dsandler.org/wp

Just received this on the CS graduate students mailing list:

> **Subject:** [cs-grad-l] FW: Found iPod
>
> I found an iPod in Duncan hall on the third floor. […]
> If you can identify the color and make of the iPod, I will get it
back to you.

This is the standard proof-of-knowledge test applied in lost-and-found situations: Can you describe the appearance of the item in a way that uniquely identifies you as its owner?

In the case of an iPod, this sort of works: there are many different models spread out over several generations (multiplied again by a variety of colors). But what if the lost object had been, say, an iPhone? There are just a few of those, and a betting man (or woman) would guess “iPhone 3G, black??? and have just under a 50% shot at it.[^3G]

[^3G]: I mean, who’s got an original iPhone still? *Seriously.*

OK, you could drop it off with AT&T (or O2 or Rogers or whatever) and allow them to find the proper owner via SIM, IMEI, and so forth. But an iPod touch lacks these identifying features, as do many other portable (and lose-able) gadgets.

I argue that there’s still an effective way to identify the original owner, even in situations where the exact specifications of the device are easily guessed by anyone. It’s afforded by the increasing _personalization_ of these gadgets: They may all look alike on the outside, but on the _inside_ they’re totally different.

So, if I were to come across a lost iPod, I would instead issue this challenge:

**“If you can identify 5 albums, podcasts, or games on this iPod, it’s yours.???**

I’m no expert on sneaking things through airport security, but apparently I’ve been endangering passengers for a couple of trips now with my dangerous prohibited items.

TSA agent: Sir, is this your bag?

Me: Yes…?

TSA agent: What do you plan to do with your Swiss Army knife?

Me: [immediately flushed] Uh…leave it here, I guess.

Indeed, my tiny pocket knife (a gift from Jeremy—well, he was throwing it away and I salvaged it it—visible at left in this photo), was in my bag, and the TSA agent had spotted its tiny profile on his screen.
It had been living in the bottom of my pencil/pen case for quite some time; it tucks away there perfectly—being smaller than most multitools—and I can’t count the number of times it’s come in handy for:

• Gently prying apart seams on electronics (using the large blade)
• Extracting stubborn jumpers (w/ tweezers)
• Clipping/cutting clothing tags, zip-ties, twist-ties, etc (scissors)
• Assorted screw-driving
• Other tasks that require both urgency and a small blade: breaking down boxes, opening envelopes, dispatching errant threads

(Apparently, Victorinox could just leave off the nail file.)

I really had forgotten that I’ve been carrying it there—in fact, I hadn’t been able to find it in the last few weeks, so I wasn’t entirely sure where it was. (This prompts me to consider a new use for the TSA screening process: locating lost items. “Uh, mister X-ray technician, can you tell me if my flash drive is in there somewhere????)

Conclusions:

1. BWI TSA agents are careful and thorough.
2. IAH, not so much.
3. This corroborates the findings of the Atlantic article: preventing contraband from entering an airplane is, at best, probabilistic, like any kind of random audit.
4. I am not a terrorist—and what’s more, I didn’t even realize I had the knife with me—so I can guarantee that the plane was no safer without my particular contraband than with it.
5. If, on the other hand, your goal is to confiscate knives, then that’s pretty much the best way to go about it.
6. I guess I’m in the market for a new pocket knife.

[This information originally appeared here, where I also included an inert copy of the attack code.]

Fig. 1. A common sequence of tweets this morning.

Quick explanation of today’s “Don’t Click??? attack

This viral Twitter prank uses a pretty standard
trick to get you to post something to Twitter, using no JavaScript and only a very little bit of CSS. It requires only that you’re first logged in to twitter.com
(and that your browser’s fonts are pretty close to
standard so that things line up correctly).

Fig. 2. The “Don’t Click” page.

The attack page creates a button labeled “Don’t Click” that does nothing at
all, but it also loads twitter.com in an
<IFRAME> directly on top of the button. That
IFRAME is then made completely transparent using CSS.

Fig. 3. The hidden IFRAME, exposed.

When you click the button, you’re actually clicking on the (now invisible) ‘Update’
button on Twitter’s web interface instead; assuming you’re logged in
to Twitter, you’ll immediately post whatever’s in the form input box.
Thanks to Twitter’s ?status= URL feature (that allows Twitter
to be pre-loaded with a message), it’s very easy for the attacker to
drop the following message in:

Don’t Click: http://tinyurl.com/amgzs6

That TinyURL expands to http://www.umoor.eu/blog/yes-we-can.php, the
attack page; in this way your followers are also enticed to propagate
the “attack” (which has proven
quite successful).

No accounts were compromised by this prank; you
don’t need to change your Twitter password.
For more information, check out the source to this page, which
includes the attack (but makes the Twitter IFRAME partially visible so
you can see it; it also puts another <DIV> on top
of it to protect you from accidentally clicking the “Submit” button).

See also: an explanation (en Français) by the author of this attack, originally launched in January 2009. (There is some speculation that the code was taken directly from James Padolsey’s proof-of-concept, owing to the similarity of the code.)

As of 1:40PM EST, twitter.com is using some
JavaScript to try to detect when it’s being loaded in an
IFRAME:

if (window.top !== window.self) {
    window.top.location.href
= window.self.location.href; }

If you try to load Twitter in an IFRAME you’ll find the
browser
redirected to Twitter automatically (in this case, you’ll
never have an opportunity to click on “Don’t Click”).
I’ve therefore removed the attack from this page, but you can still see
it if you view source.