Archive for the ‘Fun Stuff’ Category
Silly WordPress, you have holes in you!
So I’ve just had the marvelous opportunity of digging into WordPress yet again after, for the second time, I found some funny iframes running around on my website.
The first time this happened, I cleaned up and changed permissions around so that a reinfection wouldn’t make so much work for me. The problem is, although this attack has been observed multiple times, the actual infection vector is either unknown or unpublished — or at least, it wasn’t at the time. I honestly didn’t spend that much time searching for it this time around.
What I did do this time around was dig around a little more and… I found this. If you take the PHP code from there and run it on a webserver (ideally one that only you have access to… like an Apache server running on your personal machine), you’ll see that it’s… scary. Really, really scary. As far as back doors go, this is mostly par for the course, offering pretty much complete access to as much as the Apache user can do, up to and including running a shell so the attacker can run arbitrary code of any kind under the Apache user’s credentials.
Entertainingly, this really decent back door doesn’t seem to have been used much — a real human would’ve dug in further and tried to get root privileges (which, admittedly, might not be that easy; I’m not a security expert), but this (apparent) bot seems to have satisfied itself with throwing in some iframes and calling it a day.
Now for the meat, and the reason for the title: as far as I can tell, the initial infection vector seems to be WordPress. I’m perfectly willing to allow that WordPress doesn’t have any more holes in it than any other sufficiently large PHP application (certainly willing to allow that my own apps have holes in them aplenty), but WordPress’s popularity means that there are plenty of bots hunting around the Internet looking for known exploits and taking advantage of them when they can be found.
For my part, I can’t say I care terribly much. There’s nothing really sensitive hanging around on my web server, and those few bits that are mildly important are well and truly secured away from the apache user specifically so that an exploit like this wouldn’t be able to get its hands on anything I actually care about.
I did want to write about what I found, though, so that hopefully others would be able to find the information about the (much bigger and scarier than apparent) backdoor that nobody seems to have written about. For reference, I found it in the WordPress “classic” theme, in its functions.php, trying to hide under a reasonably long set of blank lines.
Update: A little googling around found a previous report of this same piece of code. It’s got pictures, too!
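A check for the two symptoms described in this post, written as an added example that is not code from the original post: PHP that resumes after a long run of blank lines (how the backdoor hid in functions.php) and iframe markup inside theme files. The 20-line threshold, the function names and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Flags two things the post describes in an infected WordPress tree:
#   blank-run  PHP that resumes after a long run of blank lines
#   iframe     iframe markup inside a .php file
# Output is tab-separated: check, file, line, detail.

# Assumption: 20 or more consecutive blank lines in a PHP file is abnormal.
BLANK_RUN_THRESHOLD=${BLANK_RUN_THRESHOLD:-20}

SCAN_AWK='
FNR == 1 { run = 0 }              # new file: reset the blank-line counter
/^[ \t\r]*$/ { run++; next }      # blank or whitespace-only line
{
    if (run >= min + 0)
        printf "blank-run\t%s\t%d\tafter %d blank lines\n", FILENAME, FNR, run
    run = 0
    if (tolower($0) ~ /<iframe/)
        printf "iframe\t%s\t%d\t-\n", FILENAME, FNR
}'

# Scan every .php file under directory $1. Prints findings and returns 1 if
# anything was flagged, 0 if nothing was.
scan_php_tree() {
    findings=$(find "$1" -type f -name '*.php' \
        -exec awk -v min="$BLANK_RUN_THRESHOLD" "$SCAN_AWK" {} +)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Count findings of one check type ($1) under directory $2.
count_findings() {
    scan_php_tree "$2" |
        awk -F '\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Build a constructed sample tree: one clean theme file and one that mimics
# the layout described in the post (placeholder code after 40 blank lines).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/themes/default" "$root/themes/classic"
    printf '<?php\nfunction theme_setup() {}\n\n\n?>\n' \
        > "$root/themes/default/functions.php"
    {
        printf '<?php\nfunction classic_widgets() {}\n?>\n'
        i=0
        while [ "$i" -lt 40 ]; do echo; i=$((i + 1)); done
        printf '<?php /* constructed placeholder for injected code */ ?>\n'
        printf '<IFRAME src="http://example.invalid/" width="1"></IFRAME>\n'
    } > "$root/themes/classic/functions.php"
    echo "$root"
}

# Scan the directory given as $1, or the constructed sample when run bare.
if [ $# -ge 1 ]; then
    scan_php_tree "$1" || echo "review the files listed above" >&2
else
    sample=$(make_sample_tree)
    scan_php_tree "$sample" || true
    rm -rf "$sample"
fi
```

A hit is a reason to open the file and compare it against a clean copy of the same theme, not proof of infection by itself.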
Internets!
Earlier today, I was reading this Ars Technica article and found it difficult to relate the figure of 250 GB/$250 to what I knew. So I figured it was time to do some statistics of my own!
First of all, a direct comparison isn’t really possible — I’m on a proper unlimited data plan (well, two of them actually), and nobody has ever called me up to ask me about toning down my usage. Similarly, I live in a nice big city of 2.something million residents and that really does translate to good prices solely because it’s cheaper to run Internets to a lot of people in a small area, than to a small number of people in a large area.
But putting all that aside for now and just focusing on the numbers, let’s see how we can quantify my Internet usage:
Cost
We’ll start with the easiest part, determining the cost per month. I have two ISPs: RDS and iLink. The RDS connection costs me 64 RON/month and the iLink one costs 45 RON/month. Converting (and rounding up) to the nearest US Dollar, we get:
RDS: $21 US/mo
iLink: $15 US/mo
Total: $36 US/mo
Usage in the last month
Looking at my pfSense gateway’s statistics, I don’t actually have numbers for the entire previous month, but I’m pretty close. Here are the graphs I saw (click for full-size, if you want):
And here are the interesting numbers in plain text:
RDS: 210.11 GB in + 20.83 GB out = 230.94 GB
iLink: 68.96 GB in + 32.57 GB out = 101.52 GB
Total (rounded up): 230 GB in + 54 GB = 284 GB
Which gives us a ratio of 284 GB / $36 US = almost 8 GB/US$.
When we compare this to just over 1 GB/US$, we come to the conclusion that I would’ve ended up paying 8 times more for the same bandwidth usage, were I unfortunate enough to have Frontier Communications as my ISP.
Now, like I said earlier, it’s not really a fair comparison, in that they’re in a small town and I’m not, but still… a ratio of 1/8th the price?
And some fun
Anyway, while we’re looking at this data, let’s have some fun with it. Using the maximum columns from the two graphs above, we can characterize my two Internet connections (with some crappy approximation):
- RDS: Asymmetrical 20 Mbps/3.5 Mbps, for $21/mo.
- iLink: Symmetrical 10/10 Mbps, for $15/mo.
Is that good? Is that bad? I don’t know. All I know is it’s more bandwidth than I absolutely need (and the averages agree), but since I need both connections for redundancy anyway, why not use them both?
A Spot of Fun
Holy crap, has it been that long, really? Actually, I probably shouldn’t draw attention to it, should I? I vaguely recall reading that people are irritated by this kind of thing. Hell, I dunno.
There haven’t been many updates from me because I haven’t had much time for generating content, nor do I have that many interesting things to talk about, anyway. Work has been… well, busy, obviously, but also unusually tedious. This is new to me, but it certainly gives me an idea of where the phrase “working stiffs” came from. Nonetheless, we press forward, since nobody wants to hear about any of that (nor do I believe anyone appreciates the excuses).
I actually want to bring to your attention some stuff I’m interested in and one thing I’m proud of. Let’s get pride out of the way first, yes? I don’t know and can’t be bothered to check how many people have seen this blog’s About page, but if you go look at it now and you remember what it used to look like, you’ll notice something new… a photo! I’ve actually been meaning to add one for almost a year now, and today I finally decided (on a whim) to get my webcam working again (not for any particular purpose, mind you), and while playing around with it I managed to snap a particularly good photo.
Come to think of it, I suppose the reason I wanted my webcam running is because I wanted to see myself in a mirror without actually getting up to find one (and without leaving my headphones behind). The reason for that was to see how I look with the new glasses. They’re non-corrective “computer” glasses, which are supposed to prevent eye fatigue from prolonged staring into computer monitors. I was skeptical that they would provide any real effect, but having worn them for a few hours now while sitting here, they do seem to help quite a bit. Normally, by this point I’d be having trouble focusing and be forced to squint to keep going — which hasn’t happened yet. I’m not entirely convinced it’s not just a placebo effect yet, though, but every little bit helps. And they look great on me, too, which is a definite bonus.
Now, for some stuff I’m interested in that I’ve picked up recently. Firstly, some webcomics:
That last one is such an awesome concept that it’s worth expanding on a little bit. According to the site, “MSPA stories exist in the format of “mock games”, specifically text-based adventure games.” This was a definite draw for me, in spite of having pretty much never played an actual text adventure — the name “adventure” itself was enough for me. Maybe that says something about my psychological profile, I dunno. One thing of note about the so-far sole completed story (Problem Sleuth) is that it eventually seemed to reach a level of complexity that made it nearly impossible to fully follow — which gives us another draw: pushing one’s limits! I’m having much better luck following the story in the current adventure, Homestuck. It’s not easy to quantify why MSPA is so amazingly fun — you just have to see it for yourself.
Beyond all of that, I’m finding myself enjoying a bunch of not-new-even-to-me things:
I’ve actually been meaning to rave about jQuery for a while now, but the truth is it’s all been said already by more awesome people than I (to whom I can’t link because I don’t really keep watch on their blogs and have no idea who they are anymore. Seriously, if I started following every blog that I ever read anything interesting on, I’d end up just reading updates for 10 hours a day).
So, that’s it for now. Hopefully it won’t be another 6 months until the next update, yes?
Quick ‘n’ Dirty MySQL Backups
By request, here’s the script I worked up to make periodic database dumps into a directory and gzip them up:
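```zsh
#!/bin/zsh
# Credentials and destination; edit these for your server.
mysql_user=root
mysql_pass=your-root-password-here
bk_path='/where/to/put/the/dumps'
# Timestamp such as 20090131-h14, so each hour of the day gets its own archive.
right_now=$(date +"%Y%m%d-h%H")
# Uncompressed dump, overwritten on every run.
bk_fname="${bk_path}/full-db-dump.sql"
# Timestamped, compressed copy that is kept.
bk_gzname="${bk_path}/full-db-dump-${right_now}.sql.gz"
# Note: a password given with -p on the command line can show up in the
# process list for other local users while mysqldump runs.
mysqldump -u"$mysql_user" -p"$mysql_pass" --all-databases > "${bk_fname}"
gzip -c "${bk_fname}" > "${bk_gzname}"
```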
Running this as a cron job every [x] hours should be pretty good for small sites, especially if the archive directory is periodically rsynced to another remote host (as in my case).
For serious stuff, you may consider adding MySQL replication for continuous backup.
Oh, and since not everybody uses zsh, you can probably change the hash-bang to point to /bin/sh safely. I haven’t tried it myself, though.
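A variant of the script above, as an added example that is not the author's code: the password moves from the command line into an option file that must be owner-only, dumps are written with a restrictive umask so the web server user cannot read them, and a failed dump leaves no archive behind. The option-file layout, the `MYSQLDUMP` override and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Usage: backup.sh OPTION_FILE DUMP_DIR
#
# Assumption: OPTION_FILE holds the credentials and is readable only by its
# owner, for example:
#   [client]
#   user=backup
#   password=constructed-placeholder
# MYSQLDUMP is a hypothetical override for exercising the script without a
# database server.
MYSQLDUMP=${MYSQLDUMP:-mysqldump}

# Return 0 only if $1 is a regular file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other triplets
    [ "$perms" = "------" ]
}

# Dump all databases to $2/full-db-dump-<stamp>.sql.gz using option file $1.
# Prints the archive path on success; on failure nothing is left behind.
backup_all_databases() {
    cnf=$1
    dir=$2
    if ! is_private_file "$cnf"; then
        echo "refusing: $cnf is missing or accessible to other users" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d-h%H)
    out="$dir/full-db-dump-$stamp.sql.gz"
    raw="$out.raw.sql"
    part="$out.partial"
    (
        umask 077   # dump and archive are created owner-only
        # --defaults-extra-file must be the first option on the command line.
        # The dump goes to a file first rather than through a pipe, so a
        # mysqldump failure is not masked by gzip exiting successfully.
        "$MYSQLDUMP" --defaults-extra-file="$cnf" --all-databases > "$raw" &&
            gzip -c "$raw" > "$part" &&
            mv "$part" "$out"
        status=$?
        rm -f "$raw" "$part"
        exit "$status"
    ) || {
        echo "backup failed, no archive written" >&2
        return 1
    }
    echo "$out"
}

if [ $# -eq 2 ]; then
    backup_all_databases "$1" "$2"
fi
```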
Здравствуйте?
Here’s an interesting quickie: I’ve been getting a bunch (well, four so far, but far more than usual) of comments in Russian, all coming from the same IP that DomainTools says is in Ukraine — apparently, an ISP or something like that.
Now, the comment text, when run through Google Translate, reads pretty innocuous, but the activity smells spammy; and I can’t read Russian anyway, so I don’t want to approve what I don’t understand, either.
To the commenter(s) in question: I have only a slight idea of what you posted. I would prefer comments in English, or Romanian (if you speak that one). French is also an acceptable alternative. I’ll even try Spanish.
And if it’s spam, please just don’t bother — it’s useless!
Derp!
a.k.a. “Inter-dimensional vortexes? In my database?”
Yah, so I screwed up. Back when I moved the Web server from one computer to another, I thought I might’ve forgotten something important, but couldn’t quite figure out what it was. Then I forgot about that, too, and everything was just fine until yesterday morning…
Being that I was pissed off by the web server’s inability to hold an erection function properly without periodically stopping and starting udev (seriously, I still have no idea why that was happening!), I decided a dist-upgrade to Jaunty might help. I’d already done a couple of them, so I wasn’t totally going into the unknown… And it seemed to work, too! It asked for a reboot, I gave it one. It lost its nvidia driver, but asked for another reboot, so I gave it that one, too… and then things got heavily reminiscent of the Windows days.
You see, after that last reboot, the system would come up, all the way through GDM and showing the nice xfce desktop… and then reboot. Out of the blue. Lather, rinse, repeat.
At this point, I realized I was more or less fuckt… so I dug up a fresh Jaunty iso, burned it to about four CD-RWs before one finally worked, and found I was supposed to plug in a monitor because the install GUI wouldn’t come up on the TV, and… sort of backed up the interesting bits. You know, the old /home, and the old /etc, and also the /opt/www dir.
Did you notice me forgetting anything at this point? If you said “THE DATABASES!!!1oneone!”, you’d be right. Yes, I forgot to back up the databases. The reason I forgot is that I remembered there being 4x daily dumps to a directory inside /opt. Which there are. On the old web server. The one that’s not running anymore.
So, long story short, the databases are back to where they were before I finally disabled apache on the old web server. I’m going to recover the old posts from Google cache (come to think of it, I probably also still have them in the Atom feed) and repost them, but the 4 comments that were posted in the mean time are gone. So sorry.
And after I do that, I’ll turn on that damned automated backup…
Rainbowz Out My Window!
Just took these pictures outside my window an hour or so ago:
UPDATE: I took a bunch of photos from the set and managed to make a panoramic pic:
Silly Google Phrases
Every blogger has done a post like this. You know them, you love them, they are… the silly Google search queries people use to find your blog!
These are in reverse order of arrival, and the URLs are mostly pasted straight out of the referrer log. Without further ado:
- narc ftp port (Google UK) — I’m not sure I really want to know. Do I have an FTP daemon I’m not aware of? If so, it’s probably stuck inside the LAN, since I’m not forwarding anything unexpected.
- what a narc does to set up people — Did you really think it would be that easy? Us narcs have our professional pride, you know?
- acronym for narcs (Google Australia) — Do we really need an acronym here? “Narc” is a pretty short word already. What would be the acronym? “N”?
- zap+ro (Google Thailand) — I’d really prefer if you didn’t, thank you. I happen to live here in .ro, and I like it.
- pl poke data narc (Google UK) — Er… I don’t think I really want to know what that’s supposed to mean. Using Perl to poke data into my brain? No, thank you. Although, if you manage it, that’ll be a neat hack.
- short summary of the notebook — Before I did that search, I hadn’t known The Notebook (2004) was a movie (and a novel, apparently). So here’s a short summary, then: “It’s a movie (and a book).” Happy?
- why is vodafone website so shit? (Google UK) — Good question! Without knowing anything about their internal organization, I’d guess that most of it was their use of a very crappy technology (JavaServer Pages? That’s what the JSP stands for, yes?), which presumably was chosen because the rest weren’t Enterprise-y enough and/or because that’s what the consultants they hired to do the job “knew”.
- mysql “add a fucking user” — This search actually returns a very specific result from my blog, that being my “Going Insane From Work” post, which unfortunately, doesn’t actually answer the (implied) question. So, here it is: to “add a fucking user” to mysql, the command is: GRANT <privileges> ON <database>.<table> TO '<username>'@'<host>' [IDENTIFIED BY '<password>']. Alternatively, to leave the user at default privileges (that is, none), use: CREATE USER '<username>'@'<host>' [IDENTIFIED BY '<password>']. This, and more, can be found in the fucking MySQL manual, which you should’ve picked up like the rest of us do.
- arguments against alcoholics anonymous — Er… why? Oh! Oh! I got one: “I’m not a drunk, I can quit whenever I like!” There’s your argument.
- Finally, i didn’t know my friend was a narc — Well, neither did I. Which poses an interesting question: if neither of us knew, are you really my friend?
That’s it for this edition of “Silly Google Phrases”. One thing I’d like to mention, though — a lot of people have been finding my website by searching google for… narc.ro. I find this very curious, but ultimately, as long as people find what they’re looking for, who am I to judge?
Thank you all, and good night!
Spam, ReCAPTCHA, and Stuff
So if you’re a visitor here who’s ever at least thought of posting a comment, you’ll probably know I recently (about half a year ago?) switched away from Akismet to reCAPTCHA for my spam-blocking needs. ReCAPTCHA is nice, and the fact that they also make it possible for humans to help where OCR fails is a big bonus for them.
However, the fact that it’s one of the most common types of CAPTCHA means that it’s also the one under the heaviest attack, and that means there are spambots that have learned how to crack it.
As evidence of this, I offer the (dozens of) spam comments I just deleted from my queue (as I was typing this, another one just showed up). The major difference between this spam and the stuff that used to pass through Akismet is the length — these new spam comments are very long. This works in my favour, of course, since it makes it easy to figure out what to delete: if it takes a tap of the Page Down key to get to the end of the comment, it’s very likely spam.
However, if we disregard the content of the spam (which is easily changeable), we can see that it’s really quite a bad idea to rely on any kind of CAPTCHA by itself. It seems I have to echo the many others who have said that spam is a machine-generated problem with only human solutions.
Ultimately, every kind of anti-spam solution has drawbacks:
- statistical analysis solutions (think Bayesian filters) will have false positives and false negatives sometimes.
- distributed blacklists (like Akismet) fail because they’re blacklists — and enumerating badness is a failure waiting to happen[1]. On top of that, open blacklists are easy to poison, leading to… false positives, of course.
- CAPTCHAs, as a special class of solutions, fail because they rely on computers not being able to “read” as well as humans can — the problem being that some humans cannot read as well as a computer can; and also that computers are getting smarter all the time.
I’m sure there are other types of anti-spam solutions I haven’t enumerated, and likely they all fail on one point or another.
One of the best approaches to such problems is a whitelist-based approach, or enumerating goodness. This is much easier to do, since the number of honest commenters is likely much lower and much more stable than the number of potential spammers out there.
“But wait, narc, doesn’t that mean that I have to keep an eye on my moderation queue, to whitelist the allowed commenters?” Well, obviously, but you’d have to keep an eye there anyway to check for false positives, and to delete all the spam you’re getting. So there are no savings either way.
With that said, using a solution like reCAPTCHA can reduce the immense size of the moderation queue, which is a good enough reason to use it. But you still need to keep your eye on the ball, and you also shouldn’t forget that CAPTCHAs will keep out parts of your (potential) audience. I try to do that, and if I ever seem to have failed, I strongly encourage you to contact me and remind me.
Update: I’ve had to close comments on this post due to the fact that it got targeted by a bunch of spammers (who don’t seem to have much trouble with the reCAPTCHA). Meh.
QQSearch!
Inspired by Jon Eveland‘s qqint, I’ve produced (from scratch) a personal version written in PHP and using an SQLite backend that anyone can set up and use themselves.
I started by putting up some slightly rambly QQSearch documentation that should explain what’s what, and why. Because the docs came first, they may be slightly out of date. They are also slightly ahead of the current state of development, as aliases have not yet been implemented (though it should be reasonably easy to do so).
You can use a demo of QQSearch with the really dangerous bits removed (i.e. no adding and deleting URL mappings).
If you like that, you can go ahead and:
- download QQSearch v. 0.1 as .tar.gz (about 100 KB), or
- download QQSearch v. 0.1 as .zip (about 300 KB)
Short instructions for use: download, extract to the htdocs folder of a PHP-enabled (version 5.1 minimum!) webserver, and browse to it.
If you need more help than that, feel free to contact me and I’ll do my best to get you sorted.
Webmin, Oopsies, and the Fun of DNS
So, I must be the last person on the Internet to have heard of webmin — or, at least, the last person who administers a bunch of Linuxen to do so.
After installing it yesterday on Bast, I discovered, among other things, that webmin has a neat little interface to configure BIND. Since that was basically the one thing I hated having to manage on my own, I decided I’d give it a try — and boy, did it ever work nicely. I’ve managed to transfer the narc.ro zone from the shitty MS server to a nice, neat little BIND9-managed zone on bast.
On top of that, I’ve finally segregated *.narc.ro and *.internal.narc.ro, which makes the DNS a lot cleaner.
In other recent news, however, I did a stupid (this is where the “oopsies” part of the title comes in): I had to change Themis’s IP from 192.168.0.1 to .100 (well, I didn’t have to, I was just lazy), and… I forgot to change the port forward for the DNS. Which ended up breaking my e-mail deliveries, as well as most of everything else related to narc.ro, I’m sure. Luckily, since I also had a reason to change that forward, I caught it relatively quickly (yeah, it only took a couple of days, heh).
So if you were wondering why you couldn’t reach narc.ro, or why your RSS reader was having trouble getting updates, now you know. Aren’t ya glad?
A UI Experience: Yahoo! Password Change
I feel a bit like I’m picking on a retarded kid, but I’ve been asked for instructions about changing one’s password on a Yahoo! account, and I figured that was a good excuse to analyze some of the pitfalls of bad UI. Having just tried to find it myself, I have to say it’s not very easily discoverable unless you know what to look for, and that’s pretty hard for a non-programmer.
First, a caveat: I’ve only tried to do this in the context of accessing Yahoo! Mail. It’s possible that other Yahoo! applications make this process a bit easier, but I’m going to assume the person who needs this (friend of my uncle’s, I’ve never met her) is a typical user who doesn’t care about anything other than Yahoo! Messenger and Mail.
With that said, let’s see how to do it:
First, go to http://mail.yahoo.com/ — the easiest way to get straight to Yahoo! mail:

If you don’t have automatic login enabled, you will probably have to sign in now:

In the above picture, note the “Forget your ID or password?” link that can help you if you can’t remember those.
And now we get to the really bad UI: Yahoo! Mail “non-classic” (click for bigger screenshot):
I know, that’s not the whole UI, I’ve cropped a lot of it out, but the interesting part is in there. See what I’ve highlighted there:

When you click it, this is what you see:

Now, you have to figure out that the “Edit My Account” link is likely to have the password-changing option (maybe not that huge a logic leap — I’m not a user, I don’t know how they think). It’s right there:

The result? Erm, you’ll have to enter your password again:

This helps, I’m sure (for instance, if you have auto-login enabled and some idiot goes to Yahoo! Mail on your behalf, at least they can’t change your password, right?). But they can read your mail, and send mail as you. Oops.
On the other hand, the profile edit page appears to contain more sensitive information, such as home address, telephone numbers, and such. It would probably also contain credit card information, which is definitely something we don’t want an unauthorized prankster to see.
So, anyway, the result is you’ll be presented with this screen (click for bigger screenshot):
Which, among other things, contains this:

That’s right, there’s the Change Password link. It didn’t take long to get here, did it? Click it, and you get this:

After you fill out this rather standard password change form, you should be looking at this:

That’s it! Now, let’s see how much it took to get here:
- Two password prompts (one of which might not show up in some cases)
- Figuring out a UI element is actually a menu, and that it’s the one we want!
- Understanding that editing “my account” includes changing the password (as I said, maybe not so much of a logic leap)
The conclusion? It’s not too bad, but it could be better. I’d love to see this action — changing one’s password — be somewhat more easily discoverable without having to browse through a drop-down menu, but otherwise it’s pretty understandable once you spend a few minutes thinking about it.
And there’s the rub: you have to think about it. And it’s not in the obvious place, either — there’s an “Options” menu you might think was related, but it actually refers solely to the Yahoo! Mail options. I have no doubt a lot of people get hung up on this point: “I’ve looked everywhere and I can’t find it”. The profile menu is hidden away in the top-left corner next to the logo, and it looks like a greeting, rather than something with which to get stuff done. Further, there are so few options in that menu that they could all be shown directly below, like the “Sign Out” link is, and that might help a bit.
Alternatively, maybe the drop-down menu could be called “Profile Options” or “My Profile” or something, rather than “Hi, <first name>!”. That makes it look like website fluff rather than like an actually useful piece of user interface.
Oh, in case you’re wondering — I’ve removed my details from the screenshots mostly for clarity, rather than out of any fear of giving away any information. My “About Narc” page contains the personal info I’m okay with having out in the open, and you’ll probably note it’s pretty complete. I’m not that bothered by having random people know my personal information — I assume nobody really cares.
A:Visited (or, channeling Jakob Nielsen)
I posted a “dent” (God, is that a silly name or what?) recently on identi.ca about how I hate not being able to tell visited links from fresh ones. And then I had a look at this blog and realized it had the exact problem I was ranting about.
The reason for this is that I got this theme from elsewhere, and never really cared enough to look at it very closely.
But, if there’s anything that can get me out of my usual lazy stupor, it’s being (or being called) a hypocrite, so I’ve set out to fix my most obvious failing.
So I’ve added a:visited CSS selectors to all the important places I could find here, on the Ramblings of Narc, and the final result is reasonable, as far as I’m concerned.
As a result, I can now whine all I want about websites that don’t make any obvious visual distinction between visited and unvisited links. But wait, there’s more — I also have a (decent) solution, in the form of a bookmarklet I picked up a long while ago called “zap”. To use it for yourself, all you need to do is drag and drop Zap to your bookmarks toolbar. You can even click it for a live preview.
Oh, the wonders of Javascript bookmarks
Update: Oops, the wonders of Javascript bookmarks, indeed. Somewhere along the way I think WordPress probably mangled it. That’s what I get for not testing carefully enough. Use this link to get to it, instead.
ShittyCodeException
I’ve just had the immense pleasure of reading a bunch of code written by someone who is, or should be, a non-programmer.
Among other things, this piece of code (written in PHP) tends to take very roundabout routes to get where it’s going, its functions are mixed up with program logic (including such things as if(condition) function something() {};, which hurts my brain just thinking about it), and calls a Perl script to do something that’s eminently simple to do in PHP — querying a URL.
Thanks to an unattributed image found on Jeff Atwood’s blog, I can now express what the person writing this code should have been seeing as he wrote it:

Because that’s what was happening in my brain as I was reading it.
Now, I can appreciate code reuse, and the fact that the Perl script this one is calling is written mostly by myself gives me a nice ego-boost, but I’m questioning the validity of the current approach.
Firstly, what’s the point of having someone who is so obviously not a programmer write a bunch of code when I and my co-workers are generally available throughout the entire Toronto workday?
Secondly, does anyone doubt that this piece of code will end up having to be supported by us, the same people who should’ve been asked to write it in the first place? As evidence of this, I present the fact that I was the one asked to “fix it”. All I know is, at some point, I’m going to end up having to do some more in-depth maintenance on this code, and I’ll end up rewriting the whole thing, top to bottom. It’s just that bad.
And don’t even get me started on the excess trailing whitespace I just removed by saving the file. Or the shitty indentation that’s sometimes done with spaces, and other times with Tab. And even when done with spaces, it’s inconsistent between two spaces, three spaces and four.
I just noticed another thing: it calls mysql_free_result() at the very end of the application. How clever! It’s as if the “programmer” didn’t realize it would be done automatically the moment the script ended execution.
I’m also curious if the person who wrote this, ostensibly someone with the username “tony”, can even speak English. The reason I’m asking is this comment here: “Retrive Form Value and Assosate Vlaue for Xsell ID”.
Fun stuff, isn’t it?
Why This Hatred For The Shift Key?
You’ve probably seen it — heck, you’ve probably done it yourself, many times. Almost everywhere you go online, if comments are available, or if there’s any kind of open forum, you will see these posts:
this is my opinion: i think [X] should be [Y], [Z]
Now, I’m very specifically not trying to draw attention to the content of the post, because some number of them are very decent, and the rest are mostly ignorable. No, what I’m specifically looking at is the writer’s apparent hatred for the Shift key on his keyboard. With the exception of the [X], [Y] and [Z] I used as placeholders, that post has no uppercase characters whatsoever.
So, my question is, why? Usually, the answer I get is “its extra effort to use the shit^Hft key, and im too lazy”. I don’t buy that. I’m possibly the laziest person I know, and to me, it’s harder not to use the Shift key. It actually takes more mental effort to write like that than it does to write with proper capitalization, punctuation, and spelling (typos notwithstanding). And I’m sure my readers (all two of you) appreciate it.
So why do we see so little capitalization? What is the hatred for the Shift key? Are we moving towards an e. e. cummings-style Internet, where the Shift key is banned, or limited only to articles on media websites like CNN.com? Same for the apostrophe, and (in extreme cases), the period. What’s going on here?


