Some people are never happy, part 2

  • 66984 - Need name for new image library (rename libpr0n).
  • 108816 - World War III: "What should Backspace do (or not)".
  • 259207 - Mozilla firefox needs a title song.
  • 261354 - RSS button looks like it says "ASS".
  • 262173 - Firefox Icon Problem - new firefox icon appears to be giant red panda that is humping south america.
  • 266457 - Inappropriate content in the Firefox Crew's Pick list (default bookmarks).
  • 34669 comment 11 - "Fixing summary to not end with 'loads of ass' when truncated at 60 chars."

Thanks to Peter van der Woude for telling me about several of these bugs.

Part 1

Posted on October 29, 2004 at 04:39 AM in Mozilla | Comments (5) | TrackBack (2)

My impressions of Google Desktop Search

Google Desktop Search is useful enough for me to keep it installed, but I wouldn't say that it works well.

Functionality

  • The file I'm looking for is often missing from Google Desktop Search's index. Even the filename is missing. I can't tell if it decided to skip the file because of its extension, contents, location, or changed-on date. Sometimes touching the file gets it indexed, but sometimes it doesn't.
  • It "caches" old versions of files often enough to take up disk space unnecessarily, but not often enough that I can rely on it for a revision history when I break something.
  • Since Google Desktop Search is slower than www.google.com, leaving "Show Desktop Search results on Google Web Search result pages" checked makes it slow down web searches.
  • It gets much slower if I add num=100 to the URLs. A search with num=100 usually takes 3 seconds. This would be ok if it streamed the results, but I just don't see anything for 3 seconds. (There's no UI for adding num=100, so it's not really fair to complain.)

Security

  • "Show Desktop Search results on Google Web Search result pages", which is checked by default, elevates any XSS hole in www.google.com to a read-my-files hole.
  • Google Desktop Search uses an interesting scheme to mitigate XSS and CSRF holes: it includes a hash in every URL, even the root. The hash includes the path and sometimes includes the query parameters. If the hash is missing or doesn't match, it returns "Invalid Request".
  • Clicking a link to an .exe file in search results runs it without any warning.
  • The web site doesn't mention the current version number. The program doesn't have a "Check for upgrades" link, and if it checks automatically, it gives no indication of that fact.
  • Any web page can detect whether you have Google Desktop Search running by loading an image (or perhaps any URL) from http://127.0.0.1:4664/.
  • The index is stored in a predictable location. "File upload holes", which let sites read your files if they know the filenames, are common in web browsers. File upload holes that require no user interaction are usually fixed quickly. But file upload holes that do require user interaction are not always fixed quickly. Two file upload holes requiring user interaction that I reported in 2000 are still present in IE and Firefox.
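
The URL-hash scheme from the second bullet above, as an added example; it is not Google's code and not from the original post. The HMAC-SHA256 construction, the per-install secret, the `token` parameter name and the `/search` path are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

SECRET = secrets.token_bytes(32)   # assumption: random per-install secret
TOKEN_PARAM = "token"              # hypothetical parameter name
QUERY_BOUND_PATHS = {"/search"}    # hypothetical: paths whose hash covers the query


def _mac(path, params):
    # The path is always hashed; the query only for selected paths.
    msg = path
    if path in QUERY_BOUND_PATHS:
        msg += "?" + urlencode(sorted(params))
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def sign_url(path, params=()):
    """Build a URL the way the local server would emit it, hash included."""
    params = list(params)
    return path + "?" + urlencode(params + [(TOKEN_PARAM, _mac(path, params))])


def handle(url):
    """Return "OK" for a correctly hashed URL, otherwise "Invalid Request"."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in params if k == TOKEN_PARAM]
    rest = [(k, v) for k, v in params if k != TOKEN_PARAM]
    if len(tokens) != 1:
        return "Invalid Request"   # hash missing or supplied twice
    expected = _mac(parts.path, rest)
    # Constant-time comparison, so timing does not reveal matching prefixes.
    if not hmac.compare_digest(tokens[0].encode(), expected.encode()):
        return "Invalid Request"
    return "OK"


if __name__ == "__main__":
    good = sign_url("/search", [("q", "report")])
    print(handle(good))
    print(handle("/search?q=report"))
    print(handle(good.replace("q=report", "q=other")))
```

For a path outside `QUERY_BOUND_PATHS` the hash still verifies after the query string is changed, so any endpoint whose parameters matter needs the query covered by the hash.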

Posted on October 22, 2004 at 03:38 AM in Google, Security | Comments (7) | TrackBack (0)

Bookmarklets in print

My bookmarklets have appeared in print media several times:

  • PC Magazine, Fall 2004 Digital Home issue: Security Watch: Revealing Passwords mentions my view passwords bookmarklet.

    KMGI focuses on Microsoft products, but we also found a bookmarklet (a piece of JavaScript you save as a browser bookmark) that's more brand-agnostic -- and free. It's called "view passwords" and is available at www.squarefree.com . "View passwords" exposes saved password text in IE, Firefox, Mozilla, and Netscape. The script also reveals hidden text in Opera, but the way that browser executes saved passwords -- by filling in the user name and password, then activating the Submit button -- prevents the bookmarklet from working, except on a very slow page load.

  • O'Reilly's Google: The Missing Manual (May 2004) devotes almost two pages to my search and seo bookmarklets.
  • PC Magazine (February 2004): Bookmarklets Boost Web Surfing.
  • Heise c't (November 2003) has a screenshot of the result of using the "number rows" bookmarklet, if I'm remembering correctly.
  • New York Times (August 21, 2003): Fishing for Information? Try Better Bait had a paragraph about the @alltheweb bookmarklet.

I have print copies of all of these except the Feb 2004 PC Magazine article. O'Reilly shipped me a free copy of Google: The Missing Manual, Matti sent me a copy of the issue of Heise magazine from Germany, and I bought the others at bookstores.

Posted on October 20, 2004 at 07:21 PM in Bookmarklets | Comments (1) | TrackBack (0)

Community Firefox ad in The New York Times

The Mozilla Foundation plans to run a full-page Firefox ad in The New York Times soon after the launch of Firefox 1.0. Spread Firefox is asking for donations to fund the ad and expenses related to the 1.0 launch.

All donors' names will be included in the ad. In addition to creating an incentive to donate, this strengthens the ad by showing that it was paid for by a large community rather than a corporation. (Why don't more political and non-profit ads do the same thing?)

I donated today. If ten readers donate through my donation link, I will be listed as a Community Champion instead of just a donor.

Posted on October 19, 2004 at 04:30 AM in Mozilla | Comments (12) | TrackBack (4)

Request for extension ideas

What new Firefox extensions would you like to see?

Posted on October 18, 2004 at 06:22 AM in Mozilla | Comments (81) | TrackBack (0)

Political Halloween costumes

Some ideas for political Halloween costumes:

Update 2004-10-30: Other people came up with funnier ideas for political Halloween costumes and illustrated them:

Posted on October 15, 2004 at 11:38 PM in Politics | Comments (0) | TrackBack (0)

New Firefox extension: Search Keys

Search Keys lets you go to search results by pressing the number of the search result instead of clicking. You can press 1 to go to the first result, Shift+2 to open the second result in a new window, etc. It works with Google, Google News, Google Groups, Google Desktop Search, and del.icio.us.

Update Oct 16, 2004: The shortcut for opening in a new tab is now Alt+N on Windows and Mac, to avoid conflicting with the Ctrl+N shortcut for switching tabs. It is still Ctrl+N on Linux, which uses Alt+N for switching tabs.

Posted on October 15, 2004 at 08:01 AM in Google, Mozilla | Comments (14) | TrackBack (0)

StarcraftGamers on UCSD Starcraft flyer

The Starcraft flyer I photographed and blogged made its way to a site called StarcraftGamers. The site has an article about the flyer and the associated research.

Posted on October 05, 2004 at 03:49 AM in Games, UCSD | Comments (0) | TrackBack (0)

Foreign policy debate mistakes

Some of Bush's mistakes:

0:06:10 "Do you believe the election of Senator Kerry on November the 2nd would increase the chances of the U.S. being hit by another 9/11-type terrorist attack?" "No, I don't believe it's going to happen. I believe I'm going to win."
0:07:55 "The enemy understands a free Iraq will be a major defeat in their ideology of hatred. That's why they're fighting so vociferously."
0:14:20 "Of course we're after Saddam Hussein -- I mean bin Laden."
0:15:44 Bush tries to pound on the podium.
0:30:57 "What's he say to Alexander Kwasniewski of Poland?"
0:32:37 "Well, actually, he forgot Poland."
0:40:25 "Let me finish" (who was interrupting him?)
0:42:20 "You know, it's hard work to try to love her as best as I can"
0:45:35 Bush interrupts Kerry. Lehrer lets Bush respond, but Bush pauses for five seconds and then babbles about mixed messages.
0:52:00 In response to a question about Iraq: "the enemy attacked us, Jim". (Kerry called him on it.)
1:10:35 "You cannot lead if you send mexed missages." (How are the Capitol Steps going to make fun of this spoonerism?)
1:11:55 Referring to his daughters: "I'm trying to put a leash on them." (Kerry called him on it: "Well, I know. I've learned not to do that.")
several times Being the president is hard work.

Some of Kerry's mistakes:

0:37:00 "United States, the America and Great Britain"
0:57:15 "Global test". (Bush called him on it.)
0:58:00 "Iran and Iraq are now more dangerous -- Iran and North Korea are now more dangerous."

The times refer to the Washington Post's Real stream, which I watched using Real Alternative and Gabest's Media Player Classic. Political Animal: Clip Contest, commenters on Daily Kos, and georgewbush.com caught some mistakes I might have missed otherwise. I copied some quotes from the MSNBC/FDCH transcript of the debate.

Posted on October 04, 2004 at 01:02 AM in Politics | Comments (7) | TrackBack (0)