Daniel Martin

Yeah, yeah. First post in a long time, first post of the new year, first post with a new US President, etc. Assume I've groveled sufficiently for not posting in ages.

So the other day I visited a website belonging to a friend and my web-browser completely freaked out, blocking the site and saying that it linked to all sorts of disreputable places. That is to say, it warned that my friend's site was including material from sites that attempted to install all sorts of malware.

Now, this was odd, but occasionally a bad ad can get into an ad network, and then everyone showing those ads accidentally is displaying malware, and I figured that was what happened since when I went back and then visited the site again, all was fine.

Only, after reloading her page I discovered that my friend doesn't run ads on her site.

( A more detailed description of what was going on, probably of interest only to techies )

Some people might deduce from my posts this past month that either I have abandoned livejournal or that nothing happened during June. The latter is not true, and I don't think that the former is either, but I still can't get into the regular blogging habit.

#include <std/apologies/long_journal_update_lag.h>

So now for something completely different; namely, a rant about a particular instance of idiocy common as dirt on the web:

---

Dear web page designers:

See all the hits this search generates? Almost without exception, every result there is either telling you how to do something that's a bad idea or asking about details of how to implement a bad idea. What I'm talking about is this: most of the time when you need to type in actual physical address online, there will be a text box for your name, one for your street address, one for your city, one for your zipcode, and a drop-down box for your state.

Now, every state has this convenient little two-letter abbreviation, and anyone typing in an address in a particular state already has the abbreviation quite literally at their fingertips. Why is it that I can't type "NJ" into the state box? Why do I need to type in "NNNN" or "NNNNN" or "NNNNNN" to get my state? (Depending on whether the creator of the box has included Canadian provinces in the drop-down or not, and on whether they sorted the options in the dropdown by abbreviation or by state/province name) I can't even get a standard bunch of keypresses memorized to type my state!

This is not a new issue; there was a use-it.com article about this in 2000. The big boys (aka amazon) do this correctly, with a text box. And yet still, you'll find advice like this (from a page supposedly made in 2005):

Sometimes you may want to replace text fields with drop-down menus. This might be because selecting from a menu is easier than typing. But it could also be because the script that handles the form can't interpret just any text entry.
For example, you will often be asked to choose your state from a drop-down menu. This might be because picking it from the menu is easier than typing the name of the state.
Along the same line, you may often asked to enter the 2 letter initials of your state from a drop-down menu as well.
This could prevent confusion for the script that handles the form input. If, say, the script was programmed to only accept capital letters, then a drop-down menu would secure that no invalid entries were made.

Aaaaaaaaaaaaaaaah!

Look, if the script on the back end blows up when given input like that, then fix the script. Or make a wrapper around it to validate data first, representing the form to the user if they type in a bad state abbreviation. (Since for security reasons, you need to do that already anyway, and you know it)

Don't make me guess how many "N"s to press, and don't make me jump back to the mouse, especially when you lay out your form like a standard US postal address so that I'm jumping back to the keyboard for the zipcode anyway.

Is this a small annoyance? Absolutely. It's trivial in the grand scheme of things, and even fairly small in the world of web-based annoyances. But it's totally unnecessary. In fact, implementing the drop-down is probably more work than putting another text box there. Please - go play an extra minute or so solitaire instead of making yet another state drop-down box. Your time will be better spent.

Continuing my pattern of occasional technical posts just that my journal won't be completely dormant, here's another one:

If you do much web development at all, you probably work with a template language of some kind. You know, the kind of thing where you write HTML with various placeholders in spots that get filled in by the web application - examples include jsp pages, Django's template system, Smarty templates, PHP pages, or HTML::Mason.

Anyway, the problem with virtually every HTML templating language out there is that they make it easier for the person writing HTML templates to add an XSS hole than to avoid it. This isn't a matter of making it possible for page writers to shoot themselves in the foot - that's always going to be possible, given any reasonable system - it's a matter of making it easier to do than to avoid.

