New Phishing Attack and How To Read The Domain In A URL

Aza Raskin from Mozilla Labs has come up with a new type of phishing attack based on tab browsing. When the user clicks away from an innocent-looking page on the phishing site to a different tab, the malicious code waits a few seconds and then changes the page to a phishing page – his example is a googlemail login screen.

It’s worth noting here that it’s always worth checking the URL in the browser. Before clicking a link it’s worth checking the actual URL of the link. It’s very easy to make a link look like it goes one place but send you somewhere else (for example: http://www.youtube.com/). In my browser (Firefox) the URL is previewed in the status bar at the bottom.

So which bit is the domain? It should be after “http://” and before the next “/”. If the URL looks messy or uses a numeric IP address instead of a text domain name then you might want to not trust it.

Here are some examples of evil code and I’ll explain how to read a domain from a URL. Suppose we bank with mybank.com:

http://www.mybank.evilcode.com/

http://www.mybank.com@evilcode.com/

http://www.my.bank.com/

http://www.my-bank.com/

What’s wrong with these?
First of all, it’s best to read a URL from right to left and break up the domain at the dots. The most important stuff is on the right.
So, in the first example we have the “.com” top-level domain, next we have “evilcode.com”, then we have “mybank.evilcode.com” – that’s a sub-domain of “evilcode.com”.
In the second example, again reading from right to left you’ll realise that it’s an evil site. The part of the URL before the “@” will be passed as a username to the site. Most modern browsers have protection against this (you are using a secure modern browser aren’t you, ps Internet Explorer=fail).
Numbers three and four are simply misspelt but are totally different domains and so not to be trusted.
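
The right-to-left reading described above can be automated. This is an added example, not part of the original post: the names `TRUSTED`, `real_host` and `check_link` are made up for illustration, and the last two sample links (the genuine site and a numeric IP address) are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

TRUSTED = "mybank.com"  # assumed: the bank's domain from the post's examples

# Constructed sample links: the post's four examples, the genuine site, and a numeric IP.
SAMPLES = [
    "http://www.mybank.evilcode.com/",
    "http://www.mybank.com@evilcode.com/",
    "http://www.my.bank.com/",
    "http://www.my-bank.com/",
    "http://www.mybank.com/",
    "http://192.0.2.10/login",
]

def real_host(url):
    """Host the browser connects to: after any 'user@' and before the port or path."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def check_link(url, trusted=TRUSTED):
    """Return a list of warnings; an empty list means the host is `trusted` or a sub-domain of it."""
    warnings = []
    host = real_host(url)
    if urlsplit(url).username is not None:
        warnings.append("text before '@' is a username, not the site")
    try:
        ipaddress.ip_address(host)
        warnings.append("numeric IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, so it is a text domain name
    # Read right to left: split at the dots and compare labels from the right-hand end.
    host_labels = host.split(".")[::-1]
    trusted_labels = trusted.lower().split(".")[::-1]
    if host_labels[:len(trusted_labels)] != trusted_labels:
        warnings.append(f"host {host!r} is not {trusted} or a sub-domain of it")
    return warnings

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", real_host(link), check_link(link) or "OK")
```

Only the genuine http://www.mybank.com/ comes back with no warnings; the “@” link is flagged twice, once for the username trick and once because its real host is evilcode.com.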

Categories: Internet

Go Volvo!

Blimey, I cycle everywhere. I really don’t want to share the roads with people who have automated braking systems. Even if they did work:

Categories: Funny

New version of Ubuntu out tomorrow!!!

April 28, 2010

I had a crisis of confidence in Windows recently after reading about people having their stored passwords stolen after their computer had been compromised. Since I’m responsible for a few other people’s websites I just can’t take any risks like that. On top of that I had a problem with my mobile broadband connection and decided to test in Linux in case there was a driver problem in Windows and since it’s easier to work out what’s going on in Linux since it has a great command line interface where you can really find out what’s going on.

So I downloaded the Ubuntu 10.4 Beta (eventually, using Azureus to download from a torrent since my connection died repeatedly) in the hope it had decent support for mobile broadband (it did).

You can run Ubuntu without installing, so I did. It recognised my USB mobile broadband device and I was up on the web in no time (unfortunately the connection kept dropping – it turned out that the local mobile phone mast was dodgy). I’ve used previous versions of Ubuntu (8.4 to 9.10) but this is a massive improvement. It’s just so nice and friendly. I loved it so much that I hit the install.

And there I was, browsing the web and writing emails and I realised that this is how operating systems should be – they should let us get on with our life. Let me make it clear in case you missed it – I was installing a new OS and was happily writing an email at the same time (this is equivalent to upgrading from Windows XP->Windows 7 and still being able to use your PC)

Since I installed I’ve done several updates of the OS and applications (oh yeah, one single button click to update all the applications installed and the OS! No more stupid application update programs eating all your bandwidth/processor when you don’t want them).

And if you want to install a new application? – just search by name under the package manager and hit the install. I had all the applications I needed to install up and running in less than an hour when I’d expected to be at it all day. I even realised that some of the apps I’d need to install after a Windows re-install I wouldn’t have to do (such as music/video players and CD burners) since Linux doesn’t cripple all its software with DRM.

Even though it’s a Beta version it’s been really stable. So far it’s only locked once during shutdown (oh by the way, shutdown time is about 5 seconds – versus about 30s in Windows) and I powered off with no ill effects but considering I use it as a development machine that’s not bad. This is only about the 5th time I’ve EVER seen Linux crash and I couldn’t begin to estimate the number of times I’ve seen Windows crash, certainly hundreds (I’ve used Linux and Windows for probably an equal number of hours). Using Windows 95 as a development machine we’d see it crash about once an hour. Windows has got much more stable since then I’ll admit (but you would have to admit it’s not much more secure).

I’ve only had to kill one application which locked up. You know what a hassle that is on Windows? Pressing Ctrl-Alt-Del for ages and waiting for it to respond. None of that on Linux! Misbehaving apps are closed immediately. Linux is obviously in control all the time (after all it was designed to work with multiple users and as a server too), responds straight away and has full control over the applications.

I’ve got a few grumbles – I record music and I haven’t figured out the audio side of it all. The HTML validator plugin for Firefox doesn’t work on Linux. There have been far more happy moments – I love the Music Player. It’s the only music app I’ve ever got on with. Chrome on Linux is gorgeous! The user interface is fab (multiple desktops – so handy!). And since I’m always buzzing around looking at and editing files all over my machine – a directory structure that makes sense!!! What the hell is going on with the Windows directory structure?

But overall I’m chuffed and I’ve rediscovered my love of the command line (equivalent to the DOS prompt to Windows but infinitely superior). It’s so useful. I’m doing web development. I can check the titles of all the html files in one directory:
# grep title *.html

Or check my webserver log files for how many mp3s were downloaded on the 22nd April:
# grep 22/Apr access-log | grep -c '\.mp3'
(you can send the output of one command into another command [or the same command] using the pipe “|” – this strips out lines without “22/Apr” in them and then the second command counts the lines containing the string “.mp3”)

Or check my IP address and other network setup with “ifconfig”. Or restart my web server with “/etc/init.d/apache2 restart”.

Or a million other things. If you want a backup at 6pm every day you can do it.

The command line should have been embraced by Windows. It’s so useful. But instead they’ve tried to bury it under a graphical user interface which looks like it was made by Fisher Price with big friendly looking buttons and made it harder and harder to use (it used to have a built in help system but they ditched it years ago). You’ve seen the power of the command line yourself in those examples. And that’s very simple stuff.

I recently found Neal Stephenson’s excellent “In The Beginning Was The Command Line” online. It’s well worth a read.

I got sick of the Windows user interface changing every couple of years. Well, remember those commands I gave earlier? I was using grep for various tasks? I’ve been trying to find out how long that command has been around and I failed. My guess why is that the command has been around on Unix systems since before the Internet came along. It was even added to the Oxford English Dictionary in 2003. Those commands would look familiar (if not just run completely unchanged) on Unix systems in the 1970s. I expect to be using those same commands in at least 10 years’ time. How much Windows knowledge will still be relevant then?

Anyway, the new Ubuntu is due out tomorrow. Secure, stable, far better at networking than Windows and not prone to completely changing the user interface – like Windows does since they seem to rewrite the whole thing every few years because they haven’t got it right yet.

If you liked Firefox you’ll love Linux.

Categories: Internet

Pixel: creatures from the 8-bit console era invade New York

Fantastic piece of animation. Why go to the cinema when you can watch something this good online?

Categories: Video

Warning: Google Vowel Outage

Categories: Funny, Internet

Google Translate for Animals

Google does it again! Another great technological breakthrough:

Google Translate for Animals

Categories: Funny, Internet

myspace sucks

March 29, 2010

I’ve just cancelled my myspace account. They asked for a reason. “WTF”, I thought “why not”. Here it is:

“Worst. Site. Ever.

That would sum it up for me. I’ve been trying to customize a profile for a friend. What a f*** up. Your FAQs seem to bear no resemblance to the website.

I’ll knock him up a WordPress theme in an hour and it won’t be full of spam and sh*t animated adverts. Myspace is the only place on teh internets where animated gifs are not punishable by death^W^W^W frowned upon. It’s even inspired me to cancel my own account and to write a little feedback. Not that I’ve ever really used the account since I find the site insufferable.

No wonder myspace is heading down the tubes:
http://www.alexa.com/siteinfo/myspace.com
(select the dropdown menu and select ‘max’ for the big picture – scan eyes from left to right and make a long high to low whistling noise like an anvil falling in a cartoon for the best effect)

You want to compare and contrast with something?
http://www.alexa.com/siteinfo/facebook.com

Hmm, they must be doing something right. Can you spell ‘usability’?

Anyway, it’s not your problem, you’re just an employee. But if I was you I’d start looking for another job ASAP before myspace tanks.

Oh, look your CEO has already jumped ship:
http://techcrunch.com/2010/02/10/myspace-ceo-owen-van-natta-steps-down/

Rats.

Man the lifeboats! Abandon company! Women and children first!

Cheers! And good luck with your CV.”
