I am not going to specifically address the topic of scripted attacks (such as click-jacking, like-jacking, using tools like Selenium, etc) used to game contests. There are just too many variations, and frankly, many of the data analysis concepts here would apply to that scenario as well.

Understand that I Am Not a Lawyer, and am NOT giving you legal advice here. The intended audience for this article is application developers, database architects and product directors, as we discuss some fundamental concepts that must be integrated into your contest application before even a single line of code is written. Many of these concepts can be applied to non-Facebook online contests, but some are Facebook specific.

Also, if you got to this article because you’re trying to learn how to game a Facebook contest, please die in a fucking fire. You are a useless piece of shit, and people like you are what is wrong with the world.

First things first, and a little bit off-topic, if you’re planning on creating a Facebook contest, be sure your contest abides by Facebook’s promotional policy guidelines. They’re a pretty quick read, but failing to read them before deploying a contest on Facebook may result in Facebook disabling your contest for policy violation. You can (and should) read the whole set of guidelines here, but since we’re about to discuss planning your contest app, the ones you really need to be mindful of are:

1. You must not use Facebook features or functionality as a promotion’s registration or entry mechanism. For example, the act of liking a Page or checking in to a Place cannot automatically register or enter a promotion participant.
2. You must not condition registration or entry upon the user taking any action using any Facebook features or functionality other than liking a Page, checking in to a Place, or connecting to your app. For example, you must not condition registration or entry upon the user liking a Wall post, or commenting or uploading a photo on a Wall.
3. You must not use Facebook features or functionality, such as the Like button, as a voting mechanism for a promotion.
4. You must not notify winners through Facebook, such as through Facebook messages, chat, or posts on profiles (timelines) or Pages.

Basically, this means that you can’t use any of the native Facebook platform tools as voting or winning mechanics. You can like-gate an app, requiring the user to like an app or page before being shown the contest sign-up form, but you cannot use the act of liking the app or page as the registration itself. You cannot award points or incentives on a Facebook share, but you CAN award points or incent the conversion. So if your app lets me invite people to your app, you can award me points for every one of my friends that allows the app and participates, but you cannot award me points based on how many people I invite that do not convert to app users or clickthroughs or what have you.

There’s a little bit of nuance to it, but the general rule is just to avoid using the platform for stuff that determines who wins or loses, period. That part has nothing specifically to do with gaming a Facebook contest (or the prevention of gaming a Facebook contest), but it’s pretty important, and will influence some pretty core mechanics in your contest, so don’t gloss over them.

Rule #1 of running a contest: LOG EVERYTHING

Log absolutely everything possible. Require that the user is logged in, and always log their FBID *and* their IP address. Your legal counsel will thank you for it.

You need to be able to run an audit on every action related to potential winning or losing of the contest for your own liability, but also because it is the foundation of putting yourself in a good spot to detect suspicious or fraudulent activity. Seriously.

If ass-wiping influences the contest outcome, you had better be logging every single time the user wipes their ass, complete with IP address, user agent, timestamp, and anything else you can think of that would be specific to that action+session combination. I simply cannot emphasize this enough.

Without extensive logging, you will be left absolutely helpless when a user (or their lawyer) challenges your winner decisions, or when other users claim a specific user is cheating.

Make sure your web server is logging access correctly as well. You may need to correlate your Apache access log to a specific transaction and IP address as well. Test this before your app goes live.

As you analyse your logs, look for inconsistencies in user agent and/or IP address. If their user agent is logged as “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7″ in one log entry and “Mozilla/5.0 (Intel Mac OS X 10_7_2) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7″ in the next, something is up. The differences between those two user agent strings is subtle, but it’s there, and there is no legitimate reason for it to change from action to action in the same session.

Rule #2: Get their email address

It seems intrusive, but if your loot is decent, people won’t mind giving it to you. Once they have allowed your application and granted you email permission through the app allow dialog, you can pre-populate the email address field so they don’t even have to type anything in. You’ll need their email address anyway, to notify them if they won, since Facebook doesn’t allow you to use FB Messages to do that.

You want their email address because users creating fake Facebook profiles (each of which requires a unique email address) to generate bogus votes/points/whatever will generally not be terribly creative (or may be using an automated script or service to do it), so you can use the email addresses as a way to detect patterns in participating users that could imply fraudulent activity. If you see 100 new entries, all with the email pattern of firstname1234lastname@hotmail.com, there’s an excellent chance that those entries are bogus.

Brace yourself for the truth

The cost of winning a Facebook contest by cheating is much lower than you probably imagine – and unsurprisingly, there are businesses online that exist for the sole purpose of helping people win online contests. Right now, on a casual Google search, I can find services that will sell me 10 PVA (Phone Verified Account) Facebook accounts for $20. I can buy 100 non-PVA Facebook accounts for $20, if I think the contest won’t do that much checking for fraudulent activity. If you do a search for “facebook contest” on sites like freelancers and microworkers (I will not link to them), you’ll find hundreds of people with Facebook accounts just itching to get paid to help your potential contestants game your contest.

If you’re giving away a trip worth $3,000 and because of the number of participants, it would cost me $20 to win your contest, you are *going* to get gamed. My risk-to-reward-ratio is just too good for me not to do it. I spend $20 and I get $3,000 worth of prizes? Hell yeah.

In one investigation I performed, I saw bids of $30 accepted for people to get 200 people (real people or fake-but-look-real accounts) to vote x times. That means each one of those Facebook accounts is worth $0.15 to the person renting them out. Consider creating accounts at these microjob sites before your contest is over and check it for openings related to your contest.

Additionally, since there are people and services out there that have created Facebook profiles for exactly this purpose, you can’t rely on Facebook profile creation date as a reliable measure. Many of the fraudulent accounts I’ve come across have been around for over a year prior to the contest. They’re also smart enough to make sure these profiles have friends that look legitimate, so it won’t be as easy as looking for FB accounts that are new and have no friend connections.

It gets worse. There are also online sites that encourage users to do like/vote exchanges. “Vote for me for blah, and I’ll vote for you.” This method tends to be slower than simply buying accounts, but it’s also free. Search Facebook for terms like “vote exchange” and you’ll find pages and groups for the sole purpose of gaming contests.

It’s up to you to decide whether a vote/contest exchange falls under your definition of cheating. It absolutely does in my book, but it really depends on how your contest works. Either way, you need to set the definitions of what exactly qualifies as cheating before your contest even starts, because you’re going to run into more gray areas than you probably would have thought.

Rule #3: NOTHING GETS DELETED. EVER.

If users can submit content as part of the contest, make sure you architect your application in such a way that nothing ever gets deleted, either by moderator or by the users themselves. Instead use a database flag to toggle visibility in the app. Log the deletion (timestamp, IP, user agent, who took the action, etc) and tuck it away, but never, ever delete the data.

Doing so insulates you from users saying “I didn’t delete it!” You will have proof that they did, including all the particulars such as what browser they were using and when. This also allows you to recover from content that is accidentally deleted by a moderator. If “deleting” content is simply toggling that boolean database field, it’s easy to toggle it back on if it gets toggled off by mistake.

