Sunday, 25 September 2011

Daily Review #7: HTML5 Security Holes

The Daily Review - 25th September 2011
Photo from ENISA | European Network and Information Security Agency

HTML5 Security Vulnerabilities

Back in July, the European Network and Information Security Agency produced a 62 page report, documenting 51 separate security threats and issues in the HTML5 Specifications.

It has been mostly ignored, although word of its existence is starting to trickle out via various blogs and Twitter feeds now. It makes for fascinating reading.

The organisation argues that "The web browser is arguably the most security-critical component in our information infrastructure. It has become the channel through which most of our information passes. The standards which govern the browser are currently undergoing a major upgrade. This includes HTML5, cross-origin communication standards such as CORS and standards for access to local data such as geo-location."

The report points out that "the volume of web-based attacks per day increased by 93% in 2010 compared to 2009, with 40 million attacks a day recorded for September 2010 (Symantec Threat Report, 2010)", going on to state that in publishing its report ENISA is "seizing a unique chance to make detailed recommendations for improvements to browser security before they become non-negotiable for years to come."

But is anyone listening?

Windows 8 Stories mostly FUD

The Week Ahead

It's just two weeks since I kicked off this fast and fluid blog, and a week since I started the Daily Review blog posts. Feedback via email, from the few who've discovered the blog, has been unequivocally enthusiastic. From the Echo Chamber 'personalities' (I refuse to use the self-aggrandising phrase 'rock star') who continually retweet the same few, tired 'circle jerk' blog post links, less so!

No matter, I think the blog will find its audience over the next few weeks as I ramp up the output and the weekly podcast comes onstream in October. There's lots planned!

Next week, I'll be kicking off the Reviews section of the blog site.

With the tagline "Wading through hours of Build videos so you don't have to" the new Build Video Review series will start tomorrow (Monday) with the first of the three Big Overview talks presented at Microsoft's Build conference just over a week ago.

Each review will indicate whether the video is worth spending your time on (or not), but perhaps most importantly of all, will include a complete transcript download that includes the slides as a pdf file download.

Many of the speakers at Build talked about their slide decks being available for download, but at the time of writing that still hasn't happened, so this seemed a good approach to take to help the over-worked folks at Channel 9 out, especially given the paucity of good technical information on Windows 8, and particularly the Windows Runtime, at the moment.

It may seem odd that someone with the reputation as 'the video guy' should be posting transcripts rather than promoting the original videos, but the reality is that video isn't always the most efficient way to learn something - even when played at 1.5 or two times normal speed!

It's also frustrating to see the number of Microsoft MVPs simply taking small parts of different presentations, and blowing them out into whole 'original' blog posts. Isn't it better to just go to the original source and get ALL the information?

The fast and fluid transcripts help promote the whole 'fast and fluid' way of learning, by giving you an alternative way of learning from the Build conference session videos - a way that can be easily carried around on your Kindle or iPad, without eating up gigabytes of broadband bandwidth or scarce solid state storage on your portable device. I find them useful (which is why I've produced them) and hopefully you will too.

Personally I've never understood why online training companies don't provide the same course notes that their offline competitors do. Video on its own is too time-consuming to sit through for most people, especially in a world where we're all being bombarded with information overload. And if you want to recall something from an online course, what are you supposed to do? Go back and rewatch the entire video again?

If the online training industry won't change, then I'll have to change things for them! Watch out for an exciting announcement about a new form of online training for Windows 8 coming before the year end!

Next week also sees the first product review. Unlike other 'review' web sites these product reviews will be based on PURCHASED products, not freebies or 'favours to friends'. I think this will make the reviews here more honest and impartial than most of those that appear on the web, where the reviewer has not had to pay for the product out of his or her own pocket.

Things kick off on Friday with a full review of the Fundamentals of the Managed Extensibility Framework video course, on sale from the folks at InformIT, as written and delivered by Jeremy Likness.

Is the course worth USD 70 of your hard-earned money? I'll be delivering my verdict on Friday! If you can't wait until then and want to review the course for yourself, it's currently available for a limited time for half price. Sod's Law says the dramatic 'Limited time offer' price drop happened the day after I purchased the course! I'll try not to let that prejudice my review, although it's annoying that it was 3 days AFTER the price drop offer that the download links I'd been sent for my purchase actually started to work!

Every time I see the WinRT JavaScript sample code, the phrase 'Just because you can doesn't mean you should' pops into my head.

Today's "News" Links

Good Read! Another Day Another Departure from Microsoft's Cloud Management Team (Mary Jo Foley, Ziff-Davis)
There have been so many departures from Microsoft's upper management these last few months that Mary Jo Foley can't keep count. Just-appointed Commerce Corporate Vice President Rajat Taneja is the latest to leave.
Good Read! European Group Finds HTML5 Security Gaps (Jeremy Kirk, ComputerWorld)
OK, so this is hardly 'news' given that the report was published in July, ComputerWorld reported on it in August, and now in September people like me are just discovering it. The original report should be required reading for all those writing HTML5 web apps.

