Related Posts

1. Parent-Child DropDownList Controls In ASP.NET Web Forms (VB.NET) (25.1)
2. Automatically Hash Tagging Text With ASP.NET Web Forms (VB.NET) (24.2)
3. Displaying Selected YouTube Data API Thumbnails On A Web Page Via ASP.NET Web Forms (24.2)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]> Received in my email today:

Hi

say your blog and thought you might help.

strsql = “SELECT StaffID, DesignationID, StaffName, Password, ShopID from staffT where StaffName =” & UserName.Text & ” AND Password =” & Password.Text & “”

from the string, the username.text and password.text are form controls. what is happening is there are passing null values regardless of what you input in the text boxes resulting in a system error.

“System Error Object reference not set to an instance of an object”

Am using Mysql as the database.

I’m always glad to answer such questions, especially when the questioner is flirting with disaster, as much as this questioner is.

A trained eye can immediately spot the problem with the SQL statement above, aside from the problem of NULL values tossing errors. Namely, it’s wide-open to SQL injection. (And an even keener eye will note that the values for user name and password aren’t delimited with single-quotes.)

So here’s my reply email to the questioner:

Your SQL statement has three problems.

1. It is wide open to injection attack. See http://www.unixwiz.net/techtips/sql-injection.html for examples.
2. As you noted, when nulls are passed in, the expression fails.
3. It appears you have not delimited your text inputs with single quotes.

Assuming you are using ASP.NET, and that your user names and passwords are only alphanumeric, the direct fix to your problem is this:

Dim strUser As String
If String.IsNullOrEmpty(UserName.Text) Then
	strUser = String.Empty
Else
	strUser = UserName.Text.Replace("'", "''")
End If

Dim strPass As String
If String.IsNullOrEmpty(Password.Text) Then
	strPass = String.Empty
Else
	strPass = Password.Text.Replace("'", "''")
End If

strsql = "SELECT StaffID, DesignationID, StaffName, Password, ShopID from staffT where StaffName = '" & strUser & "' AND Password = '" & strPass & "'"

That should get you going, but you should employ the following best practices fixes:

1. Use stored procedures with paramerterized input values. This serves to automatically sanitize your queries for data type.
2. Use RequiredFieldValidators and RegularExpressionValidators to ensure that you receive some sort of input for each field, and that each does not contain an effort to inject your code with SQL.
3. Impose some sort of control that limits multiple login attempts.
4. Better yet, use the built-in membership provider in ASP.NET, which can be used with MySQL, and has already resolved many potential attack vectors.

Hope this helps.

Additional Thoughts And Clarification

The guidance I gave the emailer, instructing him to escape single quotes, is a bare-minimum escaping sequence. As a practical matter, he should sanitize his inputs against additional MySQL sequences, such as double-dashes and semicolons, as well as reserved SQL statement words, such as DROP, ALTER, DELETE, etc. There’s an HTTPModule example over at the ASP.NET forums that does this automatically for an application.

Using parameterized queries / stored procedures to combat SQL injection is a primary recommendation from both Microsoft and MySQL (pdf).

In addition to securing data type, query parameters limit the ability of an attacker to inject SQL by fixing the form of the query implicitly. In other words, it’s harder for him to mangle a parameter than it is to mangle a string.

All links in this post on delicious: http://delicious.com/dougvdotcom/the-basics-of-avoiding-sql-injection-attacks-in-asp-net-web-forms

Related Posts

1. The Lessons We Should All Relearn From HBGary (5)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]> Last week I logged on to Tumblr and was confronted with this abomination:

Missing e notice from tumblr. Way to encourage API development, guys.

Needless to say, this is pretty disturbing, and I wonder what Tumblr is thinking by posting this.

Background

Some background: Tumblr is a blogging site, with social media overtones. Basically, you can easily follow other bloggers’ posts through a dashboard / search posts via tags, and it’s quite easy to repost material you find on other blogs.

Like most other major providers, Tumblr maintains an API. Until last year, it was mostly restricted to retrieving and submitting posts; it was recently expanded to allow some manipulation of blog settings and managing followers.

