Tag Archives: Rants/Humor/Satire

There is Something Terribly Wrong With Windows 7 and svchost.exe / wuauserv

I recently purchased six (6) Dell Latitude E7000 series laptops with Windows 7, which are very nice by the way, but they all came fresh from the Dellcrosoft factory with one glaring showstopper. Straight out of the box, you lose about a quarter to half of the performance, operating time and battery life that you paid for as soon as you power them on.

Why’s that you say?

It’s because a core Windows 7 process called svchost.exe eats 25% of the CPU constantly:

You might think “this is a temporary issue, it’ll pass on it’s own”. No it won’t. We’re talking all day, everyday; this thing just keeps going and going. If you check that process with a tool like Process Explorer to see what internal service is chowing down on system resources, 9.5 times out of 10 it is the wuauserv service which is Windows Update.

Continue reading

WP-OAuth Is Not Vulnerable to SpoofedMe Social Login Exploit

The SpoofedMe social login exploit is a known weakness of the OAuth2 “spec”. The OAuth2 spec doesn’t define strict implementation standards, so developers have free reign to come up with some pretty wild implementations, or hack together a few libraries until it works. And that’s where the problem lies. There is no standard. Furthermore, social login is something that is normally built on top of OAuth2, and there’s no standard for that either. Some folks are trying to standardize social login with OpenID Connect (I like to think of this as “OAuth2-Strict”), but until then we will be facing issues like SpoofedMe because developers are not gods.

The SpoofedMe exploit is actually similar to this one, from a Google security advisory earlier this year:

“An attacker could forge an OpenID request that doesn’t ask for the user’s email address, and then insert an unsigned email address into the IDPs response. If the attacker relays this response to a website that doesn’t notice that this attribute is unsigned, the website may be tricked into logging the attacker in to any local account.” –Link

Thankfully, I read the spec and decided not to implement this gaping security hole in WP-OAuth to begin with. Properly identifying users to perform the account match was one of the biggest design challenges that I encountered because not only were there numerous docs and specs to work through, there were a lot of existing implementations that did it wrong. I had to start from scratch.

A Major Google Analytics Problem is Brewing with Referer Spam (Semalt, buttons for website, 7makemoneyonline, darodar), and They’re Doing Nothing About It (TM)

I’ve noticed the same problem that others have been experiencing with Google Analytics lately – an influx of botnet referer spam from domains semalt.combuttons-for-website.com, darodar.com and 7makemoneyonline.com (the list continues to grow), making their way to the top of your “Top Referrals” list. This traffic is throwing off analytics and may have long term SERP implications. From the sound of it, most users are either having a difficult time filtering (excluding) the domains and traffic through Google Analytics, and/or resorting to blocking the domains via their .htaccess file.

This is a public service announcement.

DO NOT USE THE
SEMALT OPT-OUT FORM!!!

Instead, offer them a clue about what orifice they can stuff that form in.

While I’m not the best SEO guy around, I’d have to say this looks like a traffic stealing campaign where somehow, they are using an opt-out form to phish/harvest backlinks and/or SERP rankings from your domain, or upsell you on better analytics software.

Furthermore, it seems that users are being scammed by what I would call social engineering agents who work for Semalt and lurk on public forums to point users towards an opt-out form run by them, effectively phishing users through Google Analytics. You might say that Google Analytics has been compromised. And what better way for Semalt to sell their own analytics software than to game their largest competitor’s software and lure users away from it? Semalt is literally using Google Analytics for free clicks and advertising, completely bypassing Google’s own pay-per-click advertising model. Instead of the phishing scam hitting your email inbox, it’s hitting your analytics report.

Some of the referer URLs contain my own Google Analytics ID. For example – forum.topicXXXXXXX.darodar.com – where XXX is your Google Analytics ID. I’d say they are using a script to iterate through all Google Analytics ID’s starting with 0000000, effectively generating traffic and analytics records for every site on the web that uses Google Analytics. But that’s not all, once you visit that referer URL with your Google Analytics ID in it, you’ve just told the spammers that your Google Analytics account is alive and well. It’s probably the same thing Semalt is doing with their opt-out form.

