G-Star RAW World Chess Challenge: Carlsen vs. Everyone Else

Clothing company G-Star is sponsoring the RAW World Chess Challenge, wherein participants around the world (the “World Team”) will have an opportunity to play collectively against Magnus Carlsen of Norway, who at 19 years old is currently ranked number one in the world.

The match will take place on 10 Sep 2010 and will be a vote match hosted by Chess.com, wherein World Team members vote moves up or down.  The World Team will be guided by a panel of three Grandmasters selected by Garry Kasparov:

This will be interesting.  Staying in a match against a player of this caliber is going to require a cohesive attack strategy, which seems unlikely to materialize via simple online collaboration.  The guidance offered by the grandmasters will certainly be key to the team’s success (or failure).


Tumblr: Sharing your password(s) with the world since 2010!

Tumblr is all over the news today: The New York Times published two pieces on the service, which by mid-morning had landed on the front pages of Techmeme and Hacker News.  For kicks, I thought I’d sign up and see what it was all about.

The premise is that you create a “tumblelog,” which Jason Kottke describes as a “quick and dirty stream of consciousness.”  Tumblr allows the user to achieve this by posting long-form, quotations, links, and a variety of media.

This type of service is generally more fun/useful if one’s friends are involved.  Thus, the likely sequence of events for new users is:

  1. Find Tumblr.com via link or Google.
  2. Follow “Sign Up” or “Log In” links on Tumblr home page.
  3. Submit/create an ID and password to access your dashboard.
  4. Find and invite friends by allowing Tumblr to “Look up your contacts”–this imports contacts from your mail service of choice (Google, Yahoo!, Hotmail, etc.), which requires that you provide Tumblr with the username and password for said service [1].

There’s just one problem: At no point did it occur to the folks at Tumblr that they might want to encrypt form submissions.  Both the Sign Up and Log In links on the home page send the user to an unencrypted page, and post information in the clear [login.pcap][2].

Assuming that they notice and care, end-users can log in via an encrypted form, but this requires that they know to edit the URL by hand prior to entering data [video].  It is recommended that Tumblr subscribers bookmark the following URL if they wish to log in: https://www.tumblr.com/login.

And it gets better/worse . . .

Once the user logs in and visits the Goodies page, Tumblr offers to locate friends by importing contacts from a personal mail service.  Tumblr accepts the (arguably more sensitive) username and password for these services, and transmits these in the clear as well [import_contacts.pcap].

Oddly enough, an end-user attempting to submit this information via an encrypted form will be thwarted by a redirect, sending them back to the unencrypted page prior to data entry [video].

One would think that an observant end-user would catch one or both of these gaping security holes, but my guess is that the overwhelming majority of their six million or so users haven’t noticed or don’t care.  Then again, one would also think that at least one person on the Tumblr engineering team would consider safeguarding user data in transit.  Alas, collective fail.

UPDATE01: It’s bad enough that they knowingly implemented the service in this manner, but Tumblr was made aware of this by an end-user in Mar 2010.  Aug 2010: No change.

UPDATE02: Another concerned user reported this to Tumblr in Jan 2010.

UPDATE03: A brief survey of popular social sites indicates that Tumblr and Digg appear to be the only two that knowingly take your Google (Gmail) account credentials and pass them in the clear.

———————-

[1] Many web sites offer this type of temporary contact import, but do so safely.  Lesson: “Trust but verify.”

[2] Many HTML forms on unencrypted pages POST to encrypted URLs, protecting the data in transit.  That is not the case here, thus the packet captures for validation.


Errors importing iCal data (iCalendar) into Google Calendar

While attempting to import iCal export (.ics) files into Google Calendar, I’ve encountered the following errors:

  • Failed to import events: Unable to process your iCal/CSV file. (Google, Bing)
  • HTTP/1.1 403 Google Calendar doesn’t support storing of “To Do” (VTODO) components (Google, Bing)

It appears as though Google Calendar is choking on both the VTODO and VALARM stanzas within the export file.

VTODO data is easy to remove, as it will appear near the end of the export file.  Find the first instance of “BEGIN:VTODO,” and remove all data beginning with that line and ending with the final “END:VTODO” instance (take care not to delete the “END:VCALENDAR” line, as it will invalidate the export).

VALARM data is problematic, as it is nested within each VEVENT stanza.  Depending on the size of the export file, it could easily contain hundreds or thousands of these.

The fast and dirty solution is to remove these elements from the iCal export file, and then import the “clean” version into Google Calendar.  Note that imported events in the target Google Calendar will no longer contain alarms–these events will need to be updated manually, if desired.

Following is a simple Python script that will remove these stanzas and produce a new file that should import properly.  After downloading, be sure to edit the INFILE variable at a minimum.

Head on over to Code for the latest version (iCal-to-GCal).

It’s worth noting that this script can be used to quickly remove data from any file that contains similarly-formatted information.  Just update the TAGS list accordingly.
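The following is an added example of the stripping described above; it is not the iCal-to-GCal script from the post. It walks the .ics file line by line, drops every BEGIN:<tag> ... END:<tag> block for the component names in TAGS (VALARM blocks nested inside each VEVENT included), and leaves everything else, END:VCALENDAR in particular, untouched. The function names, the INFILE/OUTFILE handling and the sample export are constructed for illustration; Python 3 is assumed.

```python
"""Remove VTODO and VALARM components from an iCalendar export.

Added example, not the post's own script. Edit TAGS to strip other
similarly formatted BEGIN:/END: blocks.
"""
import sys

# Component names to remove. Extend this list for other similarly formatted data.
TAGS = ["VTODO", "VALARM"]


def strip_components(text, tags=TAGS):
    """Return `text` with every BEGIN:/END: block named in `tags` removed.

    A depth counter copes with a tagged block that contains another tagged
    block. Folded continuation lines (leading space or tab) inside a dropped
    block are dropped with it, since lines are only ever inspected one at a
    time. Raises if a block is never closed, which points at a truncated file.
    """
    begin = {"BEGIN:" + t.upper() for t in tags}
    end = {"END:" + t.upper() for t in tags}
    kept = []
    depth = 0
    for line in text.splitlines(keepends=True):
        name = line.rstrip("\r\n").upper()
        if name in begin:
            depth += 1
            continue
        if depth:
            if name in end:
                depth -= 1
            continue
        kept.append(line)
    if depth:
        raise ValueError("unterminated component; the export file looks truncated")
    return "".join(kept)


def count_components(text, name):
    """Count BEGIN:<name> lines; handy for a before/after sanity check."""
    marker = "BEGIN:" + name.upper()
    return sum(1 for line in text.splitlines() if line.strip().upper() == marker)


def clean_file(infile, outfile):
    """Write the cleaned copy of `infile` to `outfile`; return (events, removed blocks)."""
    with open(infile, encoding="utf-8") as f:
        text = f.read()
    cleaned = strip_components(text)
    with open(outfile, "w", encoding="utf-8", newline="") as f:
        f.write(cleaned)
    removed = sum(count_components(text, t) for t in TAGS)
    return count_components(cleaned, "VEVENT"), removed


# Constructed sample export: one event with a nested alarm, one to-do.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:1@example\r\n"
    "SUMMARY:Dentist\r\n"
    "DTSTART:20100901T090000Z\r\n"
    "BEGIN:VALARM\r\n"
    "ACTION:DISPLAY\r\n"
    "TRIGGER:-PT15M\r\n"
    "END:VALARM\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VTODO\r\n"
    "UID:2@example\r\n"
    "SUMMARY:Pay bill\r\n"
    "END:VTODO\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        events, removed = clean_file(sys.argv[1], sys.argv[2])
        print("kept %d events, removed %d blocks" % (events, removed))
    else:
        print(strip_components(SAMPLE_ICS), end="")
```

Run it as `python strip_ics.py INFILE OUTFILE` (file name assumed) or with no arguments to see the sample export cleaned. Because END:VCALENDAR is never inside a stripped block, it survives regardless of where the VTODO entries sit in the file.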

UPDATE01: Wondering whether the integration of Tasks into Google Calendar will alleviate the VTODO handling issue?


E-mail items to Instapaper

I use Instapaper every day, as a means of saving off pages that I come across but don’t have the time to read/evaluate immediately.  And when I’m working on a computer this is all well and good–the Instapaper bookmarklet allows me to save pages quickly and move on.

The problem arises when I’m viewing content on my mobile phone, as the concept of a bookmarklet in any mobile browser that I’ve had the pleasure of using does not exist.  To make matters worse, I’m one of the five or six people on Earth who does not own an iPhone.  So, the surely-pleasant Instapaper apps are dead to me.

For some time, I’ve been using the “Send this Page” functionality built in to my mobile browser to e-mail pages to a mailbox for further processing.  Some simple mailbox rules and a short list of known source addresses make this a viable solution.  Unfortunately, viable is never good enough.

To scratch this itch, I’ve thrown together a small collection of scripts that will:

  1. Retrieve messages from an IMAP mailbox (this needn’t be a dedicated inbox–a specific folder, Gmail label, etc. will suffice).
  2. Validate senders using a whitelist.
  3. Extract things that look and smell like URLs from message bodies (should handle crappy HTML messages, too).
  4. Submit URLs to Instapaper.

Surprisingly, it works (for me).  Requires Python 2.5+ (haven’t tested with 3.X, but should work), and an IMAP-enabled mailbox of some sort.

Head on over to Code for the latest version (IPMailer).
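As an added example of steps 2 and 3 above (not the IPMailer scripts from the post), the following validates a message's sender against a whitelist and pulls URLs out of both the text/plain and text/html parts. Step 1 (the IMAP fetch) and step 4 (the Instapaper submission) are left out so that it runs offline; the raw message, the whitelist addresses and the function names are constructed, and Python 3 is assumed. One caveat worth keeping in mind: a From: header is trivially forged, so a sender whitelist keeps out accidental junk rather than a deliberate sender, and anything extracted from the body should be treated as untrusted input.

```python
"""Sender whitelist check and URL extraction for mailed-in pages.

Added example, not the post's own code. Works on a raw RFC 822 message as
imaplib would hand it back; the sample below is constructed.
"""
import html
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed whitelist of addresses allowed to feed the reading list.
ALLOWED_SENDERS = {"me@example.com", "phone@example.net"}

# http(s) URL up to whitespace, a quote, or an angle bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_allowed(msg, allowed=ALLOWED_SENDERS):
    """Compare the bare address from From:, never the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower() in {a.lower() for a in allowed}


def body_text(msg):
    """Concatenate every text/plain and text/html part, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_content())
    return "\n".join(chunks)


def extract_urls(text):
    """Return unique URLs in order of appearance.

    Each match has HTML entities unescaped (so &amp; in an href becomes &)
    and trailing sentence punctuation trimmed, then duplicates are dropped;
    the plain and HTML parts of one message usually carry the same links.
    """
    seen = []
    for raw in URL_RE.findall(text):
        url = html.unescape(raw).rstrip(".,;:!?)")
        if url not in seen:
            seen.append(url)
    return seen


def urls_from_message(raw_bytes, allowed=ALLOWED_SENDERS):
    """Parse a raw message; return its URLs, or [] if the sender is not whitelisted."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    if not sender_allowed(msg, allowed):
        return []
    return extract_urls(body_text(msg))


# Constructed sample: a "Send this Page" style message with plain and HTML parts.
SAMPLE_RAW = b"""From: "My Phone" <phone@example.net>
To: reader@example.com
Subject: Fwd: article
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Check this out: http://www.example.org/article?id=1&ref=mobile.

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Check this out:
<a href="http://www.example.org/article?id=1&amp;ref=mobile">link</a></p></body></html>
--b1--
"""

# Same message with the whitelisted address only in the display name.
SPOOFED_RAW = SAMPLE_RAW.replace(
    b'"My Phone" <phone@example.net>', b'"phone@example.net" <stranger@example.org>'
)

if __name__ == "__main__":
    print(urls_from_message(SAMPLE_RAW))
    print(urls_from_message(SPOOFED_RAW))
```

Using `parseaddr` rather than a substring match on the header is the point of `sender_allowed`: a header such as `"phone@example.net" <stranger@example.org>` would pass a naive `in` check but fails here.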