Today's "Opinion" Links

Good Read! Day 1 at the Office with my Windows 8 Tablet (Stephen Forte)
Stephen got his favourite Apps (Evernote, Dropbox, LiveWriter, Skype) up and running and is a happy man. Despite having to run most of these in Desktop mode, his main realisation was that 'the new Metro UI is the main experience'.
Good Read! Windows 8 Design Flaws Microsoft MUST Address (Adrian Kingsley-Hughes, Ziff-Davis)
Not sure I agree with Adrian's assessment that Microsoft 'must' kill Metro on the desktop and allow multi-tasking to mean more than 'just two Metro apps side by side'!
Good Read! Windows 8 Faces Several Challenges to Success (Brian Jackson, ITBusiness.ca)
In summary, Brian thinks it's too early to call one way or the other.
Good Read! Top Five Things We Dislike About Windows 8 (GeekITDown)
Lack of a Windows Start menu, over-reliance on Windows shortcut keys, too many clicks to Restart/Shutdown... I'm seeing some pretty common themes here!
Good Read! Windows Phone Proven to Record Location Data Without Authorisation (Tom Warren, WinRumors)
Apple got into a lot of trouble when it was discovered they were tracking location data without user permission and had to issue a patch fairly quickly. Is anybody surprised that Microsoft have been found to be doing the same thing?
Good Read! Internet Explorer 10 Preview: HTML5 First Look (Michael Mullany, Sencha)
A quick look at the new HTML5 features that have been added to the latest version of Microsoft's IE 10 browser.
Good Read! Re-focusing for the Future (Ryan Posener, DenverDev)
Like many Silverlight developers, Ryan is struggling to work out what to do next given Silverlight's diminished role following the Build Conference announcements. He shares his thoughts here.
OK! Killer Build Interviews and XAML Sessions (Michael Crump, Telerik)
I'm not sure I'd call such meandering, .NET Rocks-like video 'killer', but then I don't work for Telerik, who put the interviews together. Worth a watch if you're bored and follow the whole 'rock star opinions are valuable' world view of things. I'm also not a fan of all these 'best videos' blog posts that are appearing. NOBODY has had the time to sit through WEEKS worth of video from parallel sessions at the Build conference, so how can people KNOW which ones were the best?!
OK! Financial Times Proves HTML5 Can Beat Native Mobile Apps (John Paul Titlow, ReadWriteWeb)
It's the information, not the technology, that's important. But I'm not buying this whole 'better sales by going HTML5' argument. It's a worse user experience, as the article acknowledges.
Meh! Windows 8 Features and Release Dates (Joel Fernandes, The Tech Labs)
An extremely thin overview of Windows 8 features, with the 'and Release Dates' title added as link-bait.

Today's "Technical" Links

Bookmark It! How to Avoid the 'Please Install .NET 3.5' dialog when running older .NET applications on the Windows 8 Developer Preview (David Anson, Delay's Blog)
Can someone tell the folks who make Sony Vegas Pro software to go read this article and ship a new version? Kthxbai.
Bookmark It! HTML5 Canvas Cheat Sheet (Jacob Seidelin, Nihilogic)
Handy cheat sheet for the HTML5 Canvas feature, although I prefer Jacob's PNG and PDF download versions, which this HTML version was plagiarised/copied from. They can be found on Jacob's blog.
Download It! Physics Helper XAML for Metro WinRT (Andy Beaulieu)
Andy's ported his Physics Helper Library across to WinRT. Blimey! That was fast! :-)
Download It! SharpDX - The Power of DirectX for C#/.NET (Code.Google.com)
SharpDX is a full DirectX framework for the .NET Platform, including the newest DirectX technology and support for Windows 8. Nice!
Good Read! Core .NET Types Usable from a Metro Style App (Jeffrey Richter)
A. Very. Long. List.
Good Read! A Simple Example of 'async' and 'await' in C#5 (Tim Anderson)
Nice code example comparing the old way of handling long-running async tasks vs the new way.
Good Read! Using the Windows Run Time from a Non Metro Application (Jeffrey Richter)
If you thought it couldn't be done Jeffrey proves you wrong, with some code snippets to help you along.
Good Read! How to Install Windows 8 Preview As Virtual OS in Windows 7: The Complete Guide (TechDug)
Good Read! What is the WinRT Windows Run Time, and What Does it Have to do with .NET? (Seth Juarez, DevExpress)
Three of the slides from the Build Conference and a few explanatory words give a quick, snappy introduction to WinRT for those that haven't watched the '930' session video from Build.
Good Read! Running Unit Tests in Visual Studio 2011 and Windows 8 (Laurent Bugnion, GalaSoft)
A quick, snappy set of instructions for those that haven't watched the '529' session video from Build.

Fast and fluid News

Don't forget that all the latest Windows 8 Metro links are posted in 'real time' on the Fast and fluid Twitter account.
The Fast and Fluid Podcast, covering all things Windows 8 related, will be launched in early October.

1 comment:

  1. Ian, thank you for mentioning our post of installing Win8 preview. I'm happy it's under "Good read".

    Wishing all the best.

    Billy

