Entries Tagged 'Security info'
November 2nd, 2008 — Security info, Tips and tricks, Webmastering
Hotlinking is when somebody embeds an image that isn’t theirs in another page by linking directly to the image’s URL on the original server.
It’s a form of stealing. They don’t have the right to use that image, as it belongs to somebody else. But they are also “stealing bandwidth”: every time the image loads, the server hosting it sends the bytes, and the owner of that server pays for them against a bandwidth limit. If the people loading your image are visitors reading your page, that cost is worth it to you. But if somebody else displays your image elsewhere without telling you, and it loads a lot, you can end up paying overage charges or getting shut down by your host for exceeding the bandwidth limit.
The only way to find this out is to look at your server’s access logs. Each request records a Referer, the page that caused the browser to fetch the file. If you see a lot of requests for an image file whose Referer is a site you don’t have a link on, you’ve probably found a hotlinker. Requests with no Referer at all prove nothing either way, since browsers and privacy tools often strip it.
One girl found a hotlinker this way. Some meathead had found a full-size image on her site of two girls kissing and was using it as his avatar in an Irish soccer forum. Many forums will upload an image off the web and resize it. This one just resized the image using height and width tags. So the full image was loading for every forum post he wrote, for every viewer who looked at any page he had a post on.
I think a couple of us joined the forum and posted that he did not have the right to do this. He was pretty arrogant about it. And this guy was a moderator! So she changed the name of the photo on her server and replaced it with an advertisement. I sent an email to the admin, who sent me back an apology. I guess there was going to be an email going out to forum members on that.
So first, the image must be hosted on your own server, so that you control the file names. This won’t work with a third-party image host, because those generate unique file names that you can’t change.
Here’s an image somebody might be using as a background:

Upload a new image you have chosen specially for the thieves. Then swap the names: rename the original image on your server and change the link on your own pages to point at the new name, so your site keeps working. Finally, rename the special image to the original file name. The hotlinker’s page is still asking for that name, so your chosen image now appears wherever the hotlink is.
Like this:

The fun part is that you can put anything you want in there. Somebody who copied your image URL from the right-click menu very likely did not set height and width attributes on the image, so you can substitute a gigantic image for a small one.
Like this:
If the original image is a .gif rather than a .jpg image, you can substitute an animation, which can really get the attention of viewers.
Like this:

Here’s a link to a blog post where the writer got tired of people stealing his content. For him, the issue was not images but text. What he did was make a tiny transparent .gif and include it in his post’s HTML. It did not show, so somebody who copied his text along with the markup, without realizing it carried an image, would end up unwittingly hotlinking to it.
Most content thieves don’t do that, but eventually one did. It’s pretty funny when they do. All the author had to do was switch out the tiny, transparent image for one that got his message across.
If you catch someone like this and pull this switcheroo, make sure you take a screenshot so you can show everyone. And if you substitute an animated one, try to get a video screen capture.
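The log check described above, as an added example that is not part of the original post: a small Node script that reads access log lines in the Apache/nginx "combined" format, keeps only successful image requests, and groups them by the host in the Referer, skipping your own hosts and requests with no Referer. The log lines, host names and file names are constructed for the example.

```javascript
// Added example: find hotlinkers in a "combined" format access log.
// Fields: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ([^"]*)" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"$/;
const IMAGE_EXT = ['.jpg', '.jpeg', '.gif', '.png'];

// Constructed sample: one of our own page views, three fetches from a forum,
// a no-Referer fetch, and a 404 (the last two must not count).
const SAMPLE_LOG = [
  '198.51.100.7 - - [02/Nov/2008:10:15:01 -0500] "GET /gallery.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [02/Nov/2008:10:15:02 -0500] "GET /images/kiss.jpg HTTP/1.1" 200 245760 "http://www.example.com/gallery.html" "Mozilla/5.0"',
  '203.0.113.5 - - [02/Nov/2008:10:20:11 -0500] "GET /images/kiss.jpg HTTP/1.1" 200 245760 "http://forum.example.net/viewtopic.php?t=12" "Mozilla/5.0"',
  '203.0.113.9 - - [02/Nov/2008:10:21:45 -0500] "GET /images/kiss.jpg HTTP/1.1" 200 245760 "http://forum.example.net/viewtopic.php?t=40" "Mozilla/5.0"',
  '203.0.113.9 - - [02/Nov/2008:10:21:46 -0500] "GET /images/kiss.jpg HTTP/1.1" 304 - "http://forum.example.net/viewtopic.php?t=40" "Mozilla/5.0"',
  '203.0.113.12 - - [02/Nov/2008:10:30:00 -0500] "GET /images/kiss.jpg HTTP/1.1" 200 245760 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [02/Nov/2008:10:31:00 -0500] "GET /images/old.gif HTTP/1.1" 404 512 "http://forum.example.net/viewtopic.php?t=12" "Mozilla/5.0"',
];

// Parse one log line; returns null for lines that do not match the format.
function parseLine(line) {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3], path: m[4],
    status: Number(m[6]),
    bytes: m[7] === '-' ? 0 : Number(m[7]),   // 304 Not Modified logs "-"
    referer: m[8], agent: m[9],
  };
}

// Host part of the Referer, or '' when it is missing or unparseable.
function refererHost(referer) {
  if (!referer || referer === '-') return '';
  try { return new URL(referer).hostname.toLowerCase(); } catch (e) { return ''; }
}

// Hits and bytes per external referring host, for image requests only.
function findHotlinkers(lines, ownHosts) {
  const own = ownHosts.map(h => h.toLowerCase());
  const isOwn = host => own.some(h => host === h || host.endsWith('.' + h));
  const stats = {};
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const path = rec.path.split('?')[0].toLowerCase();
    if (!IMAGE_EXT.some(ext => path.endsWith(ext))) continue;
    if (rec.status !== 200 && rec.status !== 304) continue;   // only served images cost bandwidth
    const host = refererHost(rec.referer);
    if (!host || isOwn(host)) continue;   // no Referer proves nothing; our own pages are fine
    const s = stats[host] || (stats[host] = { hits: 0, bytes: 0, images: new Set() });
    s.hits += 1;
    s.bytes += rec.bytes;
    s.images.add(path);
  }
  return stats;
}

// One line per offending host, biggest bandwidth thief first.
function report(stats) {
  return Object.entries(stats)
    .sort((a, b) => b[1].bytes - a[1].bytes)
    .map(([host, s]) => `${host}: ${s.hits} hits, ${(s.bytes / 1024).toFixed(0)} KB, ${[...s.images].join(' ')}`);
}

console.log(report(findHotlinkers(SAMPLE_LOG, ['example.com'])).join('\n'));
```

Run it against a real log with something like `node hotlinkers.js < access.log` after swapping the constructed array for lines read from stdin; the host at the top of the report is the one whose pages are loading your images.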
March 1st, 2008 — Design considerations, Security info
There are a lot of means of “protecting” your photos, text, or site itself that actually leave you exposed, because anyone can click View => Source in just about any browser. If your security measure is JavaScript, commonly used to disable the right-click menu among other things, the visitor can still read your source code and see whatever you’re hiding. Some people will be made more curious by the fact that you’re obviously hiding something, even though they might have right-clicked a photo only to see who your image host is.
Also, keep in mind that JavaScript only works when it is turned on. Most such scripts have no effect when the user turns JavaScript off, as many users do.
Anyway, anyone who wants your photos badly enough can always take a screenshot of your page.
It’s best to prominently watermark all photos of any size, so that at least if anybody saves them, your character name, website, contact info, etc. will stay with the photos.
Here’s a little tale of a website which had a JavaScript login “protecting” its membership area. It was a simple matter for someone with even half an idea of how JavaScript works to read the code and find the way in, because the password comparison, the address of the private pages, or both have to be in the script the browser downloads. A security method that is useless like that is worse than having none: clearly they put things in the private area thinking they were secure, when in fact they were completely accessible to anybody curious enough to look. The only check that counts is one the server performs before it sends the private content.
HACKED!
February 25th, 2008 — Blogging, Security info
Lots of people are just getting started on Wordpress, installing their first blog on their site or getting a free blog somewhere. They’ll soon learn about blog comment spam.
Readers can comment on your blog entries. If you write interesting or controversial blog entries and you have a lot of readers, you can sometimes get some lively discussions going in the comments.
Blog comments are good. Blog comment spam is bad.
What is blog comment spam?
It is everything from links to free porn, drugs, spyware, trojans, dialers, and scams to otherwise legitimate affiliate links. These are spammed to your blog in massive numbers, thanks to the fact that WordPress blogs share a common comment entry form, which bots have been designed to recognize and fill in.
Obviously, the reason they’re doing it is that people do click those links and get suckered in. It’s a dirty secret that corporate America makes big bucks when their affiliates spam anyone and everything hundreds or thousands of times.
You could easily get hundreds of spam comments a week on a popular blog.
WordPress’s answer to this was a moderation list of terms that sends matching comments into a moderation queue in your admin area, and a blacklist that sends comments containing certain words straight into oblivion. I tried this, but it was of limited usefulness, as spammers got sneakier and found new ways of fooling the blacklist.
So what can you do?
First of all, you have to moderate your blog comments. A blog with unmoderated comments will rapidly get buried in spam comments, and nobody will want to wade through them to try to read your blog, even if you try to remove them as soon as possible after they arrive.
Go to Options => Discussion. Select the first two options from this menu:

Make sure you resave the page.
So now your comments will form a queue in your admin area, and you will have to approve or delete them. This gets old really fast if you get a lot of spam. It’s easy to miss the real thing when you’ve got hundreds of comments to inspect and maybe only a few that are really comments.
The next thing I did was to install Akismet, a Wordpress plugin which uses a database of known spam to detect suspected spam and put it in its own moderation list. Not bad, at least at first, but you still have to moderate them. And once in a while, Akismet does catch real comments in its snare. After you reach a certain threshold, Akismet is not enough, like here:

No kidding.
I was getting really annoyed at the situation. Next I installed Bad Behavior, which inspects each request to separate the people from the bots. I also added Spambam, yet another anti-spam plugin, which uses a delaying tactic before accepting comments.
I don’t have a spam problem anymore on any of my blogs. If I do have a problem, I’ll let you know how I deal with it. There are plenty more plugins out there where these came from.
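An added example, not code from WordPress or from any of the plugins named above, of the three ideas this post touches on, combined in one scorer: a word blacklist that survives the usual tricks (case changes, digits for letters, dots between letters), a link count in the spirit of WordPress’s "hold comments with too many links" setting, and two bot checks, a hidden honeypot field and a minimum time between the form loading and the comment arriving. The thresholds, field names and sample comments are assumptions constructed for the example.

```javascript
// Added example: score a blog comment as approve / moderate / spam.
// Assumptions: a short blacklist, a 5 second minimum fill-in time, and a
// honeypot field that is hidden by CSS so only bots fill it.
const BLACKLIST = ['viagra', 'casino', 'free porn'];
const MIN_SECONDS = 5;
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's', '!': 'i', '|': 'i' };

// Fold the tricks used to slip past a plain word blacklist: case, digit-for-letter
// substitution, and punctuation wedged between letters ("V.I.A.G.R.A").
function normalize(text) {
  return text.toLowerCase()
    .replace(/[0134578@$!|]/g, c => LEET[c])
    .replace(/[^a-z\s]/g, '')
    .replace(/\s+/g, ' ');
}

// Count both bare URLs and HTML anchors in the comment body.
function countLinks(text) {
  return (text.match(/https?:\/\/|<a\s/gi) || []).length;
}

// comment = { content, honeypot, formLoadedAt, submittedAt } with times in ms.
function scoreComment(comment) {
  const reasons = [];
  let score = 0;

  const links = countLinks(comment.content);
  if (links >= 2) {                       // one link is normal, each extra one costs 2
    score += 2 * (links - 1);
    reasons.push(`${links} links`);
  }

  const norm = normalize(comment.content);
  for (const word of BLACKLIST) {
    if (norm.includes(normalize(word))) {
      score += 5;
      reasons.push(`blacklisted word: ${word}`);
    }
  }

  if (comment.honeypot) {                 // humans never see this field, so a value means a bot
    score += 10;
    reasons.push('honeypot field filled');
  }

  const elapsed = (comment.submittedAt - comment.formLoadedAt) / 1000;
  if (elapsed < MIN_SECONDS) {            // nobody reads a post and writes a reply in a second
    score += 5;
    reasons.push(`submitted ${elapsed}s after the form loaded`);
  }

  const verdict = score >= 10 ? 'spam' : score >= 2 ? 'moderate' : 'approve';
  return { verdict, score, reasons };
}

// Constructed sample comments.
const SAMPLES = [
  { content: 'Great post, I had the same problem with a hotlinker last month.', honeypot: '', formLoadedAt: 0, submittedAt: 45000 },
  { content: 'Buy ch3ap V.I.A.G.R.A here http://a.example/x http://b.example/y http://c.example/z', honeypot: '', formLoadedAt: 0, submittedAt: 800 },
  { content: 'Two related write-ups: http://one.example/ and http://two.example/', honeypot: '', formLoadedAt: 0, submittedAt: 30000 },
  { content: 'nice blog', honeypot: 'http://bot.example/', formLoadedAt: 0, submittedAt: 30000 },
];

for (const c of SAMPLES) console.log(scoreComment(c));
```

Anything scored "moderate" still goes to a human, which is the point: the filter should only make the queue short enough to read, never decide on its own about borderline comments.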
February 23rd, 2008 — Security info, Tips and tricks
In case there’s any question in your mind, here’s one I got today. I used Opera to view it, which gave it those nice little popups.
February 6th, 2008 — Security info, Tips and tricks
I got a ‘Paypal’ phishing email. Hopefully most everyone is familiar with these, but just in case, I’m posting here.
They send you a random email saying there has been suspicious account activity, and helpfully suggest you click the link provided to login and verify your account.
Not always, but often the emails look very official. This one came to the address I actually use for Paypal, but I have also received them at almost every active email account I have ever had.

First of all, notice that nowhere does the email have my account name on it, which official emails do. Also, look at that little yellow box. In Opera, when you move your mouse pointer over a link, a box like that pops up and tells you where the link is actually going to send you. In other browsers, the real destination shows up in the status bar at the bottom of the window.
That link doesn’t look anything like any official PayPal URL you have ever seen.
If you were to click the link, it would probably take you to an official-looking login page. Were you to log in, whoever sent this would have your PayPal credentials and with them control of your account, and the page may also try to install malware on your computer.
If you ever have any question as to your account status at Paypal, Ebay, or anywhere else, type the url into your address bar and go there normally.
Update 02-27-08:
Here’s another Paypal phishing email I just got today. This email said my account had been suspended for endangering all of Paypal. Look where this link would take you!
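The check the yellow box does by hand, as an added example that is not from the original post: a script that pulls every link out of an email’s HTML and flags the ones whose real destination is not the brand’s domain, whose visible text names a different host than the href, or that use a raw IP address or the `user@host` trick to make the address look official. The email body, hosts and addresses are constructed for the example.

```javascript
// Added example: compare where each link in a mail says it goes with where it goes.
// Assumption: the mail claims to come from PayPal, so paypal.com and its subdomains are trusted.
const TRUSTED_HOSTS = ['paypal.com'];

// Constructed phishing mail: a fake verification link, a user@host link, and one genuine link.
const PHISHING_MAIL = `
<p>Dear PayPal member,</p>
<p>We noticed unusual activity. Please visit
<a href="http://paypal.com.account-verify.example/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a>
to verify your account.</p>
<p><a href="https://www.paypal.com@203.0.113.7/login">Log in now</a></p>
<p>Questions? Visit the <a href="https://www.paypal.com/help">Help Center</a>.</p>`;

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function isTrusted(host, trusted) {
  return trusted.some(t => host === t || host.endsWith('.' + t));
}

// Returns one finding per suspicious link: { href, text, reasons }.
function checkLinks(html, trusted = TRUSTED_HOSTS) {
  const anchor = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const reasons = [];
    const hrefHost = hostOf(href);
    if (!hrefHost) {
      reasons.push('unparseable href');
    } else {
      if (!isTrusted(hrefHost, trusted)) reasons.push(`goes to ${hrefHost}, not ${trusted.join('/')}`);
      if (/^\d+\.\d+\.\d+\.\d+$/.test(hrefHost)) reasons.push('raw IP address');
      // "https://www.paypal.com@203.0.113.7/": everything before @ is a username, not the host
      if (new URL(href).username) reasons.push('user@ before the real host');
      // If the link text looks like an address, it had better match the real one.
      const textLooksLikeUrl = /^(https?:\/\/)?([a-z0-9-]+\.)+[a-z]{2,}(\/\S*)?$/i.test(text);
      if (textLooksLikeUrl) {
        const textHost = hostOf(/^https?:\/\//i.test(text) ? text : 'http://' + text);
        if (textHost && textHost !== hrefHost) reasons.push(`shows ${textHost} but goes to ${hrefHost}`);
      }
    }
    if (reasons.length) findings.push({ href, text, reasons });
  }
  return findings;
}

for (const f of checkLinks(PHISHING_MAIL)) console.log(f);
```

The same rule is what the post recommends by hand: ignore what the link says and look at the host it actually goes to, and if in any doubt type the address yourself.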