( More for people who've ever worked in such environments )

So I've thought about several different journal entries I could write lately, but I somehow just don't feel I have the requisite will-to-type to write any of them. So here are some scattered thoughts I'm not journaling about:

• Katherine: ( 3 topics, 107 words )
• Personal: ( 4 topics; 418 words )
• Technical: ( 5 topics; 345 words )

This is a story about an exploit that didn't happen. Mostly, because I chickened out.

The short version is this: for a while, there was a bug in the way google accepted user preferences that meant that it was possible to create an <img ...> tag such that anyone who looked at a page containing the image would have their google preferences changed. Think about this for a second. See that blank box above the smiley face? If Google were still vulnerable to this exploit, you'd see a second little smiley face in that box. Also, merely by loading your friends page with this entry on it, your google preferences would have been changed to whatever I picked. In this case, to have the google buttons and all explanatory text switch to Arabic, to search only for pages in Chinese or Japanese, and to display only one result per page. You'd see this when next you used Google, whether you used it directly by visitng http://www.google.com or through some browser plugin.

Now, freerepublic.com (no, I'm not linking to them) is frequently visited by people who would at the least be freaked out by something like this. Furthermore, it's full of people I wouldn't mind freaking out. Also, it encourages semi-anonymous users to post images in the comments. At least as of Halloween, Google hadn't fixed this exploit. Think about it: right before the election some of the more rabid online right-wing activists have their ability to use Google taken away from them in what looks like an islamofascist plot...

Anyway, as I said, I chickened out. I don't know if there's some sort of moral or lesson here - except that web application security is so difficult that even Google can get it wrong in potentially embarrassing ways - but it kind of seems like there ought to be. If anyone cares about the technical details behind the flaw you can read about it by googling "google setprefs xsrf" and see more details about my specific way to exploit it by looking at what http://xrl.us/rv5j/smile.gif gets you when you feed it through wget.

(And yes, I'd reported this to Google on September 25th, but I wasn't the original discoverer of the flaw itself. Encoding the evil into an image tag was my own creation, as was the exploration of how much evil could be encoded into one little picture.)

This is another computer-geek post, because I was thinking about it today, and thought it deserved to get documented. Most of my friends will not care, so...
( How to allow users to change their own passwords when using subversion *without* apache )

This is a technical/work entry. I'll do a Katherine update at some point in the not-too-distant future.

Occasionally, even the most insulated-from-the-customer programmer must write some sort of documentation. (I'm actually not nearly as insulated from the customer as I might pretend to be) Recently, a piece of install documentation that I had been maintaining in reStructuredText was officially transferred to the publications group, and since then it has been a Word document, though I am still expected to submit updates. At one point I noted that I would be much happier maintaining that documentation in the plain text format I had been using before, and was asked by publications “Dan, what do you want to do with the doc in plain text that you can't do if it's in Word format?” — this is my reply to that question, with some slight rewording and elaboration.
( Why I find Word inadequate for maintaining technical documentation )

So in the effort to get me posting about anything, and prevent my journal from idling for another month, I'm going to talk about a toy I bought myself on eBay a few weeks ago.

It's a slide rule.

It's a moderately nice one, though the sight on it is slightly askew, such that if I don't touch it, the line isn't quite vertical. It's only a 10 inch model; the really accurate 20-inch and longer ones aren't selling on eBay, or are too pricey.

It has scales L, C, D, A, B, K, Ci, CF, DF, CiF, S, T, ST, LL1, LL2, LL3, LLO, and LLOO.

Just think - there was a time when every engineering student would know what all of those scales meant. I've included a discussion of what those scales mean, and what it means I can compute with this, below the cut.
( The rest gets rather math-heavy )

As I may have mentioned here before, I work from home four days out of five. Recently, everyone in the office was forced to switch email programs to Outlook because we're now using the corporate Outlook server.

