Slashdot Mirror
Google 302 Exploit Knocks Sites Out
clsc writes "The exploit: Redirect via 302 to another page of your choice, then watch as the URL of your redirect script replaces the URL of that carefully selected page in Google's search results. Once this happens, feel free to redirect any visitor that is not Googlebot to any other page of your choice. Also applies to other search engines as well (not Yahoo! though)."
Web wide malware. The return of Goatse cannot be far behind... Pun intended.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
#15) Optional: For mischievous webmasters only: For any other visitor than "Googlebot", make the redirect script point to any other page free of choice.
heh. tubgirl abounds!
1. post how to generate more traffic to one's website by exploiting a flow in google on /.
...
2. show a "random" ad (336px by 280 px) promoting 'google adsense' clearly stating "how to turn your website into a revenue generator in minutes" at said post.
3. $$$
SELL SELL SELL SHORT!!!!
boy, sending me to the wrong page is such a scary and horrible thing to do. Luckily my browser came equipped with the special "back button" anti-malware plugin.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Insert MS blame here
Yessir, whatever you say sir. I don't think Slashdot should be so commanding; we're going to have a legion of nerds who actually think that CmdrTaco wants them to do this because of the way it's written. Hehe.
Against stupidity the Gods themselves contend in vain.
sure. Do some 302 redirect-statistic-hack. Make money. Cheat your customers. No it's no excuse that other ones are doing it as well, bad attitude.
We are the Borg of LiarMarketing. Resistance is futile, human.
come on - get a life, be straight.
"First they ignore you, then they laugh at you, then they attack you, then you win." -- Mahatma Gandhi
Oracle 9iAS and 10gAS are VERY heavy on the 302 redirects (as a way to moderate traffic using mod_oc4j).
/foo, you'd see a redirect from http://www.example.com/foo to http://www.example.com/foo/, but I can see this product borking up search results as its use becomes pervasive in the enterprise.
Most of the redirects are innocuous, for example with an application whose context-root is
Since the product can't be changed, I'd probably change Google's behavior.
Three Step Plan:
1. Take over the world.
2. Get a lot of cookies.
3. Eat the cookies.
It's an exploit if you can't prevent someone from misusing 302, or to filter out malicious uses of 302 from legitimate ones.
You see? You see? Your stupid minds! Stupid! Stupid!
Hey look! Someone forgot to RTFA!
You use 302 to hijack someone else's page in Google's search results. Your bogus ad infested page shows up instead of the actual content the user was searching for (and thought they were going to see), while the real website that you hijacked doesn't get any more Google traffic. That's the exploit.
Dumbass.
How is this hijacking? How is this any different from me simply adding the text and title of the other page to my page? Sure, I can change the redirect later, or change it for anyone except for googlebot, but I can do that with the content just as easily (more easily, in fact).
Furthermore, I suspect google has at least a few bots which don't announce themselves as googlebots just to check for such discrepancies.
Seems like all the hackers are struggling now-a-days. There are no "good" exploits coming out anymore. No directory Unicode transversals.. No Code Red, No Nimda. Not even SQL Slammer...
We haven't had a good exploit/0day in how long? Since the Webdav exploit? Or the RPC DCOM? Now we have to use Google, phishing techniques, and URL redirection. We are scraping the bottom of the barrell apparently.
In the article is says:
/. I'm sure that would create attention!
"For this to happen, we need to put some pressure on the search engines."
Such as posting it on
Warning, comments may not have been passed by the sanity department of my brain.
The use of the exploit isn't just to childishly send people to Goatse - it's about money. What happens when you go to your bank's website and get redirected to an identical-looking website that steals your information?
A site registered and hosted using stolen funds from my credit card is still online following phoned and faxed demands for revocation and refund sent to the registrar/host. Can I somehow use this to send an entire domain to a black hole until the hosting/domain are revoked? It wouldn't be hacking, but it would make me feel a lot better to see the scammers knocked offline. If no one can get to them on google, they can't get any scam income. And what are they going to do -- sue me? That just would result in my slapping them with *criminal* charges as well as a motion for dismissal and a countersuit.
i am a soviet space shuttle
Maybe its just me, but if the 302 is to a different domain, do you have to assign it across?
I see lots of 302s used for country shifts e.g. a French visitor is shifted from www.foo.com to fr.foo.com, but its under the same domain foo.com.
For the ones shifted to other domains, does it matter if you ignore the 302 and take visitors directly to fr.foo.com?
In the Google example shown in TFA, its "easy" to spot a hijack by looking at the URL. But if Google or other search engines were to support IDN (Internationalized Domain Names), then it would be even easier for a criminal to hijack a bank's login page with the IDN browser exploit.
Two wrongs don't make a right, but three lefts do.
Sheesh. What a description. Couldn't he just say:
Create page that, when accessed by Googlebot, creates its own HTTP connection to a different, highly ranked page, and returns its contents to the Googlebot, but retuns your contents to everyone else than Googlebot.
Ooops - no 302 needed? Houst^H^HGoogle, we have a problem.
Wow. That's a fun exploit... I can't wait to go tell my boss why our site links to a pron site on google.
All kidding aside this could be a major problem for some of the more controversial websites. Akin to the Googlebombing that was just mentioned yesterday this could be the next major attack scheme on the net. Imagine a pro-life site subverting a pro-choice site, Neo-nazi's subverting a site intended for Jewish children, the US government subverting Al Jazera...
