Ugh!!’s Greymatter Honeypot

One thing I haven’t quite perfected at home is how I watch video I’ve downloaded off the web. Don’t get me wrong, every year I end up with a better and better solution but I’m still not where I want to be. At the moment I use bitTorrent to download videos, then burn them to a rewritable DVD and play them in my DVD player (which plays DivX and other formats). A step in the right direction would be getting something like a networked media player; one of whichI saw on Gadget Advisor. The one I saw reviewed was the DIVCo TViX M-6500A which effectively allows your TV to play videos directly off your network, off a USB device or off its internal hard disk. This would allow me to play videos directly off my computer after having downloaded them. Just perfect.

I’ve only come across Gadget Advisor recently but it seems to have a growing collection of reviews and news about hardware, software and all sorts of gadgetry. So if you’re after that perfect universal remote or looking for some way to backup online; then pop down and have a look. You’ll be sure to find what you’re looking for.

Interesting news this morning that YouTube has announced that they are going to start featuring full-length movies and episodes which will include in-steam video ads to keep the broadcasters happy. This seems to be a move directed to counter the threat that Hulu affords them, particularly as they have launched similar features to them in the recent past. It seems that shorter videos will still be ad-free, but the full-length features will need to be monitised to support the model they have pursued with their advertisers.

So, down I popped to give it a try and here’s what I get:

Hmm, seems like they’ve decided to omit 95% of Internet users by restricting usage to just one country. I’m hoping that this is for scaling/trial reasons rather than something their broadcasters are insisting on (which is probably the case). The reality is, if they restrict access to this material, then it will just drive users to seek out other services and this will really prevent users from adopting their services.

So, before you throw away your TV, invest in some new modern furniture and high speed satellite internet and a new giant monitor for your computer, check if the service works in your area. You may be disappointed, I know I was.

Hmmm I just noticed that my car (the Jaguar not the BMW) isn’t taxed at the moment as the tax expired at the end of September. The problem is that I need to show my car insurance to get my new tax disc. And my insurance doesn’t get renewed till next week. Bit silly really, but I think I’ll just wait till next week and tax it properly. I’m sure there’s an easier was to check if I have valid car insurance than having to dig up last year’s certificate (that’s assuming I still have it)

I suppose insurance is a pretty great innovation because it minimises the worry you may have about losing something or having it lost. You can insure practically anything nowadays, the other day I saw an advert by a company that specialises in insuring mens wedding rings, I wonder if that’s because they lose them more often then women do I wonder. Do you reckon you can get insurance quotes for a website? There are quite a few risks you probably would like to mitigate against, including your site getting hacked and any unscheduled downtime you may have. I’m pretty sure you can insure against anything, but does anyone know of any website insurance?

Well, it’s my birthday next week and Camille is getting me a new compact camera to replace my old Minolta (which is now 5 years old). To tell you the truth, 3.2 megapixels is still great for online photos, but it’s slow, doesn’t give any control over exposure time and the battery really doesn’t last long. So, I’ve been looking around for what to get and here are my choices:

• Samsung NV100HD - Specs look impressive, boasting a 14.7 megapixel sensor a a wide array of features. Some of the reviews suggest that the quality of the photos doesn’t do the camera justice, so not sure about this one.
• Sony Cybershot DSCW120 - I really really like this camera. It has a whole bunch of features I love, but I’m not too fond of Memorysticks to store images on. I’m a bit of an SD man I guess.

I’m a bit torn between the two, but I think the Cybershot is the one that might win in the end.

There’s a new model out too that seems just perfect for me, but it’s a touch more than I wanted to spend. It’s the Sony Cybershot T700 and has some amazing features. It’s ultra-slim, does everything all the other cameras seem to do, has a massive touch screen on the back and even have 4Gb of internal memory. Check out the review here.

I like the fact that it’s super-slim and super-fast and I love all the gadgetry like face recognition and even smile recognition (yup, it won’t take a photo until you smile). The battery life looks amazing and the touch screen on the back just simply superb. As I said though, I was trying to keep it under £200, so this might be a touch to pricey. I might just go for it’s smaller brother.

The question is .. which one would YOU go for?

