Brain Storming on Blocking Bad-ads

September 6, 2009

I’m just jotting down some notes about using the Google Safe Browsing API to prevent a site from serving malicious/bad ads.

Problem Defined

  • Ads are put on a site via javascript by calls as simple as “getad(‘adposition1’)”. JavaScript is executed via the client’s browser after the page is served.
  • Those calls don’t touch any of our servers, they go from the client to the Google/Glam/Whatever Ad Server. So we don’t see the ads before they appear on the customer screens.
  • The ads being served may be malicious
    • Any ad that is served can link to a site that has been infected. We will want to block this.
    • Any ad that is served can “take over” the page and redirect the page to a site that may or may not have malware. We want to block ALL take over attempts.
    • There may be other types of ads that we wish to block. Potentially we might wish to block specific ads on specific sites (e.g. ads with sexual connotations on pre-teen audience sites). This may be beyond the initial scope and/or incur unwanted execution expenses.
  • Serving a malicious ad can get a site listed as “infected” even though your server has had nothing to do with ANY of the ad content.

Obstacles

  • Any extra calls WILL slow the page load process.
  • Each page load MUST call the ad serving script again
  • If an ad can be identified as bad, some other type of content must be served in that position to ensure page integrity.
  • The request for ad content HAS to come from the customer side because many ads are geo-specific and the customer’s IP determines what ad shows at what time.
  • You don’t want to set up a system where the site itself can submit a site as “bad” as anyone could sniff that info and seed our black list with bad data.
  • The results of the first getad() call could be more JavaScript which must, in turn, be processed by the browser to produce the final ad. Potentially, several layers of JS could exist before the real ad is served (e.g. 2 layers of indirection before the ad: Google Ad Manager JS —serves—> Glam Ad embedded JS call —serves—> JS call to 3rd Party Ad Server —serves—> Ad). This pattern is real and happens often.

Possible solutions

  • Status Quo: As problem sites are reported to us, determine which ad is bad, report it to the ad server & hope they fix it before Google sees it and lists the site as a dangerous site in its toolbar and in Chrome.
    • Unless you are “lucky” you don’t get the bad ad.
    • Once you get the bad ad, it is hard to determine the initial JS that caused the problem
  • Embed every JS ad in its own iframe
    • Will block take overs
    • May or may not prevent Google from listing the site, probably not.
    • Will break ads that are context-based
  • Check the ad entirely on the client side via a black list: GSB API (http://code.google.com/apis/safebrowsing/) or PhishTank (http://data.phishtank.com/data/online-valid.xml)
    • This Good/Bad check could be done with a single API call
    • Calls to external servers are dependent upon the health/bandwidth of that server
    • This could also be done via downloading the black list and checking off of that: http://code.google.com/p/jgooglesafebrowsing/wiki/Quick_Start_Guide
    • Blacklist downloading would cost time and would have to be updated periodically.
  • Implement a hybrid solution where a call is done to our servers to see if an ad is good or bad. (Server side base code: http://lampsecurity.org/php-google-safe-browsing-api )
    • Ad call is processed in JS eval (will have to be checked for nested JS calls)
    • MD5 of the ad is sent to the server. The results are Good/Bad/Unknown. (Pass the URL?)
    • If the result is Good, the ad is served and the process exits
    • If the result is Bad, either go to step 1, or serve a placeholder/known good ad & exit.
    • If the result is Unknown, send the JS to the server for verification. The server processes the code and returns a Good/Bad result.
    • If the result is Good, the ad is served and the process exits
    • If the result is Bad, either go to step 1, or serve a placeholder/known good ad & exit
  • Other solutions?

Reading

Anyway, I had this going through my head and wanted to get this all written out. So I can have a place to check back on this tomorrow…

How to batch resize images from the Linux CLI

August 18, 2009

You might find this little command useful, it allows you to create thumbnails for all the files in a particular directory:

find . -maxdepth 1 -name '*.jpg' -print -exec convert "{}" -resize 80x60 "thumbs/{}" \;

This should work on any server with ImageMagick installed and in the path.

Enjoy!

WordPress/WordPress mu Merge Definitively Confirmed

June 4, 2009

There’s been rumor and confusion over the last week about whether WordPress and WordPress mu were merging as Matt seemed to imply at WordCamp SF. The announcement was so shocking that the true meaning was uncertain. For example, the avid WordPress evangelist Lorelle was left with the impression that WordPress.org would become a community site. Thankfully, Donncha, WordPress mu’s lead, gave the conclusive word on the subject this morning:

Basically, the thin layer of code that allows WordPress MU to host multiple WordPress blogs will be merged into WordPress. I expect the WordPress MU project itself will come to an end because it won’t be needed any more (which saddens me), but on the other hand many more people will be working on that very same MU code which means more features and more bugfixes and faster too.

Donncha, I would view this with the honor it does you. It is not much of a stretch to say that with your work on mu, you’ve made a lasting contribution to the shape of the world, how people get information, and how they will relate to each other over the upcoming years. More and more sites are run on mu, while the whole BuddyPress/bbPress/mu paradigm is taking off and will change the shape of the web. The adoption of mu’s features into the WP core is a signal of what is to come and it will be an exciting ride!

Congrats guy!

SxSW Wow!!!

March 2, 2009

A New Look

You may notice that there are a few things different around here! I am approaching the three year anniversary of The Code Cave and have decided to spice things up a bit. The site is now sporting a new theme on a new web host, its own VPS. And I’ve got a number of posts lined up to be published, the first of which is this one: my entry into the Blog World and New Media Expo Free Ticket to South by Southwest Interactive contest.

Sham WOW!

Now, I have to admit I was inspired by an infomercial that you simply can’t get around seeing these days. It’s Vince Offer’s Sham Wow product:

Now if you haven’t seen that, surely you’ve seen the “Slappin’ your troubles away” Slap Chop. The excitement Vince shows for his favorite pastime, selling products everyone could use, is infectious.

I’m not the first to be inspired by his exuberance. Rhett and Link have given the commercial their full treatment and created this video:

And now… SxSW WOW!

My reaction (major hat tip to http://twitter.com/markjaquith) to Blog World and New Media Expo giving away a free ticket to SxSWi was simply WOW! I stared at the screen for a while waiting for my brain to turn back on and finish processing everything it had been ignoring from my eyes for the last 5 minutes. SxSW wow! And that was it! The vision was born within minutes of reading the article.

I shot some even fancier footage from my motorcycle showing the excitement of the 20 hour drive down to Texas, if that’s how I went (and yes, I would live stream the whole way), and had some other ideas to include, but the priorities fell to 1. Get the site transferred to the new host. 2. Make the site pretty enough to host the video. 3. Get the blasted thing DONE!

So without any more ado, whatever that is, I present you with “SxSW WOW!” (uploaded at March 01, 2009, 10:43 PM PST):

I do need to thank my loving wife Denise Layman (aka Sorka) of knitting fame at KnitChat.com for all of her help filming with MS Movie Maker tips as I’d never used it before. Thanks Love!

Download hi res 600mb

Mentioned in the Video

Tim Bourquin – founder of New Media Expo, who seems like a really nice guy. And as far as I know he’s never consumed 20 times his weight in ANY type of liquid
Rick Calvert – Co-Founder of Blog World Expo, who I know is a really nice guy
Jim Turner – aka Genuine, who is an excellent writer of no little fame. I noticed that he happened to be the author of the contest post! And as far as Twitter is concerned, yes, I’m pretty sure he is following me!

Sham WOW! Script

Since I had this file on my desktop I figured I’d share my script with you. Here are the original and new lines I used from the commercial:
O: Hi It’s vince with Sham Wow!
N: Hi it’s Brian and I’ve got a SxSW Wow! from Blog World Expo!

O: I’ll be saying wow, every time I use this ticket.
N: You’ll be saying wow, every time you use this towel.

O: It’s like a shammy it’s like a towel it’s like a sponge.
N: It’s like a party, it’s like a conference, I’ll be like a sponge, YAY ME!

O: Sham wow holds 20 times its weight in liquid.
N: SxSW attendees absorb 20 times their weight in liquid! Just ask Tim Bourquin

O: Look at this it just does the work
Why do you want to work twice as hard

N: Look at this, I’m doing work!
Why would I want to be working at home?

O: Made in Germany. You know the Germans always make good stuff
NOT USED: This is a gift from Blog World Expo, you know Calvert always makes good stuff…
REPLACED: Every SxSW Wow! comes pre-Rick rolled by (Rick) Calvert himself

O: Here’s some cola, wine coffee cola pet stains
Not only is your damage on top but
There’s your mildew. that is gonna smell you see that?

N: Here… here is my anxiety of how to get to SxSW. My sweat, my tears, my embarrassing stains,
Not only is it on top
But it’s down deep man

O: We’re gonna do this in real time
Put it on the spill, turn it over
without even putting any pressure 50% of the cola right here. Following me camera guy
The other 50% the color starts ta come up.

N: I’m gonna stream this live
I put my SxSW Wow! on top and roll it
No Pressure man, No pressure and suddenly 50% of my worries are gone!
All that remains is the fun of getting there. You followin me (Jim) Turner, you followin me?

O: No other towel is gonna do that
It works like a vacuum.

N: And look at that
It works like a Valium.
No other ticket is gonna do that!
SxSW Wow!

O: See what I’m telling you.
Sham wow – you’ll be saying wow every time

N: See what I’m telling you.
SxSW Wow! – I’ll be saying Wow! all the time!

THANKS BLOG WORLD EXPO!

Neither a borrower nor a lender of bandwidth be

January 5, 2009

“Neither a borrower nor a lender of bandwidth be; And this above all, to thine own site be true…”
William Shakespeertopeer – The Renaissance Man’s Guide to the Internet. – Chapter 1 verse 12

Yet here, readers! aboard, aboard, for shame!
Google sits in the shoulder of your site, And you are stay’d for.
There; my blessing with thee! And these few precepts in thy memory

See thou character set. Give thy tongue a name,
and no unproportioned content to his act.
For search engines shall look for UTF-8 and EN or DE
And provide translations thereof.

Be thou familiar, but by no means vulgar.
For so shalt search engines stop, after discovering
Repetition of the evil seven.

Those friends thou hast, and their adoption tried,
Grapple them to thy site with links, trackbacks and pings;
For it is by the number of links to your site, that you are judged.
And it is through external links that you will grow.

But do not dull thy blog with trolls and spammers
Of each new-commenter, unfledged comrade. Beware
Links to their sites, are being in their name,
Bear them to Akismet that others may not burden thee.

Give every man thy ear, and seek their voice;
Take each man’s censure, by reserving your words.
Make thy habit to leave ideas for the voice of readers,
For participation, will buy their loyalty;

Choose a theme optimized for SEO as well as appearance,
For the apparel of a site oft proclaims the man,
And they in Google, of the best rank and station,
Are of a most select and generous chief in that.

Neither a borrower nor a lender of bandwidth be;
For loan of text oft weakens site rank,
And borrowed images dull load time,
Cease and desist will be their cry,
And DMCAs will be sent to thee.

This above all: to thine own site be true,
And it must follow, as the night the day,
Thou canst not then be false to any man.
Farewell: my blessing season this in thee!

—————————

Adhering to the GPL, here, you find the original:

LORD POLONIUS Yet here, Laertes! aboard, aboard, for shame!
The wind sits in the shoulder of your sail,
And you are stay’d for. There; my blessing with thee!
And these few precepts in thy memory
See thou character. Give thy thoughts no tongue,
Nor any unproportioned thought his act.
Be thou familiar, but by no means vulgar.
Those friends thou hast, and their adoption tried,
Grapple them to thy soul with hoops of steel;
But do not dull thy palm with entertainment
Of each new-hatch’d, unfledged comrade. Beware
Of entrance to a quarrel, but being in,
Bear’t that the opposed may beware of thee.
Give every man thy ear, but few thy voice;
Take each man’s censure, but reserve thy judgment.
Costly thy habit as thy purse can buy,
But not express’d in fancy; rich, not gaudy;
For the apparel oft proclaims the man,
And they in France of the best rank and station
Are of a most select and generous chief in that.
Neither a borrower nor a lender be;
For loan oft loses both itself and friend,
And borrowing dulls the edge of husbandry.
This above all: to thine ownself be true,
And it must follow, as the night the day,
Thou canst not then be false to any man.
Farewell: my blessing season this in thee!

A winter walk…

January 4, 2009

I thought I would share some pics from a 3 hour hike the other day. I hope you enjoy them.

I’ll post some videos tomorrow when I return to civilization and have the bandwidth to upload them…

Simple web rules beginners & pros all break- Rule #1

January 3, 2009

Yes, this applies to you. I’ve even changed the title of this series because if I named it “7 simple HTML rules beginners & pros all break” some readers would say, “HTML? That’s coding stuff. That doesn’t apply to me.” But almost everybody who surfs the web writes HTML. They may not know it, but they do. If you have a blog, I can almost guarantee you’ve written HTML AND you’ve broken one or more of these rules. If you are a professional blogger or coder, I’d wager that you still break one or more of these rules on a regular basis. So… enough build up…

Here we go:

Rule 1: Everything has a beginning and an ending

So, if you want to add a blank line to a post or comment, the code is pretty simple right? You add <BR> and you have a new line. Right? WRONG! You’ve just broken rule number one. ALL HTML TAGS MUST HAVE AN OPEN AND CLOSE. So to write this correctly you would say either <BR></BR> or use the shortcut <BR />. That shortcut with a trailing / is the most correct way to add a break. It opens and closes the tag within itself. Another example of a common place this rule is broken is within the IMG tag. You will often see code like

<IMG SRC="me.bmp" alt="A picture of me">

when it is more properly written as:

<IMG SRC="me.bmp" alt="A picture of me" />

Why does this rule matter?

Perhaps the most visible side effect of this is seen on blogs that don’t have a sidebar or have all the text after a certain point bolded or centered. This is most frequently caused by an unclosed <DIV> tag. Each <DIV> is a division or an invisible box that is in a specific area of a web page. The center column of a website is a common example of a <DIV>. If you don’t have the right number of <DIV> and </DIV> tags your web page will tell the browser, “The center column starts here” and it is never told “Now it has ended”. So your sidebar can become part of your center column. The most common cause of this is copying and pasting text from another website into your post. You will catch all of the open <DIV> tags with your copy but often miss a close div or two and that confuses the heck out of the browser. This happens so often that I’ve made a short video about how to manage these things for the bloggers on the b5media network.

The other reason this matters is that most browsers have a “Site didn’t follow the rules” or “Compatibility” mode which is turned on when there are errors on the page. When this mode is activated, the browser starts loading the page in the simplest way it can in order to guess at what you really meant. I’ve oversimplified this and you can find out more by searching “Web Standards” in Google. Put briefly, if you want your page to appear as you intended, close all your tags.

Or Everything that begins must eventually come to an
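As an added example (my own code, not part of the original post), here is a small checker you could run over a pasted fragment before publishing it. It reports the unclosed <DIV> that eats your sidebar and any stray closing tags; it treats BR, IMG and the other void elements as self-closing, so both <BR> and <BR /> pass. The function names are mine.

```javascript
// Added example, not from the post: report unclosed and stray tags in an
// HTML fragment (Rule 1). Void elements such as BR and IMG never need a
// closing tag, so "<BR>", "<BR />" and "<BR></BR>" are all accepted.
// Function and constant names are invented for this example.
const VOID_TAGS = new Set(['br', 'img', 'hr', 'input', 'meta', 'link',
  'area', 'base', 'col', 'embed', 'source', 'track', 'wbr']);

// Returns a list of problems, in the order they are discovered:
//   "<div> never closed"   -> an opening tag with no matching close
//   "</p> closes nothing"  -> a closing tag with no matching open
function checkTags(html) {
  const problems = [];
  const stack = [];          // names of currently open (non-void) tags
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*?(\/?)\s*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    const selfClosed = m[3] === '/';
    if (closing) {
      if (VOID_TAGS.has(name)) continue;       // tolerate </BR>
      const idx = stack.lastIndexOf(name);
      if (idx === -1) {
        problems.push(`</${name}> closes nothing`);
      } else {
        // Anything opened after the matching tag and still open was
        // never closed; this is the copy-paste <DIV> case from the post.
        for (const left of stack.splice(idx + 1)) {
          problems.push(`<${left}> never closed`);
        }
        stack.pop();
      }
    } else if (!selfClosed && !VOID_TAGS.has(name)) {
      stack.push(name);
    }
  }
  for (const left of stack.reverse()) problems.push(`<${left}> never closed`);
  return problems;
}
```

An empty list means every tag that needs a close has one; it does not validate attributes or nesting order beyond matching names.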

Not Quite 52 books in 52 weeks..

January 2, 2009

I still think I may have met the challenge…
But I can’t prove it yet.

I’ve collected 36 of the books I read in the last year, but I am drawing a blank on the rest… I THINK I’ve read more than this this year and I probably met the goal but I am sure drawing a blank on them. Part of the problem is that reading The Song of Ice and Fire took a loooong time. They are good books but DANG they are complex. I’ve never read any other books that did so many points of view for so many different characters. But they were enjoyable. Also I tried to read a non-fiction history of the Ivory Coast twice, but I never made it through to the very end of that one.

Anyway… here’s the first 36. When I get access to my desktop computer again (I’m travelling atm), I will see if I can find more to add to my list when I get back home.

Have YOU read any of these:

Armageddon’s children
Artemis Fowl (novel) (2001) Eoin Colfer
Artemis Fowl: The Arctic Incident (2002) Eoin Colfer
Artemis Fowl: The Eternity Code (2003) Eoin Colfer
Artemis Fowl: The Lost Colony (2006) Eoin Colfer
Artemis Fowl: The Opal Deception (2005) Eoin Colfer
Artemis Fowl: The Time Paradox (2008) Eoin Colfer
Dragon Harper Todd McCaffrey
Dragons of the Highlord Skies Margaret Weis
Ender in Exile Orson Scott Card
How to eat fried worms
I robot
Inkspell Cornelia Funke
Island of the Blue Dolphin
Magic Street Orson Scott Card
Mars Ben Bova
Metal Swarm
Phantom Terry Goodkind
S is for Silence Sue Grafton
Shadow of the Giant Orson Scott Card
Star Wars: Revenge of the Sith Stover, Matthew
The Elves of Cintra
The Friday night Knitting – Jacobs, Kate
The Gypsy Morph
A Game of Thrones (1996)
A Clash of Kings (1998)
A Storm of Swords (2000)
A Feast for Crows (2005)
I Am Legend and Other Stories
Dune Frank Herbert
Foundation Isaac Asimov
Second Foundation Isaac Asimov
Foundation and Empire Isaac Asimov
Foundation and Earth Isaac Asimov
Foundation’s Edge Isaac Asimov
The Light of Other Days Arthur C. Clarke

Now on WordPress 2.7

December 11, 2008

Almost Harmless!

8 sites updated this morning, all without a hitch. VERY NICE!

header location: $_SERVER["PHP_SELF"] security vulnerability

November 28, 2008

I thought I would share this section of code I found in the Zend Framework. It truncates PHP_SELF at the first embedded newline in order to prevent unwanted code from being inserted into the headers.

// Carefully construct this value to avoid application security problems.
$php_self = htmlentities(substr($_SERVER['PHP_SELF'], 0, strcspn($_SERVER['PHP_SELF'], "\n\r")), ENT_QUOTES);

header('Location: ' . $php_self);

The long and short of it is that if you include ANY unfiltered, unclean variables when you construct your header, you’ve opened a security hole.

Cleaning user-supplied variables is part of the basics. I just haven’t been all that careful with the use of PHP_SELF before now.

To quote the Zend Documentation "The treatment of the $php_self variable in the example above is a general security guideline [..] You should always filter content you output to http headers."
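To see why that strcspn() truncation matters, here is an added example (my own Node code, not the Zend snippet or anything from the post) that builds the raw redirect response both ways and parses it back the way a client would. safeHeaderValue mirrors the strcspn() cut; buildRedirect, parseHeaders and TAINTED_PATH are names and values I constructed for the example.

```javascript
// Added example, not from the post: the Zend defence reproduced in Node.
// Mirrors strcspn(): keep only the part of the value before the first
// CR or LF, so a path carrying a line break cannot end the Location
// header and start a new one. Names below are invented for this example.
function safeHeaderValue(value) {
  const cut = value.search(/[\r\n]/);
  return cut === -1 ? value : value.slice(0, cut);
}

// Raw header block for a redirect to `path`. With `unsafe` true the
// value is concatenated as-is, which is the hole the post is warning about.
function buildRedirect(path, unsafe) {
  const target = unsafe ? path : safeHeaderValue(path);
  return 'HTTP/1.1 302 Found\r\nLocation: ' + target + '\r\n\r\n';
}

// Split a raw header block into [name, value] pairs, as a client would.
function parseHeaders(raw) {
  const lines = raw.split('\r\n\r\n')[0].split('\r\n').slice(1);
  return lines.map(l => {
    const i = l.indexOf(':');
    return [l.slice(0, i), l.slice(i + 1).trim()];
  });
}

// Constructed test value: a "path" that contains an embedded CRLF
// followed by text shaped like a second header.
const TAINTED_PATH = '/index.php\r\nSet-Cookie: session=constructed';
```

Run through the unsafe path the client sees two headers; through the safe path it sees only Location: /index.php, and htmlentities() in the original adds a second layer for the case where the value is later echoed into HTML.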

Just thought I would share…
