Tuesday, February 26, 2013

Hey, that's right!  I have a blog!

Do people still blog?

Wednesday, March 03, 2010

facebook and browser security

It's been less than a year since I joined facebook, after a long battle of keeping social networking sites at arm's length.  I was surprised at just how much fun it was, which really has only so much to do with facebook, and so much more to do with all my friends from high school, and my relatives I hadn't seen for years.

One of my initial concerns with facebook (and any social networking site) was the security, both in terms of technical security (someone posts a virus as an archive of pictures, as a real example), and also in terms of social engineering (say you leave a post about going on vacation for two weeks ... and the "wrong" people see it, and break into your house while you're away).  But those issues are really avoidable, as long as the end-user is smart - don't trust a file you don't know (scan it!), and beware of TMI in your posts.

But as of this morning, I have a new security concern with facebook - about:blank.  When I tried to accept a friend request this morning, nothing would happen;  when I tried to post a comment - nothing; basically, as of this morning none of the buttons on facebook work for me anymore.  And the reason why?  They are all attempting to run scripts from "about:blank".

Let me back up just a bit.  I deal with web security as part of my job, and as such, I am just a bit more paranoid, and run tools to avoid common network threats.  I use Firefox as my web browser, and a special plug-in called NoScript that warns me when a site is trying to run a script from an untrusted source.  And what is an untrusted source?  Let's put it this way:  If I'm on cnn.com, and that page needs to run a script that comes from cnn.com - that's okay, that's trusted.  If it's trying to run a script from virusworld.net or someone's IP address, that's NOT okay!  Basically, scripts MUST come from the same domain as the page that is trying to run them.  If not, NoScript blocks them.

Once a script has been blocked, I can tell NoScript that "it's okay, I trust that site".  I've done this for a number of apps that I am aware of and trust (amazon has a number of scripts from their a3.com domain, for example - I know where they're coming from & trust them).  So, in most cases, if I trust the site with the script, it's really not a problem.  I just tell NoScript to allow it.

The problem is, "about:blank" is not really a site.  It's supposed to give you a blank screen in your browser, but it should NEVER be running scripts!!!  In fact, this is a known security hole in some browsers - by tricking the browser to see a script coming from "about:blank", it thinks it's a local script, and does not apply the same security it would if it thought it was coming from across the internet.

In other words, the developers at facebook are now doing something that any web developer with a half-hour security class should know is absolutely WRONG to do!  And there's absolutely no reason for them to use this method unless they PLAN on doing something malicious!  (I still hope they did it because they were clueless, rather than malicious ...)

Now, I could allow "about:blank", but that would mean that ANY SITE could run scripts as about:blank - not what I want at all.
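As an added example (not code from this blog or from NoScript, and a simplification of NoScript's real matching, which works per site rather than per exact origin), here is the trust rule described above modelled in JavaScript, including why "about:blank" can't sensibly be put on the allow list:

```javascript
// Simplified model of the NoScript-style rule described in the post (added
// example, not NoScript's own code): a script is allowed only when it comes
// from the page's own origin, or from an origin the user explicitly trusted.
// Non-web sources such as "about:blank" are never tied to a single site, so
// they cannot be trusted without trusting every site at once.
const trustedOrigins = new Set(); // user exceptions: "it's okay, I trust that site"

// Origin (scheme://host[:port]) for http(s) URLs; null for everything else
// (about:blank, data:, javascript: and unparseable strings all return null).
function webOrigin(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

// True when the host is a bare IPv4 or IPv6 literal rather than a domain name.
function isBareIpHost(url) {
  const host = new URL(url).hostname; // IPv6 literals keep their brackets here
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

// Record a user-trusted site. Refuses anything that is not a real web origin,
// which is exactly the "I could allow about:blank, but..." problem above.
function trustOrigin(url) {
  const o = webOrigin(url);
  if (o === null) return false;
  trustedOrigins.add(o);
  return true;
}

// Decide whether a page at pageUrl may run a script loaded from scriptUrl.
function scriptDecision(pageUrl, scriptUrl) {
  const pageOrigin = webOrigin(pageUrl);
  const scriptOrigin = webOrigin(scriptUrl);
  if (scriptOrigin === null) return { allow: false, reason: 'non-web source (e.g. about:blank)' };
  if (pageOrigin !== null && scriptOrigin === pageOrigin) return { allow: true, reason: 'same origin as page' };
  if (trustedOrigins.has(scriptOrigin)) return { allow: true, reason: 'origin trusted by user' };
  if (isBareIpHost(scriptUrl)) return { allow: false, reason: 'cross-origin script from a bare IP address' };
  return { allow: false, reason: 'cross-origin script from ' + scriptOrigin };
}
```

The sample URLs (cnn.com, virusworld.net, a3.com, 203.0.113.5) are illustrative values taken from or constructed for the post, not real script locations.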

So, I may be done with facebook.  It hasn't even been a day, and I am sincerely hoping the facebook developers realize their glaring error and remove this reliance on "about:blank" (after all, it worked before without introducing this security hole).  But, until they fix the issue, you probably won't see much of me on facebook (unless I post something through this blog or YouTube).

Again, I hope they fix their mistake very soon.  I absolutely LOVED getting back in touch with everyone!

Thursday, October 22, 2009

Absurdism in HTML

For various reasons, I've been thinking about absurdism lately. I'm especially fond of works such as Tom Stoppard's "Rosencrantz and Guildenstern Are Dead", and Samuel Beckett's "Endgame" (both of which I happened to see at UMD many, many years ago ... maybe that has something to do with it). But of all the places you might find absurdism, I never expected to see it in HTML code.

Today, buried in the depths of JSP/HTML, I came across a "summary" attribute for a table that made me really stop and think. Now, the point of a "summary" attribute is SUPPOSED to be to alert screen readers and other text-only display devices, and help describe the information contained in the table. This summary was straightforward, and absolutely absurd:

a simple table to hold our rows

Yep. Absolutely correct, yet absolutely useless information. Beautiful, in its way.

Still, if you follow the semantics of the HTML document, what Adobe Dreamweaver does for the "title" element is a downright contradiction:

<title>Untitled Document</title>

Frankly, any software that writes HTML like this shouldn't be trusted.


Saturday, July 18, 2009

Making Music ... maybe

Oh, so many years ago, I got my first PC from my dad, including a program called "Electronics Workbench". My entire goal of this computer was to begin developing circuits for sound design, and experimental music. Well, rather than music, I ended up with a career in computers instead. And here I am today.

Despite how interesting I find computers, I still find that my first love is music. But music, and the cost of musical instruments, is not one of my family's priorities, so I have found little time to take more than a passive role listening to music (and then usually on the bus to & from work, or late at night when everyone else is asleep).

About a year ago, I discovered the Linux MultiMedia Studio (LMMS), a complete open-source sound/song editor. It includes a ton of samples, has several different oscillators and synthesizers for creating your own sounds, full two-way MIDI interface, and of course the ability to sample from other audio files.

Of course, it's quite a bit different than noodling on the piano, or strumming a guitar. It's a lot more like creating your own paint-by-numbers, and then telling the computer, "okay, paint!". So, since discovering this cool system, I've made sure it was installed on every one of my Linux machines ... but have yet to really sit down & give it a good honest try.

So, this morning, I was the first one awake, and sat down with the LMMS manual and walked through the initial tutorial, and tried some of the subsequent experiments. I do feel a lot more familiar with how it works now, and feel like I'm ready to start making some music. Now, I just have to have the discipline to TRY, rather than passively listening to music while playing solitaire or sudoku.

Time will tell ...

Thursday, June 04, 2009

NBA Finals Disappointment

For the past several weeks, ABC has been having problems with the sound not matching the video. I kept hoping that the problem would be fixed before the NBA Finals ...

No such luck! Tonight, the Spanish SAP is playing over the broadcast.

Now, I don't know if the problem is at ABC, or my local Charter Cable (Rosemount, MN). All I know is I was hoping to watch the NBA Finals ... but not knowing Spanish, I guess I'll find something else to do, and check ESPN's site from time to time.

Monday, April 27, 2009

More Charter Cable trouble

So once again, Charter cable is out. Or rather, all I get is a "One Moment Please" screen. This is starting to happen on a weekly basis now. What is really frustrating is there is no number you can call for support - they only have sales (and I don't see the point in upgrading when I can't get what I am paying (being robbed) for). It really makes me reevaluate why I am paying way too much for cable.

Sunday, April 19, 2009

How Novell is Killing SuSE Linux

I just can't hold back anymore. I've been running Linux a long, long time, and in the past five years, I have been working more and more with SuSE Linux. About five years ago (roughly), Novell acquired the rights to SuSE Linux in the United States. They created a set of custom distributions (SuSE Linux Enterprise Desktop, SuSE Linux Enterprise Server), but their plans beyond that have always been questionable. Personally, I am not sure if Novell is even sure which direction they are heading.

One of the first things they did was replace the functioning OpenSuSE mirror system with something of their own design - something that will fail with any large update. Each mirror "hides" behind download.opensuse.org - so the end user has no control over which mirror they are using (all up to Novell). This would not be so bad, but with almost every large update, there is always some piece of software missing. Frequently, this breaks the entire system. You cannot simply choose another mirror - you're pretty much dead in the water until someone updates that mirror (which you can only find out by trying the update again and again until it works).

Beyond their issues trying to keep their mirrors together, they seemed to forget the purpose of an operating system with the release of OpenSuSE 11.1. Now, most of the time with software, a "dot" release is an update, not a complete rework. Not so for Novell and SuSE! OpenSuSE 11.1 breaks more things than it fixes. In 11.0 sound worked, you had a configurable (and more secure) login manager, just to name my two biggest annoyances. My SuSE 11.0 played sound beautifully, PulseAudio worked well, and I had made this system a central part of my music system. That was over as soon as I upgraded to 11.1, where it seems like they pretty much threw sound out the window.

And then there's Novell's commercial offering. SLES and SLED 10 have held on to Java 1.4 well beyond its end-of-life, and now SLES and SLED 11 are skipping right to Java 6. So, for all those apps certified for Java 5 (like, well, all of them), obviously SLES and SLED are not for you! Or, be prepared to maintain your own custom install of Java, separate from the system (and why are we paying for support?). Worse, their "support" forums actually suggest users mix their distributions - just combine OpenSuSE repositories with the SLED/SLES repositories in your list of update sites. Following this piece of advice will guarantee you break your system beyond repair!

Novell has made SuSE into a useless nightmare. All the predictions were true.

Go Ubuntu!!!