
I am currently a software engineer at Google, where as a member of the Android platform team I build frameworks and user interfaces.


Archive for September, 2007

Banned from Reddit.

September 29th, 2007

I noticed this afternoon that I’ve been silently banned from my favorite shiny-things-on-the-intertubes website, reddit.

Last night I came across something that I thought the programming.reddit.com crowd would enjoy: The Future of Vim on the Mac, a survey of the fractured state of the Mac OS X Vim port. There are lots of OS X geeks and vim geeks on Reddit, so it seemed a natural thing to post. +1 Informative.

This morning I went to check programming.reddit (to see if my article had spurred any discussion), and didn’t see it in the first couple of pages of “hot” stories. Not so hot a topic, I guess. I went to my list of links and comments to see what the score was: zero. OK, nobody cares.

On a whim I decided to dig through the list of all programming articles by date to see what other stuff came up around the same time. After all, if my story lost the popularity contest, it lost to something else, right?

It’s not there.

I skimmed back about 10 pages before satisfying myself that it was simply nowhere to be found. So I deleted the link from Reddit and re-posted it. About an hour later, its score is still at 0 (didn’t these things originally start at +1?) and it’s still not anywhere on the site. Not hot, not new, “rising” or “all.” Zilch.

As you can see, I posted a handful of other links (submitted both to programming and reddit proper) to see if I could get anything to show. The answer, friends, is no.

Any other members of the reddit silent minority out there? No? Just me?

amazonmp3, and its debt to Apple

September 26th, 2007
Quoting Daring Fireball, “More on the Amazon MP3 Store”:

In fact, the tragedy is that Amazon could have built this store 10 years ago — the music labels simply wouldn’t allow it. What’s happened now is that the music label executives — at least at Universal and EMI — have finally gotten it through their thick skulls that it’s the iPod that drives iTunes sales, not the other way around. Apple’s FairPlay DRM isn’t (at least primarily) some sort of lock-in scheme to force people to buy iPods; FairPlay was a requirement stipulated by the labels, without which they would not have allowed Apple to sell their music at all.

By the way, if you install the amazonmp3 downloader, you get a free Apples in Stereo song to (a) test that the downloader works correctly, and (b) force you to walk through the process of buying an amazonmp3 track for the first time. Objective (b) is enormously effective in lowering any residual cognitive barriers to buying tracks over the Web (as opposed to the iTMS). Minor gripe with the process: Even though the track is free, Amazon will demand that you supply a credit card and billing address (presumably this is because the amazonmp3 store is US-only at the moment, as enforced by those bits of info).

Mister Adelman’s World-Famous
“Basket-Ball” Instruction for Ladies
(and Other Dainty Types)

September 25th, 2007

Over on erinmak: Between the Rockets and a hard place.

Officially, I’m offended by this. I like how Adelman’s going to “try” to get some basketball knowledge into our pretty little heads. […] As a fan, it’s hard to pass up.

Dostoyevsky Comics #1

September 18th, 2007

Time for another forgotten classic from the vast Again With the Comics archives. Here we present Dostoyevsky Comics, originally printed in Drawn and Quarterly #3 (2000), and currently out-of-print, as far as I know. Crime and Punishment, originally written by Fyodor Dostoyevsky, was brilliantly adapted here by R. Sikoryak, as seen through a Dick Sprang Batman filter. This marriage of Classic Russian Literature and the Caped Crusader of Gotham also serves as further proof, if any were needed, that everything is better with Batman.

Shai’hulud in Midtown

September 17th, 2007

“The first thing you have to do when remediating a gas station,” the daughter of an environmental lawyer said to me, “is take out the underground gas tanks.”

I think it looks like a hatch out of “Lost.” Or a breaching sandworm.

[taken at the defunct Conoco, San Jacinto at Alabama]

Scene from a hospital room.

September 11th, 2007

(With apologies to the Fireball.)

SCENE: A hospital room.

THE CD SINGLE, quinquagenarian and pale, sits on a bed, attached to a bewildering array of chattering and beeping monitors: pulse, temperature, accounts receivable. The old boy may be barely breathing. He appears to be watching VH1.

A MUSIC EXECUTIVE knocks tentatively at the not-quite-closed door, and enters, followed closely by a rambunctious CHILD, who is thumbing madly away at a small cellphone.

EXECUTIVE:
Heyyyy. How ya doin’, pal. They feedin’ you OK?

SINGLE:
[Switching off “I Love the 80s” as he rolls slowly to face the newcomers.] Hi. No, not really. Actually, they—

EXECUTIVE:
Great, great, glad to hear it. Listen, I brought someone who I really think can cheer you up.

SINGLE:
Oh? [Coughing slightly, he sits up.] Is it…is it the pee-to-pee people? [Indicating the flowers across the room.] It’s so nice when they come by, they make me feel—

EXECUTIVE:
[Explosively.]
What? NO! You KNOW how I feel—uh, ahem. What I mean to say is, I’ve brought someone who can cheer both of us up.

SINGLE:
Uh, OK…

EXECUTIVE:
It’s my friend here, Ringtone!

The EXECUTIVE grabs the CHILD a little too roughly by the shoulder and thrusts him toward the bed. RINGTONE nearly looks up.

RINGTONE:
’Sup.

SINGLE:
[Eyeing RINGTONE quizzically, then softening.]
Hi there, little guy. What’s your name?

RINGTONE:
Ring.

EXECUTIVE:
[Eagerly.]
Eh, Single, whaddya think? He looks just like you!

SINGLE:
Except shorter.

EXECUTIVE:
Yeah, great! You guys are gonna get along perfectly. From now on, you’ll be hanging out together, everywhere you go: malls, big-box stores, Starb—

RINGTONE:
[Screwing up his face, eyes still locked on his text message.]
Lame.

SINGLE:
I don’t really see the point.

EXECUTIVE:
[Darkening.]
What? Why not? What’s not to get? He’s hot right now. He’ll prop you right up. You can be cool again.

SINGLE:
He’s not hot, he’s convenient. People can just, you know, tap-tap-tap with their thumbs or whatever, and they’ve got him. You put him in a box with me, now people have to, what, download us to their phones or something?

EXECUTIVE:
Sure. It’s easy. You hook up your data cable to the blue teeth on your dongle and it’s all, click, click, sync. Presto. It’s so easy even iTunes can do it. [He shudders slightly at the mention.]

SINGLE:
I don’t think it’s quite that sim—

EXECUTIVE:
Look. I honestly don’t care what you think. Nobody cares what you think. You are dying. DY–ING. Nobody wants you, nobody cares.

SINGLE:
But the pee-to—

EXECUTIVE:
Those—those “people”—are morons. Morons and thieves. And we tried to cut their thieving hands off, but then everybody got all upset, “boo hoo rootkits,” blah blah BLAH. I still don’t really understand what happened there. But we’ve got to try something else, and I’m thinking, if they won’t pay money for you, they’ll pay money for him, and I can start moving some friggin’ product again.

SINGLE:
Won’t they just be able to get him for free too?

RINGTONE:
[Looking up suddenly.]
Free?

EXECUTIVE:
Oh, hell.

SINGLE:
That’s right, kid. They’re out there, people who really love you, not just because you’re easy, but because they like your sound. And they’ll share you with their friends.

EXECUTIVE:
I AM NOT HEARING THIS!

RINGTONE:
Sweet.

Turning on the spot, RINGTONE exits briskly. Several beats, filled only with the silent sneer of the EXECUTIVE, pass.

EXECUTIVE:
You are a damned fool.

SINGLE:
Yeah, OK. [He turns the TV back on.]

Validator foiled!

September 8th, 2007

A couple of years ago I worked on a TrackBack Validator which identified and rejected TrackBacks posted on your blog from sites that didn’t actually link to your blog.

Trackback spam. (Figure taken from TR-06-876.)

In our 2006 tech report on the subject (co-authored by my advisor and a number of undergrads in his computer security class), we speculated that—given sufficiently widespread use of inbound-link validation—spammers would be forced to either (a) close up shop, moving on to some other exploitable technology, or (b) start actually linking to their victims. To wit:

(Quoted from http://seclab.cs.rice.edu/proj/trackback/papers/taking-trackback-back.pdf.)

Spammers who wish to overcome our mechanism are forced to indefinitely maintain reciprocal links from their own web sites, effectively increasing their necessary investment of time and resources. Furthermore, the spammer’s site, by linking to its victims, will actually benefit the victims’ search engine rankings by sharing part of the spammer’s ranking with each of its victims. Best of all, if the spammer is effectively publishing a list of its victims, that list would provide compelling evidence that could be used against the spammer in legal proceedings.

In the limit, we are effectively pushing spammers to run “legitimate” weblogs. If spammers’ weblogs are following the TrackBack protocol correctly and are legitimately providing reciprocal links, then we face a more fundamental question: is such a TrackBack message actually spam? If a “real” blog is linking to the victim, regardless of any spam-like content it might contain, then the TrackBack the victim receives could well be defined as “legitimate.” At that point, the issue is not one of spam vs. non-spam, but rather one of relevance.

Well, we were right and not right. I just received some TrackBack spam (probably not coincidentally, on a blog post about trackback spam) that fooled the Validator and yet can’t really be considered to be legitimate.

A tricky TrackBack.

The inbound link is included, but hidden from the user with CSS tricks! Here’s an excerpt of the source of the page:

  <style type="text/css" media="screen">
    .trackback { position:absolute; top:0px; left:0px; visibility:hidden; }
  </style>
  <div>
    <div class="trackback">
    [...]
      <p>
        [...] far out site now comment this synopsis
        <a href='http://dsandler.org/wp/archives/2005/11/14/trackback-spammers-upping-the-ante'>http://dsandler.org/wp/archives/2005/11/14/trackback-spammers-upping-the-ante</a>
        and give comments [...]
      </p>

As you can see, all the inbound links are surrounded with irrelevant content, but what’s more, they’re children of the <div class="trackback"> and hence invisible to readers. In our paper we point to readers as one of two “last resorts” to help weed out irrelevant but otherwise Validated TrackBacks; obviously they won’t be able to help here. (The other technique, which would still work in this case, is the same sort of statistical classification currently used for email; see §5 of the TR for details.)

In the end, this “break” of the Validator may not yield much for this spammer aside from the satisfaction of successfully defacing my blog. Google has been known to apply a PageRank penalty to websites with large regions of hidden text, so the currency gained by inbound links may very well be more than offset. What’s more, like most modern blogs and CMSes, dsandler.org applies rel="nofollow" to any links found in comments or TrackBacks, so the spammer gets zero Google-juice in this situation.

But since spam is so cheap, the spammer probably doesn’t care. That’s why the Validator was so important: it proved remarkably effective at reducing the “collateral damage” of spam, namely, blog defacement. In order to continue to be effective against this sort of attack, it would probably need to include some sort of CSS/DOM interpreter.

(Yuck.)
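A small defender-side check in the spirit of that last paragraph, written here as an added example (it is not the original TrackBack Validator plugin's code): it parses the claimed source page, finds links to the victim URL, and reports whether every such link sits under an element hidden by inline CSS or by a single-class rule like the .trackback one above. The class and function names are my own; the sample pages are constructed from the excerpt.

```python
import re
from html.parser import HTMLParser
# Hypothetical check (not the original plugin's code): flag target links hidden by CSS.
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
RULE_RE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
VOID = {"br", "img", "hr", "meta", "link", "input"}   # elements with no end tag

class LinkVisibilityParser(HTMLParser):
    """Collect (href, hidden) pairs for every anchor, tracking hidden ancestors."""
    def __init__(self):
        super().__init__()
        self.stack, self.hidden_classes, self.in_style, self.links = [], set(), False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = self.stack[-1] if self.stack else False          # inherit from parent
        classes = set((a.get("class") or "").split())
        if HIDDEN_RE.search(a.get("style") or "") or self.hidden_classes & classes:
            hidden = True
        self.in_style = self.in_style or tag == "style"
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], hidden))
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.in_style:            # learn which classes the stylesheet hides
            for cls, body in RULE_RE.findall(data):
                if HIDDEN_RE.search(body):
                    self.hidden_classes.add(cls)

def classify_trackback(source_html, target_url):
    """'reject': no link to target; 'hidden': links exist but none visible; else 'accept'."""
    p = LinkVisibilityParser()
    p.feed(source_html)
    p.close()                    # flush any buffered trailing text
    want = target_url.rstrip("/")
    found = [hid for href, hid in p.links if href.rstrip("/") == want]
    if not found:
        return "reject"
    return "hidden" if all(found) else "accept"

# Constructed sample modelled on the excerpt above (not the real spam page).
TARGET = "http://dsandler.org/wp/archives/2005/11/14/trackback-spammers-upping-the-ante"
SPAM_PAGE = ('<style type="text/css">.trackback { visibility:hidden; }</style><div>'
             '<div class="trackback"><p>far out site <a href="%s">%s</a></p></div></div>' % (TARGET, TARGET))
LEGIT_PAGE = '<p>Interesting post on trackback spam: <a href="%s">read it</a>.</p>' % TARGET
```

It only understands inline styles and single-class rules, so it catches this particular trick and nothing fancier; anything beyond that is the CSS/DOM interpreter the post says a real fix would take.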

For more on all these icky edge-cases in TrackBack (and other forms of Web) spam, read the report. (It’s just a six-pager.)