I like Tumblr a lot. I’ll go on a couple of times a day, and like most other Tumblr blogs, my blog is mostly reposts; it’s where I’ll dump links / reposts of things I see on the Web that I want to share.

Missing e has been around for a while. It’s a browser add-on for Webkit-enabled browsers; as its name implies, it leverages the API with some neat features that aren’t directly available through Tumblr itself.

For example, Tumblr has a lot of image posts. Missing e includes a magnifier feature that lets one see a full-sized image right from his dashboard, rather than having to engage in the several clicks it takes to see a full-sized image. Missing e also lets me more easily reblog items (including the automatic addition of tags to reblogged posts), manage my post queue, and otherwise make Tumblr easier to use.

I should note that I don’t know the developer of this plugin personally, nor have I spoken to him about this notice. (I have read his response to this outrage, however, and I find it remarkably calm, fair and responsible.) I don’t know if Tumblr has contacted him about its concerns or tried working with him on those issues (reading the developer’s responses, it sure sounds like they haven’t).

I also haven’t contacted Tumblr about this. I’m not interested in hearing whatever nonsense they intend to proffer as justification. I know what I read and I know how I feel about it as an API developer.

To Tumblr’s credit, they haven’t cut off API access to the plugin, which was certainly an option others might have pursued. It wouldn’t surprise me if a number of Tumblr users can’t tell where Tumblr ends and missing e begins, and thus they are swamped with support requests they can’t do much about. And it does make sense to me that missing e uses a lot of resources to accomplish its tasks.

A Completely Wrong-Headed Approach

That’s where my empathy for Tumblr’s plight ends.

First, Tumblr’s reliability, both in terms of its primary service and its API uptime, rivals Twitter for embarrassingly inadequate. (At least Twitter has the common sense to not blame third-party developers for their failure to stay up.)

That’s on Tumblr alone. It’s up to them to keep their service running.

I especially find odious the insinuations contained in this notice. While missing e is, in the base definition, a “hack” of Tumblr, the tone of this message suggests that the plugin isn’t well-written and may be up to no good.

Well, you can go to GitHub and look at the code yourself. Yes, it sends data to intermediary servers. Yes, it is technically possible for missing e to steal a user’s Tumblr credentials, to track Tumblr users’ activities, to obtain personally identifiable information, etc.

Let me be clear: I agree with another user that missing e in no way compromises user information right now. However, it could do so, by virtue of being a browser add-on; to that extent, the notice Tumblr posted is accurate, as they don’t directly accuse missing e of privacy violations, but do note it is possible for browser plugins to capture information a user never anticipated having captured.

Absent proof that there is an intention behind missing e to do that specifically, and to use such information for nefarious purposes — evidence Tumblr clearly could provide, if it existed — I find the tone of this note beyond insulting; it’s chilling.

My interpretation of this notice is, “We don’t like missing e. We’d just as soon ban it. But that’s not very Web 2.0 and it’s likely to generate PR static. So we’ll scare you, push you toward getting rid of it, then continue to serve those who want to use it.”

That’s being a dick. That’s being lazy. That’s being stupid.

A Proper Response

Were I in charge at Tumblr, we’d be going about this in an entirely different way.

• The first thing we would have done is offered the guy who wrote missing e a job.
• If not that, we would have offered to buy missing e outright.
• And if that didn’t pan out, we’d ask missing e users to rate its features, then build those into our platform.

Because what does Tumblr’s approach to this issue say? It says, “We aren’t interested in the reasons why missing e is a problem for us. We don’t care about our end users and why so many of them are using this plugin. It’s not that our product is inferior, and someone has made it better; it’s that we have what we have, and even though it can clearly be better, we’re more interested in the status quo.”

Or, as I’ll coin it, The MySpace Response: “Do what you like, so long it fits in our picture of our service.”

You saw how well that worked out for them.

I don’t suspect this blog post will cause any change whatsoever in Tumblr’s approach. I simply want to lament what is an absurd and insulting response to a relatively minor problem by a company that I expected knew better than that.

If Google brought you here because you’re worried about that notice, suffice it to say that I looked at the missing e code and, as of this writing, I see nothing there to be concerned about.

I do, however, see a lot to be concerned about in Tumblr’s handling of this matter.

