Chad Perrin: SOB

22 July 2009

writing malware, kinda

Filed under: Geek, Security — apotheon @ 05:18

I’ve discovered today that I need to write what amounts to malware to test a security feature I incorporated in a Web script. It’s pretty simple, this security feature; the code I’ll have to write to test it will actually be more complex and annoying to write than the code I wrote for the feature itself.

Right about now, this whole thing seems a bit like an irony sandwich.

I’ll probably include such code in a security article at TechRepublic in the near future — both the security feature code and the testing code — especially if I can come up with a solution to the one minor fly in the ointment of using this security feature.

The concept behind it is basically a really simple sort of implicit Turing test, assuming that anyone who can see and edit a given field in a form is accessing the site improperly. Unfortunately, that’s not necessarily the case, because using a browser that doesn’t support CSS will have the same effect as accessing the form as a bot: you’ll see the field. At least the field won’t be visibly labeled for someone accessing the page in Lynx, so it’ll appear kind of weird and pointless and hopefully be ignored, but I’d prefer a way to more substantially prohibit or discourage using the field for non-bot visitors.
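As an added illustration (not the script from the post, and not the author's code), here is a honeypot field of the kind described, hidden with CSS and left unlabeled, next to the naive form-filling harness that plays the part of the "malware, kinda" needed to test it. The field name `website_url`, the CSS class `hp` and the form's other fields are assumptions; the last check in the test shows the caveat from the post, where a browser that ignores CSS and fills the field is rejected exactly like a bot.

```python
"""Honeypot form field (an implicit Turing test) plus a local test harness.

Hypothetical example. The honeypot is hidden with CSS and carries no visible
label, so a person in a CSS-capable browser never sees it; a naive bot that
fills every input it finds in the markup will populate it.
"""
from html.parser import HTMLParser

HONEYPOT = "website_url"   # assumed name; looks like a real field so bots fill it

# The stylesheet hides the honeypot. A browser without CSS support (Lynx)
# still renders the unlabeled field, which is the false-positive risk.
FORM_HTML = f"""
<style>.hp {{ display: none; }}</style>
<form method="post" action="/comment">
  <label for="name">Name</label><input id="name" name="name">
  <label for="body">Comment</label><textarea id="body" name="body"></textarea>
  <div class="hp"><input name="{HONEYPOT}" autocomplete="off" tabindex="-1"></div>
  <input type="submit" value="Post">
</form>
"""


def is_bot_submission(form):
    """Server-side check: any non-blank value in the hidden field means reject."""
    return bool(form.get(HONEYPOT, "").strip())


class _FieldCollector(HTMLParser):
    """Collects the name of every input/textarea, ignoring CSS, as a bot would."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "textarea") and a.get("name") and a.get("type") != "submit":
            self.fields.append(a["name"])


def naive_bot_submission(html):
    """The test 'malware': fill every field the markup exposes, honeypot included."""
    parser = _FieldCollector()
    parser.feed(html)
    return {name: "spam" for name in parser.fields}


def human_submission(name, body):
    """What a person in a CSS-capable browser submits: the honeypot is untouched."""
    return {"name": name, "body": body}
```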


21 July 2009

recent Firefox troubles

Filed under: Geek, Mezilla — apotheon @ 10:46

News flash: I still think all browsers suck, to varying degrees. Some of the following is my fault, as you’ll discover as you read, but I think a significant chunk of the reason it happened is probably just the overly complex edifice it has become, pursuing competitiveness with IE.

Months ago, when I should have upgraded my FreeBSD 6.2 system to 7.something, I didn’t. The SigO was planning to get a new laptop, and her old laptop is exactly the same model as my laptop. I figured I’d just wait on upgrading the FreeBSD version, and after she got her new laptop and migrated everything to it, I’d just install FreeBSD from scratch on her old laptop, then migrate my own stuff onto that. There are a number of minor reasons to do things that way, but nothing really major.

Well . . . there were some issues with getting her new laptop set up, at first. We finally got those ironed out sufficiently, and she was playing World of Warcraft on Debian again. More time passed as she hesitated to completely commit herself to the new laptop, waiting to see if problems would arise with the way the system was installed, so that it wouldn’t be too difficult to reinstall stuff if there was a problem — which meant she kept the old laptop as her primary. In the meantime, my own laptop waited.

I don’t blame her at all for the problems I’m currently having with Firefox, of course. It’s not her fault in any way. If I had similar problems getting a new laptop set up to my liking, I’m sure I would have done much the same that she did. I might have moved a little faster, but I’m also a bit more experienced and comfortable dealing with technical issues with Unix-like systems.

Disclaimer aside, recently a Real Problem has arisen.

Firefox 3.0.x has had some issues keeping up with my browsing habits, of late. Apparently, it doesn’t like it when I keep 100+ tabs open all the time. When the number of tabs starts getting higher, Firefox 3.0.x starts getting crashy. Luckily, it’s quite good at recovering all those tabs the next time I start it after a crash, so nothing is lost other than time.

I heard good things about the speed of Firefox 3.5.x, and hoped some of the minor issues with Firefox 3.0.x might have been fixed, so I decided it was time to upgrade. I backed up my .mozilla directory and went about the process of moving to a newer Firefox version. Then, when I tried to start it up, it failed.

There’s a note in the /usr/ports/UPDATING file on FreeBSD saying that you have to load the sem module to make sure that FreeBSD won’t crash. I tried to make sure that would load, but it turned out that (for some incomprehensible reason) it wasn’t on my system. It was in the source tree I had on the computer, though, so I compiled it and then made sure it loaded. Of course, Firefox still crashes.

I found some references to the fact that a few people (particularly on FreeBSD 6.x) are having some problems with HTML 5 content crashing the browser, so I used the FreeBSD ports system to install the NoScript extension. Suddenly the browser started, and ran stably! Excellent! Now, I just had to deal with the fact that all my tabs from the last pre-upgrade session were gone. Luckily, I had backed up everything in the .mozilla directory, which should include those tabs. I haven’t bothered checking on that, though — I’ve had other things to do for the last couple days. I guess, if the tab session isn’t saved, I’ll just deal with it. I’ll probably need some of those tabs from the previous session today, so I’ll find out for sure later today, I think.

Okay, so now I have Firefox 3.5.x on the system, and it doesn’t crash when it’s running with NoScript.

It does crash if I allow any scripts from reddit, which basically means I can’t use reddit, since everything one can do at reddit beyond reading requires JavaScript, evidently.

It crashes if I allow scripts here, at SOB. Luckily, WordPress hasn’t become so bloated and ridiculous yet that it doesn’t work without JavaScript enabled (though for some stupid-ass reason Flash is required to make the stats page work).

Oh, yeah, and I tried re-enabling the Awful Bar (the people at Mozilla call it the Awesome Bar) again. I figured there’s no way the new operation of the address bar in Firefox as of 3.x was as bad as I remembered, and I probably only needed to get used to it to find it useful. After playing with it for twenty minutes, though, I’ve come to the conclusion that it’s even worse than I remembered. It literally couldn’t find anything I wanted it to for URL completion. Nothing. Terms that used to come up automatically, at the top of the list because they’re the terms I used most often, simply failed to come up at all, no matter how many times I tried to “train” the Awful Bar to find those terms for URL completion instead of whatever irrelevant crap it was finding instead.

Of course, I can’t turn off the Awful Bar completely, unless I just want to do without any kind of address bar. It’s baked into the browser now. What I actually do is use the “oldbar” extension. It’s not perfect, but it’s definitely a lot better than the Awful Bar. It takes more training to come up with useful results than Firefox 2’s address bar, but at least it can be made to come up with useful results. I turned on the oldbar extension again, and figured that’d solve everything.

Actually, I discovered that just turning on the Awful Bar again (or, more accurately, disabling the oldbar extension) had wiped out all the “training” I had put into the oldbar-enabled Firefox 3. I had to start over! It still isn’t quite up to snuff, though I’ve been working pretty diligently; it still tends to give me URL completion options in the wrong order almost as often as in the preferred order of likelihood that I’ll want a given result. It’s clearly on its way to being back to the state it was in before I decided to give the Awful Bar another chance.

Fool me once, shame on you. Fool me twice, shame on me.

Firefox sucks. The only positive things I can say about it are “At least it’s better than Opera,” where I can slot in the names of almost all other browsers in the world. Problems aren’t particular to Firefox and Opera: all Web browsers suck to varying degrees. About the only Web browser I’ve used that I both don’t find more loathsome than Firefox and can use to do all the things I tend to need to do on the Web from day to day (including research for work-related purposes) is Chrome, but the Chromium browser (that’s the open source project behind Chrome) hasn’t been ported to FreeBSD yet (or even finished getting ported to Linux), so that’s not really an option for my primary browser choice.

There is, supposedly, someone working on ironing out the crashing problems with Firefox 3.5.x on FreeBSD (which are apparently pthread related), but I don’t know what progress is being made on that front. I hope it’s progressing to a point of “solved” very soon.

19 July 2009

How do you really know it’s desktop ready?

Filed under: Geek — apotheon @ 11:56

I had an epiphany the other day about this whole “desktop ready” thing that everybody goes on about all the time. I realized how we can recognize desktop readiness — or, at least, I realized one way to know for sure that something is not desktop ready. Since MS Windows is basically free to home users anyway, “desktop ready” seems to be pretty important to widespread adoption of open source software; the price argument just isn’t important enough to overcome a lack of “readiness”.

Over and over again, the question “Is Linux ready for the desktop?” comes up in the trade press. It comes up all the time in the constant, ongoing flame wars between Linux and Microsoft fans, too. Interestingly, nobody in the BSD Unix community seems to give a crap — but that’s not really relevant.

I don’t know that there’s really a clear way to explain what it takes to make an OS “desktop ready” in the way everybody means that phrase (with variations to suit one’s desired answer, of course). The general meaning is the same as the “Aunt Tillie” test: Is this thing “good enough” (at whatever) to be able to stand alongside MS Windows and MacOS X as an operating system for the masses?

How do you define the criteria for something like that? The entire reason there are such raging, unchecked flame wars on the subject, and the reason it can come up day after day, month after month, and year after year, as if it’s a new subject every time, is simply that different people have different criteria for “desktop ready”.

If your primary criteria are particular to the gleam of fancy, flashy tricks and bells and whistles, OSes that use the X Window System are more than desktop ready, if MS Windows is considered desktop ready. The glitz and glamour of Compiz puts Aero Glass to shame.

As my Adventures with Desktop Ready Linux pointed out, Linux-based systems are not ready for the desktop, if your criteria include both having the “benefits” of MS Windows superficial shine and the technical benefits that make it worth your while to switch to Linux — but if you only need one or the other, you’re golden.

I think there’s a lot more to being “desktop ready” in a market- and mind-share sense than any measurable criteria, though. The evidence is clear in the fact that MS Windows apologists often claim Linux isn’t desktop ready because you have to do stuff like issue shell commands and edit configuration files to get the system running the way you want it to. The fact of the matter is that you only have to do any of that if you want benefits above and beyond what MS Windows gives you; if you’re willing to settle for an OS with all the same problems MS Windows has, you can get a “user friendly” distribution and never look under the hood at all. Then, if something breaks, do what you do with MS Windows: pop in the CD and reset to zero, or live with it, or pay someone else to fix it for you, or throw the computer away and get a new one.

The fact that people never think “Whoa, this is exactly like MS Windows, except I have the option of doing more to try to fix it if and when something goes wrong, and the option of doing more to customize it to my preferences — if only I have the desire and determination,” well . . . the fact people never think that is a pretty good indicator that there’s something much more keeping any open source OS from being considered “desktop ready” than merely objective criteria. Maybe the OS has to be different, to “advance” (or at least change) somehow, to become ready for the desktop, but that’s not all that has to change. Probably more important than any specific changes in the OS itself is the necessity of people’s perception of the OS changing significantly.

Give me availability of an open source OS preinstalled on consumer-grade desktop computers somewhere in the same league as MS Windows availability, and give me a general perception of the OS that’s roughly equivalent to that of MS Windows (or at least MacOS X): with those two things, you could probably even roll the state of the art back about half a decade and still be taken at least as seriously as MacOS X right now, as a “desktop ready” operating system.

What I’m looking for as a sign that this fateful day is finally approaching is a substantial change in the way people write about open source OSes. I believe that no open source OS, regardless of its technical superiority or user-obsequious behavior, will ever be “desktop ready” in a market- and mind-share sense, until the mainstream press talks about it more in terms like the way it talks about MS Windows.

Linux will never be ready for the desktop the way people mean it when they talk about it in the mainstream press until the way we talk about Linux is the same as the way we talk about Windows. Let’s compare.

Linux and open source technical how-to:
  • Setting up a dynamic DNS service part 1: named
  • Hacking Vim covers the basics and reveals tips for power users
  • Use Makefiles for more than handling source code
  • Manage dotfile configuration with subversion

MS Windows technical how-to:
  • How do I … change the Product Key in Windows XP?
  • How do I … blog from the Windows desktop with Live Writer?
  • A computer geek’s guide to building a 64-bit server on a budget
  • How do I … Use the Windows Common Feed List to manage RSS feeds?

Keep in mind this is stuff on a site that serves as a resource for IT professionals. The MS Windows stuff is, in essence, superficial stuff that can be picked up by Aunt Tillie. The Linux and open source stuff accomplishes much more interesting things, but also requires a much more interested, knowledgeable user. In other words, the Linux and open source how-to stuff is for experts, and also requires experts, while the MS Windows stuff is for “power users”, and requires nothing more than a mouse and rudimentary hunt-and-peck typing skills.

Okay, let’s talk about topics from the same two sources that discuss another topic.

Linux and open source market share:
  • What does Google Chrome OS really mean for Linux?
  • Celebrating freedom with open source
  • Will Microsoft threaten open source C# implementations?

MS Windows market share:
  • Microsoft Windows 7 pricing deals spark interest and controversy
  • IT professionals will not drop Windows XP quietly (if ever)

Did you notice the way the Linux and open source stuff is all about how competitors serve as potential problems (or boosts) for market share, while the MS Windows stuff is all about how MS Windows is competing with MS Windows? There is a definite disparity in how the trade press treats each of these software families. In one case, people are eager to talk about how it’s up-and-coming, a real contender, but potentially faced by game-ending challenges. In the other, nothing in the world exists but the software family in question. Any time there’s any comparison of the two, it shows up in the Linux and open source area.

Just to be painfully clear and obvious about all this:

I’m not saying open source software doesn’t measure up to the crap rolling downhill from Microsoft’s offices in Redmond. I literally don’t trust closed source software, because I know the failings of the model for someone who cares about security and privacy in any nontrivial manner quite intimately. I used to be eyebrow deep in the Microsoft Windows Registry all the damned time, professionally. I write about security for money. I have some inkling about the subject, and I can tell you that the worst thing you can do for security is start by choosing closed source software to handle anything that involves, or is capable of, communication over the Internet. This isn’t because open source software is necessarily written better (though, all else being equal, it would statistically be better); it’s because security you can’t trust for any objective reason isn’t security at all.

. . . but that doesn’t change the facts. The facts very plainly point out that Linux and other open source OSes simply aren’t “desktop ready” in the ways that matter for market- and mind-share. The very fact anyone still argues about whether or not it’s “desktop ready” is the only proof we need of that fact.


All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License