Wordpress is really effective if you’re looking to create a blog, or something very similar to a blog. (We, for example, use Wordpress at ARSON-News.com.) If you want to create your own social networking site it’s going to be pretty hard, and it’s not the fault of the people at Automattic.

In conclusion, I leave you with what is probably the stupidest statement I’ve read about why Wordpress is bad:

“Wordpress, because it is designed as a blogging platform from the ground up, it doesn’t lend itself to people who want to build a website without a blog.”

Please stop using the acronym “lol” when you’re not actually laughing. Seriously, nine of ten times I see the phrase lol used, there’s no way the person would have actually laughed out loud. I present you with a list of phrases which can be used instead, in ascending order from not that funny to very funny.

1. “haha” (feel free to repeat as many times as you want, more “ha”s mean more humor)
2. “loi” - laughing on the inside.
3. “lqtm” - laughing quietly to myself.
4. “lol” - laughing out loud, to be used only if you actually laugh out loud
5. “rofl” - rolling on the floor laughing, funnier than lol, still misleading if you didn’t actually get on the floor
6. “rofl-isiagotf” - “rolling on the floor laughing - I’m serious, I actually got on the floor.”

In conclusion, don’t say “lol” if you don’t really laugh out loud. Also, stop adding extra letters to the end of words likeeeee thissssss. It’s really annoying.

These one-time links, as you can probably guess, allow a user to take the survey only once. However, I have always been suspicious of such tactics, and so a while ago I decided to take a look. (Disclosure: I’m working on a free, open-source voting system. I promise not to let that skew my results.)

[Photo credit: Daquella Manera]

I started with a paid Zoomerang account (well, okay, no I didn’t - it’s $600! I borrowed a login from an online friend with an account) and set up a sample survey based (well copied word-for-word, actually) on a template. I then used the one-time link feature to send a plethora of links to my Gmail account. In total one hundred, though I’ll present just a short sample of them below:

http://www.zoomerang.com/Survey/?p=U2A8NMF9ASLG
http://www.zoomerang.com/Survey/?p=U2A8NMFAASM4
http://www.zoomerang.com/Survey/?p=U2A8NMFBASMP
http://www.zoomerang.com/Survey/?p=U2A8NMFCASNB
http://www.zoomerang.com/Survey/?p=U2A8NMFDASNW
http://www.zoomerang.com/Survey/?p=U2A8NMFEASPJ
http://www.zoomerang.com/Survey/?p=U2A8NMFFASQ5

The more observant of you will have noticed that some things aren’t very random. In fact, only three characters change frequently, highlighted below in italicized bold:

http://www.zoomerang.com/Survey/?p=xxxxxxxXxxXX

These changing portions do appear to be random (well as random as a computer can produce, at least). However, there are still only four characters changing between links! The characters are limited to uppercase letters and integers. This means there are 36 possible combination for each character (10 digits + 26 letters). With three positions for the random data, there are only 36³ possibilities! Okay, so that’s 46,656, which is a pretty big number.

However, the problem comes when we realize that there are about 1,600 people in attendance at my High School (I don’t remember the exact number, but it’s somewhere around there).46,656 / 1,600 is 29.16. So for every 29.16 guesses I make, odds are one of them will be a working link. However we can reduce that even further! The first random character seems to just be a hexadecimal counter (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). I have no idea why this is, but it continues throughout the data.

Factoring this in, I was able to write a combination of PHP and Perl applications which can, in essence, conduct election fraud. They come in three parts, and use Amazon SQS to communicate between each other. This allows for the application (with the exception of the first script) to be run on many servers at once.

The first, a Perl script, takes one known survey URL as it’s parameter, then guesses the rest of them in order of probability. It is actually in two parts, one calculates the URLs and passes it to the second to send to SQS, that way the network is not the bottleneck, the second is multi-threaded. It sends its results to the second script, which issues HTTP requests to see if the links exist. It changes proxies every 100 links. It then passes it’s results to the PHP script which POSTs the votes specified by the attacker to the survey, using a new proxy each time. The proxies are a pre-compiled list based on various resources.

Okay, so this is kind of noticeable, because legitimate users trying to vote will be locked out. However, this does work - this is not just an idea, I have done it using a test survey. Renting one hour of computing time, on four servers from Amazon EC2, one (8-core) machine to calculate the URLs, two machines to check them, and then a final machine to POST the fraudulent data.

