K-Squared Ramblings

Powerless at the Mall

How an outdoor mall dealt with a lunchtime power outage. And some Apple observations.

• Power’s out at mall. No teriyaki bowl for me. Subway it is! (Hmm, and no iced coffee either. *sigh*) #
• Near as I can tell, the Apple store is just completely shut down. Hazards of making checkout depend on computer network, I guess. #
• For contrast, Subway just dug out a pad of paper credit card slips & did texture rubbings w/ a pen. #
• Odd: muzak is so omnipresent I didn’t notice it was still playing. Speakers must be on another circuit from the stores. #
• Turns out only some buildings have lost power. Including all the coffee except Starbucks. But Jamba Juice has power! #
• Was weird walking through mall at lunch seeing lighted stores on right & dark on left. Some stayed open, some closed, some adapted. #
• Coffee Bean mostly closed during the power outage, but set an employee out front with 2 urns of coffee. No ice, though. #

Links of the Day

• Mac users: if you upgrade to Snow Leopard, be sure to re-update Flash afterward. #
• Impressive LA fire pix at Flickr. #stationfire #

Adobe Vulnerabilities Everywhere

Uh-oh: 80% of web users running unpatched versions of Flash/Acrobat. These are being exploited, so check your system! #

BOB This Way! & Reality Bytes

• Sign taped to light pole: “BOB →” #
• This doesn’t look good: major data breach claimed at T-Mobile. #
• One day, someone will take a collection of popular songs from the 1990s and turn it into a nostalgia musical. #

Social Malware

Malware spreading “via” social networking sites? Sounds like it’s impersonating them phish-like. Worth a look, tho #

Fall, Spelling, WPA2, Jokes

• Fall in SoCal = checking the weather report daily to decide between shorts or a heavy jacket. #
• I keep seeing pill spam with sensational election-related subjects. Oddly they can spell Obama correctly, but consistently write “McCane” #
• OK, chicken-and-road jokes are old hat, but this set using (mostly political) celebrities is new to me. #
• Time to upgrade your wireless network security to WPA2. #wifi #security #

Flagging (Non)-Spoofed Mail

Following up on the PayPal anti-phishing discussion of a few weeks ago, I see that PayPal is promoting a service called Iconix. You install the program on your system, and it looks at your inbox for messages that claim to be from one of its customers. It tries to verify them “using industry-standard authentication technologies such as Sender ID and DomainKeys.” Messages that pass get a lock-and-checkbox icon attached to the sender’s name, and in some cases the name is replaced by the sender’s logo.

On the tech side, it’s similar to SpamAssassin’s whitelist_from_spf and whitelist_from_dkim features. Both allow you to specify a sender to whitelist, and it will only give a message special treatment if it can verify the sender.

On the user-interface side, it’s similar to EC certificates, in that it tries to highlight a “good” class of messages rather than flag or filter out a “bad” class.

It’s not a bad idea, actually, and now that I’m surprised I haven’t seen something similar in other email clients. It’s sort of like setting up custom rings or images for images on your cell phone address book

They seem to be focused on webmail and Outlook so far, and only on Windows, but it looks like the perfect candidate for a Thunderbird extension. They do have a sign-up form to notify you when they add support for various programs and OSes, and I was pleased to see not only Thunderbird and Mac OS listed, but Linux as well. Too often, Linux gets forgotten in the shuffle to ensure compatibility with every Windows variation.

Links: Freedom and Security

The CBLDF has issued a press released detailing the victory in the Gordon Lee case. This was the case in which a comic book store in Rome, Georgia, as part of a 2004 Halloween promotion, was handing out free comics left over from that year’s Free Comic Book Day. Among over 2,000 comics, they accidentally included a copy of Alternative Comics #2, which included a story about Picasso which included him running around his studio in the nude. And they accidentally gave it to a kid. The parents wouldn’t accept an apology, and pressed charges instead. The DA has been determined to make an example out of him, pushing grossly overinflated charges including felonies that would have given him prison time. 3½ years, 3 trial dates, a mistrial for prosecutorial misconduct, and $100,000 in defense costs later, the Rome DA finally agreed to drop the case in exchange for a written letter of apology — which is exactly what the store owner had offered in the first place.

Cookie Security in WordPress 2.5. The latest version of the blogging software has a feature that can make it harder for attackers to grab your login sessions. It involves setting a pass phrase in wp-config.php, one which you’ll never have to remember, but which will be unique to your site. You have to copy the SECRET_KEY section from wp-config-sample.php and add in your passphrase…or you can generate a random code at http://api.wordpress.org/secret-key/1.0/ (be sure to put it in the middle of the file!)

The Internet Storm Center writes on Hundreds of Thousands of SQL Injections — all websites that have been hacked to host various sorts of malware.

Blocking IE6: You, Me and…PayPal?

On Thursday I stumbled across a campaign to Trash All IE Hacks. The idea is that people only stay on the ancient, buggy, feature-lacking, PITA web browser, Internet Explorer 6, because we web developers coddle them. We make the extra effort to work around those bugs, so they can actually use the sites without upgrading.

Well, yeah. That’s our job.

And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?

Slapping the User in the Face

It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.

Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down. Read the rest of this entry »

Webbish Links

The WaSP Buzz recently posted several links to CSS resources, including a rather thorough CSS Reference at SitePoint.

