Author Archive

Uncategorized

Anil’s Ghost.

A long commute on the bus gives me several hours guaranteed reading time every day. I love it. Sometimes I’m lucky enough to read something that so overwhelms me that I forget myself: I moan in ecstasy at a particular turn of phrase, laugh out loud, quietly read passages under my breath. Some time later I become aware of fellow passengers’ sidelong glances, and it dawns on me that I’m the crazy guy on the bus.

Which isn’t all bad. At least no one will sit next to me.

Storm Constantine used to have this effect (Burying the Shadow is wonderful) until she got all weird and sex-magic crazed. Right now, pride of place belongs to Michael Ondaatje’s Anil’s Ghost. An absolute gem. I’ve been reading bits of it aloud to Owen, who quietly lies against my chest, listening. Considering that his usual reaction to a book is to crawl frantically toward it, chew on the binding, then coo as he flips through the pages, his calm appreciation for Ondaatje’s prose speaks for itself.

But I’m still the crazy guy on the bus.


One-Stop Business Registration

Utah has launched OneStop Online Business Registration. Instead of having to register independently with several state and federal agencies, you can now register a new business online, in one place, “in about an hour.”

Now that’s effective and useful eGovernment.


Goodbye, Cathy.

A coworker died this morning, after being hospitalized suddenly yesterday. It feels very strange to be working, everyone going about their business. I did not work closely with her so do not immediately feel her absence, but it’s beginning to creep into my awareness.


IE vulnerabilities are so much fun.

We don’t allow HTML mail at work. Our GroupWise email clients are configured to disable both display and creation of HTML messages. This causes some problems for those who receive HTML mail without a plain text equivalent, but someone decided that the benefits are strong enough that the inconvenience is worth it. Some may declare to our tech support, “You’re preventing me from doing my job!” but they’re wrong.

The problem is Internet Explorer. Many popular Windows email clients use IE for HTML rendering. Since IE is riddled with unpatched security holes, HTML mail is potentially unsafe. Opening an email message is enough to bring down your machine.

To help out our beleaguered tech support staff, I put together a little web-based app that demonstrates our two primary reasons for disabling HTML mail: security and spam. (Spammers sometimes use single-pixel images to track their mail and help identify valid addresses.) It’s quite simple: supply an email address, and the system sends you an HTML-only message. The message contains an <img> whose src is a PHP script that associates your email address with an IP, user agent, what time the message was opened, etc. Most important to a spammer is that the email address is valid. A more malevolent attacker could use the user agent information to craft a more focused exploit.

The message also includes exploits for several IE vulnerabilities: one buffer overflow (now patched), an ActiveX exploit, and now something that launches NotePad (see this followup). Depending on the circumstances in which the message is opened, one or all of those is triggered.

The trouble was not coming up with exploits. IE security holes abound. The trick was coming up with something that a non-technical user can see is a problem. So many of the vulnerabilities are complex or hidden: “Oh no, a cookie has been read!”

The astute reader will point out that disabling image loading and scripting in the email client protects from most of the existing vulnerabilities. True enough, which is why I included a bogus link in the same message on a web server. If the user follows the link, IE crashes. Too, in my tests I was still able to launch NotePad without user intervention. Considering the rate at which IE security holes are discovered, some of which do not require scripting, I do not consider simply disabling functionality to be adequate protection.

I used to abhor HTML mail but no longer feel so strongly: I can understand why many people prefer to read styled text. That is, as long as a plain text version is sent as well. I just read that and refuse to read HTML-only mail. Know, however, that there are risks.

Simon Willison may be glad that he switched to Firebird. Switching your web browser may not be enough.

Now I’m going to get all sorts of mail complaining that I’m alarmist. Nah. I just think that my employer’s tech support staff’s concerns are valid, and if they don’t want to enable HTML mail, I stand with them.


ELF is moving in.