Not a whole lot of fun IMHO. I trust google to return what I search for, if this changes I and a whole lot of other nerds are going to be left wandering aimlessly around the net.
well i guess this could be good news for the blogging google bombers..... http://slashdot.org/article.pl?sid=05/03/15/003522 5&tid=217&tid=1
they might actually get something done about the spam.
The main thread about this on WebMasterWorld is over 500 posts now.. lots of good info there.
This sig all sigs devours
R I P k l e r c k
start satire /. has been pre-monitored as a troll trying to manipulate stocks. You are now being redirected to an SEC website. You can either enter your confession in the text box or the FBI will be coming to your house immediately . . . end satire
Your post to
For this to happen, we need to put some pressure on the search engines. What i did not tell you above is that this problem has been around for years. Literally (see, eg. bottom of page here). The search engines have failed to take it seriously, and hence their results pages are now filled with these wrong listings. It is not hard to find examples like the one i mentioned above.
/. !
Nothing puts on pressure like a good
http://www.sandstorming.com
It doesnt replace the URL at all. My reading is that google simply adds a new page in the database for the url you gave it. In this regard, how is this any different to a wget --mirror on the attempted "hijacked" site? Maybe more efficient but the net result is you are just trying to blag google hits of someone else's content.
PageRank _should_ sort this out as I'm sure lots more people will be linking to news.bbc.co.uk than to r.example.tld/foo/rAndoMLettERS (from the example).
Storm in a [child's] teacup.
Everyone is interesting about something.
It is when they get greedy that they start to suck.
This means that you can't reliably hijack the page unless you have a higher PR than it. But if you have a higher PR than that page then could just as well copy its content, then wait till you're spidered, then substitute for whatever you want.
In other words, this is nothing more than another way to exploit two existing problems: (a) that you can steal anyone's content on the web (though see this for a way to detect it) and (b) you can cloak your site for the search engines (though I'm sure they notice that too).
In summary, there is nothing new in this whatsoever.
...a webmaster can redirect people on his own site? Wow, the horror. (You can't place redirects on someone elses pages)
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Yeah, but that's not what the exploit is. The exploit replaces the victim's URL with your own in the google search results.
Cloaking: providing a different content to search engines bots in order to get a better rank
You can achieve this by looking at the UserAgent string or, more surely, at the remote IP.
Anyone that wants to steal your traffic can take advantage of this. Nearly all the sites that I have created in the last year have been purposely hijacked by this and don't show up in any Google rankings. I've learned to live with it despite contacting the jerk responsible who pleaded innocent and said he wasn't very technical and didn't know what was going on.
Historically, good content meant good search engine placement. Now that this little trick is being more publicized, it just decreases the amount of time required for someone to hijack your entire site and remove it completely from the search engine results.
I'm a big tall mofo.
Google, of all sites, really isn't subject to a regular Slashdotting. Though it uses quite a different methodology, it's not too far to say that Google is a "Beowulf cluster of search engines".
500GB of disk, 5TB of transfer, $5.95/mo
I wonder if someone could redirect that Wikipedia Online Poker article to point to something else...
"It is better to risk sparing a guilty person than to condemn an innocent one." - Voltaire
Human-yfied computer terms, Now that's the way to a non-nerd heart!
Do you mean this is not www.kuro5hin.org ??
BoD
Google's been aware of this problem for months. 20000 geeks aren't going to be what will make them change it. It's when a Fortune 50 company is a victim long enough to sue.
500GB of disk, 5TB of transfer, $5.95/mo
You decide - watching grass grow ... ;-)
Hulk SMASH Celiac Disease
...if I COULD get to the page. But it's being redirected with a 302. ;P
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I've seen this effects of this first hand and it's a slightly nastier problem than people realise.
It's not uncommon for search engines to penalise sites for duplicate content, i.e. identical content on multiple domains. So with this problem all it takes is a couple of other sites to link to you, completely innocently with a 302, and *bang*, your site disappears down the listings.
I've noticed that a lot of my google searches get redirected to an Ebay search page even though the displayed url in the search results is a non-ebay url. I checked the Google cached result and it was not the same as the re-directed page.
It's very annoying as I haven't been able to figure out what is going on. The same Ebay search results show up under dozens of urls in the Google search results
Windows firewall.
Windows firewall apparently put the rubber on any bugs out there spreading rapidly. Don't lose all hope though there's plenty of viruses that can spread the old fashioned way, through email and MSN. Not even by exploiting vulnerabilities, just by suckering people.
"Visit this URL and download and run this cool file"
I expect a nasty IM virus someday.
It is hijacking because you can switch any page (i.e. the page ranked #1 for 'online poker') with the URL of your choice. i.e. your URL will be in the #1 position.
Given the difficulty in getting a story posted on the front page, how does this exploit compare, in terms of ease of implementation, to the /. exploit for knocking sites out?
In C++, friends can touch each others private parts.
Et tu, Google?
This is NOT what the article is about. Take some time to read the article before you post disinformation that might cause harm to others.
That said, I really fail to see what the big deal about this article is. It sounds roughly as bad as copying the content of a foreign page, getting pagerank pretending to be that foreign page, and then replacing that page later. This sounds like far more of a human problem than a technical problem to me.
Be the Ultimate Ninja! Play Billy Vs. SNAKEMAN today!