Rule #4: Know what counts as cheating up-front

This sounds like a no-brainer. Cheating is cheating, right? But if someone didn’t actually pay for votes, and did a vote exchange or spammed forums and Facebook groups to get votes from people who don’t actually care about the program, is that cheating?

What if the Facebook account that’s participating is “real”, but the person only ever uses it for entering contests? Is that a legitimate user to you, or a cheater? You should figure that out ahead of time.

It’s going to be your choice as to what level of detail you disclose your policies on cheating. My recommendation is to be a little vague. While this goes against my standard policy of transparency in everything, if you give the bad guys an explicit set of rules on how you define cheating, they will be sure to tailor their cheating to specifically avoid the things you outline. If you tell me (as a bad guy) that my votes will be disqualified if too many votes come in from the same IP address, I will be sure to use different IP addresses for each vote to make sure I avoid your detection.

Rule #4: Audit, audit, audit and audit some more

Auditing by eyeball isn’t really going to cut it, but if it’s all you’ve got, it’s better than nothing. A better idea would be to set up a series of heuristics programmatically that flag user activity as being suspicious and requiring additional review. Things like the number of unique users coming from a specific IP address, the time of day that you see the most activity, the kinds of email addresses you see associated with the participating users, etc.

Look for patterns that don’t make sense. Examine the Facebook pages of the folks you suspect of cheating. Do they have any wall posts? Any photos? Do they have friends? Click on their friends profiles – do their profiles also have no wall posts and no photos? Look for generic “hot babe” profile photos. Look at the pages and topics the user has “liked”. Do they seem a little too demographically on-point, as if they were created to appeal to a specific contest demographic? Is there a pattern in the things they’re liking? (All contest pages, etc.) This part can’t be automated.

Give yourself the time between the end of the contest and the announcement of the winner to be thorough and audit all of your top contenders. Hold off notifying anyone that they won until you’ve had a chance to comb through this data and you feel confident that it’s legitimate.

You have a cheater. Now what?

When you find someone cheating, how are you going to handle it? Revoke their points/votes/etc? Disqualify them? Whatever your decision, know what you’re going to say to them in advance, because if the stakes are high enough, there’s a good chance they will be loud and public about how you wronged them. Once again I advise not showing too much of your hand.

If you decide to confront them and allow them to offer explanations, hold specifics back. If you user claims, for example, that they got most of their votes from their friends at a high school using their own computer (which would explain the same IP address), but the timestamps on the votes are at 1AM, 2AM, etc, that should raise some eyebrows. If you tell them too much about what you’re basing your decision on, a decent cheater will come up with excuses to explain them that they would have mentioned earlier if the story was legitimate.

It’s rare to find a smoking gun in these cases. Instead, it’s going to require a some judgement calls and a preponderance of evidence. It’s very like you won’t find *one* thing that makes you *sure* someone is cheating. Instead you’ll find a half-dozen things that, when combined, form an equation that just doesn’t add up.

One option, upon finding a cheater, is to disqualify just the votes that seem fraudulent. In the case of a contest where the user submits an entry and other people vote on it to determine a winner, be cautious of disqualifying the entry based on fraudulent activity. Knowing how inexpensive it is to buy Facebook profiles, if I were a particularly bad guy who had also submitted an entry, I might consider spending some money to game my opponent’s entry in a way that was obviously fraudulent to get their entry disqualified.

If I knew you would kick anyone out if you detected any fraudulent behavior on their entry, I might go out of my way to make sure you found some on the other guy’s entry to increase my chances of winning by kicking them out of the running. This technique, similar to joe jobbing in the spam world, isn’t one I’ve seen often, but it’s only a matter of time.

Make a decision and be prepared to stick with it. Feel confident that your decision was the right one, and don’t back down. The bad PR from the folks you disqualify will be better than the bad PR from the rest of the contestants claiming that your contest is rigged or allowed fraud. Your legal department will make sure you have a TOS that basically says that you don’t owe anyone an explanation, and it’s up to your discretion to disqualify anyone for any reason.

Running a (good) contest is an incredibly laborious process. The technical aspects of creating the app are honestly the least complicated, least time-consuming part of the whole thing. Make sure you have the appropriate resources to handle it. If you half-ass it, you will regret it.

Nailed it.

Not quite. Honestly, there is almost no fool-proof way of detecting all fraud activities – partly because some of this fraud is being conducted by actual people, not machines. They’ve invested the time into creating profiles that look real.

You’ll be able to find the ones that do a crap job of it, but a few of the more sophisticated folks will have profiles that have current wall posts about things other than contest spamming. They’ll have photos uploaded, lots of friends, and profiles that weren’t recently created. Fortunately for you, those kinds of profiles tend to be more expensive to buy, since they require more work to upkeep to look legitimate.

Maintaining believability in a friend network that large requires a lot of time, so examining the friend profiles associated with your top contestants is absolutely critical. If you poke around enough, you’re bound to find something that doesn’t fit. Examining their entire footprint on the social graph will give you a much clearer picture than a specific profile.

Also check out:

On Facebook, “like” the Social Media Scam Alerts page to get updates as new Facebook scams and rogue applications are identified. The posts will be short, without a lot of technical jargon to make them easy to share with your less brainy friends and family.

On Twitter, follow @scamdb for tweets about the latest scams, phishing and rogue apps affecting Twitter users.

Social Media Security Tips

In addition to staying informed about bad applications, some better practices and common sense will go a long way here.

We have become completely desensitized to clicking on things in websites, our social networks, on our smartphones and in email – and this is why these types of attacks are so wildly successful, often garnering tends of thousands of “likes” before they are detected and banned by Facebook or Twitter. More often than not on social media websites, the attack is not a technical attack, it’s a social engineering attack, tricking you into clicking on something because what they are offering is something you want and you found the link through a reasonably trusted source (your friends twitter stream or Facebook news feed.)

Be skeptical. If something looks too good to be true, it probably is, even if you trust the person it came from.

Confirm before you click. If you’re not sure, take a moment to email or (gasp!) call your friend and confirm they actually intentionally posted that message. If they didn’t, you’ll be doing them (and all of *their* friends) a favor by bringing it to their attention quickly.

If your friend posted to their Facebook wall that they are stuck in London and need money for passport/plan home/etc – resist the urge to immediately send cash. Be rational, contact them using a different method (email, phone) and confirm that it’s really them. Use common sense. Did your friend even mention they were going to London?

That “stuck in London” scam has made its rounds for several years through email and social networks. I don’t know why it seems to always be London, but that’s almost always the city I’ve seen in these scams.

Use the SSL version of social networking websites when you’re surfing on public or unsecured wifi. As Ashton Kutcher learned this week at TED, non-encrypted sessions + a little Firefox addon called Firesheep = getting pwned in front of your six-and-a-half-million Twitter followers.

Facebook offers a clunky (and currently unreliable) way to switch to HTTPS for your Facebook sessions, but that method resets back to HTTP if you access a non-SSL application. My understanding is that Facebook security is aware of the bug that resets the default preference back to non-SSL, but I don’t think it’s been fixed yet.

An alternative is using something like the Electronic Frontier Foundation’s HTTPS Everywhere addon. The first release of this addon was a little buggy, but the second release seems more stable. (The first version rendered Amazon.Com effectively useless.) You can select which sites you want to use HTTPS Everywhere on, and it will always force the HTTPS (versus the plain HTTP) connection.

