March 31, 2005

Hack me!

Open invitation - I am using Microsoft Outlook 2003. This is an open invitation to you, the Internet populace. I dare you to send me an email message (rgautier@cox.net) that infects my computer with a virus/trojan/malware through my email client. Obviously, I won't be clicking on any attachments...so if you're going to prove that Outlook is such a security risk, you'll have to do it without my help. Prove me wrong - show me why I'm an idiot by using Microsoft Outlook - send me a virus that will execute just by my receiving it. Make it as in-your-face as you want - format my hard drive...go ahead...
Now, if you haven't just sent me that email - SHUT UP about Outlook being an insecure mail client. You are just repeating rhetoric and you don't really understand the issues. Why do I use Outlook? Because I can - safely...and it lets me easily do what I want to programmatically. I like it - it's a nice interface, and it does what I need it to do. And Bob? I didn't mean you buddy.

Wonderful Helpful Outlook - NOT!

I use Outlook 2003, and I'm not ashamed to admit I use Microsoft products. Sure, I'm a geek, a programmer, a Unix guy and all things Slashdot and Fark, but it boils down to usefulness. I have to say that I've never been infected by a virus or trojan because I use Outlook. I keep my system patched and I don't run executables that people send me - I'm a safe emailer.
Now, with that out of the way - the saga begins. As some of you know, I play chess at the Free Internet Chess Server (FICS). One of the options at FICS is to email your games to you in PGN format. I had briefly discussed this here on my blog, and I wrongly blamed the FICS software for sending me corrupt PGN games. Last night, user DAV at FICS helped me find the root of the problem, and it wasn't FICS at all. It was Microsoft Outlook trying to be helpful. As usual, good intentions lead to bad results. The solution is to tell Microsoft Outlook not to help you...
Microsoft Outlook seemed to feel that any line of the chess game that started with a check (+) in the first move of a word-wrapped line needed to be cut twice and the move repeated. Don't ask me why...who knows who wrote the stupid line wrap-insertion code for Outlook or what drugs they were on at the time. Suffice it to say that inserting extra moves into the middle of a chess game is not conducive to computerized analysis.
The solution is to tell Microsoft Outlook not to help you, by unchecking an option in the mailer called 'Remove extra line breaks in plain text messages' - which, by the way is NOT what it's doing, since there ARE NO LINE BREAKS in the pgn file that FICS sends out. To set this, go to Tools|Options|Email Options and uncheck the box about a third of the way down labeled [Remove extra line breaks in plain text messages]. Now, this will appear to corrupt all of your game emails without the option to repair them with the manual [Restore line breaks] option. To make it effective, close Outlook and re-open Outlook.
Amazingly, all of your emailed games will now be magically fixed. This was important since I wanted my Outlook to automatically process this inbound mail and send it to Crafty for analysis, and post it automatically to my website when it was done. Now I'll be able to complete that little project.
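A check worth putting in front of that Crafty pipeline, as an added example that is not code from the original post or from FICS: it scans a mailed game for the symptom described above, a move number that turns up twice or a move with more than two half-moves, so a reflowed game gets rejected instead of analysed. Any mail client that reflows plain text can do the same thing, so the check is on the data rather than on Outlook. The two PGN fragments are constructed for the example; the wrap at about 80 columns is the ordinary PGN export style.

```python
import re

# Constructed sample, not a game from the post: the shape of a game as FICS
# mails it, tag pairs followed by movetext wrapped at roughly 80 columns.
CLEAN_PGN = """[Event "blitz"]
[White "?"]
[Black "?"]
[Result "*"]

1. e4 e5 2. Nf3 Nc6 3. Bb5 a6 4. Ba4 Nf6 5. O-O Be7 6. Re1 b5 7. Bb3 d6 8. c3
O-O 9. h3 Nb8 10. d4 Nbd7 *
"""

# The same game with one move pair repeated, the kind of duplication the
# post describes after Outlook "removed extra line breaks". Also constructed.
MANGLED_PGN = CLEAN_PGN.replace("9. h3 Nb8 10.", "9. h3 Nb8 9. h3 Nb8 10.")

MOVE_NUMBER = re.compile(r"^(\d+)\.$")
RESULTS = {"1-0", "0-1", "1/2-1/2", "*"}


def movetext_moves(pgn):
    """Split one game's movetext into (move number, [half-moves]) pairs.
    Tag-pair lines are skipped and parsing stops at the result token.
    Comments and variations are not handled; FICS mails don't contain them."""
    body = " ".join(line for line in pgn.splitlines() if not line.startswith("["))
    moves = []
    for token in body.split():
        if token in RESULTS:
            break
        m = MOVE_NUMBER.match(token)
        if m:
            moves.append((int(m.group(1)), []))
        elif moves:
            moves[-1][1].append(token)
    return moves


def find_mangling(pgn):
    """Return a list of problems with the move numbering. An empty list means
    the movetext is consistent and safe to hand to an engine."""
    problems = []
    expected = 1
    for number, half_moves in movetext_moves(pgn):
        if number != expected:
            problems.append(f"move {number} where {expected} was expected")
            expected = number  # resync so one glitch is reported once
        if len(half_moves) > 2:
            problems.append(f"move {number} has {len(half_moves)} half-moves")
        expected += 1
    return problems


if __name__ == "__main__":
    for name, game in (("clean", CLEAN_PGN), ("mangled", MANGLED_PGN)):
        print(name, find_mangling(game) or "ok")
```

Run it on a mailbox export before the engine sees anything: a game that produces any problem line should be re-fetched from FICS rather than analysed.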

March 29, 2005

Everything is the Same

It all runs together after a while. Especially after 38 years, and I suspect it'll run together even more as I get older. When I go to the movies, it is rare there is anything new or unexpected in the plotlines. When I listen to music, it is very rare that I hear anything truly unique. As I read others' blogs on the 'net, they all begin to look the same.
People all shop at Walmart, Sears or Kohls for their clothes. Men's suits and slacks all look alike. Even bikinis are all extremely similar, and I'm beginning to wonder about my sanity because even the bikini fillers are all the same ole thing.
Perhaps I have an innate need for new things because of my desire to always be learning something new. The world isn't so much letting me down as it is pandering to the young blood. Everything old is new again - to them, the next generation. Meanwhile we old people have seen it all before. My son, now 11, is ga-ga over Metallica and Black Sabbath songs from the 1970's era. To him, this stuff is brand new. He's learning to play electric guitar, and this is just the coolest stuff. To me, it's nostalgic.
If you're reading this, I hope I'm not boring you. I know that I can get into a funk and that it rubs off on the blog.....I'm just trying not to feel so old....and I could ramble on for a real long time here....but what's the point? I'm sure if you go back in my 5 years of archives, you'll find a similar rant...there hasn't been anything truly new or interesting since the invention of the World Wide Web.

March 27, 2005

New Skin Available

I put together a skin called Piano800 (a new stylesheet - use the skin selector drop down at the top of the blog.) The skin is designed for 1024x768 and 1280x1024 screens, which covers the majority of folks. The image isn't one that resizes well, so I didn't make it a resizable skin (like the default skin). I'm going to work on a skin that resizes through all of the dimensions next, probably. It's going to require some planning. The skin is cool looking though if you have one of the afore-mentioned screen sizes....took me a few hours...working with the CSS to make it just right...and making the image. Much of the time was spent tweaking 5px here, and 5px there.

March 25, 2005

Deploying ASP.NET Apps with Integrated Security

At work we're in the midst of deploying an ASP.NET application using Integrated security (using impersonation - <identity impersonate="true" /> in web.config is the element, btw). This allows us to develop the application securely using Windows accounts, and make use of the security features of the Operating system, including integration with SQL Server 2000 and Active Directory groups, etc... In deploying it to a new server, I was locking down the application directories to ensure that only the people who needed to access the application could get to it, and I found out something when I locked it down too far.
You see, ASP.NET compiles the application's pages into assemblies before it starts executing them, and it watches the application tree for changes (to the aspx files, web.config and so on) so it knows when to recompile. With impersonation turned on, your page code runs as the authenticated user for each request, but that compile and the file-change monitoring do not: they run under the worker process identity, which on Windows Server 2003 / IIS 6 is 'NETWORK SERVICE' (it was the ASPNET account on IIS 5). That identity needs read access to the entire application for checking for changed files, and write access to wherever the compiled .dll is written (by default the Temporary ASP.NET Files directory under the .NET Framework install, which it can already write to). The error you'll get if this problem applies to you is something along the lines of "Access Denied to '[your app path]\web.config'. Failed to start monitoring file changes." The fix is to grant the 'NETWORK SERVICE' account (a local account except on domain controllers - and why are you using a domain controller as a web server, you naughty geek?!?) read access to your entire web site, and write access to where the compiled code goes.
Using Integrated Security for your web applications is a good way to build security deep into the site when using SQL Server or other integrated database product. It allows security to pervade the very core of your code, rather than provide only an entry mechanism to your web site. You can and should lock users out of things that they shouldn't have access to, even if your code doesn't allow them to execute code. New bugs, buffer overflows, viruses, and the law of unintended consequences will come back to bite you in the ass if you're not careful, and it's better to apply security at all levels of your design.

March 24, 2005

Putting it together with Duct Tape and Baling Wire

My new custom 404.ASP page reads as follows:

<%
' Custom 404 handler. IIS passes the original request to this page as the
' query string, in the form "404;http://host:port/path".
' The /styles/null request is the deliberate CSS hack explained below,
' so it is not worth logging.
If Request.QueryString <> "404;http://www.richgautier.com:80/styles/null" Then
    ' The query string is attacker-controlled; strip CR/LF so a crafted
    ' URL cannot inject extra lines into the log.
    Entry = Replace(Replace(CStr(Request.QueryString), vbCr, ""), vbLf, "")

    Set FileObject = Server.CreateObject("Scripting.FileSystemObject")
    ' 8 = ForAppending; True = create the file if it does not exist yet.
    Set LogStream = FileObject.OpenTextFile(Server.MapPath("/statistics") & "\-----.txt", 8, True)
    LogStream.WriteLine("404 on " & Entry)
    LogStream.Close
    Set LogStream = Nothing
    Set FileObject = Nothing

    Response.Redirect "/index.asp"
End If
%>

You see, in my stylesheets I added a hack to work around an Internet Explorer CSS display bug, wherein floating elements get sliced off to match the size of their neighbours when you hover over links in the parent element (div/span). The hack points at a background image, which forces a redraw....but I didn't want an actual image to be used, so I pointed it to 'null'...which generates a request back to the server for an image that isn't there. I guess that I could create an empty image called null, but that didn't occur to me while I was fixing the 404 redirect page. Oh well, I need a way to track 404s anyway, since GoDaddy.com doesn't give me the ability to scan my raw log files for free. So, I use ASP to track session and application stats, and visits to my web page, including referrers. Obviously, in the code I am posting here, I've changed the filename I track to -----. You'll want to make this an actual file on your server if you use it. The 8 is the ForAppending mode for opening the file. Two things to keep in mind if you copy this: whatever appears in the requested URL ends up in that log file, which is why the handler strips line breaks before writing, and every other missing page gets a redirect to the index page rather than a real 404 status, so don't expect search engines to notice broken links from it.

March 23, 2005

Prime Number Algorithm Breakthrough?

In New Scientist Breaking News - Classic maths puzzle cracked at last - the article discusses a breakthrough in congruence mathematics. At the end of the article, it mentions applicability to cryptographic algorithms currently in use on the Internet, and I am assuming that applicability is meant for the prime number mathematics underlying public key cryptography. Already, weaknesses in SHA-1 are showing up (the collision attack by Wang, Yin and Yu announced in February 2005, a decade after SHA-1 was standardised). Combined with this, are we set to weather a new storm of cryptographic attacks on the underlying security of the 'net?
The article isn't clear, however, as to the applicability toward prime number computation. If any of you reading this know where I can get more information on the new discovery, or a laymen's discussion on its applicability toward public key crypto, please drop a comment and point us in the right direction.

March 22, 2005

American Culture at its Best

MSNBC reports that Monster swine 'Hogzilla' was real, experts say. That's right - National Geographic has confirmed that an 800 pound wild hog did indeed exist in Alapaha, GA - a small town at the intersection of RT129 and RT82. One of the things that makes America great is the ability of its residents to make money off of practically any occurrence, natural or unnatural, that they come across. With access to two major highways, the exit for the huge hog should bring in plenty of tourist cash once the locals capitalize on the giant pig. I already feel the urgent need to stop at the new exit that I can imagine them building, and picking up an "I heart the giant hog" T-shirt...a perfect slogan, if I do say so myself. They've already held a festival for the big piggie, so I know they're on the right track. American road trips are nothing unless you stop at the tourist traps along the way, and I still have a trip planned to see the World's Largest Ball of Twine. Someday.....

March 21, 2005

Blog Skinning

Ok, I'm working on skinning my blog so that I can play with different stylesheets on the fly. One of the results of doing this is the addition of cookies to my site that will remember which skin you choose, so that all of the pages pick up the new skin. I found a lot of useful references on the web, but no one site was more helpful than the next. Most places that I looked at used server-side scripts to skin their blog. Instead, I am choosing to use multiple stylesheets with Javascript to switch between stylesheets.
To do this, you place link tags in your header that load in the different stylesheets. Then, there is Javascript linked to the option box (top right of this page) when the value is changed. It uses DHTML to switch the active stylesheet to the one that is chosen. A List Apart had the necessary Javascript code for switching the stylesheet on the fly. I'll work on some stylesheets that are actually attractive (as opposed to the only alternate that is up there now).
One thing that this work is doing is helping me to understand page layout more and more, as well as understand some of the nastier CSS bugs in the Internet Explorer display code.

March 20, 2005

We went for a walk

I dragged the boy out for a walk (he would rather stay home) and the wife grabbed the dog. We walked for about a mile and a half, and back again.
Tired Shih Tzu Fluffy on a walk
Now that we're back and tired, thought I'd stop and post a pic of the dog from the walk. We didn't see anything interesting nature-wise other than funny looking trees and some squirrels. I'd hoped to be able to get a picture of a large bird I'd seen out there before, or maybe a deer, but no such luck.

Mandarin Design. Web and Blog Design and Development

I want to thank Mandarin Design's website for some of the CSS tricks that I'm now using on my website. They have a lot of neat CSS tips and tricks that help your layout be more magazine-like. I've been working out different CSS classes that can be applied easily when I want to add these elements to my posts. Like this nice pull-out text class in this post. All I have to do in Blogger while posting is assign a span or paragraph and give it the proper class name 'class=whatever'. And of course, changing the stylesheet automagically updates all of my posts...I'm beginning to really understand the allure of CSS. I don't think I'll ever go back to table layouts ;)

Check Engine Lights and Stupid Computers

The check engine light went off in my Dodge Neon (2000). This always causes a small swell of panic. After all, what kind of failure could you imagine would be associated with the Engine? Thrown rods and leaking head gaskets flooded my mind as I drove home on the highway at just barely the speed limit, fearing the worst was going on under the hood.

...all I can think is that it's going to cost me a new car.

The same car has been in a bad accident. It was a few years ago, and my wife got sideswiped by a van trying to make a right turn from the middle lane. It was pretty bad, but the car was mostly fixed up. I found out way too late that the alignment in the front end was permanently damaged, and there's not much I can do about it, save having her frame-pulled. Since I have no way to attribute this particular failure to the accident, I'd end up paying for it myself. Add to this that the hand-brake light has been turning on every time I accelerate from a dead stop and that I hadn't yet gotten my yearly inspection.....all I can think is that it's going to cost me a new car - and I'm still paying for the wife's.
I took her into the shop yesterday (note for others - it seems Firestone doesn't DO check-engine lights on the weekend, although I don't know why, since that's when people WANT their cars to be worked on.) and it costs $79.50 for them to pull the code out of the computer and look it up [probably on the Internet, for all I know]. They said the code represented a failure in a torque or acceleration sensor or something like that, so they removed and tested the sensor....which passed muster.
The car passed inspection, the brake light was an easy fix (low on brake fluid) and they turned off the code on the computer. Everything's fine and dandy with the car, except for that alignment thing on the front-left wheel...crisis averted...for now. Computers are great, except when they cost you money when they wrongly report a failure. The shop guy suggested that maybe the sensor just had a disconnect and replugging it in fixed it...we'll see. Stupid computer...at least it forced me to have the inspection and brakes done.

March 17, 2005

The Heavy Duty DDR Dance Pad

We ordered on Ebay a heavy, metal-encased Dance Dance Revolution dance pad for the Playstation 2. It came today, dual boxed and brand new. It works GREAT! It doesn't move around the floor (it weighs about 20 pounds or more...), and it takes my weight (almost 200#) just fine. It's so much better than the normal game pad you buy in the stores. Ebay is fantastic! You can buy anything on the 'net. My son is having a ball with the new pad. He can pass challenging mode on the stupid game. I leave it on beginner, and about 3 songs wears me out completely at that slow speed. I'm so jealous..

March 16, 2005

A Rousing Read

I finished reading American Roulette. If you like reading first-hand accounts of criminal enterprises or books about con games and/or con men, this book is one for you. The book has only one slightly boring chapter, when the author goes back in time to look at the origins of their con games. Apart from that chapter, the book is engrossing and pulls the reader gently through the book. The only thing that I found irritating about the book is that the author doesn't show any particularly redeeming qualities. There's nothing in the book that would bring you over to his side and after reading the book, you may find yourself wondering just what makes him so special that he should be able to get away with cheating the casino for 25 years when you can't even exceed the speed limit once without getting a ticket. I'm a fan of crime non-fiction and con man stories because I like learning about the cons themselves. I'm a bit of a puzzle freak, so getting raw information like that is enjoyable for me.
Next on my list is Shadow Counter. I finished Chapter 1, and it seems to be an interesting story about a blackjack card counter. It's an older book that I've just never gotten around to reading. We'll see how it goes, and if it has enough raw information in it to keep me aroused (no pun intended here, but feel free to write your own joke).

Kasparov Retires from Chess

I'm a little late with this 'news', but wanted to wish him well - Garry, you're one of the greatest chess players in history - may your life continue to be long and prosperous - Guardian Unlimited | World Latest | In a Surprise Move, Kasparov Retires. That's right - Chess's public champion Garry Kasparov is retiring at the ripe old age of 41. Well, retiring from chess anyways.

SurfJunky Update III

Surf Junky appears to be non-operational this morning. Last stats I received was last night:

Activity Points: 96
Payment rate: $0.45 per hour
Hours spent surfing: 158.63

Your earnings: $71.42


This morning - image links on their server are not working and their home page states that "Surf Junky is experiencing some unexpected downtime." If I were a gambling man - I'd give 50-50 odds that they're gone (they should not have had to disappear until 15Apr before not paying us......so that's why 50-50 odds). No more Surf Junky updates until at least 15 Apr...I'll let you know if I get paid, but don't hold your breath, I'm not going to...

UPDATE: Update to the update - they appear to be back online this afternoon...

March 15, 2005

From the -Holy Shit, That's Cool- Dept.

From: Wired News: Need a Building? Just Add Water:
Soon, there will be such a method. A pair of engineers in London have come up with a "building in a bag" -- a sack of cement-impregnated fabric. To erect the structure, all you have to do is add water to the bag and inflate it with air. Twelve hours later the Nissen-shaped shelter is dried out and ready for use.

It's nice to know that computer technology is not the only place that people are making strides. There are many, many problems facing our earth, and it's good to know that people are out there in other fields working at solutions. Too often, people think that computers are some kind of magic solution to all of their problems, applicability be damned. Well, computers don't build buildings, well - not yet....

Tuesday is Choose Day

Thanks to Tuesday is Choose Day for this meme:
Would you rather:
1. be responsible for an oil tanker crash off the coast of alaska OR cause a rebellion in a developing nation? That's an easy one. Human suffering is much more preferable to animal suffering. After all, animals are innocent creatures. After the Valdez incident, I've had a lot of pent-up emotion over just what we did to the wildlife in that region. Also, the rebellion would obviously benefit SOMEONE, whereas the oil tanker crash would hurt everyone in the region.
2. get locked out of your house while naked OR throw up all over yourself in the middle of an important meeting? Another soft ball. Throwing up on yourself is the most disgusting, sickening thing I can think of. Getting locked out of your house is something we've all done (or will do), and being naked is no big deal. I think I'd definitely be able to laugh about it later...but I wouldn't even be able to THINK about throwing up on myself without a recurrence.
3. wake up to find your feet have grown two sizes OR hair all over your back that grows back every night? A woman wrote this question, right? I'm a man, of COURSE I'd rather have 2 more shoe sizes to contend with.
4. eat nothing but cheese for a week OR only chinese food for two months? I think I've done this - or at least something similar. I was in the military for a few years, and ate the same food day in and day out at the mess hall at several locations. Who doesn't love Chinese Food? (Well, I'm originally from New York, so maybe that has something to do with it...?)

Atrophy of the Mind

Atrophy - That's the word I was trying to remember. My mind feels as though it is undergoing atrophy (did I use that right?) I'm unable to remember words. They sit on the tip of my tongue, and I think it's because I haven't done any real writing (see, the word for the type of writing - not free - creative, I think, just slipped out of my mind.) It didn't flow, like it might have years ago.
I think I'm seeing the limits of my own intellect, and I'm not happy about the limitations. Studying chess, piano, CSS, ASP.NET, HTML and writing, along with handling day to day life, the rigors of my job and family, are too much for my little brain to handle.
Perhaps I need to read more. In that vein, I'm halfway through a book I picked up in a discount book store - American Roulette. It's the first-hand account of a man who made his living cheating casinos at roulette, craps and blackjack over a period of 25 or 30 years. Let's see if reading helps. I'm going to try to read more books for enjoyment.

March 14, 2005

Corporate Memory (Internet History Lesson)

Many of the people reading this blog don't know what Usenet is. Oh, they may have heard of Google Groups, and they may even use it to their advantage when they're looking for technical answers (btw: This tip alone will make you seem smarter than your peers...). And even those who do know what Usenet is, some portion of them have never heard of the Usenet Oracle. The Usenet Oracle is an anonymous, cooperative email(message) system for creative, humorous writing. The home page of the Oracle says it's been around since 1989. I don't recall exact dates of when I ran into the Oracle for the first time, but that sounds about right. [I've been on the Internet since 1986. Well, ARPANET anyways.... And even before then, I was active in the online community through local dial up bulletin board systems (BBSs) and FIDOnet.] The Oracle is a 'personality' that existed on shared message systems. You ask it your question, and some random person gets your question and answers it, usually humorously, and demands your sacrifice in return. Some of the funniest stuff I've ever read on the Internet was at the expense of the Oracle's question-asking public. If you have a moment, check it out. Or ask it a question. I promise you it'll be worth your time.

March 13, 2005

The True Enemy

For those of you who don't know, I'm 38 years old. I'm not old enough to be called old, and I'm not old enough to be called young. I'm just now approaching my mid-life crisis, even though I'm nowhere near middle-aged (well, ok a little close). I am just now reaching a point in my life where things that were clear to me are now fuzzy, and things that were fuzzy are now clear; and while I didn't mean my eyesight, that applies too.
I have found the true enemy of man - it is Time. Or perhaps it is a sign of the times or the world in which we live that it has become such a pronounced enemy. There are so many things that I want to do, that I want to make time for, but there are not enough hours in the day. And each moment that I spend giving time to one pursuit, the rest of my pursuits slip away neglected.
I'm feeling this way because this weekend I spent a lot of time with my son. I love spending time with him. We went to play laser tag at LaserQuest near Potomac Mills mall. I always win (see scoresheet - I'm BlackHat - he's Ace), and he idolizes me begrudgingly. That's the part I like. The old man still has something on his son. I'm still the big guns in the family, and don't you forget it bub!
At the same time that we were at LaserQuest, at the movies (Robots), and walking 2 or 3 miles through the park today, things weren't getting done...my taxes, piano practice, chess practice, badly needed blog redesign work, coding study, picture taking (well, ok I took some at the park), book reading, bill paying, research for new business, playing with the dog (we took him to the park too...), needed indoor repainting, needed outdoor repainting, and so on ad infinitum.
Do others feel the crunch of time as I do? Or am I poorly out of tune with what the world expects of me and I've become overly self-indulgent? The older I get, the more things I have to do, and the more un-completed things I leave behind. For each hobby I have kept over the years, there are numerous ones I've not garnered enough steam on starting. I look at what others have completed in less time on the earth than I, and I am sincerely jealous at their hard work and perseverance. If I had the focus and drive to be as successful as people like Michael Dell or Bill Gates, would I have the other good things in my life? Is it all a trade-off, and have I made the right trades?
Maybe I'm not approaching a mid-life crisis. Maybe I'm smack in the middle of one. As Elizabeth Forsythe Hailey said "Time is a cruel thief to rob us of our former selves. We lose as much to life as we do to death." And Mason Cooley said, "Regret for wasted time is more wasted time." So I guess I'll stop wasting time and move on to the next task. Till tomorrow....

Conspiracy Shmiracy

Just a quick rant: There is no right-wing conspiracy. There is no left-wing conspiracy. The conspiracy does not exist. It is in your mind, and I am sick of reading about it. Stop your belly-aching about the left or right 'wing' and buck up to the fact that there are people out there with a different outlook than you. Spend less time bellyaching about how 'they' are out to get you and ruin your life, and more time trying to understand their side of the issues. Instead of pointing to their faults, try looking for the faults in your own arguments for whatever issue you're proposing and try to come up with middle ground where you can both meet. For Crissake, you're both human, and both prone to being imperfect. Accept that there is another point of view, and address it instead of worrying about whether or not they have their underwear on straight or their tie is a four-in-hand instead of a Windsor.

SurfJunky Update

SurfJunky Update: As of today, I have attracted at least one down-link at SurfJunky, the pay-for-auto-surfing website that started up last month. While no one knows whether or not we'll get paid, I just leave it up and running on my extra computer screen. - Stats to date:
Activity Points: 72
Payment rate: $0.45 per hour
Hours spent surfing: 120.67

Your earnings: $54.32

Keep checking back - I will keep you abreast of whatever happens with this. I am making sure not to cheat, use refreshers or anything that might get me banned. I'm following all their rules as best I can.

Blogger Is Getting On My Nerves

Blogger is really pissing me off lately. All this weekend, posting on Blogger has been like a lottery. You put together your post and hit the publish button. If you win the lottery, your post gets published on your blog. If you lose the lottery, your post goes into the Ether, never to be seen again (unless you hit the back button and cut and paste it into a more stable program, e.g. Notepad). I've wanted to try to play with the image posts I've been making lately to try to wrap text around the pics, etc...but I can't even get Blogger to behave enough to simply make a post, much less know whether it's published or not. I've even seen some blogs where Blogger is posting 3 times, probably because their redirection code is screwed up, but the script is going ahead anyway.

March 12, 2005

Losing a Hard Drive Sucks Major <bleep>

Dead Disk Drive
I lost a disk drive this week. It had gone south on me before, just after the warranty ran out of course; but it lasted 6 months after the last failure. I'm pretty sure it failed while waking up from sleep one morning when I came down to check my email. It started making nasty noises and putting it in the freezer didn't help. I didn't have anything VERY valuable on it, but I did lose some pictures from my trip to Vegas that I hadn't yet burned to CD. Losing a hard drive sucks, especially one that was only manufactured 2 years ago.

Mystery Pic Revealed

Pistachio Nut with +17 diopter macro lens
Mystery Pic revealed: Ok, I can't hold it in till Sunday - the picture is of a pistachio nut. No winners this time - but I'll post another one soon(er or later) - maybe make it a regular feature.

March 11, 2005

Are you a fan of Wikipedia? I know I am - it's a fantastic extension of the Internet, allowing people to share information in a manner that makes sense, editing each other's works and offering some very solid research on important subjects. Well, BoyHowdy introduced me to the Uncyclopedia today, and it went right into my bookmarks list. Everyone has something they want to rant about, or otherwise spread disinformation about - (my favorite rant is Ikea so far). And here you can do it all to your heart's content. But forget about well researched articles. This site is all about disinformation, rumour and humour. So put on your 6th sense before visiting.
I would like to thank Peter Mack for The Perspective of the Day: Go to The Global Rich List and see where you lie on the grand scale of the world's wealth. I think I'll permanently bookmark this site so that every time I think I'm a poor shmuck without enough money, I can click on the bookmark and lighten my perspective on things.

March 09, 2005

DANGEROUS NEW PHISHING ATTACKS: A new phishing email is being sent around whose link appears to use eBay's own servers to bounce the victim on to the hacker's PC.... The link text shown in the email is the innocent-looking https://signin.ebay.com/ws/eBayISAPI.dll?UpdateAgreement

Here's the actual link behind it (the href), with the hacker's PC address changed to 127.0.0.1 to protect the stupid:

https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%26DomainUrl=http%3A%2F%2F127.0.0.1%2FeBayISAPI.php&pageType=1883

Note that the link really does send you to eBay's signin service! If you click on it, you actually end up on eBay's genuine signin page, and clicking on the Certificate Info verifies that the SSL session is indeed being held with eBay's normal signin server....so what's going on here?
The hacker is using eBay's own scripts against them. Look at the ru (return URL) parameter: after you sign in, eBay sends you on to it, and here it points at a second eBay script, cgi4.ebay.com/ws/eBayISAPI.dll, called with MfcISAPICommand=RedirectToDomain and a DomainUrl parameter naming the hacker's machine (127.0.0.1 in the copy above; the real hacker address was in the email), where a script called eBayISAPI.php is waiting for the user to arrive. So the signin page and the RedirectToDomain command together act as an open redirect: you log in on the real site, having just checked the real address bar, and are then bounced to a page the hacker controls. Whether eBay's login server is also stupid enough to pass the user's credentials along to that redirect URL I can't tell from the link alone; if it does, so much the worse.

This is a fairly sophisticated phishing attack. Potentially the hacker doesn't even need your password. If the redirect carries along an internal authentication token for your eBay session, it could be replayed against other eBay servers in specially formatted HTTP requests, letting the attacker act as if they were logged in to your account.

While I've notified eBay (at spoof@ebay.com), there's a lesson in secure web application design in how this attack works, and web designers should pay heed to the weaknesses inherent in passing users and credentials from server to server in 'custom' login scripts. At a very minimum, every redirect parameter should be checked against a pre-approved list of hosts, using an exact hostname match rather than a 'contains ebay.com' test, before the user or any token is sent there, and that check belongs on every hop, not just the first one. A secure channel should be used if at all possible (client PKI certificates!)
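As an added example (not code from the original post or from eBay), the following Python decodes the quoted link into its redirect hops and applies the pre-approved-host check described above to each hop. It makes no network requests; it only unwraps what the attacker encoded into the link. The allowlist, the parameter names beyond ru and DomainUrl, and the function names are assumptions for illustration, and 127.0.0.1 stands in for the attacker's host exactly as it does in the link above.

```python
"""Decode a chained-redirect phishing link and apply an allowlist check per hop.

Added example, not code from the original post or from eBay. No network
traffic: it unwraps the redirect parameters encoded in the link, then checks
each hop the way a redirect endpoint should before forwarding a user.
"""
from urllib.parse import parse_qs, urlsplit

# ru and DomainUrl come from the link quoted in the post; the other names are
# common redirect parameters, added as an assumption so the decoder also
# handles links built on other sites' redirect scripts.
REDIRECT_PARAMS = ("ru", "DomainUrl", "url", "next", "redirect", "return", "goto")

# Hypothetical allowlist of hosts a redirect endpoint may send users to.
ALLOWED_REDIRECT_HOSTS = {"signin.ebay.com", "cgi4.ebay.com", "www.ebay.com"}

# The link from the post joined into one string; 127.0.0.1 stands in for the
# attacker's real host, as it does in the post.
PHISH_URL = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?"
    "SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F%"
    "2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand%3dRedirectToDomain%"
    "26DomainUrl=http%3A%2F%2F127.0.0.1%2FeBayISAPI.php&pageType=1883"
)


def _embedded_redirect(url):
    """Return the first absolute URL carried in a known redirect parameter, or None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            if value.lower().startswith(("http://", "https://", "//")):
                return value
    return None


def redirect_chain(url, max_hops=10):
    """List every hop encoded in the link, starting with the link itself.

    parse_qs percent-decodes each value, so the eBayISAPI.dll URL hidden
    inside ru= (with %3d and %26 for = and &) becomes an ordinary URL whose
    own query string can be inspected in turn.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = _embedded_redirect(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_allowed_redirect(target, allowed_hosts):
    """The check the post asks for: redirect only to pre-approved hosts.

    Exact hostname comparison defeats lookalikes such as
    cgi4.ebay.com.attacker.invalid, and the scheme test rejects javascript:
    and scheme-relative (//host) targets.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in {h.lower() for h in allowed_hosts}


def first_disallowed_hop(url, allowed_hosts):
    """Report where an allowlist check would have stopped the chain.

    Returns (hop_index, target) for the first redirect target that is not on
    the allowlist, or None if every hop stays on approved hosts. Hop 0 is the
    link the victim clicked, not a redirect target, so it is skipped.
    """
    for index, hop in enumerate(redirect_chain(url)):
        if index and not is_allowed_redirect(hop, allowed_hosts):
            return index, hop
    return None


if __name__ == "__main__":
    for i, hop in enumerate(redirect_chain(PHISH_URL)):
        print(f"hop {i}: {host_of(hop):<16} {hop}")
    print("allowlist would stop at:", first_disallowed_hop(PHISH_URL, ALLOWED_REDIRECT_HOSTS))
```

Running it shows three hops: signin.ebay.com, then cgi4.ebay.com, then 127.0.0.1. A check applied only to the sign-in page's ru value would pass, since cgi4.ebay.com is a legitimate eBay host; the chain is stopped only when RedirectToDomain applies the same check to its own DomainUrl parameter, which is why the allowlist belongs on every redirect endpoint rather than just the front door.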


March 07, 2005

In Other News: Got my butt handed to me during lunch today. A coworker and I play chess at lunch. He beat me hands down 2-0. Since I've been spending more time on HTML and div tags than studying/practicing chess, I'm beginning to lose the edge I had on him that was keeping us even. I'm going to have to buckle down and study if I want to win. Time to go check out the current version of Chess Position Trainer. That's a completely free practice tool for studying your repertoires and practicing against known positions. It's good software, and if you play chess, you should be using it.
If you haven't already - check out the 'What is this' contest two blog entries down - no one has gotten it yet ;)
Here we go again. For those of you who have been on the Internet long enough - Pay for Surfing is back. There is a service called Surf Junky making the rounds that will potentially pay you 45 cents an hour to leave a browser running on your computer. It's fairly obtrusive, but if you have two monitors (or two computers!) and frequently don't need the screen real estate, you can still work while ads scroll on your second screen. I've signed up and so far, my computer has supposedly earned $17+. Now to see if they end up actually paying me. Surf Junky may be old news to some, but there's plenty of buzz about them. They've already denied users of the Firefox browser access to their service because of the many plugin capabilities of the browser and the ability to use them to cheat the system into believing you are there when you're not. The way they did this was to turn off those accounts, with money in them, no less - raising the hackles of a large community of people yelling 'Scam!'. I'll report on what happens with my account right here on Randomblings, so keep your eyes peeled. I'll let you know when I bypass the $25 mark (sign up under my referral link if you want to help me get there quickly) and I'll let you know when or if I ever get paid via PayPal.

UPDATE: My Surf Junky total passed $25 today (3/8/2005). I have not used Firefox or cheated in any way. I'm going to leave it running until their 'payday'. Here are the current stats as of 12:55 EST:
Personal Earnings

Activity Points: 33
Payment rate: $0.45 per hour
Hours spent surfing: 55.64

Your earnings: $25.04

March 06, 2005

Guess the Closeup Contest: If you can guess what this is a picture of, you'll get a free outbound link on my blog page(s). It'll be over on the left side and show up on all of the pages in my site (pending no layout changes, of course):

March 05, 2005

Anti-Gravity Irish Dancers: Also seen at the St. Patrick's Day Parade in Alexandria today were these Irish Dancers testing their new anti-gravity parade float. As you can see, it was working perfectly:
Irish Dancers Flying at St. Patrick's Day Parade
Happy St. Patrick's Day! Today we went to the Alexandria St. Patrick's Day Parade (yes, I KNOW it's early for that, but they had one anyway.) I saw this little drummer boy in one of the marching bands:
Little Drummer Boy at St. Patrick's Day Parade

I'll post more pics later - I'm still going through them all - the curse of having a digital camera - information overload - you can take pictures of EVERYTHING, but eventually you have to sort through them all.

March 02, 2005

The only good thing about being sent on travel is that you can sometimes get a really sweet rental car, like this one that had 3 miles on it when I got it:
Sebring Touring Convertible