Mar 31, 2017

default priority in org-mode

problem

org default priority is usually [B] and it's hard to control. i want to set it into lowest.

what is expected

For me, this is nice

  • [A]
  • [B]
  • [C]
  • default

solution

You can change the range of allowed priorities by setting the options org-highest-priority, org-lowest-priority, and org-default-priority. For an individual buffer, you may set these values (highest, lowest, default) like this (please make sure that the highest priority is earlier in the alphabet than the lowest priority):
(setq org-highest-priority 65)
(setq org-lowerst-priority 68)
(setq org-default-priority 68)

effect

now i'm happy :) it reduce 50% of my time to organize TODO-list

Mar 16, 2017

Malcious Ad is now removed by Media Math

Rapid reaction by Media Math

Here is an update for the previous article.

and in 3days, they also told this problem is resolved.

try to visit the page again, and now it's safer!

  1. go to the Nikkei's article where the problem happened
  2. check XHR (here is the zipped one)
It still shows mathtag in Rubicon Project's partner area
{
    "pingdom_id": "399231",
    "ttl": 7,
    "img": "http://sync.mathtag.com/sync/img?mt_exid=9",
    "priority": 10,
    "secure": {
 "img": "https://sync.mathtag.com/sync/img?mt_exid=9&redir=https%3A%2F%2Fpixel.rubiconproject.com%2Ftap.php%3Fv%3D4222%26nid%3D1512%26put%3D%5BMM_UUID%5D"
    },
    "resync": 1,
    "partner": "mediamath"
}
AND I confirm NO REQUEST to malcious server happens now. Yeah!
Thank you for the Media Math team! Now I can continue browsing safer Internet and My grandmother as well.

Mar 12, 2017

How Advertisement Hijack Ads-owner's contents

Overview

(update: they fixed the problem )

When I tried to read article in Nikkei, chrome in Android move without any notification to strange website. (caution: please don't access URLs in the pics)






What I tried to read (Japanese only): http://trendy.nikkeibp.co.jp/article/col/20030924/106051/?ST=trnmobile_f

This advertisement just hurt the brand image of owner website (this case it's Nikkei). And other users also have met the same problem: https://productforums.google.com/forum/#!msg/chrome/AzyvOJ1xcYg/L354tQk1BAAJ

Here is also interesting comment (https://productforums.google.com/d/msg/chrome/AzyvOJ1xcYg/6R8cSVk8BwAJ)

TNTBrian said:
Even if it is an advertiser, Chrome is still being exploited.
Also it does not happen on an older version of Chrome -- At least for me. Would love to see if the same is true for others.
After reading, I have two questions.
  1. How it works?
  2. Why does Chrome allow the problematic script to run?

track requests to know how it works

here is recorded *.HAR in Google Chrome when I read trendy.nikkeibp.co.jp
HAR.zip

In the response, one amazon ec2 instance sent response with javascript that includes the domain "comumx[dot]site" that is the original site of the above picture.
It does move webpage forcely to comumx[dot]site.
function(){top.window.location='http://comumx[dot]site/lpde1/index.php?s1=mas_jiami_de&pubid=B22CD7E7954F3EED828B3172748A31FA&bid=354163f6a3a632c304e2b91277de2f3b';}
After checking a bit, I realized this script was triggered in the following steps:
  1. trendy.nikkeibp.co.jp
  2. www.googletagservice.com
  3. securepubads.g.doubleclick.net
  4. ads.rubiconproject.com
  5. optimized-by.rubiconproject.com
  6. tags.mathtag.com
  7. ec2-52-23-195-173.compute-1.amazonaws.com ( this responses with problematic javascript )
Now it's clear why it happens :)

why Chrome allowed this script to run?

According to the registory information in WHOIS, the domains belonged as follows.
  1. NIKKEI (trendy.nikkeibp.co.jp)
  2. Google (www.googletagservice.com)
  3. Google (securepubads.g.doubleclick.net)
  4. Rubicon project (ads.rubiconproject.com)
  5. Rubicon project (optimized-by.rubiconproject.com)
  6. MediaMath (tags.mathtag.com)
  7. ec2-52-23-195-173.compute-1.amazonaws.com ( this responses with problematic javascript )
NIKKEI is a user of google advertisement network in their website.
Unfortunately I haven't heard anything about "Rubicon project" and "MediaMath". After googling, I realized they are advertise network company / agency.
Rubicon Project seems to belong to the IAB. Thus they should not allow such an advertisement generally. https://www.iab.com/news/iab-names-googles-jonathan-bellack-rubicon-projects-jay-sears-advertising-technology-council-co-chairs
MediaMath is described in crunchbase. (https://www.crunchbase.com/organization/mediamath#/entity) Their codebase also includes the requests against "*.mathtag.com" i.e. https://github.com/search?utf8=%E2%9C%93&q=org:MediaMath+mathtag.com&type=Code&ref=searchresults
HTTP response from Rubicon Project includes the following
{
    "pingdom_id": "2117306",
    "ttl": 7,
    "img": "http://pixel.mathtag.com/sync/img?redir=http%3A%2F%2Ftap.rubiconproject.com%2Foz%2Ffeeds%2Fmediamath-pub%2Ftokens%3Fafu%3D%5BMM_UUID%5D",
    "secure": {
 "img": "https://pixel.mathtag.com/sync/img?redir=https%3A%2F%2Ftap.rubiconproject.com%2Foz%2Ffeeds%2Fmediamath-pub%2Ftokens%3Fafu%3D%5BMM_UUID%5D"
    },
    "partner": "mediamath-pub"
}

Thus naturally MediaMath is a business partner of Rubicon Project.
NOTE:
this domain, "pixel[dot]mathtag[dot]com" has already raised some discussions before:
Now we know which companies related to this problem and their relations.
  1. Google shows advertisement from partner company, Rubicon Project
  2. Rubion Project loads some script from partner company, MediaMath
  3. MediaMath loads some (unfortunately malicious) scripts from their clients.
From the viewpoints of typical business contracts, MediaMath should take responsibility to check the codes from their client.
And I guess it's fatal if advertisement can hijack the contents of owner of the advertisement.

