Tom Maher's Journal

Below are the 20 most recent journal entries recorded in Tom Maher's LiveJournal:

Monday, April 13th, 2009
1:05 pm
(I wrote this initially as a comment in http://pamshouseblend.com/diary/10412/amazon-backpedals-blames-glitch. Someone asked for an IT professional to translate to layman's terms the exploit described at http://community.livejournal.com/brutal_honesty/3168992.html )

I make no claims about whether he actually did it or not, but it's certainly a plausible explanation. As both a computer professional and a very out gay man, I find this believable enough to think Amazon committed no acts of bigotry. Their web application security standards could use a review, though. Even if this particular Bad Guy didn't do it, someone else very easily could have, using a technique similar to what he described.

Let me translate the Bad Guy's post...

1) First, he wrote a small program to get a list of all LGBT books on Amazon. This is pretty easy to do. Imagine going to a page that lists their "Gay and Lesbian" section, writing down the ID number of all the books you see, and repeatedly hitting "next".

2) Amazon has a "community moderation" system. If an Amazon user thinks a book is objectionable in some way, you can flag it. But there's a problem with their system. It's vulnerable to something called a "cross-site request forgery", or "XSRF". Imagine if Amazon had a webpage that let you donate $5 to Lambda Legal. Normally, Amazon wants people to be given a confirmation page before they actually do the donation. But imagine you can short-circuit that, and get people to click on the "submit" button without going through the confirmation page. If I can make that short-circuit look like a regular link, and mail that to a million people, some percentage of them will click the link, not knowing what it is, and have money donated without the confirmation page.

There are a couple of ways to force people to go through the confirmation page. Amazon apparently didn't do that for the community moderation "report something as objectionable".

3a) Bad Guy then notes that he has a friend who works at Alexa.com, a high-traffic website that generates reports on web page traffic. They're sort of like what AC Nielsen does for TV. Lots of people go to Alexa.com every day. The bad guy's friend inserts what's called an "invisible iframe" on some Alexa pages. When an innocent user like me is signed in to Amazon and then goes to the Alexa page with the iframe, it fetches the Amazon community moderation link automatically. There's nothing nefarious about iframes per se; many other things are fetched automatically when you visit a page, like pictures. The problem is that the link in this iframe does the "report these randomly selected LGBT books as inappropriate" action. Because the confirmation page at Amazon isn't required (that's what makes this an XSRF), I never realize that I just flagged as objectionable a book on LGBT couple legal advice (and I totally love legal advice for me and my husband!).

3b) As an extra step, Bad Guy also hires a bunch of people in China and India to create a whole bunch of fake Amazon accounts for him. They send him the usernames & passwords, and Bad Guy again writes a little program that logs in as those fake accounts and starts to flag all the LGBT books as objectionable.

3a and 3b do exactly the same thing; he just did them both to get more books flagged, and faster.

4) GUESS ON MY PART: An Amazon customer service rep starts getting complaints about all the LGBT books being flagged. The rep checks one or two books in question, sees that they've been flagged due to community moderation, and sends the form letter response.
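To show what the missing confirmation step in 2) and 3a) amounts to in code, here is an added example (mine, not Amazon's code and not from the original post) of a simulated "flag as objectionable" handler that rejects the cookie-only request an invisible iframe would make and accepts only a confirmed POST carrying a session-bound token. The endpoint, origin and session values are constructed for the demo.

```python
"""Anti-CSRF check for a state-changing 'report as objectionable' action.

The flag action described in the post needed only the victim's login cookie,
so any third-party page could fire it. The fix below requires a per-session
secret the third-party page cannot know, delivered in a confirmation form.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to browsers
SITE_ORIGIN = "https://shop.example"   # constructed origin standing in for the real site


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the confirmation form; derived from the session so a
    token obtained for one session is useless against another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def flag_item_handler(method: str, session_id: Optional[str], form: dict,
                      headers: dict) -> tuple:
    """Simulated handler for /flag-objectionable. Returns (status, message).

    Accepts only an authenticated POST whose token matches the session and
    whose Origin header (when the browser sends one) is our own site.
    """
    if session_id is None:
        return 401, "not logged in"
    if method != "POST":
        # The weak design accepted GET: an <img> or <iframe> src was enough.
        return 405, "confirmation form must be POSTed"
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, "item %s flagged by session %s" % (form.get("item_id"), session_id)


def demo() -> list:
    """Constructed requests: two cookie-only cross-site fetches, one real confirmation."""
    sid = "victim-session-123"
    iframe_get = flag_item_handler("GET", sid, {"item_id": "B000"}, {})
    foreign_post = flag_item_handler("POST", sid, {"item_id": "B000"},
                                     {"Origin": "https://traffic.example"})
    confirmed = flag_item_handler("POST", sid,
                                  {"item_id": "B000", "csrf_token": issue_csrf_token(sid)},
                                  {"Origin": SITE_ORIGIN})
    return [iframe_get[0], foreign_post[0], confirmed[0]]  # [405, 403, 200]
```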
Wednesday, March 11th, 2009
5:14 pm
Monday, January 19th, 2009
9:41 pm
Checkout Lane Champagne


pre-inaugural, one presumes
Monday, January 12th, 2009
9:51 pm
So, gay Episcopal Bishop Gene Robinson is doing some official pre-inauguration invocation thing, presumably to help make up for Rick Warren.

I want to be happy, I really do, but I'm not. I'm not just a gay man, I'm also an atheist. And I strongly disapprove of any official religious presence or hoo-ha at a governmental function. Call me scrooge, call me a big meany, call me out of touch with 90% of the country. Whatever.

I'm not happy.
Friday, January 9th, 2009
9:53 pm
Angela Bassett's character on ER has like the best husband ever!

Well, excluding urso.
Wednesday, December 17th, 2008
5:20 pm
for furr_a_bruin
http://osxbook.com/software/ancientfs/

The MacFUSE guy at Google wrote drivers for a whole bunch of old unix filesystems - like v7, the filesystem in UNIX/32V (first support of 32-bit virtual memory), and various dump types.

While Amiga's filesystem is not supported (and thus I'm sure Furr will give a big "bah humbug"), I still like it!
Sunday, December 14th, 2008
8:53 pm
For leko
No matter how silly the premise... there will be a movie about it!

[ not safe for work ]
Sunday, December 7th, 2008
10:58 pm
What is the deal with whack-jobs saying "Obama isn't a natural-born citizen", yo?

Or even better, the concern trolls who say "The American people has a right to know if he's a natural-born citizen!".
1:53 pm
Why my home wireless network is wide open to everyone
[I started this as a comment in a friends-only post in someone else's journal, but it got too long. The context is that he just got a wireless network at home, but is slightly anxious about the security implications.]

Don't sweat it! The single most important thing you need to do is change the administrative password to something totally non-obvious. That's the password to log in to the router's web interface and make changes, not the password you need to simply use the wireless (and will thus be giving out to random guests who stop by). I presume you're using very different passwords for both of those things.

Personally, I leave my access point wide open. Further, my SSID is "417 Fulton #1, 510-717-4190", our address & my cell phone number. Anyone who walks by on the street is free to use it. If there's a problem, they know where it is and who to call about it. Why would I do such a crazy thing? A whole bunch of reasons. Go read this:

http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html

Bruce Schneier is a well-respected computer security expert. I pretty much completely share his opinion on this. There are three major reasons why you'd want to restrict access to a WLAN:

1) Security of the computers on the net. They're vulnerable to attacks by things on the local net, so you need to trust every computer on the local net, which means tightly controlling who can be on it. The problem is that most wireless-using computers are laptops, so you're going to be using them at public wifi points anyway (like Starbucks or airports). Your computer is infinitely more vulnerable there.

2) Theft of service. If I'm paying $50/mo to Comcast/ATT/whoever for my net connection, it's not nice for some jerk to come along and freeload. If someone's just checking their mail now and again, I don't care. If a neighbor's net connection is down for some reason and they're waiting to get it fixed, it's only neighborly to offer them a free cup of wifi. Now this can become abusive at times (and once or twice it has), and someone will start downloading lots of stuff and my own service gets super slow. When that's happened, I'll kick the freeloaders off my net (see: MAC address filtering) for a few hours, and then later lift the restrictions. It's never been a chronic issue.

3) Legal liability. Terrorists or people into kiddie porn or script kiddies might use my net connection, and then the lawyers will attack. I'm so not worried about that. It's a risk, but not a significant one as far as I'm concerned.
Friday, November 28th, 2008
3:40 pm
5th anniversary and wedding rings!
Today is the 5th anniversary of our first date. The wedding was in July (due to prop 8 paranoia), but we deferred getting the rings until our date anniversary. Here's what we got:



I love you urso
Wednesday, November 26th, 2008
8:43 pm
totally ganked from ednixon
Saturday, November 22nd, 2008
3:42 pm
Grand unified feed aggregation doohickey
Dear Lazyweb,

Currently, my LJ friends list (via the regular boring web interface) is my RSS feed aggregator. I want to replace it with a feed (RSS+LJ+facebook+twitter+xyz) reader with the following characteristics:

* MUST be web based. MAY use that newfangled AJAX. MUST not suck on non-IE browsers.
* MUST display stuff in chronological order, rather than reverse-chronological. When I go to read stuff, I repeatedly hit the "previous 25 entries" link until I see something I recognize, then keep browser back-arrowing till I hit the most recent, then hit reload to see what's come in since I first hit the front page. LAME.
* MUST have a temporal bookmark sort of feature. SHOULD let me explicitly indicate at some point in the timeline that I've read up through here, and next time I hit the main page, the firehose of feeds displays from then on. MAY use some other magic "he's read this already" technology, if it doesn't suck.
* MUST be able to display friends-only entries from LJ/twitter/facebook/whatever. MAY require that I trust this 3rd party with my service-specific passwords.
* SHOULD have some auto-truncating feature on all entries over N pixels long. I love thornyc's long photo entries (e.g., the super-recent gay Life magazine photos from the early 70s), but I don't always want to scroll through the whole darn thing.

I really don't want to write this myself. But what are my options?
Thursday, October 30th, 2008
10:04 pm
Eventually no more touch screen voting in MD or VA
http://www.washingtonpost.com/wp-dyn/content/article/2008/10/29/AR2008102904105.html

Oddly enough, I saw this on slashdot, rather than Bruce Schneier's blog or Daily Kos.

I'm totally thrilled. Optic-scan paper ballots are the absolute right solution for this problem. There's an audit trail. You can do fast tabulation. Spoiled ballots are detected while the voter is still there. It's cheaper than touch-screen machines. It keeps the election day lines shorter.

The only thing I'm bummed about is that they're still using touch screens next week. Ah well.
Tuesday, October 28th, 2008
3:27 pm
Wednesday, October 8th, 2008
8:47 pm
book page 56 meme
* Grab the nearest book.
* Open the book to page 56.
* Find the fifth sentence.
* Post the text of the next seven sentences in your journal along with these instructions.
* Don't dig for your favorite book, the cool book, or the intellectual one: pick the CLOSEST.

While Chief of Police for the Community College District, I worked hard to improve campus safety and emergency preparedness at the institution and to bring about a high level of cooperation with our neighbors.

Carl Koehler, from his printed statement as a candidate for the SF Community College Board. The book is the San Francisco Voter Information Pamphlet/Sample Ballot - November 4, 2008 - Ballot Type 27.

For the record, this pamphlet has 272 pages. It's the City and County of San Francisco pamphlet, *NOT* the one for the State of California. That one should be in the mail shortly.

Despite the bazillion ballot measures, I still like these pamphlets. I vastly prefer getting them (here in California) to not getting them (back in Pennsylvania).

And I just did the first sentence, not seven, because I'm lazy.
2:39 pm
I'm a degenerate gambler
I blame ts4z.

As chronicled at http://popejeremy.livejournal.com/221042.html , if Obama gets at least 60% of the electoral college and 55% of the popular vote, I owe qiika $1. If he doesn't, I win $1.

60% of 538 is 322.8 electors, so I win for 322 or fewer, she wins for 323 or more.
Tuesday, September 30th, 2008
8:38 pm
I just bought a video game
The Force Unleashed, for PS2.

antioch523 and postgoodism may mock me as they see fit.
Wednesday, September 3rd, 2008
5:31 pm
zsig: changed
Tuesday, September 2nd, 2008
10:01 pm
Geez, for a straight guy, Don Draper is a total manslut.
Monday, August 18th, 2008
7:25 pm