Tuesday, September 19, 2006

Reshmonu.com hacked

Got a call from Reshmonu a few days ago to examine his website, which was acting up. Turns out that it got hacked. The hackers trashed his Flash index file, and left a message indicating their anti-Israel sentiments. Thankfully he still had access to the server, and we helped him to put up a quick message as an interim measure.



The machine hosting his website is a shared Windows server, running Frontpage extensions. It's very likely that the intrusion was caused by a weak FTP password.

Security issues like these are a constant threat to any web presence, irrespective of its scale. For small websites (e.g. FTP-based on shared servers), I would always recommend sticking to the following policy:
  • Never trust anyone else with passwords
  • Always change your passwords (bimonthly at the very least), and keep them random
  • Use a tool like Password Safe to keep track of your passwords
  • Never transmit passwords via voice/email/IM -- if you have to transmit passwords to someone else, opt for one-way SMS
  • Never transmit the username and password (and other credentials) together -- always transmit the password independently
While we're on the subject of passwords, it's interesting to note one of Bruce Schneier's postings on passwords:
From a list of 100,000 passwords for a German dating site, we learn that 123456 works 1.4% of the time and that 2.5% of all passwords begin with 1234.
If you're in the mood for more reading material, check out the comprehensive Wikipedia article on weak passwords.

Monday, September 18, 2006

How I hacked Friendster with CoComment

Update: Just received an email from Stephanie Booth of CoComment acknowledging the bug. She indicated that the CoComment team is working on a fix - kudos to them for the quick follow-up! (I'm guessing they made the quick discovery with CoComment on this Techcrunch conversation - bravo, definitely a worthy app despite the bug)


I just stumbled upon an interesting loophole with Friendster using CoComment which allows me to see a list of sent messages belonging to other users, presumably those that are also registered with CoComment and are keeping track of their sent messages using the form on the default Friendster Send Message page (http://www.friendster.com/sendmessage.php).

Here's how it happened:
  • I received a private message in Friendster from a friend.
  • I clicked on reply, and chose to keep track of the conversation with CoComment.
  • Moments later, I received a notification from CoComment that the conversation had been updated.
  • I logged on to my CoComment conversations page, and noticed that it was a message sent by mrblinky, who happens to be another user that has signed up with CoComment and has chosen to keep track of his/her Friendster messages.
Messages from mrblinky to honeybear won't change the world, but this is definitely a privacy loophole. And it's creepy because now everyone else on CoComment will be able to see my Friendster sent messages! You can bet that I'm going to stay away from replying to any Friendster message until this is fixed.
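To show what a loophole like this looks like in code, here is an added toy model (my own, not CoComment's code). It assumes the cause was grouping tracked conversations by page URL alone, which the post does not confirm; the accounts and message texts are constructed. The second tracker scopes a private form page per account, which is the fix a designer would reach for:

```python
from collections import defaultdict

# URL of the Friendster reply form, as given in the post
SEND_URL = "http://www.friendster.com/sendmessage.php"


class UrlKeyedTracker:
    """Assumed model of the flaw: one thread per page URL, shared by everyone."""

    def __init__(self):
        self.threads = defaultdict(list)  # url -> [(account, text)]

    def track(self, account, url, text):
        self.threads[url].append((account, text))

    def view(self, account):
        # Any account that tracked this URL sees the whole bucket, including
        # messages other accounts sent from the same form.
        return [msg for url, msgs in self.threads.items()
                if any(who == account for who, _ in msgs) for msg in msgs]


class ScopedTracker:
    """Fix: key a private form page by (account, url), never by url alone."""

    def __init__(self):
        self.threads = defaultdict(list)  # (account, url) -> [(account, text)]

    def track(self, account, url, text):
        self.threads[(account, url)].append((account, text))

    def view(self, account):
        return [msg for (who, _), msgs in self.threads.items()
                if who == account for msg in msgs]


def replay(tracker):
    """Constructed replay of the post's scenario; returns what 'me' can see."""
    # Another CoComment user sends a Friendster message from the same form
    tracker.track("mrblinky", SEND_URL, "hi honeybear, fancy a coffee?")
    # The post's author replies to a friend from the very same URL
    tracker.track("me", SEND_URL, "sure, see you at eight")
    return tracker.view("me")


def leaked_to_me(tracker):
    """Messages visible to 'me' that someone else wrote."""
    return [text for who, text in replay(tracker) if who != "me"]
```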

The following screenshot shows my sent message amongst 97 other sent messages that do NOT belong to me:




The screenshot below shows the message in my Friendster inbox which I replied to. The reply form is hosted on http://www.friendster.com/sendmessage.php:





One-nil to the Arsenal!

The Gunners just invigorated their campaign with a 1-0 win against Manchester United. But why did channel 81 (ESPN) on Astro get cut off 10 minutes from the final whistle? It may have been a problem with the transmission coming out of the UK, as I couldn't get channel 93 (BBC World) either.

The tension was terrible -- imagine: 1-0 up, we took Adebayor off for Flamini, and MU were pounding us for an equaliser. Then my telly gets hit with "Service is not available". Astro should seriously consider posting technical interruption updates & a formal apology on their website. One can only assume that they're going to close an eye on this one.



Monday, September 11, 2006

The all-new Yahoo! sign-in seal

Came across this new security feature when logging into Yahoo! today. It's what they call a sign-in seal to prevent phishing attacks. If it takes off as planned, we may see similar security measures across the web on other websites. Kudos to Yahoo! for making the first move in this space.

Here's an extract from their help guide:
A sign-in seal is a secret message or image that you select to help protect your account from phishing -- a scam that tries to steal your password or personal information by spoofing a legitimate web site.

When you create a sign-in seal for your computer, you can be sure you're on a legitimate Yahoo! site each time you use this computer to sign in to Yahoo!. Just look for the custom text or image you set up on this computer. If it's not there, you might have landed on a "spoofed" site.

Your sign-in seal is saved on the computer you created it on. If you use more than one computer or browser, you may want to create a sign-in seal for each one.

Screenshot of the setup process (choose between a text or image seal):


Screenshot of the login page with an image seal (circled):
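To show why a seal that lives in the browser's cookie jar defeats a look-alike site, here is an added toy model in Python; it is my own illustration, not Yahoo!'s implementation, and the hostnames, cookie name and seal text are made up:

```python
import secrets

class Browser:
    """Tiny cookie jar: a cookie is only ever sent back to the host that set it."""
    def __init__(self):
        self.jar = {}

    def request(self, site, handler, *args):
        cookies = self.jar.get(site.host, {})
        body, set_cookies = handler(cookies, *args)
        self.jar.setdefault(site.host, {}).update(set_cookies)
        return body

class SealSite:
    """Legitimate site: remembers each device's chosen seal under a random token."""
    def __init__(self, host):
        self.host = host
        self._seals = {}  # opaque token -> seal text picked by the user

    def create_seal(self, cookies, seal_text):
        token = secrets.token_urlsafe(16)
        self._seals[token] = seal_text
        # Only the token lands in the cookie; the seal itself stays server-side.
        return "seal saved", {"seal_token": token}

    def login_page(self, cookies):
        seal = self._seals.get(cookies.get("seal_token"))
        if seal is None:
            return "Sign in (no seal: unknown device or browser)", {}
        return f"Sign in [seal: {seal}]", {}

class SpoofSite:
    """Look-alike host: the browser never sends it the real site's cookie."""
    def __init__(self, host):
        self.host = host

    def login_page(self, cookies):
        return f"Sign in [seal: {cookies.get('seal_token', '<none>')}]", {}

def demo():
    """Returns (real login page, spoofed login page, page on a second device)."""
    browser = Browser()
    real = SealSite("login.example.com")        # constructed hostname
    fake = SpoofSite("login.example-com.net")   # constructed look-alike
    browser.request(real, real.create_seal, "my blue teapot")
    return (browser.request(real, real.login_page),
            browser.request(fake, fake.login_page),
            Browser().request(real, real.login_page))  # fresh cookie jar
```

The third result is why the help guide tells you to set up a seal on each computer or browser you use: a fresh cookie jar carries no token, so the seal cannot be shown there.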

Run Forrest, Run

I'm finally putting my Nike Running training log to good use with a training schedule set up for the 10k I'm taking part in this December (Singapore Marathon).



I started using Nike's training log back in January 2004, but stopped after a while as it required some discipline to log details of the run (time, pace, mood) after each run. Well, let's hope I get through the next 3 months as planned. The 10k is scheduled for December 3rd, and I'm pumped.

Kudos to Nike for this excellent Flash-based app. It recommends schedules for various types of competitive runs based on goals: walk to run, 5k, 10k, half marathon (13.1 miles) and a marathon (26.2 miles). My 10k (6.2 miles) training schedule will take 12 weeks to complete.

The training schedule contains instructions on how to treat each run, e.g. run 5 miles on a hilly route. It also makes use of the RPE-scale (Rate of Perceived Exertion), which ranges from 1 (very light challenge) to 10 (maximum challenge).

The various schedules were put together by the Nike Coaching Team which consists of Bob Williams, Alberto Salazar and Marc Davis.

Give it a shot - even if you're not planning to run, just keeping track of your shoes through the app is good enough an incentive :)

Friday, September 08, 2006

Styrofoam != polystyrene

Prashant's got an interesting piece on Styrofoam and generic trademarks.

Read on: http://prashant.lifelogger.com/227054

MSN spits out error 80072efd

Can't seem to get on to MSN from Kuala Lumpur. Seems to be spitting out Error Code: 80072efd.



The last thing I need now is to decipher some hex string. Thankfully Microsoft has a decent explanation on their site:
How do I fix error 81000365, 8100035b or 80072EFD?

If you can't sign in to MSN Messenger, the connection settings in MSN Messenger might be preventing you from connecting to the Microsoft® .NET Passport or Microsoft® .NET Messenger Service. The MSN Messenger Connection Troubleshooter can often find and fix these problems. The Connection Troubleshooter starts automatically if MSN Messenger encounters a connection problem. If you choose not to use the Connection Troubleshooter, or it does not solve your connection problem, try the following:
Read on for the full step-by-step guide: http://messenger.msn.com/Help/#LQ4

If you're facing similar problems, I'd suggest just waiting for this to fix by itself. It's probably just some network congestion (too many turtles perhaps?). Go get yourself a coffee and start admiring (or analysing) baby Suri instead.

Wednesday, September 06, 2006

Perempuan Melayu?

A quick post of some Gmail screenshots depicting sponsored links I came across today. These are supposedly targeted/contextual depending on the user's geographical location and email contents.

The following was crafted in Bahasa Malaysia. Translated to English, it reads: "Malay Girls: chat with sexy Malay girls. Lots of photos. Join for free."


The following looks like a very dodgy MLM programme based in Malaysia.


Well, I clicked on both these ads out of curiosity; so that translates to a successful conversion for the marketing wizards! It definitely caught my attention. It's obvious that the key to winning the text-ads battle is to keep the message concise and direct. Kick out the fluff, and plaster a simple yet strong call for action!

Social software for the busy professional

Ryan Carson has put together an insightful piece on the current state of the social software landscape and how it correlates with the typical nature of a busy professional. Indeed, I too face the problem where I seem (read: relative) to have a million things to do while battling to keep an empty inbox and minimising the number of subscriptions in my Google Reader. If that's not enough, over in Kuala Lumpur, we grapple with managing the 12-16 hour time differences with the pace setters over in the USofA (imagine conference calls at 10pm on a Friday night!)

I'd recommend reading Ryan's piece, and the thread of comments. Here's a relevant excerpt:
The most successful social sites right now are ones that have engaged a largely younger audience that is now growing up with tagging, online identity issues and blogging. Maybe the upshot of this is that in ten years' time MySpace will be the new LinkedIn. One thing's for sure, in my experience once you get to the "career stage" of your life everything changes. You're looking to simplify your life and solve your current problems. In a way, you have to become more selfish with your time. If something doesn't directly help you, your family, or those you love, it's probably going to fall to the bottom of your priorities.
Side note: I had the privilege of meeting and chatting with Ryan at a one-day workshop (Building Enterprise Web Apps on a Budget - How We Built Flickr) presented by Cal Henderson and organised by Ryan's Carson Workshops. Excellent chap! They've got a bunch of interesting workshops every now and then - great opportunity to meet some of the best minds in the industry.

Tuesday, September 05, 2006

Irwin's Turtle

You're probably already aware of Steve Irwin's tragic death. It's all over the web, and here in Kuala Lumpur, it received significant coverage especially over the airwaves. The primetime radio talkshows used it as a main talking point, and JJ & Rudy (Hitz.FM) even went to the extent of giving out prizes on air using the untimely death as their theme for the morning quiz (JJ & Rudy's Top 5 Ways to Find Out If You're Cool Quiz - what a mouthful!).

Late this evening I noticed a trend which I believe must be developing over the Net, or at least on some parts of the MSN network. A bunch of my contacts on MSN have modified their nicks (a.k.a display name) to include the turtle (tu) emoticon as a prefix. The screenshot below depicts part of my contacts list.




I'm not sure why the turtle was chosen, nor do I know who initiated it. A possible theory is that the MSN emoticons list does not include a crocodile which is what Steve was best known for (Crocodile Hunter). The next closest associated animal is probably the turtle; after all, he had a turtle named after him - Irwin's Turtle a.k.a Elseya Irwini.

It's interesting to note the way we pay tributes to those we recognise and respect. This particular case may just be a fad, but it does indicate that the Net has a strong viral effect that can snowball towards generating phenomenal awareness of certain events and issues.

Goldwynism

This came up on my Gmail Web Clips this morning:
I had a monumental idea this morning, but I didn't like it.
Interesting fact: Samuel Goldwyn was formerly known as Samuel Goldfish. He had his name changed after forming Goldwyn Pictures Corporation with Edgar & Archibald Selwyn. He was never part of the eventual studio that became Metro-Goldwyn-Mayer.

Read on for more Goldwynisms.

Monday, September 04, 2006

Crisis management 101

Crisis management 101, the Dell way (full article here):
OK, so I know your next question: "If you're so careful then how on earth do you wind up having to recall millions of batteries?"
Considering that a majority of their target audience is Internet-savvy, a blog is simply the best way to communicate their thoughts and sway the various market perceptions on the recent battery recall nightmare. Read the full piece on Direct2Dell - one can only imagine the massive effort required to contain this crisis for Dell.

By the way, here are some interesting stats from Dell (full article here):
As reported in a Dow Jones story yesterday, the battery recall rolls on. Data from earlier this week shows we’ve received about 150 million page hits on the battery recall site, well over 800,000 battery requests. A good percentage of those have also shipped to customers.

Dell's green recycling options

Insightful piece by Tod Arbogast of Dell on their recycling programmes. I was scouring the web for details on their recycling options when I came across this posting on their official blog - well worth a read. According to the blog entry, Dell's the first to offer free recycling options for consumers - bravo!

It's also worth mentioning that Dell offers the following recycling options:
  • Home users: donate it to non-profit organisations OR recycle it
  • Business users: their Asset Recovery Services provides logistics & disposal services to simplify the entire process
Here's a previous entry on this subject: How do I recycle a fried modem?