Geek Blogs

A slip of the tongue (or pen) that reveals the unconscious mind.

The misuse of words.

The worship of words: regard for the letter while ignoring the spirit of something.

I still like my last start-up idea about converting MP3 music collections to be legal and cleaning up mangled/ugly filenames. As Amazon and others start to sell MP3s, a startup could easily offer some interesting services. For example, I just saw that a new product called TuneUp will clean up your filenames, metadata, and cover art. That’s cool stuff that fixes a real problem a lot of people have.

Ready for another idea? This one is simple. Make an Android or iPhone app for people who need a taxi. Imagine: you’re in another city, and you just learned that from your hotel to dinner is not walkable. You’re standing on a street corner. What do you do? WHAT DO YOU DO!?

Answer: you fire up “Call me a Cab” on your app-enabled phone. Your phone automatically senses your location and (anywhere in the world) gives you 3-4 suggestions for local cab companies, with phone numbers. That’s the base functionality, but that’s still a huge step forward. When you’re standing on a street corner you don’t often have a page like this in front of you:

Now how would you make the app even better? In some places (like, say, these cities) the app would show you where the closest cab is, call it, and get an “estimated time of arrival” as you watch the cab get closer on a map. Something like this page, but on your phone:

How would you make money? Maybe you sell a premium version of the app that does more (more features, or checks for buses or other public transit nearby). Or maybe taxi/cab companies would be willing to advertise in the app just like they advertise in the yellow pages. Maybe you’re a taxi company and you offer this app for free to make your cabs more efficient or to build a brand (most people think of taxis as a commodity right now). And it doesn’t always have to be about the money, you know. Maybe you do it to build awareness about your software startup and unlock future opportunities down the line.

Once you get GPS + cool sensors + the ability to run an application on a phone, there’s a ton of exciting apps you could write. Sure you could find nearby friends, but why not write a GPS-enabled celebrity spotter? Or an “Am I Speeding Right Now?” app that you can use in your car.

If you need other good ideas, I recommend reading through Paul Graham’s list of suggested start-up ideas. I’m a big fan of #3 (finding “New News”), #13 (online learning), and #28 (fixing email overload). Or for that matter, just think about things around your house or business that are messy or annoying and solve that problem.

I still like my last start-up idea about converting MP3 music collections to be legal and cleaning up mangled/ugly filenames. As Amazon and others start to sell MP3s, a startup could easily offer some interesting services. For example, I just saw that a new product called TuneUp will clean up your filenames, metadata, and cover art. That’s cool stuff that fixes a real problem a lot of people have.

Ready for another idea? This one is simple. Make an Android or iPhone app for people who need a taxi. Imagine: you’re in another city, and you just learned that from your hotel to dinner is not walkable. You’re standing on a street corner. What do you do? WHAT DO YOU DO!?

Answer: you fire up “Call me a Cab” on your app-enabled phone. Your phone automatically senses your location and (anywhere in the world) gives you 3-4 suggestions for local cab companies, with phone numbers. That’s the base functionality, but that’s still a huge step forward. When you’re standing on a street corner you don’t often have a page like this in front of you:

Now how would you make the app even better? In some places (like, say, these cities) the app would show you where the closest cab is, call it, and get an “estimated time of arrival” as you watch the cab get closer on a map. Something like this page, but on your phone:

How would you make money? Maybe you sell a premium version of the app that does more (more features, or checks for buses or other public transit nearby). Or maybe taxi/cab companies would be willing to advertise in the app just like they advertise in the yellow pages. Maybe you’re a taxi company and you offer this app for free to make your cabs more efficient or to build a brand (most people think of taxis as a commodity right now). And it doesn’t always have to be about the money, you know. Maybe you do it to build awareness about your software startup and unlock future opportunities down the line.

Once you get GPS + cool sensors + the ability to run an application on a phone, there’s a ton of exciting apps you could write. Sure you could find nearby friends, but why not write a GPS-enabled celebrity spotter? Or an “Am I Speeding Right Now?” app that you can use in your car.

If you need other good ideas, I recommend reading through Paul Graham’s list of suggested start-up ideas. I’m a big fan of #3 (finding “New News”), #13 (online learning), and #28 (fixing email overload). Or for that matter, just think about things around your house or business that are messy or annoying and solve that problem.

