Everything, Everything - October 2007

2021: January
2020: J F M A M J J A S O N D
2019: J F M A M J J A S O N D
2018: J F M A M J J A S O N D
2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
I'm A Geek
Wednesday 31st October, 2007 11:11
Clearly, as I thought this was really interesting: Funny Vista Tricks with ASLR.
User Input
Wednesday 31st October, 2007 11:04
Microsoft's ACE Team (what a terrible name!) posted First Line of Defense for Web Applications - Part 3, an article with suggestions on how to filter malicious content/unexpected input. This is a good thing to do, as you shouldn't rely on IIS6's built in techniques (e.g. ASP.NET's viewstate with a MAC to avoid tampering) - Microsoft frequently state things like: "Do not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation". But the recommendations in this article aren't particularly good ones. They talk about two techniques: looking for known values in the input (white list) or looking for a known list of values that shouldn't be expected from the user (black list). For example, if you're expecting a name or line in an address, it's unlikely that someone has the name <script or onmouseover, so you could consider using them in a blacklist. But this approach isn't perfect. A better approach, where practical, is to use a whitelist. This could be a list of expected values, such as the numbers 1-31 that are used in a PHP script as part of a date handling application, or it could be a fairly predictable pattern.

These are just a few of the inputs she will need to look out for:

User Input Expected: First Name

Regular Expression: (&lt;|&amp;lt;|%3C)(%20|\\s)*(script|applet|embed|))

The black list strategy is a weak protection mechanism because you cannot brain storm all the bad characters attackers will use for a particular attack. We all know security is an ever changing landscape. Black list comes heavily dependent on attacker’s next moves and therefore has to be continuously updated and changed. As new attack techniques come out, this list becomes outdated and requires constant monitoring.

It probably doesn't help that their example only lists a few of the inputs, this is pretty much saying "here's a really bad implementation of a poor technique". They move on to the whitelist:

The white list strategy compares foreign user input to specific input that will be treated as acceptable. For example:

User Input Expected: First Name

Regular Expression: [a-z A-Z-]

The above is a White list of all known good inputs, e.g Only Caps A to Z and small a- z will be allowed. All other input is discarded as evil.

This is fine, unless your name contains a special character (e.g. Sian, Chloe, but I guess most of them are used to writing their names like that). This regular expression is pretty useless if you have a foreign name, and even worse if you're using a completely different alphabet. To make matters worse, this regular expression can't be used for Surname, at least not if your name is something like O'Neill. It's amazing how many websites use JavaScript to stop users from entering the apostrophe into fields, in a misguided attempt to avoid things like SQL injection. Lastly, I'm pretty sure the regular expression should be [a-zA-Z] if you're only allowing 52 characters. If you'd like to allow a few more (English language) characters in your ASP.NET application, such as the apostrophe, try reading this far more useful article on MSDN - How To: Use Regular Expressions to Constrain Input in ASP.NET, which even gives examples.

What's the best approach? There isn't a hard and fast rule, but if you know every possible option, it's not a bad idea to present the user with a drop down list (or series of radio buttons) of those options and pass back a reference (e.g. positive integer value) that's easy to validate (if there are 12 options and someone submits "16" or "-1" or "abc" then reject the input). If you're not expecting HTML to be entered, make sure you HTML encode characters that could be abused (such as < > " '). Be aware of how the input will be returned to the user, if it's always part of the content then you have different things to worry about compared to returning it as a value in a text input field, and be very very careful if you're returning the information as part of some JavaScript of XML, as they encode things slightly differently.

It's nice to see the ACE Team making an effort and raising awareness, but sometimes you need more than a high level overview. Especially one that doesn't link to articles that cover specific areas in more detail.
Mixing Your Drinks
Tuesday 30th October, 2007 15:31
I have a very fizzy bottle of Sprite, and I have a cold cup of decent coffee. And a small part of me is tempted to pour the Sprite into the coffee to see what fizzy coffee would be like to drink. I'm pretty sure it'd taste disgusting and be a waste of two drinks (I can still drink cold coffee, unlike some people). But I might give it a try when there's only a little bit of each left. Has anyone else already tried it?
Windows Fanboy
Monday 29th October, 2007 20:57
Forgive me for laughing at other people's misfortune, but it's nice to see so many people having trouble upgrading OS X and Ubuntu (to Leopard and Gutsy Gibbon respectively). It shows that Microsoft aren't the only ones to have compatibility problems. Software isn't perfect, and it can't reasonably be tested for every possible eventuality. it's unreasonable for everyone to expect upgrades and updates to install without any problems, especially given the complexity of modern operating systems. So forgive Microsoft for the quirks in Vista, please forgive Apple if you're having trouble installing Leopard, and give Gutsy Gibbon a chance (even if it doesn't really look any different to the old version).

