int2e blog

Recently I’ve been working on TrackWarcraft. TrackWarcraft is a tool to quickly gather information about players in World of Warcraft. It’s great if you’re looking for PUGs, but want to make sure they have decent gear and have successfully completed the dungeon or raid before. Using the TrackWarcraft AddOn you can instantly look up everyone in LFG or anyone in chat.

The site is built on Google App Engine and I’ve built it to scale under load. The data is gathered from the official WoW Armory. When gathering the data, all URL fetch requests are in parallel, so it’s relatively fast — even when looking up 25 characters at once, resulting in 100+ URL fetches. To be nice to the Armory, all character information is cached and it will only request the same character at most once every 12 hours.

A feed is also created for each character. This feed lists new achievements, gear upgrades, new levels, guild changes, etc. You can see the feed for my character here. Now you can track any character’s progress in your favorite RSS or Atom feed reader, such as Google Reader.

Please check out TrackWarcraft and let me know what you think! http://www.trackwarcraft.com/

For my 20% time at Google, I’ve been writing code for Google Moderator. Moderator lets anyone submit questions, and users vote for and against questions. We’ve been using it internally for a while and now it’s released publicly for anyone to use.

To kick it off, you can submit questions for Matt Cutts, Guido van Rossum, Ken Thompson, and several other Google Engineers. Check it out and let me know what you think!

lcamtuf, from the Google Security team, just released ratproxy! It’s a web proxy that will automatically generate reports of potential XSS, XSRF, XSSI, charset, content type, and caching issues that it sees. Ratproxy is not only free, but also open source. I’ve had the pleasure of using it for the past few months and it’s definitely sped up my web security assessments.

Here’s a pretty screenshot of it in action:

Download ratproxy and try it out!

Greg Hoglund’s new book, Exploiting Online Games: Cheating Massively Distributed Systems, is being released this Friday. It talks about how to cheat at massively multiplayer online games, such as World of Warcraft and Second Life. While browsing Amazon today, it gave me the following suggestion:

(full-size readable image)

It appears Amazon is suggesting that we should read Greg’s book and then go hack Second Life.

The market for buying and selling vulnerabilities always grabs my interest. Charlie Miller wrote a great paper discussing his personal experiences selling two zero-day vulnerabilities:

Trading of 0-day computer exploits between hackers has been taking place for as long as computer exploits have existed. A black market for these exploits has developed around their illegal use. Recently, a trend has developed toward buying and selling these exploits as a source of legitimate income for security researchers. However, this emerging “0-day market” has some unique aspects that make this particularly difficult to accomplish in a fair manner. These problems, along with possible solutions will be discussed. These issues will be illustrated by following two case studies of attempted sales of 0-day exploits.

It’s refreshing to see an academic paper that discusses real-world experiences. Especially ones that most of us never get a chance to see, such as the selling of vulnerabilities to firms other than TippingPoint and iDefense. In one of his examples, he reportedly sold a vulnerability for $50,000 to a government agency. Charlie’s writing is also amusing. After discrediting an earlier paper, he calls for the author to buy him a beer. He also talks about how “it can be difficult for the researcher to verify the buyer’s intentions and avoid a trip to “Gitmo”.”

You can read his entire paper here: The Legitimate Vulnerability Market, Inside the Secretive World of 0-day Exploit Sales.

I’m still waiting for a zeroBay.

Just like our earlier Digg and reddit buttons, we’ve also created a Netscape voting button. The button will only display for users to your site that have already been to Netscape.com. That way for most of your traffic you can save screen space, not confuse non-Netscape.com users, and simplify your site. However, you’ll still be able to provide an easy-to-use Netscape button to your Netscape-savy visitors.

Here’s an example of our Netscape button in action:

If you don’t see anything here, visit www.netscape.com, return to this site, and then press Reload or Refresh. If you want to see for yourself that this button doesn’t display to non-Netscape.com users, bookmark this page, clear your browser history, close your browser, and then visit this page again.

How to use the button on your site
In order to use it on your site, include the following HTML code where you want the Netscape button to appear:

<script type="text/javascript">int2e_url = "[PermalinkURL]";</script><script src="http://int2e.com/tools/netscape-improved.js" type="text/javascript"></script>

You will need to replace [PermalinkURL] with the permalink to your post URL, such as http://example.com/post.html
Our button is based on, and displays, the original Netscape Syndicated Voting button.

How does this work?
The script only displays the Netscape button if www.netscape.com is in the user’s browser history. For details on how the script knows this, you can read our earlier post on the Digg integration script.

Compatibility
The script should work with anything that the original Netscape syndicated voting button works with, including Internet Explorer, FireFox, Opera, and Safari.

Similar to our earlier improved Digg button, we’ve also created a reddit button. The button will only display for users to your site that have already been to reddit. That way for most of your traffic you can save screen space, not confuse non-reddit users, and simplify your site. However, you’ll still be able to provide an easy-to-use reddit button to your reddit-savy visitors.

Here’s an example of our reddit button in action:

If you don’t see anything here, visit reddit.com, return to this site, and then press Reload or Refresh. If you want to see for yourself that this button doesn’t display to non-reddit users, bookmark this page, clear your browser history, close your browser, and then visit this page again.

How to use the button on your site
In order to use it on your site, simply include the following HTML code where you want the reddit button to appear:

<script src="http://int2e.com/tools/reddit-improved.js" type="text/javascript"></script>

You can customize the link by following the configuration directions for the original reddit button.

How does this work?
The script only displays the reddit button if reddit.com is in the user’s browser history. For details on how the script knows this, you can read our earlier post on the Digg integration script.

