Archive for September, 2005

Friday, September 30, 2005

Digg Spamming

I wrote about Digg, the social news site, a while back. However, for all the cool stuff it affords, it’s also beginning to show some signs of the pitfalls of a fast growing site.

Wikipedia notes a few criticisms, the worst of which seems to be recurring stories. Wikipedia doesn’t note what I think will become an overwhelming problem in the very near future: Digg spam.

I’m not talking about traditional spamming by bots that submit URLs to porn sites, debt consolidation, or poker. It seems like Digg’s staff has that quite well in hand. Rather, Digg spamming (or Damming), for my purposes, is the practice wherein the author of a blog signs up on Digg and submits every single article they write. Sound familiar? It should.

That’s what Pinging is. The difference here is that those services provide the weblog ping API. They want to aggregate any and all blog articles. This is Technorati’s forte.

Digg doesn’t offer this capability. Nor should it. Imagine if you will, trying to pick articles out of Technorati to digg. Digg moves fast enough with user submissions (and will move faster as the user base grows). If it starts to move too fast, interesting stories won’t get the number of diggs necessary to move them onto the front page. The cream will stop rising to the top because the milk is getting poured too fast.

Further, most people’s blog entries simply aren’t worthy of a digg, which is the whole reason someone else doesn’t submit them. For this reason, I’ve never submitted one of my own articles. Of course I find them interesting. I wrote them. The real question is whether someone else does. That is Digg’s first filtering mechanism for the web. Slashdot requires editors to approve stories. That’s also a downfall, as the news gets flavored by the editorial staff’s taste. Because Digg relies on users to approve stories to the front page, such flavoring is avoided. While this is a positive thing, it may not be the best method to avoid Damming.

My theoretical discussion of this issue can only go so far though. A more intuitive understanding can be developed through the use of a concrete example. I’d like to single out the user that exposed this type of abuse to me by doing it so repetitively. macaquentosh is perhaps the worst example I can find.

A quick glance yields that nearly all of his submissions are for a single site, one called TopMac (I refuse to link it, but if you want to see it, add “.blogspot.com” to the name). I’ve seen it before, most notably it was being spammed into many threads in Macworld’s forums, so when I saw it again, I knew it was worth looking into. Not all of his submissions are for that site though, which may throw you until you notice that the other sites are run by the same guy. Surprise, surprise, one of his sites is all about credit cards and other types of credit. I know that will come as a huge shock.

Maybe I’m being too harsh though. Maybe he has some original, interesting content of his own that he’s sharing. At least then he’s contributing something. Unfortunately, he fails that test too. He’s copying, verbatim and in their entirety, articles from other websites. He’s not adding his own commentary or anything. He’s just copying the text for publication on his own site. Plagiarism anyone? He at least attributes the text to the originating website in the format “Souce: Macworld” where “Macworld” is a link. Is it a link to the article on that site or the main page of that site? Nope. It’s a link to one of his other sites. Huh? Is this guy also trying to skew Google’s search results?

This guy has no shame, so maybe no one should be surprised. However, what he’s doing at Digg is detrimental for other reasons. For one, he’s submitting articles to Digg that are actually copied from other sites, so he’s getting diggs that should be for those sites. Additionally because of this, he’s adding to the problem of duplicate stories (which right now is the most significant problem on the site).

My proposal to Digg would be to automatically review users that consistently submit stories from the same domain, particularly the free blogging domains. This kind of shameless self-promotion will destroy the usefulness of the site if they’re not careful.

Update: Mark Hasman (aka macaquentosh) is now using two usernames so he can digg the stories that his other pseudonym posts, artificially bringing the number of diggs to 2. I’ve also reported his plagiarism to Macworld and Mac Observer.

Update 2: Digg has removed Mark’s usernames from the system.

Thursday, September 29, 2005

Photo Gallery Updated to Version 2

A couple weeks ago, Gallery 2 was released. I’ve been using Gallery as my photo gallery software on this site for a long time. I probably would use it a lot more if Flickr weren’t so addictive.

The problem is that Gallery is software and not a service. Therefore, I have to supply the storage space and bandwidth. I do have well over 5 GB of storage space and 120 GB of bandwidth at my disposal (thanks Dreamhost, which recently added unlimited domains to all their plans). I probably couldn’t consume that much space and bandwidth, but when I can upload up to 2 GB per month for $25 a year (note to web services: this is a good price point) and the photos can be downloaded unlimited times, Flickr wins out.

That said, Gallery 2 is extremely slick. They’ve moved up to using a database backend instead of a patchwork system, and the install process is like butter. Its interface is also a lot friendlier to people that simply want to browse photos. Also compelling is that you can give accounts to people, allowing them to upload on their own. You don’t have to force them into getting a Flickr account (and then set up a group/use a common tag/some other kludgy solution).

I’m thinking about adding a gallery for readers to post pictures. Anyone have any other ideas?

Saturday, September 24, 2005

Pen Failures

My HP Deskjet 5150 suddenly decided to stop printing the other day. It reported a “Pen Failure”. The little ink light on the front of the printer started blinking as well.

It happened just before I went to print out some driving directions, so it was rather inconvenient. I decided I’d try HP’s website to explain the error, because it’s rather cryptic, even for me.

That was totally fruitless. I resorted to fruitless Google searching. A couple people complained about it, but no definite answer was found. The best I could find was an ink module issue.

I pulled out my black ink cartridge and it stopped the blinking. My Powermac also stopped giving errors. I went down to Wallyworld and bought a new model 56 print cartridge. I put it in and all was well. Apparently the solution to a “Pen Failure” is a new print cartridge. Too bad HP doesn’t explain this.

Thursday, September 22, 2005

Security Update 2005-008

First, Security Update 2005-008 fixes the so-called Safari Image of Doom. Can we all move on now? Thanks.

That’s fixed by:

ImageIO

CVE-ID: CAN-2005-2747

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Viewing a maliciously-crafted GIF image may result in arbitrary code execution.

Description: By carefully crafting a corrupt GIF image, an attacker can trigger a buffer overflow in ImageIO which may result in arbitrary code execution. Several components of Mac OS X utilize ImageIO including WebCore and Safari. This update addresses the issue by performing additional validation of images.

I’m more concerned by the arbitrary code execution than the crashing aspect (which is relatively harmless).

Other fixes:

Mail

CVE-ID: CAN-2005-2746

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: When using auto-reply rules, Mail.app may expose the contents of encrypted messages.

Description: Mail.app includes the contents of messages when processing auto-reply rules. If a message being processed was encrypted, the automatically generated response will include the decrypted message contents. This could allow an attacker to intercept the message. This update addresses the issue by ensuring that unencrypted responses to encrypted messages are not generated. Credit to Norbert Rittel of Rittel Consulting for reporting this issue.

Mail

CVE-ID: CAN-2005-2745

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

Impact: Using Kerberos Version 5 for SMTP authentication Mail.app may disclose sensitive information.

Description: When using SMTP authentication with Kerberos Version 5, Mail.app may append un-initialized memory to a message. This update addresses the issue by updating Mail.app. Credit to the MIT Kerberos team for reporting this issue. This issue was resolved in Mac OS X v10.4.2 by Security Update 2005-007.

malloc

CVE-ID: CAN-2005-2748

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Insecure file handling may result in local privilege escalation.

Description: When certain environmental variables are set to enable debugging of application memory allocation, files with diagnostic information are created insecurely. This could allow a malicious local user to alter arbitrary files. This update addresses the issue by disallowing malloc debugging in privileged programs. Credit to Ilja van Sprundel of Suresec LTD for reporting this issue.
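The malloc entry is the classic local privilege escalation pattern: an attacker-controlled environment variable turns on a debug feature in a privileged program, and that feature writes to a predictable path without checking what is already there. As an added example (not Apple’s libmalloc code; the advisory does not name the environment variables or file paths involved), here is the pair of controls the fix amounts to, in C: a pure policy check that mirrors issetugid(), so debug hooks are ignored whenever real and effective identities differ, and a file-creation routine that uses O_CREAT|O_EXCL|O_NOFOLLOW so a symlink planted at the diagnostic path cannot redirect the write. The function names and the demo directory layout are my own; the demo creates a victim file and a symlink under a fresh mkdtemp directory, runs both open variants against the link, and removes everything afterwards.

```c
/* Added example, not Apple's libmalloc code: the two controls an
 * allocator debug facility needs before it writes diagnostic files.
 * 1. Never honour debug environment variables in a set-uid/set-gid
 *    process: the environment is attacker-controlled, the file is
 *    written with the privileged identity.
 * 2. Create the file with O_CREAT|O_EXCL (and O_NOFOLLOW) so a symlink
 *    planted at the expected path cannot redirect the write. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkdtemp, symlink, O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* platforms without it still get O_EXCL protection */
#endif

/* Mirrors what issetugid() answers: debug hooks are only safe when the
 * real and effective identities match. Pure, so the policy is testable. */
int malloc_debug_permitted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* The pattern the advisory describes: a predictable path opened with
 * O_CREAT|O_TRUNC. If 'path' is a symlink the attacker planted, the
 * link target is truncated with the caller's privileges. */
int open_diag_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: refuse in privileged processes, require a brand-new file,
 * never follow a symlink, and keep the file private to the owner. */
int open_diag_secure(const char *path)
{
    if (!malloc_debug_permitted(getuid(), geteuid(), getgid(), getegid())) {
        errno = EPERM;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed demo: a victim file, a symlink at the diagnostic path
 * pointing at it, then both open variants. Returns 1 when the insecure
 * open clobbered the victim and the secure one refused (EEXIST/ELOOP),
 * 0 if behaviour differed, -1 if the scratch files could not be set up. */
int demo_symlink_clobber(void)
{
    char dir[] = "/tmp/diagdemoXXXXXX";
    char victim[64], link[64];
    struct stat st;
    int fd, bad, good, clobbered, refused;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/malloc_diag.log", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10 || symlink(victim, link) != 0) {
        if (fd >= 0) close(fd);
        unlink(victim); rmdir(dir);
        return -1;
    }
    close(fd);

    /* insecure variant follows the link and truncates the victim */
    bad = open_diag_insecure(link);
    clobbered = (bad >= 0 && stat(victim, &st) == 0 && st.st_size == 0);
    if (bad >= 0) close(bad);

    /* secure variant must refuse without touching anything */
    good = open_diag_secure(link);
    refused = (good < 0 && (errno == EEXIST || errno == ELOOP));
    if (good >= 0) close(good);

    unlink(link); unlink(victim); rmdir(dir);
    return (clobbered && refused) ? 1 : 0;
}

int main(void)
{
    printf("set-uid process may debug malloc? %d\n",
           malloc_debug_permitted(1000, 0, 1000, 1000));
    printf("symlink demo: %d (1 = insecure open clobbered, secure open refused)\n",
           demo_symlink_clobber());
    return 0;
}
```

The policy check matters as much as the open flags: with O_EXCL alone, a privileged program would still leak a root-owned diagnostic file into a directory of the attacker’s choosing, which is why the update simply disables the feature for privileged programs rather than trying to make the file creation bulletproof.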

QuickDraw Manager

CVE-ID: CAN-2005-2744

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Viewing a maliciously-crafted PICT image may result in arbitrary code execution.

Description: By carefully crafting a corrupt PICT image, an attacker can trigger a buffer overflow in QuickDraw Manager which may result in arbitrary code execution. Several components of Mac OS X utilize QuickDraw Manager, including Safari, Mail, and Finder. This update addresses the issue by performing additional validation of images. Credit to Henrik Dalgaard of Echo One for reporting this issue.
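The ImageIO (GIF) and QuickDraw Manager (PICT) entries describe the same class of bug: a corrupt image whose header fields drive a buffer allocation or write. The following C parser is an added example, not Apple’s code, and does not reproduce the specific flaw the update fixed (the advisory says no more than “a buffer overflow”); it shows what “additional validation of images” means in practice for GIF. A decoder that trusts the descriptors allocates a screen_w × screen_h canvas and then copies a width × height frame to (left, top); a frame larger than the screen overruns that heap allocation. This parser rejects such a file before any pixel is written. The enum, struct and function names are mine, and the two byte arrays are constructed inputs.

```c
/* Added example, not ImageIO or QuickDraw code: validate a GIF's
 * descriptors before they size any buffer or drive any pixel write. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum gif_status {
    GIF_OK = 0,
    GIF_ERR_TRUNCATED = -1,  /* input ends before a field we need */
    GIF_ERR_MAGIC = -2,      /* not GIF87a/GIF89a, or unknown block */
    GIF_ERR_ZERO_DIM = -3,   /* zero-sized screen or frame */
    GIF_ERR_FRAME_OOB = -4,  /* frame extends past the logical screen */
    GIF_ERR_NO_IMAGE = -5    /* trailer reached before any image */
};

struct gif_info {
    uint16_t screen_w, screen_h;          /* logical screen descriptor */
    uint16_t left, top, width, height;    /* first image descriptor */
    size_t canvas_bytes;                  /* 1 byte per pixel canvas */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

enum gif_status gif_parse_descriptors(const uint8_t *buf, size_t len, struct gif_info *out)
{
    size_t pos;
    if (len < 13) return GIF_ERR_TRUNCATED;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return GIF_ERR_MAGIC;
    out->screen_w = rd16le(buf + 6);
    out->screen_h = rd16le(buf + 8);
    if (out->screen_w == 0 || out->screen_h == 0) return GIF_ERR_ZERO_DIM;
    /* both operands are <= 65535, so the product fits in any size_t */
    out->canvas_bytes = (size_t)out->screen_w * out->screen_h;
    pos = 13;
    if (buf[10] & 0x80) {                         /* global colour table */
        size_t gct = 3u * (1u << ((buf[10] & 0x07) + 1));
        if (len - pos < gct) return GIF_ERR_TRUNCATED;
        pos += gct;
    }
    while (pos < len) {
        uint8_t tag = buf[pos];
        if (tag == 0x2C) {                        /* image descriptor */
            if (len - pos < 10) return GIF_ERR_TRUNCATED;
            out->left   = rd16le(buf + pos + 1);
            out->top    = rd16le(buf + pos + 3);
            out->width  = rd16le(buf + pos + 5);
            out->height = rd16le(buf + pos + 7);
            if (out->width == 0 || out->height == 0) return GIF_ERR_ZERO_DIM;
            /* 32-bit sums: the bounds check itself must not wrap */
            if ((uint32_t)out->left + out->width  > out->screen_w ||
                (uint32_t)out->top  + out->height > out->screen_h)
                return GIF_ERR_FRAME_OOB;
            return GIF_OK;
        }
        if (tag == 0x21) {                        /* extension block */
            pos += 2;                             /* introducer + label */
            for (;;) {                            /* data sub-blocks */
                if (pos >= len) return GIF_ERR_TRUNCATED;
                uint8_t n = buf[pos++];
                if (n == 0) break;
                if (len - pos < n) return GIF_ERR_TRUNCATED;
                pos += n;
            }
            continue;
        }
        return tag == 0x3B ? GIF_ERR_NO_IMAGE : GIF_ERR_MAGIC;
    }
    return GIF_ERR_TRUNCATED;
}

/* Convenience wrapper returning only the status. */
enum gif_status gif_check(const uint8_t *buf, size_t len)
{
    struct gif_info gi;
    return gif_parse_descriptors(buf, len, &gi);
}

/* Constructed inputs: a 2x2 screen with a 2x2 frame, and the same header
 * with a 65535x65535 frame that a trusting decoder would copy into a
 * 4-byte canvas. */
static const uint8_t GIF_GOOD[] = {
    'G','I','F','8','9','a', 0x02,0x00, 0x02,0x00, 0x00, 0x00, 0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0x02,0x00, 0x02,0x00, 0x00 };
static const uint8_t GIF_BAD[] = {
    'G','I','F','8','9','a', 0x02,0x00, 0x02,0x00, 0x00, 0x00, 0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0xFF,0xFF, 0xFF,0xFF, 0x00 };

int main(void)
{
    printf("good: %d  bad: %d  truncated: %d\n",
           gif_check(GIF_GOOD, sizeof GIF_GOOD),
           gif_check(GIF_BAD, sizeof GIF_BAD),
           gif_check(GIF_GOOD, 5));
    return 0;
}
```

The same shape of check applies to PICT or any other opcode-driven format: every size or offset read from the file is compared against the buffer it will index, and the comparison is done in arithmetic wide enough that it cannot itself wrap. Note that the parser also checks the length of every sub-block before advancing, which is the other common place image decoders read past the end of their input.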

QuickTime for Java

CVE-ID: CAN-2005-2743

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

Impact: An untrusted applet may gain elevated privileges.

Description: The Java extensions bundled with QuickTime 6.52 and earlier allow untrusted applets to call arbitrary functions from system libraries. This update addresses the issue by limiting these calls to trusted applets. Systems running QuickTime 7 or later are not affected by this issue. Systems running Mac OS X v10.4 or later are also not affected by this issue. Credit to Dino Dai Zovi for reporting this issue.

Ruby

CVE-ID: CAN-2005-1992

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Ruby applications utilizing the xmlrpc module may be vulnerable to arbitrary code execution.

Description: The Ruby xmlrpc/utils module utilizes the method Module#public_instance_methods to determine which methods may be invoked remotely using XML-RPC. A change between different versions of Ruby caused this method list to unintentionally include methods that may be used to execute arbitrary Ruby code. This update addresses the issue by updating the xmlrpc/utils module. This issue does not affect systems prior to Mac OS X v10.4.

Safari

CVE-ID: CAN-2005-2524

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9

Impact: Maliciously crafted web archives could potentially allow cross-site scripting.

Description: It is possible to view web archives served from remote sites in Safari. Maliciously crafted web archives may be rendered as content from sites that did not serve them. This update prevents remote web archives from being loaded. Safari web archives were introduced in Safari 2.0. This issue was resolved in Mac OS X v10.4.2 by Security Update 2005-007.

SecurityAgent

CVE-ID: CAN-2005-2742

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: A user with physical access to the system may be able to bypass the “Require password to wake this computer from sleep or screen saver” setting.

Description: Under certain situations, the “Switch User…” button may appear even though the “Enable fast user switching” setting is disabled. This could cause the currently logged-in user’s desktop to be displayed without authentication. This update prevents the “Switch User…” button from appearing when inappropriate. This issue does not affect systems prior to Mac OS X v10.4. Credit to Luke Fowler of the Indiana University Global Research Network Operations Center for reporting this issue.

securityd

CVE-ID: CAN-2005-2741

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Malicious users may grant themselves rights to manipulate arbitrary files or perform other privileged actions.

Description: Authorization Services allows unprivileged users to grant certain rights that should be restricted to administrators, which may lead to privilege escalation. This update addresses the issue by adding restrictions to which rights unprivileged users can grant themselves.

I find it interesting that many people are given credit for discovering these security issues. They went straight to Apple with it instead of immediately broadcasting it, and even threatening to tag web pages with an offending image in order to get their attention. Just sayin’.

Tuesday, September 20, 2005

.Mac Upgrade

Apple bumped .Mac’s storage to 1 GB (1024 MB for those wondering if they’d correctly count). They also released Backup 3.

I’ve been keeping my email allotment steady at 100 MB, but that’s been feeling a bit constricting, especially when Gmail is now allowing more than 2.5 GB and my web host gives me 5 GB. However, I really like using Apple’s Mail.app (Gmail does have POP, but that’s not adequate because I can’t do server side email management that way), and my web host’s webmail package, SquirrelMail, isn’t all that bad; it’s just not all that good, or at least not as good as .Mac.

Now that I can allocate 400 MB for email, I feel confident that I can stay within my limit (at least until it gets bumped again). This upgrade might also explain why the email has been going down pretty regularly for me. Hopefully now that the upgrade is complete, the rock solid reliability will be back (yes, I said rock solid; I don’t share the experiences of a select vocal few).

Backup 3 looks like a worthy upgrade to an originally very mediocre piece of backup software. Of particular interest to me is the suggestion that backup can be used to synchronize documents between computers. I’ve been mostly storing things on my Powermac and using file sharing to access them on the Powerbook, but this might solve that problem.

As usual, you can order both the regular and family pack versions of .Mac off my Amazon shopping page. You can buy it through Amazon for both new and renewing accounts. As an added bonus, the single user version of .Mac is a mere $77.99 (more than $20 off Apple’s online price).