McWireless

Ariella and I are at McCafe on El Camino Real in Palo Alto. She’s preparing materials for a lecture she’s giving this week, and I’m writing annual performance reviews for my team. If you buy a coffee drink (I got an Americano for $1.45) you get a free hour of wireless internet access. The 802.11b/g network is provided by WayPort.

According to the Bandwidth Place’s Speed Test, I’m getting 316 kilobits/second. Not bad.

I am pleasantly surprised to report that the coffee is pretty good, too. And their baristas don’t seem to have the same angst that I experience so frequently at Starbucks. And they even bring the coffee directly to your table!

I’m not thrilled about giving my business to McDonald’s (they have a bad track record for being vegetarian-friendly) but I just can’t complain about this place. Their Chipotle Mexican fast food chain is also quite good.

Open HTTP redirectors

There has been much discussion about open e-mail relays, but very little about open HTTP redirectors. An open redirector is a URL on foo.com that will send you on to any bar.com an attacker cares to name, without foo.com intending to vouch for it. This can have interesting effects on PageRank (the link appears to come from foo.com) or can trick users into clicking on something that isn’t what it seems (they see foo.com and trust it).

After many months of abuse by spammers, the rd.yahoo.com redirect server is now closed.

Yahoo! has used a redirect server for a long time for tracking clicks from one Yahoo! website to another.

http://rd.yahoo.com/example/?http://travel.yahoo.com/

Last year, spammers started using rd.yahoo.com in email messages to trick unsuspecting users into thinking that they were clicking on a Yahoo! website. They started sending out emails with links that looked like this:

http://rd.yahoo.com/example/?http://204.92.99.152/

Users saw the yahoo.com domain name and figured it must be some official Yahoo! site, not realizing that the server would redirect to another IP address. So we started blocking those types of URLs (easy to do since we’d never use a dotted-quad for anything legit). So the spammers switched to something a little more clever:

http://finance.yahoo.com:80@204.92.99.152/

The trick here was a misuse of the clear-text “username:password@server” authentication syntax in URLs. Everything before the @ is the username and password (here “finance.yahoo.com” and “80”), and the browser connects to whatever follows it, so the link looked like a yahoo.com URL but in fact went somewhere else. These were particularly insidious, since they didn’t even go through our redirect servers, so there was nothing we could do to block them. Microsoft got rid of the problem for us with an update to Internet Explorer 5 and 6 that simply disabled the feature altogether. Mozilla followed suit by displaying a warning dialog box when this type of URL is used:

You are about to log into the site “204.92.99.152” with the username “finance.yahoo.com,” but the website does not require authentication. This may be an attempt to trick you.

Is “204.92.99.152” the site you want to visit?

So the spammers went back to abusing Yahoo!, but this time with actual hostnames:

http://rd.yahoo.com/example/?http://www.online-casino.com/

This not only tricks email users, but when used on the web can (in theory) also influence PageRank-type algorithms.

We had no choice but to either maintain a whitelist of allowed destinations (lots of server-side state to manage) or implement a digital signature algorithm. We went with the digital signature approach: the signature is computed over the destination URL and carried in the redirect URL itself, so the server can verify a link without storing anything about it. Now you can safely click through to partner sites:

http://rd.yahoo.com/example/SIG=10knc8oqv/?http://www.hp.com/

But if you try to recycle the same signature with a different URL, you’ll get a 403 Forbidden:

http://rd.yahoo.com/example/SIG=10knc8oqv/?http://www.online-casino.com/
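Here is a small redirector that behaves the way the post describes: dotted-quad destinations are refused outright, a destination without a signature or with a signature minted for a different URL gets a 403, and a correctly signed link gets a 302. This is an added example, not Yahoo!’s code; the secret key, the HMAC-SHA256 construction, the 12-character tag and the function names are this example’s own assumptions, since the real key and the format behind “SIG=10knc8oqv” are not public.

```python
import base64
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Hypothetical server-side secret. The real rd.yahoo.com key and the exact
# format behind "SIG=10knc8oqv" in the post are not public; this key and the
# 12-character tag below are this example's own choices.
SECRET_KEY = b"example-key-keep-this-off-the-page"


def sign_target(target: str) -> str:
    """Bind one exact destination URL to our secret.

    An HMAC (a keyed hash) is the stateless alternative to a whitelist: the
    server stores nothing per link, only the key. The post calls the original
    mechanism a digital signature; HMAC-SHA256 here is an assumption about how
    to implement it, not Yahoo!'s actual scheme.
    """
    mac = hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256).digest()
    # 9 bytes -> 12 URL-safe base64 characters, no '=' padding.
    return base64.urlsafe_b64encode(mac[:9]).decode("ascii")


def build_redirect_url(target: str) -> str:
    """What the site's own pages would emit: a signed rd link."""
    return f"http://rd.yahoo.com/example/SIG={sign_target(target)}/?{target}"


def is_dotted_quad(host: str) -> bool:
    """True for a bare IP address literal (v4 or v6)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def handle_redirect(request_url: str) -> tuple[int, str]:
    """Server side of the redirector.

    Returns (HTTP status, Location header or refusal reason). Mirrors the two
    defences in the post: refuse dotted-quad destinations, then require a
    signature that matches this exact destination string.
    """
    parts = urlsplit(request_url)
    # In the post's links the destination is the whole query string.
    target = parts.query
    # The signature travels as a "SIG=..." path segment.
    sig = None
    for segment in parts.path.split("/"):
        if segment.startswith("SIG="):
            sig = segment[len("SIG="):]
    if not target:
        return 400, "no destination given"
    dest = urlsplit(target)
    if dest.scheme not in ("http", "https") or not dest.hostname:
        return 400, "destination is not an http(s) URL"
    if is_dotted_quad(dest.hostname):
        return 403, "dotted-quad destination refused"
    expected = sign_target(target).encode("ascii")
    if sig is None or not hmac.compare_digest(sig.encode("utf-8"), expected):
        return 403, "missing or mismatched signature"
    return 302, target


if __name__ == "__main__":
    good = build_redirect_url("http://www.hp.com/")
    print(good, "->", handle_redirect(good))
    # Recycle the hp.com signature on a different destination: 403.
    sig = sign_target("http://www.hp.com/")
    recycled = f"http://rd.yahoo.com/example/SIG={sig}/?http://www.online-casino.com/"
    print(recycled, "->", handle_redirect(recycled))
    print(handle_redirect("http://rd.yahoo.com/example/?http://204.92.99.152/"))
```

Because the tag covers the destination byte for byte, even a changed trailing slash invalidates it, and the username:password@host trick fails the dotted-quad check before the signature is ever consulted, since the parser reports the IP after the @ as the host.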

Finally, rd.yahoo.com does what it’s supposed to do and nothing else. Frustrated spammers out there have probably already started to abuse someone else.

http://www.google.com/url?q=http://204.92.99.152/

http://www.google.com/url?q=http://www.online-casino.com/

:-)

What Will Happen When We’re Always Connected?

Brown University VP of Research Andy van Dam will be moderating a talk on Monday, April 26, 2004 at 6pm entitled “What Will Happen When We’re Always Connected?” The forum will be held at Macromedia Inc. in San Francisco, but there’s also going to be a web simulcast.

Many people know Andy as co-author of the classic CG textbook Computer Graphics: Principles and Practice. I know him as the charismatic Computer Science professor who convinced me a decade ago that med school wasn’t the right path for me.

PayPal fraud, part two

I mentioned last week that I received a strange payment via PayPal that appeared to be fraudulent. I rejected the payment, and then the buyer decided to send me $1.20 instead of $0.20. I accepted that payment just to see what would happen.

Sure enough, it was fraud. I got email from PayPal today confirming my suspicion.

Dear Michael Radwin,

It has come to our attention that you may be the recipient of potentially fraudulent funds. We have initiated an investigation into this event. In the meantime, we have placed a pending reversal on the funds in question until the investigation is complete. This pending reversal will show as a deduction in your available balance. In the meantime, you are free to continue transacting using your PayPal account.

Transaction Date: Mar. 8, 2004 21:03:59 PST

Transaction Amount: $1.20 USD

In the past couple of weeks I’ve received several of these transactions (more recently they seem to be sending $1.00 instead of $0.20), and many have the distinguishing feature that the sender’s name is spelled out in CAPITAL LETTERS only.

KENT CORZINE

SHAWN STINGEL

MIHAIL NEHOROSHEV

DONALD BIGGS

Moreover, all of them have @yahoo.com email addresses. If you’re going to try to commit fraud, you’ve gotta do a better job of looking like a legit user.

$0.20 PayPal fraud?

Recently I’ve been receiving a number of $0.20 PayPal donations via the Jewish calendar website that I maintain. I think this has got to be part of some sort of fraud.

Since PayPal charges up to $0.30 in fees, these donations don’t make me any money. Luckily, I’m not losing 10 cents apiece (PayPal is generous enough to charge only a 20 cent fee on these transactions), but it’s essentially a waste of my time if the donation is less than $1. I’ve been processing refunds manually, but I’m wondering if I need to go through the effort to set up IPN and automatically reject them.

Would you believe an ID phishing scam like this?

I just got an identity theft lure via e-mail today:

Dear_ Citibank Cardholders,

This EMAIL was se-nt by-the Citibank server to

veerify your_ _EMAIL address_.

You must cptleome this pcseors by clicking on_the_link

beloww and enntering in the litlle window_ your CITI_bank

Atm_ card number and _PIN that _you use on_the Atm machine.

That is done for-your poterction -w- becouse some_of our

memebrs no lgoenr have acecss to their email adesedsrs

and we must verify it.

http://www.citicards.com:%7a%78%74%5a%4c%5a@%61%67%71%71%71945%64%2e%64%61%2e%52%75/%3f0%43%4c%41%4c%56

To veerify your _e-mail_ addres and accees your CITI_bank

account, click on_the link _bellow_.

tuyzlpqUo

Of course it looks completely fake (what bank would send out official email like this with so many misspellings?) yet American consumers lost $5 billion last year to ID theft [Public Enemy No. 1: Identity Theft, Wired 12.02, pp. 44-45].

There may be some good news. The latest IE 6 patch released by Microsoft this week disables the http(s)://username:password@server/resource.ext syntax in URLs. They shoulda done that years ago.
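The Citibank lure above and the finance.yahoo.com:80@204.92.99.152 link in the open redirectors post rely on the same parsing rule: the userinfo ends at the last @ in the authority, so the part a victim reads as the site name is really a username and password. As an added example (not code from either post), here is how a parser following that rule splits both URLs; Python’s urllib.parse stands in for the browser’s URL parser, and the function names and the hostname-lookalike heuristic are this example’s own. The decoded destination is simply what the lure’s percent-encoding spells out; nothing is claimed about what was hosted there.

```python
import re
from urllib.parse import unquote, urlsplit

# Both URLs below are copied from the posts on this page, not constructed.
YAHOO_DECOY = "http://finance.yahoo.com:80@204.92.99.152/"
CITI_LURE = ("http://www.citicards.com:%7a%78%74%5a%4c%5a"
             "@%61%67%71%71%71945%64%2e%64%61%2e%52%75/%3f0%43%4c%41%4c%56")


def decoy_analysis(url: str) -> dict:
    """Split a URL the way a browser does and report where it really goes.

    RFC 3986 ends the userinfo at the last '@' in the authority, so everything
    a reader takes for the site name ("finance.yahoo.com:80",
    "www.citicards.com:zxtZLZ") is really username:password, and the host is
    whatever follows the '@'. urllib.parse applies that rule for us.
    """
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    # %61%67... is a legal spelling of a hostname; decode it so it is readable.
    real_host = unquote(raw_host).lower()
    return {
        "real_host": real_host,
        "username": unquote(parts.username) if parts.username is not None else None,
        "password": unquote(parts.password) if parts.password is not None else None,
        "path": unquote(parts.path),
        "host_is_ip": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host) is not None,
        "host_is_percent_encoded": "%" in raw_host,
    }


# Heuristic of this example's own: a username shaped like a DNS name.
HOSTNAME_LIKE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_decoy_url(url: str) -> bool:
    """Flag the pattern from both posts: userinfo whose username looks like a
    hostname, i.e. the site the victim believes they are visiting."""
    parts = urlsplit(url)
    if parts.username is None:
        return False
    return HOSTNAME_LIKE.fullmatch(unquote(parts.username)) is not None


if __name__ == "__main__":
    for url in (YAHOO_DECOY, CITI_LURE):
        report = decoy_analysis(url)
        print(url)
        print("  reads as:      ", report["username"])
        print("  really goes to:", report["real_host"], "path", report["path"])
        print("  decoy?         ", is_decoy_url(url))
```

Note that in the Yahoo! case the “:80” is parsed as the password, not a port, since the first colon inside the userinfo separates username from password; the real host has no port at all. Disabling the syntax in the browser, as the IE patch did, removes the whole class rather than relying on a heuristic like the one above.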