Jesse Ruderman

Google Adsense doesn't like Adbar

From: Google AdSense
To: Jesse Ruderman
Subject: Google AdSense Account Status
Date: Tue, 8 Mar 2005 21:56:17 -0800

Hello Jesse,

We regularly review sites in the AdSense program for compliance with our program policies.

While reviewing your account, we noticed that you are currently displaying Google ads in a manner that is not compliant with these policies. We've noted that you are in violation of the following program policies on www.squarefree.com/extensions/adbar:

- We've found that you're displaying Google ads in a manner that does not comply with our program policies. According to Google AdSense program policies, no Google ad or search box code may be pasted into any software application, even if it is modified to not show ads through your AdSense account. In order to comply with our policies, please remove the Google ad code from the software provided in your site.

Thank you for your understanding. Once you've made the necessary changes, please reply to this email so that we may review your account again.

We also suggest that you take the time to review our program policies (https://www.google.com/adsense/policies?hl=en_US) and Terms and Conditions (https://www.google.com/adsense/localized-terms?hl=en_US) to ensure that all of your pages are in compliance.

Sincerely,

Heraldo
The Google AdSense Team

More Google changes

• The maximum words per query has increased from 10 to 32.
• If you click a word in your query, it now takes you to answers.com instead of dictionary.com. Answers.com shows not only dictionary definitions but also thesaurus entries, encyclopedia and Wikipedia articles, and several other sources of information.

Google expands some acronym searches

A search for np tree turns up a lot of hits for Joshua Tree National Park, with the phrase "National Park" bolded in page titles and snippets. This doesn't work for all searches involving the term np -- for example, it doesn't work for a search for np by itself. How new is this feature? What other acronyms does Google expand?

Firefox first suggestion for "f"

When I type "f" into Google Suggest, the first suggestion is "Firefox". Nice. Does that mean Firefox is the most common search starting with "f", or are there other factors that affect the ranking?

My impressions of Google Desktop Search

Google Desktop Search is useful enough for me to keep it installed, but I wouldn't say that it works well.

Functionality

• The file I'm looking for is often missing from Google Desktop Search's index. Even the filename is missing. I can't tell if it decided to skip the file because of its extension, contents, location, or changed-on date. Sometimes touching the file gets it indexed, but sometimes it doesn't.
• It "caches" old versions of files often enough to take up disk space unnecessarily, but not often enough that I can rely on it for a revision history when I break something.
• Since Google Desktop Search is slower than www.google.com, leaving "Show Desktop Search results on Google Web Search result pages" checked makes it slow down web searches.
• It gets much slower if I add num=100 to the URLs. A search with num=100 usually takes 3 seconds. This would be ok if it streamed the results, but I just don't see anything for 3 seconds. (There's no UI for adding num=100, so it's not really fair to complain.)

Security

• "Show Desktop Search results on Google Web Search result pages", which is checked by default, elevates any XSS hole in www.google.com to a read-my-files hole.
• Google Desktop Search uses an interesting scheme to mitigate XSS and CSRF holes: it includes a hash in every URL, even the root. The hash includes the path and sometimes includes the query parameters. If the hash is missing or doesn't match, it returns "Invalid Request".
• Clicking a link to an .exe file in search results runs it without any warning.
• The web site doesn't mention the current version number. The program doesn't have a "Check for upgrades" link, and if checks automatically, it makes no indication of that fact.
• Any web page can detect whether you have Google Desktop Search running by loading an image (or perhaps any URL) from http://127.0.0.1:4664/.
• The index is stored in a predictable location. "File upload holes", which let sites read your files if they know the filenames, are common in web browsers. File upload holes that require no user interaction are usually fixed quickly. But file upload holes that do require user interaction are not always fixed quickly. Two file upload holes requiring user interaction that I reported in 2000 are still present in IE and Firefox.

New Firefox extension: Search Keys

Search Keys lets you go to search results by pressing the number of the search result instead of clicking. You can press 1 to go to the first result, Shift+2 to open the second result in a new window, etc. It works with Google, Google News, Google Groups, Google Desktop Search, and del.icio.us.

Update Oct 16, 2004: The shortcut for opening in a new tab is now Alt+N on Windows and Mac, to avoid conflicting with the Ctrl+N shortcut for switching tabs. It is still Ctrl+N on Linux, which uses Alt+N for switching tabs.

