K-Squared Ramblings

CSS Outlines

I’d never bothered with the outline property in CSS before, mainly because I could never see what made it different from border. OK, it doesn’t affect the object’s size or position, but you can account for that when designing a page. And I could see it might be useful if you wanted to have a two-layer border around an object, since the outline starts just outside the border.

Well, Firefox is nearing 1.1 alpha, and among the new features is real support for outline. I figured I’d set up a test page and see what happened.

I set up two classes, one which applied an outline and one which applied a border, and just tried them on different objects. <p> only looked different in positioning (since border is just inside the edge, and outline is just outside), but <span> illustrated the difference clearly:

The first paragraph has some text with an outline. The second has text with a border. In both cases, the text wraps at the edge of the window, but while the border breaks and picks up again on the next line—as if the span had simply been chopped into pieces—the outline completely encloses each section on its own. This fits with its intended purpose, which is “to make [elements] stand out.”

Opera and Konqueror (and presumably Safari) seem to handle outline already, and display my test page the same way as Firefox 1.1.

Therapeutic Immolation

Another subject line, this one on a pill spam:

immolatel Therapeutic Mu

Yes, I think many people would find it therapeutic to immolate a spammer.

Spamanagram

Subject line (slightly expurgated) from a spam this morning:

Wow MILFS can f*** like mhrotefucesrk!

My first thought was, “like what?” Then I realized it was an anagram. Not unlike the naked sushi spammers, just taken a bit further to the point where it took a few seconds to realize it wasn’t just gibberish. And of course, if you think about it, the statement isn’t entirely logical.

Actually, the rest of the message is rather bizarre. I’m not sure how much I want to actually paste here, though. The footer is safe enough, if odd:

Showing us the beautiful light,
The chalice holds what quenches thirst
Not for me, while I stare at the cold moon

They missed the chance to make the last line an unsubscribe link, and the text is different in the plaintext part, so it’s clearly just random poetry bits.

The website clearly uses a wildcard name, and one of the links is to horrible.bl******.com (with a few extra letters)—not exactly enticing.

Fantasy Gaming: Good News and Bad News

I’ve started installing games on the new computer, some of which I haven’t played in over a year.

Arcanum seems to work fine, and maybe now I can actually play it. (It stopped working on the old computer, so I moved on to other games.)

Heroes of Might and Magic IV installs fine, but Game Update can’t find the server to grab patches. I assume that’s because 3DO doesn’t exist anymore. If I’d been able to just download the installers and save them locally, I’d be able to run them. So I’ve got a fully-patched copy on a computer I’m getting rid of, and I can’t install it on the new one. This is a major problem with download-on-demand software updaters.

Arcomage, the card game embedded in Might and Magic VII, which was later released stand-alone, and is a fun puzzle game to while away 15 minutes…refuses to install on Windows XP.

And now the good news. Since Ubisoft bought the rights to the Might and Magic brand, I went there looking to see whether they had picked up support of any of the older games. They do have the patches… and I just learned that Heroes V is in the works!

Setting up Windows

We finally replaced our 4-year-old Windows Me computer with a new Dell (I’d had enough of building computers a few weeks ago) and it arrived yesterday. Katie had already asked me to upgrade her Mac while she made pizza for an office party. I had planned to finish installing Tiger first, but once you get past a couple of options and the EULA it’s all a matter of waiting for it to finish.

There’s something oddly exhilarating about simultaneously setting up both a Mac and a PC.

Of course I spent the next few hours registering the pre-installed software and updating everything. Run Windows Update. Reboot. Run LiveUpdate for Norton Internet Security. Reboot. Run Office Update (twice). It’s nice that Dell will pre-install stuff for you, but given that the computer is built to order, you’d think they could apply the updates before shipping.

With today’s hostile internet, it would greatly benefit not just new computer owners but the world at large if Microsoft (and Apple and Red Hat, while we’re at it) would take a cue from SuSE and Mandrake and tie their update systems into the setup process.

To Microsoft’s credit, Windows XP setup gives you a chance to turn on automatic updates, and recommends it to the point of “Well, if you really want to turn it off, you can, but you’ll be sorry!” And I’m reasonably certain Windows Firewall was turned on by default (i.e. it’s on now, and I don’t remember turning it on), though Norton supersedes a lot of its functionality. Depending on the default firewall rules, that should mitigate the impact of any worms that happen to pick your IP address before you run Windows Update.

Correction: It seems Windows Firewall wasn’t on as I thought. Norton Personal Firewall kept asking me whether I wanted to disable redundant rules (makes sense) or disable Windows Firewall entirely (I told it no—twice), so I assumed it was running. I hope it was only off because Norton was pre-installed.

Follow that link!