Ideally, you should try to avoid public or unsecured wifi connections whenever possible. Make sure your computer and smartphone preferences are to NOT automatically join wifi networks. If you have to be on public wifi, your best bet will be to tunnel your traffic over VPN, but not everyone is going to have that as an option.

In the big, scary internet, there are countless ways your personal information and login credential are at risk. Some of these are technical vulnerabilities in the websites you trust your information to, but the social engineering approach is gaining tremendous momentum. It’s cheap, it’s fast, and it works. Remember that even if you think you have nothing of value, when you are careless with your security, you are also putting your friends and family at risk.

Take a moment to check out the security presentation I posted a few weeks back that covers important information on privacy and password security, and consider joining the new Facebook and Twitter resources.

Also check out:

I will warn you that a few slides are not appropriate for all corporate environments – or any corporate environments, really. But you’re welcome to use the bits that may be helpful to you.

My company is small, so I omitted the scenarios that are really more appropriate for large companies with IT departments they do not know personally. My office is open (everyone can see each other), so someone calling and claiming to be from IT would stand out as someone who is full of shit pretty quickly.

This isn’t meant to be all-encompassing, and the audience is not meant to be a technical one. It seemed to go over well though, and enough people laughed that I think it kept their attention. More importantly perhaps, more than half of them left looking a little alarmed, which was really the whole point. Also note that the slides don’t reflect the entire content of the presentations, since I would be a shitty speaker if I were just reading from slides.

PDF Download | Keynote Download | Zipped Images Download

If the topic of social engineering is of interest to you and you’d like to learn more, I strongly recommend picking up the following books – they are outstanding and worth every penny (and then some):

• The Art of Deception: Controlling the Human Element of Security [paperback] [kindle]
  by Kevin Mitnick
• Social Engineering: The Art of Human Hacking [paperback] [kindle]
  by Christopher Hadnagy

Both of these books are really exceptional, and even if you’re not in the information security field, they’re damned interesting to read. Some of the case studies in this presentation were taken directly from these books, as both have extensive detailed examples that may be more suitable for the type of company you work for.

Be sure to check out Chris’ social engineering podcast as well, and check out the episode where I was a guest.

Also check out:

NOTE: If you want to skip all my chatter and explanation and just get to the code, check out Jeff Atwood’s post on the StackOverflow blog. It’s much less verbose, but probably not ideal for people unfamiliar with OpenID.

What is OpenID?

OpenID is “a decentralized authentication protocol that makes it easy for people to sign up and access web accounts”. That means if you create an account on any website using OpenID (such as Google, Yahoo, Flickr, MySpace, AOL, WordPress.Com, LiveJournal, Get Satisfaction, and more recently Facebook, to name just a few), you can use that account to login to any website using OpenID. It attempts to simplify logging into websites by using one account, and therefore not having to create a new username and password set for every website on which you wish to create an account.

Many studies have shown that the average web user feels overwhelmed by the number of usernames and passwords they have to remember, which means they often end up using very simple paswords that are easy to remember, and often use the same password for multiple websites.

This is, of course, a big no-no. If one of the websites gets compromised and user login data is exposed, malicious parties now potentially have access to all of the websites for which the user has used the same password. So if my BigButtPorn.Com account gets hacked, and I use the same login for my bank, my banking login credentials are now compromised. Unifying a login makes user registrations easier, so people will arguably be more apt to use a strong password for that one OpenID account. (I should mention that I have no idea if BigButtPorn.Com exists, or if it uses OpenID. As such, the example above should not be considered an endorsement for BigButtPorn.Com, or any other kind of butt porn, for that matter.)

Incidentally, in this day and age, there is absolutely no reason for anyone to still be using the same password for ANY two websites. Thanks to applications like 1Password, hard-to-guess passwords are automatically generated and stored for easy access, and every popular web browser allows you to store passwords. Remembering passwords isn’t even something people should be concerned with.

How Does it Work?

If I have a Livejournal account where my journal address is snipeyhead.livejournal.com and I want to use my LiveJournal OpenID to login to a different website, I would enter snipeyhead.livejournal.com in the OpenID url field of the site:

(Alternatively, if the OpenID provider’s icon is listed, as LiveJournal’s is above, I could login without knowing my OpenID url. Most OpenID logins will give you the option of selecting which service you’d like to use, or manually entering your OpenID url.)

If this is the first time I’m using this OpenID account to login to this particular website, I’ll be taken to my OpenID provider’s website (in this example, Livejournal.Com) and I’ll be asked if I want to allow the website to use my OpenID account to authenticate. I will then confirm this, and be taken back to the original website I’m trying to login to.

Pretty simple, right? Unfortunately, this is often not as straightforward as it seems, not because of OpenID itself, but because of the way many websites implement their OpenID system.

Where it Gets Wonky

The way many websites implement OpenID can be utterly maddening, if you have more than one OpenID account – which you probably do.

I was recently on the UXExchange website and was nearly apoplectic with rage as I tried OpenID after OpenID account. I know I have an account there. I have had an account there since the day they launched. But I have NO idea which OpenID I created my account with.

After the 5th try, I gave up and realized I’d have to create a new account. This pissed me off for a few reasons, not the least of which being that in this particular community, prior community engagement (the number of questions you’ve posted and answered, etc) establish your rank. By creating a new account, I’m effectively seen by the community as a newbie, and I’m enough of a nerd that stuff like that matters to me.

Ironically, UXEchange is a usability and information architecture community. I know that I can email them to consolidate my accounts, and I probably will, but this experience really helped underline how easy it is to screw up the user interface for OpenID.

In short, the problem becomes remembering which out of the collection of OpenIDs you have is the one you’ve used to initially create an account with a particular website.

Making it a Little Easier

To use OpenID without losing your mind, you have a few options. The easier would be to decide that you will only ever use one specific OpenID to login to third-party websites, and leave it at that. The problem I have with that is that mainstream adoption of OpenID has happened over a very long period of time, so I may have started off with only LiveJournal as an OpenID account, but then gradually Google, Blogger, Myspace, etc added OpenID support, so I decided that I’d rather use one of the newer ones instead of my LiveJournal account. This is how things got fragmented and confusing for me, and I would assume other people as well.

Fortunately, there is a little known feature of OpenID called delegation that can help save your sanity. If you have your own website with it’s own domain name, you can delegate your own domain name to act as your OpenID.

I decided to start from scratch. I don’t know if I’ll always have my LiveJournal account, I don’t know how much I trust Google anymore, I hate MySpace, I don’t use Blogger, and so on. I created an account at myopenid.com, a very simple OpenID provider that is easy to remember and offers persona managament.

A 20-second registration later, I was set up with snipe.myopenid.com as my new OpenID identifier.

To enable my domain, snipe.net, to act as a delegate for MyOpenID.Com, I added the following to the header of Snipe.Net:

[sourcecode='html'] 2. 3. 4. [/sourcecode]

Now, instead of trying to remember which OpenID provider I used, I use ‘snipe.net’ as my OpenID manual url, and it automatically knows to use my account at MyOpenID to authenticate. Since I’m the only one that has control over Snipe.Net, I’m the only one that can delegate Snipe.Net as snipe.myopenid.com.