All links in this post on delicious: http://delicious.com/dougvdotcom/tumblr-mangles-developer-relations

Related Posts

1. Hacking WP-PluginsUsed To Remove Plugin Version Numbers (14.6)
2. Displaying The Correct Time For World Cities With AJAX / JavaScript / DOM (13.8)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]>

flickr /compujeramey

This is nitpicky, and I certainly don’t mean to take lightly the seriousness of the matter. But I do want to clarify that the News of the World wasn’t technically “hacking” voicemail in its scandal. It was engaged in social engineering.

For those of you who missed the headlines (and for the benefit of posterity): News of the World was (until July 10, 2011) a Sunday tabloid; like most British tabs, it’s best known for printing racy pictures of women and sleazy stories.

News of the World  hired a private investigator to help it research stories. That contractor gained access to a number of voicemail accounts, including those of a murdered 13-year-old girl, several soldiers killed in the Middle East conflicts, and royal family members.

All the shoes involved here haven’t yet dropped, but as of this writing the scandal has closed the paper after 168 years of publication; threatens to bring down Prime Minister David Cameron; has led to several arrests and may well result in additional restrictions on Great Britain’s press. (Even overwhelmingly reasonable pundits, such as The Economist, are calling for a mucking out of British journalism’s stables.)

The entire affair is loathsome, no question about that, even for the British press, nefarious for its “chew people up and spit them out” appetite. It’s also caused other world press outlets to term what News of the World did “phone hacking,” needlessly worrying people who have taken reasonable steps to secure their voicemail that they, too, might be targeted.

So I want to clear things up. If you’ve changed your voicemail password (PIN), you almost certainly can’t be violated in the way News of the World violated its victims.

Hacking means “to alter a system to perform differently than intended.” Hacking isn’t necessarily a malicious act. In fact, it’s often a good thing. I am 100 percent in favor of hacking, provided the thing you are hacking is yours or you have permission to hack it.

Cracking means “to compromise the security of a system.” While there are legitimate reasons to crack, it’s never an appropriate thing to do with property that doesn’t belong to you.

(I realize this is only one interpretation of “hacker,” and that other definitions exist, which also encompass what I term separately as “cracking.” I reject definitions of hacking that assume malice or nefarious intent. Hackers don’t aim to cause harm to, or violate the rights of, others; crackers do. Period.)

Social engineering (also called “blagging”) is the act of exploiting human behavior to achieve an end, usually without the tacit understanding of the people targeted that they are being exploited.

That’s what News of the World was up to: Exploiting people who were ignorant of, or indifferent to, basic voicemail features and security.

As explained at this excellent article at sophos.com, a lot of people don’t change the default password for their voicemail. Additionally, most users don’t understand that the convenience of being able to access voicemail from a different phone is a security risk that should at least be managed, if not disabled. (Admittedly, a number of phone providers don’t give you the option to disable remote access to voicemail.)

Simply put, News of the World’s private investigator gambled that the victims of his snooping didn’t bother to change their voicemail passwords from default values, and didn’t disable (if they even could disable) remote voicemail access.

Again, I am not suggesting what News of the World did was OK. That people don’t protect themselves from being violated does not make it OK to violate them.

My point is that what News of the World did is not hacking; at no point did anything not perform as designed. It also isn’t cracking; at no point was any procedure undertaken to circumvent the built-in security of the voicemail systems in question. The victims’ misunderstandings and inaction were exploited. That’s social engineering.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/news-of-the-world-wasnt-hacking-voicemail-it-was-blagging

Related Posts

1. Sorting Your MySQL Results Set In PHP Using jQuery (And A More Traditional Approach) (17.4)
2. A Simple Page Click Count System Using PHP And MySQL (17.2)
3. Multilingual Web Pages Via PHP, Arrays And MySQL (16.4)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]> My recent work on the Google Reader to Twitter interface led me to recognize a serious shortcoming of such a basic system: A lack of support for hash tags.

For those unfamiliar with Twitter, hashtags are basically words proceeded by a hash mark (#). When a word is “tagged”, it becomes a hyperlink to content also containing that term.

