Articles: 12    Showing: 1 to 12 page: 1  

PirateBay Dropped Out of the Internet

Published by manu
Tags:
The Pirate Bay

Since last night I noticed that The Pirate Bay's website appeared down. I checked in this morning, checked via multiple locations (from different countries) and same result. I asked a few friends to help figure this one out because this is not a DNS issue and it seemed to be more than just a server down.

The result is that the Pirate Bay's netblock is no longer advertised; this means there is no known route to 194.71.107.0/24.

MBS (the friend who figured it out) showed me this tool I could use to see for myself:

[manu@loot][~-12:54] telnet route-server.ip.tiscali.net
Trying 213.200.64.94...
Connected to route-server.ip.tiscali.net.
Escape character is '^]'.
+--------------------------------------------------------------------+
|                                                                    |
|                    Tinet Route Monitor - AS3257                    |
|                                                                    |
|  This system is solely for internet operational purposes. Any      |
|  misuse is strictly prohibited. All connections to this router     |
|  are logged.                                                       |
|                                                                    |
|  This server provides a view on the Tinet routing table that       |
|  is used in Frankfurt/Germany. If you are interested in other      |
|  regions of the backbone check out http://www.as3257.net/          |
|                                                                    |
|  Please report problems to noc@tinet.net                           |
+--------------------------------------------------------------------+
route-server.as3257.net>show ip bgp 194.71.107.0
% Network not in table

I found a list of Public Route Servers to query; those I tested say the same.

It appears that The Pirate Bay has been getting DDoSed since last night; however, they have only mentioned it recently on their Facebook page, and I read that after having investigated this... So is the solution to the DDoS to disappear from the Internet ? Is this a reaction from Anonymous because of this ?

comments

Friendica 3.0 Social Networking Just got Better

Published by manu
Tags:
Friendica logo

Friendica is a truly decentralised social network, it has been around for a few years now already. Back in the day it was called Mistpark and already then it was more than just a proof of concept.

Today Friendica 3.0 is released and it is now ready for even more users than ever. Friendica is easy to install; it's PHP and MySQL based, so it can even run on a shared hosting platform. There are many plugins, and some of those plugins are connectors that allow you to connect to legacy social networks such as Facebook and Twitter, but also StatusNet and Diaspora.

Friendica is exactly what many of us have wanted, and these guys, mostly Mike, have worked hard and have delivered harder. The project deserves that you try it out. So go install it, or try out a test account on a test server to see what it's like... If you really don't have a clue about installing "websites" or anything, register an account with a public server.

comments

Implementing Gravatar Properly

Published by manu
Tags:

The other day a good friend of mine suggested I implement Gravatar on my website, so I started checking how it works and found it was incredibly easy. All I'd have to do is put in an img element with a link containing an MD5 hash of the commenter's email. Like this: <img src="http://www.gravatar.com/avatar/205e460b479e2e5b48aec07710c08d50" />

MD5's can be Sensitive Information

The commenter's email hash is visible to all visitors, robots/spiders, etc etc. Gravatar says it's okay because you can't crack the MD5 hash to retrieve the email. Indeed, for that you would probably need a database with emails and their MD5 hash to figure out what email is behind each hash.

There are 2 issues with this:

  • Without figuring out the email, you can still find a user's posts on other sites. Indeed, all you need is to search for the MD5 hash. Perhaps the Gravatar user is okay with this, but maybe not in every case (more later).
  • If you are the administrator of a large user database, you can search for MD5 hashes and easily find out what your users have been posting.

Other Issues

  • Non-Gravatar users can be tracked on the web too

    Even if you are not a Gravatar user, many websites will submit your email's MD5 hash to Gravatar and show that hash to the visitor. This means that even non-Gravatar users are now Gravatar users. There is nothing stopping Gravatar from storing this and nothing stopping people you know from finding your posts. Yes, anyone you know can go insane (like many employers who demand your social media credentials) and search the web for your email's md5 hash.

  • Gravatar can haz your blog statistics

    Every time someone visits a Gravatar enabled website, Gravatar gets some of the website's user statistics: visitor's IP, browser/OS and the page visited.

  • Gravatar Knows Where You Have Been

    Of course, because of the above, Gravatar can know about all the posts made by their users on Gravatar enabled sites. Maybe they don't gather that info, but technically it's totally possible.

  • Websites that use Gravatar deliver content from third party sources

    This can be a problem when your website uses HTTPS: using Gravatar means some of your content is no longer encrypted, unless you use Gravatar's HTTPS version. But using Gravatar's HTTPS version means asking your visitors to trust their SSL certificate, which is issued by GoDaddy !

    I know it is a very common practice to have many bits of websites hosted behind many different URLs, but it's always good to limit that where possible. For example, embedding a Youtube video is understandable as it is actual content and generally users can see where this comes from. Pulling avatars, icons and such from all over the web isn't so cool.

    It also means losing control over what parts of your site are actually getting delivered to your visitors and how they are getting delivered. You cannot know if your visitor's connection to Gravatar is broken or altered.

    From a non-privacy-insane perspective there could be performance issues; don't forget visitors now have yet another domain name to resolve. Reducing the number of DNS queries can help what they call "the user experience".

How can we Fix This ?

  • Give your commenter the choice of using Gravatar's service

    Instead of just hashing everyone's email "de force", why not let the commenter choose to have their email hash posted on the Internet first ? Perhaps even a Gravatar user may want to make a comment without linking it to their Gravatar profile ?

    I'll stress this a tiny bit more just because so many sites use Gravatar but don't even inform their users in the slightest way. If you would want to use Gravatar for every comment, why not, but you should at least inform your users.

  • Not show the email's MD5 hash in the first place

    Why not just make the request to the Gravatar avatar from the website and then deliver that to the visitors ?

    The technical howto in a nutshell is to replace the Gravatar image link with a script and pass a get variable to it, like the comment id. The script then figures out the md5 hash (if the user agreed), requests an image from Gravatar and shows that to the visitor.

    This also helps reduce the amount of DNS queries your visitors will make, instead your website/webserver will do all the work. And your webserver should probably have better bandwidth than your average visitor.
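
The script described above, sketched as an added example (this is not the site's own gravatar_img.php, and it is written in Python rather than PHP). The comments table, its `gravatar_ok` opt-in flag and the injected `fetch` function are assumptions made for illustration; `s` and `d=404` are Gravatar's own URL parameters.

```python
import hashlib
import re
import urllib.request

# Constructed sample data standing in for the comments table (hypothetical schema).
COMMENTS = {
    1: {"email": " Alice@Example.org ", "gravatar_ok": True},
    2: {"email": "bob@example.org", "gravatar_ok": False},  # did not opt in
}
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8")  # PNG, JPEG, GIF


def gravatar_url(email, size=80):
    """Gravatar hashes the trimmed, lower-cased address with MD5."""
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    # d=404 asks Gravatar for an HTTP 404 instead of its own default image.
    return f"https://www.gravatar.com/avatar/{digest}?s={size}&d=404"


def http_fetch(url):
    """Default fetcher: return the body, or None on any HTTP or network error."""
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.read(256 * 1024)  # cap what we accept from the third party
    except OSError:  # URLError and HTTPError (e.g. the 404) are OSError subclasses
        return None


def avatar_for_comment(raw_id, comments=COMMENTS, fetch=http_fetch):
    """Return avatar bytes for the `id` GET variable, or None to serve a local default.

    The e-mail hash only travels from this server to Gravatar, and only for
    commenters who opted in; visitors never see anything but the comment id.
    """
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return None  # id comes from the query string: accept plain digits only
    row = comments.get(int(raw_id))
    if row is None or not row["gravatar_ok"]:
        return None  # unknown comment or no consent: Gravatar is never contacted
    body = fetch(gravatar_url(row["email"]))
    if not body or not body.startswith(IMAGE_MAGIC):
        return None  # 404, timeout, or a response that is not an image
    return body
```

Caching the returned bytes per comment keeps a page view from turning into an outbound request every time, and Gravatar then sees only the web server's requests, not the visitor's IP, browser or the page visited.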

I think this probably extends to many more services than just Gravatar. And Gravatar are probably nice people with pure intentions... It's not the end of the world, but it would be nice if webmasters put more thought into this sort of thing. The Interweb is still an experimental place; we should still be actively thinking about how we build it, not just lazily and passively doing things the way they've always been done.

Gravatar Enabled

Starting today, on this website, if you post a comment you can choose to have your email's MD5 hash submitted to Gravatar to see if you have an avatar there I can use. Your email's MD5 hash will not be visible to other users.

This is what the img element that displays the G/avatars looks like on this website:

<img src="/blah/modules/gravatar/gravatar_img.php?id=1" />

comments 5

Around the world in 108 minutes

Published by manu
Tags:

Yuri Gagarin was the first human to orbit our planet; he made it around the world in 108 minutes on April 12 1961. To celebrate the 50th anniversary of the event, The Attic Room has put together a trip around the planet. This video uses original images as well as new images, and they tried hard to stay on the same path Yuri took.

So go to firstorbit.org, read more about it, watch it, download it, share it... Oh by the way, this is released under the Creative Commons license.

comments

LOL @MI6

Published by manu
Tags:

It appears that some just want to help out the Libyan people so much that they are willing to help them by surprise... It's almost comical how MI6 and SAS officers got caught by some farmers and were then handed off to the rebels.

I can only wonder what were the real motivations for this ? Was it out of pure solidarity, that burning desire to do what you can to help ? Create good relations with the future new controllers of Libyan oil ?

I won’t take risks with economic stability, or wreck the public finances. But I promise you I am doing everything I can to find a way to help. Chancellor George Osborne - 2 days ago

Whatever may be the real motivations, I tend to think that a good way to help the oppressed would be to stop selling weapons to their dictators in the first place.

comments

MSN + Pidgin + omega.contacts.msn.com

Published by manu
Updated
Tags:

Pidgin users with MSN accounts may have been experiencing problems connecting. It seems they have changed their certificate. The solution seems to be to manually delete the certificate, either by going to "Menu -> Tools -> Certificates" or by doing something like:

rm .purple/certificates/x509/tls_peers/omega.contacts.msn.com

In my case I used "mv" so I could keep the old ones for reference.

It seemed to work, but then the next day I had to do it again, I checked the certificates and found out the following:

The certificate that expired was valid from Tue Dec 1 22:45:11 2009 till Wed Dec 1 22:45:11 2010. The one I got the other day after moving this one is valid from Wed Jun 23 03:06:48 2010 till Thu Jun 23 03:06:48 2011, and after getting the same issue again and moving the certificate again, I received a new one valid from Mon Nov 15 22:28:19 2010 till Wed Nov 14 22:28:19 2012.

I am going to guess there is an issue with their servers not using the same key every time, and I am going to guess that the official MSN client uses more than one certificate so it can switch from one to another depending on the server you connect to without giving the user any alert (yeah, this does seem to not fit with the whole idea of the certificate... then again what do I know). Anyway, the three certs I got so far have these SHA1 fingerprints:

The one I originally had
f3:1f:2c:78:6a:8f:97:a6:8d:a8:c9:d4:0a:af:64:ae:63:57:88:17
The one I got a couple of days ago
c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36
The one I just got now
ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b

It almost looks like MSN got a Man In The Middle attack or something strange like that, maybe their private key got leaked so they changed it quickly thinking nobody would notice ? No official information to be found (if someone knows of any official information let me know).

Update

It seems that there is a patch for Ubuntu and it seems their solution was to manually add certs and stuff like that.. All this because MSN has/had an issue with their servers issuing different certificates at the same time.. Or something like that (MITM)..
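
The validity windows quoted above show why the second change was the odd one: the first replaced an expired certificate, the second replaced one with months left to run. The triage below is an added example, not part of the original post or of Pidgin; the fingerprints and validity dates are the ones from the post, while the observation dates and the 30-day renewal window are constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%a %b %d %H:%M:%S %Y"  # date format used in the post


def parse(ts):
    return datetime.strptime(ts, FMT)


# (SHA1 fingerprint, valid from, valid till), in the order they were received.
CERTS = [
    ("f3:1f:2c:78:6a:8f:97:a6:8d:a8:c9:d4:0a:af:64:ae:63:57:88:17",
     "Tue Dec 1 22:45:11 2009", "Wed Dec 1 22:45:11 2010"),
    ("c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36",
     "Wed Jun 23 03:06:48 2010", "Thu Jun 23 03:06:48 2011"),
    ("ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b",
     "Mon Nov 15 22:28:19 2010", "Wed Nov 14 22:28:19 2012"),
]


def valid_on(seen_at, certs=CERTS):
    """Fingerprints of every known certificate that is inside its validity window."""
    return [fp for fp, start, end in certs if parse(start) <= seen_at <= parse(end)]


def triage_change(pinned, presented, seen_at, renew_window=timedelta(days=30)):
    """Classify a switch from the pinned certificate to the presented one."""
    _, _, pinned_till = pinned
    _, new_from, new_till = presented
    if not parse(new_from) <= seen_at <= parse(new_till):
        return "reject: presented certificate is not valid at this time"
    if seen_at >= parse(pinned_till) - renew_window:
        return "renewal: pinned certificate expired or close to expiry"
    # Old certificate still had a long life: several servers with different
    # certificates, or interception. Needs an explanation before re-pinning.
    return "unexplained: pinned certificate was still valid"


if __name__ == "__main__":
    # Constructed observation dates for the two changes described in the post.
    print(triage_change(CERTS[0], CERTS[1], datetime(2010, 12, 2)))
    print(triage_change(CERTS[1], CERTS[2], datetime(2010, 12, 3)))
    print(len(valid_on(datetime(2010, 12, 3))), "certificates valid at once")
```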

comments

Search engines that are not Google

Published by manu
Tags:

Lately I've been finding it quite difficult to actually get good results from most search engines, hence after a while I'd often end up back on "do some evil" Google search engine page. After experimenting with other search engines like Ixquick (very good on privacy) and Clusty (they changed their name :/ but I like the idea of clustering results) I was still hungry. And then I found DuckDuckGo, very nice and clean interface, works with https (as the link shows) and gives results in https when possible. It has too many features for me to write about, go and look around in the options and such.

comments

OpenNight 15th April 2010

Published by manu
Tags:

Every so often OpenLab organises an OpenNight where people can try out their work in front of an audience. The works should be produced using open source technologies. There is much creativity to be seen and heard.

More information here.

I'd like to add a word about a program developed by one of the members of Cuntbucket (Jag); it's called DIN (Digital INstrument). It's a very intriguing instrument that reminds me of the theremin.

You can get some of the media files from this podcast

Photos from the night: pixelpusher (pushing pixels, and some of pixelpusher's code); Jonny Stutters & Rob Munro; "A thing"; "Only one pair of hands please"; Cuntbucket (Jag & Martin, "How to play DIN", "Pong is now an instrument").
comments

Galaxy Zoo

Published by manu
Tags:

You might have already heard about distributed research, projects like Seti@home and Folding@home, you install some software and your computer works for science. It's a way of passively helping out.

I recently found out about this very nice project called Galaxy Zoo, which is a bit the same except that the participants act as active researchers. It seems that with all these new telescopes and probes and things like that, the amount of information that needs to be analyzed is enormous. The idea is to send out images to the participants for them to classify; this helps the filtering process a lot, since astronomers can then work with sorted images.

Results have been published and recently Galaxy Zoo 2 has helped publish a paper. The idea is great, people putting together their efforts to do things... hmm, rings a bell. In all this you get to see rare images and be a part of the findings yourself.

So instead of clicking on sites like "hot or not" in your spare time, do something useful and head to one of the Galaxy Zoo sites, oh yeah I didn't mention, this seems to be very fruitful so there are a few variants, including the new Solar Storm Watch.. (I love a good solar storm!!).

comments

now in html5

Published by manu
Tags:

This website is now using HTML5. Normally this shouldn't change much, except for one thing that is important to me: the video tag, which allows me to publish video content in a much simpler manner.

I re-encoded all my photo/video montages in OGV "format" and it seems the quality is better (this could be just an impression) and mostly it's now using open formats. There should still be a Flash fallback for older browsers for now, however I just noticed IE is broken, any Safari feedback would be nice too although I'm not sure I'll "fix" it.

comments 2