So that’s all there is to it. I have heard that delegating using Google and Yahoo is tricky, if not impossible, but I haven’t looked into it. I personally prefer to avoid letting either of those companies have too much of a reach over what I’m commenting on and where.

Also check out:

UPDATE: Sadly, in April 2010, Facebook shut down FB Lite so this article is now moot. It was a good run while it lasted.

Your Facebook friends are total tools with entirely too much free time on their hands. So are mine. If you want to continue to use Facebook but bypass all of the crap that fills your Facebook homepage newsfeed, you’re in luck.

Facebook Lite?

A few months ago, Facebook introduced Facebook Lite – a pared down version of Facebook for people who were frustrated with the ever-sluggish load time of the normal Facebook homepage. This lite version loads fewer javascript libraries and is blazing fast compared to to dismal experience that regular Facebook.

The speed increase is great – but there is an awesome added bonus that isn’t widely publicized:

Using Facebook Lite, you will never see another application notification again.

That’s right. Facebook Lite does not display application notifications. At all. Which is awesome-covered awesome with awesome filling.

To see it in action, just point your browser to http://lite.facebook.com.

But wait – there’s more.

Kiss Those Application Notifications Goodbye For Good

Even more awesome, there is a way to set Facebook Lite as your default view, so that every time you go to your Facebook homepage newsfeed, it loads the Lite version instead of the Clusterfuck version. Here’s how to do it:

1. Go to http://lite.facebook.com/settings/defaultsite/.
2. Select Facebook Lite from the radio boxes.
3. Click “Save”.
4. Rejoice.

Set Facebook Lite as your default in your settings

That’s all there is to it. Honest. You’re free. You’re welcome.

Granted, this trick won’t stop your friends from posting a thousand pictures of their cat (yeah, guilty) or drunkenly updating their status in horrifyingly graphic detail that makes you want to claw your eyes out – but I don’t think there’s an app for that yet.

Also check out:

What is Mod_Rewrite?

Simply put, mod_rewrite is an Apache module that let’s you rewrite urls based on rules you define. That’s it. Seriously.

Regardless of how confusing some of the rules you may have come across appear to be, all they are doing is taking one url and rewriting as a different url. This rewriting happens at the server level, before the user’s browser sees anything, so the end result is seamless to them.

When you hear about “search engine friendly” urls, you’re most often seeing mod_rewrite in action. Mod_rewrite is the Apache module that let’s you turn a url like:

http://www.example.com/shop.php?category=Books&Title=Foo

into:

http://www.example.com/shop/books/foo.html

Some other common uses for mod_rewrite:

• Directing all traffic from multiple domain names to one domain
• Directing all traffic from www and non-www to one location
• Blocking traffic from specific websites
• Blocking spammy searchbots and offline browsers from spidering your site and eating your bandwidth
• Mask file extensions
• Preventing image hotlinking (other web pages linking to images on your server)

Apache’s mod_rewrite can be intimidating if you start where you’re supposed to start – the Apache documentation, however there are some very useful, common – and simple rewrite rules that you may wish to consider implementing into your site development plan, if you’re not doing so already.

Note: If you’re using Microsoft IIS, you have a few options, but I don’t use IIS, so I’m afraid I won’t be of much help to you beyond telling you where to look. ISAPI ReWrite seems to be very popular, and there is a free “lite” version available.

Getting Started

Your mod_rewrite rules typically live in an .htaccess file in your web root. You can only have one .htaccess per directory, but you can have individual .htaccess files in sub-directories under the web root. I generally do not recommend doing this. If mod_rewrite rules from one .htaccess conflict with the rules from the .htaccess in a sub-directory, it can be a real pain in the ass to troubleshoot. Try to avoid it.

When you’re adding mod_rewrite rules to your .htaccess file, you’ll want to start by using a conditional that checks to see if mod_rewrite is installed on your server. This can prevent getting a 500 Internal Server Error if you don’t.

[source='c#']
# Start your (rewrite) engines…
RewriteEngine On

# rules and conditions go here…
[/source]

Directing Multiple Domain Names to a Single Domain Url

If you have multiple domain names pointing to the same site, mod_rewrite can also help you direct all traffic to a single domain url, to improve your search engine rankings. Search engines don’t take too kindly to the same content living at multiple urls – they usually think its an attempt to spam the search engine – and you can actually be penalized for it. To redirect all traffic to one specific domain name,

[source='css']RewriteCond %{HTTP_HOST} !^www\.snipe\.net$ [NC]
RewriteRule ^(.*)$ http://www.snipe.net/$1 [R=301][/source]

This basically says “if the domain requested (the HTTP_HOST) does not match www.snipe.net then rewrite the url as www.snipe.net“. (Note the escaping slashes after the www and before the .net in the condition.)  The R=301 specifies that the redirect should be a 301 redirect, meaning that the address has moved permanently and search engines should use the new url instead of the old one.

To www or not to www

Even if you have only one domain name, if you’re not redirecting traffic from the “www” version to the “non-www” version (or vice versa), you may encounter this problem. Whether or not you choose to use the www in your url is largely a branding decision more than anything else (i.e. it doesn’t really matter in most cases) – but you should pick one and stick with it.

Require (force) the www

[source='css']RewriteCond %{HTTP_HOST} !^www\.snipe\.net$ [NC]
RewriteRule ^(.*)$ http://www.snipe.net/$1 [R=301,L][/source]

Remove the www

[source='css']RewriteCond %{HTTP_HOST} !^snipe\.net$ [NC]
RewriteRule ^(.*)$ http://snipe.net/$1 [R=301,L][/source]

Deny traffic by referrer

There may be a few reasons why you want to block traffic by referrer. Maybe you’re getting a lot of bandwidth-sucking hits from a spammy website – or maybe someone is linking to you that you feel does not represent you very well, and you want to pull the plug on traffic from coming their site.

[source='css']RewriteCond %{HTTP_REFERER} onebadsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherbadsite\.com [NC]
RewriteRule .* – [F,L][/source]

In this snippet, the rule is saying “If the referring url is onebadsite.com OR anotherbadsite.com, redirect the user to an HTTP Forbidden error.” The NC specifies that the condition is not case-sensitive, and the OR flag is… well… an “or”. OR is used with multiple RewriteCond directives to combine them with OR instead of the implicit AND.

Keep in mind – this method of blocking traffic is hardly foolproof, at least in the latter of the two scenarios above. If the webmaster of onebadsite.com is linking to you in a way or context you do not want (and you’ve asked them to remove the link), the above method will cause a user on onebadsite.com’s website who has clicked on the link to you from onebadsite.com to hit a Forbidden error. If that user has half a brain, they may very well just google your site name or try to access it later from a bookmark – but it’s a simple measure you can take to keep the idjits out.

Blocking Bad Bots and Spiders

While there is some potential debate as to what is a “bad” bot or spider, the consensus seems to that a bot is bad if they do more harm than good, such as e-mail harvesters, site rippers that download entire websites for offline browsing, etc. Even if bandwidth isn’t so much an issue, I like to block these just on principle.

Please note – this list is not mine – it was directly nicked from a list on JavascriptKit.

