Comments for Jason Priem http://jasonpriem.com Sun, 20 Dec 2009 21:10:43 -0600 http://wordpress.org/?v=2.8.4 hourly 1 Comment on Obfuscate no more: why your email address should go au naturale by Bobby http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6607 Bobby Sun, 20 Dec 2009 21:10:43 +0000 http://jasonpriem.com/?p=228#comment-6607 I'm extremely inexperienced in javascript and web programming in general, so forgive me if this sounds dumb, but what do you think about using a text field and emailing yourself whatever text the user has entered? Is there a way to make this method more impregnable (as far as maintaining email address secrecy is concerned)? I know it doesn't take much to write a bot that spams such a system with messages, but methinks this presents a more controllable environment. On a different note, is there some way to use raw IP addresses instead of URLs that could throw a bot scanning for "x"@"y"."z" off balance without overly confusing a desirable emailer? Another possibility is the use of email aliasing. Maintain a single account for which you keep the direct address secret. Create an alias on an email server and use that alias "au naturale" in your sites, forwarding messages sent to it on to your central account. When you start to get too much spam through that alias, create a new one and repeat. Is this a reasonable solution, or am I misunderstanding some easy-to-foil step in this process? Finally, a comment: I notice you keep mentioning that even the most complex obfuscation methods are easily discovered and routed if someone just looks at the code. Well... since there are so many possibilities, any spammer (hell, any programmer) would be hard-pressed to write a bot that could break them all by automation. A spammer would have to look at the code personally for each potential address to be certain of even (I'm guessing) 50% success... why bother, when the spammer could just look at the email address directly as the browser renders it on the page? What I'm trying to say is, I don't see how "they can figure out how your code works by looking at it" is a reasonable argument against javascript-powered address obfuscation. The goal of obfuscation is to necessitate a human individual's involvement in the identification of your email address with minimal confusion to that individual... methinks a sophisticated javascript obfuscation method accomplishes that goal. I’m extremely inexperienced in javascript and web programming in general, so forgive me if this sounds dumb, but what do you think about using a text field and emailing yourself whatever text the user has entered? Is there a way to make this method more impregnable (as far as maintaining email address secrecy is concerned)? I know it doesn’t take much to write a bot that spams such a system with messages, but methinks this presents a more controllable environment.

On a different note, is there some way to use raw IP addresses instead of URLs that could throw a bot scanning for “x”@”y”.”z” off balance without overly confusing a desirable emailer?

Another possibility is the use of email aliasing. Maintain a single account for which you keep the direct address secret. Create an alias on an email server and use that alias “au naturale” in your sites, forwarding messages sent to it on to your central account. When you start to get too much spam through that alias, create a new one and repeat. Is this a reasonable solution, or am I misunderstanding some easy-to-foil step in this process?

Finally, a comment: I notice you keep mentioning that even the most complex obfuscation methods are easily discovered and routed if someone just looks at the code. Well… since there are so many possibilities, any spammer (hell, any programmer) would be hard-pressed to write a bot that could break them all by automation. A spammer would have to look at the code personally for each potential address to be certain of even (I’m guessing) 50% success… why bother, when the spammer could just look at the email address directly as the browser renders it on the page? What I’m trying to say is, I don’t see how “they can figure out how your code works by looking at it” is a reasonable argument against javascript-powered address obfuscation. The goal of obfuscation is to necessitate a human individual’s involvement in the identification of your email address with minimal confusion to that individual… methinks a sophisticated javascript obfuscation method accomplishes that goal.

