Michael J. Radwin

Tales of a software engineer who keeps kosher and hates the web.

Currently Viewing Posts in The Web Sucks

How to consume RSS safely

Excellent reading for web engineers: How to consume RSS safely.

Mark lists 10 HTML elements that must be stripped to safely display HTML from an RSS feed. He mentions stripping style attributes from RSS, but fails to mention an even more imporant set of attributes: the JavaScript event attributes.

Sure, you’ll want to leave <img> tags in the RSS feed, but what about those nasty onmouseover="..." attributes?

Economic cost of the support@microsoft.com virus

Those wacky virus people have done it again. The big@boss.com virus (W32.Sobig.A@mm) has mutated into the support@microsoft.com virus (W32.Sobig.B@mm).

Ariella and I were chatting about this over lunch. She suggested that if the government simply bought the rights to distribute Norton Antivirus and legislated that it be installed on all computers, we could do the economy some good. Congress would probably be a little reluctant to write a check for $8 billion (back-of-the envelope calculation: ~200 million Windows PCs times $40 a copy), but it would probably pay off over the long term. The Slammer virus alone apparently cost $1.2 billion in lost productivity. And that was just in the first 5 days alone!

Think about it. The US Postal Service checks our snail mail for Anthrax. Why shouldn’t the government check our e-mail for viruses?

In the meantime, perhaps we should invest in some SYMC.

Mikel Maron: Reactive Links

A superb idea today from Yahoo! alumnus Mikel Maron:

Reactive Links. Anytime someone click-thrus on these redirect links, the service records that action… more active links could be big and red and quiet links could small and blue, or whatever you like. These links change their character depending on their usage. [Brain Off]

It reminds me of a little bit of internal visualization our data mining group did where a modified version of the Yahoo! homepage showed a click-percentage count next to each hyperlink on the page. You could pretty easily see that people were always interested in clicking on certain elements on the page (such as the word “Free”) and that you could also induce users to try different Yahoo! services by occasionally highlighting one of them (by displaying them in bold or with a background color).

Changing the size of the links is another interesting visualization technique, but it can throw off the page layout so much that it becomes distracting and less helpful.

Hebrew Computing on Mac OS X

mac-osx-1.gif We’re thinking about buying a Mac.

One of the things that has been holding us up is lack of support for Hebrew software. Until Mac OS X 10.2 was released, the operating system didn’t even offer native support for Hebrew. However, we’re still waiting for some important applications (such as NisusWriter) to come out with OS X native releases.

Last week I saw an email to the hebrewcomputing Y! group which listed off a list of some good Hebrew software for “real Hebrew computing” on Mac OS X.

  • Mellel for word processing (full Hebrew support)
  • OS X Mail app for Hebrew email
  • Safari and Camino for Hebrew web browsing
  • iChat and icy juice for instant messaging in Hebrew
  • iCal for calendar with Hebrew support
  • OS X address book with it’s built in Hebrew support
  • Keynote with the Hebrew template and direction services for Hebrew presentations

Now all we need are OS X editions of the Gemara and Tanach.

Investment advice

I’ve gotten about 5 or 6 copies of this spam message today:

Date: Mon, 5 May 2003 20:28:48 -0700

From: Administrator <Admin@CorporateKiller.com>

To: <admin@r...>

Subject: Corporate Killer COOL


you must invest money in http://www.corporatekiller.com/

This good!!!

Very good!

Admin of


After such a persuasive argument, I’d be intersted in making an investment. Corporate Killer, I’ve got my checkbook ready!

Another tech industry recovery indicator?

I wrote back in March about the fact that Yahoo! is hiring and wondered aloud if that means that the tech economy is starting to recover.

I just got an email from a headhunter looking to hire a Senior Software Engineer in Menlo Park, CA.

We are seeking an experienced software engineer to build web based applications and backend services. The ideal candidate combines expertise in object oriented software development using C++ and Perl along with a strong background in web based technologies like XML, XSLT, etc.

Hey, if headhunters are starting to make cold-calls (or cold-emails), I guess this is a good sign…

I almost fell victim to an identity-stealing scam

I got this email today, and I almost believed it. It’s a typical http://user:password@hostname/ trick. In this case, the user is tricked into thinking that http://www.paypal.com:secure-verifyaccount968ktz642@p9.da.ru/ is a PayPal URL when in fact it’s actually a website served up by http://p9.da.ru/

Here’s the full source of the email message:

Return-Path: <anonymous@m1.netfirms.com>

Received: from m1.netfirms.com (m1.netfirms.com [])

by netspace.org (8.11.6/8.11.6) with SMTP id h410rTR11497

for <webmaster@hebcal.com>; Wed, 30 Apr 2003 20:53:29 -0400

Received: (qmail 48211 invoked from network); 1 May 2003 00:53:51 -0000

Received: from unknown (@

by m1.netfirms.com with QMQP; 1 May 2003 00:53:51 -0000

Date: 1 May 2003 00:53:51 -0000

Message-ID: <20030501005351.31268.qmail@cgi1>

To: "" <webmaster@hebcal.com>

From: "PayPal Staff" <staff@paypal.com>

Subject: PayPal System Update *Urgent Please Read*

Content-type: text/html

X-Spam-Status: No, hits=3.7 required=5.0




X-Spam-Level: ***

<P>Dear PayPal User,</P>

<P>Today we had some trouble with one of our computer systems. While

the trouble appears to be minor, we are not taking any chances. We decided to

take the troubled system offline and replace it with a new system. Unfortunately

this caused us to lose some member data. Please follow the link below and log

into your account to make sure your information is not affected. Account

balances have not been affected.</P>

<P>Because of the inconvenience this causes we are giving all users that

repair their missing data their next two incoming transfers for free! You will pay

no fees for your next two incoming transfers*. </P>





Thank you for using PayPal!</P>

<P><BR>* - If fees would normally apply, you will not pay anything

for the next two incoming transfers you receive. </P>

<P>PayPal Security</P>

<P>PROTECT YOUR PASSWORD<BR>NEVER give your password to

anyone and ONLY log in at PayPal's website. If anyone asks for your

password, please follow the Security Tips instructions on the PayPal


I don’t know who has the power to do this, but p9.da.ru should be shut down ASAP.

In the meantime, I’m going to crank up the score for HTTP_USERNAME_USED in my SpamAssassin user_prefs file.

Hebcal by Voice is going away

Got this email from Tellme today:

Date: Thu,  3 Apr 2003 01:10:11 -0800 (PST)

From: Tellme Studio <developer@tellme.com>

To: michael@...

Subject: Tellme Studio program change

VoiceXML Developer,

Tellme has made many investments in VoiceXML over the past four years.

One of these investments was in the Extensions program, with the goal

of making VoiceXML a more utilized public standard. Now with VoiceXML

well on its way to standardization in the W3C and with hundreds of

thousands of VoiceXML applications in production,  it is clear that

investment has paid off. It is time for us to retire the Extensions

program and invest in other areas. As of Wednesday, April 9th we will

no longer host Extensions on 1-800-555-TELL or

http://studio.tellme.com. Developers can continue to build VoiceXML

applications on Tellme Studio.

Thank you for your individual contribution in making VoiceXML the most

widely-used and successful voice standard in the world.

The Tellme Development Team

Damn, that sucks.