Here are some of the applications that I’m trying out right now:

What applications do you like on the iPhone 3G?

Here are some of the applications that I’m trying out right now:

What applications do you like on the iPhone 3G?

Sometimes people think that the Google Toolbar led to Google indexing a page. Here’s a recent such story, for example, which speculates how urls with the substring “mms2legacy” got indexed. Here’s where I started to disagree:

The reason for this [supposedly unlisted urls getting crawled --Matt], explained Ken Simpson, CEO of anti-spam company MailChannels, is that one’s Google Toolbar may be configured to pass URLs that one visits to Google for indexing. “If you run Google Toolbar, it knows pages you visit,” he said.

Sorry, but if Ken Simpson is implying that the Google Toolbar led to these urls being crawled, then he’s mistaken. Let’s take the first result from the [inurl:mms2legacy] query given in the article. The first url in that result set that I saw was http://mediamessaging.o2.co.uk/mms2legacy/showMessage2.do?encMmsId=F1ABCF6D326A3F65 . Well, if you take the string F1ABCF6D326A3F65 from that url and search for that then you’ll find multiple references to that url. In the cases I looked into, we found these pages via someone publishing a link on http://my.opera.com or other places around the web. I can definitively say that all the urls I looked into were discovered via crawling regular old links.

Folks with great memories may remember that I’ve talked about this before. Back in 2006, both Philipp Lenssen and Google OS did controlled experiments by visiting unlinked deep pages with the toolbar, and both concluded that the toolbar did not lead to those urls being indexed.

It’s good to reiterate this every couple years though, especially as Google has gotten better at finding new pages as it crawls. We get questions like this often enough that we have an FAQ answer about it:

Why is Googlebot downloading information from our “secret” web server?

It’s almost impossible to keep a web server secret by not publishing any links to it. As soon as someone follows a link from your “secret” server to another web server, your “secret” URL may appear in the referrer tag and can be stored and published by the other web server in its referrer log. So, if there’s a link to your “secret” web server or page on the web anywhere, it’s likely that Googlebot and other web crawlers will find it.

Security through obscurity is not a great way to keep a url from being crawled. If you don’t want your content in Google’s web index then we provide a ton of advice on how to prevent that content from getting into Google.

Sometimes people think that the Google Toolbar led to Google indexing a page. Here’s a recent such story, for example, which speculates how urls with the substring “mms2legacy” got indexed. Here’s where I started to disagree:

The reason for this [supposedly unlisted urls getting crawled --Matt], explained Ken Simpson, CEO of anti-spam company MailChannels, is that one’s Google Toolbar may be configured to pass URLs that one visits to Google for indexing. “If you run Google Toolbar, it knows pages you visit,” he said.

Sorry, but if Ken Simpson is implying that the Google Toolbar led to these urls being crawled, then he’s mistaken. Let’s take the first result from the [inurl:mms2legacy] query given in the article. The first url in that result set that I saw was http://mediamessaging.o2.co.uk/mms2legacy/showMessage2.do?encMmsId=F1ABCF6D326A3F65 . Well, if you take the string F1ABCF6D326A3F65 from that url and search for that then you’ll find multiple references to that url. In the cases I looked into, we found these pages via someone publishing a link on http://my.opera.com or other places around the web. I can definitively say that all the urls I looked into were discovered via crawling regular old links.

Folks with great memories may remember that I’ve talked about this before. Back in 2006, both Philipp Lenssen and Google OS did controlled experiments by visiting unlinked deep pages with the toolbar, and both concluded that the toolbar did not lead to those urls being indexed.

It’s good to reiterate this every couple years though, especially as Google has gotten better at finding new pages as it crawls. We get questions like this often enough that we have an FAQ answer about it:

Why is Googlebot downloading information from our “secret” web server?

It’s almost impossible to keep a web server secret by not publishing any links to it. As soon as someone follows a link from your “secret” server to another web server, your “secret” URL may appear in the referrer tag and can be stored and published by the other web server in its referrer log. So, if there’s a link to your “secret” web server or page on the web anywhere, it’s likely that Googlebot and other web crawlers will find it.

Security through obscurity is not a great way to keep a url from being crawled. If you don’t want your content in Google’s web index then we provide a ton of advice on how to prevent that content from getting into Google.

A queen reigning in her own right, as opposed to one having a royal title by marriage. Also known as queen regent.