Tagging isn’t unique to Twitter. It’s integral to WordPress, Tumblr and many other blogging platforms; Google uses tags (which they call “labels”) in most of their major applications, including GMail and Google Documents.

The reason is simple: People tend to organize information in terms of categories, so interrelating content by linking items that belong to the same categories to one another makes it easier on us to find and process that information.

So here’s a quick and easy script that lets you take keywords / tags / labels / categories / what have you from a MySQL table, run those terms over a string / subject text, and automatically tag that string with those terms.

(In a later tutorial, I will describe how to add new terms to the database.)

An HTML Form To Input A Subject String

We need a simple way to get our subject string (that is, the text we want to have tagged). Here’s a form to do that; you could, of course, alter this script to open up a file, or retrieve data from some other store, as your subject text.

I am also including an echo statement, just before the form, that will show the autotagged text once the form has been submitted.

<p class="notice"><?php echo $content; ?></p>
<form id="tform" name="tform" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
	<textarea id="ttext" name="ttext" cols="50" rows="3"><?php echo $_POST['ttext']; ?></textarea>
	<br />
	<input type="submit" name="submit" id="submit" value="Submit" />
</form>

A MySQL Table To Contain Terms

We need to have some sort of data store to hold the terms. Eventually, we’re going to put these terms into an array, so you could simply hard-code your terms as a PHP array. Also, you could use an XML file, JSON, a CSV or other text file, etc. to hold your terms.

In my case, I am storing terms in a MySQL table. Here’s the code for my table:

CREATE TABLE IF NOT EXISTS `php_auto_hashtag` (
  `term_text` varchar(255) NOT NULL,
  UNIQUE KEY `term_text` (`term_text`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

INSERT INTO `php_auto_hashtag` (`term_text`) VALUES
('adsense'),('amazon'),('android'),('aol'),('api'),('apple'),
('bing'),('canvas'),('cbs'),('chrome'),('cloud'),('comcast'),
('darpa'),('eff'),('facebook'),('firefox'),('google'),
('hacker'),('hackers'),('hacking'),('html'),('html5'),
('http'),('https'),('ie9'),('ietf'),('intel'),('internet'),
('ios'),('ipad'),('ipv6'),('javascript'),('kinect'),('malware'),
('microsoft'),('mozilla'),('mvc'),('nokia'),('pentagon'),('php'),
('ps3'),('rackspace'),('safari'),('silverlight'),('sony'),
('stuxnet'),('symbian'),('tablets'),('twitter'),('vb'),
('verizon'),('virus'),('windows'),('xml'),('youtube');

Note that we don’t have a primary key. That’s because we have a unique key. We don’t want the same term in the database twice, and that’s what a unique key does: prevent duplicate entries. As a result, a primary key isn’t necessary for tuning / optimization if we have a unique key, since their purposes in indexing are similar.

A PHP Function To Retrieve Terms From The Database

To get the terms out of the database and into a PHP array, I’ll make a function. The reason why I am doing it this way will be noted shortly. The function returns false on an error, an array on success.

The function assumes the database table contains at least one term, but if it doesn’t, it’s not a fatal error (but will show a warning to the end user).

Finally, you’ll note I am using globally defined constants for taking in database credentials. This isn’t really elegant, but I want I want this script to work out-of-the-box for those who have limited programming skills; by defining DB variables globally, an end user can simply plug in the right values and use this script out of the box.

//your database server variables
define('MYSQL_HOST', 'localhost');
define('MYSQL_USER', 'db_user');
define('MYSQL_PASS', 'db_password');
define('MYSQL_DB', 'db_name');
define('MYSQL_QUERY', 'SELECT term_text FROM php_auto_hashtag');

function at_get_terms() {
	//retrieve terms from database
	//returns Boolean false on failure, array of terms on success

	if(!$link = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS)) {
		trigger_error('function at_get_terms: Cannot connect to database server. Please check your host name and credentials', E_USER_WARNING);
		return false;
	}

	if(!mysql_select_db(MYSQL_DB)) {
		trigger_error('function at_get_terms: Cannot select the database. Please check your database name', E_USER_WARNING);
		return false;
	}

	if(!$rs = mysql_query(MYSQL_QUERY)) {
		trigger_error('function at_get_terms: Error parsing query. MySQL error: ' . mysql_error(), E_USER_WARNING);
		return false;
	}

	if(mysql_num_rows($rs) == 0) {
		trigger_error('function at_get_terms: No terms found in database', E_USER_NOTICE);
		return false;
	}

