Comments on: TCLP 2009-06-07 News

By: cmdln

cmdln — Mon, 08 Jun 2009 21:01:50 +0000

J.C.: My pleasure. First and foremost, I try to only recommend books, games and films on the show that I enjoy myself first hand. Honestly, why would I recommend something if I didn’t like it myself? My only other criterion is that it be something that I think my audience, folks interested in hacker culture and computing technology would find interesting. All of my friends’ projects clear the first bar by a mile but not all of them fit the second category as cleanly. As an exploration of alternate reality gaming, especially one this compelling, PE:DA happily clears that second bar by a huge margin, too.
I am still digging into the clues I have been able to uncover and am on the final third of the novel itself. (I haven’t even had the book a full week yet.) I hope to do a spoiler free re-visit soon to recap my more complete impressions of the ARG component of the project and how they affected my experience of the mainline narrative. I already have some pretty insane theories and can’t wait to see how close to the mark I get.

By: cmdln

cmdln — Mon, 08 Jun 2009 20:48:40 +0000

Noah: OK, I just re-read both the Zero Day piece and the alert from WebSense and the way they worded this is very confusing. They say the exploit site is *similar* to the domain name for Google Analyitcs, then they put the legitimate URL as a parenthetical remark. I assumed the parenthetical was the attack site (again, not that Google Analytics access via any of its correct names is anything other than a legitimate statistics service).
You are correct, Noah, google-analytics.com is just apparently a CNAME alias for google.com which is then used to bounce users to the analytics page on the main domain.
Neither Zero Day nor Websense actually reveal the name of the active exploit site. In fact, if you try to suss it out from the screen shot on the Websense alert, they have intentionally blurred out the domain name of the attacker. This is infuriating as there is no practical way to verifiably defend oneself from this attack.

By: cmdln

cmdln — Mon, 08 Jun 2009 20:42:45 +0000

Noah: I never said Google Analytics was malware, though I was perhaps not clear enough on that point. According to the Zero Day article, the attackers are using a domain name very similar to that of Google Analytics to try to make their exploit site seem legitimate.
The *only* domain name mentioned in the article was the one with the hyphen. When I visited my own Google Analytics account, it was served by a site at the standard Google domain, not google-analytics.com.
I will do some more research and issue a correction/clarification in my next episode. The issue definitely is not whether or not Google Analytics is malware, or more properly an exploit site, but rather what similar seeming domain name these attackers have set up their exploit site as and make sure that the subtly incorrect domain name is the one you block to prevent yourself from being harmed.

By: noah

noah — Mon, 08 Jun 2009 18:57:24 +0000

I just listened to the podcast this morning on my commute, and was surprised to hear you say that google-analytics.com is actually a malware distribution site and should be blocked using noscript. Whatever one may think of of Google Analytics, that domain is, in fact, legitimate and used by the GA service. Blocking it, while potentially beneficial from a privacy point of view, won’t protect you from malware.

By: J.C. Hutchins

J.C. Hutchins — Mon, 08 Jun 2009 12:52:56 +0000

cmdln, you freaking RULE. Thanks for generous endorsement, all the kind words, and for offering a copy of Personal Effects to your audience. I can’t thank you enough for the support and encouragement!