Of the 900 links I sent out to an email address silently discarding them (and the one sent to my own) I was able to guess 400, more than 40% of the total possible votes. Even if everyone voted, so long as the people being voted for are not idiots there’s a very good chance they will win.

My total cost throughout this: less than $2!

Now at this point I’d like to point out that the protection provided by Zoomerang is probably good enough for most surveys. However I would not trust higher-risk data collection to them. You may think it’s impractical to conduct such an attack, but teenagers today are always looking to mess with people. The scripts took me less than 10 hours and everything I need to know, I learned from books available at the library and Google searches.

Because I actually have an interest in who wins the election this upcoming year (they don’t seem to have much effect either way, but some of the people who won this past year are people I consider neither nice nor good leaders) I’m not going to release the exploit scripts until safe to do so - either after the elections, or if the school decides not to use Zoomerang to manage them. Bookmark this page and it’ll eventually be here, probably. I suppose if I post it, the nice people at Zoomerang will try to sue me, though this would be baseless and mostly an effort to get me to take it down through legal force. Whether it remains up, in that case, depends on whether or not the EFF is willing to defend the right to post exploit scripts for the sake of fixing problems.

This ridiculously long post was brought to you by ARSON News, a site I update no more frequently than this one. :-/

The tagline used by the company is “bringing blogging to the masses” (implying that they are a feed-reader/mashup site). Most bloggers, however, should be able to see in short time the true purpose of the site - making money on the content of others. Yep, it even uses the same trick used by all other splogs, feed scraping.

Well, why don’t you consider this a feed reader? The site does not function much like a traditional feed reader. Everything posted copied there is public - it’s not in any major way custom to a user. Everyone will see the same posts - even spiders - as if fav.or.it is the originator of the content.

Which leads me to one of my main problems with fav.or.it, it looks to spiders, as though they created the content. The full-text of the article is hosted there, and contains one link-back that, at the moment, is rel=no-follow’ed. Meaning that, to spiders, it seems that fav.or.it is the one which created the content. Seeing as fav.or.it has a higher PR than most small blogs, this may even lead some search engines to blacklist the actual blogger when they see the duplicate content.

My second problem with fav.or.it is one of attribution. They provide one link - one very small link - at the top of the post. When I say small, I mean one 10px by 10px icon. This icon is strategically placed right next to another link. This is, in my opinion, done to trick users into thinking the two links lead to the same place, at which most users would not be careful to where they’re clicking.

One really obvious problem that is probably evident by the previous two points is that fav.or.it does not hold the copyright to any works they repost on their site, nor do they check to see if submitted feeds are licensed under any license which would allow them to repost it.

Personally, this makes me upset. I’ve contacted their abuse team, and asked them to blacklist my feed. I’ll update this post if anything happens. In the meantime, I’d like to make one thing clear: reposting my content on a site with ads for your profit is not covered under this license.

Is your site infected?

Use this tool to check:

So, here’s my contest. It’s actually pretty cheap, but whatever.

The Contest

Between now and July 6, 2008, 01:00:00 GMT (my birthday) leave a comment on this post with some sort of intelligent comment so I can tell you’re not a spammer. Your name and email address must be filled in. One commenter will be selected randomly (see Selection of Winners at the end) to receive one free domain name.

The domain will be hosted at my registrar of choice, and I will set the name servers to whatever you’d like. If you don’t have your own name servers and don’t want to use any of the services out there, I can also add some records for you on my own name servers.

But wait! That’s not all!

If you fill in the Website field of the comment, you’ll also be entered to win a free link in my Blogroll for one year. TylerM.info is a PR3 / PR4 site (it seems to go back and forth a lot) with somewhere between 50-500 unique views daily, which - at the least - will help your ranking in Google a little bit. It can either be a text or image link. (Image must not be much bigger than the IconBuffet image I have there now.)

You cannot win this prize if:

• You’re blacklisted by Google
• Your site contains content unsuitable for all ages
• Your site uses “black-hat” SEO techniques
• You provide information on helping people spam blogs

If your site later violates these conditions, the link will be removed, though it can be replaced or changed for another one later at your request.

Selection of Winners

Winners will be selected on July 8, 2008. Beforehand, all comments will be reduced manually to one-per-commenter, so multiple comments will not improve your chances.

The winner of the first contest for the domain name will be selected with the following SQL query:

The winner of the second contest for the link will be selected with the following SQL query:

Note that this makes it possible to win both contests. If you see any problems with these statements, let me know beforehand.

Notification of Winners

Winners will be notified by the provided email address. Upon notification, you will be given 5 days to respond. If no response is received, your prize will be revoked and given to someone else, selected by the same statements. Emails will be sent from my Gmail address, as my mail server for this domain rejects emails from improperly configured mail servers and that should not be a reason to loose.

1. It’s more difficult then is fun, right from the start

   I enjoy difficulty in games, but TrackMania takes the concept way too far. To begin with, immediately after starting the game, I was provided with an incredibly difficult challenge. Now, I would no longer say it was hard, but typically games at least teach you how to play before putting you in a real win/loose situation.

   Portal, for example, spends the first 5 or 10 levels just teaching the players how to play; Audiosurf asks the player if they want to try a tutorial. Trackmania just puts you in a race right off, and it’s not even a specifically easy one.

   I got the hang of it, eventually, but it’s kind of odd being handed control of a car with no indication of how the controls work and then being told to try to win, ready. . . GO! There’s not really even a clear definition of how to win at the start, you’re kind of shown a platform with a giant gate. It’s kind of obvious you’re supposed to get to the gate, but given the physics involved in the first level it’s a bad way to start.

2. When you start playing the harder levels, they’re near impossible

   Okay, so eventually I got the hang of the controls, and passed all of the easy and medium levels. However, the hard levels fall just short of impossible. It’s been my observation that in all races, even the Endurance races (most races are less than a minute, whereas Endurance races can last 5 or more), winning a Silver medal (required to advance) means not touching a wall or letting go of the “forward” key. Ever.

   These are races that can last up to 7 or 8 minutes. 7 or 8 minutes without touching a wall, when you’re on a narrow track going 300+ miles per hour. More times than I can count I was more than 90% done, only to touch a wall, turn too sharply, or make some other small mistake, thereby being overtaken by the opponent. It’s crazy. The type of people that play this game are the type that don’t mind spend 2 hours trying to clear a 7 minute race.

   And I don’t even want to mention trying to get a Gold medal on higher levels!

3. It’s unrealistic.

   Don’t try to tell me it is, because it’s not. Let me give you an example, I got my car up to 323 miles per hour (I’ve gotten up to 900 before, that’s not all too realistic, either). Then I decelerated back to stopping. (See screenshots.)

   

   In just under 6 seconds. You would be at decelerating 53.3 miles per second, or about 85,778 meters per second according to Google. That’s a tremendous amount of force. Ignoring the huge forces on both the car and the driver, what kind of breaks can stop this fast?!

   Maybe it’s not supposed to be really realistic. Okay, it’s not supposed to be really realistic. But if you’re going to obey some basic laws of the universe, why not take the effort to make the rest of them at least partially realistic. I wasn’t going into this thing looking for hyper-realism, but that’s way off, even for this type of game, in my opinion.

Honestly, I had 5 reasons planned. I think you get the idea with these three alone, though.(Plus I have to go write a CMS and Wordpress is acting strange today.) Bottom line: Don’t buy this game. If you’re looking for something good, I just downloaded Audiosurf and it’s amazing.

This header could contain either “any”, “no-dynamic”, or a domain name. The first would allow scripts from any site to be executed. The second option would tell the browsers not to execute any Javascript or other dynamic content on the page at all. The final would allow the execution of dynamic content only from the specified domain (in the same format as is used in cookies, .domainname.com being a wild card).

Think of how many XSS scripting attacks this could prevent! Headers can only be modified with Javascript or an “http-equiv” meta tag, neither of which could be inserted into a webpage without the use of Javascript in the traditional XSS way. I suppose many people who don’t know or don’t care about XSS attacks wouldn’t bother with setting the header, however for the many who do care but don’t see a vulnerability, this would be helpful.

What are your thoughts on this? Do you see any loopholes? Obviously, there’s no protection against mirroring of your website for malicious purposes, and this would in no way lift the requirement to sanitize input because of compatibility issues. Still, I think it’s a pretty good start.

Is it wrong for Mozilla to preinstall addons? Or is the usefulness of certain addons worth giving up the “no pre-installed software” idea? (My opinion is “yes”.) Chime in below

(I can only imagine the feedback I’d get if this were about Adblock!)