Scott Hanselman

Blocking Image Hotlinking, Leeching and Evil Sploggers with IIS Url Rewrite

June 3, '13 Comments [60] Posted in IIS
Sponsored By

I recently discovered that a blog called (seriously) "Google Chrome Browser" was reblogging my site. (It of course has NO relationship to Google or the lovely folks on the Chrome team.)

This is a splog or "spam blog." It's less of a blog and more of a 'suck your feed in and reblog it.' Basically every post is duplicated or sucked in via RSS from somewhere else.  I get this many times a week and have for years.

However, this particular site started showing up ahead of mine in searches and that's not cool.

You evil bastards.

Worse yet, they have almost 25k followers on Twitter. I've asked them a few times to stop doing this, but this time I got tired of it.

They're even 'hotlinking' my images, which means that all my PNGs are still hosted on my site. When you visit their site, the text is from my RSS but I pay for the image bandwidth. The irony of this is thick. Not to mention my copyright notice is intact on their site. ;)

When an image is linked to from another domain, the browser sends a Referer header (exposed to the server as the HTTP_REFERER variable) populated with the location of the page that linked to the image. That means when my web server gets a request for 'foo.png' from the Google Chrome Browser blog I can see the page that asked for that image.

For example:

Request URL:
Request Method:GET

Because this differentiates the GET request that means I can do something about it. This brings up a few important things to remember in general about the web that I feel a lot of programmers forget about:

That said, I want to detect these requests and serve a different image.

If I was using Apache and had an .htaccess file, I might do this:

# Apache mod_rewrite has no RewriteHeader directive (that is ISAPI_Rewrite syntax), so instead
# chain one RewriteCond per evil spammer with the [OR] flag. The other spammer's domain was
# elided in this copy of the post, so its line is left as a commented template:
#RewriteCond %{HTTP:Referer} ^https?://(?:www\.)?ELIDED-DOMAIN [NC,OR]
RewriteCond %{HTTP:Referer} ^https?://(?:www\.)?google-chrome-browser [NC]

# never rewrite the placeholder image itself, or the rule loops back onto itself
RewriteCond %{REQUEST_URI} !/images/splog\.png$
RewriteRule \.(?:gif|jpg|png)$ /images/splog.png [NC,L]

Since I'm using IIS, I'll do similar rewrites in my web.config. I could do a whitelist where I only allow hotlinking from a few places, or a blacklist where I only block a few folks. Here's a blacklist.

<rule name="Blacklist block" stopProcessing="true">
  <match url="(?:jpg|jpeg|png|gif|bmp)$" />
  <conditions>
    <!-- capture the referring host name as {C:1} -->
    <add input="{HTTP_REFERER}" pattern="^https?://(.+?)/.*$" />
    <!-- look that host up in the rewrite map; unlisted hosts get the map's defaultValue -->
    <add input="{DomainsBlackList:{C:1}}" pattern="^block$" />
    <!-- never redirect the placeholder image itself, or we get a redirect loop -->
    <add input="{REQUEST_FILENAME}" pattern="splog.png" negate="true" />
  </conditions>
  <!-- the redirect target (the splog.png URL) was elided in this copy of the post -->
  <action type="Redirect" url="" appendQueryString="false" redirectType="Temporary" />
</rule>

<!-- lives in <rewriteMaps>, a sibling of <rules>; the blocked domains were elided in this copy -->
<rewriteMap name="DomainsBlackList" defaultValue="allow">
  <add key="" value="block" />
  <add key="" value="block" />
  <add key="" value="block" />
</rewriteMap>

I could have just made a single rule and put this bad domain in it, but it would have only worked for one domain, so instead my buddy Ruslan suggested that I make a rewrite map and refer to it from the rule. This way I can add more domains to block as the evil spreads.

It was important to exclude the splog.png file that I am going to redirect the bad guy to, otherwise I'll get into a redirect loop where I redirect requests for the splog.png back to itself!

The result is effective. If you visit their site, I'll issue an HTTP 307 (Moved Temporarily) and then you'll see my splog.png image everywhere that they've hotlinked my image.

Not cool, splogger, not cool.

If you wanted to change the blacklist to a white list, you'd reverse the values of allow and block in the rewrite map:

<!-- whitelist: everything not listed is blocked, so your own host must be listed here too,
     otherwise images on your own pages (whose Referer is your site) get redirected as well -->
<rewriteMap name="DomainsBlackList" defaultValue="block">
  <add key="" value="allow" />
  <add key="" value="allow" />
  <add key="" value="allow" />
</rewriteMap>
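The decision logic of the blacklist rule above, and of its whitelist variant, as an added example that can be run against constructed requests (this is not code from the post; the host names, paths and map entries are constructed samples):

```javascript
// Added example, not code from the post: the IIS rule's three conditions as a plain function.
const IMAGE_RE = /(?:jpg|jpeg|png|gif|bmp)$/i;      // <match url="(?:jpg|jpeg|png|gif|bmp)$" />
const REFERER_RE = /^https?:\/\/(.+?)\/.*$/;          // {HTTP_REFERER} condition; group 1 is {C:1}
const PLACEHOLDER = "/images/splog.png";              // where blocked hotlinks are redirected

// rewriteMap name="DomainsBlackList" defaultValue="allow" (constructed entries)
const DOMAINS_BLACKLIST = new Map([
  ["google-chrome-browser.example", "block"],
  ["www.google-chrome-browser.example", "block"],
]);

// The whitelist variant: same rule, reversed verdicts. Your own host has to be listed,
// or the images on your own pages (whose Referer is your site) get redirected too.
const DOMAINS_WHITELIST = new Map([
  ["www.hanselman.example", "allow"],
]);

// path: the request URL as IIS matches it (no leading slash); referer: Referer header or undefined.
function decide(path, referer, map = DOMAINS_BLACKLIST, defaultValue = "allow") {
  if (!IMAGE_RE.test(path)) {
    return { action: "serve", url: path };          // <match url> fails: not an image request
  }
  if (path.includes("splog.png")) {
    return { action: "serve", url: path };          // negate="true" guard against the redirect loop
  }
  const m = REFERER_RE.exec(referer || "");
  if (!m) {
    // No Referer at all, or one with no path after the host: the pattern fails, so the
    // rule does not fire. Direct visits and most non-browser clients land here.
    return { action: "serve", url: path };
  }
  const host = m[1].toLowerCase();                  // rewriteMap lookups ignore case by default
  const verdict = map.has(host) ? map.get(host) : defaultValue;
  if (verdict === "block") {
    return { action: "redirect", status: 307, url: PLACEHOLDER };   // redirectType="Temporary"
  }
  return { action: "serve", url: path };
}
```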

Nice, simple and clean. I don't plan on playing "whack-a-mole" with sploggers as it's a losing game, but I will bring down the ban-hammer on particularly obnoxious examples of content theft, especially when they mess with my Google Juice.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Hosting By
Dedicated Windows Server Hosting by SherWeb

Hanselman's Newsletter of Wonderful Things: May 13th, 2013

June 3, '13 Comments [4] Posted in Newsletter

I have a "whenever I get around to doing it" Newsletter of Wonderful Things. Why a newsletter? I dunno. It seems more personal somehow. Fight me.

You can view all the previous newsletters here. You can sign up here Newsletter of Wonderful Things or just wait and get them later on the blog, which hopefully you have subscribed to. Email folks get it first!

Here's the newsletter that I sent out May 13th.

Hi Interfriends,

Thanks again for signing up for this experiment. Here's some interesting things I've come upon this week. If you forwarded this (or if it was forwarded to you) a reminder: You can sign up at and the archive of all previous Newsletters is here.

Remember, you get the newsletter here first. This one will be posted to the blog as an archive in a few weeks.

Scott Hanselman

(BTW, since you *love* email you can subscribe to my blog via email here: DO IT!)

P.P.S. You know you can forward this to your friends, right?


Is the Windows user ready for apt-get?

May 28, '13 Comments [88] Posted in NuGet | Open Source | Tools
Chocolatey installs Git

What it does

Chocolatey lets you install Windows applications quickly from the command line via a central catalog of installation scripts. You could install Git, 7Zip or even Microsoft Office (given a key.) The idea is seamless and quiet installations using a well-known key.

For example, once installed you can do this from any command line:

  • cinst git
  • cinst 7zip
  • cinst ruby
  • cinst vlc

That's basically it.

The catalog has grown so complete, in fact, that I recently wanted to install DosBox so I could play Zork. I took a chance and just ran "cinst dosbox" and it worked. THAT is the promise that Chocolatey makes.

Getting Started with Chocolatey

You can get started by first installing the Chocolatey package manager. Copy paste this line to your command line and run it. (More on the fearfulness of this first step in a moment).

@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString(''))" && SET PATH=%PATH%;%systemdrive%\chocolatey\bin

Presumably you like to know what command line stuff is going to do to your computer before you do it, so parse this line out. It's going to launch PowerShell to do the hard work. Nearly every Windows machine has PowerShell these days, and it's PowerShell that makes Chocolatey work.

Some folks have custom profiles so the -NoProfile switch suppresses custom profiles to prevent conflicts during installation. It launches a chunk of PowerShell script that it downloads from then executes. Note that it's setting execution policy to unrestricted to do this. To be clear, it's executing code downloaded over the web, so there is a non-zero risk there. It then adds Chocolatey to your path (for this one prompt) so you can use it immediately. It'll be added to future instances of prompts automatically.

Look at now. It's a very clean and easy to read script. It downloads the Chocolatey installation zip file (which is actually a NuGet package), unzips it and continues the installation by running the scripts in the tools section of the package.

How it works

Chocolatey is a bootstrapper that uses PowerShell scripts and the NuGet packaging format to install apps for you. NuGet is the package management system that Windows Developers use to bring libraries down at the project level. Chocolatey (get it? Chocolatey Nu-Get?) extends that concept to bring applications down at the system level.

Today if you want to get 7Zip, you usually google for it, find the site, figure out the latest version or right version for your system, download it, run it, next next next finish and maybe add it to your path. Chocolatey does that for you.

Again, NuGet is libraries installed locally for projects, Chocolatey is applications installed globally for your whole system.

Chocolatey uses PowerShell scripts (that you never have to think about) that package developers use to chain installations and build dependency trees. Take the internals of a Git installation script for example:

try {
  # download and silently run the Git installer; the download URL was elided in this copy of the post
  Install-ChocolateyPackage 'git.install' 'exe' '/VERYSILENT' ''

  #------- ADDITIONAL SETUP -------#
  # msysGit is a 32-bit installer, so on 64-bit Windows it lands under Program Files (x86)
  $is64bit = (Get-WmiObject Win32_Processor).AddressWidth -eq 64
  $programFiles = $env:programfiles
  if ($is64bit) {$programFiles = ${env:ProgramFiles(x86)}}
  $gitPath = Join-Path $programFiles 'Git\cmd'

  # put git on the user's PATH so it is available in new prompts
  Install-ChocolateyPath $gitPath 'user'

  @"

Making GIT core.autocrlf false
"@ | Write-Host

  #make GIT core.autocrlf false
  & "$env:comspec" '/c git config --global core.autocrlf false'

  Write-ChocolateySuccess 'git.install'
} catch {
  Write-ChocolateyFailure 'git.install' $($_.Exception.Message)
  throw   # re-raise so the install is reported as failed
}

The most important part for you to take away here is the first line. Note that this Chocolatey script is downloading Git from the mSysGit Site. Chocolatey is not changing installers, making installers or hosting installers. It's automating the boring parts of getting software, but it's still getting that software from the same location as always.

Advanced Stuff

Once you learn the basics - and they're pretty basic - there's more depth to Chocolatey to explore. Beyond cinst and cuninst there are other commands to make installing stuff on Windows easier. Remember, they're all in your PATH so you can call these commands anytime.

Each of these major sources can be called with cinst using the -source parameter, like "cinst IISExpress -source WebPI", or using their own aliases for simplicity as shown below.

  • cwindowsfeatures - If you've ever opened Add/Remove Programs and clicked Install Windows Features in order to set up IIS or Hyper-V, then this command is for you. Some examples:
    • cwindowsfeatures IIS-WebServerRole
    • cwindowsfeatures Microsoft-Hyper-V-All
    • cwindowsfeatures TelnetClient
    • Plus, you can always run clist -source windowsfeatures for the complete list.
  • cwebpi - The Web Platform Installer is a great GUI for downloading any development tools you might need for Web Development on Windows. It's a catalog, an installer, and a chainer. There's also a command-line version of WebPI that Chocolatey integrates with so you can:
    • cwebpi IISExpress
    • cwebpi VWDOrVs11AzurePack_2_0
    • And again, clist -source webpi gets you a list of what you can do.

There's a more complete list at the Chocolatey Commands Reference including how it integrates with Cygwin, Gems and Python.

Security Issues

This is a prickly one. How do you make a system that lets you install anything directly from the Internet quickly, cleanly, and easily without, well, installing something evil directly from the Internet? You'll want the communication with the server to be secure and the packages trusted, but you'll also want to make sure the packages haven't been tampered with since they were uploaded. There's the inevitable threat of a man-in-the-middle attack. You'll want to watch for malicious packages and enable quick takedowns if one sneaks by.

Security concerns aren't unique to Chocolatey, of course. They have been part of package repositories since their inception. The node npm repository had a security breach in March of 2012, and the folks at andyet explored the issues surrounding it, but also pointed out that personal responsibility has to have a role as well.

Linux's apt-get solves much of this with appropriate uses of cryptography and best practices that can (and should) be emulated. Packages in apt repos are signed with SecureApt, and there are warnings if you're using a 3rd party repo or installing an unsigned package.

The Chocolatey team has been very quick to jump on security issues and they are very approachable. They've added SSL where appropriate and are aware of the work to come. If Chocolatey gets big (bandwidth and costs are a question in my mind) perhaps a non-profit organization would step in to help with not only costs, but also security audits and best practices.

Here are some points (edited for length by me) from a post by Chocolatey's lead, Rob, on their mailing list, also in March of 2012:

Security has a big future aspect of chocolatey. At present I am the curator and every day I get an email showing me all of the new packages that went in the day before. I look at all packages from new authors and I typically look at the first version of most new packages from authors I have good contacts with.

I've talked at length with others about having a moderated feed in the aspect of every package, every new version would be approved prior to showing up on the main feed. I am paying attention to how debian does things with multiple feeds and there are thoughts to move in that direction as well.

Security? In the future we are looking at a small group of folks being an approving body for nupkgs. We also talked about showing the hash for the nupkg, and possibly letting folks specify a hash for the installers so chocolatey can verify the things it downloads prior to execution.

Could I make a Chocolatey package called "FormatMyHardDrive?" Sure I could, just like I could ask you to open an admin prompt and format c: /q, but you won't, right? ;)

What's next?

Chocolatey is clearly not meant to be used by your "Gender Non-Specific Non-Technical Parent" and it does have some "competition" in the form of the Ninite GUI installation utility. While still not for the average Joe/Jane and having only a limited catalog, Ninite does fill a gap for the super-user to quickly get the common apps and utilities they want.

Additionally, is Chocolatey really apt-get? It's not installing libraries system-wide, although there's no reason it couldn't. Other open source projects like CoApp would like to be the Windows apt-get, although CoApp is more of a "system-wide libraries, C++ support, and Unix-like utilities" and Chocolatey is more of a "developer and poweruser utilities and their dependencies."

Chocolatey does install dependencies and you can see that happen yourself by trying out "cinst gitextensions" which itself has a dependency on git. Chocolatey will walk the graph and install what it needs before finally installing gitextensions.
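The dependency walk described above, as an added example that is not Chocolatey's own code: a constructed catalog (package name to the packages it depends on; the "gitextensions.full" entry is hypothetical) and a resolver that returns the install order, skips what is already installed, and refuses cycles and unknown packages.

```javascript
// Added example, not Chocolatey's code. CATALOG is a constructed sample, not the real feed.
const CATALOG = {
  "gitextensions": ["git"],
  "git": ["git.install"],
  "git.install": [],
  "kdiff3": [],
  "gitextensions.full": ["gitextensions", "kdiff3"],   // hypothetical meta package
};

// Returns the packages to install, dependencies first, skipping those already installed.
// Throws on a package missing from the catalog or on a dependency cycle.
function installOrder(pkg, catalog, installed = []) {
  const order = [];
  const done = new Set(installed);
  const visiting = [];                      // current DFS path, used to report a cycle
  function visit(name) {
    if (done.has(name)) return;             // already installed or already scheduled
    const at = visiting.indexOf(name);
    if (at !== -1) {
      throw new Error("dependency cycle: " + visiting.slice(at).concat(name).join(" -> "));
    }
    if (!Object.prototype.hasOwnProperty.call(catalog, name)) {
      throw new Error("package not in catalog: " + name);
    }
    visiting.push(name);
    for (const dep of catalog[name]) visit(dep);
    visiting.pop();
    done.add(name);
    order.push(name);                       // post-order: every dependency is already listed
  }
  visit(pkg);
  return order;
}
```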

Where Chocolatey, and ultimately Windows itself, falls down is with odd PATHing and install locations. Because Windows doesn't have formal install locations for things and because Chocolatey puts itself first in the PATH, it's possible to get oneself into odd situations where apps that were installed outside of Chocolatey don't line up with apps installed inside. For example, I installed Git with Chocolatey some months ago, then forgot about that version and installed a newer version of Git on my own. However, I kept hitting an old git bug because the Chocolatey version of Git was "first." I believe issues like this have changed with recent builds of Chocolatey, but the point remains: it's hard on Windows today to know who installed what low-level utility, when, and where it ended up.


Now, by no means do I want to take away from the hard work done by Rob and the team, but (and I've said this to Rob before) I really have trouble getting past the name Chocolatey. Sure, there are two ways to spell "Chocolaty," which makes it hard at least for me to type "Chocolatey" reliably. The -ey is theoretically a valid variant spelling, but you can tell that to the red squiggled underline in Word. But it's less the spelling and more the name itself. It lacks the nerdiness of an "npm," the gravitas of an "apt-get," or the poetic terseness of a "gem."  I realize that we are living in a world with companies called Hulu, Yahoo, Microsoft (seriously, MICRO SOFT, what is that?) and Google, but it's worth pointing out that a good name can really take a project to the next level. I'm not sure Chocolatey is the right name for this project, but that's 100% my opinion.

I encourage you, technical reader, to check out Chocolatey for yourself! It's a powerful tool, an engaged and growing community and an interesting piece of tech in its own right.

Is Chocolatey the apt-get Windows users have been waiting for? Sound off in the comments.

Sponsor: Big thanks to SoftFluent for sponsoring the feed this week! Check out their slick code generation tools: Less Plumbing, More Productivity! Generate rock-solid foundations for your .NET applications from Visual Studio and focus on what matters!


JavaScript is Web Assembly Language and that's OK.

May 24, '13 Comments [47] Posted in Javascript

Some years ago I said that JavaScript is the Assembly Language of the Web. In fact, lots of people said it, because it's true. Later, some folks disagreed, saying that this is an inaccurate analogy. Of course, it is inaccurate because it's an analogy. That said, as analogies go, it's pretty good. Sure, assemblers are architecture and processor specific. Maybe "JavaScript is the Web's Bytecode" is better. At the very least, JavaScript is a totally reasonable compile target.

Given that, Wikipedia (used as a dictionary here) has a decent definition:

An assembly language is a low-level programming language for a computer, or other programmable device, in which there is a very strong correspondence between the language and the architecture's machine code instructions.

It's initially not clear that JavaScript is a good assembly language as it's a high-level programming language that is itself interpreted, then JIT-ted, then turned into machine instructions. Phrased differently, JavaScript floats pretty high in the stack. Certainly every processor has its own assembler and they are very specific, but the browser's JavaScript VM is what runs the "new machine code." There's only one processor architecture. The Web. (again, analogy!)

JavaScript remains a popular transpilation/compilation target. From Google's GWT to Clojure to TypeScript to CoffeeScript, it all stops at JavaScript because JavaScript is the ubiquitous virtual machine that we already have installed on our machines.

Google Native Client (NaCl) is great and will likely have a role to play, but there's only one language that works everywhere without installation or trouble and that's JavaScript.

We don't all have x86 machines. We don't have machines that we could feed assembler or C. Certainly not in a portable way. JavaScript is the great portable equalizer.

There are languages that transform to JavaScript like TypeScript and CoffeeScript and HAXE and so many more, but many of these are arguably transformations, not compilations. They also tend to compile to lots of different kinds of JavaScript.

Enter asm.js. Why not take the sprawling language that is JavaScript and pick just the subset that one would want if one were to compile something to it? Why not take the assembly-esque parts of JavaScript and formalize it? Mozilla is doing this with the clear goal to compile things to JavaScript and make it perform well. Their FAQ says they're seeing slowdowns around a factor of two, which is amazing, in case you're wondering. It's also worth noting that I, as a user, don't care if you compile your C to JavaScript. I just want a great experience on the open web, and that's another reason that targeting JavaScript moves the web forward.

Working in tandem, there's emscripten, an LLVM bitcode to JavaScript compiler. We can take C/C++ and compile it to JavaScript. Don't buy it? They ported Unreal Engine 3 in 4 days with asm.js as the target.
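What "the assembly-esque parts of JavaScript" look like in practice, as an added example (not code from the post, from Mozilla or from emscripten): the same 32-bit FNV-1a hash written once in ordinary JavaScript and once in the asm.js subset, where every value carries a type coercion and memory is a single typed heap. The heap size and the sample input are constructed for the demo.

```javascript
// Plain JavaScript: values are dynamic, the engine has to discover types at run time.
function fnv1aPlain(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) {
    h ^= b;
    h = Math.imul(h, 16777619);
  }
  return h >>> 0;
}

// asm.js: "use asm" marks the module, x|0 annotates 32-bit ints, memory is one typed view
// over the heap, and only stdlib members are reachable, so it can be compiled ahead of time.
function AsmModule(stdlib, foreign, heap) {
  "use asm";
  var U8 = new stdlib.Uint8Array(heap);
  var imul = stdlib.Math.imul;
  function fnv1a(ptr, len) {
    ptr = ptr | 0;                            // parameter type annotations
    len = len | 0;
    var h = 0;
    var i = 0;
    h = -2128831035;                          // 0x811c9dc5 as a signed 32-bit int
    for (i = 0; (i | 0) < (len | 0); i = (i + 1) | 0) {
      h = h ^ (U8[(ptr + i) | 0] | 0);        // load one byte from the heap
      h = imul(h, 16777619) | 0;
    }
    return h | 0;                             // return type annotation
  }
  return { fnv1a: fnv1a };
}

// An asm.js heap is an ArrayBuffer whose size is a power of two (at least 4 KiB); 64 KiB here.
const HEAP = new ArrayBuffer(0x10000);
const asm = AsmModule(globalThis, {}, HEAP);

// Copy the bytes into the heap at offset 0 and hash them through the asm.js module.
function fnv1aAsm(bytes) {
  new Uint8Array(HEAP).set(bytes, 0);
  return asm.fnv1a(0, bytes.length) >>> 0;
}

// Constructed sample input (ASCII only, so charCodeAt gives the byte values).
const SAMPLE = Uint8Array.from("JavaScript is the assembly language of the web", (c) => c.charCodeAt(0));
```

If the module fails asm.js validation, engines silently run it as ordinary JavaScript, so both functions agree either way; the difference is only in how the engine may compile the second one.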

You can argue that JavaScript isn't the x86 or Assembly of the web. You can argue all you want. It's still happening.

As our great philosopher Kosh from Babylon 5 once said: "The avalanche has already started. It is too late for the pebbles to vote."


It's not clear that JavaScript is the end state. In fact, if anything it's clear there is no end state. But along the way we will - actually are - passing through the JavaScript as Assembler part of the trip.

Sponsor: Big thanks to SoftFluent for sponsoring the feed this week! Less Plumbing, More Productivity! Generate rock-solid foundations for your .NET applications from Visual Studio and focus on what matters!


Reviews of Super Weird Mice: The Microsoft Arc Touch and Wedge Mouse

May 24, '13 Comments [38] Posted in Reviews

I'm always on the lookout for the perfect mouse. I don't think it exists, yet, frankly, but we're getting close. I've got two notebook mice I'm bouncing between while using my new ultrabook, the Lenovo X1 Carbon Touch. I'm using the Microsoft Arc Touch Mouse and the Microsoft Wedge Mouse.

I'm classifying both of these mice as "weird" because, well, they are. They aren't classic-looking mice and each one has garnered the occasional double-take from passersby. Each has an unusual design for a reason: portability.

The Wedge Mouse

That's a tiny-ass mouse

The Wedge is tiny. Like, really tiny. The idea appears to have been to remove the back half of the mouse completely (the part that usually gets cupped in your palm) and instead make just the fingertips part. There's a AA battery that goes in the round part (the butt) and underneath there's a single button for on/off/Bluetooth sync and a battery door switch. Oddly, the battery door switch looks like an on/off switch also so I ended up flicking that a few times before I learned.

The Wedge is a Bluetooth mouse, and getting a good Bluetooth mouse was my goal. This Ultrabook only has two USB ports and that's one port too few. I'll often find myself with a hard drive plugged in, then want to add one more item (USB key, presenter remote, smart card) and with most mice I'm stuck because the other USB port already has that mouse's transmitter.

The mouse uses the capacitive touch technology that we're seeing in a lot of mice lately. See that vertical line that separates the two mouse "buttons?" Stroke that and it's the "scroll wheel." It feels odd initially but ends up quite comfortable. Speed of scrolling is also easily changed. There's no middle mouse button, but that hasn't been an issue for me.

Shown actual size. Tiny.

My Right-Clicking Issues

Now here's an odd one. Every once in a while I do what, in my mind is a CRYSTAL clear right-click and it registers as a left-click. I've tested it. Click hard with the right and it got picked up as a left. What the heck? I searched around and found a few people in the forums with the same issue so I assumed it was a driver issue. However, I have the latest drivers. What's going on?

Well, it's actually obvious and a little funny if you give it some thought. Occasionally when I right click I end up right-clicking the FAR TOP EDGE on the right. Looking at the picture below, I'm pushing with my finger ABOVE the right-side blue square. This is outside the touch area but is registered with the mouse's mechanical click. Since there's no right-touch, there's no right-click.

Stated differently, there's a touch area with clear left and right areas delimited. If I mechanically click the mouse - remember, there's just one click...the whole mouse goes down - then the mouse decides if it's a left or right by seeing where your finger is at that moment. If it's on the far top edge then it can't see your right finger, so....left click from the right.

Don't click the top top top edge.

Call it an oddity, call it a design flaw, call it "you're holding it wrong." Regardless, as soon as I figured this out, it stopped happening. I just assumed initially that the touch area wrapped around the front of the mouse. It doesn't. Once my subconscious heard about this from my conscious mind, I can right-click like a champ, but it was quite confusing for a minute there. Be aware.

Bluetooth Disconnecting

I thought that the Bluetooth aspect of this mouse would be pure win, but even after using it for a few hours it stopped responding at least a half dozen times. I would have to lift the mouse up and put it down again. The word on the street and in the forums is that this is a power management issue and that you should go into Device Manager and check the properties of the mouse and change the setting that allows the operating system to, well, turn it off. Of course, this setting is not checked and not available.  The takeaway here as far as I'm concerned is that while the dream of a Bluetooth mouse is a great and valid one, it's just not ready. Whether it's the tech or the stack or the mouse itself, I dunno. I tried an Apple Magic Mouse for a day this week and had the same issue, but worse. The Magic Mouse wouldn't go 10 minutes without just stopping - and this was with new batteries. The Wedge has turned off maybe twice a day, so enough to be annoying but not enough to kill the deal. That said, there's lots of anecdotes from folks who LOVE this mouse and haven't had this issue, so I'm assuming it's my Bluetooth driver stack.

All in all, I haven't decided if I'm going to keep this mouse. It's small, which is great. It's Bluetooth which is super great until it's totally not-great. I will give it a 7 out of 10. It's small. So, um. Ya

The Arc Touch Mouse

I love this mouse. It's darn near perfect. The only mouse I love even more is the original Microsoft Arc Mouse which is equally brilliant in different ways.

Nice stock photo of the Arc Touch Mouse

The gimmick of the Arc Touch Mouse is that it folds flat. This isn't a cute gimmick, it actually works and works well. Given that my Lenovo is so small and flat, it's nice to have this mouse slide into my backpack and lay flat against the laptop. They kind of match, too.

The ArcTouch Mouse folds super flat

It arcs with a reliable and satisfying snap. The back is rubber and the top is glossy plastic.

The ArcTouch Mouse arches nicely

The scroll area has a wonderful haptic feedback (that's geek for "it vibrates when you scroll with it") that is adjustable with drivers. This attempts to simulate the "scroll-wheel nubbins" that regular mice have. It's a great little feature and I appreciate it. It gives you a sense of "it's working" without having to look at the mouse.


The ArcTouch Mouse matches my Lenovo

The ArcTouch Mouse and the Wedge next to my hand

The Arc Touch Mouse is also a very comfortable size even for my giant lobster hands. It is tiny and portable, but it supports and cups the inside of your palm in a stable and reliable way.

The only thing this mouse needs is optional BlueTooth. Instead the Arc Touch Mouse uses a nano-transceiver which I just keep plugged in all the time. When it's not plugged in, it attaches rather sturdily to the base of the mouse with a magnet. It just snaps into place and stays there. Very cool.

While it's not Bluetooth, it's absolutely reliable. I haven't had any communication issues with the transceiver and it never loses connection with the mouse.

For now, the Microsoft Arc Touch Mouse is my travel mouse of choice and I give it a 9.5 out of 10.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.