User Journal

Journal: Cool tip - VLC global hotkeys

Journal by GameboyRMH

I'm on a journal roll this morning.

VLC is often pointed out as a piece of software that's too geeky because it has a million and one options. It allows a level of customization that would more than satisfy even the most assburgerish nerd. But here's a handy one you might not have known about: global hotkeys. VLC allows you to set hotkeys that work even when the app doesn't have focus, in both Windows and Linux.

And it's so simple and useful you'll feel stupid if you haven't been using it already. Open Preferences (Simple view), go to Hotkeys, click the table cell in the Global column for the command you want, and press the key you want to assign. When you're done, hit Save at the bottom (important!) and restart VLC.

My desktop and laptop both have Next/Prev/Play&Pause/Stop keys so I assigned those. I also assigned the Volume Up and Down (VLC's own volume control with preamp that can be cranked super high, a godsend for videos of unusual volume) to Ctrl-Next and Ctrl-Prev. Very handy, now when I'm playing music I never have to bring up the VLC window!

Security

Journal: Got my Gmail hacked despite ultra-tight security (UPDATED)

Journal by GameboyRMH

So this morning I logged into my Gmail and got a "login from unusual location" warning that happened sometime yesterday. Yesterday, I only logged into Gmail from two usual places, no unknown wifi APs or proxies, and here is a login from some US address (ubiquityservers.com:108.62.174.66).

I advertise my email on Slashdot, making it easy for potentially pissed-off hackers to have a crack at it, and it's secured to stand up to this. It has a very strong password and a recovery question that requires you to hash the original password with some extra characters. IMAP and POP3 access are disabled. 95% of the time I browse with anti-MITM and cert-checking plugins. Needless to say I don't have malware on any of my computers. So understandably I was stunned and incredulous that this account had been brute-forced, but to be safe I had to reset it so I mashed the keyboard for a long random password, saved it to a couple computers on the network (important! :-P but I had never saved the old password anywhere, now I have to come up with a new memorable strong password, D'oh!!!), set the Gmail password to it and updated the recovery password (because changing the recovery password without changing the recovery question would be a very clever way to keep a second shot at access).

All of my personal web accounts are registered to this email so I'll have to keep an eye on them. Still I think this must be due to some vulnerability in Gmail, there's just no freaking way that password was brute-forced, especially considering that Gmail has a brute force limiter.

UPDATE: Found a possible explanation

Someone who knows only my Gmail address (which I advertise freely) could have broken into my account under "scenario A" in the study, and presumably changed the password and recovery challenge if they wished to. Pretty scary.

User Journal

Journal: Making Google keep to itself with Multifox

Journal by GameboyRMH

For quite some time I've wanted to isolate my Google web services from my other usage - when you're logged into Google, they track your searches, what results you click on, what videos you watch on YouTube, and the new single privacy policy only allows more of this inter-service sharing I don't want. I was thinking that if Firefox could have a concurrent private browsing window, as Chrome can, I could sign into my Google accounts in there, thus keeping my Google cookies confined to the window with only Google services in it.

Firefox can't do that. What it can do, with the Multifox plugin, is open a new window with a separate identity. And they survive session restores too, handy! So it's like having a separate browser installed, just minus all the hassle that makes that a PITA solution.

User Journal

Journal: My Sci-Fi reading list 4

Journal by GameboyRMH

So the list of sci-fi books I plan to read has been building up, because recently I just haven't had the time. I usually just blow through books when I'm on vacation but otherwise can't get much reading done; that's why I still haven't finished proofreading mcgrew's latest Paxil Diaries compilation (sorry!). I figured I'd better write them down before I forget them (which is something I can do very easily), and why not share the list while I'm at it?

So here they are in no particular order:

REAMDE by Neal Stephenson

Ready Player One by Ernest Cline

Daemon & Freedom by Daniel Suarez (better finish them before the movie comes out)

Lacuna: Demons of the Void by David Adams (Slashdotter-written & available DRM-free)

The Moon is a Harsh Mistress by Robert Heinlein (I know, not having read this is terrible for my geek cred)

The Ship who Sang by Anne McCaffrey (only heard of this one in the thread on her death...my dad is a big McCaffrey fan but it's hard for me to get into fantasy/soft sci-fi mixes)

Second Cousins by Douglas Roberts (also Slashdotter-written & available DRM-free)

Fallen Dragon by Peter Hamilton

Rx by Robert Brockway (available DRM-free)

User Journal

Journal: How to launch a successful Web 2.0 startup 1

Journal by GameboyRMH

Today I was reading this article and suddenly the steps to running a successful Web 2.0 startup became clear:

1. Come up with the most dystopian perversion of social networking your imagination is capable of.
2. Make it real.
3. Profit!

Many of these services are created with the intention of making themselves "gatekeepers of reputation": most prominently Reppify and Klout (mentioned above) and Angie's List. Others have become de-facto "gatekeepers" over time (LinkedIn and to a lesser extent Facebook), but these have been created with the nearly explicit intention from day one. Quite a worrying trend, we already have credit scores to worry about, the last thing we need is more privately-controlled worthiness metrics that we have to build up by appeasing our corporate overlords.

User Journal

Journal: List of Shill Accounts on Slashdot 7

Journal by GameboyRMH

Since journals are now apparently editable with no time limit, I figured I'd provide the public service of listing the active shill accounts I come across on Slashdot. Keep in mind that many employ negative marketing, where they sling mud at competing products and companies rather than promoting their own, and of course posting some balance of personal non-shilling posts is a good way to reduce suspicion.

Here the shills will be listed by the company they are shilling for along with some comments. I'll link to their user pages to make it convenient for you to see their comments and submissions and judge for yourself.

Microsoft

Microsoft shilling has really flared up over the last couple of years and MS is currently running the overwhelming majority of astroturf campaigns on Slashdot. It is suspected that the company running the campaign for MS is Waggener Edstrom (thanks anon!). Recently there's been a shift towards negative marketing, where the shills say bad things about Google products while subtly plugging MS products. They often call anyone who says anything bad about Microsoft an anti-MS zealot who's stuck in the past.

GPLJonas: A brand new user comes on and his very first post (which is a first-post itself) gushes about the wonders of Windows Server while making factually inaccurate negative statements about Linux. Uh huh. Funny enough, part of the post was plagiarized from an entry in PedXing's blog. These shills can't even do an honest day's work for an honest day's pay. Seems like the shills took a break for the 2011 holiday season and now they're back at work.

InsightIn140Bytes: Recent shill account, more subtle than the last wave.

nepka: another standard-issue MS shill. I notice a lot of the political comments these guys make are heavily pro-establishment. Just an odd trend.

andresa: Standard-issue negative-marketing shill, the type most commonly employed by Microsoft as of mid/late 2011. With these more recent accounts they seemed to have stopped bothering with posting a balance of personal material.

ge7: Older shill account, seems to be inactive now. This account is from a time when MS was trying hard to keep their shills credible, with nearly half of their posts being non-shilling neutral posts.

Viablos: Old shill account I dug up from my email.

Apple

noh8hrz/noh8hrz2: Apple shills are damn near impossible to distinguish from their fanboys, but I'm pretty sure this one's a shill.

Getting rid of shills

The best way to get rid of shills is intense public shaming. They'll at least start new accounts when one is caught and shamed, and that will cost them karma and slow them down. Busting shills will cost you some karma, both from uninvolved and apathetic Slashdotters who don't like your off-topic comments and from other shills who want to keep shill-busting comments modded down (you'll notice most shill accounts have the "spent all my mod points" achievement). But what's karma for if not to spend it, and why not spend it on something positive? ;)

If anyone has any more to add to this list then please comment. I know there are many but I'm just adding the few that I can remember.

Update: SharkLaser turned out to be a troll. Partly I feel better because trolling for lulz isn't as bad as shilling for cash, but on the other hand that means there's a troll submitter with a better approval rate than me.

User Journal

Journal: Dan Schectman and a true story of controversy in science 20

Journal by GameboyRMH

Take a look at this. This is what controversy in science really looks like. And what happened in the end? A cover-up? A genius dying in poverty? No, the guy who was right won a freaking Nobel prize and made his critics look like total morons. This is the reward that rightly awaits any scientist who can disprove the status quo. Later I will have to do a proper write-up and submit it to Slashdot, the AGW denialists must see this.

User Journal

Journal: Web Technology Solution Form (work in progress) 3

Journal by GameboyRMH

The discussion on the recent article on JS' problems inspired me to make this, but I've also made it with solutions to the CA problem, client apps, and multimedia tech like Flash/Silverlight/WebGL in mind.

Your proposed web technology is a:

( ) Client-based
( ) Server-based
( ) Network-based

Solution trying to address a lack of:

( ) Speed
( ) Security
( ) Functionality
( ) Interoperability

And requires all devices to:

( ) Have the same CPU architecture
( ) Run the same operating system
( ) Use a proprietary and/or patent-encumbered piece of software
( ) Be carefully administered by security-conscious uber-geeks
( ) Place all trust in one corporation or government agency
( ) Unnecessarily rely on a fragile, hierarchical infrastructure

And furthermore:

( ) Exposes CPU/GPU microcode vulnerabilities to the web
( ) Makes web developers' lives miserable
( ) Makes users' lives miserable
( ) Destroys developer freedom
( ) Destroys user privacy
( ) Only moves the problem to another area

In summary, your solution fails because:

( ) One True Platform solutions are not acceptable
( ) Average Joes have to use computers too
( ) There are bad guys on the Internet
( ) Proprietary and/or hierarchical web technologies are bad and the last thing we need is more of them

I'll take suggestions on what to add to this form, so make some.

Facebook

Journal: Facebook's pure HTML tracking system 22

Journal by GameboyRMH

So, thought you were safe from all the tracking systems out there with your browser locked down like Fort Knox? You've got your scripts, cookies, Flash objects & storage all working on a whitelist system, your browser's geolocation API disabled, and maybe even more. And all the tracking & analytics systems out there rely on Javascript and those other "higher functions," right?

Not really. Facebook's doing it old school. It's a long story you can read here, but a peculiar effect caused by my menagerie of security plugins brought my attention to a new form of tracking that Facebook's been using over (at least) roughly the last week. In a Wired.com page, I found that Facebook is using a small iframe that fetches a page with a URL such as:

http://www.facebook.com/widgets/like.php?href=http://www.wired.com/autopia/2011/08/no-public-transit-no-job/&layout=button_count&show_faces=false

In this case the URL of the page it was found on was http://www.wired.com/autopia/2011/08/no-public-transit-no-job/, which is exactly what the href parameter carries.

This iframe actually renders the Like button.

This form of tracking will work with the most basic of browsers with all client-side scripting/application systems and web-facing APIs disabled. Upon doing more research I found that Lynx is actually safe as it doesn't display frame contents, but rather converts them into hyperlinks.

From this tracking iframe Facebook can get, at a bare minimum, the following info:

- The page you've just viewed
- Your IP address
- Your browser agent info (which, by default, contains far more detail than you might think - right down to your machine's CPU architecture).

It should also be possible, on a permissive browser, to use cookies, run Javascript from this iframe (which it does include) to get access to much of the info shown in the Panopticlick project, access HTML5 storage, Flash storage, and the geolocation API.

The only surefire way to block it would be to blacklist all connections to any Facebook domains - and the domains of any other tracking services that deploy similar systems in the future.
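As an added example (not code from the journal or from Facebook), here is a small scanner for the tracking pattern described above: it parses an HTML page, reports every iframe that fetches from a site other than the embedding page's own, and lists which query parameters repeat the embedding page's URL, as the like.php href parameter does. The sample page is constructed from the Wired URL and the like.php iframe quoted in the entry, plus a same-site iframe that should not be flagged; the two-label domain comparison in site_of is a deliberate simplification.

```python
# Added example, not part of the original journal entry: find <iframe>
# elements that hand the embedding page's URL to a third-party site.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def site_of(host):
    """Crude registrable-domain approximation (assumption: last two labels),
    so www.facebook.com and facebook.com compare equal."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_third_party_iframes(html_doc, page_url):
    """Return one record per iframe whose host is not the embedding page's site.

    Each record gives the third-party host, the fetched path, and the query
    parameters whose value repeats the embedding page's own URL. Note that
    even without such a parameter the third party still sees the IP address,
    the User-Agent and (usually) the Referer of the embedding page."""
    page_site = site_of(urlparse(page_url).hostname or "")
    collector = IframeCollector()
    collector.feed(html_doc)
    findings = []
    for src in collector.srcs:
        parsed = urlparse(src)
        if not parsed.hostname:
            continue  # relative src: same origin, no third-party request
        if site_of(parsed.hostname) == page_site:
            continue
        leaking_params = sorted(
            key for key, values in parse_qs(parsed.query).items()
            if any(v.startswith(page_url) for v in values)
        )
        findings.append({
            "host": parsed.hostname,
            "path": parsed.path,
            "leaking_params": leaking_params,
        })
    return findings


# Constructed sample page: the Wired article URL and the like.php iframe from
# the journal entry, plus two same-site iframes that must not be reported.
PAGE_URL = "http://www.wired.com/autopia/2011/08/no-public-transit-no-job/"
SAMPLE_HTML = """
<html><body>
<h1>No public transit, no job</h1>
<iframe src="/ads/house-promo.html" width="300" height="250"></iframe>
<iframe src="http://www.facebook.com/widgets/like.php?href=http://www.wired.com/autopia/2011/08/no-public-transit-no-job/&amp;layout=button_count&amp;show_faces=false"
        scrolling="no" frameborder="0"></iframe>
<iframe src="http://video.wired.com/embed/clip"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_third_party_iframes(SAMPLE_HTML, PAGE_URL):
        print(f"third-party iframe to {f['host']}{f['path']}; "
              f"page URL repeated in params: {f['leaking_params'] or 'none'}")
```

Running it on the sample reports the single Facebook iframe with `href` as the leaking parameter; the scanner needs no JavaScript engine because, as the entry points out, the leak happens at the plain HTTP fetch of the iframe source. The output is a convenient input for the blacklist approach mentioned above: every reported host is a candidate for a hosts-file or proxy block.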

I was considering posting this to Slashdot's firehose but some more research has shown that Facebook has been offering at least some sort of iframe method for inserting Like buttons since at least April 2010, so I'll just post to my journal for now rather than potentially making a fool of myself.

User Journal

Journal: How to bring the cops to Tor exit node operators' doors using the .exit feature 2

Journal by GameboyRMH

So today I ran across an interesting feature of Tor. You probably know about .onion sites, basically a freenet-like feature. Well there's another special Tor domain called .exit. This allows you to directly access a peer over the Tor network (so you could, say, access their FTP server (if they've made the port available over this service) over Tor when it isn't open to the Internet otherwise or is blocked from your country) and it also allows you to specify the exit node that your traffic goes out through, by going to something like http://google.com.peername.exit.

You can see the problem with this, right?

Normally when you connect to Tor your exit node changes randomly every few minutes. With the ability to specify which node your traffic exits through, you could do a large number of illegal things through a single exit node, destroying the exit node operator's plausible deniability that it was some random guy. Or even just one very illegal thing done through a node could ruin the exit node operator's life - uploading child porn to a government web site for instance. This feature is poorly documented and not many people know about it - it's on the Wikipedia article about .onion sites but not mentioned in the Tor documentation as far as I can tell!

Even if its existence were better-known, it increases the risk of running a Tor exit node, and there's apparently no way to disable .exit access through your node entirely. Cycling peer names and disabling the published contact email will make it harder for someone to pin you down but isn't a surefire countermeasure.

After all this gloom and doom about Tor I should mention that I also found a potentially useful little-known feature: the Bridge Relay setting. This allows you to help the Tor network somewhat without putting yourself at any legal risk whatsoever or risk of being banned from sites that ban Tor exit nodes. When set as a bridge relay, your node will act as an intermediary between other Tor nodes only. Not as useful as running an exit node but it could be a good option for many people, businesses could even safely allow bridge nodes to run after hours. So anyone who's been afraid to run an exit node but wants to help the network, at least do this.
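As an added example (not text from the journal or from the Tor Project's documentation), this is what the bridge relay setting described above looks like when written into a torrc directly rather than set through the GUI. The Nickname and ContactInfo values are placeholders; ORPort 9001 is only the conventional default and any reachable port will do.

```conf
# Added example torrc fragment: a bridge relay that carries Tor traffic
# but never lets anything leave the Tor network from this machine.
BridgeRelay 1
ORPort 9001
ExitPolicy reject *:*
Nickname ExampleBridge
ContactInfo example-operator AT example DOT com
```

The `ExitPolicy reject *:*` line is what keeps the node off the exit-node lists that sites use for banning, which is the property the entry is after; `BridgeRelay 1` additionally keeps the relay out of the public relay directory.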