There seems to be a lot of confusion as to why exactly this is such a big deal. A lot of people saying there's no problem or that this is nothing... basically just not understanding the issue. Let me explain:
Suppose you have a small business under the domain http://xyz.com/, and search engines bring you a lot of traffic because you rank high for keywords in your market. You have a lot of people out there linking to you, a lot of satisfied customers, good content on your site. You're always in the top 10 somewhere when people search for "xyz widgets".
Well, this issue with Google makes it very easy -- incredibly easy -- for someone to knock your site out of the rankings entirely. And I mean for *everything*, to where searching for your own company name in quotes literally buries you hundreds of pages deep in the results. We're talking sites going from getting 1000 unique hits to 10 overnight.
And here's the kicker: It requires absolutely no technical knowledge, no time investment, and is perfectly legal...
All I have to do is have another domain handy that is roughly as popular as yours. And I make a "links" page, like one of those directory services, that lists your website. But instead of being a normal hyperlink, it's a CGI (or PHP or ASP or whatever) script that generates a 302 redirect to your domain... Now, these are very simple, common scripts. One-liners that you can download from cgiscripts.com and stick on your server. The original intent of these scripts is to track which links are being clicked on your site. But now they've found a new use, because when Google gets that 302, all hell breaks loose.
See, according to the HTTP spec, 302 is a *temporary* redirect, which means Google is supposed to interpret whatever content it finds at the 302 target (your site) as really belonging to the URL of the source (my site). Google is just obeying the spec strictly here, and with devestating results. Why? BECAUSE THE DUPE FILTER NOW KICKS IN! You see, Google has a "dupe filter" that says if the same exact content is found for two unique URLs, then one of the URLs is obliterated in the rankings. Because after all, searchers don't want to be finding the same content over and over. If that happens, they'll start using a different search engine. But Google, sticking strictly to the HTTP spec, doesn't know who the content really belongs to when it gets a 302.
So Google essentially flips a coin. And if it comes up tails, say bye-bye to your domain in the rankings. Your *entire* domain. Because the dupe filter isn't limited to just the page that the 302 is pointing to -- it applies across your entire domain.
These 302 "exit-link-trackers" are all over the web. They've been used by webmasters for years. But it's just recently that Google has started treating 302 this way, so it didn't have any bad effect before. But now it kills you.
The funny thing is, the solution seems pretty simple: Just stop treating 302s this way if they point to a different domain. But for whatever reason Google isn't listening. Hopefully the press that's being generated now will give them the kick in the ass that they need.
I Googled "Hillary 302 redirect legislation children" and it linked to http://www.luxpro-corp.com/ and I wound buying this coolio device called the Super Shuffle.
I don't get it. This is all just sensationalism to me. If you play with 302 redirects, something bad might happen, but there's no way to predict it (as per the article, it's an arbitrary choice based on pagerank and other internal mechanisms). To me this is just a Google equivalent of terror alert orange.
Well, I knew about the 302 bug (in fact, it's been known for months in professional webmaster circles).. so, I did an allinurl:mydomain.com/mypage.htm search on Google to find the culprit. Low and behold, it was some blog page about one PR below my page with a script that redirected through a 302. The catch was that this redirect script ONLY worked if you clicked on it from the blog itself - if you clicked on it from the Google SERPs you got a 500 server error.. so in effect, Google misidentified the redirect page as my actual page and then subsequently tried to spider it from the URL directly and got a 500 error.. the result being that I was dropped from the index. Was this malicious? Hardly - the webmaster had compiled a small list of cool, useful links - not knowing that his buggy redirector was killing those sites off.
So whaddya do? I tried emailing the webmaster but everything bounced. It looks like he was out of the country. I tried giving Google feedback, but frankly that's just like offering up a prayer to the Great Google God - so I also used the BASE HREF trick mentioned in the article, and after a few days the page came back in the index as normal. So, either that trick worked or the Google God answered my prayers. I'm guessing at the former.
Never email donotemail@WeAreSpammers.com
This "exploit" isn't very interesting and the author really doesn't seem to have a good grasp of the HTTP protocol design, the end-to-end model, or the internet in general.
I'd be very careful before I blindly changed all my redirects to 301s. The semantics behind a 301 and 302 are VERY different and unless you want people to replace the original URI with the target in your 301s, forever, you might be entering a world of hurt.
From RFC 2616 -- HTTP/1.1 :
10.3.2 301 Moved Permanently
The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.
10.3.3 302 Found
The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.
This is a common theme in the high-tech world; Joe Hacker figures out a problem and a 'solution'. Problem is, they don't understand all the implications of the solution. That doesn't stop them from yelling loudly about the solution. Without a comprehensive explanation of the impact of the 'solution' you might be just causing yourself harm in other areas down the road.
Education and thorough analysis are always a good idea when you are dealing with complex systems that might have emergent behaviors. This is certainly one of the bigger pet-peeves at the IETF and with the IESG.
as can be seen in this thread on webmasterworld:
I have two sites, one is the main site which we'll call www.widgets.com and one is a site with a catchy name that automatically diverts to www.widget.com, we'll call this site www.widgetscatchy.com.
Kind of confused that www.widgetscatchy.com site had a PR5 so checked the incoming links and for some reason when I check the links to this site is shows www.widgets.com's links instead of it's own. Even when listing the site Google states 'Searched for pages linking to AYdabadfa:www.widgets.com/' instead of 'Searched for pages linking to AY4cSZStU-0J:www.widgetscatchy.com/'
The sites are using the same hosting company but they're both two completely seperate accounts and have completely different content.