If you have any feedbacks, please leave a comment.

アドネットワークを使ってハイジャックする話

概要

追記:MediaMathさんが解決してくれたよ!

なんとなく日経さんの昔の記事を読みたくなってアンドロイド上で読もうとしたら2秒程して変なページに飛ばされた。危うくクリックするところだった。
昔の記事:http://trendy.nikkeibp.co.jp/article/col/20030924/106051/?ST=trnmobile_f
変なページ



珍しいなーと思ってちょっと調べてみたら、アメリカの大手広告代理店経由で変なスクリプトを実行されていたというお話。
広告が広告主のコンテンツを食うなんて下克上みたいですね。ブランドイメージを毀損されてしまうので、広告主からしたら大問題だと思うのですが、それなりに放置されているのでまとめてみました。
なお、ユーザーリポートは飛んでるようです。 https://productforums.google.com/forum/#!msg/chrome/AzyvOJ1xcYg/L354tQk1BAAJ
「そもそもなんで飛ばされるの?」「なんでChromeはブロックしないの?」という2点について調べたり考えてみたりしました。


リクエストを追って何が起きているか確認してみる


該当ページを見たときのHARはこちら
ざっとみると上記画像の「COMUMXドットSITE」さんを含むEC2インスタンスからのレスポンスがありまして。 下記のJSなんかが問題を引き起こしているようです。
function(){top.window.location='http://comumx[dot]site/lpde1/index.php?s1=mas_jiami_de&pubid=B22CD7E7954F3EED828B3172748A31FA&bid=354163f6a3a632c304e2b91277de2f3b';}
詳しく見ると下記の順で各ドメインへリクエストを投げているようです。
  1. trendy.nikkeibp.co.jp
  2. www.googletagservice.com
  3. securepubads.g.doubleclick.net
  4. ads.rubiconproject.com
  5. optimized-by.rubiconproject.com
  6. tags.mathtag.com
  7. ec2-52-23-195-173.compute-1.amazonaws.com ( this responses with problematic javascript )
どうしてページ遷移が発生しているかはこれで明らかになりました。わーい。 ページ遷移自体はJavascriptで完結する話なのでこれだけで危険なコードを実行されているわけではないと認識してます。


Chromeがスクリプトを実行してしまう理由


さて、とりあえずドメインをWHOISベースで調べて会社名をマッピングしてみます。
  1. NIKKEI (trendy.nikkeibp.co.jp)
  2. Google (www.googletagservice.com)
  3. Google (securepubads.g.doubleclick.net)
  4. Rubicon project (ads.rubiconproject.com)
  5. Rubicon project (optimized-by.rubiconproject.com)
  6. MediaMath (tags.mathtag.com)
  7. ec2-52-23-195-173.compute-1.amazonaws.com ( this responses with problematic javascript )
NIKKEIは日経でGoogle ADのユーザーさん。
Rubicon ProjectはADnetworkのパートナーみたいなもんですね。IABにも参加しているようですので、こういう広告を配信してしまうのはどうなのかなと思いますが。 https://www.iab.com/news/iab-names-googles-jonathan-bellack-rubicon-projects-jay-sears-advertising-technology-council-co-chairs
MediaMathは広告代理店のようです。 (https://www.crunchbase.com/organization/mediamath#/entity) 実際ここが"*.mathtag.com"の所持者のようですね。 i.e. https://github.com/search?utf8=%E2%9C%93&q=org:MediaMath+mathtag.com&type=Code&ref=searchresults
Rubicon Project のHTTP responseを覗くとMedia Mathとの関係が見えてきます。
{
    "pingdom_id": "2117306",
    "ttl": 7,
    "img": "http://pixel.mathtag.com/sync/img?redir=http%3A%2F%2Ftap.rubiconproject.com%2Foz%2Ffeeds%2Fmediamath-pub%2Ftokens%3Fafu%3D%5BMM_UUID%5D",
    "secure": {
 "img": "https://pixel.mathtag.com/sync/img?redir=https%3A%2F%2Ftap.rubiconproject.com%2Foz%2Ffeeds%2Fmediamath-pub%2Ftokens%3Fafu%3D%5BMM_UUID%5D"
    },
    "partner": "mediamath-pub"
}
どうやら取引先のようですね。MediaMathが入稿してRubicon Projectのネットワークに載せる感じでしょうか。
ちなみにこのpixel[dot]mathtag[dot]com経由で、以前から色々と問題があるケースがあったようです。(注:「ちなみにこのpixel[dot]mathtag[dot]comは色々以前からやらかしているようです。」という表現を修正しました。)
まとめます。
  • 悪意ある広告製作者がスクリプトをEC2上に設置
  • 悪意ある広告製作者がMediaMathを通じて上記スクリプトを入稿
  • RubiconProjectがGoogle Adnetworkを通じて上記スクリプトをばらまく
  • NikkeiがGoogleAdnetworkを使うことにより日経Trendyの記事を読みにきたユーザーを変なサイトに無条件で飛ばす
恐らくGoogle-Rubicon Project, Rubicon Project - MediaMath間はCORSでもホワイトリスト方式で通してしまうんだろうなーと。 つまりMediaMathがスクリプトをきちんと確認しない限りどうしようもないんじゃないだろうか。 というわけで近日中に問い合わせてみます。

おわりに


この分野はシロウトなので、もし間違い誤解などがあったらコメントなりに残していただければ幸いです。