Finally.. I've made it through the nutrition database for TrueWeight and normalized all the data.  There's still some work to do on assigning the foods to categories.  I'm trying to decide between putting them in one-to-one heirarchical categories or using a one-to-many approach.  I'm leaning towards the latter.  Though it will make the back end a little messier, it will make the foods easier for the users to find and after all.. the main goal of this projects is to create something that is easy to use.

Next step will be creating the actual interface parts to select and add foods to the daily menu.

 

If you liked this post, please be sure to subscribe to my RSS Feed.

So I got an email today...

NOTE: The addresses have all been changed.

The email was a delivery failure notice from a Yahoo address I didn't recognize. It was a Paypal phishing scam. You get them all the time.. "We're updating our records, please log in and verify your account"...

===========
Return-Path: <myemail@hotmail.com>
Received: (qmail 89555 invoked from network); 13 Feb 2006 23:22:35 -0000
Received: from unknown (HELO User) (11@buyerbwhere.us@68.17.xxx.xx with login)
by smtp106.biz.mail.re2.yahoo.com with SMTP; 13 Feb 2006 23:22:29 -0000
Reply-To: myemail@hotmail.com
From: support@paypal.com<myemail@hotmail.com>
Subject: You have added new email address to your account
Date: Mon, 13 Feb 2006 17:22:29 -0600
===========

I did an nslookup on the from IP and got adsl-068-017-xxx-xxx.sip.mob.bellsouth.net. Great. I know the message came from a Bellsouth DSL subscriber. I contacted their abuse team and filed a report saying that one of their users most likely has a backdoor virus and is being used as a zombie mail relay for a fraud spammer.

Continue further down the email...

===========
glasshk32@comcast.net> and if you need assistance with your account, please click here to login to your account.
===========

So the person had a bad address in the link but left the email address in the message. Quick check on that led to this. That's the exact email I got, only I have HTML off, so I just saw the code. The screenshot at the bottom is of the page that you see when you click the login link above.

The address the link is to is http://xxxx.us/redirect.html. A whois lookup of the domain gives us John Doe. I gave Mr. Doe a call at the phone number listed and asked him why his website was pointing to a Paypal phishing scam. He wanted to know why he kept getting these calls. He claimed to have never heard of the website - even though it's pretty much his last name. He confirmed that the contact info was his, but denied all knowledge of the site. I advised him to run a virus scan on his computer.

Since Yahoo is the domain contact, I sent an email to their abuse team as well advising them of the situation. Maybe the guy is innocent, but since he's listed as the contact and the site is so close to his name, I doubt it.

.. which brings us to actual redirected page : http://999999999:89/ssl/index.php. 999999999 is an IP address in DWORD format. If you convert it back into its decimal form, it's 24.11.xxx.xxx. Do an nslookup of that and get c-24-11-xxx-xxx.hsd1.mi.comcast.net. File a report about it with Comcast's abuse team.

I looked at the page.. almost all of the links call a javascript function that loads a fake login page. That Javascript removes your address bar and then creates a new one with a paypal address in it.. so that it looks like you're at Paypal. That page asks for your Paypal user/pass and when you put that in, it asks you to confirm your credit card number, complete with box for "PIN verification". I had logged in with a fake name, and I put in fake credit card info here. I know a bunch of test credit card numbers that validate a mod10 check from using them at work to test the apps I write. Once you submit that page, it cleverly redirects you to paypal's site and logs you in.. so you'd never know it happened.

At this point, I had found the machine actually hosting the scam. Comcast is mostly a home service, so I did some more poking around. I noticed that it was running PHP, so I typed in a fake page name to see if it would give me an error. It gave me the default apache error message and listed admin@zzzzzzzzz.net as the contact. Whois on that showed nothing, so I figured it was made up.

I then tried port 80- the default HTTP port - since the URL was calling 89. I got a prompt to log in, so I tried the Guest account, but it was denied. I canceled that and noticed that I got back an IIS error message.. meaning that was a Windows box. Either port 89 is forwarded to another box on the network, or someone is running IIS and Apache and PHP on the same box.

I tried doing a Remote Desktop.. and got a Windows 2003 Server log in screen. I've never been a great hacker, so after trying to crack that with a couple of brute force dictionary attack tools I found (that work on Terminal Services connections), I gave up. That's the only part that kills me (though in retrospect, it's a damn good thing since then I would have had access to the stolen info and would have fucked myself). It would have been awesome to take control of the web server, just to say I did.. I didn't get that thrill, but it did give me another piece of the puzzle.. the computer's name was BREAKxxxx.