]]> Comment on Prezi: presentation junk 2.0 by Henrik Kryger Pallesen http://jasonpriem.com/2009/04/prezi-presentation-junk-20/comment-page-1/#comment-6603 Henrik Kryger Pallesen Fri, 18 Dec 2009 19:37:23 +0000 http://jasonpriem.com/?p=214#comment-6603 I'm partner in the Prezi competitor Ahead www.ahead.com, and would like to argue why the online zooming approach has it's advantages apart from being stunning. 1) It's online, hence you can share and embed your presentations anywhere on the web. Try that with a PPT 2) PPT is essentially built for text-based communication. Ahead (and Prezi) are built for communicating visually (which has proven to be the most effective way to comunicate) 3) You can present your information in a wider spatial context. Zoom out to get an overview, zoom in on to look at a detail. Ahead is mostly used by architects, designers and photographers and neither Keynote nor Powerpoint give them an adequate way of presenting visual content in the detail and richness that they require. That said, I totally agree that for the left-brained business world PPT is still the best and safest bet, and probably will be for quite some time. But for right-brainers the spatial approach Ahead & Prezi offers is far superior. I’m partner in the Prezi competitor Ahead http://www.ahead.com, and would like to argue why the online zooming approach has it’s advantages apart from being stunning.

1) It’s online, hence you can share and embed your presentations anywhere on the web. Try that with a PPT
2) PPT is essentially built for text-based communication. Ahead (and Prezi) are built for communicating visually (which has proven to be the most effective way to comunicate)
3) You can present your information in a wider spatial context. Zoom out to get an overview, zoom in on to look at a detail. Ahead is mostly used by architects, designers and photographers and neither Keynote nor Powerpoint give them an adequate way of presenting visual content in the detail and richness that they require.

That said, I totally agree that for the left-brained business world PPT is still the best and safest bet, and probably will be for quite some time. But for right-brainers the spatial approach Ahead & Prezi offers is far superior.

]]> Comment on Obfuscate no more: why your email address should go au naturale by Rory http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6587 Rory Mon, 14 Dec 2009 11:11:29 +0000 http://jasonpriem.com/?p=228#comment-6587 Another thumbs up for gmail. On average a lottery win or african millionaire only gets through about once a month and to my knowledge (i do check my spam folder periodically), I have not missed any valid emails. Another thumbs up for gmail. On average a lottery win or african millionaire only gets through about once a month and to my knowledge (i do check my spam folder periodically), I have not missed any valid emails.

]]> Comment on Obfuscate no more: why your email address should go au naturale by Carter Cole http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6486 Carter Cole Fri, 13 Nov 2009 15:04:56 +0000 http://jasonpriem.com/?p=228#comment-6486 and the fact that foo@cool.com auto links as a mailto: anchor really helps... and the fact that foo@cool.com auto links as a mailto: anchor really helps…

]]> Comment on Obfuscate no more: why your email address should go au naturale by Carter Cole http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6485 Carter Cole Fri, 13 Nov 2009 15:04:03 +0000 http://jasonpriem.com/?p=228#comment-6485 with gmail any address that has periods in it are ignored as well as anything after the plus (+) so c.a.r.t.e.r@cartercole.com is the same as carter.@cartercole.com is the same as c.a.rter+spam@cartercole.com so i can filter or send any form of my address to spam and know where it was harvested from to get around this you could find addresses with gmail domain and remove everything after the + and the periods so its the clean version (unless the normal address has a period like carter.cole@dadada.com) with gmail any address that has periods in it are ignored as well as anything after the plus (+) so

c.a.r.t.e.r@cartercole.com is the same as
carter.@cartercole.com is the same as
c.a.rter+spam@cartercole.com

so i can filter or send any form of my address to spam and know where it was harvested from

to get around this you could find addresses with gmail domain and remove everything after the + and the periods so its the clean version (unless the normal address has a period like carter.cole@dadada.com)

]]> Comment on Zotero: the best open-source app you’ve never heard of. by Use Zotero in a separate window - Jason Priem http://jasonpriem.com/2008/05/zotero-the-least-known-triumph-of-open-source/comment-page-1/#comment-6279 Use Zotero in a separate window - Jason Priem Fri, 25 Sep 2009 21:05:42 +0000 http://jasonpriem.com/?p=10#comment-6279 [...] I’ve written before, I love the free citation manager Zotero.   And the group and sharing features that just dropped [...] [...] I’ve written before, I love the free citation manager Zotero.   And the group and sharing features that just dropped [...]

