2010-06-18

"Viral" Like-Jacking on Facebook

It's out of control. Perhaps you've started to see a lot of stuff like this lately:


The title is provocative, mysterious or racy. Maybe it's scantily-clad ladies, the promise of a hilarious video, or, as in this example, a title implying that we're about to see something bad that our own President did.

The formula is always the same, though. You're taken to a page where you need to click something to continue...


Those who are paying attention will notice that on these pages, pretty much the entire page seems clickable according to the mouse cursor. That's because there is an invisible "Like!" button floating under your mouse the whole time. Unless, of course, you're running NoScript (which I've mentioned before). NoScript won't even load the page properly. Even if you disable JavaScript protection, ClearClick will alert you to what's about to unfold. Note the "thumbs up" icon.


What's happening is that there's a little 10x12 pixel iframe named "fbframe" being rendered on the page, and it's being set to invisible using the style tag. You can see that the iframe is loading a URL on Facebook that will add this page to your "likes." This would be in the top left corner of the page, by default.


This snippet is where the damage is done. It's at the bottom of the page, and loads a bit of code that keeps this invisible iframe positioned under your mouse wherever you hover it over the page.


The iframe will intercept your click, even if you click on something that appears to be a valid link. You end up unwittingly "liking" it, and displaying the rogue links to everyone on Facebook. Curious, some of them will click to see what it is, and be taken to the same page. I'd imagine most of these people will unwittingly fall for it as well.
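A static check for the pattern described above (a hidden or tiny cross-site iframe pointing at Facebook), as an added example that is not code from the original post. The sample markup, the placeholder Facebook URL, and the size and opacity thresholds are all assumptions made for illustration.

```javascript
// Added example: flag hidden or tiny Facebook iframes in page source.
// Regex attribute parsing is a simplification; a real scanner would use an HTML parser.
// Constructed sample markup (not taken from any real page); the Facebook path is a placeholder.
const SAMPLE_HTML = `
<iframe name="fbframe" scrolling="no"
  style="position:absolute; opacity:0; width:10px; height:12px"
  src="https://www.facebook.com/LIKE-ENDPOINT-PLACEHOLDER?href=https://example.invalid/"></iframe>
<iframe width="560" height="315" src="https://video.example.invalid/embed/1"></iframe>
<iframe style="width:450px;height:80px"
  src="https://www.facebook.com/LIKE-ENDPOINT-PLACEHOLDER?href=https://example.invalid/"></iframe>`;

function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

function parseStyle(style = "") {
  const out = {};
  for (const decl of style.split(";")) {
    const i = decl.indexOf(":");
    if (i > 0) out[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return out;
}

function findSuspiciousFrames(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const s = parseStyle(a.style);
    const reasons = [];
    if (parseFloat(s.opacity) < 0.1 || s.visibility === "hidden") reasons.push("invisible");
    const w = parseFloat(s.width ?? a.width), h = parseFloat(s.height ?? a.height);
    if (w <= 20 && h <= 20) reasons.push("tiny");
    if (s.position === "absolute" || s.position === "fixed") reasons.push("floating");
    let host = "";
    try { host = new URL(a.src).hostname; } catch { /* relative or missing src */ }
    const social = host === "facebook.com" || host.endsWith(".facebook.com");
    // A visible, normally sized Like widget is legitimate; only hidden or tiny ones are flagged.
    if (social && (reasons.includes("invisible") || reasons.includes("tiny")))
      findings.push({ name: a.name ?? null, host, reasons });
  }
  return findings;
}

console.log(findSuspiciousFrames(SAMPLE_HTML));
```

Only the first frame in the sample is reported; the visible 450x80 Facebook frame and the unrelated video embed pass.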

Clickjacking is nothing new. I believe RSnake named it in 2008, if he didn't discover it. Facebook's platform, however, is making it very easy for people to create pages that dupe unsuspecting folks into spreading links around virally. Many of these pages could be loading malware onto your computer via browser bugs or exploit packs, while others are probably just trying to drive traffic to their site for ad revenue.

At any rate, use NoScript. Seriously.

2010-06-16

Slowly growing my soul back...

I'm finally getting back to where I have some time (and the drive) to tinker some more.

I'm going to try to bring back the regular (several per week if not daily) RSS splice-feed of interesting links. I've been slacking on that since April. I wish I had a decent way to make those post here as well, but they only show up in the HiR RSS Feed and in a little box on the right side of the page. I suggest adding us to Google Reader if you don't currently use something else for RSS.

2010-06-09

Reprogramming Respironics CPAP and Bi-Level BiPAP Machines

-- OR --
All Your Sleep Apnea Are Belong To Us

Disclaimer: Messing with CPAP settings can cause your machine to no longer function as required by your doctor, and may lead to bad things happening to the operator. Use only the settings that your doctor or sleep technician has prescribed.

I have some oddball CPAP and BiPAP machines lying around and I had to reprogram one of them for a good friend of mine. While I was at it, I decided I'd like to figure out what lies in the "forbidden" area that only sleep technicians know how to get to. I'd heard from a friend who uses a CPAP that programming them usually involves unplugging it and pressing some buttons. So I started putzing around with this older model, the Respironics SleepEasy.


It's set to apply constant pressure of 6cm/H2O. Boring. There's not much that one can do with the buttons available to be pressed. They're for things like adjusting the heater attached to the humidifier reservoir, and enabling "Ramp Mode" which, from what I can tell, starts you off at a lower pressure as you try to get to sleep.


After a few minutes, I found that pressing the + and - buttons while plugging in the power did something interesting.


It's an unlock icon on the screen. Pressing + and - now adjusts the CPAP pressure in .5cm increments.


Pressing the humidifier button in this mode allows you to cycle through a few interesting diagnostics and settings. Shown below is the menu that allows the technician to completely disable the humidifier heater. Why? No idea.


This is the screen for adjusting Ramp Mode's initial pressure.


I also got my hands on a more expensive and elaborate bi-level CPAP machine, the Respironics BiPAP Plus M Series. These machines usually apply a higher pressure when they sense that you're inhaling, and then drop to a lower pressure while exhaling. There are more buttons and a higher-quality display on this model.

Usually, this is the screen you get in standby mode. Hitting + for "Setup" in the default user mode gives the operator very few useful options.

Holding + and - while plugging it in didn't work on this model. Next, I tried plugging it in while holding the arrow keys, and that did the trick.

Note the unlock symbol as well as a new menu option for "Data" which has a very rich array of statistics buried beneath it.

This machine hasn't been used.

Once unlocked, hitting the Setup menu button provides a lot of features, including the inhalation pressure...

And exhalation pressure.

There you have it. It seems like most Respironics machines are programmed by holding down +/- and arrow keys. These machines seem to be pretty popular. Maybe this quick walk-through will help someone who has to buy (or sell) a used machine.

Sorry I've been silent for so long. I'm still getting settled in at the new job. It's going great, and I have a great team, but there is a lot to do. Also, frankly, my brain is usually mush by the time I get home. Hopefully, I'll start playing with some cool and new shiny things outside of work again soon.