Archive for the 'Google' Category

Google fails to predict who I will marry

Friday, October 24th, 2003

I have mentioned 8 females on my blog who are about my age. Their first names are Aurora, Erika, Helen, Kay, Michaela, Pamela, Sara, and Selene. I searched Google for these first names with my last name (for example, 'Helen Ruderman'). My rank is between #1 and #4 for each theoretical full name.

My rank for each name does not correlate well with how likely I think it is that I'll marry each girl, crush strength, or even how well I know them (|r| < 0.3 for each).

Three of the theoretical full names are "taken" -- people with those full names exist. Surprisingly, there is no correlation between my rank and whether the full name is "taken" (r=0.127 in the expected direction). In one case, part of my site ranks #1 even though 3 sites mention a person who actually has that full name. In another case, nobody has the full name, but part of my site ranks #4.

Another Google security hole

Thursday, October 23rd, 2003

This simple hole allows any site to change your Google preferences behind your back. Someone could change your Google interface language to Pig Latin. (Why Pig Latin rather than, say, Russian? It's more fun, and the "Google.com in English" link isn't as obvious when the surrounding text looks like English.) Someone could make your searches only turn up English results. Worst of all, someone could stop you from using Google to search for porn by turning on SafeSearch.

Slashdot's solution to this type of hole is "formkeys". I don't know how other sites solve it. But one incorrect solution is to check referrers. (Update May 5, 2005: I'm no longer sure checking referrers is incorrect.)

Minor security hole in Google

Thursday, October 23rd, 2003

Webmasterworld's "hitchhiker" and I found a security hole in Google today. He searched for something like "this can't be true" and his browser reported a JavaScript syntax error. I pointed out that with a carefully constructed query string, you can get Google to spit out something syntactically valid that does whatever you want. For example:

http://www.google.com/search?q='+alert(document.cookie)+'

causes Google to generate the following onClick attribute:

onClick="c('http://images.google.com/images?q='+alert(document.cookie)+'&hl=en&lr=&ie=UTF-8&c2coff=1&safe=off','wi',event);"

If you follow the link and click a tab (web, images, groups, directory, news), you'll see your Google cookie in a dialog.

Hitchhiker responded:

I just can't believe G made that kinda mistake.

ESCAPE ESCAPE!

Escaping is not always the best solution. When I found a similar hole in some JavaScript code in Mozilla, ducarroz's solution was to use an alternative window.setTimeout syntax. The normal version of setTimeout takes a string to be parsed and executed; the alternative version takes a function and parameters. Instead of escaping the untrusted input, we avoided parsing a string containing the untrusted input.
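The following is an added example, not Google's or Mozilla's code. It models the onClick bug above and the setTimeout fix from the Mozilla case: handler source assembled as text from an untrusted query (which a later parser turns into code) next to a handler that takes the query as a function argument, plus a small harness a reviewer could use to tell the two apart. The names imagesUrl, handlerFromSource, handlerFromClosure and exercise are hypothetical; c() is the tab function from the generated attribute above.

```javascript
// Added example, not Google's or Mozilla's code. Names other than c() are
// hypothetical.

// The URL the tab handler opens, with the raw query concatenated in exactly
// as the generated onClick attribute above does.
function imagesUrl(query) {
  return "http://images.google.com/images?q=" + query + "&hl=en";
}

// Vulnerable shape: the handler SOURCE is assembled as text and parsed later.
// Here Function() is the parser; the onClick attribute and string-form
// setTimeout parse the same way. A quote in the query ends the literal, so
// a lone quote gives the syntax error hitchhiker saw and a balanced pair
// lets the rest of the query run as code.
function handlerFromSource(query) {
  const src = "c('" + imagesUrl(query) + "','wi',event);";
  return new Function("c", "event", "alert", "document", src);
}

// Fixed shape (the setTimeout(function, delay, arg) idea): the query is
// captured as DATA in a closure and handed to c() as an argument. No parser
// ever sees the query, so there is nothing to escape.
function handlerFromClosure(query) {
  return function (c, event) { c(imagesUrl(query), "wi", event); };
}

// Harness: stub out c() and alert(), drive a handler with a query, and
// report what c() received and whether any injected code ran. The cookie
// value is a constructed sample.
function exercise(handler) {
  const seen = { urls: [], alertCalled: false };
  const c = (url) => { seen.urls.push(url); };
  const alert = () => { seen.alertCalled = true; return ""; };
  const document = { cookie: "PREF=constructed-sample-cookie" };
  handler(c, { type: "click" }, alert, document);
  return seen;
}
```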

Smaller Google home page

Friday, August 22nd, 2003

I edited Google's home page to make it as small as I could without changing how it looks. The result is 30% smaller and works slightly better.

Most of the changes that weren't simple deletions involved the code for the tabs above the search box.

Suggestions for Google Calculator

Tuesday, August 19th, 2003

General suggestions

  • Stay within unit systems. If I search for rod= or acre, give the answer in feet or square feet, not meters or square meters. If I search for 1 acre / 1 mile, say 8.25 feet instead of 2.5146 meters.
  • Output in km/h rather than m/s if the inputs are in terms of kilometers and hours or days. 800 km / 8 hours should be 100 km/h (rather than 27.77777778 m/s), but 3/5 c and 10 m / 3 s should be in m/s.
  • Parse 8 h as "8 hours", not "8 times Planck's constant". Not everyone knows what Planck's constant is or that it is represented by "h". I noticed this problem while searching for 800 km / 8 h. Strangely, 800 km / 100 km/h works as I would expect.
  • Never round aggressively. Round without explanation once (one baker's dozen in dozens), and you lose my trust whenever you output an integer (1 acre in square feet) unless I figure out your rule for when to round.

Error-handling

  • Floating-point arithmetic errors (1 / 0, 2 ^ 2000) should be displayed by default. Currently, they cause the calculator line to not appear, as if the calculator feature hadn't been triggered at all.
  • Unit errors should be displayed by default. Examples: 1 acre in feet, 1 meter + 2 seconds, cube root of a square mile.
  • There should be a way to see syntax errors so I'm not left in the dark when I make an error in my input and only get search results. It would make sense to use = at the end of a search for this, since = already causes questionable calculations like 1 feet= or 8 mile= and useless calculations like 6 cm= to be displayed.

New features

This is my second post about Google Calculator. My first was Units in Google Calculator.

Units in Google Calculator

Saturday, August 16th, 2003

Asa is skeptical of the usefulness of Google Calculator. He uses something like the "ja" keyword bookmarklet, so he can type "calc 1+5" into his address bar to do a quick calculation. While that's great for arithmetic (and DOM), Google Calculator does a lot more than arithmetic.

My favorite Google Calculator feature is units.

  • Can't remember a conversion factor? Search for 1 foot in cm or feet in a meter.
  • You'll notice quickly if you multiply when you should divide or vice versa, because the units in the output will be wrong (1 volt * 1 amp vs 1 volt / 1 amp).
  • 128000 bps * 3 minutes is much less error-prone than trying to remember all the conversion factors, even if you ignore the 1000-vs-1024 problem. (1MB is 1024^2 B, but a "128kbps" MP3 is 128000bps, which I verified with a long "160kbps" MP3).

I also like Google Calculator's metric-centricness. Google knows I'm in the US, but a simple search for foot or mile gives me a conversion factor to cm or km, while searching for cm or km does not convert back. Unpatriotic? Maybe.
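As an added example (not Google's code), here is a tiny unit-aware evaluator showing the behaviour the two Google Calculator posts above ask for: dimensions are tracked through * and /, so "1 meter + 2 seconds" and "1 acre in feet" are reported as unit errors rather than dropped, and a result can be asked for in a unit built from the inputs (km/h) instead of being forced to m/s. The unit table and all function names are my own; the conversion factors are the standard ones.

```javascript
// Added example, not Google's code. Each unit carries a factor to SI base
// units and a dimension vector (exponents of metre, second, bit). The table
// is deliberately small.
const UNITS = {
  m: { f: 1, d: { m: 1 } },          km: { f: 1000, d: { m: 1 } },
  ft: { f: 0.3048, d: { m: 1 } },    acre: { f: 4046.8564224, d: { m: 2 } },
  s: { f: 1, d: { s: 1 } },          min: { f: 60, d: { s: 1 } },
  h: { f: 3600, d: { s: 1 } },       bit: { f: 1, d: { bit: 1 } },
  bps: { f: 1, d: { bit: 1, s: -1 } },
};

// Canonical text for a dimension vector, ignoring zero exponents, so that
// two quantities are comparable exactly when their keys are equal.
const dimKey = (d) =>
  Object.keys(d).filter((k) => d[k]).sort().map((k) => k + "^" + d[k]).join(" ");

function combine(a, b, sign) {
  const d = { ...a };
  for (const k of Object.keys(b)) d[k] = (d[k] || 0) + sign * b[k];
  return d;
}

// A unit expression is a name or "name/name", e.g. "km/h".
function unit(expr) {
  const [num, den] = expr.split("/");
  const u = UNITS[num];
  if (!u) throw new Error("unknown unit " + num);
  if (!den) return { f: u.f, d: { ...u.d } };
  const v = UNITS[den];
  if (!v) throw new Error("unknown unit " + den);
  return { f: u.f / v.f, d: combine(u.d, v.d, -1) };
}

// A quantity holds its SI value and its dimension vector.
const qty = (value, expr) => { const u = unit(expr); return { v: value * u.f, d: u.d }; };
const mul = (a, b) => ({ v: a.v * b.v, d: combine(a.d, b.d, 1) });
const div = (a, b) => ({ v: a.v / b.v, d: combine(a.d, b.d, -1) });

// Addition is only defined between like dimensions; anything else is the
// "unit error" the post wants shown instead of silently swallowed.
function add(a, b) {
  if (dimKey(a.d) !== dimKey(b.d)) throw new Error("unit error: cannot add " + dimKey(a.d) + " to " + dimKey(b.d));
  return { v: a.v + b.v, d: a.d };
}

// "in": express a quantity in a named unit, refusing if dimensions disagree.
function inUnit(q, expr) {
  const u = unit(expr);
  if (dimKey(q.d) !== dimKey(u.d)) throw new Error("unit error: " + dimKey(q.d) + " is not " + expr);
  return q.v / u.f;
}
```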