Fix Outlook – On the first page of Google results please

Wednesday 24th June, 2009

This morning I was introduced to the wonderful FixOutlook.org (thanks @philhawksworth) and thought I should throw it my tiny speck of pagerank support. The short version is that Microsoft are planning to keep using Word for HTML rendering in Outlook 2010… which is quite broken (justification on request, I wouldn’t know where to start).

Wouldn’t it be lovely if we could get enough links pointing to fixoutlook.org that it appears on the first page of results for a Google search for “Outlook”?

As a side-point… has PageRank replaced the whole signature/petition thing? Has Twitter replaced PageRank? I love change.


This is me not claiming my Facebook URL

Tuesday 16th June, 2009

Rather than spending 5 minutes claiming my personal Facebook URL I’m going to spend 5 minutes writing a blog post. During those 5 minutes, a statistically unlikely 165,000 people may have registered theirs.

Reasons in favour of registering a Facebook URL:

  • Vanity
  • Umm… vanity

Reasons against registering:

  • 5 minutes of life wasted (dubious benefit since I spent them doing this)
  • One step closer to Facebook being a closed monolithic identity provider
  • Obstinacy

The nays have it.


Internet Explorer fails to render &apos; in XHTML

Friday 5th June, 2009

XHTML is a subset of XML. All XML rules should apply. Why then, in 2009, does Internet Explorer still fail to unescape the &apos; entity as XML dictates? Come on. It’s not complicated.

If it’s backwards compatibility the IE team are worried about then surely the burden of compatibility lies with page authors who wish to switch to XHTML from HTML.


MySpace security FAIL

Friday 29th May, 2009

MySpace stores users’ original passwords in clear text and returns them by email on request. Enough said really. FAIL.

For reference purposes, there are better ways to do this:

One step better: don’t return the original password (which potentially reveals additional information to an attacker); instead generate a new one, or send a one-off link that lets the user create a new one.

Two steps better: don’t store the original password at all; store a one-way hash instead, so that even an attacker who compromises the DB can’t see it (assuming you do it right).
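As an added illustration (not code from the original post) of the “two steps better” scheme: passwords are stored only as salted one-way hashes, and the forgotten-password flow issues a single-use, expiring reset link instead of mailing a password. The in-memory dicts stand in for a database and are an assumption of the example.

```python
# Added example: salted one-way password storage plus single-use reset tokens.
import hashlib
import hmac
import secrets
import time

# In-memory stand-ins for database tables (constructed for this example).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}

RESET_TTL_SECONDS = 15 * 60


def _hash_password(password, salt):
    # Deliberately slow, salted and one-way: an attacker who dumps the table
    # still has to brute-force every hash separately.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the stored and freshly computed hashes.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def issue_reset_token(username, now=None):
    # The raw token goes into the e-mailed link; only its hash is stored, so a
    # database read does not yield usable reset links either.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username, "expires": (now or time.time()) + RESET_TTL_SECONDS}
    return token


def redeem_reset_token(token, new_password, now=None):
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = RESET_TOKENS.pop(key, None)      # pop: the link only works once
    if rec is None or (now or time.time()) > rec["expires"]:
        return False
    register(rec["user"], new_password)    # overwrite with a fresh salt and hash
    return True
```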


Wolfram Alpha – poor user experience

Saturday 25th April, 2009

I have an apology to make. The title of this post leaves room for you to infer that I’ve actually used Wolfram Alpha… I haven’t.

What I *have* done (along with many others I’m sure) is signed up for access to their closed preview. Did I get access? Not yet. All I have so far is a series of unfulfilled promises.

Either this was an honest oversubscription which they’ve handled badly, or it was a deliberate trick to create hype and acquire a mailing list.

Regardless of which is closer to the mark, I refer Stephen Wolfram and Hector Zenil to Seth Godin.

I suspect that in 18 months’ time Wolfram will be languishing in the Hall of Forgotten Hype alongside the equally world-changing Project Ginger.


Developing with methodologies

Wednesday 18th March, 2009

I have a new rule of thumb:

If you can call it a methodology then it’s probably wrong.


Mozilla requires you to log into mozilla.org to install experimental add-ons

Friday 6th February, 2009

From Mozilla: “The add-on site requires that users log in to install experimental add-ons as a reminder that you are about to undertake a risk step.”

…and providing your personal data to a third party is another risk step. Irony is not dead it seems.

Anyone wishing to try out this add-on without creating yet another login and password can install it from Sitepoint’s own site.


Monster security FAIL

Sunday 25th January, 2009

International job site Monster has suffered a serious security breach and an undisclosed portion of its user database is now in criminal hands.

Prompted by Monster’s warning to change your passwords if you use their site, I decided out of curiosity to see if there were any tell-tale signs that they store actual passwords, rather than hashes. Following their instructions, I dutifully changed my password. They didn’t send the original, only a link to change it (which suggests they probably store hashes rather than plain text passwords). The link only worked once; subsequent attempts were blocked, which is good.

Then I found a security hole, which for the sake of responsible disclosure I will not reveal now. I’ve emailed Monster and asked them to get in touch with me to sort the problem out.

[Updated – Monday 26th Jan] On further thought, the barrier to entry on this exploit is so high (man in the middle) and the time pressures are so immediate (lots of people will be changing their passwords right now) that I think it’s right to publish it, and responsible disclosure weighs on my side. It’s pretty simple. Monster’s forgotten password tool transmits your passwords over HTTP, rather than HTTPS.

Whoever developed this obviously thought a little about man-in-the-middle, as the password parameter is ‘obscured’.

Below is the unencrypted new password, visible to anyone between my web browser and Monster’s servers.


{
"encryptedTicket":"ljy1astmbrv25fjoq3kvts2...",
"newPasswrod":"cheese555"
}
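As an added, defender-side check (not part of the original post) for the failure described above: the function below audits a captured request and flags password-like fields that travel over anything but HTTPS, or that sit in the URL query string where they end up in server logs and browser history. Field names are matched loosely so that an “obscured” or misspelt parameter such as “newPasswrod” is still caught. The sample URL and body are constructed and the host is a placeholder.

```python
# Added example: flag credential-bearing requests that are not sent over HTTPS.
import json
from urllib.parse import parse_qs, urlsplit

PASSWORD_HINTS = ("passw", "pwd", "secret")


def _looks_like_password(name):
    return any(hint in name.lower() for hint in PASSWORD_HINTS)


def password_fields(body):
    """Return keys of a JSON object body that appear to carry a password."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    return [key for key in data if _looks_like_password(key)]


def audit_request(url, body):
    """Return a list of findings for one captured request (empty means fine)."""
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower() or "unknown"

    # Password in the body of a request that is not protected by TLS: readable
    # by anyone between the browser and the server, as in the capture above.
    fields = password_fields(body)
    if fields and scheme != "https":
        findings.append(f"password field(s) {fields} sent over {scheme} to {url}")

    # Password in the query string: logged and cached regardless of scheme.
    query_fields = [k for k in parse_qs(parts.query) if _looks_like_password(k)]
    if query_fields:
        findings.append(f"password field(s) {query_fields} in query string of {url}")
    return findings


# Constructed sample resembling the capture in the post (placeholder host).
SAMPLE_URL = "http://example.invalid/account/forgotten-password"
SAMPLE_BODY = '{"encryptedTicket": "<ticket>", "newPasswrod": "cheese555"}'

if __name__ == "__main__":
    for finding in audit_request(SAMPLE_URL, SAMPLE_BODY):
        print("FINDING:", finding)
```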


More Outlook abuse

Tuesday 20th January, 2009

It’s been a while since I complained about Outlook but don’t panic, it’s not all better now. I am still very annoyed with it, I’ve just been trying to concentrate on more productive blog posts.

Today’s Outlook rant is about the attachment previewer. Outlook 2007 has this feature that (quite rightly) allows you to preview attachments in the reading pane. This works brilliantly for text files and Office documents.

Can you guess what happens if someone sends, oh I don’t know, a “.sql” file, or a “.java” file? These are plain text files that could be displayed even more easily than an HTML email.

Instead you get presented with a link to find and download more previewers. What’s on the page at the other end of that link? Downloadable previewers perhaps? No, you naive young scamp, there’s absolutely nothing of use whatsoever. That’s right, it’s impossible to preview them without writing your own file previewer in .NET, or possibly attempting some pith-helmeted registry botching (via).

I love you Outlook!


Spore ruined by DRM?

Tuesday 9th September, 2008

I’ve been waiting to play Spore for years, literally. I even paid £5 a few months back for the creature creator demo, even though charging for a demo feels a little weird to me. But now it’s been released, I’m not going to buy it.

Why? Because I’d rather vote with my feet and make a point to computer game distributors that I don’t want DRM. I’d rather sacrifice a little bit of fun by spending my money on something else (let’s face it, it might not even be a sacrifice). It seems like I’m not alone: the Amazon review page for Spore (via ZDNet) is filled with complaints about the DRM they’ve bundled with it, pushing the rating down to a rather weak ‘one star’.

A few years ago when Half Life 2 was released, I bought it straight away, then spent ages waiting for the game to phone home every time I wanted to play it because Steam’s DRM servers were under strain. I haven’t tried playing it recently, but if the DRM provider has switched off their servers for any reason then I’ll be unable to play my own game.

I don’t want games to phone home whenever I play them, it’s creepy, it’s a potential point of failure, and it’s downright rude.

The PC game market (at least the grumpy older gamer segment) is pissed off. Let’s see if the industry is listening.