Wednesday, May 30

The Ghost In The Browser

I read Google's paper "The Ghost In The Browser Analysis of Web-based Malware". The fact is astonished: 10% note* of websites have malicious code to (at least try to) exploit visitor's computer, including my website.

In my website I deployed a free counter to send me report of visitors. From the report I can know when is the best time people visiting my page and how they found my website, and what kind of technology they are using: Most of my visitors are using 1024*768 monitors, which means that I should design my site according to this dimension. This kind of information is invaluable. In each page of my website I embed a short HTML code from the free counter provider to perform this survey. The provider's name was "NedStat", then changed as "webstats", and now it is "motigo webstats". I have been using this free counter since 2002.

In the Google's paper, this is an example telling webmasters to be cautious with Third-Party Widgets:
This widget used to keep statistics of the number of visitors since 2002 until it was turned into a malware infection vector in 2006... The web counter was benign for over four years and then drastically changed behavior to exploit any user visiting the site. This clearly demonstrates that any delegation of web content should only happen when the third party can be trusted.
Now it is deleted from my website.

note*: BBC said "One in 10 web pages scrutinised contained malicious code". Maybe that is not true. The origin word from the paper is:
We analyzed the content of several billion URLs and executed an in-depth analysis of approximately 4.5 million URLs. From that set, we found about 450,000 URLs that (is malicious)

So I would say that the rate is 450,000 out of several billion.

Labels: ,

Tuesday, May 29

Quirks Mode of Browsers

I need to add a drop-down menu in one PHPNuke enabled site. There are many drop-down menu available in Internet. Some are JavaScript programs, and some are CSS enabled. Of course, they are open source.

After looking at those menu for 1 hour, I decided to use a pure CSS menu from designmeme. Those JavaScript menus are way too complicate, and it requires some effort to go through the code to modify color, style. This CSS menu is pretty straightforward. There are 50 lines of CSS code to decide the style of UL and LI.

So I created a new test.htm and put the menu in it. It works fine in both Firefox and IE. Perfect! After I put the menu in header.html of the theme I am using in the PHPNuke and upload it to server, here comes the fun part: The drop-down menu only worked in Firefox, not in IE.

I spent 30 minutes to compare the test.htm and the output of PHPNuke. I actually downloaded ExamDiff to compare it. It is ironic that Visio Studio doesn't provide such a tool to compare 2 files. Finally, the result is: The test.htm is started with
< !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
while the output of PHPNuke is started with
< !DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >

and the latter is parsed by browsers in Quirks Mode.

What is Quirks Mode? It is a mode that the webpage is considered as "not compatible with W3C standard", so the browser will parse it in the way the browser thinks suitable. The PHPNuke's output claims itself not compatible with W3C standard, so Firefox parses it as drop-down menu, but IE parses it in other way.

Please make your site in Standard Mode.


Reference:
http://en.wikipedia.org/wiki/Quirk_mode
http://www.webmasterworld.com/forum21/7975.htm
http://msdn2.microsoft.com/en-us/library/bb250395.aspx

PS: On right side bar I embedded a weather forecast of my living city. It shows good in IE but not good in Firefox. Yes, that is exactly what you are thinking: The header of it is:
< !DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
So it is telling the browsers to work in Quirks Mode, so it is very normal that it acts different in these two browsers.

Thursday, May 24

Chat Room

I built a AJAX chat room for this blog. AJAX is the best technology for this because it doesn't request high amount of network traffic, and the user can feel no delay.

Perl is used for server side programing.

The first time you log in, you are allocated a random color. You can reset your username and your color by visiting this page.

Chinese character is enabled for this chat room, but only Firefox can work with Chinese character: MSIE is infamous with not following standards, and I really can't solve this problem in IE. both Firefox and IE7.

Labels: ,

Saturday, May 19

Installing Bitware in Win2003 Server

I have been using Cheyenne Bitware 3.3 for ... 8 years. Today when I was trying to install it into my Win2003 Server, the printer driver is failed to install.

Solution: Run gpedit.msc to open Group Policy object Editor, disable this setting:
Local Computer Policy\Administrative Templates\Printers\Disallow installation of printers using kernel-mode drivers
and reinstall Bitware.


BTW: The successor of Bitware is Simply Messenger PRO.

Labels:

Friday, May 18

Messy MSDN help

Today the messy MSDN wasted me 1 hour.

By somehow I know there is a setting in the web.config to setup requestPriority as "Normal", "High", or "Critical". If it is set as Critical, the IIS Web server will server HTTP request in high priority, ignore other tasks. Because the server I am using is designed for IIS Web server solely, setting this value can help improving the performance.

But after I deployed this web.config, when I open IIS property of this website, I got error message:
Unrecognized attribute 'requestPriority'. Note that attribute names are case-sensitive.
So in Visual Studio 2005, I selected this keyword and hit F1--This is the way you get help from MSDN Library. I was directed to a help document:
.NET Framework General Reference
httpRuntime Element (ASP.NET Settings Schema)


....

requestPriority:

Optional HttpRequestPriority attribute.

Specifies the priority of all incoming requests to this application.

This attribute can be one of the following possible values.

Value Description

Critical

Specifies that a request is not subject to rejection, if the managed application queue is full. However, the request will be rejected, if the ISAPI threshold has been exceeded. The request is inserted at the end of the high priority queue, which is serviced before the normal queue.

High

Specifies that a request is subject to rejection, if the application queue is full. If the queue is not full, the request is inserted at the end of the high priority queue, which is serviced before the normal queue.

Normal

Specifies that a request is serviced as it normally would be, without elevated priority. This is the default.

This attribute is new in the .NET Framework version 2.0.

The default is Normal.

And there is default configuration for the httpRuntime element:
< httpruntime
executiontimeout="110">
...
requestPriority="Normal"
...
apartmentThreading="false"

/>
So I copy/paste the keyword and check it twice since the IIS mention "case sensitive". It didn't work. The document says this attribute only works for .NET Framework 2.0, so I double checked the ASP.NET version: 2.0.50727. I actually changed it to .NET 1.0, which apparently a wrong option, then changed it back. Same situation.

I had to Google for 15 minutes, until I found a simple reply in a news group:
Development Tray
Hello.

How can I to set requestPriority to "Critical" for an specific page in ASP.NET 2.0?

Thank you.

Author
26 Mar 2006 8:19 PM
Juan T. Llibre
requestPriority was killed after Beta 1.
If it is "killed", why is it shown in my MSDN Library? I searched keyword httpRuntime from the MSDN, came to an online help document with the same title:
.NET Framework General Reference
httpRuntime Element (ASP.NET Settings Schema)


....
In this document it doesn't mention requestPriority. But in the "default configuration " section, the "requestPriority" is still there:
< httpruntime
executiontimeout="110">
...
requestPriority="Normal"
...
apartmentThreading="false"

/>
Now I believe Microsoft actually canceled "requestPriority". But it forgets to delete it from the MSDN Library (The Visual Studio 2005 and MSDN I have is NOT Beta!), and it decided not to mention this keyword at all: It would be better if it lists this keyword and mention it is deprecated after 2.0.6xxx... And then it makes a mistake not to remove it from the default configuration!

Labels: ,