April 26, 2005

Next Op

Those of you paying very careful attention may have noticed that I didn't disappear on April 13th, as previously advertised. My second mouth operation was postponed two weeks, so I am now due to go in on Wednesday. I hope to be out early the following week, but I'll be taking some more time off to recuperate.

After that, I have six weeks of daily radiotherapy to look forward to :-).

Posted by gerv at 12:09 AM | Comments (11)

April 25, 2005

A Difficult Conversation

"A mother who gave birth to a twin girl following an incomplete termination is suing the hospital where she had the procedure for £250,000 to help with the cost of raising the child."

"I still don't know if, or what, I am going to tell Jayde when the time comes," she added. "Maybe when she is nine or 10 I will sit her down and explain it to her. I just hope that she understands what happened and why I did it. Of course it will be much harder to explain to her that she had a twin."

Yes. Right. Let's imagine how that conversation might go, shall we?

"Jayde?"

"Yes, Mum?"

"I've got something to tell you."

"OK..."

"Well, when you were very little, and still in Mummy's tummy, there were two of you - you, and your sister. When I found out that you were both there, I tried to have you both killed.

Your sister was successfully killed, but you survived. I didn't know, otherwise I'd have told them to have another go at it. When I found out, the law said that it was too late to try again. I was really angry, so I sued the people who were supposed to have killed you because they didn't do their job properly."

<long silence>

"Mummy... why did you try and kill me?"

That's just inexpressibly tragic.

Posted by gerv at 12:30 PM | Comments (42)

April 23, 2005

IE 7 To Support PNG Alpha Channels

No, not this one, this one.

We’ve actually had this on our radar for a long time, and have had it supported in the code for a while now. We have certainly heard the clear feedback from the web design community that per-pixel alpha is a really important feature.

I commend Microsoft for listening to their customers, and hope they will continue to do so when they hear calls for full CSS 2.1 support. :-)

Posted by gerv at 5:01 PM | Comments (6)

April 22, 2005

Newsgroups List - Last Call

Last call for comments on the newsgroups list. Here's a diff of the recent changes. I've decided "users" is clearer and more general than "userhelp", particularly now we have an "accessibility" group in there.

Posted by gerv at 12:25 PM | Comments (61)

April 21, 2005

Daffodils

Ever had nothing useful to say in a checkin comment? Try this. For bonus points, do it in the right order...

Posted by gerv at 11:50 PM | Comments (4)

April 20, 2005

Opera 8 Released

Opera has released version 8 of its browser. It comes with an interesting innovation in security UI - it displays the "O" or "Organisation" field of the certificate in the URL bar (screenshot), ostensibly to help the user in making security decisions about a site.

One concern about this is that O fields are non-unique - you can have many companies all with the same name, in different areas of a country. A recent paper demonstrates this problem well - the authors managed to legally and properly obtain certificates for a random domain from multiple CAs with O fields which happened to be confusingly similar to that of some major US banks. Phishers could take advantage of this loophole. Additionally, in some types of certificate the field is useless, containing a repeat of the domain name, or a liability disclaimer statement.

Posted by gerv at 12:01 AM | Comments (2)

April 19, 2005

Anti-Phishing Working Group

Today (full disclosure: at the kind invitation of GeoTrust) I attended the Anti-Phishing Working Group's spring meeting in London. The need to allow all attendees to speak freely means that I can't say too much about what was discussed, but I came away both worried and encouraged at the same time. Like with spam, organised crime is following the money; phishing and identity theft are only going to get worse in the short term. On the other hand, people are becoming aware of the problem and there are things we can be doing.

One thing that's clear is that browser SSL UIs are going to have to change to be more discriminating between different types of certificate with different levels of owner verification attached. More on that soon.

Posted by gerv at 11:10 PM

April 16, 2005

Firefox 1.0.3 Security

Firefox 1.0.3 has been released. Before reading on, go download it!

We fixed nine security issues, three of them critical. That's a total of 29 separate issues which were deemed worthy of a write-up since the release of 1.0. So does this add some weight to the argument that previously, Firefox only seemed secure because no-one had bothered to attack it?

Frank Hecker made an important point about this issue very eloquently in an email to drivers, which I'm sure he won't mind me quoting here:

Yes, Firefox is a lot more popular now and has a much higher profile. Yes, a lot of smart hackers are working now to break Firefox. And what a surprise: These hackers aren't making life miserable for Firefox users, they're working with us to make Firefox more secure. Why is that? Because we pay attention to security bug reports, we try to treat people who find and report security bugs with respect, we invite them to work closely with us, we reward them for finding bugs (both with money and with credit), and most important: we actually fix bugs in a timely manner as opposed to sitting on them and treating security as just a potential PR problem.

Absolutely.

Posted by gerv at 10:28 AM | Comments (13)

April 15, 2005

It's Not A Bug, It's A Feature...

This is a quote from a genuine "bug report".

Motif is a form of Flash files that Double Click uses to serve rich media. The motif ads use a .mta extension, and are basically the same as an .swf with some additional ad tracking features.

It doesn't appear that users can see motif files in Firefox; this is a serious problem for advertisers that are trying to serve those ads to an audience that is likely to download and use Firefox.

Oh no! ;-)

Please don't spam the bug.

Posted by gerv at 11:55 PM | Comments (7)

April 14, 2005

DSMLTools 1.2 Released

Hardly earth-shattering, but I've released version 1.2 of the DSMLTools, one of my more obscure bits of software, which helps you manipulate directory (LDAP) data as XML. This release fixes the three bugs that have been found since the last release in 2002 and, more significantly, introduces a new make-based build system. The release packages now conform to the Software Release Practice HOWTO.

It's a measure of how busy I am that 90% of the work for the release was done in April 2004...

Posted by gerv at 12:30 AM

April 13, 2005

Get Peculiar

This defies comment.

Posted by gerv at 3:39 PM | Comments (5)

April 12, 2005

HOSTS File Risks

There are several sites on the Internet which offer Windows HOSTS files for download, together with installation instructions. The HOSTS file is part of the local name-resolution configuration, consulted before DNS is asked; the ones offered for download divert any requests to a long list of ad and spyware servers into a black hole, meaning that your browser can never contact those machines.

This is all fine in theory, but how long would it take someone to notice if one of those popular files (and some of them are very large) had the following lines buried somewhere in the middle, either deliberately or because the site had been hacked?

87.65.43.21 www.paypal.com
87.65.43.21 www.bankofamerica.com
87.65.43.21 www.ebay.com
...

Phish City. I suggest that, however much you may not like advertising, encouraging people to download and install HOSTS files from the net is rather irresponsible.
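As an added check (not part of the original post), here is a small Python script that does the one thing worth doing before installing a downloaded HOSTS file: scan it for entries that send a name to a real address instead of a black hole. The sample file, the 87.65.43.21 lines and the watch-list of bank hostnames are constructed from the post; the function names and the "black hole" address set are my assumptions.

```python
import ipaddress

# Targets that ad-blocking HOSTS files use as a "black hole". Anything else
# means the entry is redirecting a name to a host that can actually answer.
BLACKHOLE_LITERALS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Hypothetical watch-list: names a blocklist has no business remapping.
WATCHLIST = {"www.paypal.com", "www.bankofamerica.com", "www.ebay.com"}

# Constructed sample: a blocklist-style file with two bad lines buried in it.
SAMPLE_HOSTS = """\
# ad blocklist (constructed sample)
127.0.0.1   localhost
0.0.0.0     ads.example.net        # ordinary blocking entry
0.0.0.0     tracker.example.org
87.65.43.21 www.paypal.com         # redirect, not a black hole
87.65.43.21 www.bankofamerica.com
0.0.0.0     more-ads.example.com
"""


def parse_hosts(text):
    """Yield (lineno, address, hostname) for every name mapped in the file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # malformed: maps nothing
        address, *names = fields
        for name in names:                        # one address, many names
            yield lineno, address, name.lower().rstrip(".")


def is_blackhole(address):
    """True when the address cannot reach a real host (loopback or unspecified)."""
    if address in BLACKHOLE_LITERALS:
        return True
    try:
        ip = ipaddress.ip_address(address.split("%", 1)[0])  # strip IPv6 zone id
    except ValueError:
        return False  # unparseable target: report it rather than trust it
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (lineno, address, hostname, severity) for every redirecting entry."""
    findings = []
    for lineno, address, name in parse_hosts(text):
        if is_blackhole(address):
            continue                              # what a blocklist should contain
        severity = "high" if name in watchlist else "review"
        findings.append((lineno, address, name, severity))
    return findings


if __name__ == "__main__":
    for lineno, address, name, severity in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address} [{severity}]")
```

The rule is deliberately strict: a blocklist should contain nothing but black-hole targets, so every other mapping is reported, and the watch-list only decides how loudly.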

Posted by gerv at 4:43 PM | Comments (15)

April 11, 2005

The Wonderful Plural of OS

When written, what's the plural of OS?

And, for that matter, how do you pronounce the singular and the plural? Please give nationality when replying.

Posted by gerv at 1:15 PM | Comments (46)

April 9, 2005

Newsgroups List Updated

The newsgroups list has now had two rounds of feedback and I think we are getting close. Any more comments?

Posted by gerv at 10:07 PM | Comments (15)

Mapping Innovation

Shock - some innovation in mapping which doesn't come from Google! Head over to this aerial photo of Westminster Abbey and mouse over it. This trick appears to be the dynamic updating of the CSS clip property, so it'll work in most modern browsers.

By the way, I'm singing Evensong there today at 3pm with the Friends of Morland Choristers Camp if anyone wants to stop by. The anthem is "Greater Love" by Ireland, and the Magnificat and Nunc Dimittis are Bairstow in D.

Posted by gerv at 9:31 AM | Comments (6)

April 8, 2005

Freedom Is Important

This is why software Freedom is important, and why the "use the best tool, whether it's open source or not" attitude gets you in trouble in the long run.

We need to be prepared to use inferior but Free applications and, scratching itches, make them better. And we need to gently persuade other community members to do the same. The Open Source movement has reduced the talk about software freedom and we need to value and promote it again before we get taught more nasty lessons like this one.

Update: Random example of what I mean:

I know that binary-only drivers are a sore spot with free software purists, but I'd rather have a fully functional, if closed, Nvidia driver than a reverse-engineered one that limps along.

With a basic level of driver stability, Linux could become as easy as Windows to support.
-- The State of Laptop Linux 2005

Posted by gerv at 10:42 AM | Comments (17)

Security Writings Summary

I've created an index page to my writings on security, having written up and added a few things that initially started life as blog posts and are now much improved by your kind input :-) It includes stuff on Phishing and Cross-Site Scripting. More to come as I find time to write it; feel free to comment here or by email.

Posted by gerv at 12:09 AM

April 7, 2005

Keeping Email Addresses From The Spambots

Here's an interesting approach to the problem of making your email address easily available to people but not spambots - hide the page with the mailto: link behind a form POST. See comment #2 in that discussion for the most slick method - return the mailto: link as the location in the response headers. For extra points, you could disguise the submit button to look like a URL...
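To make the mechanism concrete, here is the form-POST trick as a tiny WSGI application. This is an added example, not code from the linked discussion: the address, the route name and the choice of a 303 status are my assumptions.

```python
from urllib.parse import quote

CONTACT_ADDRESS = "someone@example.com"   # hypothetical address, never written into the HTML

# The only thing a crawler sees: a form with no address anywhere in it.
FORM_HTML = (b'<form method="post" action="/contact">'
             b'<button type="submit">Email me</button></form>')


def build_mailto(address, subject=None):
    """Build the mailto: URL, percent-encoding so no CR/LF can reach the Location header."""
    url = "mailto:" + quote(address, safe="@")
    if subject:
        url += "?subject=" + quote(subject, safe="")
    return url


def contact_app(environ, start_response):
    """WSGI app: GET serves the form, POST answers with the mailto: link as Location."""
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        # 303 asks the browser to follow with a GET, which for a mailto: URL
        # means handing it to the mail client; the status code is my choice.
        start_response("303 See Other", [("Location", build_mailto(CONTACT_ADDRESS)),
                                         ("Content-Length", "0")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(FORM_HTML)))])
    return [FORM_HTML]


def call(app, method, path="/contact"):
    """Offline WSGI driver: invoke app and return (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(call(contact_app, "GET"))
    print(call(contact_app, "POST"))
```

To serve it for real, `wsgiref.simple_server.make_server("", 8000, contact_app).serve_forever()` is enough; the address lives only in the server process and only ever leaves it inside a redirect to a POST.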

My personal attitude is that spam is a price you have to pay for being contactable. You'll find my email addresses, unobfuscated, all over the web.

Oh, and I've updated the newsgroups list. Please have another look and see if the changes are to your liking.

Posted by gerv at 12:43 AM | Comments (21)

April 5, 2005

New Newsgroups

We're having another push to get new, better organised and spam-free Mozilla newsgroups set up. We have the hardware; we just need two things - someone to administer the server, and a definitive list of new groups.

We first made the list back in 2000 (believe it or not), when there was an extensive discussion. I updated it quietly myself in both 2003 and 2004, when we also sent out calls for an admin but for various reasons didn't manage to make it happen. Since then I've been wary of re-opening the debate because I didn't want to engender false hope. :-) Now, however, I believe there's a real chance we can make it happen soon.

So, if you have news server admin experience, or know someone who does, get in touch. And please read the current list of suggested new groups and post your feedback.

Posted by gerv at 8:51 AM | Comments (22)

April 2, 2005

IDN Coding Help Wanted

Darin is not going to have time before Firefox 1.1 to implement a mechanism to whitelist top-level domains where Unicode can be safely displayed, and I probably am not either. So someone who is comfortable hacking on Mozilla needs to, if Firefox 1.1 is going to have any IDN Unicode display support. I can provide guidance as to what needs to be done. Get in touch if you can help.
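For anyone wondering what the mechanism amounts to, here is the TLD-whitelist decision in a few lines of Python. This is an added illustration and not Mozilla's code; the whitelist contents are placeholders (which TLDs actually qualify is the policy question), and the function names are mine. It also handles the one edge case a display routine must: a malformed "xn--" label is shown as-is rather than half-decoded.

```python
# Hypothetical whitelist: TLDs whose registries restrict the character set of
# labels. Which TLDs belong here is a policy decision; these are placeholders.
SAFE_UNICODE_TLDS = {"de", "jp", "cn", "at"}


def to_unicode_label(label):
    """Decode one ACE ("xn--") label to Unicode; leave anything else untouched."""
    if not label.startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")   # built-in IDNA codec
    except UnicodeError:
        return label  # malformed ACE label: never show a half-decoded name


def display_hostname(hostname, safe_tlds=SAFE_UNICODE_TLDS):
    """Return the hostname as the URL bar should show it.

    ACE labels are decoded to Unicode only when the top-level domain is on the
    whitelist; elsewhere the raw punycode is kept, so look-alike characters
    stay visible rather than disguised.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if labels[-1] not in safe_tlds:
        return hostname
    return ".".join(to_unicode_label(label) for label in labels)


if __name__ == "__main__":
    ace = "münchen.de".encode("idna").decode("ascii")   # xn--mnchen-3ya.de
    print(ace, "->", display_hostname(ace))
    other = ace.replace(".de", ".com")
    print(other, "->", display_hostname(other))
```

The whole decision hangs on the last label, so the same name is readable under a whitelisted TLD and stays in punycode everywhere else.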

Posted by gerv at 5:55 PM | Comments (1)

Praying For The Pope

Tributes are flooding in for the Pope, many referring to his great works and moral leadership. A Cuban cardinal said: "This is a man who has carried the moral weight of the world for 26 years... turning himself into the only moral reference for humanity in recent years of wars and difficulties." All the news reports and stories mention how everyone is praying. "The Church around the world is united in prayer."

But what are they praying for? Surely they can't be praying that he would live longer; at this stage, that would be terrible. They might be praying that he would die - that would be entirely reasonable - but it doesn't seem so. Maybe some people are.

One guy, interviewed on Radio 4 in St. Peter's Square, said that "we are praying that his suffering will help the Church, and indeed the whole world". But that can't be right. There was only one man whose suffering could help others - Jesus Christ, the man who lived a sinless life yet took the punishment we all deserve.

So why pray for the Pope? Well, I am praying for him - praying that even now, he would repent, stop relying on his deeds and works for salvation as Catholic doctrine wrongly requires (e.g. #837), turn to God and accept the glorious and incredible offer of free, unconditional grace and forgiveness through Jesus Christ.

For it is by grace you have been saved, through faith - and this not from yourselves, it is the gift of God - not by works, so that no one can boast. (Ephesians 2:8-9)

Posted by gerv at 11:26 AM | Comments (65)

Auto Res of UNCOs Postponed (Slightly)

Despite my saying that there would be no more delay, wise Gecko-heads have persuaded me we should wait until we have a release with a recent Gecko to point people to, as the Gecko in Firefox 1.0.2 is almost a year old now. That will be Gecko 1.8b2, the Firefox and Thunderbird preview releases, scheduled for mid-April sometime. So we'll do this ASAP after we ship those.

Posted by gerv at 11:26 AM | Comments (1)

April 1, 2005

Flash-Based Popups On 'Endangered' List

You didn't think we'd leave you out there unprotected, did you? Asa needs help testing some new ideas for blocking plugin-based popups, which we may roll into a future release. Head over to his blog for the info, and help him out.

Posted by gerv at 9:22 PM

Dodgy Network Simulator

Does anyone know of gateway or proxy software you can install on a machine to simulate a bad network - i.e. it routes packets from one interface to another but drops, delays or rearranges them in a configurable way at the same time? I know Squid can do bandwidth limiting, but ideally I need the other things too.

Unsurprisingly, it's for testing a product over a dodgy network connection.

Posted by gerv at 10:39 AM | Comments (7)

Cross-Site Scripting - The Final Solution

This is the last of my ideas for prevention of Cross-Site Scripting, and in a way the most radical. I was having a shower this morning, when I was struck by a great idea. What if the entire Internet was under the same domain? This radical move would prevent Cross-Site Scripting at a stroke! We could change the DNS servers of the world to only resolve a single domain, and move all other websites under it. There'd be no way to do cross-site anything at all.

So, which company or group is worthy of the honour and responsibility of watching over such a valuable community resource? Much as I'd like to suggest mozilla.org, I'm not sure we have the bandwidth. So, having seen the good job they've done with newsgroups, I think it's time that we recognised the inevitability of GWorld Domination and handed over control of the entire Internet to Google, Inc. Instead of "The Internet", we'd have "G-Internet" (catchy, huh?). It would give all websites a new subdomain of the main google.com domain - for example, www.gerv.net.g-internet.google.com. No more Cross-Site Scripting!

Putting the entire Internet under Google's control has a number of great side benefits. For a start, it would be a lot easier to search - Google having the master copy of the web would help them to spider it much more quickly, and keep their index up to date. Then, of course, all web apps would be automatically upgraded by Google's New Service Gnomes to use XmlHttpRequest and other modern web application technology. I can certainly see a lot of people appreciating Hotmail getting such a makeover.

But lastly and most importantly, it would be a great help in the War on Terror. (This is a clinching argument because no-one can object because they'll get accused of being soft on terrorists, and therefore it requires no justification.) I, for one, look forward to this brave new world! Viva G-Internet!

Posted by gerv at 8:26 AM | Comments (6)