Why has Google amalgamated these two sites links? I'm just slightly worried that Googlebot will drop the pair of the sites from the index if it decides that the two sites are the same.
*waves hand*
"This isn't the webpage you are looking for."
A quick search on Google gave me this link:
t ra cker2php_pag_1.htm
http://www.tonyspencer.com/mt/archives/2004/12/
This has clearly been documented before. I'm surprised it has not been fixed after all this time. The slashdot post and the clsc.net page gave me the impression this was something new.
Just another case of the bad effects of developers (search engines in this case) dumbing down things too much for users. If you don't know how this is such a case, then you're probably one of the users this has been dumbed down for.
How is this any different than simply serving copies (via proxy prior download) of someone else's content when Googlebot requests it? Sure, search engines could choose not to follow redirects or not to follow redirects across sites, and perhaps they should. But I'm not sure that would do much to protect against users trying to fool search engine robots.
...from time to time. It helps to balance out all of the humor impaired moderators like the one who modded me "Off Topic" above. Come on humpy... admit it... it WAS a funny post.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
/we're #2, we try harder
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Probably.
But nevertheless, this is a good excuse to post this snippet from my .htaccess:
I'm glad there was an article to click on, because that description was poorly written.
Tired of having search results hijacked to other web portal search engines or what-not, I have pretty much resorted to previewing my search results. I tend to skip over pages that, for one reason or another, do not have a link to the cached page.
To-do List: Receive telemarketing call during a tornado warning. Check.
The real issue is; unlike unnamed software firms, will Google fix this before posting on this topic is closed? My bet is yes.
Of course, I'm only willing to stake an old install CD of Win95 on it...
Is it me or is the yahoo indexer more upto date
:) ).
;) hehe
and encompassing than google these days.
I've done many obscured searches that have turned up no results on google, but many on search.yahoo.com
(accurate results to boot too..
Could this be related?
I guess the one trick pony is up for some rough riding
PS: I do work for yahoo, but not in the search or any other related group, so take my comments with a grain of salt.
Cheney did it in his debate:
e y_ soros/
http://money.cnn.com/2004/10/06/technology/chen
To all the brilliant people who'd rather mouth off than RTFA check this out:
t tp%3A%2F%2Fwww.pr10.darkseoteam.com&btnG=Search
http://www.google.com/search?hl=en&lr=&q=link%3Ah
Those backlinks look familiar?
They should - they belong to Google.
Get it now?
http://search.yahoo.com :)
But it looks like MSN also has the same problem so we can insert them into the picture.
It would be nice if someone did something like this to the CherryOS "developers".
I saw the same thing the other day. A couple of non-eBay URLs in a set of Google results were redirected to the same eBay page. I didn't look at the cached pages though, I just assumed it was a deliberate redirect.
From what's described, it seems the exploiter can simply serve identical contents as the targeted page to have it droped by duplication filter of a search engine without redirecting search bot to the targeted page at all. Or, am I missing something here?
>> show a "random" ad
No ads on that page. Not even a random one. Sorry about that - now, how do i get to step three?
There are a couple of major differences.
1. Spoofing DNS is, like, hard, and stuff. This is just easy gruntwork.
2. Spoofing DNS is illegal in the US. This isn't. (probably.)
Don't tell me - he slipped in the shower?
- better?
Google redirects the listing for the target page to a script of yours, not even to a page.
Think about it: From search results straight to script, and the user thinks he's going to visit some page that will be relevant - how much easier could it be?
I had a really hard time understanding this attack from the linked description, but I think I figured it out, and I think I can explain it better. Please correct me where I err.
The basic problem is the way in which Google handles "302" response codes. So, first, you have to understand what those are and what they're intended to be used for.
HTTP response code 302 means "Temporarily Moved". Suppose you're running a web server and for some reason you need to move your content to another system temporarily. Suppose, for example, you're being slashdotted, and you can't handle the traffic, but you have a buddy who can. So you ring him up and he agrees to host the movie of your latest attempt to implant your iPod directly into the back of your skull. You transfer the file to him, he puts it on his web server and gives you the URL, and then you instruct your web server to return a 302 to any request for the movie, specifying the URL on his server as the location. Problem solved, very nicely. Until you change your server config, the demands on your bandwidth will be very low, but any existing links to your site will work fine because the users' browsers will take care of the redirection.
So what, then, should Google do when it comes across this situation? Well, what you really want is for Google to index the content at the redirected location but to associate it with *your* URL, not the one where the data actually is. That's because it's only moved *temporarily*, so the index should send searchers to your site, in case it's been moved back (or in case you've now moved the data to yet another site after your former friend got pissed off at the massive bandwidth bill and you wouldn't pay it).
Okay, so with that understanding, here's what is happening here, as I understand it:
We have site bigsite.com that has lots of great content, tens of thousands of pages around the world link to it, and it has a fairly high page rank (meaning it often comes at or near the top of Google search results). Suppose that I really like bigsite.com, so I want to link to it from my home page, along with a bunch of other sites I like. But I also want to know how often that link gets used, and if I just use a normal hyperlink, I'll never know that. So instead, I link to a URL on my own site, and there I put a script that increments a counter and returns a 302 redirecting the user to the destination site.
