Updates from brsmith RSS

  • RadioTown servers blacklisted

    Brian 3:36 pm on April 1, 2010 | 0 Permalink | Reply

    Recently one of our sites had implemented a web form that allowed users to forward a post onto a friend by e-mail. The form asked for their friend’s e-mail address and for a custom message. It didn’t take long for bots to catch wind of this amazing new form and start sending out e-mails pleading for money from our servers.

    Since we received word that our servers were being blacklisted for spam, the form was removed and I set forth battling the blacklisters to reinstate RadioTown’s good name. After the better part of a day spent filling out forms, e-mailing and explaining the situation, we seem to be back in the good graces of the e-mail postmasters of the world.

    I received the list of blacklisted mail delivery services by looking through the bounced e-mail logs, and here is a short list of the major clients that we are no longer blacklisted by (not including the normal third party blacklist sites):

    Yahoo, AOL, Google, Live (MSN), proofpoint, verizon, comcast, rr

    This is just a good reminder to be careful about what kind of forms we are placing on our sites, and to think about the functionality that we implement from a “how can this be abused?” standpoint.
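    As an added example (not RadioTown’s code), here is how a forward-to-a-friend handler can be built so the abuse described above is not possible: the recipient is validated as a single plain address, the body is a fixed template rather than user-supplied text, and each client gets a small hourly quota. The function names, the quota of three per hour and the sample inputs are assumptions for the illustration.

```python
import re
import time
from collections import defaultdict, deque

# Single plain mailbox, no header-injection characters (assumed pattern).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_PER_HOUR = 3                # assumed per-client quota
_sent = defaultdict(deque)      # client_ip -> timestamps of recent sends


def clean_address(addr):
    """Return the address if it is one well-formed mailbox, else None."""
    addr = addr.strip()
    if "\r" in addr or "\n" in addr or not EMAIL_RE.fullmatch(addr):
        return None
    return addr


def over_quota(client_ip, now):
    """True when this client already sent MAX_PER_HOUR mails in the last hour."""
    q = _sent[client_ip]
    while q and now - q[0] > 3600:
        q.popleft()
    return len(q) >= MAX_PER_HOUR


def build_forward(post_title, post_url, recipient, client_ip, now=None):
    """Return (True, mail) or (False, reason).

    post_title and post_url come from the server's own post record, never
    from the form, so the sender controls nothing in the message body."""
    now = time.time() if now is None else now
    to = clean_address(recipient)
    if to is None:
        return False, "invalid recipient"
    if over_quota(client_ip, now):
        return False, "rate limit"
    body = ("A reader of RadioTown thought you might like this post:\n"
            f"{post_title}\n{post_url}\n")
    _sent[client_ip].append(now)
    return True, {"to": to, "subject": f"Recommended: {post_title}", "body": body}
```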

     
  • Data Integrity wants you! (to protect against SQL injection)

    Brian 1:12 pm on February 18, 2010 | 2 Permalink | Reply
    Tags: SQL

    In my first blog post, I talked a bit about the ability to use client side software to edit forms and submit data that might not be expected from a server side script. Well now I am back, and like the kool-aid dude, I am bursting through your screens with knowledge; OH YEAH!

    Okay, now that we have the comedy out of the way, time to get to the important stuff.  This post is going to be all about SQL injection attacks. Of all the possible exploits that can be done against a server, this is certainly in the top 5 most scary in my book (yes, I check under my bed for the SQL injection monster).

    (More …)

     
  • Adobe — making our lives easier one app at a time.

    Brian 1:57 pm on October 21, 2009 | 0 Permalink | Reply
    Tags: Adobe, browser, BrowserLab, Crossbrowser, css, style

    There are a few litmus tests for determining if one is a geek; I used to sit in math class programming my Texas Instruments calculator, I have camped out to see the new Star Wars movie (and subsequently felt personally insulted by Lucas), and I know who people are talking about when they refer to “The Woz” (Steve Wozniak for those of you playing along at home). As if those weren’t enough, I have stumbled upon a newish application developed by Adobe and I am genuinely excited about it.

    https://browserlab.adobe.com/index.html

    Adobe’s BrowserLab gives, as Adobe puts it, “web designers exact renderings of their web pages in multiple browsers and operating systems, on demand.” To which I say, “FINALLY!” This cool little application allows you to view what your styles are looking like (including JavaScript parsing!) in a wide variety of browsers and operating systems. It will even give you semi-transparent overlays of your page to allow you to more easily pinpoint those pesky single pixel problems, which Adobe calls “Onion Skin View.”

    Unfortunately this application is in its testing phase, so it is only allowing a limited number of users to register for it, and I am assuming it will be bundled into an Adobe product later, but for now I would say try to get an account and let it save you some time with cross-browser testing.

    As an aside, there are certainly techniques that one can use to reduce the amount of cross-browser compatibility style issues that come up in general. A lot of it can come down to preference, but I find that using a css reset file like Reset Reloaded puts all browsers on a more level css playing field.

    Happy Stylin’ Y’all

     
  • I can’t e-mail a page at all!

    Brian 3:18 pm on July 31, 2009 | 2 Permalink | Reply
    Tags: 1thing, balance, CAPTCHA, e-mail

    Hey all, just wanted to give a quick update on all of the balance and 1 thing sites:

    Some of you may notice that on the individual content pages you can no longer e-mail the page to a recipient. This functionality has been disabled for the time being as there are concerns about the possibility of e-mail spam being sent from those forms.  This same problem was noticed a couple of weeks ago, so reCAPTCHA was added to the form, though it has seemed to pop up again.

    This realization bothered me quite a bit. I have read articles in the past about how reCAPTCHA had been hacked, but it is pretty much understood that with any popular service there is a constant battle between the maintainers of the service and those that would see the service brought to its knees (especially when the service in question is security related).

    In doing some more research I have found that there are “companies” that actually provide outsourced manual labor for solving CAPTCHA problems. So, imagine a large warehouse that looks kind of like you would imagine a call center looking like in China or India, now imagine that all of those people are answering CAPTCHAs all day long. This means that for $0.01 USD (approx.) someone spamming can send an e-mail that subverts a CAPTCHA widget. So what is the e-mailer’s ROI? Well, in many cases an entire ID and credit line. So if someone sends out 1000 e-mails for $10 USD and they fool a single person into filling out information about themselves, it becomes quite clear that there is quite the profit opportunity there.

    So why not just shut down all of these warehouses of CAPTCHA crackers? Well, for one we don’t exactly have jurisdiction, but more importantly you don’t need a warehouse. One of the more popular trends now is to make viewers of adult content do that for you.  A very popular adult site model right now is to force a would-be viewer to fill out a CAPTCHA response before allowing them to view a video. I guess they figure that people are more apt to deal with a minor inconvenience of typing a couple of words over paying for their content.

    So what does this all mean? Generally, the fact that reCAPTCHA can be subverted isn’t a huge deal because most scripts don’t allow the end user to actually type in the e-mail address of the recipient. I will be looking for some other solutions next week to get this functionality back into the sites.

     
  • I just got $100 for buying a T-Shirt!

    Brian 5:27 pm on July 21, 2009 | 0 Permalink | Reply
    Tags: HTML

    Okay, that didn’t really happen to me, but it is a legitimate security concern for a web developer. Nobody wants to get a call asking why someone was able to purchase a t-shirt from their form and not only get the t-shirt but also receive a $100 credit.

    This really comes down to secure development and making sure that any user input is properly sanitized and validated to ensure that the values that were submitted aren’t malicious attempts at ruining your month. It is easy to see why one would need to sanitize user data coming from a text field on a form, but let’s explore what may be a less obvious situation and why one would want to sanitize data from a drop down select.

    (More …)
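    As an added example (not the post’s code), here is the drop-down problem in server-side terms: the first function trusts a price carried in the form, which is exactly how an edited option value turns into a $100 credit, while the second treats the submitted option only as a key into a server-side catalog and rejects anything it does not recognize. The catalog entries, quantity limit and function names are constructed for the illustration.

```python
# Constructed catalog: the select's option values are the keys; prices
# live only on the server.
CATALOG = {"tshirt-s": 20.00, "tshirt-m": 20.00, "tshirt-l": 22.00}
MAX_QTY = 10   # assumed per-order limit


def total_trusting_form(form):
    """Vulnerable: whatever value the client put in the <option> is used as
    the price, so a locally edited form can submit a negative amount."""
    return float(form["price"]) * int(form["qty"])


def total_validated(form):
    """Hardened: returns (True, total) or (False, reason).

    The select value must be a known SKU, the quantity must be a small
    positive integer, and the price is looked up, never read from the form."""
    sku = form.get("item")
    if sku not in CATALOG:
        return False, "unknown item"
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return False, "quantity must be an integer"
    if not 1 <= qty <= MAX_QTY:
        return False, "quantity out of range"
    return True, round(CATALOG[sku] * qty, 2)
```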
