Now it all makes sense... I knew there was more to R2-D2 than met the eye.
If we accept all the Star Wars films as the same canon, then a lot that happens in the original films has to be reinterpreted in the light of the prequels. As we now know, the rebel Alliance was founded by Yoda, Obi-Wan Kenobi and Bail Organa. What can readily be deduced is that their first recruit, who soon became their top field agent, was R2-D2...
Today, a classic for your reading pleasure: "Cargo Cult Software Engineering" by Steve McConnell.
Cargo cult software engineering is easy to identify. Cargo cult software engineers justify their practices by saying, "We’ve always done it this way in the past," or "our company standards require us to do it this way"—even when those ways make no sense. They refuse to acknowledge the tradeoffs involved in either process-oriented or commitment-oriented development. Both have strengths and weaknesses. When presented with more effective, new practices, cargo cult software engineers prefer to stay in their wooden huts of familiar, comfortable and-not-necessarily-effective work habits. "Doing the same thing again and again and expecting different results is a sign of insanity," the old saying goes. It’s also a sign of cargo cult software engineering.
The XHTML 1.0 standard has a non-normative appendix of Compatibility Guidelines - ways to code your XHTML to make it render reasonably well in HTML user agents. Of course, being the browser-neutral standards body that they are, the document doesn't say exactly which browsers require which compatibility workarounds.
It would be rather cool if someone were to knock up a test page which used each of the possibly-problematic constructs (e.g. <br/> without the space, checked="checked", line breaks in attributes) and then made a matrix from the results people sent in when they pointed different browsers at it. This would give web developers some idea of which of the requirements were only for the benefit of long-dead browsers like, er, Netscape 4.
Any volunteers? :-)
I gave a talk entitled "Phishing: Conning The Unwary For Fun And Profit" at LugRadio Live 2005. The slides are available, although most of the fun was in the delivery ;-) If I can get hold of an audio recording, I'll upload that too at some point.
Update 2005-06-28: Apparently the recording didn't work. Sorry :-(
This is ridiculously, mind-bogglingly, scarily cool. Wow. Just... wow.
MSDN has a new article on doing rounded corners in IE (via IEBlog). None of the solutions they suggest really separates content and presentation well - they all involve extra markup of one sort or another. It's amusing that they criticise the four-divs-and-CSS solution as being "difficult to read", having just suggested a table-based solution which is a lot more markup-heavy.
My current favourite method is the Nifty Corners JavaScript library. (Note that the version I link to is free software; later versions are not.) After all, if JS is turned off, you just get square corners. No big deal.
I also note with interest the following quote from the article:
So, you're staring at your Web site. It all looks very boxy, and you're thinking that it would be nice if you could add some rounded corners. Perhaps you're tired of waiting for the W3C to release the CSS3 Recommendations, which will include specifications for rounded corners, and—even better—several border properties. The good news is that you don't have to wait any longer...
I am glad that Microsoft is committed to supporting CSS3 as soon as it is released, as it's clear from this quote that the unfinished nature of the spec is the only thing holding them back.
I'm a big fan of CSS, and CSS positioning. I've always heard and believed the mantra "Use CSS for positioning; use tables only for tabular data". It seemed wise to my young and innocent ears. However, I've recently been having some doubts, brought on by considering a common layout case.
Here's my scenario. I want to have a series of labelled widgets, e.g. for a "Preferences" page. Quick ASCII art diagram:
Foo:          [ Freeform Text ]
Bar Setting:  [ Sometimes Bar |V]
Baz?          ( ) Yes, Baz
              (.) No, don't Baz
Quux:         [X]
(No, you don't need to point out the number of UI design principles broken in this diagram. It's an example.)
Doing this with CSS would involve something like two divs, one for the left side and one for the right, either floated or absolutely positioned, and a lot of messing about with vertical margins and padding trying to get the widgets to line up exactly with their descriptions at various font sizes. And, even if I managed it, is it the right thing to do? Would a screen reader read all the descriptions and then all the widgets?
Should I (whisper it) be using tables for this, even though it's not really tabular data? Or is it?
LugRadio is an online UK Linux/free software radio show, which was podcasting before podcasting was cool. They are having their first one-day conference, beer drinking session and live recording event (hopefully not in that order) in Wolverhampton this coming Saturday, called LugRadio Live. I'm speaking on "Phishing: conning the unwary for fun and profit" at 3.05pm in the "Lightning Talks" track.
This is Linux conferencing at the cheap and cheerful end - tickets are only £5. See you there :-)
Due to our tight deadlines the latest date we need a decision by is 21/JUN/05 (today unfortunately). If you do not reply by this date we cannot guarantee that your product will feature on the disc.
I apologise, but I am losing patience with <magazine company>. You appear to have a large number of magazines, all of which wish to feature Firefox on their cover CDs, and so I get bombarded with vaguely threatening short-deadline emails because you don't appear to be able to communicate with one another and/or understand what Free software is.
I've requested "repeat permission information" a couple of times and heard nothing back. So here it is: Firefox is free software. As the FAQ on our site clearly states[0], you don't need our explicit permission to redistribute our binaries. Ever. Period. I won't say it again; I'll just point all future enquirers to you and you can explain it to them.
So why not go away and revel in your new-found freedom, rather than assuming we operate like some petty, intellectual-property-hoarding software house who requires signatures in triplicate on a lawyer's used toilet roll before you can hand a CD of the software to the guy sitting next to you? It's free, darn it! Everything we ship is free! Freeeee! Take it and be happy!
If you have new or updated version of the product requested and would like it included instead please let us know.
Please read the website to find out about new versions of the software. That's what it's for. :-)
It's the company outing this weekend; we're off to Crete. Please don't expect any email replies until next Wednesday evening GMT at the earliest. :-)
<sigh>. Why is it the press never actually bother to ask the people involved before running with a story? Or, for that matter, actually reading the sources? RTFA clearly doesn't just apply to Slashdot posters.
The Mozilla Foundation has applied for or is going through the process of applying for our trademark in the USA, the EU and other countries. The EU trademark gives us coverage in all EU countries, including Germany. We have a licence with the Firefox trademark holder in the UK; as a gesture of goodwill, we even have a link to them on firefox.com. Getting this worked out was one of the delaying factors in announcing the Firefox name, way back when. Having said that, the law provides protection for trade names even if a trademark has not yet been applied for.
We are currently discussing with Debian how we can come to an arrangement so that Debian can ship Firefox still being called "Firefox", while we make sure that "Firefox" remains a mark of quality. The main issue is not with Debian itself - everyone agrees they ship quality software - more with the rights that are passed on to someone who modifies and redistributes Debian's package.
Neither Debian nor any other Linux distributor is expected to be covered by the general trademark policy, as the article erroneously implies - that's not even a suggestion. We understand their needs are different. We have agreements with many Linux distributors which gives them the flexibility they need in shipping software inside their system, and we would like to have one with Debian.
Rather than try and summarise or soundbite the position, I encourage anyone interested to actually read the thread (and the previous threads on this topic from several months ago). And ignore ZDNet's attempts to create a mountain out of a molehill.
Separation of content and presentation is an important principle of modern web design. It is generally accomplished by styling semantic HTML or XML (content) with CSS (presentation). However, there are some occasions where CSS is unable to provide the presentational effect required, and one is forced to fall back on scripting. Adding curved corners to boxes is one example of something which usually cannot be done cross-browser without extra markup or scripting.
Recently I was thinking about accesskeys, and decided that accesskey underlining, while very desirable, was arguably also presentation - after all, you don't need the underlining on a printed copy of the document. So putting <u> tags in HTML is a violation of the separation. Also, if your web application is localisable, you don't want to be scattering <u> tags through your strings file either.
CSS doesn't provide a facility which would allow me to underline individual letters without adding extra markup, so I wrote a JavaScript library, the Accesskey Underlining Library, to dynamically underline the correct key. Using the principles of unobtrusive JavaScript, all you have to do to use it is include the script in your page. However, there still isn't a clean separation because there's no way to turn the script's effect on or off using CSS.
So (and this is the new bit; thanks for keeping reading), I came up with the idea of using CSS to style the script element itself, and having the script check that styling when deciding whether to run. This allows control of the script's function from the presentation layer. Styling the script element itself avoids creating a dependency on having any other particular markup in the page, and you can style almost anything you like about it because it's invisible.
So, the upshot of all that is that if you are using AUL, you can turn the accesskey underlining effect off by putting the following in your print stylesheet:
#accesskeyUnderline {
  visibility: hidden;
}
I thought I'd give Skype a try for dialling into long US teleconferences, as there's a little friction in our household currently over use of the phone. Sadly, its DTMF generation is so bad that the conference server won't let me into the meeting! Apparently I'm not the only person with this problem, and it's been present for 18 months. You would have thought they could get something as basic as DTMF right. Oh, well.
If any of you have ever idly wondered whether it would be possible to do web page video using a large table with very small cells and messing with the background colours, wonder no longer - it doesn't work.
Having spent a random 45 minutes messing around with the idea this morning before breakfast, it turns out that my 3GHz Pentium can do about 5000 table cell background colour changes a second in Deer Park alpha 1, which isn't nearly enough for video of any decent size, frame rate and movement. Our DOM is good, but not that good :-)
If anyone wants my test code, let me know.
ASP.NET is Microsoft's newest web application development system. Unfortunately, in its default configuration, it seriously discriminates against non-IE browsers. The browserCaps section of the machine.config or web.config configuration files uses the User Agent string to set a number of "capability" flags - such as what level of support it has for the W3C DOM, CSS and ECMAScript. However, this file knows next to nothing about non-IE browsers newer than Netscape 4.
We ran into this problem at work - ASP.NET applications looked fine in IE, but really ugly in Firefox. This was because it was treating Firefox as a really old browser, and doing its "panels" using tables instead of divs, which didn't work very well when you nested them or tried to put them side by side. A quick update to browserCaps, as outlined on the page linked above, fixed the problem.
It would be easy to label this as part of some sort of conspiracy. I'm not going to do that, but I think Microsoft does have a duty to fix this in the next release of ASP.NET, and/or issue a patch. After all, not doing so means that their customers' sites look terrible in some of their customers' browsers. And they probably won't be too happy about that, particularly if they spend hours trying to figure out why ASP.NET is generating different and broken HTML for these modern UAs.
IE 5 has several deficiencies which make it difficult to cater for when writing web applications. Two major ones are the broken box model and the broken font keyword system. IE 5.0 also lacks support for XMLHttpRequest [Update 2005-06-16: apparently it does support it; sorry about that].
IE 5.x is almost completely unsupported by Microsoft. As their lifecycle site outlines, IE 5.5 (SP2 only) is supported on Windows ME until the end of this year, and IE 5.01 is supported on Windows 2000 until 2010 - in both cases, only because it's the version that OS shipped with. However, even Microsoft recommend in a footnote that you upgrade to get "improved security protection". So anyone using IE 5.x is at a greater risk than they need to be.
The graph below is of browser market share, collected from the occasional press releases of OneStat, a web analytics company. There are several misleading things about this graph, due to the infrequency of samples - but let's ignore all those and focus on the yellow and pink lines. These are the percentage market shares of IE 5.0 (yellow) and IE 5.5 (pink).

Unfortunately, OneStat stopped providing version breakdowns in November last year. Still, it can be seen that around the time Firefox was released (which may be a factor, but is certainly not the only one), the market share of IE 5 versions fell off a cliff. If that trend has continued, the market share of IE 5 now is tiny, and the market share at release time for any new web apps now under development will be minuscule.
These three factors together mean that taking time to develop new web applications with IE 5 in mind, and to test them against it, is no longer worth the investment. The resources would be better spent testing in standards-compliant browsers such as Safari and Opera - where it's much more likely to work first time anyway.
A few intrepid souls are leading the way, and politely requiring that their customers upgrade. I invite all web developers to consider joining them.
There have been several stories recently about collisions in MD5 hashing, the latest being a report from the Institute of Cryptography at Ruhr University giving two documents with different content but the same MD5 hash. One is a letter of recommendation, and the other is a permission to access secret files. The underling presents her boss with the first to sign, then transfers the signature to the second one.
However, one doesn't need to do clever tricks with MD5 to achieve this end. PostScript is a Turing-complete page description language, and other document scripting languages, such as Visual Basic for Applications (Microsoft Word's macro language) are similarly powerful. Both have access to their own filename.
So, for example, you could create a Microsoft Word document containing a macro which hid or showed different bits of text depending on the value of ActiveDocument.Name. With one name, it's a letter of recommendation; with another, it's a grant of permission for access to top secret files. So you present it to the victim to sign when it has one name - so when they view it, it looks innocent - and then rename it before sending it to the Security department, so when they view it you get your secret access.
You could argue that the filename should be incorporated into the data which is signed - but the script could switch on any external info it has access to, such as the IP address of the machine, or the name of the logged-in user.
The lesson here is clear: don't sign bits you didn't create.
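The point above, that a signature covers bytes and not what a viewer displays, as an added example (not part of the original post). The `?name=` directive syntax is a constructed toy format standing in for a document macro, and the function names are hypothetical; `signWhatYouSaw` shows one way to follow the lesson by signing only the static text the signer actually read.

```javascript
const crypto = require("node:crypto");

// Constructed toy document format (not Word or PostScript): a line of the form
// "?name=<filename>|<text>" is displayed only when the file is opened under that name.
const ACTIVE_DOC = [
  "To whom it may concern,",
  "?name=reference.doc|I recommend the bearer for the post.",
  "?name=access.doc|The bearer may access the secret files.",
  "Signed: The Boss",
].join("\n");

const DIRECTIVE = /^\?name=([^|]+)\|(.*)$/;

// What a viewer shows: a function of the bytes AND of state outside them (the filename).
function render(docText, fileName) {
  const shown = [];
  for (const line of docText.split("\n")) {
    const m = DIRECTIVE.exec(line);
    if (!m) shown.push(line);
    else if (m[1] === fileName) shown.push(m[2]);
  }
  return shown.join("\n");
}

function hasActiveContent(docText) {
  return docText.split("\n").some((line) => DIRECTIVE.test(line));
}

// A signature covers the bytes only; the filename and the rendering are not inputs.
function signBytes(text, privateKey) {
  return crypto.sign(null, Buffer.from(text, "utf8"), privateKey);
}

function verifyBytes(text, signature, publicKey) {
  return crypto.verify(null, Buffer.from(text, "utf8"), publicKey, signature);
}

// The signer flattens the document to the static text they actually read,
// refuses anything that is still active after flattening, and signs that text.
function signWhatYouSaw(docText, fileName, privateKey) {
  const flat = render(docText, fileName);
  if (hasActiveContent(flat)) {
    throw new Error("flattened text still contains directives; refusing to sign");
  }
  return { text: flat, signature: signBytes(flat, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const sigOverActive = signBytes(ACTIVE_DOC, privateKey);
  const safe = signWhatYouSaw(ACTIVE_DOC, "reference.doc", privateKey);
  return {
    seenBySigner: render(ACTIVE_DOC, "reference.doc"),
    seenAfterRename: render(ACTIVE_DOC, "access.doc"),
    // Same bytes, so the signature still verifies after the rename.
    renamedStillVerifies: verifyBytes(ACTIVE_DOC, sigOverActive, publicKey),
    // The flattened text has nothing left to switch on, whatever the file is called.
    flatSeenAfterRename: render(safe.text, "access.doc"),
    flatVerifies: verifyBytes(safe.text, safe.signature, publicKey),
  };
}
```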
A recent editorial in "Computing" weekly called "Online security is a duty for us all" discussed new measures that banks are implementing against fraud:
The banks are taking a carrot approach, carefully avoiding the stick. But if new measures fail to halt the problem, the onus might shift to the consumer. Banks may one day only indemnify customers against fraud if they have the necessary precautions in place - from suitably secured home PCs to two- or even three-factor authentication tools such as biometrics. That could lead us down a rocky road - a banking community divided by technical ability and personal security. Would the days of better interest rates for more secure customers be far behind?
This is not an option that anybody - banks or their customers - would want to consider.
Why on earth not? It sounds like an excellent idea to me. One reason people don't pay too much attention to the security of their PCs at the moment is that they don't have that much obvious incentive to do so. If their bank said "turn on a firewall, use a secure browser and run regular spyware scans, and we'll give you an extra 2% on your savings", we might see quite a few more secure PCs.
Warning: rant dead ahead.
Why do neither of the taskbars in the two main free software desktop systems behave in a sane fashion?
What I want is basically what Windows can do - a double-height taskbar so I can have several apps open and still see the titles on the window buttons, but with space economised to the left and right by using small icons for tray apps, QuickLaunch and so on. And I want it to fill up left to right, then top to bottom, so it's easy to mentally thread it into one long row. And when I close a window, I want as few buttons to move as possible.
Windows fails to achieve perfection in only a few small respects. When you expand the taskbar to double height, the start button goes to the top left rather than the bottom left. In neither configuration is the Start button or the bottom row of window buttons a mile deep. And it doesn't allow tray icons to wrap round the clock.
In Mandrake 10.0 KDE, you can get something a bit like this, but for some reason it decides to populate window buttons into the double height taskbar top to bottom before left to right, which means that when you close the first window you ever opened, 100% of your window buttons move vertically, and 50% of them also move horizontally! Nothing is where it was a moment ago! It's incredibly disorienting, and I never found a way to change it.
In Ubuntu 5.04 GNOME, which I've just installed on my laptop, you can have multiple toolbars (the default install has two). However, the widget which displays the current window list can only appear on a single bar. So, to get two rows of buttons, I have to double the height of the bar. However, it now "helpfully" expands all the other widgets (like the "Show Desktop" button) from 24x24 to 48x48, thereby squeezing the available horizontal space. Doh! By the time I have all the other widgets on the bar at that size, there's barely any room for window buttons at all.
It's not as if my requirements are odd. "UI stability" is a reasonably well known UI maxim - so what's going on with KDE? "Maximal space for window buttons" doesn't seem like an uncommon use case - so what's going on with GNOME? Or have I missed something?
The automatic resolution of old UNCONFIRMED bugs will take place on the 23rd of June, with the follow-up two weeks later on the 7th of July. We hope the Bugzilla downtime will be less than an hour.
It will happen in the following products: Core, Toolkit, Firefox, Thunderbird and Mozilla Application Suite.
Comic Sans walks into a bar. The barman says "we don't serve your type here."
Doesn't the overuse of Comic Sans on everything from wedding invitations to schoolboy essays set your teeth on edge? I would have written a rant, but this excellent prose says it all. Read it, nod sagely, then head over to bancomicsans.com (putting the 'sans' in Comic Sans since 2002) and buy the t-shirt.
The Mozilla Foundation has a policy of only including software in our CVS repository, and in builds we distribute, which is available under our MPL/LGPL/GPL tri-licence or a compatible licence (e.g. the BSD licence or an MPL/LGPL dual licence). The reason for this policy is to present a simple story to people who want to use or distribute our code. We want to be able to say: "Happy with the MPL? OK - use what you like."
Many localisation teams come to us asking if they can include a dictionary with their localisation of Thunderbird. However, a lot of available free software dictionaries, including many of those used by the OpenOffice project, are available under the GPL or LGPL alone.
[Sidenote: why on earth do people use the LGPL for data? It doesn't make any sense. For a start, a straight reading prohibits modification of the data. "The modified work must itself be a software library", section 2a). They should have said "Library", not "software library".]
What can be done? Compiling a dictionary is a lengthy process, and it's work that no-one wants to have to repeat.
So here's an idea. You create a bit of code which checks text against the dictionary. This code is covered by the same licence as the dictionary. You then feed it a large number of documents in the relevant language. Words which fail the spell check are discarded; words which pass are added to an output file. Eventually, the output file is a new dictionary which you created, and you can license how you choose. After all, one can't claim that the licence of spell-checking software infects documents it spell-checks.
The questions are: Is it technically possible? If so, does it produce a useful dictionary? If so, is it legal? If so, is it moral?
After Jobs' presentation, Apple Senior Vice President Phil Schiller addressed the issue of running Windows on Macs, saying there are no plans to sell or support Windows on an Intel-based Mac. "That doesn't preclude someone from running it on a Mac. They probably will," he said. "We won't do anything to preclude that." However, Schiller said the company does not plan to let people run Mac OS X on other computer makers' hardware. "We will not allow running Mac OS X on anything other than an Apple Mac," he said.
Actually, it's clearly in their business interests for it to be possible to run Windows on Mac hardware. Think about it: if you were buying 20 boxes for a test lab or Internet cafe, what would you get - 20 boxes which can only run Windows, or 20 boxes which can dual boot?
Allowing Windows to run on their hardware, while preventing Mac OS X from running on anyone else's, is a really smart business move.
It's hard to say which seemed less likely six months ago - Apple switching to the Intel architecture, or the Debian project releasing 'sarge'. Both happening on the same day is just amazing.
Still, congratulations to the Debian team. All I need now is for someone to explain to me the relative pros and cons of Sarge vs. the latest Ubuntu...
It's a good time to be a browser developer. Everyone's hiring. In alphabetical order:
I suspect AOL/Netscape are hiring too, but I can't find a jobs page for them. Apple may well be hiring, but Googling for "Safari Jobs" just brings up a load of WWDC keynotes... And I'm sure Konqueror can always use more volunteers :-).
It would be rather useful to have information on how inaccurate people's clocks are. Some security protocols, such as OCSP certificate revocation checking, can (in some circumstances or configurations) be affected by how accurate the user's clock is.
This means that if 90% of the Internet is going around with clocks which are several hours out, the protocol in that configuration would be more insecure than if everyone's clock was accurate to the nearest second. So it would be nice to have a chart of number of users against inaccuracy.
One could measure this info reasonably easily on a web page - just call new Date().toGMTString() and send it back to a server which is connected to an accurate clock. Does anyone know of a source of such data? Ideally, it would be from a website whose visitors were a cross-section of the Internet population.
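The server side of the measurement described above, as an added example (not code from the original post): it turns reported `toGMTString()` values into a skew histogram, then shows how each skewed clock would judge an OCSP response that has already expired. The reports, the reference time and the response dates are constructed, and the freshness rule assumed is the usual comparison of the local clock against the response's thisUpdate and nextUpdate fields.

```javascript
// Constructed reference instant from the server's accurate clock: 21 Jun 2005 12:00:00 UTC.
const SERVER_NOW_MS = Date.UTC(2005, 5, 21, 12, 0, 0);

// Constructed reports, in the format new Date().toGMTString() produces in a browser.
const REPORTS = [
  "Tue, 21 Jun 2005 12:00:01 GMT", // effectively accurate
  "Tue, 21 Jun 2005 11:57:30 GMT", // a few minutes slow
  "Tue, 21 Jun 2005 13:00:00 GMT", // one hour fast
  "Tue, 21 Jun 2005 05:00:00 GMT", // seven hours slow
  "Mon, 20 Jun 2005 12:00:00 GMT", // one day slow
  "Sat, 01 Jan 2000 00:00:00 GMT", // clock reset to a default date
  "",                              // empty report
];

// Signed skew in seconds (positive = client clock is ahead), or null if unparseable.
// Resolution is one second, and transit delay is not compensated, so clients
// look slightly slower than they are.
function skewSeconds(clientGmtString, serverNowMs) {
  const clientMs = Date.parse(clientGmtString);
  return Number.isNaN(clientMs) ? null : Math.round((clientMs - serverNowMs) / 1000);
}

const BUCKETS = [["<=1m", 60], ["<=5m", 300], ["<=1h", 3600], ["<=1d", 86400], [">1d", Infinity]];

// Number of users against inaccuracy: counts per absolute-skew bucket.
function histogram(reports, serverNowMs) {
  const counts = { unparseable: 0 };
  for (const [label] of BUCKETS) counts[label] = 0;
  for (const report of reports) {
    const skew = skewSeconds(report, serverNowMs);
    if (skew === null) { counts.unparseable++; continue; }
    const [label] = BUCKETS.find(([, limit]) => Math.abs(skew) <= limit);
    counts[label]++;
  }
  return counts;
}

// Assumed client rule: a response is current while thisUpdate <= local time <= nextUpdate.
function ocspFreshness(clientNowMs, resp) {
  if (clientNowMs < resp.thisUpdateMs) return "not-yet-valid";
  if (clientNowMs > resp.nextUpdateMs) return "expired";
  return "fresh";
}

// Constructed response that really expired six hours before SERVER_NOW_MS.
const STALE_RESPONSE = {
  thisUpdateMs: SERVER_NOW_MS - 4 * 24 * 3600 * 1000,
  nextUpdateMs: SERVER_NOW_MS - 6 * 3600 * 1000,
};

// How each reporting client would judge the stale response using its own clock.
function verdicts(reports, serverNowMs, resp) {
  const counts = { "not-yet-valid": 0, fresh: 0, expired: 0 };
  for (const report of reports) {
    const skew = skewSeconds(report, serverNowMs);
    if (skew === null) continue;
    counts[ocspFreshness(serverNowMs + skew * 1000, resp)]++;
  }
  return counts;
}
```

Clients whose clocks run more than six hours slow are the ones that still treat the expired response as fresh, which is the population the requested chart would size.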
Gervase-Would you be available to meet in person to discuss our product and Mozilla licensing?
Kind regards-
Susannah Smith
Kinetix, Inc.
264 Dolphin Way, Suite #98
Redwood City, CA 94063
(650) 555-1234
Certainly. I could make tomorrow evening free if necessary.
I believe there are regular flights from San Francisco or Oakland to London with a variety of excellent airlines. Then you'd need to take public transport to the center of town, make your way to Finsbury Park station in the north, and take an overland train to Gordon Hill (about 25 minutes). Walk down Gordon Hill, which changes into Gordon Road; Heene Road is then the first left. I'm at number 21, flat 3. If you come at around 7pm, I'm happy to cook.
Or perhaps a teleconference might be more convenient for you? :-)
Gerv
With the release of Deer Park, we've tried to differentiate between different sorts of feedback - specific, detailed bug reports are funnelled towards Bugzilla, and quick feedback and comments go via Hendrix to netscape.public.beta.feedback.
The key point here is that feedback left in Bugzilla requires positive actions to deal with (bugs have to be resolved), whereas feedback left via Hendrix does not. Those entering feedback there are warned not to expect any reply. The idea is that it should be possible for people to skim-read the Hendrix feedback and extract the most useful nuggets of info into bug reports, in a triaging process which is rather the reverse of the normal Bugzilla one.
So this is a request for Bugzilla triagers and other "customer-facing" contributors to also pay attention to the Hendrix feed. Because of the above logic, I hope that your overall workload will be lighter. That's the point, after all :-)
If you file a bug report or take an action based on a Hendrix feedback report, please post a quick reply in the newsgroup to say what you've done, so there's no duplication of effort.
This evening, as you are watching the news with a friend after the Dutch have voted No to the European Constitution, why not play "Ostrich" Bingo? Take a grid each, listen to the politicians' excuses, and see who's the first to get a line across in any direction. When you've got one, shout "House of Cards!".
| higher prices | Turkey | social model |
| far-Right | bloody nose | insecurity |
| non-binding | vision | liberal policies |
| unity | euthanasia | influence |
| enlargement | unpopular | dissatisfaction |
| far-Left | Anglo-Saxon | euro |
But if I were you, I wouldn't play with this grid. You might be there all night...
| rethink | coffin | verbose |
| incomprehensible | superstate | excessive integration |
| unaccountable | drawing board | simplify |
(Sidenote: MT isn't very good at letting you add entry-specific style. I've had to put <style> tags in the <body>, which is not allowed, to style my tables. Sigh.)