September, 2010


21 Sep 10

Panic! Apocalypse!

So there have been some serious shenanigans over on the Twitter website today: bizarre text/black blocks that have mysteriously propagated themselves all over users’ streams. Cue mass hysteria and cries of “I’ve been hacked! Virus! yargh!”

But it is neither of those things. It boils down to this – presumably in their eagerness to roll out some fancy features for the new Twitter, some developer(s) were incredibly sloppy.

And this was exploited. The initial exploit used the JavaScript onHover (strictly, onMouseOver) event, which is triggered when your mouse hovers over something like an image or web link, to, it seems, redirect you to some Japanese porn. This was picked up on, and persons unknown, who really ought to have known better, started playing around with it to make pretty text and then a blocked-out message that is retweeted when hovered over, potentially propagating out of control somewhat akin to the Morris Worm.

Here is a post on Sophos about the exploit.

This was a human-propelled worm – not a virus on your machine, and no one had hacked into your account; the curiosity/bafflement of the website’s users was used against them.

It also only affected users of the website – as third-party client developers had already taken steps to limit what gets rendered/executed within their applications, users of TweetDeck have been likened to the ‘equivalent of the smug bastards in ponchos at a rain-soaked festival’ – @alrightit.

The most galling part of this is that it would appear that in the GitHub code repository for the Twitter text processing there are changes awaiting deployment to prevent this abuse of the onHover.

It would appear that it is now safe to go back in the water…

The problem has since been addressed, suggesting that either the fix was quick to come up with or the month-old code mentioned above was hastily deployed.

I remember well when JavaScript was considered a dirty word and script kiddies the bane of the internet. With the advent of Web 2.0 and the amalgamation of technologies into the very buzzy AJAX, JavaScript has grown up and, like many of the classic hackers*, found a productive and valuable place in the world. But without adequate appreciation of what these technologies can do, especially now that the web is open to users who are not savvy, and without rigorous testing, sites, networks and systems are still at risk – if not from corruption, then from being rendered effectively unusable by a proliferation of garbage.

*People like Kevin Mitnick who now advises firms on how to avoid being a victim of the kinds of attacks he perpetrated.

Update:

A 17-year-old student in Australia has taken the blame for yesterday’s fracas; you can read the article here. However, I believe it is unfair to single him out. The article does not suggest that he was the one who wrote the adapted version which retweets itself, a purely malicious piece of coding. The use of onMouseOver is particularly nasty, as it is an event that is triggered without necessarily any explicit or conscious input from the user, unlike onMouseClick, where the user makes a conscious decision to click on the link.

Still, at the end of the day, the people who need to hold their hands up and take the blame for this are Twitter, who made the very basic mistake of not validating the input to the site and not escaping data. The potential for abuse of client-side scripts is the reason why some free blog hosting companies, such as WordPress, do not allow JavaScript to function; the code is escaped so that it cannot actually be executed by the browser.
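To make the “not escaping data” point concrete, here is an added example (my own illustration, not Twitter’s code and not the twitter-text library): a naive linkifier that drops the matched URL straight into an href attribute, beside a version that escapes every piece of user text, plus a crude defender-side check for smuggled inline event handlers. The sample tweet and the URL pattern are constructed for the demonstration.

```javascript
// Escape the five characters that let text break out of HTML content or
// a quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Assumed, simplified URL pattern: anything from http(s):// up to whitespace.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched "URL" is user text, yet it is concatenated into
// markup unescaped. A quote inside it closes href early and whatever
// follows becomes a new attribute on the <a> element.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: plain text and URL alike are escaped before becoming markup,
// so a quote in the tweet is rendered as &quot; and stays inside the value.
function linkifySafe(tweet) {
  let out = "";
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Defender-side check on rendered output: an attribute name starting with
// "on" (onmouseover, onclick, ...) that user text could have introduced.
function hasInlineEventHandler(html) {
  return /(^|[\s"'\/])on[a-z]+\s*=/i.test(html);
}

// Constructed tweet: the stray quote ends href; the handler body is inert.
const SAMPLE_TWEET = 'look at this http://example.com/"onmouseover="void(0)" wow';

console.log(hasInlineEventHandler(linkifyUnsafe(SAMPLE_TWEET))); // true
console.log(hasInlineEventHandler(linkifySafe(SAMPLE_TWEET)));   // false
```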


17 Sep 10

Visiting Green Knowe

Back in early July my parents drove over to spend a week or so with us, although rather than slum it on the awful sofa bed up in Amelia’s room they stayed in the little hotel down the road. My mother comes over as often as her commitments to her teaching and thesis directing will allow but my dad makes it over somewhat less often.

With my dad comes their car, which is handy as I (as yet) still don’t drive. So we were able to finally get around to doing something we’d wanted to do for about as long as I’ve lived in England.

Some of my favourite books growing up were Lucy Boston’s stories Green Knowe set in a Norman manor house. I’d always known that the house was based on her own home, and had often attempted to recreate it in Lego. In my mind I always imagined it as looking similar to how it was portrayed in the BBC series in the mid 1980s.

Nearly 20 years later I moved to Biggleswade and at some point discovered that not only was the original manor house about 30 minutes away but pretty much at the other end of the B road we live on now.

When my parents came over this summer we finally got around to visiting, as it was something my mother and I had discussed ever since I found out how close it was.


Carved angel - an illustration by Peter Boston appears in The Children of Green Knowe

The day we visited the house was as far removed as could be from the one on which Tolly arrives in the book. It was a gloriously sunny day with not a cloud in the sky, and while we waited for the others in the tour group to arrive Amelia enjoyed herself running about the lawn and making friends with Diana Boston’s dog.

The house was more compact than I’d imagined but in a way so familiar. The tour was fascinating as Diana Boston, Lucy’s daughter-in-law, described the alterations made over the years since its building in the 12th century, by Tudor and Georgian builders.

For me the highlight of the visit was Amelia being invited to sit on the rocking horse. Seeing her perched up there looking like the little scamp she is reminded me so much of Linnet that I really wish I had pushed harder for that name when Jon and I were in negotiations ;-)

On "Feste"