[source='css']RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* – [F,L][/source]

Once again, this method isn’t foolproof. The HTTP_USER_AGENT is quite easily spoofed, and some site ripping applications even allow you to specify what user agent you want to appear as. But if your site is large, implementing this list may make a significant impact on your monthly bandwidth bill.

Mask File Extensions

If for some reason you want to hide the fact that you’re using PHP (or Perl, or whatever), all it takes is a simple line in your .htaccess to have your .php files look like .html files:

[source='css']RewriteRule ^(.*)\.html$ $1.php [R=301,L] [/source]

You could even completely obfuscate it if you wanted to, for example serving files that end in .snipe that are really .php files:

[source='css']RewriteRule ^(.*)\.snipe$ $1.php [R=301,L] [/source]

In these examples, redirects all files that end in .html (or .snipe) to be served from filename.php so it looks like all your pages are .html (or .snipe) but really they are .php. Notice again that we’re using a 301 redirect.

Prevent Image/File Hotlinking

This snippets prevents people from hotlinking to your files – that is, linking directly to files hosted on your server from their website, thus sucking your bandwidth. It should be noted that in my experience, this rewrite rule seems somewhat spotty, and doesn’t always work, so be sure to test thoroughly.

[source='css']RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?snipe.net/.*$ [NC]
RewriteRule \.(gif|jpg|swf|flv|png)$ /images/dont_steal_bandwidth_jackass.png [R=302,L] [/source]

This rule basically says “If the request’s referrer is not blank (meaning the file was accessed directly in a browser) AND is not snipe.net (case insensitive), rewrite any files that end in .gif, .jpg, .swf, .flv or .png to display the file /images/dont_steal_bandwidth_jackass.png.

I have a friend who was trolling through their server logs (as he tended to do) and he realized that someone was using an image from his server, a Debian logo, if I recall correctly – as their MySpace background image. My friend spicyjack, being of the snarky persuasion, set up a leech=prevention mod_rewrite that directed all requests for that image that were not coming FROM his server to an image that was… shall we say…. not something you’d want as the background image of your MySpace page. (Google “hotcurry.jpg” if you’re really curious. It’s NSFW. Or anything, or that matter.)

Search Engine Friendly URLS – Make Dynamic Pages appear Static

To turn site.com/index.php?category=foo&subcat=bar into site.com/category-foo/bar.html, just use:

[source='css']RewriteRule ^category-([0-9]+)/([0-9A-Za-z]+).html index.php?category=$1&subcat=$2 [/source]

The category number and the subcategory name are variables, these are now represented by $1 and $2. The round brackets and the stuff inside them will be replaced by the variables. The things inside the round brackets are the regex rules for what the variable can contain. Example [0-9] means that it can contain any number from 0 to 9 and the + sign means that the number can be repeated 1 or more times.

The [L]ast Word

The [L] flag tells mod-rewrite that no more rules should be processed after that. Also remember that the order these rules are in DOES matter, so you’ll want to consider their intended behavior carefully when you’re planning your .htaccess. If at all possible, have your Apache error logs accessible while experimenting. when mod_rewrite goes wrong, it very often gives you a generic (and infuriating) “500 Internal Server Error” instead of anything actually useful to you – the Apache error logs may help shed some light on things.

Also be sure to test thoroughly whenever using mod_rewrite, since you can seriously break stuff if you’re not careful.

More Resources

Can’t get enough mod_rewrite? Check out these links for additional information and tips.

• Mod_Rewrite flags
• Mod_rewrite Tips & Tricks
• Mod_Rewrite Cheat Sheet

And if you’ve got a handy mod_rewrite rule you can’t live without, let us know in the comments.

Also check out:

Some Amazing Examples of Tilt-Shift Photography

While tilt-shift photography has been gaining momentum, photographers Olivo Barbieri and  Vincent LaForet were some of the first to bring this technique mainstream, with LaForet’s work featured in the New York Times and all over the country. I’ve included a few of his pieces here, but if you like this style, be sure to check out the New York Times photo slideshow (with fascinating audio) of his work, a great collection of 50 Beautiful Examples of Tilt-Shift Photography by Smashing Magazine, and a substantial collection on Funtasticus (although I suspect a few of these may be faked – but more on that later.)

Photo by Vincent LaForet

Photo by Vincent LaForet

Photo by Vincent LaForet

So How Does it Work?

According to Wikipedia:

Tilt-shift photography refers to the use of camera movements on small- and medium format cameras. In many cases, it refers to tilting the lens relative to the image plane and using a large aperture to achieve a very shallow depth of field. The technique relies on the Scheimpflug principle [a geometric rule that describes the orientation of the plane of focus of an optical system (such as a camera) when the lens plane is not parallel to the image plane] and usually requires the use of special lenses.

“Tilt-shift” actually encompasses two different types of movements: rotation of the lens, called tilt, and movement of the lens parallel to the image plane, called shift. Tilt is used to control the orientation of the plane of focus (PoF), and hence the part of an image that appears sharp. Shift is used to control perspective, usually involving the convergence of parallel lines.

Applying tilt on a small- or medium-format camera usually requires a tilt-shift lens or perspective control lens; shift can be applied with the same type of lens or with a lens that offers only the shift movement.

An article on Cheapshooter describes it like this:

A tilt-shift lens allows the photographer very exacting control over the depth-of-field in an image, much more than any regular lens could provide. Focus can be restricted to a single, narrow band, with everything else rapidly blurring away. This distorts the appearance and makes the eye think that distances are a lot smaller than they typically are. When applied to a large scene like a city or a museum, everything appears miniature.

Tilt-shift and perspective-correction lenses are available for many SLR cameras, but most are far more expensive than comparable lenses without movements. The Lensbaby SLR lens is a low-cost alternative for providing tilt and swing for many SLR cameras, although the effect is somewhat different from that of the lenses just described. Because of the simple optical design, aberrations are significant, and sharp focus is limited to a region near the lens axis. Consequently, the Lensbaby’s primary application is selective focus. If that’s what you’re looking for, however, the Lensbaby may be a great (and affordable) choice.

Tilt-Shift for the Rest of Us: Miniature Faking

Unlike my amazingly talented husband, who is a professional photographer (among other things), I am less-than-awesome behind a camera. I’ve managed to pull off a few decent shots in my life, but only thanks to digital cameras, and taking thousands of shots, hoping one might come out the way I want. Seriously, if I were kidnapped by that bad guy from the Saw franchise, and all I had to do to get out was take a decent photo using a camera that doesn’t auto-focus, I’d be dead.

My skills are more in the post-production area, using Photoshop to create the effect I am not capable of achieving through my camera alone. I can fake it, even though I can’t make it.

And just like everything else genuine and cool in this world, you have to figure that eventually someone would figure out how to fake it.

In principle, it’s not hard to make a fake: essentially, pick an area in a photo that you want to sharpen, then blur the rest. (Unnatural color saturation, one helpful fake-tilt-shift tutorial offers, “makes it look more as if it’s built from polystyrene and lichen.”) In practice, it’s a little harder and takes some time, but the end results are really fun.

