Rubénerd Blog :)

Monday 01st February 2010

AnimeNewsNetwork search


Friday 13th November 2009

Safari 4.0.4 is slick, but…

Safari 4.0.4

Hehe Safari 4.0.4… I suppose if it doesn’t download properly you get a 404 error? HA!

Moving on, I just finished downloading the new Safari 4.0.4 release. Reviewed in one sentence: it’s one slick, fast browser. As I said on MacRumors though (and was promptly ignored) there’s still one huge reason why I can’t use it.


Monday 02nd November 2009

Worrying out loud about JavaScript

Too many scripts!

As I said with the Ghostery Firefox extension back in May (Ghostery Mozilla Firefox extension review), it bowls me over when I go to some sites to see just how much sneaky crap is going on behind the scenes, and how most people simply have no idea. With NoScript, I’m starting to see the same thing, and it’s rapidly getting much worse.


Sunday 04th October 2009

Java and JavaScript service announcement

Java != JavaScript

Don't remember where or when I found this, but I've had it for ages and a series of phone calls and email support queries over the weekend have prompted me to put it here. Probably won't make any difference.

Sunday 20th September 2009

Don’t use JavaScript to compose pages

Screenshot from The Nationals website

Unless the purpose of your site is to be an Ajax application, regardless of whether you’re using it to dynamically load in comments on pages from services such as Disqus, or your own comment systems on sites such as Lifehacker, or for some reason static text and images, using JavaScript to compose pages is just a dumb thing to do.

I linked to The Nationals (an Australian political party) for a joke on a previous post and noticed this garbled mess of text and images along with an appropriate image of an irritated kid, presumably because he’s just as unimpressed as I am and feels bad being associated with such a page! I shouldn’t have to re-enable JavaScript just to read a static web page.

Friends, don’t let your web designer friends use JavaScript to compose pages!

Monday 13th July 2009

Rubenerd.com is now JavaScript free! I think

Clear day in Singapore

I noticed this afternoon while going through my comment moderation queue that Rubenerd.com was running a bit sluggishly. Like I would if I ever ran anywhere presumably.

The culprit? A line of JavaScript designed to download and display my latest photos from Flickr. Seems it was hanging on that particular part of the page and deciding not to go any further. So I got rid of it, and now my site is running faster than it ever has! Not sure whether I’ll do something server-side to replace its function, or whether my link to my Flickr page in the header along with linked images in posts here like I’ve done above will suffice.

Aside from some Ajax websites that behave more like applications than web pages such as Google Docs, I dislike JavaScript on pages. It’s cool now I can say I don’t have any on my own site. Have NoScript in Firefox or CamiNoScript in Camino? My site will work exactly the same!

Saturday 09th August 2008

The Adobe Flash of the comments world

Disqus is an external blog commenting system that seems to be all the rage these days, so much so that even veteran blogger Dave Winer has just started using it on Scripting News. While the concept seems like a great idea, the implementation leaves a lot to be desired.

Firstly, instead of relying on accessible web forms for users to submit their comments, Disqus uses a JavaScript hook which dynamically loads comments onto the page. I can’t begin to describe what a bad idea this is, so perhaps some bullet points will help me out!

It makes pages slower
Because you’re making two database calls, one to your own blogging system and another to the external Disqus servers, the resulting page takes far longer to load than what a regular commenting form would. It’s so bad on some blogs I read that I’ve simply given up posting comments on them.

It makes pages far less secure
The idea of running JavaScript from a third party on my own site scares the heck out of me, but in this case we’re not talking about a potential attack vector to display photos from a Flickr page or something similar, we’re talking about critical parts of your blog’s infrastructure being loaded by an external server each time a page is loaded. XSS exploits are exploding, and any exploit discovered for Disqus, with its larger surface area, will affect your site. It also means security-conscious people like me who use NoScript can’t leave comments.

It makes pages less accessible
For people who use audible or visual aids to access content, this approach to comments is just as bad as Flash. It also means certain browsers won’t be able to render the comment field at all, such as lower powered computers and mobile phones which increasingly have web browsing capabilities. Disqus provides a link to their website for such people, but it’s a lousy compromise when other comment systems can work inline while adhering to web standards and accessibility.

It’s a legal pickle
To quote Webby’s World in their article on 8 reasons you shouldn’t use Disqus: "surely it can’t be good to subject users to another privacy policy with servers in another jurisdiction. Who would be liable for any breaches in data protection?"

Comments are no longer associated with the page
This makes local and search engine per-site querying impossible because the comments are disconnected from the content they were regarding.

Comments are no longer in your database
For some people that may be fine, but I prefer having such critical parts of my blog running locally. If in the future a plugin comes along that can do something really fun or interesting with comments left by people, you’re also completely out of luck.

It locks your comments into a silo
The Disqus team seem like honest people, but their service is closed and proprietary, and as of now there’s no way to reliably and easily export comments out of it, then import them back into your blog if you change your mind. If they start charging for their services or start embedding ads in the future, you’re completely at their mercy.

It makes pages less predictable
Because it uses JavaScript to fetch data after the page has already appeared to finish loading, you may already have started scrolling to a part on the page before everything changes. This is really, REALLY irritating!

Ultimately, it’s unnecessary
Twitter integration, threaded comments, better spam blocking, they’re all available with existing plugins that don’t have any of these problems. In fact Dave Winer needs to use Disqus exactly because his Radio software doesn’t include commenting systems or plugins to do these things.

This is why, dear readers, for your benefit and mine (our collective sanity as it were!) I will not be putting Disqus on my own blog here. I suspect it’s a fad anyway, and will start disappearing in a few years when the Next Big Thing comes along. Disqus is to comments what Adobe Flash is to web pages, a little extra convenience for the target audience at a grave expense.

That’s not to say the existence of services like Disqus is a complete disaster. What developers at WordPress, Movable Type and so on should be taking away from this is that some people aren’t happy with existing commenting systems in their blogs, and that they’ll implement self destructive plugins like this to get the features they want! I hope this means we see more innovation in the comments space.

UPDATE, 2009: Some good news, it seems the tide is beginning to turn on Disqus and other such dynamically loading comment systems. Matt Mullenweg, the head developer of WordPress, has publicly stated they’re a bad idea in a post bluntly titled 6 Ways To Kill Your Community.

I hope this represents a wider trend (from the looks of it, it has) and will encourage others to leave the service for alternatives… though as I stated in the original post, for people who have got hooked to the service this might be impossible or extremely difficult.

Sunday 23rd March 2008

Dodgy Windows virus scanner on FreeBSD!

For some reason this evening while searching for information about how to grate cheese using only rubber bands MacGyver style (or maybe while I was searching for SQLite information for Ruby, I don’t remember) a random message box popped up:

Your Windows installation could be infected with viruses!

Given I’m on FreeBSD (they didn’t even check whether their victim was running Windows?!), just for a laugh I decided to click OK and see what they showed!

Really dodgy fake Windows virus scanner

I was expecting the usual silly looking website with affiliate links for piles of overpriced and unnecessary security software, but instead a new fake web software screen appeared, complete with animated progress bars and an evolving list of "infections" that the "software" had "detected". When it was done another fake message appeared which linked to an executable file to download, presumably containing spyware or a virus. Taking a look at the source on the page itself, each button triggered the same JavaScript download function.

ASIDE: The JavaScript code took up more space than any of the HTML. I’ve never seen that before, quite eye opening. Scams like this need more 1337 programming skills than I thought. And all the more reason to disable JavaScript except for trusted sites!

I must say, despite the fact the Windows logo is different in four different places and the grammar is terrible, the animations and fake scan results are pretty well done. For most savvy and intermediate computer users the flaws would be pretty obvious and they’d probably laugh them off, but the scary thing is I’m sure there are plenty of people who would find this whole shameless charade convincing. Just like all these hoaxes, they seem to target this group; heck if they can net one person out of a few thousand, the whole exercise has been… how does Richard Quest put it… profitable.

Malware distributor, I stick my tongue out at thee!

For what it’s worth though, and on the bright side, it was really hilarious seeing this whole thing act itself out… in KDE on a FreeBSD machine where the windows look completely different, the colours don’t match, the fonts aren’t even the same and the .exe file it tried to download to the machine wouldn’t have been able to run itself even if it did make it to the hard drive to start off with!

Sorry guys, there’s no Microsoft Windows code to exploit on this machine!

Monday 19th November 2007

Scary dubious Javascript evil

Scared!

It wasn’t until after I uploaded that picture that I realised how BIG it was. My sincerest apologies for absorbing an excessive amount of your screen real estate. But she looked scared right, and this post is about scary stuff, right? Right?

With all the talk these days about phishing and non-trustworthy websites that contain all kinds of evil, I really haven’t come across that many of them. Perhaps what I search for on the intertubes or the material that I download just doesn’t take me to shady areas. Plus given the fact I don’t use Microsoft Windows on any production machines (or any machine with a network connection!) I tend to feel fairly safe.

Today though I was given a rude reminder that I still need to be assertive when it comes to intertube nasties: I typed a URL incorrectly and after several bizarre redirects ended up at the website of Face Software Inc at Face.com (I’m not linking directly to them for obvious reasons):

Dubious Face.com

ASIDE: Does look funny having fake Windows alert dialog boxes on a clean install of Mac OS X Leopard!

So I took a look at the source code: nearly the entire page is generated with JavaScript, and many other dubiously titled scripts are linked to within that code. That really is fishy, because there is really no reason for static material like headings or paragraphs to be generated by JavaScript unless it was designed to either spoof something or execute code on other servers automagically when you load their page. And I didn’t even dare click on the fake dialog boxes!

Scary stuff. Gives at least some credence to Steve Gibson’s tireless argument that you should disable JavaScript in your browsers and only approve sites that you trust. Any good selective blockers for Camino or Konqueror anyone?
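
An added example (not from the original posts): a small Python audit of a saved page for the two things these posts complain about, scripts pulled from other hosts (the Disqus post) and pages where script outweighs the readable text (the fake scanner pages). The sample HTML, the example hostnames and the "more script than text" heuristic are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptAudit(HTMLParser):
    """Collect external script hosts and inline script size for one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.third_party = {}                    # host -> [has integrity attr, ...]
        self.script_chars = self.text_chars = 0  # inline script vs. other text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        attrs = dict(attrs)
        if attrs.get("src"):
            # Resolve relative and protocol-relative URLs against the page URL.
            host = urlsplit(urljoin(self.page_url, attrs["src"])).hostname
            if host and host != self.page_host:
                self.third_party.setdefault(host, []).append("integrity" in attrs)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chars += len(data.strip())
        else:
            self.text_chars += len(data.strip())

def audit(html, page_url):
    """Report third-party script hosts, those with a script lacking a
    Subresource Integrity hash, and whether script outweighs text (heuristic)."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return {
        "third_party_hosts": sorted(parser.third_party),
        "unpinned_hosts": sorted(h for h, pins in parser.third_party.items() if not all(pins)),
        "script_heavy": parser.script_chars > parser.text_chars,
    }

# Constructed sample page and URL, not taken from any real site.
PAGE_URL = "https://blog.example.com/post/1"
SAMPLE = """<html><head><script src="/js/site.js"></script>
<script src="https://comments.example.net/embed.js"></script>
<script src="https://cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body><h1>Post</h1><script>
document.getElementById("content").textContent = "Every paragraph here is injected by script.";
</script></body></html>"""
```

Calling `audit(SAMPLE, PAGE_URL)` flags `comments.example.net` as an unpinned third-party host and marks the page as script heavy.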

Dedicated to my groovy late mum Debra Schade.