Re:The coders are getting a bit punch though. on Mozilla RC3 Released · Score: 1
Where should one go to keep track of what features and what bugs are in a particular build?
"...I always get, "A script wants to read your password." I know it's for protective reasons, it's just annoying..."
This attitude is just why klez.*, the Outlook exploit of the hour, the IIS compromise of the day, is always so effective.
IMO, his attitude is closer to one that might actually promote security. Outlook viruses work because Microsoft overestimates the effectiveness of warning dialogs. "Opening an attachment may be dangerous" does not work, especially when opening a .txt file gives the same warning. Neither does "A script is trying to read your address book" or "A script is trying to read your password", because by definition the script already has control over your computer or the web page. Getting rid of unnecessary security dialogs can help security by reducing dialog fatigue and by eliminating the chance that 10% of users clicking "yes" is enough for an attacker.
Maybe we can figure out exactly why the RIAA doesn't like file swapping. Note: I use "downloaded music" to mean music downloaded through a file-swapping system such as AudioGalaxy, not music downloaded from mp3.com.
What percent of music downloaded was from non-RIAA labels? Do music downloaders purchase more from non-RIAA labels than non-downloaders?
What percent of music downloaded did the downloader later purchase? How did purchases from non-RIAA labels compare to purchases from RIAA labels?
What percent of music downloaded was deleted?
What percent of music downloaded was played more than twice?
What percent of music downloaded did the downloader already own in a different format (e.g., on a CD)?
What percent of music downloaded was from artists who said it was ok to download their music through file-swapping systems?
What percent of artists downloaded did the downloader later purchase CDs from, regardless of whether the same song is on the CD?
What percent of music downloaded had the downloader heard on the radio? Heard in a movie? Read about on the web? Heard about from a RL friend?
Do music downloaders purchase more music as gifts than non-downloaders? Do they purchase less for themselves?
I think it's best to start by sending the site an e-mail. If that doesn't work, file a Tech Evang bug and say that you already tried e-mailing the owner of the site. The Tech Evang team doesn't have time to help fix every broken site on the Web, so the more you can get fixed by yourself, the better.
Where should one go to keep track of what features and what bugs are in a particular build?
Mozillazine build bar talkback, Mozillanews build votes, or cc yourself on specific bugs in Bugzilla to find out when they're fixed.
Also, where is this "wild-west" repository? I don't see anything like that in http://ftp.mozilla.org/pub/mozilla/
nightly/latest-trunk
In Mozilla, you can close a tab by middle-clicking on it.
Right-click on taskbar, properties, uncheck "Group similar taskbar buttons".
The last thing I want my server to do is to "figure out for itself" that it needs to download some worm and then automatically go do it.
Rather, let me decide and then it's my fault if I download a worm.
You know what I hate? Dialogs that are designed to shift blame to the user if the program makes a bad decision. "This code is signed and looks safe. Are you sure you want to run it?" (Use a sandbox!) "It was my fault I lost my mail because I clicked 'yes' when it said my Inbox was corrupted and wanted to know whether it should rebuild the indexes." (Don't ask the user confusing technical questions!)
Having the user verify each security patch does little to protect against patchworms, and it prevents patches from being distributed while the admin is sleeping. I would not be happy if a Code Red-like worm broke into my computer while the patch system waited for my permission to install a critical security patch.
Including a verification dialog would make it seem to me that the system was designed insecurely -- insecurely enough that the author decided he needed to be able to blame me for clicking "Yes" when the crypto-based verification breaks.
Last night's uberpatch did not ask me to reboot. Maybe Windows 98 noticed that I use Mozilla for browsing and decided it wasn't worth the reboot.
I was just re-reading Lysis and came across the word "eristic". I didn't know that was a real word! And the paper I'm writing about Lysis mentions IRC. Spooky.
we'll soon see a video of Dan Rather singing Rocked by Rape?
I was about to complain that your card game didn't fit in my Mozilla window (maximized at 800x600), but then I tried doing a text zoom, and it worked! Thanks for using em units.
Opera 6.02 for Windows is missing support for bookmarklets. If you use bookmarklets, skip this release and go back to 6.0 or 6.01.
This is sad because while Opera never supported advanced DOM2 bookmarklets, it supported simpler bookmarklets better than other browsers. For example, clicking a bookmarklet in Opera would not cause the page to stop loading, and changes made by bookmarklets would not be lost after hitting the Back button like they are in other browsers.
