Archive for April, 2006

Widgets!

Tuesday, April 25th, 2006

I’ve been creating things that are a lot like what are now called widgets for a long time: HTML+Javascript applications with full trust. I’ve always used something called Zeepe, which turns IE into a fully trusted container that you can launch locally (or even from the web, if you’ve got a licence and use the trust model).

Zeepe is much richer than the other widget platforms currently on Windows, not least because it allows complete access to all Windows COM objects, so you really can connect to anything; I use it for automating Windows Media Encoder and recording video streams, or as a database management tool. I don’t know how capable the OS-X Dashboard is, it may well be able to do similar stuff, but until there’s a PowerBook with a nipple and IE6 is released for OS-X I’ll stick with XP.

The widget system from Opera is new; last week at the gathering Opera ran a widget competition, and lots of widget folk arrived in #svg on freenode asking how to use all that cool Opera SVG in a widget. I had a couple of hours, so I decided to join in and create a quick widget.

Another cool thing Opera have is the My Opera FOAF data they provide for everyone, so, in a foafnaut kind of style, I decided to create widgnaut, a browser of that data. It’s very ugly, but it shows some nice features of widgets and RDF, and how easily such connections of data can be made once you escape the security constraints of browsers but still use all those easy HTML/javascript features.

Opera Widgets currently have a few problems which make the sort of widgets I like to create not really viable; the 2 big ones are:

  • You can’t decide where to position your initial widget, or control its location. This means widgets like widgnaut, which really need the full screen, rely on the user positioning them in a particular place.
  • The screen darkens! This just seems very silly; I can’t understand the use case for it at all. If I want a widget, it doesn’t mean I don’t want the other stuff on the screen. With a calendar widget I still need to copy info to my other applications, and once they’ve gone dark I can’t even access them, let alone anything else. This didn’t happen on builds earlier than the Beta, so hopefully it will go away again.

Opera widgets are still good though: easy to create, and useful, just not quite ready for my perhaps odd requirements.

Google Flaw not fixed, GMail contact stealing demo

Monday, April 10th, 2006

Despite the flaw being announced a long time ago, the Google Book Search flaw is still unfixed. It’s surprising that Google aren’t taking it more seriously: this one is very easy to use to automate a user’s GMail account, stealing contacts or sending email, if they are logged into Google when they’re tricked into visiting such a page.

Here’s an example page that will list your GMail contacts: List your gmail contacts

There’s no reason why a page cannot also send emails, steal the contents of emails, or anything else. Given the length of time this has been public (I didn’t find this flaw; it was posted to bugtraq on the 4th April, or 6 days ago) it’s very possible that a worm that steals GMail information is already circulating. Disable script on google.com!

The script that gets the contacts is trivial:

function x() {
	// Synchronous request to the GMail contacts page. This only works because
	// the script is already running on the google.com origin (via the XSS), so
	// the browser attaches the victim's logged-in Google cookies to it.
	var xmlhttp = new XMLHttpRequest();
	xmlhttp.open("GET","http://mail.google.com/mail/?view=page&name=contacts&ver=e0ad439ebad5ad16",false);
	xmlhttp.send('');
	// The response body is the raw page text, which carries the contact list
	return xmlhttp.responseText;
}

The x function then returns a JSON structure containing the contacts; this can easily be converted into the output format with some simple regular expressions. See test6.js for those and the complete included script. The livehttpheaders extension in Firefox is how to find out how to do other things.

Yet More Google Security Failures

Monday, April 10th, 2006

Google are still failing to keep even their flagship google.com domain secure from Cross Site Scripting attacks, which allow arbitrary code insertion into google.com.

See Google’s new pay search service (not really, of course, just my credit card form!)

The flaw appears to be a failure to clean the characters in a book result search. It’s a trivial flaw that every Google employee should know about, yet the same class of flaw keeps getting produced; Google developers and Google testers would appear to be uninterested in security, not even bothering to test for flaws that have been found before.

Places to Work whilst Travelling

Saturday, April 8th, 2006

Travelling or backpacking is well catered for on the web: sites such as Hostelz and the more commercial similar sites have lots of information on places to stay all over the world. There are also lots of places telling you how to get jobs whilst travelling if you’re in one of the under-30 working visa countries.

There doesn’t seem to be anything out there telling geeky people where they can get reliable internet connections. The hostel sites and guidebooks will indicate if internet is available, but will generally have no more information on it: is it fast, can you use your own notebook, is it available at 3am when you need to be on the teleconference with the guys back in the office?

[Image: Paradise Jamaica beach]

This would be really useful, but there’s a huge bootstrapping problem here: how do you get enough information to encourage other people to leave information? Maybe I should just create it, then once there are enough places in there, I can go off and stay in them… It might be better than being homeless, just bumming around in the UK. Openguides is almost a good platform to build it on, but it’s very much built around a city rather than a topic, and a pure wiki solution is a little dry; I’d rather see more commentary-based stuff.

Paradise Jamaica was where I stayed recently in Jamaica, and it was good for working, the wifi was fast and reliable, and the beach was deserted and lovely. I just need a few thousand more such places and I’ve got a site!