Now, when Google indexes my site, it does the same thing, associating the content with the site that sent the temporary redirection, rather than the final destination. But Google also indexed the same content by going directly to bigsite.com. So now Google has two different URLs that go to the same content. The problem is that under some circumstances, Google chooses my URL as the "right" one, and it's my URL that shows up on searches that should find bigsite.com.
This gets really nasty, of course, if I'm not just an innocent blogger but someone who actually *wants* to hijack bigsite.com's traffic. An malicious person can choose to reply with the 302 when Googlebot comes knocking, but to provide completely different data when anyone else comes in.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Why don't they just make their spider lie about its identity, the same way that mozilla and konqueror can do? I just don't see why a website should need to know that a spider rather than a browser is looking at it, and in fact this type of exploit is kind of obvious (ok, ok, with hindsight). But websites should send spiders exactly the same as they would send to IE or 'zilla, so there is surely no reason for their user-agent strings not to mimic the user-agents provided by IE.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Easiest way to fix it is to not follow 302's since 302 means "The requested resource resides temporarily under a different URI."
.
I would imagine that this could cause a problem with getting a website into the listing that is in the process of moving, but if Google simply waited until it's an actual 200 status code, then redirections would get ignored (since they're not
From the W3C document:
The temporary URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).
Again, and since even the temporary URI doesn't have to be given, 302's should be ignored. Even 301's and 303's are not acceptable since the new URI doesn't have to be given.
The harder way to fix it is to only accept 3xx response codes that give the new URI in response. Even then, I assume it's possible to still fake a 200 response code if you modify the http daemon, and make a transparent redirection... thus fooling the search engine in every respect.
In my opinion, I don't see a way around it unless you include signature files or such... but even if you used and SSL connection, it's probably still exploitable.
I guess you're damned any way you look at it.
This "exploit" is so old it is even documented in this book about Search Engine Optimization. Check the chapter about Page Jacking.
So *that's* why I couldn't find the damn magazine! I had to find a manager and demand that they put out the latest SI Swim Suit Edition so I could squeeze off a quick one during my lunch break. Talk about annoying!
I saw this months ago. I run a redirect site for ham radio callsigns as a hostname in the domain "ham.org". I had chosen to use "302 found" initially. This ran like this for a couple years. Finally a got a complaint from a ham operator complaining that his web site was showing under the ham.org URL in a google search. He was right, it was. I subsequently changed the redirect to "301 moved". But I still feel that "302 found" would be more appropriate. But having "ham.org" URLs show up in Google with other site's content was not the intent. I reported this to Google and all they would say was to use "301 moved", so they clearly are aware of it. I replied back that this would be a way for someone to exploit Google, but they dismissed the notion. IMHO, if the browser changes the displayed URL when visiting, then search engines should show that same redirect target URL. And this applies to both 301 and 302.
now we need to go OSS in diesel cars
I do a redirection of http://CALLSIGN.ham.org/ to a ham radio operator's web site. I used 302 because I wanted this to be a means for the ham operator to move their site. Google indexed it under http://CALLSIGN.ham.org/ and that has made at least one site operator angry (at me, because he thought I stole his content). Google should not present it as content belonging to http://CALLSIGN.ham.org/ but rather to the redirected to site, but with a notation of where to find the site if it moves (e.g. the ham.org URL the redirection came from).
Of course this is exploitable to some extent. People can flood Google's indexing with copy-cat sites, without actually doing the copying. That's not good, but it's really a Google issue; it doesn't otherwise break the referenced site ... unless visitors are not properly redirected.
now we need to go OSS in diesel cars
without unhealthily raising your expectations for real world women,
If a woman is lousy in bed, why is that the porn's fault? If women can't meet the expectations set by porn, they should TRY HARDER!
Or in the very least, stop expecting me to meet the "unhealthy" expectations set by romance movies.
paintball
since when was it assumed a website would provide the some content to all viewers?
most sties do -- static pages.
however we do get some very basic changes -- like flash animation or not depending on if you can see it
however, there is no reason at all to assume that the information a site provides one vistor (the googlebot) will be the same content they serve other visitors.
as we (humans) get more savvy about IT, it will be commonplace for information sources to provide completely different information from an assumed (or explicit) model of the viewer. think: financial status, role in society, known needs of the viewer, history of ad clicks, installed software, etc. etc. etc.
it's coming
Google "do no evil" motto is just a bunch of hot air. G$ is broken and they don't seem interested in fixing it.
I have a page that redirects visitors to a randomly selected site (I use it as my start page).
Before I added a robots.txt blocking all crawlers from indexing it, I saw lots of hits from people who had been doing google searches.
At one point, it looked as if it had redirected to a movie bit torrent index when the crawler had hit it, because within a day or so I saw a few thousand people hit the page from google with search terms such as "Constantine Torrent".
Have you really kept your eyes open and actually examined your partner during sex?
I have...
It wasn't the same person as it was in the dark. Not even close.
No matter what the poets say, sex is not a beautiful thing, but it sure is fun!
I think the general idea is to get good links with appropriate anchor text (words in the link) from other sites (e.g. spamming blogs) for stuff you might buy, say, "Nikon SLR Digital" but include your ebay affiliate code in the link.
I've never looked into the ebay affiliate program, but I guess it must be relatively profitable since a lot of people buy Google Adwords (at a minimum cost of 5c per click!) for various shopping items.
Who are you and what are you doing on slashdot?
Excuse me, but the last time I checked, the general divorce rate was 1 in 2 marriages, but the divorce rate among those who were married in a church were something along the order of 1 in 1000. The stats may have changed to something like 1 in hundreds now, but it's clearly contrary to what you just said.