The Apache error message I got also had the version, so I looked up some Apache/PHP exploits. I noticed a lot of them had to do with OpenSSL. I tried the IP address as https at port 443 - the default SSL port. I got a certificate acceptance button meaning SSL was installed, but the certificate was made on that machine and not signed by any Certificate Authority. I viewed the details of the certificate and lookie there.. the company was listed as breakxxxxonline.net. I tried http://breakxxxxonline.net:89/ssl/index.php and there was the phishing page.

Jackpot.

The name on the cert was close enough to machine name, and the URL worked. That ties someone there to it, since it's on their network and most likely involves 2 computers since someone had to either route that traffic or installed Apache and PHP on a Windows box.

Since there was nothing at http://breakxxxxonline.net, I went to http://web.archive.org and Google's cache to see what used to be on the page.. Looked like it used to be the website of a legit company.

I did a whois on that and got the contact info, then called Network Solutions (since they were the registrar) and filed an in-depth report, explaining it all. They said they would be getting in touch with me once they resolved it. I really want to find out what happens. I wonder how much follow up any of those companies - Yahoo, Comcast or Network Solutions - will actually do on this. I'm not claiming to be some super sleuth or have extraordinary skills, but it'd be pretty cool to think I broke up a spam phishing ring, even if it only means one less message for my filter to process.
If you liked this post, please be sure to subscribe to my RSS Feed.

The button I created for the new Google Toolbar to post links to del.icio.us was accepted and is now in the Tools section of the Button Gallery!

If you liked this post, please be sure to subscribe to my RSS Feed.

Earlier, I was having problems finding an easy way of loading the data from the Nutritional Database into my hosted SQL Server. The import feature on the server was timing out with large datasets.

Rather than mucking around writing complicated regular expression switches to convert the delimited text file statements, I figured it would probably be easier to look for a tool that would export the Access version as SQL INSERT statements.

I found a couple of tools, but nothing did quite what I was looking for.  I wanted a utility that would load an access database, let me select a table, and then export the data as SQL Inserts and save them to a text file.  So, like any geek, I wrote one myself.

If you are interested, it can be installed from here:

SQL Scripter (requires .Net Framework 2.0)

It is very basic, doesn't have any features other than those listed above and it comes with no warranties... but it has suited my purpose just fine. The data has been exported from the local database and imported to the hosted one.

If you liked this post, please be sure to subscribe to my RSS Feed.

As pointed out on Google's Blog, there is a Beta of the newest Google Toolbar available for Windows.  This version adds some amazing features such as:

• Custom Buttons that are easily scriptable.
• Bookmarks Handler which centrally stores your bookmarks
• RSS Headline Grabber
• Google suggest for the toolbar
• A really slick Translation feature that works by hovering the mouse over a word

I immediately wanted to add this to Del.icio.us and realized it was the perfect application for the new custom buttons, so I created one... but let me jump ahead a bit.  After creating it, I noticed the snazzy install buttons in the Button Gallery and found out how to make those.  I then hacked their installer and made that a button itself.

Add XML definition as ToolbarButton

This button allows you to quickly add any button xml Toolbar Button definition file that you are viewing through the browser to be added to your toolbar.  Install this using the "Install" button just below, I'll show you how it works in the next section.

Using the very simple Toolbar Button API, I wrote the following definition (link: ToolbarButtonFromDefinition.xml):

Clicking the button below will add this button to your toolbar.

Add Custom Button From Definition:

 

Post To Del.icio.us

To create the Del.icio.us Button, I wrote the following xml definition (link: delicious.xml):

When it installs, it prompts you for your username. This is simply used to create the URL. You will need to log into Del.icio.us yourself and this button will not ask for your password.

There are two ways you can use this button. 

• Hit the button on any page and the current page will be passed to Del.icio.us as the URL, leaving the Description blank. 
• Select some text on the screen, then hit the button and the text you selected will be pre-filled in the Description, and the URL will be passed as well.

The ToolbarButtonFromDefinition button above can be used to install this by clicking the source link (delicious.xml) and then clicking the ToolbarButtonFromDefinition button in the Toolbar itself.  Or you can click the button below instead.

Del.icio.us Custom Button:

Future Expansion

Since this is still Beta, I'm sure there will be a couple things tweaked by the time it reaches final release.  I'm excited about using this wherever I can and am very curious to see how others will use it. 

Stay tuned, as I come up with new ideas, I will post them here.  Sign up for the RSS feed via ToolbarButton:

OurCurrentFuture.com Search/Feed Toolbar Button:
If you liked this post, please be sure to subscribe to my RSS Feed.