Google's "Browse By Name" in Firefox

Google recently introduced a mode called "Browse By Name", a cross between "I'm Feeling Lucky" and a normal Google search. "Browse By Name" acts like "I'm Feeling Lucky" if Google is certain that the first hit is correct, but otherwise returns a normal set of search results. If you use Internet Explorer with the Google Toolbar, "Browse By Name" is the default behavior for non-URLs typed into the address bar. The Google Toolbar shows a dialog the first time you use the feature.

By default, Firefox uses "I'm Feeling Lucky" for non-URLs typed into its address bar. You can change the behavior by going to about:config and setting keyword.URL to the appropriate URL and then restarting Firefox.

Custom 404 page

www.squarefree.com now has a custom 404 page.

Opera's least popular feature comes to Firefox

The adbar extension displays Google ads related to pages you view. It works in Firefox 0.9+.

Hidden search results - answer

Michael Lefevre and mpt gave correct, but incomplete, answers to the question in my previous blog entry in their comments. Part of Michael's answer:

You'd have to work out which bits of closed bugs should be queryable (if you give any indication of a result based on, say, summary or comment queries, you could be disclosing important bits of the closed bug).

Indicating hidden results for a summary query would indeed disclose an important bit of the bug: its summary. First, the attacker would query for bugs with summaries starting with "a", "b", etc. Discovering that at least one hidden bug's summary begins with "b", the attacker would query for bugs whose summaries start with "ba", "bb", etc. After a few hundred more queries, the attacker would have the entire summary.

Hidden search results

Google sometimes hides search results to ensure that search results are varied:

In order to show you the most relevant results, we have omitted some entries very similar to the 15 already displayed. If you like, you can repeat the search with the omitted results included. [foo site:squarefree.com]

or due to bad laws:

In response to a complaint we received under the Digital Millennium Copyright Act, we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint for these removed results. [scientology site:xenu.net]

Bugzilla also sometimes hides search results, to protect confidential bugs such as undisclosed security holes. Unlike Google, Bugzilla doesn't tell you that there are hidden results for your search. This caused me to worry that potential employers would think I can't count. It also makes it impossible for Peter(6) and others to tell exactly how many release blockers there are.

When Bugzilla hides search results from you, why doesn't it inform you like Google does?

Hint: while "Because nobody implemented that feature" may be technically correct, that's not the answer I'm looking for.

Browser stats from search referrals

For visitors who reach my site through Google searches, browser percentages vary widely depending on search terms. In general, geekier terms have a higher percentage of Mozilla users. I analyzed stats for 35 days in June and July 2004 using a hacky batch file.

Stats for some of these search terms are skewed toward Mozilla not because the search terms themselves are geeky but because "Firefox" or "Mozilla" appears in the title of the result page on my site. Searches for "good porn" and "best porn" lead to a page on my site titled Why Mozilla Firefox is the best porn browser. Searches for "how to get a gmail" lead to my blog entry titled Help make Firefox better and get a Gmail invitation!.

By the way, over 50% of total hits to my site are Mozilla :)

Kerry beats Bush in Google

Kerry has an impressive PageRank 8 while Bush only has PageRank 7, like me. (Via curious on IRC.)

Kerry also beats Bush in a search for kerry | bush and even in a search for president.

jruderman@gmail.com

Thanks to aebrahim and Biz Stone for the Gmail invite.

Two strange things from the Terms of Service:

"Google disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service."

"You also agree that you will not use any robot, spider, other automated device, or manual process to monitor, or copy any content from the Service." (Does that include checking my e-mail every 5 minutes?)

Google makes site: searches easier

Google "site:" searches no longer require search terms. I used to search for e.g. "site:www.squarefree.com -asdf" to get a list of all pages on a site; now I can just search for "site:www.squarefree.com". I don't know how long this has been fixed.

Experience Google's new look

Google has been testing a new look with a small percent of visitors. I wrote a bookmarklet that lets you make Google show you the new look:

toggle google look

(Drag it to your bookmarks bar, visit google.com, and click on the bookmark.)

It works by changing the ID in your Google cookie to 102c51875a8839e9, the ID of one of the visitors Google randomly selected to test the new look. If your ID is already 102c51875a8839e9, it sets it 0000000000000000 (anonymous), letting you switch between the old and new looks quickly. Since the bookmarklet only changes the ID part of the cookie, it preserves your settings, such as the number of results per page.

Thanks to jcurious for pointing out the Neowin thread in which "poind" posted the ID from his Google cookie.

Update March 28, 2004: Google is now showing the new look by default. The bookmarklet no longer has any visible effect.

Update January 27, 2005: iMilly has created a modified version of this bookmarklet to anonymize your Google cookie.

Google's leap year logo

Look closely at today's Google logo. I missed it the first time.

