my favourite sort of fun, obviously.

Hope, cruelly dashed

The top Google hit on the pharma hack, from blogger Chris Pearson, was an extremely well-written summary which described an identical problem to mine. “Result!”, I thought. So I followed Chris’s steps, only to discover that absolutely none of them worked. The trouble is, the pharma spammers are cleverer bastards than I’d thought: once the tricks of your trade are readily visible with a quick Google, you’re at a disadvantage. And Chris’s post dates from April 2010. Three years of malware evolution later, although his macro-level points are still worth a read, the actual techniques described were way obsolete.

Bugger.

So I Googled a bit more, mostly finding sites that repeated Chris’s solution, but eventually happening upon a couple of write-ups that were closer to my problem – at least, in the sense that they also found none of the things Chris describes, nor any of the obvious hacks I’ve experienced before like a doctored .htaccess file or dodgy-sounding access permissions, nor any changes to the main WordPress database… at least, none of the changes that anyone has noted online.

The most comprehensive, although perhaps the least comprehensible unless you’re ultra-techie, was a post from Shaun Green from February 2012. Short version: the current version of the hack creates php files with names that sound like they should be real WordPress files, and distributes them throughout your WordPress install but especially in the wp-includes folder so that they’re almost impossible to find and tell apart from real WordPress files without doing extremely nerdy things.

I’m not really a deep-level coder, so following all of Shaun’s steps sounded rather painful. And my install didn’t contain the specific filenames he lists (https.php and class-sftp.php), so I would have had to literally retrace his steps rather than just following his conclusions.

Instead, I went for a slightly lower-tech option. Everything in the wp-includes folder is a standard WordPress file, which shouldn’t have changed since installation. The same is true for everything in the wp-admin folder, and for everything in the WordPress root folder except for wp-config.php (which I’d already checked to make sure it wasn’t compromised). So I downloaded a vanilla version of WordPress 3.5.1, deleted everything from my install except for the wp-content folder (where themes, plugins and pictures are stored) and wp-config.php, and then copied the untainted files across.

One quick check on Fetch As Google later and – hurrah! – the pharmaceuticals had all disappeared. Now all I need to do is wait for Google to update its cache, and everything should be back to normal.

Gone forever?

While the problem was solved in the short term, it clearly wasn’t solved in the long term: I’d started with an uncorrupted WP installation, and someone had managed to corrupt it. So – after doing the basic password changing things, obviously – I installed Wordfence and Better WP Security. If you host your own WordPress blog (anything that isn’t on wordpress.com), then so should you. Wordfence is the equivalent of an antivirus program for your WordPress install; Better WP Security automates a whole bunch of handy lockdown and obfuscation tricks. Wordfence threw up a few vaguely suspicious files associated with some of the themes that were installed, so I deleted them; everything was then fine.

I’ve also set up Google Alerts that notify me if any new content appears on johnband.org containing various spammy keywords (the usual suspects), which obviously won’t be much use until the current spam-buggered content is removed, but will then allow me to kill any future infections before they’ve completely ruined my search results. I’ll update this post in the event that anything else occurs. If I remember, I’ll update it in a couple of months if nothing else has occurred, since zero is sometimes a helpful data point.

TL/DR: Was quite painful, could have been much worse. If this happens to you I definitely recommend the “for every folder which shouldn’t have changed since WP was installed, delete the folder and reinstall” approach, although do check the database and fix any issues there first. And set up the security things even if this hasn’t happened to you yet, because it probably will.
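The two checks the post describes by hand, written up as a worked example (added here; this is not the blog’s own code or any WordPress tooling): first, the “delete and reinstall” logic turned into an audit that compares a live install against a clean copy of the same WordPress version and reports files that are extra, modified or missing in the folders that should never change (wp-admin, wp-includes and the root files), skipping wp-content and wp-config.php exactly as the cleanup did; second, the Fetch As Google idea reduced to a function that takes the HTML a normal browser gets and the HTML the crawler gets and returns the spammy keywords that appear only to the crawler. The directory layout, the file contents, the rogue file name (borrowed from the post’s description of Shaun Green’s findings) and the keyword watch-list are all constructed for the demo; `demo()` builds both trees in a temporary directory so the whole thing runs offline.

```python
"""Defender-side checks for the WordPress pharma hack described above.

Added example, not the blog's own code.
 1. audit_install(): compare a live WordPress tree against a clean copy of the
    same version; report files that are extra, modified or missing in the
    folders that should never change, ignoring wp-content and wp-config.php.
 2. cloaked_keywords(): given the HTML a browser receives and the HTML the
    crawler receives, return watch-list words that only the crawler sees.
All paths, file bodies and keywords below are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Site-specific locations the cleanup left alone; everything else must match vanilla.
SKIP = {"wp-content", "wp-config.php"}
# Constructed watch-list standing in for the post's "usual suspects".
SPAM_KEYWORDS = ("pharmacy", "prescription", "pills", "discount meds")


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every file under root, minus SKIP entries."""
    out = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if rel.parts[0] in SKIP:
            continue
        out[rel.as_posix()] = _sha256(p)
    return out


def audit_install(install_dir, vanilla_dir) -> dict:
    """Diff a live install against a vanilla tree of the same WordPress version."""
    live, clean = _manifest(Path(install_dir)), _manifest(Path(vanilla_dir))
    return {
        "extra": sorted(set(live) - set(clean)),      # rogue files dropped into core folders
        "modified": sorted(k for k in live.keys() & clean.keys() if live[k] != clean[k]),
        "missing": sorted(set(clean) - set(live)),    # core files deleted or renamed
    }


def cloaked_keywords(browser_html: str, crawler_html: str, keywords=SPAM_KEYWORDS) -> list:
    """Watch-list words present in the crawler's copy of a page but not the browser's."""
    def visible_text(html: str) -> str:
        return re.sub(r"<[^>]+>", " ", html).lower()
    seen_by_browser, seen_by_bot = visible_text(browser_html), visible_text(crawler_html)
    return [k for k in keywords if k in seen_by_bot and k not in seen_by_browser]


def _write(root: Path, rel: str, body: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(body)


def demo() -> dict:
    """Build a constructed vanilla tree and a tampered live copy, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "vanilla"), Path(tmp, "live")
        for root in (clean, live):
            _write(root, "index.php", "<?php require 'wp-blog-header.php';")
            _write(root, "wp-includes/functions.php", "<?php function wp_ok() {}")
            _write(root, "wp-admin/admin.php", "<?php // admin")
        # Legitimately site-specific files: must be ignored, not reported.
        _write(live, "wp-config.php", "<?php define('DB_NAME', 'blog');")
        _write(live, "wp-content/themes/mine/style.css", "body {}")
        # Constructed tampering: a rogue file with a plausible name, and an edited core file.
        _write(live, "wp-includes/class-sftp.php", "<?php /* not part of WordPress */")
        _write(live, "wp-includes/functions.php", "<?php function wp_ok() {} /* appended */")
        return audit_install(live, clean)


if __name__ == "__main__":
    print(demo())
    print(cloaked_keywords(
        "<html><body><h1>Archive: March</h1><p>Posts about beer.</p></body></html>",
        "<html><body><h1>Archive: March</h1><p>Online pharmacy, discount meds.</p></body></html>",
    ))
```

To use the audit for real, point `audit_install()` at the web root and at an unpacked copy of the matching WordPress release tarball; anything in `extra` inside wp-includes or wp-admin is the kind of file the post describes, and `modified` catches the subtler case of a real core file with code appended. The cloaking check needs two fetches of the same URL (one with a browser user agent, one with the crawler’s), which is what Fetch As Google did for the author; only the comparison is shown here.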

[*] Short version of post I was going to write: epidemiological studies into alcohol-related harm are also based on self-reported consumption, so while it’s likely that everyone drinks more than they say, it’s also likely that alcohol is correspondingly less bad for you than those studies have shown, by about the same margin – unless we can come up with valid reasons why people would underestimate in one sort of study but not the other. Also, News Corporation are still unimaginably bad at digital strategy.

An open letter to Roy Wood

Dear Mr Wood –

For your information, in all known dialects of English, the phrase ‘snowman’ refers to a figure of a man which is made from snow (something like a statue, sculpture or perhaps golem), rather than a man who delivers snow.

I understand there is room for confusion here, when considering examples such as ‘milkman’, ‘postman’ and ‘pizza boy’. However, ‘snowman’ is very much in the style of ‘wicker man’ (which is not a term for a gentleman who delivers baskets) or ‘iron man’ (which is not a term for either a gentleman who delivers ferrous metals, or a gentleman who works in a laundry).

Before seeking to write a song that seeks to summarise the Anglophone world’s Christmas traditions, one might have thought you would have done the most basic research into what these traditions actually were. I can promise you that none of them involve a snow delivery gentleman “bringing the snow”.

I look forward to this error being corrected in future releases of your popular chart hit.

Yours sincerely,
John B

PS Happy Christmas!

Artificial John B Impersonator

The text below is the output of my phone’s AI autocomplete app (SwiftKey), based on its knowledge of the things I say and do. My only interaction was to choose between the three suggestions it offered.

I have been made to the park. I am not going anywhere, and I will not receive the item is faulty, but the most important things. The only way I could have a good idea. The problem isn’t with the loan companies, who is a good film, but the subway. I am a real Zeus, and I am not sure what to expect.

The problem is that it is not a good idea. The only thing I have been a bit of fun. I have been a while, but I can confirm that you can get round to the zoo tomorrow, zoo tomorrow. And I know that analgesics, and I am not sure what to expect. I have a glass of wine. I have a glass of wine. The only way I could have a great day and the Machine, but it is. It has an appointment. The quality is the most of my own.

We have to do it. I have a glass of wine.. I don’t vividly the best. If I identified and then I will have the same. Federalism the best. The only problem is the first place to find a job, but the best way of organizing emails into the address below and click the Help section for the next few days ago.

It was a bit of a fine example of the most important thing. But it was a very long time to get the latest version, and the Democrats are total pansies who are not responsible for any reason. I have a glass of wine.

The quality of life and I am not sure what to expect. I don’t think it’s a good time to do it. It is a bit of a new member. I don’t vividly recall his own words. The problem isn’t a problem with your friends, but I guess the queen plays by her own rules.

K is technically right here at the moment. The quality is not a good day and night and then the next day or night. The only way to get a quote from you soon as possible to make a decision on the phone and the other side of things to come and see if you are looking for a few weeks, but it doesn’t matter how much I love you so that.

I have a glass of wine.

Slightly worried that in the reasonably near future, my phone will replace me.

Shot by how many sides again?

Everything retro is coming round again, and so on. In that vein, I’ve dragged some offensive old blog or other from the depths of my spare hard drive. My foreword to the reprint may provide context. Dive in, if that’s your thing.

You’d probably do better just to watch this, though:

Fans of Sharpeners will like this

All the content from the long-defunct Sharpener group blog (formerly at thesharpener.net, before pirates stole the domain name) is now available at sharpener.johnband.org. The formatting’s basic, and categories have been lost; this may improve in future.

That was the easy-ish task, building a new WordPress 3.3.1 site based on a fairly arbitrary selection of obsolete MySQL databases (while junking all actual blog skins etc because they were compromised by virus-injecting malware types over the years). The next task, which will be super-exciting for fans of masochism, will be to set up a WordPress 3.3.1 blog and then import a whole bunch of tables from a non-standard, custom-built Access database into it.

Fans of controversy and excellence, and/or readers of my last post, may be able to guess which particular Holy Grail of magazine-titled Internet history will be revived as if by Dr Frankenstein at the end of this process.