Two excellent tutorials on using Photoshop to turn a regular photo into a faked tilt-shift photo can be found on TiltShiftPhotography.Net and Receding Hairline, although like any other tutorial for photo editing, it’s not an exact formula since every photo is different. Once you get a feel for the process, you’ll want to play around with the settings until you get the end result you’re looking for.

If you don’t have any aerial photos laying around to practice on, consider using Google Earth.  To get an idea of exactly how amazing this effect can be using Google Earth images, check out this video on the Google Earth Blog, that does a video flyover of San Francisco using faked tilt-shift photos based on images from Google Earth. Simply incredible.

And, For the Truly Lazy…

The website TiltShiftMaker.Com lets you upload your own real-life photos, and use a simple interface to select the area you want to focus on. Click a button, and boom, you’re done. If you’re skeptical that it can be that easy, check out their gallery on Flickr and see for yourself.

Also check out:

I am not sure that my problem is actually solved, but With some help from someone suffering a similar problem, my issue was finally solved, but since there are so many things that work for some people and not others, I thought it would be helpful if I compiled a list of options that have been shown to work for some people, so you don’t have to dig quite as far as I had to. Right now, finding these solutions involves reading literally hundreds of forum and blog posts, so hopefully having them organized in one place will be helpful to someone.

First I’ll give you a little more detail on what I’m running and what I’ve learned:

I have a 17″ Intel-based dual core 2.5 Ghz  Macbook Pro, only about two months old, running Leopard 10.5.6. My router is an Airport Extreme Broadcom BCM43xx 1.0 (5.10.38.24), however I was running into this problem with my old Linksys G router as well. In fact, I ended up shelling out $180 for the new Airport Extreme specifically in an effort to fix this wifi issue. I had realized this wasn’t necessarily a router issue, but figured the extra antenna in the Airport Extreme N router might help. It didn’t.

The Problem:

From the moment I took the Macbook Pro out of the box, I have had terrible issues with dropped wifi connections in my house. My wifi signal shows full strength, and then suddenly dips down but still appears active, although the connectivity itself drops to zero. This can happen several times a day to literally every 10 seconds. (Just upgrading my WordPress software last night took an hour because I couldn’t hold onto a connection long enough for the files to upload, and had to keep restarting.)

When the connection drops, I can sometimes get it back before it completely fails by clicking on the Airport icon and letting it scan. Once the status goes from “scanning” to “on”, the signal comes back. When I do that, the connection recovers fully, but the dropoff can happen again in 5 seconds, so it is clearly not an ideal solution.

A post on InstallingCats summed it up nicely:

After doing some research, I had a theory that AirPort was searching through old wireless connections within /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist constantly looking for a better signal. And whenever the current wireless connection suffered from minor transient interference (say cordless telephones), it would immediately try to connect to another base station or try to switch to a different channel. Have a look at your version of the airport preferences file by navigating to it in Finder, starting with Macintosh HD, then Library, Preferences, and finally within the SystemConfiguration folder. You can simply hit enter with the file highlighted to use Quick Look. You can also use Terminal to quickly print the file to the screen with the following command: cat /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

Once the AirPort control software in 10.5.2 set about trying to find a better wireless connection, it would never successfully get back your original wireless connection which was really fine. Hence, from time to time, you would see a slight drop in wireless signal strength, then after clicking on the AirPort wireless icon, it would scan for networks for a few seconds, then return to full strength, yet you would have already lost Internet access.

Unfortunately, the fixes offered didn’t work for me, but at least it seems I’m on the right track in my theories. Not that that does me a lot of good…

What I have Learned So Far:

This is NOT an uncommon problem. There are literally thousands of posts, both on Mac discussion sites and on the official Apple discussion boards. Apple is aware of the problem, and they evidently made an effort to address it in the recent OSX upgrades. The upgrade to 10.5.6 has solved the problem for some people – it did not solve the problem for me.

For this specific issue, the router itself is not the issue – Leopard is the problem. If your router is working for everyone in the house except your Macs, it may not be worth it to go out and buy a new router. I dumped my old Linksys G-router for the Apple Airport Extreme N-router and although the signal is much stronger now, there have been no changes in the dropout issues. My router was old, so I don’t regret the upgrade, but if you’re having the problem discussed here, it probably won’t help much.

There is some discussion about how the aluminum body of the Macbook Pros interferes with wifi signal reception. (Older PPC macs often had the antenna in their display frame, but newer Macs have the antenna in the hinge.) While I have experienced a weaker signal with Macbook Pro than I did with my Dell, I do not believe this problem is related, as I have seen people with every imaginable kind of Mac laptop having these wifi issue, regardless of whether the laptop is plastic or aluminum.

Since forcing Airport to scan by clicking on the Airport icon works 99% of the time, this leads me to believe that Airport is either 1) erroneously losing the signal or 2) getting confused and trying to connect to another network, despite already being connected to a preferred network.

Many people report this problem starting with them upgrading to Leopard. Apple has apparently been trying to fix it since 10.5.2, but many users are still having the problem, which they never had before upgrading to Leopard.

Possible Fixes

In my many hours or research, here are some things you can try that have shown some level of success for people encountering this problem. They did not work for me (or at least not entirely, some seemed to improve things temporarily or marginally) but many users reported success with this, so if if saves you some headache, rock on.

Like any other troubleshooting process, you will want to try these one at a time. If you make a bunch of changes at once and something worked, you won’t know which change actually fixed it – and conversely, if you do one thing that fixes it and two other things that break something else, you won’t know you actually found the fix.

If you’re running Leopard, upgrade to 10.5.6. The latest OSX upgrade specifically mentions fixes to some Airport issues, and many users have reported better performance after the update.

If you’re using an Airport Extreme router, make sure your router’s firmware is up to date. You can find the setting to check for updates automatically in: Utilities > Airport Utility > Airport Extreme > Base Station > Options.

Download and install AP Grapher, a freeware program for Mac OS X which searches for and displays nearby wireless (AirPort/WiFi) access points along with information about their percent availability, maximum signal strength, and last contact time. At the very worst, the graph visually shows you when your connection is about to crap out – and at the very best, some people have reported this actually helping to prevent the dropoffs, presumably because AP Grapher is constantly pinging the router.

Set up terminal window to ping your router. This is easy to do but is obviously not ideal, as you’ll have to do this every time you connect to your wifi, but it actually seems to have helped for me. If you’re comfortable with setting up Apple Scripts, Jeff over at the forums on Beyond-School.Org shows you a quick way to automate this in his blog comment post.

Check for (and remove) the RealPlayer Downloader login item. I never had RealPlayer installed (yuck), so it wasn’t an issue with me, but a lot of people have reported this as a fix that worked for them.

1. Go to System Preferences
2. In the fourth row, under Systems, click on the Accounts icon
3. In the Accounts screen, click on Login Items
4. Click on RealPlayer Downloader, then remove it from login Items by clicking on the minus sign

Try removing security on your router. I have not tried this myself – its the only one of the options I’ve found that I haven’t tried, as it makes me uncomfortable (which is silly, I know, because wifi networks are SO easily hackable by even the most rudimentary means). Might be worth trying, even if just temporarily to see if it works.

