VML Vulnerability

A new vulnerability in IE's VML engine (vgx.dll) has been reported. While VML is rarely used on purpose, IE loads the VML engine whenever a page contains VML markup, so the hole is critical because:

  1. Any website can exploit it by embedding VML inside HTML.
  2. Any email sender can send HTML email carrying hostile VML.

This one is serious enough for me to take action without waiting for a patch from Microsoft, and I suggest you do the same by choosing one of the workarounds listed here.

Since none of my tools rely on VML (AFLAX does, but I am not using AFLAX yet), I chose to disable VML by unregistering VGX.dll with the following command:

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"

To restore VML later, use the same command without -u. Both commands need administrative rights (regsvr32 writes to HKEY_CLASSES_ROOT), and adding /s suppresses the confirmation dialog. Unregistering only stops IE from activating the engine; the DLL stays on disk, so re-register it once a patched vgx.dll has been installed.

Four Years of Blogging

I didn't realize until today that my fourth blogging anniversary passed last month. Wow. After four years, I am still impressed by how blogging enables a person to influence the world around him.

While bloggers tend to think in terms of link counts, I think it's interesting to see how far our words travel. For example, the term 'visual spoofing' now has 13,600 mentions. Terse words don't travel as far, though. 'dog-shit-girl' has only 625 results, while 'dog-poop-girl', the media-friendly version from the Washington Post, has 17,100 results.

Well, maybe some rapper will use the original version cuz it rolls off the tongue better.

Dog-shit-girl, o, dog-shit-girl

Kick her booty cuz she so snooty

Dog-shit-girl, o, dog-shit-girl

Hehe.

Welcoming Mark Lewis to Blogosphere

I just noticed that Mark Lewis, EMC's Chief Development Officer (huh?), started blogging Monday, the day EMC completed its acquisition of RSA. Since RSA is a client, I thought I should welcome Mark to the blogosphere by sending him some Google juice, although I doubt he'll need it if he keeps his blog interesting instead of using it as an unofficial PR outlet.

Welcome Mark!

Striking HP Off My List

Now these CNET articles on HP are really creeping me out:

HP began tracking the phone records of CNET News.com reporter Dawn Kawamoto on Jan. 17, Kawamoto said she was told on Tuesday. That was about a week after a January strategy meeting for directors and executives, but six days before News.com published its Jan. 23 story about the meeting.

News.com reporter Tom Krazit also was told by investigators that his personal phone records were accessed on Jan. 20, the same day he called HP spokesman Robert Sherbin for comment about the board meeting.

I am not into ragging on and on about a topic. When something creeps me out, I deal with it and move on. Short of turning myself into an activist, I am going to just exercise my rights as a consumer/investor: refusing to buy. So I am just going to strike HP off my shopping list and not invest in HP stock regardless of how cheap it looks until the word 'HP' no longer disgusts me.

I am now done with this topic for at least a year.

Goodbye RSAS

It's funny how a stock symbol can disappear just like that. I knew the EMC acquisition was happening sometime this month but I've been busy so I didn't know it happened over the weekend. I checked the market as usual this morning and noticed RSAS was gone. Poof. Not a trace.

So long RSAS. You've been good to me.

NOFOLLOW NOSAFE GET

I hereby propose that all anchor tags marked with

rel='nofollow nosafe'

are links which may have side effects when followed (e.g. deleting something), that is, links that are not "safe" in the sense that HTTP expects a GET to be. The intention is to give tools like Google Web Accelerator enough hints for them to steer clear of such links. I really wish the anchor tag ('a') had a 'method' attribute like the 'form' tag does, but I don't have time to wait until the W3C remodels hell, and I am not going to waste my time with idiotic and cumbersome workaround solutions, so this will have to do.

As to why both: nofollow is already widely recognized, and nosafe says more precisely what the problem with the link is.

If you are going to do the same, link to this post.

Update:

Based on feedback, I've renamed the unsafe REL value to nosafe because 'unsafe' is a common word.

I need to explain what I am trying to accomplish with the nosafe REL proposal. I am not expecting everyone to put the proposal into practice because a) I am not crazy, and b) I think that only a small number of web sites need to use nosafe to make it sensible for developers to make their software nosafe-aware.

If I were writing a GWA-like tool, I would want to reduce the abrasive surface area (the places where my tool rubs against other people's sites) as much as possible. It would be irresponsible of me not to take advantage of hints like the nosafe REL, even if only a small number of websites used it.
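As an added illustration (not code from the original post, and not how Google Web Accelerator works), here is how a prefetching tool could honour the hint. The HTML snippet, the helper names, and the choice to treat a bare nofollow as a stay-away hint too are assumptions of this example:

```javascript
// Added example, not from the original post: a prefetcher that skips links
// marked rel="nofollow nosafe". The sample HTML below is constructed.

// rel is a whitespace-separated, case-insensitive token list, so
// "NoSafe" and "nofollow   nosafe" must both be recognised.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// A link may be prefetched only if nothing marks it as unsafe to follow.
// 'nosafe' is the proposed token; 'nofollow' alone is a search-engine hint,
// but a cautious prefetcher (an assumption of this example) stays away too.
function isPrefetchable(rel) {
  const t = relTokens(rel);
  return !t.has('nosafe') && !t.has('nofollow');
}

// Pull one attribute value out of an anchor's attribute string (" or ' quoted).
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\')', 'i');
  const m = re.exec(attrs);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Minimal anchor scanner, good enough for the example but not a full HTML
// parser. Returns the hrefs to prefetch and the ones that must be left alone.
function planPrefetch(html) {
  const safe = [];
  const skipped = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = attr(m[1], 'href');
    if (!href) continue;
    (isPrefetchable(attr(m[1], 'rel')) ? safe : skipped).push(href);
  }
  return { safe, skipped };
}

// Constructed sample page: an admin listing with a destructive GET link.
const SAMPLE_HTML = `
<a href="/posts/42">Read post</a>
<a href="/posts/42/edit" rel="nofollow">Edit</a>
<a href="/posts/42/delete" rel='nofollow nosafe'>Delete</a>
<a href="/logout" rel="NoSafe">Log out</a>
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(planPrefetch(SAMPLE_HTML));
  // { safe: ['/posts/42'], skipped: ['/posts/42/edit', '/posts/42/delete', '/logout'] }
}
```

The point of tokenising rel rather than comparing the whole string is that authors will write the two tokens in either order, with odd spacing and mixed case; a prefetcher that only matched the literal 'nofollow nosafe' would happily follow the delete link.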

Slowing Down Attackers

While on the subject of sanitizing input, I've noticed that most developers stop at defending against cross-site scripting and SQL injection. While some ill-formed inputs are unintentional, many are clearly intentional attacks designed to explore and penetrate.

IMHO, the origins of suspected attacks should be marked and the degree of certainty used to slow down responses or to return responses designed to confuse the attackers. Just one hour of IP-specific probation, with slow or no service, will change the attack economics enough to make your site less attractive to attackers.

Going further, this information should be shared in real time and accumulated over time to push the responsibility for defense as close to the attackers as possible. If each reported attack incident stains the source IP, ISPs will take more steps to prevent their entire IP range from being painted hostile, perhaps by subscribing to incident reports involving their IP range and mapping them to accounts. Anonymous proxies and Wi-Fi hotspots will also be forced to do the same if they want to avoid being effectively shut down.
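As an added example, not part of the original post, here is one way to implement the marking and the one-hour probation described above as a request filter. The signatures, weights, thresholds, helper names and the access-log lines are all constructed assumptions:

```javascript
// Added example, not code from the original post: score suspicious request
// origins and put them on a one-hour, IP-specific probation. Signatures,
// weights, thresholds and log lines are constructed for illustration.

const HOUR_MS = 60 * 60 * 1000;

// Each signature carries a weight: how strongly a match suggests deliberate
// probing rather than a typo. The weights are assumptions to tune per site.
const SIGNATURES = [
  { name: 'path traversal',      re: /(\.\.[\/\\])+/,                                    weight: 3 },
  { name: 'sql injection',       re: /('|%27)\s*(or|and)\s+[\w'"]+\s*=|union\s+select/i, weight: 4 },
  { name: 'script injection',    re: /<script\b|javascript:/i,                           weight: 3 },
  { name: 'system file probe',   re: /\/etc\/passwd|boot\.ini|win\.ini/i,                weight: 3 },
  { name: 'scanner fingerprint', re: /\/(phpmyadmin|cgi-bin\/|_vti_bin|wp-admin)/i,      weight: 1 },
];

// Decode URL-encoding before matching, but never let malformed input throw.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Sum the weights of matching signatures for one request path (with query).
// The score is the "degree of certainty" that the request is hostile.
function scoreRequest(pathAndQuery) {
  const decoded = safeDecode(pathAndQuery);
  let score = 0;
  const hits = [];
  for (const sig of SIGNATURES) {
    if (sig.re.test(decoded)) { score += sig.weight; hits.push(sig.name); }
  }
  return { score, hits };
}

// Per-IP suspicion and probation state. The current time is passed in so the
// logic is testable; a real server would pass Date.now().
class ProbationTracker {
  constructor({ threshold = 6, slowAbove = 3, probationMs = HOUR_MS } = {}) {
    this.threshold = threshold;     // cumulative score that starts probation
    this.slowAbove = slowAbove;     // cumulative score above which we slow down
    this.probationMs = probationMs;
    this.ips = new Map();           // ip -> { score, probationUntil }
  }

  // Decide how to serve one request: 'serve', 'slow' (delay the response)
  // or 'deny' (no service while on probation).
  decide(ip, pathAndQuery, now) {
    const state = this.ips.get(ip) || { score: 0, probationUntil: 0 };
    if (state.probationUntil && state.probationUntil <= now) {
      // Probation served: forget the history so an hour of quiet clears it.
      state.score = 0;
      state.probationUntil = 0;
    }
    const { score, hits } = scoreRequest(pathAndQuery);
    state.score += score;
    if (state.score >= this.threshold && state.probationUntil <= now) {
      state.probationUntil = now + this.probationMs;
    }
    this.ips.set(ip, state);
    let action = 'serve';
    if (state.probationUntil > now) action = 'deny';
    else if (state.score > this.slowAbove) action = 'slow';
    return { action, score: state.score, hits, probationUntil: state.probationUntil };
  }
}

// Constructed access log, "ip timestamp method path": 198.51.100.7 probes,
// gets slowed, then denied, and is served again once the hour is up.
const SAMPLE_LOG = [
  '203.0.113.9 2006-09-19T10:00:00Z GET /index.html',
  '203.0.113.9 2006-09-19T10:00:01Z GET /search?q=shoes',
  '198.51.100.7 2006-09-19T10:00:02Z GET /search?q=%27%20OR%201%3D1--',
  '198.51.100.7 2006-09-19T10:00:03Z GET /../../etc/passwd',
  '198.51.100.7 2006-09-19T10:00:04Z GET /products?id=1',
  '198.51.100.7 2006-09-19T11:05:00Z GET /products?id=2',
];

// Replay log lines through a tracker and return the decision for each one.
function replay(lines, tracker = new ProbationTracker()) {
  return lines.map((line) => {
    const [ip, ts, , path] = line.split(' ');
    const d = tracker.decide(ip, path, Date.parse(ts));
    return { ip, path, action: d.action, score: d.score, hits: d.hits };
  });
}
```

Replaying SAMPLE_LOG gives serve, serve, slow, deny, deny, serve: the first injection attempt alone only slows the client, the traversal plus system-file probe pushes it over the threshold and starts the hour, and the request after the hour is served with a clean slate. The tracker keys on client IP only, which is exactly the sharp edge the last paragraph describes: everyone behind a shared proxy or hotspot address serves the same probation, so the threshold is deliberately set several points above a single typo-like hit.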