Posts Tagged ‘security’

Don’t do this: Initially visible ‘loading’ images

Sunday, October 10th, 2010

A common pattern on interactive web sites is to include a ‘loading’ image (sometimes called a ‘throbber’), and display the image when an asynchronous action is taking place. This is usually implemented by placing an animated GIF inside a div that is initially hidden, and is displayed by JavaScript that is executed when the action begins.

However, bad things can happen when you do not initially hide the loading image using CSS. I’m an advocate of using NoScript to block JavaScript execution on untrusted sites, and I found a site that had a working throbber in my face while trying to read a blog post. Because NoScript blocked the JavaScript execution, the code that initialized the loading image by hiding it never executed, and the annoying circular ‘spinning wheel’ made me move on without reading the post.

The way it should work:

  1. Set the initial style of the loading image <div> to include display: none; put this in the page’s CSS (stylesheet or inline style attribute), not in script, so the image stays hidden even when JavaScript never runs
  2. When the action starts, modify the <div>’s style to display: block;
  3. When the action ends, return to display: none;
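The three steps above, as an added example that is not code from the original post. The markup it assumes (a #loading div hidden by static CSS, a spinner.gif inside it) is the example’s own; the element is passed in rather than looked up, so any object with a style property works and the logic can be exercised outside a browser. It also handles two cases the steps gloss over: an action that fails must still hide the indicator, and overlapping actions must not hide it while one is still pending.

```javascript
// Added example (not code from the original post): the pattern the post
// recommends, with the indicator hidden by static CSS and JavaScript only
// revealing it while an asynchronous action is in flight. A browser that never
// runs the script (NoScript, a blocked or broken script file) therefore never
// sees the spinner.
//
// Markup and stylesheet this example assumes (id and file name are the
// example's own, not from the post):
//
//   <style>#loading { display: none; }</style>
//   <div id="loading" role="status"><img src="spinner.gif" alt="Loading"></div>
//
// The element is passed in rather than looked up, so any object with a
// `style` property works and the logic can be exercised outside a browser.

function createLoadingIndicator(el) {
  // Number of actions currently in flight. The indicator is hidden only when
  // the last one finishes, so overlapping requests do not flicker it off early.
  let inFlight = 0;

  function show() {
    inFlight += 1;
    el.style.display = 'block';
  }

  function hide() {
    inFlight = Math.max(0, inFlight - 1);
    if (inFlight === 0) {
      el.style.display = 'none';
    }
  }

  // Run an asynchronous action with the indicator visible. The finally clause
  // hides it again whether the action resolves or rejects, so a failed request
  // cannot leave a spinner stuck on the page.
  async function run(action) {
    show();
    try {
      return await action();
    } finally {
      hide();
    }
  }

  return {
    run,
    pending: () => inFlight,
    isVisible: () => el.style.display !== 'none',
  };
}

// Browser usage:
//   const loading = createLoadingIndicator(document.getElementById('loading'));
//   loading.run(() => fetch('/api/items').then((r) => r.json())).then(render);
```

Because the script never hides anything, there is no initialization step that can fail to run: with JavaScript off the div is simply never shown, which is the behaviour a reader with NoScript wants.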

Advertising, the Internet, and guilt trips

Sunday, March 14th, 2010

The Internet, Advertising, and Guilt Trips

Last month, Ars Technica decided to run an “experiment” in which they denied site access to browsers that employed an “ad blocker”, followed by an impassioned plea to turn off your ad blocker. The impetus for doing this was that an estimated 40% of site visitors were using ad blockers, and since Ars uses ad views (as opposed to click-throughs) for their ad metrics, users with ad blockers were denying Ars ad revenue, thus ‘stealing’ site content.

Even by Ars’ own admission, the reaction to this act was “mixed”. Many people whitelisted Ars, some even subscribed. However, there were some commenters in Ars’ original announcement (which, unfortunately, are no longer online), who weren’t too happy about it.

The reason may have been the way in which content was denied: Ars simply served a blank page. There was no indication as to why, or what could be done to remedy the problem. It wasn’t until Ars published their plea that it became known what was happening.

Perhaps if Ars had only swapped the order of events, things would have turned out better. Had the post explaining how ad blocking was affecting the company come before the “experiment”, then active visitors could have prepared to avoid the blank pages, or at least known why the blank pages were being served. According to comments in Ars’ post-experiment post, all some needed to whitelist the site was to just be asked to do so.

I do enjoy Ars’ content, and read their RSS feed daily. I reluctantly decided to run my own experiment and whitelist arstechnica.com, and continue to do so to this day. I find that their advertisements aren’t distracting (for the most part, there is the occasional animated Flash ad), but I feel as if I was guilt tripped into doing it.

In the month since whitelisting, I haven’t regretted doing so. The ads served by Ars do not detract from the content for the most part, and are usually related to what I’m reading (they’re usually tech focused). I don’t mind that, as long as the substance AND STYLE of the ad match the article. I don’t mind seeing animated or video advertising if I’m on a site that provides video content, but if I’m reading an article with static text, then the ad should be static as well, not Flash or an animated GIF.

How many animated advertisements do you see in a newspaper or magazine? Unless you’ve been dipping into Timothy Leary’s personal stash, the answer is “none.” Put simply, Ars Technica is an online version of a magazine. The advertising present on arstechnica.com should basically follow how advertising works in print magazines and newspapers. Print ads don’t flash or jiggle, make sound or appear in the middle of the page like magic; neither should ads serving static content.

Print ads also don’t have the ability to see what magazine or newspaper I read next, providing you ignore the possibility of following the trail of filler cards that fall out of a print magazine. There are some online ad purveyors that do like to follow where you go, much like a cyber stalker.

After whitelisting Ars, I noticed I wasn’t seeing ads on every visit. On some visits there would be a banner ad, usually in-house references to other Condé Nast sites, in the header; on other visits the banner area would be blank. I confirmed my whitelist settings, then realized I was still blocking JavaScript. Ads served from the nefarious doubleclick.net were being blocked because I specifically do not allow JavaScript from that domain to be executed because of their aggressive use of tracking cookies.

I don’t mind a web site tracking my visits. I very much mind when a third party, such as an ad server, tracks which sites I visit, and for how long. This is what Double Click did prior to their acquisition by Google. In the days prior to ad blocking extensions, I avoided doubleclick.net by using the hosts file trick to redirect doubleclick.net references to localhost, so nothing would appear, JavaScript and cookies wouldn’t be downloaded, and my actions wouldn’t be tracked. I’m still not convinced they’re behaving like a good net citizen, and I refuse to whitelist them.

Unfortunately, Ars uses Double Click. And since Double Click doesn’t just serve ads, but JavaScript as well, the NoScript extension in Firefox blocks the JavaScript download, which prevents the ad from loading. (The fact that the ad won’t even display if JavaScript is disabled is troubling to me, and it should be troubling to Ars as well.) Even more unfortunate, NoScript will not allow you to whitelist scripts for only a single site. In order to view the Double Click ad on Ars, I would need to allow doubleclick.net JavaScript on all sites I visit. I’m not willing to do that.

Shortly after the Ars “experiment”, I started having troubles accessing some stories on my local newspaper’s site. Most of the time, visiting sacbee.com (The Sacramento Bee) would result in seeing a story. However, every now and again, I would get a very confusing message about needing to be logged in to see a story:

Note that further down the page it says that I am, in fact, logged in. Regardless of what I did, including logging out and back in, and a forced refresh (control-F5), I would get this message, and then only on certain stories. Then, one day, completely by accident, I used a browser without any JavaScript or ad blocking (it was Internet Explorer, which I use only by accident), and stories that had previously been showing the above error were showing fine. I tried with Firefox again, and the very same story I’d just been viewing was still being blocked.

It turns out that sacbee.com also uses Double Click, and it appears that either Double Click or their clients (in this case, sacbee.com) are “pulling an Ars” and refusing content to browsers with ad blocking.  I was able to confirm this by turning off the ad blocking and JavaScript blocking software in Firefox, and the previously blocked article suddenly started appearing.

I’m willing to work with sites and whitelist them if their ads are relevant and not distracting, but don’t expect me to adopt unsafe browsing practices just so I can see your ads. There are some newspaper sites (ahem) that trigger XSS (Cross-site scripting) alerts when JavaScript blocking is turned off. That is a security risk, and I’m not willing to allow that risk just to see ads. If the Sacramento Bee, or any other site serving potential malware, doesn’t want me viewing their pages unless I allow my malware defenses to be lowered, then I won’t view their pages.

Aside from showing advertising in dissimilar media, I don’t like advertisements that slow down page loads. The next time you find yourself waiting for a page to complete downloading, look at your browser’s status bar, and see if it’s waiting on an advertiser. I find that most page “hangs” are due to advertisements. Having content blocked by waiting on an overloaded ad server is infuriating, even more so if you’re being told it’s bad to block ads.

I certainly want the sites I use and enjoy to continue producing content and services, and if that means viewing advertisements, I’m all for it as long as my guidelines are met. Ars appears to be meeting those guidelines (for the most part), so I’m willing to help them out. A great example of how I believe advertising should be done can be found at Instapaper. Instapaper is an offline web reader that offers excellent Kindle integration, and I find it an invaluable resource. Instapaper displays a single, small, relevant ad, served by The Deck, an advertising company I find to be reputable (check out their web site to understand what I mean by ‘reputable’). Any site thinking of using advertising should look to Instapaper (or any of The Deck advertising clients) as an example.

Happy New Year! Now update your passwords!

Saturday, January 2nd, 2010


One of my new year’s rituals is to change my passwords. All of them. Personal PCs, work PCs, servers, and all the websites I visit that require a password. The hardest part of this for me is to actually choose a new password. It has to be secure, but also easy enough to remember. Additionally, each of them has to be at least a little different, in the event that if one of them becomes compromised, I’m not totally screwed.

Passphrases

There’s a trick I learned a few years ago that made creating passphrases (a password made of multiple words) much easier.  Did you know that the space character is a valid password character on most systems? That allows you to create an easy to remember short phrase or sentence to log in, instead of trying to remember a sequence of random characters.

The one drawback to this is that typing the space key sounds a little different than all the other keys. This might provide an intruder that has physical access to you a little more information about cracking your password, but I believe that if you make the words in the passphrase long enough, and type it quickly enough, that “hearing” the space key(s) shouldn’t matter.

How to create a passphrase

You want it to be easy enough to remember, but not easy enough to guess. For example, if you’re a well-known fan of Tiger Woods, you don’t want your passphrase to be “in the hole!”, as that would be very easy to guess. The goal here is to be random. And, if you’re like me (and, for your sake, I hope you’re not), you might have a problem thinking about random things. That’s where a random word generator comes in. My favorite is the Random Phrase Generator (that same site also has random words, sentences and paragraphs). You can create a random phrase up to four words long, with the ability to select the type (noun, verb, adjective, etc.) and the obscurity (from Very Common to Obscure), and it will spit out a phrase for you:

The Creativity Tools from watchout4snakes.com

The phrase itself may not satisfy all systems’ password complexity requirements. Many systems may require the presence of at least one character from a certain character set, such as capital letters, numbers and punctuation. Try to mix it up a bit. Instead of using a space, use a punctuation character or number. Or, although it’s frowned upon, you could use 1337 speak; replace l’s or i’s with the number 1, O’s or o’s with the number zero, etc. The reason it’s frowned upon is that it’s a well-known substitution: password-cracking tools apply exactly these swaps as standard rules, so the substitution may not provide much more security than the plain phrase.

Using hashes

I read about this concept a few weeks ago on Lifehacker; it pointed to an article on cybernetnews called “How to Remember Secure Passwords Without Writing Them Down”. The gist of the article is to create an apparently random string of characters using an MD5 hash tool. If you’re technically savvy, you may already have MD5 (as well as SHA) hashing tools on your computer. If not, there’s a web site for that: the Online MD5 Hash Generator. Enter a word or phrase of your choosing, then press the “Calculate MD5” button, and you’ll see a long string of characters generated. All you need to do is remember the first eight or so characters in the hash, and use it as your password. Be clear about what this does and doesn’t buy you: the hash only disguises your phrase, so anyone who guesses the phrase and knows the trick has your password; eight hexadecimal characters can take on only 16^8 (about 4.3 billion) values, so the result is no stronger than a random eight-character hex string; and typing the phrase into an online generator hands it to a third party, so use a local tool for anything you care about.

If you do have the tools, you can use the same technique, but use your favorite mp3 or favorite photo to hash and use the beginning sequence of digits as your password.  At first, I thought this was a crazy way to come up with passwords, but after trying it in a test, I found that you do start naturally remembering the password after entering it several times.  If you forget the password, just redo your hash.

Making them unique

I mentioned earlier that I make all my passwords slightly different to avoid having all my accounts breached if one password is cracked. When creating passwords for seriously sensitive sites (like your bank account, for instance), it should probably be entirely different than your Twitter password, so your financial information remains safe if (or should it be when) Twitter’s password information is breached. Your work passwords should also be completely different than your personal passwords for similar reasons. However, for those not-so-sensitive services, such as the aforementioned Twitter or Facebook, try simply modifying the password in such a way as to personalize it for that site. Perhaps add the first few characters of the site’s domain name to the beginning or end of your password, or somewhere in between. Keep in mind that this is a convenience, not isolation: anyone who sees one such password can read the pattern off the domain fragment, which is why the sensitive accounts above get wholly separate passwords.

So, get to it! Happy password changing!

Attention software developers: Hands off my desktop!

Monday, November 30th, 2009

I returned from the Thanksgiving holiday to find my new PC with a black desktop. It wasn’t the Black Screen of Death; there were (a few) icons on the desktop, and the PC was functioning normally, it was just that my desktop appeared to be a photo of a very deep cave at midnight during a new moon. Perhaps a remnant of Black Friday?

Artist's rendering of my black desktop

At first, I thought it was an issue with Windows activation, since that can cause the desktop to go black if Windows hadn’t been properly activated during install. That was not the case, since there was no activation warning in the lower right of the screen, plus I have system updates turned on, which requires the Windows Genuine Advantage tool (or the Windows 7 version of it, anyway). I also noticed that fonts didn’t look quite right. The smoothing of the fonts in Windows Explorer was gone, and most other fonts looked jagged as well.

After I started poking around, I found there was a dialog that had been minimized telling me that my trial version of Norton AntiVirus had expired. Surely, they wouldn’t black out my desktop and screw with my fonts over that, would they?

Short answer: yes. I had planned on testing out Microsoft Security Essentials, so I uninstalled Norton, and lo, the desktop reappeared! After restarting the desktop came back, the fonts were smooth as a baby’s bumper cushions, and all was right with the world.

The chances of me extending my Norton trial? Very close to zero.  There are ways of communicating with your users other than messing with fonts and desktop backgrounds.  Not cool.

Gartner tells network administrators to “Release the Hounds”

Monday, October 19th, 2009

CNET reports that Gartner execs have told the crowd attending Gartner Symposium that it’s time to relax the network restrictions a bit:

[Gartner analysts] argu[ed] that corporate computing departments shouldn’t block social networking and that security shouldn’t completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can’t.

That is quite a change from the IT “lock it all down” policies that I’ve seen spiraling out of control. In my mind, it would be a welcome change. Lockdowns of corporate networks have gone past the point of annoyance into the realm of complete productivity busting. Over the last year, I’ve encountered everything from being blocked from reading essential information regarding Linux system administration (reason: bikinis and/or lingerie. Seriously.) to being locked out of my corporate network entirely due to a password change that didn’t propagate to my Maven settings (lost time: roughly four hours).

What’s amusing is, as the article says, blocking is futile. I was able to get to the blocked Linux forum by using my iPhone. I can do the same with social networking services. Ditto instant messaging services that are also actively blocked. The only drawback is that it takes a bit longer.

I’ll just have to wait and see if this takes hold in the corporate world.

Chrome Frame: What’s the big deal?

Tuesday, October 6th, 2009

Last week, Google introduced Chrome Frame, an extension to Internet Explorer that allows Google’s Chrome browser to work inside IE. The advantage of doing that would be a much faster JavaScript engine, better rendering, plus support for HTML 5. That’s all great, but why all the fuss? To my eye, this looks like technology for technology’s sake.

The obvious target of this is the standards-ignoring, security-threatening, bloated piece of s…oftware called IE6. I’ve run into many instances of working for clients that MUST use IE6. Why MUST they? Because they work in tightly-controlled PC environments, where they’re unable to download, let alone install, any software. That would include web browsers. Some clients have had such tight security policies that they weren’t even able to control their pop up blocker settings. These are people who have to put up with the inadequacies of IE6 because their IT department doesn’t trust them to install their own software.

I truly feel sorry for people who work in environments where they have no control whatsoever over their PC (remember that the ‘P’ stands for “Personal”). At first, it would seem that this Chrome Frame extension would be a workaround for those stuck in IE to experience modern rendering, the fastest (maybe) JavaScript engine, and some HTML 5 goodness, but it’s not. If they’re unable to download Chrome or Firefox to replace IE, how are they going to download the Chrome Frame extension? If they do not have rights to install, how are they going to install the extension, assuming they were able to bring the extension in from home on a USB drive (although many tightly-controlled workplaces have disabled USB drives as well)? The answer is: they’re not.

OK, so maybe this is for people who can download and install on their own PCs, and THEY can experience the HTML 5 goodness, zippy JavaScript and fancy rendering.  What’s been stopping them? If they can freely download and install, why not just use the real deal and download and install Chrome (or Firefox) in the first place?

Why I hate proxy servers

Wednesday, September 23rd, 2009

“Hate” is a strong word. It’s also a massively overused word. I avoid the use of “hate”, reserving it for the most heinous of nouns.  One such noun is “authenticating proxy server.”  Fortunately, for most of my career, I’ve managed to avoid workplaces in which these roadblocks to the Internet are used.  That is, until my current job.

A brick wall

There was an issue that arose recently that perfectly exemplifies why I hate the proxy server. Somehow, probably through the proxy server itself, I managed to have my account locked out.  While I remained logged in to my workstation, I could not access any resources outside the proxy server. The application I was using apparently needed access to the Internet to phone home (perhaps validating registration or checking for updates), and because my account had been locked, I couldn’t get through the proxy server. When the application couldn’t complete the call home, it decided to crash. Net result: I lost about 30 minutes worth of work.  All because the proxy server was there ensuring that I didn’t go to nasty porn sites.

A similar issue occurs with some development tools, namely Maven.  During a build, Maven checks public repositories for updated libraries used in the project.  If you do not have proxy settings just right, Maven cannot access those repositories, and the build will fail.  Again, all for a little perceived extra security.
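For reference, the proxy settings Maven reads, as an added example that is not from the original post. They live in ~/.m2/settings.xml; the proxy host, port, user name and internal domain below are placeholders, and the password shown is a stand-in for a value produced by Maven’s own password encryption.

```xml
<!-- Added example, not from the original post. ~/.m2/settings.xml: the proxy
     section Maven consults for every remote repository request. Host, port,
     user name and the *.example.internal domain are placeholders. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <proxies>
    <proxy>
      <id>corp-http</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>proxy.example.internal</host>            <!-- placeholder -->
      <port>8080</port>
      <username>jdoe</username>                      <!-- placeholder -->
      <password>{encrypted-value}</password>          <!-- placeholder; see note below -->
      <!-- Reached directly, never through the proxy: localhost and any
           in-house repository manager on the internal domain. -->
      <nonProxyHosts>localhost|127.0.0.1|*.example.internal</nonProxyHosts>
    </proxy>
  </proxies>
</settings>
```

Two practical notes. Maven can store the proxy password encrypted rather than in the clear: run mvn --encrypt-master-password to create ~/.m2/settings-security.xml, then mvn --encrypt-password to produce the value that goes in the <password> element. And with an authenticating proxy this file holds a copy of your domain credentials, so a stale password here is retried on every build and is a common way to trigger exactly the account lockouts described in the Gartner post above; update it whenever you change the password.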

The rules in place for the proxy server to block a site appear to be completely random. On several occasions, I’ve Googled something I was researching, and found the golden nugget of information I needed, only to have the site blocked because it had been tagged as “a BLOG”. OH MY GOD NO, NOT A BLOG! Fortunately, I was able to get around that problem by either looking at Google’s cached version of the page, or using a mobile broadband modem to view the actual site, but either solution meant that I wasted time.

The time lost due to data loss, build problems and blocked research is significant. This happens at least twice a month, and there have been days where this has happened twice or more.  Each “outage” costs me at least a half hour, more when you consider the “in the zone” time that’s lost.

My takeaway from this is that there is less concern about getting things done than there is about blocking questionable content from the Internet.