]]> Comment on Obfuscate no more: why your email address should go au naturale by jason http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6142 jason Mon, 14 Sep 2009 00:02:04 +0000 http://jasonpriem.com/?p=228#comment-6142 Elton, I agree with you that "once the email is out there everyone can harvest it." In fact, my point is that we should be trying to make it easy to get. Most obfuscations challenge users more than spambots. I also agree that, for the time being, Javascript-based obfuscation holds the most promise. It's not a silver bullet, though, as I discuss in my post. The ATG product you mentioned (and <a href="http://www.pjapplications.com/software-antispam-mailto-tag-generator-email-obfuscator.php" rel=nofollow rel="nofollow">sell on your site</a> as a downloadable exe) is a good example. Let's take a look at what ATG cranks out: <code> <script type="text/javascript"> function SLMEJMBF(A){ var S = String.fromCharCode(109,97,105,108,116,111,58,116,101,115,» 116,64,101,120,97,109,112,108,101,46,99,111,109); A.href = S; } </script> <a href="#" onmouseover="SLMEJMBF(this);" onfocus="SLMEJMBF(this);">mail example</a> </code> For starters, if the client has javascript disabled, it breaks completely. That means tough luck, <a href="https://addons.mozilla.org/en-US/firefox/addon/722" rel="nofollow">NoScript</a> user: no email for you. This isn't an insurmountable problem, though; check out <a href="http://pipwerks.com/2009/02/01/obfuscating-email-addresses-revisited/" rel="nofollow">Philip Hutchison's</a> gracefully-degrading script, for example. Second, the "encryption" you use is pretty trivial. You rely on Javascript's "fromCharCode" method to read the munged address--<em>so can the harvester</em>. I added a simple function to my <a href="http://jasonpriem.com/obfuscation-decoder" rel="nofollow">de-obfuscator demo</a> to show how easy this is (it's example 11). If I can break this munge with a 10-line function in a few minutes, trust me: someone else already has. Granted, this gets a lot harder to beat if you get just a little trickier; for instance, you might try breaking the address down into 10 strings and then concatenate them out of order--now a simple regex isn't enough. But the basic problem hasn't gone away: your server dishes out your unencrypted Javascript to anyone who wants it, no questions asked. That makes it a fundamentally bad place to put secrets. Thanks for your comment, and good luck with ATG! Elton, I agree with you that “once the email is out there everyone can harvest it.” In fact, my point is that we should be trying to make it easy to get. Most obfuscations challenge users more than spambots.

I also agree that, for the time being, Javascript-based obfuscation holds the most promise. It’s not a silver bullet, though, as I discuss in my post. The ATG product you mentioned (and sell on your site as a downloadable exe) is a good example. Let’s take a look at what ATG cranks out:

<script type="text/javascript">
function SLMEJMBF(A){
var S = String.fromCharCode(109,97,105,108,116,111,58,116,101,115,»
116,64,101,120,97,109,112,108,101,46,99,111,109);
A.href = S;
}
</script>
<a href="#" onmouseover="SLMEJMBF(this);" onfocus="SLMEJMBF(this);">mail example</a>

For starters, if the client has javascript disabled, it breaks completely. That means tough luck, NoScript user: no email for you. This isn’t an insurmountable problem, though; check out Philip Hutchison’s gracefully-degrading script, for example.

Second, the “encryption” you use is pretty trivial. You rely on Javascript’s “fromCharCode” method to read the munged address–so can the harvester. I added a simple function to my de-obfuscator demo to show how easy this is (it’s example 11).

If I can break this munge with a 10-line function in a few minutes, trust me: someone else already has. Granted, this gets a lot harder to beat if you get just a little trickier; for instance, you might try breaking the address down into 10 strings and then concatenate them out of order–now a simple regex isn’t enough.

But the basic problem hasn’t gone away: your server dishes out your unencrypted Javascript to anyone who wants it, no questions asked. That makes it a fundamentally bad place to put secrets.

Thanks for your comment, and good luck with ATG!

