30 September 2009


Part of my job involves maintaining a Web application which I wrote almost entirely from scratch. I designed the database, wrote pretty much all of the PHP and HTML, and even put my toe in the water of CSS. A colleague now supports part of the application, but v1.0 was more or less entirely my own work.

Unless, that is, you count the date picker. You know what I mean: the little window which opens on a travel site, say, so you can say when you want to leave and when you want to come back. When I was writing the application, I hadn't yet learned Javascript, so I scoured the Internet looking for a date picker that could do times as well as days, had the week start on a Monday, was multilingual, and was free software.

Well, 2 out of 4 ain't bad. I found one which did the first two, scraped together just enough Javascript to allow me to send the day name abbreviations (M, T, W, etc) to it in different languages, and ignored the word 'Copyright' because, well, er, we're non-profit and nobody will find out.

That was nearly four years ago. In the meantime, I've found some things I don't like about it, apart from the fact that I would like our application to go open source and then somebody might just notice that I stole the code. It uses Javascript's date objects and can't handle anything before the Javascript epoch of 1/1/1970, so you can't ask people for their date of birth with it unless you're running a school. And it opens a new document window, which often turns into a tab these days, depending on how the user has set up their browser. So we get support calls: "I can't see the calendar" (as most users call it), and when we look, they've got 35 copies, each in its own tab, as a result of frantic clicking.

Anyway, about a month ago I was on a hotel's site and I noticed that the date picker appeared and disappeared in an instant. (It certainly wasn't the first one I've seen like that, but presumably I was in a receptive mood.) It occurred to me that it was running in a DIV rather than a window. I thought this was brilliant and decided to write my own, so that my application could be "pure" (and people wouldn't open 35 tabs trying to specify a date).

Remembering how much of a hassle it was to use the one which I stole (OK, OK, if you break into someone's house and steal their DVD recorder, you don't get the instruction book), I decided to make my date picker as flexible as possible, so that other people could use it without having to touch the code (although you do need to write a couple of Javascript data declarations yourself).

The result is called AnyDatePicker. I don't know what this means, except that it does let you pick any date in any year from 1582 (the start of the Gregorian calendar) through 9999. It also has a lot of ways to allow you to control exactly which dates and times people can choose; for example, it would be pretty good for a system where people book 15-minute appointments and you have different opening hours for Fridays, weekends, and holidays.

Please feel free to check it out.

22 January 2009


I learned a new word today: Podslurping.

I've been having fun with StatCounter seeing how many people have been hitting this blog since the Conficker worm made people take the whole business of securing their networks against memory stick worms seriously. (The answer is: about 15000 in the last 7 days.)

One of the sites which referenced my original post was this one at the Potsdam Institute for Climate Impact Research in Germany. It notes that with Autorun.inf disabled, Podslurping is made harder.

So what is Podslurping? Well, at its simplest, it consists of plugging a USB storage device (of which an iPod is just one example) into somebody's PC and copying lots of data from its disk, or the network to which the PC is connected. That hardly seems worth giving a name to, but the clever part comes if you automate it. You can write an Autorun.inf file which will start the copy to the USB device as soon as you plug it in, without any need to access the keyboard. All it needs is a reasonable copy program and a few lines of a .BAT file.

So now you literally only need three seconds' unsupervised access to the PC on two occasions (one to plug the device in, one to unplug it half an hour later) and you can steal all of the data from it, without having to log in or risk detection by hanging around in the office, leaving a command prompt window open on the screen, etc. If the PC has USB ports on the rear, you don't even have to walk round to the side of the desk where your victim sits; in fact you could probably drop your phone and slip the USB device in while the user is sitting there.

So if you have issues with people potentially stealing data, disabling Autorun might be a useful extra precaution to take. It only removes the "plug in and walk away" part of the attack (anyone who can sit at a logged-on PC and type can still run the copy by hand), but that part is what makes the attack practical in a busy office.
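As an added example (my own script, not from this blog's earlier post or the Potsdam page), here is the documented way to switch Autorun off from PowerShell and to check that it actually is off. It writes the NoDriveTypeAutoRun policy value that Microsoft describes in KB967715 and assumes an elevated session on the machine being hardened.

```powershell
# Added example (mine, not from this blog or the Potsdam page): switch AutoRun off for
# every drive type via the policy value Microsoft documents in KB967715, then verify it.
# Assumes an elevated PowerShell session on the machine being hardened.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDriveTypes = 0xFF   # one bit per drive type; 0xFF = no AutoRun anywhere

function Get-AutoRunPolicy {
    # Current NoDriveTypeAutoRun bitmask, or $null when the value has never been set
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Disable-AutoRun {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # -Force overwrites an existing value, so re-running the script is harmless
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDriveTypes `
        -PropertyType DWord -Force | Out-Null
}

function Test-AutoRunDisabled {
    $mask = Get-AutoRunPolicy
    # A partial mask is not good enough: 0x91 (the Vista/7 default) leaves AutoRun on
    # for removable and CD-ROM drives, which is exactly where a podslurper lives
    return ($null -ne $mask) -and (($mask -band $AllDriveTypes) -eq $AllDriveTypes)
}

Disable-AutoRun
if (Test-AutoRunDisabled) {
    Write-Output ('NoDriveTypeAutoRun = 0x{0:X2}: AutoRun off for all drive types' -f (Get-AutoRunPolicy))
} else {
    Write-Warning 'NoDriveTypeAutoRun is not 0xFF; AutoRun is still enabled for some drive types'
}
```

Two caveats. Windows XP and Server 2003 did not honour this value completely until the fix in KB967715 was installed, so patch first and check afterwards. And a machine-wide policy value is the one to set: the same value also exists under HKCU, and a per-user setting is easy to miss on a shared PC.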

15 January 2009


This rather unfortunately-titled virus, Conficker - ask anyone who speaks both French and German ;-) - seems to be "flavour of the month" at the moment.

There is a nice, readable summary of how this virus spreads here.

On our network, we installed the MS08-067 patch to every PC as soon as it became available, and we have Autorun disabled (of course).

That just leaves the problem of the worm, once it's on your LAN, spreading by logging in to the other PCs. I presume from the description that it does the equivalent of
  NET USE \\{pc}\ADMIN$ /USER:{pc}\Administrator {password}
for some set of passwords selected from a dictionary.

Well, as luck would have it, all of our PCs have unique, computer-generated(*) passwords on the local Administrator account. This was a decision we took 12 years ago when we first installed Windows NT 4.0. It was done so that if necessary we could keep any troublesome users from having Administrator privileges (we had decided that by default, Domain Users would be in the Administrators group, after discovering that this was necessary to install a patch for Office, and not being in the Administrators group didn't prevent them accidentally breaking NT anyway). In 12 years we've only had to do this once (and the guy was let go a couple of months later), and we've always wondered if it was really a sensible thing to do, since managing all those 8- or 9-letter random words is quite a bit of work. It looks like we may have found a good reason after all...

(*) Since you ask: we used SET PASSWORD /GENERATE on VAX/VMS.
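The two pieces above (the worm trying a list of passwords against \\{pc}\ADMIN$, and unique local Administrator passwords defeating it) fit together in the following added example. It is my own PowerShell, not the author's VAX/VMS procedure: it generates a cryptographically random password per PC, checks that no two machines share one, and pushes each out with "net user". It assumes PowerShell 3 or later on the admin workstation, WinRM enabled on the targets, and a domain account that is a local Administrator on every one of them; the workstation names at the end are made up.

```powershell
# Added example (mine, not the author's VAX/VMS procedure): give every PC its own
# cryptographically random local Administrator password, check that no two machines
# share one, and push it out. Assumes WinRM is enabled on the targets and the caller
# holds a domain account that is a local Administrator on each of them.

function New-RandomPassword {
    param([int]$Length = 12)
    # Letters and digits minus the look-alikes (0/O, 1/l/I) so a printed list can be read
    # back without mistakes; 56 symbols, so 12 characters is about 70 bits of entropy,
    # far beyond anything in a worm's built-in password list.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # Rejection sampling: bytes at or above this limit are thrown away so that
    # (byte % alphabet length) is uniform rather than biased toward the first symbols
    $limit = 256 - (256 % $alphabet.Length)
    $buf = New-Object byte[] 1
    $out = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return $out.ToString()
}

function New-AdminPasswordTable {
    param([string[]]$ComputerName)
    # One row per PC. This table is now the most sensitive file on your network:
    # feed it into a password safe or an encrypted volume, never a plain share.
    foreach ($pc in $ComputerName) {
        [pscustomobject]@{ ComputerName = $pc; Password = (New-RandomPassword) }
    }
}

function Test-UniquePasswords {
    param([object[]]$Table)
    # Defeats the worm's whole trick: a password guessed on one PC opens no other
    $dupes = @($Table | Group-Object -Property Password | Where-Object { $_.Count -gt 1 })
    return ($dupes.Count -eq 0)
}

function Set-LocalAdminPassword {
    param([string]$ComputerName, [string]$Password)
    # 'net user' exists on every Windows version since NT; Set-LocalUser needs PowerShell 5.1+
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Password -ScriptBlock {
        param($NewPassword)
        net user Administrator $NewPassword | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net user failed on $env:COMPUTERNAME" }
    }
}

# Example run against three made-up workstation names
$table = New-AdminPasswordTable -ComputerName 'WS01', 'WS02', 'WS03'
if (-not (Test-UniquePasswords $table)) { throw 'Duplicate password generated; regenerate the table' }
foreach ($row in $table) {
    Set-LocalAdminPassword -ComputerName $row.ComputerName -Password $row.Password
}
# $table now holds the record to put in the password safe
```

Two practical points. Invoke-Command carries the password over an encrypted WinRM channel, but "net user" puts it on the remote process's command line for an instant, which is acceptable for a one-off rollout but not for a daily job. And the record-keeping the author complains about is the real cost of this approach: Microsoft's Local Administrator Password Solution (LAPS) now automates exactly this, storing each machine's password in Active Directory instead of a list of random words.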