Posted on by Wladimir Palant

I already left Darmstadt and I am on my way back to Oslo now. The unpleasant surprise is that Germanwings no longer flies to Oslo. I have no idea why they stopped serving this direction in the middle of the season — I couldn’t find it mentioned anywhere, there are just no more flights between Cologne and Oslo (the webpages of both airports confirm this so this isn’t a glitch in Germanwings’ database). That means that I will fly from Düsseldorf with Norwegian which is slightly less convenient. But at least I will spend a few more days in Cologne.

I have to be finished with my PhD in two months, so I guess I will be very busy now. Don’t expect to see much Adblock Plus progress during this time and I probably won’t look at the forum all too often. As usually, anything urgent is better sent with a mail directly to me. I cannot promise a fast reply but I will look at it.

Read more… Comment [5]

Posted on by Wladimir Palant

I guess some of you run a web server. Maybe you have noticed entries like this one in your logs:

"GET /forum/admin/admin_styles.php?phpbb_root_path=\r HTTP/1.1" 302 5 "-" "-"

What is this about? In this particular case somebody tried to use a security hole in an older phpBB version to execute PHP code loaded from another server. I had several hundreds of entries like this one in the last month, targeting vulnerabilities in all kinds of PHP scripts (most of which are not even installed here). The attackers tried to install backdoors, defacement tools or in one case a simple script to send all e-mail addresses from the local phpBB installation to its owner. The requests are usually done by other web servers, I guess those have the backdoor already installed (a botnet).

Read more… Comment [2]

Posted on by Wladimir Palant

I recently linked to an article stating that users of Internet Explorer have been exposed to known critical vulnerabilities for 284 days last year. That sounds bad enough but unfortunately it is not all. For example I came across a vulnerability in Internet Explorer that has been ranked “Less critical” for reasons I don’t understand. What this does — it basically eliminates same-origin checks, any web site can read contents of another site. I put up an example that can check whether you are logged in on Google or Yahoo and read out your user name — provided that you use Internet Explorer. It could just as well read out your mail or change your mail password. It could also go into your banking account if you happen to be logged in. Information on this vulnerability has been published April last year and still unpatched in both Internet Explorer 6.0 and 7.0.

Read more… Comment [4]

Posted on by Wladimir Palant

I have seen many people complaining about how Firefox is no more secure than Internet Explorer. Usually this impression comes up when people read the long lists of security bugs fixed with every maintenance release. Since I have reported a few security bugs myself and could observe how Mozilla deals with those, I knew well that Firefox is still incomparably more secure than Internet Explorer — and now there is proof. Internet Explorer Unsafe for 284 Days in 2006 has the data. Last year users of Internet Explorer have been exposed to unpatched critical security flaws for 284 days in total, on 98 of those days the security flaws were actively abused by web sites. In comparison, there was only one vulnerability in Firefox that was publicly disclosed before a patched Firefox release was available, amounting to 9 days of exposure.

So where did the long lists of security bugs go? Did the author of this article overlook them? No, he didn’t. These bugs were there, they have been discovered and fixed — and only then the information on them has been disclosed. So while each and every software has bugs, the major difference here is that Firefox vulnerabilities are reported and fixed before the information is disclosed and somebody gets a chance of abusing them — and with Internet Explorer it often happens the other way round.

Read more… Comment [9]

Posted on by Wladimir Palant

I should be finished with my PhD in May. What should I do once I am done? This question is bugging me right now. These three years have made it very clear that I don’t want to continue an academic career. I want to produce good software that will be used by real people, and sadly this is simply unrealistic being at a university. Most of the research produced will never turn into real applications, and even if it does, most of the time nobody will ever notice those.

There is also a complicating factor — after spending three years away from my family and my fiancé, I really want to settle down in the area of Cologne or at least somewhere from where one can easily go to Cologne for a weekend. Finding a company in Germany where I could spend most of my time programming instead of fighting the process isn’t exactly easy. Add to this that I’m not the convenient type of employee — I have a strong opinion on just about anything and I won’t hesitate to tell it. All this together means that I don’t have all too many choices.

Read more… Comment [6]

Posted on by Wladimir Palant

The spell checker in Firefox 2 is certainly a great feature. I have already seen lots of people write this and I agree. And yet, it has some certain deficiencies that make me use it far less than it could be. The reason is: it seems to assume that you always write your texts in the same language. Yet I am frequently switching between languages, I write texts in English, German and Russian all the time. And going to the context menu, digging into the languages menu and choosing the right language is just annoying, especially for a short text. There is also another issue: switching languages takes a while, and for a huge dictionary like the German (10 MB) it becomes a major annoyance.

These issues could be solved of course. For example one could make the UI for switching languages more accessible by adding keyboard shortcuts, maybe Ctrl+Shift+1 through Ctrl+Shift+9 (extension, somebody?). Then, when I switch away from a language this probably doesn’t mean that the dictionary should be released — I want it to be kept in memory. I don’t care about the extra 30 MB of memory usage for the German dictionary but I care very much about the 10 seconds delay when Firefox has to load it again.

Read more… Comment [15]

Posted on by Wladimir Palant

Disclaimer: I don’t blame people working on AMO for anything. They face extremely difficult problems and are working very hard. I am simply noting some areas where they still have a long way to go.

I started a little experiment — downloaded all extensions from (AMO), unpacked them and tried to find security holes by searching for specific strings. As expected, it wasn’t all too difficult, one can easily find a dozen vulnerable extensions in an hour, and that not even accounting for the fact that there is a certain unpopular class of extensions on AMO all sharing the same buggy code. The only reason I didn’t hit all too many high profile extensions was that I was going through the extensions in alphabetical order instead of going by popularity.

Read more… Comment [7]

Posted on by Wladimir Palant

Do you still remember? Sometime in the beginning of year 2004 Bill Gates promised us to take care of the spam problem by 2006. It was big in the news all over the world. Well, the year is almost over and I don’t see anything change for the better. A look at my inbox tells me that spam got much worse if anything. In fact, spammers have made considerable progress in these two years. They are now making heavy use of botnets thus rendering the spam protection methods based on IP address checks or identity verification almost irrelevant. They successfully use randomized mail content and images to trick Bayesian filters. And they got much better at social engineering. What did Microsoft do? They sued a few spammers — which didn’t quite make the expected impact because spam is still much too profitable.

It’s not that I really expected them to find the silver bullet. I mean, it was obvious that Bill Gates was selling hot air there. But I miss the public outcry. Where are the newspapers who reported about this two years ago, do they want to let him simply get away with a lie?

Read more… Comment [11]

Posted on by Wladimir Palant

I just came back from Germany a few days ago and now (in a few hours) I am going there again. This came quite unexpectedly, I didn’t know myself until two days ago. This time I will stay in Darmstadt for a few months, working with the guys at the university and hopefully producing something useful together. I should come back to Oslo in the beginning of March to finish my PhD thesis — plan is to be all done before May. That’s some crazy time coming up…

Read more… Comment [8]