The new iPhone 3G camera seems to work pretty well. Here’s a test shot with me, two cats, and a laptop:

The iPhone 3G still doesn’t work great for close-ups on very small stuff, but it seems to work well in the four to six foot range.

The new iPhone 3G camera seems to work pretty well. Here’s a test shot with me, two cats, and a laptop:

The iPhone 3G still doesn’t work great for close-ups on very small stuff, but it seems to work well in the four to six foot range.

A very large sum of money.

Of or relating to a marriage between two people of different social ranks such that the spouse of lower rank and the children do not share the titles or possessions of the higher-ranking spouse.

I know what you’re thinking: “Matt, I hacked my original iPhone. Now I want to share in the iPhone 3G fun, but I’m worried that something horrible will happen if I upgrade to the iPhone 3G.”

Buck up, fellow iPhone hacker. I’ll tell you how to upgrade from your hacked Apple phone and keep all the settings you love from your original iPhone. The good news is that it’s not hard and there’s a set of five steps that will combine the comfort of your old settings with the joy of the new 3G iPhone. I’ll lead you through the steps.

1. Upgrade iTunes and sync your old hacked iPhone

Upgrade to iTunes 7.7 (or whatever the latest version is). Plug your hacked iPhone into your computer and make sure that you sync. When you sync, a backup of your iPhone’s settings data is stored in iTunes. Recharge the power in your old hacked iPhone and turn it off. If you want to be ultra-safe, see my post about how to backup iPhone data.

2. Buy an iPhone 3G

This step is time-consuming, but not hard. Apple has a page for its stores and after 9 p.m. you can check the Apple iPhone availability to find a store that has the new iPhone 3G. Hint: if there are multiple stores in your area, call each to see which has the shortest wait. When you buy the iPhone 3G, you don’t need to mention to the salespeople that your previous phone was hacked. Just buy the iPhone 3G and let them activate the phone in the store.

3. Restore the backup of your hacked iPhone to your iPhone 3G

(If you decide to “start fresh” with your new iPhone 3G and don’t want to restore contacts, bookmarks, music, etc. from your old phone, skip this step.)

Resist the temptation to start immediately customizing your iPhone 3G. You’re just going to override any changes when you restore your old iPhone’s settings anyway. In particular, make sure you keep the passlock (where you have to type a PIN to unlock your iPhone) off for the time being. Go home and plug your new iPhone 3G into the same computer with iTunes 7.7 where you did a sync on your old iPhone. iTunes will ask if you want to register your iPhone. I registered my iPhone, but I don’t think it was necessary -- looking back, I think iTunes asked me to register to get permission to send me email offers. Next, iTunes will ask if you want to try 60 days free of MobileMe. I didn’t want that, so I declined. Only after those two offers did iTunes ask if I wanted to set up the new iPhone 3G as a new phone or restore from a backup. The choice looks like:

Choose to restore from a backup and the last sync of your old hacked iPhone should be offered as a choice. Let iTunes restore the backup data and settings from your hacked iPhone to your new iPhone 3G. Once it’s done, pretty much everything should be like it was on your hacked iPhone. The iPhone 2.0 firmware adds some new options, so make sure you explore the settings menu and set any new options the way that you want. Also, if your iPhone is configured to fetch email, your email passwords on the new iPhone 3G will be empty. You will need to re-enter your email passwords.

Finally, if you want to use the Apple App Store, you may need to add a credit card or authorize your computer to purchase things, even if you only want to download free applications. I have a personal policy not to put my data where I can’t get it back out, so I tend to buy MP3s instead of buying music with proprietary Digital Rights Management (DRM) from the Apple Store. As a result, my computer had never been authorized to buy things from the Apple Store. To authorize your computer, in the iTunes program click Store->Authorize Computer... and enter your Apple ID. Once your computer is authorized, you might need to click Store->Check for Purchases... if you tried to download an application from the App Store before your computer was authorized.

4. Upgrade your old iPhone to firmware version 2.0

The iPhone running software version 2.0 has been hacked, so there’s no need to keep running old firmware on your old hacked iPhone. Plug your old hacked iPhone into the computer running iTunes 7.7 and make sure that iTunes is running. Under the “Devices” entry on the left hand side of iTunes, when you click on the iPhone device, you should see a screen with a “Check for Update” button. Click that button. I was running firmware version 1.1.1 and at first it offered me firmware version 1.1.4. So I exited iTunes, restarted iTunes, and clicked “Check for Update” again. Then it offered me firmware version 2.0. Click to install firmware version 2.0 on the old hacked iPhone.

5. Erase the settings and data on your old iPhone

One nice thing about the iPhone’s firmware version 2.0 is that it adds a “secure wipe” that attempts to erase all data completely from your iPhone. That means you can sell the old iPhone or give it to a friend without worrying about all those crazy pictures you took, the 1-900 numbers in your contacts, the SMS messages that reveal things you want to keep private, etc. Here’s how to erase everything on your old iPhone. Eject the phone in iTunes, disconnect the phone from the computer, then press Settings, then General, then Reset, then Erase All Content and Settings, then Erase iPhone. You may have to confirm a couple times that yes, you really want to wipe your iPhone. The process takes about an hour, so I connected my iPhone to a cable that was plugged into a power outlet to ensure that the iPhone wouldn’t run out of power in the middle of wiping it.

When the iPhone is finished erasing itself, it’s suitable for giving to a family member or selling on eBay or whatever.

I know what you’re thinking: “Matt, I hacked my original iPhone. Now I want to share in the iPhone 3G fun, but I’m worried that something horrible will happen if I upgrade to the iPhone 3G.”

Buck up, fellow iPhone hacker. I’ll tell you how to upgrade from your hacked Apple phone and keep all the settings you love from your original iPhone. The good news is that it’s not hard and there’s a set of five steps that will combine the comfort of your old settings with the joy of the new 3G iPhone. I’ll lead you through the steps.

1. Upgrade iTunes and sync your old hacked iPhone

Upgrade to iTunes 7.7 (or whatever the latest version is). Plug your hacked iPhone into your computer and make sure that you sync. When you sync, a backup of your iPhone’s settings data is stored in iTunes. Recharge the power in your old hacked iPhone and turn it off. If you want to be ultra-safe, see my post about how to backup iPhone data.

2. Buy an iPhone 3G

This step is time-consuming, but not hard. Apple has a page for its stores and after 9 p.m. you can check the Apple iPhone availability to find a store that has the new iPhone 3G. Hint: if there are multiple stores in your area, call each to see which has the shortest wait. When you buy the iPhone 3G, you don’t need to mention to the salespeople that your previous phone was hacked. Just buy the iPhone 3G and let them activate the phone in the store.

3. Restore the backup of your hacked iPhone to your iPhone 3G

(If you decide to “start fresh” with your new iPhone 3G and don’t want to restore contacts, bookmarks, music, etc. from your old phone, skip this step.)

Resist the temptation to start immediately customizing your iPhone 3G. You’re just going to override any changes when you restore your old iPhone’s settings anyway. In particular, make sure you keep the passlock (where you have to type a PIN to unlock your iPhone) off for the time being. Go home and plug your new iPhone 3G into the same computer with iTunes 7.7 where you did a sync on your old iPhone. iTunes will ask if you want to register your iPhone. I registered my iPhone, but I don’t think it was necessary -- looking back, I think iTunes asked me to register to get permission to send me email offers. Next, iTunes will ask if you want to try 60 days free of MobileMe. I didn’t want that, so I declined. Only after those two offers did iTunes ask if I wanted to set up the new iPhone 3G as a new phone or restore from a backup. The choice looks like:

Choose to restore from a backup and the last sync of your old hacked iPhone should be offered as a choice. Let iTunes restore the backup data and settings from your hacked iPhone to your new iPhone 3G. Once it’s done, pretty much everything should be like it was on your hacked iPhone. The iPhone 2.0 firmware adds some new options, so make sure you explore the settings menu and set any new options the way that you want. Also, if your iPhone is configured to fetch email, your email passwords on the new iPhone 3G will be empty. You will need to re-enter your email passwords.

Finally, if you want to use the Apple App Store, you may need to add a credit card or authorize your computer to purchase things, even if you only want to download free applications. I have a personal policy not to put my data where I can’t get it back out, so I tend to buy MP3s instead of buying music with proprietary Digital Rights Management (DRM) from the Apple Store. As a result, my computer had never been authorized to buy things from the Apple Store. To authorize your computer, in the iTunes program click Store->Authorize Computer... and enter your Apple ID. Once your computer is authorized, you might need to click Store->Check for Purchases... if you tried to download an application from the App Store before your computer was authorized.

4. Upgrade your old iPhone to firmware version 2.0

The iPhone running software version 2.0 has been hacked, so there’s no need to keep running old firmware on your old hacked iPhone. Plug your old hacked iPhone into the computer running iTunes 7.7 and make sure that iTunes is running. Under the “Devices” entry on the left hand side of iTunes, when you click on the iPhone device, you should see a screen with a “Check for Update” button. Click that button. I was running firmware version 1.1.1 and at first it offered me firmware version 1.1.4. So I exited iTunes, restarted iTunes, and clicked “Check for Update” again. Then it offered me firmware version 2.0. Click to install firmware version 2.0 on the old hacked iPhone.

5. Erase the settings and data on your old iPhone

One nice thing about the iPhone’s firmware version 2.0 is that it adds a “secure wipe” that attempts to erase all data completely from your iPhone. That means you can sell the old iPhone or give it to a friend without worrying about all those crazy pictures you took, the 1-900 numbers in your contacts, the SMS messages that reveal things you want to keep private, etc. Here’s how to erase everything on your old iPhone. Eject the phone in iTunes, disconnect the phone from the computer, then press Settings, then General, then Reset, then Erase All Content and Settings, then Erase iPhone. You may have to confirm a couple times that yes, you really want to wipe your iPhone. The process takes about an hour, so I connected my iPhone to a cable that was plugged into a power outlet to ensure that the iPhone wouldn’t run out of power in the middle of wiping it.

When the iPhone is finished erasing itself, it’s suitable for giving to a family member or selling on eBay or whatever.

The first-person plural pronoun used by a king or queen to refer to himself or herself, for example, "We are not amused," a line attributed to Queen Victoria.

Yup, I’m about to do another blog post where someone says that a website is clean but it doesn’t look like it to us. I did a very similar post in January 2007, and in that post I said

I’ve checked out a quite a few “we don’t have any malware” reports at this point, and I’ve yet to see a false positive — the sites in question have each had some malware on them.

Would you believe that a year and a half later, that’s still true for me? It may be possible that our malware flagging system has false positives, but I can’t recall a single case that I’ve seen where there wasn’t some security hole or malware that was a true issue for the website owner. If you want to know why, read Google’s white paper about how we detect such stuff -- it’s called The Ghost In The Browser Analysis of Web-based Malware and it was written by Niels Provos and several other Googlers.

In fact, just last week I handled a very similar case where Google proactively reached out to a website that had a scripting flaw security. The deja vu from my January 2007 post plus the situation last week made me want to write a generic malware debunking post. Are you ready? Here we go:

$ACCUSER = Brett Glass
$FORUM = Dave Farber’s Interesting People mailing list, specifically this email.
$LONG_ACCUSATION = (I’m going to quote Brett’s whole email here, just for context)

Everyone:

Google has been a strong supporter of the agenda of Free Press, an
inside-the-Beltway lobbying group which has spent hundreds of
thousands of dollars lobbying for regulation of the Internet under
regime known as “network neutrality.” While some of the tenets
included in this agenda are not reasonable, one of those that IS
reasonable is the notion that large corporations such as Comcast
should not block content with which they disagree.

However, Google -- itself a large corporation -- appears to be
blocking a site which expresses opinions with which it does not
agree on this very issue. When one does a search for the terms
“neutrality” and “site:pff.org” (the link

http://www.google.com/search?hl=en&q=neutrality+site%3Apff.org&btnG=Google+Search

will perform this search for you), many of the pages and documents
on the site -- in particular, white papers expressing views with
which Google disagrees -- are tagged with a warning that “This site
may harm your computer.” One cannot click through to the documents
and pages in Google’s search results without cutting the URL from
the page and manually pasting it into one’s browser.

The Web site, operated by a group known as the “Progress and
Freedom Foundation,” does not appear to contain any malware. When
one queries Google as to why the site was blacklisted, it claims
that “Part of this site was listed for suspicious activity 1
time(s) over the past 90 days.” Yet, we could find no malware or
other exploits in the blacklisted PDF files, some of which contain
very well presented and cogent arguments against the agenda which
Google has been actively supporting.

Could it be that Google (whose motto is, reportedly, “Don’t be
evil,”) saying, “Do as I say, not as I do?”

--Brett Glass

P.S. -- What’s especially interesting is that if one queries Google
using just the term, “site:pff.org” (you can use the link

http://www.google.com/search?hl=en&q=site%3Apff.org&btnG=Search

to do this query), one can see that the majority of the supposedly
dangerous site is not blocked. But most or all of the documents
expressing viewpoints on “network neutrality” are.

$SHORT_ACCUSATION = “Google blocked a site with opinions that it disagrees with. Worse, the query [site:pff.org] seems to show that only urls under pff.org/issues-pubs/ are labeled as potentially harmful, and that is the directory where many of the documents that disagree with Google are.”

Given what we have so far, my generic debunking would begin like “Dear $ACCUSER, I saw on $FORUM where you mentioned that Google is flagging a website as malware. You said that $SHORT_ACCUSATION. I wanted to give you a little more background and context to let you know that Google did see an actual malware attack via a real security hole. The other thing you need to know is that Google flagged the site because of the security hole, not because Google agrees or disagrees with any particular content on the site.”

Then I’d give a little background history on all the different ways that Google helps users and webmasters avoid malware. Most of the background would come from this overview post. Since that post was published in mid-2007, Google has done even more to protect users:

- Niels Provos and his colleagues published another technical report with more details about the malware detection framework and what it discovered (more info here).

- Google launched a Safe Browsing API so that third party applications can benefit from Google’s list of malware and phishing urls. If you appreciate that Firefox 3 has better security, one of the reasons is that Firefox 3 utilizes the Safe Browsing API.

- More recently, the anti-malware folks at Google launched a Safe Browsing Diagnostic page where you can enter a url and get a ton of really useful information.

The last one is especially impressive. For example, check out the Safe Browsing Diagnostic page for pff.org:

That page gives a ton of helpful info to site owners and anyone else who is interested in why a particular site or url was flagged as potentially harmful.

All that would go quite far to reply to people that had questions about their site being flagged for malware. But this post is getting quite long, so let’s get back to this specific report in this case. The original person who reported this situation had already noticed that not all of pff.org was flagged. If you do a site: query on Google, you only see warnings for pff.org/issues-pubs/ .

If you visit pff.org/issues-pubs/, you’ll see that it’s a web form. It looks like pff.org stored their data in a SQL database but didn’t correctly sanitize/escape input from users, which led to a SQL injection attack where regular users got exposed to malicious code. As a result, normal users appear to have loaded urls like hxxp://www.ausbnr .com/ngg.js and hxxp://www.westpacsecuresite .com/b.js

I never like it when people accuse Google of flagging a site as malware just because we don’t like it for some reason. The bright side of this incident is that pff.org will find out about a security hole on their site that was hurting their users (it looks like pff.org has disabled the search on the vulnerable page in the last few hours, so it appears that they’re responding quickly to this issue). Flagging malware on the web doesn’t earn any money for Google, but it’s clearly a Good Thing for users and for the web. I’m glad we do it, even if it means that sometimes we have to write a generic malware post to debunk misconceptions.

Yup, I’m about to do another blog post where someone says that a website is clean but it doesn’t look like it to us. I did a very similar post in January 2007, and in that post I said

I’ve checked out a quite a few “we don’t have any malware” reports at this point, and I’ve yet to see a false positive — the sites in question have each had some malware on them.

Would you believe that a year and a half later, that’s still true for me? It may be possible that our malware flagging system has false positives, but I can’t recall a single case that I’ve seen where there wasn’t some security hole or malware that was a true issue for the website owner. If you want to know why, read Google’s white paper about how we detect such stuff -- it’s called The Ghost In The Browser Analysis of Web-based Malware and it was written by Niels Provos and several other Googlers.

In fact, just last week I handled a very similar case where Google proactively reached out to a website that had a scripting flaw security. The deja vu from my January 2007 post plus the situation last week made me want to write a generic malware debunking post. Are you ready? Here we go:

$ACCUSER = Brett Glass
$FORUM = Dave Farber’s Interesting People mailing list, specifically this email.
$LONG_ACCUSATION = (I’m going to quote Brett’s whole email here, just for context)

Everyone:

Google has been a strong supporter of the agenda of Free Press, an
inside-the-Beltway lobbying group which has spent hundreds of
thousands of dollars lobbying for regulation of the Internet under
regime known as “network neutrality.” While some of the tenets
included in this agenda are not reasonable, one of those that IS
reasonable is the notion that large corporations such as Comcast
should not block content with which they disagree.

However, Google -- itself a large corporation -- appears to be
blocking a site which expresses opinions with which it does not
agree on this very issue. When one does a search for the terms
“neutrality” and “site:pff.org” (the link

http://www.google.com/search?hl=en&q=neutrality+site%3Apff.org&btnG=Google+Search

will perform this search for you), many of the pages and documents
on the site -- in particular, white papers expressing views with
which Google disagrees -- are tagged with a warning that “This site
may harm your computer.” One cannot click through to the documents
and pages in Google’s search results without cutting the URL from
the page and manually pasting it into one’s browser.

The Web site, operated by a group known as the “Progress and
Freedom Foundation,” does not appear to contain any malware. When
one queries Google as to why the site was blacklisted, it claims
that “Part of this site was listed for suspicious activity 1
time(s) over the past 90 days.” Yet, we could find no malware or
other exploits in the blacklisted PDF files, some of which contain
very well presented and cogent arguments against the agenda which
Google has been actively supporting.

Could it be that Google (whose motto is, reportedly, “Don’t be
evil,”) saying, “Do as I say, not as I do?”

--Brett Glass

P.S. -- What’s especially interesting is that if one queries Google
using just the term, “site:pff.org” (you can use the link

http://www.google.com/search?hl=en&q=site%3Apff.org&btnG=Search

to do this query), one can see that the majority of the supposedly
dangerous site is not blocked. But most or all of the documents
expressing viewpoints on “network neutrality” are.

$SHORT_ACCUSATION = “Google blocked a site with opinions that it disagrees with. Worse, the query [site:pff.org] seems to show that only urls under pff.org/issues-pubs/ are labeled as potentially harmful, and that is the directory where many of the documents that disagree with Google are.”

Given what we have so far, my generic debunking would begin like “Dear $ACCUSER, I saw on $FORUM where you mentioned that Google is flagging a website as malware. You said that $SHORT_ACCUSATION. I wanted to give you a little more background and context to let you know that Google did see an actual malware attack via a real security hole. The other thing you need to know is that Google flagged the site because of the security hole, not because Google agrees or disagrees with any particular content on the site.”

Then I’d give a little background history on all the different ways that Google helps users and webmasters avoid malware. Most of the background would come from this overview post. Since that post was published in mid-2007, Google has done even more to protect users:

- Niels Provos and his colleagues published another technical report with more details about the malware detection framework and what it discovered (more info here).

- Google launched a Safe Browsing API so that third party applications can benefit from Google’s list of malware and phishing urls. If you appreciate that Firefox 3 has better security, one of the reasons is that Firefox 3 utilizes the Safe Browsing API.

- More recently, the anti-malware folks at Google launched a Safe Browsing Diagnostic page where you can enter a url and get a ton of really useful information.

The last one is especially impressive. For example, check out the Safe Browsing Diagnostic page for pff.org:

That page gives a ton of helpful info to site owners and anyone else who is interested in why a particular site or url was flagged as potentially harmful.

All that would go quite far to reply to people that had questions about their site being flagged for malware. But this post is getting quite long, so let’s get back to this specific report in this case. The original person who reported this situation had already noticed that not all of pff.org was flagged. If you do a site: query on Google, you only see warnings for pff.org/issues-pubs/ .

If you visit pff.org/issues-pubs/, you’ll see that it’s a web form. It looks like pff.org stored their data in a SQL database but didn’t correctly sanitize/escape input from users, which led to a SQL injection attack where regular users got exposed to malicious code. As a result, normal users appear to have loaded urls like hxxp://www.ausbnr .com/ngg.js and hxxp://www.westpacsecuresite .com/b.js

I never like it when people accuse Google of flagging a site as malware just because we don’t like it for some reason. The bright side of this incident is that pff.org will find out about a security hole on their site that was hurting their users (it looks like pff.org has disabled the search on the vulnerable page in the last few hours, so it appears that they’re responding quickly to this issue). Flagging malware on the web doesn’t earn any money for Google, but it’s clearly a Good Thing for users and for the web. I’m glad we do it, even if it means that sometimes we have to write a generic malware post to debunk misconceptions.

A document or a law recognizing basic rights and privileges.