Skip navigation

Tag Archives: javascript

In preparation for the upcoming 1.0 release and with the hopes of laying a foundation for more interactive slopegraphs, I threw together some rudimentary output support over lunch today for Raphaël, which means that all you have to do is generate a new slopegraph with the “js” output type and include the salient portions of the generated html/css/javascript into a web page (along with including the Raphaël script code).

The next github push will have this update. Here’s an example of the output, using the classic Tufte example chart:


It’s definitely a bit rough around the edges (my eyes immediately fixate upon spacing discrepancies) and lacking any interactivity, but the basic building blocks are in place. It also does not render on my Android phone (HTC Incredible 2) but it does render in Chrome, Safari & on my iPad. Embedding a Raphaël graphic in a web page will definitely have advantages over a PNG or PDF in most situations even if it’s not interactive, so I’ll probably keep the support in regardless of whether I continue to improve upon it.

As I was playing with the code, I kept thinking how neat it would be if there was a Raphaël Cairosurface” option. Perhaps that will be a side project if all goes well, since it would not be that much more complicated (in fact, it may be less complicated) than the Cairo SVG surface code.

The FBI made a tool to help you determine if you were a victim of the DNSChanger malware.

If you’re like many casual Internet users, you have no idea how to get the information to plug into the input box.

Unfortunately, the security model of most modern browsers makes it impossible to easily retrieve this information. However, it is possible to grab the DNS entries if the user is willing to trust the requesting source.

To help make it easier to determine if you’re infected, I wrote DNSChanger Detector. It’s a small Java applet that requires the user to allow it to have privileged access to the DNS entries via a call to sun.net.dns.ResolverConfiguration to get the nameservers. Once it has them, there is some jQuery glue in place to let Javascript access the results.

I understand why the FBI didn’t attempt to go this route, but it will hopefully be useful to folks who don’t wish to walk their friends and family through the process.

I’m putting together a computer & online safety presentation for an upcoming talk at a senior center in Portsmouth (NH) and came across Support Details in my information hunting trek. This site makes it dirt simple to get basic information from whomever you are providing remote support to (a task I’m sure many of us have to do on occasion). I suspect it could also be handy to a developer who wants to double-check client settings. If you’ve ever tried asking someone what their IP address is or even what browser they are using, you know how helpful it might be if you could find out simple information quickly and painlessly.

Support Details collects data on the following system/browser elements:

  • Operating System
  • Screen Resolution
  • Web Browser
  • Browser Size
  • IP Address
  • Color Depth
  • Javascript
  • Flash Version
  • Cookies
  • User Agent

Support Details | Tech Support Management

Both Windows and OS X provide internal utilities to do full screen sharing – and more – for remote assistance if you’re on that same platform. There are third party services such as GoToAssist and Copilot that enable remote support across platforms. While Support Details does not even come close to either types of interaction it does provide basic data to help you triage where to go next…and, it’s free.

Those were the words that greeted me within five minutes of checking out the Flask microframework for Python web applications. I feel compelled to inline those four, short paragraphs:

I’m not joking. Well, maybe a little. If you write a web application, you are probably allowing users to register and leave their data on your server. The users are entrusting you with data. And even if you are the only user that might leave data in your application, you still want that data to be stored securely.

Unfortunately, there are many ways the security of a web application can be compromised. Flask protects you against one of the most common security problems of modern web applications: cross-site scripting (XSS). Unless you deliberately mark insecure HTML as secure, Flask and the underlying Jinja2 template engine have you covered. But there are many more ways to cause security problems.

The documentation will warn you about aspects of web development that require attention to security. Some of these security concerns are far more complex than one might think, and we all sometimes underestimate the likelihood that a vulnerability will be exploited, until a clever attacker figures out a way to exploit our applications. And don’t think that your application is not important enough to attract an attacker. Depending on the kind of attack, chances are that automated bots are probing for ways to fill your database with spam, links to malicious software, and the like.

So always keep security in mind when doing web development.

Let’s look at the key take-away messages…

Data Should Be Stored Securely

Interestingly enough, this is not the default mindset of one of the more popular modern database technologies [mongoDB] (and it has plenty of company [memcached], too).

Even if your app starts out without any real sensitive data, odds are you will be storing credentials, e-mail addresses, social network handles and other bits of information that you should feel some fundamental responsibility to treat with care. There are somemcached manymysql resourcesoracle tocouchdb helpsqlite that you really have no excuse.

And, it will save you time later on when you realize you actually need to have a secure storage foundation.

Watch The Input To Your Apps

Flask protects you against one of the most common security problems of modern web applications: cross-site scripting (XSS). There are many others. If you are a programmer and have never even heard of OWASP, then you need to put down your PS3/Xbox controller and do a quick read on at least their take on the top ten web app security risks (btw: there are way more than ten, but you need to start somewhere).