We haven’t had a honeypot in some time, so here’s a chance to catch up on some great links to keep you nice and distracted:

• How to network: Excellent advice on how to get out there, make friends and build business contacts
• Twittex: Here’s how to resume your Twitter-SMS service in the UK
• AVS Video Converter: Free tool that lets you rotate and flip video
• A tale of love: Great gadgety video
• Save My Boys: Help Jenn and Carolyn get their boys back
• E: Is this the future of social networking?
• SuperPress: Get your mitts on the theme I’m using for this site
• Tater Titan: Some people just have too much time on their hands

Enjoy!

I’ve posted before about Clickjacking and how scary this is for most Internet users, regardless of which browser you’re using or whether you have Javascript turn on or off. There’s more information about the threat on the Interweb today, including a demo of how the exploit works and some advice on how you can avoid it. First of all, what is clickjacking? There’s a great writeup on Securoris that explains it quite succinctly:

Clickjacking allows someone to place an invisible link/button below your mouse as you browse a regular page. You think you’re clicking on a regular link, but really you are clicking someplace the attacker controls that’s hidden from you. Why is this important? Because it allows the attacker to force you to interact with something without your knowledge on a page other than the one you’ve been looking at. For example, they can hide a Flash application that follows your mouse around, and when you go to click a link it starts recording audio off your microphone. We have protections in browsers to prevent someone from automatically initiating certain actions. Also, many websites rely on you manually pressing buttons for actions like transferring large sums of money out of your bank account.

There are two sides to look at this exploitation- user and website owner. As a user, if you visit a malicious site (either a bad guy site, or a regular site that’s been hit with cross site scripting), the attacker can force you to take a very large range of actions. Anytime you click something, the attacker can redirect that click to the destination of their choice in the context of you as a user. That’s the important part here- it’s like cross site request forgery (really, an enhancement of it) that not only gets you to click, but to execute actions as yourself. That’s why they can get you to approve Flash applications you might not normally allow, or to perform actions on other sites in the background. As with CSRF, if you are logged in someplace the attacker can now do whatever the heck they want as long as they know the XY coordinates of what they want you to click.

As a website owner, clickjacking destroys yet more browser trust. When designing web applications (which used to be my job) we often rely on site elements that require manual mouse clicks to submit forms and such. As Robert (Rsnake) explains in his post, with clickjacking an attacker can circumvent nonces (a random code added to every form so the website knows you clicked submit from that page, and didn’t just try to submit the form without visiting the page, a common attack technique).

Clickjacking can be used to do a lot of different things- launching Flash or CSRF are only the tip of the iceberg.

It relies heavily on iFrames, which are so pervasive we can’t just rip them out. Sure, I turn them off in my browser, but the economics prevent us from doing that on a wide scale (especially since all the advertisers- e.g. Google/Yahoo/MS, will likely fight it).

Clickjacking is very difficult to eliminate, although we can reduce its risk under certain circumstances. Because it doesn’t even rely on Javascript and works with CSS/DHTML, it will take a lot of time, effort, and thought to eliminate.

If that sounded scary, have a look at a video showing one application of the exploit:

If you want to study that further, you can actually run it through it’s paces here.

So, what can be done about this? First of all, it’s worth realising that while it’s a powerful threat, the risk of it happening isn’t that high at the moment. Vendors have started recognising the threat and coming up with solutions for dealing with it. Adobe has come up with a workaround and NoScript has released ClearClick to help address it. It’s only a matter of time before this is quashed too (won’t be easy though)

We’re almost there! Hyder and I have been working on a massively exciting theme for WordPress which will be unveiled very very soon. I’m using it on this blog as well as on WordPress Guru and you can tell just how customisable it us but looking at the differences between the two sites.

There’s a superb feature set sitting behind the theme and it’s a culmination of many hours of work from both of us. I’ve even managed to lose weight by skipping meals to work on the theme! It has tons and tons of options and some really exciting unique features (I love my media manager for example)

I’m not going to talk any more about the Super WordPress theme, just want to mention that you can win a free copy of the theme by signing up at our contest here

Keep an eye on the blog, more news soon!