Friday, March 30, 2007

Firefox extensions to install first

It happens to all of us sooner or later. My Firefox profile could not bear my continuous abuse and committed suicide without even writing a note. This event, albeit unfortunate, was not unforeseen. I knew that if I kept switching back and forth between Firefox 1.x and 2.x, installing and removing all sorts of suspicious extensions and tinkering with about:config settings, I would eventually be punished. So, I assessed the situation and figured that if I was careful I would not lose anything important. I backed up my corrupted profile, started and shut down Firefox to create a new one, copied my bookmarks, stored passwords and saved sessions and called it a day. Once I started Firefox again, though, it still didn't look friendly, so I started adding extensions. Here is my list ordered by importance.

What did I install:
  • Tab Mix Plus - Only the best tab manager extension I have seen so far. It makes tab switching behave in a logical manner (like windows on alt-tab and not in a dumb loop) and adds a lot of useful tab-related functions such as lock tab or duplicate tab. Locking is a way to make sure that wherever you click, this tab stays on the same page and links are opened in new tabs; this is highly useful for browsing lists of things, be that Google search results, bookmarks or craigslist.org listings. Also, Tab Mix Plus replaces the built-in Firefox 2 crash recovery feature and turns it into complete session management. You can save and restore multiple sessions including closed tabs and windows (oh, did I mention that you can undo tab close with Tab Mix Plus?) and other information.
  • Adblock Plus and Adblock Filterset.G Updater - Unless you are a masochist and enjoy intrusive advertising, you need these extensions. Yes, you really do. This extension effectively blocks most forms of banners, flash ads, popups (even the ones the built-in popup blocker doesn't catch) etc. The updater will download the current set of patterns, so you don't have to train the blocker yourself, and will keep it updated.
  • del.icio.us firefox extension - A very convenient way to keep your bookmarks online. Includes a "Bookmark This" button that will open a new window allowing you to tag, describe and save current page.
  • Deepest Sender - There are a few blogging extensions out there that allow you to post blog entries in a comfortable (or not so comfortable in some cases) way. I have chosen Deepest Sender as my personal favorite. It supports all the major blog engines (in my case Live Journal, Blogger and WordPress), allows for simple formatting, allows direct source editing and has a simple preview. I guess I would prefer a few more WordPress-specific options, but I have yet to find a better blogging solution.
  • Colorful Tabs - All this extension does is paint your tabs various semi-random colors (the colors cannot be assigned, but it will make sure that no two neighboring tabs are the same color) and slightly fade away tabs which are out of focus. You cannot imagine without trying just how much easier it is to navigate multiple tabs with this extension. Albeit your tab bar starts to look much less officious.
  • GreaseMonkey - A generic extension allowing you to execute custom JavaScript scripts on pages you choose. Using these scripts you can enhance the usability of popular sites, add missing features, change the look and feel etc. Pre-made scripts can be downloaded from the UserScripts.Org site.
  • Web Developer and FireBug - The first one is the web developer's multi-tool. It is a tool bar that includes all the features that you could possibly want when testing the web site you are working on: cache disabling, headers, authentication, security and other information, window resizes for simulating different resolutions, element outlines etc. And where Web Developer leaves off, FireBug comes in. Normally hiding in a status bar icon, FireBug will tell you the exact lines in CSS that affect a particular tag, the tag that corresponds to a particular element, how long it took to load and render any of the page requirements, what scripts have been loaded and much, much more.
There are several extensions I didn't install because I personally didn't find them useful, but which should still be mentioned.

What I didn't install:

  • Sage - is the most popular RSS reader extension. I do not use it, because I don't like side bars and I am quite happy with my external RSS reader, which happens to be Liferea.
  • All-in-One Sidebar - is a great tool for people who use side bar a lot. It integrates downloads, extensions, source view and other features into the side bar and allows for custom side bar panels.
  • ScribeFire - is another popular blogger extension. It even supports some WordPress features better than Deepest Sender, but the interface is a little cumbersome and the Live Journal support is very buggy.
So, at this point my browser is ready for action again. I will be back soon with Firefox extensions for web site testing.

Wednesday, March 28, 2007

A FreeBSD experiment

About a year back, there was some activity around a post by one of the FreeBSD developers regarding FreeBSD being ready to compete with Linux (and I suppose by proxy with Windows) as a desktop system. Back then I wanted to play around with FreeBSD once again (my friendship with UNIX started with installing FreeBSD 2.2.4 on my home computer), but found some features lacking for proper support of my favorite UNIX desktop (that would be GNOME). A few days ago I figured it was a good time to take a look at what the BSD people came up with in the desktop department. I have done some probe installs in VMware, so now I am ready to try it on my home computer. So far (after those test installs) I figured out two main things about FreeBSD.

  • A lot of things are very different from Linux.

    Well, this would be natural and expected, since FreeBSD is not Linux. But it has been a long time since a new system confused me and now I am refreshingly confused. The aspect I found especially confusing is disk allocation. I still hope to find reasonable documentation on what the relation between partitions, slices and labels is, how the information about the layout is stored etc. Since all of the base system in FreeBSD is developed as part of the FreeBSD project, a lot of basic commands work in unexpected ways. This is not a problem though; I was ready for it and now I seem to cope well with the differences.

  • The community is extremely rude to new users.

    This, unfortunately, is a problem I didn't expect. Over years of working with Linux, I have gotten used to people being willing to help and, if not, at least not being outright evil. Not so in the FreeBSD world. On one of the test installs, I messed up my disks by trying to switch to a different boot manager. I couldn't boot my system and I didn't want to reinstall, since I had configured and installed and compiled a lot of stuff on it. So, being a newbie, I went to the #freebsd channel and asked for help. To my surprise, I was immediately told that the only way for me was to reinstall the entire system. I expressed some doubts about this, since I was pretty sure that my data was still intact on the system, but was told again that the only way was to reinstall and restore from backup if I had one. At this point I figured that this was a big usability hole for a modern operating system, but I figured that I would get a second opinion before I destroyed my data. Some 10-15 minutes later, some other channel member took pity on me and told me that the reinstall was only suggested because I was on the wrong channel. I was supposed to ask for help on #freebsdhelp. I went to that channel and, while my question was ignored for a while, I kept digging through man pages and mailing lists and other documentation and found my answer. By that time, someone on #freebsdhelp told me to shut up because I didn't use proper terms for disk allocation units. If I wasn't stubborn and didn't have enough prior computer knowledge, at this point I would be reinstalling my system from scratch. Why? Because I asked a question on the wrong channel. Mind you that the "right" channel just plain ignored my question, which, while being better than the previous experience, also didn't help much. I am still going to try FreeBSD. Albeit I doubt I will ever ask for help from anybody in the FreeBSD community.

Thursday, March 22, 2007

Fun with MySQL query optimizer

A few days ago, after a minor bug fix in our site code, the load on the database server suddenly dropped about 50%. I was obviously interested in what caused such a major improvement and found out a few interesting things. To demonstrate this fascinating phenomenon, let's create a database:
CREATE DATABASE test;
USE test;

create a table
CREATE TABLE `table1` (
`f1` int(11) NOT NULL auto_increment,
`f2` char(10) NOT NULL,
PRIMARY KEY (`f1`),
KEY `an_index` (`f2`)
);

and populate this table with some values
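DELIMITER $$
DROP PROCEDURE IF EXISTS `test`.`populate_table1`$$
-- Insert ct rows into table1; f2 receives the counter values 0 .. ct-1
CREATE PROCEDURE `test`.`populate_table1` (ct INT)
BEGIN
PREPARE q1 FROM 'INSERT INTO table1 (f2) SELECT ?';
SET @x = 0;
REPEAT
EXECUTE q1 USING @x;
SET @x = @x + 1;
UNTIL @x >= ct
END REPEAT;
-- Release the prepared statement once the loop is done
DEALLOCATE PREPARE q1;
END$$
DELIMITER ;
CALL `test`.`populate_table1`(100000);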

And now the evil magic begins (query results skipped for brevity)

Wednesday, March 21, 2007

Web security and the autocomplete attribute

In this day and age, most web browsers offer some sort of a form autocompletion feature. IE, Firefox, Opera, Safari all have it. The browser will offer to store your logon information and common form fields such as first name or address and fill them into appropriate forms. As far as I am concerned this feature was a blessing for web security. Now, you would think, a user can choose proper, secure passwords for his various web sites without writing them down on sticky notes and without reusing the same ones over and over again.

Unfortunately this is not entirely true, since not one browser I know would allow for an easy and obvious way to back up the passwords and an easy and obvious way to use these from a portable medium such as a USB key or a mini CD. I know that, with a bit of skill, you can export IE and Opera settings and back up a Firefox profile, but who is going to bother? This should be something the browser does for you transparently, for people to actually get into a habit of using such a feature properly. But back to the point. In Microsoft's implementation, the autocomplete doesn't automatically fill the fields. If you go to a login page of some site it will present you with a choice of usernames and once you pick a username it will fill in the password if it was stored. Not very secure. Especially considering that by default every time you fill a form IE will prompt you to turn autocomplete on and once it is on, there is no indication that your username is being stored. It will prompt for password. So, on a publicly accessible computer this feature becomes a privacy and security horror?

Not really. If you do not turn this feature on by default and do not bug the user about it, no one in their right mind will turn it on on a public computer, and a nicely evil restrictive user policy will help against those not in their right mind. Firefox also has a similar feature, where it will ask to remember your username and password, but the default answer is no and it will not remember your username by default without asking. So, what is the Microsoft solution? In IE 5.5, a new feature creeps in. The autocomplete attribute. Now anybody who is trying to design a login form can turn off the autocomplete for a particular form, or even for a particular control. Firefox, in a fit of moronic excitement, follows suit and implements support for this new non-standard attribute without thinking about consequences. I am fairly sure Opera recognizes autocomplete as well. So, for example, when browsing the Chase online banking site you are not going to be prompted to remember the password you are entering. So, this is a good thing. You do not want to leave your bank account wide open, do you? No, I do not. But this is not a good thing. Why? Because it takes control over security from me, the user. Now, Chase Manhattan Bank, and not me, decides that my bank login information is sensitive enough not to be stored anywhere. A lot of sites follow suit and use the autocomplete attribute left and right without any regard to the actual risks of user accounts falling into the wrong hands. Some web site analyzer programs actually throw out a warning if they find a password field without autocomplete=off. So, now I cannot decide for myself if a particular piece of information is important or not; this has been decided for me.
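How the attribute resolves for each password field, and so what an analyzer of the kind mentioned above ends up flagging, as an added example that is not part of the original post. It assumes the inheritance the HTML standard describes (a control's own attribute wins over its form's, and the default is on); the sample markup, form actions and field names are constructed.

```python
from html.parser import HTMLParser

def _token(attrs, key):
    """Lower-cased attribute value, or None when the attribute is absent."""
    return (attrs[key] or "").strip().lower() if key in attrs else None

class PasswordFieldAudit(HTMLParser):
    """Record each password input and what decides whether it may be stored."""

    def __init__(self):
        super().__init__()
        self.form_setting = None  # autocomplete value of the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_setting = _token(attrs, "autocomplete")
        elif tag == "input" and _token(attrs, "type") == "password":
            own = _token(attrs, "autocomplete")
            if own is not None:                  # control-level attribute wins
                value, source = own, "control"
            elif self.form_setting is not None:  # otherwise inherit from the form
                value, source = self.form_setting, "form"
            else:                                # nothing set: browser default
                value, source = "on", "default"
            self.findings.append({"name": attrs.get("name"),
                                  "storable": value != "off",
                                  "decided_by": source})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None

def audit(html):
    """Return one finding per password field found in the markup."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup (assumption): four login-style forms.
SAMPLE = """
<form action="/bank" autocomplete="off"><input type="password" name="pin"></form>
<form action="/forum"><input type="PASSWORD" name="pw" autocomplete="OFF"></form>
<form action="/signup" autocomplete="off">
  <input type="password" name="newpw" autocomplete="on"></form>
<form action="/legacy"><input type="password" name="oldpw"></form>
"""
```

Fields reported with `storable` set to `True` are the ones such an analyzer would warn about; `decided_by` shows whether the site made that choice at the form or at the control.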

Promoting personal freedoms is a good thing, but do these restrictions actually help? Let's imagine a scenario where it helps. A user comes to an internet cafe and goes to check his bank account. When prompted to save his account information on a public computer that doesn't belong to him he inexplicably clicks yes (and mind you that just hitting enter wouldn't help, since even IE doesn't choose to store the password by default) and walks away. The next person goes to the same computer, happens to be an evil bandit, finds his username and voila all his money is gone, all his base are belong to us and the bandit is in his base killing his dudes. Well, this is bad, so instead we never offer him to remember his password. So, to accommodate the fact that he has to remember his passwords once again by himself, the user in our example and a lot of other users revert back to the ways I described at the beginning of this post. They use the same password everywhere (or two, or three), they choose simple, easy to remember (and easy to crack) passwords, they leave sticky notes with passwords on the monitor etc. So to protect some shmuck who doesn't know that fire burns and guns kill, MS have inconvenienced a lot of reasonable people into lowering their defenses. Is that still a Good Thing?