18 stories
·
1 follower

Haavoittuvuus 095/2014: WordPress lisäosassa kriittinen haavoittuvuus

1 Share
Custom Contact Forms -nimisestä WordPress lisäosasta on löytynyt haavoittuvuus, jonka avulla sivuston tietokantaa on mahdollista muokata ja tarkastella.
Read the whole story
jyrki
3752 days ago
reply
Share this story
Delete

How to Create Adaptive Placeholders with CSS

2 Shares

Advertise here via BSA

Danny King has designed an interactive placeholder thing for his forms and wrote it entirely in CSS. He has shared how he designed that placeholder and how it manages to adapt to user input.

Before he came up with the Adaptive Placeholder, it was just using a normal one. he liked the simplicity of using a placeholder as a label. It actually made a pretty crappy interaction for the user though. A user would type and the text disappeared. The person who enters a value first isn’t always the same person who sees it later. To solve this problem he tried making the placeholder persist through the typing.

palceholder

Requirements: CSS
Demo: http://blog.circleci.com/adaptive-placeholders/
License: License Free

Sponsors

Professional Web Icons for Your Websites and Applications

Read the whole story
jyrki
3829 days ago
reply
Share this story
Delete

WordPress: unsafe at any speed

2 Shares
EFF technologist (and creator/maintainer of cool privacy tools), Yan Zhu noticed that WordPress still does not secure their session cookie, meaning users at the local Starbucks can have their accounts hijacked.

I first popularized this problem in 2007 at BlackHat with my Hamster/Ferret tools, hijacking an audience member's GMail account (I probably shouldn't have done that -- but the demo was otherwise not working). Eric Butler then released a much easier tool called Firesheep which really got the ball rolling: my tool was for hackers, but Firesheep made it so anybody could exploit the bug.

Google quickly fixed their servers over the next two years. Yes, relative to everyone else, this was "quick" -- it took everyone else much longer. Today, it's considered standard that when you log into a website, the entire session must be encrypted with HTTPS.

But not so WordPress -- apparently they haven't even started working on solving the problem. It's been 7 years since this has been in the news, and they still haven't thought of dealing with it.

But, this isn't even the worst problem. On WordPress.com, their login screen is served via HTTP. Cookie hijacking only gives the hacker the current session, but not your password or ability to make major changes. Unencrypted login forms allow a local hacker (sitting next to you at Starbucks) to steal your password as you login. Since you are probably a dufus and use the same/related password for all your other accounts, this means the hacker can steal everything.


As it turns out, this may not even be the worst problem. The standard WordPress configuration is built on the LAMP (Linux-Apache-MySQL-PHP) system, which has been obsolete for more than a decade. The problem with LAMP is that it doesn't scale.

The result is that once you start writing a lot of blogposts on your WordPress blogs, SEO bots (search engine optimization robots) will start spidering your blog, downloading a copy of all the posts and comments. This frequently overloads your server, taking down your blog. People just learn to live with it, with friends occasionally complaining that they can't get to the blog.

I know several people who've had this problem, and have partially solved the problem with CloudFlare. This gets rid of most, though still not all, scalability issues.


The upshot is this: WordPress is fundamentally broken in every way something can be broken. There's no way to secure it. There's no way to make it fast enough without spending a lot of money. If you are starting a new project, do not under any circumstances use WordPress. If you are stuck with WordPress, well, then, it sucks to be you, I know of no way to help you.


Read the whole story
jyrki
3831 days ago
reply
Share this story
Delete

A Material that Can Be a Mirror... Then a Window

1 Share

0mirrorwindow-001.jpg

A group of MIT scientists have created a new material that can be both a mirror and a window, and no it's not a one-way mirror.

This new material can filter light depending on the direction of the light beams. In the image above light that hits from one angle goes straight through (white beam) but light that hits the material at different angle is reflected back (red beam). For designers it might make for interesting new tricks for walls or new forms of windows.

To filter light one must alter either it's frequency or polarization. In terms of frequency, stained glass windows are a good example, where the glass lets specific wavelengths pass through.

0mirrorwindow-002.jpg

Polarized glasses, like the 3D glasses you wear at the movies, are able to let light through that oscillates in a specific way. But the idea of filtering light based on the direction it comes from has always been tough.

0mirrorwindow-004.jpg

(more...)
Read the whole story
jyrki
3871 days ago
reply
Share this story
Delete

→ Learn how Vesper built offline sync using Azure Mobile Services

1 Comment and 3 Shares

Somebody please build a time machine so we can travel back a decade and tell 2004 John Gruber that 2014 John Gruber would star in a promotional video for Microsoft.

∞ Permalink

Read the whole story
jyrki
3884 days ago
reply
Share this story
Delete
1 public comment
MotherHydra
3884 days ago
reply
Yet here we are. Azure is pretty great.
Space City, USA

And

1 Comment and 3 Shares

Yesterday’s article has been on the front page of Hacker News for a while, 1 and in the middle of the onslaught, I modified my Google Analytics code to start counting high-DPI screens. Why they don’t already count this is beyond me. They can, however, tell me what percentage of visitors support Java applets — 59% — or have less than 24-bit color — 0.5% — which, unfortunately, aren’t nearly as useful for informing modern web design as high-DPI displays.

I’ve been wondering for a while whether it was worth having separate 1X images instead of my current method, which is just making most images 2X-sized and letting the browsers scale them down. 1 2

Based on this, I added these lines to the Analytics embed code: (it’s at the very bottom of this page’s source code, if you want to see it in context)

var pixelRatio = (window.devicePixelRatio >= 1.5) ? "HiDPI" : "1X"; if (window.devicePixelRatio) _gaq.push(['_setCustomVar', 1, 'DevicePixelRatio', pixelRatio, 2]); 

Since making the change, Analytics has tracked 21,122 visits from supporting browsers 2 3 (mostly from Hacker News), and the results are pretty great:

  • 51.4% HiDPI
  • 48.6% 1X

It certainly helps that 46% of my traffic is from smartphones and tablets. Within each category:

  • Smartphones: 98% HiDPI
  • Tablets: 66% HiDPI
  • PCs: 18% HiDPI

These are much higher ratios than I expected.

Obviously, this audience isn’t representative of the world’s entire web-browsing population, but given how important mobile browsing is to every site and how lopsided this data is for mobile devices, I think the results are clear: assuming everyone is high-DPI and designing accordingly is not only a safe bet — it’s a requirement. And serving 1X images isn’t something that small sites (for which bandwidth costs aren’t significant) need to worry much about.

(And that’s what I think.)3


  • This title’s for you, scootjad.


    1. Since I don’t have a Retina desktop display yet, I captured the Amazon promo in Worse at high resolution by simply zooming it in a huge Safari window until it was 1800 pixels wide.

    2. This data also doesn’t count browsers that don’t support window.devicePixelRatio. But that’s not many anymore, especially among visitors of my site. The breakdown for this sampling period was 46% Chrome, 38% Safari, 10% Firefox, 3% Android Browser, and only 1.2% Internet Explorer.

    3. This title’s for you, scottjad.

    Read the whole story
    jyrki
    3901 days ago
    reply
    Share this story
    Delete
    1 public comment
    jhamill
    3901 days ago
    reply
    Person how writes mainly about Apple surprised that majority of his traffic is from high DPI screens.
    The echo chamber is strong with this one.
    California
    stereotactic
    3900 days ago
    He's honestly an Apple Troll.
    Next Page of Stories