]]> Comment on Obfuscate no more: why your email address should go au naturale by Elton Hoxha http://jasonpriem.com/2009/05/stop-obfuscating-email/comment-page-1/#comment-6140 Elton Hoxha Sun, 13 Sep 2009 16:48:35 +0000 http://jasonpriem.com/?p=228#comment-6140 Just like everyone else I got attacked by unwanted emails on a daily bases, so I went on a quest to find a solution to stop it. Part 1 The first step I took was jumping on the other side of the river and think like a spammer. I started to search for software that does the harvesting of emails on the internet. Using keywords such as "emails, harvest and extract" on Google and I ended up looking at hundreds of software listings, offering an easy way to attack unprotected emails in a few steps... I picked up software, called EmailSpiderGold to test. Within a couple of hours I ended up in harvesting 15000 webmasters emails to use on my discretion. Along the way I learned that, on the open are several ways to verify that those emails are active as the very developers also offer Email Verifiers which along many characteristics it checks the validity of recipient's e-mails addresses by connecting to SMTP-servers and simulating the sending of a message and they work pretty smart too as they disconnect as soon as the mail server informs the program whether the address exists or not. On this conclusion we end up thinking that once the email is out there everyone can harvest it and use it without discretion for their own purpose. Part 2 Solutions... I came across to several solutions being offered to prevent the emails from harvesting campaigns. Amongst them I found some interesting ones using java scripts to obfuscate the coding on the page. Strangely, I didn’t come across with anyone using their own encryption to publish their email on the web page. Their lack of confidence was the answer for me. Accidentally I got in touch with an old time software developer that shared the same frustration named Peter Johansson; together we joined forces and experiences to develop a shield to the issue. Only recently we had a winner called ATG, an Anti-Spam Tag Generator with advanced features that hides the real address from robotic harvesters. We tested it and it has proved to work. E.Hoxha Just like everyone else I got attacked by unwanted emails on a daily bases, so I went on a quest to find a solution to stop it.
Part 1
The first step I took was jumping on the other side of the river and think like a spammer. I started to search for software that does the harvesting of emails on the internet.
Using keywords such as “emails, harvest and extract” on Google and I ended up looking at hundreds of software listings, offering an easy way to attack unprotected emails in a few steps…
I picked up software, called EmailSpiderGold to test. Within a couple of hours I ended up in harvesting 15000 webmasters emails to use on my discretion.
Along the way I learned that, on the open are several ways to verify that those emails are active as the very developers also offer Email Verifiers which along many characteristics it checks the validity of recipient’s e-mails addresses by connecting to SMTP-servers and simulating the sending of a message and they work pretty smart too as they disconnect as soon as the mail server informs the program whether the address exists or not. On this conclusion we end up thinking that once the email is out there everyone can harvest it and use it without discretion for their own purpose.
Part 2
Solutions…
I came across to several solutions being offered to prevent the emails from harvesting campaigns. Amongst them I found some interesting ones using java scripts to obfuscate the coding on the page.
Strangely, I didn’t come across with anyone using their own encryption to publish their email on the web page.
Their lack of confidence was the answer for me.
Accidentally I got in touch with an old time software developer that shared the same frustration named Peter Johansson; together we joined forces and experiences to develop a shield to the issue. Only recently we had a winner called ATG, an Anti-Spam Tag Generator with advanced features that hides the real address from robotic harvesters. We tested it and it has proved to work.

E.Hoxha

]]> Comment on FeedVis dev by jason http://jasonpriem.com/feedvis-dev/comment-page-1/#comment-6133 jason Tue, 08 Sep 2009 21:53:45 +0000 http://jasonpriem.com/?page_id=62#comment-6133 Sorry about that download link; it got messed up in some server houskeeping I was doing. It should work fine now. Sorry about that download link; it got messed up in some server houskeeping I was doing. It should work fine now.

]]> Comment on FeedVis dev by R-Yeah http://jasonpriem.com/feedvis-dev/comment-page-1/#comment-6130 R-Yeah Tue, 08 Sep 2009 13:28:27 +0000 http://jasonpriem.com/?page_id=62#comment-6130 Hi Jason! This tool looks great! I want to download the source and install in my server but the problem is the that download link is down. Any other link i can grab the source code? thanks! Hi Jason!
This tool looks great!

I want to download the source and install in my server but the problem is the that download link is down.

Any other link i can grab the source code?

thanks!

]]>