New square backgrounds for @pomological

I’m happy to say I’ve fixed the most frequent complaint I’ve gotten about @pomological: the images, while great, are overwhelmingly in the portrait orientation, making the preview images on many Twitter clients—and especially Twitter.com—kind of lousy.

No more! Beautiful squares on a color hand-picked to match most of the painting backdrops.

To address this, I had to learn a little about Pillow, the leading Python image library. Now, when the bot downloads a random image from the watercolors, it draws a new neutral-colored box that’s a little longer than the painting’s longest side, and pastes the painting in the center of it.

The hardest part was ensuring the resulting image was in a format that Twitter can understand—especially because this is one of the handful of things that changed in between Python 2 and 3. But I persevered, and read a lot of documentation, and now it’s live.
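Here is one way to do that squaring step with Pillow, as an added example rather than the bot’s own code from its GitHub repo. The backdrop color, the 5 % margin and the 5 MB output cap are assumptions for the example, not values from the post. It returns the encoded image as bytes (not a str), which is the Python 2 to 3 change that bites when handing the result to a Twitter upload call, and it flattens any alpha channel onto the backdrop, because JPEG cannot store transparency and Pillow refuses to write an RGBA image as one.

```python
from io import BytesIO

try:
    from PIL import Image
except ImportError:  # square_geometry() still works; squarify() needs Pillow
    Image = None

# Assumed backdrop color for this example; the bot's hand-picked value is not
# given in the post.
BACKDROP = (238, 230, 212)
MARGIN_PCT = 5  # square side = longest side + 5 %, done in integer arithmetic


def square_geometry(width, height, margin_pct=MARGIN_PCT):
    """Return (side, left, top): the side of the square canvas and the offset
    at which a width x height image sits centred on it."""
    if width <= 0 or height <= 0:
        raise ValueError("image dimensions must be positive")
    longest = max(width, height)
    side = longest + (longest * margin_pct + 99) // 100  # ceil(longest * pct / 100)
    return side, (side - width) // 2, (side - height) // 2


def squarify(image, fmt="JPEG", color=BACKDROP, max_bytes=5_000_000):
    """Paste `image` centred on a square backdrop and return the encoded bytes.

    `max_bytes` is an assumed upload cap (Twitter's documented image limit is
    5 MB); for JPEG the quality is lowered until the output fits.
    """
    if Image is None:
        raise RuntimeError("Pillow is required for squarify(): pip install pillow")
    width, height = image.size
    side, left, top = square_geometry(width, height)
    canvas = Image.new("RGB", (side, side), color)
    if image.mode == "P":  # palette images may carry transparency
        image = image.convert("RGBA")
    if "A" in image.getbands():
        # Use the alpha band as the paste mask so transparent pixels show the
        # backdrop instead of turning black when written as JPEG.
        canvas.paste(image, (left, top), image)
    else:
        canvas.paste(image.convert("RGB"), (left, top))
    for quality in (90, 80, 70, 60, 50):
        buf = BytesIO()
        if fmt == "JPEG":
            canvas.save(buf, format=fmt, quality=quality)
        else:
            canvas.save(buf, format=fmt)
        data = buf.getvalue()
        if fmt != "JPEG" or len(data) <= max_bytes:
            return data
    raise ValueError("image still exceeds max_bytes at the lowest JPEG quality")


def sample_image(width, height):
    """Constructed stand-in for a downloaded watercolour: a half-transparent
    red rectangle, so the alpha-flattening path is exercised."""
    if Image is None:
        raise RuntimeError("Pillow is required: pip install pillow")
    return Image.new("RGBA", (width, height), (200, 30, 30, 128))


def decoded_size(data):
    """Decode encoded image bytes and return (width, height)."""
    return Image.open(BytesIO(data)).size


if __name__ == "__main__":
    png = squarify(sample_image(300, 500), fmt="PNG")
    print(decoded_size(png), len(png), "bytes")  # a 525x525 square
```

For a real run, replace sample_image() with Image.open() on the downloaded file; the bytes returned by squarify() can be written to disk or passed directly to the upload call.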

Amazon backdoor exposed wishlist mailing addresses

There’s an article circulating right now about how Amazon customer service can be exploited to reveal targeted mailing addresses. I discovered and reported a similar vulnerability in December of 2014, which was reported to me as fixed in May of 2015. I haven’t publicly documented that process until now.

The vulnerability I discovered relates to Amazon wishlists. Users can associate wishlists with a private address, so that people can buy and ship them gifts without having the recipient’s private information. That address should be kept confidential throughout the entire process, but I found that third-party shippers—routinely used for Amazon sites outside of the United States—would sometimes include it in confirmation emails.

In particular: I used Amazon.ca to send a book to a friend, and Canada Post delivered her full address to me in an email. In this exchange, Amazon’s confirmation email properly showed my friend’s address as redacted, but Canada Post revealed it in its entirety.

Amazon confirmation

That would be unacceptable in any circumstance. But it’s all the worse because some of the people who use Amazon wishlists are especially vulnerable to targeted harassment. The service is popular, for instance, among camgirls and sex workers accepting gifts. I’ve also seen wishlists from Twitter microcelebrities, who get occasional threats and unwanted creepy overtures, as well as wishlists from women who are trying to get some support after leaving an abusive domestic situation. For many of these people, a revealed address can be devastating.

I contacted Amazon Security via email,1 and got a confirmation number and a response from a human that it had been assigned to somebody. The fix, introduced in May, seems to have simply removed the second confirmation email sent directly from Canada Post.

My email to Amazon Security

Amazon Security fix

Although the five month window to fix this situation seemed too long to me, I didn’t want to go public until it had been addressed. An attacker who knew about this vulnerability could easily exploit it for the cost of the cheapest item on a particular wishlist, and the only fix a user could make was removing their address entirely.

Given that particular combination—easy, cheap exploitation, and no alternative path to security—it seemed irresponsible in this case to disclose the problem publicly. Others may disagree.

This isn’t the first time wishlists have inadvertently leaked address data—it happened at least once before in 2011. Nor do I know for sure that the fix has been applied worldwide, as I only tested in Canada. Unfortunately, for people who could face threats if their address were revealed, Amazon seems like a dangerous service to share it with.

  1. They make a PGP key available, but only distribute it over unauthenticated HTTP, so anyone on the network path could swap it for a key of their own and read reports encrypted to it. All the more reason Amazon should switch to entirely HTTPS.

Supreme Court Data (2015)

Here’s a supercut of all the mentions of the word “data” in last week’s Supreme Court Oral Arguments in Evenwel v. Abbott, a case addressing the question of whether the “one-person, one-vote” principle of the Equal Protection Clause allows states to use total population data instead of voter population data in apportioning legislative districts.

Turns out, “data” came up a lot!

This follows a supercut last year of mentions of the word “cloud” in the ABC v. Aereo argument, “Supreme Court Clouds (2014)”. The process of making this video was largely similar, though I’ve traded in mencoder for ffmpeg for cutting up, modifying, and muxing the video.
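The cutting step, as an added example that is not the script used for either video: given the timestamps at which the target word is spoken, it pads each hit, merges hits that overlap or touch (a word said twice in quick succession must not be cut twice, or the overlap plays back twice), and builds the ffmpeg filter graph that trims and concatenates the pieces. The sample timestamps and file names are constructed for illustration; the function returns the ffmpeg argv rather than running it.

```python
import shlex

# Constructed sample: (start, end) seconds for each mention, as one might get
# from a transcript. These values are made up for the example.
SAMPLE_MENTIONS = [
    (12.4, 14.0),
    (13.5, 15.2),   # overlaps the previous hit: merged into one cut
    (15.2, 16.0),   # touches the previous span: merged as well
    (302.0, 303.3),
]


def merge_spans(spans, pad=0.25):
    """Pad each (start, end) span by `pad` seconds on both sides, drop empty
    or inverted spans, and merge any that overlap or touch."""
    padded = sorted((max(0.0, s - pad), e + pad) for s, e in spans if e > s)
    merged = []
    for start, end in padded:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def filter_graph(spans, stream="0:a"):
    """Build an ffmpeg -filter_complex graph: trim each span from the input
    audio, reset its timestamps to start at zero, and concatenate in order."""
    parts = []
    labels = []
    for i, (start, end) in enumerate(spans):
        parts.append(
            f"[{stream}]atrim=start={start:.3f}:end={end:.3f},"
            f"asetpts=PTS-STARTPTS[a{i}]"
        )
        labels.append(f"[a{i}]")
    parts.append(f"{''.join(labels)}concat=n={len(spans)}:v=0:a=1[out]")
    return ";".join(parts)


def supercut_command(audio_in, audio_out, spans, pad=0.25):
    """Return the ffmpeg argv (as a list, not executed here) for an audio
    supercut of `spans` taken from `audio_in`."""
    merged = merge_spans(spans, pad)
    if not merged:
        raise ValueError("no usable spans to cut")
    return [
        "ffmpeg", "-y", "-i", audio_in,
        "-filter_complex", filter_graph(merged),
        "-map", "[out]", audio_out,
    ]


if __name__ == "__main__":
    # Hypothetical file names; the courtroom audio file is not named in the post.
    argv = supercut_command("evenwel_v_abbott.mp3", "data_supercut.mp3", SAMPLE_MENTIONS)
    print(" ".join(shlex.quote(a) for a in argv))
```

Passing the argv list to subprocess.run() avoids shell quoting problems with the filter string, which contains semicolons and brackets. Muxing the background music and the film underneath is a second ffmpeg invocation with the supercut as one input and is not shown here.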

This time I thought it’d be nice to include some background music, so I turned to the public domain recordings of various Chopin compositions, created by Musopen. For the video, I used a segment of a 1958 educational film about computers made by IBM and sourced from the Prelinger Archive.

Both media sources, as well as the Supreme Court audio, are public domain. (All for different reasons, too: the music because of an intentional waiver of rights; the video because it was not noticed-and-registered and was made in an era that required formalities; and the courtroom audio because of § 105 barring federal employees from copyright on their official work.)

A Twitter list of somebody else’s timeline

Sometimes I wish I could use Twitter as a different account, and read all the conversations and references that result from the unique list of accounts a person has chosen to follow (sometimes over the course of years!). There’s no “use Twitter as @x” mode yet, so the next best thing is to create a list of all the accounts somebody follows. The public view of that list is, roughly, that person’s main timeline. This came in handy recently as I was trying to follow a basketball game, because I don’t yet follow the kinds of people who make insightful comments about basketball games.1

Fortunately, this is a one-liner with the super handy command line program t. If you don’t have t installed, I strongly recommend downloading and configuring it even if you don’t want to do the rest of these steps. It’s just a very useful tool to have in your Twitter toolbelt.

Here’s the t command:

t followings OTHERACCOUNT | xargs t list add LISTNAME

Where OTHERACCOUNT should be replaced with the name of the account you want to use, and the LISTNAME should be the name of an existing list. I just made the list through the web interface, which allows me to set it as private.

Important note! If you don’t set it as private, or if you ever make it public, members of the list will get a notification that they’ve been added. People tend to think that’s very weird.

I also like to add the originating account to the list so you can see replies to and from that person.

Finally, some caveats: obviously, you won’t get access to private accounts that user follows. You will see people that user has muted, unless you’ve already muted them. You won’t see notifications that user sees. And of course, if the user has something like Tweetdeck and uses columns other than the “main timeline,” you won’t know. Still, it’s a pretty good way to check out Twitter from somebody else’s point of view.

  1. You could argue it’s like a DIY version of Twitter Moments, where you trust the curation done by an individual user is better than the algorithm, but I won’t be the one making that argument.

New bot: @pomological

I’ve unleashed a new bot onto the Twitter timeline today: @pomological tweets an image and description from the Pomological Watercolor Collection in the USDA’s National Agricultural Library. (As all of my friends and anybody unfortunate enough to stand near me at parties knows, I’ve worked extensively on bringing these watercolors to the public.) These are beautiful images with serious historical significance, so it’s fun to slip them in between everything else happening on Twitter. You should follow! Here’s the first automated tweet from the account:

For the nerd stuff: the code (such as it is) is available on GitHub. The actual bot doesn’t do much; the trick was getting all the data together in advance so it just has to wake up every three hours and pick from about 7500 statuses to post. One thing that has been super helpful on a lot of these projects is a scrape that Dave Riordan did earlier this year of the Collection’s page on the USDA site.

On the programming side, I continue to be incredibly pleased with the book Automate the Boring Stuff With Python. I feel like I promote it too much, but it really has been so helpful and has gotten me off the ground on a bunch of projects that I was too intimidated to face before. In this project, the manipulation of CSVs and scraping web pages with BeautifulSoup were done with skills straight out of the book.