Out of the blue, a neglected, eight-year-old security vulnerability caused by the way the Internet supports multi-language Unicode typefaces has resurfaced with a splash.
Two weeks ago an information security researcher demonstrated how easy it was to still use Unicode font tricks to make malicious faked websites look safe and legitimate in modern web browsers.
In an April 14th blog post entitled “Phishing with Unicode Domains”, security researcher Xudong Zheng showed off a one-page website he created using a properly registered domain name. When viewed in certain versions of Chrome, Firefox and Opera, Zheng’s “proof of concept” website showed both a reassuringly secure and encrypted connection and one of the most trusted URL addresses in the world, namely “
Of course, the website had nothing to do with Apple and neither did the URL—it just looked that way.
The “аррӏе” of Zheng’s URL was made using characters from the Slavic Cyrillic alphabet—an alphabet included in every Unicode typeface. The Cyrillic characters and the order which Zheng used them in just happen to bear a near-perfect resemblance to the Latin alphabet characters that spell “apple”, though the pronunciation of the Cyrillic “аррӏе” would be closer to “arr-eh”.
What Zheng had pulled off is well-known among Internet security experts as a homograph attack, one exploiting the superficial resemblance between characters in different language scripts to fake website URLs.
More specifically it is called an IDN homograph attack, because it exploits the Unicode font support of the Internationalized Domain Name (IDN) system, which has allowed for the creation and registration of non-English domain (website) names for the last eight years.
However, before I go any further to explain the flaw that Zheng exploited, I want to quickly address his claim that certain web browsers are still susceptible to it—specifically that Mozilla (the makers of Firefox) when informed of the vulnerability in January of this year, decided not to issue a security patch and therefore that Firefox continues to be vulnerable.
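As an added illustration, not code from the original post or from Zheng’s demo, the Python check below shows what a browser or a defender can do with a hostname like Zheng’s: render each label in its Punycode form (the “xn--” ASCII form in which IDN labels actually travel through DNS) and flag a label that is spelled entirely in Cyrillic letters confusable with Latin ones, or that mixes scripts. The confusable table is a small constructed subset of the Unicode confusables data, and the sample hostnames are constructed.

```python
"""Homograph-domain checker (added example; not from the article or
from Zheng's demo). Shows IDN labels in Punycode ('xn--') form and
flags labels that mix scripts or are all Cyrillic Latin-lookalikes."""
import unicodedata

# Constructed subset of Unicode's confusables data: Cyrillic letters whose
# glyphs are near-identical to Latin letters in common fonts.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}

def script_of(ch):
    """Rough script of a letter from its Unicode name, e.g. 'CYRILLIC'."""
    if not ch.isalpha():
        return None  # digits and hyphens belong to no script
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_ace(label):
    """RFC 3492 Punycode with the IDNA 'xn--' prefix. This is the raw
    transform; a full IDNA implementation also case-folds/normalises."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def check_label(label):
    scripts = {s for s in map(script_of, label) if s}
    if len(scripts) > 1:
        return "mixed-script"  # e.g. a Cyrillic 'a' inside a Latin word
    if scripts == {"CYRILLIC"} and all(c in CYRILLIC_LOOKALIKES for c in label):
        return "latin-lookalike"  # every letter imitates a Latin letter
    return "ok"

def check_hostname(host):
    """Return (punycode_form, verdict, what_the_name_visually_reads_as)."""
    labels = host.lower().split(".")
    verdicts = [check_label(lab) for lab in labels]
    reads_as = ".".join("".join(CYRILLIC_LOOKALIKES.get(c, c) for c in lab)
                        for lab in labels)
    worst = next((v for v in verdicts if v != "ok"), "ok")
    return ".".join(to_ace(lab) for lab in labels), worst, reads_as

if __name__ == "__main__":
    # Constructed samples: Zheng's Cyrillic spelling, the real name, a mix.
    for host in ["\u0430\u0440\u0440\u04cf\u0435.com", "apple.com", "p\u0430ypal.com"]:
        print(host, "->", check_hostname(host))
```

The first sample comes back as xn--80ak6aa92e.com, which is the form a browser shows once it stops rendering the lookalike label as Unicode.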
As of April the 21st, 163 U.S. tech companies have joined an amicus brief in a Virginia U.S. Court of Appeals in support of the state of Hawaii’s lawsuit, which is blocking and seeking to overturn U.S. President Donald Trump’s second try at stopping all Syrian refugees and people from certain predominantly Muslim countries from entering the United States.
Confusingly, while many of the signatories are repeating their opposition to Trump’s original travel ban—issued on January 26 as Executive Order 13769—only about 121 of the 148-or-so technology companies which signed on to oppose the first Muslim travel ban have yet joined the Hawaii lawsuit against the second one. And some of the companies that have (41 by my count), did not sign the amicus brief against the first travel ban.
Apple, Inc. was a leading tech voice against Trump’s original Muslim travel ban and part of the first group of companies, along with Google, Microsoft and Facebook, to sign on to the Technology Companies amicus brief filed in the Washington v. Trump lawsuit. But, for whatever reason, while the likes of Google, Microsoft and Facebook have signed on to support Hawaii’s lawsuit, Apple’s name is glaringly absent from the new amicus brief.
Among the U.S. tech companies fighting the second travel ban, which did not fight the first one, the two standouts are:
- Electronic Arts, Incorporated (EA), the video game maker which has a Canadian office in the Metro Vancouver municipality of Burnaby, B.C.
- Red Hat, Inc., the maker of Red Hat Linux and one of the most successful and important players in open source software.
For the record, here are the companies which had signed the amicus brief filed with the Hawaii v. Trump lawsuit, as of April 19th:
6sense • A Medium Corporation • Adobe Systems Incorporated • AdRoll, Inc. • Affirm, Inc. • Airbnb, Inc. • Akamai Technologies, Inc. • AltSchool, PBC • Amazon • Ampush LLC • Ancestry.com, LLC • Appboy, Inc. • AppDynamics, Inc. • AppNexus, Inc. • Asana, Inc. • Atlassian Corp Plc • Autodesk, Inc. • Automattic Inc. • Ayla Networks • Azavea Inc. • Bitly, Inc. • Box, Inc. • Brightcove Inc. • Brocade Communications Systems, Inc. • Bungie, Inc. • CareZone Inc. • Casper Sleep Inc. • Castlight Health • Cavium, Inc. • Checkr, Inc. • Chegg, Inc. • Chobani, LLC • Citrix Systems, Inc. • ClassPass Inc. • Cloudera, Inc. • Cloudflare, Inc. • Codecademy • Color Genomics, Inc. • Copia Institute • Credit Karma, Inc. • DocuSign, Inc. • DoorDash, Inc. • Dropbox, Inc. • eBay Inc. • Edmodo, Inc. • Electronic Arts Inc. • Engine Advocacy • EquityZen Inc. • Etsy Inc. • Eventbrite, Inc. • Evernote • Facebook, Inc. • Fastly, Inc. • Fitbit, Inc. • Flipboard, Inc. • Fuze, Inc. • General Assembly Space, Inc. • GitHub, Inc. • Glassdoor, Inc. • Google Inc. • GoPro, Inc. • Greenhouse Software, Inc. • Greenough Consulting Group • Gusto • Harmonic Inc. • Hewlett Packard Enterprise • Hipmunk, Inc. • IDEO • Imgur, Inc. • Indiegogo, Inc. • Intel Corporation • Kargo • Kickstarter, PBC • Knotel, Inc. • Lam Research Corp. • Light Labs Inc. • Linden Research, Inc. • LinkedIn Corporation • Lithium Technologies, Inc. • Lyft, Inc. • Lytro, Inc. • Managed By Q • Mapbox, Inc. • Maplebear Inc. d/b/a Instacart • Marin Software Inc. • Medallia, Inc. • Medidata Solutions, Inc. • Meetup, Inc. • Memebox Corporation • Microsoft Corporation • Minted • Molecule Software, Inc. • MongoDB, Inc. • Motivate International Inc. • Mozilla • MPOWERD Inc. • NetApp, Inc. • Netflix, Inc. • NETGEAR • New Relic, Inc. • Nextdoor.com, Inc. • NIO • NY Tech Alliance • Optimizely, Inc. • Patreon, Inc. • PayPal Holdings, Inc. • Pinterest, Inc. • Pixability, Inc. • Postmates Inc. • Quantcast Corp. • Quora, Inc. • RealNetworks, Inc. 
• Red Hat, Inc. • Reddit, Inc. • Redfin Corp. • Rocket Fuel Inc. • RPX Corporation • SaaStr Inc. • Salesforce.com, Inc. • Shift Technologies, Inc. • Shutterstock, Inc. • Sift Science, Inc. • Sindeo • Snap Inc. • SpaceX • Spokeo, Inc. • SpotHero, Inc. • Spotify USA Inc. • Square, Inc. • Strava, Inc. • Stripe, Inc. • SugarCRM • Sunrun, Inc. • SurveyMonkey Inc. • TaskRabbit, Inc. • Tech:NYC • Tesla, Inc. • Thumbtack, Inc. • TransferWise Inc. • TripAdvisor, Inc. • Tumblr, Inc. • Turbonomic, Inc. • Turn Inc. • Turo, Inc. • Twilio Inc. • Twitter Inc. • Uber Technologies, Inc. • Udacity, Inc. • Udemy, Inc. • Upwork Inc. • Via • Warby Parker • Wikimedia Foundation, Inc. • Work & Co. • Workday, Inc. • Y Combinator Management, LLC • Yahoo! Inc. • Yelp Inc. • Yext • Zendesk, Inc. • Zymergen Inc. • Zynga Inc.
A fancy sort of dollar store has popped up in the former location of the Kason mattress store at 1256 West Broadway Ave. And by “popped up” I mean the shelves and stock were going in on Thursday, April 13 and two days later the store was open for business.
The store is called Miniso and is self-styled as a “Japanese Designer Brand”.
It even looks like what you might imagine the Japanese equivalent of a dollar store would look like, if it was airlifted straight out of a suburb of Tokyo and deposited in the Fairview neighbourhood of Vancouver.
In fact, Miniso is the Chinese equivalent of a dollar store—which is referred to in China as a “10 Yuan store” (10 Yuan equals about $2).
Miniso happens to be designed to look like a Japanese dollar store chain, because, well, I guess “Japanese” sells better than “Chinese”—even to consumers in China.
Some folks waiting for a westbound bus in the 1500 block of West Broadway Avenue at 5:58 p.m. during rush hour Tuesday (April 11) could only have been disappointed. Rather than the 9 Alma, or the 99 B-Line to the University of British Columbia, what they instead saw bearing down on them in the HOV lane was a B.C. Liberal Party campaign bus.
“Oh no”, I imagine they all groaned to themselves. “Not another out of service bus!”
The 41st general election to the Legislative Assembly of British Columbia takes place in less than four weeks, on May 9, 2017 and the governing centre-right B.C. Liberal Party, which has been in power since 2001, is campaigning hard for its fifth consecutive term in office.
All dogs may go to heaven but unless they’re service dogs they may not go into McDonald’s (which, I have no doubt, smells like heaven to a dog).
From my window seat in a McDonald’s restaurant this morning (April 13) I saw and photographed the latest in a long line of pooches forced to patiently wait outside while their owners take time to grab some fast food.
Using precedent as my guide, I would say, however, that it was unlikely anything was being grabbed for Fido here, which is a real shame.
I mean, if all that stuff about being man’s best friend really was true then you’d think that “the Man” would at least throw his (or her) BFF a succulent sausage patty but no—“a dog’s breakfast” is rarely on the menu at McD’s.
There’s a curious patchwork appearance to the glass paneled southeast facade of the Broadway Plaza at 601 West Broadway Avenue.
On March 20th, I noted that 136 of the facade’s 153 largest window panels were a reflective amber colour, while 45 randomly distributed panels (a little over 29 percent) were plain glass.
Seen up close, the mixture of dark and light glass has a sort of monochromatic Mondrian vibe but viewed from across the street it strongly reminded me, at least, of a game of breakout or Tetris, as played on an old no-colour, no-resolution, Nokia feature phone of the late 1990s.
I’m guessing that the two kinds of glass mean that it’s proven to be something of a pain over the years to replace the amber-hued panes of reflective glass which originally made up the entire facade when the Broadway Plaza was completed 38 years ago, in 1979.
And judging by the long, taped-over crack I saw on March 20th in one of the facade’s remaining 136 amber panels, I’m also guessing that the number of plain glass panels will shortly rise to 46.