May 8, 2008

As extensions for programs like Firefox sit at the convergence of desktop applications and the Web, they can at times become attack vectors:

Starting in mid-February, Vietnamese users of Mozilla’s open source Firefox browser were at risk of infection from malicious Trojan Horse code seemingly accidentally embedded in a language pack available on its Add-ons site.

The add-on’s author is not suspected of intentionally booby-trapping the file, but instead had his own system infected. That Trojan inserted a banner-ad displaying script into any html [sic] file on his system, which included the help files for the language pack.

Ironically, the HTML files have been removed altogether from the forthcoming Firefox 3, because Mozilla has decided to use an online, wiki-based help system, rather than the static help files that come packaged with Firefox 2.

Application security is still important these days, but as software vendors race to embrace add-ons and RIAs, Web technologies can no longer be considered confined within a tight security “sandbox”. It’s not even just a security issue, either: with phishing- and other fraud-based attacks so prevalent, software developers need to be especially vigilant about any user interface details that could be used to deceive.

As the author of a similar extension for Thunderbird, Firefox’s companion e-mail client, I should note that the Vietnamese localization pack I wrote for Thunderbird is not affected by the trojan. The current version was released in 2005, long before the Firefox localization package.

By the way, an updated version of that localization pack is in the works, based on the Firefox extension. Although I did consult some parts of the Firefox extension’s source code to resolve some tough-to-translate terms, there was no code sharing of any kind. (Not even copy-pasting.)

You can track my progress by pointing your Subversion client (such as TortoiseSVN) to And if you happen to be thạo tiếng Việt, please contact me; I’d be more than happy to accept your help.

To clarify, only advertising banners were inserted, not actual worm or trojan code. See Asa Dotzler’s explanation.

January 4, 2006

You might be wondering why it’s taken me so incredibly long to finally blog about Planet Xavier’s long-awaited and long-needed redesign. As usual, the answer is procrastination. It takes effort to write well, y’know. (No, “stream of consciousness” is not good writing, no matter how many periods you stick in it.) I seriously intended to redesign that site since I set it up more than a year ago, and I’ve blogged about my plans numerous times, but my original plans for the site were so complex and wide-ranging that I was never able to get it done, because it was just too easy to put off. The plans originally included excluding certain entries at the push of a button (isn’t at the push of a button), a robust theming system (isn’t robust), automatic school closing information (isn’t automatic), dynamically-updated weather information (doesn’t work), automatic large image resizing (doesn’t work), a blog submission form (didn’t happen), a preferences panel (didn’t happen), automatic inclusion of news items from St. X’s website (isn’t automatic), and more. As I’ve just noted, I had to change my plans somewhat. I essentially pulled a Longhorn, yanking features out so I could get something – anything – out the door by the first quarter of 2010. I could’ve designed and built the pX you see today in about a week, but instead it took me about a year. Apparently doing smaller things to delay bigger – and more important – tasks is the bad form of procrastination. In the time since I first placed the redesign on my to-do list, I’ve incrementally improved and grown pX, made quite a few contributions to Wikipedia, designed a website for my parish from scratch, similarly designed one for my dorm, translated Mozilla Thunderbird for the Summer of Code, upgraded this blog to the latest version of Movable Type, and attended my first quarter at Stanford. Are these really the smaller things? Don’t think so; it all took me plenty of late nights. 

Though I’ve finally gotten something of a new design up, there are still several major kinks to work out:

  • The dates of each entry are consistently 45 hours behind. That’s right, 45. And I have no idea how such a random flaw crept into the system, à la Peter Rother’s little bug. Fortunately, the “last updated” clock is still correct, and new posts are displayed as usual.
  • The weather indicator (powered by Yahoo! Weather’s RSS feeds and some nifty Ajax) isn’t working; it gives an annoying JavaScript error, even though the script, ironically, works on the test version in my computer.
  • Whenever someone posts an exceptionally wide image, the main page column expands to accommodate it, leaving no room for the sidebar, so the sidebar gets pushed down to the bottom of the page. This shouldn’t happen, and ideally the large images should be automatically resized anyways.

That said, there are some long-needed changes that the new design brings in:

  • Alumni blogs have finally been moved to their own separate pages, and a section for the Class of 2004 has been added. (So far only Peter is being syndicated there; I’ve found some others from that class, but I’ve yet to ask their permission first.)
  • I can now add news items to the site without having to mess around with HTML in my text editor and upload it to the server. The news section is now handled by Movable Type, and new news is automatically propagated to the Latest Entries listing.
  • There’s an “Update” button (for Firefox users only) that lets you update pX yourself. It still takes a few minutes to update, so you can continue browsing to whatever questionable sites you crave and come back to pX when it’s done. I haven’t added any throttling to stop abuse of this feature yet, but I’m hoping that responsible Web users (aka Firefox users) won’t abuse it before I get a chance to add that in.
  • The list of syndicated blogs (formerly known as the “Rollcall”) has been moved to a separate Roster page. This move should significantly speed up the front page and stop Google from mistaking pX for a linkfarm. In the future, the Roster will include more information about each blogger (like statistics perhaps), which will make the page that much more useful.

In addition to the goals that I didn’t meet with this redesign (listed above), I’m also planning to eventually include an automatically-updated listing of the most recent threads over at the St. X Forums, with Peter Franklin’s permission and cooperation, of course. That should be fun. Hopefully I’ll be able to work out the kinks and improve the new design before I return to college next week, but don’t hold your breath: I haven’t gone cold turkey on procrastination yet, and doing so is not on my New Year’s to-do list.

August 25, 2005

Over the summer, I’ve spent a large part of my time making plans for my personal projects (pX in particular), yet I’ve done very little in actually following those plans. That seems to be my style. (Remember all my promises of posting about my mission trips?)

Over the past week, though, I’ve managed to get moving on some of my projects, now that my Summer of Code project is winding down (the deadline is the 1st, lest I forget). I’ve just finished extending Planet so that you can specify which category of blogs to display for each individual page on Planet Xavier. Previously, Planet had no understanding of categories, so I’m thrilled to have completed this task, since it means that I can now easily separate the alumni blogs from the others at pX.

Assuming, of course, that it all works. I’ve already made a clone of the main entry listing, and I’ll be testing my modifications tonight, so that most people will (presumably) be in bed in case something goes horribly awry – such as those pesky Xanga or MySpace entries creeping up to the top again. In the morning, then, all you freshmen and sophomores will no longer see all those alumni posts that you never cared about. Hopefully, that is. If it turns out okay, I’ll generalize the code and contribute it to the Planet codebase.

In the meantime, Six Apart has just released Movable Type 3.2, so I’m going to start working on transitioning to the new version. That way, I can actually make some progress on St. Columban’s redesign.
