Nice to have a (relatively) safer browser.

I use Firefox/Adblock/Noscript, which might be why I never noticed anything when I went visiting on Thursday. Of course, I might have just missed the time they were redirecting people. Was it a good porn site?

[half-arsed plug mode]

However, I've noticed that a lot of "problems" that other people have don't seen to affect those who use this browser combination. Having doubleclick.* mapped to 127.0.0.1 also helps. I also don't tend to see advertising unless it's unobtrusive and well done (something that anyone using doubleclick seems incapable of), and I certainly don't let just any javascript run on my browser. Perl.com has so far resisted making javascript mandatory to visit their site, for which I thank them.

Various clients have commented on this easier browsing on several occasions, especially when I switch them from MSIE or Safari to this combination. Every so often they go back to their old browser and are shocked with what they used to put up with. Firefox is getting more and more bloated and buggy with each release, and their bookmark manager sucks farts from dead goats (in 3.0 beta as well damnit), and I'm not saying it any more or less "secure" than other browsers, but my experience is that the Firefox/Adblock/Noscript combination certainly makes browsing a lot more user friendly.

I still missed out on the porn site though.

@ BKB

So the fact that someone else's javascript that pulls content from a third party site, continues to pull content from that same site after the site changed hands, means that Perl is somehow unsafe or insecure ?

Even though perl the language itself has nothing to do with it ?

I think you have another agenda.

re: BKB

I've never seen Perl claim to be the securest form of web programming. Neither has this incident reflected on the security of Perl as a language for anyone who understands what happened.

@yeah, right re. Firefox bookmarks

I found that the "Flat bookmark editing" add-on improved the bookmark manager a lot. Try it: https://addons.mozilla.org/en-US/firefox/addon/117

Do none of you RTFA?

"Considering Perl's claim to be the securest form of web programming, this incident doesn't make them look good. Incidentally Google's cache of perl.com still contains the grepblogs stuff at the time of posting this."

Ok, I've never heard perl refered to as the "securest form of web programming". However, this has NOTHING to do with Perl, It was just a cock up by the admins not keeping track of who adertised on the site.

"Is there a list of the porn sites responsible? Give us that list and we'll DDoS the fucking bastards off the web!"

Woah there, take a few deep breaths. This isn't a targetted attack its just a typosquatter (Who are a real problem, we'll run out of domain names if they don't change the way the system works) who got lucky.

@BKB

Your view might seem less ridiculous if you'd only scuttle off and read the article but I suspect you've already tried - so instead, just scuttle off and learn to read.

Re: RTFM

Taint checks are a optional feature of Perl. If you weren't so intent on taking the quote out of context, you might have noticed that even if they were being used, it wouldn't have helped in this case.

Though, from the second paragraph, I suspect even if Perl.com had been running on IIS, written in C# talking to a SQL Server back end, you'd still say it was somehow the Perl community's fault.

This has nasty implications

If it turns out that grepblogs had expired and then been registered by the pr0n industry, we could see others re-registering a domain name of an expiring site that feeds other sites banner ads or other material like javascript. More bang for your buck. What if the material contains a virus, or a keylogger, or creates a botnet? Why have one compromised site when you can have hundreds or thousands for the same work and cost? Online software is replacing home/work based software at an increasing rate, this could turn out badly.

I first wrote about expiring names being used by the pr0n industry back in 2001 (if interested go to ICANNWatch.org and type 'xxx-piring' in the search box at bottom of home page). I brought this to the attention of ICANN's then Chair Vint Cerf and then CEO M. Stuart Lynn and the DNSO-GA. Nothing has changed in the meantime except for the worse. I'm not a purist who says retire expired names forever, but an expired name could and should be washed by keeping it out of circulation for six months and then release it through a randomizer set for +/- 10 days. Dropped telephone numbers aren't immediately reassigned, they are washed for a few months so as not to cause chaos, which is what we have here. The registrars/registries/ICANN want the money NOW. -g

Way off topic: @ Alex Forbes

Last I checked Opera (admittedly a long time ago) they were pathologically opposed to decent ad blocking. Have they changed their tune?

Guess I'll have to get the latest version now and take it for a spin. If they have decent (as in easily managed and unobtrusive) ad blocking and per-site javascript managing then I might jump ship. At least for a little while.

Off topic continues: Opera

Just tried Opera. To say that it sucks doesn't begin to describe it. In 20 minutes, the latest "official, non beta" version has succeeded in crashing twice. This is the same system where Firefox manages to run for days on end. The rest of the time Opera was often (estimate 30%) "unavailable", as in stuck in some busy-wait loop somewhere, usually while I looked at the bookmark manager. Something right dodgy there methinks.

The bookmark manager isn't any different from Firefox (actually, it looks identical. I wonder who copied whom, and if it really matters?). The Javascript handling is marginal as far as I could see when I could access it. Don't know about the ad blocking, never got that far. Probably won't either.

Sigh. Back to Firefox.

@BKB

I'm curious - do you distinguish at all between Perl.com - O'Reilly's site for selling Perl related books and conferences, and the Perl community?

And, it is possible to write a Perl script to check that one's web page hasn't been hijacked. Of course their page hadn't been hijacked - it was a trusted third party.

To anticipate your next statement, I'm not sure that it is, in general, possible to prevent scenarios like this. Advertisement brokers tend to require that a site link the scripts etc. directly from the broker's server, essentially bypassing the content provider.

This is done so the broker can update the scripts whenever they need to, and can help protect against content providers gaming the system.

However, once they are out of the loop, content providers have little ability to control what is displayed.

This problem has happened once in approximately 10 years, and yes, it is embarrassing for O'Reilly Media, but I can't really see what could be done within the current model of advertisement serving.

(off topic continues) @ Coward re: 2 Comments

Actually, NoScript allows you to configure what javascript gets run by domain or sub-domain. So I'm not barred the pleasure of using Google maps, because I have the option of allowing javascript along with the pleasure of denying other sites access to my browser in that fashion. It's been incredibly useful these past few years.

re: html is not code

It's still code. It isn't a programming language, is what you mean.

I don't know if perl could check for hijacking

Although I suspect it could be loosly done why checking for a percentage of changed content against a cached version, but in this instance it certainly would seem possible to disable links based of Whois registration expiration or ownership changes pending administrative review.

I'm just starting to learn Perl since it was dumped in my lap at work and know nothing of Java. So please excuse any ignorance of Perl or Java on my part.

@Graham Wood

Er. Good point. Thank you Graham.

"Perl necklace"

Obvious perhaps, but absolutely classic. Made my day.