A few days ago I received the following email from Sedo: -

Dear Sedo Member,

Our advertising provider has notified us that a significant portion of the traffic associated with
your domains has been deemed “spam” traffic and is therefore ineligible for Sedo’s parking program.

As part of Sedo’s responsibility to our advertising partners to ensure that traffic participating in our
parking program meets quality standards, Sedo compiles data on traffic from a variety of sources,
including our advertising partner. During this data review, we have no choice but to block the domains
that are presented to us by our partners.

In many cases, our members have purchased domains from sellers who may have promoted those
domains in the past, and the new owners are unaware of any prior promotion that may have taken place.
This decision does not imply that any action was taken on your part to violate the Terms of Sedo’s
parking service. However, in order to protect advertisers and consumers, we must maintain high quality standards.

To maintain the integrity of click prices and the quality of Sedo’s parking program, your account was suspended, your domains have been removed from the program, and the accumulated click balance generated
by these domains has been forfeited in accordance with our Terms of Use.

Best Regards,

Your Sedo Team
Customer Support - UK/International

Being the total air-head that I am, I’d totally forgotten about the domains that I had parked on the Sedo name servers, so I respond: -

I have no idea what you guys are talking about. I don’t have any domains
parked with Sedo.

The next day I get the following response from Sedo: -

Hello,

Thank you for your email. I checked our database and saw that you have an account associated with the email address <Email address removed>, and associated with the username <Username removed>. This account has 9 domains listed, and was created in 2007.

If you require further clarification please let me know.

Sara Beninato

Ahhhhh… Cogs turn slowly in my head, and I go off to DynDNS.com to check the name server settings on my domains. OK, as I said earlier, I’d forgotten all about those domains. Anyway, I change the name servers to point at one of my servers, and set about monitoring the alleged “spam” traffic. I respond to Sedo: -

Yeah. Sorry, I’d forgotten all about those domains.
I monitored those domains today, and between the lot of them they didn’t
even receive 10 hits. So where does the nonsense of “spam” traffic come
from? If Sedo is dedicated to quality, in the fashion in which you
claim, perhaps you’d do well to investigate the validity of reports
before suspending people’s accounts?
Mike Kroger.

Today I receive the following from Sedo: -

Hello Mike,

Thank you for your email. I apologize, as our advertising provider does not provide us with more information in regards to this matter.

If you would like, I can reopen your account for buying and selling purposes.

Please let me know how you would like to proceed.

Sara Beninato

Senior Security & Compliance Specialist

Take careful note that Sara claims to be a Senior Security & Compliance Specialist!

From Sara’s reply, it’s plainly obvious that Sedo react to “fraud” reports without making any attempt whatsoever to validate the claims made in the report.

My final response to Sedo: -

Sara,

Don’t worry about it. The way that Sedo has treated me quite clearly demonstrates their attitude towards their clients. As far as I’m concerned, I really don’t need people like Sedo in my life. Thanks.

Mike Kroger.

Ever since my spat with the “Firefox security experts” in November 2009, Wizz RSS has been using two levels of HTML sanitization, because nsIScriptableUnescapeHTML.parseFragment() doesn’t perform as advertised. According to people like Wladimir Palant, nsIScriptableUnescapeHTML.parseFragment() is the only way to ensure that HTML, rendered within the Chrome context of Firefox, is free of any potentially malicious code.

While it is perfectly true that nsIScriptableUnescapeHTML.parseFragment() will sanitize HTML that looks like this - <img src="x" onerror="alert('Do bad stuff here!');" alt="Malicious code" />
It will not sanitize HTML that looks like this - &lt;img src="x" onerror="alert('Do bad stuff here!');" alt="Malicious code" /&gt;

Now as far as I’m concerned, both of the fragments shown above are HTML, the only difference being that one fragment uses HTML entities and the other doesn’t. If it is claimed that nsIScriptableUnescapeHTML.parseFragment() is the only way to ensure that HTML, rendered within the Chrome context of Firefox, is free of any potentially malicious code, then surely both code fragments should be sanitized in exactly the same way… Right?

So basically the problem boils down to this: a person developing Firefox add-ons assumes, quite rightly so, that HTML pumped through nsIScriptableUnescapeHTML.parseFragment() will be safe. Wrong!

In the case of the 1st fragment I have listed, nsIScriptableUnescapeHTML.parseFragment() will totally remove the onerror event handler, which is totally cool, and is exactly what a Firefox add-on developer would expect.

In the case of the 2nd fragment I have listed, nsIScriptableUnescapeHTML.parseFragment() does nothing to the string! If the Firefox add-on developer now displays that “sanitized” HTML in any context that actually renders the HTML (rather than simply displaying it as text), we have a problem.
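The ordering problem described above, as an added example that is not code from Wizz RSS, Feed Sidebar or Firefox: a stand-in sanitizer that behaves like parseFragment() on the two fragments (it strips event handlers from real tags and leaves entity-encoded text alone), run in the two possible orders relative to entity decoding. The decoder, the function names and the feed title are all assumptions constructed for the example.

```javascript
// Added example (not Wizz RSS, Feed Sidebar or Firefox code): a stand-in for what
// nsIScriptableUnescapeHTML.parseFragment() did to the two fragments in the post.
// It removes on* event-handler attributes from real tags, but entity-encoded text
// such as "&lt;img ...&gt;" is not markup, so it is left untouched. Whether that
// matters depends entirely on what happens to the string afterwards.

// Hypothetical single-level entity decoder, modelling one pass of an XML/RSS parser.
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };
function decodeEntities(s) {
  return s.replace(/&(lt|gt|quot|#39|amp);/g, (m) => ENTITIES[m]);
}

// Stand-in sanitizer: strip on*="..." attributes from every real tag.
function stripEventHandlers(html) {
  return html.replace(/<([a-z][\w-]*)([^>]*)>/gi, (m, tag, attrs) => {
    const clean = attrs.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
    return '<' + tag + clean + '>';
  });
}

// Detection check to run on whatever string is about to be rendered as HTML.
function hasLiveEventHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

// The order the post warns about: sanitize first, then something decodes entities
// again (or renders the decoded text as HTML). The handler comes back to life.
function sanitizeThenDecode(feedTitle) {
  return decodeEntities(stripEventHandlers(feedTitle));
}

// Hardened order: decode every layer of encoding first, sanitize last, and render
// the sanitized string verbatim with no further decoding.
function decodeThenSanitize(feedTitle) {
  let decoded = feedTitle, previous;
  do {
    previous = decoded;
    decoded = decodeEntities(decoded);
  } while (decoded !== previous);          // handles double-encoded input too
  return stripEventHandlers(decoded);
}

// Constructed test title: the second fragment from the post, entity-encoded.
const ENCODED_TITLE = '&lt;img src="x" onerror="alert(\'Do bad stuff here!\');" alt="Malicious code" /&gt;';
```

The useful habit is the last one: whatever sanitizer you use, it must see the string in exactly the form the renderer will see it, so every decode step belongs before it and none after.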

Here is a link to an RSS feed that demonstrates the problem: - http://www.wizzrss.com/vutest8.xml

If you use Feed Sidebar 4.4.1 to read the feed I have listed above, and click the link in the sidebar (screenshot: rsssidebar.jpg), the “sanitized” title from the feed will be rendered as HTML, and the onerror event will fire. BAD!

For the paranoid: while the malicious potential of this test case is plainly obvious, be assured that the test case doesn’t actually do anything malicious. The code, when it executes, will access the Firefox Login Manager, and, assuming that you have saved passwords, will display the password and domain name of the 1st entry it finds.

Some of you might think I’m being irresponsible publicly publishing an exploit for this vulnerability. Well I disagree! I hope that publishing the exploit gets some of the arrogant Firefox prima donnas off their butts!

import java.util.Random;

class PageRank {
    // Tongue-in-cheek "PageRank calculator": a random value from 0 to 10.
    private int getPR() {
        Random generator = new Random();
        int pr = generator.nextInt(11); // nextInt(11) returns 0..10 inclusive
        return pr;
    }
}

So there I was, waddling around the Internet in my usual fashion, when I stumbled upon one of my own websites. Yeah, I run so many that I kinda forget about some of them… Airhead!

It wasn’t surprising that I stumbled upon one of my own websites, but what did surprise me was the Google Page Rank of some of the pages!

Since putting Wizz RSS News Reader for Firefox into moth balls almost a year ago, I haven’t paid much attention to the Wizz RSS site. Actually, to be perfectly honest, I’ve never really paid the Wizz RSS site much attention. The content is stale, and many of the links don’t even work.

So, the surprise?

Well I almost fell off my chair when I saw that the Wizz RSS home page has a Google PR of 6! Many years ago it had a Google PR of 7, but that was a long time ago. And, as we all know, Google changes their PR algorithm like a Hollywood bimbo changes boyfriends (or girlfriends - Depending on their sexual preference).

Shock! A PR of 6?!

I cruised around the site a bit. Even more amazing, many of the other pages have a PR of 5. A few have a PR of 4, and two or three have a PR of 0. So how do pages on a site, that has been pretty much totally neglected for over a year, get Page Ranks like that? What of the “Content is King” phrase that one most often associates with getting good PRs on Google? Seems to me that it might just be a load of bull, along with 95% of the other crap we hear from the so called “Google experts.”

Over the last week or two I’ve been inviting various establishments to add themselves to Plak. Most people seem quite able to read and understand the instructions in the online help, but one or two require some additional help. Some request additional help via email, but most simply contact me via Skype, where I can talk them through whatever problem they might be experiencing.

On Friday 19 June I got an email from Stacie van Vuren at Thaba Phuti Safari Lodge requesting additional help. As is quite normal, I referred her to the online help - This is always my 1st step in the “additional help process,” because I know that most people just don’t bother to read the online help.

This morning, 20 June, I received the following email from Stacie: -

Dear Mike,

We have already read the help section and did not find a single thing to help us in the event of the property not being on the map at all.

Please could you delete our registration with immediate effect.

Regards,

Stacie van Vuren

Stacie seems to think that every map of South Africa should have large red arrows pointing at Thaba Phuti Safari Lodge. Anyway, I reply: -

Hi Stacie,

I have no idea what you mean by your property not being on the map. Every single GPS location in the entire world is covered by the Plak map. You just have to add your property at the correct location.

I put a Flash video online last night that might help you understand how Plak works - http://plak.co.za/helpflash.php?vid=5

Regards

Mike

Will Stacie now understand? Errrmmmm… Seems not :(

Unfortunately, we are a very busy 5 star luxury safari lodge and we do not have time to sit and watch videos.
We are in a rural farming area and there are no landmarks for us to judge by. When the map comes up on our computers (we have tried on two different ones) there is nothing to show what particular GPS co-ordinates the cursor is pointing at, so there is no way for us to know if we are looking at the correct spot.

I simply cannot afford to spend anymore time on this.

I ask again, please delete our registration with immediate effect.

Stacie van Vuren

I wonder how Stacie found her way to work before GPS was invented, and obviously in Thaba-Phuti-Safari-Lodge-land they don’t have roads.

Yes it’s true! Click the Satellite button, and hey presto! A satellite image, including roads that may not appear on the map. Oops! Sorry I forgot about the Google plot against Thaba Phuti Safari Lodge, where Google have nefariously removed all detail from satellite images in that part of the world.

Furthermore, I really don’t remember asking Stacie to spend any of her precious time on Plak. She was the one who asked for help, and I provided it. I suspect that this is another case where people, using some crumby Internet connection, powered by rubbing two sticks together, blame me for their inability to see Google maps. Anyway, feeling a bit pissed off at Stacie’s attitude, I respond: -

Then why did you waste my time asking for help?

I was looking forward to a good reply: -

That is extremely rude. If that is the attitude with which you speak to people then I am very surprised you do business at all.
We asked for your help as we expected to actually get help. It is called customer service and you should learn how to provide it.
If potential customers ask for help and you not only do not provide it, but respond in such a disgusting manner, it reflects very poorly on your “company”.
As for telling potential customers that they have wasted your time by requesting something as simple as assistance with a badly designed system; that is shocking. We had actually already recommended your site to several other places in our area as it seemed to be a great idea. But do not concern yourself, as we have now instructed them not to waste your time.

Stacie van Vuren

Obviously Stacie didn’t notice my two previous attempts to help her?

Potential customer? Please correct me if I’m wrong, but don’t customers usually pay for stuff? No one pays for Plak! It’s FREE! I provide it as a FREE service to anyone who wants to use it, and if it doesn’t work for you, no one is forcing you to use it. Of course Thaba Phuti Safari Lodge probably fall into the corporate greed category, “Hey! It’s for free, so take two!” And when they can’t work out how to use the free service, they blame me!

It also never fails to amaze me how people get uptight when they have their own attitude thrown back at them. My reply: -

Business? Errrmmmm… It’s for FREE!

You asked for help and I provided it. It isn’t my fault that you don’t have time to watch the instructional video… Is it?

Of course this is a typically South African attitude: everything that goes wrong MUST be someone else’s fault.

Thank you for instructing them not to waste their time, because if they are anything like you…

Thankfully, there has been no further correspondence from Stacie :)

Once again I’ve been busy trying to drum up some interest in the Plak website. I’ve sent out about 1000 “invitations” to people who own hotels, B & Bs and guest houses, inviting them to add their establishments to Plak. So far the response has been overwhelmingly positive, but I just can’t get my head around these: -

1. I’ve taken the time and made the effort to put help online. I think that the online help describes reasonably well how to use Plak, yet very few take the time to actually read it! People would rather email me, or Skype me, asking for help. READ THE FRIGGIN’ HELP! THAT’S WHAT IT’S THERE FOR!

2. The Plak database provides 65 000 characters of description for every single establishment, yet many think that something like “Frikkie’s B & B” is a sufficient description. It’s no wonder these people can’t get business! I mean what more can you expect from something that has the imagination of a retarded tadpole?

3. So, 65 000 characters to describe an establishment, and it’s full of spelling mistakes?! I’m damn sure that’ll make a wonderful impression on potential visitors!

4. Why, with tears in my baby blue eyes, do they want to type everything in upper-case? Why? Why? Why? Will someone please explain to me! Why?

5. There are fields specifically for phone and fax numbers, yet for some weird reason, people want to put those numbers into the description of their establishment! Why?!

6. There is a field specifically for providing the URL of a website related to the establishment. So why do people put that URL into the description of their establishment? With the URL in the description, it isn’t clickable! If you simply provide the URL in the correct place, a clickable link will be displayed to anyone viewing your information!

7. Obviously many South Africans don’t understand the simple fact that Afrikaans is not a language spoken by the majority of beings on our planet. Helloooooooo! If you are wanting to talk to an international audience, please try using a language that they are likely to understand!

8. Being given a free tool that could potentially bring more business, why is it that many of these people expect me to do the work for them? I have provided you with a pretty good framework, and I did that for free! All you need to do is hang your information on that framework! Yes! That means you might have to get off your butt and do something for yourself!

9. The selfishness and narrow-mindedness: Plak allows anyone to add as many places as they’d like to add. There is no limit! Yet Frikkie, when adding his B & B, is too selfish to add a Plak for the local golf course, even though the local golf course might attract business to his B & B! In the description he might say, “Close to lovely beach and shopping centre.” So add a Plak for the beach and the shopping centre so that people can see where they are in relation to your establishment! Sigh… I’m no marketing expert, but surely if you are wanting to market something you’d try to make full use of a free tool that has been given to you?

Sometimes I really wonder why I bother.

I got this email from Will Dormann at CERT today. So… Errrrmmmm… File format fuzzing? What the fark is that?

Hello Mike,

We’ve been working in the areas of vulnerability discovery, with a
focus on file format fuzzing. One of the tools that we have been using
is a fuzzing framework to perform mutation fuzzing of Linux
applications.

Any vendor producing software that processes data should be fuzz
testing that application. Mutation-based file format fuzzing is a
simple form of fuzz testing, however it may not be obvious how file
fuzzing can effectively be performed.

One of our goals is to reduce the complexity for performing file
fuzzing.

We plan to publicly release a simplified version of the framework that
we have been using internally. The CERT Basic Fuzzing Framework (BFF)
consists of:

1) A virtual machine of a minimal Debian Linux installation that has
been configured for effective fuzzing. The virtual machine is VMWare
compatible (VMX + VMDK). Use with other virtualization products should
be possible, but may require conversion and/or other reconfiguration.

2) A configuration file and a few scripts that perform automated
fuzzing with the Caca Labs zzuf fuzzer.

The default configuration is to automatically perform a fuzzing run on
a very old version of ImageMagick. Performing fuzzing on an
application of your choice involves a few steps that are outlined in
the README file.

We are sending you this message to offer you a sneak-preview of the
BFF before it is publicly released. If you have an application that
runs on Linux, then you should be able to perform your own fuzzing. If
the BFF can find vulnerabilities in your application relatively
easily, then this will give you a chance to address the issues before
somebody else finds them.

The fuzzing framework is approximately 330 MB in size.

If you would like a BFF, please let us know. We can provide you with
download details.

Thank you,
Will Dormann

=============================
Vulnerability Analyst
CERT Coordination Center
4500 Fifth Ave.
Pittsburgh, PA 15213
1-412-268-7090
=============================

A sneak preview of some of the new team members.

garden-gnome.jpg

I received the following in an email a few days ago. I think it’s worth sharing.

Ten men went out every day for beer and the bill for all 10 came to R100.
They wanted to pay their bill the way we pay our taxes. So it would have to
go something like this:

1. The first four men (the poorest) would pay nothing.
2. The fifth would pay R1.
3. The sixth would pay R3.
4. The seventh would pay R7.
5. The eighth would pay R12.
6. The ninth would pay R18.
7. The tenth man (the richest) would pay R59.

So, that’s what they decided to do. The ten men drank in the bar every day
and seemed quite happy with the arrangement, until one day, the owner threw
them a curve.

“Since you are all such good customers”, he said, “I’m going to reduce the
cost of your daily beer by R20.” Drinks for the ten now cost just R80.

The group still wanted to pay their bill the way we pay our taxes so the
first four men were unaffected. They would still drink for free. But what
about the other six men, the paying customers? How could they divide the R20
windfall so that everyone would get his fair share? They realized that R20
divided by six is R3.33. But if they subtracted that from everybody’s share,
then the fifth man and the sixth man would each end up being paid to drink
his beer.

So, the bar owner suggested that it would be fair to reduce each man’s bill
by roughly the same amount, and he proceeded to work out the amounts each
should pay! And so:

1. The fifth man, like the first four, now paid nothing (100% savings).
2. The sixth now paid R2 instead of R3 (33% savings).
3. The seventh now paid R5 instead of R7 (28% savings).
4. The eighth now paid R9 instead of R12 (25% savings).
5. The ninth now paid R14 instead of R18 (22% savings).
6. The tenth now paid R49 instead of R59 (16% savings).

Each of the six was better off than before. And the first four continued to
drink for free.

But once outside the restaurant, the men began to compare their savings.
‘I only saved a Rand out of the R20,’ declared the sixth man. He pointed to
the tenth man, ‘but he saved R10!’
‘Yeah, that’s right,’ exclaimed the fifth man. ‘I only saved a Rand, too.
It’s unfair that he saved ten times more than I!’
‘That’s true!’ shouted the seventh man. ‘Why should he get R10 back when I
saved only two? The wealthy get all the breaks!’
‘Wait a minute,’ yelled the first four men in unison. ‘We didn’t get
anything at all. The system exploits the poor!’

The nine men surrounded the tenth and beat him up.

The next night the tenth man didn’t show up for drinks, so the nine sat down
and had beers without him. But when it came time to pay the bill, they
discovered something important. They didn’t have enough money between all of
them for even half of the bill!

And that, boys and girls, journalists and college professors, is how our tax
system works. The people who pay the highest taxes get the most benefit from
a tax reduction. Tax them too much, attack them for being wealthy, and they
just may not show up anymore. In fact, they might start drinking overseas
where the atmosphere is somewhat friendlier and the services they get for
their Tax work better.

For those who understand, no explanation is needed.
For those who do not understand, no explanation is possible.

Click the ball to change its color!
Promise! It will change if you click it :)