Rant: first IE 6 doesn't support bookmarklets longer than 508 characters, and now Opera 6.02 doesn't support them at all. Recent versions of Mozilla have a bug where windows created by bookmarklets end up behind the current window (108394) and a bug that prevents the linked-images bookmarklet from working on porn sites (123293). I'm frustrated. Regressions suck.
Opera does not have pop-up blocking. Opera has an option to disable the window.open function, which breaks legitimate sites almost as often as it blocks pop-up ads. You can re-enable window.open temporarily by pressing F12, but you have to know that the site is broken because Opera thinks it's trying to open a pop-up ad before you can use the workaround.
Mozilla's pop-up blocking isn't perfect, but it's pretty close to Just Working.
Since you wrote your code to work with NS6, it's not surprising that it works with Mozilla. NS6 is just Mozilla with Netscape branding, a spell checker, and an AIM client.
Don't forget the overpriced soft drinks.
Everyone supports privacy.
Or do they?
Reading through the privacy policy of every site I visit is not worth my time. Paying the extra taxes in order to enforce a law requiring opt-in would require much less of my time and might be worth it.
That said, I don't really care whether companies share information, as long as there are reasonable restrictions on how they advertise. Ads at the bottom of newsletters are ok, but spam is not. Banner and text ads are fine, and I can just leave your site if I find your interstitials annoying, but pop-up ads should not be legal. Bulk snail-mail is ok, but print it on recycled paper. Don't use the word "free" inappropriately -- "Get 12 CDs for the price of 1" is ok, but "Get 11 CDs free*!" is not.
By the way, the kind of targeted advertising you mention doesn't require companies to share information about specific customers. AOL can target the ads itself without giving your personal information to WWE.
Regarding spyware, I don't see that as a privacy issue, but rather a breaking-and-entering issue. It's illegal, and it would be nice if the government enforced its existing laws, but I don't think it needs to be part of the debate over whether companies should be able to share personal information.
And no, I don't want to use the quick launch. I like to conserve my memory.
Conserve memory? Mozilla gets paged out if other apps need the RAM even in quick launch mode, just like Internet Explorer.
Propaganda Posters!
I read about a fifth of the licenses and TOS agreements I agree to, but I never read the uppercase parts because I assume they're always the same and because they're twice as hard to read. If I really wanted to read that part of a license, I'd fire up the "test styles" bookmarklet and type in
* { text-transform: lowercase }
to make the entire page lowercase.
why can't I find and download my favorite Got Milk ads for free?
But only a malicious app would put a file onto disk, and then attempt to trick you into clicking on a link to access it.
The problem isn't malicious helper apps. It's malicious web pages and helper apps that aren't familiar with the idea "cache your stuff in a random place because some web browsers let web pages link to local files and then automatically grant local files the ability to read other local files". The web page gets the helper app to put the file in a known location, and then the web page links to that location.
And I have no problem with blocking links with javascript attached to them. But plain-old, non-javascript links have no security issues, and should be allowed.
What do you mean by "plain-old, non-javascript links"? The link could be an ordinary a-href and the javascript could be elsewhere on the page.
If you have a "helper app" that's planting malicious files on your hard drive, then file: hyperlinks are the least of your problems.
Any web browser has to put files in its cache, and many helper apps do the same thing.
Gateway's sundown ad is great. Where can I find the Whip It ad that the articles keep mentioning?
The DoS attack: I guess I was wrong there.
Checking whether a file exists: you get the user to click on the link, and then you use javascript to see what happens after that. (This isn't the end of the world, and it requires enough user interaction that a page wouldn't be able to run a systematic search.)
The helper app problem: you get the helper app to plant a file in a known location, and then you link to the planted file. The browser opens the file, and since it's on your hard drive, it has somewhat elevated privs. IIRC, it can read any text or html or xml file on your hd. (I think the real problem here is that local files have too many extra privs, since a user might save a page intentionally. It might be possible to change that, at least in the browser.)
So maybe you're right.
Google Answers has reasonably good tech support for popular programs. It's even possible to get an answer without losing $4, since other users who are unsure that their solution will work may add a comment rather than claiming to have the answer. In that case, you're only out the 50-cent listing fee.
Another advantage of Google Answers is that you get to vent your frustration publicly instead of to a poor tech support worker.