The thing is, unless the halls of higher education have crumbled completely since I was in school, I distinctly remember having the concept of input validation, bounds checking, etc. being rammed into my thick skull in almost every programming class (and this was way before web apps were even contemplated). You may think you’re innovating by posting a link to your functioning rapid prototype on Hacker News, but what you’re really doing is being sloppy, lazy and irresponsible. Period.

And, while it’s fine to seek out frameworks like Flask and rely on some of their inherent protections, it does not absolve you from your responsibility to deliberately & consciously build rugged software (which doesn’t just mean “secure”).

“Don’t think that your application is not important enough to attract an attacker”

I’m not sure if any amount of verbiage will convince someone of this fact if they are determined not to believe/accept it. It’s a much larger discussion (and this is already a long post). If you are inclined to have a slightly open mind, I encourage you to read So You Think Your Website Won’t Get Hacked by Joseph Schembr. It’s really slanted towards “script-kiddies,” but should pique your interest enough to keep exploring why your hacked-up personal URL shortener might be a target.

Fin

It’s impressive that the Flask authors cover security in some way, shape or form on 21 pages in the documentation [PDF]. If you’re building or contributing to other frameworks, projects or engines (hint, hint, Node.JS devs!) I would strongly encourage you to take as much time and consideration as the Flask team did to ensure you are making it as easy as possible for your users to deploy applications as securely as possible by default.

Security

  • VSR uses some high-ish profile attacks from 2010 to provide fodder for the VAR community :: Security Risk: Top Hacker Attacks of 2010. I include it as the examples they provide should make it easier for folks doing presentations where they need to show real-life attacks (without sifting through the individual entries at the various data breach web site databases). [Vertical Systems Reseller]

Windows

  • Windows 7/2008 SP1 looms large. OEMs, VLCs & MSDN/TechNet subscribers get it on February 16th and the rest of the masses can give it a go on February 22nd. It looks like it has a decidedly enterprise-y focus, but one can hope it continues Microsoft on the path to robust desktop & server experiences :: Announcing The Availability of Windows 7 and Windows Server R2 SP1 [Microsoft]
  • Autoruns – the ability to automatically perform tasks when certain devices are made available to Window systems (e.g. USB sticks) – are a boon to malware writers. While Microsoft has somewhat mitigated the threat they pose in more modern versions of their operating systems, it can be tricky to make older systems safe. With the latest round of Patch Tuesday updates, they included a way to disable Autoruns in older systems. W00t! Microsoft Update Offers an Easier Way to Turn off Autoruns [PC World]
  • Succinct and informative article by Chris Sanders on how to determine if your systems is being actively compromised. Chock full of screen shots and examples of what to look for. While not exactly aimed at the general Windows community, it does provide a solid introduction to core tools that technically-inclined users should make room for in their toolboxes :: http://www.windowsecurity.com/articles/Determining-You-Actively-Being-Compromised.html [WindowsSecurity.com]

Programming

  • Pageforest helps you ship complete web applications without having to write any server-side code. You can build your application using HTML[5], CSS & javascript and the Pageforest service provides application hosting, user authentication & data storage. You only use client-side javascript and are free to include jQuery, Prototype or any other frameworks that you need to include in your app. Hosting is currently free and the site includes a full IDE to help you get started coding :: A Pure JavaScript Web Application Platform [pageforest.com]

Security

Programming

Interesting points/counterpoints on the efficacy of Node.js being tied so closely to the V8 javascript engine:

HTML5

I wanted to play with the AwesomeChartJS library and figured an interesting way to do that was to use it to track Microsoft Security Bulletins this year. While I was drawn in by just how simple it is to craft basic charts, that simplicity really only makes it useful for simple data sets. So, while I’ve produced three diferent views of Microsoft Security Bulletins for 2011 (to-date, and in advance of February’s Patch Tuesday), it would not be a good choice to do a running comparison between past years and 20111 (per-month).  The authors self-admit that there are [deliberate] limitations and point folks to the most excellent flot library for more sophisticated analytics (which I may feature in March).

The library itself only works within an HTML5 environment (one of the reasons I chose it) and uses a separate <canvas> element to house each chart. After loading up the library iself in a script tag:

<script src="/b/js/AwesomeChartJS/awesomechart.js" type="application/javascript">

(which is ~32K un-minified) you then declare a canvas element:

<canvas id="canvas1" width="400" height="300"></canvas>


and use some pretty straighforward javascript (no dependency on jQuery or other large frameworks) to do the drawing:

var mychart = new AwesomeChart('canvas1');
mychart.title = "Microsoft Security Bulletins Raw Count By Month - 2011";
mychart.data = [2, 12];
mychart.colors = ["#0000FF","#0000FF"];
mychart.labels = ["January", "February"];
mychart.draw();

It’s definitely worth a look if you have simple charting needs.

Regrettably, it looks like February is going to be a busy month for Windows administrators.

Your web-browser does not support the HTML 5 canvas element.

Your web-browser does not support the HTML 5 canvas element.

Your web-browser does not support the HTML 5 canvas element.