It has long been known that if you want a trouble (virus) free computer your best chance of getting this is to use an Apple. I myself have an iBook and have not had any problems since I got it (granted, I am quite careful myself and didn't have any problems before either).
However, two known vulnerabilities have recently come about with OS X. One of them is a Trojan that, if installed, can try to send itself using iChat (much like all the windoze msn viruses). This Trojan has been classed as "mainly harmless". It has been given this ranking as it has to be installed by the user before it can infect the computer.
The Trojan itself is quite sneaky, as it changes the icon of the file so as to make people believe that it is an image rather than the application it really is. While this may confuse your average user, who has file extensions hidden, anyone with "show all file extensions" turned on will notice it is not in fact the innocent image it tries to be.
It has turned out that this practice is actually used by Apple to try to convince people that an application shipping with their iTunes is actually a text file. See article 1:

This is just one instance that I have come across; I am sure there are many more examples out there on the Apple site. There are a number of problems, one of which is: what is this application that is being shipped with iTunes? Is it a copy of TextEdit? If so, why? OS X ships with TextEdit, so can't Apple make the assumption that every OS X user in the land has TextEdit? Obviously not.
I suggest that anyone using OS X turn on "show all file extensions" and be wary of ANY file you download.
Last week I added Glen Jones' MapSurface on to most of the pages here. (If you want to see it, hit Alt+X on the home-page or any article page.) It just so happened that this was a day before I published my Hacking Reddit article. This was a good test for me to see how the system coped. It also gave me some real-time statistics, which I have not been able to have in the past.
Note: If you are running OS X (like me) and Alt+X doesn't work try using Option+Shift+X. I didn't realise this for a few days and had to switch browser (from Camino) when I wanted to check my stats.
All of my current statistics are produced daily and are based on what my log files pick up. They aren't able to give me interesting data about which pages people have been looking at. This is due to the fact that all requests are directed to a single page with mod_rewrite.
Things I Like
The thing I like most about MapSurface is the ability to see, in real time, links coming in and how people were leaving. I was also happy to know that the people that were getting tracked were real people. In general you cannot trust statistics due to the number of robots crawling the web. However, using JavaScript to track people means that you can be pretty sure that there is a real person on the other end of the line.
The second notable thing that MapSurface enables you to do is see stats for a page while you are looking at the page. This was really useful during my time on the top of Reddit as I could look at the page in question and not see the stats for the rest of the site.
Things I Didn't Like as Much
There have been two major annoyances while using MapSurface over the past week. The first of these was myself. While this was not the script's fault, it was really annoying that it tracked where I was moving as well. This may not be a problem if you have a high volume site, as you will disappear in the sheer volume of traffic. For my little site, on the other hand, it was very noticeable. What would have been good was if I could specify my IP, and any requests from my IP could be ignored. Then I could stroll around the site to look at the stats without becoming the stats.
The second thing that was noticeable was the number of times I loaded up the dashboard and it didn't load the images. Now I don't know if this was because it couldn't find the images or if there was a problem with the code at my end. Either way, when this happened it made the dashboard almost unusable. This problem may, however, be one of those beta problems that will fix itself before MapSurface gets released as final.
Overall
The experience so far has been mostly positive. It has given me a few questions as to why people like some links but not others. I will continue to use MapSurface and will be expanding it to cover all of my pages. If you are the type of person who likes to see stats with a bit more context I would highly recommend using MapSurface. Kudos to Glen Jones for a great product.
It has come to my attention that it would be easy to manipulate people on Reddit into giving a link points with the user none the wiser. While I am sure this trick could be used on systems such as digg, having never used it I could not say for sure.
Javascript Bookmarklets
On Reddit you can get a selection of bookmarklets that enable you to like and / or dislike things on Reddit without having to visit Reddit. This is great if, like me, you open all of the links that you think you may like in different tabs (in your favourite tabbed browser). You can then let the bookmarklets tell Reddit whether or not you did like the page.
The process that the bookmarklets go through can be recreated and added on to a static page though. So if someone who is logged in to Reddit strolls past the page, they will invisibly tell Reddit that they liked the page. So if lots of people just look at the right page, it can push it up to the front page of Reddit. Now anyone who has made it on to the front page of Reddit will tell you that when you get there you can expect a large number of people to visit your site.
So what does this all mean? Well, let's say for a moment that I really want people to notice an article that I have written. I can go to Reddit, submit the page, and add the small piece of JavaScript onto the page; then anyone who walks past while being logged into Reddit will invisibly say they like the article.
So What’s The Code?
This code is only a proof of concept and should not be used on a public site. It does work perfectly in the browsers I tested it in. (I have not used this script to actually affect a link on Reddit)
<script type="text/javascript">
<!--
// The encoded version of the current page
var page = encodeURIComponent(location.href);
// Create an image on the page, give it an address, then style it
var child = document.createElement("img");
child.src = 'http://reddit.com/d/like'+Math.random()+'?u='+page;
child.style.position = "absolute";
child.style.left = "-9000px";
// Finally push it out on the current page
var daddy = document.getElementsByTagName('body')[0];
daddy.appendChild(child);
// -->
</script>
This script is totally invisible, and if the user is not logged in, it just reverts to an image saying that you have to be logged in. Furthermore if the page hasn't been submitted it reverts to an image saying it needs to be submitted. It will always produce an image. So displaying it with such a large negative position to the page means it will always be pushed out of view and work invisibly.
For the user who likes to rate everything that they see on Reddit, they will just override this if they click their bookmarklets. However, people who have the "don't show sites after I’ve liked them" preference turned on, will never see that they liked the article. After a while people might start to notice something fishy is going on but for the short while people are just visiting the site and the script will gain it points.
How Can This Be Stopped?
Well I spent a while pondering different ideas as to how to stop this from being exploited. The method I came up with would require a little more work on the Reddit side of things but it would enable them to stop someone pasting a script (such as above) on their website. It would also be virtually invisible to the user so would not detract from using the bookmarklets. The method would work by every user getting a personalised set of bookmarklets - one that would only work with the right user being logged in. It would be simple to add as you could just add an extra variable to the URL. So the image URL would look like http://reddit.com/d/like[random number]?u=[page]&user=[username]. This would stop the script I made because the user you are logged in with could be verified before the points are added to the link.
While this is not a massive hack it could be used to ruin the whole way Reddit works. The worst part is the way the whole thing can be done invisibly. For all I know there are already sites out there using a similar technique. If not, how long can you go on trusting the honesty of website owners?
Update
It appears that if you have your Reddit exploit on the front page of Reddit for a day they are quite responsive in fixing it. Please all update your bookmarklets. It looks like they went with a similar fix to the one I suggested. You now get some sort of hashed string in the request. Kudos to the Reddit guys.
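The per-user check described under "How Can This Be Stopped?", sketched as server-side Python with a keyed hash in place of the bare username (an added example, not code from the original post and not Reddit's implementation). The secret, the `t` parameter name, the user names and the sample page are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a secret known only to the voting site (constructed value).
SERVER_SECRET = b"constructed-demo-secret"


def bookmarklet_token(username: str) -> str:
    """Keyed hash baked into one user's personalised bookmarklet."""
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()


def like_url(page: str, token: Optional[str] = None) -> str:
    """Build the like-image URL; 't' is a hypothetical parameter name."""
    params = {"u": page}
    if token is not None:
        params["t"] = token
    return "http://reddit.com/d/like0.42?" + urlencode(params)


def handle_like(url: str, session_user: Optional[str]) -> str:
    """Server-side decision for a GET to the like endpoint."""
    if session_user is None:
        return "rejected: not logged in"
    params = parse_qs(urlparse(url).query)
    page = params.get("u", [""])[0]
    token = params.get("t", [""])[0]
    if not page:
        return "rejected: no page given"
    expected = bookmarklet_token(session_user)
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return "rejected: token does not match the logged-in user"
    return "counted: %s likes %s" % (session_user, page)


if __name__ == "__main__":
    page = "http://example.com/article"  # constructed sample page
    # 1. Embedded script on a third-party page: it has no token to send.
    print(handle_like(like_url(page), "alice"))
    # 2. alice clicking her own personalised bookmarklet.
    print(handle_like(like_url(page, bookmarklet_token("alice")), "alice"))
    # 3. Page owner embedding their own token: wrong for every other visitor.
    print(handle_like(like_url(page, bookmarklet_token("mallory")), "alice"))
```

Only the first and third requests are refused: the vote is counted only when the token in the URL was issued to the same account the session cookie identifies.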