January 2006

marnanel points out that Google Maps UK have updated their aerial shots to include a much higher resolution, down to half a metre or so.

Apart from the inevitable “I can see my house from here”, you can also see a punt approaching Grantchester (the image doesn’t show whether the clock stands at ten to three, unfortunately), and a whole swarm of them having a look at King’s College chapel. You can also see Tony’s house, which I was a bit surprised by, because of the terrsts: Google, why do you hate AmericaEngerland?

On an unrelated note, someone pointed out a Wikipedia edit on Wicca, surely worthy of Encyclopedia Dramatica.

Apparently (as in, I read on some blog somewhere), one of Channel 4’s newspaper adverts for Richard Dawkins’s Root of all Evil? programmes was a picture of the New York skyline with the Twin Towers intact. It was captioned “A world without religion”.

From this you can tell that the UK’s most famous atheist meant business. Watching the introduction to the first programme, The God Delusion, it’s obvious Dawkins is worried by the apparent resurgence of militant religious faith, both Islamic and Christian, and has decided to draw his own line in the sand. Over the course of the two programmes, he outlines his case against religion.

His argument in The God Delusion is that the methods of science and religion are totally incompatible. Religion is about accepting things on authority, and believing them on faith. Science is about setting up models and constantly trying to disprove them. Dawkins makes the point that something which has been accepted for a long time gains a certain religious weight, regardless of whether there’s any evidence for it, citing the Assumption of Mary as a doctrine which is not even in the Bible, but which grew in popularity over time until it received papal approval.

Dawkins’s field of expertise is evolution, so it’s not surprising that he uses it as an example of a subject where science is under threat from religion. He takes us to Colorado Springs, home of New Life Church, which Harpers called America’s most powerful megachurch. In conversation with Ted Haggard, the pastor, Dawkins seems adversarial from the start, comparing his service to a Nuremberg rally. Dawkins seems particularly angered when Haggard claims that evolution teaches that the eye evolved “by accident”, telling him that he obviously knows nothing about the subject. Haggard calls Dawkins intellectually arrogant, and later throws him off the mega-church’s compound for “calling my children animals”.

For all his fearsome reputation, with the exception of his reaction to Haggard, Dawkins is pretty polite to his interviewees. He visits Jerusalem, and listens to both Jewish and Islamic people talking about the Dome of the Rock site. When talking to Yusuf Al-Khattab, a Jewish convert to Islam, Dawkins remains polite until Al-Khattab’s most outrageous statements. When the theist tells Dawkins “You dress your women like whores”, Dawkins snaps back “I don’t dress women, they dress themselves”.

After hearing the Jerusalem theists, Dawkins seems to despair. Each side is implacable, committed to their holy book and their truth.

In the second programme, The Virus of Faith, Dawkins is concerned with how religion is spread to children, and with the morality taught by the religious scriptures.

Dawkins points out that assigning children to a religion seems bizarre: we do not label children as “Marxist” children or “Conservative” children. He compares sectarian education to speciation: information stops flowing between populations, and eventually they see themselves as totally different.

Dawkins visits the rabbi of some Hassidic Jews in London who school their children themselves, and a private school using the Accelerated Christian Education (ACE) curriculum. I’ve written about ACE schools before: I think they come into the “mad, but probably harmless” category, as they’re privately funded schools which only a few parents would care enough to send their kids to. However, if Dawkins’s statement that the Blair government is making it easier for religious schools to get public money is true, that’s slightly more concerning.

Dawkins then moves on to his meme theory, although he doesn’t use the word meme, but rather, the much stronger “virus”. He points out that children are predisposed to believe what they’re told by their parents: this is necessary for survival. Religion piggy-backs on this, the cuckoo in the nest.

Dawkins talks to a psychologist who counsels people who have had an abusive religious up-bringing, and then visits a pastor in the US who organises Hell Houses, who tells him that the best age for children to visit such a performance is 12. Dawkins is unfailingly polite, while in the background the pastor’s performer prances about pretending to be the Devil officiating at a lesbian wedding.

Dawkins moves on to the morality preached by the religious texts, and notes that “the God of the Old Testament has got to be the most unpleasant character in all fiction”, before quoting examples like Deuteronomy 13 and Numbers 31. He does allow that Jesus was a good bloke, but considers Paul to have made up the doctrine of original sin and substitutionary atonement, calling it sado-masochistic (and not in a good way, either).

To illustrate just what going to the Bible for morality leads to, Dawkins then visits Michael Bray, a supporter of Paul Hill, a pastor who murdered a doctor for performing abortions.

Dawkins knows, and says, that not all Christians agree with Bray and Hill, but points out that people like them are a problem for Christians, since the alternative is a selective interpretation of the Bible, which leads to the question of whose selection is correct. He turns to the ructions in the Church of England caused by the debate over homosexuality. Dawkins talks to Richard Harries, the Bishop of Oxford, who gives the standard liberal rationalisation of the Bible passages on homosexuality.

Dawkins’s argument against liberal Christianity is that it is redundant: if we can pick and choose from the Bible, why do we need it at all? Our picking and choosing implies that there is a higher standard than the Bible, so why not just use that?

Dawkins goes on to say that altruistic behaviour arises out of our genetic predisposition to co-operate. We have an idea of the sort of society we’d like to live in, and an empathy towards others. He cites attitudes to racism and homosexuality as examples of how a modern morality is better than the Biblical one.

Finally, Dawkins plays up atheism as life-affirming: if the here and now is all we have, we’d better make the most of it.

As a post-script, over the credits, the announcer said: “Turn over to More 4 now, where historian Michael Burley argues that a faithless world has led to a collapse in the fabric of society: A Dark Enlightenment. On Channel 4 next: Celebrity Big Brother”. Well, I laughed.

So, what did I make of it all? I’m in broad agreement with Dawkins, in that I’m worried about playing the Netherlands (a handy bit of flat ground where generations of Europeans have staged wars) in a battle between two armies of crazy people.

I don’t think his ambition to stop the religious indoctrination of children is a realistic one: while public money should not be going into religious schools, the right of parents to bring up their kids as they like is not something the government should mess with, except in extreme cases. It’s sad that some kids end up scared to death of hellfire and need the services of the counsellor he talked to, but there’s not much a government can do about that.

Some reviewers have accused Dawkins of attacking extremist straw-men. Since many of his targets in the programme were Americans, I’m not sure how true that is: the perception on this side of the pond is that America is 51% populated (and 100% governed) by people who think they have an invisible friend who likes laser-guided munitions but doesn’t like the gays. The fact that the atheists in Colorado Springs had formed a support group speaks volumes.

Dawkins’s interviewees might be unrepresentative in another sense. We might place the religious on two axes: how crazy are they, and how much do they think about stuff? All of Dawkins’s religious interviewees were people who had thought about stuff and were crazy anyway. In that sense, they’re the dangerous sort: the people who will tell other, simpler souls, to, say, vote against gay marriage, or in extreme cases, to fly airplanes into buildings. The religious people I know in Cambridge are largely not crazy and have thought about it. In that sense, they too are unrepresentative.

Most theists haven’t thought about it very much, and are varying degrees of crazy. Dawkins’s argument about them seemed to be that they’re the soil in which the real nutters grow. I’m not sure that’s a good enough reason to condemn all religion, especially when Dawkins has given us plenty of other good reasons. As an acknowledged Internet expert on kooky religious groups, I can tell you that to my knowledge, none of CICCU’s alumni have ever flown an airplane into a building. Something else is going on, as I’ve said before. I wish I understood what it was.

In any case, the selection pressure on variant strains of theism seems to favour craziness at the moment, although I’d concede that some of those pressures are coming from sources external to the religion in itself, such as politics. Some of the pressure is merely from the fact that being crazy means you’re more enthusiastic (check the etymology), excited and exciting. You make converts, you stand on street corners, you write threatening letters to the BBC, and so on. The Bishop of Oxford is right: liberals should be more outspoken about their liberalism. And rationalist atheists, it seems, should start forming support groups. The Root of All Evil was part of an attempt to turn the tide, and despite its flaws, I welcome it for that alone.

Dawkins’ reaction as he walked back from his talk with Michael Bray was that he’d quite liked Bray, who didn’t seem to be an evil person. He quoted the physicist Steven Weinberg: “Religion is an insult to human dignity. With or without it you would have good people doing good things and evil people doing evil things. But for good people to do evil things, that takes religion”. I think that’s my take-home verse.

Those of you who missed the programmes or who are Foreign may obtain the videos of both programmes by waiting for them to fall from the back of a passing lorry or by fishing them from the torrent of information that is available on the Internet. Verbum sap., as E.E. “Doc” Smith used to say.

The recent change to LJ’s URL formats seems to be part of an attempt to defend against one or more attacks which allow the attacker to steal another LJ user’s credentials, gaining the ability to impersonate that user. The theft occurs when the victim visits a page on LiveJournal which contains some malicious Javascript inserted by the attacker (more technical details below for those that care).

What’s been happening?

Slashdot linked to an article with some more details on the attacks. This article includes details supplied by the Bantown group (who live at bantown.com, a site you probably want to visit using lynx). Bantown have used these attacks to pwn LiveJournal quite comprehensively: the comments on the news entry contained comments from tens of different users with the same demand from Bantown. It’s likely that these users all had their credentials stolen by Bantown.

I found a comment quoting an explanation of the vulnerability in an entry on lj_dev, but that entry has now been deleted. The quoted explanation is about a vulnerability which only applies to browsers based on Mozilla (so, Mozilla, Firefox and Netscape). The Bantowners claim that this is not the vulnerability they were using, as they have a vulnerability which affects all browsers. LJ recently patched a vulnerability which would do the job for all browsers, but it’s possible there are other, similar, vulnerabilities in LJ’s code. Or it’s possible that the Bantown people are lying.

Is it fixed?

LJ went down for a while on Friday afternoon, and seems to have invalidated all existing cookies. However, bradfitz is keeping quieter than I’d like about whether the risks still exist and about what workarounds users can use while LJ’s crack programmers are working on a fix. bradfitz’s use of “soon” suggests that the URL change was part of further changes. These further changes aren’t in place as I write this, which I think means that it’s still possible to use whatever attack the Bantowners have been using to steal credentials, although it’s not possible for an attacker to use an old set of credentials from logins before this afternoon.

Edited: LJ has now fixed this, so it’s safe to turn Javascript on again.

What can we do about it?

For now, I’m running with NoScript turned on, and using that to disable Javascript for all but trusted sites, of which LJ obviously isn’t one. LJ’s lack of communication about the risks to user data, and about possible workarounds, displays a worrying incompetence, as I’ve said elsewhere.

The Science Part

LJ uses cookies, small pieces of data stored by your web browser, as your credentials. When you log in to LJ, you get a cookie. From then on, your browser presents the cookie whenever it requests a page from LJ. LJ trusts you because you have the cookie, and lets you do things that only you should be able to do. The cookie can persist just until you close your browser, or longer if you’ve ticked the “remember me” option when you log in.

The attacks on LJ are cross-site scripting or XSS attacks. A Javascript running on a particular page can access the cookies for that page. Currently, any Javascript running on an LJ page can see your cookie, because the same cookie applies to the entire site. If an attacker can cause their own Javascript to run on a page supplied by LJ, they can steal that cookie and send it to a remote server that they own.

How might the attacker get their script onto LJ’s pages? Well, LJ lets you submit HTML as entries, comments, and as your own styles, and then displays it on its pages. LJ attempts to sanitise the HTML you supply it, but if it doesn’t do this correctly, the attacker has a way in. They can put their Javascript on the page, and visiting that page would then send your cookie to their server. Also, browsers based on Mozilla (such as Netscape and Firefox) allow stylesheet authors to embed Javascript in a CSS stylesheet, so the way LJ lets users reference their own external stylesheet is another security hole (although as I said above, it’s possibly not the one that the Bantown people are using).
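How cookie scope decides what a script on a given page can read, as an added example that is not LiveJournal's code: it models the browser's rules (RFC 6265 domain matching, host-only cookies and the HttpOnly flag, which are general browser mechanisms the post does not describe) over two cookie layouts. All hostnames, cookie names and the "scoped" layout are constructed assumptions.

```javascript
// Added example: a model of browser cookie scoping. Hostnames and cookies
// are constructed; this is not LiveJournal's code or configuration.
// Path and Secure attributes and IP-address hosts are left out for brevity.

// RFC 6265 domain-match: equal to the cookie domain, or a subdomain of it.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// A cookie set without a Domain attribute is host-only: it is returned
// only to the exact host that set it, never to sibling or child hosts.
function cookieApplies(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(host, cookie.domain);
}

// Cookies the browser attaches to a request for `host`.
function sentCookies(jar, host) {
  return jar.filter((c) => cookieApplies(c, host)).map((c) => c.name);
}

// Cookies a script on `host` can read through document.cookie:
// the applicable ones minus those flagged HttpOnly.
function scriptVisibleCookies(jar, host) {
  return jar
    .filter((c) => cookieApplies(c, host) && !c.httpOnly)
    .map((c) => c.name);
}

// Layout the post describes: one session cookie valid for the entire site.
const siteWideJar = [
  { name: "session", domain: "journal.example", hostOnly: false, httpOnly: false },
];

// Narrower layout (an assumption, not LJ's documented fix): the session
// cookie is host-only on the login host and hidden from scripts; only a
// low-value display preference stays site-wide.
const scopedJar = [
  { name: "session", domain: "www.journal.example", hostOnly: true, httpOnly: true },
  { name: "prefs", domain: "journal.example", hostOnly: false, httpOnly: false },
];

// Hosts where user-supplied HTML is rendered (constructed names).
const userContentHosts = ["alice.journal.example", "bob.journal.example"];

// Which cookies would a script running on each user-content host see?
function exposure(jar) {
  const out = {};
  for (const host of userContentHosts) out[host] = scriptVisibleCookies(jar, host);
  return out;
}

console.log("site-wide:", exposure(siteWideJar));
console.log("scoped:   ", exposure(scopedJar));
console.log("sent to www:", sentCookies(scopedJar, "www.journal.example"));
```

With the site-wide layout every page that renders user HTML exposes the session cookie to script; with the scoped layout the same pages expose only the preference cookie, while the login host still receives the session cookie on requests.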

There’s some more discussion of how this works (in amongst a lot of sarcasm) in this thread on jameth’s journal.

The LJ New Comments script now copes better with the bewildering variety of journal styles that are out there. I also stopped it from giving up in disgust if a style allows it to see the comments but doesn’t provide a permanent link to each comment, as the “n” and “p” keys will still work in these styles (q.v. peacerose’s journal, for example).

I’m now using scrollIntoView to move each new comment to the top as you click or press keys, so you don’t get a new history entry for each comment you visit (I was annoyed with having to hit the “Back” button multiple times to leave the entry). The docs for Greasemonkey allege that scrollIntoView doesn’t work within Greasemonkey unless you do special stuff, but I seem to be getting away with it. Possibly I’ve broken the script for people not using Firefox 1.5, but such people need to feel the white heat of technology, anyway.

Ph34r my sk1llz!

ETA: Except that I broke it again trying to make it handle all the extra ways of denoting comments. v0.4, now on the userscripts.org site, seems to be working.

I’ve finally got around to writing the Greasemonkey script which I’ve long been threatening.

What it does

The script remembers which comments you’ve seen on LJ (or Dreamwidth) and helps you navigate to new comments. That’s right, I’m finally dragging LiveJournal kicking and screaming into the 1980s.

If you’re on an entry page, pressing “n” skips you to the next new comment, and “p” skips to the previous one. If the style has an “Expand” link, moving to an unexpanded comment with these keys will also expand the thread. If the style has a permanent link or a reply link for each comment in that comment’s header or footer, the script inserts another link next to it, labelled “NEW”. That link shows you that the comment is new at a glance. Clicking the “NEW” link selects the comment so that pressing “n” will go to the next comment from there. On some styles, the currently selected comment will be outlined with a dotted line.

On a journal or friends page, the script will also add the number of new comments to the link text, so that, say, “15 comments” becomes “15 comments (10 new)”, and enable the “n” and “p” keys to move between entries which have new comments, and the “Enter” key to view the selected entry. This only works if you’re looking at a journal which adds “nc=N” to entry links to say there are N comments on an entry (LJ can do this as a trick to confuse your browser’s history function into thinking you’ve not visited that entry whenever there are new comments). If you want to turn this on for your journal then ensure you’re logged in, visit this page, check the box which says “Add &nc=xx to comment URLs” and hit the “Save” button.

How it works

You don’t need to understand this section to use the script. If you don’t care about programming, skip to the next part.

LJ makes it a total pig to do this sort of thing: there’s so little uniformity in journal styles that getting a script like this to work for all of them is impossible. It’s fair enough that LJ allows people to customise their journal’s appearance, but there aren’t even standardised CSS class names for stuff. Not that I’m bitter. So, what the script does is look for anchor tags of the form <a name="tNNNN"> or elements with an id attribute of ljcmtNNNN or tNNNN. NNNN is the comment number, which seems to be unique for each comment on a given user’s journal. It then looks for the permanent link to that comment, which is usually to be found in the header of the comment (or footer, in my current style), and adds a “New” link after that. So, new comments are marked with a link to the next new comment.

The upshot of all this is that if you’re reading a journal with a style which doesn’t use either anchor tags or elements with the given id for all comments, the script won’t work correctly. If the style doesn’t provide each comment with a permanent link in the comment’s header, the comment won’t be marked with a “New” link. Such is life. Please don’t ask me for special case changes to make it work with LJ’s many horribly customised journals. Pick a sensible style of your own and learn to use “style=mine” instead. There’s even another Greasemonkey userscript which will help. On the other hand, if there’s a large class of the standard styles for which it doesn’t work, tell me and I’ll have a look at it.

Using it

If you want to use it, you will need:

  • Firefox, the web browser, version 1.5 or later.
  • Greasemonkey, the extension which lets people write little bits of Javascript to run on certain pages.
  • LJ New Comments, which is what I’ve imaginatively entitled my script. If the userscripts site is down again, you can find a copy on my site.
  • Your flask of weak lemon drink.

After you’ve installed all of the above, visit an entry on LJ and marvel at the “NEW” links on all the new comments (which will be all of them at this point, as the script wasn’t around previously to remember which ones you’d seen before). See above for operating instructions.


Note that the script stores a Firefox preference key for each journal entry you visit, listing the IDs of the comments it finds there. The script doesn’t let the database grow without limit: when the script has seen 500 entries, it starts to drop the history for the entries you’ve not visited recently.

Clearing the browser’s history doesn’t affect the script’s list of visited entries. Thus your visits to polybdsmfurries will be recorded for posterity, even if you clear the browser’s history. You can wipe the entire history by using the “Manage User Scripts” entry on the Tools menu to delete the script and its associated preferences (you can re-install it afterwards, but you must clear out the preferences for it to delete the history).

The script does not record the contents of any entry or comment. The script does not transmit any information to LJ or any other website, it merely acts on what it sees when you request journal entries.
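The comment detection described under "How it works" and the bounded per-entry history described above, as an added sketch that is not the LJ New Comments source. A plain Map stands in for the Greasemonkey preference store, eviction is assumed to be least-recently-visited first, and the element records, URLs and function names are constructed for illustration.

```javascript
// Added example, not the LJ New Comments source.
const MAX_ENTRIES = 500; // limit stated in the post

// Recognise the three markers the post lists: <a name="tNNNN">,
// id="ljcmtNNNN" and id="tNNNN". Returns the comment number or null.
function commentIdFrom(el) {
  const byId = /^(?:ljcmt|t)(\d+)$/.exec(el.id || "");
  if (byId) return byId[1];
  if ((el.tag || "").toLowerCase() === "a") {
    const byName = /^t(\d+)$/.exec(el.name || "");
    if (byName) return byName[1];
  }
  return null;
}

// Collect each comment number once, in page order.
function scanPage(elements) {
  const ids = [];
  for (const el of elements) {
    const id = commentIdFrom(el);
    if (id !== null && !ids.includes(id)) ids.push(id);
  }
  return ids;
}

// Version 0.6 in the revision history: dashes in URLs become underscores,
// so history stored under the old URL format is still found.
function entryKey(url) {
  return url.replace(/-/g, "_");
}

class SeenStore {
  constructor(limit = MAX_ENTRIES) {
    this.limit = limit;
    this.entries = new Map(); // entry key -> Set of seen comment numbers
  }

  // Returns the ids not seen before on this entry, then records them all.
  visit(url, commentIds) {
    const key = entryKey(url);
    const seen = this.entries.get(key) || new Set();
    const fresh = commentIds.filter((id) => !seen.has(id));
    commentIds.forEach((id) => seen.add(id));
    // Re-insert so Map order runs from least to most recently visited.
    this.entries.delete(key);
    this.entries.set(key, seen);
    while (this.entries.size > this.limit) {
      this.entries.delete(this.entries.keys().next().value);
    }
    return fresh;
  }

  // Clearing browser history never reaches this store; wiping is explicit.
  wipe() {
    this.entries.clear();
  }
}

// Constructed sample of what a style might emit for one entry page.
const samplePage = [
  { tag: "a", name: "t101" },
  { tag: "div", id: "ljcmt102" },
  { tag: "td", id: "t103" },
  { tag: "a", name: "top" },      // ordinary anchor, not a comment
  { tag: "div", id: "ljcmt102" }, // same comment marked twice
  { tag: "div", id: "talkform" }, // starts with "t" but has no number
];

const store = new SeenStore();
const url = "http://some-user.journal.example/1234.html";
console.log(store.visit(url, scanPage(samplePage))); // first visit: all new
console.log(store.visit(url, ["101", "102", "103", "104"])); // later: one new
```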

Your questions

I’ve given this entry as the homepage for the script on Userscripts.org. That means this entry is intended to serve as a repository for questions about the script, so if you’ve got a question, comment here. I prefer this to commenting on my other entries or to emailing me, unless you already know me. Ta.

To keep up to date with new releases of my greasemonkey scripts, track the tag “greasemonkey” on my journal. This link should enable you to subscribe to that tag and get notified when I post a new entry about greasemonkey scripts.

Revision history

2006-01-02, version 0.1: First version.

2006-01-03, version 0.2: Added the “p” key. Used javascript to move between comments so doing so does not pollute the browser’s history. Coped with the id=ljcmtNNNN way of marking comments. Made “n” and “p” keys work even in the absence of permalinks on each comment.

2006-01-04, version 0.3: Apparently you can have id=tNNNN, too.

2006-01-04, version 0.4: Broke 0.3, fixed it again. I hope.

2006-01-19, version 0.5: Updated to cope with LJ’s new URL formats. Changed how comments are stored internally so that the database does not grow without limit: the script now remembers comments for the last 500 entries you visited, and forgets the entries you’ve visited least. Also added “New” marker based on reply link as well as thread link, for styles which don’t have a thread link for every comment.

2006-01-19, version 0.6: Convert dashes I find in URLs to underscores internally, to preserve access to history from older versions of the script before LJ’s URL change.

2006-02-09, version 0.7: Work around the fact that Firefox leaks memory like a sieve. Never display negative number of new comments. Change licence to MIT as GPL is overkill for this script.

2006-02-09, version 0.8: There was a bug in the workaround code I got off the Greasemonkey mailing list. Fixed that.

2006-06-04, version 0.9: Enabled the “n” and “p” keys on the friends/journal view. Added the box around the current comment.

2007-02-20, version 1.0, baby: Try harder to draw a box around the current new comment. Applied legolas’s fix for pressing CTRL at same time as the N or P keys (see comments).

2008-03-31, version 1.1: Make it work faster on entries with lots of comments. Altered behaviour of “NEW” link so it now selects the comment you’re clicking on, as that makes more sense.

2008-09-24, version 1.2: Support Russian keyboards thanks to mumi_0, make threads expand.

2009-01-27, version 1.3: Support for independentminds journals.

2009-05-04, version 1.4: Support for Dreamwidth.

2009-09-22, version 1.5: Amend support for Dreamwidth.

2010-08-09, version 1.6: Made syndicated journals work.