2009 Jun 12, 12:20
"We have discovered remotely-exploitable vulnerabilities in Green Dam, the censorship software reportedly mandated by the Chinese government. Any web site a Green Dam user visits can take control of the PC. According to press reports, China will soon require all PCs sold in the country to include Green Dam. This software monitors web sites visited and other activity on the computer and blocks adult content as well as politically sensitive material."
censorship china hack security internet greendam
2009 Jun 10, 3:36
I've made an OpenSearchDescriptionToHTML XSLT that, given an OpenSearch description file, produces HTML that describes that file, lets you install it, or search with it. For example, here's a Google OpenSearch description that uses my OpenSearchDescriptionToHTML XSLT.
I had just created an OpenSearch description for WolframAlpha at work and was going about the process of adding another install link to my search provider page so that I could install it. Thinking about it, I realized I could apply an XSLT to the OpenSearch description XML to produce the HTML automatically so I wouldn't have to modify additional documents every time I create and want to install a new OpenSearch description. While I was in there writing the XSLT I figured why not let the user try out searching with the OpenSearch description file too. And lastly I made the XSLT apply to itself to produce HTML describing its own usage.
Incidentally, I added WolframAlpha at work to replace my FileInfo search provider for the purposes of searching for information about
particular Unicode characters. For instance, look at WolframAlpha's lovely output for this search for "Bopomofo zh".
technical xml wolframalpha opensearchdescriptiontohtml xslt opensearch
2009 May 3, 10:26
Seems very similar to that ShellExecute/Firefox app URL protocol handler exploit last year. "A vulnerability in the ChromeHTML URI handler allows an attacker to bypass the Same Origin Policy for any site and also enumerate victims files and directories. When loaded in Internet Explorer, a specially crafted HTML page can launch Google Chrome with an arbitrary URI without requiring any user interaction."
exploit security google chrome browser web url protocol
2009 May 3, 10:36
Looking at the HTTP traffic of Netflix under Fiddler I could see the HTTP request that added a movie to my queue and didn't see anything obvious that would prevent a CSRF. Sure enough, it's pretty easy to create a page that, if the user has set Netflix to auto-login, will add movies to the user's queue without their knowledge. I thought this was pretty neat, because I could finally get people to watch Primer. However, when I searched for Netflix CSRF I found that this issue has been known and reported to Netflix since 2006. Again my thoughts stolen from me and the thief doesn't even have the common decency to let me have the thought first!
With this issue known for nearly three years it's hard to continue calling it an issue. Really they should just document it in their API docs and be done with it. Who knows what Netflix-based web sites and services they'll break if they try to change this behavior? For instance, follow this link to add my Netflix recommended movies to your queue.
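As an added example (not code from this post or from Netflix), here is the server-side check that stops the kind of page described above: a request that changes the user's queue is accepted only if it is a POST, arrives from the site's own origin, and carries a token bound to the session, so an auto-login cookie on its own proves nothing about user intent. The site origin, the request objects and the session ids are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"   # constructed: the service's own origin
SECRET_KEY = secrets.token_bytes(32)   # per-deployment secret used to sign tokens

def issue_csrf_token(session_id):
    """Token bound to one session; a token lifted from another session does not verify."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id, token):
    # Constant-time comparison; a missing token compares against the empty string.
    return hmac.compare_digest(issue_csrf_token(session_id), token or "")

def make_request(method, session_id, headers=None, form=None):
    """Minimal stand-in for a web framework's request object (constructed)."""
    return {"method": method, "session_id": session_id,
            "headers": headers or {}, "form": form or {}}

def is_queue_change_allowed(request):
    """Decide whether a queue-changing request may proceed; returns (allowed, reason).

    request["session_id"] is assumed to have been resolved from the auto-login
    cookie already. That cookie is exactly what a cross-site page rides on, so
    it is not treated as evidence that the user meant to make this request."""
    if request["method"] != "POST":
        return False, "state changes must not be reachable via GET"
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False, "missing Origin and Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "request originates from another site"
    if not verify_csrf_token(request["session_id"], request["form"].get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```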
technical stolen-thoughts csrf netflix security
2009 May 2, 8:54
Humorous Firefox bug description: "This privacy flaw has caused my fiance and I to break-up after having dated for 5 years."
firefox bug humor privacy browser web
2009 Apr 20, 3:37
Web service that hosts avatar images for things like blog comments. The image is ID'ed by a hash of the user's email address. The image is auto-generated or, if the user signs up, it can be whatever they upload. Lots of plugins for different blogging platforms.
blog web photo avatar image authentication identity icon hash
2009 Apr 20, 3:14
This site does user-generated reports on (mostly) spam phone numbers. They have a RESTful API to get at that data too! I'm looking for more like this.
api phone spam search reference telemarketing telephone lookup
2009 Apr 7, 12:12
HTML5's registerProtocolHandler seems to come from a cool Firefox 3 feature: "With web protocol handlers, the web application can register the specific protocol it wants to handle. Firefox will then prompt the user to choose which of the registered applications (web or desktop) it should use to handle the action. Any protocol, real or imaginary, can be used - mailto: is only one example, webcal:, tel: and fax: are others."
firefox uri scheme protocol mozilla html5 registerProtocolHandler
2009 Apr 7, 9:02
I'm a big fan of the concept of registerProtocolHandler in HTML 5 and in Firefox 3, but not quite the implementation. From a high level, it allows web apps to register themselves as handlers of a URL scheme so, for (the canonical) example, GMail can register for the mailto URL scheme. I like the concept:
- Better integration of web apps with your system.
- It's easy for web apps to do.
- Links to URNs can now take the user to the sites the user prefers for the sort of thing identified by the URN. For example, if I have a physical address in HTML, instead of making that an http link to Yahoo Maps, I can make the link a geo scheme URI and those who follow the link will get their preferred mapping site that has registered for that scheme. Actually, looking at the geo scheme's RFC, maybe I'd rather use some other URN scheme to represent the physical location, but you get the point.
However, the way it's currently specced out I don't like the following:
- There's no way to know if you are the handler for a particular URL scheme, which is an important question for web app URL protocol handler authors.
- There's no way to fall back to an http URL in the case that a particular URL scheme isn't registered. A suggested solution to testing the registration of a scheme is for browsers to provide an additional script method to check if a scheme is registered. I don't like the idea of writing script that walks over all my page's links and rewrites them based on that method. I'd much rather see a declarative and backwards compatible fallback mechanism, although I don't know what that would look like.
- There's no way to register for a namespace within the urn scheme URI, the info scheme URI, or the tag scheme URI. I want to register info:lccn/... (Library of Congress Card Number identifiers) to LibraryThing or Amazon and I want to register urn:duri:... (dated URIs) to the Web Archive, among other things.
- Will this result in a proliferation of unregistered URL schemes with clashing namespaces? The ESW Wiki notes why this would be bad.
- And last, although this is nitpickier than the rest, I don't like the '%s' syntax used in the registration method. I'd much rather pass in a URL template, like the URL template used in OpenSearch. If a URL template is used for matching rather than registering against a particular URL scheme, this could also allow for registering a namespace within a URN. For example, something along the lines of:
registerProtocolHandler("info:lccn/{lccnID}", "http://www.librarything.com/search_works.php?q={lccnID}", "LibraryThing LCCN")
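As an added example (not code from this post or the OpenSearchDescriptionToHTML post above), the two uses of URL templates on this page worked through in Python: parsing an OpenSearch description and expanding its Url template with percent-encoded parameters, and matching a URI such as info:lccn/... against a registration template to choose a handler, as proposed in this post. The sample description, the example.test origin and the handler table are constructed; the LibraryThing target URL is the one from the post.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

OS_NS = "{http://a9.com/-/spec/opensearch/1.1/}"
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_:]+)(\??)\}")   # {name} or optional {name?}

# Constructed sample OpenSearch description, not a real provider's file.
SAMPLE_DESCRIPTION = """<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Example Search</ShortName>
  <Url type="text/html" template="https://example.test/search?q={searchTerms}&amp;p={startPage?}"/>
</OpenSearchDescription>"""

# Handler table in the template form proposed in the post (constructed).
HANDLERS = [("info:lccn/{lccnID}", "http://www.librarything.com/search_works.php?q={lccnID}",
             "LibraryThing LCCN")]

def parse_description(xml_text):
    """Return (ShortName, [(type, template), ...]) from an OpenSearch description."""
    root = ET.fromstring(xml_text)
    urls = [(u.get("type"), u.get("template")) for u in root.findall(OS_NS + "Url")]
    return root.findtext(OS_NS + "ShortName"), urls

def expand_template(template, params):
    """Fill an OpenSearch-style template; values are percent-encoded so a search term
    cannot smuggle extra query keys, and an absent optional parameter becomes empty."""
    def fill(m):
        name, optional = m.group(1), m.group(2) == "?"
        if name in params:
            return quote(str(params[name]), safe="")
        if optional:
            return ""
        raise KeyError(f"missing required template parameter {name}")
    return PLACEHOLDER.sub(fill, template)

def template_to_regex(match_template):
    """Turn a registration template such as info:lccn/{lccnID} into an anchored regex."""
    pattern = re.sub(r"\\\{(\w+)\\\}", r"(?P<\1>[^/?#]+)", re.escape(match_template))
    return re.compile("^" + pattern + "$")

def route_uri(uri, handlers):
    """Return (title, target URL) for the first handler whose template matches, else None."""
    for match_template, target_template, title in handlers:
        m = template_to_regex(match_template).match(uri)
        if m:
            return title, expand_template(target_template, m.groupdict())
    return None
```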
url template registerprotocolhandler firefox technical url scheme protocol boring html5 uri urn
2009 Apr 1, 10:42
Lol at actual Facebook app that does IPv6 over Facebook. "...most network users are not aware of what IPv6 is or are even afraid by IPv6 because it is unknown. On the other hand, Social Networks (like Facebook, LinkedIn, etc.) are well-known by users and the usage of those networks is huge... With IPv6 over Social Network (IPoSN): * Every user is a router with at least one loopback interface; * Every friend or connection between users will be used as a point-to-point link... A working prototype has been developed by the author and is freely available: IPv6 over Facebook Social Network [IPv6overFacebook]."
humor social network ipv6 ip iposn facebook ietf rfc
2009 Mar 23, 11:06
The HTML5 spec tells us how it is in the real world for URLs: "This specification defines various algorithms for dealing with Web addresses intended for use by HTML user agents. For historical reasons, in order to be compatible with existing Web content HTML user agents need to implement a number of processes not defined by the URI and IRI specifications [RFC3986], [RFC3987]."
html html5 url uri reference w3c
2009 Mar 23, 8:13
I've made another extension for IE8, Outline View, which gives you a side bar in IE that displays an outline of the current page and lets you make intrapage bookmarks.
The outline is generated based on the heading tags in the document (e.g. h1, h2, etc.), kind of like what W3C's Semantic data extractor tool displays for an outline. So if the page doesn't use heading tags the way the HTML spec intended or just sticks img tags in them, then the outline doesn't look so hot. On a page that does use headings as intended though it looks really good. For instance a section from the HTML 4 spec shows up quite nicely and I find it's actually useful to be able to jump around to the different sections. Actually, I've been surprised going to various blogs how well the outline view is actually working -- I thought a lot more webdevs would be abusing their heading tags.
I've also added intrapage bookmarks. When you make a text selection and clear it, that selected text is added as a temporary intrapage bookmark which shows up in the correct place in the outline. You can navigate to the bookmark or right click to make it permanent. Right now I'm storing the permanent intrapage bookmarks in IE8's new per-domain DOM storage because I wanted to avoid writing code to synchronize a cross-process store of bookmarks, it allowed me to play with the DOM storage a bit, and the bookmarks will get cleared appropriately when the user clears their history via the control panel.
technical intrapage bookmark boring html ie8 ie extension
2009 Mar 12, 2:17
I've made an extension for Internet Explorer 8, FormToAccelerator, which turns HTML forms on a web page into either an accelerator or a search provider. In the design of the accelerators format we intentionally had HTML forms in mind so that it would be easy to create accelerators for existing web services. Consequently, creating an accelerator from an HTML form is a natural concept and an extension I've been meaning to finish for many months now.
This is similar in concept to the Opera feature that lets you add a form as a search provider. The user experience is very rough and requires some knowledge of accelerator variables. If I can come up with a better interaction model I may update this in the future, but at the moment all the designs I can come up with require way too much effort. Install IE8 RC1 and then try out FormToAccelerator.
activity html accelerator ie8 internet-explorer activities formtoaccelerator extension
2009 Feb 27, 10:49
Finally, you can play solitaire on your phone while waiting for Android to boot with VMware's mobile phone OS: "VMware has demoed its mobile virtualisation platform, which could potentially let users simultaneously run two different operating systems."
video vmware mobile phone cellphone os android google microsoft windows windows-ce
2009 Jan 15, 4:57
Lovely travel visualization: "We've generated what we call the Personal Annual Report for all our users. It's a unique-to-you PDF of data, visualisations and factoids about your travel in 2008, that we're delivering over the next week via email to every Dopplr user who travelled in 2008. To give you an example, we thought we'd show you the Personal Annual Report of someone who's had a very busy 2008 - President Elect Barack Obama."
via:mattb visualization blog dopplr obama travel statistics map
2008 Nov 9, 11:29
I finally replaced my old regular cell-phone, which was literally being held together by a rubber band, with a fancy new G1, my first Internet accessible phone.
I had to call the T-Mobile support line to get data added to my plan and the person helping me was disconcertingly friendly. She asked about my weekend plans and so I felt compelled to ask her the same. Her plans involved replacing her video card so she could get back to World of Warcraft, and do I enjoy computer gaming? I couldn't tell if she was genuine or if she was signing me up for magazines.
I was with Sarah in her new car, trying out the phone's GPS functionality via Google Maps while she drove. I switched to Street View and happened to find my car. It was a weird feeling, kind of like those Google conspiracy videos.
The phone runs Google's open source OS and I really enjoy the application API. It's all in Java, and URIs and mime-types are sort of the basics. Rather than invoking the built-in item picker control directly you invoke an 'intent' specifying the URI of your list of items, a mime-type describing the type of items in the list, and an action 'PICK', and whatever is registered as the picker on the system pops up and lets the user pick from that list. The same goes if you want to 'EDIT' an image, or 'VIEW' an mp3.
I wanted to replace the Google search box gadget that appears on the home screen with my own search box widget that uses OpenSearch descriptors, but apparently in the current API you can't make home screen gadgets without changing parts of the OS. My other desired application is something to replace this GPS photo tracker device by recording my location to a file, and an additional program on my computer to apply those locations to photos.
tmobile personal api phone technical g1 android google
2008 Oct 30, 12:13
On hearing news of Live ID supporting OpenID this is pretty much exactly what I was thinking: "With every big portal acting as a provider but not a consumer of identity credentials, users are still going to wind up creating accounts for more than one service (says this user of Flickr and Google Calendars). When it comes to third-party sites, they may not need to remember a new username and password, but they will have to remember to which of the providers they chose to provide the credentials for their account. Anyone who slips up may wind up with three or more identities on a single website, with different data associated with each."
openid identity microsoft google
2008 Oct 29, 9:50
MTV's new music video web service's API. The API provides feeds of music videos by artist or search term, and lists of artists that are 'like' other artists. Things it doesn't do: it doesn't provide access to the video files, instead providing a URI to a Flash player. It also doesn't provide access to the user's favorite videos or other user information.
api video music mtv web feed rss
2008 Oct 29, 3:09
Video showing some more interesting touch screen ideas from Microsoft Research. A touch-sensitive sphere that can accommodate multiple users, and a table which projects one image onto itself and another image onto objects beyond itself: "But hold another piece of a translucent glass in the air above the table, and it catches a second ghostly image. This trick is in the tabletop glass, which electronically flickers between translucent and transparent 60 times per second, faster than the eye can notice."
research microsoft video touchscreen table
2008 Oct 29, 10:27
MTV has tons of music videos online. The service has an API and everything. No more adding a music video on YouTube to delicious only to have the video taken down later... hopefully.
proldfile music music-video mtv video me