The Register ®
Comments on ‘Perl.com sends visitors to porn link farm’

Perl necklace

Published Saturday 19th January 2008 04:02 GMT


They attacked the wrong crowd. 

By Anonymous Coward
Posted Saturday 19th January 2008 04:50 GMT
Flame

Is there a list of the porn sites responsible? Give us that list and we'll DDoS the fucking bastards off the web!

Keeping your own house in order 

By BKB
Posted Saturday 19th January 2008 05:21 GMT
Thumb Down

Considering Perl's claim to be the securest form of web programming, this incident doesn't make them look good. Incidentally Google's cache of perl.com still contains the grepblogs stuff at the time of posting this.

Nice to have a (relatively) safer browser. 

By yeah, right.
Posted Saturday 19th January 2008 05:32 GMT

I use Firefox/Adblock/Noscript, which might be why I never noticed anything when I went visiting on Thursday. Of course, I might have just missed the time they were redirecting people. Was it a good porn site?

[half-arsed plug mode]

However, I've noticed that a lot of "problems" that other people have don't seem to affect those who use this browser combination. Having doubleclick.* mapped to 127.0.0.1 also helps. I also don't tend to see advertising unless it's unobtrusive and well done (something that anyone using doubleclick seems incapable of), and I certainly don't let just any javascript run on my browser. Perl.com has so far resisted making javascript mandatory to visit their site, for which I thank them.

Various clients have commented on this easier browsing on several occasions, especially when I switch them from MSIE or Safari to this combination. Every so often they go back to their old browser and are shocked with what they used to put up with. Firefox is getting more and more bloated and buggy with each release, and their bookmark manager sucks farts from dead goats (in 3.0 beta as well damnit), and I'm not saying it's any more or less "secure" than other browsers, but my experience is that the Firefox/Adblock/Noscript combination certainly makes browsing a lot more user friendly.

I still missed out on the porn site though.

adserver and domain squatting 

By Alan Donaly
Posted Saturday 19th January 2008 05:57 GMT
Linux

The same old shit: banner is served by an off-site company, domain is sold to a porn site, porn site ends up where it doesn't belong for a few days. @BKB what does this have to do with Perl at all? Try to understand what happened; it may happen to you some day. BTW was the porn any good? It's just that, you know, a porn link site might not be the last thing on earth a Perl programmer was looking for. Just a thought: this might be good targeted advertising.

Oh dear, that was a mistake 

By Anonymous Coward
Posted Saturday 19th January 2008 10:04 GMT
Flame

Well that's a shed load of porn sites about to be erased from the net then. Honestly, you don't fuck with the type of lads and lassie using those sites. They are a 100,000 strong vigilante gang, they are tooled up with DDoS nukes and they just might not have anything better to do right now.

If only we could harness their powers for good......

@ BKB 

By Alan
Posted Saturday 19th January 2008 11:25 GMT

So the fact that someone else's javascript that pulls content from a third party site, continues to pull content from that same site after the site changed hands, means that Perl is somehow unsafe or insecure ?

Even though perl the language itself has nothing to do with it ?

I think you have another agenda.

re: BKB 

By Anonymous Coward
Posted Saturday 19th January 2008 12:06 GMT

I've never seen Perl claim to be the securest form of web programming. Neither has this incident reflected on the security of Perl as a language for anyone who understands what happened.

@yeah, right re. Firefox bookmarks 

By Jon
Posted Saturday 19th January 2008 12:10 GMT

I found that the "Flat bookmark editing" add-on improved the bookmark manager a lot. Try it: https://addons.mozilla.org/en-US/firefox/addon/117

Do none of you RTFA? 

By Edward Pearson
Posted Saturday 19th January 2008 12:18 GMT

"Considering Perl's claim to be the securest form of web programming, this incident doesn't make them look good. Incidentally Google's cache of perl.com still contains the grepblogs stuff at the time of posting this."

Ok, I've never heard perl referred to as the "securest form of web programming". However, this has NOTHING to do with Perl; it was just a cock up by the admins not keeping track of who advertised on the site.

"Is there a list of the porn sites responsible? Give us that list and we'll DDoS the fucking bastards off the web!"

Woah there, take a few deep breaths. This isn't a targeted attack, it's just a typosquatter (who are a real problem; we'll run out of domain names if they don't change the way the system works) who got lucky.

2 comments, one at By yeah, right, one at the author 

By Anonymous Coward
Posted Saturday 19th January 2008 14:02 GMT
Paris Hilton

1) @ Dan Goodin:

----quote----

Perl is a popular program among sysadmins, web developers and network programmers. It borrows liberally from languages including C, shell scripting and AWK.

----end quote----

uh was this really necessary? Felt like I was reading an article at cnet. At least you could've thrown [ed we probably should tell them what Perl is] or something so it doesn't look like you think that the average Reg reader needs to know what Perl is.

2) @ By yeah, right

Um, so the way you browse, you couldn't use google maps? You almost had me convinced, but sorry can't limit my browsing that much.

Paris icon because she does know what a Perl Necklace is.

RE: Wrong Crowd 

By Anonymous Coward
Posted Saturday 19th January 2008 14:18 GMT
Dead Vulture

Be careful. At least, here in NY, the Russian Mob controls most of the porn/sex stuff.

Nasty bunch. They know more about DDoS than just about anyone. They also have novel ways of using common garden tools...

PERL 

By Steve Welsh
Posted Saturday 19th January 2008 15:43 GMT
Coat

As I recall PERL stands for Pathologically Eclectic Rubbish Lister!!

What I found amusing 

By Jolyon Ralph
Posted Saturday 19th January 2008 15:44 GMT
Boffin

... was that the ads on perl.com were being served by a PHP application (phpAdsNew)

Did some more digging about this late last night and it looks like (when you look at google caches) that the original owners of grepblogs.net (revenuedriver.com) were trying to sell the domain, and either sold it or just let it expire.

So the big question is has anyone talked to revenuedriver.com about the incident?

Jolyon

If you're not happy with FireFox, use Opera. 

By Alex Forbes
Posted Saturday 19th January 2008 15:53 GMT
Flame

..."Firefox is getting more and more bloated and buggy with each release, and their bookmark manager sucks farts from dead goats (in 3.0 beta as well damnit)"...

So use Opera. No need to download all these sodding "extensions" to do simple things like blocking ads or JavaScript or iframes etc. etc. either for a site or globally - it's all inbuilt in Opera, along with other useful features like notes, the ability to apply a custom CSS style to a page and a zoom function which actually *works* (allows you to zoom images and controls too, not just text).

Pity so few people use it - personally I've always rated Opera far above the likes of IE, FireFox (which is by no means bad, but I preferred "Phoenix" when it existed) and Safari.

Such is life.

(*Dons fire-retardant clothing and makes a hasty exit* I'm smelling the flames spouting from the nostrils of the hording fanboys already)

LOL!!! 

By Mike Lovell
Posted Saturday 19th January 2008 18:03 GMT
Flame

"Honestly, you don't fuck with the type of lads and lassie using those sites."

Scary!

- "Oooh, the Perl guys are mad at me... I'm so scared! Oooooh, the Germans... Uh oh..."

- "Stop it, Burns"

- "The Perl guys are coming after me... Oh, don't let the Perl guys come after me... Oh, the Perl guys are coming after me... No, they're so big and strong... Protect me from the Perl guys! The Perl guys!"

Re: They attacked the wrong crowd. 

By J
Posted Saturday 19th January 2008 19:09 GMT
Linux

Well, do it right then; don't get caught. Otherwise, THEY sue you and YOU end up paying tens of thousands of $$ and some jail time...

@BKB 

By BitTwister
Posted Saturday 19th January 2008 19:10 GMT

Your view might seem less ridiculous if you'd only scuttle off and read the article but I suspect you've already tried - so instead, just scuttle off and learn to read.

RTFM 

By BKB
Posted Sunday 20th January 2008 00:07 GMT
Thumb Down

RTFM for the quote about Perl being the securest form of web programming. Page 559 of the third edition of "Programming Perl" by Larry Wall et al, as follows: "... making a Perl CGI script more secure than one written in any language without taint checks. (Which as far as we know, is any language other than Perl.)"

Although the problem occurred because of Javascript rather than Perl, regardless of how the bug happened, this doesn't make them look good. If it was National Westminster Bank whose site this had happened to, people would be berating them for their incompetence or even withdrawing their money in a panic, but because it's those lovely Perl people, how dare anyone attack them, right? Just like we all have to say Larry Wall's jokes are funny, and look how lovely the emperor's new clothes are.

Sorry but that doesn't fly with me. Perl.com should be keeping their own house in order.

Re: RTFM 

By Steve P
Posted Sunday 20th January 2008 00:42 GMT

Taint checks are an optional feature of Perl. If you weren't so intent on taking the quote out of context, you might have noticed that even if they were being used, it wouldn't have helped in this case.

Though, from the second paragraph, I suspect even if Perl.com had been running on IIS, written in C# talking to a SQL Server back end, you'd still say it was somehow the Perl community's fault.

@BKB 

By iain
Posted Sunday 20th January 2008 00:49 GMT
Boffin

Logic isn't your strong point, is it mate?

1. Perl.com is run by O'Reilly, not Larry Wall or Perl (whoever that is? Do you know C# personally as well?!)

2. Taint mode prevents a script writing to disk - nothing to do with 3rd party Javascript redirects.

3. This was a network problem, not a programming error. Heard of DNS and domain purchasing? The world wide web??

4. Perl hasn't got anyone's money, it's open source. It's not a bank, and why would a bank run 3rd party adverts? Should perl.com get you to log in to see the home page as well?? Perhaps all websites should all add in extra security because they're not banks too...

Hope that helps clear things up for you.

This has nasty implications 

By dotfnord
Posted Sunday 20th January 2008 03:04 GMT

If it turns out that grepblogs had expired and then been registered by the pr0n industry, we could see others re-registering a domain name of an expiring site that feeds other sites banner ads or other material like javascript. More bang for your buck. What if the material contains a virus, or a keylogger, or creates a botnet? Why have one compromised site when you can have hundreds or thousands for the same work and cost? Online software is replacing home/work based software at an increasing rate; this could turn out badly.

I first wrote about expiring names being used by the pr0n industry back in 2001 (if interested go to ICANNWatch.org and type 'xxx-piring' in the search box at bottom of home page). I brought this to the attention of ICANN's then Chair Vint Cerf and then CEO M. Stuart Lynn and the DNSO-GA. Nothing has changed in the meantime except for the worse. I'm not a purist who says retire expired names forever, but an expired name could and should be washed by keeping it out of circulation for six months and then release it through a randomizer set for +/- 10 days. Dropped telephone numbers aren't immediately reassigned, they are washed for a few months so as not to cause chaos, which is what we have here. The registrars/registries/ICANN want the money NOW. -g

@Steve P. & iain 

By BKB
Posted Sunday 20th January 2008 03:59 GMT
Happy

"Though, from the second paragraph, I suspect even if Perl.com had been running on IIS, written in C# talking to a SQL Server back end, you'd still say it was somehow the Perl community's fault."

You are absolutely right, Steve P. If Perl.com was run entirely on Microsoft software instead of Perl, I would say it reflected extremely badly on the Perl people, yes. A little bit like those Linux / Apache servers which Microsoft was alleged to be using at one time. So hats off to you, Sir, for your insightfulness.

Anyway, I should have thought that it would be possible to write a Perl script to check that one's web page hasn't been hijacked by rogue Javascript, too. Perhaps the people at Perl.com are too busy with other activities.

As for iain's remark about Perl.com not having anyone's money, exactly how many copies of Perl related books has O'Reilly sold? I believe that Larry Wall was once a full-time employee of theirs, so they must have a few quid knocking about somewhere.

P.S. as far as I know, taint mode doesn't have anything to do with writing things to discs: what it does is stick a little "taint" sticker on incoming text which has to be removed by using a regular expression match on the text. This is to catch any kind of illegal CGI input, etc.

Way off topic: @ Alex Forbes 

By yeah, right.
Posted Sunday 20th January 2008 22:23 GMT

Last I checked Opera (admittedly a long time ago) they were pathologically opposed to decent ad blocking. Have they changed their tune?

Guess I'll have to get the latest version now and take it for a spin. If they have decent (as in easily managed and unobtrusive) ad blocking and per-site javascript managing then I might jump ship. At least for a little while.

Off topic continues: Opera 

By yeah, right.
Posted Sunday 20th January 2008 22:57 GMT

Just tried Opera. To say that it sucks doesn't begin to describe it. In 20 minutes, the latest "official, non beta" version has succeeded in crashing twice. This is the same system where Firefox manages to run for days on end. The rest of the time Opera was often (estimate 30%) "unavailable", as in stuck in some busy-wait loop somewhere, usually while I looked at the bookmark manager. Something right dodgy there methinks.

The bookmark manager isn't any different from Firefox (actually, it looks identical. I wonder who copied whom, and if it really matters?). The Javascript handling is marginal as far as I could see when I could access it. Don't know about the ad blocking, never got that far. Probably won't either.

Sigh. Back to Firefox.

re: 2 comments, one at By yeah, right, one at the author 

By Glen
Posted Sunday 20th January 2008 23:49 GMT
Happy

"Um, so the way you browse, you couldn't use google maps? You almost had me convinced, but sorry can't limit my browsing that much."

With noscript you can allow scripts to run by domain, or can temp allow scripts by domain for 1 session.

So add "maps.google.com" (or .co.uk or whatever) to your allow list and you're sorted.

:)

@BKB 

By Steve P
Posted Monday 21st January 2008 00:49 GMT

I'm curious - do you distinguish at all between Perl.com - O'Reilly's site for selling Perl related books and conferences, and the Perl community?

And, it is possible to write a Perl script to check that one's web page hasn't been hijacked. Of course their page hadn't been hijacked - it was a trusted third party.

To anticipate your next statement, I'm not sure that it is, in general, possible to prevent scenarios like this. Advertisement brokers tend to require that a site link the scripts etc. directly from the broker's server, essentially bypassing the content provider.

This is done so the broker can update the scripts whenever they need to, and can help protect against content providers gaming the system.

However, once they are out of the loop, content providers have little ability to control what is displayed.

This problem has happened once in approximately 10 years, and yes, it is embarrassing for O'Reilly Media, but I can't really see what could be done within the current model of advertisement serving.
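Both dotfnord's point about expiring third-party domains and Steve P's description of scripts linked straight from the broker's server come down to the same exposure: the page operator ships whatever is hosted on a host they do not control. The following is an added example (not code from the article, its commenters, or perl.com) of the kind of check BKB asks for, written in Python rather than Perl; it parses a page, lists every host that active content (script, iframe, embed, object) is loaded from, and flags hosts that are not on the operator's vetted allow-list. The hostnames and the sample page are constructed for the example.

```python
"""Audit which third-party hosts a page loads active content from."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose remote URL the visitor's browser fetches and
# executes or renders. Images are left out: they cannot redirect the page.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class SourceCollector(HTMLParser):
    """Collect (tag, url) pairs for active content loaded from a URL."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_TAGS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.sources.append((tag, value))


def external_hosts(html, site_host):
    """Return the lowercased hostnames active content is loaded from,
    excluding relative URLs and the site's own host."""
    parser = SourceCollector()
    parser.feed(html)
    hosts = set()
    for _tag, url in parser.sources:
        host = urlparse(url).hostname  # None for "/js/x.js" or "javascript:..."
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def audit(html, site_host, allowed_hosts):
    """Compare found hosts with the vetted allow-list.
    Returns (unexpected_hosts, allowed_hosts_no_longer_referenced).
    The allow-list itself must be re-vetted when a listed domain changes
    owner or lapses; this check only catches hosts that were never vetted."""
    found = external_hosts(html, site_host)
    return sorted(found - set(allowed_hosts)), sorted(set(allowed_hosts) - found)


# Constructed sample: the site's own scripts, one vetted ad broker, and an
# iframe pulled from an ad host that is not on the allow-list.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.example.com/js/menu.js"></script>
<script type="text/javascript" src="http://ads.example.net/adjs.php?n=1"></script>
</head><body>
<iframe src="//Lapsed-Ads.example.org/banner.html"></iframe>
<img src="http://stats.example.net/pixel.gif">
<a href="http://other.example.org/">link</a>
</body></html>"""
ALLOWED_HOSTS = {"ads.example.net"}

if __name__ == "__main__":
    unexpected, unused = audit(SAMPLE_HTML, "www.example.com", ALLOWED_HOSTS)
    for host in unexpected:
        print(f"ALERT: active content loaded from unvetted host {host}")
    for host in unused:
        print(f"note: vetted host {host} is no longer referenced")
```

Run against a live fetch of the page on a schedule, a non-empty "unexpected" list is the signal that an ad tag or include now points somewhere the operator never approved.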

(off topic continues) @ Coward re: 2 Comments 

By yeah, right.
Posted Monday 21st January 2008 05:52 GMT

Actually, NoScript allows you to configure what javascript gets run by domain or sub-domain. So I'm not barred the pleasure of using Google maps, because I have the option of allowing javascript along with the pleasure of denying other sites access to my browser in that fashion. It's been incredibly useful these past few years.

\@{ grep /\@BKB/} 

By Graham Wood
Posted Monday 21st January 2008 09:01 GMT
Flame

Whether the cause of the issue is related to perl or not is irrelevant in the management (and similar) worlds.

If your company is considering what languages to use for a new website, then the management are likely to type "perl" into google (or similar). Now since they are a company, and not interested in free stuff, they're going to go to the second site that shows up - perl.com - rather than perl.org, especially with a description of "Perl.com: The Source for Perl -- perl development, conferences".

Said manager suddenly gets popups of porn. They're either going to say "YAY, go for it!" or they're going to decide to go with a.n.other language.

So yes, it will reflect badly on "the perl community", regardless of whether that is fair or not.

PS. Apologies for the bad subject line, it's supposed to almost be perl for "to all the people that posted to BKB".

html is not code 

By David Pickering
Posted Monday 21st January 2008 10:29 GMT
Dead Vulture

It's markup - don't force me to find you and slap you into sense

re: html is not code 

By Christopher Emerson
Posted Monday 21st January 2008 12:18 GMT

It's still code. It isn't a programming language, is what you mean.

Re: html is not code 

By Anonymous Coward
Posted Monday 21st January 2008 13:04 GMT
Coat

As the academics pointedly (and pedantically) state:

"HTML is a DECLARATIVE LANGUAGE."

They sure think it's code.

However, they could probably use some sense slapped into them anyway, so how's Saturday night for you at Oxford? They don't get out much during the weekend, so you'll find most of them at home then.

I don't know if perl could check for hijacking 

By Anonymous Coward
Posted Monday 21st January 2008 16:19 GMT

Although I suspect it could be loosely done by checking for a percentage of changed content against a cached version, in this instance it certainly would seem possible to disable links based on Whois registration expiration or ownership changes pending administrative review.

I'm just starting to learn Perl since it was dumped in my lap at work and know nothing of Java. So please excuse any ignorance of Perl or Java on my part.

@BKB 

By Anonymous Coward
Posted Monday 21st January 2008 16:45 GMT
Coat

Don't forget the taint!

[/Stewie Griffin]

@Graham Wood 

By Steve P
Posted Monday 21st January 2008 21:16 GMT

Er. Good point. Thank you Graham.

In support of BKB 

By Scott
Posted Tuesday 22nd January 2008 05:51 GMT
Thumb Up

You're copping a lot of flak but you have a point. As usual a lot of el reg readers are forgetting that not everybody is as knowledgeable as us.

Assume I was just starting out in programming and somebody mentioned PERL to me. I think that sounds interesting so I go to PERL.com. I then get a whole bunch of p0rn links and popups.

Getting that from an official site isn't going to do much for my opinion of the language.

"Perl necklace" 

By Mark
Posted Tuesday 22nd January 2008 09:46 GMT

Obvious perhaps, but absolutely classic. Made my day.

That PERL emotion 

By Anonymous Coward
Posted Thursday 24th January 2008 19:16 GMT
Paris Hilton

Or vinegar shot (the most sublime experience in human existence), Pearl Jam and the rest - I would have thought that it was an obscure joke. (And yes, when I heard of PERL, I thought Necklace.) - I'm still surprised that no-one else around me has heard of the expression....

Paris because (you need to ask ?)