Why would you want to avoid the temptation of sex? This is where organised religion these days (well, most of them) really infuriates me. And why America as a whole gets my goat - there is lots of encouragement for punishment (esp the US 'punishing' anyone) but lots of 'you mustn't have sex because it is bad!' nonsense.
Sex is good that is what it is for. It feels great. Attaching guilt to it just fscks people up. It should be encouraged and taught properly - you never know, if teenagers were having more sex they'd have less time to shoot each other and take drugs.
Everyone - just go out and fuck! You know it's a good thing (tm)
The semantics behind a 301 and 302 are VERY different and unless you want people to replace the original URI with the target in your 301s, forever, you might be entering a world of hurt.
Okay, let's try that:
Replace the original URI: www.hijacker.com/script.cgi?id=12345
With the target: www.right-url.com/right-page.html
See? See? While your assumptions are right you did overlook the essential part. Also, as others have noted, this is not the recommended fix, just a precaution that some webmasters might wish to take, entirely on their own behalf.
--------
This "exploit" isn't very interesting
I take it that you are not a webmaster out to make easy bucks, implement spyware, virii, hoaxes, or generally cause harm to others -- otherwise your view would probably be the opposite. May you live long and prosper and may your camels always find water.
...is that the search engine result page point directly to a script that is under the control of the hijacker. No middleman, and the searcher is in good faith. Think about it.
I started writing a spider way back when I first found out about the internet (1995ish) as a learning experience and have continued to tweak it over time, although it is not yet a commercial product.
.html...
.com/index.php
/ecommerce/index.php identifying itself as the true identity of that page. If at some point, you change from php to to the next great scripting language, the change to the base href will pick that up. I would HOPE that the Google duplicate detection considers the BASE URI to be authoritative as long as it matches the domain, and drops all other identical pages.
The problem the spider has to deal with in trying to organize and rank the results is that there is an inherent problem with the way web servers handle default web pages for a domain or a directory:
http://www.xyz.com/ actually pulls up http://www.xyz.com/index.html (because apache or the web server has been told to use index.html if no page component is in the URI) - but there is no requirement to communicate the "index.html" page name to the client, and very few servers actually do that (if they do, you'll see the URL change in the browser)
Some of the incoming links point to just the doemain, other links point to the fully qualified URL. More than likely, your spider will eventually follow both and then receive web pages that are nearly identical.
At some point, xyz.com discovers php (yea!)... but they have traffic and page rank associated with index.html. They put up a 302 redirect to point index.html -> index.php
Or they symlink index.html to index.php and tell php to parse index.html even though the extension is
So from google's perspective:
http://xyz.com/
http://www.xyz.com/
http://xyz.com/index.html
http://www.xyz.com/in dex.php
http://www.xyz.com/index.html
http://xyz
all return identical content and the web has links pointing to every one of those names (and those links almost never go away or are corrected once created). From the Search Engine's perspective, which is the "real" URL/URI for the page?
Google (and the visitor) generally would like the answer to be
http://www.xyz.com/
Using the BASE URL tag tells Google the actual page name and clears up any ambiguity, which is why using one partially fixes the problem in some cases.
<head>...<base href="http://www.xyz.com/index.php"></head>
Now, let's make it uglier:
Ecommerce web site is installed in subdirectory, but wants its main page to be the "default" page for the domain - referral tracking and cookie management depends on this - however the web pages rely on the package existing in a subdirectory of the document root:
Actual URI is http://www.xyz.com/ecommerce/index.php
How do you get to that page as the default without confusing the search engines or losing the referring URL? Possible answers:
1) Use a meta refresh - doing that loses tracking information, as the landing page becomes the referring page. Google will also not be happy as this looks like a doorway page, and the redirect page itself has no real "content" to index
2) Use a 301 redirect - Bzzzzt - wrong answer - if you do this, you'll telling the world that http://www.xyz.com/ no longer exists in all perpetuity.
3) Use a 302 redirect - clears up tha ambiguity, however confusing Page Ranking at least temporarily - since your incoming links mostly point at http://www.xyz.com/, not http://www.xyz.com/ecommerce/index.php
4) Use a Base Ref on
5) Have the web server return a content-location: header. This is similar to the base URL, except it is done at the http level not within the HTTP. content-location: can either be relative to the request or absolute. It isn't authoritative, but could be helpful. In general, a cross-domain content-location header would have to be ignored, otherwise you would have the same exploit... you request
Final 2006 "Proof of Global Warming" US Hurricane Count -> 0
Just leave SSL out. The only way anybody would notice the site isn't encrypted/signed is if they looked for the little lock in the corner and it wasn't there.
How many people know to do that?
As your reward, you can now be ridiculed on the internets!
fish and pipes
It's all a matter of how you think of it. If you think of it as just a long string of numbers, then no, you can't know all of it. But try thinking of it as "the integral of 4*sqrt(1-x*x)) on [0,1]". That's a notation of it to infinite precision, in terms of finitely many well-defined quantities. So here we are, knowing PI with absolute precision.
Another instance: not only can we not measure our ability to use our human imagination, we cannot even conceive of a yardstick that would allow such a measure. We are limited in our ability to comprehend this core part of our nature.