	$out = array();
	while($row = mysql_fetch_array($rs)) {
		$out[] = $row[0];
	}
	return $out;
}

A PHP Function To Autotag The Subject

We can now create a function that does the autotagging. It takes as arguments the subject text and the array of terms we want tagged; it returns false on an error and the tagged subject string on success.

In this case, we’re using preg_replace to do the tagging. There’s a lot of argument as to whether str_replace or ereg_replace is faster / better than preg_replace, but I find such arguments to be counting angels dancing on the head of a pin. I use preg_replace because it works quickly enough, regular expressions are an elegant way to find text, and PCRE is PHP’s preferred regular expression processing extension.

function autotag($input, $terms) {
	//tags $input with $terms
	//returns false on error, tagged string on success

	if(strlen(trim($input)) < 1) {
		trigger_error('function autotag: string to be tagged is empty', E_USER_WARNING);
		return false;
	}
	if(!is_array($terms)) {
		trigger_error('function autotag: terms is not an array', E_USER_WARNING);
		return false;
	}

	$tmp = array();
	foreach($terms as $term){
		//matches will be terms exactly as in database,
		//followed by space or newline
		$tmp[] = "/($term)(\s|$)/i";
	}
	$out = preg_replace($tmp, '#$0', $input);
	return $out;
}

Note the second argument in the preg_replace call, above. # is just the hash mark, which in the case of Twitter will be turned automatically into an tag link. $0 means, in regular expressions, the entire part of the subject text (the third argument) that matched the pattern (the first part of the argument).

So, if you wanted to use hyperlinks instead of hashtags, and use the found terms as querystring variables to a page named term.php, your preg_replace statement would be something like this:

	$out = preg_replace($tmp, '<a href="term.php?term=$0">$0</a>', $input);

(Always sanitize your querystring variables before using them in your PHP code. You have been warned. Don’t come crying to me or pointing fingers in my direction if you fall victim to an XSS or injection attack. Sanitize your variables.)

Get The Terms And Tag The Target String

We now have everything we need to autotag the target string. It’s as simple as a single-command if statement:

$content = "Enter text in the textarea below, then click Submit. The text will be automatically tagged with terms contained in the database. ";

if(isset($_POST['submit'])) {
	$content = "<strong>Hashtagged string:</strong> " . autotag(htmlspecialchars($_POST['ttext']), at_get_terms());
}

And that’s all there is to it. You can see a working demo here: http://www.dougv.com/demo/php_auto_hashtag/

You can also download the source code. I distribute this code under the GNU GPL version 3.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/automatically-hash-tagging-text-with-php-and-mysql

Related Posts

Related Posts

1. LastPass: A Great Way To Protect Your Actual Internet Privacy (18.6)
2. New England GiveCamp 2010: What A Great Experience (17.4)
3. Google Search Results Encourage New Wave Of Negative Customer Service (9.4)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]>

Federal postal authorities with Vitaly Borker after they arrested him on Monday at his home in Brooklyn. Robert Stolarik for The New York Times

The headline to this post is via Chris Rock, who repeats that line during his “Never Scared” comedy special (link very NSFW!), speaking about the difference between being rich and being wealthy.

It means that significant, lasting wealth is often created by exploiting something new, or using some means to circumvent the kind of behavior most people would consider fair or reasonable. The patron of the exhaulted Kennedy clan made his fortune from bootlegging and insider trading before the 1929 stock market crash. Rockerfeller, Vanderbilt and Morgan were the great robber barons of the U.S. industrial revolution.

I mention this because Vitaly Borker, proprietor of decormyeyes, was arrested today on federal charges of “mail fraud, wire fraud, making interstate threats and cyberstalking.”