The ISC reminds us that IE7 will be pushed out to WSUS next week, which should help get rid of IE6. Yeah, I’d rather more people switched to Firefox or Opera, but I’m at the point where I’d love to be able to stop worrying about IE6’s shortcomings when trying to build sites. IE7’s shortcomings are much easier to work around. (Sorry to keep harping on this!)

The inventor of Norton Antivirus talks about computer security and has some rather interesting ideas on what policies are worth pursuing…and what policies aren’t. Long passwords? Great for protecting a stand-alone machine, but on a 10,000 machine network, they only need to crack one. Patch everything? Not every vulnerability gets exploited. I’ll have to read the Slashdot thread when I have time; that should be really *ahem* interesting.

Net Links

ISC on Targeted Attacks

Hixie’s Natural Log: Come up with the best test for Acid3 Edit: Strike that, Acid3 has been completed.

Spies in the Phishing Underground (via Slashdot)

Links: Safety Last

Forklift Driver Klaus (a.k.a. Staplerfahrer Klaus)- a parody of work safety films in which a forklift driver blunders through his first day on the job, maiming fellow employees left and right. German with English subtitles. (via TV Tropes: Scare Em Straight)

And, on a more serious note, the Internet Storm Center is reporting on people finding malware pre-installed on digital picture frames, memory cards, etc. Something to watch out for with portable devices that can connect to your computer.

Firefox, Kindle(ing) and more

Firefox 3 Beta 1 is out. Nice so far. Oddly enough, it runs better than the current Opera 9.5 previews on my old Linux box at work, though that mostly seems to be the fault of the find-in-history option.

I usually avoid any sort of shopping on the day after Thanksgiving, online included, but I’ve been getting email from various online stores that are trying to get into Black Friday. Amazon is advertising a Black Friday Sale, and Apple is promoting a “special one-day shopping event” on their website—and annoyingly, neither of them is giving any clue as to what sort of deals are involved. Amazon keeps forwarding me to today’s deals, and Apple just says something’s coming. And neither site lists actual hours. Is it midnight to midnight? What time zone?

Speaking of Amazon, their entire home page is currently taken up by the announcement of their new eBook reader, Kindle. At $400 I’m not going to rush out and buy one, but it looks like they’ve solved some of the main e-book problems: it’s small, light and wireless, and they even bring up the reading-in-bed issue in the intro. The real question is going to be compatibility & openness: It’ll read plain text, HTML, Word, and a few other document formats (and they’re promoting its access to Wikipedia), so it should be possible for other stores to sell books for the device. And what about the e-book offerings themselves? Will they be loaded down with draconian digital rights management like the Adobe ebooks of a few years ago, or are they following the model of Amazon’s MP3 store?* In a nice change, their music downloads are entirely DRM-free and they use it as a selling point. Edit: Per Andrea’s comments and further research, Kindle ebooks are locked down with DRM. No, thanks!

The name, however, makes me wonder how soon they’ll offer Fahrenheit 451.

Finally, the Internet Storm Center has an insightful response to the statement, “There is nothing on my computer that a hacker would be interested in.” Let’s leave aside the question of your personal data for the moment. Just the fact that you’ve got a computer with an internet connection could prove very useful to someone who wants to cover their tracks or just add more power to their own distributed system.

* Amazon’s MP3 store is also surprisingly cheap. I replaced my old tapes of the original cast recordings of Les Misérables (Broadway) and Phantom Of The Opera for $9 each—they run upwards of $30 on CD.

Patch…Friday?

I suppose it’s best to release the security fixes when they’re ready, because any time you pick is going to be inconvenient for someone, but lately it seems like Friday is suddenly in style.

Last Friday saw the release of PHP 5.2.4, on the Friday before—in the US, anyway—a 3-day weekend. This morning Apache released security updates for all three supported branches of their webserver. And this evening—yes, Friday evening—WordPress 2.2.3 came out.

Which reminds me, I’m going to have to start looking at the betas for WordPress 2.3. I think it’ll be a good time for a redesign. Maybe pick a new theme and tweak that one, maybe try my hand at actually designing one. I wonder if the new tagging system can import Bunny’s Technorati Tags.

WordPress 2.1.1 Security Alert

Sometime in the last 3-4 days, someone managed to alter the download for WordPress 2.1.1, adding a remotely exploitable security hole. The WordPress team has declared the release “dangerous” and has issued an update, WordPress 2.1.2, taken from the clean source plus a few fixes. If you run WordPress 2.1.1, upgrade ASAP!

Things worth noting:

• The SVN source that the developers use was not altered.
• Older versions, such as 2.0, don’t seem to have been affected.
• If you downloaded 2.1.1 when it was first released, it’s probably okay.
• 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it’s worth updating anyway.

I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren’t any different, confirming that the initial release was unaffected. That’s also where I saw the changes for that XSS bug.

*sigh* It’s always something…

WordPress 2.0.7 security & feed fix

Just upgraded to WordPress 2.0.7. It fixes a security issue with certain versions of PHP, and it also includes the fix for the feed problem in 2.0.6 and a couple other minor fixes.

According to the announcement, WP 2.1 should be out by the end of the month. Looks like it’s almost time to see how many of my customizations will work with the new version.