Thursday, November 15, 2012

New version of InterfaceLIFT Downloader coming soon

I've spent the past few months getting InterfaceLIFT Downloader to work better.  One of the things that the addon was pinged on was its use of innerHTML and non-sanitized text.  I thought I had fixed this a while back but apparently there were a few other parts of code that created the vulnerability.

0.5 was uploaded to Firefox Addons a while back.  It was rejected.  :-(

InterfaceLIFT Downloader was my first venture into the Firefox Addon world.  While I consider myself a JavaScript expert, it turns out creating an Addon comes with its own set of problems.  First off, you actually have to care about security.  Most of the JavaScript I wrote is for the web and since the browser ultimately decides what is safe and what isn't, I can do whatever I want.  However, this is not the case with Addons.  Addons give you unparalleled power and this power comes with a heavy responsibility.

I've put on the finishing touches and will be Alpha testing it on my computer first before submitting it for review.

Also, I am working on a 1.0 version of this addon.  My hope is to have it be a sidebar that can be displayed alongside the InterfaceLIFT website.  Also, assuming that 0.5 gets approved, the addon will be branched to GitHub for easier maintenance.  Tailgate is really for the one-off scripts (e.g. greasemonkey) and not for full-blown packages. The repository is already set up.  Nothing there yet, but it will be populated after 0.5 gets approved.

Thursday, May 24, 2012

Just as I feared: the newest Autopoke doesn't work

As I was getting ready to deploy the newest version of Facebook Autopoke, I decided to open it up to see if it still works.  Just as I feared, it doesn't.

A very quick look at the source and it looks like it will take quite a long time to figure out how to do it automatically again.

Back in January, I decided to stop development on Facebook Autopoke because there were various copies of my script on userscripts.  While a vast majority of them have been deleted and removed, it shifted my focus elsewhere.  And with the ever-changing landscape of Facebook, it's becoming clear that the "Poke" feature is becoming antiquated.  What I mean by this is that the "Poke" feature isn't a major button anymore.  It's actually tucked away under the "Gears" menu.

I believe it's only a matter of time before Facebook does away with the whole poke thing.  Originally, this script allowed me to beat friends in poke wars.  And since I'm no longer poking anyone, this script was maintained only for others.

My personal philosophy in coding has been to code to make my life easier and then release the code to others to see if anyone else can benefit from it.  Since I'm no longer using the script, I'm sure this announcement will cause you pain.

Effective immediately, all development on my Facebook Autopoke script will cease.

I will be releasing the latest changes to the Facebook Autopoke script this weekend so that if you want the latest code, you can get it.  Be advised that it's set to "developer" mode so it produces a lot of noisy output.  I want to thank users who have put up with my inconsistent build schedule and for all of the support over the five-ten years that this script has been in development.  The userscript uid is 5200!  This was one of the first scripts I ever wrote.  Going back through each revision shows how much I had learned as a programmer and how much my style has evolved.

Normally, when I retire a program, I release the code under the more permissive MIT License.  But because of the numerous violations, the code will stay under the GPL until further notice.  If you would like to use a different license, please contact me.

Finally, you'll notice that tailgate is more than just for the Facebook Autopoke.  Instead of creating a Google Code project for each individual script I write, I decided to create one repository for everything.  The latest script that I have written is Give Me Paste Back.

Saturday, May 5, 2012

Give Me Paste Back!

As a web-developer and a programmer, I live by a rule about never trusting user input.  It's similar to Murphy's law and why software companies spend lots of money beta testing.  If there is a wrong way to enter data, a mindless user will find a way.

The rule of thumb to counter this is to programmatically eliminate user error on the server-side.  This means that if you're expecting a phone number in the format "(555) 555-1212" and the user enters it as "555.555-1212", you either give an error or you fix the entry and process the data anyway.  Eliminating the user's ability to type a period only solves the problem of periods.  It does not stop a user from typing "555    55 5 -  1212".
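The server-side approach described above, as an added example that is not part of the original post or of the Give Me Paste Back script: a normalizer that accepts whatever formatting the user typed and either returns the canonical form or a clear error message.  The names `normalizePhone` and `processPhoneField` are my own, and it assumes a 10-digit North American number is what the form wants.

```javascript
// Added example (not from the original post): server-side normalization of a
// phone number field, accepting whatever formatting the user actually typed.
// Assumption: the form expects a 10-digit NANP number shown as "(555) 555-1212".

// Return the canonical "(NPA) NXX-XXXX" form, or null when the digits do not
// form a 10-digit number (an optional leading country code "1" is tolerated).
function normalizePhone(input) {
  if (typeof input !== "string") return null;
  // Keep only digits: this handles "555.555-1212", "555    55 5 -  1212",
  // "1-555-555-1212" and anything else the client-side filter missed.
  let digits = input.replace(/\D/g, "");
  if (digits.length === 11 && digits[0] === "1") digits = digits.slice(1);
  if (digits.length !== 10) return null;
  return `(${digits.slice(0, 3)}) ${digits.slice(3, 6)}-${digits.slice(6)}`;
}

// Process a submitted field: accept the fixed-up value, or hand back an error
// message the form can show the user instead of silently doing nothing.
function processPhoneField(raw) {
  const phone = normalizePhone(raw);
  if (phone === null) {
    return { ok: false, error: "Enter a 10-digit phone number, e.g. (555) 555-1212" };
  }
  return { ok: true, phone };
}

// Constructed sample inputs: the post's own examples plus two rejects.
const samples = [
  "(555) 555-1212", "555.555-1212", "555    55 5 -  1212",
  "1-555-555-1212", "555-1212", "; DROP TABLE customers",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(processPhoneField(s)));
}
```

Because the check runs on the server, it does not matter whether the value was typed, pasted, or sent by a script that never loaded the page's JavaScript at all.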

I recently had this "discussion" with the good folks at @CreditKarma in 140-characters or less.  They told me what I expected, but 140-characters isn't enough to tell why using JavaScript to turn off a browser feature is ultimately stupid and pointless.

Overall, JavaScript should be used to enhance the browsing experience.  Eliminating paste, right-mouse-click, and obfuscating image URLs are all things that cheapen the user experience because the browser does not do what the user expects.  A user should not have to jump through digital hoops to be able to use a website in the way they would like.

Specifically, pasting is something that most people do every day.  They expect every application, whether it's Microsoft Word or their favorite browser, to do what they've come to expect when pressing "Ctrl-V".

On the other hand, as a web-developer, I understand why folks like Credit Karma choose to prevent pasting via JavaScript.  It's cheaper to write one line to stop pasting than it is to actually test user input.  Testing user input would require more programming hours to test for each possibility.  Furthermore, you run the risk that the user was stupid and accidentally fat-fingered something in one box and then pasted it in another.  I will admit that I have done this.

This is NO excuse for disabling a critical feature of the browser.  However, if you simply MUST do this, consider the following:
  • What frustrated me the most is that there was no feedback as to why paste did not work.  INFORM THE USER that paste has been disabled and offer a reason.  They may not like it, but at least they know that the problem *isn't* between the monitor and keyboard.
  • PROVIDE A WAY TO PASTE ANYWAY.  A switch, a preference...anything that says, "Hey, if you want to paste, we'll let you, but be sure you know what you're doing."  Doing this will help people like me who get frustrated and then write Greasemonkey scripts fixing your mess.
  • No matter what client-side solution you create, a user will find a way to mess things up so BE PREPARED TO HELP THEM.  Users make mistakes.  Give them a way to fix these mistakes instead of forcing them with the digital equivalent of cattle prods.  Guide them by giving them clear and concise instructions.
  • DO NOT RELY ON JAVASCRIPT TO FIX YOUR CARELESSNESS.  Users expect their browser to behave in a specific way. Things like autocomplete are a great way to augment the user experience.  However, forcing the user to wait while their browser counts down from 30 seconds is ridiculous when a crafty user can just read the source to get the final URL.  Furthermore, blocking the word "DROP" via JavaScript doesn't mean that they won't type in "; DROP TABLE customers".
  • Finally, DO NOT "EDIT WAR".  If people are downloading and using my script, it's because they are frustrated like me.  Listen to your users.  The frustration that we feel doesn't color your company well.  Web Development is like electricity: we don't think about it until something goes wrong.  And users will make sure you hear them loud and clear.
Bottom line: Do not negatively alter the user's browser behavior unless you have absolutely exhausted every other option.  And if you have to, let the user know that you have done so.  After all, you are a guest in the user's browser.  (Technically, the user is the guest, but I digress.)  Don't scuff the floors, drink all the milk and put the carton back in the fridge.  Be a great guest so that the user will invite you back.  Otherwise, you'll find yourself lower and lower on the user's favorites/bookmarks and less and less on their minds.

All of this aside, Credit Karma is a great service.  They provide a way for you to get your credit score for free.  Yes, actually free unlike FreeCreditReport.com.  I do recommend them, even with their broken registration process.

So here it is: Give Me Paste Back now in version 0.2, tested specifically on Credit Karma.  Download the script and then go to Credit Karma and sign up for an account.

Saturday, April 28, 2012

Facebook Autopoke Update

It's been a few months since my last post.  After a few months, I finally got in touch with the folks at Greasemonkey.  It looks like Jesse Andrew is no longer running things, which is great for him.  He's got a lot on his plate and it's good to see him giving away some things.

But it did make the DMCA takedowns take a bit longer.  There is only one script left that violates the GPL.  Since it's one script, I will be releasing the newest autopoke script sooner than anticipated.

Please note that the public version of the script will be an obfuscated version.  This accomplishes two things:
  • Makes it much easier to see who is actively copying my script without permission
  • Also allows those who have "pirated" scripts to know they may be using an outdated or insecure version.
By no means is this perfect, but it gives people like Tony White, who does nothing but copy scripts and claims them as his own, another hurdle to jump through.

If you are a developer and would like access to the "development" version, feel free to look through the Google Code project.  I use mercurial so it should be easy to figure out which is which.  (Sorry, no further clues will be given.  You're a developer.  It's easy to figure out.)

Speaking of Tony White, I'd like to take a brief moment to share a few thoughts about the GPL and litigation.  First, I don't enjoy using a public forum to address a personal issue.  But he has left me no choice since he has yet to respond to any of my messages.  I have asked Tony White on four separate occasions to bring his scripts into compliance.  I could understand a one-time mistake.  Most people don't understand how the GPL works.  However, after reviewing all of his scripts, the vast majority of them are copies of other people's work.  He then removes the original author's name and substitutes his own.

My goal is to not make money off of any of my scripts.  They are freely available, both in speech and in beer.  That is why I did not sue Userscripts or Tony White.  However, claiming someone else's work as your own is simply despicable.

I cannot fight for other people's copyrights.  But I can fight for my own.

Tony White has blocked private messages, either only from me or from everyone.  Either way, here is the bottom line:

If Tony White is found to have a copy of my Facebook Autopoke script, I intend to file suit in Federal Court for injunctive and damage relief.  I plan to ask the court for $1000 for each violation, which will include each copy that was downloaded.  And since he was a repeat offender, I can triple any damages that are awarded.

That being said, I hope to release the newest version of the Facebook Autopoke within a month.

Monday, January 9, 2012

Obfuscated and "polymorphic" code coming!

First, I know many of you are waiting desperately for the next revision of the Autopoke script.  I will say that the newest version of the script does work (albeit in a limited capacity) and very reliable.  So if that's all you care about, you can skip this post.  But if you're interested in the release date, read on!

Here's the "TL;DR" version: 4.1 will be released when the GPL violations from copied scripts are cleared.  This could be as much as 3 months from now.

Back in September, I found a user who was in violation of the GPL.  Four out of his five scripts were removed via a DMCA notice.  Since then, the same user has moved on to copy someone else's autopoke script.  I've seen many of these users on userscripts.  They take a wildly popular script, copy it, and then change the authorship to state that they wrote it.  The common mistake these "authors" make is they fail to update the code.  My guess is that they don't know how to program JavaScript and thus they are afraid to change anything.

The problem comes when there is a security vulnerability, as was the case in version 3.5 and 4.0 of my Autopoke script.  The vulnerability is actually based on a browser vulnerability.  But because these violators weren't updating the scripts, it meant that the users who installed their version of the script would continue using software that was unpatched.  Furthermore, they would not be notified of the vulnerability and could not make an informed choice whether to continue to use the script or disable it completely.

I try to assume good faith whenever possible.  It's impossible to determine someone's motives without talking to them.  And since this particular user declined to communicate with me, I'm left with the impression that this user, at the very best, simply copies scripts without understanding completely what the scripts did.

Yesterday, I spent a few hours finding more GPL violators.  These users seem to have the same MO: just copy the script.

Allow me to be clear so that there is no confusion: I completely support the open source movement.  I HIGHLY ENCOURAGE the improvement of my code.  There are a few scripts who have taken my code and translated it into different languages.  This is completely acceptable.  You do not need to ask me for permission to do this.  I prefer that you let me know, simply so that I can inform you of any security problems the script may have and so that I can keep track of the statistics.  I personally believe that the GPL is the best license since it requires attribution as well as continued use of the license in all derivatives.  It is one of the reasons why I chose the GPL over the other licenses.  I believe that the open source licenses must be actively defended.

If you copy the code, remove the copyright notification and put your name in as the author, then you are ruining it for everyone.  Instead of improving my code, I have to spend the time to send you a letter.  It takes time out of my schedule and makes things much more complicated than they have to be.  If you fail to respond to my letter, you take time away from the admins of userscripts since they need to respond to my DMCA letter and they need to disable your script, all while keeping lawyers on retainer.

If you are new to userscripts and still learning javascript, feel free to download my code and look at it.  That's what open source is all about!  If you have questions, don't be afraid to ask.  But please, do not plagiarize and claim my work as your own.

My concern is not so much about copyright violations but about security vulnerabilities.  This wouldn't be as much of a problem if the authors communicate with me.  Seeing that they don't do this, it leaves me in a very uncomfortable position.

To make the script more secure, I will be obfuscating parts of it.  This decision has nothing to do with the perceived edit war between myself and Facebook.  The point of obfuscating is to limit the exposure of security vulnerabilities in my script when GPL violators copy the script verbatim.  Since most of these violators usually don't modify the script at all, I can safely say that the obfuscated code will be left untouched.

This, however, now limits those who use my code for completely legitimate purposes.  First, I'm sorry to say that these violators ruined a good thing for you.  Second, I'm going to make this as easy as possible.  To receive a clean version of the code, simply go to my Google Code page.  I reckon that most of the GPL violators won't go through the trouble of finding the clean versions of the code.  If you are familiar with git or mercurial, grabbing these should be easy.  If, for some reason, this is difficult for you, please feel free to contact me and I'd be more than happy to provide you with a copy.  It will be under the same license so no worries on this side.

The obfuscated code will display a nag screen when autopoking.  The point of the nag screen is to inform the user that they may be using code that has security vulnerabilities and they should consider installing my version instead.  The code will continue to work, but will prevent autopoking until the nag screen is satisfied.  Users who are familiar with javascript can hack through the obfuscated code and disable the nag screen, if they so choose.  But this hacking proves that they know what they are doing and they accept the responsibility that comes with it.

Tuesday, December 20, 2011

Yes, Virginia, autopoke works again

Still working on the final touches:


Right now, this only works on the pokes app page, as suggested by Lord_Fandomar.

What's left is for me clean up the code and obfuscate parts of the code.  I also plan to make this work on the main page, but it's not a high priority.

Friday, December 9, 2011

Survey Results: 70% prefer closed source

It's not too late to voice your thoughts on closing the source.  I've finally had a chance to review the results and out of about 200 people who took the survey, 70% would prefer that I close the code.

I've been wrestling with this issue for a while and still have not come to a decision.  Here's what hangs in the balance:
  • Since the Autopoke script's inception, it has been 100% open-source, using the GPL 2 and 3 licenses.  The latest version of the script (4.0.1) exclusively uses GPL 3.
  • Closing the source would mean that other developers could not learn from the work.  This includes everyone from legitimate programmers who are porting the script to Google Chrome to Facebook programmers who may be trying to stop scripts like this from working.
  • Closing the source would not mean it's 100% secure against viewing.  Real developers can parse through obfuscated code.  It's harder, but not impossible.  (In fact, I go through Facebook's obfuscated code to create this script.)
  • Obfuscated code would be hosted remotely, making it less secure.  In order to properly shield the code from viewing, the code would be hosted on my personal site.  This comes with risks such as me having the ability to know who you are.  I would draft a very simple privacy policy (basically that I don't care who you are).  But doing this would allow me to block facebook.com from connecting to the site.
Despite the large number of people who would prefer that I close the code, I still lean toward an open-source solution.  I'm a firm believer that open-source is better since it allows everyone to learn, and I don't think that the benefits outweigh the problems.

I am still developing the Autopoke for the new version of the Facebook news feed.  PLEASE be patient.  I have a full-time job and I do other things besides computers.  This time of year is very busy for me.