Google "for president"

Howard Dean leads in a Google search for "for president". He is followed by Bush, Kucinich, Clark, Kerry, Nader (2000), Edwards, Lieberman, Gephardt, Braun, Cthulhu, Bradley (2000), a hamster named Potus, Cusack, nobody, and Tony Blair.

Google search tip: wildcard word (*)

Google treats "*" as a wildcard meaning "any word". You can use it in phrases to:

Ignore unimportant words

• "all but * anything but" (vs, and)
• "shanked * jengaship" (my, your, his jengaship)

Fill in phrases where you don't know a word

• "phyllis * tam" pomona (a middle name)
• "the * family is my boss" (hard-to-understand song lyrics from a song in Office Space)

See how people have filled in expressions and jokes

• "185 * walk into a bar"
• "friends don't let friends * *" (*'s at the end just keep the phrases from being cut off in snippets.)
• "* is to * as * is to *"

Crudely "search by proximity"

• "The shareware version * 10 levels"
• "The shareware version * * 10 levels"
• "The shareware version * * * 10 levels"

(I looked through my old searches by pressing Down in a Google search form in Firebird. The resulting autocomplete dropdown contains ~7000 Google searches I have done.)

Google Cache and slow CSS

If you use Google Cache when a server isn't responding, and the page uses an external style sheet, you won't be able to see the cached page. The reason is that most browsers block page display while waiting for the style sheet to load, and Google doesn't cache CSS or images. This limits the usefulness of Google's cache, especially now that CSS is popular.

Google could cache CSS along with HTML. To avoid spidering and storing every page's CSS, Google could proxy CSS loads for Google Cache users, and have the proxy time out after 5 seconds. But both of these solutions might use a lot of bandwidth.

Google could add code to cache pages to make CSS load later or in a non-blocking fashion. This has the disadvantage that when the server is responding, the page will be presented unstyled for a split-second. Since some Google users use the cache even when the site isn't down, this would be bad.

I hoped there would be a way for Google to add code to cache pages to stop blocking loads that are taking too long. JavaScript can detect a slow load: call setTimeout above the LINK element, and call clearTimeout in another SCRIPT element below the LINK. But the function setTimeout activates can't cancel the load by disabling the style sheet, changing the LINK's href, or removing the LINK element from the document. Browser makers didn't anticipate JS trying to cancel a blocking load. (Removing the LINK element from the document even crashes IE.)

Another solution is for browsers to make CSS loads block less:

• 84582#c11 - CSS loads should stop blocking layout if they take more than a few seconds
• 220142 - Pressing Stop while waiting for CSS should finish displaying what has been loaded before stopping.
• 224029 - JS can't cancel blocking load of a style sheet

Clever blogspammer

A spammer posted the following comment on my old blog post Chrome URLs in Mozilla and Mozilla Firebird yesterday:

I've been a long time user of both IE and Netscape. Now I'm using Mozilla and Firebird. Although I'm a fan of Mozilla and Firebird and have recommended it to friends.

The poster's URL had a spammy-looking domain name ("success-biz-replica"), but the site itself didn't look too spammy and the comment seemed fairly on-topic, so I didn't delete the comment. But today I stumbled on a very similar comment here and realized the comments were spam. The spammer probably decided to spam blogs mentioning Mozilla because those blogs are likely to have high Google PageRank.

I went into my web server logs to see what search phrase she used. I figured it would be something like mozilla "post a comment" "remember personal info" but I wanted to see the exact search phrase. I searched for the poster's IP address and found this:

193.230.197.6 - - [26/Oct/2003:11:07:05 -0800] "GET /archives/000007.html HTTP/1.0" 200 12252 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Alexa Toolbar)"

There was no referer, which probably just means she hid the referer intentionally. But I noticed something else: she used Internet Explorer to post the comment.

I deleted the comment.

Google spell correction

schwarzenator
governator
jessie ruderman
misdeception

Google fails to predict who I will marry

I have mentioned 8 females on my blog who are about my age. Their first names are Aurora, Erika, Helen, Kay, Michaela, Pamela, Sara, and Selene. I searched Google for these first names with my last name (for example, 'Helen Ruderman'). My rank is between #1 and #4 for each theoretical full name.

My rank for each name does not correlate well with my how likely I think it is that I'll marry each girl, crush strength, or even how well I know them (|r| < 0.3 for each).

Three of the theoretical full names are "taken" -- people with those full names exist. Surprisingly, there is no correlation between my rank and whether the full name is "taken" (r=0.127 in the expected direction). In one case, part of my site ranks #1 even though 3 sites mention a person who actually has that full name. In another case, nobody has the full name, but part of my site ranks #4.

