Tuesday, 23 June 2009

Javascript munging broken? Here's a solution

As pointed out in this slashdot article, Google has broken javascript email munging as suggested by projecthoneypot.org.

Of course, there are a few easy ways around this, and lots of not-as-easy methods.

  • Since Google obeys robots.txt, move the munging javascript to obfusmail.js and add it to the disallow list in robots.txt.
  • Use onmousemove or onmouseover on the body or even on an image displaying the email to swap said image or a blank text area for the email in question.
  • AFAIK google doesn't use cookies when spidering; store a randomly generated piece of data in a cookie, and xor the the password with it on both sides.
  • Use an ascii font to display the email. Dynamically, if you feel like really having fun with it.
  • And so on and so forth...

So the short version? Swap the most naive js mungers for something a bit smarter. An extra five lines of code or of annotations. It's not the end of the world. And when that gets beaten... move to the next solution. There will always be problems with usability for the visually impaired, for those who refuse to use js or cookies, and so on, and that's why you have a separate direct contact form. Right?

Wednesday, 28 January 2009


Without further ado, I present to you... the creepcam

Yes, that IS a camera in a stuffed dog's nose.

Tuesday, 13 January 2009

SANS' top 25 errors

SANS' top 25 list of coding errors is chock-full of rudimentary mistakes. It should be required reading for second year students in CS, or second term students in IT/CS diploma programs. Now, there are a couple of things that a half-decent programmer might miss - exploiting unspecified encoding, race conditions in underlying code - but if you're passing sensitive data in plaintext, or not validating and parsing user-supplied data, or not sanitizing your *&^%# SQL, you need to be educated. And it'd be better to have that happen in class than on the job.

Bits of the article are amusing, too: "all your code are belong to them," indeed.

In short: people still make these kinds of mistakes? Needless and frightening. Your information online is not secure, and at this rate it never will be.