October 2004 - Posts
I think that this is one of the fastest responses and corrections to a vulnerability I've ever seen... only yesterday a security vulnerability in the Gmail service was announced, and today Google has announced that it has fixed it.
I've no words... congratulations. This is really a great service to the community. With Google the quality is guaranteed! 
Tonight is Halloween Night... I wish you a happy night. Have fun!!
Today I was searching around the net for some tools that could help me with a really boring task... backing up all my settings in Firefox and Thunderbird for a future migration (the official Firefox 1.0 launch day is near, and one of the shortcomings of Mozilla product installations is that it's not so easy to keep your settings during upgrades).
What's the result of this search? A great tool that works exactly as I want: MozBackup, a utility for creating backups of Mozilla, Mozilla Firefox, Mozilla Thunderbird and Netscape profiles. It allows you to back up mail, favorites, contacts, etc. and works really well.
The main shortcoming I've seen in my little test is that at the moment it is impossible to back up your Firefox and Thunderbird extensions, but all the settings are saved correctly. Unfortunately, only a Windows version of the tool is available at the moment...
If you're a Firefox or Thunderbird user, this is a tool you absolutely must have!
A new Internet Explorer flaw is out... according to Netcraft, a new spoofing flaw in IE allows an improperly coded web link to send users to a different URL than the one displayed in the status bar.
If you create a URL with HTML like this:
you obtain this result:
As you can see (if you don't have XP SP2 installed), your browser displays "microsoft.com" in the status bar, but you're redirected to my personal website... an easy way to redirect users wherever you want, accessible to anyone who knows a little HTML.
The flaw affects versions of IE up to 6.0.2800.1106; users running Windows XP SP2 (IE version 6.0.2900) and the open source Firefox and Mozilla browsers are not affected.
I hope for a patch, because there are a lot of machines that don't have XP SP2 installed...
UPDATE: Firefox also has a flaw like this...
If you create a URL with this format:
you obtain this link:
If you open the link in the current tab in Firefox, it works correctly and you are redirected to Microsoft.com, but if you open the link in a new tab, you are redirected to my personal website.
I hope that the new Firefox version expected on the 9th of November will be patched.
Bad news for Gmail users... a new big security flaw has just been discovered.
This exploit can allow hackers to gain full access to a user's email account simply by knowing the user name, with no need to know the password. Simply by using a special hex-encoded XSS link, the victim's cookie file can be stolen by a hacker, who can later use it to identify himself to Gmail as the original owner of an email account, regardless of whether or not the password is subsequently changed. More details can be found here.
And now? I hope for a patch from Google soon...
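The nasty part of the flaw described above is that a stolen cookie keeps working even after the password is changed. As an added, defender-side illustration (my own sketch, not Gmail's code), this is how a session store can tie every session to the account's password generation, so that a password change invalidates every outstanding cookie, and how the cookie itself is flagged HttpOnly so that an XSS payload cannot read it with script. The class, method and cookie names are assumptions.

```python
import secrets
import time


class SessionStore:
    """Server-side session store (constructed example).

    Each session remembers the password 'generation' of its account at login
    time.  change_password() bumps the generation, so every session issued
    before the change, including a stolen one, stops validating.
    """

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}       # token -> (username, pw_generation, expiry)
        self.pw_generation = {}  # username -> int, bumped on each password change

    def login(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        gen = self.pw_generation.setdefault(username, 0)
        self.sessions[token] = (username, gen, now + self.ttl)
        return token

    def user_for(self, token, now=None):
        """Return the username for a valid token, or None (and drop the entry)."""
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, gen, expiry = entry
        if now > expiry or gen != self.pw_generation.get(username):
            del self.sessions[token]
            return None
        return username

    def change_password(self, username):
        # No need to hunt for the user's sessions: the generation check kills them.
        self.pw_generation[username] = self.pw_generation.get(username, 0) + 1


def session_cookie_header(token):
    # HttpOnly hides the cookie from document.cookie (the channel an XSS link
    # would use to steal it); Secure keeps it off cleartext connections.
    return f"Set-Cookie: SID={token}; Path=/; Secure; HttpOnly"


def demo():
    store = SessionStore()
    tok = store.login("alice")
    before = store.user_for(tok)   # "alice": the cookie is valid
    store.change_password("alice")
    after = store.user_for(tok)    # None: the same cookie is now dead
    return before, after
```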
The open source nature of Firefox makes this kind of thing possible: optimizing the browser engine for your hardware.
On MOOX you can download optimized versions of Firefox and Thunderbird, precompiled for different CPUs for maximum stability and speed (from the AMD processor family to Pentium, Pentium 2, Pentium 3, Pentium 4, Pentium M and the Xeon family).
Interesting to test... 
Just a few hours ago, Mozilla released the 1.0 RC1 version of Firefox, the Release Candidate that will be a preview of the big launch of the official 1.0 version in November (9th November is the announced date).
You can find the ChangeLog here... if you are planning to test the RC1, it's important that you submit all your feedback and bugs to the Bugzilla Forum, so they can be corrected or revisited for the official 1.0.
What is good is that it seems that all the extensions you used on the previous 1.0PR will continue to work, as reported on forums. Just open /%appdata%/Mozilla/Firefox/Profiles/randomname/extensions/Extensions.rdf and change all instances of maxVersion="0.10" to maxVersion="1.0"... everything will be ok!
If you're a DotNetNuke user, you certainly know that the 1st of November is an important date: the new version 3 that we've been waiting for will be out!
I've seen some tests of Beta versions and what I can say is that it will be a big improvement in features and design. The working environment is wonderful and clearer, and the new Draggable Modules feature is one of the best things I've ever seen on a website.
So, if you're using previous versions of DNN, I think that a migration is necessary...
I have a website based on the DNN 2.1.2 platform and I absolutely want to migrate to the new version, but at this point some questions are worrying me:
- I know that some custom modules will not work correctly with the new version, especially because of the new user and security management, but will a module that doesn't interact with the portal security or users continue to work correctly?
- My possible biggest personal problem... will a DNN 2.1.2 skin continue to work correctly on the new version 3? I hope so...
I hope for an easy migration, and I also hope for performance improvements, especially in DNN startup and initialization.
Blog spamming is growing... it's the 3rd day that I've had to delete spam from my feedback.

We've discussed the spam problem on blogs a lot, and I think that the solution widely adopted now (disabling the feedback feature) is not the right way to go... Blogs must absolutely be open for comments, but spam must be avoided.
One idea to fight spam in blog comments could be the adoption of a CAPTCHA image... something like this:

You can write a comment on a blog post only by typing the text in the image correctly...
This will not stop all possible spamming, but this way you're sure that someone "live" is in front of the monitor (spamming robots are dead).
A little idea for the CommunityServer::Blogs (.Text) staff has been launched...
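As an added illustration of the CAPTCHA idea above (my own sketch, not CommunityServer's code): drawing the text into an image is left to whatever imaging library the blog engine has, and the part that matters for stopping comment robots is the challenge handling. The server keeps no per-challenge state; the hidden form field carries an expiry, a nonce and an HMAC over the expected answer under a server key, so a robot cannot forge or brute-force a pass, and a small set of spent tokens stops a solved challenge from being replayed. The function names, the 5-minute lifetime and the 6-character alphabet are assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time

SERVER_KEY = secrets.token_bytes(32)   # per-server secret, generated at startup (constructed)
ALPHABET = string.ascii_uppercase + string.digits
TTL = 300                              # seconds a challenge stays answerable
_used_tokens = set()                   # spent tokens; bound or expire this in production


def _mac(expiry, nonce, text):
    # Binds expiry, nonce and the (case-folded) answer to the server key, so the
    # token reveals nothing about the answer without the key.
    msg = f"{expiry}.{nonce}.{text.upper()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(now=None, length=6):
    """Return (challenge_text, token).

    challenge_text is what gets rendered into the CAPTCHA image; token goes
    into a hidden field of the comment form.
    """
    now = int(time.time() if now is None else now)
    text = "".join(secrets.choice(ALPHABET) for _ in range(length))
    expiry, nonce = now + TTL, secrets.token_hex(8)
    return text, f"{expiry}.{nonce}.{_mac(expiry, nonce, text)}"


def verify(token, answer, now=None):
    """True only for a well-formed, unexpired, unspent token whose MAC matches the answer."""
    now = int(time.time() if now is None else now)
    try:
        expiry_s, nonce, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False                       # malformed or tampered token
    if now > expiry or token in _used_tokens:
        return False                       # stale, or already used once
    if not hmac.compare_digest(mac, _mac(expiry, nonce, answer)):
        return False                       # wrong answer (constant-time compare)
    _used_tokens.add(token)                # a solved challenge buys exactly one comment
    return True
```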
A vulnerability has been reported in Gaim, the popular multi-protocol Instant Messaging client, which potentially can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused by a boundary error within the handling of MSN SLP messages. This can be exploited to cause a buffer overflow by supplying a specially crafted sequence of MSN SLP messages. Successful exploitation may potentially allow execution of arbitrary code.
Two other bugs have also been reported, which can be exploited to crash the application when accepting file transfers and processing a malformed MSN SLP message.
Solution? Update to version 1.02 soon: http://gaim.sourceforge.net/downloads.php
I've only seen this morning that a thread has appeared on MozillaNews that talks about a possible target for GBrowser, the domain bought by Google for a possible (??) browser project: a Google branded and customized version of Mozilla Firefox! :)
I don't know who the author of the article is, but I don't think that these are Google's plans. The idea is fascinating but not a key to success for a company like Google. If they really want to open the door to the browser world, they must start thinking of a revolutionary way to surf the web, not just a customized Firefox version with lots of Google toys...
A Firefox based Google Browser with GMail, GoogleGroups, Blogger, GoogleIM, Google Search for the web and for the desktop is (in my opinion) not the real target; the real point of arrival could be a complete platform that integrates many popular web and desktop features, a new way to manage your PC and your net surfing. Do you remember that a month ago I talked about ideas for a Network PC?
I can see a lot of rumours against the latest Google Desktop Search Beta service (I repeat, BETA service) launched last week by Google... exactly like the Gmail service, what is under fire is user privacy.
As I pointed out last week, Google Desktop Search in this Beta stage must not be used on a shared PC, because it caches lots of user data that can be retrieved by other people who have access to the machine.
So, if you plan to have a machine shared between lots of users, Google Desktop Search is not recommended right now... but what surprises me are all these rumours about privacy.
Google Desktop Search is not spyware; it has the ability to retrieve data that is on the target PC, naturally... Google's desktop only caches what's already on the machine's hard drive, don't forget this! Google Desktop Search doesn't do anything that an end user wouldn't be able to do with a little cache snooping and looking in temporary files on the machine. Second, Google provides this tool for personal use at the moment, so installing it on a shared machine is really a stupid action. Third, this is only a Beta version released for testing, so it can be improved and must be improved.
Yes, maybe Google could alert users about these "side effects" of Google Desktop Search on a shared PC, but I think that all these facts are not a scandal, as someone has been trying to say...
Today Secunia has published a new collection of vulnerabilities that affect all the available browsers, from Internet Explorer on XP SP1/SP2 (two vulnerabilities discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2) to Opera, Mozilla / Mozilla Firefox / Camino, Safari, Netscape, Konqueror, Avant Browser and Maxthon, which all suffer from some new spoofing vulnerabilities. Live demonstrations of the flaws are also available, just check here and here.
Great day... 
SQL Server Express Edition CTP was released last week; this week it's time for the new Community Technical Preview releases of the Visual Studio Express family.
These downloads contain a more recent version of the products than the Beta, however (Microsoft's recommendation) "CTP builds do not go through the same rigorous testing that Beta builds undergo. Therefore, do not install these builds on machines you depend on".
Last minute news... Microsoft has decided that multicore chips will be considered a single unit, so the licensing policy will not be modified.
Good choice, I was terribly worried about this MS decision, especially after the decisions taken by companies like Oracle and IBM (dual-core, two licenses... bleah!!).
When I saw the CherryOS announcement some weeks ago, a Mac emulator capable of running Mac OS X on a Windows PC at 80% of the CPU speed, my first thought was that it could be a fake...
This morning I saw this article on Wired News that said exactly what I had thought: CherryOS is likely PearPC wrapped in a different package. They are using plenty of PearPC code, and have done a poor job hiding it...
To demonstrate this, Sebastian Biallas, PearPC's lead developer, said a screenshot of CherryOS shows a variable named "SPIRO MULTIMAX 3000", a nonsensical term Biallas claims to have invented for use in PearPC. Amazing...

Congratulations to all the CherryOS Team... great idea, maybe now you can open a bar and launch your new cocktail!
I've just read the latest Windows XP SP1 vs SP2 performance comparison published today by Short-Media.
It's an interesting comparison focused on performance in various fields, and the official results are that "Windows XP Professional with only Service Pack 1 installed is faster 2/3 of the time... The test PC equipped with Windows XP Professional Service Pack 1 was an average of 0.5% faster than the same hardware with Service Pack 2 installed. The percentage difference between faster and slower is insignificantly small".
Personally, I can't observe these results in my reality...
I've installed XP SP2 on 3 different machines (on my desktop P4 3GHz with 1GB RAM, on my laptop P4 2.6GHz with 512MB RAM and on an Athlon XP at work) and all the machines have a terrible slowdown in performance (plus other problems in some cases). Windows XP SP1 has (for me) better performance than XP SP2, and my personal machines are (at the moment) not upgraded to the latest Service Pack.
The news of the day is published in this post on the IETF's MAIL-SIG list: Google has begun to sign outgoing email from Gmail with Yahoo's DomainKeys signatures.
DomainKeys is a technology for verifying both the domain of each email sender and the integrity of the messages sent; all the details can be found on Yahoo's site. What is relevant here is that Google is the first big company to start adopting this standard, and I think it could be a big sign for the future.
Google now has a big impact on the IT world so... what could this be? A new de facto standard? And what will be the future of the announced Microsoft Caller ID?
The Google Desktop Search tool is really great, works well and indexes all your files, contacts and emails on your PC perfectly, with a quick retrieval engine.
There's only one problem that I've personally experienced on a machine at work... if used on a shared PC (used by many people, with different accounts), Google Desktop Search retrieves files and emails bypassing the account settings. What is the result? You can read all the files and (especially) the emails of the other users of the machine. Not too good, I think!
Google Desktop Search is not intended to be used on a shared PC, so be careful...
A little piece of advice for Google... for the next Beta version, maybe you could start thinking about integrating Google Desktop Search with the OS user accounts (authentication to start using the tool).
Microsoft SQL Server 2005 Express Edition Community Technology Preview (CTP) is out for trying...
For the few people who don't know what it is, it is a free, easy-to-use, lightweight version of Microsoft SQL Server 2005 (born to replace the old MSDE 2000). I don't normally like to try CTPs, but this is one of the products I was waiting for...