
Viraptor's dev-log

Your mind-fluffer hopefully

So long, and thanks for all the emails

on September 16th, 2007

Message to all the people who protected their email by changing “@” to AT and “.” to DOT: thank you for making it easier to find.

Typically, large numbers of emails are hard to find through Google or other search engines. Thanks to email “protection” it’s just fun now. Why? Searching for “@gmail.com” on Google will probably be the same as searching for “gmail com”, because special characters are stripped. You would expect to get many pages containing gmail addresses, but instead you get lots of pages talking about gmail.

Now that you’ve protected your email and it looks like “abcd AT example DOT com”, I can just google “at example dot com” and get your precious address. It’s great, because I’m sure it’s not a trap - why would you protect a trap address? Posting “abcd-(At]-example={doT)com” won’t help you either, as Google ignores special characters - remember?

Now some stats from Google:

  • 2,100,000 for “at gmail dot com”
  • 2,650,000 for “at gmail com” (thanks to pipermail!)
  • 85,900 for +at “no spam” “dot com” and 255,000 for +at nospam “dot com” (you’d like to hide - wouldn’t you?)

These numbers are not very accurate of course. Some addresses will be duplicated across many pages and some pages will have multiple addresses included. Anyways - these are big numbers.

All modifications are of course easy to undo - change at to “@”, dot to “.”, delete “no spam” or “cut” written in any possible way, delete spaces, and you’ve got a great email for spamming. Next time you try to protect your address (or even worse - my address) - please think about what you’re doing. Thanks.
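An added example, not code from the original post: a pre-publish check a site owner can run over their own page text to see which “protected” addresses the substitutions above undo. The function name, regular expressions and sample text are constructed for illustration, and “no spam” filler is only handled directly after the “at”.

```python
import re

# Decoration a search index ignores: spaces, dashes, brackets, "=" and so on.
SEP = r"[\s\-_=*()\[\]{}<>]*"
AT = rf"{SEP}(?:@|\bat\b){SEP}"
DOT = rf"(?:\.|{SEP}\bdot\b{SEP})"
FILLER = rf"(?:\bno{SEP}spam\b{SEP})?"   # "no spam" / "nospam" right after the at
LOCAL = r"[a-z0-9](?:[a-z0-9._%+-]*[a-z0-9])?"
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
PATTERN = re.compile(
    rf"(?P<local>{LOCAL}){AT}{FILLER}(?P<domain>{LABEL}(?:{DOT}{LABEL})+)",
    re.IGNORECASE,
)

def audit_page_text(text):
    """Return (raw, address, obfuscated) for every address recoverable from text."""
    findings = []
    for m in PATTERN.finditer(text):
        # Collapse every "dot" variant inside the domain back to a literal ".".
        domain = re.sub(DOT, ".", m.group("domain"), flags=re.IGNORECASE)
        address = f"{m.group('local')}@{domain}".lower()
        raw = m.group(0)
        findings.append((raw, address, raw.lower() != address))
    return findings

# Constructed sample text; the first form is the one quoted in the post.
SAMPLE = (
    "Mail abcd-(At]-example={doT)com or bob AT nospam example DOT org. "
    "Plain: carol@example.net"
)

if __name__ == "__main__":
    for raw, address, obfuscated in audit_page_text(SAMPLE):
        label = "obfuscated" if obfuscated else "plain"
        print(f"{label:10} {raw!r} -> {address}")
```

Ordinary prose such as “look at example.com” is reported too, so treat the output as a list to review rather than a definitive count.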

Security hole in .NET 2.0

on December 7th, 2006

Jeroen Frijters recently discovered a bug in .NET 2.0 on Windows platforms that allows executing any code from a “verifiable and partially trusted C# application”. That really sucks. Now any .NET code running from the browser can also exploit the system. OK - a security problem - that happens to everybody, and we should’ve already learnt to forgive that.

Not this time. The bug was already known, as it was “reported by someone else in August” and the “bug was subsequently fixed in September”. Patches only made it to Vista, and the rest will get patches through Windows Update “sometime in the next few months”. The only thing you can really say is WTF? Two guys have independently reported this bug already.

Who knows how many know about it but didn’t report it, and how many ran into it and know they can crash the system with it but can’t make a real exploit? Once again I think a PoC should be released now. Seriously - one month was enough to patch it in Vista and 4 months weren’t enough for XP? MS - you don’t release patches when you like it - you release them when they’re needed. What can change this policy? Someone owning an MS developer’s machine with this bug and stealing Vista code? Owning Ballmer’s desktop with a 0-day and publishing his private mail?

It’s a pity that this exploit would be too valuable in the real world to waste on “it’s a bad patching cycle” propaganda. Maybe one day…