The past two days have been trying to say the least.  At some point Tuesday night, my host - GoDaddy.com - changed some security settings on my account.  They claimed that my site had been set up with elevated permissions and that they had "fixed the problem".  Unfortunately, those changes broke my blogging application.  After sending many emails back and forth with their technical support team, I was unable to get them to even tell me what they did so I could figure out if I could work around it.  Their official suggestion?  Upgrade to a dedicated server, which would give me full control at only 3 times the price.

Through trial and error, I found the section of code that was causing the problem and in my searching for a solution, I found another site that had already made similar modifications to the blogging engine to allow it to work under medium trust privileges within .NET 2.0.  Working from that codebase, I was able to finally get my site back up.  I've spent the rest of today making the configuration tweaks that I had already set up.

Sidetracked for two days.. but still on course.

 

If you liked this post, please be sure to subscribe to my RSS Feed.

Seeing as I already have the basics of the EWMA calculations built in the backend code, my task tonight was to be the loading of Nutrient Database. It's available in ASCII and Access formats. I have SQL Server 2000 as part of my hosting account, so you'd think that would be a pretty easy data load, right? Wrong..
If you liked this post, please be sure to subscribe to my RSS Feed.

TrueWeight is a web-based application for tracking weight and calorie intake in order to better manage your weight.  The basic idea came from The Hacker's Diet.  In it, John Walker lays out the most basic of dieting ideas.  If you want to lose weight, you need to eat less calories and exercise more in order to start burning more calories than you take in.  Duh.

Where I feel he was ingenious was in his idea to use the exponentially weighted moving average (EWMA) of your daily weight to accurately track the effects of your calorie intake and exercise.  I did this for a month and saw the difference between the high and low weights to be about 7 pounds.  Removing all of the fluctuation by examining the EWMA, I saw that I was never more than .5 pound from where I started, which made sense since I hadn't changed anything about what I ate or my activity level.

If you combine this with a detailed look at your calorie intake, you can get a reasonable estimate of how many calories you burn on an average day.  I've used many online calculators that ask you to specify age, gender, build, height, weight and activity level and it spits out a number.  Since each of us has different characteristics and metabolisms, there's no accurate way given that info to figure out how many calories we use each day. 

TrueWeight not only allows you to figure that out, but you have a list of what you ate, so you can see areas where you can cut back on food.  You can also see what effect workouts have on you.  Perhaps you'll find that if you push yourself to do a half hour of cardio every day burns off more calories than doing a full hour every other day.  TrueWeight is a tool that will help determine things like that for you based not on some generalized quiz, but based on actual data from your body.

I have used similar "calorie counting" sites before, but never stuck with them for long.  Why?  Because the interface was cumbersome.  Who wants to click 30 times to add "1 cup coffee, 1 creamer, 2 packs of sugar"?  TrueWeight will allow you to lookup the data from the USDA Nutrient Database.  It will also allow you to enter personal items, group items together into recipes or combinations, and keep a favorites list of the ones you use all the time.  Using "Web 2.0" technologies such as web services and AJAX, TrueWeight gives the users an intuitive and responsive interface.  No more tedious multi-click drilling down to find the food you are looking for.

Finally, there is the TrueWeight community.  This will give people the ability to form groups with shared space.  Examples could be all members of a family or a weight loss group like Weight Watchers.  Eventually, I see it being a social networking application of people supporting each other along the path of managing their weight.

Stay tuned.. we're just getting started with all of this.. and you'll get a chance to read about it from the ground up.

If you are interested in Beta Testing TrueWeight, please send an email, and you will be notified when the Beta is released.

If you liked this post, please be sure to subscribe to my RSS Feed.

I got this site because I wanted to start a blog.  Part of the reason I wanted to start sharing my thoughts with the world was because I think I have a pretty good idea for a website, and am in the process of building it.  Recording my progress here will help keep me focused on doing it.. or at least remind me where I left off.

I'm sure there will be some non-technical stuff mixed in here as I've also been thinking about putting more of my karate stuff online.  Taking the time to transfer the knowledge that I've picked up into written form with enough detail that someone who does not understand karate would be able to imagine what it looks like easily will help cement the movements in my own mind.  Train your mind and the body will follow.

If you don't like codin' and you don't like fightin', you're probably in the wrong place.

If you liked this post, please be sure to subscribe to my RSS Feed.

The 'Safe Bedside Table' has a removable leg that acts as a club and a top that doubles as a shield for self-defence. This is for people who are willing to take on an intruder, providing an extra sense of security whilst in bed
If you liked this post, please be sure to subscribe to my RSS Feed.