I think I'll stick with Slackware and Windows, but that's probably because I've grown up with them. Familiarity breeds contempt, but it also builds understanding and loyalty. I have a love-hate relationship with every OS that I use. Always have, always will.
Saturday 27th October, 2007 10:48
No wonder I'm so cold, the thermostat indicates that it's 10 degrees here, so I've turned on the central heating.
Tuesday 23rd October, 2007 15:27
Following on from a previous post, why is spam email still so prevalent?

Mohamed D. Burks 2:56 pm + [SPAM: 35.7/5.0] Prepare yourself for your new s'e_xual ...
Mohamed V. Burks 2:56 pm + [SPAM: 35.4/5.0] This offer will make your s'e_xual dr...
Mohamed F. Burks 2:56 pm + [SPAM: 30.9/5.0] Bigger penis won't be on TV but in yo...
Mohamed T. Burks 2:56 pm + [SPAM: 34.6/5.0] Your s'e_xual life will be more than ...

Not only did it all get flagged as spam, but the almost identical sender name makes it easy to spot. I also got two emails a few minutes apart allegedly from Lloyds TSB about my online account, I can't imagine them sending out two so close together, with different subject lines but almost identical bodies (the headers suggest that a polish mailserver [based on surgemail] was being abused, possibly acting as an open relay). On the off chance that email gets past the server's spam filtering, Outlook's filtering tends to catch the rest. Occasionally one or two will get through, typically short ones that are meaningless. I guess spammers think that the odd person will receive just one spam and then go on to buy a product. I don't know how many people still fall for these things, but presumably it's enough to explain the hundreds of emails that try to clog up my inbox. The good news is they appear to be getting desperate, and have started to ditch textual spam (images, PDF, Excel files) and moved onto poor quality audio files. Hopefully it's only a matter of time until people give up on from spam email.

Unfortunately, trying to fight comment spam and contact form spam is a lot more difficult, and is something that I can see increasing over time (to make up for the decline in email spam). Susan Bradley made a post about spam that she was getting, allegedly from people with GMail accounts (that's Google Mail, if you're in the UK like me). From my point of view, and Susan's, it's easy to spot the pattern. But it's a bit more complicated for a computer, and even if they were to start recognising patterns (such as now###@gmail.com), what can you do if the bots/spammers generate random prefixes to the gmail.com/hotmail.co.uk accounts? You can't necessarily block by IP address if too many people use a contact form in a short space of time, because some users might be going through a proxy (adding this sort of detection combined with a "captcha" won't work too well either: aside from the obvious accessibility issues, bots are starting to beat the systems). And even if you come up with something clever, how do you easily add that to existing applications? Or even to future ones? Even if you could add something clever for contact forms, you can't exactly add it to forum posts (some places do try and stop people from posting within a minute or so of the last one, but those sort of restrictions often annoy me) or similar places that frequently accept user input from the same user. And even if you tried to slow someone down, what happens if they start using something else to distribute their actions (e.g. the application uses a session id to track the user, but the flood protection mechanism is based on source IP address)? Or do you end up storing the time of the last action in with the session information and give weightings to each web page that accepts POST data to try and combat spam?

If people thought email spam was tricky to detect and stop, wait until comment spam really picks up.
Old Lady
Monday 22nd October, 2007 09:30
I was reading this article about how the deputy mayor of the Indian capital Delhi has died a day after being attacked by a horde of wild monkeys. It's tragic, and sounds bizarre, but apprently there's a plague of monkeys, which invade government complexes and temples, snatch food and scare passers-by. The High Court demanded the city find an answer to the problem last year, and one one approach has been to train bands of larger, more ferocious langur monkeys to go after the smaller groups of Rhesus macaques.

Did they learn nothing from the Old Lady?!?

There was an old lady who swallowed a cow.
I don't know how she swallowed a cow!
She swallowed the cow to catch the goat...
She swallowed the goat to catch the dog...
She swallowed the dog to catch the cat...
She swallowed the cat to catch the bird ...
She swallowed the bird to catch the spider
That wriggled and jiggled and wiggled inside her.
She swallowed the spider to catch the fly.
But I dunno why she swallowed that fly
Perhaps she'll die.

