"Vista when there was no need for it" Until you remember that XP is responsible for all the world's botnets because everybody was running as root. Vista fixed that bug, you know. Nobody is root anymore.
I think the product segmentation is going to get more pronounced in the future. This is a very good thing.
Why? Simple, people at home treat their computers differently than at work.
At work, you log into a domain. At home, who is logged in doesn't matter much at all; in fact, Vista is the first OS I've even bothered setting up a new profile for my girlfriend on.
At work, somebody who is a professional manages your computer and its hardware. At home, you do, and you might not be very sophisticated.
At work, all the computers are the same. At home, there is only one computer, but every computer in the home market is different from every other home computer.
At work, your sysadmin installs your software via a group policy. The Windows Server in the closet feeds your computer updates. Unless it is your job, you probably don't do many "multimedia" things like rip CDs or play videos. You certainly aren't playing games (ha ha). At home, Microsoft.com gives you updates. You might have your computer hooked up to your TV and stereo. You play games on it.
At work, all your data is stored in a roaming profile. Your documents and data are backed up by a trained professional with expensive hardware. At home, you might be lucky to have a USB disk drive or a couple of DVDs.
The Home and Business markets have very different needs. For example, the backup solution for home users is useless in a business. A backup solution for a business is vast overkill for home users. The massive Active Directory model for a business is too complex for a home network of perhaps three computers. A traditional Windows workgroup is very insecure for a corporate network.
It makes a lot of sense to segment the Operating system into Home and Business. The trick is what to add and remove from each offering. Obviously "vista ultimate" is "all of the above".
I wonder though, how many people actually buy the machine with that?
Surely they (Dell) only offer 512MB so Dell can show the absolute lowest price possible on a given laptop. Dell always checks the lowest end of every box and always has "Dell Recommended" be the one with the highest margin. That is how it works:-)
Hi, I'm Cory R. King from the Planet Earth (aka "The Real World"), year 2007,
Here in the real world, I use Vista because it is significantly more secure than XP, it looks much nicer than XP, it has many little improvements that add up to a big win, and it is much faster on the same hardware.
Sadly, your problems with Vista don't apply to those of us here on earth who use computers as tools. Quite frankly, I don't really care about Microsoft's dominance, they make a great product at a good price so I buy it, is there a problem with that? While I do not like DRM, it is not forced on me and it is not the fault of Microsoft. "Open Standards" are highly overrated and usually mean "we want free stuff from Microsoft".
Do you have any specific problems with Vista that don't involve religion?
Seriously. Can we stop with the Vista bashing now? Please?
Remember what your mom told you about the bullies who picked on you? What they say about you is a reflection of how they feel about themselves. Isn't that the truth?
If all you can do is bash other people and their ideas, what does that say about your own person and ideas? Why can't you be proud enough about yourself and your ideas to let them stand on their own? Surely if your ideas were so great they would speak for themselves, right?
Re:Bet there still isn't a decent "Stop!" button (on HTML V5 and XHTML V2; Score: 1)
I'm not convinced.
I'm not an idiot and I do clean up user input - both on the way into the database and on the way out.
The problem is even these libraries will have exploits. It isn't as easy to parse HTML as some people make it out to seem. There are a lot of details to nail down right (angle brackets "http://www.google.com/ to become a clickable URL automatically when they type it in. You have to sanitize that URL somehow and make sure your URL code doesn't let evil crap like " slip by and into a real quote, thus prematurely closing your final href attribute and "executing" the user's javascript inside your page.
This stuff is not as easy as some of you think. Try it. Write a secure way to automatically parse user input for URLs, handle line breaks, auto bold text, handle unicode AND generate safe, uninjectable HTML/XHTML on the way out to the browser.
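An added example, not code from the post above or from its author, of the plain-text-to-HTML rendering the post describes: escape everything first, then auto-link URLs whose scheme is on an allowlist, then convert line breaks. The regular expression, the scheme list, the trailing-punctuation rule and the function names are assumptions made for this example. The point it shows is that a quote character smuggled into a URL ends up inside the href as `&quot;` rather than closing the attribute, and that non-ASCII text is preserved rather than stripped.

```python
import html
import re
from urllib.parse import urlsplit

# Assumption for this example: only these schemes become clickable links.
SAFE_SCHEMES = {"http", "https"}

# Matches anything that looks like scheme://... up to whitespace or an angle
# bracket. Deliberately loose: safety comes from escaping and the scheme
# check, not from the regex.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>]+", re.IGNORECASE)

# Punctuation people type right after a URL that is rarely part of it.
TRAILING_PUNCT = ".,;:!?)"


def _link(url: str) -> str:
    """Return an <a> for a safe URL, or the escaped URL as plain text."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return html.escape(url, quote=True)
    # The href gets the same escaping as text: a literal " or < inside the
    # URL becomes &quot; / &lt;, so it cannot close the attribute or open a tag.
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow">{safe}</a>'


def render_comment(text: str) -> str:
    """Untrusted plain text -> HTML made only of escaped text, <br>, and
    <a href> elements with an allowlisted scheme. Non-ASCII passes through
    untouched, so the page must be served as UTF-8 with a charset declared."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group(0)
        core = url.rstrip(TRAILING_PUNCT)
        out.append(_link(core))
        out.append(html.escape(url[len(core):], quote=True))  # trailing punctuation
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    rendered = "".join(out)
    rendered = re.sub(r"\n{2,}", "<br><br>", rendered)   # paragraph break
    return rendered.replace("\n", "<br>")
```

Everything that is not a recognised URL, including any leftover angle brackets, goes through `html.escape` with `quote=True`, and the URL itself is escaped a second time when it becomes an attribute value, which is what keeps the attacker's quote inside the attribute.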
Re:Bet there still isn't a decent "Stop!" button (on HTML V5 and XHTML V2; Score: 1)
You don't understand the problem. HTML injections are from users like me posting busted HTML as a comment to Slashdot. The comment injects evil bits of javascript into the output when the page gets displayed. Using XHTML and having the browser choke and die on the output is just another security loophole as far as I'm concerned. Being able to get the end browser to choke on XHTML errors is a DoS. Imagine how much trolls would like it if they could get Firefox to not even display this page because their evil XHTML caused this page to no longer validate?
er... but yeah. I think your thoughts about strict and dynamic are interesting. The browser knows a lot of stuff that *html* doesn't know. Javascript can know it though. Maybe we need to formalize the way a page is rendered (at least at a high level) and let our semantically marked up content participate more in the layout. The rendering engine can tell our semantic bits something about itself and we can both negotiate to make sure the final page is rendered and the meaning of our content is preserved. XAML seems to follow this idea a bit, but I haven't played with it enough to really figure it all out.
I better pull out of this now before I make no sense at all. This kind of stuff is always a good exciting debate. Thanks for not being religious:-)
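Added example, not the poster's code, making the denial-of-service point concrete. The same constructed troll comment is dropped into a constructed XHTML page skeleton and fed to a strict XML parser, which is how an `application/xhtml+xml` consumer treats the document: one well-formedness error and nothing renders. A tag-soup `text/html` parser keeps going and still extracts the text, and escaping the comment before insertion fixes the strict case.

```python
import html
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed page skeleton: the comment goes where the site would put it.
PAGE = ('<html xmlns="http://www.w3.org/1999/xhtml"><body>'
        '<div class="comment">{comment}</div></body></html>')

# Constructed troll comment: an unclosed <b> and a bare & are each a
# well-formedness error in XML.
TROLL = 'look at this <b>bold & broken'


def xhtml_page(comment: str) -> str:
    return PAGE.format(comment=comment)


def parses_as_xhtml(document: str) -> bool:
    """A strict XHTML consumer rejects the whole document on the first
    well-formedness error; the reader sees nothing, not just a bad comment."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


def html_text(document: str) -> str:
    """A tag-soup text/html parser never rejects the page; it recovers and
    renders what it can. Returns the visible text it extracted."""
    class Collector(HTMLParser):
        def __init__(self):
            super().__init__()
            self.parts = []

        def handle_data(self, data):
            self.parts.append(data)

    c = Collector()
    c.feed(document)
    c.close()
    return "".join(c.parts)


def demo() -> dict:
    return {
        "raw_xhtml_ok": parses_as_xhtml(xhtml_page(TROLL)),
        "escaped_xhtml_ok": parses_as_xhtml(xhtml_page(html.escape(TROLL))),
        "raw_html_text": html_text(xhtml_page(TROLL)),
    }
```

`demo()` returns `raw_xhtml_ok` as `False` and `escaped_xhtml_ok` as `True`; the lenient parser still yields the readable text for the raw case.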
Re:The current situation is awful. (on HTML V5 and XHTML V2; Score: 2, Insightful)
"but even on the trickiest sites the grids are just a framing device for the stuff to be read" And even then, those are letters of a common alphabet delivered over light that travels inside glass. What is your point? You saying layout isn't important or something?
Layout is just as important to understanding content as the content itself. If you went into a $100 USD per dish restaurant dressed in a tuxedo with your hot chick date and the menu is all in Comic Sans, what do you think about the quality of the food you are about to be served? Those guys who march around downtown areas might have really good compelling content, but nobody reads it because it is always done in permanent marker and twenty different colors. You know, the Time Cube guy might be right, but his site design makes him look like a joke. People argue that Kerry lost the 2004 election because they did a poor job with the presentation of their logo.
The thing that upsets me about these debates is people think that the colour scheme used, the fonts used, the line spacing, the margins, the proportion between elements, or any other fundamental unit of design is just pretty window dressing around content. Those people also tell you looks don't matter and first impressions aren't important. They are wrong. Very, very wrong. Layout matters, even more on the internet than in print. We need powerful tools in our language to help us express layout. Dismissing layout as a trivial afterthought is a great way to ensure our future is nothing but Flash apps.
"The only irritating part is the ads, which occupy a fixed width, but letting them fall off the right side of the screen works fine and has the added benefit that I don't have to see them." I almost forgot. That is another challenge for me going forward when I start doing a mobile version of my platform. Google has a different ad format for mobile content (and guess what, it is actually server side and requires either PHP or ASP... and I'm all mod_perl:-). People scan your page differently on a mobile phone too, so I'll have to re-adjust my ads so you see and click on them. I still haven't figured out who will buy ads that are site targeted for mobile devices though - people aren't gonna buy $1,000 Nikons on their iPhone:-)
Am I evil? No. Advertising is an important consideration when designing a layout. You'd be amazed how big a difference it makes when you optimize your ad placement. There is, of course, a fine line between optimal ad layout and obnoxious layout:-) I try to stay on the non-obnoxious side of the line because I like my visitors to return:-)
"I notice your web page handles width and font size changes gracefully as well. Definitely not WYSIWYG." Thank you for the compliment. It was very hard to get it to look like that without tables and render in IE fucking 6 (thank god that will be gone). There are still some rough spots that don't size well, but they are low priority since they are seldom used and only exposed to people logged in.
Tables as a TABLE tag suck - I'm not arguing. I'm not sure what I am arguing about anymore besides that our tools, right now, suck. I think we limit ourselves if we think that the HTML/CSS model is the best way to do things and I think we need to be more creative. The web isn't a book, it shouldn't be pixel perfect, but good layout is essential. XAML feels very right for some reason, like Microsoft listened to both designers and programmers when it designed the language. It lets you really define how your grid should work and how things on it should move around based on changes in the rendering output. I like XAML because it lets you participate in the rendering process. For example, XAML lets you tell the rendering engine "hey, I really want 400 'pixels'" and the rendering engine can make a callback into either your XAML code or even your C#/VB.net code-behind and tell you "sorry pal, you ain't gonna get that, tell me the absolute minimum you need instead and we can work with that". In XAML, pixels are just an abstraction too... a pixel might not be a pixel depending on the DPI, but you can still force the rendering engine to snap to a real pixel to keep it from blurring across two or more pixels.
My point is, it is possible to have our presentational cake and eat our semantic icing too. HTML & CSS as it is right now just doesn't work because it favors semantics over layout.
"Two passwords, one of which is alphabetical only?" This is how PayPal does it and I agree it has... issues. But I can also see people weakening their normal password so it is easy for them to enter into their mobile. You can see my point though: there is more to targeting a mobile phone than just a stylesheet switch. I think that is a red herring that a lot of people toss out when they try to convince us to go 100% semantic. It forgets there are very real differences between the two devices that go way beyond what a simple stylesheet can address. Do you post as long comments on Slashdot from an iPhone? Is that something that can be fixed with a stylesheet only or does it require you to rethink how people interact with the entire site when they are on a mobile?
"So quit trying to lay things out yourself (ie with tables)" Maybe I want to run a business that makes money? How can I be successful if my site doesn't try to lay things out and my competition does? Should Slashdot just dump its database into a CSV file and let you render it?
"Yes, a good web site can work just fine on a mobile device with a simple change of style sheet." Okay hotshot.
Should I require the user to enter the exact same password on both a mobile phone with a numeric-only keypad and a full sized browser with a real keyboard? Keep in mind, my password is 8 characters of random line noise and it takes a good minute to key it in on my RAZR. Ever tried entering that into your tiny mobile phone? How do I fix this obviously glaring usability bug with nothing more than a stylesheet AND keep my user secure?
Extra credit: How can I present this entire thread of 150+ comments on slashdot by just changing the stylesheet? Keep in mind, it has to be just as usable as what I'm doing right now AND you cannot change the javascript or images. Stylesheet only bud.
er... openssl I meant:-) To add... I don't think much changed as far as certificate management between XP and Vista so you should be able to replicate everything on your XP systems........ I think!
You can get vista to trust certificates signed by any certificate authority you want, not just the stock ones! I tried doing something like this to get vista to trust certificates signed by ourselves in outlook (imaps) and ie (https) with good results. If I can do it with OpenSSH as a certificate authority, I'd think you can do it for code certificates too. The "fuck around factor" might be high so if you are a good writer... document how you did it for the rest of us:-)
While I hate to say RTFM, I'll have to defer you to microsoft.com. While you are hunting, pretend you are a sysadmin and trying to add a certificate authority to Windows 2003 server and you should find something you can apply to vista. You'll also have to wade through OpenSSH documentation to get that side of the world working.
Good luck!!
Re:The current situation is awful. (on HTML V5 and XHTML V2; Score: 2, Insightful)
You know why you are wrong? The idea of a purely semantically described document with all the formatting elsewhere works only for non-interactive documents that get printed, like a book. Period.
Semantic markup languages like HTML break down because the web isn't for print. Semantic markup is the holy grail in the print world because it works so well for linear documents. The web is an interactive, non-linear medium that doesn't get printed.
The web is a two-way, interactive, non-linear medium that is evolving to almost real-time interaction between the client and server. Books, which are written in semantic languages like LaTeX, don't have client-server interaction. Books don't have forms. Books don't have real-time data. Books are none of these things. Books only have headings, tables of contents, footnotes, indexes and other easy to describe things. These are all very easy things to handle in semantic markup languages. In fact, you are insane *not* to use semantic markup for a 300 page book because it makes changing the layout difficult.
You *cannot resize a book with a mouse*. You *cannot order an iPod* from a book. You *cannot post a comment shared across the globe* in a book. You *don't print the book in different sizes* (for example, you couldn't take Programming Perl and use the same content for a pocket sized book). You *don't have a programming language running inside the book*. Books don't have programmers designing significant chunks of their architecture.
The web is more than a book. The web has some things that are book-like that make sense for semantic content (all H1 should be this font) but lots that don't make sense (make the page 100% high so there are no scroll bars and inlay a second grid for scrollable content... think Gmail). You think it makes sense to have a language that is only semantic for creating web applications? How could it even begin to describe Google Maps?
Even more damning is a book, which is described semantically, HAS A FIXED OUTPUT DEVICE LIKE A PDF FILE!!! Book authors can "cheat" with their semantic markup and layout because they already know what the target output device is!! They know what inks they can use, what fonts they can use, what the margins are, what the DPI of the printer is, and what the page dimensions are! They all output pixel perfect books using a semantic markup language! We HTML authors know NONE OF THIS and yet you expect us to design our web pages with the same semantic markup abstraction as a book author!?
Can't you see the irony of recommending I use PDF when the main way to generate a PDF is with software using a semantic language!
Can't you see we can achieve the same goal of "making it easy to change the layout" in ways besides a stylesheet? Ever heard of a template language like the one used by Ruby on Rails or Template::Toolkit? Isn't it easier and cheaper to swap out "big layout" bits like columns by swapping out a template than it is a stylesheet? You think all it takes to target a mobile phone is just swapping out the stylesheet? No sir! I have a template system that changes *the entire fucking document* to suit mobile phones and their limitations! Isn't that the better way when you consider how different the two devices are?
So stop treating the web like a damn book! The web is not a book and semantic markup breaks down as an abstraction with modern development. This is very obvious to anybody who has done real web application development. Either help invent a better language to abstract what the web is or get left in the dust while you preach to a shrinking congregation.
Re:fonts are platform-specific and copyrighted (on HTML V5 and XHTML V2; Score: 1)
So good. Enjoy how my HTML degrades. Don't think you will stop me giving you fonts that really make my page look good. Don't be surprised if my page looks like crap in your font either. But at least you can read it, right?
Re:Bet there still isn't a decent "Stop!" button (on HTML V5 and XHTML V2; Score: 2, Insightful)
bah! see? slashdot's filter system just fucked me over too and I swear I previewed to see if it kept all my paragraphs.
It ain't easy as you say bro...:-)
Re:Bet there still isn't a decent "Stop!" button (on HTML V5 and XHTML V2; Score: 1)
"It's a hell of a lot simpler if you normalize to a valid subset of HTML." True.dat. But you gotta know how to normalize it down first. Not saying you are wrong, but why are there so many XSS issues if it is easy? Poor education? How do we educate good programmers to do the right thing? I mean that seriously... like is there a "here is how to let your users make their comment pretty and link to other websites and not get hosed" FAQ?
I think I see your take though... it helps if you give the user a WYSIWYG editor that spits you a known set of HTML. Anything outside that known set of HTML is evil.
But maybe I'm still wrong. I'm a pretty smart guy, I think... at least open minded or something. I mean, at least I seem to know enough to worry about XSS issues but yet I don't find it easy at all. What am I missing here? I really don't want to get my users hosed:-)
PS: I'm also a slightly special case because I extended HTML with a couple tags that are only useful to photographica users (<popup> and <slideshow>)...
PPS: Slashdot doesn't even do HTML filtering "elegantly". How can I type in those two fake tags as a comment AND quote you without escaping the brackets myself? I don't think this is as easy of a problem to solve as you think it is:-)
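Added example, not from the poster or from Slashdot, of one way to "normalize to a valid subset of HTML": an allowlist parser built on the standard library's `html.parser` that re-emits only known tags and attributes, checks the scheme of every `href`, balances whatever the user left open, and turns everything else (unknown tags, comments, declarations) into escaped text rather than trying to strip it. The allowlist itself, the `id` attribute assumed on the site-specific `<popup>` and `<slideshow>` tags, and the function names are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: tag -> attributes that survive. <popup> and <slideshow>
# are the site-specific tags from the post; that they carry an "id" is an
# assumption made for the example.
ALLOWED = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "code": set(),
    "pre": set(), "p": set(), "br": set(), "blockquote": set(),
    "a": {"href"},
    "popup": {"id"},
    "slideshow": {"id"},
}
VOID = {"br"}                 # elements that never get a closing tag
SAFE_SCHEMES = {"http", "https"}


def safe_href(value: str):
    """Return the URL if its scheme is allowlisted, else None. urlsplit drops
    embedded tabs/newlines first, so 'java\\nscript:' is still caught."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() in SAFE_SCHEMES and parts.netloc:
        return value
    return None


class Normalizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowlisted tags currently open, for balancing

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            # Unknown tag: show it literally, escaped, rather than dropping it.
            self.out.append(html.escape(self.get_starttag_text(), quote=True))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            self.out.append(html.escape(f"</{tag}>", quote=True))
        elif tag in self.open:
            # Close anything opened after it too, so the output stays nested.
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        # a stray closing tag for an allowed element is simply dropped

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    # Comments, <!DOCTYPE>, <?pi?> and CDATA have no business in a comment.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass
    def unknown_decl(self, data): pass


def normalize(fragment: str) -> str:
    n = Normalizer()
    n.feed(fragment)
    n.close()
    while n.open:                         # close whatever the user left open
        n.out.append(f"</{n.open.pop()}>")
    return "".join(n.out)
```

Because `convert_charrefs=True`, an input like `&lt;script&gt;` reaches `handle_data` as `<script>` and is escaped again on the way out, so double-encoded tricks collapse to plain text; the price of an allowlist this strict is that anything outside it, including the user's own typos, shows up literally.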
Re:The current situation is awful. (on HTML V5 and XHTML V2; Score: 2, Interesting)
"WYSIWYG is impossible if you are using templates." You gotta visualize how the chunks come together!
"If you want traditional graphic design, make a PDF." PDF is for printing, dummy:-)
I've got a better idea anyway... How about a way to take our centuries of knowledge about "traditional graphic design" and apply it to a web-based medium? Do we have to chuck out everything we know about good design just because of the silly constraints of HTML/CSS? How about we improve or replace HTML/CSS with something that incorporates all we know about "traditional graphic design", all we know about good semantic markup, all we know about good programming, all we know about accessibility and all we know about usability and create something better?
"Use a PDF, jackass" is an open invitation to fuck all ya'll and use Silverlight or Flex. Who knows... maybe Adobe and Microsoft understand us better then "the experts"?
I remember when rusty and friends rolled out Dynamic Comments on Kuro5hin/Scoop. They did it with an iframe that chucked out a bunch of onload() crap that wrote into the parent document. Pretty slick for the time.
Way ahead of its time though... most javascript was either for homework assignments or popup ads. All of it was copy/paste hackjobs that the web author found on super-mega-awesome-javascript.com or something. The result was "most people" hated javascript. You could browse 99% of the interweb with it disabled and all you'd miss were popups. Kuro5hin was one of the first reasons to actually turn on javascript because dynamic threaded comments were 100% better than the non-dynamic ones.
Now that javascript is starting to come of age and real programmers are writing cool things in it (and really javascript is kind of a cool programming language once you get past super-mega-awesome-javascript.com and the differing implementations), almost anything that is useful on the internet uses javascript in some way. In a way, javascript has crossed the chasm from early adopters like Kuro5hin to mainstream adoption and that nice beefy 80% of the market.
What I find funny is only the tech people are the laggards of this bell curve. And all 10% of them seem to hang out on slashdot pining for the days of yore. What a world we live in when the supposed alpha geeks are the laggards of a technology bell curve!!
Re:Bet there still isn't a decent "Stop!" button (on HTML V5 and XHTML V2; Score: 1)
I think it is still too easy to exploit, is the problem. I'm sure if you thought hard, you could write some evil HTML to route around it and run your javascript. You'd just have to somehow get the big_key thing in your proposal.
The only real secure way is to isolate the untrusted bits into their own block.... like how you do multipart MIME documents in email or something. You'd need a tag to reference the "external" untrusted bits and have the browser render them in a sandbox. Even in this case, you can exploit it by injecting your own stuff to trash where the boundary between the two documents is (like how you can exploit poorly implemented web forms that send email by injecting your own email headers:-).
I'm sure there are a wide range of technical reasons this would be hard to implement though. I'm already shooting holes in what I typed... even if you had the untrusted bits pulled down in a separate HTTP request there are problems like "it would be very slow":-)
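Added example, constructed for this page and not taken from the post, of the boundary-injection failure the poster compares to email header injection: a form-to-mail script that concatenates a user-supplied subject lets CRLF characters forge extra headers and end the header block early, and the fix is to refuse line breaks in any header field before the message is assembled. The tiny `parse_headers` shows what the receiving mail system sees; the attack string is constructed.

```python
import re

CRLF = "\r\n"


def parse_headers(raw: str):
    """Minimal receiver-side view: split the header block from the body at
    the first blank line and index header names (lower-cased) to values."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def build_mail_unsafe(to: str, subject: str, body: str) -> str:
    # The "before": how a naive form-to-mail script assembles the message.
    return f"To: {to}{CRLF}Subject: {subject}{CRLF}{CRLF}{body}"


def build_mail_safe(to: str, subject: str, body: str) -> str:
    # The fix: a header value may never contain the boundary characters.
    # (Python's email.message.EmailMessage raises ValueError for the same
    # reason when a header with a line break is assigned; the check is made
    # explicit here so the example does not depend on that.)
    for name, value in (("To", to), ("Subject", subject)):
        if re.search(r"[\r\n]", value):
            raise ValueError(f"{name}: header value contains a line break")
    return f"To: {to}{CRLF}Subject: {subject}{CRLF}{CRLF}{body}"


def is_rejected(to: str, subject: str, body: str = "") -> bool:
    try:
        build_mail_safe(to, subject, body)
        return False
    except ValueError:
        return True


# Constructed attack input: the subject smuggles a line break, a forged Bcc:
# header and the blank line that terminates the header block, so the
# attacker's text becomes both headers and body.
ATTACK_SUBJECT = ("hello" + CRLF + "Bcc: victims@example.com"
                  + CRLF + CRLF + "spam body")
```

The same shape applies to the sandboxed-block idea in the post: whatever separator marks "untrusted content starts here" has to be impossible for the untrusted side to reproduce, or the check belongs on the content before it is placed next to the separator.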
Sweet.. So we agree and I owe you some kind of beer. Slashdot makes everybody a flamer:-)
There is a very strong business case for good degradation too... Last I checked, Google doesn't interpret your javascript. You want good SEO, you better make sure the content flows right in lynx (which is the best way to think about how google sees the page).
Sadly, screen readers are pretty much like google too, but I really think we aren't feeding screen readers enough information for them to properly read a page. I really dont know the answer to screen readers. I've never played much with it, but in the windows world, if you were doing a winforms app you can sprinkle your form with metadata to help screen readers. But again, even the winforms solution is a bit like an alt tag.
When I took a usability class, we watched some video I wish I could find of somebody using a screen reader. Talk about intense. Imagine reading a web page, or any document for that matter, while looking through a straw that is only one word wide. That is about what it is like. Now read it with the voice cranked to "hyper fast talk mode" and that is how the blind experience the web. Very interesting and eye opening.
Whatever the future holds (silverlight/flex), we need to make sure the standard has some good, juicy metadata to help out screen readers (and google, really).
Where was I now?
Re:Bet there still isn't a decent "Stop!" button (on HTML V5 and XHTML V2; Score: 4, Insightful)
"On the contrary, it's very easy. There's plenty of tools out there to do this for you." Cow Crap!
You want easy? SQL injections are easy to handle. Just use a parameterized query so you don't have to mix tainted data with your trusted SQL.
Back in the stone age before PHP thought parameterized queries were more than enterprise fluffery, you were forced to mix your user data with your SQL. And oh were the results hilarious! It took three tries (and three fucking functions) for PHP/MySQL to get their escape code right and I'm sure you can still inject SQL with "mysql_real_escape_string()" in some new unthought of way.
There is no "parameterized query" with HTML. You are *forced* to mix hostile user data with your trusted HTML. If it was that hard to sanitize an "easy" language like SQL, how hard is it to sanitize a very expressive language like HTML?
You are telling me all those CPAN modules handle the hundreds of ways you can inject HTML into the dozens of different browsers? How many ways can you make an angle bracket and have it interpreted as a legit browser tag? How many ways can you inject something to the end of a URL to close the double quote and inject your javascript? How many ways, including Unicode, can you make a double quote? Don't forget, your implementation cannot strip out the Unicode like I've seen some filters do - I need the thing to handle every language! I would guess there are thousands of known ways to inject junk into your trusted HTML.
I promise you that even the best CPAN module is still exploitable in some way not considered by the author. And I'd be insane to roll my own, as I'm not as smart as she is.
Don't kid yourself into thinking filtering user generated content is easy. It is very, *very* hard.
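Added example, not the poster's code, making the parameterized-query point concrete with SQLite: the same payload against a spliced string, against hand-rolled quote doubling, and against a bound parameter. The table and rows are constructed for the example. The numeric-context case is the part worth noticing: quote escaping only protects the quoted-string context it was written for, while a bound parameter is never parsed as SQL in any context.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("cory", "s3cret"), ("admin", "hunter2")])
    return conn


def quote(s: str) -> str:
    """Hand-rolled string escaping, the mysql_real_escape_string() approach."""
    return "'" + s.replace("'", "''") + "'"


def login_spliced(conn, name, pw):
    # "before": tainted data and trusted SQL mixed in one string
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [r[0] for r in conn.execute(sql)]


def login_escaped(conn, name, pw):
    # The escaping route. It holds here because the value really does sit
    # inside a quoted string, which is the one context the escaper knows.
    sql = f"SELECT name FROM users WHERE name = {quote(name)} AND pw = {quote(pw)}"
    return [r[0] for r in conn.execute(sql)]


def login_param(conn, name, pw):
    # "after": the driver ships the data separately; it is never parsed as SQL
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [r[0] for r in conn.execute(sql, (name, pw))]


def profile_escaped(conn, user_id: str):
    # Same escaper, numeric context: there is no quote to break out of, so
    # doubling single quotes changes nothing and "1 OR 1=1" goes in as code.
    escaped = user_id.replace("'", "''")
    sql = f"SELECT name FROM users WHERE rowid = {escaped}"
    return [r[0] for r in conn.execute(sql)]


def profile_param(conn, user_id):
    # Bound parameter: the text "1 OR 1=1" is compared as a value and matches nothing.
    sql = "SELECT name FROM users WHERE rowid = ?"
    return [r[0] for r in conn.execute(sql, (user_id,))]


STRING_PAYLOAD = "' OR '1'='1"    # constructed, quoted-string context
NUMERIC_PAYLOAD = "1 OR 1=1"      # constructed, numeric context


def demo() -> dict:
    conn = make_db()
    return {
        "spliced": sorted(login_spliced(conn, "admin", STRING_PAYLOAD)),   # every row
        "escaped": login_escaped(conn, "admin", STRING_PAYLOAD),           # []
        "param": login_param(conn, "admin", STRING_PAYLOAD),               # []
        "numeric_escaped": sorted(profile_escaped(conn, NUMERIC_PAYLOAD)), # every row
        "numeric_param": profile_param(conn, NUMERIC_PAYLOAD),             # []
    }
```

This is the asymmetry the post is pointing at: SQL gives you a channel where data is never code, whereas HTML has only one channel, so every byte of user content has to be escaped correctly for the exact context (text node, attribute value, URL) it lands in.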
Semantic is awesome for "make the navigation column have the colour of Mt Everest on a cool summer day". Semantic is awesome for "make all the links in my header have an icon in front of them". Semantic is great for "Make my pull quotes use Comic Sans and set them in a box with a drop shadow and a reflection under them". But you still need to address basic presentation!!! I still need to make the three column grid in a straightforward way!! Where is my grid tag? Where is my "flow content between these columns"? You know how sweet it would be if done right?
I'm a tech writer by training. I know all about semantic markup and its niceness. But I'm also a usability person and I know how getting the *presentation* of the content right is just as important as the content itself. In a very real way, the presentation *is* the content just as much as the content is the presentation! Either one, poorly done, ruins the message.
You could have the world's best Linux documentation, written so well grandma can recompile her kernel, but if it is presented poorly (like as an "info" document), you might as well just write "Fuck you asshole, docs are for pussies, read the source code" because nobody will understand your docs. If it is all done as a single column and it has some grainy goat face on the top left of the page, grandma will not even bother. She'll use BitchX and ask the IRC nerds instead. If the designer didn't use a readable screen font, or left it to the browser default of Times New Roman, she will not be able to read it. She doesn't know how to change the browser font yet either--how can she without reading the documentation?
Telling us we are evil for hacking around a shitty semantic markup language is a surefire way to get ignored. Fight presentational markup like the Catholic church fights sex and you'll lose your following. Right now it is hard to give grandma a good looking website that makes an "I can trust this page" impression without resorting to hacked HTML. We need good layout so grandma trusts our Linux documentation!
Ever hear of XAML? XAML is the sound of the future if the W3C doesn't deliver...
I really should fuck with my browser string. What do you suppose the user agent string looks like for windows 3.11?
I wonder though, how many people actualy buy the machine with that?
:-)
Surely they (dell) only offers 512mb so dell can show the absolute lowest price possible on a given laptop. Dell always checks the lowest end of every box and always has "Dell Recommended" be the one with the highest margin. That is how it works
Hi, I'm Cory R. King from the Planet Earth (aka "The Real World"), year 2007,
Here in the real world, I use Vista because it is significantly more secure than XP, it looks much nicer than XP, it has many little improvements that add up to a big win, and it is much faster on the same hardware.
Sadly, your problems with Vista don't apply to those of us here on earth who use computers as tools. Quite frankly, I dont really care about Microsoft's dominance, they make a great product at a good price so I buy it, is there a problem with that? While I do not like DRM, it is not forced on me and it is not the fault of Microsoft. "Open Standards" are highly overrated and usually mean "we want free stuff from microsoft".
Do you have any specific problems with Vista that don't involve religion?
Seriously. Can we stop with the Vista bashing now? Please?
Remember what your mom told you about the bullies who picked on you? What they say about you is a reflection of how they feel about themselves. Isn't that the truth?
If all you can do is bash other people and their ideas, what does that say about your own person and ideas? Why can't you be proud enough about yourself and your ideas to let them stand on their own? Surely if your ideas were so great they would speak them self, right?
I'm not convinced.
I'm not an idiot and I do clean up user input - both on the way into the database and on the way out.
The problem is even these libraries will have exploits. It isn't as easy to parse html as some people make it out to seem. There are a lot of details to nail down right (angle brackets "http://www.google.com/ to become a clickable URL automatically when they type it in. You have to sanitize that URL somehow and make sure your URL code doesnt let evil crap like " slip by and into a real quote, thus prematurely closing your final href attribute and "executing" the user's javascript inside your page.
This stuff is not as easy as some of you think. Try it. Write a secure way to automatically parse user input for URLs, handle line breaks, auto bold text, handle unicode AND generate safe, uninjectable HTML/XHTML on the way out to the browser.
You don't understand the problem. HTML injections are from users like me posting busted HTML as a comment to slashdot. The comment injects evil bits of javascript into the output when the page gets displayed. Using XHTML and having the browser choke and die on the output is just another security loophole as far as I'm concerned. Being able to get the end browser to choke on XHTML errors is a DOS. Imagine how much trolls would like it if they could get firefox to not even display this page because their evil XHTML caused this page to no longer validate?
er... but yeah. I think your thoughts about strict and dynamic are interesting. The browser knows a lot of stuff that *html* doesn't know. Javascript can know it though. Maybe we need to formalize the way a page is rendered (at least at a high level) and let our semantically marked up content participate more in the layout. The rendering engine can tell our semantic bits something about itself and we can both negotiate to make sure the final page is rendered and the meaning of our content is preserved. XAML seems to follow this idea a bit, but I haven't played with it enough to really figure it all out.
:-)
I better pull out of this now before I make no sense at all. This kind of stuff is always a good exciting debate. Thanks for not being religious.
Layout is just as important to understanding content as the content itself. If you went into a $100USD per dish restaurant dressed in a tuxedo with your hot chick date and the menu is all in comic sans, what do you think about the quality of the food you are about to be served? Those guys who march around downtown areas might have really good compelling content, but nobody reads it because it is always done in permanent marker and twenty different colors. You know, the time cube guy might be right, but his site design makes him look like a joke. People argue that Kerry lost the 2004 election because they did a poor job with the presentation of their logo.
The thing that upsets me about these debates is people think that the colour scheme used, the fonts used, the line spacing, the margins, the proportion between elements, or any other fundamental unit of design is just pretty window dressing around content. Those people also tell you looks don't matter and first impressions aren't important. They are wrong. Very, very wrong. Layout matters, even more on the internet than in print. We need powerful tools in our language to help us express layout. Dismissing layout as a trivial afterthought is a great way to ensure our future is nothing but flash apps.
Am I evil? No. Advertising is an important consideration when designing a layout. You'd be amazed how big of a difference it makes when you optimize your ad placement. There is, of course, a fine line between optimal ad layout and obnoxious layout.
Tables as a TABLE tag suck - I'm not arguing. I'm not sure what I am arguing about anymore besides that our tools, right now, suck. I think we limit ourselves if we think that the HTML/CSS model is the best way to do things and I think we need to be more creative. The web isn't a book, it shouldn't be pixel perfect, but good layout is essential. XAML feels very right for some reason, like Microsoft listened to both designers and programmers when it designed the language. It lets you really define how your grid should work and how things on it should move around based on changes in the rendering output. I like XAML because it lets you participate in the rendering process. For example, XAML lets you tell the rendering engine "hey, I really want 400 'pixels'" and the rendering engine can make a callback into either your XAML code or even your C#/VB.net code-behind and tell you "sorry pal, you ain't gonna get that, tell me the absolute minimum you need instead and we can work with that". In XAML, pixels are just an abstraction too... a pixel might not be, depending on the DPI, but you can still force the rendering engine to snap to a real pixel to keep it from blurring across two or more pixels.
My point is, it is possible to have our presentational cake and eat our semantic icing too. HTML & CSS as it is right now just doesn't work because it favors semantics over layout.
Two passwords, one of which is alphabetical only? This is how paypal does it and I agree it has... issues. But I can also see people weakening their normal password so it is easy for them to enter into their mobile. You can see my point though, there is more to targeting a mobile phone than just a stylesheet switch. I think it is a red herring that a lot of people toss out when they try to convince us to go 100% semantic. It forgets there are very real differences in the two devices that go way beyond what a simple stylesheet can address. Do you post comments as long on slashdot from an iPhone? Is that something that can be fixed with a stylesheet only or does it require you to rethink how people interact with the entire site when they are on a mobile?
Should I require the user to enter the exact same password on both a mobile phone with a numeric only keypad and a full sized browser with a real keyboard? Keep in mind, my password is 8 characters of random line noise and it takes a good minute to key it in on my RaZR. Ever tried entering that into your tiny mobile phone? How do I fix this obviously glaring usability bug with nothing more than a stylesheet AND keep my user secure?
Extra credit: How can I present this entire thread of 150+ comments on slashdot by just changing the stylesheet? Keep in mind, it has to be just as usable as what I'm doing right now AND you cannot change the javascript or images. Stylesheet only bud.
er... OpenSSL I meant :-) To add... I don't think much changed as far as certificate management between XP and Vista so you should be able to replicate everything on your XP systems.... .... I think!
Again, good luck!
You can get vista to trust certificates signed by any certificate authority you want, not just the stock ones! I tried doing something like this to get vista to trust certificates signed by ourselves in outlook (imaps) and ie (https) with good results. If I can do it with OpenSSH as a certificate authority, I'd think you can do it for code certificates too. The "fuck around factor" might be high so if you are a good writer... document how you did it for the rest of us :-)
While I hate to say RTFM, I'll have to defer you to microsoft.com. While you are hunting, pretend you are a sysadmin and trying to add a certificate authority to Windows 2003 server and you should find something you can apply to vista. You'll also have to wade through OpenSSH documentation to get that side of the world working.
Good luck!!
You know why you are wrong? The idea of a pure semantically described document with all the formatting elsewhere works only for non-interactive documents that get printed, like a book. Period.
Semantic markup languages like HTML break down because the web isn't for print. Semantic markup is the holy grail in the print world because it works so well for linear documents. The web is an interactive, non-linear medium that doesn't get printed.
The web is a two-way, interactive, non-linear medium that is evolving to almost real-time interaction between the client and server. Books, which are written in semantic languages like LaTeX, don't have client-server interaction. Books don't have forms. Books don't have real-time data. Books are none of these things. Books only have headings, tables of contents, footnotes, indexes and other easy to describe things. These are all very easy things to handle in semantic markup languages. In fact, you are insane *not* to use semantic markup for a 300 page book because it makes changing the layout difficult.
You *cannot resize a book with a mouse*. You *cannot order an iPod* from a book. You *cannot post a comment shared across the globe* in a book. You *don't print the book in different sizes* (for example, you couldn't take Programming Perl and use the same content for a pocket sized book). You *don't have a programming language running inside the book*. Books don't have programmers designing significant chunks of their architecture.
The web is more than a book. The web has some things that are book like that make sense for semantic content (all H1 should be this font) but lots that don't make sense (make the page 100% high so there are no scroll bars and inlay a second grid for scrollable content... think gmail). You think it makes sense to have a language that is only semantic for creating web applications? How could it even begin to describe google maps?
Even more damning is a book, which is described semantically, HAS A FIXED OUTPUT DEVICE LIKE A PDF FILE!!! Book authors can "cheat" with their semantic markup and layout because they already know what the target output device is!! They know what inks they can use, what fonts they can use, what the margins are, what the DPI of the printer is, and what the page dimensions are! They all output pixel perfect books using a semantic markup language! We HTML authors know NONE OF THIS and yet you expect us to design our web pages with the same semantic markup abstraction as a book author!?
Can't you see the irony of recommending I use PDF when the main way to generate a PDF is with software using a semantic language!
Can't you see we can achieve the same goal of "making it easy to change the layout" in ways besides a stylesheet? Ever heard of a template language like the one used by Ruby on Rails or Template::Toolkit? Isn't it easier and cheaper to swap out "big layout" bits like columns by swapping out a template than it is a stylesheet? You think all it takes to target a mobile phone is just swapping out the stylesheet? No sir! I have a template system that changes *the entire fucking document* to suit mobile phones and their limitations! Isn't that the better way when you consider how different the two devices are?
So stop treating the web like a damn book! The web is not a book and semantic markup breaks down as an abstraction with modern development. This is very obvious to anybody who has done real web application development. Either help invent a better language to abstract what the web is or get left in the dust while you preach to a shrinking congregation.
So good. Enjoy how my HTML degrades. Don't think you will stop me giving you fonts that really make my page look good. Don't be surprised if my page looks like crap in your font either. But at least you can read it, right?
bah! see? slashdot's filter system just fucked me over too and I swear I previewed to see if it kept all my paragraphs.
:-)
It ain't easy as you say bro...
I've got a better idea anyway... How about a way to take our centuries of knowledge about "traditional graphic design" and apply it to a web-based medium? Do we have to chuck out everything we know about good design just because of the silly constraints of HTML/CSS? How about we improve or replace HTML/CSS with something that incorporates all we know about "traditional graphic design", all we know about good semantic markup, all we know about good programming, all we know about accessibility and all we know about usability and create something better?
"Use a PDF, jackass" is an open invitation to fuck all ya'll and use Silverlight or Flex. Who knows... maybe Adobe and Microsoft understand us better than "the experts"?
I remember when rusty and friends rolled out Dynamic Comments on Kuro5hin/Scoop. They did it with an iframe that chucked out a bunch of onload() crap that wrote into the parent document. Pretty slick for the time.
Way ahead of its time though... most javascript was either for homework assignments or popup ads. All of it was copy/paste hackjobs that the web author found on super-mega-awesome-javascript.com or something. The result was "most people" hated javascript. You could browse 99% of the interweb with it disabled and all you'd miss were popups. Kuro5hin was one of the first reasons to actually turn on javascript because dynamic threaded comments were 100% better than the non-dynamic ones.
Now that javascript is starting to come of age and real programmers are writing cool things on it (and really javascript is a kinda cool programming language once you get past super-mega-awesome-javascript.com and the differing implementations), almost anything that is useful on the internet uses javascript in some way. In a way, javascript has crossed the chasm from early adopters like kuro5hin to mainstream adoption and that nice beefy 80% of the market.
What I find funny is only the tech people are the laggards of this bell curve. And all 10% of them seem to hang out on slashdot pining for the days of yore. What a world we live in when the supposed alpha geeks are the laggards of a technology bell curve!!
I think the problem is it is still too easy to exploit. I'm sure if you thought hard, you could write some evil HTML to route around it and run your javascript. You'd just have to somehow get the big_key thing in your proposal.
:-).
:-)
The only real secure way is to isolate the untrusted bits into their own block.... like how you do multipart mime documents in email or something. You'd need a tag to reference the "external" untrusted bits and have the browser render them in a sandbox. Even in this case, you can exploit it by injecting your own stuff to trash where the boundary between the two documents are (like how you can exploit poorly implemented webforms that send email by injecting your own email headers).
I'm sure there are a wide range of technical reasons this would be hard to implement though. I'm already shooting holes in what I typed... even if you had the untrusted bits pulled down in a separate HTTP request there are problems like "it would be very slow"
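The boundary problem raised in the two comments above, as an added example that is not part of the original thread: a toy multipart container (constructed here, not a real MIME implementation) with a fixed, guessable boundary, next to the standard fix that email libraries apply, an unpredictable boundary that is checked against every part before use (Python's `email` package does this when it generates a boundary). The container format, the `role:` header and the sample untrusted text are all constructed for the illustration.

```python
import secrets

# Constructed untrusted input: a comment that carries a fake boundary line and a
# fake "role: trusted" header, hoping the consumer will treat its tail as trusted.
FIXED_BOUNDARY = "--PART--"
UNTRUSTED = "harmless text\n" + FIXED_BOUNDARY + "\nrole: trusted\n\nforged part"
TRUSTED = "site chrome"


def build_container(parts, boundary):
    """Serialize (role, body) pairs; a line holding only the boundary separates parts."""
    out = []
    for role, body in parts:
        out.append(boundary)
        out.append("role: " + role)
        out.append("")          # blank line ends the header block
        out.append(body)
    out.append(boundary + "--")  # closing boundary
    return "\n".join(out) + "\n"


def parse_container(blob, boundary):
    """Return the (role, body) pairs exactly as a line-oriented consumer sees them."""
    parts = []
    role, body, in_headers = None, [], False
    for line in blob.split("\n"):
        if line == boundary or line == boundary + "--":
            if role is not None:
                parts.append((role, "\n".join(body).rstrip("\n")))
            role, body, in_headers = None, [], True
            continue
        if in_headers:
            if line == "":
                in_headers = False
            elif line.startswith("role: "):
                role = line[len("role: "):]
            continue
        body.append(line)
    return parts


def naive_wrap(trusted, untrusted):
    """Vulnerable: the boundary is constant, so untrusted text can forge a part."""
    return build_container([("trusted", trusted), ("untrusted", untrusted)], FIXED_BOUNDARY)


def choose_boundary(bodies):
    """Pick a random boundary and retry until it occurs in none of the bodies."""
    while True:
        candidate = "--=_" + secrets.token_hex(16)
        if not any(candidate in body for body in bodies):
            return candidate


def safe_wrap(trusted, untrusted):
    """Hardened: per-message random boundary, verified absent from every part."""
    boundary = choose_boundary([trusted, untrusted])
    return build_container([("trusted", trusted), ("untrusted", untrusted)], boundary), boundary


def roles_seen(blob, boundary):
    """Roles a consumer would assign, in order; the attack succeeds if 'trusted' repeats."""
    return [role for role, _ in parse_container(blob, boundary)]


if __name__ == "__main__":
    print(roles_seen(naive_wrap(TRUSTED, UNTRUSTED), FIXED_BOUNDARY))
    blob, boundary = safe_wrap(TRUSTED, UNTRUSTED)
    print(roles_seen(blob, boundary))
```

With the fixed boundary the consumer sees three parts, the last of them labelled `trusted` although it came from the untrusted comment; with the checked random boundary it sees exactly two, and the forged boundary line stays inert inside the untrusted body. The same check is what stops the e-mail header injection the comment compares this to: a delimiter the sender cannot predict or reproduce.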
Sweet.. So we agree and I owe you some kind of beer. Slashdot makes everybody a flamer :-)
There is a very strong business case for good degradation too... Last I checked, Google doesn't interpret your javascript. You want good SEO, you better make sure the content flows right in lynx (which is the best way to think about how google sees the page).
Sadly, screen readers are pretty much like google too, but I really think we aren't feeding screen readers enough information for them to properly read a page. I really don't know the answer to screen readers. I've never played much with it, but in the windows world, if you were doing a winforms app you can sprinkle your form with metadata to help screen readers. But again, even the winforms solution is a bit like an alt tag.
When I took a usability class, we watched some video I wish I could find of somebody using a screen reader. Talk about intense. Imagine reading a web page, or any document for that matter, while looking through a straw that is only one word wide. That is about what it is like. Now read it with the voice cranked to "hyper fast talk mode" and that is how the blind experience the web. Very interesting and eye opening.
Whatever the future holds (silverlight/flex), we need to make sure the standard has some good, juicy metadata to help out screen readers (and google, really).
Where was I now?
You want easy? SQL injections are easy to handle. Just use a parameterized query so you don't have to mix tainted data with your trusted SQL.
Back in the stone age before php thought parameterized queries were more than enterprise fluffery, you were forced to mix your user data with your SQL. And oh were the results hilarious! It took three tries (and three fucking functions) for PHP/mysql to get their escape code right and I'm sure you can still inject SQL with "mysql_real_escape_string()" in some new unthought of way.
There is no "parameterized query" with HTML. You are *forced* to mix hostile user data with your trusted HTML. If it was that hard to sanitize an "easy" language like SQL, how hard is it to sanitize a very expressive language like HTML?
You are telling me all those CPAN modules handle the hundreds of ways you can inject HTML into the dozens of different browsers? How many ways can you make an angle bracket and have it interpreted as a legit browser tag? How many ways can you inject something to the end of a URL to close the double quote and inject your javascript? How many ways, including unicode, can you make a double quote? Don't forget, your implementation cannot strip out the Unicode like I've seen some filters do - I need the thing to handle every language! I would guess there are thousands of known ways to inject junk into your trusted HTML.
I promise you that even the best CPAN module is still exploitable in some way not considered by the author. And I'd be insane to roll my own, as I'm not as smart as she is.
Don't kid yourself into thinking filtering user generated content is easy. It is very, *very* hard.
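The contrast the comments above draw between SQL and HTML, as an added example that is not part of the original thread: with SQL the tainted value never has to touch the query text, so the escaping question disappears. The in-memory SQLite table, the two lookup functions and the sample input are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data, not from any real system.
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
# Constructed input that a user might type into a "search by name" box; the
# quote terminates the literal in the concatenated query and the OR widens it.
TAINTED = "x' OR '1'='1"


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: user data is spliced into the SQL text (the pre-parameter style)."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "alice"), lookup_param(db, "alice"))
    print(len(lookup_concat(db, TAINTED)), "rows from the concatenated query")
    print(len(lookup_param(db, TAINTED)), "rows from the parameterized query")
```

Both functions return the single matching row for an ordinary name. For the constructed input, the concatenated query returns every row because the quote and `OR` became part of the statement, while the parameterized query returns nothing: the database compares the whole string, quote and all, against the `name` column. There is no equivalent channel in HTML, which is exactly the asymmetry the comment above points at.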
Semantic is awesome for "make the navigation column have the colour of Mt Everest on a cool summer day". Semantic is awesome for "make all the links in my header have an icon in front of them". Semantic is great for "Make my pull quotes use comic sans and set them in a box with a drop shadow and a reflection under them". But you still need to address basic presentation!!! I still need to make the three-column grid in a straightforward way!! Where is my grid tag? Where is my "flow content between these columns"? You know how sweet it would be if done right?
I'm a tech writer by training. I know all about semantic markup and its niceness. But I'm also a usability person and I know how getting the *presentation* of the content right is just as important as the content itself. In a very real way, the presentation *is* the content just as much as the content is the presentation! Either one, poorly done, ruins the message.
You could have the world's best linux documentation, written so well grandma can recompile her kernel, but if it is presented poorly (like as in an "info" document), you might as well just write "Fuck you asshole, docs are for pussies, read the source code" because nobody will understand your docs. If it is all done as a single column and it has some grainy goat face on the top left of the page, grandma will not even bother. She'll use BitchX and ask the IRC nerds instead. If the designer didn't use a readable screen font, or left it to the browser default of times new roman, she will not be able to read it. She doesn't know how to change the browser font yet either--how can she without reading the documentation?
Telling us we are evil for hacking around a shitty semantic markup language is a surefire way to get ignored. Fight presentational markup like the catholic church fights sex and you'll lose your following. Right now it is hard to give grandma a good looking website that makes an "I can trust this page" impression without resorting to hacked HTML. We need good layout so grandma trusts our linux documentation!
Ever hear of XAML? XAML is the sound of the future if the W3C doesn't deliver...