Archive for November 19, 2021

Friday, November 19, 2021

Click to Subscribe, Call to Cancel

Sarah Scire:

Publishers tend to think of this as “retention.” A study of 526 news organizations in the United States found that only 41% make it easy for people to cancel subscriptions online, and more than half trained customer service reps in tactics to dissuade customers who call to unsubscribe.

The Federal Trade Commission, meanwhile, recently made it clear that it sees the practice as 1) one of several “dark patterns that trick or trap consumers into subscriptions” and 2) straight-up illegal. The FTC vowed to ramp up enforcement on companies that fail to provide an “easy and simple” cancellation process, including an option that’s “at least as easy” as the one to subscribe.

[…]

Translation? If you can subscribe online, you should be able to cancel your subscription online.

AOL Exploits Bug in Own Software

Geoff Chappell (in 1999, via Hacker News):

In e-mail of dubious origin sent to security expert Richard M. Smith, it is alleged not only that the AIM client software has a so-called “buffer overflow” bug but also that AOL actually does use its knowledge of this bug to induce users’ machines, which are running the AIM client software, to execute code that is downloaded from the AIM server. AOL is said to do this as a way for the AIM server to distinguish AIM clients from MSN clients so that the latter may be denied service.

[…]

An ordinary, though certainly not necessary, effect of a program’s corrupting memory on its stack is that the program crashes some time later. The particular packet presented in the e-mail to support the allegations against AOL fits case 0013h but contains 0118h bytes of string data. This is too long and will indeed induce the AIM client to corrupt memory, as described above. However, the AIM client does not crash.

The reason is that the packet data, as received from the AIM server, is contrived so that the corruption of memory by the AIM client is carefully controlled. The buggy routine in the AIM client is made to “return” to an address at which it is known there will be the bytes for a call esp instruction (actually provided in the bitmap for an icon in the AIM.EXE resources). The effect of this instruction is to start executing some of the packet data.

Update (2021-11-23): Sherief, FYI:

Check out the section titled “(s)elf-exploitation

Unicode and Copying and Pasting Code

Glenn Faison:

I recently saw first-hand why I should never copy and paste any code I found online (or anywhere, for that matter).

[…]

To cut the long story short, what looks like a loose inequality check on line #4, is deceptively an assignment operation, which reads like (environmentǃ = ENV_PROD)! In JavaScript, assignment operations return the assigned value, which in this case is truthy (will be treated as true wherever a boolean value is expected).

But isn’t environmentǃ an invalid variable name in JavaScript, you ask? It’s complicated. You’d be right to say an exclamation sign cannot be part of a variable name. However, the ǃ you see there is in fact not the everyday exclamation sign you know. It’s an obscure character that happens to be accepted as regular text by the JavaScript interpreter, and thus can be a valid part of a variable name.

This particular example is unlikely to happen in Swift, both because assignments don’t have values and because the compiler is picky about whitespace around operators.

Via Nick Lockwood:

This is why Unicode (outside of string literals) in programming languages was a mistake.

[…]

Support for Unicode in variables adds a massive new surface for hiding security exploits in plain sight (see also: Unicode URLs).

The supposed benefit of being able to use mathematical symbols for custom operators is mostly just an attractive nuisance since you can’t type them.

Inclusivity is good, but Unicode variables offer little practical benefit to non-English speakers if the platform APIs and dominant 3rd party frameworks are not localized, and Unicode is neither necessary nor sufficient to solve that (it should ideally be handled at IDE-level).

CVE-2021-42574 (via Daniel Martín):

The Rust Security Response WG was notified of a security concern affecting source code containing “bidirectional override” Unicode codepoints: in some cases the use of those codepoints could lead to the reviewed code being different than the compiled code.
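A review-time check for both issues quoted above, the look-alike character inside an identifier and the bidirectional controls of CVE-2021-42574, as an added example (not code from this blog or from the quoted authors). The name `scanSource` and the sample source are constructed for illustration; the scan is token-agnostic, so it also reports matches inside strings and comments.

```javascript
// Added example: flag source lines that can read differently from how they parse.
// Bidi embedding/override/isolate controls (the code points behind CVE-2021-42574).
const BIDI = /[\u202A-\u202E\u2066-\u2069]/gu;
// Anything ECMAScript accepts as an identifier, including non-ASCII letters.
const IDENT = /[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*/gu;
const NON_ASCII = /[^\x00-\x7F]/gu;

const hex = (ch) =>
  'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');

// Token-agnostic scan: strings and comments are checked too, which is the
// conservative choice for a pre-merge check. col is a 1-based UTF-16 offset.
function scanSource(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(BIDI)) {
      findings.push({ line: i + 1, col: m.index + 1, kind: 'bidi-control',
                      codePoints: [hex(m[0])], token: null });
    }
    for (const m of line.matchAll(IDENT)) {
      const odd = m[0].match(NON_ASCII);
      if (odd) {
        findings.push({ line: i + 1, col: m.index + 1, kind: 'non-ascii-identifier',
                        codePoints: odd.map(hex), token: m[0] });
      }
    }
  });
  return findings;
}

// Constructed sample (hypothetical code), written with \u escapes so this file
// itself stays pure ASCII. Line 3 reads like "environment != ENV_PROD".
const SAMPLE = [
  'const ENV_PROD = "PROD";',
  'let environment = "PROD";',
  'if (environment\u01C3= ENV_PROD) {',
  '  console.log("non-production path");',
  '}',
  'const note = "\u202Ehidden";',
].join('\n');

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.line}:${f.col} ${f.kind} ${f.codePoints.join(',')}`);
}
```

Run over a diff in CI, a non-empty result is a reason to look at the raw bytes of the flagged line before approving it.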

First MacPaint and MacWrite Public Demo

level1807 (via John Siracusa):

The well-known presentation already available on YouTube is from January 24 of 1984. What’s not so well remembered: Jobs did it all twice, in less than a week. Six days after unveiling the Mac at the Flint Center on the De Anza College campus near the company’s headquarters in Cupertino, Calif., he performed his show all over again at the monthly general meeting of the Boston Computer Society.

“That’s the first time I touched the keyboard.” Atkinson later refers to the Feature key.