Try manually setting a channel on your router instead of letting it choose automatically. This is a hit or miss process of course, since we can’t see which channel is the best option based on interference, but tweaking the channel seems to have worked for people. A lot of people report 5 being particularly successful, but that seems arbitrary to me. That said, a lot of this stuff seems arbitrary, and if you’re as frustrated as I have been, you’ll probably try it.

Directly in conflict with this advise, according to a post on InstallingCats, “Change wireless channel on your wifi router (e.g. AirPort Extreme base station, NetGear, Linksys) from 6 (the default) to anything from 1-4 or 8 to 11. Please refer to your router’s instruction manual on how to do this. The reason for avoiding channels 5 and 7 is that wifi routers by design will automatically switch to one channel above or below their current channel when wifi signal noise passes a certain value. Thus, if you were having problems on channel 6, your router and AirPort have already tried channels 5 and 7 and you’re still experiencing problems.”

Set Airport to NOT display an icon in the menu bar. You can do this by going to System Preferences > Network, selecting Airport in the left side options and un-checking the “Show Airport status in menu bar” option. I’ve had mixed results with this one. It seems like the dropouts *are* fewer when I do this, but when it does drop, my only way of getting it back before complete disconnection is to force Airport to scan using that icon. So I have the problem less often, but when it happens, I have to go back into System Preferences > Network and recheck the box, then click on the icon to force it to come back. A little time-consuming when you’re in the process of getting your face eaten off by a Fel Reaver while playing World of Warcraft.

Check the “Ask to Join New Networks” option. In System > Network > Airport, there is a checkbox that allows you to toggle whether or not you wish to be asked to join a wireless network that isn’t in your known networks list. Checking this may help some people by telling Airport to not try automatically connecting you to a network that isn’t in your preferred networks list.

Minimize interference from other sources. If possible, use the 5Ghz transmission frequency/band for your wireless router. Most wireless devices (nearly all wireless routers and cordless telephones) in homes use the 2.4Ghz transmission band. Avoiding this band will result in much less radio noise. You would change this configuration option in your router settings, not on your Mac.

Remove the AirPort preferences file. Locate the file named com.apple.airport.preferences.plist, which is stored in the /Macintosh HD/Library/Preferences/SystemConfiguration/ folder and remove it (after copying to the desktop, just to have a backup). Then reboot the computer and set up the WiFi connection again.

What Finally Worked For Me

Neil deMause, a commenter on BeyondSchool.Org was in a similar situation, having tried all of the above solutions (a great many of which worked for other people, but not for us) to no avail. He was kind enough to post what finally ended up working for him, and it looks like that might have worked for me too. It’s been over 24 hours and I haven’t had a single signal drop yet (knock on wood), so I am feel pretty comfortable that this actually solved it.

Neil writes:

Well, I have a solution, but it was neither cheap nor easy. After a trip to the shop found no problems with the Airport card, I broke down and bought an Airport Extreme router, to see if that would help. Test results showed:

* Airport Extreme set to b/g/n compatible: same problem.

* Airport Extreme set to n only, at 2.4 GHz: same problem.

* Airport Extreme set to n only, at 5 GHz: Blazing fast connection speeds, not a single lost packet, even in rooms of my house where wireless reception was previously only a rumor.

So ultimately, all I did was go into my Airport Extreme settings and change it from b/g/n to n-only. That’s it.

Neil’s setup was a little more complicated than mine. For me, just switching to N-only (on channel 11) seems to have done the trick. Although I have several older Windows-based laptops, I rarely use them anymore, so I didn’t have to deal with getting the older (non-N) Windows boxes to work on the N-only network, but just in case that’s the situation you’re in, here’s what Neil did:

Unfortunately, we also have a Windows laptop in the house that doesn’t have an n wireless card. So until we can buy one, right now I have my old b/g router daisy-chained to my new Airport Extreme, serving up a separate subnet just for the sake of the Windows laptop. My friend who helped me set this up characterized this as insane, but hey, it works.

So, the saga seems to be over, for me and Neil at least. Thank. Freaking. God. Many, many thanks to Neil. I totally owe him a beer.

Still Not Working?

If none of these solutions work, I’d suggest checking out this excellent article on MacFixIt that goes through additional router troubleshooting steps. They may not all apply, since this problem isn’t really a router issue, but you may want to try tweaking some of the settings they mention there to see if anything helps.

For those who are a little more tech savvy and comfortable trying something more advanced, there is a rollback fix posted on Atomic Lemur that basically reverts back to an older, pre-breakage set of settings. This is ambitious for a Mac newbie though, and I wouldn’t recommend it unless you’re fairly comfortable at the command line.

If I find a fix that really, truly works – or even some more that don’t work for me but work for others, I’ll post them here.

Big thanks to the people at Beyond-School.Org and several other blogs and forums – their thorough discussions are what made this blog post possible.

Also check out:

The first virus email subject was “RE: You were caught on our secret camera!” and the second was “RE: You have a great hair cut in this movie” . The geocities addresses they pointed to were for user’s reedgates21 and richiemack11. I’ve googled both addresses and gotten no results, so my guess is that they are randomly generating geocities accounts and generating these emails. A co-worker just one too – variation on a theme. Subject is “Don’t cry! Your mom will never see this movie”, also pointing to geocities, user name rkssbcyzk. Another one, “I’m not kidding I just saw your pics all over a site address swimcaw” has come through as a wall post.

The links in the Facebook messages point to websites that contain viruses. Do NOT click on them.

Below are some examples of what they look like. (These are just images, so you can click on them for larger versions to see how the messages come into your inbox.)

Screenshot 1

Screenshot 2

Screenshot 3

If you’re using Firefox, your browser should warn you that you’re about to try to access a page that has been linked to virus/malware when you click on the Facebook messages in question, but if you’re using an older version of IE (shame on you!), you may not get any warning at all.

When You Receive a Virus Email

1. DO NOT CLICK ON THE LINK
2. Send an e-mail (or call) the sender, letting them know they are likely infected with a virus
3. Suggest to the friend that they change their password from another, uninfected computer, and follow the steps further down in this article to remove the virus. (The method they use will depend on which virus they’ve been infected with.)
4. Once the virus is cleared from the sender’s system, suggest they install a free anti-keylogger program and switching to Firefox just to be safe

Ultimately, its like anything else – common sense will go a long way. If the email seems odd (for example, the fact that the subjects sometimes start with “RE:”, as if they were replies to a message you sent, but you never sent a message with that subject), the phrasing seems off or not something your friend would actually say, something is probably awry. If you’re unsure, contact the friend directly and ask if they sent it to you.

This has been happening a lot lately, and the scenario Tech Crunch describes in this article sounds a lot like what’s happening here.

Keep in mind… Facebook applications do NOT have access to your password, so unless you installed an application that “required you” to download an executable application (any kind of .exe, .msi, etc), your Facebook applications should NOT be the cause. (Being an application developer, I can say that I couldn’t steal someone’s password even if I wanted to, using their API. HOWEVER there have been several reports of phony applications and groups that require some sort of download in order to get the full experience (Secret Crush was one of them).

NO application or group should EVER require you to download and install anything. If they do, report them to the social network immediately.