Borker, as you will remember from this blog, discovered some time ago that Google’s PageRank algorithm didn’t consider whether the mentioning of an online store was positive or negative. (Google claims this is no longer the case.) Therefore, Borker took a extremely combative approach to customer complaints, intentionally stoking animosity, so that his online store would appear in multiple online complaints, often at very reputable, PageRank-enhancing Web sites, such as Get Satisfaction.

It seemed to work well, and I admired the ingenuity behind it, if not the tactic itself. Seems now, however, that Borker will be a test case as to whether anti-service, and preying upon the gullible / lazy, is at an end. (I might also note that this is further proof that for all the caterwauling, good journalism isn’t dead; if anything, it’s more valuable than ever.)

All links in this post on delicious: http://www.delicious.com/dougvdotcom/behind-every-great-fortune-is-a-great-crime

Related Posts

1. Google’s Web Browser Has Its Problems, Too (13.7)
2. It’s All Chinese To Me: Reader Has Google Translate Built-In (13.5)
3. LastPass: A Great Way To Protect Your Actual Internet Privacy (5)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]> A fascinating article in today’s New York Times examines the case of DecorMyEyes, an online eyeglasses retailer who’s found an interesting exploit in Google’s search rankings.

Noting that Google’s PageRank algorithm doesn’t determine if a linkback to a Web site is positive or negative, store owner Vitoly Borker games that system simply: He fights every customer complaint bitterly, with verbal abuse, counter-complaints, and what some construe as overt threats of violence.

This aggressive, seemingly destructive behavior is so over-the-top, it leads disgruntled customers to complain everyplace they can online, including at such massive entities as Get Satisfaction.

The long and short: Lots of mentions and links to his Web site, plus lots of mentions of the brands he sells, all in context, often on high-traffic Web sites, means searching for a specific pair of eyeglasses often leads to Borker’s Web site being listed first in a Google search.

Borker effectively preys on the inexperienced online shopper. “If you’re the type of person who reads consumer reviews,” says the Times, “Mr. Borker would rather you shop elsewhere.”

He gets away with it via a combination of apathy and obeying the letter of the law.

His previous hosting company and eBay (from where he buys glasses for resale)  ignored scores of complaints until the Times inquired about his accounts. The confusion law enforcement has over Web-based commerce crime, including the IC3, means police have largely been absent, even in the face of obvious violations of the law.

Borker carefully monitors Visa and MasterCard complaints, making sure he doesn’t go past the monthly complaint limits. After MasterCard closed one of his merchant accounts, he opened another:

“There is no such thing as shutting someone down on the Internet,” he said during our initial telephone interview. “It isn’t possible. If Visa and MasterCard ever shut me down, I’d use the name of a friend of mine. Give him 1 percent.”

Most interesting, Borker sells on Amazon.com’s Marketplace, and doesn’t employ any nastiness there, because Amazon has a very low tolerance for customer complaints, according to the Times.

The Genius Of Borker

Let me be clear, right up front: What Borker is doing is awful. No decent human being can endorse any of it. But one cannot deny the genius behind it, especially using arrogance to game arrogance.

Anyone experienced with a large Web host knows, they generally have no interest or incentive to discontinue any but the most odious of Web sites. Unless a site is getting a host thrown into a black hole list; is generating actual lawsuits, warrants or court orders; or is generating loads of negative publicity, most Web hosting providers ignore complaints.

Usually, that’s a good thing; not liking a Web site’s message is seldom reason to have it removed, and admittedly, anyone who puts in any due diligence would never buy from DecorMyEyes. That said, there’s a very good point about being a good corporate citizen, and there’s no question that what Borker is doing is exploitation at its worst.

Anyone who’s been on eBay for any period of time also knows how arbitrary both its rules and its rules enforcement prove. Simply put, only repeated and egregious violations get one in trouble.

There’s really only three ways to get kicked off of eBay: never pay for anything, never ship anything you’ve sold, or don’t pay your eBay fees. Even then, one can simply sign up with a new e-mail address / under someone else’s name.

Anyone who’s had the misfortune of dealing with local law enforcement knows how little most police understand the Internet, and how most don’t care to prosecute such crimes because of jurisdictional questions.