Making the rounds this week: IO Error’s critique of “nofollow”, the link add-on that was supposed to stop comment spam, but hasn’t even slowed it down. He suggests that it was never intended to: it was simply a sneaky way to lower blogs’ rankings in search engines.

Now, I don’t have a problem with the idea of being able to tack a note onto a link and tell Google not to treat it as an endorsement. But the way it’s been implemented in most blog software—blindly applying it to all links in comments—is overkill. Legitimate, useful, interesting comments should factor into the resource’s ranking, for all the reasons IO Error provides.

Where rel="nofollow" does help with comments is in devaluing the spam that slips through your filters overnight. If a search engine bot happens to crawl your page between the time the comment hits and the time you see it and remove it, nofollow will at least make the spam less effective. Of course, you only need it active for a day or two (depending on how often you check). Once you’ve cleaned the junk out, you want what’s left to get the rank boost it deserves. I’ve been using the No Nofollow plugin to do this since March.

In short, I don’t think that rel="nofollow" is a bad idea in itself. It’s just being used the wrong way.

Where’d the spam go?

Aside from the occasional massive spam run, there’s been a fairly regular trickle of spam targeted at the comments on this blog. Dr. Dave’s excellent Spam Karma plugin takes care of nearly all of these using a combination of content filters, blacklists, form checks, signs of proxy use, and more.

On Tuesday I added IO Error’s Bad Behavior. This plugin looks at actual HTTP requests, identifies known spambots and looks for signs of cloaked bots—those that claim to be a browser like MSIE or Mozilla, but don’t act like it—and prevents them from even getting in the door. The advantage here is that you can save processing time and bandwidth on all kinds of bogus requests, not just comment spam, but address harvesting bots, referrer spam, and so on.

Maybe it’s coincidence, but Spam Karma hasn’t seen a single spam attempt since I installed Bad Behavior.

Of course, blocking bots won’t catch the occasional person who posts comment spam the old-fashioned way: by surfing to the page and filling in the form. And eventually bots will do a better job of imitating real visitors, just as phishing attacks have moved from crude, badly-spelled notes to sophisticated forgeries with real logos and disguised links. Spam Karma will still be needed for those.

But the combination looks very promising!

More Netscape 8 Nuttiness

Q: What happens when you break up/fire your web browser-developing group with years of experience, and later hire an outside firm to build your next product?

A: Netscape 8.

IEBlog has an amazing report—which I’ve just verified. Netscape 8.0.1 disables IE’s XML rendering. So if you try to load an XML document—say, an XSLT-styled RSS feed like the feed for this blog—using Internet Explorer or Netscape 8 with IE’s engine, you’ll see either a blank page or an unloaded-image icon.

Apparently every time Netscape 8 runs, it trashes a registry entry that defines how IE displays XML. At this point the only way to fix it is to uninstall Netscape 8 and delete that entry (directions at the above link).

This raises two questions:

1. Why does Netscape 8 alter an Internet Explorer registry setting?
2. Why can Netscape 8 alter an Internet Explorer registry setting?

I’ve said it before (though possibly not here), but Mozilla is much better off now that AOL isn’t calling the shots.

Update June 20: Netscape 8.0.2 fixes this problem.

What do you want?

I just can’t figure out what this message is supposed to be. My first thought was that someone was replying to spam that used a forged sender, but it scored 11 points in SpamAssassin for forged headers (it claimed to be from Yahoo, but wasn’t), a date stamp from the future, and Bayesian analysis.

From: Stock Advisor <probably fake address>
To: Stock Advisor <target address>
Subject: Go where?

>Go Away!

To top it off, it showed up in several spam traps with different subjects and senders, but the same two-word body. Maybe it’s a probe of some sort?

Class Dis-Mythed

Phil Foglio once again illustrates the Myth Adventures universe in the next book in the series: Class Dis-Mythed.

I don’t know how much of it is Jody Lynn Nye’s influence and how much of it is just Robert Asprin being re-energized about the series, but since they started collaborating the books have improved drastically. The new ones have much more of the feel of the early series, before Asprin burned out on it and spent a decade working through writers’ block.

(via the Studio Foglio newsletter.)

Open Letter to WordPress Plugin Authors

Please, when developing your plugins, be sure to always use the full opening tag for PHP:

<?php code goes here ?>

On some servers—maybe even your own—you can shorten this to just the opening <?. The following line in php.ini will disable this “feature,” and many web server administrators do so to simplify things like generating XML with PHP:

short_open_tag = Off

When this option is set, PHP will ignore <? and assume it’s simply part of the template… along with all the code following it. If you’re lucky, it means a bunch of PHP code gets sent to the web browser. If you’re not lucky, it results in invalid syntax, and PHP grinds to a halt, spitting out a blank page and a PHP Parse Error.