Compatibility
The script should work with Internet Explorer, FireFox, Opera, Safari, and most alien technology.

Want to make a site similar to our World of Warcraft Google Maps mashup? The process has two main steps. First you’ll need to create properly formatted images for the map. Then you can integrate the images in to a map using the Google Maps API.

Creating the Images
Although you probably have your map as one large image file, we’ll need to cut the large image file up in to many smaller images so that it can be used with the API. We’ll also have to create different images for each zoom level of the map. MapWoW is composed of over 300,000 image files.

Each image file has to be 256 pixels by 256 pixels. Each image when zoomed in to the next zoom level represents four images at the next zoomed in level. For example, the image below of an A at zoom level 0 is one 256×256 image:

At zoom level 1, the same A now spans four images, each of which are 256×256 images:

This process of zooming in or out on the original image, and then cutting the zoomed image in to smaller images it typically automated. An example script for automating this process is available at Mapki.

Creating the Map
Starting with a typical map created with the Google Maps API, you’ll need to add three main sections of code. First you’ll have to create a custom tile layer, then you’ll have to define the custom getTileUrl function, and finally you’ll have to add the tile layer to your map.

The following line of code will create a new GTileLayer object:
var tilelayers = [new GTileLayer(copyCollect,0,15)];
In this case 0 is the most zoomed-out level and 15 is the most zoomed-in level available.

Next we’ll have to define the function that tells the GTileLayer object where the custom images are located:
tilelayers[0].getTileUrl = function (point, zoom){
return "/images/"+point.x+"-"+point.y+"-"+zoom+".jpg";
};
The values point.x and point.y do not refer to latitude and longitude values, but rather to the image tile numbering used by the Google Maps API. point.x increments going East, and point.y increments going South.

Now that we have our customized GTileLayer object, we’ll use it to create a custom GMapType and add it to our GMap2:

var custommap = new GMapType(
tilelayers,
new GMercatorProjection(16),
"MyCustomMap",
{errorMessage:"No Data Available"}
);
map.addMapType(custommap); //map is your GMap2 object

The argument to GMercatorProjection, 16, is the total number of zoom levels.

Further Reading
Mapki, a wiki on the Google Maps API, also has a tutorial on creating your own custom map. Mike Williams also discusses a few things to watch for while creating a custom map. In the future, we’ll also be posting some advanced tips on how to improve your Google Maps mashup so that it can withstand high loads and lots of visitors. You can subscribe to our blog if you’d like to read our future advanced tips.

Earlier today Matt Cutts wrote:

My site has been acting a little slow and weird today. I checked my logs, and I’m seeing a lot of GET requests causing strange errors. Most of the requests have escaped Unicode characters, but they don’t appear valid. Sorry that the site is kinda slow; I’m going to be away from the computer until around late Monday, so I don’t have time to check it now, but I’ll try to track it down when I get back.

It looks like Matt was seeing some attacks coming in. At least one of those attacks appears to have been successful:

It appears that only his blog, and not his entire site have been defaced. Last night he upgraded from WordPress 2.0.x to 2.1.x. I wonder if there are known security issues with the current version of WordPress, or perhaps with some of the plugins he’s using.

On the defaced page, there’s the quote nous sommes le proprietaire de toi which roughly translates in to “we are the owner of you”, or perhaps simply pwned. In the defacement there are some odd nicknames for popular SEO bloggers. Here are a few that I’ve figured out so far:

• pentazilla = Quadzilla
• RandomFish = Rand Fishkin
• Shchoeoe = ShoeMoney
• lejackalgris = Graywolf

Which other ones have you figured out? Feel free to post below.

P.S. The main question is, was the attack really an interesting GET request with Unicode-encoded characters, or is it an April-1st-based attack? Matt claims he’ll be out of touch until April 2nd, so we’ll just have to wait and see.

Many of you probably already have yellow “digg this” buttons on your websites. I’ve improved the standard “digg this” script, and now you can use the improved version on your own site.

Every time any user visits your site, including users that have never heard of digg, they see the big yellow box. I’ve improved the original “digg this” button so that it will only be visible to visitors to your site that are familiar with digg. That way for most of your traffic you can save screen space, not confuse non-digg users, and simplify your site. However, you’ll still be able to provide an easy-to-use digg button to your digg-savy visitors.

Here’s an example of the improved “digg this” button in action:

If you don’t see anything here, visit digg.com, return to this site, and then press Reload or Refresh. If you want to see for yourself that this button doesn’t display to non-digg users, bookmark this page, clear your browser history, close your browser, and then visit this page again.

How to use the button on your site
In order to use it on your site, simply include the following HTML code where you want the “digg this” button to appear:

<script src="http://int2e.com/tools/digg-improved.js" type="text/javascript"></script>

You can customize the colors, style, and link, by following the configuration directions for the original Digg integration script.

How does this work?
The script only displays the “digg this” script if the user has already been to either digg.com or www.digg.com. It uses a method for browser history detection described by Henrik Gemal. I first read about this technique on Jeremiah Grossman’s blog.

The script tells if a user has visited digg.com by first creating an invisible link on the page to digg.com. It then reads in the color of the link. If the color of the link matches the color for already visited links, then the script knows that the user has already visited digg.com. Even if the user has configured non-standard colors for their links, CSS is used to set the color of the invisible links to a known value.

Compatibility
The script has been tested with Internet Explorer, FireFox, Opera, and Safari. If anyone tests it with any other browsers, please let me know if it works for you.