The BugEyed Review Blog

News, views and reviews by your average Joe on the street. No, my name is not Joe.

Archive for the 'Websites' Category

RSS Ticker Firefox Extension

Posted by Bug-E on 10th May 2006

With E3 happening round about now, I wanted to keep up to date with the E3 news as it came down the wires, and my current RSS reader (I’m using thunderbird’s RSS folders thing, and then also bloglines.com) is set to update only every hour or so, so I wanted something else.

Back when I was still running gentoo on my desktop PC, I was using KDE, which had a nice newsticker that could fetch RSS feeds and tick them at the bottom/top of the screen. Now that I’m running Ubuntu, which uses Gnome by default, I wanted something similar to the KDE newsticker. So a googling I went. I found a rather poor attempt at a ticker for gnome, which adds an applet to a gnome panel. Not bad, but not quite what I was looking for. Then it struck me! I’m using Firefox! Some more googling, and I found this:

RSS Ticker Firefox Extension
RSS Ticker is an extension for the Mozilla Firefox Web browser that scrolls your live bookmarks (also known as newsfeeds/RSS feeds) across your browser, a la a cable-news style ticker.

Clickety-click, installed. Restart Firefox and voila! An extra panel at the bottom of the browser, which reads your Firefox Live Bookmarks (RSS-in-a-bookmark-format), and tickers them across the browser window. It can open the items in a new tab for you, and it can hide the items you’ve already read. Gotta love it!


Posted in Links, Software, Websites | Comments Off

More shoddy website security

Posted by Bug-E on 4th May 2006

After my previous rant about bad security on an e-commerce website I recently used, I mailed them, and they replied, plugging the rather gaping hole. I replied, wondering if they’re going to reward me for my diligence (haha!). At the same time I pointed out that they had another hole that needs plugging. This time they plugged the hole, but never responded. Go figure.

Anyway, so today I had to place an order for a book online. This time, I visited a different South-African online retailer. I was quite impressed that they had SSL’d their pages. But what oh what do I find once I’ve confirmed my order? A URL that looks like this:

https://www.xxxxxxxxxxxx.com/checkout.xxx?ordernumber=123456

“Hmmmmm, I wonder…” I wondered. I edited the order number, and voila! I see somebody else’s order! What. The. Fark?! This is basic website security stuff. You don’t allow a logged in user to view any records of any database that doesn’t belong to him! It’s a simple “if requestedRecord.userID != loggedIn.userID then f.off!” check. (Naturally not storing the userID in a cookie or some other stupid client-side place…). This is not rocket science.

Well, I managed to find the buying habits of a couple of people, and their phone numbers, addresses, billing addresses, etc. No, I didn’t store them anywhere. But I could! And if I was a nasty person, I could harass these people, hell, I could even go stalk them if I wanted to. “HA! I know you bought that Oxford English Dictionary buddy! Can’t you spell? Huh? Huh?”.

*sigh*, so yet again, another snotty (I know, I know, I’m an ass) e-mail to be sent to the lack-of-cluebies. Honestly, I don’t know why I bother… Oh yes, in addition to being an ass, I also like to think of myself as sufficiently “nice” to let people know of their blatant security holes. One day, when I grow up, I r going to be a l33t h4xx0r. *sigh*

Posted in Views, Websites | Comments Off

Poor website security

Posted by Bug-E on 7th April 2006

No, not mine. On a site that I used recently to purchase a music CD from, here in South-Africa.

Two days ago I ordered a single music CD from an online music website, quite a reputable one too I might add. Large chain. I won’t mention names, I’m sure the interested reader will figure it out. It looks like developers with a complete lack of security knowledge coded that site.

First off, their login procedure doesn’t take you through an SSL’d connection, so we have username and password being sent cleartext. So there already, if somebody had to sniff some traffic, my personal details, including my home address and cellphone number, are open for reading. This is not so much a big problem as the next problem is.

Next: the site at least goes to an SSL’d page when entering my credit card details, and at least it does a POST to a secure page. But after confirmation of the payment, I get redirected to a URL along these lines:

http://www.xxxxxxxxxx.co.za/xxxxxxxxxx/invoice.asp?OrderID=12345

“That’s nice” I thought to myself. A nicely formatted, printable invoice, with my delivery details, phone number, etc. on. At first I didn’t notice the URL, but once I did, I thought “Hmmmmm, surely not?!” I changed the URL to have an order ID one less than that of my own, and voila, I find that Mr John Doe ordered several “Treffers” CDs, delivered to his house in Centurion. I have his name, address, and phone number.

This is horrible! I can’t believe that a company like this large chain company would actually allow somebody with such a total lack of the most basic web-security knowledge or savvy, to actually code their site. Or, at best, allow a total security-knowledge-lacking system administrator to implement such a poor piece of code. Granted, it’s nice-ish looking, but good god, this is pathetic!

I’m e-mailing them, hoping that they would fix the problem Real Soon, as I can’t be the first person to notice this… The internet is not in an infantile state anymore, and one would expect to find a little bit better coding going on! Hell, even a simple “Is this user logged in?” check in the code would have been a good start, but you don’t need to be logged in to harvest all their order details.

*sigh* I don’t know why I’m surprised at these things anymore…
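Both order-number posts on this page describe the same missing check. As an added example, not code from this blog or from either retailer, here is a stand-in for the vulnerable invoice lookup next to a version that takes the user identity from a server-side session and verifies the order belongs to that user, plus a small log check for sessions that walk through many order numbers. The order table, session tokens and log entries are constructed.

```python
# Added example, not code from the blog or either retailer. Constructed data:
# a sequential OrderID table like the one behind invoice.asp?OrderID=12345 and
# a server-side session store (the cookie carries only an opaque token, so the
# client never supplies its own userID).
ORDERS = {
    12344: {"user_id": "john", "items": ["Treffers CD"], "address": "Centurion"},
    12345: {"user_id": "bug-e", "items": ["Music CD"], "address": "Cape Town"},
}
SESSIONS = {"tok-abc": "bug-e", "tok-xyz": "john"}


def invoice_vulnerable(order_id):
    """Behaviour the posts describe: any OrderID is served to anyone."""
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def invoice_fixed(session_token, order_id):
    """The 'requestedRecord.userID != loggedIn.userID' check, done server-side."""
    user_id = SESSIONS.get(session_token)      # identity comes from the session store
    if user_id is None:
        return (401, None)                     # not logged in at all
    order = ORDERS.get(order_id)
    # Same response for "no such order" and "not your order", so the sequential
    # ID space cannot be mapped by telling 403 apart from 404.
    if order is None or order["user_id"] != user_id:
        return (404, None)
    return (200, order)


def enumeration_suspects(access_log, threshold=5):
    """Detection side: sessions that requested many distinct OrderIDs.

    access_log is a list of (session_token, order_id) tuples as an application
    log would record them (constructed here)."""
    seen = {}
    for token, order_id in access_log:
        seen.setdefault(token, set()).add(order_id)
    return sorted(t for t, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # The neighbouring order is visible to the author's session on the vulnerable site...
    print(invoice_vulnerable(12344))
    # ...but not once ownership is enforced.
    print(invoice_fixed("tok-abc", 12344))
    log = [("tok-abc", 12345)] + [("tok-xyz", n) for n in range(12340, 12350)]
    print(enumeration_suspects(log))
```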


Posted in Views, Websites | Comments Off

Simpleviewer – Flash-based gallery tool

Posted by Bug-E on 16th February 2006

Thanks to Vev, I found SimpleViewer, a very nice and smooth flash-based gallery tool.

It even has a nice Picasa web template, for very, very easy exporting of your pics into a simple, uploadable folder. It even has an Apple Mac iPhoto export option too… Very nice. I’ll be using it Real Soon Now[tm] to upload some pics of the new addition to our family (Yeah, that’s where I’ve been, the S.O. had a baby 3 weeks ago…)

Check out the SimpleViewer Demo

Posted in Links, Software, Websites | Comments Off

Google adds ‘Web Clips’ to Gmail

Posted by Bug-E on 9th December 2005

What is ‘Web Clips’?

Web Clips shows you news headlines, Gmail tips, blogs, any RSS and Atom feed, relevant sponsored links, and more — right at the top of your inbox and messages. Receive updates from your favorite sites without having to leave Gmail!

This is pretty sweet. Nice way of adding an rss feed to your gmail, especially if you spend a lot of time in your browser and/or using Gmail.
‘Web Clips’ adds a single line above your Inbox in Gmail, showing a single rss feed title, very similar to what Google Desktop already does, with a navigation arrow for forward and back. Very nice. All random too, not content targeted.

Update:
Savory Spam Crescents – Bake 12-15 minutes or until golden brown
Heh, Google’s adding recipes for spam (the food, not the irritation) in their web clips bar when you view your Spam folder in Gmail. Heh. Nice guys…


Posted in Links, Websites | Comments Off

LEGO.com Factory

Posted by Bug-E on 2nd September 2005

Wow, the guys over at Lego are brilliant.

They’ve come up with a piece of software that you download for free (9mb download only), and you can design your own custom Lego sets. OK, so this has been done before with Lego Creator type software. What’s special about LEGO Factory? Well, you can order the pieces from lego.com to actually build the sets you designed! You even get to share your designs on their website.

The prices aren’t too bad either, the one example I saw had 607 pieces, and cost $40. OK, maybe that’s expensive.

Kids have it easy these days.

Posted in Software, Websites | Comments Off

Protopage

Posted by Bug-E on 24th August 2005

Thanks to Vhata, I discovered protopage.com. It’s a user-changeable homepage creator. What does that mean? Well, it allows you to drag small windows around, *inside* the webpage, edit the contents of the window, color scheme, background, etc. You’d use it as your default start-up page for your browser, where you’d put all your usual links that you visit every day.

It’s something you have to see for yourself. Javascript very much required.

Posted in Views, Websites | Comments Off

Talk up a (Google) storm

Posted by Bug-E on 24th August 2005

Oh yes, the Big G has done it again.

This time, Google has released Google Talk, a Jabber-compatible messaging server, and a Windows client to accompany it. They have detailed instructions on getting most of the popular IM clients out there to connect to their server.

Several things stand out to me about this new service, one specifically being the second-last column on their IM Clients page, being:

Voice calls to other Google Talk users

Their Google Talk Windows client allows you to VOIP other Google Talk users. Excellent!
I will be trying it out tonight when I get home. Meanwhile, fire up your favourite IM client, and connect now.

It seems you need a gmail account. If you still don’t have one, where have you been? I have lots of invites to send, so let me know if anybody wants one.

Go Go Gadget Google!

Oh, and for some interesting Easter Egg goodness, see this slashdot.org post about a ‘hidden’ game.

Posted in Software, Views, Websites | Comments Off

Mobile GMaps displays Google Maps on your Java-enabled cellphone

Posted by Bug-E on 5th July 2005

Just to add to my previous Ode to Google post, Engadget has an article on Mobile GMaps displays Google Maps on your Java-enabled cellphone. To go straight to the mobile Google maps, go to www.mgmaps.com, but please note that that site is not an official Google site, so as you should be, be careful with what you download and install on your phone.

Posted in Links, Websites | Comments Off

Ode to Google

Posted by Bug-E on 29th June 2005

Google is set to take over the world, I’m telling you. (I wish I bought shares when they listed… Their sharecode is GOOG if you want to see their performance.)
Every other day I get wind of a new service they’re offering…
I decided to make a list of the interesting ones I’ve come across.

Google Search – The Search Engine
Gmail – Free Google webmail service with over 2GB of space available
Google Image Search – Image search engine (Be sure to turn on Safe Searching if you’re at work!)
Froogle – Google’s product search engine (Sadly, only in USD, doesn’t work for South-African sites)
Google Groups – Google’s online newsgroup service
Google News – Customisable aggregated news
Google Video Search – Video and TV episode search engine, with screenshots and semi-detailed episode guides
Google Maps – Satellite images from around the world, now including Cape Town
Google Earth – Search for an address, zoom in and view areas and buildings in 3D (Windows, broadband and good video card required)
Google Desktop Search – Desktop search engine indexes your local files for easy searching (Windows)
Google Alerts – Matching news stories mailed to you as they appear on Google News
Google WebAccelerator – Speeds up your internet browsing by prefetching pages amongst other things
Google Toolbar – Nice toolbar for your favourite web browser

The above links are only a subset of all the excellent services Google offers. Go have a look for yourself at the Google Services page for a more complete list.

Also, don’t miss the Google Blog for updates and announcements of what they’re up to over at Google.

Posted in Links, Websites | 2 Comments »