So please make sure you always use the full opening tag so that your plugin will be compatible with everyone’s system. If you run your own server, set that option in php.ini so that if you miss one, you can catch it before you post it.

Updating Netscape—the old-fashioned way

People have justifiably criticized Firefox’s update system. It’s nowhere near what anyone wanted for 1.0, and it’s apparently a priority for 1.1. But for all its faults, at least they managed not to release a browser with publicly-known security vulnerabilities* to immense fanfare, then release a fixed version a day later—without any fanfare I could see—the way “Netscape” did.

Six days later, my copy of “Netscape” 8 still hasn’t noticed that there’s a critical security update available, even when I tell it to check. Fortunately I’m not using it for everyday browsing, since I just grabbed it out of curiosity. I finally gave up and downloaded 8.0.1, just in case I forgot about it later.

*Just as Netscape 6-7 were based on Mozilla, Netscape 8 is based on Firefox. Netscape 8.0 was based on Firefox 1.0.3, which contained a pair of security bugs that had already been fixed in Firefox 1.0.4. Given that the holes were widely publicized on May 7, Mozilla released a fix on May 12, and AOL released Netscape 8.0.1 on May 20, I don’t see why they couldn’t have incorporated the fix for the May 19 release.

“Alicia” Returns

Remember the guy who noticed the same model in a ton of spam and started stringing the ads together into An Unsolicited Commercial Love Story?

In the past week I’ve noticed the same model showing up in ad banners on various sites, particularly IMDB and Comics.com—some of them using the same stock photos. (And someone should tell Comics.com that they’re being extremely rude by not only bypassing attempts to block pop-ups, but popping up two windows per visit. Sitck with the banners, willya?)

Incidentally, the mystery model was eventually spotted eating lunch in a cafe in Auckland by a reader of cockeyed.com, and she added her own comments to the story.

Elephants in the Web 1: Opera

There’s a saying about the elephant in the room that no one will talk about. Everyone knows it’s there, but by some unspoken rule no one will mention it. I’ve noticed that when web browsers are compared, there’s one thing Opera supporters tend to ignore or downplay: Opera’s business model.

Internet Explorer and Safari are bundled with their respective operating systems, and so they’re perceived as free. Firefox is free in both the gratis and libre senses of the word. Opera, however, is ad-supported by default and will disable the ads if you pay for it.

You can use Opera without paying money, but you’re still paying it in attention (a persistent chunk of space dedicated to advertising), so in comparison to the other three leading browsers, it’s perceived as being less free. Think of it in terms of television.

So the perception of cost looks like this:

• IE, Safari, Firefox (commercial-free TV)
• Ad-supported Opera (network TV)
• Paid-for Opera (cable or satellite)

Most people really do prefer free without ads to free with ads or paid subscriptions. Why else is skipping commercials one of Tivo’s most popular features?

I’m certain this impacts marketshare, and it definitely impacts media coverage. Just look at CNET’s recent IE vs. the world review. Opera 8 gets high marks for features, but what’s the summary? “Despite a ton of great technology in Opera, few consumers will be likely to pay for the app. ” Whether you think the review is otherwise fair or not, the business model clearly lowered it several notches on the reviewer’s scale.

Next: Firefox’s blind spot.

Disclaimer: I’m a regular Firefox user these days, but I’ve also paid to register Opera since version 3.5 was current back in 1999. I used Opera as my main web browser on Windows back when Netscape 4 was aging and Mozilla hadn’t yet stabilized enough to replace it.

Super-Spawn: Titans

A thought: the original Teen Titans are beating the Justice League when it comes to passing on their super-genes. Leaving out possible-future stories and backstories, it comes down to just Aquaman of the core group, and Green Arrow as the most prominent member outside the “Big 7.”

As for the original 5 Teen Titans (now in their mid-twenties):

Speedy – now Arsenal, has a preschool-aged daughter, Lian (by way of international super-villain Cheshire).
Wonder Girl – now Troia, had a son Robert with her husband, but both were killed in a car crash.
Aqualad – now Tempest, has an infant son Cerdian with his wife Dolphin.
Kid Flash – now Flash, nearly had twins, but a villain beat his wife Linda so badly she not only miscarried, but lost the ability to have any more children. Update Nov. 2005: Time travel altered the attack, and Linda gave birth to healthy twins (who have yet to be named in print).
Robin – now Nightwing, no kids.

And of course if you do add in future stories, all five had children in Kingdom Come… who came back to visit the present-day mainstream DCU in “Who Is Troia?” in 2001.

Admittedly the mortality rate is high, but the 60% 80% birth rate certainly beats the core League’s 14%.