## Friday, April 30, 2010

### Nostalgic Elation — the Super Mario Crossover

http://games.slashdot.org/story/10/04/30/1958201/Nostalgic-Elation-mdash-the-Super-Mario-Crossover?art_pos=4

"Sure, they're stepping all over proprietary rights and copyright, but something must be said about the amount of bliss-filled nostalgia inside Exploding Rabbit's Super Mario Crossover. If the plumbers never really did it for you, you can now kill those goombas as Link, Mega Man, Samus, Simon Belmont, or Contra's Bill. Goodbye jumping and spitting; hello slicing, whipping, and shooting. Is this one of the early firsts in the new genre of video game mashups?"
I ignored this the first couple times I saw it because I thought it was just playing Mario with different character sprites.  But you actually play as the character.  So as Link you kill goombas with your sword and boomerang.  It's pretty great, I just wish it was a ROM and not flash.

Interview

## Monday, April 26, 2010

### Tracking Promises

http://www.politifact.com/truth-o-meter/

Interesting site.  Tracks political promises and rates if they were broken or kept.  Also tracks statements for truthiness.  It is ultimately owned by The Poynter Institute.  Various warnings apply about bias, trusting a single source, and that two promises are not equal in importance.  That being said it is a pretty good site, and I particularly like the pants on fire section.

## Saturday, April 24, 2010

### Atheist given ASBO for leaflets mocking Jesus

http://www.telegraph.co.uk/news/newstopics/religion/7624578/Atheist-given-Asbo-for-leaflets-mocking-Jesus.html

Harry Taylor, 59, left home made posters at Liverpool John Lennon Airport three times in November and December 2008.
The self-styled philosopher denied three counts of causing religiously aggravated harassment, alarm or distress but was convicted in less than an hour by a unanimous jury.
...
Taylor's Anti-Social Behaviour Order bans him from carrying religiously offensive material in a public place.
He was sentenced to six months in jail suspended for two years, ordered to perform 100 hours' of unpaid work and pay £250 costs.

## Friday, April 23, 2010

### The Wrong Man

http://www.theatlantic.com/magazine/archive/2010/04/the-wrong-man/8019/
On the day al-Qaeda struck the World Trade Center and the Pentagon with hijacked jetliners, Hatfill was recovering from nasal surgery in his apartment outside the gates of Fort Detrick, Maryland, where USAMRIID is housed. We’re at war, he remembers thinking as he watched the news that day—but he had no idea that it was a war in which he himself would soon become collateral damage, as the FBI came to regard him as a homegrown bioterrorist, likely responsible for some of the most unsettling multiple murders in recent American history. His story provides a cautionary tale about how federal authorities, fueled by the general panic over terrorism, embraced conjecture and coincidence as evidence, and blindly pursued one suspect while the real anthrax killer roamed free for more than six years. Hatfill’s experience is also the wrenching saga of how an American citizen who saw himself as a patriot came to be vilified and presumed guilty, as his country turned against him.
...
Hatfill was fired from SAIC. The official explanation given was that he had failed to maintain a necessary security clearance; the real reason, he believes, was that the government wanted him fired. He immediately landed the associate directorship of a fledgling Louisiana State University program designed to train firefighters and other emergency personnel to respond to terrorist acts and natural disasters, a job that would have matched the $150,000 annual salary he’d been getting at SAIC. But after Justice Department officials learned of Hatfill’s employment, they told LSU to “immediately cease and desist” from using Hatfill on any federally funded program. He was let go before his first day. Other prospective employment fell through. No one would return his calls. One job vanished after Hatfill emerged from a meeting with prospective employers to find FBI agents videotaping them. His savings dwindling, he moved in with Boo. ... Virtually everywhere Hatfill went, the FBI went too, often right behind him—a deliberately harassing tactic called “bumper locking.” Hatfill believes that local authorities joined in tormenting him at the behest of the Justice Department. Coming home from dinner one Friday night, he was pulled over by a Washington, D.C., police officer who issued him a warning for failing to signal a lane change. Three blocks later, another cop stopped him, again for not using his turn signal. The officer asked if he’d been drinking. Hatfill said he’d had one Bloody Mary. He was ordered out of his car. “Not unless you’re going to arrest me,” Hatfill says he responded indignantly. The officer obliged. Hatfill spent the weekend in jail and would later be ordered to attend a four-day alcohol counseling program. The police, he says, refused to administer a blood-alcohol test that would have proved he wasn’t drunk. 
## Thursday, April 22, 2010

### Seattle Hacker Catches Cops Who Hid Arrest Tapes

http://yro.slashdot.org/story/10/04/22/2031222/Seattle-Hacker-Catches-Cops-Who-Hid-Arrest-Tapes?art_pos=1

"In 2008, the Seattle Police illegally arrested security consultant Eric Rachner for refusing to show ID. After Rachner filed a formal complaint, he was prosecuted for obstructing, and the police claimed that videos of the arrest were unavailable — until Rachner's research uncovered proof that the police had the videos all along."

It's an interesting story of how he figured out how the system in use by Seattle police automatically tracks deletion, copying, or other uses of the recorded stream.

## Wednesday, April 21, 2010

### Steve Jobs Recommends Android For Fans of Porn

http://apple.slashdot.org/story/10/04/21/1635206/Steve-Jobs-Recommends-Android-For-Fans-of-Porn?art_pos=13

"After being asked about the App Store's recent ban on 'sexy apps,' Steve Jobs responded, 'We do believe we have a moral responsibility to keep porn off the iPhone. Folks who want porn can buy an Android phone. You know, there's a porn store for Android, you can download nothing but porn. You can download porn, your kids can download porn. That's a place we don't want to go, so we're not going to go there.' Apps such as Playboy's and the Sports Illustrated Swimsuit Edition are still available on the App Store, however, as they come from 'more reputable companies.'"

### Extremists Warn South Park Creators Over Muhammad In a Bear Suit

http://yro.slashdot.org/story/10/04/21/1455217/Extremists-Warn-South-Park-Creators-Over-Muhammad-In-a-Bear-Suit?art_pos=16

"A radical Islamic website is warning the creators of South Park that they could face violent retribution for depicting the Prophet Muhammad in a bear suit during an episode broadcast on Comedy Central last week. RevolutionMuslim.com posted the warning following the 200th episode of Trey Parker and Matt Stone's South Park."

### True Tales of Tech Hoarding

http://hardware.slashdot.org/story/10/04/21/1359249/True-Tales-of-Tech-Hoarding

"Recently some member of my household forced me to watch several episodes of A&E's Hoarders. This led to several *ahem* discussions about hoarding tendencies and the closet of cables, wires, boxes and parts in my basement. But I'm not doing bad compared to some of these tech hoarders. My favorite is the guy using a stack of 9 VA rack machines as an end table."

### ACTA Treaty Released

http://yro.slashdot.org/story/10/04/21/1247253/ACTA-Treaty-Released?art_pos=20

"The full text of the Anti-Counterfeiting Trade Agreement (ACTA) was released today. It differs from the earlier leaks in that the negotiating stance of each country has been scrubbed. Preliminary analysis is up at Ars, which warns that 'Several sections of the ACTA draft show that rightsholders can obtain an injunction just by showing that infringement is "imminent," even if it hasn't happened yet.'"

## Tuesday, April 20, 2010

### Robo Tetris

Yesterday I was wondering how difficult it would be to build a robot to play Tetris.  Luckily I have the internet.  So, instead of spending any time or effort and actually learning anything I can just watch the work someone else did.

http://singularityhub.com/2010/04/19/first-video-of-lego-robot-playing-tetris/

### Google Enumerates Government Requests

http://news.slashdot.org/story/10/04/20/197254/Google-Enumerates-Government-Requests

"In the aftermath of Google's exit from mainland China, it had sought to be more open about what it censors. Google has launched a new tool to track the number of government request targeted at Google and YouTube. These include both requests for data and requests to take down data. A quick look at the tool shows that Brazil is the top country in both categories (largely because Orkut is popular there), and information for China cannot be disclosed because 'Chinese officials consider censorship demands as state secrets.'

As part of its four-part plan, Google hopes to change the behavior of repressive governments, establish guiding principles for dealing with issues of free expression, build support online to protest repression, and better provide resources and support for developing technology designed to combat and circumvent Internet censorship."

The tool includes 3703 requests from the US.  I will note though, it's odd they think they can change repressive governments if all it takes to get requests removed is classifying requests as state secrets.

### Plan of Attack

### The Effectiveness of Political Assassinations

http://opinionator.blogs.nytimes.com/2010/04/13/title-2/

Particularly ominous are Jordan's findings about groups that, like Al Qaeda and the Taliban, are religious. The chances that a religious terrorist group will collapse in the wake of a decapitation strategy are 17 percent. Of course, that’s better than zero, but it turns out that the chances of such a group fading away when there's no decapitation are 33 percent. In other words, killing leaders of a religious terrorist group seems to increase the group's chances of survival from 67 percent to 83 percent.

## Monday, April 19, 2010

### The Best Part Is The Other Contestants

## Saturday, April 17, 2010

### Dragster

There is little doubt that Dragster was the best game for the Atari.  You are going to want to train for it day and night.  Here's some info that should help:

http://www.atariage.com/manual_html_page.html?SoftwareLabelID=1050

http://www.youtube.com/watch?v=L64-DpklZrw

I think this is my personal best:

## Friday, April 16, 2010

### Google Backs Yahoo In Privacy Fight With DOJ

http://yro.slashdot.org/story/10/04/16/1352209/Google-Backs-Yahoo-In-Privacy-Fight-With-DOJ

PatPending sends in CNET coverage of Yahoo's new allies in its fight with the DoJ to protect the privacy of its customers' email stored in the cloud. Google, the EFF, the CDT, and others have filed a friend-of-the-court brief arguing that the DoJ should be required to obtain a search warrant signed by a judge in order to compel Yahoo to turn over users' email messages. "Does email stored in the cloud have the same level of protection as the same information stored by a person at home? No, according to the Obama administration's Assistant US Attorney Pegeen Rhyne, who wrote in a government motion filed last month, 'Previously opened e-mail is not in "electronic storage." This court should therefore require Yahoo to comply with the order and produce the specified communications in the targeted accounts.' (The Justice Department's position is that what's known as a 2703(d) order — not as privacy-protective as the rules for search warrants — should let police read email.)"

## Thursday, April 15, 2010

### Piano Chat Improv

http://www.youtube.com/user/PianoChatImprov

This guy is really good.

### Nein

## Wednesday, April 14, 2010

### THE Definitive Guide To Single-Serve Website Awesomeness

http://yepyep.gibbs12.com/2010/03/the-definitive-guide-to-single-serve-website-awesomeness/

I could post each one of these individually.  They are all great.

## Tuesday, April 13, 2010

### Beating Hoses To Death

### Schneier on "Security, Privacy, and the Generation Gap"

## Sunday, April 11, 2010

### Should Kids Be Bribed To Do Well In School?

http://news.slashdot.org/story/10/04/10/2049216/Should-Kids-Be-Bribed-To-Do-Well-In-School

"Harvard economist Roland Fryer Jr. did something education researchers almost never do: he ran a randomized experiment in hundreds of classrooms in Chicago, Dallas, Washington and New York to help answer a controversial question: Should Kids Be Bribed to Do Well in School? He used mostly private money to pay 18,000 kids a total of $6.3 million and brought in a team of researchers to help him analyze the effects. He got death threats, but he carried on. His findings? If incentives are designed wisely, it appears, payments can indeed boost kids' performance as much as or more than many other reforms you've heard about before — and for a fraction of the cost."
Schools in Dallas got the simplest scheme and the one targeting the youngest children: every time second-graders read a book and successfully completed a computerized quiz about it, they earned $2. Straightforward -- and cheap. The average earning would turn out to be about $14 (for seven books read) per year.
And in Dallas, the experiment produced the most dramatic gains of all. Paying second-graders to read books significantly boosted their reading-comprehension scores on standardized tests at the end of the year -- and those kids seemed to continue to do better the next year, even after the rewards stopped.
One clue came out of the interviews Fryer's team conducted with students in New York City. The students were universally excited about the money, and they wanted to earn more. They just didn't seem to know how. When researchers asked them how they could raise their scores, the kids mentioned test-taking strategies like reading the questions more carefully. But they didn't talk about the substantive work that leads to learning. "No one said they were going to stay after class and talk to the teacher," Fryer says. "Not one."
We tend to assume that kids (and adults) know how to achieve success. If they don't get there, it's for lack of effort -- or talent.

### Delayed sleep phase syndrome

http://en.wikipedia.org/wiki/Delayed_sleep_phase_syndrome

Often, people with the disorder report that they cannot sleep until early morning, but fall asleep at about the same time every "night". Unless they have another sleep disorder such as sleep apnea in addition to DSPS, patients can sleep well and have a normal need for sleep. Therefore, they find it very difficult to wake up in time for a typical school or work day. If, however, they are allowed to follow their own schedules, e.g. sleeping from 4 a.m. to noon, they sleep soundly, awaken spontaneously, and do not experience excessive daytime sleepiness.

## Friday, April 9, 2010

### Spamming a Judge Is Contempt of Court

http://yro.slashdot.org/story/10/04/09/1519251/Spamming-a-Judge-Is-Contempt-of-Court?art_pos=6

"TV pitchman Kevin Trudeau was sentenced to 30 days in jail because he urged his fans and followers to spam a judge. Apparently the judge (who was deluged with emails) decided that this was an act of contempt of court on the court's 'virtual presence' since nothing happened while the court was in session in regards to Trudeau's courtroom behavior. US Marshals are now trudging through those emails to decide if any are threatening."

Contempt of court is a legal loophole.  Judges can just declare people are in contempt of court and there is no trial.  It should be a law like any other, and if you are charged with it you'd have to be found guilty like you would for any other law.

## Monday, April 5, 2010

There is no shortage of advice along the lines of using 12 random characters, different for every password, changed monthly, and written down nowhere.  All those ideas are terrible, and ignore basic facts about people.  However, they do have some root in good practices.  The problem is they have been corrupted and taken to an extreme by people that don't understand them.

Before making a password you must first understand what types of attacks you will be protecting against. You think about what you are protecting and act accordingly.  Many people use the same password on every website, from their bank to the Pumpkin Lover's Forum.  The reason that this is a bad thing is that while your bank likely takes security seriously the forum possibly doesn't.  Thus, an attacker can get your password from the forum and then use it everywhere else you have an account.

On the other end of the spectrum are random forums and other sites.  More and more often sites force you to register to gain access to content.  Bugmenot can help to some degree, but sometimes you just have to register for some site, possibly one you know you will never return to.  If you truly will never return you might want to use a disposable email service and make a quick one-time account (and submit it to Bugmenot).  However, if you plan on reusing the account, you may want an account only you can access.  In these cases you can use the same simple password across the web.  You can use any regular dictionary word, just be sure you won't care at all if someone hacks this account.

For other sites though, you want a hard-to-crack password.  Yet, it also has to be easy to remember.  There are a few different approaches to this.  I'll list three here.  First there is a simple memory device.  The example I remember from ZDTV more than a decade ago was to use the last 4 presidents.  First letter of first name, followed by the ones-place digit of the year they took office.  Republicans in capitals, Democrats in lower case.  This gives (without quotes) "G(b3G!b9".  George 1989, Bill 1993, George 2001, Barack 2009.  In case it isn't obvious where the ( and ! came from, I held shift while typing 9 and 1, thus "capitalizing" them since they are Republicans.  The good thing about this is that it should be easier to remember the method for coming up with the password than a random string itself.  If you think you will forget you can write down a somewhat cryptic hint, and the info is easy to look up.  This specific example isn't that great.  There is too much of a pattern, not to mention it has been used as an example in various places.  You should definitely pick a different one.  It is important not to use something that would be likely to be guessed by someone that knew you.  Stuff about your favorite foods, bands, TV shows, movies, etc. would be bad choices.

I don't use that method at all, as I find the next two methods produce better passwords which are easier to remember.  The next method is stringing together ordinary words with special characters in between.  Now I do realize people always warn against using dictionary words in passwords, but that is aimed at using a single word.  I am talking about using multiple words, 2 or 3.

Let me go off on a tangent here and explain how you calculate how many possibilities there are from a number of choices.  The formula is quite simple.  You find the number of choices for each place, and multiply them together.  If the number of choices is the same for every place then you can simply raise that number to the power of the number of places.  For example if you can only choose digits (0-9) that is 10 choices.  If you have 4 numbers (as in a common PIN) that gives you 10 * 10 * 10 * 10 = 10,000 possible choices.  You can also do 10^4 = 10,000.  Since most people only use lower case letters in passwords, and their passwords are 8 or fewer letters long, you can find the number of possibilities for an eight letter password with 26^8 = 208,827,064,576.  I realize 200 billion sounds like a lot of passwords but you aren't concerned with humans guessing your password one by one.  Rather you are concerned with a computer doing it automatically billions at a time.  "The system supports a brute force attack of 300 billion passwords per second".

You can add a great deal of complexity to your password by adding capital letters, digits, and special characters (% * :).  A standard keyboard has 26 letters * 2 + 10 digits + 32 special characters = 94 possibilities.  A stronger password using all these types and 10 characters long would have 94^10 = 53,861,511,409,489,970,176 possibilities.  At 300 billion passwords per second that would still take over 5 years to go through all the possibilities.  The problem is completely random characters are nearly impossible to remember.

Enter the use of words.  The problem with using words is that while you may have a lot of characters they aren't random.  Thus, you can't use the above rules for calculating possibilities.  Instead you need to treat the word as a single character.  So if you use an eight letter word, instead of 26^8 = 208,827,064,576 you would do 10,000^1 = 10,000.  I use 10,000 because a list of the 10,000 most common words will probably cover any word you come up with.  Thus there are 10,000 possible choices to the first power (since there is only one word).  However, if you simply increase the number of words, and toss in some extra characters in between, the number grows immensely.  If we use three words, and between each insert a digit or special character (digits or shift + digit = 20 characters), we end up with 10,000^3 * 20^2 = 400,000,000,000,000.  This will "only" last 22 minutes at 300 billion passwords per second, but it is vastly better than 8 random letters, and I think much easier to remember.

Some notes about this method.  First the digits in between don't increase the total possibilities by much.  The reason to include them is they do increase the protection by quite a bit if someone is specifically targeting this type of password.  There are also a number of methods you can use to increase the possibilities without making the password much harder to remember.  First you can use a (random) name.  Just make sure you don't use a name of someone you know.  It shouldn't be hard to remember a name that is somewhat silly.  Next, you can replace some letters with characters that look similar (zero for oh, 0 for o).  Finally, you can use one word that isn't in the list of common words.  Maybe find a word of the day archive, pick a random month and find a word that you think sounds funny.

Using those methods you may come up with something like "Pauley^chair3mulct".  It shouldn't be that hard to remember that.  However, my preferred method produces even better passwords.  Instead of using just a few words you use a lot; you use a whole sentence.  Building on the techniques from the previous method you want to use a word not on a common word list, and digits and special characters.  However, in a sentence it is easier to use these in a way that is memorable.  "I saw Jeffrey eat 19 pineapples, with the shells."  Note this includes both cases, digits, punctuation, a name, and an unusual word.  At the same time it shouldn't be that hard to remember.  It would also be easier to put a hint somewhere that doesn't stand out.

A caveat to long passwords though is that many sites won't allow long passwords.  Before using a sentence as a password you should find out how long of a password the site allows.  Don't just assume that since a site allows the password that it is using the whole thing either.  If a site does limit you to a shorter password then you can use one of the other two methods.

Finally, I'd like to write something about hints.  Writing passwords down is often said to be a bad idea.  However, writing down a slightly modified version of the password and keeping it in your wallet can be quite secure.  "ISJE19PWTS" on a post-it in your wallet shouldn't give too much away.  For one thing most people keep their wallets pretty secure.  For another, even if an attacker found that they would probably assume it was the password itself, and not a hint.  Even knowing you used the sentence method, and given the first letter from each word, an attacker would have a hard time guessing every possibility.  If you want even more protection you can omit some words from the hint: "ISJE19P", or "I saw jeff".  If you remember the first part of the password you are likely to remember the whole thing.

Edit:
I've written a simple JavaScript password checker.  There are many similar checkers out there, but something that bothered me about them is that they made no attempt at using a dictionary to gauge password strength.  The password Password1, which is one of the most common passwords out there, and would quickly fall to any dictionary attack, scores as high as skwEow4ck.  Since I'm very lazy, the dictionary function isn't as robust as I'd like, but it's there, and I'm unlikely to improve it any more.
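The counting rules from the tangent above (choices per place multiplied together, a common word counted as a single 10,000-way symbol, 300 billion guesses per second) and the Password1 vs. skwEow4ck complaint about ordinary checkers can both be put into a few lines of code. This is an added example written here in Python; it is not the JavaScript checker the post links, and the word list inside it is a constructed stand-in for the 10,000-most-common-words list the post assumes.

```python
"""Password-space arithmetic from the post, plus a dictionary-aware checker.

Added example, not the post's own JavaScript checker.  COMMON_WORDS is a
constructed stand-in for the author's "10,000 most common words" list.
"""
import re

GUESSES_PER_SECOND = 300_000_000_000            # rate quoted in the post
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32  # 94 keyboard symbols in total
SEPARATORS = 20                                 # digit or shift+digit, as in the post
COMMON_WORD_COUNT = 10_000                      # size of the list the post assumes

# Constructed stand-in for a common-word list (the real one would have 10,000 entries).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "chair",
                "saw", "eat", "with", "the", "shells", "pineapples"}

# Look-alike substitutions the post mentions ("0 for o"), so that a lightly
# disguised word is still recognised as a word rather than as random symbols.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}


def random_space(alphabet_size, length):
    """Number of passwords of `length` symbols drawn from `alphabet_size` choices."""
    return alphabet_size ** length


def word_space(num_words, word_list_size=COMMON_WORD_COUNT, separators=SEPARATORS):
    """Post's estimate for N common words joined by N-1 separator characters."""
    return word_list_size ** num_words * separators ** (num_words - 1)


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


def char_choices(ch):
    """Keyboard class size of one character (space and punctuation count as special)."""
    if ch.islower():
        return LOWER
    if ch.isupper():
        return UPPER
    if ch.isdigit():
        return DIGITS
    return SPECIAL


def naive_space(password):
    """What most strength meters do: union of character classes used, raised to the length."""
    alphabet = 0
    for pattern, size in ((r"[a-z]", LOWER), (r"[A-Z]", UPPER),
                          (r"[0-9]", DIGITS), (r"[^a-zA-Z0-9]", SPECIAL)):
        if re.search(pattern, password):
            alphabet += size
    return alphabet ** len(password)


def _normalise(chunk):
    """Lowercase and undo look-alike substitutions before dictionary lookup."""
    return "".join(LEET.get(c, c) for c in chunk.lower())


def dictionary_aware_space(password):
    """Treat each common word as ONE symbol with 10,000 choices, as the post argues.

    Scans left to right, always taking the longest prefix that normalises to a
    common word.  A capitalised word doubles its choices, and so does each
    look-alike substitution inside it.  Characters outside any word are
    counted individually by keyboard class.
    """
    space = 1
    i = 0
    while i < len(password):
        matched = False
        for j in range(len(password), i, -1):  # longest candidate first
            chunk = password[i:j]
            if _normalise(chunk) in COMMON_WORDS:
                choices = COMMON_WORD_COUNT
                if chunk != chunk.lower():
                    choices *= 2
                choices *= 2 ** sum(1 for c in chunk.lower() if c in LEET)
                space *= choices
                i = j
                matched = True
                break
        if not matched:
            space *= char_choices(password[i])
            i += 1
    return space


if __name__ == "__main__":
    for pw in ("Password1", "skwEow4ck", "Pauley^chair3mulct",
               "I saw Jeffrey eat 19 pineapples, with the shells."):
        print(f"{pw!r}: naive={naive_space(pw):.3g} "
              f"dictionary-aware={dictionary_aware_space(pw):.3g} "
              f"({seconds_to_exhaust(dictionary_aware_space(pw)) / 3600:.3g} h)")
```

The naive meter gives Password1 and skwEow4ck the same score (62^9 each), which is exactly the complaint above; the dictionary-aware count collapses Password1 to 10,000 × 2 × 10 candidates while skwEow4ck keeps its per-character count. The greedy longest-prefix match is deliberately pessimistic: it assumes the attacker already knows the password is built from words, which is the right assumption for a strength estimate.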

### Toyota Accelerator Data Skewed Toward Elderly

http://tech.slashdot.org/story/10/04/05/0019227/Toyota-Accelerator-Data-Skewed-Toward-Elderly?art_pos=20
An anonymous reader passes along this discussion on the data for the Toyota accelerator problem, from a few weeks back. (Here's a Google spreadsheet of the data.) "Several things are striking. First, the age distribution really is extremely skewed. The overwhelming majority are over 55. Here's what else you notice: a slight majority of the incidents involved someone either parking, pulling out of a parking space, in stop and go traffic, at a light or stop sign... in other words, probably starting up from a complete stop."

### Wikileaks Releases Video of Journalist Killings

http://news.slashdot.org/story/10/04/05/1648251/Wikileaks-Releases-Video-of-Journalist-Killings?art_pos=4&art_pos=6

"Today Wikileaks released a video of the US military firing large caliber weapons into a crowd that included a photojournalist and a driver for Reuters, and at a van containing two children who were involved in a rescue. Wikileaks maintains that this video was covered up by the US military when Reuters asked for an official investigation. This is the same video that has supposedly made the editors of Wikileaks a target of the State Department and/or the CIA, as was discussed a couple weeks ago."

### Paper Rater: Free Online Grammar Checker, Proofreader

http://www.paperrater.com/

So I stumbled upon a writeup about this site.  I'm glad I stumbled upon a writeup and not the actual homepage.  It is unlikely I would have stuck around given how cheesy/scammy the homepage looks.  I gave it a try with the two papers I've written for my English Comp I class.  I was pleased with the results.  It gave some good results.  Here's a screenshot of its analysis of my first paper:

On the left it gives the text with spelling errors (red), grammar errors (green), and word choice (blue) highlighted.  Clicking on the errors will give a suggestion as well as the possibility to explain it.  Almost all the word choice errors were "complex expressions", or overly complicated terms.  I wouldn't change most of them, but it is nice to at least think about it.  As an example when I click on 'witnessed' and click explain this is the popup text:
Complex Expression
Try a simpler word for witnessed
Where possible you should use a simple word over a complex word. Simple words are easier to read and let your readers focus on your ideas.
Replace witnessed with
* saw
Like I said I wouldn't change this, but some others I may.

On the right is an info box with various stats about your text.  It provides eight stats: Originality / Plagiarism Detection, Spelling, Grammar, Word Choice, Style (Word Usage), Style (Sentence Length), Style (Transitional Phrases), and Vocabulary Words.

Mine was detected as plagiarism because I published it on the Highpointers blog.  Spelling, grammar, and word choice each just briefly explain the highlights.  It would be nice in the future if they listed the total number of possible errors.  The last four are the interesting ones.  Word usage provides the following stats:
word usage:
verb types:
to be (114) auxiliary (54)
types as % of total:
conjunctions 5% (142) pronouns 12% (322) prepositions 13% (336)
nominalizations 0% (11)

sentence beginnings:
pronoun (41) interrogative pronoun (1) article (16)
subordinating conjunction (14) conjunction (1) preposition (15)
As well as a few paragraphs explaining what it means.

Sentence length is visible in the screenshot; these are the stats provided by it:
sentence info:
10176 characters
2601 words, average length 3.91 characters = 1.23 syllables
127 sentences, average length 20.5 words
33% (43) short sentences (at most 15 words)
12% (16) long sentences (at least 30 words)
1 paragraphs, average length 127.0 sentences
1% (2) questions
63% (81) passive sentences
longest sent 44 wds at sent 100; shortest sent 6 wds at sent 52
On everything I submitted it only detected one paragraph, both when I used proper 'indentation + no extra line' English style, and when I used the 'internet no indentation + extra line' style.

Next, there is transitional phrases, which simply rates your usage of words like 'however', 'then', 'next', and 'finally'.

Last, it gives insight into your vocab usage.  This seems like it just has a dictionary of words it considers fancy and looks to see how many of them you use.

Overall, it seems to be useful.  I'll be using it on future papers, and possibly even longer blog posts.  It is worth noting there was a bit of controversy in the comments section of that writeup about the TOS.  The TOS gave total control of your paper to the website.  The site claims to have fixed it (they responded in the comments) and people seemed satisfied.  Obviously, there is no way I'm reading a TOS myself.  It's probably a good idea to not submit your super secret novel to the site.

### uberOptions: Enable all options on all buttons in SetPoint

http://uberoptions.net/

If you have a Logitech keyboard or mouse you have to use their Setpoint program to be able to reprogram the extra buttons.  I've never been a fan of the default functions on the mouse, and have always changed them.  However, some buttons can't be reprogrammed, e.g., horizontal scroll, and left and right click.  uberOptions hacks Setpoint to allow you to reprogram every button.  Since horizontal scroll is worthless I changed mine to change tabs left and right.

## Thursday, April 1, 2010

### New Method Could Hide Malware In PDFs, No Further Exploits Needed

http://it.slashdot.org/story/10/03/31/1834255/New-Method-Could-Hide-Malware-In-PDFs-No-Further-Exploits-Needed?art_pos=16
"A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."
In Foxit Reader there isn't even a warning.  I tested it and it did run a command prompt in Foxit.  The author notes he hasn't yet gotten arbitrary code to run in Foxit, but thinks that the only thing stopping him is minor differences in how Foxit works.  He got it working shortly after.  This is the test PDF if you wish to test your reader.

Foxit Reader isn't open source, which has bothered me for a while.  Also in the last few years it seems to have become more and more bloated.  Closed source programs, particularly ones that perform a simple task, seem to inevitably bloat as the authors attempt to justify the "premium" or "pro" version.  Also, I've noticed there are always a couple Foxit processes running when I look at the task manager.  They are probably left over from reading documents in Firefox and them not closing properly.  This exploit was the final straw that made me search for an open source PDF viewer.

There aren't many options for open source PDF viewing with precompiled Windows binaries.  What I settled on was Evince.  It's pretty spartan as far as features go, but it has all the stuff that matters when reading PDFs: search, two page layout (not sure if it can change the starting page to properly align certain books), copy, and zoom.  Plus it is much smaller and quicker to launch than Foxit Reader.  It is immune to this attack as well.

Edit: After a bit more searching I found Sumatra PDF Viewer.  It is open source and developed directly for Windows.  I think I prefer it to Evince, mainly because it lets you click to grab the page and scroll like that.  Otherwise it is similar feature-wise to Evince.  It is also immune to this attack.