A Medireview Approach To Stopping E-Mail Attacks
dcsmith writes: "This article at the Need To Know web site reports that the free (as in beer) e-mail arm of Yahoo has been replacing certain words in messages received by yahoo.com e-mail accounts. In an apparent attempt to forestall cross-site scripting attacks, 'mocha' becomes 'espresso' and 'free expression' becomes 'free statement'... My personal favorite - since medieval contains the text "eval", it is altered to 'medireview' ... Check Google for the number of web sites containing medireview." Kwelstr points to this story at New Scientist as well.
I think that Yahoo shouldn't be changing any words in e-mails unless the users specifically choose to turn that "feature on". I mean if I send anyone an e-mail I expect it to arrive as I sent it. What is the point of a global mail that picks what you can and can't write about?
Dan Mayer: my blog, essays, art, etc
I emailed my yahoo.ca account, cut and pasted the /. story text
Nothing got changed, did anyone even verify this?
it prevents scripting attacks because you can't email someone malicious javascript, for example, as the keywords will be replaced.
james
Absit Invidia
I can't believe it...a slashdot editor actually spelled "medieval" correctly.
"Teachers leave us kids alone
Even if there's some great effect, wouldn't it be easy to replace the word only if it appeared in a script? Or does IE extend its baffling type guessing to parts of documents as well?
This seems like a clumsy, low brow solution, not to mention the fact that they're causing their own kind of information corruption. So, if I'm searching for medieval, now I have to sit and write down the variations on the theme. The four letter combination eval pops up in thousands of words (my guess). It seems to me that this is creating one problem to try and solve another.
What the original poster of this article failed to mention was that this affects HTML-encoded mail only. Plain vanilla ASCII e-mail is not affected.
--
http://www.aikiweb.com - AikiWeb Aikido Information
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Yes, this is real. I sent a short HTML message to my Yahoo account that included the words medieval, mocha, and expression. All three were changed just like the article. You can do this too, just make sure you send an HTML mail.
Eval is a commonly used javascript command (duh).
An interesting one. Mocha is the old name for what became Javascript.
Obvious
Breaks most javascript embedded in HTML email.
As above.
Breaks most vbscript embedded in HTML email.
Another old name for Javascript.
However, this seems the most retarded possible way of cutting out scripts in HTML emails.
Better, would be a regexp something like .*? and targeted removal of a few other tags.
if the email contained embedded javascript, replacing key parts of the javascript syntax would render it useless. javascript like any other (programming) language relies on the syntax of the code being precise... in the English language 'eval' and 'review' have similar meanings but in javascript 'review' means nothing.
When questioned about the filter, Yahoo claimed the filter was "double plus good".
Source Message:
<html>
<body>
m o c h a: mocha <mocha>
free e x p r e s s i o n: free expression <free expression>
m e d i e v a l : medieval <medieval>
</body>
</html>
Result:
m o c h a : espresso, free e x p r e s s i o n : free statement m e d i e v a l : medireview
Oh, and since NTK is slashdotted already, you might want to read the original politech message to see what we're talking about.
314-15-9265
Appears to have been /.'ed, here's the relevant bit:
Nice to see, in the midst of all these scandals, Yahoo turning a healthy profit. But as other companies fiddle the figures, Yahoo's been busy instead with fiddling its own users' private correspondence. In a fantastically clumsy attempt to prevent cross-site scripting attacks, the free e-mail wing of the sprawling giant has long been replacing complete English words in the text of HTML mail sent to its users. Mention "mocha" in an HTML mail to a friend with a @yahoo.com account, and your choice in coffee will be silently switched to "espresso". Talk about "free expression", and your recipient will think you said "free statement". Here's the full list of swaperoos:
http://www.ntk.net/2002/07/12/yahoo.txt
- try not to mail it to your friends
This fiddling has been going on now for over a year (the ever vigilant RISKS digest noted it back in March 2001). But because of Yahoo's underhand methods, very few people have spotted the turnabout - certainly far fewer than if Yahoo had done the sensible thing and, say, "**"'ed out the vowels in the word, or, God forbid, written a smarter parser. But the sneakier you are, the wider the damage spreads. The word "medieval" (since it contains the javascript command "eval") is converted in Yahoo mail to "medireview". Google now shows over 640 sites (and 1,150 separate instances) of the word "medireview" being used as a synonym for medieval. University papers, bibliographies and book reviews, Indian newspaper columnists, and endless enthusiast sites drop it unseen into texts. People have begun to ask where it originally came from, and does it have a subtler meaning beyond "medieval"? Is Yahoo ever going to fix its filters? Or is it time we pushed to get the first regexp-obfuscated word into the Oxford English Dictionary?
http://catless.ncl.ac.uk/Risks/21.34.html
- does anyone still at Yahoo even know how to turn it off?
http://www.google.com/search?q=medireview
- NTK now entirely filled with google links
Of course, the next hack will be to produce e-mail that becomes a cross-site scripting attack (or criminal/tortious in some other way) after passing through Yahoo's filter. Who's going to bear the liability for that?
Personally I think a better approach would be to nuke all , and tags.
The use of these words has also been catching on due to this behavior:
"retrireview" (retrieval): 333 matches at google.
"prreviewent" (prevalent): 41 matches at google.
I'm still confused as to how this has affected so many web sites out there. Are people simply seeing these words in e-mail and then use them on their own thinking it's proper? Or are many webmasters cut and pasting their content from HTML e-mails or something?
Still, it would be enormously funny if one of the largest E-mail providers would actually do such a thing, as well as the consequences. "Medireview" indeed. Apparently, Yahoo! programmers don't even know about /\beval\b/. It's under "perldoc perlre".
I find it's often an error between the keyboard and the chair. I would surmise that someone has a Spell Checker set to 'Don't ask, Don't tell'. Perhaps we are attributing a program glitch in the sender's client to Evil Intentions. Gee, like that's the first time it's happened here.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Why not just give the user the option to STRIP OUT ALL THE FUCKING HTML IN EVERY EMAIL? I for one HATE html email - hate it with a passion - hate the slow loading and the crashing browsers and the cookies/images loaded without my permission. Add that feature and this problem goes away.
sulli
RTFJ.
Instead of being good at any one thing, it's horrible at all things it does. Want to search? Go to Google. Want to see stock quotes? Hit Etrade. Want weather? Go to weather.com. Want nice categories? Hit dmoz.org.
Why anyone continues to care about Yahoo these days is simply beyond me.
Method of processing duck feet
Instead, I say they should improve it!
They should also correct all of the mail sent by script kiddies, tHoz tHat tYp LiKe Thiz, to something more logical.
please excuse my apathy
original message:
Have a mocha, or perhaps medieval is enough for you...
rec'd message:
Have a espresso, or perhaps medireview is enough for you...
::.. check out some Cell Phone Reviews
This strange neologism "midireview" has crept into many serious, even scholarly websites.
"It was the great Barbara Tuchman who pointed out the capital difficulties of writing about the Middle Ages: that medireview chronology is very hard to pin down, that contradictory facts are perpetually turning up in the sources ..." (book review).
"The medireview/Renaissance theme must be adhered to at all times to ensure the success of our event." (Renaissance fair rules)
"Lectures on the Crusades and medireview society." (college course syllabus)
It makes one long for the Dark Ages.
That joke might have been funny if it wasn't already in this story's headline.
When they're replacing random (or not so random...) words with either 'smurf' or 'fnord,' THEN it's time to worry.
Vintage computer games and RPG books available. Email me if you're interested.
Come on Yahoo. When parsing a block of text how hard is it to strip white spaces and evaluate each token individually?
Replacing a key phrase even though it is part of another word seems like an amateur mistake don't ya think.
The way this should have been done is to coerce the HTML into w3c-valid HTML4, and then only pass whitelisted tags, attributes, and URL schemes.
It might distort non-well-formed HTML, but if the HTML isn't well-formed to begin with all bets are off anyway.
I realize that would require quite a few more server resources to implement. Too bad. As it is this ill-thought-out scheme appears to stand a real chance of permanently distorting the English language.
One does wonder if the Chinese government (or any government, really ... but they're the ones Yahoo!'s been making deals with lately) will see the potential here for interfering with dissident speech.
DNA just wants to be free...
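The contrast drawn in the comment above, as an added example (not Yahoo's code and not any commenter's): a blind substring swap next to a parse-then-allowlist pass over tags, attributes and URL schemes. The allowlists, function names and sample message are assumptions made for the illustration; only the three word swaps come from the thread.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Substitution pairs quoted in the thread (not Yahoo's full list).
SWAPS = {"eval": "review", "mocha": "espresso", "expression": "statement"}

# Hypothetical allowlist for this example: tag -> permitted attributes.
ALLOWED_TAGS = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "object", "iframe", "applet"}

# Constructed sample message.
SAMPLE = ('<p onmouseover="eval(x)">A medieval <b>mocha</b> recipe, '
          '<a href="javascript:eval(x)">here</a> or '
          '<a href="http://example.com/eval">there</a>.</p>'
          '<script>eval("x")</script>')


def substring_filter(text):
    """Blind replacement: prose, URLs and markup are all rewritten alike."""
    for word, replacement in SWAPS.items():
        text = text.replace(word, replacement)
    return text


def href_allowed(value):
    """True only for absolute URLs whose scheme is on the allowlist."""
    try:
        return urlsplit(value.strip()).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            # href is the only allowlisted attribute, so every kept value
            # is scheme-checked; event handlers never reach the output.
            kept = "".join(
                f' {name}="{html.escape(value)}"'
                for name, value in attrs
                if name in ALLOWED_TAGS[tag] and value and href_allowed(value)
            )
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # text is kept verbatim, only HTML-escaped
            self.out.append(html.escape(data, quote=False))


def sanitize(text):
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

On the sample, `substring_filter` turns "medieval" into "medireview" and breaks the legitimate link while the `<script>` element and the `onmouseover` attribute stay in the message; `sanitize` leaves the wording alone and drops the element, the handler and the `javascript:` link target.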
This would not be as much of an issue if everyone used PGP signatures on email. It will tell you if the message has been modified in transit.
More info in the PGP faq
Also, for an excellent GPLed implementation of OpenPGP, use GnuPG.
Using your sig line to advertise for friends is lame.
_Originally_ from comp.risks 21.27 in 2001
...
(google for it - I can't be bothered to translate all the lts and gts by hand, so the following will be munged a bit, this is the explicit mention of medireview from comp.risks 21.34)
Date: Mon, 2 Apr 2001 22:00:13 -0400
From: Kirrily Skud Robert
Subject: More on Yahoo mail's anti-virus attachment translation Further to "Yahoo! Mail translates attachments" in RISKS-21.27, I saw
the following e-mail on a mailing list which discusses medieval cookery: From:
Subject: (OT) "Medireview" ???
Does anyone know why certain Web sites and mail servers change the word
"medieval" to "medireview" without any warning? Have I missed something?
So the 'original' story is only a few days less stale than the NTK one.
Early 2001, come on, get a grip. News should be _new_.
FatPhil
Also FatPhil on SoylentNews, id 863
One of the favorites on the WWII Online bulletin board is the replacing of "cum" with "body fluid".
:)
Under some cirbody fluidstances, it's quite amusing.
It's a good thing. Perhaps this will push people away from yahoo mail.
I'll admit, when I first signed up, it was a pretty good system. Unfortunately many bad changes have been made... pop & smtp are fee-based. Javascript is now required (this really pisses me off!). You can still only send 3 attachments! Their interface is rather lacking... And you are limited to a small number of filters. Now that e-mails are getting screwed-up, it's the last straw for me, and hopefully for many others as well.
The next step... Does anyone know of a free service that provides secure IMAP? I'll sign-up right away.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
If it's a FREE service, then why, oh, why do we need HTML mail anyway? Plain text is perfectly adequate!
Frankly, the only HTML mail I ever get is spam anyway. They should just not render html period.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
You'd think the folks at Dominican would be smart enough to catch something like that... or maybe medireview is a real word?
Under capitalism man exploits man. Under communism it's the other way around.
Do a search on these too:
reviewuation (evaluation)
dreviewuation (devaluation)
dreviewue (devalue)
"eval mocha expression javascript jscript vbscript livescript evaluate retrieval link script object embed body iframe layer applet meta form"
This is what arrived in my inbox.
"review espresso statement java-scriptj-script vb-script live-script evaluate retrireview link script object embed body iframe layer applet meta form "
I paid the $30 to get POP3 access for a year, so it isn't just the free(beer) accounts.
It's curious that only some of the words were changed, but not all the ones listed in the article.
I sent an HTML email to my yahoo account and the words were changed as described. However, when I forwarded the changed email back to my work address, the changes disappeared and I had the original email back, "eval" and all.
Sorry, I should have said remove the elements, not remove the tags. Though, as has now been pointed out to me, this in itself is not enough, certain otherwise safe elements have attributes that are problematic.
Medireview ? :(
I paid the $30 to get POP3 access [from Yahoo, I presume] for a year, so it isn't just the free(beer) accounts.
I paid $35 to get my-domain-name.tld hosted by Yahoo! This included: five addresses @mydomain.tld, Yahoo! advertising on every outgoing mail, and Geocities web space with ads and whatever absurd bandwidth limit a free Geocities site has. Then Yahoo! told me I'd have to pay $30 to continue having POP3 access.
So I transferred my domain to hostica.com, and for $25 bucks got: another year of registration, as many email addresses as I want (albeit forwarded to one POP3 account), 5MB of space, and 10GB/month of bandwidth, with the option to add services from an a la carte pricing menu. And did I mention? No ads!
(I have no financial interest in hostica, I get no referral fee, no consideration of any sort for this post. This ain't no ad, and it's not even that I don't think you could do as well somewhere else. It's more that you can do a lot better than Yahoo, for not much money. It's just a matter of doing the math -- $65/annum for less, or $25/annum for much more -- and preferring better service.)
Opinions on the Twiddler2 hand-held keyboard?
"Medireview" has even made it into someone's resume (PDF); that must seriously reduce his chances of getting hired. Other references seem to have gotten into scholarly works. This is just the latest in a long string of stories about automatic (or semi-automatic) computer correction having serious consequences.
When I was at college, one student ran his doctoral thesis through the spellchecker one last time before submitting it to the binders, and thence to the Board of Graduate Studies. Unfortunately, he inadvertently selected the "silently accept all suggestions" option, and failed to check the results. The manuscript he submitted was almost incomprehensible. After that, the University added a one-page warning to the spellchecker output (yes, it was in the days of mainframes).
Unfortunately, it appears that the well-known story about "in the black" becoming "in the African American" is only partly true; it was a deliberate practical joke in the newsroom.
So does 'reevaluate' become 'rereviewuate'? What a good word!
telnet mailserver.example.com 110
+OK InterMail POP3 server ready.
user exampleuser
+OK please send PASS command
pass examplepass
+OK exampleuser is welcome here
list
+OK 1 messages
1 719
.
retr 1
+OK 719 octets
I send you this message in order to have your advice.
.
dele 1
+OK
quit
+OK exampleuser InterMail POP3 server signing off.
Tim
Omnia vestra castrorum habetur nobis.
When viewing an HTML mail in Yahoo, it does the translation before it displays the mail for you. However, if you 'export' or download the message, it still looks fine. Thus, it looks as if the messages are not being changed when sent or received, they are only modified when being displayed through Yahoo's HTML webmail. Granted, based on the google searches, it is still causing lots of problems for users.
Instead of this "medireview" stupidity, and the even worse monstrosity "reviewuate", why couldn't they have simply changed a letter to a digit? Then they'd get medieva1.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
From http://www.multum.com/SubscribeRx.htm
"MediReview: is our comprehensive, patient-specific drug summary that includes dosing recommendations, drug interaction and allergy alerts, side effects, and pregnancy and lactation warnings. Providers and patients can use MediReview to tailor a patient's medications to their specific medical history--and proactively reduce ADEs."
This is so amusing!
This poor academic dude tried to cite his paper "Vagabonds and Little Women: The Medieval Netherlandish Dramatic Fragment De Truwanten," Modern Philology, 65 (1968), 301-306" in his curriculum vitae (i.e. academic resume) and it shows up instead as "Medireview Netherlandish..."! There are a couple other instances of the word in the same CV--so much for the slick (heh) PDF presentation. Poor shmoe. Somebody ought to email him. I can't bring myself to.
But some of us prefer the more traditional spelling...
[from the Latin, medius middle + aevum age]
deus does not exist but if he does
This is really old news. I first noticed this last year when my wife complained about it. (She used medieval in a sentence, and someone asked her what "mediereview" meant. Mediereview?) I mentioned it here once and people didn't even believe me.
Steps to reproduce:
1. Open a Yahoo mail account if you don't have one, and log on to it.
1a. Uncheck the checkboxes on the privacy policy page.
2. Click on "Compose", to compose a message.
3. Look for a link on the "compose" screen that says "Add Color and Graphics", and click on it.
4. Your screen should now have a link (in the same place) that says "Switch to Plain Version". You will also see a pretend MS-Word-type toolbar for bold, italic, background color, etc.
5. Type a one-line email to yourself (meaning send it to your same Yahoo account). Type in something with "medieval" and "expression", e.g.
Her expression was medieval
6. Go back to your inbox, and click on "Check Mail".
7. Read the email. The above sentence becomes
Her statement was medireview
8. Optionally, forward it from there to a real email account. The message will have no body, and it will come with an attachment. Open the attachment, and you will see it back in its original form:
Her expression was medieval
What if your name is Chevalier? Check out the 4th link from the Google search for Chreviewier. It looks like somebody's genealogical search is going to be that much harder.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Does anyone know of any documented cases of servers being exploited through specially formatted emails? (besides buffer overflows)
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Huh? That is, essentially, what is going on. Mine never went so far as to reject the message, it only removed the offending code. Removing the code was the easy part--it was writing the actual html parser that was the challenge. Like I said before, it isn't that it can't be done and done well. It is just not a simple task, so implementing a shitty solution (ala Yahoo's global replace) is much much easier and immediately effective, even if it does piss off your users. Not that I agree by any means (I was the reason my last employer chose to "do it right"), but I certainly can understand.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
I'm going to laugh when Starbucks sues the shit out of Yahoo when they order 100,000 units of mocha and get shipped 100,000 units of espresso.
Fucking idiotic.
Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
Yahoo has been doing this for a really long time. (Over a year, I believe.) I find it hard to believe that no one else has noticed it before. My mom did and she (1) doesn't use Yahoo mail and (2) wouldn't know Javascript from Assembly.
I just cut-and-pasted this story and sent it to my Yahoo account. No words were changed. You know why? Because I use text for email. Can someone explain why on earth you would use HTML for email anyway? I have never understood that.
My beliefs do not require that you agree with them.
No, I've only got one. I've had one for some time, but a few years ago I said I was thinking of getting another, and since then some people have called me "Two Sheds"...
More...
Anyone would have thought you knew that already :-)
Absit Invidia
Of course, sensible users of browsers will have turned off javascript and all other scripting tools.
Ya gotta be really innocent to allow random strangers to run code on your machine.
Yeah, it's true that some web pages won't work without javascript or vbscript. But do you really want such pages running on your machine? Those are exactly the sites that you should be blocking.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I'm surprised that they'd do this. It's so dumb.