Another guy on the net talking about nothing specific.

Lost Blogs

November 10th, 2009 Posted in Unspecific

This is a blog post that has been removed due to strong-arming by Microsoft (or so the story goes).

Breaking Bing Cashback

Posted November 4th, 2009 by Samir

I’ve never bought anything using Bing Cashback, but the balance of my account is $2080.06. Apparently, I placed two $1 orders on January 24th of this year, and spent another $104,000 on October 24th. Let’s see how these transactions might have “accidentally” got credited to my account.

First, we need to try to figure out how transactions get into Bing Cashback. Microsoft posted some documentation here. The explanation of how a merchant reports transactions to Bing starts on page 20. Merchants have a few options for reporting, but Bing suggests using a tracking pixel. Basically, the merchant adds a tracking pixel to their order confirmation page, which will report the transaction details back to Bing. The request for the tracking pixel looks something like this:

https://ssl.search.live.com/cashback/pixel/index?
jftid=0&jfoid=<orderid>&jfmid=<merchantid>
&m[0]=<itemid>&p[0]=<price>&q[0]=<quantity>

This implementation, while easy for the merchant, has an obvious flaw. Anyone can simulate the tracking pixel requests, and post fake transactions to Bing. I’m not going to explain exactly how to generate the fake requests so that they actually post, but it’s not complicated. Bing doesn’t seem to be able to detect these fake transactions, at least not right away. The six cents I earned in January have “cleared,” and I’m guessing the remaining $2080 will clear on schedule, unless there is some manual intervention.

Even if Bing detects these fake transactions at some point in the future, the current implementation might have another interesting side effect. I haven’t done enough work to say it with confidence, but a malicious user might be able to block another user’s legitimate purchases from being reported correctly by Bing (I only tried this once, but it seemed to work). Posting a transaction to Bing requires sending them an order ID in the request. Bing performs a reasonable sanity check on the order ID, and will not post a transaction that repeats a previously reported order ID.  When a store uses predictable order ID’s (e.g. sequential), a malicious user can “use up” all the future order ID’s, and cause legitimate transactions to be ignored. Reporting would be effectively down for days, causing a customer service nightmare for both Bing and the merchant.

Based on what I’ve found, I wouldn’t implement Bing Cashback if I were a merchant.  And, as an end user and bargain hunter, it does not seem smart to rely on Bing Cashback for savings.  In our next blog post, I’ll demonstrate some other subtle but important reasons to avoid using Bing Cashback.
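One way a report receiver could close the two gaps described in the post above (an added example, not code from the original post and not Bing's actual API): the merchant's server signs each report with a per-merchant secret, and the receiver authenticates before it de-duplicates, so unauthenticated requests neither post nor consume order IDs. The `sig` parameter, the shared key and all sample values are assumptions; the other parameter names come from the request shown in the post.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo secret; a real key would be provisioned per merchant out of band.
MERCHANT_KEYS = {"m-1001": b"constructed-demo-secret"}
FIELDS = ("jfmid", "jfoid", "m[0]", "p[0]", "q[0]")  # parameters named in the post

def tag_for(params, key):
    """HMAC-SHA256 over the signed fields, URL-encoded in a fixed order."""
    msg = urlencode([(k, params[k]) for k in FIELDS]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_report(params, key):
    """Merchant side: runs on the merchant's server, never in the page itself."""
    return urlencode({**params, "sig": tag_for(params, key)})  # "sig" is hypothetical

class ReportReceiver:
    """Receiver side: authenticate first, then de-duplicate per merchant."""

    def __init__(self, keys):
        self.keys = keys
        self.seen = set()  # (merchant id, order id) pairs already credited

    def accept(self, query):
        p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        key = self.keys.get(p.get("jfmid", ""))
        if key is None or any(f not in p for f in FIELDS):
            return "rejected: unknown merchant or missing field"
        sig = p.get("sig", "").encode()
        if not hmac.compare_digest(tag_for(p, key).encode(), sig):
            return "rejected: bad signature"
        order = (p["jfmid"], p["jfoid"])
        if order in self.seen:
            return "rejected: duplicate order"
        self.seen.add(order)  # only authenticated reports can consume an order ID
        return "accepted"

def demo():
    key = MERCHANT_KEYS["m-1001"]
    order = {"jfmid": "m-1001", "jfoid": "5001",
             "m[0]": "sku-1", "p[0]": "19.99", "q[0]": "1"}  # constructed order
    unsigned = urlencode({**order, "jfoid": "5002"})  # report with no signature
    altered = sign_report(order, key).replace("19.99", "1999.99")  # price changed
    genuine = sign_report(order, key)
    later = sign_report({**order, "jfoid": "5002"}, key)  # real order 5002
    rx = ReportReceiver(MERCHANT_KEYS)
    return [rx.accept(q) for q in (unsigned, altered, genuine, genuine, later)]

if __name__ == "__main__":
    print(demo())
```

Because the unsigned report for order 5002 is refused before the duplicate check, the merchant's genuine report for 5002 is still accepted afterwards.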

NINE WORDS WOMEN USE

November 3rd, 2009 Posted in Unspecific

As received from my fiancé… words of warning or advice.

1 ) Fine: This is the word women use to end an argument when they are right and you need to shut up.

2 ) Five Minutes: If she is getting dressed, this means one-half hour.  Five minutes is only five minutes if you have just been given five more minutes to watch the game before helping around the house.

3) Nothing: This is the calm before the storm.  This means something, and you should be on your toes.  Arguments that begin with nothing usually end in fine.

4 ) Go Ahead: This is a dare, not permission. Don’t Do It!

5 ) Loud Sigh: This is actually a word, but is a non-verbal statement often misunderstood by men.  A loud sigh means she thinks you are an idiot and wonders why she is wasting her time standing here and arguing with you about nothing.  (Refer back to # 3 for the meaning of nothing.)

6) That’s Okay: This is one of the most dangerous statements a woman can make to a man. That’s okay means she wants to think long and hard before deciding how and when you will pay for your mistake.

7 ) Thanks: A woman is thanking you, do not question, or faint. Just say you’re welcome. (This is true, unless she says ‘Thanks a lot’ – which is PURE sarcasm and she is not thanking you at all. DO NOT say ‘you’re welcome’, as that will bring on a ‘whatever’.)

8 ) Whatever: Is a woman’s way of saying F– YOU!

9 ) Don’t worry about it, I’ve got it: Another dangerous statement, meaning this is something that a woman has told a man to do several times, but is now doing it herself. This will later result in a man asking, ‘What’s wrong?’ For the woman’s response, refer to # 3.

SSL-Cipher-Check v1.6

October 21st, 2009 Posted in Computers, Software, Unspecific

SSL-Cipher-Check v1.6 (http://unspecific.com/ssl/) Released. Bugfix for SSLv2 incomplete handshake causing false positive.

Steven Andrés (of Special Ops Security) pointed out a flaw and gave me a fix.
“For some cipher combinations, OpenSSL will return a “verify return” command but then later on fail with the “no cipher list” error. Since you check the former and not the latter, you false positive on these ciphers.”

His patch has been applied and all is working well.

Chaos

October 18th, 2009 Posted in Unspecific
011000100110100101101110011000010111001001111001001000000110100101110011
001000000111010001101000011001010010000001100101011100000110100101110100
011011110110110101100101001000000110111101100110001000000110111101110010
01100100011001010111001000001010

A Walk on the Beach

October 7th, 2009 Posted in Unspecific

Founding Fathers

August 12th, 2009 Posted in Unspecific

political-pictures-founding-fathers-beer-pot

My Dad

July 12th, 2009 Posted in Photography, Unspecific
My Dad


Sharing my Ringtone

July 3rd, 2009 Posted in Music, Photography, Ringtones, Unspecific

This is my latest default ringtone….  I am easily amused.

Bright side of Death

Photo Shoot

June 22nd, 2009 Posted in Photography, Unspecific

First official photo shoot…  Thanks Tom

Maxwell

June 21st, 2009 Posted in Photography, Unspecific

Made for being in front of a camera.