Another Google security hole

This simple hole allows any site to change your Google preferences behind your back. Someone could change your Google interface language to Pig Latin. (Why Pig Latin rather than, say, Russian? It's more fun, and the "Google.com in English" link isn't as obvious when the surrounding text looks like English.) Someone could make your searches only turn up English results. Worst of all, someone could stop you from using Google to search for porn by turning on SafeSearch.

Slashdot's solution to this type of hole is "formkeys". I don't know how other sites solve it. But one incorrect solution is to check referers.

Minor security hole in Google

Webmasterworld's "hitchhiker" and I found a security hole in Google today. He searched for something like "this can't be true" and his browser reported a JavaScript syntax error. I pointed out that with a carefully constructed query string, you can get Google to spit out something syntactically valid that does whatever you want. For example:

http://www.google.com/search?q='+alert(document.cookie)+'
causes Google to generate the following onClick attribute: onClick="c('http://images.google.com/images?q='+alert(document.cookie)+'
&hl=en&lr=&ie=UTF-8&c2coff=1&safe=off','wi',event);"

If you follow the link and click a tab (web, images, groups, directory, news), you'll see your Google cookie in a dialog.

Hitchhiker responded:

I just can't believe G made that kinda mistake.

ESCAPE ESCAPE!

Escaping is not always the best solution. When I found a similar hole in some JavaScript code in Mozilla, ducarroz's solution was to use an alternative window.setTimeout syntax. The normal version of setTimeout takes a string to be parsed and executed; the alternative version takes a function and parameters. Instead of escaping the untrusted input, we avoided parsing a string containing the untrusted input.

Smaller Google home page

I edited Google's home page to make it as small as I could without changing how it looks. The result is 30% smaller and works slightly better.

Most of the changes that weren't simple deletions involved the code for the tabs above the search box.

Suggestions for Google Calculator

General suggestions

• Stay within unit systems. If I search for rod= or acre, give the answer in feet or square feet, not meters or square meters. If I search for 1 acre / 1 mile, say 8.25 feet instead of 2.5146 meters.
• Output in km/h rather than m/s if the inputs are in terms of kilometers and hours or days. 800 km / 8 hours should be 100 km/h (rather than 27.77777778 m/s), but 3/5 c and 10 m / 3 s should be in m/s.
• Parse 8 h as "8 hours", not "8 times Planck's constant". Not everyone knows what Planck's constant is or that it is represented by "h". I noticed this problem while searching for 800 km / 8 h. Strangely, 800 km / 100 km/h works as I would expect.
• Never round aggressively. Round without explanation once (one baker's dozen in dozens), and you lose my trust whenever you output an integer (1 acre in square feet) unless I figure out your rule for when to round.

Error-handling

• Floating-point arithmetic errors (1 / 0, 2 ^ 2000) should be displayed by default. Currently, they cause the calculator line to not appear, as if the calculator hadn't feature been triggered at all.
• Unit errors should be displayed by default. Examples: 1 acre in feet, 1 meter + 2 seconds, cube root of a square mile.
• There should be a way to see syntax errors so I'm not left in the dark when I make an error in my input and only get search results. It would make sense to use = at the end of a search for this, since = already causes questionable calculations like 1 feet= or 8 mile= and useless calculations like 6 cm= to be displayed.

New features

• Add support for multiple-unit output: 100 minutes in hours and minutes.

Units in Google Calculator

Asa is skeptical of the usefulness of Google Calculator. He uses something like the "ja" keyword bookmarklet, so he can type "calc 1+5" into his address bar to do a quick calculation. While that's great for arithmetic (and DOM), Google Calculator does a lot more than arithmetic.

My favorite Google Calculator feature is units.

• Can't remember a conversion factor? Search for 1 foot in cm or feet in a meter.
• You'll notice quickly if you multiply when you should divide or vice versa, because the units in the output will be wrong (1 volt * 1 amp vs 1 volt / 1 amp).
• 128000 bps * 3 minutes is much less error-prone than trying to remember all the conversion factors, even if you ignore than 1000-vs-1024 problem. (1MB is 1024^2 B, but a "128kbps" MP3 is 128000bps, which I verified with a long "160kbps" MP3).

I also like Google Calculator's metric-centricness. Google knows I'm in the US, but a simple search for foot or mile gives me a conversion factor to cm or km, while searching for cm or km does not convert back. Unpatriotic? Maybe.