Archive for Internet category

Access AIM and ICQ via Google Chat

March 18th 2008 • Internet • 1,363 views • no response

Google just added support for AIM to Google Chat so you can just enter your login details and chat right away from your GMail or Google Apps for Domains account as if they were Google Chat users.

Better yet you can actually enter your ICQ number in the user-name box, fill in your password and integrate your ICQ account although this is seemingly undocumented and likely just a result of the ICQ and AIM integration from some time back.

It’s not as comprehensive as the fantastic Mac-app Adium or the clever Meebo web-interface and doesn’t offer support for MSN Messenger like those two but it’s a great extra tool to have at your disposal when stuck behind a proxy needing to get hold of someone.

[)amien

My favourite WordPress plugins

February 11th 2008 • Internet • 2,455 views • 7 responses

I’ve been asked what plugins I recommend for WordPress, so here are the ones I currently use. Some of them require work in your theme – I started with the Redoable 1.2 theme, which supports many of them.

Akismet

Probably one of the most well-known plugins for WordPress, this little wonder screens all comments for spam using the Akismet web service. Get a key to access the service by signing up at WordPress.com and then configuring it in Plugins > Akismet Configuration.

Feed Statistics

I don’t want my subscribers under the control of a third party, but I do like FeedBurner’s subscriber counts and analysis tools.

The Feed Statistics plugin provides a small subset of that functionality, the important one being a subscriber count which I now show in the sidebar. I went with a 3 day count configured from the Feed Statistics settings in the WordPress admin.

Google Analytics for WordPress

There are a bunch of Google Analytics integration plugins out there, but Google Analytics for WordPress appears to be the one currently using Google Analytics’ new tracking code (ga.js) instead of the old Urchin one. This actually uses a new URL and technique that hopefully won’t be blocked by so many viewers and also promises access to exciting new features as they become available…

Google Reader widget

I’m still in love with Google Reader especially since they added search to it (quite how they forgot that I’ll never know). One of the great things is that you can share your stories with your friends or better yet expose it as another RSS.

Google Reader widget adds a sidebar widget showing the stories you have chosen to share, so there is no need for the annoying link-list posts (unless you need to add opinion or commentary, of course). Configurable via Plugins > Google Analytics.

Gravatars2

Blogs that don’t allow comments don’t get onto my Reader list without a fight. Without comments a post can’t be trusted – the author isn’t interested in any other opinions or thoughts.

Gravatar is a great site where you can register a picture with your email address so any site implementing Gravatars will show it next to your comments. In no time you’ll start recognising faces and pictures and decide if you want to check out their blogs too.

The Gravatars2 plugin puts those images next to the people who comment on your blog and can helpfully cache them locally for you given permission. It is configured from Options > Gravatars and the cache managed from Manage > Gravatar Cache.

Gregarious

Social bookmarking is incredibly popular through sites like Digg, StumbleUpon, Reddit, Delicious, Technorati, Windows Live Favourites or plain old email.

Gregarious takes care of providing links to submit your posts to these sites at the whim of a passing viewer. You can configure it in Options > Gravatars to choose the sites you want (I added DotNetKicks with a URL of http://www.dotnetkicks.com/kick/?url={url} ) as well as having it email you when a post is dugg and draw those famous little ‘n diggs’ yellow buttons.

Related Posts

Problogger’s Darren Rowse recommends interlinking posts to keep readers on your site and interested.

Related Posts automatically provides a list of likely related posts & pages based on keyword matching.

StatPress

Google Analytics is nice but the stats tend to lag a bit behind and sometimes you want to know what’s happening right now.

StatPress collects and reveals interesting real-time stats on Dashboard > StatPress, including per-day and per-month counts of visitors, pageviews, spiders and feeds as well as recent hits, search terms and referrers. It also shows some visitor analysis and an interesting spy mode that shows recent visitors’ paths through the site, including how they got there.

My only complaints are that the MySQL database grows quite quickly and the analysis pages are slow. This is most likely caused by logging and analysing raw data. Still, it seems a lot less resource hungry than FireStats.

WP-PostRatings

An attempt to get quick feedback on what posts people are finding interesting and which aren’t with a simple star-rating next to each post.

Through no fault of its own, WP-PostRatings has failed rather miserably here, with few people wanting to click a star to rate a post. It will be dropped in the redesign.

WP-PostViews

Another visitor-retention seeking effort. By presenting the most popular content in the sidebar I’m hoping to entice people to look at a couple of other posts and hit the magic RSS subscribe button.

WP-PostViews records the stats and provides a method to get the post stats out that you can put into your theme, but most importantly it comes with a widget to render a sidebar full of your most popular content.

[)amien

Friends Reunited violates own privacy policy to spam users

December 12th 2007 • Internet • 764 views • 2 responses

Hello Damien
You have received this email as a customer of our sister company, Friends Reunited.

Stared back at me from my inbox yesterday, purporting to be from UK television company ITV. It was curious because I always de-select the marketing option. I visited the Friends Reunited site to confirm the option was indeed off, which it was. More interestingly, it stated the option covered their own marketing messages only, not third parties, which their privacy policy clarified:

We, and (where relevant) our credit card processing agents, will not supply your personal data to a third party for commercial exploitation – thus, you can rest assured that we will not sell the lists of our Members’ email addresses to a third party; and

Yet here they are doing exactly what they claim not to.

Two subsequent emails to their support team resulted in one stating they had switched my third-party emailing option off (there is no such option; they claim never to do it at all) and, when I clarified this for them, another stating:

All members’ comments and suggestions are noted and passed onto our management team for consideration.

Such blatant disregard for their own policies and European regulation should not be ignored. If you live in the UK and a UK company is spamming you then complain to the Information Commissioner’s Office.

[)amien

How dangerous is HTML injection?

December 10th 2007 • Internet • 4,746 views • 9 responses

A few years ago I believed that HTML and SQL injection vulnerabilities were headed for extinction. Thanks to object-relational mapping tools SQL injection continues to die, but HTML and script injection vulnerabilities are as popular as ever.

Part of the problem stems from the “back-to-basics” approach to rendering web pages: throwing out classes and controls for string-based libraries (primitive obsession) and helpers which do not encode HTML, or even offer a concise, simple syntax to do so.

MonoRail was one such project, but they took feedback on board and addressed the issue, although I was surprised it had got as far as release candidate 2 with such a serious oversight.

Other projects have been less responsive when advised of the problem and I can’t help but wonder if I am not getting the severity of the issue across. This isn’t just an annoyance but a real security problem.

If you are not familiar with:

  • HttpUtility.HtmlEncode (.NET)
  • Server.HtmlEncode (ASP)
  • htmlentities/htmlspecialchars (PHP)
  • html_escape (Rails)
  • {! } (MonoRail Brail)

and your web apps output data then they are likely open to HTML & script injection vulnerabilities.

Vulnerable code often looks like this:

myLabel.Text = Request.Form["Something"];
Response.Write(Request.Cookies["AddedProduct"]);
<%= myDataReader[0] %>
<?php echo get_the_title() ?>

For more ASP.NET examples check out 5 signs your ASP.NET application may be vulnerable to HTML injection.
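As an added illustration (my own example code, not from the original post or any of the projects it mentions), here is the same defect and its fix in Ruby, the language behind the html_escape helper listed above. The request data is constructed for the example; it deliberately includes a cookie and a User-Agent header because those are as untrusted as a form field. CGI.escapeHTML plays the role the listed encode functions play in their respective frameworks, and a small review-time check shows how to tell encoded output from leaked markup:

```ruby
require 'cgi'

# Constructed sample request (not taken from the page). Everything in it came
# from the visitor's browser, so all of it is untrusted, headers included.
SAMPLE_REQUEST = {
  form:    { 'Something'    => 'Hello <b>there</b><script>alert(1)</script>' },
  cookies: { 'AddedProduct' => '" onmouseover="alert(2)' },
  headers: { 'User-Agent'   => 'Mozilla/5.0 <img src=x onerror=alert(3)>' }
}.freeze

# The tags the template itself emits; anything else in the output came from data.
TEMPLATE_TAGS = %w[p input li].freeze

# Vulnerable rendering: values are concatenated straight into the markup, the
# Ruby equivalent of the myLabel.Text / Response.Write lines above.
def render_unsafe(req)
  <<~HTML
    <p>#{req[:form]['Something']}</p>
    <input name="product" value="#{req[:cookies]['AddedProduct']}">
    <li>Last visitor: #{req[:headers]['User-Agent']}</li>
  HTML
end

# Hardened rendering: every untrusted value is HTML-encoded at the point of
# output. CGI.escapeHTML encodes & < > " and ', so the result is inert both as
# element text and inside a double-quoted attribute value.
def render_safe(req)
  h = ->(s) { CGI.escapeHTML(s.to_s) }
  <<~HTML
    <p>#{h.(req[:form]['Something'])}</p>
    <input name="product" value="#{h.(req[:cookies]['AddedProduct'])}">
    <li>Last visitor: #{h.(req[:headers]['User-Agent'])}</li>
  HTML
end

# Review/test-time check: does the rendered page contain a tag the template
# never emits, or an on* event-handler attribute? Either means untrusted data
# reached the browser as markup. Returns the list of findings (empty = clean).
def injected_markup(html)
  findings = []
  html.scan(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/) do |closing, name, attrs|
    findings << "unexpected tag <#{closing}#{name}>" unless TEMPLATE_TAGS.include?(name.downcase)
    # Walk the quoted attributes in order; an encoded &quot; cannot end a value,
    # so only a genuine quote breakout produces a new attribute name here.
    attrs.scan(/([a-zA-Z][\w-]*)\s*=\s*"[^"]*"/) do |(attr)|
      findings << "event handler attribute #{attr}" if attr.downcase.start_with?('on')
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(SAMPLE_REQUEST)
  p injected_markup(render_unsafe(SAMPLE_REQUEST))
  puts render_safe(SAMPLE_REQUEST)
  p injected_markup(render_safe(SAMPLE_REQUEST))
end
```

Run it as a script and the unsafe rendering reports the foreign tags and the onmouseover attribute, while the safe rendering reports nothing. The point of the check is that it inspects the page after rendering rather than the input before it: filtering input misses cookies, headers and data that arrived through another channel, whereas encoding at output covers all of them.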

Let’s start by considering the actors involved:

Visitor to visitor

If your site stores input from an external user (visitor) and displays it to another then you could be exposed to this scenario. Many sites do this although it is not always immediately recognised – an internet banking site does not seem an obvious candidate until you consider that you may put a textual reference on payments made to another person. If you know they use a vulnerable internet banking solution…

A worst-case scenario here would be that one visitor could steal another’s login credentials and exploit whatever rights that might give him – anything from posting messages to stealing funds.

Visitor to staff

Not all sites exchange data between users, but if your site collects information from visitors, chances are it presents this information to staff. Internal systems used to examine it are often considered less vulnerable, which is a mistake. Remember *all* data provided by a user should be considered a potential avenue for a dangerous payload, even the Accept-Language or User-Agent strings.

When exploited, internal systems can reveal information in bulk about the users, the system and the administration accounts used to manage it. Gaining access to these details brings all the privileges those accounts have to offer, which can be catastrophic.

Staff to visitor

It is easy to forget that many frauds are perpetrated by people on the inside. A staff member given the ability to present text to the user via a website can modify any page on which that content appears. If that includes a login page (perhaps for system status messages), capturing login details to a server of their own choosing is easy.

Security operators with access to reset (but not view) passwords would find this attack particularly enticing, given that they do not need to reset the user’s account and therefore raise any awareness. An insider can perpetrate the fraud and may be in a position to further conceal it within the organisation.

Next steps?

I can envisage a sequence of steps that starts with discovery of injectable systems, moves through detection of whether scripting is enabled into form capture-and-forward, and ends with asynchronous logging of passwords through XmlHttp.

Detailing those steps would certainly raise awareness and help developers appreciate the severity of the issue but how do I make sure that information isn’t abused?

Disclosure is a double-edged sword, but then you can’t have security through obscurity… I wonder how many crackers/black-hat hackers already utilise these techniques for nefarious means.

.NET developers might like to check out the slides from the Web Application Security talk I gave at the Guernsey Software Developer Forum, which demonstrate exploitable code, exploits and safe alternatives for preventing HTML and SQL injection.

[)amien

Free software projects need a pitch

December 3rd 2007 • Internet • 1,083 views • 2 responses

Open source and free software projects still have much to learn from commercial software, the number one in my book being “the pitch”.

Most free software project home pages consist of a brief description, a list of technical documents and a number of download options but fail to pitch their solution at all.

Today I found myself at the home page for Mercurial which describes itself as

a fast, lightweight Source Control Management system designed for efficient handling of very large distributed projects

The site fails to persuade me to use or even evaluate their product. They present no argument for using their product over non-distributed systems such as Subversion, nor for why I should choose their product over distributed systems such as Git (which has associations with Linus and Google).

Contrasting that experience to the home page for Perforce, a commercial (non-distributed) product for source control management, we see:

  • “Why Perforce” – the 10 minute pitch that covers their unique aspects such as performance, high-availability databases
  • A quote from customer Clive Maxfield at iDesign pointing out that Perforce handles more than just source code (binary files & assets)
  • Videos showing Perforce in operation so you can see how the product works (and learn it at the same time)
  • Links to comparisons with ClearCase (commercial offering) and Subversion (popular free software offering)

Just because your software carries a $0 price tag doesn’t mean it will sell itself. Evaluating software takes time and effort, which could mean another open source or commercial package is chosen because it either works out cheaper or made a better case for its selection.

When a project isn’t interested in new users, that signals it could be a “pet project” written for the challenge and not to address a real need unmet by existing solutions. Until these projects reach a certain level of maturity, and some never do, users can expect to take a back seat in an uncomfortable ride.

So if your project wants users, pitch it.

[)amien