Also keep in mind that these viruses are not limited to Facebook users. I’m more familiar with the Facebook scenario because I avoid MySpace like the plague, but every time I login there are spammy and/or virus-y emails awaiting me. This isn’t as much a flaw in the Facebook platform as a result of social networks still being young and going through some growing pains. MySpace has just as much of a problem with these issues, if not moreso, since they have been historically less concerned about user experience and safety.

Another Variation – Fake YouTube Links

Another variation of the viruses being sent around Facebook is a similar message to users suggesting they are appearing in a YouTube video and providing the supposed link to view it. Instead of actually seeing a video, the virus advises viewers they need to download an updated version of Flash, which if followed may install a virus into the user’s computer. More info on that version, including sample messages and screenshots, is available here.

Why Its Working

If you find yourself infected, don’t be too hard on yourself. People have become so used to receiving emails from Facebook asking them to confirm this or that that it could be argued that people are more prone to click on a link that looks like it came from Facebook without being as diligent as we would be if we weren’t used to preforming this same action 10 times a day for legitimate Facebook actions. For example, most users of Facebook are familiar with the “Joe has added you as a friend on Facebook€¦” stock email.

Some users are conditioned to follow this process whenever they receive an email of this sort. Some people can receive this email several times every day and perform this login procedure so often it becomes automatic. This simple, clean design is very easy for a phisher to mimic. Since users are conditioned to follow this process blindly, they might not notice that the email is spoofed or that the address bar is slightly incorrect. This makes Facebook users ideal targets for the type of generic phishing attacks that are usually directed at financial institutions.

If You Clicked on the Link And Your Computer is Infected

I spent some time trolling Facebook’s forums to see if anyone had any specific direction on how to remove this virus from an infected machine. I found a few possible solutions, although since the people posting didn’t know or didn’t mention the name of the specific virus they were infected with, it may take some trial and error to find the solution that works best for you.

If your virus detection software determines that you’re infected with Bolivar23.exe, you can click here for directions on how to remove it.

In early August, there was a different one going around, called Koobface. Kaspersky’s website writes:

One confirmed method of removing this virus is by downloading MalwareBytes – for some at the time, it seemed to be the only out of the box software that was able to remove it.

Still another that was around this time, Troj/Dloadr-BPL Trojan horse, was reported on by Sophos:

Messages left on Facebook users’ walls are urging members to view a video (which pretends to be hosted on a Google website), but clicking on the link and visiting the webpage takes users to a site which urges them to download an executable to watch the movie.

Sophos detects the executable file as the Troj/Dloadr-BPL Trojan horse, which in turn downloads further malicious code (detected as Troj/Agent-HJX), and displays an innocent image of a court jester sticking his tongue out. [more]

In Conclusion

This isn’t the first wave of social network viruses, nor will it be the last. There isn’t one social network that is more prone to them than others. As we allow social networks to become a bigger part of how we communicate, we must simply remain cautious and avoid the temptation to become complacent. Pay attention to the links you click on that are sent through Facebook, the same way you pay attention to suspicious e-mails that come in through normal e-mail.

Also check out:

Retouching dark photos is possible because the camera captures more information than your eyes can see, so even if something looks very dark, there is more information contained there that can be brought out using a series of filters and adjustments. Bear in mind that the end result will be much nicer if the photo can be resized to a smaller version. The tricks we’ll use here can get rid of some of the graininess, but it does so by reducing noise and effectively blurring the image slightly, so if your end result image is smaller than the original, you’ll end up with a nicer finished product. Depending on how dark the image is that you’re starting with, the end result may not be perfect, but it may work for your needs.

For this tutorial, we’ll use a photo taken at a recent concert. MC Frontalot, MC Lars, YTCracker and Devo Spice played at the Mexicali Blues Cafe in Teaneck, New Jersey on the evening of the United States presidential election between John McCain and Barack Obama. (OUSTANDING show, by the way – go see them if you can, and bask in their awesomeness. Seriously. More photos of the show that are far better than the photo used in this article are available here.) Being political people, the musicians were kind enough to give us election updates every 10 minutes or so. In this shot, I’m looking over MC Frontalot’s shoulder, checking out the results map on CNN. However, it wasn’t a staged shot, and flash would have ruined it, so the shot came out too dark.

Original image

With a few tweaks, we can make this a usable photo. It was so dark to start with, its never going to be portfolio quality, but for pics that you can’t reshoot and would like to try to save, these techniques may help.

Getting There

The first place I start is either with IMAGE > ADJUSTMENTS > CURVES or IMAGE > ADJUSTMENT > LEVELS. In this case I started with levels. The three arrows you see on the bottom of the levels palette signify your shadow, midtones and highlights, left to right in that order. Most of the time, you’re going to want to move your midtones the most, and then finesse the levels with your shadow and highlights. This will bring up the light levels in the entire image, and then you can pull some of the shadows down again so it doesn’t look too washed out.

Adjusting with levels

As you can see, its still a little grainy, but there’s only so much we’ll be able to do to save this one. That said, I liked the shot, so I wanted to do what I could. This is a particularly severe example, so our end result isn’t amazing, but at least you can see what’s going on. When you’re starting with a less extreme example, your results will be much better.

After adjustting LEVELS

This looks pretty grainy, even at this smaller size – but the image I was working with was 2896×1936, so it was *really* grainy in the larger version. Here’s an “actual size” detail shot.

Grainy detail

Far from awesome, but its getting there – you can actually see my face now. We’re not going to be able to get too much more lightness in this one without making it even more grainy, so I’m going to stick with this level of exposure and work on smoothing out some of the noise.

The best way to accomplish this is going to be using the noise reduction filter, which basically blurs the pixels slightly and attempts to smooth out harsh variations in pixel colors.

Using FILTERS > NOISE > REDUCE NOISE, we’re able to blur out some of the grain and reduce the colors in the noise, making it less obvious. You’ll have to play with these settings to get it the way you want it – and you may even need to run the filter again to get the level you want – but bear in mind that the more you preserve sharpness and/or detail, the less effective this is going to be. This is where working with a larger image and resizing down is nice – the blurring becomes less obvious on a resized image.

Noise reduction settings

Because this is an extreme example that started off very dark, I ran the noise reduction filter again with the same settings.

Noise reduction filter applied twice

I then cropped the image, getting rid of some of the extra stuff along the sides, resized it and then hit it once more with the levels to bring out a teensy bit more of the shadow, which helps reduce the grain further.

So we went from a practically unusable photo:

Original image

To an image that won’t exactly end up in my photo portfolio, but at least you can see what’s happening:

Final result

Obviously, you’ll need to play with the settings on each of the filters to get the result you want – and hopefully you won’t be starting with an image that is basically pitch black, so your final product will be a little smoother.

If you’re stuck with an image that is particularly grainy, you can also try to get a little creative by using the texture to your advantage. By making the image black and white or sepia-toned, the grainy look can actually help the image, making it appear more aged. To convert an image to black and white or sepia, go to IMAGE > ADJUSTMENTS > BLACK & WHITE.

Use the Black and White filter to add sepia tones

Some variations:

Black and White

Sepia tint

And don’t forget to play around a little. I found that I liked the end result better when I ran the Black & White filter using the tint setting twice.

Sepia tint applied twice in a row

And that’s all there is to it. Have any tips of your own for saving a photo that’s just too dark? Be sure to share in the comments!

Also check out: