I just arrived in Atlanta for Georgia Tech University hack day and the weather is awesome. I spent the day in the sun in cafes writing my slides for the Mix10 conference next week and now I am going through my feeds. So time for another TTMMHTM:

• YouTube is changing its URLs – this didn’t really make me happy but it means I know why some people cannot use Easy YouTube at the moment and I know now that it is easy to fix.
• Google released a Public Data Directory taking government data and running it through the visualization API to allow you to directly embed charts into your pages. The Guardian’s World Government Data collection is still much more detailed but well done Google.
• The Humunga Stache Dog Toy makes me wish I had a dog to mess with.
• Carsonified/ThinkVitamin released my article on GeoExplorer and using Yahoo’s geo technology
• Creative people rock: 45 robots build with everyday trash
• Packrati.us is a service to automatically add URLs you tweet about to del.icio.us – this saves me some time!
• RadarVirtuel is a live map of aircraft and where they are right at this moment, where they came from and where they are headed.
• What do you suggest? takes a seed from you (or gives you something random) then guides you on a journey through language and the collective lives of Google users.
• GestureCons are a set of icons for touch-screen devices. My favourite is the two finger slide which in England doesn’t go down well as it also is the two finger salute

Following the link on ReadWriteWeb to the Chrome Developer Blog I downloaded the beta for Mac and tried it out.

The result, using the GeoPlanet Explorer shows that navigator.geolocation works:

In order to enable geolocation on Chrome you need to start it from the Terminal – for example in OSX:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --enable-geolocation

Good times ahead. Now ship it, Google!

All of these links sooner or later redirect to firemicrosoft.net which is owned by someone in Russia and hosted by GoDaddy.

Don’t make folders writable to the world

What happened is that I had a very old guestbook script I had written once still running in this folder. The trick back then (and advocated by a lot of PHP tutorials as it is much easier that way) was to chmod a folder to 777 (read/write/execute permission for all) to store flat files in it. That was good enough for me back then (around 2000) and guess what? It was good enough for the spammers to store their blog.

Static page generation – in bulk

The blog was set up quite craftily in terms of SEO: Search Engines love static pages, so instead of accessing a DB – which wasn’t compromised – they simply created static pages for all the search queries that came in. After all this is about showing links and Google juice, not about delivering content. In the end, I found that I had 23487 HTML files advertising spam. Thank god for SSH access as this would have taken some time to delete over SFTP.

I investigated last night and I am happy to say that this is all that happened. If I found a folder to store whatever I pleased into I’d have also tried to read other files, including the wp_config.php for example.

Google Reader as a whistle blower

The interesting part about this is how I came to find out about it: Google Reader. I have a Google blog search RSS feed in my reader that notifies me every time someone links to http://wait-till-i.com – I found this much more useful than trackbacks which seem only to be used by spammers these days anyways:

In this feed I got a lot of posts from http://vancouverisawesome.com/:

I thought at first that this is because of http://winterolympicmedals.com – after all it is timely for that. When I looked at the source code of this site, however, I found that just before the closing BODY tag spammers had injected links to different sites advertising OEM software:

<b1><div style="position:absolute; left:0px; top:0px; 
width:100%; height:20px; z-index:1; visibility: hidden">   
[... lots of links interspersed with random HTML ...]
</div></b1>

At first I sniggered about them linking to a folder on my site I know that doesn’t exist but when I clicked the link and found the blog my smile vanished quickly.

See the whole stuff on pastebin – as you can see, all in all eight sites were attacked the same way.

What I find curious is that the links on vancouverisawesome are hidden and seem to still be indexed by Google – I remember being almost kicked out of AdSense once for absolutely positioning ads. Also, the links might be on the top of the screen but in the document are way down the tree, and vancouverisawesome is quite packed with links already.

I’ve cleaned up my server and I have contacted the maintainers of the other seven sites (and got a lot of “thank you” for that). I also contacted vancouverisawesome about them having spam links in the bottom. This is a pretty common attack (we had it on Ajaxian.com, too) targeted at Wordpress installs.

How to avoid all this (and how to detect it)

So in order to make sure that this doesn’t happen to you:

• Do not leave folders writable to the world – if a piece of software tells you that you need to do this tell them to change it – it is inviting spammers like a dog turd invites flies.
• Do monitor your incoming links – if I hadn’t had the blog search RSS feed running I probably wouldn’t have found the blog until it really showed up in my traffic stats.
• Always upgrade your WordPress install – this is automated now and takes a second – there is no excuse not to.
• Redirect or – in the most extreme case – delete old things on your server that you don’t maintain any longer.

Well, this morning I got a chance to have a go at his request and here’s the GeoPlanet Explorer interface for you. Check the following screencast to see it in action:

Building the interface wasn’t magic – I used YQL to access the data, write a few lines of PHP to display it in a nested list and then added a few lines of YUI3 JavaScript to collapse and expand the location details.

Notice that the whole interface uses progressive enhancement throughout. If you have no JavaScript at your disposal you get a static map and all the information in one single page. The lat/lon links open in Yahoo Maps and you can see the location there.

If you have JavaScript enabled the interface collapses and the map is Ajax and will be refreshed every time you click on a lat/lon link.

The source code of the GeoPlanet Explorer is available on GitHub and it can give you a few pointers how to use the GeoPlanet API with YQL for your own solutions.

• WinterOlympicsMedals.com is live – I was busy this weekend creating this search interface from the open data provided by the Guardian.
• The LG logo has a hidden meaning that is full of win
• The BBC have a great little test analyzing your web behaviour. Apparently I am a web ostrich, but I also buggered the game with the chocolate bars as I was tweeting instead of reading the instructions properly.
• On March the First, there will be a funeral procession for IE6 in Mountain View, CA.
• Missing kids map and Missing Adults Map are both helping to find people who have been reported missing. Both have an API - if you call read.php with the state name you get the information as XML - for example missing kids in California
• Map Compare allows you to see different maps next to each other to compare their quality
• ProForma is a paper to create 3D models rapidly from a video recording
• Unicons is a bookmarklet to add UTF-8 characters depicting images into any text field.
• If you are building a racing site there is an awesome free Formula One API available and its design puts the commercial ones to shame.