What's stopping us from experimenting? We could select a set of random words from the dictionary and ask people to make a sentence using all of them and explain a context in which it would make sense. Then we look at the average percent of the time people can do it. And I'm sure a psycologist or someone who had any training could come up with better experments.
This post written under Gentoo-linux with an SCO IP license.
I guess my question is where you got your statistics. Or if, like 70.023% of statistics out there, they were made up on the spot.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
That was actually pretty funny
If Dr. Evil setup one of these redirector thingies to point TO GOOGLE, googlebot would shortly come to understand that THE ENTIRE INTERNET is just a mirror of Dr. Evil's Magnificent Website (tm). Dr. Evil becomes the top ranked site for every keyword. Google wakes up and stops following "temporary" (i.e. 302) redirects.
I suppose there's not much point in saying that I put my belief system into what God says rather than the Maryland constitution. But there, I said it. However, I'd rather read the North Carolina constitution first, than maybe the US constitution. Maybe I'll get to Maryland's after I finish Louisiana's constitution.
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
No troll. A thousand years ago was kind'a rough though. At that point, the church was so kind as to keep the Bible away from the unwashed masses. It wouldn't do to show them that the Bible is full of choices. That Adam and Eve were made and given the ability to accept or reject God Himself, just as you were. That Joseph could choose to forgive his brothers for selling him to the local trade caravan. That Jesus' own father was free to choose to accept Mary even though it was his complete right, at the time, to allow her to be killed. That Peter could choose to reject Jesus three times in an evening. That God could choose to die brutally on a cross in order that we might be able to choose Him even when we were sinful and living under the cloud of Adam's choice.
... Commerce?
Yes, repugnant times back then. No, I'd rather live now.
However, are we free to make our own choices? Was I free to make that decision to avoid temptation? Would you take away my right to be offended by the moral trash displayed there? Or must we refuse Government and Church rules and instead follow those of
I made my choice. I make it each day. I choose God. He gave me that choice in what is surely the supreme example of love. He could have made us like the angels, but he didn't. He gave us choice. I've heard that the angels might be amused by that decision of God's. However, that might be Hollywood playing with my mind.
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
If you are offended by material a store is selling how about not shopping there anymore, if enough people do it the store will go out of business.
I agree with you. I certainly "vote with my feet" and with my wallet. I know others who do the same. However, sometimes a stronger stance can be made. One well placed comment might just accomplish more than 25 people refusing to buy. My angle is to be a bit more activist. Blowing things up is way extreme, and outside of God's law, but careful consideration on how to best present the point of view so as to change action by the store might bear greater results.
Your first sentence did make me laugh a bit. Your last sentence contradicted your entire post. You want me to stop imposing my morality, but aren't you doing the same?
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
You are correct, of course, in this last sentence. I am a sinner. Do I have the sin of Pride in these postings? Of Arrogance? I hope not, but as I cannot see my post from all points of view, I concede that someone (you and/or others) might see it that way. I regret that. I do not want my actions to reflect negatively on God. He IS perfect, and I am far from perfection.
I do follow a moral code. I do so because I want to and not because I have to. My comments here are designed to show how I took offense to the idea that you espoused in your initial post:
Why is it so hard for some people to acknowledge the simple fact that young people of all ages have sexual feelings that are natural. And to repress those feelings and smother them in guilt is a very very damaging thing to do.
I agreed that it was natural for young people to have sexual feelings. I further agree that repressing those feelings is damaging. To those original thoughts I add:
There is a choice beside repression or action: diversion. This is a valid choice and falls in line with my beliefs.
I might further add that the remaining choice, action, often results in much more serious problems. Relationships can be damaged, lives can be ruined, and minds can be warped.
Repression is obviously fallacious because it implies that we might later not need to repress. Further, it can also have many of the same effects as action.
Yes, I believe in the Bible and in God. I believe that the Bible is correct and I choose to base my moral code and conduct based on what it says rather than on my own feelings. I fall short much of the time, but I keep trying.
Stating this, the obvious conclusion is that I believe that my God is right and that there are no other viable religions short of Judaeism, with whom God has worked out separate arrangements. I am not mindless, not a Borg, nor am I trying to impose my will. I am trying to resist the imposition of someone else's morals onto me. Madison Avenue and Hollywood in the case of the SI, and you in the case of tolerance for religious freedom.
If you truly feel that all religions are equal, then examine these fundamental beliefs of Christians:
br> * All have sinned and fallen short of the glory of God.
* There are no righteous persons on this Earth.
* Jesus says that no one comes to the Father except through Him.
* Jesus says that no one can attain Heaven via his own actions.
* God's nature is such that he cannot/will not tolerate sin/unrighteousness/immorality.
* Jesus died on the cross as a sacrifice for us so that our sins might be forgiven and we might be made righteous, thereby allowing us heaven.
* Also, you shall have no other gods before Me.
These specific views of Christians are quite contrary to other religions. Regardless of your belief in them or not, these tenants say that those who do not accept Jesus do not attain heaven. This viewpoint is in direct conflict with other religions. Yet you say that respect all religions equally. It seems as if you might be tolerant of all religions, but a little less tolerant of Christians.
Lastly, as to your attacks on my person, I can think for myself. I choose God and forsake all others. It is my choice and I have not made it because it was forced on me. I made it because I realized that a loving God truly wanted me to be with Him and that His love for me is beyond my understanding. My actions as a Christian are reactions to His overwhelming love for me, and are not done as a requirement and not done because I am forced to.