So they've trained larger and more ferocious animals how to kill. What will they do to get rid of the langur monkeys? Train an ambush of tigers? And then get humans to kill the highly trained ferocious tigers?
Strange Visitors
Sunday 21st October, 2007 15:01
Apologies in advance for a very geeky post. I spotted a series of pages had been visited on my site. Ordinarily, this isn't anything too unusual, as people do tend to read backwards through my blog, but this time it pretty much started with January 2007 (one of the first links) and headed to July (classic signs of a web spider), all in the space of 4 minutes (some spiders are faster, some are slower so as not to affect the performance of rubbish or overloaded web servers):

1:00 pm July 2007 Read
Computer: (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:59 pm June 2007 Read
Computer: host-173-159-remedium.igloonet.pl (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:58 pm May 2007 Read
Computer: (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:58 pm April 2007 Read
Computer: 220-135-104-31.hinet-ip.hinet.net (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:58 pm March 2007 Read
Computer: ohta112203.catv.ppp.infoweb.ne.jp (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:58 pm February 2007 Read
Computer: (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:56 pm January 2007 Read
Computer: host-173-159-remedium.igloonet.pl (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:56 pm Read
Computer: (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:56 pm Read
Computer: (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

12:55 pm October 2007 Read
Computer: corporat190-025224157.sta.etb.net.co (
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Notice how the browser string is the same, but the source IP address is different. The pattern makes it quite obvious that it's the same person (no one else was reading the diary.php page at that time), and you even start to see hosts repeat themselves (e.g. host-173-159-remedium.igloonet.pl). But there's a different IP address, which is weird. A quick search of using Google reveals that this IP address is associated with a few spam comment posts on websites, so this could explain the spider-like requests as it searches for places to spam. But is it a host going through something like The Onion Router (TOR) to hide its identity, or is it a clever botnet that distributes the requests amongst compromised PCs to hide itself from server logs? I don't know. Which also means I don't know how to block it.
Firefox Turnaround
Friday 19th October, 2007 16:01
Microsoft are frequently criticised for taking a long time to patch things. Firefox is now out. Complete with a fix for onUnload Tailgating (that's what Mozilla are calling it). Published back in February, patch announced yesterday. Eight months. Nice.
Friday 19th October, 2007 10:01
I upgraded my graphics card drivers last night and was happy to see that Vista did a quick flicker on the screen and then everything came back up and running. With the exception of the video I had been watching at the time; but I opened the file again and everything was fine. Much better than the old way of doing things, like on Windows XP, where you had to restart the computer. This is the advantages of moving things from kernel mode to user mode, and one of the many good reasons why it's worth upgrading to Vista (if you've got the hardware to support it). I'm really looking forward to Server 2008, but I suspect the next version of Windows could be far more exciting! Although I wish they'd sort out the user's side of things instead of trying to improve an already pretty good kernel.
Free Pizza!
Thursday 18th October, 2007 12:49
One of my bosses briefly popped in and out of the office to give me some pepperoni pizza (presumably they ordered too much for their meeting). Aside from being a bit cold, it tastes delicious.
They're Stealing My Ideas Again
Wednesday 17th October, 2007 23:35
See: http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=488109&in_page_id=1770&ito=1490

The minimum driving age could be raised to 18 to combat soaring numbers of road deaths caused by novice motorists, the Transport Department revealed today.

It will be looking at the "costs and benefits" of increasing the present age of 17 and of forcing learners to undergo a 12-month training period.

The move, which would bring the UK into line with most other European countries, will form a key part of a new consultation document

I wrote back in May

Increase the age you can learn to drive from 17 to 18. This would also put things in line with the things mentioned above, and studies suggest that most motorists would support a move to 18. Research by Robert Isler, director of the traffic and road safety research group at the University of Waikato in New Zealand, concludes that the brain doesn't mature until the age of 25. He told an international road safety conference that the brains of younger motorists predisposed them to more dangerous driving.
Modern Fashion
Wednesday 17th October, 2007 16:47
Is it just me, or do these watches look a lot like criminal monitoring ankle bracelets? I wonder who is silly enough to pay £60-100 for something that's hard to read and looks awful.
Tuesday 16th October, 2007 23:28
I'm so happy! I got a shiny new TV card for Christmas last year and brought it back to my flat in January. Before fitting the card, I noticed that my TV reception had suddenly gotten worse on the TV in the flat. I tried it with the new TV card and discovered that BBC2 and Channel 4 couldn't be picked up automatically, and Channel 5 was barely watchable (actually, it's barely watchable even when there's perfect reception, except for when they air good American shows like House). And I've put up with it for 9 months because I don't really watch that much terrestrial TV.