Now, this morning at around 9:15, the office network went down, which naturally meant I was kicked off VPN. Because I'm using Outlook and was composing a message when the network went down:

1. I can't finish and send my message, and have it just sitting in the outbox until the network comes back up.
   
2. I can't access any email that was stored on the server, though I can still see all the subject lines and who sent stuff to me.
   
3. Every now and then while I was typing the rest of my message Outlook would freeze for a couple of seconds as it desperately tried to communicate with home base.

Now, if I am disconnected from the network when I start Outlook, I can choose to work offline. However, when I do that (stopping and restarting Outlook), I no longer have any email sent after about 2pm yesterday. Specifically, I don't have the message I was replying to when the network went down nor do I have my partially typed response. (Oh, I still have the text, cut and pasted into Notepad, but it's pointless without what I was responding too) This despite the fact that Outlook supposedly did a synchronization this morning at 8, unless the "Send/Receive" button and messages in the status bar about "Synchronizing..." mean something different from what they should.

Life was much better when all email was on the local IMAP server and those of us who wanted to used Mozilla. Disconnected operation just plain worked. Why oh why are "enterprise" solutions so fragile?

So this is my first entry in a while and, sorry, but I'm not going to talk about Katherine. (she turned 1 last Monday, and there was cake and a multitude of relatives and cameras, and maybe I'll post a Katherine update later today)

Instead, I'm going to talk about stuff I found in the webserver log.

Recently (late last week) I cleaned out my old account at the Johns Hopkins Math department. Among the other things I did was to drop a little Redirect directive in the .htaccess file there to point to my my current web home. This means that requests for files that used to be in my math.jhu.edu account are now bounced automatically to my snowplow.org account.

As I never had access to the webserver logs on math.jhu.edu, I never knew if my pages were being looked at, or, if so, which pages were popular, in terms of being linked to from other places. Well, as I've now found out apparently the most interesting thing in my old web account (in terms of hits) was this stupid image. That's right, it's just a "POW!" with a border around it. I'm not even sure when or why I made it - playing around in gimp, I suspect.

So now I get to see from the logs what pages link to that image, and it's a little bizarre how it's spread. Below I give the referrer and the first time the snowplow.org logs see someone looking for pow.png from that page: (not necessarily when requests started, since I don't see what went to math.jhu.edu) (All times Eastern Standard Time)

a google image search for "pow"	07/Jan/2005:13:58:44
user profile at http://www.myspace.com/	07/Jan/2005:14:28:18
http://cactokaur.blog.com/ (in Spanish)	07/Jan/2005:17:19:34
http://boards.theforce.net/ Revenge of the Sith discussion	07/Jan/2005:17:43:52
The freepers use "pow" too	07/Jan/2005:21:28:24
Something on driven2modify.com	08/Jan/2005:00:24:55
Blog for "kasha_teishu" on xanga.com	08/Jan/2005:02:08:30
http://maroc-chat.de/forum-thread-539--.html	08/Jan/2005:09:40:40
a post on www.blackcatbone.34sp.com	08/Jan/2005:14:25:15
a post on forum.surfermag.com	08/Jan/2005:17:08:31
sealiontavern.nobledead.com	11/Jan/2005:12:07:06
Another xanga.com blog (PermitaSer)	11/Jan/2005:18:29:53
an old xanga.com blog post (warning: background music and probably NSFW)	11/Jan/2005:20:38:19
A post (currently unreachable) on gaiaonline.com	11/Jan/2005:23:02:53
Someone's hotmail email	12/Jan/2005:10:01:28
ekok.nl post	12/Jan/2005:10:49:51

"Pow" gets around. (I omitted other google image searches which found it, such as "POW", "Pow", and "pow!") It also probably points to the idea that "most links to" is not necessarily a good measure of "most interesting", "most valuable", or "most useful". Or maybe I'm just deluding myself about the usefulness of anything else I've ever put up on the web.