
Jul. 30th, 2008

phantom gray

NBBC and open-source thoughts

As most of you know, I've been working hard on a webcomic software package called CMXpress, and one of its distinguishing features is that for nearly all the places where a user can type text, it uses BBCode to allow you to format it.

I discovered around the start of this month (July) that the BBCode parser I'd been using was covered under the GPL.  This is bad.

See, here's the thing:  CMXpress is covered under a BSD license, which is about as open as open-source gets:  Free as in speech, free as in beer, you can download your copy, modify it, sell it, do anything you damn well please with it --- you just can't claim you wrote it.  Which is fair, I think:  BSD and similar open licenses have helped spur the development and the spread of a huge number of software packages.

The major competing open-source license is the GPL, which is similar in principle, except for two things:  First, if you hand a modified copy to anyone else, you have to make your modifications available to them under the same terms.  BSD lets you keep a modified copy private or ship it closed; the GPL lets you keep it private only until you distribute it.  Second, the GPL is, as Micro$oft rightly argues, somewhat like a virus:  It infects everything it touches, and overrides everything it touches.  If I had (stupidly) shipped that GPL'ed BBCode parser with CMXpress, CMXpress itself would have had to be covered under the GPL.

I don't like people telling me what I can and can't do.

So the old GPL'ed BBCode parser is out, and I couldn't be happier, really.  It wasn't really that great a piece of code to begin with; it was cranky and somewhat inflexible, didn't handle whitespace in ways I really wanted, and the original author stopped supporting it two years ago.  I did some searching, and there weren't any other good BBCode parsers out there; seems a lot of people are looking for one, and nobody's written one...

...Until now.  Introducing NBBC, a fast, flexible, well-documented BBCode parser that's covered under a BSD license.  Unlike most open-source code, it's well-commented, includes a huge user's manual, includes several examples, and is small and lightweight to boot.  It's a validating parser, meaning that no matter what broken garbage your users type in, you get XHTML 1.0 Strict out.  It runs under PHP 4.0.5 or later, and is everything that old parser wasn't.  It's long overdue.  Go download your own copy now.

NBBC will quickly replace all of the places where I used that old BBCode parser:  It's faster, more flexible, works flawlessly right out of the box, and has a nice API for adding extensions and new tags and smileys and other stuff.

NBBC is hosted by SourceForge, and I have mixed feelings about that.  On the one hand, SourceForge is a nice clearinghouse for open-source projects.  On the other hand, SourceForge seems to me to be a royal pain in the @$$ to work with, and somewhat slow.  Still, I'm giving it a try, and maybe SourceForge will grow on me over time.

And those of you who have been wondering where CMXpress is can stop wondering:  CMXpress has been inside the garage while I replace its BBCode parser and get rid of anything that smells even vaguely like the stink of the GPL.

Jun. 15th, 2008

phantom gray

The Acceptance Speech

My fiancée is a theater geek, and tonight's her big night of the year:  the Tonys.  It's a bit more entertaining than the drivel embodied by most award shows, since theater tends to be a bit more substantive than most other fields of entertainment, but still, at three and a half hours, it drags like a bad prom dress.

Much of the boring part is, of course, the acceptance speeches.  Sometime around the 900,000,000,000th award, I found myself wishing that someone would stand up and actually make a good and entertaining acceptance speech for a change.  It would be spoken slowly, and it would go something like this:

"I couldn't be here tonight, so I asked myself to come in my place and read this speech I wrote.  Please bear with me."

(He reaches into his jacket and withdraws a written acceptance speech.  He begins reading it slowly and carefully.)  "Screw you.  I hate you all.  Backspace.  Backspace.  Backspace.  Thank you all so much for giving me this award in the field of acting, writing, and/or directing."

(Pause.)  "Note to reader:  If I have been nominated for a different category, please alter the speech accordingly, and remove references of loathing and anger where appropriate."

(Deep breath.)  "I could not have acted, written, or directed this play or musical without support from loved and cherished immediate family members whose names I conveniently forget when I write speeches.  I would like to thank the producers who saw my obvious brilliance and asked me to star, write, or direct this play or musical, knowing that my talents would win them an Oscar, a Tony, an Emmy, a Pulitzer Prize, and/or a Nobel Prize.  I would like to thank Jesus, Gandhi, Mohammed, Buddha, Zeus, and my mother, not necessarily in that order.  Finally, I would like to thank my wife, whose name I cannot recall, having just married her in Vegas last Thursday."

"Thank you all once again for this statue or certificate, and please know that if you were to star, write, or direct a play I would gladly give you a similar one in return, so long as it is made entirely of chocolate, preferably without nuts, as nuts are expensive."

See that?  That's an acceptance speech with some cojones.  That's an acceptance speech they'd be talking about around the water cooler the next day.  Anybody can thank everyone they've ever met.  Not everybody can thank nobody, much less make it fun to watch.

P.S.  If you're nominated for something and want to steal my speech, steal the damn thing.  Maybe that'll be one less boring, lame-ass acceptance speech I'm stuck having to sit through.  Thank God for TiVo.

May. 17th, 2008

phantom gray

CMXpress, getting closer

I built a comic-import tool for CMXpress over the past two days, mainly because while CMXpress makes it pretty easy to upload a comic, if you have to upload, say, a hundred of them at once, it can get to be a chore.  The initial test installation on the Crossworlds comic is going well; once I had the bugs worked out of the import tool, I was able to import, sort, and categorize all 93 comic pages (that's 75 in-canon comics, 2 cover pages, and 16 fillers) in the space of about a half hour; and most of that time was spent going through the comics and trying to decide which ones belonged in which story arcs.

Overall, CMXpress is starting to feel very good.  It's still a little rough around the edges, and there are some bugs to deal with, and a few things that aren't fully implemented yet, but the overall feel, to compare it to cars, is "Porsche in need of some body work" (which is a lot better than "Yugo in need of demolition"):  There's more work yet to do, but it's starting to finally really feel like something people can and would willingly use.

For the record, the initial version of CMXpress we installed on the Crossworlds test site was v0.9.2, and the current version installed there is v0.9.4.

May. 13th, 2008

phantom gray

CMXpress, rolling out like a snail

Okay, we're not quite at the stage of a major rollout, but we hit a milestone with CMXpress tonight.  I got enough of the installer done that I was able to package up CMXpress in its current beta form and install it successfully on another site --- or, more accurately, I watched and fretted while my friend Thom installed it ;-)

There are a number of bugs to squish yet, but overall, I'm pleased; we got it installed relatively painlessly on his site in about an hour and a half (it'll take only about fifteen minutes for most people to install once CMXpress is released, but we were finding and fixing bugs during the install), and the next step is to start configuring it to the needs of Crossworlds and import his existing data.

Based on his needs, I think I need to spend a lot of time working on importer code, even though that wasn't part of the original design spec, because he's got a decent-sized comic that really needs to be inhaled more easily than importing the comics one at a time, and he's also got a blog that he'd like to turn into CMXpress's built-in news system.  A package for managing data isn't very useful if you can't get your data into and out of it easily.

Still, though, I'm a relatively happy camper; I've suffered through far worse initial software rollouts than this.

Mar. 6th, 2008

phantom gray

The IE8 beta: Nice try, guys

So today I tried out the newly-released Internet Explorer 8 beta. You can download it and install it yourself, but it's a beta, not a final release, so don't expect polished edges.

Overall... well... my results were mixed. Yes, it passes the vaunted ACID2 test. That's good. It's definitely a step in the right direction. However, ACID2 isn't a test of all of the CSS 2.1 language specification; it tests a lot of important cases, but not everything. And while IE8 does correctly render ACID2, it definitely doesn't get all the other parts of the CSS 2.1 spec correct.

I pointed IE8 today at the current build of CMXpress to see how it'd handle it. CMXpress is a very Web 2.0 program, and its back-end (the administration side of it) makes extensive use of CSS, XHTML, Javascript, and AJAX for its page layouts. Its front-end (the part visitors see) uses whatever page template the site is set up with, and the default front-end I've been working with is an XHTML+CSS variant of the Wotch's front page.

Both the back-end and front-end are rendered, perfectly, unchanged, by Firefox 2, Opera 9, and Safari 3. They do have embedded IE-conditional comments so that they can render acceptably on IE6 and IE7 by including additional stylesheets.

IE8 gets it wrong. Not massively wrong, but wrong enough that the site is unusable. The front-end has a lot of formatting and layout glitches, with many of the link images being scattered around the page semi-randomly. The back-end's Javascript is broken in its entirety; IE8 gives up somewhere in the middle of the code, and I'm not really sure why yet. Without that Javascript working, all the AJAX and Web 2.0 stuff that it does is non-functional, so the back-end is effectively unusable.

Don't get me started on other Web 2.0 sites like the new Yahoo! Mail (crashes on a Javascript error) or Google Maps (looks like it went through a blender), or even a simple page like script.aculo.us's front page (flickers and animates all wrong).

Google Maps on IE8
Google Maps on IE8 or postmodern art? You decide.

And did I mention the speed? You can tell when IE8 is rendering a page in "Standards Mode" because it's slow. Slow like molasses in January. Slow like a dead sea turtle crawling up the beach with a towtruck on its back. Maybe they have a lot of debugging code in there: I don't know. But what I do know is that its page-render times are better-expressed in geologic terms than in seconds. I dare you to resize the browser window. Go on, do it. Let me know how that turns out for you, if it ever finishes.

Oh, about all those new features... Yes, IE8 comes with a raft of new features, most of which seem to be designed to point IE's users at various Microsoft Live services. You can right-click on text and search for it on Microsoft Live Search. You can translate it with Microsoft Live. You can post it to your blog on Windows Live Spaces. Anybody see a trend here?

Conclusion? IE8 breaks pages that worked under IE7. We knew that going in, and that's okay, because IE7's rendering sucked. The problem is that it didn't replace IE7's pseudo-standards mode with a real standards mode: It still breaks pages that are standards-compliant, pages that work fine with three different competing renderers. And it adds in new "features" that seem to me more about targeting people toward Microsoft services than anything else. From my perspective, it looks like Microsoft spent some of their time making IE8 appear less broken without actually making it less broken, and the rest of their time extending the monopoly.

I wanted to like IE8. I really did. I wanted to believe the hype about CSS compliance and all the other good rumors. I've been telling other devs, well, just wait for IE8, you'll see, it'll be great. But this is just pathetic. Seems to me like it's business as usual in Redmond, and now we web developers will have yet another nonstandard renderer to support.

Thanks, guys, thanks a lot.

Feb. 29th, 2008

phantom gray

The lessons we learn

Nobody's above learning a new lesson, and I'm no exception. Today, I spent several hours going through many large chunks of PHP code I'd written removing security vulnerabilities. Yes, that includes the Wotch and CMXpress.

On last week's 910CMX podcast, I explained that website coding should really be left to the experts: If you want to have a webcomic site, let somebody else write the code, and stick to drawing and writing your script, because I can pretty well guarantee you'll produce code that's a hacker's dream. There are a hundred well-known pitfalls, and there are really weird, obscure pitfalls too, like the two I cleaned up today.



The first pitfall was not including the "D" modifier on regular expressions that use the "$" anchor. (If that sentence confuses you, you'd better skip to the bottom of this post, because it only gets more technical from here.) For those who don't know what the "D" modifier does, you're not alone: It's not mentioned in most commentaries on preg_match(). But it does something very important: It makes "$" match only at the very end of the string. Without it, "$" also matches immediately before a newline that ends the string, so a value with a trailing newline sails through a check that was supposed to pin down the whole string.

This means that this simple-looking code has a huge, huge security vulnerability, a gaping hole big enough for a dragon to fly through:

$page = $_GET['page'];
if (preg_match("/^[a-zA-Z0-9_]+$/", $page)) {
    ... do some stuff with $page, which has been checked and found safe ...
}


Don't see the hole? You're not alone. It's perfectly-reasonable code that checks to make sure that the incoming parameter "page" is a C-like identifier --- doesn't it?

Turns out that it doesn't quite do that. This code will allow "apple" through and "apple2" through... and it'll also allow "apple2\n" through, because without "D" the "$" anchor also matches just before a newline at the end of the string. (Text after the newline, such as "x\n<script>evil</script>", is still rejected here; that only gets through if you also used the "m" modifier, which makes "$" match before every newline.) A trailing newline on a value you believed was a clean identifier is enough to break anything downstream that treats it as a single token: a filename, a header value, a line written to a log or a config file. If a malicious attacker feeds a newline-terminated value into this script, it passes a check that was meant to reject it.

The right way to code it is this:

$page = $_GET['page'];
if (preg_match("/^[a-zA-Z0-9_]+$/D", $page)) {
    ... do some stuff with $page, which has been checked and found safe ...
}


The all-important "D" modifier on the end says, "Match the whole string, not just up to a trailing newline." (Writing "\z" instead of "$" does the same thing regardless of modifiers, and is harder to forget.) Without it, an attacker can slip a newline past your checks, and the value you thought was validated isn't. Nasty.

And this isn't just a PHP problem, either. Anything using the PCRE library, or any regex engine with Perl's "$" semantics, has the same quirk: Perl itself, and Python's re module (whose "$" also matches before a string-final newline; use "\Z" there). Ruby's "$" is worse still, matching at the end of every line, so anchor with "\A" and "\z" instead.
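The following is an added example, not code from the original post or from CMXpress. It runs the same identifier check three ways (the post's original pattern, the "D" fix, and the "\z" equivalent) over a handful of constructed inputs, so you can see precisely which strings each version accepts. The function names and the inputs are mine.

```php
<?php
// Added example (not from the original post): what the missing "D" modifier
// actually lets through, and the two equivalent ways to close the gap.

// The check as originally written: "$" also matches before a final "\n".
function isIdentifierLoose(string $s): bool {
    return preg_match('/^[a-zA-Z0-9_]+$/', $s) === 1;
}

// The fixed check: "D" (PCRE_DOLLAR_ENDONLY) makes "$" mean end-of-string only.
function isIdentifierStrict(string $s): bool {
    return preg_match('/^[a-zA-Z0-9_]+$/D', $s) === 1;
}

// Equivalent fix using \z, which is end-of-string regardless of modifiers.
function isIdentifierZ(string $s): bool {
    return preg_match('/^[a-zA-Z0-9_]+\z/', $s) === 1;
}

// Constructed inputs for the demonstration.
$inputs = [
    "apple",                       // benign: all three accept
    "apple2",                      // benign: all three accept
    "apple\n",                     // trailing newline: only the loose check accepts
    "apple\n<script>",             // text after the newline: all three reject (no /m)
    "x\n<script>alert(1)</script>",
];

foreach ($inputs as $in) {
    printf("%-34s loose=%-6s strict=%-6s \\z=%s\n",
        json_encode($in),
        isIdentifierLoose($in)  ? 'PASS' : 'reject',
        isIdentifierStrict($in) ? 'PASS' : 'reject',
        isIdentifierZ($in)      ? 'PASS' : 'reject');
}

// Why one stray newline is enough to matter. This downstream use is
// hypothetical: anything that treats the "validated" value as a single
// token (a path segment, a header value, a line in a flat file) now gets
// an embedded line break it never expected.
function pageFile(string $page): string {
    return __DIR__ . '/pages/' . $page . '.php';
}

$page = "apple\n";
if (isIdentifierLoose($page)) {
    // Prints the path with a literal newline before ".php".
    echo "loose check accepted: ", json_encode(pageFile($page)), "\n";
}
if (!isIdentifierStrict($page)) {
    echo "strict check rejected the same value\n";
}
```

Run it with `php` on the command line; the table it prints shows that only the loose pattern accepts "apple\n", and that neither pattern accepts text placed after the newline unless the "m" modifier is also in play. Modern PHP's header() refuses values containing newlines, but file paths, log lines, generated config and older sinks do not, which is why the check has to be right on its own.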



The second one I ran into is a PHP-only issue, which is that the $_SERVER['PHP_SELF'] and $_SERVER['HTTP_HOST'] parameters are unsafe to use as-is, especially when echoed straight into a page. In fact, many security advocates now recommend avoiding $_SERVER whenever possible. Which, of course, it often isn't, but that's beside the point.

The issue here is that PHP_SELF and HTTP_HOST are built from the client's request rather than generated by the web server itself: PHP_SELF includes whatever PATH_INFO the client tacked onto the URL, and HTTP_HOST is just the Host header. Which means that a suitably nasty client can insert all sorts of unpredictable stuff into them. The classic case is a request for /index.php/"><script>...</script>, which puts a working script tag into PHP_SELF, and from there into any form whose action attribute echoes it unescaped. This is discussed much better here, if you want to study it in depth.

The upshot is that you should treat these variables as untrusted input, and be careful about the "safe" replacements people suggest:
  • PHP_SELF vs. REQUEST_URI: REQUEST_URI is no better, since it is the raw request line the client sent. Whichever you use, run it through htmlspecialchars() before it lands in HTML; for a form that posts back to itself, SCRIPT_NAME (or a hard-coded path) is the least surprising choice.
  • HTTP_HOST vs. SERVER_NAME: SERVER_NAME is only trustworthy when the web server is configured with a canonical name (UseCanonicalName On in Apache); otherwise it is a copy of the Host header. Compare the host against the list of names you actually serve, and fall back to a known default.
As usual, you should never, ever, ever trust HTTP_USER_AGENT, because that can be (and often is) readily spoofed. DOCUMENT_ROOT is reliable, as it comes straight from the server's httpd.conf file. SCRIPT_FILENAME is relatively safe, but often not useful; and SCRIPT_NAME isn't always what you think it is (on some servers running PHI in CGI mode it points to the PHP binary, not to your script), so check what your server actually sets before relying on it.

Again, mishandling these can allow an attacker to inject nasty things into your variables that you don't expect to be there.
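The following is an added example, not code from the original post or from CMXpress. It fakes the $_SERVER array PHP would build for a request carrying a script tag in PATH_INFO and a forged Host header, then shows the unsafe self-referencing form beside two escaped versions and a host allowlist. The request values, hostnames and function names are all constructed for the demo.

```php
<?php
// Added example (not from the original post): how PHP_SELF and REQUEST_URI
// carry attacker-controlled text, and what a defensible use looks like.

// Constructed stand-in for $_SERVER, roughly what PHP would populate for
//   GET /index.php/"><script>alert(1)</script>?x=1
// with a forged "Host: evil.example". Clients can send these bytes unencoded
// in the request line, so REQUEST_URI carries them too.
$request = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><script>alert(1)</script>',
    'REQUEST_URI' => '/index.php/"><script>alert(1)</script>?x=1',
    'HTTP_HOST'   => 'evil.example',
    'SERVER_NAME' => 'evil.example', // Apache with UseCanonicalName Off copies Host here
];

// Unsafe: the classic self-posting form. The quote closes the attribute and
// the script tag lands in the page intact.
function formActionUnsafe(array $srv): string {
    return '<form action="' . $srv['PHP_SELF'] . '">';
}

// Safer: HTML-escape whatever you echo. Switching to REQUEST_URI does not
// make the escaping optional; it is the same client-supplied text.
function formActionEscaped(array $srv): string {
    $uri = htmlspecialchars($srv['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $uri . '">';
}

// Least surprising for a self-link: SCRIPT_NAME carries no PATH_INFO where
// the SAPI sets it properly. Still escape it, because it is still input.
function formActionScript(array $srv): string {
    $path = htmlspecialchars($srv['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $path . '">';
}

// Host: compare against names you configure instead of trusting HTTP_HOST
// or SERVER_NAME. These hostnames are placeholders.
const ALLOWED_HOSTS = ['www.example.org', 'example.org'];

function canonicalHost(array $srv): string {
    $host = strtolower($srv['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+\z/', '', $host); // drop an explicit port
    return in_array($host, ALLOWED_HOSTS, true) ? $host : ALLOWED_HOSTS[0];
}

echo formActionUnsafe($request), "\n";   // script tag survives
echo formActionEscaped($request), "\n";  // &quot;&gt;&lt;script&gt;... : inert text
echo formActionScript($request), "\n";   // <form action="/index.php">
echo canonicalHost($request), "\n";      // evil.example is not allowed: www.example.org
```

The point of the allowlist is that it sidesteps the HTTP_HOST versus SERVER_NAME question entirely: the application decides which hostnames it answers for, and anything else is mapped to a known default instead of being echoed into links, redirects or password-reset mail.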


These holes are now fixed on the sites I maintain (including the Wotch), so don't bother trying to take advantage of them. But before a few hours ago, they were there, which just goes to show how difficult web security can be: By all measures, I'm an expert --- I have a degree in computer science, I've been coding for 23 years, and I speak PHP very fluently --- and I still made these mistakes. So be careful when building web sites, folks, and if you're not sure what you're doing, leave the code to the experts (who at least know how to fix these problems when they learn about 'em).

Feb. 22nd, 2008

phantom gray

On Commissions and Requests

It's been asked (again) why I don't take commissions and don't do requests. So I think I'd better boil this down one more time.

Commissions: To put it bluntly, you couldn't afford it. Not because the art's so wonderful, but simply because it takes me hours and hours and hours to do a typical picture. Lineart often takes four to ten hours, and a finished colored work can be anywhere from twenty to sixty hours. At even ten bucks an hour, I'd have to charge anywhere from $200 to $600 for a finished work, and that's far outside the price range of most potential commissioners --- especially for all-digital artwork where you don't even get a canvas in the mail for your money.

Requests: I usually have plenty of ideas of my own, for one thing, and for another, most ideas that have been suggested don't inspire me. My muse is fickle, and if she doesn't get inspired, I don't draw: It's that simple. You can propose a thousand ideas, but if none of them strike me, it just won't happen. Sorry. So to save you the embarrassment of being turned down a thousand times in a row, I just say upfront, "No requests."

That's it. No commissions because you can't afford them, and no requests because my muse won't like them anyway.

But, hey, if ya got a few hundred bucks burning a hole in your pocket and you're just dying to get a PI original, maybe we can still talk ;-)

Jan. 21st, 2008

phantom gray

Antivirus Software Sucks

Okay, I'm getting pissed.

I just uninstalled my antivirus program (Kaspersky AntiVirus Trial Version) and it took a very large percentage of my computer's functionality with it when I did. Everything worked fine yesterday before I uninstalled it, and now --- well, now it might be simpler just to reformat the thing and start over:

  • The Windows login screen is borked. Clicking on names to login does nothing; you have to hit Ctrl+Alt+Del twice to get to the old login screen and login from there.

  • The mouse is borked. I have a six-button mouse that now thinks it's a two-button mouse no matter what mouse drivers I have installed.

  • The UI is borked. Clicking on windows to bring them forward often doesn't work, and neither does the taskbar, and usually the only reliable way to switch between applications now is Alt+Tab (and even that doesn't always work).

  • The software is borked. Sure, some stuff runs, but a lot of the most essential applications I use, like Firefox and CorelDRAW, now have weird glitches --- like in CorelDRAW, I can use all of the tools --- except the critical select tool, which makes the entire package now utterly useless. It's like having a word processor that lets you type text, but that prohibits you from changing anything you've already typed in the document.

I hate antivirus software.

I hate antivirus vendors.

It wasn't always this way. Once upon a time, an antivirus program was something you ran at your leisure, and it would search, find things, and then go away. No intrusion, no logos, no blasting alerts in your face, no hooking its tendrils into the core of the operating system.

But faced with declining revenues and declining interest, every one of the antivirus vendors now installs a package that is brutal, gargantuan, dictatorial, and, whether you ask for it or not, sinks its hooks into every last corner of the OS. It's not just Kaspersky --- I've seen the same exact behavior (on other computers, thank God) from McAfee, Norton, Trend Micro, Panda --- they all uniformly suck.

So, AV vendors, you want to mollify me? I've been in the computer industry longer than many of you have, and I have expectations. If you want a thumbs-up from me, here's the criteria:

  1. You add or modify a single file in C:\Windows or any subdirectory under it? You fail.
  2. You may add ONE key to the Registry under HKLM\Software and HKCU\Software, but if you add or change anything outside that key, you fail.
  3. You may add ONE directory under C:\Program Files, and you may not place anything executable --- EXEs, DLLs, OCXs, you name it --- anywhere other than that directory. You alter or replace any other EXEs or DLLs anywhere else? You fail.
  4. You may add ONE directory under [username]\Application Data if you need to store configuration files somewhere. Store them anywhere else, or alter files anywhere else? You fail.
  5. You may not "call home". No exceptions. If you call home, you fail.
  6. You may not use system hooks, API hooks, or input hooks of any kind, no exceptions. If you hook anything, no matter how temporary the hook, you fail.
  7. You may not monitor my actions, for good or for evil. If you monitor even a single byte, you fail.
  8. I will tolerate false negatives, but not false positives. If you give me a false positive, you fail.
  9. If you run without me explicitly asking you to run, you fail. No exceptions.
  10. If I cannot manually uninstall you by simply deleting your single directory like any other application, you fail.

So, antivirus vendors, you want my thumbs-up? That's what it takes. There's not a current antivirus product on the market that even comes close to meeting those criteria --- most can't even meet two or three of those criteria, much less all of them. Hell, by those criteria, Notepad is a better antivirus program than any current antivirus software. If you want my thumbs-up, those are my rules. They're not hard rules to meet --- unless you don't give a flying f*** about your customers.

Which, I think, pretty well explains most of the current antivirus software on the market.

Dec. 11th, 2007

phantom gray

Sheer Exhaustion

Well, folks, on Saturday (that's a mere four days from now by my clock), I'll be moving.

It's a big move, in that my fiancée, Songbird, and I, are moving to a new apartment together.

All of my life is packed in boxes right now, from the credit-card bill I paid last week to the book of Christmas carols a six-year-old boy received and then kept for another twenty-five years. It's a strange thing to have your life compressed down into countable units, to say, everything that defines me except for what's in my head is sitting in a Tetris-shaped pile on the floor, awaiting large men to whisk it away and my past, my present, and my future with it.

Maybe that's a little too deep. What can I say: I'm exhausted.

The packing isn't done yet, either.

We're moving to an apartment complex about a half hour away, and it's a nice place, with good nearby amenities, ready access to public transportation, a reasonable driving distance to Songbird's job, and a nice little office for my work. I've been here for eight years now, almost eight years on the dot since graduating college, and I've felt a little like I was in a holding pattern the whole time, neither child nor adult, neither student nor salaryman, despite making a reasonable income and not being in any kind of school.

I wonder at what point you go from being a boy to being a man. I'm certain that in elementary school and middle school, I was just a boy, but somewhere after that I evolved into just "a guy," and I think I'm still waiting for that next step where Mr. Name actually sounds normal instead of a phrase referring to my father. I don't know if this move will do that, but it feels like it might.

Or maybe getting married will. We'll find out in ten months...

Anyway, I'm exhausted, tired, and still haven't finished packing, and have four days of semi-coherent emboxing to perform before I can consider myself moved, followed by an equal quantity of imboxing (ain't English grand?). I apologize if this posting was less lucid than most of my writing; it's 3 AM and I've been running on very little sleep lately.

The upshot is that this week's and next week's Caity's World installments will likely be delayed due to circumstances way, way, way psychotically beyond my control. Fear not, though: The story will continue!

Nov. 21st, 2007

phantom gray

Quickie CMXpress progress update

Okay, so I don't have too much new to say about CMXpress, but I thought it'd be nice to show off a few of the handful of new and changed things in it, especially since I get to show off the Wotch's current status page. Here's a screenshot that gives you about 90% of what's new all at once:

CMXpress screenshot


Here's what's new, in short:
  • Admin pages with a modern theme! That's right, folks, the old flat-shaded '90s Macintosh look is out, and a shiny new orange-and-blue theme is in! Functionality is no less, and the software isn't significantly slower, so all hail the shiny and new! (Admin-page themes are not swappable, at least not in the current design. They might be in a later version, I suppose, but not for now.)

  • Tip-of-the-day to help remind you of things you should remember to do or things you might not already know about CMXpress or (web)comics in general.

  • Artists' comments (not shown) is about 80% done now, from its former ten-ish percent as of the last posting. A lot of progress there, but the remaining 20% is gonna be a bear, since it's very AJAX-heavy.

  • Personal settings (not shown) allow individual administrators to set personal preferences for the admin pages, like how many comics you'd like to see in a comic gallery or whether you'd like to see tips-of-the-day.

And last, but not least, there's the "events" feature, which congratulates you on having reached significant milestones. It existed in the last announcement, but as you can see, the Wotch has reached its 5th birthday today, so a big hearty congratulations to Anne and Robin on reaching five years!