Archive for the ‘Security’ Category

IE 8.0 – First Impressions and Rendering

Unfortunately, I’m at home nursing the flu rather than living it up in Vegas at MIX08 so I’ve had to experience the fun vicariously through the thousands of blog posts, twitters, and videos of nearly every second of the event.

A big kick off revolved around the first Beta release of Internet Explorer 8.  Being adventurous and, well, not having anything else to do, I downloaded the x64 Vista version and have been hitting various web sites that I frequent to see how things look.

The IE Interface

Overall, IE 8 currently looks a LOT like IE7.  In fact, it takes a bit of hunting to find any differences whatsoever.

The new “Favorites Bar” (or was that old) seems to be built to hold the new WebSlices, which I haven’t quite grasped yet (I don’t use eBay, sorry).

The Phishing Filter has been renamed the “Safety Filter”, which was immediately turned off.  I’m assuming Phishing was too difficult to explain (which is OK).  The concept is cool, I’m just not sure I want Microsoft being the “safe site” police.

Beyond that, I haven’t seen any other “changes”.  Let’s hope the real excitement is in the rendering.

Rendering

The big selling point of IE8 is its successful passing of Acid2, a standards-based rendering test.  Sadly, this comes just in time for Acid3, which it not only doesn’t pass (nothing passes right now), but on which it does worse than most other “current” browsers, scoring only 17/100.

So, what about real sites?

Here are a few of the more common sites I visit and the results:

iGoogle – Renders OK, albeit VERY slowly.  Accuweather.com and del.icio.us web parts require mousing over the empty boxes to display their contents.  There is also a bunch of odd spacing at the top of the Gmail web part.

Gmail – Renders OK, very fast.  I couldn’t find any issue with Gmail at all.

Microsoft Exchange 2003 OWA – Works great, very fast.

Microsoft SharePoint 2003 (SPS) – Works very well.  Renders extremely fast from page to page.  Mouse overs, context menus, etc. seem to work even better than in IE7.  Hah.

Microsoft SharePoint 2007 (MOSS) – Works.  Still requires “accepting” the “Name ActiveX Control”, which is REALLY annoying, but the site renders just fine.  Also renders a bit slow, but that’s just MOSS2007. 😦

Weather.com – Works. A few positioning snafus, but everything is functional.  See image below.

Linkshell Forums (built on vBulletin 3.6.8) – Works great.  The PHP-based forums work like a champ for my FFXI linkshell.  Thankfully!

Virtual Server 2005 R2’s Control Panel – Does not work.  Unfortunately, none of the menus work.  You cannot create/update/add anything or view the status of a running VM.  I can bounce back to IE7 emulation mode and it works OK.

MSDN Subscriber Downloads – Sorta works.  I’m assuming the new version of this site will resolve these issues.  So far, the site “works”, but renders a bit funny when you move the frame bars around.

IE8 - FFXIAH

FFXI Auction House – Does not work.  The side navigation bar is covered up and inaccessible.  Without that, it’s almost impossible to browse through the site (searching for EVERYTHING gets a bit tedious). See image to the right.

Twitter.com – Sorta sometimes works.  The functionality of the site is there, but the background and themes to the site are a bit haywire.  And updates aren’t being processed without a logout/login.  Ehh, odd.

WordPress – Does not work.  For some reason, the wp-admin console simply blanks the page out.  There’s a brief flash of it rendering, and then poof, just white.  I can View Source and see the code, refresh and see the flash, but haven’t been able to fix this one without dropping back to IE7 mode.

My Blog (Freshy Theme) – Sorta works. Well, this blog doesn’t render right either.  The Search bar at the top right of the screen is covered up and missing the [Search] button.  The right-hand bar no longer trails to the end of the page, but stops at the end of the content (assuming the height:100% failure), and the main body footer is now the footer of the right-hand bar.  There are a few other z-index issues here and there, but those can be fixed (I’m assuming).

My Photo Site – Does not work.  Hmm, sucks.  Unfortunately, the menus don’t work.  Well, let me reword that: they work, but if you try to move from the Parent Menu to a Child Menu item, the menu disappears.  I’m assuming it’s a spacing issue for the mouse overs, but I’m not sure.  Ugh.

Random sites – On most sites that I authenticated to, the masked-out characters of the password field showed up as an invalid character.  See below.

Things I Wish It Had

NoScript.  I really like Firefox’s NoScript plug-in—especially with all the shakeup and paranoia regarding compromised accounts in FFXI.  I wish IE had something similar built directly into the browser.

Built-in support for social bookmarking.  Does anyone use Favorites or Bookmarks anymore?  I totally rely on del.icio.us and would LOVE to see better support for that in IE8.  I don’t want an annoying button that was put out by Yahoo, I want to open an Explorer Panel (like my Favorites) and see the hierarchy of my tags.

Conclusions

Well, for Beta 1, it’s not half bad.  It starts up instantly, looks clean, and appears to integrate into Windows Vista just fine.  If a few of the odd rendering snafus can be addressed (either by releasing WHY it doesn’t work or tweaks to the rendering engine in IE), I look forward to the next release.

Getting at the Membership Roles.GetAllRoles()

February 13, 2008

For the WebGallery2 project, I’ve moved away from my own user management and opted for the .NET Roles and Membership “features”.  I do like the functionality (built in is good sometimes), and the ease of maintenance; however, the management of roles and memberships SUCKS—especially when you want to use that information in your application.

One such use is our Galleries.  Each gallery has an associated Role that is checked by the User.IsInRole() method.

However, when editing a gallery, I want to see the enumeration for all roles—so I can pick and choose in a drop down list.  Unfortunately, there’s no really good way to get at the Roles list and drop it into a GridView’s FooterRow—at least not that seems to work without 40–50 lines of code.

So, I ended up cheating a bit.

Inside our LINQ DataContext, I added a non-LINQ-related method called “GetAllRoles()” that returns a string array (string[]).  To me, this is still data, data retrieval, and fits into the DataContext partial class.

using System.Web.Security;

namespace WebGallery.Models
{
    // Partial class extending the LINQ-generated DataContext; the role list
    // comes from the ASP.NET Membership role provider, not from a LINQ table.
    public partial class WebGalleryDataContext
    {
        public string[] GetAllRoles()
        {
            return Roles.GetAllRoles();
        }
    }
}

I can now call that method like:

WebGalleryDataContext db = new WebGalleryDataContext();

string[] rolesList = db.GetAllRoles();

That’s great.  However, if I wanted to use a LinqDataSource adapter, that won’t work—the method doesn’t exist inside a LINQ Table context.  To fix that, the good old ObjectDataSource comes to the rescue.

<asp:ObjectDataSource ID="Roles" runat="server"
    SelectMethod="GetAllRoles"
    TypeName="WebGallery.Models.WebGalleryDataContext" />

Then, in my EditItemTemplate (of a GridView), I can populate the DropDownList with the roles in the system:

<asp:DropDownList runat="server" ID="EditRole"
    DataSourceID="Roles"
    SelectedValue='<%# Bind("Role") %>' />

ObjectDataSource at work
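One thing worth adding on the server side: the DropDownList only limits what the browser shows, and the posted “Role” value is still client-supplied, so the gallery update should re-check it against the role provider before it is saved. The code-behind below is an added example, not part of the original post or the WebGallery2 project; the page class name, the GridView ID, and the “GalleryAdmins” role name are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

namespace WebGallery.Web   // hypothetical namespace for the admin page
{
    public partial class GalleryAdmin : System.Web.UI.Page
    {
        // Hypothetical role whose members may reassign a gallery's role.
        private const string GalleryAdminRole = "GalleryAdmins";

        // Wire this to the GridView's OnRowUpdating attribute. Bind("Role") in
        // the EditItemTemplate places the posted value in e.NewValues["Role"].
        protected void GalleryGrid_RowUpdating(object sender, GridViewUpdateEventArgs e)
        {
            // Only a gallery administrator may change which role guards a gallery.
            if (!Roles.IsUserInRole(GalleryAdminRole))
            {
                e.Cancel = true;
                return;
            }

            string role = e.NewValues["Role"] as string;

            // Refuse anything that is not a role the Membership provider knows,
            // so a tampered postback cannot point a gallery at a bogus role.
            if (string.IsNullOrEmpty(role) || !Roles.RoleExists(role))
            {
                e.Cancel = true;
                return;
            }

            // Otherwise the data source update proceeds with a real role name,
            // and User.IsInRole(gallery.Role) keeps meaning what it should.
        }
    }
}
```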

If there’s a better way, I’d LOVE to hear it. 🙂

Update: Whoops, http://localhost for the photo probably isn’t gonna work.

Internet Explorer Team removing “Click to Activate”

November 10, 2007

Back in April 2006, the IE team added a measure to ActiveX controls loaded in Internet Explorer after losing their lawsuit to Eolas (another interesting editorial from 2005).  It was subtle, but required you to CLICK the control to activate it.  Many users, not seeing the text informing them what to do, simply thought that they were lagging out, and clicking twice, instead of once, fixed it.  The April 2006 update found its way into our SUS updaters and wasn’t caught—driving our Customer Service department absolutely mad for the following weeks.  Good times all around.

So, two years later, it appears the team is backing the change out by finally purchasing licensing from Eolas.  Whether right or wrong in this case (I actually side with Microsoft and the evidence from W3C on this one… but meh), it’s absolutely insane that this took two years of frustrated consumers “clicking to activate” their embedded QuickTime movies, Flash movies on YouTube, and even controls built on web pages.

Timeline?  Looks like the first preview release (e.g. public beta) will be released in December 2007 with another pre-release included in Vista SP1 and XP SP3.  The final patch won’t be until the two year anniversary of the change—April 2008.  How slowly the cogs turn…

The IE Team has posted up the background here: http://blogs.msdn.com/ie/archive/2007/11/08/ie-automatic-component-activation-changes-to-ie-activex-update.aspx

Big Brother is Watching Me Surf

October 25, 2007

I was mid-read of Matt Berseth’s blog this morning and was greeted with our filter’s cheerful message:

You cannot access the following Web address:

http://www.mattberseth.com/

This site is blocked under the filtering policy. If you believe this site has been blocked inappropriately, send a request for a site review to {email removed}. In order for your request to be processed you must include the address of the site you would like reviewed, your name, and the educational application of the site in question. Please contact your site STS or Customer Service at {phone removed} if you have additional questions.

The site you requested is blocked under the following categories: Malicious Sites

So, I contacted them with a serious WTF question.  Lately, more and more blogs, forums, and community sites—which are key resources to modern developers—have been blocked.

The answer I got: Send in a formal request, it will be reviewed by the curriculum department to ensure it’s safe for children.  If it’s not, then it will remain blocked.  Coding sites are considered malicious because they teach potential hacking skills to children that could endanger the stability of network systems.

w.t.f.

I haven’t even responded yet.  I don’t have anything nice to say that will keep me employed.  And, for now, I don’t have to worry… because THIS blog (my blog) is blocked too… tomorrow, maybe Google will be blocked because we don’t want children to find anything “bad”.

Thankfully, I can still RDP into my home computer and WORK.

Note: I’m not saying Internet filtering and such are bad; but due diligence of staff/parents/etc. should make up for some of that—and educating children about what they should and shouldn’t access will make it less taboo.  Oh, and separate filtering policies for the MIS Department and the kindergarteners, kthx.

[Update 12:45pm: I now have an ‘understanding’ of the full process.  An email to a monitored address, a response, a form to fill out, a few committees or individuals, a response with further questions, an email back, and finally it’s opened up.  I’m tempted to do two things: a) just continue RDPing out because that process took almost 1.5 hours, b) send in 100+ of them at one time.  And yes, my blog is still blocked—RDPing home to post.]

The Security Development Lifecycle : Oil Change or Culture Change?

Dave Ladd provides an interesting picture of how architecting (and “selling” security) to the CxO’s isn’t so much about promoting technology, but promoting culture change.

I have worked on security and privacy initiatives at Microsoft for a number of years, but it wasn’t until I came to the Security Engineering group to work on the Security Development Lifecycle that I realized I don’t actually work on security. To be clear, I do many of the tasks that one might associate with security – look at bugs, evaluate tools, provide guidance and the like – but it’s more accurate to say that I (along with everyone else in Security Engineering and Communications) am in the culture change business.

The Security Development Lifecycle : Oil Change or Culture Change?.

This is a very interesting concept, especially in my field of education.  Many of our vendors, peer districts, and such are baffled by our rigorous standards for security—both in our development and our infrastructure.  I’ve spoken with only a handful of districts that place security at the level where it is a strategy—not a byproduct—of their overall technology architecture.

Why is that?  First off, I believe a lot of that comes from our CIO’s passion for security and doing things “right.”   FERPA and privacy are at the forefront of concern—and avoiding the courtroom for any mishaps.  Our applications must not only be protected from the deviants of the Internet, but from the 50,000 students and 10,000 staff members who are using our systems.  Are they all “out to get us”?  Nah, not usually—but typically the most innocent of individuals is the first to find the biggest security hole.

Second is resources.  Technology is highly valued in our environment and has almost infinite funding given proper documentation and a good sales pitch to the executive levels and board.  Because of that, our physical and software infrastructures have many of the latest and greatest gizmos, gadgets, and such to protect our information.

What’s missing?  For us, it’s standardization in both development and implementation.  We’re still struggling with fully grasping what it means to write “secure” code; however, this changes with every day as we become more adept at development and, as most, learn from our mistakes.