LordElph’s Ramblings

Ever made an intricate diagram in a Google Doc only to find it hopelessly pixellated when you print it?

It seems Google take the nice vector image you’ve created and render it as a 600 pixel wide bitmap. That’s always going to look bad in print.

After a document I was writing got bitten by this, I figured out a way to fix it. You do need a little familiarity with HTML, so here goes:

1. Go to Edit -> Edit HTML

2. Find the img tag which corresponds to the image you want to modify, it will look like this:

3. That URL can be modified to return an image wider than 600px with more detail in it. So triple it and set the w and h parameters to 1800

Now this image would be too big for the page, so we add a width=”600″ attribute so that Google docs makes it fit the page width

4. Job done! You should see the improvement on screen and in print!

Congratulations to Jeroen, who is the new owner of pastebin.com. Many thanks to everyone who expressed an interest in taking it over.

The site is now running on vastly improved hardware, and I’m sure Jeroen is going to do a fantastic job in taking the idea forward.

You can track future news and updates by following @pastebincom on Twitter.

End of era for me, but I wish Jeroen the very best of luck!

I have a need to shed various side projects to free up my time, so I’m looking for anyone who is interesting in purchasing pastebin.com and developing it further.

I created the site way back in 2002, and it’s more popular now than ever with usage steadily growing. Now is a great to time to hand over to someone who can develop the idea further – something I’ve struggled to find the time to do.

Don’t delay though, as some good offers have already been made. Watch this space for more news.

(Edit – sold!)

If you’ve ever worked on localizing an application or website, you may be familiar with the .po files used with GNU gettext and compatible tools.

I’ve written a script which can take a .po file and translate any untranslated strings with Google Translate. This may not be a ‘release quality’ translation, but does speed up the job of a real translator, who can simply proof read and correct the machine-translated entries.

See it in action here: http://pepipopum.dixo.net

I’ve released the source under the Affero GPL too, so you can tweak or host it yourself. The version hosted above does have a one second delay between translations, so if you want to go faster you’re encouraged to do exactly that!

Hope someone else finds it useful.

In the past few days, pastebin.com has been cited in a wide variety of high-profile news sources regarding a “leak” of email account passwords.

This brought a huge surge in visitors, and ensuring I kept the server functioning took up all my available spare time. I wrote a short blog entry which attracted a lot of comments. Things are a little calmer now, so I’m writing this longer post to explain what happened.

This looks like a long post, just tell me my email account wasn’t compromised…

• I do not have copy of the list
• and….I do not have a copy of the list
• just to be clear….I do not have a copy of the list

Microsoft investigated and have frozen the affected accounts on their systems and if you find yourself locked out of your account, fill out their recovery form to regain control.

Aside from that, if you’ve ever entered your email login details into anything but your providers web page, then I recommend you change your password. It’s likely that the leaked list came from a much larger set – just seeing the published isn’t enough to be sure your details have not been compromised.

So, even if you are just a bit concerned, just change your password. Go on. I’ll wait.

All done? Now read on for the gory details….

Sometime prior to October 3rd 2009…

…some unknown bad guys start collecting email addresses and passwords.

We can be pretty sure that they didn’t “hack into” Microsoft or any other major email provider to obtain the passwords. These companies should not actually store your password, they just store a fingerprint of it (what developers call a cryptographic hash).

To extend this analogy to the real world: if you emailed me your fingerprint, I couldn’t tell what you looked like, i.e. I could not reconstruct you just from that fingerprint. However, I could verify your identity if I met you by taking your fingerprint and comparing to the one I had stored.

So, when you log in and send your password, they take the fingerprint of what you entered, and compare with the fingerprint stored in their database.

So if they didn’t hack into a provider, where did they get them?

The most likely, and perhaps surprising, answer is that they simply asked the users for them. For example, they could create an authentic, safe looking site which promises to tell you who has blocked you on MSN Chat – all you need to do is enter your MSN account details.

Some researchers have also suggested the details were harvested by infecting PCs with keylogging software.

Oct 3rd, 04:00 UTC – Bad guys post 10,000 passwords on Pastebin.com

For reasons unknown, our miscreants post a set of hotmail addresses and passwords on the pastebin.com website.

A sharp eyed user spotted the posting, or found it via a Google search, and it reached the attention of a tech news blog called Neowin.