I have had two occasions to deal with Internet harassment over the years. In one case, it took several overt threats from an e-mailer to get the police to contact the person involved and tell him to stop. In the other, it took scores of spam messages and extensive evidence that it was all coming from a specific, out-of-state IP address in the same neighborhood as someone with whom I had an eBay dispute to get police in his home state to issue him a warning.

Similarly, there is zero incentive for Visa and MasterCard to intervene with vendors who ship defective or fraudulent merchandise. Some percentage of victims won’t complain at all. Another percentage won’t fight a refusal to reverse charges. Practically none will sue. In the end, it’s more profitable to look the other way on occasional fraud.

And again, their incentive is in having more sellers, not fewer, so there’s little reason for them to strongly vet new applications, to ensure those who ultimately profit weren’t previously banned.

So yes, what Borker is doing is loathesome. But it’s a product of the compromises we’ve made to keep the Internet an open and free place to operate.

Ultimately, I believe that those who have done business with him only have themselves to blame, given that the ease of finding his store is equivalent to the ease of discovering what a shady operator he is. It’s not only caveat emptor, it’s “freedom isn’t free.” Protect yourself at all times in the ring.

Related Posts

1. ASP.NET Crypto Exploit Patch Ships Tuesday, Sept. 28 (58.8)
2. Microsoft Urges URLScan Implementation To Combat Crypto Vulnerability (21.1)
3. FAQ Released For Microsoft ASP.NET CryptographicException Attack (19.1)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]> Scott Guthrie announced yesterday that the hotfix for the ASP.NET cryptographic padding oracle exploit is now available on Windows Update / Windows Server Update Services.

Points of note:

• Persistent authentication cookies will need to be reset after applying the patch. In other words, if your site uses Forms Authentication, all your users will need to log in again after you apply this patch.
• You will still be able to persist Forms Authentications sessions across versions of ASP.NET. In other words, if you have multiple applications, running multiple versions of ASP.NET, on a given domain, one Forms Authentication login will work for them all, provided they share the same data store for authentication.
• If you run a web farm, all versions of ASP.NET must be the same in that farm, and the patch needs to be applied to all machines.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-now-available-through-windows-update

Related Posts

1. Microsoft Urges URLScan Implementation To Combat Crypto Vulnerability (27.4)
2. FAQ Released For Microsoft ASP.NET CryptographicException Attack (24.2)
3. Major Security Hole In ASP.NET Requires Error Redirect Workaround (22.6)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]> Scott Guthrie noted on his blog that Microsoft will ship, on Tuesday, a hotfix for the ASP.NET cryptographic padding oracle exploit. It is to be released at 10 a.m. PDT; that’s 1 p.m. EDT / 17:00 GMT.

Guthrie says the patch has been fully tested and, once installed, removes the need for the previously published workarounds. As in, after you install this patch, you can turn off custom errors or use custom error files for specific errors.

Glad Microsoft worked this out so quickly. Don’t fail to get and apply this patch.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-ships-tuesday-sept-28

Related Posts

1. FAQ Released For Microsoft ASP.NET CryptographicException Attack (24.4)
2. Live From The Microsoft Launch 2010 Event In Boston (17)
3. Major Security Hole In ASP.NET Requires Error Redirect Workaround (11)

The numbers inside parentheses are relevance scores. Scoring is based, in order of priority, on title, category, content and tags. The higher the score, the more likely that post relates to this post. ]]> In a further update on how to combat the ASP.NET CryptographicException hack, Microsoft is now urging webmasters to use the URLScan utility to further thwart oracle attempts.

In a blog post on Friday, Scott Guthrie, corporate vice president of .NET at Microsoft, said the step — which removes aspxerrorpath as an allowed querystring variable — “prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.”

URLScan is an Internet Information Server (IIS) extension. If you manage your own IIS server, you should follow the instructions at Guthrie’s blog post to download, install and configure the workaround.

If you are on shared or managed hosting, check with your Web host’s tech support department to see if they have implemented, or will implement, this step for you.

Again, this is a serious threat that is fully scripted, meaning any malcontent — including one with no practical programming skill — can exploit a site with widely available tools.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/microsoft-urges-urlscan-implementation-to-combat-crypto-vulnerability