
Hotmail doesn't like b10m.net

2008/05/15 filed under /web

Last Friday, I received a call from a friend who invited me to an Endstille gig. He asked me why I didn't reply to his mail. Odd, I thought, for I did reply within 10 minutes of receiving it. A day or so later, still no email, so I decided to do a little testing.

I opened up a hotmail test account and just tried to mail it. The hotmail mail server positively told my server that the message was accepted, but the mail was nowhere to be found. Not in the Inbox, the Junk folder or any other place. It simply disappeared.

After a few struggles, I found a way to contact the postmaster(s) and quickly after mailing them my complaints, I received a canned answer back. The sophisticated SmartScreen filtering technology made my messages disappear into thin air. Smart indeed, and thanks for not informing the sender of this block.

The fun part of the mail, I'll quote:

I am not able to go into any specific details about what these filters specifically entail, as this would render them useless.

Right! So they're so sophisticated that there's probably an easy way to get around them. Security through obscurity...

The friendly canned mail also suggested I use SPF, a technique to specify in DNS records who is allowed to send out emails on behalf of the domain. Great ... but I've been using that for a long time, so it wouldn't help.
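To make the SPF idea concrete, here is an added example (not from the original post) of how a receiving server evaluates an SPF TXT record against the connecting IP. It handles only the ip4 mechanism (with optional CIDR) and the "all" catch-all; the record and addresses are constructed samples, and a, mx and include terms are left out because they need DNS lookups.

```javascript
// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Does ip fall inside net/bits? A bare address means /32.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// SPF qualifier prefix -> result for a matching mechanism.
const QUALIFIERS = { "+": "pass", "-": "fail", "~": "softfail", "?": "neutral" };

// Evaluate an SPF record for a sending IP. Returns "pass", "fail",
// "softfail", "neutral", or "none" when no mechanism matches.
function checkSpf(record, senderIp) {
  const terms = record.trim().split(/\s+/);
  if (terms.shift() !== "v=spf1") return "none"; // not an SPF record
  for (const term of terms) {
    let qualifier = "+";                         // default qualifier is "+"
    let mech = term;
    if ("+-~?".includes(term[0])) { qualifier = term[0]; mech = term.slice(1); }
    if (mech === "all") return QUALIFIERS[qualifier];
    if (mech.startsWith("ip4:") && inCidr(senderIp, mech.slice(4))) {
      return QUALIFIERS[qualifier];
    }
    // a:, mx:, include: etc. would need DNS and are not handled in this example.
  }
  return "none";
}

// Constructed record: one /24 and one single host may send; everything else fails.
const SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all";

console.log(checkSpf(SAMPLE_RECORD, "192.0.2.55"));  // pass
console.log(checkSpf(SAMPLE_RECORD, "203.0.113.9")); // fail
```

A "fail" here is exactly what a receiver like Hotmail can act on; a domain already publishing a correct record, as in this case, gains nothing more from SPF.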

Maybe I'm on some RBL? Nope, can't find it. A quick search, however, showed that I'm not alone here. And based on the timestamp of that document, this problem has existed for over a year already.

So, as of yet, I can't send out mail (or reply) to my friends with a hotmail account. Tough luck. If you want to reach me, use a different Reply-To header.

Posted by: B10m | permanent link | comments (1)

Geekblok

2007/10/08 filed under /web

This weekend, fellow blogger BOK and I decided to launch a new blog. Blom + BOK = BLOK, and being two geeks, geekblok was the best name we could come up with.

Within 24 hours, the blo[gk] was launched and the first post was made. Keep an eye out for web2.0/technical posts on there!

At this moment, the blog is still in development, so if you get some errors, please try again later.

URL: http://geekblok.com/

Posted by: B10m | permanent link | comments (0)

The face of anonymity

2007/09/29 filed under /web

The web is becoming one big social spot where we can define our friends (read: complete strangers) over and over again. Luckily for those who are terrible at remembering names, the ability to upload a picture or avatar is usually given.

But what happens when you don't want to upload a picture and want to remain semi-anonymous? You'll get the default image! They all look very similar (well, most of them), yet all slightly different.

I've scanned a few sites and looked for their way of giving the anonymous user a face. Here are 15 examples (all scaled down to 48×48 pixels).

[default avatar images from] 43things.com, digg.com, facebook.com, flickr.com, friendster.com, gofish.com, jumpcut.com, last.fm, myspace.com, newsvine.com, technorati.com, vox.com, Y! Answers, Y! Movies, youtube.com

Can't we get one global symbol for mr/mrs Anonymous?

Posted by: B10m | permanent link | comments (0)

reCAPTCHA

2007/09/26 filed under /web

Sometimes, little Perl modules on CPAN can bring you to nice websites. In this case the website of reCAPTCHA.

The website opens bravely with the tagline STOP SPAM. READ BOOKS. In this day and age of text message (SMS) language where everything has to be as short as possible, reCAPTCHA scores fairly well with their motto. But if you do take the time to look a little further than that, you see the great concept behind the website.

What is a CAPTCHA? reCAPTCHA defines it as:

A CAPTCHA is a program that can generate and grade tests that humans can pass but current computer programs cannot. For example, humans can read distorted text [...], but current computer programs can't.

The term CAPTCHA (for Completely Automated Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University. At the time, they developed the first CAPTCHA to be used by Yahoo.

In the past, I have shown my disagreement with the whole CAPTCHA movement on this blog, for I still believe CAPTCHAs are horribly annoying. But since they are everywhere now, why not use it for a good cause? reCAPTCHA just did that!

reCAPTCHA will show you an image that came out of an OCR process. This word, which the OCR could not identify, is fed to the user, and this way the user helps to digitize a book. That is, in short, what they do. Please do read their learn more page and see why this is a really awesome concept!

Posted by: B10m | permanent link | comments (1)

XSS'ing the Telegraaf

2007/08/25 filed under /web

De Telegraaf is considered by some to be a trustworthy source of news. It's the website of one of the biggest newspapers in the Netherlands and, like so many other big websites, not XSS-safe.

After showing my new co-workers my eBay XSS adventure, I thought it would be nice to go see what else is out there. Heck, it's been almost a year!

My first try was this newspaper and boom, there we go. Within minutes I had some of my own text on the website and after fixing a thing or two, it also worked in Microsoft's Internet Explorer.

Since the newspaper is in Dutch, I figured my article had to be in Dutch as well and I basically copied the Webwereld article which talks about the eBay exploit (which was way more nasty and fun, but oh well).

Roughly it's talking about a Dutch guy finding the XSS leak in the website, while complaining about the security of this big "professional" website. And of course, it'll show you your telegraaf.nl cookie(s).

Click on the image to see the full size (and I apologize, for I don't know how to capture the Flash advertising on the site ;-)

The live version, if the site is still unpatched, can be viewed through my not too nicely crafted URL.


Update: the URL above is no longer working, for the Telegraaf patched it. Unfortunately, a patch was preferred over a full solution, for the XSS hole is still open!

And welcome Webwereld readers!


Update: Finally the Telegraaf is encoding users' input on search queries! It seems like they've closed this XSS hole now.

Too bad they did not respond to my email at all. A simple reply like "we're looking into it" would be nice. Guess I'll have the police at my door soon ;-)
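The fix the Telegraaf ended up with, encoding the search query before reflecting it, is shown below as an added example (not the site's code, and not from the original post). renderUnsafe() reflects the query verbatim, the class of bug described above; renderSafe() applies HTML encoding; containsInjectedTag() is a constructed check that flags any element the template itself never emits. All names and the sample query are made up for the illustration.

```javascript
// Encode the five characters that can change HTML context. Order matters:
// "&" must be replaced first so already-encoded output is not double-encoded wrongly.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query lands in element content and in an attribute verbatim.
function renderUnsafe(query) {
  return `<p>Results for: <b>${query}</b></p>` +
         `<input type="text" name="q" value="${query}">`;
}

// Fixed: every reflection of the query goes through escapeHtml().
function renderSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: <b>${q}</b></p>` +
         `<input type="text" name="q" value="${q}">`;
}

// Simple detector for a rendered page: does it contain a tag name that the
// search template does not produce? Only the listed tags are expected.
function containsInjectedTag(html, allowed = ["p", "b", "input"]) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map(m => m[1].toLowerCase());
  return tags.some(t => !allowed.includes(t));
}

// Constructed sample query: it closes the value attribute and opens a new element.
const SAMPLE_QUERY = `"><em>injected</em>`;

console.log(containsInjectedTag(renderUnsafe(SAMPLE_QUERY))); // true
console.log(containsInjectedTag(renderSafe(SAMPLE_QUERY)));   // false
```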


Posted by: B10m | permanent link | comments (6)