Oct 3rd, 16:45 UTC – post is flagged as abuse

If users spot a post which appears not to belong on pastebin, they can flag it for attention. I check these flagged posts daily, and it’s a very rapid and streamlined process:

The software presents me the first 10 lines of the post, together with a link I can click if I think the post should be deleted. Generally it’s pretty easy to determine if something doesn’t belong, and a list of email addresses and passwords is obviously not going to make the cut.

So, someone spotted the post and flagged it. The next morning, Oct 4th, at 07:29 I saw the first 10 lines, and deleted the post in a heartbeat before realising the true scale of the list which subsequently caught media attention.

Oct 5th – Blog posts gather momentum

After Neowin posted their article on October 5th, interest in the story steadily grew.

Oct 6th – Mainstream media catches the story

I was up early on that day to check on the traffic and see if any special action would be needed. Having read the growing number of news articles I took the following action

• Added additional rules to the content filters on pastebin.com to ensure hotmail addresses could not be posted
• Began searching all existing posts to ensure no further copies remained

Traffic levels were so high that the search was running at a crawl, so I closed the site so the cleanup would complete, and left for my office.

I reopened the site late afternoon UK time, and continue to monitor the traffic to ensure it remained as usable as possible.

OK, so why didn’t you keep a copy?

Let me abuse Pulp Fiction for a moment:

• Jimmie: “Now let me ask you a question, Jules. When you drove in here, did you notice a sign out in front that said, “Email password storage”?”
• Jules: “Jimmie…”
• Jimmie: “Answer the question! Did you see a sign out in front of my house that said “Email password storage”?”
• Jules: “Naw man, I didn’t.”
• Jimmie: “You know why you didn’t see that sign?”
• Jules: “Why?”
• Jimmie: “‘Cause storin’ email passwords ain’t my fuckin’ business!”

Now, if it happens again, I may act differently. Security professionals at some large companies have expressed interest in helping their users if such a list could be made available to them. I’m more interested in enhancing the content filters on pastebin to ensure that text that looks like a list of email addresses is simply rejected.

Even if your email address wasn’t on the list, if you think you’re the kind of person who is prone to phishing scams, just change your password. If you didn’t understand that last sentence, just change your password.

The published list was likely much larger, since it seems it was alphabetically ordered and only got as far as ‘b’. Having possession of that list will not help you determine if your address has been not been compromised.

More links

• The Register wrote an article suggesting that this really wasn’t “news” – I quite agree.
• Researchers have analysed the list and found weak passwords are common (no surprises there) but also that a lot of Spanish names are in the top 20 passwords, suggesting that the credentials were captured from a Spanish-speaking community.
• How to regain control of a Gmail account

Can I ask a question?

Sure! As long as it’s not “is my address on the list?”

It seems that a list of 10,000 Hotmail usernames and passwords has been posted on pastebin.com in recent days.

Pastebin was created as a tool to aid software development, not to distribute this sort of material.

As a result of the interest this story is generating, pastebin.com is experiencing huge levels of activity – as a result I took it offline to ensure all the offending material has been removed, and have adjusted the abuse filters prevent re-occurence.

Edit: please don’t ask if you name was on the list. I have no way of knowing. Just change your password.

Edit #2: things have calmed down now, and I’ve written a longer post about the incident here.

I’ve had a DMCA takedown request sent in relation to a pastebin post containing the signing keys for a range of Texas Instruments calculators which, if I understand correctly, allow you to digitally sign a replacement operating system so that the hardware will accept it.

If you buy a piece of hardware, I firmly believe you should be able to do whatever you like with it, and people installing their own operating systems and *improving the damn product* is something TI should be happy about.

There’s a blog over at http://brandonw.net/ which is enthusiastic about this sort thing, and you can read wide and varied discussion about the issue on SlashDot too. (Edit: on 23rd Sep The Register weighed in with this article)

So, here is the DMCA takedown request Texas Instruments sent to me:

September 17, 2009
To Whom It May Concern:
Re: Illegal Offering of Material to Circumvent TI Copyright Protections
VIA: report abuse at pasetebin.com

It has come to our attention that the web site http://pastebin.com/f23af06b7, contains material and/or links to material that violate the anti-circumvention provisions of the Digital Millennium Copyright Act (“DMCA”). This letter is to notify you, in accordance with the provisions of the DMCA, of these unlawful activities. Pursuant to the safe harbor provisions of the DMCA, we request that you remove any whole or partial reproductions of and/or disable links to the following:

The post located on http://pastebin.com/f23af06b7

Texas Instruments Incorporated (“TI”) owns the copyright in the TI-83 Plus, TI84 Plus and TI-89 operating system software. The TI-83 Plus, TI-84 Plus and TI-89 operating systems use encryption to effectively control access to the operating system code and to protect its rights as a copyright owner in that code. Any unauthorized use of these files is strictly prohibited.

http://pastebin.com/f23af06b7 is distributing or providing links to information that bypasses TI’s anti-circumvention technology. By providing copies of or offering links to such information, http://pastebin.com/f23af06b7 has violated the anti-circumvention provisions of the DMCA at 17 U.S.C. §§ 1201(a)(2) and 1201(b)(1).

Please confirm to the undersigned in writing no later than noon on September 18, 2009 that you have complied with these demands. You may reach the undersigned by telephone at (xxx) xxx-xxxx or by email at xxxxxx@ti.com. TI reserves all further rights and remedies with respect to this matter.
I hereby confirm that I have a good faith belief that use of the Illegal Material in the manner complained of in this letter is not authorized by the copyright owner, its agent, or the law, that the information in this letter is accurate, and that, under penalty of perjury, I am authorized to act on behalf of TI, the owner of the exclusive rights in the TI-83 Plus, TI-84 Plus and TI-89 operating system software that are allegedly misappropriated using unlawful methods.
Texas Instruments Incorporated

XXX XXXXXX
Manager, Business Services
Education Technology Group

I live in the UK, and pastebin.com is hosted in the UK, so hitting me with a DMCA takedown request is rather pointless. However, I do remove copyrighted content on request, so much as it pains me to do so, I’ve deleted that post for now.

It’s no biggie, if you want the keys, just check wikileaks or do a Google search for 82EF4009ED7CAC2A5EE12B5F8E8AD9A0. That’s just a long hexadecimal number. Pretty sure I’m free to express that number in any form I like.

Can you say “Streisand Effect”?

Edit: Interesting post here on dealing with these TI DMCA notices. Persoanlly, I’m not interested in fighting to keep the post on pastebin.com as it is widely available elsewhere. I have a copy of the keys should I ever wish to actively distribute them though…

Edit#2, Oct 14th 2009: The Electronic Frontier Foundation have written the following about this issue: EFF Warns Texas Instruments to Stop Harassing Calculator Hobbyists.

I run pastebin.com, and maintain it daily. I check for abuses of the service, block IP addresses of serial offenders and try to ensure it provides a speedy and useful service.

I make the software available for others to use and improve upon too.

pastebin.org is one such site, but I’m starting to get emails from people who’ve used that site and are now infected with the Win32/Alureo trojan virus. In addition, the site seems to have been compromised in other ways, with extra advertising banners and popups.

I’m not responsible for that site. I’ve tried to make contact with the registrant listed in whois records, but not had a response.

The moral of the story: if you want to stay safe, stick with pastebin.com!

Last October I found a bug in PHP’s SOAP module. It was pretty obscure bug in the way PHP used Digest authentication. As it was a showstopper for me, I submitted a bug report and wrote a patch to fix it.

It took a while, but my patch has finally been merged into the 5.* and 6.0 sources!

I’ve been using PHP for ten years, and so it’s perhaps a little surprising it’s taken me this long to give anything back. Truth is, this was the first time I’ve come across a bug which halted my development work.

It’s a tiny fix, 6 lines of code, but it makes me happy that after all this time, finally, there’s a bit of me in PHP! Hurrah for open source software!

Geograph.org.uk has been offline all day, there seems to be a problem with a router which connects the Geograph servers with the rest of the Internet.

At the moment we don’t have a definite ETA but I think it could be Monday before we get this resolved. Enjoy the excellent bank holiday weekend weather!

Edit: We’re back! As suspected it was a router issue, our thanks to the sterling folk at Fubra who resolved this late on Sunday night.

Edit #2: …and on Thursday morning it seems we’re down again. Seems to be the same issue, should not be down for long….

Edit #3: We’re not having a good week. An entirely unrelated issue has brought the site offline again on Monday 1st June. This one is within our control but proving tricky to fix….

Edit #4:Our hosting provider have provided a full account of the network problems experienced in the past week, largely due to a complex sequence of upgrades. It seems we should now be entering a period of calm and unparalleled uptime! Touch wood…