It’s Official
I’ve finally written something officially for Macworld. It’s a fairly proud moment in my life. It’s almost like seeing my name in lights.
I’m making Tag Central prettier. I can do all the colors and styling I want just fine. I think it’ll look super when it’s done (but then again, I’m not an artist and that will probably be painfully apparent). Anyway, I want the Flickr pictures to line the right side of the page. Then I want all the other sections to be contained within their own boxes, two per row.
Old school webmonkeys would immediately think of using a table based layout. It seems natural and it would be very easy. The problem is, this is an abuse of HTML tables (and heresy when making an XHTML page). Only actual tabular data is supposed to go into tables. All presentation must be managed using CSS. There are many, many good reasons for this, not the least of which is that it makes the site more accessible. Besides, I’m new school.
I can almost hear Dana’s voice in my head. Then what’s the problem, Smartypants? The problem is that while CSS provides everything I need to achieve this layout, the CSS involved isn’t supported by Firefox. To be fair, it’s not supported by Internet Explorer, Camino (not surprising), Netscape, or iCab (which goes without saying). The real question is, what does support it? Opera and Safari both do. Unfortunately, much of my target audience isn’t using these browsers and when it’s not supported, the site looks like ass with a big white ass crack going down the middle.
The CSS I want to use is “display: inline-block;”. Basically, it forces all the sections of Tag Central to form a box like they would normally, with block elements that don’t break out. For those uninitiated, block elements are parts of the page that force a line break. Paragraphs and headers are good examples. Normally, the container I’m using for these various areas, DIV, is a block element. However, in this case, I want these elements to display in rows without forcing a line break unless they overstep the margin of the area that they are in. In this case, I make the width of each of these areas 49%. That means only two results areas per line. If there are any more, it’ll wrap onto the next line. This is exactly the behavior I want. It works perfectly in Safari and Opera. Firefox hasn’t implemented this even though it’s part of the CSS 2.1 spec. That makes me want to scream. What’s worse is that I read that earlier versions of Mozilla actually supported it. Bastards.
There isn’t much I can do about this other than hope that they get off their asses and correct this. I can live with incorrect display in Internet Explorer because I’m a snob like that. The other way to avoid this whole issue would be to find a way to integrate Smugmug content. In that case, I could go to a three column format (Flickr pictures on the left, Smugmug on the right, and everything else down the middle). At any rate, it sucks.
Update: For anyone interested, there is a Bugzilla bug registered for this. The bad news is that from the comments, it looks like this won’t be fixed for Firefox 1.1. The target milestone is 1.9b, but what version of Firefox that version of the core relates to is beyond me. It’s fairly disappointing to see so much work going into revamping how the preferences look when this is a bug that limits functionality at the browser’s very core.
Apple has released yet another security update. Fire up Software Update.
Here’s what’s updated, followed by my explanation:
AFP Server
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0340
Impact: A specially crafted packet can cause a Denial of Service against the AFP Server.
Description: A specially crafted packet will terminate the operation of the AFP Server due to an incorrect memory reference.
Basically, if you use Apple File Sharing, someone can knock down the program serving the files. This is more of a pain in the ass than a security risk.
AFP Server
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0715
Impact: The contents of a Drop Box can be discovered.
Description: Fixes the checking of file permissions for access to Drop Boxes. Credit to John M. Glenn of San Francisco for reporting this issue.
This is slightly worse. Basically, a Drop Box is supposed to be a place where people give you files, but no one but you can see in. This problem let people see what was inside (which could be incriminating).
Bluetooth Setup Assistant
Available for: Mac OS X 10.3.8, Mac OS X Server 10.3.8
CVE-ID: CAN-2005-0713
Impact: Local security bypass when using a Bluetooth input device.
Description: The Bluetooth Setup Assistant may be launched on systems without a keyboard or a preconfigured Bluetooth input device. In these cases, access to certain privileged functions has been disabled within the Bluetooth Setup Assistant.
This limits the amount of influence an entirely new Bluetooth device has. Otherwise it might do something malicious. I can’t say much more. This writeup is really vague.
Core Foundation
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0716
Impact: Buffer overflow via an environment variable.
Description: The incorrect handling of an environment variable within Core Foundation can result in a buffer overflow that may be used to execute arbitrary code. This issue has been addressed by correctly handling the environment variable. Credit to iDEFENSE and Adriano Lima of SeedSecurity.com for reporting this issue.
This is bad. Unix has data one can set called environment variables. They’re very commonly used by programmers. Basically, formatting the data inserted into one of these slots in a certain way will allow any program to run without restriction. That means a trojan could do anything.
Cyrus IMAP
Available for: Mac OS X Server v10.3.8
CVE-ID: CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015, CAN-2004-1067
Impact: Multiple vulnerabilities in Cyrus IMAP, including remotely exploitable denial of service and buffer overflows.
Description: Cyrus IMAP is updated to version 2.2.12, which includes fixes for buffer overflows in fetchnews, backend, proxyd, and imapd. Further information is available from http://asg.web.cmu.edu/cyrus/download/imapd/changes.html.
This is for server only. Like the first entry, vulnerabilities could knock down the mail server program as well as grant a program full access.
Cyrus SASL
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2002-1347, CAN-2004-0884
Impact: Multiple vulnerabilities in Cyrus SASL, including remote denial of service and possible remote code execution in applications that use this library.
Description: Cyrus SASL is updated to address several security holes caused by improper data validation, memory allocation, and data handling.
This has the same effect as the last one.
Folder permissions
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0712
Impact: World-writable permissions on several directories, allowing potential file race conditions or local privilege escalation.
Description: Secure folder permissions are applied to protect the installer’s receipt cache and system-level ColorSync profiles. Credit to Eric Hall of DarkArt Consulting Services, Michael Haller (info@cilly.com), and (root at addcom.de) for reporting this issue.
Certain parts of the filesystem were left with permissions that allowed arbitrary data to be written to them (which means a malicious program could be written out or tons of data that would be hard to track down).
Mailman
Available for: Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0202
Impact: Directory traversal issue in Mailman that could allow access to arbitrary files.
Description: Mailman is a software package that provides mailing list management. This update addresses an exposure in Mailman’s private archive handling that allowed remote access to arbitrary files on the system. Further information is available from http://www.gnu.org/software/mailman/security.html.
Server only again. This allowed remote people to access arbitrary parts of the system, reading your private data or writing in malicious programs.
Safari
Available for: Mac OS X v10.3.8, Mac OS X Server v10.3.8
CVE-ID: CAN-2005-0234
Impact: Maliciously registered International Domain Names (IDN) can make URLs visually appear as legitimate sites.
Description: Support for Unicode characters within domain names (International Domain Name support) can allow maliciously registered domain names to visually appear as legitimate sites. Safari has been modified so that it consults a user-customizable list of scripts that are allowed to be displayed natively. Characters based on scripts that are not in the allowed list are displayed in their Punycode equivalent. The default list of allowed scripts does not include Roman look-alike scripts. Credit to Eric Johanson (ericj@shmoo.com) for reporting this issue to us. More information is available here.
This is by far the most visible fix for most users. Check out the full writeup including an example. Basically, using special character combinations, one can make a domain name look identical to another, such as Paypal, or Amazon. This is incredibly bad because phishers could collect your usernames, passwords, and credit card numbers by fooling you into trusting the site. Now these special domain names look different. The fake “paypal.com” suddenly becomes “xn--pypal-4ve.com”. Whoa. Safari users need this update.
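The display rule from the Safari entry above, sketched as an added example (this is not Apple's code and not part of the original post): a hostname is shown natively only if every character belongs to an allowed script, otherwise its Punycode form is shown. The `ALLOWED_SCRIPTS` list, the function names, and the choice to apply the decision to the whole hostname are assumptions made for illustration.

```javascript
// Added example: script allow-list display policy for IDN hostnames.
// ALLOWED_SCRIPTS is a constructed list, not Safari's shipped default.
// Like the default the advisory describes, it leaves out Roman look-alike
// scripts such as Cyrillic and Greek.
const ALLOWED_SCRIPTS = ['Latin', 'Common', 'Han', 'Hiragana', 'Katakana'];

// Constructed sample: "paypal.com" with U+0430 (Cyrillic a) as the second letter.
const SPOOF = 'p\u0430ypal.com';

// Build a regex that matches exactly one character from the allowed scripts.
function allowedCharPattern(scripts) {
  const classes = scripts.map((s) => `\\p{Script=${s}}`).join('');
  return new RegExp(`^[${classes}]$`, 'u');
}

// List the characters in `host` that fall outside the allowed scripts,
// with their code points, so visually identical letters can be told apart.
function disallowedChars(host, scripts = ALLOWED_SCRIPTS) {
  const ok = allowedCharPattern(scripts);
  return [...host.normalize('NFC')]
    .filter((ch) => !ok.test(ch))
    .map((ch) => ({
      char: ch,
      codePoint: 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
    }));
}

// ASCII (Punycode) form of a hostname via the standard URL parser,
// which is a global in both browsers and Node.
function toAscii(host) {
  return new URL(`http://${host}/`).hostname;
}

// What the address bar should show under the allow-list policy.
function displayHost(host, scripts = ALLOWED_SCRIPTS) {
  return disallowedChars(host, scripts).length === 0 ? host : toAscii(host);
}

console.log(displayHost('paypal.com'));
console.log(displayHost(SPOOF), disallowedChars(SPOOF));
// A user who adds Cyrillic to the list sees the look-alike natively again.
console.log(displayHost(SPOOF, [...ALLOWED_SCRIPTS, 'Cyrillic']));
```
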
How does one know when to upgrade one’s computer? The answer is apparently very simple according to an upgrade forum post.
if u up grade ur comp do it when ur redy.
:?
:?
:?
:-D
No, I didn’t add those smilies after the fact.
I’ve started work on the Tag Central project I talked about previously. It currently uses the various RSS feeds that the supported sites spit out. Unfortunately, this also means no Technorati tags. Unless I’m totally out of my mind, they don’t supply easily accessed RSS feeds.
Right now, I’m not using a database, but instead just using the standard file based caching built into MagpieRSS which is processing all the feeds for me. Space may become an issue if this site becomes popular. I’d hate to not cache, but as I’m not getting paid for this yet, I can’t afford to use gigantic amounts of space.
With all that info out of the way, go check it out. Let me know what you think. I’d love to hear any feedback. That includes how you think it should be laid out and look.