Domain: watchfire.com
Stories and comments across the archive that link to watchfire.com.
Comments · 54
-
DNS CACHE POISONING HIJACKS #1/2
http://www.dshield.org/diary/D...
http://www.dshield.org/diary/D...
http://www.dshield.org/diary/*...
http://www.dshield.org/diary/A...
http://www.dshield.org/diary/7...
http://www.dshield.org/diary/B...
http://www.dshield.org/diary/D...
http://www.dshield.org/diary/D...
http://blog.watchfire.com/wfbl...
http://www.theregister.co.uk/2...APK
P.S.=> Con't. w/ more in my next post - there's SO many I can't fit it in 1 post (unless I was KGIII allowed to post encyclopedias that is - odd that, eh? Not!)... apk
-
Re:Doesn't affect all Google Desktop users
If you read the whole whitepaper, the authors say (p15) that an attacker could use the vulnerability to turn on the "search across computers" feature.
The whitepaper is well written and worth the read. It's a pretty scary vulnerability. -
Re:What's the problem?
exactly - how the f*k are we supposed to know what is considered 'inaccessible' - ie worthy of being sued over - without some specific, clearly defined guidelines?
A good place to start is the WebXACT tool (formerly known as "Bobby") that sees how sites conform to Section 508.
Section 508 has been around for years now and might be the specific, clearly defined guidelines you're looking for. The good thing about Section 508 is that if you write XHTML and just separate content and style, you pretty much conform automatically.
-
Re:no one gives a fuck
Like many geeks, I am registered at an insane number of websites. I only remember being able to use audio support for a captcha once (I think it was an HP website). For me computers are very empowering as I find it much easier to type than to write by hand, especially in class. Other people have a really hard time. Developers need to learn to test their sites for accessibility, just like new buildings are tested.
-
The Handicapped
When I assisted in developing phpWebsite the project leader stressed that the entire site be w3c and bobby compliant. Web developers forget that there are people who need a text-to-speech reader or braille pad to browse the internet. It may be a small part of your audience but it is something to consider. Alternative human interfaces depend on standards.
Bobby:
-------------------
http://webxact.watchfire.com/ -
Bobby from Watchfire: Accessibility checker
Back in college, I worked as a student assistant for the Occupational Therapy dept. at the University at Buffalo. I had to make sure the department's site was handicapped accessible. We used Bobby, which was free back then. It helped catch a lot of easy-to-fix errors. I see that the product is still around, but now they charge for it:
http://www.watchfire.com/products/desktop/accessibilitytesting/default.aspx -
html and design
HTML isn't hard to learn. If your friend couldn't learn it quickly, then I think that reflects on your friend.
You're right html isn't hard, xml is getting there though. As for the person I mentioned, he wasn't my friend, just someone I met.
Now, design is another thing completely. That takes a skill that is not wholly scientific.
Yeap! Design is different, and there are two basic ways to get there, though related: graphic design and print. I knew one person who was a graphic artist who started designing graphics for the web on her own, and another who was a commercial artist who started her own web design business. She'd do the design work for a website and would pay freelancers for any programming needed. There's something I don't understand about web design and programming in the US: accessibility isn't stressed much. For the classes I took for my web programming degree, all we really did was validate the code and run a webpage through Bobby, neither of which does much of a job of testing for accessibility. Sure, Bobby checks for things like alt attributes for images, but it takes a person to test and check layout, colour, and other areas of accessibility. We didn't do any of these; however, people I chatted with in Canada and Britain who were in college working on a degree or updating their skills said their education stressed accessibility. And they did at least a little of both design and programming; her design and programming are totally separate.
Falcon
Oops, I just visited Bobby, er Cast.org and Bobby wasn't there. A similar service is at Watchfire.
-
Important to note that IIS is as bad or worse
Based on the original and detailed exploit report. No news on a patch for that, I notice.
-
Wow is the slash article wildly inaccurate!
No, you're not piggybacking data over the Content-Length: HTTP/1.1 header, you're abusing the HTTP/1.1 header to confuse a required combination of a proxying firewall (or proxy/cache) and a webserver.
I recently released an internal advisory on this from reading TFA. Folks, the sky is not falling. 99% of consumers out there will not be affected. People behind NATing firewalls will not have issue. People behind proxies (Squid to name one), and proxying firewalls (Checkpoint, Symantec, etc) will be the ones "vulnerable" to this "attack".
The deal is this:
Proxy A uses Content-Length: header #1, and Webserver A uses Content-Length: header #1 == no problem, no vulnerability.
Proxy A uses Content-Length: header #1, and Webserver B uses Content-Length: header #2 == problem.
That is how it's done. TFA says this may be used to bypass intrusion detection systems. Sure, if you don't have defence in depth. Otherwise you're fine. -
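The proxy/webserver disagreement described in the comment above, as an added example that is not from the thread or from Watchfire's paper: a strict framing check that rejects a request whose Content-Length headers conflict (or that carries both Transfer-Encoding and Content-Length), beside the two lenient readings that let one hop see a different body boundary from the next. The parser and the sample requests are constructed assumptions, not captured traffic.

```python
"""Strict HTTP/1.1 request-framing check (added example).

Assumptions (not from the thread): a small hand-rolled header parser
stands in for a real proxy so the check runs offline on constructed input.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Framing:
    verdict: str              # "ok" or "reject"
    reason: str
    body_length: Optional[int]


def _split_headers(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Split a raw request into (lower-cased header list, bytes after the headers)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    headers = []
    for line in head.split(b"\r\n")[1:]:        # [0] is the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return headers, rest


def strict_framing(raw: bytes) -> Framing:
    """RFC 7230 section 3.3.3 style rule: any ambiguous framing is rejected (400),
    so no two hops can ever pick different Content-Length values."""
    headers, rest = _split_headers(raw)
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    if te_values and cl_values:
        return Framing("reject", "both Transfer-Encoding and Content-Length present", None)
    if te_values:
        return Framing("ok", "Transfer-Encoding framing, no Content-Length", None)
    if len(set(cl_values)) > 1:
        return Framing("reject", "conflicting Content-Length values: %s" % ", ".join(cl_values), None)
    if cl_values:
        value = cl_values[0]
        if not value.isdigit():
            return Framing("reject", "non-numeric Content-Length", None)
        length = int(value)
        if length > len(rest):
            return Framing("ok", "body incomplete, wait for more bytes", length)
        return Framing("ok", "single unambiguous Content-Length", length)
    return Framing("ok", "no body", 0)


def lenient_body_lengths(raw: bytes) -> Tuple[int, int]:
    """Body length as seen by a 'first Content-Length wins' parser and by a
    'last wins' parser. When the two differ, the proxy and the webserver in the
    comment above disagree about where the request ends."""
    headers, _ = _split_headers(raw)
    cl_values = [int(v) for n, v in headers if n == "content-length" and v.isdigit()]
    if not cl_values:
        return 0, 0
    return cl_values[0], cl_values[-1]


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (b"POST /cart HTTP/1.1\r\nHost: shop.example\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS_REQUEST = (b"POST /cart HTTP/1.1\r\nHost: shop.example\r\n"
                     b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")

if __name__ == "__main__":
    for name, req in (("clean", CLEAN_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(name, strict_framing(req), lenient_body_lengths(req))
```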
Re:2.1.6
There's something rather odd about this.
- The current production version of Apache 2.x is 2.0.54. 2.1 is alpha-quality code, the unstable development branch.
- The advisory's dated 5th July, but I certainly haven't seen anything on any of the usual lists about it (and I monitor them as part of my job.)
Not to say it's impossible, the HTTP request smuggling attack vector is real enough - the paper is interesting reading, see http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf -
Another Dupe
This seems to be a duplicate of the June 12 article on HTTP Request Smuggling. I don't see anything new here, as the original paper also talks about Apache being susceptible to this relatively minor (yet still interesting) issue.
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner.
-
Re:groundbreaking!
There are some neat tricks here including storing the cart ID as a cookie on the client.
I sure hope that people who read that chapter also take time to read how cookies can be abused.
Like The Twelve Most Common Application-level Hack Attacks(102 KB pdf)
Note The linked article is good reading for new web programmers but probably old news for many programmers here. -
Re:Firefox isn't made by Microsoft.
Will Macromedia Flash Player 6 work with all screen readers and other assistive technologies?
Microsoft Active Accessibility (MSAA) makes it easier for all assistive technologies to incorporate support for Macromedia Flash Player. Once the contents of a Macromedia Flash movie are placed under MSAA, it is up to the individual assistive technology to render that content for the user. Since MSAA support is a new feature of Macromedia Flash Player, many assistive technologies still do not know how to handle the information made available under MSAA. At the release of Macromedia Flash MX, Window-Eyes from GW Micro is the first product to take advantage of the improvements in Macromedia Flash Player.
Well, since it only works on MS platforms, most assistive technologies don't work with MSAA, and there are better ways of accomplishing the desired result, I can only say
Bzzzt. Thanks for playing.
P.S. The Macromedia Accessibility FAQ page does not pass all of the Priority 1,2 and 3 accessibility checkpoints of the W3C Web Content Accessibility Guidelines 1.0. -
Re:Bug Free?
Hire you?
Why?
You have just proved you don't know shit about the specs. (Alt tags for title tags) -
POPFile
Back in the mists of POPFile time a developer came along and wanted to work on the HTML of POPFile's UI (made it HTML 4.01 and CSS1 compliant) and I said "If you want to work on it then you need to do that PLUS you need to make it pass the Bobby Accessibility Guidelines".
He did all three and I have heard from users that POPFile works well with screen readers. I'm not sure about JAWS in particular.
It wasn't particularly onerous to get the Bobby AA mark for the software and I'm always happy to have another satisfied user.
John. -
Yeah, and full of Advertisements too!
It's a little hypocritical that an article that complains about software that puts ads on your computer is so full of ads itself.
I'm not just complaining about web page sponsorship in general, but about ones that are so intrusive that the page is hard to "read"... I mean even for my computer. You don't think I'm going to read that long article myself do you? I have my Mac 'speak' it to a file for me and listen to it on my PDA later. The problem is that this article is so full of obtrusive advertisements and other junk that you can't just highlight the whole thing and have the computer speak it. It took almost as long to copy and paste the damned thing as to read it... even with images and animations turned off!
Can you imagine how hard such sites must be for people with accessibility issues? The article was so bad that it crashed Bobby. Talk about an accessibility nightmare. -
Re:Large text and contrasting colors
The point is NOT to make a web site accessible to people who don't understand web sites! This is like the icon caption: "AOL 4.0: DOUBLE CLICK TO START". Don't do that. It's okay to say "Click here to view the page I have written about foo." instead of "I have written a page about foo.", but please don't take all that advice literally.
Yes, please do not take this advice literally, as it is wrong. The poster is correct that you are not to build a web site to people that don't understand web sites, but W3C actually recommends the exact opposite of his example of what is ok.
Also, making multiple links only separated by spaces is bad. Not just because slashdot's filter (or whatever it is that adds the link domain) probably just garbled that, but those with poor sight cannot tell the difference when one link ends and the other begins (unless slashdot garbles it for them to point out a link is done and where it goes).
Also, if you come across sites referencing Bobby, please note that for some reason Bobby has decided that if an image is used anywhere in the page it will not pass their test. Previously, they would mark it off and warn testers that they must ensure that colors aren't used to differentiate context. Because of this, there are many sites out there that will claim Bobby compliance when they are not. That said, Cynthia Says provides a similar tester with a few more options. If you use Mozilla, Chris Pederick's Web Developer Extension contains an option under the Validation menu to validate against WAI Accessibility or Section 508 (as well as validate links, HTML and CSS).
Finally, it's worth noting that you should check your pages in Lynx Viewer to see how the page would look in Lynx (or just run Lynx yourself). This is useful when judging your content based on its textual equivalent (which in some instances is what is read off by screen readers). Also add a "skip to content" link whose CSS sets it to display none for graphical browsers (some people suggest leaving this on, but W3C's validator even uses this method so I go with them). If they are having the screen read to them, after a while they will know how the navigation system works, won't need to have all those links read to them, and just want to get to the actual content in your page. If you go the full XHTML route, you'll also have accesskeys and tabindexes available so they can tab through your links correctly and can get back to the beginning of your page if you set a named anchor as the first thing they tab to (the second being the skip to content, thus they can simply hit the 'T' key to take them to the top and then skip to the beginning of the content, OR they can go through the navigation (of course, you could have given each entry in your navigation an accesskey, but that's not always helpful, and this is useful in case they forget what the key is for something in the navigation)).
Wow, I can't believe I knew this much on the subject....
-
Re:Accessibility
Making an accessible web app also makes it more usable for people without any disabilities actually, not to mention for non-people like search engines. The WAI guidelines are really a collection of best practices for web development - Even if you don't need to put up a triple-A conformance label on your app, it is always good to keep them in mind.
The W3C WAI resource page has pointers to everything you need to know. A popular tool that helps evaluating web accessibility is Bobby, but unfortunately it isn't free.
-
Play every time uh?
Unicast, the company responsible, says the ads will play regardless of pop-up blocking.
Not in my browser they won't
More seriously though, it's bad enough that webpage makers seem to disrespect the HTML standard enough to make life for the blind on the web painful, but it seems that this interstitial video ad thing will just flatly deny them access to the pages behind.
Not to mention the legions of internet users who'll be forced to swallow advertising bull in English for products they don't have (and/or don't want) access to in their own countries. -
Re:I'm just shocked...
And the accessibility.
-
Make it ACCESSIBLE
Hehe, Slashdot's not really a shining example of web accessibility, but it's a good place to ask for help none-the-less.
The first stops for help (as someone's no doubt pointed out already) should be:
Section 508
Mark Pilgrim's excellent "Dive Into Accessibility"
The W3C's web accessibility guide
The UK Disabled Rights Commission website, paying particular attention to the superb Interactive Demos (e.g. Inaccessible Website Demo).
Buy these books:
Constructing Accessible Websites
Building Accessible Websites
Oh, and a copy of Zeldman's Designing With Web Standards for good measure.
Write your pages using validating HTML or XHTML, and style the pages using CSS.
Validate your webpages using the W3C Validator and your CSS using the W3C CSS Validator. Use Watchfire's Bobby to validate your pages, and aim for AAA rating (also note that Bobby has some helpful hints when it does find errors).
Other excellent resources (in no particular order):
http://www.webstandards.org/
http://www.w3.org/WAI/References/QuickTips/
http://www.mezzoblue.com/
http://www.meyerweb.com/
http://www.simplebits.com/
http://www.whatdoiknow.org/
http://www.stopdesign.com/ -
Re:Oh goody
Though this was labeled as troll, and I can see why, I can also see the point in it. Some may not, so I will clarify. Microsoft's Internet Explorer web browser is horrid about complying to W3C standards, and even creates its own "standards" that some people are more likely to comply to. Maybe this wouldn't be labeled troll if the statement was more like, "This is a great development for the W3C, but seems that, unfortunately, it's not going to do much good. Microsoft has been making web standards useless ever since they 'took control' of the 'browser market,' and they don't seem to care about accessible web pages (WCAG 1.0, US section 508). I did check the document source for an accessible alternative version as the W3C standards would accept instead of the main version being accessible, but they have no alternative versions, even for mobile devices or anything."
-
Re:Hrmm
Removal of pop-ups is a recommendation of the current w3c accessibility standards. Switching window focus without letting the user know that it is going to happen can confuse accessibility programs and users. I believe pop-unders are just a hack that switches focus back, so they are also not recommended.
Very few web sites that I've seen care about accessibility standards. Very few web devs, it seems, even care about W3C standards, because they develop for browsers (i.e. IE) rather than for the web (i.e. W3C standards). Check a number of pages with Watchfire Bobby and you'll see. Even slashdot has quite a few "violations" of the WCAG 1.0 standard. -
Here's a useful tool
If you want to test if your webpage is accessible to visually deficient people, you can ask Bobby to scan it and analyse it. Best accessibility report tool in town, I use it on all my pages.
-
Re:Why waste time in the legal system?
Section 508 mandates that federal and some other types of government web sites fit the guidelines. It is not a rule that has to be applied towards any other site, although it is a really good starting point for non-government web sites. It is often used by webmasters to convince the Pointy-Hairs how to build a web site correctly and keep the Flash and other crud as decorative only... not the whole site itself.
A side benefit is that being Section 508 compliant makes really friendly robot fodder, so the site gets in Google and other search crawler sites faster.
Any high-profile webmaster is going to follow something like Section 508 anyway, just to minimize the chance of getting a lawsuit. You can find out more here:
http://bobby.watchfire.com/bobby/html/en/index.jsp
and the 508 Guidelines here:
http://www.access-board.gov/sec508/508standards.htm -
Here's another one...
Bobby
If you intend to follow the guidelines or not... reading the results is often interesting in either case =) -
Re:Not very usable
You may want to have a go at the Bobby accessibility tests which throw not only errors and warnings but will show you what the page looks like without any style sheets and scripts, indications where the errors and warnings are, and links in the report to full-length explanations of what the errors mean. Almost all of the explanations provide samples of good and bad code, along with HTML coded samples.
They limit the number of tests you can run via the web interface, but they also sell a standalone and server version of their tool for a decent amount (decent as in not too expensive but not cheap).
I use Bobby to test my site for content accessibility and made changes to as many pages on my site as possible in order to get almost every page to meet section 508 and/or WCAG Level A (or level 1).
-
Section 508 compliance
If the DoJ is going to replace a web site, they ought to ensure it adheres to federal regulations, namely the Section 508 Accessibility guidelines. In this case, they left out the ALT attributes of the two images they included from the old IsoNews site; the images comprise the IsoNews logo. For these reasons, the page does not meet the 508 requirements.
This error might seem trivial, but the first line of text relies on the image to convey the name of the site (IsoNews) and therefore it violates the mandate of accessibility.
Furthermore, the ALT tags provided for the two logos do nothing more than reproduce the text in those images - the name of each agency. Those ALT tags don't even attempt to convey the visual information contained in those images, such as an eagle clutching an olive branch, the latin motto of the DoJ, or the scales and key within the Customs Service seal.
ps - The name "Lissard" for school admin s/w reminds me of a particular school admin: Police Academy Cmndt. Eric Lassard.
:) -
bobby
-
Re:pfft..
Microsoft is part of the W3C, and help make many of these standards. If you look at the acknowledgments [w3.org] you'll see Microsoft is actually a member of the working group responsible for these guidelines.
Haahahaa (sorry, I couldn't help myself). This explains why hugely respected accessibility expert Mark Pilgrim slated the MS site redesign in October then (as did Zeldman)? See the news post over at the Web Standards Project (scroll to the bottom of the page).
In summary: Invalid. Inaccessible. Undecipherable in a text-only browser.
Don't get me wrong, Microsoft have some fantastic employees such as Tantek Çelik (who's site kicks major ass BTW) who care passionately about standards, but MS doesn't seem to want to listen most of the time... -
Bobby
Check your web site for accessibility using Bobby. I've found Bobby to be an invaluable tool when trying to design accessible web sites.
-
Re:I'm sorry to say I agree with the court ruling
Check out "bobby" here. I believe it is a government sponsored (IBM is government, right ;) ) program to find and repair potential barriers to people with disabilities. To test it, make sure to click the "Bobby" link in the upper-left corner. You can choose which set of guidelines to use: Web Content Accessibility 1.0, or U.S. Section 508 guidelines.
It, and the W3C's modified HTML 4 spec, seem to be trying to distance the presentation from the data, so that the data can be presented in a variety of formats, depending on the needs of the client.
This is a good thing, as affirmed in The Pragmatic Programmer (Andrew Hunt, David Thomas; Pub. Addison Wesley 10/1999; ISBN 0-201-61622-X, $37.99) reviewed here. I own this book, and find it to be an extremely practical, applicable, enjoyable and easy read.
I piped the output of Bobby and found it to be uncompliant. I thought that was funny. -
User Interface Guidelines
When designing websites, especially for commercial purposes, it is most unwise to forget to check for handicap accessibility. Bobby [http://bobby.watchfire.com/bobby/html/en/index.jsp] is a special HTML validator designed expressly for this purpose. It's also really good for testing compatibility with old or unusual browsers. -
Pass the Bobby Test...
It is possible to design good sites and get passed by Bobby, E-bility.com
-
Re:Why buy the book...
Har Har... Bobby doesn't pass the Bobby test!!
check it out...
-
Re:Why buy the book...
Is the Bobby Test even usable? I couldn't find a single site, besides Bobby, that passes. I tried Google, the W3C validator, American Council for the Blind, and the National Federation for the Blind. As long as I'm complaining, wouldn't Bobby be more accessible if the reports had some coherent means of navigating to other parts of the site?
-
Bobby
I am surprised that nobody has mentioned Bobby yet. Developed by the Center for Applied Special Technology (CAST) in cooperation with the W3C, Bobby is "a software tool designed to help expose and repair barriers to accessibility and encourage compliance with existing accessibility guidelines."
I've used it extensively over the past year. It used to be freeware when it was owned by CAST, but still... at $99USD it is a minuscule cost for any company that must comply with accessibility on its web pages.
"Bobby" -
Re:http://www.diveintoaccessibility.org/
Sometimes Mark's server is inaccessible; in that case, here is a mirror of the document at Vincent Flander's Fixing Your Web Site : Dive Into Accessibility.
There is also a pretty interesting example of usability gone wild at Chris Davis' - Sillyness spelled wrong intentionally whose site validates as XHTML 1.0 strict :: CSS 2 :: Web Content Accessibility Guidelines 1.0 and U.S. Section 508 Guidelines.
I've often wondered if sometimes we're not all hooked into usability for usability's sake, sometimes forsaking compelling content? Not so much in the case of Chris Davis, but of some other sites claiming to be disciples of 'the Pilgrim'. -
Re:Why buy the book...
Much to the shame of Trolls everywhere, the beloved Goatse Man also fails miserably. See his shame for yourself: (Yes, this is a Goatse.cx Link!)
The Shame Of Goatse Man.
-
Re:Why buy the book...
Bobby does not like Slashdot.org!
Slashdot massively fails the Bobby Test. Hope you are proud of yourself Taco.
-
Why buy the book...
when you can check your site for these guidelines on the web here?
-
This has to be a joke
I went to http://www.adaaccessnow.org and that page is anything but accessible. Bobby cannot even check the site. How the hell can they sue anyone over accessibility when their own front page is an abomination.
South West Airlines website is not an accessibility nightmare. Looks like Bobby has been slashdotted.
Nobody is entitled to use a website. A blind person is not entitled to use a website either. It is up to the blind person to obtain the technology needed to access a website. If their screen reader software is not capable of doing the job, then they need to get better software.
The disability laws were created to stop disabled people from being discriminated against, NOT to make their life more comfortable at the expense of the public.
Well I guess the good side is that it might make Front Page and Dreamweaver cowboys obsolete and raise salaries for professional developers who know how to write HTML.
-
It's not that hard
A couple of years ago, when I was in production support, I had to respond to our VP level concerning complaints from our clients who could not use our site with the standard screen readers. This was a novel issue to me at the time and I quickly familiarized myself with screen reader technology and the W3C's accessibility guidelines.
I suggested that it would not be a terribly huge undertaking to bring our site into a minimum level of compliance. Nope, this was deemed too costly relative to the small segment of our clientele who were disabled. Failing that, I suggested that we could simply ensure that all new development going forward implemented the accessibility guidelines.
Well, two years and a new redesign later, and this still hasn't been implemented. I mean, how hard is it to include accessibility in the business requirements for the new development being farmed out?
Here's a web app that validates a URL against the W3C's accessibility guidelines. Most sites will generate a ton of errors, but you'll also notice that this accessibility boils down to simple things like using *correct* html, making sure you supply text in alt and title tags, etc.
I'm not certain, but I think accessibility concerns were a reason that has caused the W3C to want to deprecate the use of framesets: screenreaders have a hell of a time trying to present essentially two different documents at the same time with any level of coherence.
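A Bobby-style static check for the "simple things" the comment above lists (alt text, frame titles, link text, plus the "skip to content" link an earlier comment recommends), as an added example that is not the thread's or Watchfire's code: it runs Python's html.parser over a constructed page and reports findings keyed to the Section 508 1194.22 paragraphs. The checks, the skip-link heuristic and the sample HTML are assumptions and cover only a small subset of what Bobby tested.

```python
"""Bobby-style static accessibility audit (added example).

Assumptions (not from the thread): a subset of checks, a heuristic for the
skip link, and a constructed sample page rather than a real site.
"""
from html.parser import HTMLParser
from typing import Dict, List


class AccessibilityAudit(HTMLParser):
    """Collect findings that map to Section 508 1194.22 paragraphs / WCAG 1.0."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []
        self.has_skip_link = False
        self._in_anchor = False
        self._anchor_text = ""
        self._anchor_href = ""

    def handle_starttag(self, tag, attrs):
        a: Dict[str, str] = {k.lower(): (v or "") for k, v in attrs}
        line, _ = self.getpos()
        if tag == "img":
            if "alt" not in a:
                # 1194.22(a): a text equivalent for every non-text element.
                self.findings.append(
                    f"line {line}: <img src={a.get('src', '?')!r}> has no alt attribute")
            elif self._in_anchor:
                # An image's alt text counts as the enclosing link's text.
                self._anchor_text += a["alt"]
        elif tag in ("frame", "iframe") and not a.get("title"):
            # 1194.22(i): frames titled to aid identification and navigation.
            self.findings.append(f"line {line}: <{tag}> has no title")
        elif tag == "a":
            self._in_anchor = True
            self._anchor_text = ""
            self._anchor_href = a.get("href", "")

    def handle_data(self, data):
        if self._in_anchor:
            self._anchor_text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self._in_anchor = False
            text = self._anchor_text.strip()
            line, _ = self.getpos()
            if not text:
                # WCAG 1.0 checkpoint 13.1: link text must identify the target.
                self.findings.append(
                    f"line {line}: link to {self._anchor_href!r} has no text")
            elif self._anchor_href.startswith("#") and "skip" in text.lower():
                # Heuristic: a same-page link whose text mentions "skip".
                self.has_skip_link = True


def audit_html(html: str) -> dict:
    """Return the findings list plus whether a same-page 'skip' link exists."""
    parser = AccessibilityAudit()
    parser.feed(html)
    parser.close()
    return {"findings": parser.findings, "skip_link": parser.has_skip_link}


# Constructed sample page (not a real site).
SAMPLE = """<html><body>
<a href="#content">Skip to content</a>
<img src="logo.gif">
<a href="/about"><img src="about.gif" alt="About us"></a>
<p id="content">Welcome.</p>
<a href="/more"></a>
</body></html>"""

if __name__ == "__main__":
    report = audit_html(SAMPLE)
    print("skip link present:", report["skip_link"])
    for finding in report["findings"]:
        print(finding)
```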
-
At Watchfire, we use Watchfire InteractionXM
I work on Web-based applications at Watchfire. One of our products is WebQA Interaction, which is a record-and-playback web client. While it is not intended primarily as a web application test tool, it does the job. And we do eat our own dogfood here. The focus is more on database-driven web sites.
Sorry, it runs only on Windows and is proprietary. Single seat licenses are $1495 US in the WebQA package. Free (as in beer) evaluation download available, registration required. You register and get the download location and keycode emailed to you.
-