Archive for the 'Accessibility' Category

More Google security failures

Wednesday, November 16th, 2005

Google Base arrived recently, sharing the same domain as Gmail, so cross-site security holes in Google Base allow access to all the Gmail emails, as well as XSS phishing attacks using the Google brand. Of course, as you would expect for a new product from a major internet company, there had obviously been no security testing whatsoever, and there were trivially obvious XSS holes in it.

Like the Yahoo programmer last week, the incompetent Google Base programmer had simply taken a parameter from the query string and written it, unencoded, into the document. So the query http://base.google.com/base/search?a_n427=<script>alert(1)</script>&a_y427=0&a_s427=0&a_r=2 performed the alert. This was fixed about 5 hours after I reported it, showing again that Google don’t care enough about the security of our data to refrain from releasing clearly insecure software.
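The bug described above, as an added example (not code from Google Base or from this post): a page builder that concatenates the raw query parameter, beside the hardened form that HTML-encodes it first. The request URL is constructed here with the same kind of payload the post quotes; the function names are assumptions.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request URL, carrying the same kind of payload the post quotes.
REQUEST_URL = ("http://base.google.com/base/search"
               "?a_n427=<script>alert(1)</script>&a_y427=0&a_s427=0&a_r=2")

def search_param(url, name="a_n427"):
    """Pull one query parameter out of the request URL (empty string if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]

def render_vulnerable(term):
    """The bug the post describes: the raw parameter is concatenated straight
    into the HTML, so any markup it carries becomes part of the document."""
    return (f"<html><body><h1>Results for {term}</h1>"
            f'<form><input name="a_n427" value="{term}"></form></body></html>')

def render_hardened(term):
    """The fix: HTML-encode the value before it reaches the document. quote=True
    also escapes single and double quotes, which matters inside attributes."""
    safe = escape(term, quote=True)
    return (f"<html><body><h1>Results for {safe}</h1>"
            f'<form><input name="a_n427" value="{safe}"></form></body></html>')

def contains_live_script(page):
    """Crude check used only to show the difference: did a real <script> tag survive?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    term = search_param(REQUEST_URL)
    print("vulnerable:", render_vulnerable(term))
    print("hardened:  ", render_hardened(term))
```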

Like last year, Google’s response to the email report was nothing; there wasn’t even an autoresponder on security@google.com, so only by watching for it to be fixed did I learn that it had been fixed at all. As with the Gmail security flaw, Google appear to take a complete-silence approach to security; I guess they think what the public don’t know can’t worry them. I can’t understand the motivation behind not acknowledging and thanking the reporter of a security flaw: the alternatives for the people who find these flaws are to get rich abusing them, or to publicise them and let other people get rich abusing them. Surely a “thanks for your bug report, we fixed it” email is a small price to pay for not having to hire your own QA team?

Google Base is beta, so bugs are perhaps to be expected, but I can’t understand why Google don’t have at least some security testing; would the publicity of a breach not be a PR disaster for them? Like I said last week, host the beta on a separate domain.

Firefox and Security

Thursday, July 14th, 2005

Firefox 1.0.5 was recently released and it fixed some now-published security flaws. Nothing unusual about this, and great that they were patched so quickly; the problem comes when I visit the Firefox front page and it offers me:
Firefox 1.0.4 for Windows, English (British) (4.7MB). This isn’t good: on hearing about the flaws, the first thing people are going to do is download the latest version and think themselves safe. Here they wouldn’t be, since 1.0.4 isn’t the latest version.

It seems the problem is due to a possibly useful feature of the page: it looks at your Accept-Language header and picks out the most appropriate download for you. Unfortunately, because the localised versions come out later (packaging takes time, of course; nothing unreasonable there), it means I’m being offered the vulnerable version. It should be simple to fix: the script just needs to make sure it’s offering the latest version before it offers the regionalised one. Unfortunately bugzilla.mozilla.org and irc.mozilla.org are down right now, so I can’t even report this; maybe a blog post will be quick.
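The download-page logic described above, as an added example (not Mozilla’s code): the locale-first selection that hands out a stale build, beside the latest-version-first selection the post asks for. The build catalogue is constructed, and the Accept-Language handling assumes the client lists tags most-preferred first.

```python
# Constructed catalogue of (version, locale, filename). The en-US build of the
# new release is out; the British build still lags one release behind.
BUILDS = [
    ("1.0.4", "en-us", "Firefox Setup 1.0.4.exe"),
    ("1.0.4", "en-gb", "Firefox Setup 1.0.4 (en-GB).exe"),
    ("1.0.5", "en-us", "Firefox Setup 1.0.5.exe"),
]

def version_key(version):
    """Compare dotted versions numerically, so 1.0.10 sorts after 1.0.9."""
    return tuple(int(p) for p in version.split("."))

def preferred_locales(accept_language):
    """Language tags from Accept-Language, in the order sent. Assumption: the
    client lists them most-preferred first; q-values are dropped here."""
    return [p.split(";")[0].strip().lower()
            for p in accept_language.split(",") if p.strip()]

def offer_localised_first(accept_language, builds=BUILDS):
    """The behaviour the post ran into: the newest build for the user's locale,
    with no check that it is the newest release overall."""
    for loc in preferred_locales(accept_language):
        mine = [b for b in builds if b[1] == loc]
        if mine:
            return max(mine, key=lambda b: version_key(b[0]))
    return max(builds, key=lambda b: version_key(b[0]))

def offer_latest_first(accept_language, builds=BUILDS, fallback="en-us"):
    """The fix: work out the latest version first, then offer the first preferred
    locale that has a build at that version, else the fallback locale's build."""
    latest = max((b[0] for b in builds), key=version_key)
    current = {b[1]: b for b in builds if b[0] == latest}
    for loc in preferred_locales(accept_language):
        if loc in current:
            return current[loc]
    return current[fallback]

if __name__ == "__main__":
    header = "en-GB,en;q=0.8"
    print("locale first: ", offer_localised_first(header))
    print("latest first: ", offer_latest_first(header))
```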

Joining the Shiny People

Wednesday, June 29th, 2005

I bought a Mac mini, and so far it’s been a pretty disappointing process all around. Some nice people gave me some Amazon vouchers, so I went to buy it there. I’d never bought anything at Amazon before, so that was a new experience, and it was a bad one!

The biggest shock was that it simply doesn’t work. I needed a keyboard, so I looked at the list of keyboards; I wanted a cheap one, so I sorted them by price. I ended up at the list of keyboards sorted by price low to high, so the cheapest keyboard Amazon had was £21.95. That surprised me somewhat, as normally a fiver is a bit much; looking down, though, the numbers were 21.95, 47.74, 22.99, 89.99, 147.95, 9.95. There was a 3.50 one at 15 in the list, but all very unsatisfactory. I didn’t bother with a keyboard from Amazon; I borrowed one instead. Amazon are a big site, how can they get such fundamental things wrong? Are Amazon customers really so price-insensitive that they don’t order things by price? The same effect happens all across Amazon UK, it’s not just keyboards: sorting by price is simply broken.

So the parcel arrived 3 days after ordering it; pretty poor again considering I paid for the fast delivery. Next-day delivery was what I would’ve expected; somehow “normally ships in 24 hours” actually meant “ships a couple of days after you order it”. Those were my Amazon disappointments; next came my Apple disappointments.

It came installed with 10.3.7. Fair enough, that’s all that was advertised, but you’d think it would be a free upgrade as it’s now 7 weeks since the upgrade was released (I guess Amazon UK doesn’t actually sell much volume of Mac minis). Nope, an upgrade would cost £11.99 with the Up-to-Date programme. I knew this fact before I bought it, and I took a risk that there would actually be a 10.4 OS in the box, but still, at least I know how much Apple values my custom: I don’t even get the up-to-date software.

When it finally arrived, I went out and donated blood, figuring feeling slightly faint with tea and biscuits inside me would put me in the right mind for clicking around with one button on my mouse (I was using a borrowed keyboard and mouse from an old iMac). Installing it seemed to go pretty easily; it asked me some questions about where I was. The only oddity was that after telling it I was in the UK and wanted British settings, it suggested the date was 06-29-2005, so that was a little disappointing.

Next it started asking me a lot of personal questions about my address and name and things. Why does my computer need to know this? This is stuff I know already, and there was no way to skip it given in the menus! Fortunately, the good folk in #SWHACK tipped me off that CMD-Q would let me get out of it; hardly the best-advertised feature though.

It started, and I had it all onscreen, then a box popped up telling me it wanted to download updates. Ah, that’s good, I thought; then I noticed it wanted to download things like iPod Updater 2005-06-26. Thinking I must have a free iPod, I quickly looked through the packaging I’d thrown away; it wasn’t actually there though, maybe it got lost? I can’t understand why an iPod updater or iTunes are Mac OS X updates; it just wanted me to download 100MB of stuff that I have absolutely no need for. Of course it also didn’t download a load of security updates it now thinks I need; I had to manually force another check after installing the first load, no idea when it might have told me about those. I thought the Mac was supposed to make me more secure?

Starting up Safari came next. I’d heard good things about it, and seen it render pages well, and it did! It worked nicely. First things first, let’s get rid of all those animations (I can’t concentrate with any movement on web pages). Hmm, no options to disable Flash, or animated GIFs? Off to Google: apparently the only way to kill Flash is to remove it from the plugins directory, something that removes it from all browsers and requires a restart of the browser to re-enable, hardly usable. Killing animated GIFs seems to need a third-party plugin costing $10. Disappointing; I guess I might just have to make Opera my default OS X browser.

Installing OS X VNC was quick and painless, and it works very well on the local network. If only it could just export a Safari window though, that would be much nicer; is there anything that can do that?

ASBOs for link spammers

Thursday, March 31st, 2005

Link spammers believe they’re doing nothing illegal in link spamming, and they’re probably right. However, here in the UK we have a pretty horrible piece of legislation called the ASBO (Anti-Social Behaviour Order) that can criminalise just about any sort of behaviour, from drinking petrol, to howling at the moon, to using a phone, to using the word “grass”.

Whilst it’s a bad law, which can be used to criminalise individuals for non-criminal activity (if wearing a hat or using the word “grass” is wrong, it should apply to everyone or no-one), as it’s here, why shouldn’t it be used on link spammers? A few complaints to the local council about a UK individual link-spamming could easily get them banned from using the internet, or from commenting on blogs/wikis. Whilst it won’t do much to stop link spamming worldwide, it’ll certainly discourage any UK individual from joining in the act. So El Reg, you know a link spammer’s name; how about trying to get an ASBO for his anti-social behaviour?

Why Web Forms 2.0 isn’t far enough to make a difference

Monday, June 28th, 2004

The WHAT WG kicked off a lot of discussion on how to improve the current state of the web languages available to us, so as to create the future web applications. The general consensus (e.g. 1, 2, 3) appears to be that we need “graceful degradation”, so that it works in IE6 but offers something more elsewhere.

The argument appears to be:

  1. Create something that makes authoring easier but only works in the exciting new ways in Mozilla, Opera and Safari, and degrades elsewhere.
  2. The developer will get such an implementation gain from these improvements that they’ll use it.
  3. Users will learn of the improvements in these other UAs and switch to them.

I don’t think this argument works: it relies on authors being willing to forgo the enhanced performance in IE6 for the ease of authoring with the new technologies. The alternative, traditional script solutions to extending the capabilities of web documents, work fine in IE6; they’re well understood (if poorly implemented) and generally work either as well, or only marginally worse, in the other browsers (the ones today too, not some new ones that people need to have upgraded to).

IE6 is too important to authors and product managers; whatever the solution is we ship to IE, that’s the most important, and we can’t compromise it in any way. So whilst offering a calendar control that degrades to a text box might be fair enough if we’re degrading to IceBrowser, it’s not acceptable to us for IE: we’ll ship one of the common script calendar controls that degrade to a text box when there’s no script. Our IE customers are simply the most important; they’ll get 95% of our development and testing time, and in that scenario the degradation must not compromise IE6 behaviour at all.

The WHAT-WG’s approach to this appears to be JavaScript shims to get it working. As I often say, JavaScript development is almost universally crap, under-tested and poorly implemented. Libraries are often the worst kind: the test requirements are simply too high to meet on the huge variety of systems out there that JavaScript code can run on, and they’re generally not rich enough to do everything, so you’re always extending them. Libraries simply haven’t been shown to work on the web. (If I’m wrong, show me some sites!)

These libraries would also need to have no licence encumbrance or risk for me to just re-use them, and most likely be free (all the script the Web Forms 2 spec offers is available for free out there now; how do I justify the cost of something new?). Who’s going to write it? There are maybe only a hundred or so people with the script skills available, but generally they’re pretty busy doing real work that actually puts food on the table.

But let’s suppose that authors can deliver good enough IE6 sites through these script methods that they’re willing to ship them. Great, but all that happens now is that users have no reason to move to a new browser: the pages in IE6 are just as good as they would be in those other browsers. Without the motivation to move, the process of degradation as an evolutionary strategy doesn’t work; we’ll still be stuck authoring the same pages in the same styles, only now we’ll also have to worry about a large JavaScript library that we have little control over.

So what’s the solution?

Flash has shown us how to ship sites which don’t degrade in IE: we use a plugin for the new features. It’s worked great; plugin solutions for IE degradation are fine, so long as what they offer the developer is something of a leap in performance (authoring, technical etc.) that they simply can’t get in traditional HTML ways. This is where we can make a new technology platform: develop a real improved solution that can be rendered in an IE plugin. IE plugins can go full browser window no problem, and you can change the Accept headers of IE in the install, so they don’t need to be done with HTML and OBJECT elements in this case. Of course IE users who don’t install the plugin won’t get much other than the degradation to HTML; what those users will get, though, is an incentive to change, since the features will be new and offer something worth installing.

Of course, moving to this system is much more complicated and will take longer to come about, but I think it’s a much more likely scenario than imagining Web Forms 2.0 will really offer enough benefits to either authors or developers to achieve anything; it’ll just be another XHTML 1.1, never used in the real world.

The small small place.

Friday, August 22nd, 2003

You often see stats saying how many millions of people are online, when those of us in the know know that in reality there’s only a few hundred (#crickettalk reckoned 303, but 1 was a fridge).

A few weeks back I was looking for some fire poi for a friend of mine; one of the sites I looked at a lot was fire-gear.com. Then a couple of days ago, whilst looking at what was being said about FOAF, I came across a request for a FOAF script from Adam Rice and did a quick and dirty hack for him.

Two unrelated things, you might think, but no: because there’s only 300 of us doing this stuff, Adam has to also run the Fire Gear site. Still, he seems to know what he’s doing, so it’s probably OK. Now I have to decide if I should try and make some poi with Adam’s instructions, buy some, or just leave J. to only have her fire clubs.

SVG WG Panel

Wednesday, July 16th, 2003

This is a pretty poor set of notes on the SVG panel.

someone - Will you kill PDF/XSL-FO/HTML etc.?
CL - We make sure SVG uses similar terms to HTML etc. PDF is “Print the Damn File”; Chris sees PDF as purely presentation.
JF - PDF/SVG 1.2 overlap, but workflows are very different. PDF has big inertia and support, SVG tools not there.
DS asks can we have variable stroke widths, maybe do a Nike Swoosh, could be in RAX?
CL - Implementation seems complicated to do, but would be really useful; Chris would like to see it in SVG, but others may not?
DS - Will the SVG spec re-add the cream of the RCC stuff back into core?
CL - That could be good?
DS - Drag and drop, anything in the spec?
CL - Antoine Quint wrote a cool one, back in 1.0; RCC there.
Dean - new features take time from the WG, the more we add the longer it takes, we need feedback. 3 hours a week telecon, 6 days F2F in 3 months between drafts, yet only 6 features added.
Some guy? - Any X3D/SVG integration? X3D is a W3C note.
CL - There’s been some interaction between groups, they’ve been to dinner at www2003, SVG textures would be good, modern graphics cards are 98% 3D acceleration.
Phil Mansfield - SVG viewer can implement 3D, see presentation previously. Java more efficient than JavaScript!
Some guy? - Will we get more complicated matrices to calculate stuff, so we can do “star wars text”, to get perspective effects?
No plans yet… good suggestion though.
Alistair from Victoria Uni - Will the WG define any UI components?
CL - People will always ask for more, but we assumed everything was special so no symbols; but for zoom/pan controls for example, people want it to look the same. For TINY we will need to add it, as script can’t do it.
Benoit/CL - dSVG has some ideas; send feedback to www-svg@w3.org, especially on RAX/dSVG etc.
A. Adam - Elaborate on live templates?
DF - They only exist in spec form; there are some simulations.
CL says there are implementations that render stuff like MathML.
PM - It’s like XSLT, so could be used, but it’s different.
Alison from SchemaSoft - Markers are a problem: they seem useful, but they’re tough to use, line ends show up behind the marker. Changed rendering model, with an exclusion zone around the marker; see automated marker generation.

Initials are www-svg folks or svg-developer guys.

SVG Mapping for people with VI

Tuesday, July 15th, 2003

Benjamin Camplin gave a very interesting talk on his SVG maps, which had a haptic (touch paper) output and could talk and interact with the user. Unfortunately I had no power for my laptop, so no proper notes; they should be online though. The map of Canada he demoed, with audio sounds and talking, was cool.

406, what’s the point?

Saturday, May 24th, 2003

I modify my IE so as to send an Accept header clearly indicating that it doesn’t understand application/xhtml+xml. This seems wise, as it doesn’t, and most people will also offer up a non-XHTML representation of their content.

Terje Bless’s “homepage” only provides an XHTML representation, which, rather annoyingly for me, Apache decides to send rather than a 406 response. This seemed odd, but it’s apparently completely fine: RFC 2616 section 10.4.7 says:

Note: HTTP/1.1 servers are allowed to return responses which are not acceptable according to the accept headers sent in the request. In some cases, this may even be preferable to sending a 406 response. User agents are encouraged to inspect the headers of an incoming response to determine if it is acceptable.

I don’t understand why some useless document is preferable to a 406 with a list of available representations (so I can choose a different UA), but apparently it is. It doesn’t seem to help the usefulness of HTTP Accept headers though.
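The two server behaviours the RFC text allows, as an added example (not Apache’s code nor its exact algorithm): Accept-header matching with q-values and wildcards, then either a strict 406 listing the alternates or the lenient “send it anyway” answer the post ran into. The variant lists, the Accept header with application/xhtml+xml at q=0, and the function names are all constructed for this example.

```python
# Constructed variant lists: a page that exists only as XHTML, and one with both.
XHTML_ONLY = [("application/xhtml+xml", "index.xhtml")]
BOTH = [("application/xhtml+xml", "index.xhtml"), ("text/html", "index.html")]

# Constructed Accept header in the spirit of the post: XHTML sent with q=0.
IE_ACCEPT = "text/html,image/gif,application/xhtml+xml;q=0,*/*;q=0.5"

def parse_accept(header):
    """Split an Accept header into (media-range, q) pairs."""
    ranges = []
    for part in header.split(","):
        bits = [b.strip() for b in part.split(";")]
        q = 1.0
        for param in bits[1:]:
            if param.lower().startswith("q="):
                q = float(param[2:])
        ranges.append((bits[0].lower(), q))
    return ranges

def quality(media_type, ranges):
    """q for one media type: an exact range beats type/*, which beats */*.
    q=0 means the client has said it cannot handle the type at all."""
    major = media_type.split("/")[0]
    best_spec, best_q = 0, 0.0
    for rng, q in ranges:
        if rng == media_type:
            spec = 3
        elif rng == major + "/*":
            spec = 2
        elif rng == "*/*":
            spec = 1
        else:
            continue
        if spec > best_spec:
            best_spec, best_q = spec, q
    return best_q

def negotiate(accept, variants, strict):
    """Return (status, content_type, body). strict=True answers 406 with the
    list of alternates when nothing is acceptable; strict=False is the lenient
    behaviour RFC 2616 10.4.7 permits: send a representation anyway and leave
    the user agent to inspect the response headers."""
    ranges = parse_accept(accept)
    scored = [(quality(mt, ranges), mt, path) for mt, path in variants]
    acceptable = [s for s in scored if s[0] > 0]
    if acceptable:
        _, mt, path = max(acceptable, key=lambda s: s[0])
        return 200, mt, path
    if strict:
        return 406, None, [mt for _, mt, _ in scored]
    mt, path = variants[0]
    return 200, mt, path
```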

Handicap

Thursday, December 5th, 2002

20:19 this month, so that’s over a minute improvement in 2 months, I’m beginning to feel a lot more confident about my running…