“Firebrands of ‘ecoterrorism’ set sights on urban sprawl”:

The latest attack came last weekend when a large condominium project under construction in an upscale San Diego neighborhood burned to the ground. A banner stretched across the charred site read: “If you build it – we will burn it. The E.L.F.s are mad.” In e-mails to regional newspapers, the Earth Liberation Front (ELF) claimed responsibility for the conflagration that also damaged nearby homes.


Perl in Elvish?

Writing with Elvish fonts. This would be perfect for those who aren’t satisfied with ordinary means of obfuscating Perl.

Heck, why stop with fonts? Surely if we can write Perl in Latin, we can write Perl in Elvish, too.


W3C Design Principles

Bert Bos: What is a good standard? An essay on W3C’s design principles.

Why doesn’t HTML include tags for style? Why can’t you put text inside SMIL? Why doesn’t CSS include commands to transform a document? Why, in short, does W3C modularize its specification and why in this particular way? This essay tries to make explicit what the developers in the various W3C working groups mean when they invoke words like efficiency, maintainability, accessibility, extensibility, learnability, simplicity, longevity, and other long words ending in -y.

The single-page printable version is one place where you might want to use Mozilla’s DOM Inspector to adjust CSS on the fly: you can edit any h2’s CSS style rules to bring the section headers down to something reasonable, and maybe add a border or something else to visually mark the headers.

You could, of course, just save as “Web Page, complete” and edit the CSS files manually. I think the DOM inspector is more fun and saves me the trouble of sifting through several files.

Anyway, this all misses the point: it’s an interesting essay.


Weekend Plans

I went this morning with Kiara and a couple friends to Darien’s Dash, a 5 & 10K walk/run in South Saint Paul. Kiara and her friend Kim decided earlier this year to walk or run this charity race as a motivating goal to get them to exercise together over the summer. I believe, however, that today is the first day all year that they’ve managed to walk together. Heh. Oh well.

We’ve all had our share of walking this year. I’ve lost 25 pounds since Christmas doing nothing different than walking a whole lot. I don’t really pay close attention to my weight, I was just nebulously aware that I was around 30 pounds overweight and out of shape. Hence the resolution to exercise. I might still be less in-shape than I’d like, but I’m a whole lot better off. Especially since I get to combine my walks with spending lots of time with my son.

I did not walk in Darien’s Dash, though. Instead I spent time in the bad coffee shop across the street, reading Details magazine out of desperation because I’d forgotten to bring my book. Time well spent: I learned about the International High IQ Society, an organization I understand even less than Mensa.

(Funny story: our friend S was at a party being subjected to someone’s swooning over how so-and-so had been accepted into Mensa. “Isn’t it wonderful,” the swooner gushed, “he is so brilliant.” S said that she didn’t really see the big deal. “Well! Have you ever tested genius?” the swooner shot back. S said yes. “Oh.”)

On the way back we stopped at Homesteader restaurant in Golden Valley, a great little family-owned place that serves very reasonably priced basic fare. Not much for vegetarians, but worth a visit if you’re the meat-and-potatoes type.

Now Kiara and Owen are off at the Uptown Art Fair (something I learned to hate when I lived in Uptown), and I’m settling down to watch an episode of All Creatures Great and Small, happily ignoring all the things that perhaps I should be doing instead. Ah, this is living.


Coleman does the Right Thing.

I don’t have a lot of respect for our Senator Norm Coleman. He’s pretty much pissed me off since he first became mayor of Saint Paul, and little that I’ve heard him doing in Congress has improved my impression of him. I am glad, therefore, to see him exercise a bit of common sense by questioning the RIAA’s “extreme approach” to quashing illegal filesharing, expecting that the punishment fit the crime. Good for you, Norm. (Listen to an interview with Coleman on Future Tense, a RealAudio stream.)


New edition of the Chicago Manual of Style

The fifteenth edition of the Chicago Manual of Style will soon be released, with some very welcome updates.

There’s a special place in my heart for the Manual. As a kid I spent hours reading and rereading it, and to this day I get a warm feeling when I hold a copy, or even see one on a shelf. For some reason I no longer own a copy myself (though I do keep Turabian handy) so I’m looking forward to this new edition.