I believe that Christianity is one of the few religions that have no requirement for admittance into heaven/nirvana/afterlife. It may be the only religion to do so, I'm not sure. You simply accept Jesus as the way to God, accept that He died for you to allow you to be with him forever. No pilgramages, no mandatory church, no scourging, no killing others, no converting others, no nothing. Indeed, there is nothing you can do to attain heaven but to only accept the gift. Repressive? "My burden is easy and my yoke is light."
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
I'll gladly be a fool for Christ.
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
fish and pipes
If you and I cannot agree on the terms of communications, ie, I say God and you say fairytale, then what point is further communication?
I can admit that there is much deception about God. Can you admit there might be (some) truth in the tale?
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
For the record, it was actually the Bible I was referring to as a collection of fairytales. No, scratch that, it's the oral tradition of modern Christianity I was criticising. Half the stuff that Christians claim to believe isn't even in the Bible.
I could. It's entirely possible that there was a historical Jesus around which the legend grew. But why expend the energy to admit the possibility when it's far more likely that there was not? The tendency of secular society to allow the pretense that Jesus existed gives the Christians power. People who've always heard Jesus treated as historical fact are ripe for recruiting. Once recruited, they will further the Christians' political agenda of authoritarianism, censorship and the suppression of science.So, yes, I could take the easy road and admit that Jesus might have existed. But if I do not stand up for the Truth, it will be taken from me. If I love Truth, I am morally bound to state there was no Jesus.
fish and pipes
Ah, see, a step forward in communications. And we're not yelling :)
Let's see if we can step closer together...
I concede that much is done, and way too much has been done, in the name of God and Christianity, that is cruel, inhumane, and definitely not what God intended. What part of "Thou shalt not kill" do we not understand?. I believe that these actions and the people who use them to further political agendas are reprehensible.
Could you admit that there may be movement within the Christian faith that is good, true, and pure. That follows the command to "Love thy neighbor as thyself." That doesn't support censorship or the surpression of science.
It is truly unfortunate that Christianity has received the miserable reputation that it has in the eyes of so many. But as with any organization, how we choose to see it depends on who we are looking at and how we feel about them. There is much more positive that is never seen because, that too, is a belief: To God be the glory not to me.
We are called to social activism, I believe, thus my request to have offensive material removed. However, I wouldn't dare impose on your right to view the material. That's not my responsiblity as a Christian, in my view.
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
So how about turning this around and setting up a site that 302s the scripts that are 302'ing legitimate sites? You could then build up PageRank and then use this "power" to 302 the hijackers and then use Google's flaws to 404 or 500 these scripts/sites and take them out using the same techniques. Google could then see the benefit of using such a site and ensure that this site doesn't become the victim of 302 redirects by ring-fencing it some way.
Or shall I go back to drinking the anti-freeze?
I totally agree. In fact, when I was growing up, I thought pretty much all Christians were like that. I viewed them as lovable eccentrics. In those days, there was often some bishop on the TV saying entirely reasonable things (that would probably have got him crucified as a liberal in the US).
The Bible is a mixed bag, but I have to admit there's some good stuff in there. "Love thy neighbor as thyself." is sheer genius. All the world's problems solved in 5 words. Of course, following it through is the difficult part!
I found deep meaning in "It is easier for a camel to go through the eye of a needle, than for a rich man to enter into the kingdom of God." Any time I buy anything, I become a little more complicit in an endless global chain of oppression. Every coin in my wallet is stained with suffering. It is nice that Christians have a solution, ie. forgiveness, that works for them. Pity about all the baggage that comes with it.
I would not call it unfortunate, so much as inevitable. Authoritarianism runs through the very core of the religion. Even modern American Christians, who have somewhere acquired the surely blasphemous notion of a "personal relationship with Jesus", still fall back on authoritarian language of "obedience".
On the other hand, resistance to authority is a core human virtue. Conflict is inevitable.
From authoritarianism comes a hierarchical church. Those at the top will struggle to maintain their position by resisting change. Those at the bottom will mostly obey them. Hence, conservatism.
People like me hate conservatism because we have seen the future, and it is way cool. People with no vested interests want change, because it can only bring good. Conflict is inevitable.
What I can't say is why the Church of my boyhood, which was ever so reasonable, respectable and inclusive, has mutated in a few short years into a savage right-wing bulldog. Has the Church caught rabies?
This is disingenious. If you and a million others succeed in persuading stores not to stock the swimsuit issue, it will lose money, and Sports Illustrated will stop running it. The people who want to view it will not be able to, because it will no longer exist.
Look at Hollywood movies. Pro-censorship pressure groups have successfully made the NC-17 rating commercial suicide, so any major motion picture can have at most an R rating. Full frontal nudity without sexual content will generally earn a "12" rating in the UK, except that this almost never happens because by the time films come to the UK, they've already been censored by the MPAA!
What's worse is that films made anywhere in the world targeting a broad international audience will be censored to American standards with the hope of selling into the huge US market. In places like the UK, it's not even viable to produce a film purely for the domestic market. The net effect is that US pressure groups have effectively managed to censor the entire global film industry!
The usual response to such complaints is "well, if you want to see naked ladies, why don't you just watch porn?" I don't want to watch porn. Porn is crap. I want to watch good films. No, I want to watch great films. I want to be surprised. I want to be delighted. I want to be moved to tears by the beauty of it all. The only tears you'll get from a porn film are tears of despair.
I would not shed a tear i
fish and pipes