But I was watching the new series of Spooks tonight (Jo, what have you done to your hair?!?) and it looked pretty good. Surprisingly good. And so did ITV, and so did Channel 5. So I did another scan and it picked up BBC2 and Channel 4. At that point I should have been happy, but my TV card also supports digital TV, so I decided to give that a go. At first it found nothing, then it told me it had found 6. Then a few more, then up to 28, and finally settling on something like 68 channels! And being digital, I can watch widescreen shows in widescreen. And I can finally watch BBC Three (without having to visit my parents). The best bit is I managed to do all this in about the half hour break between episodes of Spooks, so I only missed the first few minutes.

Feeling very chuffed. And for those of you that are wondering, the music on the advert for Spooks that the BBC have been showing up until recently is Chemistry by Unkle.

I can't wait until next week!
A Question Of Sport
Saturday 13th October, 2007 17:42
Kelly Sotherton's on it tonight, she's very attractive.
Exploits Of A Mom
Wednesday 10th October, 2007 17:11
Exploits Of A Mom

EDIT: I now have a signed copy of this one :)
Rocky, Rocky, Rocky!
Thursday 4th October, 2007 22:20
I just finished watching the Blu-ray version of Rocky Balboa this evening (looks great on my 30" 2560x1600 monitor) with surround sound audio (I love my 5.1 speakers, even though they're about 7 years old) and the lights off. It starts off a bit slow, but gets a lot better near the end (that running in the snow bit in the middle of the movie has to be a reference to Rocky IV, right?). I never got past that Peter Petrelli was his son (okay, okay, so he's Peter in Heroes, but in real life it's the actor Milo Ventimiglia). I wish I could lift those sort of weights.
Am I Becoming A Tory Boy?
Tuesday 2nd October, 2007 15:07
I posted several ideas that I had back in May, and it appears that David Cameron is pinching them. Okay, maybe he isn't, but his new policies sound a lot like some of my suggestions. I said back in May:

Raise the stamp duty land tax threshold. After it's been raised, make it follow the inflation/deflation seen in average house prices in the UK on an annual basis. To make up for the shortfall, charge stamp duty on all additional homes.

Cameron has pledged to scrap the tax for first-time buyers on homes worth under £250,000. I notice that everywhere is reporting it as "for first-time buyers", which sounds a little ominous, but is obviously to help get new people onto the housing market without helping out Buy To Let. I still prefer my idea, people with two or more homes are either greedy, rich, or running it as a business.

Scrap inheritance tax. If you've worked hard to get your money, probably paid 40% tax on a fair chunk of it, then why should you get punished 40% all over again?

It seems that they also want to cut inheritance tax, raising the threshold from £300,000 to £1 million. House prices are, on average, still something like £250k, so most people probably won't be affected by the new £1 million mark. The cuts would be paid for with a fee charged to business people who register abroad for tax purposes, although Labour claim that the £25,000 levy on those who register for non-domicile status would raise only a fraction of the £3.5bn needed. So I guess my plan to scrap it does open up a £3.5 billion+ hole in my budget, so maybe Labour and the Conservatives have a better plan by raising it instead of scrapping it. At least in the short term until they find another way to bring money in. Even scrapping the ID scheme won't fill that black hole. Although the Tory party plan on using that to... fund more prison places. Which is good. And will be needed if they also keep their promise to end the early release scheme. However, I can see a big flaw in his numbers (see, it's not just me that has flaws in their ideas):

The Conservatives are pledging to end the early release scheme which would see 25,000 prisoners freed from jail this year to ease overcrowding. Instead, a Tory government would fund 1,200 more prison places by scrapping ID cards. (BBC News)

Correct me if I'm wrong, but isn't 1,200 spaces a lot less than the 25,000 prisoners that will continue to require a space (in an already overcrowded prison system)? Also, what happens once the money from the ID scheme is used up? There must be maintenance costs involved with the extra facilities/spaces.

At least I was going to increase the amount of tax on petrol to make up for some of these things, and to coerce car drivers off the road or at least onto shorter commutes. I believe increasing the amount of tax by about 7.5p per litre would help raise the £3.5 billion that the Tory party want to make up for raising inheritance tax to £1 million. And you could always increase the amount of tax on spirits (and possibly lower it on beer). The tax revenue from spirits (around £2 billion?) is about half that of beer, and I believe beer sales have been falling (at the same time, the spirits sales have risen). The higher tax on spirits might encourage drinkers to drink lager or beer instead of shots of vodka and tequila, and the increased volume of liquid will slow the irresponsible (and usually teenage) drinkers down. They might end up puking a lot of liquid into the gutter, but at least they less likely to end up dead from alcohol poisoning or unable to stand, which would probably put less strain on the NHS (and therefore save some more money).

I don't think I totally agree with any party right now, but at least most of them are trying to do the right thing.
© Robert Nicholls 2002-2021
The views and opinions expressed on this site do not represent the views of my employer.