In doing so, these spammers would have the ability to sway traffic one way or another throughout the entire Google Analytics ecosystem without wasting botnet resources on inactive or retired Google Analytics accounts.

Shouldn’t Google be upset about that? This is not just a new type of spam or black hat SEO, it is a new type of marketing warfare or analytics malware. Continue reading

Google Chrome’s New Bookmark Manager Offers Nothing New For Power Users

It’s November, 2014. Bookmarks look a bit different than yesterday.

“Oh boy”, you might say, “the new Bookmark Manager for Chrome has finally arrived!”

Let’s see what has improved since the “old” version. Clicking the Star (Add to Bookmarks) gives us a new popup:

chrome-bookmarks-1

Ok…let’s navigate into Add to folder. Here’s where things start to get prickly…

Continue reading

Dell: Repeat It Using Phonetics

“Dell Notebook” image courtesy of Break.com

Fun encounter with Dell tech support today. I called in with a service tag and the agent simply stated:

“You have to read it to me using phonetics.”

Woah there buddy, I speak English and if you can’t understand me then perhaps you should read back what I just said to clarify? My brain doesn’t enter military speech very easily; I cannot conjure up alpha bravo charlies at your discretion.

After converting what I could to phonetics, he just said the same thing:

“You have to read it to me using phonetics.”

Now looking like a fool myself, I just hung up on the guy. Dude, I just got Dell’t.

Can We Stop AT&T From Acquiring T-Mobile?

Bell SystemBig news the other day, AT&T is about to acquire T-Mobile. Internet rage ensues. It was only a matter of time before someone started a petition, one of which made it to the front page on reddit.com:

Please sign the petition to actively stop AT&T from becoming a huge monopoly and saving our right to choose

Short history debrief: First AT&T was Ma Bell, then the Federal government broke that up into several companies which created fierce competition in the market. Many of those companies grouped together again under the same umbrella, in one legal way or another. Several years later and the Ma Bell antics are in full swing once again; in 2005 it was announced that Cingular Wireless, a joint venture between AT&T and BellSouth, would be sold under the AT&T name. And now AT&T is after T-Mobile.

If history taught us anything, wasn’t it that we can’t allow corporations to monopolize an entire industry?

AT&T

Continue reading

Board Warriors Tell Us How Great It Is To Be Rich

A long time ago, I created this idea called Verbal Reckoning where I would collect the most absurd claims and arguments from the web and comment on them myself in a thorough, very critical, insulting and sarcastic way…like policing internet trolls (a contradiction in itself). But mostly it was for humor’s sake, entertainment for the soul. This project idea faded quickly as I took interest in other things, but there was one relic from this ancient endeavor which I recently found on my FTP server and still hold close to my heart…

Continue reading

What Is The Cloud?

Office SpaceWhat the hell? How did this \\heaven\HP4650 printer get added to my system at login!?

Enter Google Cloud Print.

“By connecting your printer with the Google Cloud you will be able to print to your printer from any computer or smart phone, regardless of where you are. Just activate the Google Cloud Print connector in Google Chrome and your printer will automatically be available to you from Google Cloud Print enabled web and mobile apps.”

The Google Cloud? The Cloud? Cloud Computing? In the Cloud? Google Computing? In the Google!? AAAGGGHHH SHORT CIRCUIT….

Utterly confusing. This is simply the American way, re-branding old $hit for profit. So Google has their own Cloud in the sky. I guess the way they see it, different Cloud-based providers will have their own “Clouds” (read: data centers) where they host and provision software, services and resources on the web.

But how is Google Cloud Print any different than setting up Internet Printing Protocol on your HP Color LaserJet 4650 or Canon iR5000 printer? I’ll tell you the glaring differences:

  • Requires Google Chrome on the computer that will be sharing the printer.
  • Requires Google Cloud Print-enabled apps to print from, such as Gmail, Google Docs, and Chrome OS. There aren’t many alternatives at this point.
  • Works with just about any printer attached to your computer.
  • You now rely on Google as a middle man between your internet device and your printer at home.

Continue reading