I wanted to give my brain a little bit of exercise and try to get my PHP OOP fu woken up. So I decided to try and write a little program that looks at all the images in its current directory, then, using PHP's built-in image functions, tries to mash them into one cohesive block. I'm not aiming for the most efficient method (to be honest, I think that might be a graduate-thesis-worthy project); I'm just going for something that ends up looking decent.


I've made some progress so far (after managing to accidentally allocate 2.6GB of RAM trying to create a ridiculously large image and crashing my server), but I think I'm about to go back and use a different placing algorithm.


You can see what I've got so far here: http://example.preinheimer.com/imageBoxer/


It shows the steps as it places the file. That's a static page, no point in loading the server unnecessarily.



I sit here, watching The Princess Bride, and the classic line "I do not think it means what you think it means" seems strangely appropriate when it comes to the "Uninstall" feature packaged with software these days.


When I think of "Uninstall" (why I insist on placing that word within quotes should become clear in a moment) I think of the opposite of Install. You use Install to take a program and spread it around your hard drive, registry and the like, so "Uninstall" should do the exact opposite: it should seek out all of those files and registry entries the Install program threw around and remove them. In my idealistic world the state of a computer before installing a program should be identical to the state of the computer after installing and then uninstalling the program. This belief isn't entirely naive. Think of Undelete: you've accidentally deleted a file, so you undelete it; the file is now available, and you've effectively reversed the delete process. The dictionary is even on my side (emphasis mine):


un-2

pref.
To reverse or undo the result of a specified action: unbind.

To deprive of or remove a specified thing: unfrock.

To release, free, or remove from: unyoke.

Used as an intensive: unloose.


By my understanding, "Uninstall" should reverse or undo the result of Install.


It does not.


What "Uninstall" actually does is this: it removes the shortcuts you originally used to access the program, it deletes a selection of the files it placed on your computer, and it optionally decides you should be punished for removing it and instructs you to reboot. Meanwhile, it leaves a slew of registry entries kicking around God knows where in the messy tangle that is the Windows registry; it rarely removes the folders it created in the Program Files directory; it also leaves behind the directories it created in the hidden Application Data folder under a particular user account (or the All Users account, or the Administrator account); and finally it probably leaves a smattering of unneeded library files anywhere it damn well pleases. I "Uninstalled" Norton Anti-Virus probably at least a year ago. I found a whole slew of registry entries still kicking around when I ran a registry cleaner last week, and then today, while digging through the depths of my machine, I found a series of folders and files in various other locations. Get Out!


I do not think the way in which I expect "Uninstall" to function is too onerous for software developers. You wrote the install program (or at least scripted it to do what you want), you know where in the registry you added keys, and you know what other files you created after the application was installed. Just reverse the process and remove it all. If, for some reason, you feel that the user might want to retain some of those files (high scores, custom palettes, etc.) ask them in a clear and concise manner. Good: "Would you like your high scores to be left on your hard drive for future use?" Bad: "Will you be re-installing application X at a future date?" The user must have the option of removing the software totally and completely from their machine. I make a single exception: trial or demo software may leave one file or registry entry on my machine representing the fact that the trial has either expired or has been partially used.


Please?



Most of you probably remember the preponderance of "hot or not" sites that made the rounds a couple years ago. I just saw a new one, this one's for your cat :-).

http://www.kittenfaceoff.com/


A little while ago I posted about a new message I received upon visiting my bank's website. Upon contacting them for further information I was informed that they were very sorry, but my machine had been infected with spyware. Until I rid my machine of this infestation I should avoid using any secure website, and should change all my secure passwords through an alternate path (e.g. a phone call) immediately.

I knew this was a load of bull: I have two anti-spyware packages installed locally, I run them with some regularity, and the attack vectors spyware vendors can use against me are far narrower than average (I don't download much, if anything, and I use a niche browser). Additionally, the amount of information available to a website about a visitor is actually very small; even when coupled with client-side scripting like JavaScript and Flash (both of which are sandboxed), they simply don't have enough information to make an informed decision about the state of my machine.

I had a hunch that they were examining the User-Agent HTTP header and comparing that value against a whitelist of 'supported' and clean browsers. Some types of spyware (referred to by the industry as browser plugins, and as hijackers by the rest of the world) modify your User-Agent header to advertise their presence, so this seemed like a good place to start. Visiting the TD Canada Trust website with each of the three web browsers I had installed seemed to back this up: the message was raised in Opera but not in FireFox or Internet Explorer. The wording of the message reads "spyware was detected on your system"; all three web browsers are installed on the same system, so the message is either misleading or the detection algorithm is flawed.

To test my User-Agent hypothesis I would first need to obtain the full set of headers sent by my three web browsers (Opera, FireFox, and Internet Explorer) so that during testing I could imitate each of them and determine under which circumstances the image would appear. The headers I used for my investigations are as follows:

Opera:
User-Agent: Opera/8.51 (Windows NT 5.1; U; en)
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en
Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers

FireFox:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


Internet Explorer:
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Proxy-Connection: Keep-Alive


Next, I would need to determine what code was being used to raise the warning image when appropriate. After some examination I determined that the line of code responsible for raising the warning image was:

<SCRIPT LANGUAGE="JavaScript1.1" SRC="http://blog.preinheimer.com/servlet/com.td.banner.servlet.LoginValidationServlet?LOC=en_CA"></SCRIPT>

So, with the aid of PHP and cURL, I set out to request the document available at that URL using each of the three browsers' request headers.

With the Opera fingerprint I obtained:
document.write('<img src=/servlet/com.td.banner.servlet.LoginValidationServlet?image=3 border="0"> ');

With the FireFox fingerprint I obtained:
document.write('<IMG SRC=/servlet/com.td.banner.servlet.LoginValidationServlet?image=0');

With the IE fingerprint I obtained:
document.write('<IMG SRC=/servlet/com.td.banner.servlet.LoginValidationServlet?image=0');

Obtaining the .gif image available at each URL confirmed the hypothesis: the image directed to Opera users was in fact the warning image, while the image directed to FireFox and IE users was a blank placeholder.

At this point I had only proven that the HTTP headers were responsible for determining which URI was returned, not the User-Agent header specifically. To confirm it was in fact the User-Agent header, I swapped the User-Agent around between the three header sets (using the Opera User-Agent with the FireFox headers, then with the IE headers, as well as vice versa) and confirmed that the warning image was only returned when the Opera User-Agent header was included.
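The cross-test described above, as an added example (not the author's PHP/cURL script): a differential header test that swaps one header at a time between the three captured header sets and reports which header alone flips the server's answer. `simulated_servlet` is an assumed stand-in for the bank's endpoint, written only so that it reproduces the three observed responses; `fetch` can be replaced with a real HTTP request to run the same test against a live server.

```python
from itertools import permutations

# Header sets trimmed from the captures above (constructed sample data).
OPERA = {
    "User-Agent": "Opera/8.51 (Windows NT 5.1; U; en)",
    "Accept-Language": "en",
    "Accept-Encoding": "deflate, gzip, x-gzip, identity, *;q=0",
}
FIREFOX = {
    "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1",
    "Accept-Language": "en-us,en;q=0.5",
    "Accept-Encoding": "gzip,deflate",
    "Cache-Control": "no-cache",
}
IE = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
    "Accept-Language": "en-us",
    "Pragma": "no-cache",
}
SERVLET = "/servlet/com.td.banner.servlet.LoginValidationServlet"
WHITELIST = ("Mozilla/5.0 (Windows", "Mozilla/4.0 (compatible; MSIE")  # assumed rule

def simulated_servlet(headers):
    """ASSUMED stand-in for the bank's servlet: warn (image=3) unless the UA prefix is whitelisted."""
    ua = headers.get("User-Agent", "")
    if ua.startswith(WHITELIST):
        return f"document.write('<IMG SRC={SERVLET}?image=0');"
    return f"document.write('<img src={SERVLET}?image=3 border=\"0\"> ');"

def warns(body):
    """True when the returned script would load the spyware warning image."""
    return "image=3" in body

def isolate_headers(fetch, header_sets):
    """Swap each header between every ordered pair of sets; a header whose swap alone
    flips the warning is one the server keys on. Returns the set of such header names."""
    baseline = {name: warns(fetch(h)) for name, h in header_sets.items()}
    names = set().union(*header_sets.values())
    culprits = set()
    for (a, ha), (b, hb) in permutations(header_sets.items(), 2):
        for name in names:
            probe = dict(ha)          # start from set a ...
            if name in hb:
                probe[name] = hb[name]  # ... and borrow one header from set b
            else:
                probe.pop(name, None)   # (or drop it if b does not send it)
            if warns(fetch(probe)) != baseline[a]:
                culprits.add(name)
    return culprits
```

Against the simulated endpoint only `User-Agent` comes back as a culprit, and a header set with an extra hijacker-style header but an untouched User-Agent passes the check, which is the false negative the conclusions below point out.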

Conclusions
TD Canada Trust is using User-Agent matching against a local whitelist in an attempt to determine if the user requesting the login page is infected with spyware. Users who present a User-Agent header not present in their whitelist are presented with an image informing them that their machine is infected with spyware, and that they should remove it before continuing.

This whitelist matching is an ineffective test: it not only raises false positives for users whose browser is not in the list, but is also unable to detect a wide range of malicious programs (including hijackers that do not modify the User-Agent header, and malware that operates independently of the browser). In short, they are needlessly scaring the crap out of people not infected with anything, while doing nothing to warn people who are.

Caveats:
TD Canada Trust does provide a list of "Supported Browsers" at
https://www.tdcanadatrust.com/ebanking/sup-br.jsp, though the concept of purposefully supporting only a subset of the browsers able to effectively communicate with your site is laughable and outdated.

Within an hour of concluding my tests I was contacted by a staff member at Brandimensions Inc. informing me that my website was being used to conduct a phishing attack against TD Canada Trust and its customers. While the ineffective malware test disappoints me, the speed of their response to this alleged phishing attack is encouraging.

What started off as a simple investigation into the scary messages I noted earlier has somehow snowballed into me writing an HTTP proxy in PHP. I'm not really sure how it happened. On the plus side, I now know I'm capable of writing an HTTP proxy in PHP with header rewriting on the fly and automatic URL rewriting to ensure proxy use, including proper path resolution for relative and absolute paths. I even ended up rewriting JavaScript redirects as header redirects.


I'll keep you posted.



I mailed a CD to my brother ExpressPost on the 31st of January, it was supposed to get there on the 1st of February. According to the website (and my tracking number) it did get there. We waited a day or two, it never arrived. I called Canada Post to complain and was basically told that they'd look into it, but I shouldn't hold my breath.


I logged onto their website today on a lark and punched in the tracking number, this is what it tells me now:


2006/02/11 04:19 STONEY CREEK, ON Item has been picked up and is enroute to the sortation plant

2006/02/01 AM LONDON, ON Item successfully delivered to Receiver's address

2006/02/01 08:48 LONDON, ON Item out for delivery

2006/01/31 16:20 WINDSOR, ON Item accepted at the Post office



Somehow, they managed to deliver the package in London, then re-discover it in Stoney Creek ten days later...?

Update

So, my package finally got delivered today. Someone from Canada Post called me to confirm my address (they're mailing me a refund) and apologize. I tried to glean a few details on what had happened, but basically they had none. I tried to explain that my frustration surrounded not that they misplaced my package for 10 days, but that the tracking number I had indicated that the package had been delivered when in fact it hadn't. This distinction seemed to be lost on her, and she repeated the canned 'sorry we lost your package for a while then found it' response.


The final tracking information is:


2006/02/13 AM LONDON, ON Item successfully delivered to Receiver's address

2006/02/13 09:17 LONDON, ON Item out for delivery

2006/02/11 04:19 STONEY CREEK, ON Item has been picked up and is enroute to the sortation plant

2006/02/01 AM LONDON, ON Item successfully delivered to Receiver's address

2006/02/01 08:48 LONDON, ON Item out for delivery

2006/01/31 16:20 WINDSOR, ON Item accepted at the Post office


Mad props for delivering the same package successfully twice, Canada Post.



I was about to login to my bank's website today, when I got a little message "Software has been detected on your system which may be allowing a third party to view, track or store your personal online banking information, including any IDs and passwords submitted. Click for more details".


I CAN NOT CLICK ON IT, it isn't a link.


Here is a screen shot: warning.jpg


Umm, what the heck?


Yesterday I started teaching my PHP Essentials class for PHP|Architect. The class assumes that the students have no prior PHP experience, and in just a few short weeks gets them well along the way to being competent PHP programmers. The nifty & difficult thing is the system. I've attended their free webcasts before (which use the same system), and as a participant I've really enjoyed them. The instructor speaks into a headset microphone from wherever they are, while using a flash application's version of power point slides to go through the material. Students and the instructor can interact in an IRC-like chat window in the top corner of the class. Students can also 'raise their hand' (small icon appears beside their name) to attract attention. Should a student have a more complex question the instructor can pass off control of the microphone (virtually) to the student, and after the question is posed, take it back.


The system is great from a participant/student perspective. You get a live expert teaching the material, classes are automatically recorded for future use, and it's far cheaper than trying to bring an expert in for on-the-spot training.


From an instructor perspective it's kind of weird or awkward. I sit at my desk for quite a while, talking to people I can't see or hear, just hoping they can understand what I'm saying to them. Apart from the whole weirdness of speaking continuously to no-one in particular, I really miss the non-verbal cues you get when speaking to people in person: people nodding their heads when you make a good point, confused faces when you've skimmed something complex, etc. Sure, people can raise their hands or type messages into the chat window when something is amiss, but the immediacy is lost, along with any positive reinforcement when things go right.


I'll get used to it I guess.



First, let me be clear, this isn't a blog post. This is a public service announcement.



Do not, under any circumstances, buy, rent, borrow or burn Flight Plan. It's the worst possible way you could spend 98 minutes of your life. If your choices are watching the paint dry or watching Flight Plan, the paint is the safe choice. If your choices are watching Flight Plan or gouging your eyes out with a fork, you really need to reconsider how much you're using your eyes anyways.

Hi, I’m Paul Reinheimer, a developer working on the web.

I co-founded WonderProxy which provides access to over 200 proxies around the world to enable testing of geoip sensitive applications. We've since expanded to offer more granular tooling through Where's it Up

My hobbies are cycling, photography, travel, and engaging Allison Moore in intelligent discourse. I frequently write about PHP and other related technologies.
