This morning in San Mateo, some idiot decided to park a car on the Cal Train tracks just before 7:45am… hilarity ensued for many Bay Area commuters who ride Cal Train, as this caused over an hour and a half delay for the rail system.



At 7:45 this morning a car traveling from Laurie Meadows road crossed Old Country road in San Mateo, and proceeded to jump the berm and land flat on the rail tracks between Hillsdale and Belmont stations.
Mind you now, both roads he was traveling from and to are only 25 MPH roads. No skid marks from emergency stopping could be seen.


After the car landed on the tracks the driver proceeded to leave the car. Moments later a train traveling southbound proceeded to give the car a love tap, as shown in the pictures here. Emergency crews used pure human muscle to slowly push the car down off the tracks towards El Camino Real.
No injuries were reported.
All Images Are Property of Warren Ahner.
Ask any Blogger, the number one nuisance with running a site in this day and age is comment spam. Before email was popular, no one had to worry about spam, it just didn’t happen, but the days of old are gone, and much the same is true with Blogs and spam. With more mainstream availability of CMS programs such as WordPress, which powers iFooBar, the market for comment spam is now ripe for the picking.
WordPress comes with some very crude tools for helping to combat unwanted comment spam. WordPress out of the box gives you two options; force everyone to register prior to posting (ouch annoying) or totally disable comments. If you ask me, neither of those choices seems to offer a good solution, enter the world of third party plug-ins.
Over the past two months, I have been experimenting with many different plug-ins for WordPress that were designed to aid in the war against comment spam. After a few days or weeks, depending on how obvious the results, I would move on to the next plug-in, trying desperately to find a solution that offered the best mix of user friendliness, spam detection, and least amount of false positives. Below are some of the results I experienced; please note your mileage may vary depending on your content, your host, and the demographic of your readers.
Bad-Behavior - “Bad Behavior, conceived in 2005 as a fingerprinting method for HTTP requests, has proven, as one user called it, ‘shockingly effective’ at identifying and blocking malicious activity, including blog/wiki spam, e-mail address harvesting, automated cracking attempts, and more. It does all of this looking only at the HTTP request headers; for POST data, the content of the spam is not analyzed at all.”
Truth be told about Bad Behavior… it is bad, real bad. It is a great idea; it just does not work very well (or at all).
Multiple Tools Based On Questions or Captchas - No one likes to read them, no one likes to move their hands off the mouse to the keyboard, and no one can stand the weird lines and tricks they use to dodge OCR. The internet has evolved from the eBays and Hotmails of 1997.
Akismet - My distaste for this plug-in knows no bounds. I am currently using a virtual private hosting account and it is great. I do not have to administer, patch or monitor my box at all. Unfortunately I also am unable to change specific security settings that my hosting company has deemed best for fellow box sharers and myself. Akismet is dependent on talking to servers at WordPress and at Akismet. In order for it to reach out and validate content with the rest of the Akismet community, Akismet must validate your WordPress session. In order to achieve this, Akismet makes use of your WordPress API key (you have to create an account to get one, you must keep it private, as it is similar to a password).
The connection to WordPress’s API server is established through a series of named servers, how does one find a named server? DNS. Unfortunately this is where my hosting company and I clash, they block outgoing DNS requests. This does not prevent my server from reaching out to the Internet; it just prevents it from going there with a standard coded URL. By going into the code, we can quickly correct this problem by changing all the named URLs into IP based requests.
I must say, Akismet was by far one of the best options for spam control, it worked fast, it was unobtrusive to guests, and caught about 95% of all comment spam. There is one slight problem with Akismet, I found most of my real comments, had to be rescued from the abyss that has become of my spam folder.
Home Brew – Now we enter the most interesting area of the discussion. What can we build ourselves? Let's talk about what we know about spam bots.
Taken from Wikipedia “A spambot is a program designed to collect e-mail addresses from the Internet in order to build mailing lists for sending unsolicited e-mail, also known as spam. A spambot is a type of web crawler, that can gather e-mail addresses from Web sites, newsgroups, special-interest group (SIG) postings, and chat-room conversations. Because e-mail addresses have a distinctive format, spambots are easy to write. A number of legislators in the U.S. are reported to be devising laws that would outlaw the spambot.” … “Another type of spambot surfs the web, looking for forms to submit, and it submits spam e-mails to these web forms, often with OCR technology to bypass any CAPTCHAs” … “There are also spambots used to post spam links to guestbooks, wikis, blogs, forums and any other web forms to boost search engine ranking.”
So what did this snippet tell us?
1.) Spam bots are programmed for a very specific task, to crawl and assimilate.
2.) CAPTCHAs are not always a sure thing. However, more advanced and confusing CAPTCHAs keep appearing to help prevent this.
3.) Spammers want to go for quantity not quality.
This last fact is very useful, what it means is, if you make yourself a harder target, chances are you are not worth their time.
The Million Dollar Question… How?
Why is this the big money question? Simple, anyone can build a navigation system into a website that will add so many levels of complexity to a post, it would confuse even the most elaborate spam bot, but it will also upset your users. There has to be a balance, of usability (which should be almost seamless in the 98% range of users) and effectiveness.
In order to achieve this, we need to play our cards just right for the time being. Spam bots are pretty much fancy little Perl (the spawn of Lucifer himself) programs that scan for what they know, in our case (Post Comment action links). Thanks to the wide adoption of WordPress, building a spam bot that is able to find what it needs in order to do its dirty deed is easy. Thanks to all the sites using the same software back end, the programmer will know exactly where to find what (what page should have our comment link -> what should be on the comment post page to actually build a comment).
What can the average web browser do that a spam bot can’t? A lot, but for this I am only going to focus on two things:
1.) Render HTML
2.) Effectively run JavaScript
(I know my geek readers are already raising an eyebrow at #2)
Prior to the finish of this article I was able to sit down and enjoy a beer with one of my best friends Ryan, and we talked about a few of the problems we have run into with spam bots and some of our solutions. As it turns out over at Snarfed.org Ryan has been combating spam in a very similar way using some functions of PyBlosxom, his CMS system.
Firefox and other Mozilla based browsers use a rendering engine called Gecko, which supports JavaScript.
Safari, Apple’s web browser, also supports JavaScript.
Internet Explorer, Microsoft’s web browser, which is preloaded into most modern versions (since 1998) supports JavaScript.
Opera, a third party web browser also supports JavaScript.
All these browsers support JavaScript, but they do host an option to disable JavaScript, primarily for security reasons. Luckily for us, less than 1% of the internet’s traffic (that we are concerned about) is incompatible with JavaScript, either because of the browser (some smartphones) or because it is disabled.
Given these facts, I have developed a JavaScript and PHP based engine to combat spam.
What happens:
- When you first visit a comment page, the PHP engine generates two random numbers
- The random numbers are parsed into a page via Apache and fed to the web browser on the client end
- JavaScript code in the web page is executed on the client side
- JavaScript modifies these two numbers and feeds them back as part of the submitted fields
- PHP on the server side examines if the returned value is what was expected
  - IF the returned value was correct >> we accept the post and immediately commit it to the database
  - ELSE the post did not return the correct values, so we can assume it is probably a spam bot or a bad robot

Bad robots are defined as robots that do not follow the instructions left in the robots.txt file on your website explaining how they should behave.
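The challenge-response flow listed above, as an added example that is not the author's engine: Node.js stands in for the PHP side, and the secret, the 30-minute lifetime, the field names and the `a * b + a` transform are assumptions. It goes slightly beyond the text by signing the two numbers with an HMAC, so the server keeps no per-visitor state and rejects numbers it never issued.

```javascript
// Added example, not the author's engine. Node.js stands in for the PHP side;
// SECRET, MAX_AGE_MS, the field names and the a*b+a transform are assumptions.
const { createHmac, randomInt, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: per-site secret
const MAX_AGE_MS = 30 * 60 * 1000;        // assumption: form valid for 30 minutes

function sign(a, b, issuedAt) {
  return createHmac("sha256", SECRET).update(`${a}.${b}.${issuedAt}`).digest("hex");
}

// Server, rendering the comment form: two random numbers plus a signature over them.
function issueChallenge(now = Date.now()) {
  const a = randomInt(1000, 10000);
  const b = randomInt(1000, 10000);
  return { a, b, issuedAt: now, sig: sign(a, b, now) };
}

// Browser: the script shipped in the page; a client that never runs it has no answer.
function clientTransform(a, b) {
  return a * b + a;
}

// Server, on POST: recompute from the signed values and trust nothing else.
function verifySubmission(fields, now = Date.now()) {
  const a = Number(fields.a), b = Number(fields.b), issuedAt = Number(fields.issuedAt);
  if (![a, b, issuedAt].every(Number.isSafeInteger)) return "reject: malformed";
  const expected = Buffer.from(sign(a, b, issuedAt), "hex");
  const given = Buffer.from(String(fields.sig || ""), "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return "reject: bad signature";
  if (issuedAt > now || now - issuedAt > MAX_AGE_MS) return "reject: expired";
  if (Number(fields.answer) !== clientTransform(a, b)) return "reject: wrong answer";
  return "accept";
}

// Constructed demo: a browser that ran the script, and a bot that only filled the form.
function demo() {
  const c = issueChallenge();
  const browser = { ...c, answer: String(clientTransform(c.a, c.b)) };
  const bot = { ...c, answer: "" };
  return [verifySubmission(browser), verifySubmission(bot)];
}
```

A client that runs a JavaScript engine or hard-codes the transform still passes, and a signed challenge can be replayed until it expires unless the server also records the signatures it has already accepted.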
We have our solution. There are some problems with this: what if someone doesn’t have JavaScript, should we really omit them totally? For iFooBar, I am not concerned with this small minority of the internet I have just discriminated against; unfortunately when you are in the business of the internet, you cannot do this.
So what can larger companies who need that 1% to also be happy do? They can default to another method of spam protection, either with a CAPTCHA, or a third party spam detection system.
In order to allow for this default detection system to work, we cannot wait until the Comments page to detect the presence of JavaScript, as it will make the process either a step longer (if it fails send them to a CAPTCHA screen) or we might hang the Apache session waiting for a third party daemon to run processing. Prior to entering the comments page, we need to run a small JavaScript detection scheme on the main page of our site, in order to know which processing engine to generate the following comments page with.
This is what it will look like:
Main Content Page (probably an article)
TEST::Is JavaScript Enabled?
TRUE >> If this session tries to post, take them to our JavaScript comment page; this will be smooth and unknown to the user, and a warm experience.
FALSE >> If they try to post, take them to a different comment page, which will include legacy support.
The best option I can determine for legacy support is to have a second comment page that will have a CAPTCHA object embedded in it. Now there is some debate on using a CAPTCHA for the second page; it still will omit people running all text browsers like Lynx, but in all honesty if they are running Lynx, they are probably not interested in anything on this site. A better method would be to use a spam detection engine; unfortunately, because iFooBar is powered by WordPress, I feel this is a bad idea. Many people have great success running third party detection systems with WordPress, but I feel it just adds excess CPU time, and opens up Pandora’s box with having to typically connect to an outside server to process the post. WordPress is very unstable when it comes to connecting to its own local database; I do not feel it is a good idea to tempt fate by trying to communicate to a remote database every time a comment gets submitted, as it could lead to more 500+ database internal connection problems. I would just like to give my site a better fighting chance against being /.ed or Digged.
Following a survey Dell put out over a month ago to consumers, “What features do you want on your Dell?”, the company is taking action. Dell found out from community feedback that people want Linux; not only do they want it, they want it installed, with Driver and Hardware support (who really wants to mess with ndiswrapper, and modprobe and all those other joys of trying to get 802.11g Windows wireless cards to work in Linux).
Now that Dell knows what consumers (or at least the ones savvy enough to find and use their site) want, they want more details.
Everyone who has interest in Linux and the open source community, I urge you to go and vote at (it is totally anonymous):
http://www.dell.com/content/topics/survey.aspx/ss?ssid=OeAjvuto67E~&s=corp
One major concern of the community, even if you don’t want one, is that Dell might go with a Novell SUSE Linux, which is just another form of Microsoft evil.